CompTIA Security+ sy0-601

cyber · 13 Aug 2023

Domain 1.0 Threats, Attacks, and Vulnerabilities
Domain 2.0 Architecture and Design
Domain 3.0 Implementation
Domain 4.0 Operations and Incident Response
Domain 5.0 Governance, Risk, and Compliance
5.1 Compare and contrast various types of control
Security+ (SY0-601) Acronym List
Security+ Proposed Hardware and Software List
Reference

Domain 1.0 Threats, Attacks, and Vulnerabilities

Phishing(Solicits information via email)
Smishing
Vishing
Spam
Spam over instant messaging(SPIM)
Spear phishing(Solicits information via highly targeted email designed for one person)
Dumpster diving(Discovers sensitive information discarded in the trash)
Shoulder surfing
Pharming
Tailgating(Accesses a building by having someone hold the door open)
Eliciting information
Whaling(Target high value individuals, such as senior executives)
Prepending
Identity fraud
Invoice scams
Credential harvesting
Reconnaissance
Hoax
Impersonation(simply means pretending to be someone else)
Watering hole attack
Typosquatting
Pretexting
Influence campaigns
- Hybrid warfare
- Social media
Principles(reasons for effectiveness)
- Authority
- Intimidation
- Consensus
- Scarsity
- Familiarity
- Trust
- Urgency

1.2 Given a scenario, analyze potential indicators to determine the type of attack

Malware
- Ransomware
- Trojans (Masquerades as desirable software to trick user into installing it)
- Worms (Spreads between systems by exploiting vulnerabilities;no user action require)
- Potentially unwanted programs(PUPs)
- Fileless viruse
- Command and control
- Bots
- Cryptomalware
- Logic bombs
- Spyware(Monitor user activity, such as keystrokes and web visits. Keyloggers are an example of spyware.)
- Keyloggers
- Remote access Trojan(RAT)
- Rookit
- Backdoor
Password attack
- Spraying
- Dictionary
- Brute force
  - Offline
  - Online
- Rainbow table
- Plaintext/unencrypted
Physical attacks
- Malicious Universal
- Serial Bus(USB) cable
- Malicious flash drive
- Card cloning
- Skimming(Duplicating a smart card by reading (skimming) the confidential data stored on it. Also known as skimming.)
Adversarial artificial intelligence(AI)
- Tained training data for machine learning(ML)
- Security of machine learning algorithms
Supply-chain attacks
Cloud-based vs. on-promises attacks
Cryptographic attacks
- Birthday(an attempt to find collisions in hash functions)
- Collision (replay attack - an attempt to reuse authentication requests)
- Downgrade

1.3 Given a scenario, analyze potential indicators associated with application attacks

Privilege escalation
Cross-site scripting(XSS, A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.)
Injections
- Structured query language(SQL)
- Dynamic-link library(DLL)
- Lightweight Directory Access Protocol(LDAP)(Use TCP port 389)
- Extensible Markup Language(XML)
Pointer/object dereference
Directory Traversal
Buffer overflows
Race conditions
- Time of check/time of use
Error handling
Improper input handling
Reply attack
- Session replays
Integer overflow
Request forgeries
- Server-side
- Cross-site
Application programming interface(API) attacks
Resource exhaustion
Memory leak
Secure Socket Layer(SSL) stripping
Driver manipulation
- Shimming (Small library that handle the operation itself, change the arguments passed, or redirect the request elsewhere)
- Refactoring (Identify the flow and then modify the internal structured code)
Pass the hash (attacker captures a password hash and then passes it through for authentication and lateral access)

1.4 Given a scenario, analyze potential indicators associated with network attacks

Wireless
- Evil twin ( a malicious fake wireless access point)
- Rogue access point
- Bluesnarfing (data theft using Bluetooth)
- Bluejacking (pranksters to push unsolicited messages to engage/ennoy other nearby Bluetooth)
- Disassociation (break the wireless connection)
- Jamming (a DoS attack that using channel by occupying the channel)
- Radio frequency identification(RFID) (commonly used in access badge systems)
- Near-field communication(NFC) (the touch pay system at the grocery)
- Initialization vector(IV) (modifies the initialization vector of an encrypted wireless packet during transmission)
On-path attack(previously known as man-in-the-middle attack/man-in-the-browser attack)
Layer 2 attacks
- Address Resolution Protocol(ARP)poisoning
- Media access control(MAC) flooding
- MAC cloning
Domain name system(DNS)
- Domain hijacking
- DNS poisoning (attacker alter the domain-name-to-IP-address mapping in a DNS system)
- Uniform Resource
- Loctor(URL) redirection
- Domain reputation
Distributed denial-of-service(DDoS) (DoS is a resource consumption attack, DDoS is use multiple compromised computer systems as source of attack traffic.(Xmas tree attacks are examples of DoS attack))
- Network (targeting flaws in network protocols)
- Application (exploit weaknesses in the application layer (layer 7))
- Operational technology(OT) (targets the weaknesses of software and hardware devices)
Malicious code or script execution
- PowerShell
- Python
- Bash
- Macros
- Visual Basic for Applications(VBA)

1.5 Explain different threat actors, vectors, and intelligence sources

Actors and threats
- Advanced persistent(APT)
- Insider threats
- State actors
- Hacktivists
- Script kiddies(Someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.)
- Criminal syndicates
- Hackers
  - Authorized
  - Unauthorized
  - Semi-authorized
- Shadow IT (often done with good intensions)
- Competitors
Atributes or actors
- Internal/external
- Level of sophistication/capability
- Resources/funding
- Intent/motivation
Vectors
- Direct access
- Wireless
- Email
- Supply chain
- Social media
- Removable media
- Cloud
Threat intelligence sources
- Open-source inteligence(OSINT)
- Closed/prioprietary
- Vulnerability databases
- Public/private information-sharing center
- Dark web
- Indicators of compromise
- Automated indicator Sharing (AIS)
  - Structured Threat Information
  - eXpression(STIX)/Trusted
  - Automated eXchange of Inteligence Information(TAXII)
  - Predictive analysis(a mix of automation and human intelligence)
  - Threat maps
  - File/code repositories
Research sources
- Vendor websites
- Vulnerability feeds
- Conferences
- Academic journals
- Request for comments(RFC)
- Local Industry groups
- Social media
- Threat feeds
- Adversary tactics, techniques, and procedures(TTP)

