CompTIA Security+ Sy-601 Certification [Part 4]

For Section 3 of the Security+ Sy-601 exam – Security Implementations, we will be covering various topics ranging from Secure Protocols, Host, Endpoint and Application Security, Wireless & Network Security, and AAA, IAM.

1. Identity and Access Management

Any system’s security can be compromised if access is open to anyone. The Identity and Access Management (IAM) concept controls this using three steps: authentication, authorization, and accounting (commonly known as AAA).

  • Identification – Identification is stage 1, where any user provides credentials or any other form of identification, to prove his/her identity. Identification can be proved by usernames, access cards, or both. These methods are used only to claim the user’s identity and don’t imply their owner is authenticated or authorized to enter or perform changes in the system. For physical devices or locations, biometrics can also be used as an Identification method.
  • Authentication – Authentication is used to prove the claim of the user’s identity. It can be achieved via three strategies: Something You Know (Passwords, PINs, or Access Keys), Something You Are (Biometrics), and Something You Have (Token Devices). These strategies are often combined for improved security, which is known as Multi-Factor Authentication (MFA). For MFA, the strategies combined must be different; for example, Password and Security Questions together are not termed MFA, since both are “something you know” strategies. Successful implementation of MFA can be determined by False Acceptance Ratio (Incorrect User Allowed) or False Rejection Ratio (Correct User Denied).
    • Password Management – Various protocols can be used for password-based authentication, such as PAP (Password Authentication Protocol, unencrypted, insecure) and CHAP (Challenge Handshake Authentication Protocol, uses a secret key, secure). Single sign-on (SSO) allows the user to use the same credentials across multiple devices using federated authentication solutions like Active Directory.
    • RADIUS and TACACS+ – RADIUS is an intermediary server, used to approve access to remote systems by authorizing requests from the central directory (like Microsoft AD, LDAP, etc.). TACACS+ is similar to RADIUS but provides additional security by using TCP and encryption.
    • Kerberos and LDAP – Kerberos is an authentication protocol that uses ticket-based session keys. LDAP or Lightweight Directory Access Protocol is used to query information from the centralized directory service. Microsoft AD uses both Kerberos on port 88 and LDAP on port 389 for authentication and querying information.
    • SAML – Security Assertion Markup Language (SAML) is an open standard to share authentication information among different web applications (commonly known as the Service providers and the Identity providers) for Single Sign-On.
    • OpenID Connect – OpenID Connect is used similarly to SAML, but while SAML is more feature-rich and exclusively used for SSO among web applications, OpenID is a simpler protocol, used for authentication between two servers, which can be mobile or web applications. It is mainly used with OAuth, which authorizes the SSO access between the two applications.
    • Key-Based SSH Access – Mostly used with Linux servers, this method involves generating an asymmetric key pair, with the user keeping the private key while the server keeps the public key. For the authentication request, the server responds with a challenge message. The user encrypts the challenge message with the private key and responds to the server. The server decrypts the message with the public key from the same key pair and, if successful, authenticates the SSH session for the user.
  • Authorization – Authorization grants rights to the user once the identity claim is proven by authentication. Authorization should follow the policy of least privilege and separation of duties, to ensure that users have only limited rights and that admin rights are not consolidated in a few hands.
    • Access Controls – Access controls can be applied to the user’s access in two ways: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). MAC is used when users’ access is defined by the system or organization and cannot be modified by the users themselves. DAC is used when users are given permission to modify system access as they see fit. At the file level, DAC allows the user to create a list of users and their permissions, from Read-Only to Read-Write, based on their requirements.
    • RBAC – Role-based access control is used for the authorization of the group of users on a common authority level, using the role assigned to them. For any new user, simply assigning a particular role can provide required access to the system needed for the day-to-day work. Any user not assigned to a rule shall be treated with the Implicit Deny policy, i.e. user cannot do anything unless the rule is applied.
    • ABAC – Attribute-based access control is used for the authorization of a group of users based on their attributes, like Job grade, Manager, Dates, etc. Advanced forms of ABAC may include the location of the user or time-of-day restrictions, to allow users access only when they are in a specific location or at a specific time.
  • Accounting – Accounting begins with account management, which involves creating, maintaining, and removing unique user or service accounts. Accounts can be either standard user accounts or privileged user accounts with advanced admin access. We may also have shared user accounts, used by multiple users or systems.
    • Account Policies – Password management is one of the key topics covered in the account policies. Passwords must be long with unique letters, be changed after a fixed interval of days, and not be reused.
    • Account Monitoring – Account monitoring is required to identify abnormalities in a user account’s activity. These may include someone logging in to the system at unusually odd hours, or trying to access an account from a location other than the office. Geotagging and Geofencing are some of the techniques used to determine a user’s location when accessing the system.
    • Account Lifecycle – The account lifecycle involves the creation and deletion of the user account when an employee joins or leaves the organization. This process can be automated for the scheduled termination of the account.
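The RBAC and ABAC items above can be combined into a single access decision. The following is an added example, not code from the original post: the roles, users, resource names, sites and working hours are constructed for illustration, and the check applies role permissions first, then the location and time attributes, with implicit deny as the fallback.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample policy. RBAC part: role -> set of (resource, action).
ROLE_PERMISSIONS = {
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
    "dba": {("customer_db", "read"), ("customer_db", "write")},
    "auditor": {("customer_db", "read")},
}
# ABAC part: attribute conditions per resource (allowed sites, working hours).
RESOURCE_CONDITIONS = {
    "customer_db": {"locations": {"HQ", "DR-site"}, "hours": (time(8, 0), time(18, 0))},
}
# Constructed user-to-role assignments; "dave" has no role at all.
USER_ROLES = {"alice": {"dba"}, "bob": {"helpdesk"}, "carol": {"auditor"}}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    location: str
    at: time


def authorize(req, user_roles=USER_ROLES):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    roles = user_roles.get(req.user, set())
    if not roles:
        return False, "implicit deny: user has no role"
    wanted = (req.resource, req.action)
    if not any(wanted in ROLE_PERMISSIONS.get(role, set()) for role in roles):
        return False, "implicit deny: no role grants this permission"
    cond = RESOURCE_CONDITIONS.get(req.resource)
    if cond is not None:
        if req.location not in cond["locations"]:
            return False, "deny: location not permitted"
        start, end = cond["hours"]
        if not (start <= req.at < end):
            return False, "deny: outside permitted hours"
    return True, "allow"


if __name__ == "__main__":
    samples = [
        Request("alice", "customer_db", "write", "HQ", time(10, 30)),
        Request("alice", "customer_db", "write", "HQ", time(23, 0)),
        Request("alice", "customer_db", "write", "home", time(10, 30)),
        Request("carol", "customer_db", "write", "HQ", time(10, 30)),
        Request("dave", "tickets", "read", "HQ", time(10, 30)),
    ]
    for r in samples:
        print(r.user, r.resource, r.action, r.location, r.at, authorize(r))
```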

2. Endpoint Security

Endpoint security is a broad topic covering everything from the host operating system and server firmware to users’ laptops and VMs. Let’s cover each endpoint below:

  • Host OS – Host OS security can be compromised in various ways:
    • Access and Vulnerabilities – Unauthorized access can be controlled by the IAM policies we discussed in the previous topic. For fixing vulnerabilities, we should implement an external patch management solution, to apply new patches on all connected systems simultaneously. File integrity checking using hashes is also vital to ensure that critical files in the system, like configuration files, have not been modified without proper approvals.
    • Malware – We have already covered malware and its types, like Viruses, Worms, or Trojan Horses, in Section-1 of CompTIA’s syllabus. In this section, we need to look at the ways to identify and mitigate malware in the system. Anti-Virus Software (AVS) installed on the host OS can perform detection and removal of malware. We need the AVS to always have an updated malware definition file, to avoid missing any of the latest threats.
    • EDR – Endpoint Detection and Response (EDR) software is installed on the host OS to provide more detailed, real-time information and triggers on the type of programs running on the system, any abnormal user behavior, etc. All information collected by EDRs provides important insights, and hence should be sent to a SIEM or Security Incident and Event Management system, or stored on a central Syslog server. Another way to prevent malware from being installed in the first place is by implementing Application Control (Whitelist and Blacklist).
    • Firewalls – Firewalls follow the default deny principle on both inbound and outbound traffic, with permission given only to traffic matching a firewall rule with an allow condition. Network firewalls sit on the border of a network, while host firewalls run on the end system. Next-Gen Firewalls (NGFW) provide enhanced features like user identity information, VPN access, etc., besides basic firewall functions. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are advanced cybersecurity solutions, responsible for detecting and mitigating advanced abnormalities in the network, like suspicious user signatures or unexpected user activity or behavior in the network. An IPS can sit in the path of the network as In-Band or outside it as Out-Band.
    • Data Loss Prevention (DLP) – DLP systems are used to detect and block any unauthorized access to the sensitive data stored on the system. Host-based DLPs are installed on end devices to block data loss by blocking USB ports, network ports, etc., while Network-based DLPs scan the network transmission for sensitive information based on pre-defined formats, like License number, document’s watermark, etc.
  • Hardware – Hardware security involves the security of hardware modules like data disks, patching of firmware, etc.
    • Storage disks – Storage disks on a server provide storage space for both OS installation and holding OS data. All files related to system configuration, system logs, packages, etc. are kept on these disks. To keep them secure, we can encrypt the data at rest using symmetric encryption like AES. For more advanced security, TPMs or Trusted Platform Modules can be used, which encrypt the whole disk, thereby making it impossible to use if removed or stolen. HSMs or Hardware Security Modules provide secure media to store the keys used in the encryption of disks and data.
    • Firmware – Firmware is used to hold BIOS (Basic I/O System). BIOS is the light-weight OS, used to load the actual host OS whenever any system boots up by accessing the boot disk. UEFI or Unified Extensible Firmware Interface replaces BIOS in the latest systems. UEFI provides the secure boot by checking OS hash values before loading it.
    • Asset Management – For keeping a stable environment, keeping a list of all the inventories and end devices is important. All changes committed over baseline configuration must be tracked and approved by all the stakeholders. Standard naming conventions, IP address schema, and Versioning system must be used to ensure the hygiene of the asset management.
    • Embedded Systems – Another category of hardware, embedded systems are small microprocessor-based devices used in industrial plants, IoT equipment, sensors, etc. These systems may use simple communication protocols with an unpatched old version of a basic OS. Regular patching of all these devices, keeping them inaccessible from the external network using DMZs and segmentation, and changing default passwords are a few approaches to securing these devices.

3. Network Security

Network security includes securing network equipment, using secured network protocols, Transport Layer Security, etc. Before deep-diving into how to secure any network, we need to understand the key components and terms used while deploying and maintaining any network.

  • Network Services and Protocols – Any network uses multiple protocols to help any packet to reach from source to destination. These protocols are used on various layers, in the seven-layer OSI model used for describing a network. Each network service uses unique ports, to identify itself when sending or receiving packets.
    • TCP (Connection-Oriented) and UDP (Connection-Less) are Layer-4 transport protocols, while IP (Internet Protocol) address is on Layer-3 for deciding where the packet should be routed.
    • HTTP (Port TCP/80) and HTTPS (Port TCP/443) are the Layer-7 protocols, used on the application level.
    • DHCP (Port UDP/67) is used for assigning a dynamic IP on a system if we are not providing it with static IP.
    • DNS (Port TCP/53) is used for resolving the IP address of any system based on their FQDNs or fully qualified domain name.
    • FTP (Port TCP/21) and SFTP (Port TCP/22) are used for file transfer to the system, while SSH (Port TCP/22) and RDP (Port TCP/3389) are used for accessing the systems remotely.
    • SMTP (Port TCP/25) and POP (Port TCP/110) are used for sending and receiving emails.
    • NetBIOS (Port UDP/137-138 and TCP/139) is used for legacy networking API communications.
    • SNMP (Port UDP 161/162) is used for transferring alarms (as SNMP traps) from the SNMP agents to central monitoring servers.
  • Network Zones – Any Network can be broadly divided into three zones, Intranet, Internet, and Demilitarized zones (DMZs). DMZs lie in between the Internet and Intranet, to run applications like the webservers which need public access but need to stay isolated in case of a security attack. Additionally, three optional networks can also be created inside the Intranet. The Extranet is created for partners to access a few segments on Intranet via VPN. The Honeynet is created for attackers to lure them for accessing and attacking the intranet. Honeynets may terminate in Honeypots, which are system devices created for the same purpose of luring the attackers. The Darknet is an unused network segment, which can help in detecting the attack on the network if any traffic is observed on them, as these networks have zero traffic normally. All these networks are responsible for North-South and East-West traffic to the outside and inside of the organization respectively. Networks can be segmented on Layer-2 using Virtual LAN (VLAN) trunking to provide isolation to different networks, allowing systems on the same VLAN access to each other without Layer-3 Routing.
  • Network Devices – A network relies on multiple devices to provide routes for packets from Source to Destination. Some of the key types of network equipment are:
    • Routers and Switches – Routers operate on Layer-3 with the routing table configuration, to decide the path to the destination of a packet. They can also provide Stateless inspection of traffic, to block packets based on an ACL or Access Control List. Switches operate on Layer-2 with MAC address and VLAN trunking information, to decide the path to the destination of a packet, which can be either an L-3 Router or another L-2 switch in the same broadcast domain. There are Layer-2 security risks, which can be mitigated by various techniques like VLAN pruning (disabling VLANs on network devices if no host is using them) and Port security (limiting MAC addresses on the switch port).
    • Firewalls and Proxy Servers – Modern firewalls provide various additional functionalities besides the basic rule-based, default-deny inspection device and the top to bottom rules-check sequence in the configuration. We can use them as NAT Gateway for accessing public internet and performing Stateful inspection. Web Application Firewalls (WAF) are exclusively used to inspect traffic on the webservers. Proxy servers are placed in front of either client-end (Forward Proxy), or in front of the Server-end (Reverse Proxy), to improve the performance of the session, content filtering, and privacy of the user session.
    • Load balancers and VPNs – Load balancers are responsible for distributing traffic across multiple backend servers, based on different strategies like Round-Robin, the server’s current utilization, etc. Using load balancers can lead to a single point of failure, hence they must be deployed in the High Availability Active-Active or Active-Standby model. VPNs or Virtual Private Networks provide remote or site-to-site access to the corporate network using an encrypted tunnel. Layer-2 Tunnelling Protocol (L2TP), Layer-3 IPSec, and Layer-4 SSL/TLS VPNs are commonly used for VPNs.
  • Network Attacks – By this time, we have directly or indirectly covered most of the Network Security techniques. Now, we can look at a few Network Attack scenarios:
    • Flooding – An enormous amount of traffic sent to network devices is termed Flooding. A few types of flooding attacks are SYN Flooding (a huge number of incomplete SYN messages) and MAC Flooding (filling of the switch’s MAC address table, causing flood traffic on all ports). These can lead to eavesdropping and can be prevented using port security or flood guard solutions.
    • DDoS – Distributed Denial of Service (DDoS) impacts access to the network or end devices by sending a huge amount of illegitimate traffic to the network or server. This can be achieved by using multiple sources like botnets, and sending ping requests with forged source IP addresses, causing the server to reply back to the incorrect IP address. This category of DDoS attack is called a Smurf attack.
    • Domain Attacks – DNS attacks are typically categorized as Man-in-the-Middle attacks, where the attacker sits in between the Client and the Web server. A DNS poisoning attack occurs when the attacker alters a DNS entry and resolves the URL of an authentic website to the IP of a webserver hosted by the attacker. Typosquatting also sends the client to a webserver hosted by the attacker, relying on honest spelling mistakes made by users when typing website URLs.
    • IP and MAC Attacks – ARP or Address Resolution Protocol operates at Layer-2 and is responsible for translating the IP Address of a system to the Layer-1 physical MAC Address. ARP poisoning is hence a scenario where incorrect MAC table values send users to a system belonging to the attacker. IP or MAC Spoofing is another type of attack, where the client receives traffic from incorrect or suspicious MAC or IP addresses.
    • Short Range Attacks – Short-range attacks use communication technology like Bluetooth or NFC. A Bluejacking attack sends phishing messages to the victim’s Bluetooth device, while a Bluesnarfing attack connects to the victim’s device and extracts information from it.
  • Network Tools – There are various command-line-based tools available for Windows PowerShell and the Linux Terminal, which can help extract network-level information without actually logging into the end devices.
    • ping – For reachability test using ICMP protocol with echo requests and echo reply messages
    • netstat and nc – The netstat tool can be used to list all devices connected to your system on the network. The nc command-line tool is used to send raw packets to the remote server on any specific port to get a response back. If a response is received, we can verify what ports are open on the remote server.
    • Nmap – Nmap is used to scan all open ports on any remote server.
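The firewall behaviour described in the Endpoint and Network Devices items (rules checked top to bottom, first match decides, default deny when nothing matches) can be shown with a small stateless evaluator. The following is an added example, not code from the original post and not any vendor's rule syntax: the rule fields and the rule set are constructed, using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # None matches any destination port


def matches(rule, pkt):
    return (
        rule.direction == pkt["direction"]
        and rule.proto in ("any", pkt["proto"])
        and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
        and rule.dport in (None, pkt["dport"])
    )


def evaluate(rules, pkt):
    """Check rules top to bottom; the first match decides, no match means deny."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "deny", None  # default deny: no rule explicitly allowed this packet


# Constructed rule set: a blocked source range, a DMZ web server, intranet egress.
RULES = [
    Rule("deny", "in", "any", "198.51.100.0/24", "0.0.0.0/0", None),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
]


def packet(direction, proto, src, dst, dport):
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    samples = [
        packet("in", "tcp", "192.0.2.7", "203.0.113.10", 443),     # allowed by rule 2
        packet("in", "tcp", "198.51.100.9", "203.0.113.10", 443),  # denied by rule 1
        packet("in", "tcp", "192.0.2.7", "203.0.113.10", 22),      # default deny
        packet("out", "tcp", "10.1.2.3", "192.0.2.80", 25),        # default deny
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], p["dport"], evaluate(RULES, p))
    # Rule order matters: with the allow rule first, the blocked range gets in.
    print(evaluate([RULES[1], RULES[0], RULES[2]], samples[1]))
```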

4. Wireless Security

Wireless security has a different set of challenges for the security team, as devices are connected to multiple Wireless Access Points (WAP) on IEEE 802.11 Wi-Fi standard. Let’s explore some of the challenges and mitigation techniques in wireless security.

  • Wireless Encryption – Encryption, as we know by now, is our biggest crusader in the fight against cyber attacks. Wired Equivalent Privacy (WEP) is an old encryption standard and is now considered insecure, and so is the older version of Wi-Fi Protected Access (WPA). The WPA2 and WPA3 releases are the latest and are still considered secure.
  • Wireless Authentication – Wireless authentication can use various approaches, like using a unique password, having an entry portal for keying in individual details, or using a centralized authentication server connected to the organization’s directory server for authorization. For authentication, the wireless network uses its own protocols like Extensible Authentication Protocol (EAP) or Protected Extensible Authentication Protocol (PEAP).

This ends Section 3 of the CompTIA Security+ Sy-601 exam. In Part 5, we will proceed to the next section of the exam, Operations and Incident Response.

