TOTAL: CompTIA Security+ Certification (SY0-601)
Welcome to the TOTAL: CompTIA Security+ Certification (SY0-601), a course from the production studios of Total Seminars with subject matter experts Mike Meyers and Dan Lachance.
This course covers everything you need to know to pass your CompTIA Security+ (SY0-601) certification exam. With over 17 hours of in-depth and fascinating content and 125 video lectures, this course will not only make you a good IT security tech, but make sure you are ready to pass the CompTIA Security+ exam. Mike Meyers is the President of Total Seminars and well known as the “Alpha Geek”. Mike is widely known as the #1 CompTIA author and instructor with over 1 million books in print. Dan Lachance is a highly motivated and passionate IT evangelist. He is a consultant, trainer, and author with over 20 years of experience in the IT security industry.
This course shows you how to:
- Apply the three “A’s” of security: authentication, authorization, and accounting
- Scan your wired or wireless network and assess it for various weaknesses
- Use cryptography to assure integrity of data through hashing and confidentiality of data through symmetric/asymmetric cryptosystems and public key infrastructure (PKI)
- Understand critical concepts in risk management, like setting up alerts, responding to incidents, and mitigating vulnerabilities
- Identify how hackers are trying to get into your network, IT infrastructure, and physical assets and how security techs help prevent those breaches
- Prevent attacks ranging from simple malware to sophisticated exploits to social engineering that takes advantage of people’s trust, relationships, and lack of knowledge
- Apply the techniques used in penetration testing, including passive and active reconnaissance
- Secure an enterprise environment, including creating incident response, business continuity, and disaster recovery plans
WHY SHOULD I TAKE THIS COURSE?
Total Seminars has an excellent reputation in the IT training industry, offering a wide variety of training tools. This course’s subject matter experts, Mike Meyers and Dan Lachance, have a combined 50+ years of experience. Mike has created training materials for thousands of schools, corporations, and government agencies, and has taught numerous seminars for the FBI, DEA, and many other corporate partners; he also wrote several bestselling CompTIA certification guides. Dan is the owner of Lachance IT Consulting, Inc. and has taught many online IT training courses in addition to his work as a network and server consultant and IT security auditor.
This course will also prepare you for the CompTIA Security+ exam, which is an industry-standard certification, compliant with ISO 17024 standards, accredited by ANSI, and approved by the U.S. Department of Defense.
The average beginner IT security salary is $74,000, and an information security analyst can make as much as $117,000 starting out. If you’re looking to advance your career, this certification is a great place to start. 96% of HR managers use IT certifications as screening or hiring criteria during recruitment.
WHAT’S COVERED?
The course covers all the CompTIA Security+ (SY0-601) objective domains:
- Threats, Attacks, and Vulnerabilities (24%)
- Architecture and Design (21%)
- Implementation (25%)
- Operations and Incident Response (16%)
- Governance, Risk, and Compliance (14%)
EXAM INFO
- Exam code: SY0-601
- Max. 90 questions (performance-based and multiple choice)
- Length of exam: 90 minutes
- Passing score: 750 (on a scale of 100-900)
- Exam voucher cost: $349 USD (be sure to go to Total Seminars’ website for discount vouchers!)
- Recommended experience: CompTIA Network+ and two years of experience in IT administration with a security focus
- Testing provider: Pearson VUE (in-person and online at-home options available)
HOW DO I TAKE THE COMPTIA SECURITY+ EXAM?
Buy an exam voucher (get your discount voucher at Total Seminars’ website), schedule your exam on the Pearson VUE Web site, then take the exam at a qualifying Pearson VUE testing center or virtually using their OnVue option.
- Schedule through a testing center: pearsonvue.com
- Schedule an at-home (or at-work) exam: onvue.com
WHAT KIND OF JOB CAN I GET WITH A COMPTIA SECURITY+ CERTIFICATION?
- Security or systems administrator
- Security engineer/analyst
- Security IT auditor
- IT project manager
- Beginner cybersecurity specialist
- Junior IT auditor
- Junior penetration tester
CURRICULUM
- 1. Introduction to CompTIA Security+ SY0-601 (Video lesson)
  In this introduction Mike and Dan talk about the course and what you will learn.
- 2. About the CompTIA Security+ SY0-601 Exam (Video lesson)
  In this video Mike Meyers and Dan Lachance discuss the details of what is on the CompTIA Security+ SY0-601 exam.