1.6 Explain the security concerns associated with various types of vulnerabilities

Cloud-based vs. on-promises vulnerabilities
Zero-day (an attack that uses a vulnerability that is either unknow to anyone but the attacker or known anly to a limited group of people)
Weak configuration
- Open permissions
- Unsecure root accounts
- Errors
- Weak encryptions
- Unsecure protocols (telnet, SNMPv1/v2,ftp)
- Default settings
- Open ports and services
Third-party risks
- Vendor management
  - System integration(potential for increased risk of insider attack)
  - Lack of vendor support
- Supply chain(include: supplier, manufacturers,distributors and customers)
- Outsourced code development
- Data storage
Improper or weak patch management
- Firmware
- Operating system(OS)
- Applications
Legacy platforms
Impacts
- Data loss
- Data breaches(When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.)
- Data exfiltration
- Identity theft
- Financial
- Reputation
- Availability loss

1.7 Summarize the techniques used in security assessments

Threat hunting
- Inteligence fusion(involves industry and government)
- Threat feeds()
- Advisories and bulletins()
- Maneuver(assessment techniques that avoid alerting threat actors)
Vulnerability scans
- False positives
- False negatives
- Log reviews
- Credentialed vs. non-credentialed
- Intrusive vs. non-intrusive
- Application
- Web application
- Network
- Common Vulnerabilities and Exposure(CVE)/Common Vulnerability Scoring System(CVSS) (The CVE list feeds into the NVD)
- Configuration review
Syslog/Security information and event management(SIEM)
- Review reports
- Packet capture
- Data inputs
- User behavior analysis
- Sentiment analysis(Artificial intelligence and machine learning)
- Security monitoring
- Log aggregation
- Log collectors
Security orchestration, automation, and response(SOAR) ()

1.8 Explain the techniques used in penetration testing

Penetration testing
- Known environment(white box test)
- Unknown environment(black box test)
- Partially known environment(limited information, grey box test)
- Rules of engagement
- Lateral movement
- Privilege escalation
- Persistence
- Cleanup
- Bug bounty(rewards are given for reporting vulnerabilities)
- Pivoting
Passive and active reconnaissance
Passive
- Drones
- War flying(combine war driving with a drones)
- War driving()
- OSINT
- Footprinting
Active
- Footprinting(includes active and passive methods)
Exercise types
- Red team(offense)
- Blue team(defense)
- White team(judge / referee)
- Purple team(process improvement)

Domain 2.0 Architecture and Design

2.1 Explain the importance of security concepts in an enterprise environment

Configuration management
- Diagrams
- Baseline configuration(is the process of identifying and documenting all aspects of an asset’s configurations to create a secure template against which all subsequent configurations are measured. Provide configuration snapshot.)
- Standard naming conventions(is a convention for naming thing)
- Internet protocol(IP) scheme
Data sovereignty
Data protection
- Data loss prevention(DLP)(Technology solution that search systems and monitor networks for sensitive information that is unsecured and provide the ability to remove the information, block the transmission, or encrypt the stored system)
- Masking
- Encryption
- At rest(full disk encryption)
- In transit/motion(TLS)(Transport layer security (TLS) is used to protect data in transit over a network.)
- In processing
- Tokenization
- Rights management
Geographical considerations
Response and recovery controls
Secure Sockets Layer(SSL)/Transport Layer Security(TLS)inspections
Hashing
API considerations
Site resiliency
- Hot site
- Cold site
- Warm site
Deception and disruption
- Honeypots
- Honeyfiles
- Honeynets
- Fake telemetry
- DNS sinkhole

2.2 Summarize virtualization and cloude computing concepts

Cloud models
- Infrastructure as a service(IaaS)
- Platform as a service(PaaS)
- Software as a service(SaaS)
- Anything as a service(XaaS)
- Public
- Community
- Private
- Hybrid
Cloud service providers(Offer cloud computing services for sale to third parties - Provide adds-on services)
Managed service provider(MSP)/managed security service provider(MSSP manage an entire security infrastructure, monitor system logs, manage firewalls or networks, perform identity and access management)
On-promises vs. off-premises
Fog computing
Edge computing
Thin client
Containers
Microservices/API
Infrastructure as code
- Software-defined networking(SDN)
- Software-defined visibility(SDV)
Serverless architecture
Services integration
Resource policies
Transit gateway
Virtualization
- Virtual machine(VM) sprawl avoidance(Unused and unmaintained servers)
- VM escape protection

2.3 Summarize secure application development, deployment, and automation concepts

Environment
- Development
- Test
- Staging
- Production
- Quality assurance(QA)
Provisioning and deprovisioning(after onboarding admin create auth credential and grant appropriate authorization)
Integrity measurement
Secure coding techniques
- Normalization
- Stored procedures
- Obfuscation/camouflage
- Code reuse/dead code
- Server-side vs. client-side execution and validation
- Memory management
- Use of third-party libraries and software development kits(SDKs)
- Data exposure
Open Web Application Security Project(OWASP)
Software diversity
- Compiler
- Binary
Automation/scripting
- Automated course of action
- Continuous monitoring
- Continuous validation
- Continuous integration(n is designed to trigger automatic code integration in the main code base instead of developing in isolation and then integrating them at the end of the development cycle)
- Continuous delivery
- Continuous deployment(is a software development method that releases or deploys software automatically into the production environment. In this model, no one manually checks the code and pushes it into your app)
Elasticity(expanding and contracting quickly)
Scalability
Version control(Assigns numbers to each version)

