356 97 25MB
English Pages [851] Year 2019
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: i
ALL IN ONE
CASP+
®
CompTIA Advanced Security Practitioner Certification EXAM GUIDE Second Edition (Exam CAS-003)
00-FM.indd 1
13/03/19 1:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: ii
This page intentionally left blank
00-FM.indd 2
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: iii
ALL IN ONE
CASP+
®
CompTIA Advanced Security Practitioner Certification EXAM GUIDE Second Edition (Exam CAS-003)
Nicholas Lane, Wm. Arthur Conklin, Gregory White, Dwayne Williams
New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto
McGraw-Hill Education is an independent entity from CompTIA®. This publication and accompanying media may be used in assisting students to prepare for the CASP+® CompTIA Advanced Security Practitioner exam. Neither CompTIA nor McGraw-Hill Education warrants that use of this publication and accompanying media will ensure passing any exam. CompTIA and CASP+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.
00-FM.indd 3
13/03/19 1:18 PM
Copyright © 2019 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-1-26-044134-5 MHID: 1-26-044134-2 The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-044133-8, MHID: 1-26-044133-4. eBook conversion by codeMantra Version 1.0 All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com. TERMS OF USE This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: v
I must thank my wife, Tiffany, for managing our home, children, and all the homework during this long project. This would be a challenging endeavor for anyone, especially while pregnant. Without her, this book could not have happened. —Nicholas Lane I would like to thank my wife, best friend, muse, and love, Susan, for all the sacrifices she has made as I “appropriated” family time to play cat herder one more time. Without her support, I could not accomplish half of what I do. —Art Conklin, Ph.D. I need to thank my wife, Charlan, for all of the support and encouragement she has provided throughout not just this book, but all of our over thirty years together. It keeps getting better and I owe that to her. —Gregory White, Ph.D. Thanks to my loving wife, Leah, for all her love, support, and understanding. And to my children for forgiving Daddy when he often missed that last book before bedtime. —Dwayne Williams
00-FM.indd 5
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: vi
This page intentionally left blank
00-FM.indd 6
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: vii
ABOUT THE AUTHORS Nicholas Lane is an award-winning technical instructor at New Horizons Computer Learning Centers and a practitioner with 20 years of experience in the technology industry. At the 2018 Hacker Halted conference by EC-Council, Lane was recognized as one of the top 5 EC-Council security instructors in North America. He has delivered advanced security certification training to all branches of the military and government, including the FBI and DoD. He is a member of InfraGard, which is a partnership between the FBI and the private sector in pursuance of national security objectives for U.S. critical infrastructure. As a member of CompTIA’s Network+ Advisory Committee, Lane has the distinction of being one of the designers of CompTIA’s Network+ certification. He was a contributing author to McGraw-Hill Education’s CompTIA Cloud+ Certification Study Guide, Second Edition (Exam CV0-002). He is a speaker at technology conference events and is a certification blogger for CompTIA. Lane also serves on CompTIA’s Instructor Network Advisory Committee, which provides instructor and certification resources to thousands of instructors worldwide. He holds numerous certifications, including CISSP, CEH, CEI, MCT, MCSE, CASP+, MCITP, Security+, and others. Wm. Arthur Conklin is an associate professor in the College of Technology at the University of Houston. He is also the Director for the Center for Information Security Research and Education. Conklin has a terminal degree from the Naval Postgraduate School in electrical engineering and a Ph.D. from the University of Texas at San Antonio in business administration. He currently holds Security+, CASP+, CISSP, CSSLP, CRISC, CSDP, and DFCP certifications. Conklin’s research interests lie in the areas of software assurance and the application of systems theory to security issues associated with critical infrastructures. His dissertation was on the motivating factors for home users in adopting security on their own PCs. He has coauthored five books on information security and has written and presented numerous conference and academic journal papers. He has over 10 years of teaching experience at the college level and has assisted in building two information security programs that have been recognized by the NSA and DHS as Centers of Academic Excellence in Information Assurance Education. A former U.S. Navy officer, he was also previously the Technical Director at the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the U.S. Air Force and 11 years in the Air Force Reserves before retiring after a combined 30 years of service. He obtained his Ph.D. in computer science from Texas A&M University in 1995. His dissertation topic was in the area of computer network intrusion detection, and he continues to conduct research in this area today. He is currently the Director for the Center for Infrastructure Assurance and Security and is an associate professor of computer science at the University of Texas
00-FM.indd 7
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM Blind Folio: viii
at San Antonio. White has written and presented numerous articles and conference papers on security. He is also the coauthor of five textbooks on computer and network security and has written chapters for two other security books. White continues to be active in security research. His current research initiatives include efforts in high-speed intrusion detection, community infrastructure protection, and visualization of community and organization security postures and incident response. Dwayne Williams is Associate Director, Special Projects for the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio and has over 18 years of experience in information systems and network security. Williams’ experience includes six years of commissioned military service as a Communications-Computer Information Systems Officer in the U.S. Air Force, specializing in network security, corporate information protection, intrusion detection systems, incident response, and VPN technology. Prior to joining the CIAS, he served as Director of Consulting for SecureLogix Corporation, where he directed and provided security assessment and integration services to Fortune 100, government, public utility, oil and gas, financial, and technology clients. Williams graduated in 1993 from Baylor University with a Bachelor of Arts in computer science. Williams is a Certified Information Systems Security Professional (CISSP) and coauthor of McGraw-Hill Education’s CompTIA Security+ All-in-One Exam Guide and Sams’s Voice and Data Security.
About the Technical Editor
Daniel Lachance, CompTIA Cloud+, CompTIA Server+, CompTIA A+, CompTIA Network+, CompTIA Security+, MCT, MCSA, MCITP, MCTS, is the owner of Lachance IT Consulting, Inc., based in Halifax, Nova Scotia. Dan has delivered technical IT training for a wide variety of products for more than 20 years. He has recorded IT support videos related to security and various cloud-computing platforms. Dan has developed custom applications and planned, implemented, troubleshot, and documented various network configurations and conducted network security audits. Dan has worked as a technical editor on a number of certification books and has authored several books, including CompTIA Server+ Certification All-in-One Exam Guide (Exam SK0-004) and CompTIA Security+ Certification Practice Exams, Second Edition (Exam SY0-401). When not performing with the Halifax-based cover band Clusterfunk, Dan loves being around family and spending time outdoors.
00-FM.indd 8
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CONTENTS AT A GLANCE
Part I
Risk Management
Chapter 1
Security Influences and Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2
Security Policies and Procedures.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Chapter 3
Risk Mitigation, Strategies, and Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Chapter 4
Risk Metrics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Part II Enterprise Security Architecture Chapter 5
Network Security Components, Concepts, and Architectures. . . . . . . 151
Chapter 6
Security Controls for Host Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Chapter 7
Mobile Security Controls.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Chapter 8
Software Vulnerabilities and Security Controls. . . . . . . . . . . . . . . . . . . . . . . . 309
Part III Enterprise Security Operations Chapter 9
Security Assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Chapter 10 Security Assessment Tools.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Chapter 11 Incident Response and Recovery Procedures.. . . . . . . . . . . . . . . . . . . . . . . . . 417
Part IV Technical Integration of Enterprise Security Chapter 12 Hosts, Storage, Networks, and Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Chapter 13 Cloud and Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Chapter 14 Authentication and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 Chapter 15 Cryptographic Techniques.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583 Chapter 16 Securing Communications and Collaboration.. . . . . . . . . . . . . . . . . . . . . . . . 629
Part V Research, Development, and Collaboration Chapter 17 Research Methods and Industry Trends. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657 Chapter 18 Technology Life Cycles and Security Activities. . . . . . . . . . . . . . . . . . . . . . . . 689
ix
00-FM.indd 9
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
x
Chapter 19 Business Unit Interactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
00-FM.indd 10
Appendix
About the Online Content. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Index.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CONTENTS Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi Exam CAS-003 Objective Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Part I Chapter 1
Risk Management Security Influences and Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Risk Management of New Products, New Technologies, and User Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 New or Changing Business Models and Strategies . . . . . . . . . . . . . . 8 Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Managed Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Acquisitions, Mergers, Divestitures, and Demergers . . . . . . . 12 Security Concerns of Interconnecting Diverse Industries . . . . . . . . . 13 Rules, Policies, and Regulations . . . . . . . . . . . . . . . . . . . . . . . 14 Export Controls and Legal Requirements . . . . . . . . . . . . . . . 20 Geography, Data Sovereignty, and Jurisdictions . . . . . . . . . . . 21 Internal and External Influences . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Competitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Audit Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Regulatory Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Top-Level Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Impact of Deperimeterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Telecommuting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Mobile and Bring Your Own Device (BYOD) . . . . . . . . . . . . 26 Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Ensuring Third-Party Providers Have Requisite Levels of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Enterprise Standard Operating Environment . . . . . . . . . . . . . 28 Personally Managed Devices . . . . . . . . . . . . . . . . . . . . . . . . . 28 Merging SOE and Personal Device Networks . . . . . . . . . . . . 29 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 xi
00-FM.indd 11
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xii
Chapter 2
00-FM.indd 12
Security Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Policy and Process Life Cycle Management . . . . . . . . . . . . . . . . . . . 42 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Policy Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 New Business and Environmental Changes . . . . . . . . . . . . . . 53 Support Legal Compliance and Advocacy by Partnering with HR, Legal, Management, and Other Entities . . . . . . . . . . . . . . . . . . . 58 Understand Common Business Documents to Support Security . . . 58 Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Business Impact Analysis (BIA) . . . . . . . . . . . . . . . . . . . . . . . 58 Interoperability Agreement (IA) . . . . . . . . . . . . . . . . . . . . . . . 59 Operating Level Agreement (OLA) . . . . . . . . . . . . . . . . . . . . 60 Nondisclosure Agreement (NDA) . . . . . . . . . . . . . . . . . . . . . 60 Master Service Agreement (MSA) . . . . . . . . . . . . . . . . . . . . . 60 Research Security Requirements for Contracts . . . . . . . . . . . . . . . . 61 Request for Proposal (RFP) . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Request for Quote (RFQ) . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Request for Information (RFI) . . . . . . . . . . . . . . . . . . . . . . . . 62 Understand General Privacy Principles for Sensitive Information . . . . 62 Support the Development of Policies Containing Standard Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Separation of Duties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Job Rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Mandatory Vacation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Least Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Forensic Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Employment and Termination Procedures . . . . . . . . . . . . . . . 66 Continuous Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Ongoing Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Training and Awareness for Users . . . . . . . . . . . . . . . . . . . . . 68 Auditing Requirements and Frequency . . . . . . . . . . . . . . . . . 68 Information Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xiii
Chapter 3
00-FM.indd 13
Risk Mitigation, Strategies, and Controls . . . . . . . . . . . . . . . . . . . . . . . 81 Categorize Data Types by Impact Levels Based on CIA . . . . . . . . . . 81 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 CIA Tradeoffs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Determine the Aggregate Score of CIA . . . . . . . . . . . . . . . . . . . . . . 84 Nomenclature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Incorporate Stakeholder Input into CIA Impact-Level Decisions . . . . 86 Determine Minimum-Required Security Controls Based on Aggregate Score . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Select and Implement Controls Based on CIA Requirements and Organizational Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Extreme Scenario Planning/Worst-Case Scenario . . . . . . . . . . . . . . 88 Conduct System-Specific Risk Analysis . . . . . . . . . . . . . . . . . . . . . . 90 Qualitative Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Quantitative Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Make Risk Determination Based on Known Metrics . . . . . . . . . . . . 95 Magnitude of Impact Based on ALE and SLE . . . . . . . . . . . . 95 Likelihood of Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Return on Investment (ROI) . . . . . . . . . . . . . . . . . . . . . . . . . 97 Total Cost of Ownership (TCO) . . . . . . . . . . . . . . . . . . . . . . 98 Translate Technical Risks in Business Terms . . . . . . . . . . . . . . . . . . 98 Recommend Which Strategy Should Be Applied Based on Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Avoid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Mitigate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Accept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Risk Management Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Exemptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Deterrence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Inherent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Residual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Continuous Improvement/Monitoring . . . . . . . . . . . . . . . . . . . . . . 102 Business Continuity Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 IT Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Adherence to Risk Management Frameworks . . . . . . . . . . . . 105 Enterprise Resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xiv
Chapter 4
Part II Chapter 5
00-FM.indd 14
Risk Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Review Effectiveness of Existing Security Controls . . . . . . . . . . . . . 121 Gap Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Conduct a Lessons-Learned/After-Action Review . . . . . . . . . 123 Reverse-Engineer/Deconstruct Existing Solutions . . . . . . . . . . . . . . 124 Creation, Collection, and Analysis of Metrics . . . . . . . . . . . . . . . . . 126 KPIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 KRIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Prototype and Test Multiple Solutions . . . . . . . . . . . . . . . . . . . . . . . 129 Create Benchmarks and Compare to Baselines . . . . . . . . . . . . . . . . 130 Analyze and Interpret Trend Data to Anticipate Cyber Defense Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Analyze Security Solution Metrics and Attributes to Ensure They Meet Business Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Latency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Usability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Maintainability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Recoverability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Cost Benefit Analysis (ROI, TCO) . . . . . . . . . . . . . . . . . . . . 138 Use Judgment to Solve Problems Where the Most Secure Solution Is Not Feasible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Enterprise Security Architecture Network Security Components, Concepts, and Architectures . . . . 151 Physical and Virtual Network and Security Devices . . . . . . . . . . . . 151 UTM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 NIDS/NIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 INE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 NAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xv
Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 MicroSD HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Application and Protocol-Aware Technologies . . . . . . . . . . . . . . . . . 163 WAF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Passive Vulnerability Scanner . . . . . . . . . . . . . . . . . . . . . . . . . 163 DAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Advanced Network Design (Wired/Wireless) . . . . . . . . . . . . . . . . . 164 Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 RDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 VNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 VDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 IPv4 and IPv6 Transitional Technologies . . . . . . . . . . . . . . . . 170 Network Authentication Methods . . . . . . . . . . . . . . . . . . . . . 172 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Placement of Hardware, Applications, and Fixed/Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . 174 Complex Network Security Solutions for Data Flow . . . . . . . . . . . . 175 DLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Deep Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Data Flow Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Network Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Data Flow Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Secure Configuration and Baselining of Networking and Security Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Network Baselining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Configuration Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Change Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Availability Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Network ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Software-Defined Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Network Management and Monitoring Tools . . . . . . . . . . . . . . . . . 183 Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Alert Fatigue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Advanced Configuration of Routers, Switches, and Other Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Transport Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Trunking Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Route Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
00-FM.indd 15
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xvi
DDoS Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Remotely Triggered Black Hole . . . . . . . . . . . . . . . . . . . . . . . 191 Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Separation of Critical Assets . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Network Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Network Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Quarantine/Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Persistent/Volatile and Nonpersistent Agents . . . . . . . . . . . . . 196 Agent vs. Agentless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Network-Enabled Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 System on a Chip (SoC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Building/Home Automation Systems . . . . . . . . . . . . . . . . . . 197 IP Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 HVAC Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Physical Access Control Systems . . . . . . . . . . . . . . . . . . . . . . 199 A/V Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Scientific/Industrial Equipment . . . . . . . . . . . . . . . . . . . . . . . 200 Critical Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Chapter 6
00-FM.indd 16
Security Controls for Host Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Trusted Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 SELinux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 SEAndroid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Trusted Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Least Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Endpoint Security Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Antimalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Anti-Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Spam Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 HIPS/HIDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Data Loss Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Host-Based Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Log Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Endpoint Detection and Response . . . . . . . . . . . . . . . . . . . . 232 Host Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Standard Operating Environment/Configuration Baselining . . . 233 Security/Group Policy Implementation . . . . . . . . . . . . . . . . . 235
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xvii
Command Shell Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 235 Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Configuring Dedicated Interfaces . . . . . . . . . . . . . . . . . . . . . 237 External I/O Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 File and Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Firmware Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Boot Loader Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Secure Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Measured Launch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Integrity Measurement Architecture . . . . . . . . . . . . . . . . . . . 251 BIOS/UEFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 Attestation Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 TPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Vulnerabilities Associated with Hardware . . . . . . . . . . . . . . . . . . . . 253 Terminal Services/Application Delivery Services . . . . . . . . . . . . . . . 254 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Chapter 7
00-FM.indd 17
Mobile Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Enterprise Mobility Management . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Containerization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Configuration Profiles and Payloads . . . . . . . . . . . . . . . . . . . 266 Personally Owned, Corporate-Enabled (POCE) . . . . . . . . . . 268 Application Wrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Remote Assistance Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Application, Content, and Data Management . . . . . . . . . . . . 269 Over-the-Air Updates (Software/Firmware) . . . . . . . . . . . . . . 270 Remote Wiping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 SCEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 BYOD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 COPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 CYOD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Application Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Side Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Unsigned Apps/System Apps . . . . . . . . . . . . . . . . . . . . . . . . . 274 Context-Aware Management . . . . . . . . . . . . . . . . . . . . . . . . . 275 Security Implications/Privacy Concerns . . . . . . . . . . . . . . . . . . . . . 277 Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Device Loss/Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Hardware Anti-Tampering . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 TPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xviii
Rooting and Jailbreaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Push Notification Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Geotagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Encrypted Instant Messaging Apps . . . . . . . . . . . . . . . . . . . . 283 Tokenization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 OEM/Carrier Android Fragmentation . . . . . . . . . . . . . . . . . . 284 Mobile Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 Tethering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 Unauthorized Domain Bridging . . . . . . . . . . . . . . . . . . . . . . 290 Baseband Radio/SoC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Augmented Reality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 SMS/MMS/Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Wearable Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Cameras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Watches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Fitness Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Glasses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Medical Sensors/Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Headsets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Security Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Chapter 8
00-FM.indd 18
Software Vulnerabilities and Security Controls . . . . . . . . . . . . . . . . . 309 Application Security Design Considerations . . . . . . . . . . . . . . . . . . 310 Secure by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Secure by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Secure by Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Specific Application Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Insecure Direct Object References . . . . . . . . . . . . . . . . . . . . . 313 Cross-Site Scripting (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Cross-Site Request Forgery (CSRF) . . . . . . . . . . . . . . . . . . . . 314 Clickjacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Input Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Improper Error and Exception Handling . . . . . . . . . . . . . . . . 319 Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Improper Storage of Sensitive Data . . . . . . . . . . . . . . . . . . . . 320 Fuzzing/Fault Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xix
Secure Cookie Storage and Transmission . . . . . . . . . . . . . . . . 322 Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Memory Leaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Integer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Race Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Resource Exhaustion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Geotagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Data Remnants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Use of Third-Party Libraries . . . . . . . . . . . . . . . . . . . . . . . . . 326 Code Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Application Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Secure Encrypted Enclaves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Database Activity Monitors and Web Application Firewalls . . . . . . . 327 Client-Side Processing vs. Server-Side Processing . . . . . . . . . . . . . . 328 JSON/REST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Browser Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 HTML5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 AJAX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 State Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Operating System Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Firmware Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Part III Enterprise Security Operations Chapter 9
00-FM.indd 19
Security Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 Security Assessment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 Malware Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Memory Dumping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Runtime Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Pivoting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 Open Source Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Security Assessment Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xx
Self-Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366 Internal and External Audits . . . . . . . . . . . . . . . . . . . . . . . . . 367 Color-Team Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Chapter 10 Security Assessment Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Network Tool Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Port Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Vulnerability Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Protocol Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 SCAP Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Network Enumerators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Fuzzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 HTTP Interceptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Exploitation Tools/Frameworks . . . . . . . . . . . . . . . . . . . . . . . 391 Visualization Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Log Reduction and Analysis Tools . . . . . . . . . . . . . . . . . . . . . 393 Host Tool Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Password Crackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Vulnerability Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Command-Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Local Exploitation Tools/Frameworks . . . . . . . . . . . . . . . . . . 405 SCAP Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 File Integrity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 Log Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Reverse Engineering Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Physical Security Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Lock Picks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 RFID Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 IR Cameras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Chapter 11 Incident Response and Recovery Procedures . . . . . . . . . . . . . . . . . . 417 E-Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Electronic Inventory and Asset Control . . . . . . . . . . . . . . . . . 418 Data Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Data Recovery and Storage . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Data Ownership and Handling . . . . . . . . . . . . . . . . . . . . . . . 421 Legal Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
00-FM.indd 20
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xxi