- 3. Defining Risk (Video lesson)
  Managing risk involves identifying threat actors from script kiddies to state-sponsored attackers. Mitigating threats is achieved by identifying assets and putting security controls in place to mitigate risks.
- 4. Threats and Vulnerabilities (Video lesson)
  The CIA security triad (confidentiality, integrity and availability) describes how solutions such as encryption, hashing, and data backups can address potential attack vectors that might be exploited by threat actors.
- 5. Threat Intelligence (Video lesson)
  With the ever-changing IT threat landscape, how can you keep up with the latest security issues? Threat intelligence refers to the wide variety of open-source intelligence (OSINT) and proprietary IT security sources that use standards such as STIX and TAXII for cybersecurity intelligence sharing.
- 6. Risk Management Concepts (Video lesson)
  A risk management framework aids in identifying and managing risk and is sometimes required for compliance with data privacy regulations such as GDPR and HIPAA. Organization security policies are often influenced by data privacy regulations.
- 7. Security Controls (Video lesson)
  Various security standards such as PCI DSS and the Cloud Controls Matrix (CCM) define what types of security controls to put in place to mitigate risk both on-premises and in the cloud. The specific type of attack vector determines whether managerial, operational, or technical controls should be deployed.
- 8. Risk Assessments and Treatments (Video lesson)
  How can you determine whether assets are adequately protected from threats? One way is to run periodic risk assessments that address the ever-changing threat landscape and define the likelihood and impact of security incidents.
- 9. Quantitative Risk Assessments (Video lesson)
  Is the cost of a security control justified? A quantitative risk assessment uses various calculations against an asset to determine the maximum yearly spend for protecting that asset.
- 10. Qualitative Risk Assessments (Video lesson)
  The same risk can have a different impact on various organizations. Qualitative risk assessments use subjective priority ratings for risks rather than dollar values.
- 11. Business Impact Analysis (Video lesson)
  In addition to deploying effective security controls to protect assets, what can be done to ensure business continuity in the event of a security incident? A business impact analysis involves proactive planning to help reduce downtime and data loss when negative events occur.
- 12. Data Types and Roles (Video lesson)
  Protecting personally identifiable information, or PII, is crucial and required by security regulations such as GDPR, but of the vast amounts of data in an organization, how do you know which data is sensitive? The answer is through data roles and responsibilities assigned to personnel in conjunction with data discovery and classification tools on-premises and in the cloud.
- 13. Security and the Information Life Cycle (Video lesson)
  Security must be applied to all phases of the information life cycle, from collection to its eventual archiving and deletion. This includes data security techniques such as tokenization and masking while considering how laws apply to data based on its location (data sovereignty).
- 14. Data Destruction (Video lesson)
  Digital data resides on physical storage devices. Secure storage media disposal mechanisms, such as shredding, cryptographic erasure, degaussing, and disk wiping, must be put in place to ensure sensitive data cannot be retrieved by unauthorized users.
- 15. Personnel Risk and Policies (Video lesson)
  Hiring the right employees and contractors for the job always matters. Enacting internal security controls such as background checks, mandatory vacations, job rotation, and separation of duties goes a long way in ensuring the integrity of business processes.
- 16. Third-Party Risk Management (Video lesson)
  Some business activities cannot be completed entirely within an organization and must be outsourced. Ensuring that proper security safeguards are in place throughout the hardware, software, and personnel supply chain results in properly secured data, such as through data loss prevention (DLP) tools.
- 17. Agreement Types (Video lesson)
  When organizations enter into business partnerships with third-party service providers, the agreements and contracts they both sign protect both organizations legally, as well as establish the terms of service. This episode covers the various types of business agreements.
- 18. Chapter 1 Exam Question Review (Video lesson)
  Threats are executed by a variety of different threat actors, each type having a different motivation for executing attacks. This episode presents a scenario where the correct type of threat actor must be selected.
- 19. Wiping Disks with the dd Command Lab (Video lesson)
  When storage media has reached the end of its useful life, data must be wiped from it in a secure manner, which can include using some built-in operating system tools. Linux administrators can use the dd command to wipe disk partitions by overwriting them with random data.