2.4 Summarize authentication and authorization design concepts

Authentication methods
- Directory service
- Federation
- Attestation(approved device compliant with company policies)
- Technologies
  - Time-based one-time password(TOTP)(like google authentication soft token this protocol)
  - HMAC-based one-time password(HOTP)(hardware token)
  - Short message service(SMS)
  - Token key(one-time password provided on a hardware of software token generator)
  - Static codes
  - Authentication applications
  - Push notifications
  - Phone call
- Smart card authentication(means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.)
Biometrics
- Fingerprint(often found on computing devices, allow self-enrollment)
- Retina
- Iris
- Facial(scans user’s facial structure)
- Voice(requires user to speak a phrase)
- Vein(żyła)
- Gait analysis(chód)
- Efficacy acceptance
- False rejection
- Crossover error rate(FAR=false acceptace rate and FRR=false rejection rate)
Multifactor authentication(MFA) factors and attributes
- Factors
  - Something you know
  - Something you have
  - Something you are
- Attributes
  - Somewhere you are
  - Something you can do
  - Something you exhibit(personality trait)
  - Someone you know
Authentications authorization, and accounting(AAA)(Authorization is the term for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. A accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session.)
Cloud vs. on-premises requirements

2.5 Given a scenario, implement cybersecurity resilience

Redundancy
- Geographical dispersal
- Disk
  - Redundant array of inexpensive disks(RAID) levels
  - Multipath
- Network
  - Load balances
  - Network interface card(NIC)teaming(also known as Load Balancing/Failover (LBFO) in the Microsoft world)
- Power
  - Uninterruptible power supply(UPS)(essentially a battery)
  - Generator(standby power source)
  - Dual supply
  - Manager power distribution units(PDUs)
Replication
- Storage area network(SAN)
- VM
On-premises vs. cloud
Backup types
- Full
- Incremental
- Snapshot
- Differential
- Tape(most suitable system for data storage requiring large capacity)
- Disk
- Copy(useful in one-off/add hoc scenario)
- Network-attached storage(NAS)
- Storage area network(SAN)
- Cloud
- Image
- Online vs. Offline
- Offsite storage
  - Distance consideration
Non-persistence
- Revert to know state
- Last known good configuration
- Live boot media
High availability(HA is theability to keep services up and running for long periods of time. Uses multiple systems to protect against service failure.)
- Scalability(Increasing capacity with demand - Horizontal Scaling is adds more servers to the pool to meet increased demand - Vertical Scaling is adds more resources(CPU, memory) to existing servers to meet increased demand)
Restoration order
Diversity(impact of diversity on availability, resiliency,and security)
- Technologies(different technology)
- Vendors(multiple vendors)
- Crypto(multiple algorithms)
- Controls

2.6 Explain the security implications of embedded and specialized systems

Embedded systems(Technology components of an Internet of Things device that place a full computer inside of another, large system.)
- Raspberry Pi
- Field-programmable gate arrey(FPGA)
- Arduino
Supervisory control and data acquisition(SCADA)/industrial control system(ICS)
- Facilities
- Industrial
- Manufacturing
- Energy
- Logistics
Internet of Things(IoT)
- Sensors
- Smart devices
- Wearables
- Facility automation
- Weak defaults
Specialized
- Medical systems
- Vehicles
- Aircraft
- Smart meters
Voice over IP(VoIP)
Heating, ventilation, air conditioning(HVAC)
Drones
Multifunction printer(MFP)
Real-time operating system(RTOS)
Surveillance systems
System on chip(SoC)
Communication considerations
- 5G
- Narrow-band
- Baseband radio
- Subscriber identity module(SIM)cards
- Zigbee(Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.)
Constraints
- Power
- Compute
- Network
- Crypto
- Inability to patch
- Authentication
- Range
- Cost
- Implied trust

2.7 Explain the importance of physical security controls

Bollards(stop car moving after point)/barricades
Access control vestibules
Badges
Alarms
Signage(discourage intruders)
Cameras
- Motion recognition
- Object detection
Closed-circuit television(CCTV)
Industrial camouflage
Personnel
- Guards
- Robot sentries
- Reception
- Two-person integrity/control
Locks
- Biometrics
- Electronic
- Physical
- Cable locks
USB data blocker
Lighting
Fencing
Fire suppression

? Class Type Suppression material

A Common combustibles Watre,soda acid(a dry powder or liquid chemical)

B Liquids CO2,halon,soda acid

C Electrical CO2,halon

D Metal Dry powder

K Kitchen Wet chemicals

Class	Type	Suppression material
A	Common combustibles	Watre,soda acid(a dry powder or liquid chemical)
B	Liquids	CO2,halon,soda acid
C	Electrical	CO2,halon
D	Metal	Dry powder
K	Kitchen	Wet chemicals

Sensors
- Motion detection
- Noise detection
- Proximity reader(nearness)
- Moisture detection(humidity)
- Cards
- Temperature
Drones
Visitor logs
Faraday cages(prevents wireless or cellular phones)
Air gap(A type of network isolation that physically separates a network from all other networks.)
Screened subnet(previously known as demilitarized zone)(like DMZ)
Protected cable distribution
Secure area
- Air gap(like secure area demilitarized zone (DMZ).)
- Vault
- Safe
- Hot aisle
- Cold aisle
Secure data destruction
- Burning
- Shredding(shred a metal hard drive into powder)
- Pulping(if burning is not available, pulping, which turns the data into paper mache, is the best option)
- Pulverizing(use a hammer and smash frive into pieces, or drill through all the platters)
- Degaussing(create a stronge magnetic field that erases data on some media and destroy electronics)
- Third-party solutions