Data Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Detection and Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Mitigation and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Recovery/Reconstitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Facilitate Incident Detection and Response . . . . . . . . . . . . . . . . . . . 426 Internal and External . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Criminal Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Hunt Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Behavioral Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Heuristic Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Establish and Review System, Audit, and Security Logs . . . . . 429 Incident and Emergency Response . . . . . . . . . . . . . . . . . . . . . . . . . 429 Chain of Custody . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Digital Forensics Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Privacy Policy Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Continuity of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Incident Response Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Order of Volatility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Incident Response Support Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 437 dd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 nbtstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 nc (Netcat) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 memdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 tshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Foremost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Severity of Incident or Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Downtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Legal Ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Post-Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Root-Cause Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 After-Action Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
00-FM.indd 21
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxii
Part IV Technical Integration of Enterprise Security Chapter 12 Hosts, Storage, Networks, and Applications . . . . . . . . . . . . . . . . . . . . 461 Adapt Data Flow Security to Meet Changing Business Needs . . . . . 462 Adhere to Standards (Popular, Open, De Facto) . . . . . . . . . . . . . . . 463 Open Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 Adherence to Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 Competing Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Lack of Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 De Facto Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Interoperability Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Legacy Systems and Software/Current Systems . . . . . . . . . . . 467 Application Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Software Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Standard Data Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Protocols and APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Resilience Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Use of Heterogeneous Components . . . . . . . . . . . . . . . . . . . . 473 Course of Action Automation/Orchestration . . . . . . . . . . . . . 474 Distribution of Critical Assets . . . . . . . . . . . . . . . . . . . . . . . . 474 Persistence and Nonpersistence of Data . . . . . . . . . . . . . . . . . 474 Redundancy/High Availability . . . . . . . . . . . . . . . . . . . . . . . . 475 Assumed Likelihood of Attack . . . . . . . . . . . . . . . . . . . . . . . . 476 Data Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Data Remnants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Data Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Data Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Data Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Data Sovereignty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Data Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Resources Provisioning and Deprovisioning . . . . . . . . . . . . . . . . . . 479 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Virtual Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Data Remnants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Design Considerations During Mergers, Acquisitions, and Demergers/Divestitures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Network Secure Segmentation and Delegation . . . . . . . . . . . . . . . . 482 Logical Deployment Diagram and Corresponding Physical Deployment Diagram of All Relevant Devices . . . . . . . . . . . . . . 483 Security and Privacy Considerations of Storage Integration . . . . . . . 484 Security Implications of Integrating Enterprise Applications . . . . . . 486 CRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
00-FM.indd 22
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xxiii
CMDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 Integration Enablers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 Chapter 13 Cloud and Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Cloud Computing Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Advantages Associated with Cloud Computing . . . . . . . . . . . 505 Issues Associated with Cloud Computing . . . . . . . . . . . . . . . 506 Virtualization Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Technical Deployment Models (Outsourcing/Insourcing/Managed Services/Partnership) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 Cloud and Virtualization Considerations and Hosting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 On-premises vs. Hosted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 Cloud Service Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 Security Advantages and Disadvantages of Virtualization . . . . . . . . 516 Advantages of Virtualizing . . . . . . . . . . . . . . . . . . . . . . . . . . . 516 Disadvantages of Virtualizing . . . . . . . . . . . . . . . . . . . . . . . . 520 Type 1 vs. Type 2 Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . 522 Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 vTPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 Hyper-Converged Infrastructure (HCI) . . . . . . . . . . . . . . . . . 525 Virtual Desktop Infrastructure (VDI) . . . . . . . . . . . . . . . . . . 526 Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528 Secure Enclaves and Volumes . . . . . . . . . . . . . . . . . . . . . . . . . 528 Cloud-Augmented Security Services . . . . . . . . . . . . . . . . . . . . . . . . 530 Antimalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 Cloud Security Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 Security as a Service (SECaaS) . . . . . . . . . . . . . . . . . . . . . . . . 533 Vulnerabilities Associated with the Commingling of Hosts with Different Security Requirements . . . . . . . . . . . . . . . . . . . . . 533 Data Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535 Vulnerabilities Associated with a Single Server Hosting Multiple Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 Vulnerabilities Associated with a Single Platform Hosting Multiple Companies’ Virtual Machines . . . . . . . . . . . . . . 537
00-FM.indd 23
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxiv
Resources Provisioning and Deprovisioning . . . . . . . . . . . . . . . . . . 538 Virtual Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Data Remnants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549 Chapter 14 Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552 Authentication Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 Certificate-Based Authentication . . . . . . . . . . . . . . . . . . . . . . 557 SSL/TLS Certificate-Based Authentication . . . . . . . . . . . . . . 558 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 Context-Aware Authentication . . . . . . . . . . . . . . . . . . . . . . . 560 Push-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 561 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 OAuth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 XACML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 SPML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563 Attestation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563 Identity Proofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563 Identity Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 OpenID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Shibboleth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 WAYF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 Trust Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569 Hierarchical Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Peer-to-Peer Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 RADIUS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 Chapter 15 Cryptographic Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583 Cryptography Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583 Goals of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584 Cryptographic Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586 Symmetric Key Encryption Methods . . . . . . . . . . . . . . . . . . . 586 Asymmetric or Public Key Encryption Methods . . . . . . . . . . 590
00-FM.indd 24
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xxv
Cryptography Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 Key Stretching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595 Message Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Code Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Pseudorandom Number Generation . . . . . . . . . . . . . . . . . . . 598 Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599 Data-in-Transit Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 599 Data-in-Memory/Processing Encryption . . . . . . . . . . . . . . . . 600 Data-at-Rest Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600 Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602 Cryptographic Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . 603 Cryptographic Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603 Cryptoprocessors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604 Cryptographic Service Providers . . . . . . . . . . . . . . . . . . . . . . 604 Digital Rights Management (DRM) . . . . . . . . . . . . . . . . . . . 604 Watermarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 GNU Privacy Guard (GPG) . . . . . . . . . . . . . . . . . . . . . . . . . 605 SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 S/MIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608 Cryptographic Applications and Proper/Improper Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608 Stream vs. Block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 Cryptocurrency/Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . 616 Mobile Device Encryption Considerations . . . . . . . . . . . . . . 617 Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 618 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627 Chapter 16 Securing Communications and Collaboration . . . . . . . . . . . . . . . . . . 629 Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630 Dial-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631 DirectAccess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631 Resource and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 Desktop and Application Sharing . . . . . . . . . . . . . . . . . . . . . 632 Remote Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
00-FM.indd 25
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxvi
Unified Collaboration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635 Conferencing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635 Storage and Document Collaboration Tools . . . . . . . . . . . . . 638 Unified Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . 639 Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640 Presence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641 E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641 Telephony and VoIP Integration . . . . . . . . . . . . . . . . . . . . . . 643 Collaboration Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Part V
Research, Development, and Collaboration
Chapter 17 Research Methods and Industry Trends . . . . . . . . . . . . . . . . . . . . . . . . 657 Performing Ongoing Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 New Technologies, Security Systems, and Services . . . . . . . . . 661 Technology Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663 Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665 Latest Attacks, Vulnerabilities, and Threats . . . . . . . . . . . . . . 665 Zero-Day Mitigation Controls and Remediation . . . . . . . . . . 667 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670 Researching Security Implications of Emerging Business Tools . . . . 671 Evolving Social Media Platforms . . . . . . . . . . . . . . . . . . . . . . 671 Integration Within the Business . . . . . . . . . . . . . . . . . . . . . . 672 Big Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673 AI/Machine Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673 Global IA Industry/Community . . . . . . . . . . . . . . . . . . . . . . . . . . . 674 Computer Emergency Response Team (CERT) . . . . . . . . . . . 675 Conventions/Conferences . . . . . . . . . . . . . . . . . . . . . . . . . . . 676 Research Consultants/Vendors . . . . . . . . . . . . . . . . . . . . . . . . 677 Threat Actor Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 Emerging Threat Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687 Chapter 18 Technology Life Cycles and Security Activities . . . . . . . . . . . . . . . . . 689 Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . 689 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691 Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692 Test and Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
00-FM.indd 26
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Contents
xxvii
Commissioning/Decommissioning . . . . . . . . . . . . . . . . . . . . 692 Operational Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693 Asset Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 Asset/Object Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697 Software Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 697 Requirements Gathering Phase . . . . . . . . . . . . . . . . . . . . . . . 697 Design Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 Development Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Testing Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Operations and Maintenance Phase . . . . . . . . . . . . . . . . . . . . 699 Application Security Frameworks . . . . . . . . . . . . . . . . . . . . . 700 Software Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700 Development Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . 705 Secure Coding Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709 Validation of the System Design . . . . . . . . . . . . . . . . . . . . . . 711 Adapting Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713 Emerging Threats and Security Trends . . . . . . . . . . . . . . . . . . 713 Disruptive Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714 Asset Management (Inventory Control) . . . . . . . . . . . . . . . . . . . . . 715 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Chapter 19 Business Unit Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725 Security Requirements Across Various Roles . . . . . . . . . . . . . . . . . . 725 Sales Staff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726 Programmers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727 Database Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728 Network Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729 Management/Executive Management . . . . . . . . . . . . . . . . . . 730 Financial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731 Human Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732 Emergency Response Team . . . . . . . . . . . . . . . . . . . . . . . . . . 732 Facilities Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733 Physical Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 733 Legal Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733 Security Processes and Controls for Senior Management . . . . . . . . . 734 Secure Collaboration Within Teams . . . . . . . . . . . . . . . . . . . . . . . . 735 Governance, Risk, and Compliance Committee . . . . . . . . . . . . . . . 736 Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737 Quick Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
00-FM.indd 27
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxviii
00-FM.indd 28
Appendix
About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Your Total Seminars Training Hub Account . . . . . . . . . . . . . . . . . . Privacy Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Single User License Terms and Conditions . . . . . . . . . . . . . . . . . . . TotalTester Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Pre-Assessment Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other Book Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Performance-Based Questions . . . . . . . . . . . . . . . . . . . . . . . . Downloadable Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
745 745 745 745 745 747 747 747 748 748 748
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
ACKNOWLEDGMENTS The creation of this book was the epitome of a team effort. There are many talented individuals I must thank at McGraw-Hill Education and Cenveo Publisher Services. Their collective efforts were critical in making a book of this scale possible. To the executive editor, Tim Green: Thank you for bringing me on board for this incredible project! You have an amazing team of editors, yet you were the driving force behind all aspects of this book. I appreciate our many talks about family, and the considerable patience you’ve exercised during project challenges. I look forward to working on many projects with you in the future. To the editorial coordinator, Claire Yee: Thank you for all the guidance you provided me on this book, and on the previous Cloud+ project! Many thanks, also, for being my “go-to” person no matter how ridiculous some of my inquiries were. As I’ve told you and Tim before, you’re a star! To the technical editor, Daniel Lachance: Thank you for the substantial technical expertise you brought to this book! Your suggestions were much needed. Most importantly, thank you for ridding the book of all the nonsense I had written during those 3 a.m. sessions. To the editorial supervisor, Patty Mon: Thank you for working with me on another McGraw-Hill Education project! Most of all, thank you for supervising the considerable effort required to convert my grammatical rubbish into the professional text our readers deserve! To the copy editor, Bart Reed: Thank you for all of your suggestions, attention to detail, and professionalism throughout these past several months! To the proofreader, Paul Tyler: Thank you for the fantastic job you did proofreading this book! You were awesome. To the acquisitions editor, Amy Stonebraker-Gray: You deserve a special shout-out since you introduced me to McGraw-Hill Education in the first place. Thank you for involving me in the Cloud+ Certification CV0-002 Study Guide, Second Edition, project and your role in landing me this CASP+ project. Authoring for a “Mount Rushmore” publishing company like McGraw-Hill Education is a dream come true, and I cannot thank you enough for that! To the senior project manager, Sonam Arora: Thank you for your help organizing all the proofreading and copyediting assignments between team members! I also want to thank you for always being so professional and courteous to me. To the associate project manager, Aishwarya Gosain: Thank you for helping Sonam with the multitude of proofreading and copyediting tasks! Great job! To the indexer, Karin Arrigoni: Thank you for doing such a great job indexing this book! Considering its size, it makes your efforts all the more remarkable. To all the other behind-the-scenes contributors at McGraw-Hill Education: Thank you for everything! xxix
00-FM.indd 29
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxx
To my wonderful family: To my incredible children, Carter, Tristan, Madison, and Victoria, for being my inspiration for everything in life. To my mother, Patricia, whose greatness rubbed off just enough to make this project possible. To my father, Lawrence, and oldest brother “Tommy,” who guided my hands from Heaven. To my brother Chris, for blazing the trail of success for our family. To my parent-in-laws, Thomas and Mildred, for all the help they’ve given our family. Finally, to my brother Larry, whom the doctors called “The Miracle Man.” He was the inspiration for my entering the technology field. I thank you all from the bottom of my heart. —Nicholas Lane
00-FM.indd 30
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
INTRODUCTION Day by day, nothing seems to change until one day everything is different. Given the theme of this book, one might surmise that I’m only referring to the current state of information security. Yet, take a glance at the news, social media, or emergency vehicles at the local high school, and you’ll discover that all aspects of our security are under attack. It’s not just the hackers we fear, but also previously mundane things like answering the phone, responding to a knock at the door, and the safety of our children at school. We’re also under constant surveillance by many devices in our homes and businesses, such as smartphones, tablets, TVs, and even smart speakers. At any moment our device’s built-in camera and microphone could be recording us while selling our personal information to various third parties. Most surprising, the majority of us are readily consenting to this collection and sale of our personal data. It’s safe to say that today we feel less secure about everything. One could argue it is contradictory to suggesting that most people have become increasingly paranoid while at the same time a majority of such folks are deliberately sharing their personal information in order to play Candy Crush Saga for free. Perhaps those individuals have become resigned to the belief that their data was already stolen long ago; therefore, they might as well enjoy the application. Technology cannot be blamed for all of the challenges in the world, yet it does play a crucial role in our uneasiness. With continual advances in technology devices, communication infrastructures, and information sources, billions of people have transitioned from being unplugged bystanders to technological choreographers of their environment. While most people choose to use technology to improve their quality of life, others are pulling off major credit card heists, and even triggering cyberwarfare between nations. This technological upheaval is responsible for seeding today’s most sophisticated attacker, the cybercriminal. Hackers are literally everywhere. They are people just like you and me, only they’re no longer operating in the shadows. You’ll find them taunting the world via their social media channels––much to the applause of their thousands of subscribers. Meanwhile, other malicious insiders are having lunch with you at the office while plotting their next data breach. With names such as hackers, attackers, crackers, cyberterrorists, phreakers, script kiddies, suicide hackers, hacktivists, and more, it is clear that hacking is no longer just an intellectual curiosity. Nor are the majority of hackers operating as recluses like in years past. Hacking has become a capitalistic enterprise funded by organized cybercriminal corporations, governments, billionaires, and terrorist groups. Through strength in numbers, today’s cybercriminals are more powerful than at any time in history. With access to unlimited hacking tools, weaponized artificial intelligence, international botnets, state-sponsored military attacks, and infinite cloud computing resources, hackers have become true masters of societal disruption.
xxxi
00-FM.indd 31
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxxii
In many ways, security practitioners have mirrored the very hackers they were recruited to stop––by working as outsiders. Traditional security and IT departments operated in seclusion; they built security policies with minimal feedback from others, and implemented countermeasures only to put out fires. In essence, security solutions were reactionary as opposed to proactive. Solutions were mere ingredients that were sprinkled onto business operations rather than being sewn directly into the fabric of operations. Since hackers have evolved every aspect of their arsenal, the modern-day security practitioner must also adapt. Today’s security practitioner must proactively bake security solutions into every aspect of the business, as opposed to only reacting after a breach has been reported. They must coordinate with all levels of the organization––from the CEO to the end user––in order to ensure that appropriate security solutions are implemented. Care must be taken to ensure that solutions provide adequate security, while also permitting the business to fulfill its financial and strategic goals. This is more challenging than it seems because security solutions are restrictive by nature. The omnipresence of security can become quite expensive too; yet data leakage, compliance failures, auditing fines or shutdowns, lost market share, corporate espionage, and damaged reputations are considerably more expensive. I will say this with an ounce of affection and a pound of foreboding: Good security is annoying. Security solutions often come with unintended side effects, such as reductions in ease-of-use and functionalities to business processes. Most individuals will, at least initially, resist such trade-offs. The knowledge gained as security practitioners compels us to accept these side effects as quid pro quo for our improved security posture. It is the goal of CASP+, and my personal mission in security, to help you implement security solutions in a manner that is even more annoying to our adversaries than it is to us. When businesses operate from a place of freedom, they can exert more control over their destinies—provided that they never lose sight of the fact that freedom isn’t free. —Nicholas Lane
CompTIA Advanced Security Practitioner (CASP+) Back in 2012, the U.S. Navy approached CompTIA to develop an advanced cybersecurity certification that would serve as a viable alternative to the (ISC)² Certified Information Systems Security Professional (CISSP) certification. Like many organizations, the Navy had relied upon the CISSP for assessment and accreditation of advanced cybersecurity skills, yet it felt that something was missing. Despite CISSP’s global popularity, longevity, and irrefutable value in the security industry, the combination of its managerial slant and lack of performance-based questions created an imperfect alignment with the Navy’s “hands-on” security objectives. The CompTIA Advanced Security Practitioner (CASP+) certification was born out of a military need to certify security practitioners as possessing the advanced practical cybersecurity skills necessary to defend the nation. Shortly after the development of CASP+, the U.S. Department of Defense (DoD) approved it as part of the DoD 8570.01-M directive.
00-FM.indd 32
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Introduction
xxxiii
NOTE It’s important to note that CASP+ focuses on the security practitioners who are responsible for implementing security solutions. On the other hand, CISSP focuses on higher-level security management tasks such as identifying which security policies and frameworks are appropriate for an organization. Once the CISSP expert performs those critical tasks, it’ll be CASP+ practitioners who implement the practical solutions to achieve those objectives. CASP+ isn’t necessarily more important than CISSP; rather, it’s a completely different security role.
For civilians reading this book, don’t be deterred by CASP+ having military roots. Enterprises have considerable need of cybersecurity professionals with proven hands-on skills to protect assets from digital attackers. Enterprises from all over the world list the CASP+ certification as a prerequisite for job seekers. The CompTIA Security+ certification is CompTIA’s entry-level security certification and one that is considered a precursor to the mastery-level CompTIA Advanced Security Practitioner certification. Security+ is a vendor-neutral certification that is designed to demonstrate an individual’s competency in the following areas:
•• Network security •• Compliance and operational security •• Threats and vulnerabilities •• Application, data, and host security •• Access control and identity management •• Cryptography CASP+ is designed to follow the CompTIA Security+ certification. It is also vendorneutral and is designed to demonstrate an individual’s competency in risk management, enterprise security architecture, enterprise security operations, technical integration of enterprise security, and research, development, and collaboration regarding security trends. The exam covers the knowledge necessary for an individual to be able to conceptualize, design, and engineer secure solutions across complex enterprise environments and has a technical, hands-on focus at the enterprise level. Although there is no official prerequisite for the CASP+ certification, CompTIA recommends professionals to complete CompTIA Security+ as well as CompTIA PenTest+ or CompTIA Cybersecurity Analyst (CySA+), in either order. The exam itself consists of a maximum of 90 questions, with a time limit of 165 minutes in which to complete the exam. There is no scaled scoring for this exam; it is pass/fail only. The recommended level of experience for exam candidates is 10 years of experience in IT administration, including at least five years of hands-on technical security experience.
00-FM.indd 33
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxxiv
NOTE The CASP exam is a pass/fail exam, but the online practice exam engine included with this book is not a pass/fail exam simulation due to the limitations of the software. A passing score on the actual CASP exam is calculated using psychometrically determined scores, and is not determined solely using the raw score. This balances test-to-test difficulty and other factors, making all passing scores comparable. Taking a single practice exam does not afford the ability to do this type of scoring, but scores less than 75 percent during practice should be taken as a sign that additional preparation might be a wise course of action before attempting the real certification exam.
The Five CASP+ Domains
Although the CASP+ certification is designed for practitioners with hands-on knowledge, skills, and abilities, you will see some managerial skill requirements listed among the exam objectives too. A security practitioner cannot be expected to produce practical solutions for security policies and frameworks if such requirements aren’t fundamentally understood. All of these skill requirements are covered throughout the five CASP+ domains. These domains, and their relative weights in terms of coverage, are as follows:
•• 1.0 Risk Management (19%) •• 2.0 Enterprise Security Architecture (25%) •• 3.0 Enterprise Security Operations (20%) •• 4.0 Technical Integration of Enterprise Security (23%) •• 5.0 Research, Development and Collaboration (13%)
Performance-Based Exam Questions
Unlike CISSP, the CASP+ certification exam includes multiple types of questions, such as drag and drop, performance-based simulations, and the traditional multiple question/ answer. An individual taking the exam will find some questions presented as a scenario and will then need to launch a simulated environment. The environment will be at the level of detail appropriate for an individual with the experience recommended for those taking the CASP+ exam. The individual will then need to perform whatever task is most appropriate, given the scenario and tools or information presented for the question. With this method, CompTIA is able to go beyond a simple “textbook understanding” of the subject and can test the skill level of individuals taking the exam.
CASP-Proposed Hardware and Software
Although the CASP+ certification is intended to be vendor-neutral, CompTIA nonetheless has provided a list of hardware and software that individuals taking the exam are expected to have some knowledge of. Some items in the list are simply types of tools that an individual might expect to see questions about, whereas others are examples of vendorspecific tools and technologies that individuals are expected to know something about. The list supplied by CompTIA is provided in Tables 1 through 5.
