Wednesday, June 21, 2017

CompTIA Security+ Terms to Remember: Chapter 3

Basic Connection Protocols:


TCP: Provides connection-oriented traffic (guaranteed delivery). It uses the three-way handshake: SYN > SYN/ACK > ACK.

UDP: Provides connectionless sessions (no three-way handshake). Audio and video streaming use it.

IP: Identifies hosts in a network and delivers traffic to them.

ICMP: Used for testing basic connectivity between two systems, by tools such as ping, pathping, and tracert.

ARP: Resolves IPv4 addresses to media access control (MAC) addresses. IP uses the IP address to route a packet to the destination network; once it arrives there, the MAC address is used to deliver it to the right host or device. NDP: Performs the same role as ARP for IPv6.


Encryption Protocols (Encrypts data in transit)


SSH: Secure Shell secures FTP traffic as SFTP.

SCP: Based on SSH and uses TCP port 22.

SSL: Encrypts HTTP traffic as HTTPS.

TLS: The replacement for SSL; it can be used in any application that used SSL, on the same port. When used with HTTPS, it uses TCP port 443.

IPsec: Used to encrypt traffic. It is native to IPv6 but can also be used with IPv4. IPsec creates secured tunnels for VPNs.


Application Protocols


HTTP and HTTPS use ports 80 and 443 and transmit data over the Internet in unencrypted and encrypted formats, respectively.

FTP supports uploading and downloading large files to and from an FTP server. FTP uses TCP ports 20 and 21, and TFTP uses UDP port 69.

SFTP uses SSH to encrypt FTP traffic and transmits it using port 22. FTPS uses SSL to encrypt FTP traffic.


Telnet is a legacy protocol administrators have used to connect to remote systems. It uses TCP port 23 and sends data in cleartext; SSH is the secure alternative. SNMP is used to manage and monitor network devices.

SMTP sends email on TCP port 25, POP3 receives email on port 110, and IMAP4 uses port 143.

Subnetting allows you to divide a classful network into two or more smaller networks. CIDR notation uses a forward slash and a number to identify the subnet mask.
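As an added example (not part of these notes), the Python below expands CIDR notation into the subnet mask and address range and divides a classful block into smaller subnets, using the standard ipaddress module. The 192.168.10.0/24 block and the host addresses are constructed sample values.

```python
import ipaddress

# Constructed sample block used throughout this example (not from the notes).
CLASS_C_BLOCK = "192.168.10.0/24"


def describe(cidr):
    """Expand CIDR notation into the mask, network, broadcast and usable host count."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        # the network and broadcast addresses cannot be assigned to hosts
        "usable_hosts": net.num_addresses - 2,
    }


def split(cidr, new_prefix):
    """Divide a network into equal-sized subnets with a longer prefix (e.g. /24 -> two /25s)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the original prefix")
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def same_subnet(cidr, host_a, host_b):
    """True when both hosts fall inside the given subnet, i.e. they can talk without a router."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(host_a) in net and ipaddress.ip_address(host_b) in net


if __name__ == "__main__":
    print(describe(CLASS_C_BLOCK))
    for subnet in split(CLASS_C_BLOCK, 26):
        print(subnet, describe(subnet)["usable_hosts"], "usable hosts")
    # two hosts that share a /24 but land in different /25s after subnetting
    print(same_subnet("192.168.10.0/25", "192.168.10.5", "192.168.10.200"))
```

The slash number is the count of leading one bits in the mask, so /24 is 255.255.255.0 and /26 is 255.255.255.192; each extra bit halves the host range.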

IPv6 has a significantly larger address space than IPv4. IPsec is built in to IPv6 and can encrypt any type of IPv6 traffic.

DNS zones include records such as A records for IPv4 addresses and AAAA records for IPv6 addresses. DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. Most Internet-based DNS servers run BIND software on Unix or Linux servers, and it is common to configure DNS servers to allow only secure zone transfers.

Administrators use ports to identify traffic they want to allow or block. For example, SSH, SCP, and SFTP all use TCP port 22 by default, so by configuring a firewall to allow traffic on port 22, they are allowing SSH, SCP, and SFTP traffic. Memorize the ports in Table 3.1 so that you can answer CompTIA Security+ port-related questions easily.

Loop protection such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected together.

You can create multiple VLANs with a single switch. A VLAN can logically group several different computers together, or logically separate computers, regardless of their physical location.

Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to a single specific MAC address. An 802.1X server provides port-based authentication, ensuring that only authorized clients can connect to a network. It prevents rogue devices from connecting.

Routers and packet-filtering firewalls perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list.


Host-based firewalls provide protection for individual hosts such as servers or workstations. A host-based firewall provides intrusion protection for the host. Linux systems support xtables for firewall capabilities. Network-based firewalls are often dedicated servers or appliances and provide protection for the network.


Firewalls use a deny any any, deny any, or drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that was not previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
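An added example, not from the notes or any vendor's firewall, showing how an ACL is evaluated: rules are checked top to bottom, the first match wins, and anything left unmatched is dropped by the implicit deny. It also shows that a single allow rule for TCP port 22 admits SSH, SCP and SFTP alike. The Rule class, the 203.0.113.x and 198.51.100.x addresses (documentation ranges) and the 10.0.0.0/8 internal range are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "any"
    src: str               # source network in CIDR notation, or "any"
    dst: str               # destination network in CIDR notation, or "any"
    dport: Optional[int]   # destination port; None matches any port


def _in_network(cidr, address):
    return cidr == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top to bottom; the first matching rule wins.

    If no rule matches, the packet is dropped: that is the implicit deny.
    Returns (decision, matching_rule); matching_rule is None for an implicit deny.
    """
    for rule in acl:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if not _in_network(rule.src, src) or not _in_network(rule.dst, dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule
    return "deny", None


# Constructed ACL protecting two hosts (addresses from documentation ranges, not real systems).
ACL = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 22),    # SSH, SCP and SFTP all ride on TCP 22
    Rule("allow", "tcp", "any", "203.0.113.20/32", 443),   # HTTPS
    Rule("allow", "tcp", "any", "203.0.113.20/32", 80),    # HTTP
    Rule("allow", "icmp", "10.0.0.0/8", "any", None),      # ping from the internal network only
]

# The same ACL with an explicit "deny any any" as its last line, as many firewalls require.
ACL_EXPLICIT_DENY = ACL + [Rule("deny", "any", "any", "any", None)]


def explain(acl, proto, src, dst, dport=None):
    """Human-readable verdict, naming the rule that matched or the implicit deny."""
    decision, rule = evaluate(acl, proto, src, dst, dport)
    why = "implicit deny (no rule matched)" if rule is None else f"rule {acl.index(rule) + 1}"
    return f"{proto} {src} -> {dst}:{dport} => {decision} ({why})"


if __name__ == "__main__":
    packets = [
        ("tcp", "198.51.100.5", "203.0.113.10", 22),    # SSH/SCP/SFTP: allowed by rule 1
        ("tcp", "198.51.100.5", "203.0.113.10", 23),    # Telnet: nothing allows it
        ("udp", "198.51.100.5", "203.0.113.20", 69),    # TFTP: nothing allows it
        ("icmp", "10.1.2.3", "203.0.113.20", None),     # ping from inside: allowed by rule 4
    ]
    for packet in packets:
        print(explain(ACL, *packet))
        print(explain(ACL_EXPLICIT_DENY, *packet))
```

With or without the trailing deny rule the Telnet and TFTP packets are dropped; the explicit line only makes the decision visible in the rule base and gives it a rule number to log against.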

Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks such as cross-site scripting.

A DMZ is a buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network.

NAT translates public IP addresses into private IP addresses, and private IP addresses into public IP addresses. A common form of NAT is port address translation (PAT). Dynamic NAT (DNAT) uses multiple public IP addresses, whereas PAT uses a single public IP address.

A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Proxy servers use URL filters to restrict access to certain sites, and can log user activities.


A web security gateway and unified threat management appliances both combine multiple security controls into a single appliance. They can inspect data streams and often include URL filtering, malware inspection, and content inspection components.

Thursday, June 8, 2017

CompTIA Security+ Terms to Remember: Chapter 2

Control Implementation Methods


Risk mitigation uses controls to reduce risk. There are three implementation methods: technical, management, and operational.

  • Technical controls use technology. (Firewalls, encryption, antivirus, IDS, and least privilege.)
  • Management controls use administrative or management methods.
  • Operational controls are implemented by people in day-to-day operations.
Technical controls use technology to reduce vulnerabilities. Some examples include encryption, antivirus, IDS, and least privilege. Technical physical and environmental security controls include motion detectors and fire suppression systems.


Management controls use planning and assessment to reduce and manage risk. Some examples are: risk assessments (quantify and qualify risk within an organization), vulnerability assessments (attempt to discover weaknesses), and penetration tests (exploit the vulnerabilities).

Operational controls ensure that day-to-day operations comply with the security plan. They deal with people, not technology. Examples: awareness and training, configuration and change management, contingency planning, media protection (flash drives), and physical and environmental protection.

Control Goals 


Preventive controls (before) attempt to prevent security incidents. Hardening systems strengthens a system's basic configuration to prevent incidents. Security guards can prevent unauthorized personnel from entering a secure area. Change management processes help prevent outages from configuration changes. An account disablement policy ensures that accounts are disabled when a user leaves the organization.

Detective controls attempt to detect (after) when vulnerabilities have been exploited. Some examples include log monitoring, trend analysis, security audits, and CCTV systems.

Deterrent controls attempt to discourage a threat. Computer cable locks and hardware locks are examples. When a thief sees a laptop with a cable lock, they will not steal it.

Compensating controls are alternative controls used instead of a primary control. Example: a company hires a person, and the smart card takes about a week to arrive. Employees normally use the smart card and a PIN to log in to computers; since the new person does not yet have a smart card, they are given a temporary hard token. It is still dual-factor authentication.

Door Access Systems



In the event of a fire, door access systems should allow personnel to exit the building without any form of authentication. Access points to data centers and server rooms should be limited to a single entrance and exit whenever possible.


Cipher locks require users to enter a code to gain access. It is important to provide training to users on the importance of keeping the code secure. This includes not giving it out to others and preventing shoulder surfers.


Proximity cards are credit card-sized access cards. Users pass the card near a proximity card reader, and the reader then reads the data on the card. Some access control points use proximity cards with PINs for authentication.


Door access systems include cipher locks, proximity cards, and biometrics. Cipher locks do not identify users. Proximity cards can identify and authenticate users when combined with a PIN. Biometrics can also identify and authenticate users.


Tailgating is a security violation that occurs when one user follows closely behind another without using credentials. Mantraps allow only a single person to pass at a time. Sophisticated mantraps can identify and authenticate individuals before allowing access.


Security guards are physical controls that can protect access to restricted areas. Security guards can be an effective deterrent to prevent tailgating. They can also check individuals' identification against a pre-approved access list.


Video Surveillance provides reliable proof of a person's location and activity. It can identify who enters and exits secure areas and can record theft of assets.


Barricades provide stronger barriers than fences and attempt to deter attackers. Bollards are effective barricades that can block vehicles.


Cable locks are effective threat deterrents for small equipment such as laptops and some workstations. When used properly, they prevent losses due to theft of small equipment.


Locking cabinets in server rooms provide an added physical security measure. A locked cabinet prevents unauthorized access to equipment mounted in server bays.


The principle of least privilege specifies that users are granted only the rights (such as the right to install something) and permissions (such as access to a folder) they need to perform their job. Need to know is similar to the principle of least privilege, but it deals only with data and information, which are protected by permissions (such as access to a folder).


Tuesday, June 6, 2017

CompTIA Security+ Terms to Remember: Chapter 1, Authentication Services

CompTIA Security+ Authentication Services

Comparing Authentication Services


Kerberos

Kerberos is a network authentication protocol used within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects, such as Active Directory, and a KDC (or TGT server) to issue time-stamped tickets that expire after a certain time period.


LDAP

LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=users and DC=oscar.com. Secure LDAP encrypts transmissions with SSL or TLS.


SSO

SSO enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user's entire session. SSO can provide central authentication against a federated database for different operating systems. SSO does not support authorization; it only supports identification and authentication.


SAML

SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.


Authenticating RAS Clients


PAP authentication uses a password or a PIN. Its weakness is that PAP sends the information across the network in cleartext, making it susceptible to sniffing attacks. CHAP is more secure than PAP because passwords are not sent over the network in cleartext. Both PAP and CHAP use PPP.
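Added example of the difference the notes describe, not code from the notes: a PAP request carries the password itself, while a CHAP exchange sends a challenge and an MD5 response computed from the shared secret (the response value follows RFC 1994: MD5 over Identifier, secret, Challenge), so the secret itself never crosses the wire. The packet framing strings and the shared secret are simplified, constructed values.

```python
import hashlib
import hmac
import os


def pap_request(username, password):
    """What PAP puts on the wire: the credentials themselves (simplified framing, constructed)."""
    return b"PAP " + username.encode() + b":" + password.encode()


def chap_response(identifier, secret, challenge):
    """CHAP Response Value: MD5 over Identifier || secret || Challenge Value (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(secret_on_client, secret_on_server, identifier=1, challenge=None):
    """Run one CHAP exchange; return (accepted, bytes that crossed the wire)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    # 1. Authenticator -> client: Challenge packet (random value, new for every exchange)
    challenge_packet = b"CHAP-CHALLENGE " + bytes([identifier]) + challenge
    # 2. Client -> authenticator: Response packet derived from the shared secret
    response = chap_response(identifier, secret_on_client, challenge)
    response_packet = b"CHAP-RESPONSE " + bytes([identifier]) + response
    # 3. Authenticator recomputes the expected value and compares in constant time
    expected = chap_response(identifier, secret_on_server, challenge)
    accepted = hmac.compare_digest(response, expected)
    return accepted, challenge_packet + response_packet


# Shared PPP secret assumed for this example (constructed, not from the notes).
SECRET = b"constructed-ppp-secret"


if __name__ == "__main__":
    pap = pap_request("alice", "s3cret")
    print("PAP exposes the password:", b"s3cret" in pap)            # True
    ok, wire = chap_exchange(SECRET, SECRET)
    print("CHAP accepted:", ok, "| secret visible on the wire:", SECRET in wire)
    print("CHAP with wrong secret accepted:", chap_exchange(b"guess", SECRET)[0])
```

Because every challenge is fresh, a captured CHAP response is useless for a later login; a captured PAP request is the password.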



RADIUS provides centralized authentication. Diameter is an improvement over RADIUS, and it supports many additional capabilities, including securing transmissions with EAP.


Friday, June 2, 2017

CompTIA Security+ Terms to Remember: Chapter 1

Integrity verifies that data has not been modified. Loss of integrity can occur through unauthorized changes. Hashing algorithms, such as MD5, HMAC, or SHA-1, calculate hashes to verify integrity.

A hash is simply a number created by applying an algorithm to a file. By comparing hashes, you can verify that the integrity of the file has been maintained.
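Added example (not from the notes): verifying a file's integrity by comparing hashes, and why a keyed HMAC is needed when whoever modified the file can also recompute a plain hash. The sample file bytes and the shared key are constructed; everything else is the Python standard library.

```python
import hashlib
import hmac


def file_hash(data, algorithm="sha256"):
    """Hex digest of a file's bytes with the named algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_matches(data, expected_hex, algorithm="sha256"):
    """Compare a freshly computed hash with a published one; any change to the data changes the hash."""
    return hmac.compare_digest(file_hash(data, algorithm), expected_hex.lower())


def hmac_tag(key, data):
    """HMAC-SHA256 over the data: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_matches(key, data, tag):
    return hmac.compare_digest(hmac_tag(key, data), tag)


if __name__ == "__main__":
    # Constructed sample "file" and a constructed shared key (not from the notes).
    original = b"allow 203.0.113.10 tcp 22\n"
    published = file_hash(original)
    tampered = original.replace(b"22", b"23")

    print("unchanged file verifies:", hash_matches(original, published))
    print("modified file verifies:", hash_matches(tampered, published))

    # A plain hash can be recomputed by whoever modified the file. An HMAC cannot
    # be recomputed without the key, so the tampering is still detected.
    key = b"constructed-shared-key"
    tag = hmac_tag(key, original)
    print("tampered file with attacker-recomputed hash:", hash_matches(tampered, file_hash(tampered)))
    print("tampered file against the original HMAC tag:", hmac_matches(key, tampered, tag))
```

hmac.compare_digest is used for every comparison so that the check takes the same time whether the digests differ in the first byte or the last.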

Digital signatures can verify the integrity of emails and files. Digital signatures require certificates (a PKI manages the certificates) and also provide authentication and non-repudiation (the sender cannot deny sending it later).

Availability ensures that systems stay available when needed and often addresses single points of failure (SPF). You can increase availability by adding fault tolerance and redundancies, such as RAID, failover clusters, backups and generators. HVAC cooling systems also increase availability.

Redundancy is adding a second server in case the first one fails, which provides fault tolerance. If the first server is down, the second takes over. Safety is another common goal of security, for example adding fences and lighting.


Layered security, or defense in depth, combines multiple layers of security, such as a firewall, an IDS, content filtering, and antivirus software.


Risk is the likelihood that a threat will exploit a vulnerability. Risk mitigation reduces the chances that a threat will exploit a vulnerability, or reduces the impact of the risk, by implementing security controls. Reducing risk is known as risk mitigation.


Identification occurs when a user claims an identity, such as with a username or email address. Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified. Access control systems authorize access to resources based on permissions granted to the proven identity.

Authentication Factors:


Something you know, such as a password or PIN.
Something you have, such as a smart card or USB token.
Something you are, such as a fingerprint.
Somewhere you are, such as a location determined by GPS.
Something you do, such as a gesture on a touch screen.


The first factor of authentication (something you know, such as a password or PIN) is the weakest factor. Passwords should be strong, changed regularly, never shared with another person, and stored in a safe place if written down. Technical methods (such as a technical password policy) ensure that users regularly change their passwords and don't reuse the same password.

Passwords


Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum length of eight characters. Users should change passwords every 45 to 90 days.



Before resetting passwords for users, it is important to verify the user's identity. When resetting passwords manually, it is better to create a temporary password that expires upon first use. You can combine password history with a minimum password age to prevent users from reusing the same password. A password history of 24 remembers the last 24 passwords.
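An added example, not code from the notes, that combines the rules above (strong passwords, password history, minimum and maximum age) into one enforcement routine. The 8-character minimum, the 24-entry history and the 90-day maximum come from the notes; the one-day minimum age and the "three of four character types" reading of "a mix of character types" are assumptions chosen for the example.

```python
import hashlib
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8                 # from the notes
HISTORY_SIZE = 24              # from the notes
MAX_AGE = timedelta(days=90)   # upper end of the 45-90 day range in the notes
MIN_AGE = timedelta(days=1)    # assumption for this example


def is_complex(password):
    """Complex: uses at least three of the four character types (assumed reading of 'a mix')."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def is_strong(password):
    """Strong: complex and at least MIN_LENGTH characters long."""
    return len(password) >= MIN_LENGTH and is_complex(password)


def _fingerprint(password):
    # History is kept as hashes, never as plaintext. A real system would use a slow,
    # salted password hash here; plain SHA-256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordAccount:
    def __init__(self):
        self.history = []        # fingerprints of previous passwords, oldest first
        self.last_change = None

    def change_password(self, new_password, now):
        """Apply the strength, minimum-age and history rules; return (accepted, reason)."""
        if not is_strong(new_password):
            return False, "not strong: needs 8+ characters and a mix of character types"
        if self.last_change is not None and now - self.last_change < MIN_AGE:
            return False, "minimum age not reached: cannot change again yet"
        fp = _fingerprint(new_password)
        if fp in self.history:
            return False, f"reuses one of the last {HISTORY_SIZE} passwords"
        self.history.append(fp)
        self.history = self.history[-HISTORY_SIZE:]   # remember only the last 24
        self.last_change = now
        return True, "accepted"

    def is_expired(self, now):
        """True when the password is older than MAX_AGE (or was never set)."""
        return self.last_change is None or now - self.last_change > MAX_AGE


if __name__ == "__main__":
    acct = PasswordAccount()
    day0 = datetime(2017, 6, 1)
    print(acct.change_password("Tr0ub4dor&3", day0))
    print(acct.change_password("Pa55word!x", day0 + timedelta(hours=2)))   # too soon
    print(acct.change_password("Tr0ub4dor&3", day0 + timedelta(days=2)))   # reuse
    print(acct.is_expired(day0 + timedelta(days=91)))
```

The minimum age is what gives the history its teeth: without it a user can cycle through 24 throwaway passwords in a minute and land back on the original.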

Biometrics or Something You are


Smart cards are often used with dual-factor authentication, where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access to secure locations and to log on to computer systems.

Biometric Errors:


False acceptance: This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.

False Rejection: This is when a biometric system incorrectly rejects an authorized user.
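Added example, not from the notes, that computes both error rates from a set of match scores at a chosen decision threshold, showing that raising the threshold lowers false acceptance but raises false rejection. The similarity scores are constructed, not measurements from any real biometric device.

```python
def far_frr(genuine_scores, impostor_scores, threshold):
    """Error rates at one decision threshold.

    A match is accepted when its similarity score is >= threshold.
    FAR: impostor attempts wrongly accepted / all impostor attempts.
    FRR: genuine attempts wrongly rejected / all genuine attempts.
    """
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def tradeoff_table(genuine_scores, impostor_scores, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold, to see the trade-off at a glance."""
    return [(t, *far_frr(genuine_scores, impostor_scores, t)) for t in thresholds]


# Constructed similarity scores (0 = no match, 1 = perfect match); not data from any device.
GENUINE = [0.92, 0.88, 0.75, 0.95, 0.60, 0.83, 0.91, 0.70, 0.87, 0.79]   # enrolled users
IMPOSTOR = [0.20, 0.35, 0.62, 0.15, 0.48, 0.71, 0.30, 0.55, 0.40, 0.25]  # unauthorized users

if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE, IMPOSTOR, [0.50, 0.65, 0.80]):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
```

A door to a server room would be tuned toward the high threshold (few false acceptances, more retries for legitimate staff); a convenience feature would be tuned the other way.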

Using two or more methods from the same factor of authentication (such as a PIN and a password) is still single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as a USB token and a PIN. Multifactor authentication uses two or more factors.


HOTP vs TOTP


HOTP and TOTP are both open standards used to create one-time-use passwords. HOTP creates a one-time-use password that does not expire until you log in. TOTP creates a one-time password that expires after 30 seconds.

Something you are is the strongest individual method of authentication because it is the most difficult for an attacker to falsify. Biometric methods include fingerprint readers, retina scans, and palm scanners.