2.8 Summarize the basic of cryptographic concepts

Digital signatures(encrypted hash of a message, encrypted with the sender’s private key)
Key length(large keys tend to be more secure, Since 2015, NIST recommands a minimum of 2048-bit keys for RSA)
Key stretching
Salting(random data that is used as an additional input to a one-way function that hashes data, a password or passphrase)
Hashing(one-way function that scrambles plain text to produce a unique message digest)
?Encryption(two-way function;what is encrytped can be decrypted with the proper key)
Key exchange
Elliptic-curve cryptography(ECC)(small, fast key that is used for encryption in small mobile devices,256-bit ECC key is stronger than a 2048-bit RSA key)
Perfect forward secrecy(PFS)
Quantum()
- Communications
- Computing
Post-quantum
Ephemeral(Using ephemeral session keys means that any future compromise of the server will not translate into an attack on recorded data)
Modes of operation
- Authenticated
- Unauthenticated
- Counter
Blockchain
- Public ledgers
Cipher suites
- Stream
- Block
Symmetric vs. asymmetric(Symetric relies on the use of a shared secret key. Asymmetric- public-privates key pairs for communication between parties.)
Lightweight ctyptography
Steganography(Steganalysis is the study of detecting messages hidden using steganography. It is analogous to cryptanalysis applied to cryptography. The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload. A computer file,message,image, or video is cancealed within another file,message,image,or video)
- Audio
- Video
- Image
Homomorphic encryption(allows users to run calculation on data while it is still encrypted)
Common use cases
- Low power devices
- Low latency
- High resiliency
- Supporting confidentiality( is used for both data-at-rest (file encryption) and data-in-transit (transport encryption))
- Supporting integrity
- Supporting obfuscation
- Supporting authentication
- Supporting non-repudiation
Limitation
- Speed
- Size
- Weak keys
- Time
- Longevity(a measure of the confidence that people have in a given cipher)
- Predictability
- Reuse
- Entropy
- Computational overheads
- Resource vs. security constraints

Domain 3.0 Implementation

3.1 Given a scenario, implement secure protocols

Protocols
- Domain Name System Security Extensions(DNSSEC)
- SSH
- Secure/Multipurpose Internet Mail Extensions(S/MIME)
- Secure Real-time Transport Protocol(SRTP)
- Lightweight Directory Access Protocol Over SSL(LDAPS)
- File Transfer Protocol, Secure(FTPS)
- SSH File Transfer Protocol(SFTP)
- Simple Network Management Protocol, version 3(SNMP3)
- Hypertext transfer protocol over SSL?TLS(HTTPS)
- IPSec
  - Authentication header(AH)/Encapsulating Security Payloads(ESP)
  - Tunnel/transport
- Post Office Protocol(POP)/Internet Message Access Protocol(IMAP)
Use cases
- Voice and video
- Time synchronization
- Email and web
- File transfer
- Directory services
- Remote access
- Domain name resolution
- Routnig and switching
- Network address allocation
- Subscription services

3.2 Given a scenario, implement host or application security solutions

Endpoint protection
- Antivirus
- Anti-malvare
- Endpoint detection and response(EDR)
- DLP(Data loss prevention)
- Next-generation firewall(NGFW)(Incorporates advanced security features, such as contextual information about the user and application)
- Host-based intrusion prevention system(HIPS)(Takes proactive measures to block suspicious network activity)
- Host-based intrusion detection system(HIDS)(Alerts administrators to suspicious network activity)
- Host based firewall
Boot integrity
- Boot security/Unified Extensible Firmware Interfact(UEFI)(UEFI Replaces BIOS with a flexible alternative)
- Measured boot(Each device verifies the hash of the next device in the boot chain)
- Boot attestation(Confirmed hashes are stored in the TPM)
Database
- Tokenization
- Salting
- Hashing
Application security
- Input validations
- Secure cooking
- Hypertext Transfer Protocol(HTTP)headers
- Code signing
- Allow list
- Block list/deny list
- Secure coding practices
- Static code analysis
  - Manual code review
- Dynamic code analysis
- Fuzzing
Hardening
- Open ports and services
- Registry
- Disk encryption
- OS
- Patch management
  - Third-party updates
  - Auto-updates
Self-encrypting drive(SED)/full-disk encryption(FDE)
- Opal
Hardware root or trust(Verifies firmware integrity)
Trusted Platform Module(TPM)
Sandboxing(Provides a safe space to run potentially malicious code. Isolates malicious content)

3.3 Given a scenario, implement secure network designs

Load balancing
- Active/active
- Active/passive
- Scheduling
- Virtual IP
- Persistence
Network segmentation
- Virtual local area network(VLAN)
- Screened subnet(previously know as demilitarized zone)
- East-west traffic
- External
- Intranet
- Zero Trust
Virtual private network(VPN)
- Always-on
- Split tunenel vs. full tunnel
- Remote access vs. site-to-site
- IPSec
- SSL/TLS
- HTML5
- Layer 2 tunneling protocol(L2TP)
DNS
Network access control(NAC)
- Agent and agentless
Out-of-band management
Port security
- Broadcast storm prevention
- Bridge Protocol Data Unit(BPDU) guard
- Loop prevention
- Dynamic Host Configuration Protocol(DHCP) snooping
- Media access control(MAC)filtering
Network appliances
- Jump servers
- Proxy servers
  - Forward
  - Reverse
- Network-based intrusion detection system(NIDS)/network-based intrusion prevention system(NIPS)
  - Signature-based
  - Heuristic/behavior
  - Anomaly
  - Inline vs. passive
- HSM(is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage)
- Sensors
- Collectors
- Aggregators
- Firewalls(Restrict network traffic. Firewalls, by default, block any network connection attempts that are not explicitly allowed by a firewall rule.)
  - Web application firewall(WAF)
  - NGFW
  - StatefulStateless
  - Unified threat management(UTM)
  - Network address translation(NAT)gateway
  - Content/URL filter
  - Open-source vs. prioprietary
  - Hardware vs. software
  - Appliance vs. host-based vs. virtual
Access control list(ACL)
Route security
Quality of service(QoS)
Implications of IPv6
Port spanning/port mirroring
- Port taps
Monitoring services
File integrity monitors(Watch for unexpected file modifications. Periodically verify that the hash values of critical files have not changed)