00-FM.indd 34
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Introduction
xxxv
Laptops
Basic server hardware (e-mail server)
Active Directory server
Tokens
Mobile devices (Android and iOS)
Switches (managed switch) – IPv6 capable
Router – IPv6 capable (wired/wireless)
Gateway
Firewall
VoIP
Proxy server
Load balancer
NIPS
HSM
Access points
Crypto-cards
Smart cards
Smart card reader
Biometric devices
Arduino/Raspberry Pi
SCADA device Table 1 List of Equipment Examples for the CASP+ Certification Exam
Keyboards
Cables
NICs
Power supplies
External USB flash drives Table 2 List of Spare Hardware Examples for the CASP+ Certification Exam
Spectrum analyzer Antennas RF hacking hardware/SDR Table 3 List of Tool Examples for the CASP+ Certification Exam
Virtualized appliances (firewall, IPS, SIEM solution, RSA authentication, Asterisk PBX)
Windows
Linux distros
VMware Player/VirtualBox
Vulnerability assessment tools
SSH and Telnet utilities
Threat modeling tool
Host IPS
Helix software
Kali and all Kali toolsets
Remediation software
GNS and associated firmware
Log analysis tools Table 4 List of Software Examples for the CASP+ Certification Exam
00-FM.indd 35
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxxvi
Sample logs
Sample network traffic (packet capture)
Sample organizational structure
Sample network documentation
Broadband Internet connection
3G/4G and/or hotspot
Computer and mobile peripheral devices Table 5 List of Other Examples for the CASP+ Certification Exam
Accreditation
CASP+ is accredited by the American National Standards Institute (ANSI) in order to demonstrate compliance with the international ISO/IEC 17024 standard. ANSI is an organization that oversees the development of standards throughout the U.S. and globally.
How to Use This Book
True to its “All-In-One” namesake, this book packs enough information to help you pass the exam as well as to serve as an on-the-job reference. Yet, that information is only as useful as the diligence you put into understanding it. To help you get the most out of this book, let’s go over the book’s design elements and give you a few tips along the way:
•• Certification Objectives This book’s chapters and topics are sequentially mapped to the CASP+ exam objectives to provide predictability in your learning experience––in addition to simplifying any subsequent exam objective research or review you’ll perform after completing a section. The end of this section contains the Objective Map, which is a summary of the CASP+ exam objectives. Visit the CASP+ portal on www.CompTIA.org for the detailed list. •• Tips Tip sections provide insider information or a best practice about a subject. •• Exam Tips Exam tip sections contain pertinent information likely to be targeted in the exam. •• Cautions Caution sections provide warnings about products, processes, and procedures that should be observed.
End-of-Chapter Questions
At the end of each chapter module you’ll find questions similar to the multiple-choice questions found on the actual exam. The answers to these questions can be found at the end of the book. By completing the end-of-chapter questions, you’ll reinforce what you’ve learned from that chapter while becoming familiar with the structure of any multiple-choice exam questions you receive on the real exam.
Using the Objective Map
The Objective Map included in this section has been constructed to help give you a bird’s-eye view of the official CASP+ exam objectives as published by CompTIA.
00-FM.indd 36
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
Introduction
xxxvii
Included with the Objective Map are the respective chapters that provide detailed coverage of the objectives. A more detailed exam objective mapping was not necessary since this book already conveniently covers each exam objective in sequential order.
The Accompanying Media
This book includes accompanying media that features the TotalTester exam software that allows you to generate a complete practice exam or quizzes by chapter module or by exam domain. See the appendix for more information about the online content.
Exam CAS-003 Objective Map Official Exam Objective
All-in-One Coverage
Chapter No.
1.0 Risk Management 1.1 Summarize business and industry influences and associated security risks.
Security Influences and Risk
1
1.2 Compare and contrast security, privacy policies and procedures based on organizational requirements.
Security Policies and Procedures
2
1.3 Given a scenario, execute risk mitigation strategies and controls.
Risk Mitigation, Strategies, and Controls
3
1.4 Analyze risk metric scenarios to secure the enterprise.
Risk Metrics
4
2.1 Analyze a scenario and integrate network and security components, concepts and architectures to meet security requirements.
Network Security Components, Concepts, and Architectures
5
2.2 Analyze a scenario to integrate security controls for host devices to meet security requirements.
Security Controls for Host Devices
6
2.3 Analyze a scenario to integrate security controls for mobile and small form factor devices to meet security requirements.
Mobile Security Controls
7
2.4 Given software vulnerability scenarios, select appropriate security controls.
Software Vulnerabilities and Security Controls
8
3.1 Given a scenario, conduct a security assessment using the appropriate methods.
Security Assessments
9
3.2 Analyze a scenario or output, and select the appropriate tool for a security assessment.
Security Assessment Tools
10
3.3 Given a scenario, implement incident response and recovery procedures.
Incident Response and Recovery Procedures
11
2.0 Enterprise Security Architecture
3.0 Enterprise Security Operations
00-FM.indd 37
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / FM
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
xxxviii
Official Exam Objective
All-in-One Coverage
Chapter No.
4.0 Technical Integration of Enterprise Security 4.1 Given a scenario, integrate hosts, storage, networks, and applications into a secure enterprise architecture.
Hosts, Storage, Networks, and Applications
12
4.2 Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture.
Cloud and Virtualization
13
4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.
Authentication and Authorization
14
4.4 Given a scenario, implement cryptographic techniques.
Cryptographic Techniques
15
4.5 Given a scenario, select the appropriate control to secure communications and collaboration solutions.
Securing Communications and Collaboration
16
5.1 Given a scenario, apply research methods to determine industry trends and their impact to the enterprise.
Research Methods and Industry Trends
17
5.2 Given a scenario, implement security activities across the technology life cycle.
Technology Life Cycles and Security Activities
18
5.3 Explain the importance of interaction across diverse business units to achieve security goals.
Business Unit Interactions
19
5.0 Research, Development and Collaboration
00-FM.indd 38
12/03/19 5:38 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1 Blind Folio: 1
PART I
Risk Management Chapter 1 Chapter 2 Chapter 3 Chapter 4
01-ch01.indd 1
Security Influences and Risk Security Policies and Procedures Risk Mitigation, Strategies, and Controls Risk Metrics
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1 Blind Folio: 2
This page intentionally left blank
01-ch01.indd 2
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
1
CHAPTER
Security Influences and Risk This chapter presents the following topics: • Risk management of new products, new technologies, and user behaviors • New or changing business models and strategies • Security concerns of interconnecting diverse industries • Internal and external influences • Impact of deperimeterization
Before the modern computing revolution began, risk management was a lot less complicated. The designers of government, military, and university networks were primarily tasked with guarding against one risk type: physical security attacks. Many attacks, such as theft, vandalism, and sabotage, all required the attacker to gain physical access to the premises. Naturally, we countered these attacks with physical security countermeasures such as armed and unarmed guards, locked doors, surveillance cameras, fences, and ID badges. Provided that the bad guys were kept off the premises, our assets were considered safe. Information workers would then happily go about using, storing, and transmitting information with little regard for security. Such historical reliance on physical security explains why most TCP/IP protocols like FTP, Telnet, and HTTP weren’t designed to support cryptography. With the foxes stomping around helplessly outside the hen houses, organizations didn’t feel compelled to suffer the performance slowdowns and interoperability challenges brought about by cryptography. Fast-forward to 2018, and you’ll notice that risk management has considerably more than just physical security to worry about. Here are just a few examples:
• Hackers can attack from countless external and internal locations. • The Internet consists of over 20 billion IoT (Internet of Things) devices, with 30–50 billion devices expected by 2020. That’s a lot of targets to protect. • Over 300 million new malware threats are released every year. • Most of the elite hackers have joined international cybersecurity factions to accelerate the global scale and impact of their attacks.
3
01-ch01.indd 3
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
4
• The source and fingerprint of cybersecurity attacks are frequently spoofed to make other victims appear guilty of the crimes. • Millions of mobile applications collect and profit off of our data as collateral for providing us with free applications. • Cybercriminals are utilizing artificial intelligence (AI) to automate data collection, analysis, and attacks against targets. • Forensic investigations are often led into international tailspins due to cyber-law differences, country tensions, plus the time and cost of tracing a global attacker’s whereabouts. There are also the nonhuman risk factors like natural disasters, electrical failures, environmental fluctuations, reputation losses, and weather events to consider. These can easily bring a business to its knees if business continuity and disaster recovery plans aren’t in place. Despite the importance of those factors, the two risk categories that most commonly threaten businesses are human-based risks and technological risks. People have always been critical to organizations, whereas technology is increasingly more missioncritical and costlier to them. More assets to purchase means more assets to protect against attacks. More assets to attack means more breaches to correct and recover from. Today’s businesses face more layers of danger than ever before; therefore, an extensive modernization of risk management is needed to keep businesses protected. This chapter focuses on how risk management should be designed and implemented in order to reduce business risks to acceptable levels. If you’re curious as to why risk management is the first chapter of the book, it should be noted that CompTIA—not coincidentally—rearranged the exam objectives to include risk management as the first domain. Just as the CISSP certification from ISC² has “Security and Risk Management” as its first domain, risk management is now generally considered to be the starting point for advanced security certifications. After all, security practitioners cannot properly determine what security controls are needed, at what scope and depth, and for which assets, unless risk management processes are performed first. If the implementation of security controls can be likened to throwing a ball, then risk management is the hand that dictates the velocity, direction, and target of the ball being thrown. In this light, risk management is a natural starting point for the first and crucial chapter in this book.
Risk Management of New Products, New Technologies, and User Behaviors
Truth be told, most people don’t consider risk management to be the most exciting security topic. It is about as riveting as the commentary on an ice fishing tournament. Yet, its importance cannot be overstated. If organizations don’t implement risk management processes, they will succumb to a litany of risk factors and threats. Whether those factors are human-based or not, deliberate or accidental, environmental or due to natural disaster, or financial or reputational, the list of what can go wrong is essentially infinite. As Murphy’s Law suggests, “Anything that can go wrong, will go wrong.” It’s only a question of when.
01-ch01.indd 4
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
5
Figure 1-1 Risk management process
PART I
Like many security concepts, risk management is a bit abstract. Similar to the Open System Interconnection (OSI) model, risk management is an intangible depiction of real and tangible things. It can be difficult to qualify or quantify entities that you cannot see, purchase, or hold in your hand. Risk management is, however, something we must document, discuss, review, and revise; most importantly, it is something we do. As you can see in Figure 1-1, risk management is a sequential and recurring process of identification, assessment, analyzation, and mitigation of risks. The operative word here is “recurring.” If done properly, risk management processes will never end once they’ve begun. Once we’ve mitigated all known risks to the extent possible, we monitor the organizational environment until something changes. If a new product, technology, or user behavior is detected, we put that change under the risk management microscope to, again, identify, assess, analyze, and mitigate any risks introduced by the change. No matter how big or small that change might be, some form of risk will manifest itself. Whether the risk presented to the organization is strategic, compliance-related, operational, financial, or reputational in nature, we’ll tackle that risk with our well-defined risk management processes. Okay, it’s fair to say that risk management is pretty important stuff, but time out. What exactly is risk? Risk is a commonly misunderstood term, and the definition can vary from industry to industry. In the case of information security, risk refers to the probability of a threat causing a loss as well as the impact of the loss caused by the threat. It is imperative that organizations make every effort to reduce both aspects of risk to acceptable levels.
Identification
Mitigation
Risk Management Process
Assessment
Analyzation
01-ch01.indd 5
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
6
Like anything else, risk management has its challenges—one of which is the difficulty of sustaining a desired risk profile. A risk profile represents a cross-section of an organization’s comfort level concerning which risks it will and will not tolerate. Just when we thought our risk profile had reached equilibrium, something inevitably changes to throw it off balance. Such changes will require organizations to reassess their risk profile and, if necessary, correct it. The changes in the security posture are seldom in a positive direction, and they frequently require adjustments in security controls to maintain the current risk level. Keep in mind that risk management and information security are not the same thing. Risk management does require information security, but information security is not risk management in itself. Information security can be viewed as, largely, a technological endeavor, driven by technical factors and managed to technical metrics. Examples include number of incidents, time to resolve an incident, and number of systems affected. Risk management is a different approach—one marked by measuring the effect of security on the enterprise’s business objectives, typically in dollars of risk or liability exposure. This is a newer method of measuring the value of information security efforts and is more in line with senior management methodologies of managing a business. Finding ways to tie information security efforts to the risk management of a business—whether to a new product, a new technology, or new business process—is an essential function of the management chain associated with securing information. Put simply, we must bake risk management directly into company objectives and processes rather than merely sprinkle on its technological ingredients after the meal is served. CAUTION A frequent misconception that people have about risk is to only consider probability or impact as opposed to probability and impact. We’ll dive deeper into risk in Chapter 3.
In addition to being a predictable life cycle that we anchor our security processes to, risk management will also ensure that no stones are left unturned in terms of where we should be implementing controls. Because risk management requires us to consider the risk factors of all important business assets and processes, we are more likely to implement security controls across the board rather than neglect a key area. EXAM TIP Make sure you know the steps of the risk management cycle, outlined earlier, for the exam.
Another thing to consider is CompTIA created the CASP certification largely at the request of the U.S. Navy. To that end, military and government organizations are popular breeding grounds for security practitioners who desire the CASP certification as per DoD 8570 requirements. Although valuable to all organizations, it would particularly behoove military and government security practitioners to consider the risk management frameworks, standards, and guidelines already published by well-known standards organizations. Borrowing from these well-known risk management guidelines will soften the
01-ch01.indd 6
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
7
PART I
difficulty of devising your own methods from scratch. A great resource for learning more about federal-level security requirements—and security in general—can be found on the National Institute of Standards and Technologies (NIST) website. NIST is a U.S. government agency that develops a formal series of special publications (SPs) that detail policies, procedures, and guidelines for the security of federal computer devices. Although these publications have a government and military slant to them, many organizations successfully adapt these standards and guidelines into their own risk management processes. NIST has published its own Risk Management Framework (RMF), which is described by six unique stages. These stages are detailed in NIST SP 800-39, “Managing Information Security Risk,” and shown here:
• Stage 1: Categorize the information systems and data (FIPS 199 and SP 800-60). • Stage 2: Select security controls (FIPS 200 and SP 800-53). • Stage 3: Implement security controls (SP 800-34, SP 800-61, and SP 800-128). • Stage 4: Assess the effectiveness of the security controls (SP 800-53A). • Stage 5: Authorize the information system and data (SP 800-37). • Stage 6: Monitor the security controls (SP 800-37, SP 800-53A, and SP 800-137). Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.
Despite NIST publications being American based, the information contained in their standards and guidelines can benefit organizations all across the globe. In contrast to NIST, the International Organization for Standardization (ISO) creates standards for worldwide consumption. ISO is the world’s largest standards organization and, per its website, handles everything from “technology, to food safety, to agriculture and healthcare.” This also includes information security standardization. Similar to NIST, ISO accreditations can be granted to organizations for demonstrating compliance with some of their standards. For example, Microsoft Office 365 is ISO/IEC 27001 and ISO/IEC 27018 compliant. For NIST’s part, Office 365 is FIPS 140-2 compliant. NOTE Two of the more useful documents associated with security controls are NIST Special Publication 800-53, Rev 4, “Recommended Security Controls for Federal Information Systems and Organizations,” and the CIS “Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines” (www.sans.org/critical-security-controls/). The NIST document is a comprehensive library collection of hundreds of controls associated with three levels of security requirements: high, medium, and low. The SANS list is a distilled set of the most critical controls for implementation in an enterprise.
The NIST and ISO risk management guidelines supply proven processes that help us link security and risk management activities to an organizational security program.
01-ch01.indd 7
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
8
Although these standards are not part of the exam objectives, the information contained within them will both aid your CASP studies and guide you through actual implementation in the real world. TIP Be sure to check out the ISO/IEC 27005 standard, which covers ISO’s international perspective on risk management.
New or Changing Business Models and Strategies
A running theme throughout this book is the importance of business objectives to the security practitioner. In the past, security folks only worried about security stuff, and decision-makers worried about business objectives. Take Starbucks, for example: its business objectives are to make coffee, make money, make customers happy, and go home. Rinse and repeat. Anything else will often be viewed as obstacles to achieving these objectives. Starbucks would much rather not have to worry about firewalls, complex passwords, intrusion prevention systems, and employee security training. Businesses only bother to fund security initiatives because it is obvious that security threats pose some level of risk to business objectives. What many executives fail to realize is the extent of risks posed to their business objectives. Then there’s the regulatory threat of business leaders being fined, shut down, or put in jail due to audit failures, law circumvention, compliance negligence, and violations that hover like a storm cloud. The security practitioner must never lose sight of their primary purpose, which is to help ensure the achievement of business objectives. It is incumbent on us to educate business leaders about cybersecurity risks and threats so that they realize the full potential of losses that could derail their business objectives. That cannot happen unless security practitioners acquire a similar level of urgency for the sustainability of achieving business objectives. We don’t install a firewall simply to stop unauthorized or malicious network traffic. We install firewalls to help Starbucks make or save money through the prevention of financial losses caused by unauthorized traffic traversing the network. Whether it is Starbucks or any other organization, it has to think about the security implications caused by technological changes and, additionally, the changes that take place with business models and strategies. Security is a function of the business processes, people, and technologies that are employed to achieve business objectives. Businesses have models and strategies they employ to guide them in their pursuit of business objectives. These models can be simple or complex and can encompass certain portions of a business or the business as a whole. Examples of models include how personnel are employed as well as whether to rely on in-house expertise or offshore talent. Businesses can grow by merger or acquisition or by creating partnerships with other firms to increase business opportunity. These types of strategies can involve the sharing of internal information, including current capabilities related to information security. The acquisition of a firm that has significant security challenges can affect the value of the target being acquired.
01-ch01.indd 8
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
9
Partnerships PART I
Business partnerships can come in two main forms: formal and informal. Formal partnerships exist as a business relationship between two or more parties, as defined by a series of legal documents. Although the partnership types can vary, and are typically governed by state law, the basic premise is that partners share in the operational responsibility as well as the profits and liabilities associated with a business. A second form of partnership is the informal business partnership. An informal business partnership is marked by an arrangement between parties where they agree to cooperate in a manner that can advance their mutual business interests. In this form, the financial relationship can be contractually defined. Partnerships offer many advantages to businesses. Separating certain business functions can allow different businesses to focus their efforts on differing business objectives. In today’s Internet-connected world, the primary business customer links, as between a bank and its customers, can contain many data elements. There are also opportunities to collect additional information that has business value to other parties. This second set of relationships has many names: affiliates, third-party vendors, and so on. The sharing of information across these boundaries has many security-related implications. Information sharing across organizational partnerships requires significant planning. Policies associated with the use of information by a partner need to be determined in advance, along with customer notifications and approvals. There are administrative and legal issues as well. In the United States, the standard is for the customer to opt out of information sharing. In the European Union, the opposite is true; customers need to opt in to allow information sharing. The exception to these rules and regulations would be when the partnership exists to act as a single entity to the customer. EXAM TIP In the European Union, the sharing of information has been regulated via the EU Data Protection Directive since 1995. In 2016, the European Commission adopted its successor known as the General Data Protection Regulation (GDPR), which became enforceable as of May 2018.
Outsourcing Outsourcing is a common business strategy in today’s competitive environment. Many things can be outsourced—from remote drive-through associates at a burger joint to all forms and functions of business operations. Virtually any aspect of a business can be outsourced, particularly in today’s many service-oriented industries that can be done by teleworkers. As in all business relationships, the devil is in the details. The terms of the outsourcing agreement, both with respect to operations and deliverables, will govern results and expectations. There can be many names for this set of business requirements, including service level agreements (SLAs), but the bottom line is that the definitions in the outsourcing agreement will govern all aspects of the relationship. Failure to clearly determine and define the requirements of an outsourcing agreement is one of the principal reasons behind later dissatisfaction and failure of an outsourcing relationship.
01-ch01.indd 9
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
10
A common agreement used between parties sharing information is a nondisclosure agreement (NDA), which, as the name implies, requires that the agreeing parties not disclose confidential information to third parties for a certain period of time. It can be legally binding and will document the rights and responsibilities of both parties with respect to the confidentiality attributes of the information being shared. NOTE NDAs are covered in more detail in Chapter 2.
Cloud It goes without saying that one of the biggest technical lightning rods in the IT industry today is cloud computing. Yet, businesses are already improving their productivity and lowering their costs by utilizing the applications, accessibility, storage, availability, and scalability benefits provided by Internet-based cloud companies. Businesses are hosting tools such as content management systems (CMS), learning management systems (LMS), enterprise resource planning (ERP), customer relationship management (CRM), payroll, human resources, expense reporting, and others on the cloud exclusively. On the flipside, such reliance on a cloud computing provider comes with a measure of uncertainty and control. Here are just some of the important questions an organization must ask a cloud provider before contracting its services:
• What level of control do we have over our data? • Where is our data? • Can we control who accesses our data? • Do we have access to logs? • Is our data kept in region or replicated to other regions? • Are we sharing servers with other businesses? • Can we procure our own cloud server? • What annual uptime promises do you as the provider uphold? • How will we be compensated for inadequate service levels? It is also important to find out what risk management and assessment processes the cloud provider implements. See what vulnerability and penetration tests it has done. Research information regarding security breaches and any negative remarks from customers or current/former partners. You also shouldn’t have to compete for the cloud provider’s services—let it compete for yours. EXAM TIP Service level agreements (SLAs) are a great place to learn about the service offerings and promises of a cloud provider. The contents of an SLA will vary across organizations and industries. You can find more information about SLAs in Chapter 2.