- 20. Chapter 1 Ask Me Anything (AMA) (Video lesson)
  The use of social media platforms has skyrocketed in recent years. Organizations must take the appropriate steps to ensure that sensitive data is not leaked through this mechanism.
- 21. Chapter 1 Quiz (Quiz)
- 22. Cryptography Basics (Video lesson)
  Cryptography is the practice of disguising information in a way that looks random. This episode explores the history of cryptography and how it has evolved into the complex systems today.
- 23. Data Protection (Video lesson)
  Data are not all the same. Whether data are at rest, in use, or in transit will affect how you can best secure them.
- 24. Cryptographic Methods (Video lesson)
  This episode introduces various methods used to protect the critical keys in cryptography that keep communication secure.
- 25. Symmetric Cryptosystems (Video lesson)
  In this episode, Mike describes encrypting and decrypting data with the same key. He also covers how symmetric algorithms can either be block or streaming and use various types of ciphers depending on which one is used.
- 26. Symmetric Block Modes (Video lesson)
  Symmetric block algorithms have limitations depending on which kind of cipher is used. This episode explores the different block modes.
- 27. Asymmetric Cryptosystems (Video lesson)
  In this episode, Mike describes encrypting and decrypting data with different keys and the magic that happens when key pairs are generated.
- 28. Diffie-Hellman (Video lesson)
  Learn about the Diffie-Hellman key exchange agreement and the methods used in this very complex algorithm.
- 29. Hashing (Video lesson)
  Hashes provide assurance of data integrity using fascinating mathematical calculations. Passwords are a very common use for hashing.
- 30. Understanding Digital Certificates (Video lesson)
  Digital certificates are used in many different places to verify the identity of a public key owner. They can also include verification from third parties for an added layer of security.
- 31. Trust Models (Video lesson)
  Web of trust is a mostly outdated method of proving identities; however, it is helpful to understand as the predecessor of public key infrastructure (PKI), which is widely used today.
- 32. Public Key Infrastructure (Video lesson)
  In this episode, Mike discusses public key infrastructure (PKI), used to enable commerce and other secure activities over the Internet.
- 33. Certificate Types (Video lesson)
  Mike reviews different types of certificates including Web, e-mail, code-signing, machine/computer, and user.
- 34. Touring Certificates (Video lesson)
  Mike tours various certificates in this episode.
- 35. Cryptographic Attacks (Video lesson)
  In this episode, Mike explains how encrypted information is at risk and explores ways to protect it.
- 36. Password Cracking (Video lesson)
  Passwords are often stored in hash format but can still be susceptible to attacks. The various password attacks include brute force, dictionary, and rainbow table. Salting and key stretching add another layer of security to hashed passwords.
- 37. Password Cracking Demo (Video lesson)
  Dan demonstrates how to use a password cracking tool to turn hashed passwords into cleartext.
- 38. Chapter 2 Exam Question Review (Video lesson)
  Protecting sensitive data can be done using many techniques. In this episode, the viewer is tested on the best security control for a given scenario.
- 39. SSH Public Key Authentication Lab (Video lesson)
  Multifactor authentication should always be used for administrative accounts. In this demo, SSH public key authentication is configured for a Linux host.
- 40. Chapter 2 Ask Me Anything (AMA) (Video lesson)
  Digital cryptocurrencies provide a centralized public way to pay for goods and services. This video explains the relationship between cryptocurrency, public ledgers and the blockchain.
- 41. Chapter 2 Quiz (Quiz)
- 42. Identification, Authentication, and Authorization (Video lesson)
  Authorization to access resources occurs after the successful proving of one’s identity through authentication.
- 43. Enabling Multifactor Authentication (Video lesson)
  Multifactor authentication (MFA) hardens user sign-in by requiring more than one factor, or category of authentication, such as something you know combined with something you have.
- 44. Authorization (Video lesson)
  What role does authorization play in identity and access management (IAM)? Authorization relates to resource permissions granted to a security principal such as a user or device.
- 45. Accounting (Video lesson)
  The 3 As (authentication, authorization, and accounting/auditing) play a big role in IT security. Tracking activity through auditing provides accountability for access to resources such as files on a file server or database rows.
- 46. Authentication Methods (Video lesson)
  Have you ever had trouble remembering usernames and passwords for multiple web apps? Password vaults serve as a protected credential repository in addition to common authentication methods such as one-time password codes, certificate-based authentication and SSH public key authentication.