3.4 Given a scenario, install and configure wireless security settings

Cryptographic protocols
- WiFi Protected Access 2(WPA2)(support only 128 bits)
- WiFi Protected Access 3(WPA3)(256-bit AES)
- Counter-mode/CBC-MAC Protocol(CCMP)(used with WPA2, which replaced WEP and WPA)
- Simultaneous Authentication of Equals(SAE)
Authentication protocols
- Extensible Authentication Protocol(EAP)
- Protected Extensible
- Authentication Protocol(PEAP)
- EAP-FAST(developed by Cisco, it replaced LEAP, which was insecure)
- EAP-TLS
- EAP-TTLS
- IEE 802.1X
- Remote Authentication Dial-in User Service(RADIUS)Ferderation
Methods
- Pre-shared key(PSK) vs. Enterprise vs. Open
- WiFi Protected Setup(WPS)
- Captive portals(A web page or website to which a client is redirected before being granted full network access.)
Instalation considerations
- Site surveys
- Heat maps
- Wifi analyzes
- Channel overlaps
- Wireless access point(WAP)placement
- Controller and access point security

3.5 Given a scenario, implement secure mobile solutions

Connections methods and receivers
- Cellural
- WiFi
- Bluetooth
- NFC
- Infrared
- USB
- Point-to-point
- Point-to-multipoint
- Global Positioning System(GPS)
- RFID
Mobile device management(MDM)(MDM solution can be used to push configuration changes to mobile devices)
- Application management
- Content management
- Remote wipe(security feature for mobile device management that allows you to remotely clear data from a lost or stolen mobile device)
- Geofencing
- Geolocation
- Screen locks
- Push notifications
- Password and PINs
- Biometrics
- Context-aware authentication
- Containerization
- Full device encryption
Mobile device
- MicroSD hardware security module(HSM)
- MDM/Unified Endpoint Management(UEM)
- Mobile application management(MAM)
- SEAndroid
Enforcement and monitoring of:
- Third-party application stores
- Rooting/jailbreaking(the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer when it boots (tethered jailbreak).)
- Sideloading
- Custom firmware
- Carrier unlocking(enables a smartphone to be switched to a diffrent mobile network provider)
- Firmware oven-the-air(OTA)updates
- Camera use
- SMS/Multimedia Messaging Service(MMS)Rich Communication Services(RCS)
- External media
- USB On-The-Go(USB OTG)
- Recoding microphone
- GPS tagging
- Wifi direct/ad hoc
- Tethering
- Hotspot
- Payment methods
Deployment models
- Bring your own device(BYOD)
- Corporate-owned personally enabled(COPE)
- Choose your own device(CYOD)
- Corporate-owned
- Virtual desktop infrastructure(VDI provides network-based access to a desktop computing env. Amazon Workspace as example of VDI service)

3.6 Given a scenario, apply cybersecurity solutions to the cloud

Cloud security controls
- High availability across zones
- Resource policies(Resource policies place limits on the actions that may be taken by users with direct access to your cloud environment)
- Secrets management
- Integration and auditing
- Storage
  - Permissions
  - Encryption
  - Replication
  - High availability()
- Network
  - Virtual networks
  - Public and private subnets
  - Segmentation
  - API inspection and integration
- Compute
  - Security groups(Serve as IaaS firewalls. Security groups are the primary mechanism used to offer firewall functionality to IaaS customers.)
  - Dynamic resource allocation
  - Instance awareness
  - Virtual private
  - cloud(VPC)endpoint
  - Container security
Solutions
- CASB((Cloud Access Security Broker) Enterprise management software designed to mediate access to cloud services by users across all types of devices - Provide IAM services)
- Application security
- Next-generation secure web gateway(SWG)
- Firewall considerations in a cloud environment
  - Cost
  - Need for segmentation
  - Open Systems interconnection(OSI)layers
Cloud native controls vs. third-party solutions

3.7 Given a scenario, implement identity and account management controls

Identity
- Identity provider(IdP)( In a federated network, the service that holds the user account and performs authentications like Azure Active Directory is the identity provider for Office 365)
- Attributes(unique property in a user’s account details, such as employee ID)
- Certificates(a digital certificate where two keys are generated, a public key and a private key.The private kay is used for identity)
- Tokens(a digital token, such as a SAML token used for federation services, or a token used by Open Authentication(OAuth2))
- SSH keys(linux server, instead of using username and password)
- Smart cards(a credit card-loke token with a certificate embedded on a chip;it is used in conjunction with a pin.Physical card)
Account types
- User account(standard user account with limited privileges)
- Shared and generic accounts/credentials(Generic account is default andmin accounts created by manufacturers)
- Guest accounts(a legacy account that was designed to give limited access to a single computer without the need to creat a user account, normally disabled)
- Service accounts(a service account is type of administrator account used to run an application, example: account to run an anti-virus application)
Account policies
- Password complexity
- Password history(prevents someone from reusing the same password)
- Password reuse
- Network location
- Geofencing
- Geotagging
- Geolocation
- Time-based logins(employees may be restricted to accessing the network between 7 am and 6 pm)
- Access policies
- Account permissions
- Account audits
- Impossible travel time/risky login
- Lockout
- Disablement