01-ch01.indd 10
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
11
PART I
Now that cloud computing’s compliance capabilities are catching up with its productivity benefits, businesses are increasingly taking the plunge. The cloud’s Internet-based implementations also make it easier for organizations to partner up, collaborate, share information and resources. It can also raise questions as to how partner responsibilities and accountability will work when the shared infrastructure belongs to neither partner. However, the previous fears regarding the lack of control of cloud data and systems—and insight into configurations and data—are gradually dissipating because cloud providers have specifically beefed up their offerings in order to both meet compliance requirements and reassure critics that technical controls and insights are in abundance now. Yet, let your risk management processes do the vetting for you. In the end, you want the productivity benefits of cloud computing to be aligned with your risk profile.
Managed Security Services One of the capabilities that can be outsourced is security services—and there are many reasons why an organization may consider this option. Commonly called managed security services, numerous features can be included under this umbrella term. What initially began as outsourced network services, managed security services can offer a business a professionally managed network and a security presence. Network security is a highly technical issue, and scale can play a significant issue. Many organizations will not have the network size to support the number and level of professional network engineers to handle security issues. Outsourcing this functionality takes advantage of a provider’s firm to scale personnel across multiple firms. EXAM TIP The term managed security service provider (MSSP) is commonly used to describe organizations that offer security outsourcing functions, such as Check Point, IBM, and Dell SecureWorks. The advantages of an MSSP include security as a core competency, personnel scaling issues (including skill level), and the ability to perform 24/7/365 monitoring despite organizations being spread across regions and time zones.
Network services are not the only aspect of security that can be, and commonly is, outsourced. Additional specialized functions, such as physical security, vulnerability assessments, penetration testing, operational security monitoring, compliance monitoring/ auditing, digital forensics, and a variety of consulting efforts, are common functions found under the guise of security outsourcing. With each of these, the primary reason for outsourcing is the level of professional service a business specializing in these aspects can bring to bear on these technically demanding issues. Many aspects of security can be highly technical, requiring significant levels of skilled personnel who are expensive to acquire and keep trained. Resources such as these are leased rather than owned, and outsourcing provides this form of business relationship. A growing need in business is a combination of incident response and e-discovery. Various external factors such as local, state, and federal regulations—in addition to increased probability and impact of cybersecurity attacks—are driving the technical needs in both of these areas. Growing in-house talent has high cost curves for training and salary needs.
01-ch01.indd 11
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
12
Both of these functions tend to be intermittent in need, and having expensive personnel sitting and waiting for the next need is wasteful and inefficient. Creating partnerships with specialty organizations, and outsourcing these capabilities, are both cost-effective and make good security sense as well.
Acquisitions, Mergers, Divestitures, and Demergers Mergers and acquisitions (M&A) are common in business and frequently involve the merging of common business functions, such as IT, across the newly combined enterprise. Combining security methods across different organizations can be more complicated due to differences in culture, morale, people, processes, and technologies. When this type of event occurs, a complete top-to-bottom security gap assessment needs to be performed to compare and contrast both organizations’ security methods as well as to determine what actions are needed. In many cases, it is not that one business has the final say, but rather the best practices from each are adopted. Upon completion of the merger, an additional gap analysis should be performed on the collective organizations in order that a complete security picture can be established. Another critical aspect associated with mergers and acquisitions occurs during the period while the final negotiations are conducted. This time period, referred to as the due diligence period, is an opportunity for a company to get operational details associated with all critical business functionality. During this period, it is important for the IT and security groups to completely examine the security functions in terms of capabilities and compliance. Significant liabilities are associated with security failures, and these need to be determined and factored into the negotiations. This is also the opportunity to document the security gap between the desired security state and the actual as-observed state. Based on this information, an action plan can be developed to manage the transition after the merger. EXAM TIP When IT groups are being combined during M&A activities, numerous technical details need to be considered and worked out as part of the transition. Different network hardware vendors? Different architectures? Different policies and procedures tied to architecture and vendors? These need to be worked out so that IT transitions are minimally disruptive.
Divestitures and demergers represent a volatile period for the involved organizations. With a divestiture, an organization is selling off one of its business units, whereas demergers are breaking apart two previously combined organizations. Such decoupling may have resulted from government pressures, antitrust legalities, or through a focused rebranding initiative to improve competitive offerings. Assets such as people, technology, and data will potentially stay with one party or leave with the other. The trouble is, particularly in the case of demergers, the organizations share virtually everything—data, software, technology, processes, leadership, customers, and more. Seamlessly divorcing these integrated elements can be very challenging.
01-ch01.indd 12
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
13
PART I
Risk management must be conducted in order to provide assurances that security controls are implemented, or already in place, to prevent ownership issues and deliberate or involuntary data leakage. Data ownership should be established in order to ascertain which organization is the responsible party for the security of that data. Data leakage is a strong possibility due to the difficulty of reviewing all user accounts and data permissions to determine which permissions must be modified or revoked entirely during the divestiture or demerger. The comprehensive revocation of data permissions can be automated through scripts or other orchestration software. Data reclassification processes might be needed in the event of transferring data ownership to another entity. After an organization has comprehensively reviewed and, if necessary, declassified any content that is to be transmitted to the target entity, that content may be safely provided to the other entity. EXAM TIP Know the names of and differences between the different business models and strategies.
Security Concerns of Interconnecting Diverse Industries
Forty-five years ago, few laws or regulations addressed computer security or privacy in electronic data systems and communication. Today, however, multiple laws and regulations are aimed at securing the confidentiality and integrity of data in various sectors. These laws and regulations have arisen out of necessity as the level of connectivity to computer systems and networks has increased at an extremely rapid rate. As organizations within the same sector have realized the benefit of interconnecting to each other, rules have been created to help ensure a consistent level of security exists across the entire sector. Often, these rules and laws have been driven by major significant breaches that have resulted in the loss of sensitive information or services. When organizations are able to stay within the electronic boundaries of the sector in which they reside, it helps them maintain the prescribed level of security as mandated within that sector. In today’s highly interconnected environment, however, we are increasingly seeing organizations interacting with others across different sectors as well. This introduces new security concerns, as each sector will dictate how data is to be handled, transmitted, stored, and disposed of when no longer needed. As organizations cross sector boundaries, the rules governing the new sector may differ in security details, which may result in additional levels of security being required. Because rules often dictate a minimum standard, the impact will generally be felt when the new sector’s requirements are more stringent. Blending the requirements of the two sectors then becomes a matter of ensuring the minimum standards are met for all relevant sectors. There may, however, be times when the blending of the security requirements is not as simple as establishing new minimum standards and will require more elaborate security processes be established. For example, technology trends like Bring Your Own Device (BYOD) may be tolerated by one organization, but regarded as a terminable offense by the other.
01-ch01.indd 13
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
14
Rules, Policies, and Regulations Many international compliance standards exist to enforce security and privacy across the public, private, government, and military sectors. Although the list of standards is too numerous to list here, this section highlights some of the more well-known compliance standards such as HIPAA, GLBA, SOX, FISMA, PCI, and a relative newcomer from the EU called GDPR. Whether you are a hospital, bank, Fortune 500 company, government agency, or a mobile device repair shop at the mall, there are laws that need to be observed. The trick is to review all the requisite laws and standards that affect your organization and then adapt them into the organization’s security policies and procedures. Although the CASP exam does not require an in-depth knowledge of these compliance standards, security practitioners should research these areas in order to know the legal requirements that exist for their respective organizations, and how to fully adhere to them. Failure to demonstrate compliance can lead to heavy fines, organizational shutdown, or even stints in prison. Although most certification resources tend to skimp on these topics, we’ll be providing you with deeper coverage in order to best prepare you for your role as a security practitioner.
Health Insurance Portability and Accountability Act (HIPAA)
An excellent example of a security regulation that has arisen as a result of the desire to make information more accessible by those who need it is the U.S. Health Insurance Portability and Accountability Act (HIPAA). Signed in 1996, this regulation, which provides standards for the management and protection of protected health information (PHI), was the result of the need to make medical records more accessible to doctors when needed. For example, if you go on vacation away from your hometown and have an accident while on your trip, you would want the doctors treating you to know of any medical conditions that might impact their ability to treat you. Thus, you’ll want them to have easy access to your medical records. At the same time, however, you don’t want your personal medical information to be easily obtained by unauthorized parties. This provides for the two contrarian goals of accessibility and privacy—or, put another way, portability and accountability. HIPAA addresses this while prescribing penalties for the individuals or organizations who do not procure the appropriate level of protection for a patient’s PHI. At the time of this writing, the fines can range from $100 to $50,000 per violation (or per record), with a maximum of $1.5 million per year for each violation. NOTE HIPAA is one of the reasons why you’ll notice at hospitals that printers are hidden from customers, front office staff have privacy screens on their monitors, and many of these employees are completely hidden behind walls as they interact with customers. The security and privacy of PHI are paramount here.
HIPAA not only applies to healthcare providers such as hospitals, private practices, hospices, nurseries, and retirement homes, but also educational and even many corporate environments. Medical data is everywhere.
01-ch01.indd 14
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
15
PART I
HIPAA Security Rule The HIPAA Security Rule was created to standardize the protection of PHI. It is divided up into three sets of standards and specifications. Although the CASP exam does not require knowledge of specific HIPAA specifications, HIPAA applies to a broad enough set of organizations to warrant a brief summary of its requirements. These specifications can be referenced for various corporate, on-the-job security implementations. You can review them here: Administrative Safeguards • Security Management Process • Risk Analysis • Risk Management • Sanction Policy • Information System Activity Review • Assigned Security Responsibility • Workforce Security • Authorization and/or Supervision • Workforce Clearance Procedures • Termination Procedures • Information Access Management • Isolating Healthcare Clearinghouse Functions • Access Authorization • Access Establishment and Modification • Security Awareness and Training • Security Reminders • Protection from Malicious Software • Login Monitoring • Password Management • Security Incident Procedures • Response and Reporting • Contingency Plan • Data Backup Plan • Disaster Recovery Plan • Emergency Mode Operation Plan • Testing and Revision Procedure • Applications and Data Criticality Analysis
01-ch01.indd 15
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
16
• Evaluation • Business Associate Contracts and Other Arrangements • Written Contract or Other Arrangement Physical Safeguards • Facility Access Controls • Contingency Operations • Facility Security Plan • Access Control and Validation Procedures • Workstation Use • Workstation Security • Device and Media Controls • Disposal • Media Reuse • Accountability • Data Backup and Storage Technical Safeguards • Access Control • Unique User Identification • Emergency Access Procedure • Automatic Logoff • Encryption and Decryption • Audit Controls • Integrity • Mechanism to Authenticate Electronic Protected Health Information • Person or Entity Authentication • Transmission Security • Integrity Controls • Encryption TIP To learn more about HIPAA security and privacy requirements, review the HIPAA Security Rule and the HIPAA Privacy Rule on the U.S. Department of Health and Human Services (HHS) website at https://www.hhs.gov.
01-ch01.indd 16
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
17
Gramm-Leach-Bliley Act
PART I
The financial sector has also created regulations governing various financial organizations, such as the Gramm-Leach-Bliley Act (GLBA). This is another example of a law whose main purpose is not security or privacy but addresses them as well. GLBA removed restrictions that prevented certain financial institutions from being able to consolidate services such as banking, securities, and insurance. The legislation included provisions mandating policies in financial institutions to protect consumer’s private information (referred to as personally identifiable information, or PII). This protection is provided as per GLBA’s Privacy Rule and Safeguards Rule. The Privacy Rule mandates that financial companies send out annual privacy notices to their consumers regarding what information is collected and with whom it is shared. It also includes consumer opt-out requirements. The Safeguards Rule requires the creation of security policies that include the following criteria:
• Designate one of more employees to coordinate its information security program. • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks. • Design and implement a safeguards program, and regularly monitor and test it. • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information. • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring. NOTE For more information about GLBA’s Privacy Rule and the Safeguards Rule, visit https://www.ftc.gov.
Sarbanes-Oxley Act (SOX)
Another well-known piece of legislation with security overtones is the Sarbanes-Oxley Act (SOX). This law was implemented in 2002, largely in response to corporate account scandals at Enron, WorldCom, Global Crossing, Tyco, and others. To clear up a common misconception, SOX applies not only to publicly held organizations; there are certain portions of it that can also apply to privately held organizations. Among many things, SOX places additional responsibilities on corporations in the areas of internal controls, audits, and disclosures. Its section on internal controls requires management to assess the design and effectiveness of internal controls, understand the flow of transactions (including the IT aspects of transactions), evaluate controls to prevent and detect fraud, and conduct a fraud risk assessment.
01-ch01.indd 17
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
18
Here is a SOX compliance checklist:
• Establish safeguards to prevent data tampering. • Establish safeguards to establish timelines. • Establish verifiable controls to track data access. • Ensure that safeguards are operational. • Periodically report the effectiveness of safeguards. • Detect security breaches. • Disclose security safeguards to SOX auditors. • Disclose security breaches to SOX auditors. • Disclose failures of security safeguards to SOX auditors.
Federal Information Security Management Act (FISMA)
Regulations governing security and privacy are not aimed at industry alone. The U.S. Federal Information Security Management Act (FISMA) sets security standards for U.S. government agencies and systems. Unlike the other legislation described, FISMA is aimed solely at information security. In passing this act, the government acknowledged the importance of information security to the economic and security interests of the nation. The act requires federal agencies to implement an agency-wide program to provide information security for the information and assets owned and processed by the agency. It has resulted in a recognition by agencies of their security responsibilities and encourages a risk-based approach to implement cost-effective security. FISMA compliance requirements include the following categories:
• Inventory of information systems • Categorize information and information systems according to risk level • Security controls • Conduct risk assessments • System security plan • Certification and accreditation • Continuous monitoring
Payment Card Industry Data Security Standard (PCI DSS)
One of the more ubiquitous security standards in everyday business life is the Payment Card Industry Data Security Standard (PCI DSS, or PCI for short). This standard was created by five international credit card companies—American Express, Discover, JCB International, MasterCard and Visa—in order to ensure that all businesses that process card cards protect both the credit card transactions and the card holder data. Because this standard was created by credit card companies, it was not, at least initially, treated as law. However, some states are beginning to refer to PCI in their laws or incorporate
01-ch01.indd 18
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
19
PART I
its components into new laws. Validation of PCI compliance is required annually and must be accomplished by an external assessor for organizations that handle a large volume of transactions. For those who are not required to bring in an external assessor, a self-assessment questionnaire instead is used to validate compliance with the regulations.
PCI Data Security Standard
Here is a summary of the PCI Data Security Standard, which can be viewed in more detail on https://www.pcisecuritystandards.org:
• Build and Maintain a Secure Network • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters • Protect Cardholder Data • Protect stored cardholder data • Encrypt transmission of cardholder data across open, public networks • Maintain a Vulnerability Management Program • Use and regularly update antivirus software or programs • Develop and maintain secure systems and applications • Implement Strong Access Control Measures • Restrict access to cardholder data by business need-to-know • Assign a unique ID to each person with computer access • Restrict physical access to cardholder data • Regularly Monitor and Test Networks • Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes • Maintain an Information Security Policy • Maintain a policy that addresses information security for employees and contractors
EU Directive 2002/58/EC and Directive 2009/136/EC
The U.S. is not alone in its recognition of the importance of electronic security and privacy. The European Union originally issued Directive 2002/58/EC on Privacy and Electronic Communications. Aimed at providers of electronic communications services such as Internet service providers (ISPs) and telecom companies, this directive prescribes the obligations of these providers to offer security for their services, including notifying subscribers of particular risks such as viruses and other major threats. The directive was
01-ch01.indd 19
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
20
later amended by Directive 2009/136—sometimes referred to as the cookie law or cookie directive—which requires a user’s consent before cookies are installed. This helps to align the EU’s online privacy requirements with the rest of its data retention and privacy laws.
EU General Data Protection Regulation
In what promises to be a global juggernaut, the EU’s latest regulation is the General Data Protection Regulation (GDPR), which requires all individuals within the European Union to have their data and privacy protected. Although designed for the European Union, the international distribution of businesses and customers will, circumstantially, extend the GDPR’s reach to the U.S. and other nations. It promises to give consumers more control over their data, in addition to levying stiff fines for noncompliance. According to a 2018 Forrester report, 80 percent of organizations will not comply with the new law. Of that 80 percent, a whopping 50 percent of those companies are expected to deliberately not comply with the law since they believe the cost of compliance will be worse than noncompliance. EXAM TIP Security professionals need to know the various laws and regulations that govern their sector. Of increasing importance is the need to understand additional regulations and how they blend together as organizations cross sector boundaries, resulting in a need to comply with multiple security regulations. This is true no matter what country the organization resides in and can be complicated if the organization not only crosses sectors but international boundaries as well. In today’s highly networked environment, it is not hard for a company in one country to end up conducting business in other countries via the Internet.
Export Controls and Legal Requirements Considering that businesses will occasionally integrate with other businesses in separate nations, we’ll have to consider the legal aspects of exporting data across these transnational borders. Not long ago, cross-border data flows were relatively unrestricted. That began to change in the early 2010s when details of the controversial U.S. global surveillance program (PRISM) were leaked worldwide by Edward Snowden, which sent shockwaves throughout the international community. Many countries began implementing “data-protectionism” measures such as data localization in order to legally prevent certain data types from ever leaving the local country. Commonly blocked data types include financial, personal, and governmental. Those in favor of data localization suggest it protects the interests of the local nation, whereas critics believe it hurts the global economy as well as the cloud computing industry, due to the globally distributed nature of cloud storage. To navigate through the tangle of international data transmissions, businesses may have to first obtain government approval and/or pay a steep price to gain approval. Firms will have to identify which data residency requirements, if any, apply to their data and then, if possible, perform a risk assessment on that data to determine which security controls should be implemented to safely transmit that data to the target country.
01-ch01.indd 20
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
21
PART I
It must also be understood what the target country’s laws and requirements are regarding the data exchange. There may be significant differences between the target nation’s data storage and transmission requirements from that of the sending nation. It is also possible that the data’s country of origin cannot legally delete the data until it is first deleted from the partner country. Due to the murky waters of international data exchange, it is crucial that organizations on all sides of the country boundary have a cross-border data flow agreement in place that defines the transmission, usage, and storage requirements of all respective nations.
Geography, Data Sovereignty, and Jurisdictions Not only must organizations that integrate internationally have a firm grip on source and destination laws and requirements, but individual businesses that have multiple sites across international geographic boundaries must be equally prepared for transnational differences. Until recently, it wasn’t wise for organizations (and governments) to simply assume that the access, controls, disclosures, and e-discovery processes of an organization in one country will have jurisdiction in that same company’s data centers located in other countries. This was a hard-fought topic in the recent United States v. Microsoft court case of 2017–2018. Several years ago, the U.S. government issued a warrant to Microsoft demanding that it turn over information from a suspect’s e-mail account stored in a Microsoft data center in Ireland. Microsoft felt that Ireland’s privacy laws and authorities should have sole discretion of how, or if, the requested data should be disclosed. This is the basic premise behind data sovereignty, which stipulates that once data has been collected on foreign soil, it is subject to the laws of that particular nation. Microsoft refused to comply with the most pertinent portions of the warrant, countering with advice that the U.S. government should directly contact the Ireland authorities to make the data request. The U.S. government wasn’t interested due to concerns that the process for international data requests would take too long. The case concluded with Microsoft not having to fetch the data—that is, until the U.S. government signed a landmark law that changed everything. In 2018, the U.S. government created a bill called the Cloud Act that empowers the government to issue warrants that compel American businesses to pull data from their servers stored in local and international data centers. It appears that the bill will contain some key compromises by both the government and the American businesses whose data is subject to search and seizure overseas. Overall, the U.S. government appears to have gotten most of what it wanted. It is safe to say that the Cloud Act will have enormous repercussions on global data privacy for years to come. TIP Data privacy laws such as GDPR and the Cloud Act are changing the digital privacy landscapes for organizations and consumers in many industries locally and abroad. Research these and any emerging laws in order to have the latest intel on how such laws will affect your organization’s digital privacy. Digital privacy is one of the areas of greatest concern to both businesses and its personnel.
01-ch01.indd 21
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
22
Internal and External Influences
Security is often perceived as a technical issue in the enterprise, yet there are numerous factors that influence the specific aspects of security within the enterprise. Both internal and external sources of security requirements exist, resulting in a potentially complex pathway to navigate. The major sources of security requirements include compliance requirements, internal audit findings, customer requirements, and senior management policy. It is fair to say that such a diverse set of requirements can create conflicting items that need to be managed.