- 47. Access Control Schemes (Video lesson)
  Controlling access to resources begins with policies governing how credentials are managed. Permissions to use resources can be configured through attribute-based access control (ABAC), role-based access control (RBAC), discretionary access control (DAC), and, for high-security environments, mandatory access control (MAC).
- 48. Account Management (Video lesson)
  Accountability for resource access is possible only with people using their own unique user accounts where the principle of least privilege has been applied, ideally through group-assigned permissions. Account policies can determine conditions that allow or deny resource access, such as the location of a user.
- 49. Network Authentication (Video lesson)
  Older network authentication protocols such as password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) have been deprecated in favor of protocols such as Kerberos and extensible authentication protocol (EAP). Variations of the RADIUS authentication protocol are still used to authenticate users and devices to networks.
- 50. Identity Management Systems (Video lesson)
  How can authentication be removed from individual apps? The answer is identity federation, which uses a centralized identity provider that is trusted by resources, such as Web apps, and can also support single sign-on (SSO).
- 51. Chapter 3 Exam Question Review (Video lesson)
  There are a variety of ways in which user authentication can be implemented prior to allowing the user access to the Internet. This question presents a scenario that requires a user to sign off on the terms of agreement before gaining Internet access.
- 52. Creating Linux Users and Groups Lab (Video lesson)
  User and group management in Linux can be performed at the command line. This demo makes use of the useradd and groupadd commands to create authentication identities.
- 53. Chapter 3 Ask Me Anything (AMA) (Video lesson)
  Authentication can be configured and managed within a single organization to control access to IT resources. This episode covers identity federation and its relationship to identity and resource providers.
- 54. Chapter 3 Quiz (Quiz)
- 55. Touring the CLI (Video lesson)
  The command-line interface (CLI) allows technicians to interact with Windows, Linux, and macOS systems by typing in commands such as ping and ipconfig. Windows uses a command prompt, macOS uses a terminal shell, and Linux can use a variety of shells including bash. Microsoft PowerShell is an object-oriented CLI supported on Windows, Linux, and macOS.
- 56. Shells (Video lesson)
  Shells, such as a Linux bash shell or a Windows command prompt, allow technicians to enter commands. Reverse shells are the result of infected victim machines that reach out to an attacker station.
- 57. The Windows Command Line (Video lesson)
- 58. Microsoft PowerShell (Video lesson)
  Is there a better way to automate operating system commands than through scripts and text manipulation? Yes! Microsoft PowerShell is an object-oriented cross-platform command environment that uses a verb-noun type of syntax, such as with the Get-Service cmdlet.
- 59. Linux Shells (Video lesson)
  A Linux shell is a case-sensitive command line environment that supports scripting and comes in various flavors including bash, Korn and C shells.
- 60. Python Scripts (Video lesson)
  Python is a multi-platform case-sensitive scripting language that requires a Python interpreter to be installed.
- 61. Windows Command-Line Tools (Video lesson)
  Security technicians must be comfortable with Windows commands for standard maintenance and security tasks using commands such as ping, netstat, and icacls.
- 62. Linux Command-Line Tools (Video lesson)
  Security technicians must be comfortable with Linux commands for standard maintenance and security tasks using commands such as head, tail, grep, dig, and setting file system permissions with chmod.
- 63. Network Scanners (Video lesson)
  How do attackers discover networks and hosts? Network scanners such as Nmap are used by attackers as well as legitimate security technicians to perform network reconnaissance.
- 64. Network Scanning with Nmap (Video lesson)
  Nmap is the most commonly used network scanning tool. Scans can be saved as XML files. Nmap can be used at the command line but it also has a frontend GUI named Zenmap.
- 65. Network Protocol Analyzers (Video lesson)
  Network traffic can be captured, saved, and analyzed using a properly placed hardware or software network protocol analyzer such as the free Wireshark tool. Capture analysis can result in identifying indicators of compromise or the use of insecure protocols.
- 66. Using Wireshark to Analyze Network Traffic (Video lesson)
  Wireshark is a free open-source network traffic analyzer that can capture, analyze, filter, and save captured network packets.
- 67. Using tcpdump to Analyze Network Traffic (Video lesson)
  tcpdump is a built-in Unix and Linux command-line tool that can capture, analyze, filter, and save captured network packets.