3.8 Given a scenario, implement authentication and authorization solutions

Authentication management
- Password keys(like USB device and works in conjuction with your password to provide multi-factor authentication)
- Password vaults(use strong encryption(e.g. AES-256))
- TPM(Trusted Platform Module normally built into the motherboard of a computer, and they are used when you are using Full disk Encryption(FDE))
- HSM(Hardware Security Module is used to store encryption keys, a key escrow that holds the private keys for third parties)
- Knowledge-based authentication(KBA normally used by banks or email providers to identify when they want a password reset)
Authentication/authorization
- EAP(Extensible Auth Protocol)(auth framework, allows for new auth technologies to be compatible with existing wireless or point-to-point connection technologies)
- Challenge-Handshake Authentication Protocol(CHAP)(a user or network host to an authenticating entity. That entity may be, for example, an internet service provider. Much safer than PAP)
- Password Authentication Protocol(PAP)(does not use any encryption)
- 802.1X
- RADIUS(uses UDP and encrypts the passwords only, remote access)
- Single sign-on(SSO)(means a user doesn’t have to sign into every application they use. the user logs in once and that credential is used for multiple apps. Common SSO methods: SAML,Oauth2,OpenID)
- Security Assertion Markup Language(SAML)(common in on-prem federation scenarios)
- Terminal Access Controller Access Control System Plus(TACACS+)(admin access to network devices, uses TCP and encrypts the entire session)
- OAuth(for internet users to log into third party websites using their Microsoft, Google, Facebook, Twitter etc. accounts without exposing their passwords)
- OpenID(loggin into spotify with your FB account)
- Kerberos(authorization protocol in Microsoft Azure Directory. Ticket-based auth system. Use port 88)
Access control scheme
- Attribute based access control(ABAC)
- Role-based access control(RBAC)(typical mapped to job roles)
- Rule-based access control(global rules)
- MAC(Mandatory access control)
- Discretionary access control(DAC)(access control system where permissions may be set by the owners of files, computers, and other resources)
- Conditional access
- Privileged access management(privileged accounts within a domain)
- Filesystem permissions(NTFS(Windows), SUID and SGID(Linux, read=4,write=2,execute=1))

3.9 Given a scenario, implement public key infrastructure

Public key infrastructure(PKI)
- Key management
- Certificate authority(CA)
- Intermediate CA
- Registration authority(RA)
- Certificate revocation list(CRL)(A list of certificates that were revoked before their expiration date)
- Certificate attributes
- Online Certificate Status
- Protocol(OCSP)
- Certificate signing request(CSR)(A Base64 ASCII file that a subject sends to a CA to get a certificates)
- CN
- Subject alternative name(SAN)
- Expriation
Types of certificates
- Wildcard
- Subject alternative name(SAN)(certificate enables you use one certificate to secure hosts with different name)
- Code signing
- Self-signed
- Machine/computer
- Email
- User
- Root
- Domain validation
- Extended validation
Certificate formats
- Distinguished encoding rules(DER)
- Privacy enhanced mail(PEM)
- Personal information exchange(PFX)
- cer
- P12
- P78
Concepts
- Online vs. offline CA
- Stapling
- Pinning(technique used to associate hosts with their public key)
- Trust model
- Key escrow
- Certificate chaining

Domain 4.0 Operations and Incident Response

4.1 Given a scenario, use the appropriate tool to assess organizational security

Network reconnaissance and discovery
- tracert/traceroute
- nslookup/dig
- ipconfig/ifconfig
- nmap
  - TCP SYN (-sS)—this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target’s response to the scan’s SYN packet identifies the port state.
  - UDP scans (-sU)—scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
  - Port range (-p)—by default, Nmap scans 1000 commonly used ports, as listed in its configuration file. Use the -p argument to specify a port range.
- ping/pathping
- hping
- netstat
- IP scanners
- arp
- route
- curl
- theHarvester
- sniper
- scanless
- dnsenum
- Nessus
- Cuckoo( Implementation of a sandbox for malware analysis.)
File manipulation
- head
- tail
- cat
- grep
- chmod
- logger
Shell and script environments
- SSH
- PowerShell
- Python
- OpenSSL
Packet capture and replay
- Tcpreplay
- Tcpdump
- Wireshark
Forensics
- dd
- Memdump
- WinHex(Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.)
- FTK imager
- Autopsy(The Sleuth Kit is an open source collection of command line and programming libraries for disk imaging and file analysis. Autopsy is a graphical frontend for these tools and also provides a case management/workflow tool. Also known as Sleuth Kit)
Exploitation frameworks
Password crackers
Data sanitization

4.2 Summarize the importance of policies, processes, and procedures for incident response

Incident response plans
Incident response process(Incident response is a set of procedures that an investigator follows when examining a computer security incident. This is a part of incident management. Many organizations implement incident response policies in order to assist in the identification and handling of incidents.)
Exercises
Attack frameworks
Stakeholders management
Communication plan
Disaster Recovery Plan(DRP refers more specifically to the steps and technologies for recovering from a disruptive event, especially as it pertains to restoring lost data, infrastructure failure, or other technological components.)
Business Continuity Plan(BCP is a strategy businesses put in place to continue operating with minimal disruption in the event of a disaster)
Continuity of Operations Planning(COOP)
Incident Response Team(Group of IT professionals in charge of preparing for and reacting to any type of organizational emergency)
Retention Policies( Key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (a record), where it’s stored, and how to dispose of the record when its time)

4.3 Given an incident, utilize appropriate data sources to support an investigation

Vulnerability scan output
SIEM dashboards
- Sensor
- Sensitivity
- Trends
- Alerts
- Correlation
Log files
- Network
- System
- Application
- Security
- Web
- DNS
- Authentication
- Dump files
- VoIP and call managers
- Session initiation Protocol(SIP)traffic
syslog/rsyslog/syslog-ng
journalctl
NXLog
Bandwidth monitors
Metadata
- Email
- Mobile
- Web
- File
Netflow/sFlow
- Netflow
- SFlow
- IPFIX
Protocol analyzer output