Competitors Businesses frequently bring new products, technologies, and processes to market under the guise that they are listening to their customers. Although this is true enough, such companies are often taking cues from the successful offerings of their competition. Companies do their homework on the competition. Organizations cannot fully understand their industry and target audience without performing competitive intelligence and analysis of the opposition. Beyond profiling the competition’s technology, products, industry, competitors, customers, personnel, strengths, and weaknesses, this reconnaissance also helps ascertain which regulations and requirements the competition must meet. Assuming that the competition’s compliance laws and regulations apply to your organization is a good starting point. Such external influences can indirectly generate ideas as to how your organization can meet and exceed those compliance requirements. Although being “different” in the business world can be a critical competitive differentiator, compliance and regulations humble a business into following a common criterion. Compliance is not the time or place to be different.
Audit Findings The principal method of achieving security through IT processes comes in the form of controls. Security controls come in a wide range of types—from access control lists to security logs, passwords, and so on. A wide variety of sources can be used for determining the requirement of controls, including industry sources, government documents, and specific regulations themselves. A key element in the life cycle of security controls is the use of an audit function to ensure that the controls are properly implemented and effective. Periodic audit reviews of business processes should be performed, and compared against, acceptable thresholds. If the audit results reveal weaknesses or deficiencies in the employment of security controls, we’ll know how much correction is needed. An internal audit is a task that requires a significant amount of subject matter expertise. IT-based internal audits typically cover a much wider basis than just security controls. There are a wide variety of well-known methods to help us conduct an audit, from checklists to industry frameworks. One framework, called the Control Objectives for Information and related Technologies (COBIT) framework, is a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). The COBIT framework provides managers, auditors, and
01-ch01.indd 22
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
23
PART I
users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits from the use of information technology. Internal audits are a tool in the corporate risk management playbook. Their role is to provide independent information concerning the effectiveness of the IT security function as well as verifying that systems from the network layer through the application layer, including processes and procedures, are proper and operating per expectations of management. The role of an IT audit is to assist all levels of the operation, from users to top management, learn and understand how the systems are actually operating. Properly employed, an internal audit program can improve security through awareness at all levels of an organization. NOTE The two main professional societies for internal audit activities are the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA). ISACA has several certification programs related to internal audit and information security: Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified in Governance of Enterprise IT (CGEIT).
Regulatory Entities Technical knowledge may be the driving force behind security innovations, but compliance is the driving force behind security budgets. Compliance efforts are those designed to conform to a set of regulations or legal requirements. Failure against these requirements can range from fines to organizational shutdown and even to jail time; therefore, management needs to pay close attention to these issues. The list of regulations and legal requirements can be long, and is firm specific, but some common sources that hit many organizations are SOX, GLBA, HIPAA/HITECH, and PCI DSS, to name a few. The result of these regulations and requirements is a series of business process requirements that require periodic validation. More information about SOX, GLBA, HIPAA, and PCI DSS can be found earlier in this chapter. EXAM TIP The Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009 (ARRA), widens the scope of privacy and security protections available under HIPAA. It increases the potential legal liability for noncompliance, and it provides for more enforcement. The HITECH Act imposes databreach notification requirements for unauthorized uses and disclosures of unencrypted personal health information (PHI). The HITECH Act extends HIPAA security rules to business associates, including software vendors of electronic medical record systems.
The primary weapon in verifying that an organization is compliant with the growing list of requirements associated with compliance issues is to undergo internal audits.
01-ch01.indd 23
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
24
Internal audits are a business function that involves the verification that business processes comply with requirements and regulations. In the information security space, this commonly involves the verification that specific security controls are in place and functioning. An audit provides a means of measuring compliance and tracking of this activity over time.
Client Requirements Clients and customers can impose security-related requirements on a firm by the nature of their business relationships and the nature of the information passed between them. Information security requirements can be imposed across parties by a variety of mechanisms. One is a contractual requirement, such as imposed in the PCI standard. This set of requirements applies to all parties processing information associated with payment cards. The requirements are imposed by contract, so a firm assumes the related responsibilities when it chooses to handle this type of data. Clients and customers can also add requirements—such as nondisclosure agreements— that govern who is allowed to access specific elements of information. The number of different situations that can lead to client data restrictions or security requirements is too large to even begin to enumerate. The only way to handle these situations in business is through the use of a structured approach to security, where the forms of protection are separated from individual business processes and are built into the infrastructure itself. This allows security functions such as access control groups to manage access to work across specific requirements and makes compliance with complex sets of differing requirements more manageable. Attempting to build individual systems for each relationship is a quick road to an unsustainable set of requirements that will eventually end in failure.
Top-Level Management Top-level management is a key element in an information security program. Executives distribute resources based on perceived business need, so security must compete with marketing, accounting, production, and all other departments. Top-level management also sets directions with respect to business models/strategies. The sum total of all top management decisions has a distinct effect on the information security posture of a firm. For top-level management to make good decisions with respect to information security, it is important that they become aware of the opportunities and consequences associated with decisions and the security posture. The primary challenge in communicating the distinct need of information security with respect to the various business decisions being contemplated is one of language. Most information security professionals have come up through the ranks, with promotions being used as rewards for technical excellence. At the operational end of information security practices, the primary language is one dominated by technical issues. However, the management end uses a different language, one based on risk management. The challenge for information security specialists is in learning to translate their technical vocabulary into a risk management business-oriented vocabulary and lexicon. The value
01-ch01.indd 24
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
25
PART I
inherent in speaking the “business language” is so apparent that executives will often promote business-savvy professionals with limited technical skills into an IT Director/ VP, CIO, or CSO position, as opposed to promoting technically savvy professionals with a more limited business acumen. Failure to properly describe the information security issues in the business language of risk management, opportunities, and challenges will result in top-level management either under-resourcing the information security function or pursuing business opportunities and strategies that possibly impair security or have less of a return because of security and risk issues.
Impact of Deperimeterization
There has been a shift in the design of security associated with networks and information stores. The old way was to build a series of rings of protection, with edge devices controlling access to the information. These rings are denoted in the seven layers of the Defense in Depth model. The outmost layer was referred to as the perimeter and enabled the enterprise to build security as a set of barrier devices. As enterprises have become more complex and hyper-connected, coupled with the advent of cloud computing, mobile devices, and teleworkers, the idea of perimeters has fallen by the wayside. Rather than simply building impregnable walls at the network’s edge, security controls need to follow users and workstations regardless of device type and location, in addition to the resource type and location.
Telecommuting The resultant design after the end of perimeter defenses had initially been the establishment of enclaves—smaller, purpose-specific network segments that can be isolated using items such as next-generation firewalls. This permits not just the use of port-level security, but application-level and user-level access across ports. The current thinking is that the edge of the enterprise now rests in many cases with the user, especially when using a mobile or personal device as a means of connection to company assets. Telecommuters are a rapidly growing worker base that is forcing businesses to rethink their productivity and security methods. Telecommuting creates a need for user awareness and training that empowers the worker to follow security best practices. This is especially true when considering users might be working from personal devices that aren’t as locked down as a business computer. Organizations are addressing configuration standardization issues by implementing powerful cloud-based tools that ensure configurations and applications are reaching the telecommuters anywhere. These cloud-based mobile device management (MDM) tools are benefiting IT and security departments by centrally distributing policies, processes, and configurations to remote workers to ensure security baselines are met regardless of their device type, location, or domain membership status. Traveling personnel are now enjoying the same corporate benefits of data-clean laptops, VPN software, multifactor authentication, drive encryption, and remote backup and wipe capabilities as the users who are tethered to their desktops.
01-ch01.indd 25
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
26
NOTE The terms telecommuting and teleworking are not interchangeable. Telecommuters primarily work from home, whereas teleworkers travel to locations other than the main office, such as branch offices, coffee shops, libraries, and customer sites.
Cloud Like many things in life, cloud computing’s strengths and weaknesses are often the same thing. For example, advocates often applaud cloud computing’s ability to provide users with external and ubiquitous access to its resources anywhere, any time, from virtually any device. Those same businesses might also complain that the IT resources, applications, data, and controls are—wait for it—external. It’s true that organizations won’t have the same degree of control over Internet-based cloud resources as they would within their on-premises environment. The good news is that major cloud providers like Microsoft, Amazon, IBM, and Google are intelligently chasing down the compliance accreditations in order to persuade cloud computing critics to take a chance. For example, the Microsoft Cloud products meet dozens of compliance laws and standards, including ISO, HIPAA, DoD, IRS, NIST, FedRAMP, EU Model Clauses, GLBA, and SOX. In fact, Microsoft claims to have the most compliance accreditations out of all cloud providers. The trick is going to be integrating the applicable compliance laws into your organization’s risk management and security policies so that you can minimize the risks associated with the boundary no longer being completely under your organization’s control. By meeting various compliance laws, it would seem that cloud computing is capable of far more resource management, monitoring, and auditing capabilities than previously thought. That is good news indeed!
Mobile and Bring Your Own Device (BYOD) Bring Your Own Device (BYOD) is a concept where users choose and buy any mobile device they want, and then bring them into the workplace to access organizational resources. Corporate Owned Personally Enabled (COPE) devices introduce a situation where corporations buy devices but employees use them for personal and business needs. Choose Your Own Device (CYOD) enables a business to publish a limited list of devices that employees can buy. This allows businesses to limit the disparity of devices to support yet gives employees some level of choice. Employees and businesses experience a mutual benefit with CYOD. Smartphones and tablets have caused this phenomenon to sweep across numerous industries. It would seem that BYOD is, at best, a bittersweet pill to swallow. On the one hand, many organizations appreciate their employees heaping the several-hundred-dollar cost per mobile device onto themselves. They also benefit from a reduction in training costs due to individuals choosing their devices and practicing with them nonstop. Yet, this does nothing for the malicious software that mobile devices may bring into the organization (ingress) and the confidential data that might be extracted from the organization (egress), not to mention the wide variety of Android, iOS, and Windows OS versions and device types that inevitably lead to inconsistencies with policy, configuration, access control, and more. Specific ownership of the device does not alter the security equation.
01-ch01.indd 26
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
27
PART I
Regulations such as HIPAA and Sarbanes-Oxley do not regulate the device but rather the security of the information. This places some unique policy issues in front of firms that allow BYOD. The responsibility to protect the information still rests with the firm, so this means that issues such as patching and running security utilities on devices that are owned, operated, and managed by individual employees must be addressed and managed. The new wireless devices have led to the concept of cloud-based mobile device management tools, which allow remote application installation, configuration deployment, security standardization, inventories, patching, remote management, antimalware scans, and alert/log management. This approach is similar to the one employed by BlackBerry’s BlackBerry Enterprise Server (BES) when connecting BlackBerries to a corporate network.
Outsourcing As discussed earlier, outsourcing can bring a lot of value to a business. However, like cloud computing, outsourcing forces an organization to surrender its usual control over policies and security controls. The outsourcing consumer must investigate the risk management processes, policies, and procedures of the outsourcing provider. Two organizations rarely have the same security posture; therefore, organizations must perform their due diligence before signing on the dotted line. You do not want to place mission-critical, sensitive, and confidential materials on an uncertain provider’s infrastructure.
Ensuring Third-Party Providers Have Requisite Levels of Information Security Clearly, the organizational boundary is everywhere and nowhere at the same time. Organizations have to contend with the conflicting scenarios of managing the business assets that are in-house—and on personal devices—coupled with the limited management control over content stored with cloud computing and outsourcing providers. In the case of cloud computing and outsourcing providers, our organization must first do its homework. The following are good questions to ask the cloud or outsourcing provider:
• Does your organization have a security awareness and training program? • Does your organization encrypt data at rest, in use, and in transit? • Does your organization utilize multifactor authentication? • Is your organization accredited by any compliance and standards organizations? • Does your organization have a business continuity plan and disaster recovery plan? • What is your organization’s availability/uptime statistics per quarter and annually? • Does your organization conduct vulnerability assessments and penetrating testing? • Does your organization have an incident response plan (IRP)? • How will we be compensated if you don’t uphold SLA requirements? • Will you outsource any of our information to your own outsourcing providers? • What level of access to audit logs will we have?
01-ch01.indd 27
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
28
Enterprise Standard Operating Environment An enterprise standard operating environment is an architected, prearranged set of configurations designed to include operating systems, applications, and associated configurations. Standardizing operating environments leads to a reduction in variation and complexity and assists in the efficient operation of an enterprise. Complexity can be an enemy of security because overly complex systems require complex arrangements of security functions to ensure security attributes can be managed in spite of system setup parameters. There are several distinct areas where standardized environments make business sense. In server environments, whether clustered or farmed, having identical configurations among like machines makes it easier to manage all administrative tasks by standard operating procedure (SOP) and to automate common administrative functions. This results in a reduction of workload associated with the deployment, maintenance, and securing of systems. Repeatable processes are also easier to manage from a riskbased approach because the risks can be calculated in a repeating fashion, thus reducing variability. Another environment that can take advantage of the characteristics of standard operating environments is the business desktop. Developing a standard business desktop environment makes the management of large numbers of individual machines a process that can be automated and managed efficiently. Even if there are a few different classes in the standard environment—for example, a power user desktop, an ordinary desktop, and a laptop configuration—managing a small number is highly advantageous over managing a number that would otherwise approach the number of machines. Such standardization also benefits Corporate Owned Personally Enabled (COPE) mobile devices, which, as the name implies, were purchased by a business but provided to the user for professional and nonprofessional usage.
Personally Managed Devices Personally managed devices bring convenience to end users. An old axiom is that when security meets convenience, convenience always wins—and this is still evident in many business environments. An important point to consider regarding personally managed devices is the usage of the local administrator or root account. A local administrator account is similar to a Microsoft Active Directory (AD) domain administrator account because it provides the functions of an administrator account, except it only affects the local machine as opposed to the entire company AD domain. This provides the ability for local users to run programs that require administrator access, installing and removing programs, accessing files, and enabling or disabling services. Local administrative rights allow a user a great degree of flexibility in a wide range of functions that would normally require central IT to administer. Local administrator accounts make some functions easier for users, but they also make malware attacks easier and more damaging. If a user falls prey to a malware attack and the user has local administrator privileges, then so does the malware.
01-ch01.indd 28
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
29
PART I
NOTE You should assume that if you are logged in as an administrator or root account, any malware on your device also has administrative privileges. This is why Linux administrators typically log on with a standard user account and, only when needed, run the su command to switch the user to a root account. The Linux sudo command can also be configured to allow regular users to run commands with elevated permissions without providing root credentials to users. Microsoft has since added a similar feature in Windows called User Account Control (UAC). Most people find UAC intrusive and often, unnecessarily, shut it off. Yes, the prompts do come up at inopportune times, but you must remember that good security is usually going to be a little bit annoying.
Although the malware likely only has administrative access to the local machine, it can still make significant changes to the local box. In the age of sophisticated malware, the effects of an attack may not be immediately visible to the end user, and information can be stolen and migrated from an infected machine. For this reason, it is a recommended security practice to not allow local administrative accounts, or, at most, use them sparingly. As more and more workers desire to work from their home PCs—either as part of telecommuting or just doing work that spills over into family time—some security concerns arise. Where will the data be stored? Will it exist outside the enterprise network, and, if so, what protections and tracking will be afforded to the specific data? The two main threats are data leakage from a personal device and the infiltration of viruses and malware from home machines back into the corporate network.
Merging SOE and Personal Device Networks As corporate enterprise networks have to address the growing trend of personally owned devices—and support their access to enterprise data—several issues become apparent. How does one integrate these two network structures (enterprise SOE is uniform; BYOD is diverse) with respect to policies and procedures? There are several approaches, each with advantages and disadvantages. First, the mobile devices can be connected via their own network structure, limiting access between the two networks in a manner so that traffic can be monitored and controlled. Second, these devices can be controlled via network access technologies that ensure specific levels of protection. VMware’s Airwatch, Microsoft Intune, Mobile Iron, and MaaS360 are all great MDM solutions for synergizing the mobile and personal devices into the organizational environment. Lastly, the devices can be configured not to store data, thus leaving all data on the enterprise servers. TIP Check out “The Best Mobile Device Management (MDM) Solutions” on the PCMag website. It provides an excellent and easy-to-follow ranking table of well-known MDM solutions.
01-ch01.indd 29
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
30
Chapter Review
Although this wasn’t the most exciting chapter you’ve ever read, we cannot overstate its importance. CompTIA put risk management as the first domain in the exam objectives for good reason. Risk management give us a 30,000-foot perspective that allows us to see the organizational and security “big picture.” We devoted several sections that summarized business and industry influences, in addition to the associated security risks. This allowed us to ask, and answer, the vital question, “What does a security practitioner do?” The answer is to reduce risks to the extent possible so that businesses can successfully focus on their core competencies and achieve their business objectives. Before we get into all the nitty-gritty on risks, threats, vulnerabilities, and security controls covered in later chapters, we start by looking out the airplane window and understanding the various security-related battlegrounds from high-up. We covered risk management of new products, technologies, and user behaviors in order to show how organizations should systematically and securely deal with internal changes. We covered new or changing business models and strategies, such as partnerships, outsourcing, cloud computing, acquisitions, mergers, divestitures, and demergers, because organizations are in a constant state of flux and their eventual growth, or shrinkage, must factor in the necessary security documentation, requirements, processes, responsibilities, and ownership of shared data and assets. We also talked about how data ownership and data reclassification situations can arise whenever organizations must conduct business with entities that are domestic and international. More national and transnational considerations were discussed in the sections about integrating diverse industries, including rules, policies, regulations, export controls, legal requirements, geography, data sovereignty, and jurisdictions. Like business models, these requirements also help shape security agreements, processes, and expectations for organizations with a global footprint. Next, we talked about the influence of competitors, auditors and audit findings, regulatory entities, client requirements, and top-level management. Clearly, security requirements can come from many directions, both internally and externally; therefore, we must consider the security requirements that stem from these sources. Lastly, we talked about the impact of deperimeterization coming from telecommuting, cloud computing, mobile devices, BYOD, and outsourcing. As we’ve seen, security boundaries now go wherever the user goes; therefore, consistent and strict security controls must also follow those users. Chapter 2 will take the airplane down a few thousand feet by comparing and contrasting security, privacy policies, and procedures based on organizational requirements.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
01-ch01.indd 30
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
31
• Measurement of information security issues at management levels is in the framework of risk management, not technical indicators. • Risk management involves the identification, assessment, analyzation, and mitigation of risks. • Risk profiles represent a cross-section of an organization’s comfort level of which risks it will and will not tolerate. • Risk management measures the effect of security on business objectives as opposed to technical objectives. • Today’s security practitioners must consider both business objectives and security objectives. • NIST is a U.S. government agency that develops a formal series of special publications that detail policies, procedures, and guidelines for the security of federal computer devices. • NIST has published its own Risk Management Framework (RMF), which is described by six unique stages. These stages are detailed in NIST SP 800-39: Managing Information Security Risk. They include Categorize, Select, Implement, Assess, Authorize, and Monitor regarding security controls. • ISO is the world’s largest standards organization, and it creates standards for many industries, including security and technology. • Both NIST and ISO are able to provide official accreditation to organizations for demonstrating compliance with particular standards and guidelines.
PART I
Risk Management of New Products, New Technologies, and User Behaviors
New or Changing Business Models and Strategies • Many partnership business models involve the exchange of information, making information security requirements a cross-business issue. • Business models influence how personnel are employed and whether to rely on in-house expertise or offshore talent. • Partnerships are either formal or informal. • Partners share in the operational responsibility as well as the profits and liabilities associated with a business. • Policies associated with the use of information by a partner need to be determined in advance, along with customer notifications and approvals. • The sharing of customer data with other parties is governed by notification of business purpose and, in the EU, customer consent (opt-in). • Cloud computing helps organizations reduce their costs and improve productivity by utilizing the applications, accessibility, storage, availability, and scalability benefits provided by Internet-based cloud companies.
01-ch01.indd 31
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
32
• Organizations must determine the risk management and assessment processes the cloud provider implements prior to signing an agreement. • Service level agreements are a great place to learn about the service offerings and promises of a cloud, outsourcing, or other provider. • As business processes become global, the outsourcing of business functions is becoming more common, including information security activities. • Mergers and acquisitions can result in changes to many business processes, including information security processes, requiring careful attention during due diligence periods. • Managed security services involve the outsourcing of security and network services. This includes physical security, vulnerability assessments, penetration testing, operational security monitoring, compliance monitoring/auditing, digital forensics, and a variety of consulting efforts.
Security Concerns of Interconnecting Diverse Industries • Various laws and regulations have been created to enforce confidentiality, integrity, and availability requirements on organizations within a sector and across sectors. • HIPAA is a healthcare regulation which provides standards for the management and protection of protected health information (PHI). • The HIPAA Security Rule was created to standardize the protection of PHI. It requires administrative, physical, and technical safeguards. • GLBA includes provisions for financial organizations to protect the privacy of customer data. The Safeguards Rule and Privacy Rule carry out these requirements. • SOX mandates corporations to implement various internal controls, auditing and disclosure practices. It was created to protect businesses, investors, and customers from corporate scandals. • FISMA is aimed at government agencies for the sole purpose of enforcing various security requirements on government networks and devices. • PCI DSS requires all organizations that process payment cards to protect both the transactions and the card holder data. • European Union Directive 2002/58/EC and Directive 2009/136/EC require telecommunications and Internet service providers to offer security for their services which include notifications to customers of security threats. • GDPR improves upon the security and privacy practices of EU customer data. It will have influence outside of the EU due to organizations having international locations. • Organizations with international partnerships and locations will need to consider local and foreign export requirements.