- 68. Log Files (Video lesson)
  Log files can provide valuable insights related to suspicious network, host or application activity, but only if log file integrity can be ensured. Centralized logging in the enterprise on a secured logging host ensures an accurate copy of log files can be used for security and performance analysis.
- 69. Centralized Logging (Video lesson)
  Network infrastructure and host and application logs can be stored centrally such as with Linux or Windows log forwarding. This can then be fed into a centralized log ingestion and analysis system, otherwise called a SIEM.
- 70. Configuring Linux Log Forwarding (Video lesson)
  Centralized Linux log hosts can be configured using the rsyslog daemon on Linux hosts.
- 71. Chapter 4 Exam Question Review (Video lesson)
  Managing Linux host authentication can involve the use of many command-line utilities. This episode focuses on the sequence of steps needed to enable SSH public key authentication.
- 72. Linux Shell Script Lab (Video lesson)
  Shell scripts contain Linux commands that can be invoked simply by calling upon the script name. In this demo, a simple utility menu loop is created in a bash shell script.
- 73. Nmap Lab (Video lesson)
  IT network reconnaissance begins with discovering hosts and services on the network. This episode uses the nmap command to map out hosts on the network.
- 74. Chapter 4 Ask Me Anything (AMA) (Video lesson)
  Malware is malicious software that comes in many different shapes and sizes. This episode tackles examples of malicious code and how it relates to Visual Basic for Applications (VBA).
- 75. Chapter 4 Quiz (Quiz)
- 76. Malware (Video lesson)
  Malicious software is referred to as malware and comes in various types, including ransomware, fileless viruses, worms, keyloggers, and trojan horses. Infected computers that periodically contact command and control servers are called bots or zombies.
- 77. Weak Configurations (Video lesson)
  A lack of secure configurations for networks, devices, and hosts results in an increased attack surface. Default settings, especially credentials, should not be used. Deprecated security protocols such as WEP and SSL should also be avoided.
- 78. Common Attacks (Video lesson)
  Staying up-to-date with the latest types of security attacks is a form of attack mitigation. Keeping systems hardened helps protect against zero-day attacks. Software developers must adhere to secure coding practices to ensure deployed code does not contain security flaws.
- 79. Driver and Overflow Attacks (Video lesson)
  Malicious actors can trick victims into installing malicious code such as driver shims. Software programming flaws related to memory allocation can result in security threats. Secure coding, patching, and user awareness go a long way in mitigating these types of security issues.
- 80. Password Attacks (Video lesson)
  Username and password authentication remains common, as do related dictionary and brute-force attacks. Account lockout thresholds can mitigate password attacks other than password spraying attacks.
- 81. Bots and Botnets (Video lesson)
  Distributed Denial of Service (DDoS) attacks use collections of infected bots, or zombies in a botnet, to flood victim hosts or networks. Bots periodically contact a malicious user-controlled command and control server.
- 82. Disk RAID Levels (Video lesson)
  Data availability, including through disk redundancy, is an aspect of IT security. There are various RAID levels that organize physical disks together to provide performance and/or fault-tolerance benefits.
- 83. Securing Hardware (Video lesson)
  All IT solutions, in the end, run on hardware somewhere. Restricting physical access to IT hardware, such as through locked server rooms, and encryption of data at rest provide a layer of security.
- 84. Securing Endpoints (Video lesson)
  In the enterprise, endpoint detection and response solutions report to a centralized SIEM solution when abnormal activity, including malware, is detected on hosts and devices. Intrusion detection and prevention systems (IDS/IPS) are the engine for this type of solution and can be configured with allow/deny lists.
- 85. Chapter 5 Exam Question Review (Video lesson)
  Monitoring the network for intrusions is paramount to ensure a timely mitigation. This episode presents a monitoring scenario that requires the viewer to identify which type of attack took place.
- 86. Linux Software RAID Lab (Video lesson)
  RAID configurations can enhance the performance and availability of stored data, depending on the level of RAID used. In this demo, software RAID level 1 (disk mirroring) is configured in Linux.
- 87. Chapter 5 Ask Me Anything (AMA) (Video lesson)
  Securing hosts properly should involve both a proactive and a reactive approach. This episode discusses what can be done about zero-day attacks.
- 88. Chapter 5 Quiz (Quiz)