4.4 Given an incident,apply mitigation techniques or controls to secure an environment

Reconfigure andpoint security solutions
- Application approved list
- Application blocklist/deny list
- Quarantine
Configuration changes
- Firewall rules
- MDM
- DLP
- Content filter/URL filter
- Update or revoke certificates
Isolation(users don’t impact each other)
Containment
Segmentation
SOAR
- Runbooks
- Playbooks

4.5 Explain the key aspects of digital forensics

Documentation/evidence
- Legal hold
- Video
- Admissibility
- Chain of custody(The record of evidence history from collection, to presentation in court, to disposal.)
- Timelines of sequence of events
  - Time stamps
  - Time offset
- Tags
- Reports
- Event logs
- Interviews
Acquisition
- Order of volatility
- Disk
- Random-access memory(RAM)
- Swap/pagefile
- Firmware
- Snapshot
- Cache
- Network
- Artifacts
On-premises vs. cloud
- Right-to-audit clauses
- Regulatory/jurisdiction
- Data breach notification laws
Integrity
- Hashing
- Checksums(The output of a hash function. chmod Linux command for managing file permissions.)
- Provenance
Preservation
E-discovery
Data recovery
Non-repudiation
Strategic intelligence/counterintelligence

Domain 5.0 Governance, Risk, and Compliance

5.1 Compare and contrast various types of control

Category
- Managerial(Policies and procedures defined by org’s security policy, other regulation and requirements)
- Operational(Executed by company personnel during their day-to-day operations(security awareness training, change mgmt, BCP))
- Technical(aka ‘logical’, involves the hardware or software mechanisms implemented by IT team to reduce risk(firewall rules, antivirus/malware, IDS/IPS, etc) )
Control type
- Preventive(Stops an adversary from violating security policies.EXAMPLES: fences, locks, biometrics, mantraps, alarm systems, job rotation, data classification, penetration testing, access control methods.)
- Detective(Deployed to discover or detect unwanted or unauthorized activity. EXAMPLES: security guards, guard dogs, motion detectors, job rotation, mandatory vacations, audit trails, Intrusion Detection Systems(IDSs), violation reports, honey pots, and incident investigations)
- Corrective(modifies the env to return systems to normal after an unwanted or unauthorized activity has occurred. EXAMPLES: intrusion prevention systems, antivirus solutions, alarms, mantraps, Business Continuity Planning(BCP) and security policies.)
- Deterrent(deployed to discourage violation of security policies. EXAMPLES: locks, fences, security badges, security guards, mantraps, security badges, security )
- Compensating(provide options to other existing controls to aid in enforcement of security policies. EXAMPLES: security policy, personnel supervision, monitoring and work task procedures.)
- Physical(a control you can physically touch)

5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture

Regulations, standards, and legislations
- General Data Protection Regulation(GDPR)(is a set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.)
- National,territory, or state laws(-Gramm-Lench-Bliley Act(GLBA(financial institutions)), -Federal Information Security Management Act(FISMA),-HIPAA(Health Insurance Portability and Accountability Act),-HITECHHealth information Technology for Economic and Clinical Health,-Children’s Online Privacy Protection Act(COPPA),Electronic Communications Privacy Act(ECPA))
- Payment Card Industry Data Security Standard (PCI DSS)( is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information)
Key frameworks
- Center for Internet Security(CSI)(cybersecurity best practices and threats)
  - National Institute of Standards and Technology(NIST) Risk Management Framework(RMF)/Cyber Security Framework(CSF-is aimed at private industry)
- International Organization for Standardization(ISO)27001/27002/27017/27701/31000(27001-international standard on how to manage information security,27002-improve the management of information,27017-provide guidelines related to the secure use of cloud computing,27701-improve a privacy information management system(PIMS) is extension for 27001/27002, 31000-managing risk)
- SSAE SOC2 Type I/II(Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption)
- Cloud security alliance(not for profit organization that produces resources to help Cloud Service Providers(CSPs))
- Cloud control matrix(CCM)(to assess the overall risk of a cloud provider)
- Reference architecture
Benchmarks/secure configuration guides(benchmarks are configuration baselines and best practices for securely configuring a system)
- Platform/vendor-specific guides(release with new products so that they can be set up as securely as possible, making them less vulnerable to attack)
  - Web server(Microsofts’s Internet Information Server(IIS), and the linux-based Apache. Both security teams reduce the attack surface, making them more secure)
  - OS(vendors have guides that detail the best practices for installing their operating systems)
  - Application server(vendors produce guides on how to configure application servers, such as email servers or database servers, to make them less vulnerable to attack)
  - Network infrastructure devices(companies like Cisco produce network devices and offer benchmarks for secure configuration)