01-ch01.indd 32
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
33
Internal and External Influences PART I
• Compliance with external regulations constitutes a major security initiative. • Analysis of competitors will improve organizational awareness of security standards, procedures, guidelines, and best practices. • An internal audit can function to verify compliance with internal and external security requirements, providing management with feedback on risk management efforts. • The COBIT framework provides managers, auditors, and users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits from the use of information technology. • HITECH widens the scope of privacy and security protections available under HIPAA. • Client and customer data security requirements can result in security requirements in the enterprise. • Top-level management evaluates security using a risk management mindset, which differs from the technical mindset seen closer to security operations.
Impact of Deperimeterization • Organizational boundaries have moved from the edge network to wherever the user’s device is. This includes the edge network, cloud computing environment, Wi-Fi network, the user’s at-home network, or networks accessed while traveling. • Telecommuters primarily work from home, whereas teleworkers travel to non-main office locations like branch offices or customer sites. • Cloud computing has extended organizational networks, applications, and data onto the Internet, thereby providing ubiquitous access to data at any time, from any device, from anywhere. • Personally owned devices, especially in the mobile data access arena, are a form of the new perimeter that extends beyond corporate control, making users the new perimeter. • BYOD allows users to choose and buy any mobile device they want, and then bring them into the workplace to access organizational resources. • COPE is a situation where corporations buy devices but employees use them for personal and business needs. • CYOD enables a business to publish a limited list of devices that employees can buy. This allows businesses to limit the disparity of devices to support yet gives employees some level of choice. • Enterprise standard operating environments reduce complexity, improve security, and reduce resource requirements for operations.
01-ch01.indd 33
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
34
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Risk management is an approach to information security that is built upon which elements? (Choose all that apply.) A. Security controls B. Policy C. Internal audit D. FISMA
2. Which of the following represent the correct order of steps for risk management? A. Assessment, Identification, Analyzation, Mitigation B. Designing, Assessing, Analyzation, Mitigation C. Planning, Assessing, Analyzation, Mitigation D. Identification, Assessment, Analyzation, Mitigation
3. Which new technologies represent the greatest set of risks to a business? (Choose two.) A. Smartphones B. Social media C. Virtualization D. Cloud computing
4. Audit findings can be best described as which of the following? A. A method to facilitate improvements in the security system B. An obligation of a firm to its shareholders C. A management tool to drive change D. A tool to reduce risk in the enterprise
5. An organization is looking to sell off a large piece of its business, which will then function as a separate organization. Both entities will need to ensure that proper security requirements are met on both sides. Which of the following options best describes this scenario? A. Deperimeterization B. Demerger C. Divestiture D. Deregulation
01-ch01.indd 34
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
35
A. Deperimeterization
PART I
6. An American corporation has a data center in Paris. If the U.S. government issues a warrant to the corporation demanding that it turn over information stored in the Paris data center, the corporation might refuse on grounds that Paris has legal control over data stored on those servers. Which two answers best describe this situation? B. Data sovereignty C. Common criteria D. Jurisdiction
7. When managing risk associated with IT security, which of the following options are available? (Choose all that apply.) A. Acceptance B. Reduction C. Sharing D. Outsourcing
8. New technology can introduce risk to an enterprise. Which of the following describes significant risks associated with employee-owned devices, smartphones, and tablets? A. These devices can extend network boundaries. B. These devices can be used to steal data. C. These devices are next to impossible to secure. D. These devices are concentrated within senior management who have greater
levels of access. 9. You are expecting visitors from a local research university who are partnering with your firm in a new product development effort. What documents will be executed before any substantive discussions occur between the parties? A. BPA B. MOU C. SLA D. NDA 10. You have been notified by management that your firm is acquiring a small, specialized forensics firm. Your firm is public; the small firm is private. You intend to operate the small forensics firm as an independent firm. It has a small group of clients, built on a solid reputation. Which regulations will require examination before the acquisition? A. HIPAA/HITECH B. Sarbanes-Oxley Act (SOX) C. FISMA D. CAN SPAM
01-ch01.indd 35
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
36
11. An internal audit can provide management information with respect to the efficacy of security controls. Which documents can provide baseline guidance? (Choose all that apply.) A. FISMA B. COBIT C. Consensus Audit Guidelines D. NIST SP 800-53
12. Your desktop machines (numbering 50) are getting old, and management has approved a replacement plan. You presented a solution based on an enterprise standard operating environment. You promoted this solution for what reasons? (Choose all that apply.) A. Cost savings from buying in bulk. B. Operational savings from a single environment. C. Improved security from a single environment. D. Reduced bickering over who has a better machine.
13. Deperimeterization is an acknowledgment that: A. Mobile access devices make edge-based protection impractical by itself. B. Networks are dynamic and not defined as static structures. C. Firewalls are no longer effective. D. Insider threats make boundary security no longer relevant.
14. Internal audits are a useful tool for ensuring which of the following? A. Management has budgeted the correct amount of resources for security. B. Regulatory-mandated security controls are effective in eliminating risk. C. The PCI DSS standard is effective at securing credit card data. D. Security controls are effectively deployed.
15. The sharing of customer data with third-party business partners is permitted under which of the following? A. Opt-in provisions of the EU Data Protection Directive B. An MOU between the firm and a third-party firm C. An SLA between the firm and a third-party partner D. A business partnership agreement
16. Outsourcing of security operations can be advantageous for which of the following reasons? A. An outsource firm can take advantage of issues of scale with respect to
information, workers, and so on. B. Managed security services are cheaper because of competition in the marketplace.
01-ch01.indd 36
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
37
C. Specialized services such as forensics require expertise only large firms
01-ch01.indd 37
PART I
can provide. D. Managed security service providers can provide 24/7/365 operations. 17. The HITECH Act imposes what additional restrictions on HIPAA-related data? (Choose all that apply.) A. Imposes data-breach notification requirements B. Increases enforcement through industry self-monitoring efforts C. Extends coverage requirements to software vendors of electronic healthcare record systems D. Limits elements considered to be personal health information (PHI) 18. Risk is defined as: A. The expected annual loss from unforeseen problems B. A level of loss that cannot be avoided C. The loss associated with threats against system vulnerabilities D. Costs from inadequate security 19. To calculate risk, one needs to know which elements? (Choose all that apply.) A. The chance of a threat occurring B. The exposure of a business asset or value to a threat C. The cost of the security control mitigating a threat D. The level of loss that can be transferred to other parties 20. What value does risk analysis provide to management? (Choose all that apply.) A. Quantifies the impact of the threat source B. Supports budgeting for security C. Determines responsibility with respect to losses D. Allows for the adjusting of security policy 21. Cloud computing has an impact on the security posture of an organization. Which of the following is not a risk associated with cloud computing? A. Regulatory requirements (for example, HIPAA/HITECH) associated with the data stored in the cloud B. Backup provisions for the data stored in the cloud C. Business viability of the cloud provider D. Where the data is actually stored (location, country, and so on)
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
38
22. A firm is looking at adopting a telecommuting policy for many of its workers. Which of the following risks are likely and need to be specifically addressed? (Choose all that apply.) A. The risk of data leakage from data being on a home PC B. The costs associated with data transfers between work and home C. The employee stealing or tampering with data when on home equipment D. The risk of malware from a home PC entering the work network
23. Which of the following statements are true concerning compliance? (Choose all that apply.) A. Indicates that a firm’s actions are aligned with its own internal policies B. Indicates that a firm’s actions are aligned with the laws and regulations C. Indicates security functionality is sufficient D. Is a result of an effective internal audit program
Answers 1. A, C. A risk management framework is built around security controls (A) and audits (C). 2. D. Identification, Assessment, Analyzation, Mitigation is the correct answer. 3. A, D. Smartphones (A) present a significant risk to businesses due to the dual threat of smartphones bringing malicious content into the company, and sensitive data being extracted from the company. Cloud computing (D) imposes several sources of risk because it is typically located outside the enterprise and can involve data leaving the enterprise’s direct control. 4. A. Audit findings can and should be used to improve security control effectiveness in the enterprise. 5. C. Divestiture takes place when an organization sells off one of its business units. 6. B, D. Data sovereignty (B) and jurisdiction (D) specify that once data has been collected on foreign soil, it is subject to the laws of the foreign nation. 7. A, B, C, D. Acceptance (A) is one of four options and is necessary for residual risk. Reduction (B) is a term that is synonymous with mitigation or the application of security controls. Sharing (C) and outsourcing (D) are both forms of transference—risks can be shared with partners or outsourced. 8. A. Mobile devices that connect to the network and can access data effectively shift the perimeter of the network to the device. 9. D. A nondisclosure agreement (NDA) will be executed before any sharing of information occurs, specifically to limit accidental loss of confidential information.
01-ch01.indd 38
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
Chapter 1: Security Influences and Risk
39
11. B, C, D. COBIT (B) is a framework for control objectives in an IT environment. The Consensus Audit Guidelines (C) are a list of the top 20 security controls. NIST SP 800-53 (D) is a collection of hundreds of security controls.
PART I
10. B. The Sarbanes-Oxley Act (SOX) is the set of regulations associated with information security, financial reporting, and public companies. Because the new firm is private, its processes may not be compliant, so attention may be needed in this area.
12. B, C. Having a monoculture environment for hardware and software (B) makes automation of many administrative tasks an efficient option, lowering operational costs and improving security. Although a single monoculture environment is not naturally more secure and may in fact suffer if it has some systematic failure because there is no diversity and all machines would be affected, it can be made more secure with unified operational policies and procedures (C). 13. A. The rise of smartphones and tablets that consume corporate data and interface with operational systems has made the concept of perimeter security a topic without specific bounds. The use of Bring Your Own Device has furthered the issues of a perimeter, forcing security to focus on the information, not the perimeter. You cannot rely on the perimeter for security anymore. 14. D. Internal audits alert all levels of management to the effectiveness of security controls as deployed in the enterprise. 15. A. All data interactions with customers located in the EU are under the regulation of the EU Data Protection Directive, and the standard is based on opt-in by the customer for all sharing. 16. A. Outsourcing of security functionality is advantageous when a firm does not have the appropriate scale of operations to handle worker retention, training, information update exposure, specialized skills, and 24/7/365 coverage. 17. A, C. The HITECH Act imposes new expanded data-breach notification requirements on affected firms (A). It also extends the coverage of information to business associates, including vendors supplying EMR software solutions (C). 18. C. Risk is defined as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization” (ISO/IEC 27005:2008). 19. A, B. Risk is defined as the probability of a threat being manifested (A) and its effectiveness against a business asset (B). 20. A, B, D. Risk analysis is responsible for quantifying the risk profile associated with the specific risk (A). Risk analysis can also provide input into security operations and a firm’s ability to control its computer-stored information (B). It also allows for adjusting of policies and procedures to keep the business aligned with changes needed to adequately secure the information (D).
01-ch01.indd 39
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 1
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
40
21. A. Regulatory requirements associated with the securing of data are for the most part technology and implementation methodology neutral. Data should always be encrypted in the cloud, and where data is stored does not relieve a firm of its protection requirements. 22. A, D. Data leakage from data left on a home PC is a concern (A) as well as the patch level and antivirus/antispyware/malware protection elements wherever the data is stored (D). 23. A, B. Compliance means that an organization must fulfill the requirements of its own internal policies (A) as well as those imposed by external bodies in the form of regulations and legal requirements (B).
01-ch01.indd 40
11/03/19 3:10 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CHAPTER
Security Policies and Procedures
2
This chapter presents the following topics: • Policy and process life cycle management • Support legal compliance and advocacy by partnering with human resources, legal, management, and other entities • Understand common business documents to support security • Research security requirements for contracts • Understand general privacy principles for sensitive information • Support the development of policies containing standard security practices
The further one delves into the advanced principles of security, the more apparent it becomes that security goes far beyond the boots-on-the-ground stuff like cryptography, firewalls, packet sniffers, complex passwords, and locked doors. Security practitioners spend a lot of time fussing over the managerial and regulatory aspects such as security policies, process life cycles, business documents, contracts, and privacy requirements. Similar to how the U.S. Constitution methodically lays out various laws for the country, security policies carefully define the intentions and requirements for securing the information, resources, facilities, and people of an organization. This would be challenging enough even if businesses, industries, laws, and regulations weren’t in a constant state of change. Organizations are forced to evolve on operational, tactical, and strategic levels due to various internal and exchange changes. For today’s organizations to sustain the successful delivery of their business objectives, organizations will need to approach security with the same top-down documents and methodologies like that of governance. In this chapter, we’re going to dive into security policies, privacy principles, and procedures based on company requirements. We must also consider life cycle management for the security policies based on the inevitable changes to the organization, its technology, customers, and the regulatory environment. The demands placed on organizations are more complex and mission-critical than ever; therefore, security practitioners must work closely with human resources, legal departments, and management to create and enforce a “culture of security” from the top-down. With the help of decision makers, we will
41
02-ch02.indd 41
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
42
craft various security business documents to ensure that everyone understands what is expected of them, the organization, and all other parties. Taking this top-down approach to security, organizations will be steered by upper management for not only the achievement of business objectives but also security objectives.
Policy and Process Life Cycle Management
Important in any organization’s approach to implementing security are the policies, processes, standards, guidelines, procedures, and baselines used to detail what users and administrators should be doing to maintain the security of the environment. Collectively, these documents communicate the requirements and methods needed to determine how security will be implemented throughout an organization. They are inspired by various internal and external influences, including local, state, and federal regulations, competition, auditors, customers, business partnerships, and even international laws. Security policies have to account for a lot of moving parts, including the following:
• Organizations are always changing. • New technologies are constantly being added or modified. • Employees come and go. • New roles and responsibilities are created. • New local, state, federal, and international laws are being created. • Hackers are multiplying in number, scope, and skill at an alarming rate. In order for businesses to deal with these intricacies, they’ll need a little help from their executive friends. Taking a top-down approach to security will require decision makers, and other departments, to collectively evangelize the integration of security into all business processes and objectives. If upper management cares about security, it’ll go a long way in getting the rest of the organizational staff to go along.
Policies Security policies are documents that provide the foundation for organizational security goals. They provide information and high-level guidance to all parties in an organization with respect to the goals and objectives associated with a specific aspect of the business. Depending on the organization, security policies may number in the dozens or more. With each security policy, a life cycle exists to manage the policy through creation, implementation, and its eventual retirement, as noted next. Several steps are involved in policy life cycles: 1. Perform a risk assessment to identify risks to organizational assets. 2. Utilize policy templates to guide policy creation. 3. Seek policy input from executives and other stakeholders. 4. Establish penalties for policy violations.
02-ch02.indd 42
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
43
5. Publish the policy to all employees in the organization. 7. Utilize technology to enforce policies whenever possible. 8. Educate staff about the policy contents.
PART I
6. Ensure staff members read, understand, and sign the policy.
9. Schedule reviews for the policy on an annual or semi-annual basis. 10. Retire the policy when it’s no longer applicable.
As a general principle, the internal policies created by organizations are a reflection of the external laws and regulations that apply to the organization. When you are creating security policies, it is important that the policies fully comply with any pertinent laws and regulations; otherwise, you risk running afoul of the law. Since executives should understand the legal aspects that affect the business, seek their input and gain their approval before publishing the policy company-wide. Also, don’t forget to review the policies every once in a while. Policy reviews should be conducted at least once or twice a year to ensure they remain relevant in your environment. Businesses change often enough to invalidate certain aspects of security policies; plus, the regulatory environment is rarely stationary. In fact, the policies should include a section that explicitly requires scheduled reviews to ensure compliance.
Policy Types Before we dive into the numerous examples of security policies, it is important to cover how security policies are categorized. Understanding these categories will help you to adopt a big-picture perspective on the (seemingly) endless supply of security policies. These categories vary in terms of the scope of the policy (what it affects) as well as the enforceability of the policy (requirements versus recommendations):
• Organizational policies These policies focus on matters that relate to all aspects of an organization. They are umbrella policies that encapsulate the business as a whole. • System-specific policies These policies focus on specific computers or network systems as well as the necessary security controls that protect them. • Issue-specific policies These policies focus only on specific organizational issues such as department issues, business products and processes, and others. They are not concerned with the overall organization, nor do they target specific computer and network systems. EXAM TIP Be aware of regulatory, advisory, and informative policy categories, too. Regulatory policies ensure that organizations are following the legal requirements of a compliance law. Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Informative policies are gentle recommendations or reminders for employees to consider.
02-ch02.indd 43
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
44
Now that we talked about how security policies are categorized, we’re going to dig into examples of actual security policies. Most study resources only provide a handful of examples and move on. This All-In-One exam guide goes the extra mile in listing out a great many of the most popular security policies so that you are not only better prepared for the exam but also for the security field itself. Once we’ve sufficiently covered examples of policies, we’ll discuss the remaining building blocks of policies which include standards, guidelines, processes, procedures, and baselines.
Acceptable Encryption Policy
Organizations may use this policy to detail the requirements that cryptographic algorithms—also known as ciphers—must meet in order to be trusted for use within the organization. These requirements may include whether or not an algorithm has widespread usage in the field, the existence of published studies, and peer reviews. Such policies should also mandate that only well-known algorithms should be used, and to avoid all “home-grown” algorithms. This is important because some individuals mistakenly feel that utilizing a self-made algorithm is superior to well-known algorithms due to their inherent obscurity. This logic suggests that if no one has ever heard of an algorithm, then no one will attack it—or know how to. This is not only untrue but a dangerous assumption to make. Attackers will generally be able to reverseengineer a self-made cryptographic algorithm with relative ease due to its lack of depth and complexity. NOTE Examples of popular cryptographic algorithms include DES, 3DES, RC4, AES, RSA, MD5, SHA1, and SHA2. For more information, see Chapter 15.
Acceptable Use Policy
An acceptable use policy (AUP) is a popular policy that documents all of the acceptable and unacceptable uses of computers, networks, and data. Like with most policies, employees are expected to read, understand, consent to, and sign the AUP. Organizations rely heavily on this to limit their liability. Failure to sign this document will likely lead to immediate termination. Plus, users aren’t expected to be able to access computer resources until their signature has been received. Failure to abide by all the requirements of the AUP will possibly result in the disciplinary actions indicated in the policy. TIP The SANS Institute is a fantastic resource for publicly available security policy templates. Visit the SANS website to download templates and then brand and personalize them to fit your organizational needs. You’ll notice that the security policies of many organizations tend to look alike. That is because they typically source the security policy templates from the same Internet sites as others!
02-ch02.indd 44
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
45
Access Control Policy
PART I
This critical policy specifies the resources that require protection, the methods of protection, and the individuals, roles, or clearance levels that are to be granted access. It also defines circumstances in which special access can be granted, including the “need-toknow” scenarios, conflicts of interest, authority demands, and others. Access control is often centered around access control lists (ACLs), which can vary in meaning based on file system, networking, or database contexts. In security jargon, we will often substitute “subject” for a user and “object” for a resource. In simple terms, security subjects access security objects. In general, we define an ACL as a list that describes the permissions granted to users of a resource. The access control policy may also outline the usage of one or more access control methods, which are defined next. Discretionary Access Control (DAC) This common access control method describes how the owner of an object determines which subjects can access the object—and to what degree. In other words, access control is at the owner’s “discretion.” The Windows NTFS file system is a good example of discretionary access control since it utilizes the concept of file/folder owners. NOTE In Windows, the creator of a file/folder is the default owner, hence the built-in system group called Creator Owners. When users create a file or folder object, Windows automatically makes them a member of the Creator Owners group for that object. These owners—who might be ordinary end users—have the powerful ability to change permissions for their owned objects. In order to prevent end users from abusing this discretionary privilege, Administrators have the ability to “take ownership” away from the original Creator Owners in order to become the new owners. Inevitably, Administrators are likely to become the owners of everything.
Role-Based Access Control (RBAC) Becoming increasingly popular, this access control method uses an organizational or departmental role to determine the access granted to individuals. Rather than leave it to the self-governing discretion of an object owner, the company role that an individual belongs to is used to determine access. For example, Sales users are added to the Sales department role, and the Sales department role is granted “read” access to the Sales folder. Neither the users, the owners, nor the resources determine access. This allows greater consistency and predictability of access since roles are well-defined across many groups of people. Mandatory Access Control (MAC) Frequently used by the military and other highsecurity environments, mandatory access control often revolves around the usage of security clearance levels of subjects as well as the sensitivity or classification labels of objects. In other words, certain airmen, marines, sailors, or soldiers have the required clearance level to access materials that have a Confidential security classification.
02-ch02.indd 45
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
46
EXAM TIP Mandatory access control is generally considered to be the strongest access control method, hence its frequent usage in government and military environments.
Rule-Based Access Control This access control method is focused on implementing standardized rules for all users of a system rather than customizing the rules to the users, as with DAC. For example, a network appliance such as a router or firewall will utilize high-level packet-filtering rules that apply to everyone. Put another way, these rules are focused on situations, not individuals.
Acquisition Assessment Policy
This policy defines the roles, responsibilities, and processes for organizations that have acquired another organization. It may mandate security onboarding processes, training requirements for all parties, security reviews, background checks, reviews of laws and regulations, and offboarding processes should acquisitions be reversed in the future.
Clean Desk Policy
Although its important enough for your work area to be aesthetically clean, that is not what this policy is referring to. Our work areas often have sensitive materials in plain sight, such as passwords on sticky notes as well as paperwork with personally identifiable information (PII), including names, phone numbers, e-mail addresses, Social Security numbers, account numbers, credit card details, medical records, intellectual property, trade secrets, religious preferences, and so on. This policy requires that we lock away all of these materials so that only authorized parties are able to access them.
Change Management Policy
Change management policies detail the formal process of requesting, deliberating, approving, and scheduling changes to IT systems. This ensures that all changes are documented, in congruence with organizational policies, and that ill-advised changes are unlikely to take place. Granted, this policy does frustrate many individuals due to the inevitable implementation slowdowns it produces, but it should be preferred to wait for positive outcomes versus racing toward negative ones.
Data Retention Policy
Much to an organization’s chagrin, data retention policies require that certain data types be retained for a certain number of years—despite the possibility of the data losing its usefulness, and the lingering fear that buried and incriminating information may one day expose the organization to liability. On the plus side, such policies will help keep organizations on the straight and narrow due to the variety of losses that can be incurred through noncompliance. Retention requirements may include length of time, data accessibility requirements, and methods of archival and destruction. Like most policies, they are subject to the organization’s industry and geographical location.
02-ch02.indd 46
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
47
Disaster Recovery Plan (DRP) Policy
PART I
This important policy documents the recovery methods for various worst-case scenarios, including system, application, and data failures. Although DRPs are generally part of the more critical business continuity plans (BCPs), they aren’t the same thing. Whereas BCPs focus more on grander business survival needs, DRPs fixate on the technological recovery aspects of the organization. It is crucial that management allocates sufficient budget to the needs of the DRP to ensure all documented disaster types have meaningful mitigations in place and are recoverable in the promised timelines. NOTE Disaster recovery is discussed in more detail in Chapter 11.
E-mail Policy
Considering the criticality of e-mail communications, most organizations will need to thoroughly police its usage. E-mail policies help standardize the proper use of e-mail systems, while also raising awareness regarding procedures and guidelines. This policy may contain many requirements for e-mail handling, including the following:
• Creation, reading, downloading, and transmission of messages • SPAM filtering • Attachment handling • Disabling HTML • Malware protection • Combat social engineering • Confidentiality • Privacy • Digital signatures • Encryption • Business versus personal usage TIP It’s great advice to avoid downloading attachments from untrusted sources—however, attackers are more likely to exploit you directly through the e-mail message content. Since most e-mail users have HTML enabled on their e-mail application, attackers will use an HTML-based exploit of inserting malicious scripts and links into the e-mail message. To prevent this, you can disable HTML support in your e-mail application. Granted, your e-mails will no longer enjoy the aesthetic benefits of HTML, but you’ll be much more secure in the long run.
02-ch02.indd 47
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
48
Ethics Policy
This is a human-level policy that mandates the exercise of lawful behaviors, good judgment, professionalism, and fairness to all customers, employees, partners, vendors, and other parties. It seeks to prevent wrongdoing or illegal actions, regardless of whether such negative outcomes were intentional. This policy also promotes an open-door culture for information requests, information sharing, the exercise of due diligence for issues that are real or indeterminate, and accountability for mistakes.
Extranet Policy
Organizations within and across various industries often have a need to connect to each other’s network through the Internet. This policy helps to establish many requirements, including the following:
• Roles and responsibilities • Resources to be protected • Methods of resource protection • Data ownership • Backup and recovery methods • Connectivity methods to be used • Points of contact • Termination of access NOTE Policies can be created either from the top down or from the bottom up. Top-down policies have the advantages of aligning with strategic goals of the organization while also being evangelized by organizational leadership. The disadvantage is that they are sometimes too high level to be of direct use to most in the organization. Bottom-up policies can directly address operational issues but may lack the necessary support from executives to become enforceable.
Firewall Policy
This policy stipulates the recommendations and/or requirements for the usage of hostbased or network-based firewalls throughout an organization. It should indicate who the responsible parties are for firewalls. The responsible party will usually be listed as a job role or job title, as opposed to an individual’s name, to account for employee turnover. It must also specify the rule types that determine which traffic types will be permitted or dropped. It also specifies the procedures for proper management of the firewall, and, if necessary, any provisions for maintenance windows and recovery procedures.
Internet Usage Policy
Considering the Internet is an equally helpful and dangerous asset, it is important for organizations to curtail its usage as needed. This policy defines how the Internet can and cannot be used via company computers and networks, at the company facilities,
02-ch02.indd 48
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
49
PART I
during company time. It explains various scenarios of Internet usage, including e-mail, web browsing, and maybe even social media. Considering how many threats come to fruition as a result of the Internet, extra emphasis must be given to Internet policies, procedures, and awareness to protect the business from malicious software, social engineering, and hackers.
Media Disposal Policy
Since full data or fractions of data (called data remnants) can survive typical drive formatting and file deletions, proper sanitization and disposal techniques are required for discarded media types like hard drives, flash drives, floppies, and optical discs. Notwithstanding the obvious environmental benefits gained from proper disposal, assurances must also be provided that all confidential data has been fully erased from media. NOTE Contrary to popular belief, drive formatting or file deletion doesn’t actually format or delete much of anything. Such tactics typically erase the pointers to data rather than the actual data itself. In general, attackers will be able to reconstruct the pointers to recover the data. There are countless stories of data being recovered from discarded hard drives or flash drives in trash cans.
Media disposal policies will call for various sanitization methods such as hard drive shredding, pulverizing, drilling holes, degaussing, or “zeroing out” to ensure the confidentiality of company data long after the media has been disposed of. The physical media destruction techniques can be particularly expensive; therefore, you should research whether it is more cost-effective to outsource this capability to another provider versus having your own media destruction equipment in-house.
Password Protection Policy
To this day, the most ubiquitous security method for computer systems is the use of passwords. A policy is needed to ensure that all parties, including employees, contractors, and vendors, fully understand the expectations of proper password management for the protection of company assets. Such password policies typically include the following requirements:
• Complex passwords Three or four character sets, including uppercase, lowercase, numbers, and special characters. • Long passwords Typically eight or more characters. • Maximum password age From 30 to 90 days is the average. • Password history Passwords cannot be reused until changed at least three to five times. • Minimum password age A minimum aging requirement helps circumvent password history abuses (in other words, users seeking to change their passwords too frequently to bypass password history requirements).
02-ch02.indd 49
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
50
Physical Security Policy
The one thing that will never change about security is that physical security is the most important type of security. A physical security policy puts into motion the requirements for various physical security countermeasures needed to secure business data, facilities, and people. Many examples of physical security countermeasures include armed and unarmed security guards, locked doors, video surveillance systems, mantrap doors, proximity cards, biometric devices, sign-in sheets, and more. There are also physical security requirements for the protection of your cabling, environmental considerations such as location and protection of HVAC controls, and uninterruptable power supplies and generators to mitigate power failures. You can have all the strong passwords, encryption, firewalls, and ACLs in the world, but if someone walks into a data center, grabs a server, and tosses it into the back of their van, you’ve been compromised. EXAM TIP Considering the criticality of physical security controls, be extra familiar with all of the physical security controls located throughout this book. Pay extra attention to preventative security types since the most important security countermeasures are achieved preventatively.
Remote Access Policy
Today’s workers remotely connect to the corporate network nearly as often as they do locally; therefore, a policy is needed to mandate secure connections regardless of device type or network origin. Remote connections are inherently risky due to the user devices often connecting from an unprotected home or public Wi-Fi network; therefore, assurances must be provided that connections will be secured in all circumstances. The security requirements may include utilizing a VPN connection with SSL/TLS or IPSec-based security, in addition to multifactor authentication. Other requirements may exist that constrain connections based on time of day, connection time limits, idle period limits, and limitations on network segments and servers to be accessed.
Removable Media Policy
External hard drives and, particularly, flash drives have become taboo for many organizations due to the dual threats of malicious content being brought into the organization (ingress) and critical content being unlawfully extracted from the organization (egress). A removable media policy will define permissible media types, what data types (if any) can be placed on them, any encryption requirements, and possible consequences of unauthorized use of such devices. Many organizations will terminate employees on the spot if they’re caught with removable media on company premises.
Social Engineering Awareness Policy
They say that the weakest link in security is the human element. Whereas a computer will generally do what it’s told, with vulnerabilities that disappear as quickly as proper configurations or security patches are put into place, human weaknesses are far better
02-ch02.indd 50
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
51
PART I
understood by attackers and are therefore more difficult to mitigate. Unlike most security threats that are countered by technological, physical, and managerial means, social engineering countermeasures are largely an endeavor of policies, procedures, and awareness. A social engineering policy should go over terminology, common examples, frequent targets, proper responses to social engineering attacks, and ongoing employee training initiatives. NOTE Social engineering follows the adage that the pen is mightier than the sword. Wherever feasible, attackers will look to take advantage of “human hacking” or “no tech hacking,” as opposed to the more difficult path of breaching computer systems. It can take eons to crack long and complex passwords, but mere seconds to extract the password from a user through shoulder surfing or phishing.
Wireless Communication Policy
Virtually all organizations have wireless networks. Corporations are pretty much a given, but also libraries, coffee shops, airports, airplanes, cars, cheap hotels, and even the occasional restaurant or park. The majority of corporate wireless networks are bridged to the corporate wired network and are set up insecurely. This makes them valuable targets since hackers will assume wireless networks to be the weakest link in the chain. Organizations must create wireless security policies that define which personal and/or business mobile devices, if any, are permitted to connect to the organization’s network. Encryption and authentication requirements must also be defined, in addition to the types of corporate content that can be accessed. Finally, the policy must decide whether or not to permit access to the Internet and app stores.
Standards Standards are required elements regarding the implementation of controls or procedures in support of a policy. They are accepted specifications that provide specific details on an objective. Some standards are externally motivated. For example, regulations for healthcare providers and financial institutions require certain security measures be taken by law. Other standards may be set by the organization to meet its own security goals. Due to their ironclad nature, it is important that—like policies—standards be reviewed on an annual or semi-annual basis to ensure ongoing alignment with policy objectives.
Guidelines Guidelines are the opposite of standards in that they specify optional and recommended security controls or processes to be followed. Think of these as good pieces of advice as opposed to orders or requirements. They can provide end users with a generalized reference to security practices, but not go as far as providing specifics into those practices.
02-ch02.indd 51
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
52
Processes Processes are a predictable series of steps needed to achieve an objective. For example, the process of creating a new user account in Microsoft Active Directory requires a few steps. One part of the process is the hiring of a new employee, followed by notifying the appropriate staff member to create the username and set the password, and then communicating the newly created account information to the new hire. Another process will exist to change the user’s password, disable the account, delete the account, or unlock the account. It is important that processes are well-documented and communicated to necessary staff, so that everyone can do their jobs in an efficient manner. Don’t make the mistake of creating processes unofficially and only telling people on a need-to-know basis. Document the process and communicate it to all required staff upfront.
Procedures Procedures are operational-level, step-by-step details on how to achieve specific business processes. Because procedures are close to the specific operations of a business, then even minor changes can affect the efficacy of a procedure. For instance, changing the brand/ make/model or upgrading the software of a firewall can result in a need to change the procedures used to manage the firewall ruleset. The high-level policy associated with what ports are open/closed will remain fine, but the details on how to enact the policy through operational actions may need updating. Procedures are different from processes in that processes explain what needs to be done, whereas procedures explain how to actually do it. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task. NOTE If given the choice, IT and security professionals often neglect to write out procedures due to the disruptive belief that safeguarding knowledge improves job security. It is important for organizations to mandate the creation and dissemination of procedures in order to blast through such collaboration barriers.
Baselines Think of a baseline as a point-in-time measurement of what we agree is the acceptable level of normal performance. This baseline measurement is not necessarily an exact value but rather can be thought of as a “range of normal,” much like a needle on a compass pointing in the general direction of north. Whether that “direction” guides us toward an acceptable level network performance, Internet performance, server performance, employee attrition levels, or a specific level of security, baselines will help us stay on track or will aid us in refocusing our efforts to becoming productive again. In everyday terms, if your baseline body temperature is 98.6 degrees, then any of your measurements in excess of that temperature may indicate that you are trending toward illness. Steps must be taken to return your body temperature to (or around) the 98.6 degree baseline for you to have the best shot at being well again. The best time to
02-ch02.indd 52
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
53
New Business and Environmental Changes
PART I
capture baselines is when technological or security solutions are first implemented. At this stage, the solution is likely in its purest state; therefore, establishing a baseline here will help us to sustain this purified state indefinitely.
A major part of policy and process life cycle management stems from reviews. Policies are living documents that need to be updated as changes to the organization occur. Some of these new business changes include the following:
• Organization acquires an organization. • Organization is acquired by an organization. • Organization merges with an organization. • Organization demerges from an organization. • Organization begins a divestiture. Not only do business changes result in policy changes, but policy changes will also result in process changes. Since processes exist to carry out the requirements of a policy, the organization—and its security practitioners—must weigh the benefits of process modification against the negatives of risks being introduced. Just as proposed policy changes require analysis, so do process changes. New business changes can be thought of in terms of acquisitions, mergers, and the like—yet changes to the environment will take place in the form of new products, technologies, regulatory requirements, and emerging risks. New products like smartphone apps might be added to assist customers with online orders and in-store pick-ups as well as provide support services. New applications come with a few security considerations, including access control, auditing, upgrades, patching, configuration management, training, and documentation. Product changes can be more grandiose, like in the case of Amazon. What began solely as an e-commerce organization has now expanded into separate industries, including brick-and-mortar bookstore locations, self-checkout grocery stores, video streaming, cloud computing, and literally dozens of other products. You can only imagine the scope and impact of security challenges introduced by such scale of change. Regardless of the new business change types, security practitioners must evaluate the risks introduced prior to, during, and after the changes are implemented. They must also document their risk assessments, analysis, and mitigations to control these risks. The documentation will also serve as a knowledge base for lessons learned. Always keep in the back of your mind that policies, laws, and regulations must be considered with respect to business changes.
New Technologies
Since the early 1970s, Gordon Moore, Intel’s co-founder, has relied on his famous “Moore’s Law” to accurately predict that computing power will double roughly every two years. Yet, this progress has become, in some ways, too much of a good thing.
02-ch02.indd 53
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
54
Technology has advanced so vastly, and so quickly, that organizations often fall behind, fail to implement it correctly or fully, or neglect security entirely to expedite implementation. People had just gotten accustomed to mobile and cloud computing; now they have to wrap their heads around artificial intelligence (AI), machine learning, blockchain, Bitcoin, Internet of Things (IoT), wearables, drones, augmented reality, virtual reality, and more. It is the job of IT and security staff to ensure that organizations continue to gravitate toward these technological waves and master them. These organizations are the most likely to achieve their objectives—whereas others who cling to the old ways are headed toward certain doom. After all, nobody thought Blockbuster or Toys “R” Us would disappear. NOTE Smart organizations realize that through need comes invention. Customer demand should play a strong role in determining the technologies implemented by organizations and providers. Whether those customers are management level, staff level, public, or regulatory, we implement technology because others demand it of us. Too often, organizations mistakenly believe that they know what the customers want more than the customers do. Cures generally come after diseases, not the other way around.
New technology brings a wealth of benefits to the organization, and a fair share of risks. Security professionals must sit down with stakeholders to discuss and document the risks brought about by the new technology. You can learn more about technologyspecific risks in the following ways:
• Performing Internet research • Browsing industry magazines • Attending conference events • Contacting vendor support This will also be a good time to review some of the previous policies we listed to ensure congruence between technology, security, and business objectives. If adjustments to the policy are needed, make those changes while also keeping an eye on the new processes that will surely come about. There is much to consider in terms of specific risks and threats. Attackers may try to socially engineer the users in person, through e-mail, over the phone, or via social media to harvest company credentials. Malware may be specifically written for the technology like in the case of the point-of-sales terminal malware used in the Target hack of 2013. If the technology is software-based, attackers may attempt to eavesdrop on any network traffic sent. Data might be inadvertently stored, used, or transmitted, which can cause data leakage. Plus, there are the performance, reliability, and infrastructure integration considerations that can make the technology difficult to use. Employees also have to be trained in the technology, which can be expensive.
02-ch02.indd 54
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
55
PART I
All technologies must balance three competing factors: security, features, and ease of use. Security refers to the relative protections against risk, threats, exploits, vulnerabilities, and exposures. Features refers to the capabilities or functions of the technology. Ease of use refers to how user-friendly and easy the technology is to use. If you draw a triangle, place each of these three factors into their own corner, and place a single dot somewhere within the triangle. You are faced with an obvious dilemma:
• When you move the dot toward security, it moves further away from features and ease of use. • When you move the dot toward features, it moves further away from security and ease of use. • When you move the dot toward ease of use, it moves further away from security and features. As you can see, the dot can only be in one position at a time, and this position reflects the relative balance of security, features, and ease of use. The reality is, technology cannot be outstanding in all three of these areas simultaneously. In the end, we must “rob from Peter to pay Paul.” Understanding the tradeoffs between these three competing areas helps you to have the right expectations about the inevitable strengths and weaknesses of a piece of technology. You will need to evaluate the technologies through the lens of risk assessment, analysis, and mitigation to ensure you maintain a proper risk profile.
Regulatory Requirements
Organizations have to comply with various laws and regulations from the local, state, and federal government. As described at length in Chapter 1, many popular laws and regulations can apply to an organization, including HIPAA, PCI DSS, SOX, FISMA, GLBA, and so forth. Although NIST special publications are required with government and military organizations, they are often adopted voluntarily by corporations. ISO standards are voluntary rather than mandatory, yet are implemented all over the world for security’s sake, as well as to distinguish organizations from the competition. PCI DSS was created by credit card organizations and is therefore not actually a law. Despite this, certain states will treat PCI DSS as law, so you may have to personally investigate whether or not your state treats it as law. To get a head start on learning more about the regulations that affect your organization, consider your organization’s industry, country, state, size, and partnerships, as well as whether it’s publicly or privately held. Seek assistance from HR, internal or external legal entities, or management to learn about the precise laws and regulations that apply to your organization. The survival of the organization and the avoidance of fines (and possibly a stint in jail) depend on it. NOTE Regulatory requirements have been discussed at length in Chapter 1.
02-ch02.indd 55
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
56
Emerging Risks
As customer demands, technologies, and hackers continue to unfold, so too has the emergence of new risks. Historically, risks have followed a bit of a pattern. In the beginning, risks primarily centered around the physical—doors, locks, surveillance, security guards, and so on. As our isolated organizations began internetworking with other organizations, risks were extended from the facility’s boundary to the network perimeter boundary. Such risks were met with perimeter security controls for our firewalls, routers, VPNs, DNS, and proxy servers—among others. Then it occurred to us that many attackers are already inside the organization, hence the proliferation of internal security controls like packet sniffers, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), security information and event management (SIEM) products, and multifactor authentication. The present-day security landscape is, in a word, awesome—for the hacker community, that is. Attackers are now utilizing a new generation of AI to collect vast stores of information about their targets that can influence and automate the payloads of their attacking tools. For example, if the attacker is targeting passwords of an American organization headquartered in Seattle, the attacking tool could factor in the organization’s region, industry, language, demographics, cultural considerations, products, and more, to influence password guesses. Utilizing such intelligence, the password-cracking rules would automatically disqualify huge portions of password possibilities. This will greatly improve the efficacy of password attacks. We, too, will need to add AI-based security tools to our security portfolio to offset the risk of AI-based attacks. Malware has been all over the mainstream media recently. Today’s malware frequently resorts to encrypting the victim’s files, and demanding credit card or bitcoin payment, like in the case of the WannaCry crypto-malware. This kind of malware is also known as ransomware since it holds your files for ransom. Plus, malware has become smart enough to know when it’s being sandboxed inside of a virtual machine. This has resulted in the malware escaping from the virtual machines and attacking the hypervisors and host operating systems. Not only do we need to continue using antimalware software, but also supplementary controls like patching, next-generation firewalls, IDS, IPS, hardware security modules (HSMs), digitally signed applications, hypervisor-level firewalls, the principle of least privilege, restricted user accounts, security baselines, and much more. NOTE To anyone who says common sense by itself is the only malware protection you’ll ever need, keep in mind that over 300 million new pieces of malware are created every year. Furthermore, Symantec was quoted in 2014 as saying that only 45 percent of viruses are detectable with antivirus tools. Symantec’s suggestion was to utilize multiple security solutions to attack malware from several angles.