5.3 Explain the importance of policies to organizational security

Personnel
- Acceptable use policy
- Job rotation(employees are rotated into different jobs, or tasks are assigned to different employees)
- Mandatory vacation
- Separation of duties(performing any critical business function should require the involvement of two or more individuals)
- Least privilege(a subject should be given only those privileges necessary to complete their job-related tasks.)
- Clean desk space(increases the physical security of data by requiring employees to limit what is on their desk)
- Background checks(potential employees should be extensive background check before being hired)
- Non-disclosure agreement(NDA)(legal contract intended to cover confidentiality with vendors and suppliers)
- Social media analysis
- Onboarding(process of integrating a new employee into a company)
- Offboarding(process to the formal separation between an employee and the company through resignation, termination, or retirement)
- User training
  - Gamification(used in computer-based training to provide employees with a question/challenges)
  - Capture the flag(a security related competition where someone is trying to hack into a resource to gain access to data(red/blue team))
  - phishing campaigns
    - Phishing simulations
  - Computer-based training(CBT)
  - Role-based training
Diversity of training techniques
Third-party risk management
- Vendors
- Supply chain(a secure chain vendors who are secure, reliable, trustworthy,reputable)
- Business partners
- Service level agreement(SLA Service level agreements document vendor obligations.)
- Memorandum of understanding(MOU)(similar to SLA)
- Measurement systems analysis(MSA)(provide a way for an organization to evaluate the quality of the process used in their measurement systems)
- Business partnership agreement(BPA)
- End of life(EOL)(point at which a vendor stops selling a product and may limit replacement parts and support)
- End of service life(EOSL)(product is no longer sold by manufacturer,updates,support agreements are not renewed)
- NDA(non-disclosure agreement - contract with vendors and suppliers not to disclose the company’s confidential information)
Data
- Classification(is process of labeling data)
- Governance(oversight and management that describes security controls)
- Retention(unnecessary retention increases liability and risk)
Credential policies
- Personnel(avoid using shared accounts unless necessary)
- Third-party
- Devices(Default password should be changed on devices with generic accounts)
- Service accounts(MAy run as local service accounts with same rights as user)
- Administrator/root accounts(require periodic pass changes and enforce pass complexity)
Organizational policies
- Change management(policy that details how changes will be processed in an organization.Guidance on the process)
- Change control(refers to the process of evaluating a change request within an organization and decided if it should go ahead. The process in action)
- Asset management(tagged and recorded in an asset registry, includes periodic(usually annual) audits need to be carried out to ensure that all assets are accounted for.)

5.4 Summarize risk management processes and concepts

Risk types
- External
- Internal
- Legacy systems(vulnerabilities to legacy systems tend to increase over time)
- Multiparty
- IP theft
- Software compliance/licensing
Risk management strategies
- Acceptance
- Avoidance
- Transference
  - Cybersecurity insurance
- Mitigation(The act of reducing risk)
Risk analysis
- Risk register
- Risk matrix/heat map
- Risk control assessment(occurs when a company periodically checks that the risk controls that they have in place are still effective with changing technology. May involve an external auditor or export)
- Risk control self-assessment(Employees evaluate existing risk controls so management-level decision makers can decide if current controls are adequate. A bottom-up approach often used in smaller organizations)
- Risk awareness
- Inherent risk
- Residual risk(a risk that remains even with all conceivable safeguards in place)
- Control risk
- Risk appetite(willing to accept)
- Regulations that affect risk posture
- Risk assessment types
  - Qualitative
  - Quantitative
- Likelihood of occurrence
- Impact
- Asset value
- Single-loss expectancy(SLE)(SLE tells us what kind of monetary loss we can expect if an asset is compromised because of a risk. Calculating SLE requires knowledge of the asset value (AV) and the range of loss that can be expected if a risk is exploited, which is known as the exposure factor (EF).)
- Annualized loss expectancy(ALE)
- Annualized rate of occurrence(ARO)(is described as an estimated frequency of the threat occurring in one year. ARO is used to scalculate ALE (annualized loss expectancy))
Disasters
- Environmental(earthquakes,floods,volcano,storms,tsunamis)
- Person-made(explosions,electrical fires,terrorist acts,power outages,othet utility failures)
- Internal vs. external
Business impact analysis
- Recovery time objective(RTO)(Duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.)
- Recovery point objective(RPO)(Is the maximum time period from which data may be lost in the wake of a disaster.)
- Mean time to repair(MTTR)( is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.)
- Mean time between failures(MTBF)(measures the predicted time that passes between one previous failure of a mechanical/ electrical system to the next failure during normal operation. In simpler terms, MTBF helps you predict how long an asset can run before the next unplanned breakdown happens.)
- Functional recovery plans
- Single point of failure(any non-redundant part of a system that if unavailable , would cause the entire system or service to fail)
- Disaster recovery plan(DRP)
- Mission essential functions
- Identification of critical systems
- Site risk assessment

5.5 Explain privacy and sensitive data concepts in relation to security

Organizational consequences of privacy and data breaches
- Reputation damage
- Identity theft
- Fines
- IP theft
Notifications of breaches(The EU sets their standard GDPR, and notifications of data breaches must be reported within 72 hours)
- Escalation
- Public notifications and disclosures
Data types
- Classifications
  - Public
  - Private
  - Sensitive
  - Confidential
  - Critical
  - Proprietary
- Personally identifiable information(PII)(any information that can identify an individual(name,SSN,birthdate/place,biometric,records))
- Health information
- Financial information
- Government data
- Customer data
Privacy enhancing technologies
- Data minimization
- Data masking
- Tokenization
- Anonymization(process of removing all relevant data so that it is impossible to identify original subject or person)
- Pseudo-anonymization
Roles and responsibilities
- Data owners
- Data controller
- Data processor
- Data custodian/steward(An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures)
- Data protection officer(DPD)
Information life cycle
Impact assessment
Terms of agreement(protects the company)
Privacy notice(protects the customer)

Security+ (SY0-601) Acronym List

The following is a list of acronyms that appear on the Comptia Security+ exam Candidates are encouraged to review the complate list and attain a working knowledge of all listed acronyms as part of a comprehensive exam preparation program.

ACRONYM	DEFINITION
3DES	Triple Data Encryption
AAA	Authentication, Authorization, and Accounting
ABAC	Attribute-based Access Control
ACL	Access Control List
CSF	Cybersecurity Framework
CSIRT	Computer Security Incident Response Team
NIST	National Institute of Standards and Technology
RMF	Risk Management Framework
TTP	tactic, technique, or procedure
UEBA	User and Entity Behavior Analytics

Security+ Proposed Hardware and Software List

CompTIA has included this sample list of hardware and software to assist candidates as they prepare for the Security+ exam. This list may also be helpful for training companies that wish to create a lab component for their training offering. The bulleted lists below each topic are sample lists and are not exhaustive.

Hardware
Software
Other

Reference

CompTIA