Upwards of 30–50 billion IoT devices are expected to be connected to the Internet by 2020. These devices will include wearables, communication platforms like the Amazon Echo, security systems, sensors, lighting, temperature controls, appliances, door locks,
02-ch02.indd 56
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
57
PART I
cars, and countless more. The scary part is most of these devices will have little to no security features built in or set up by default. Then there’s the fact that our devices often have built-in cameras, microphones, hard drives, and Internet connections; therefore, they’re in prime position to perform surveillance on us, while collecting and sharing our data with third parties. The onus is on us to create and disseminate IoT policies, securely configure these devices to the extent possible, isolate them, and educate users about effective usage. Be sure to contact IoT vendors for official recommendations on implementation and use. We must also learn what data collection and sharing methods are being utilized by these devices and, if possible, disable such features. Such data collection can violate organizational security policies, which in turn can be extended to violations of laws and regulations. Something that should scare everybody is the rise of state-sponsored hacking, also known as military or government-sponsored hacking. Given our global dependency on technology—not to mention technology’s increasing role on warfare—nations are leveraging their respective militaries to perform various espionage and hacking attacks against other nations, and sometimes against their very own people. Such cyberwarfare is repeatedly demonstrated by the superpower nations, regardless of whether or not the target is considered an ally. Although not always related to state-sponsored hacking, there are lethal hacker groups all over the world, including Anonymous, APT28, Dragonfly, and Morpho. Some of these groups are global; others are localized to a particular region. The most famous of these, at least to the American population, is the Anonymous group. Although hackers don’t always spell out their intentions, their social media accounts sometimes include warnings and plans against their targets. For example, Lizard Squad warned Sony and Microsoft about their plans to attack their gaming networks—and shortly after, they did. Sometimes these hacker groups attack a target “just because,” and other times there are deeply rooted reasons. As a result, it’s important to do research on what the popular hacker groups are saying on social media to help anticipate and protect yourself, and others, from any forecasted attacks. TIP Be sure to research the latest IT security trends. For example, your Internet query could say “IT Security Trends 2019”. After reviewing multiple research sites, you’ll notice a lot of repeats. This reproduction of security trend data is a strong sign of its credibility. Gartner, CSO Online, and PCMag all put out great security trend reports for your perusal.
The moral of the story is to do research on the emerging risk so you can develop policies, procedures, guidelines, and awareness on how to combat such risks and threats. Patch management continues to be a vital tool for the security of an organization due to hackers often looking to exploit specific hardware or software vulnerabilities. Above all, train your users and raise awareness about the current security climate. Although human beings are often considered the weakest link in security, we can greatly minimize that weakness and even turn it into a much-needed strength.
02-ch02.indd 57
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
58
Support Legal Compliance and Advocacy by Partnering with HR, Legal, Management, and Other Entities
Policies and procedures govern the operation of the business and are in response to a set of requirements developed from both internal and external requirements. External requirements may come from laws and regulations, contractual terms such as PCI DSS, or customer specifications. Many times, the best expert with respect to a specific requirement may come from an ancillary department such as legal, HR, or marketing. Building relationships and utilizing the breadth of expertise in an organization can be of tremendous value when addressing security requirements.
Understand Common Business Documents to Support Security
Business operations involve actions between many different parties—some within an organization, and some in different organizations. These actions require communication between the parties, defining the responsibilities and expectations of the parties and the business objectives, and the environment within which the objectives will be pursued. To ensure an agreement is understood between the parties, written agreements are used. Numerous forms of legal agreements and contracts are used in business. This section covers several business documents that slant toward IT and security requirements.
Risk Assessment A risk assessment is a documented process of determining the prioritization of responses to threats. Because resources are limited with respect to the opportunities to apply security controls, prioritization based on risk reduction ensures the best result for a given level of expenditure. For example, a risk assessment document might include assets such as company vehicles, campuses, information, and people. Other aspects of the document might include columns containing threats, vulnerabilities, risk status, risk impact, and risk mitigations.
Business Impact Analysis (BIA) Frequently, you’ll see a business impact analysis conducted as part of a broader business continuity plan. BIAs document the various risks to an organization and the resulting impact from disasters should those risks come to fruition. By understanding all of the worst-case scenario costs, businesses can prioritize the order and timeline of critical business functions that require restoration.
02-ch02.indd 58
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
59
PART I
EXAM TIP BIAs must promise the recovery of critical services within expected timelines. The most critical services might require recovery within a few hours; the next level of services within one or two days; and the remaining services within a week. If the core business functions aren’t operational within a promised timeline, the organization might suffer irreparable harm. Lawsuits may soon follow due to breach of contracts.
Interoperability Agreement (IA) Interoperability agreements are a broad category of agreements that include data, technology, and communication sharing requirements between two or more organizations. Some examples of these agreements include the following:
• Interconnection security agreement • Memorandum of understanding • Service level agreement • Business partnership agreement
Interconnection Security Agreement (ISA)
An interconnection security agreement is a specialized agreement between organizations that have connected IT systems to document the security requirements associated with the interconnection. An ISA can be a part of an MOU detailing the specific technical security aspects of a data interconnection.
Memorandum of Understanding (MOU)
A memorandum of understanding (MOU) is a legal document used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal. It is more formal and detailed than a simple handshake, but it generally lacks the binding powers of a contract. It is also common to find MOUs between different units within an organization to detail expectations associated with the common business interest.
Service Level Agreement (SLA)
A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. These specifications should include expected response times to customer service escalations via phone or e-mail, downtime recovery expectations, and so forth. They should also include compensation requirements should service levels dip below the promised amounts.
02-ch02.indd 59
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
60
EXAM TIP Although SLAs are typically formal agreements between organizations, they can also be informal handshakes between internal IT departments and other business units. It is wise to assume that there is always an SLA between service providers and service consumers.
Business Partnership Agreement (BPA)
A business partnership agreement is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues. A uniform partnership act (UPA), established by state law and convention, lays out a uniform set of rules associated with partnerships to resolve any partnership terms. The terms in a UPA are designed as “one size fits all” and are not typically in the best interest of any specific partnership, so it is best to have specifics worked out in a BPA.
Operating Level Agreement (OLA) An operating level agreement (OLA) is an internal document that defines the relationships between internal parties to support business activities. Frequently used in combination with SLAs, OLAs define the expectations inside a business to support the overall business goals established in the SLA.
Nondisclosure Agreement (NDA) A nondisclosure agreement (NDA) is an agreement between parties defining and establishing the rules for which information can be shared. There are times when information needs to be shared between parties for a specific purpose, but where further dissemination or sharing is not desired. The parties involved can draft an NDA, detailing the information to be shared and the rights and responsibilities of all parties with respect to use of the information. Frequently these documents allow information to be shared with one of the parties, but further sharing, release, or even additional use by the party is restricted. Executed as contracts, these documents can be legally enforced, with penalties for disclosures, including damages.
Master Service Agreement (MSA) As relationships between multiple organizations evolve in length and complexity, additional agreements are likely to be created. Future agreements run the risk of containing redundancies from previous agreements—which may slow down the agreement process— or produce contradictions and confusion. Rather than solve the issue reactively, we can proactively create an all-encompassing master service agreement to serve as the building block for future agreements, transactions, and business documents. This is important for organizations that anticipate having lengthy relationships with other businesses.
02-ch02.indd 60
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
61
Despite the normalcy of businesses signing contracts with vendors, today’s security climate heightens the need for security requirements to be integrated not only into product negotiations but also in the drafting of the contracts. There’s a right and a wrong way to request information on product offerings, specifications, and pricing—in addition to knowing how to bake security requirements into contracts. Failure to observe negotiation etiquette and formalities may result in not only time wasted but also the signing of bad contracts, unnecessary security risks and gaps, and a poor relationship with the vendor. Check with legal counsel to learn the particulars of security requirements and contracts to ensure organizational and regulatory requirements are met. Request for Proposal (RFP), Request for Quote (RFQ), and Request for Information (RFI) are three basic contract documents used in the procurement process that we are concerned with in terms of product negotiations and security requirements.
PART I
Research Security Requirements for Contracts
EXAM TIP It is important to understand, but not be overly concerned with, the differences between an RFI, RFQ, and RFP.
Request for Proposal (RFP) The RFP can be a lengthy document that takes considerable time to complete. The RFP accomplishes several goals, including informing potential vendors of a product or service that is being sought, providing specific details on what it is that the organization wishes to purchase, and providing a basis from which to evaluate interested vendors. For IT products and services, the requirements should also include specifications for expected security features that may include the following (items might not be applicable in all situations):
• The need for personnel to have a background investigation or security clearance • Specific training or certification requirements for personnel • Regulations or standards that must be adhered to • Security tests or assessments that must be completed on products or networks • Specific firewall, router, or intrusion detection settings or reviews • Physical security checks • Software security checks • Threat modeling requirements • Security policy reviews • Expected best practices
02-ch02.indd 61
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
62
Request for Quote (RFQ) The RFQ may be used to further restrict the list of companies that will receive the full request by asking for price ranges for services or products. The RFQ may also be rolled into the full Request for Proposal.
Request for Information (RFI) The RFI is issued by organizations seeking information regarding specific products or services in the marketplace that could be used to fill a specific need. It is often a short document and is sometimes used as a “pre-qualifier” to determine who to send follow-up requests to.
Understand General Privacy Principles for Sensitive Information
Personally identifiable information (PII) is information collected by a business for the purpose of identifying a person. Because of the rise of identity theft as a major criminal enterprise, PII has value to identity thieves. An organization has security controls to protect its data from unauthorized use and disclosure. Once an organization gathers PII, it becomes sensitive data that requires appropriate protection. The first step is to define the requirements for protection, and in the case of PII, these requirements are part of the organization’s privacy policy. Privacy is defined as the desire to control the use of one’s personal data. With respect to personal data, the organization’s privacy policy sets the terms and conditions that one should expect concerning protection of their personal data. By establishing and publishing the requirements associated with PII, an organization can ensure that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures. The components of a privacy policy can vary by organization, but some common components include the following:
• Clearly designate the elements of PII that are being collected and those that are stored. • Clearly state what the PII will be used for, including any transfer to third parties. • Designate security provisions and storage time for stored PII. EXAM TIP PII becomes information that requires security once an organization accepts it for use or storage. The same principles used for data security, including elements such as data minimization, can be used to protect PII.
Many of an organization’s privacy requirements will stem from laws and regulations. In Chapter 1, we talked about many laws and regulations that include privacy
02-ch02.indd 62
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
63
• HIPAA Healthcare law, including security and privacy requirements • GLBA Financial law, including privacy requirements • FISMA Government/military law, including privacy requirements • PCI DSS Not required by federal law but may be indirectly treated as law in some states • EU Directive 2002/58/EC and Directive 2009/136/EC EU legal requirements aimed at ISPs and telecommunication companies • GDPR EU law affecting many EU and potentially non-EU nations, for the privacy protections of people and businesses
PART I
requirements; therefore, we will not go over them at length again. However, here is a brief reminder:
Since organizations must incorporate some of these laws into their privacy policies, such policies will incorporate much of the “legalese” into their documentation. Many of the privacy principles inherent in policies are for the protection of an individual’s PII. An effective way to get started with the management of PII is to conduct a privacy impact analysis (PIA), which is a structured framework used to determine the level of risk associated with the collection, handling, and storage of PII. The PIA is used to evaluate privacy risks so that they can be compared to business risks and allow appropriate decisions to be made. The PIA does not change the process associated with protecting PII; it only defines a method of determining accountability and compliance levels with respect to security requirements defined for PII. In Chapter 1, we briefly highlighted the General Data Protection Regulation (GDPR) law. This legislation is, perhaps, the most significant privacy law of its kind in decades. Drafted in the European Union (EU) in April 2016 and fully implemented as of May 2018, it promises to unify the data privacy laws for the EU, while also simplifying the rules for people and organizations. It also promises to impose stiff penalties for noncompliance. It applies to all forms of personally identifiable information, including names, financial details, e-mail addresses, social media content, medical information, location data, IP addresses, and much more.
Support the Development of Policies Containing Standard Security Practices
Policies are developed in response to a perceived need of guidance due to some driving force. This driving force can be in the form of requirements, from either an internal or external source. The driving force can come from senior management in an effort to communicate corporate goals and objectives. For many policies, such as the security policy, this is important because buy-in by senior management is essential. For other policies, such as a remote access policy, the source may be the security department because the required level of technical will not be readily available from senior executives.
02-ch02.indd 63
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
64
The challenge for policies drafted from the bottom up is to get senior management buy-in. When the wording of a policy is presented in a form that makes sense in business terms, is clearly aligned with the organization’s overall goals and objectives, and can be seen to specifically support these goals and objectives, the policy is a better candidate for senior executive buy-in. Since policies—and their subsequent glories—ultimately stem from executives, so can liabilities. When policies, or even laws and regulations are violated, executives may also share culpability with the original offender individual. Although executives may not have explicitly done something wrong, they may have failed to effectively enforce the policies. Executives must exercise a certain degree of due care and due diligence in order to offset their liability with someone else’s policy violation.
Prudent Person Principle
The concepts of due care and due diligence are connected. Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. The standard applied is one of a “prudent person.” Would a prudent person find the actions appropriate and sincere? To apply this standard, all one has to do is ask the following question for the issue under consideration: “What would a prudent person do to protect and ensure that the security features and procedures are working or adequate?” Failure of a security feature or procedure doesn’t necessarily mean the person acted imprudently. It is clear that senior management plays a stronger role in the drafting of security policies than just giving their approval. In addition to the enforcement, testing, and auditing requirements, there are certain security practices that should be baked into organizational policies. What follows are several of the most important standard security practices.
Separation of Duties Separation of duties is a tried-and-true method of handling sensitive or high-value transactions. The basic principle is that for any high-value or sensitive transaction, a minimum of two personnel are required to perform the function. Put another way, if the intentions of the personnel are negative, the two-person requirement would serve as a form of collusion to achieve a nefarious end. Additionally, these transactions need to be designed so that a single party or group cannot both approve and execute the transaction, thus forcing a form of checks and balances.
Job Rotation Job rotation policies can serve a number of useful functions. Cross-training, a requirement before shifting jobs, provides a risk-reducing cushion in the form of a bettertrained staff. This periodic movement of employees from one job to another can assist
02-ch02.indd 64
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
65
PART I
in reducing boredom and burnout, as well as reducing risk due to employee fraud. In small organizations, where many jobs are covered by a single person, job rotation provides additional qualified personnel for periods of vacation and illness. Nobody wants to be contacted during vacation because the staff members back at the office are unfamiliar with vital procedures.
Mandatory Vacation Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don’t want to. At some companies, employees are given the choice to either “use or lose” their vacation time. From a security standpoint, an employee who never takes time off increases the potential risk associated with their job. The employee might be involved in nefarious activities, such as fraud or embezzlement, and might be afraid that if they leave on vacation, the organization will discover their illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can help expose malicious activities. In the financial world, among banks and other financial organizations, not only are mandatory vacations required, but minimum lengths are set to ensure other employees have to take over critical actions.
Least Privilege Two common security principles are that of “need to know” and “least privilege.” The guiding factor here is that each individual in the organization is supplied with only the absolute minimum amount of information and privileges needed to perform their work tasks. To obtain access to any piece of information, the individual must have a justified need to know. Least privilege means the individual will be granted only the bare minimum amount of privilege necessary to perform their job. A policy spelling out these two principles as guiding philosophies for the organization should be created. The policy should also address who in the organization can grant access to information or assign privileges to employees. TIP Personnel who require root- or administrator-level permission for specific job functions should not log in directly using these special accounts. Users should log in with their normal credentials and use tools such as sudo or Run as Administrator to accomplish the specific functions requiring higher access. This reduces risk through accidents and enables clear logging and tracking of activity by user.
Incident Response Incident response is a team-led activity of preventing, detecting, and responding to security breaches. The key aspects are detection and response. It requires significant advance planning for successful execution. This is a complex event that requires coordination between multiple work entities, which makes it an ideal candidate to establish and communicate expectations via a policy such as an incident response policy. The policy defining
02-ch02.indd 65
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
66
roles and responsibilities for incident response will establish the governing authority for management to use resources appropriately. The policy should establish responsibilities for incident response team formation, activities, and reporting. The policy should establish responsibility for the development of incident response plans. This is a technically driven policy, but one that ultimately can touch every aspect of an organization and, as such, requires strong senior management support and backing.
Forensic Tasks Digital forensics is a task involving the collection and perseverance of digital evidence. It is highly dependent on exacting steps that need to be performed before data can be damaged or destroyed. This requires significant coordination across business units, requiring the roles and responsibilities to be detailed in a policy statement. In the case of an e-discovery case, the notice that data needs to be preserved will first appear to the general counsel office. From there, many departments can potentially become involved, including legal, IT, networking, and assorted business units, depending on the nature of the request. To ensure that the enterprise can react in a coordinated and appropriate manner requires extensive coordination between multiple parties. These coordination requirements can be presented in the policy, engaging the management of the separate elements to work together and improve the organization’s response.
Employment and Termination Procedures The people inside the building present the greatest security risk to the organization. With, essentially, unlimited access to organizational assets, employees are in prime position to do damage. To combat this, organizations must take precautions at all stages of the recruiting and hiring processes, including the following:
• Careful crafting of job descriptions on the Internet and with recruiting agencies • Thorough interviewing • Conducting employee background checks, calling references, checking credit history, and testing for drugs • Employee training • An onboarding process that includes reading, understanding, consenting to, and signing security policies • Mandating the wearing of ID badges at all times • Restricting access to all areas not explicitly required by employees • Implementing separation of duties to limit privileges • A security offboarding process that includes an exit interview, the turning over of all company materials, the disabling of all accounts, the signing of a nondisclosure agreement, and, if necessary, secure escort off the premises
02-ch02.indd 66
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
67
PART I
CAUTION It is important to have the appropriate expectations with regard to policy outcomes. Despite perfect execution of policies, bad stuff can and will likely happen anyway; therefore, don’t make false promises. Our job is to minimize risks to organizations.
Continuous Monitoring Continuous monitoring in any system takes place after initial system security implementation. It involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls. Continuous monitoring reduces the latency between system changes and security changes to a minimal period. This requires greater intervention on the part of security professionals, but is built around the idea of a bunch of small changes rather than major implementations described by the certification and accreditation process. The true goal of continuous monitoring is the maintenance of an ongoing understanding of the exact security posture of the organization. Continuous monitoring requires a significant level of automation to facilitate the level of monitoring and decision making required to keep abreast of the myriad changes a system faces in use. As the threat environment changes, this can lead to security changes. As the system is adapted through minor changes or interconnected to other systems, system-level interactions can result in security changes. To manually subject a system to complete reviews through a certification and accreditation process is neither feasible nor desirable. The business requirement is to maintain levels of risk commensurate with the reward associated to the system, and this business decision requires analysis of how a system stands as it is being operated, not just at static intervals. Automation of elements such as log collection and analysis, patch and antivirus updating, user auditing, and threat monitoring can assist security personnel in deploying their resources where they can best influence the required level of change necessary to keep risk at a responsible and acceptable level. Additional information can be found on NIST’s website. The continuous monitoring process involves the following three activities:
• Configuration management and control • Documentation of information system changes • Security impact analysis • Security control monitoring and impact analysis of changes to the information system • Security control selection • Selected security control assessment • Status reporting and documentation • System security plan update • Plan of action and milestones update • Status reporting
02-ch02.indd 67
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
68
The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred in the information system will negatively impact the system security.
Ongoing Security Security is not a destination, but a manner of travel. In this regard, what becomes important is the sets of activities employed to achieve continuous security-monitoring solutions. Because the system will change with new technologies, and the threat environment changes due to the shifting nature of adversaries, it is important to have a coordinated effort that can move protection priorities in response to the shifting threat landscape and requirements. These activities can be coordinated and communicated with respect to roles and responsibilities in the form of a corporate policy for ongoing security operations.
Training and Awareness for Users Users can represent both a strength and a weakness for a system’s security. One of the strongest tools to improve the security posture of users is a robust security awareness program. Training and awareness of phishing, attacks, and consequences to the enterprise can enable users to become a useful security advantage. Establishing the training and awareness program via policy, and initiated at the time of employee hiring, will assist in communicating the business value to all concerned. EXAM TIP Periodic refresher training is important, too. Many government organizations have created security awareness posters to constantly remind individuals of social engineering as a possible avenue of attack. Security newsletters, often in the form of e-mail, have also been used to remind employees of their security responsibilities.
An important element that should be stressed in training about social engineering is the type of information that the organization considers sensitive and that may be the target of a social engineering attack. There are signs that the organization could point to as indicative of an attacker attempting to gain access to sensitive corporate information. All employees should be aware of these indicators because they are the first line of defense. The scope of information that an attacker may ask for is very large, and many questions attackers pose might also be legitimate in another context (asking for the phone number of an employee, for example). Employees should be taught to be cautious about revealing personal information and should especially be alert for questions regarding account information, personally identifiable information, and passwords.
Auditing Requirements and Frequency Security is accomplished by designing control systems and implementing these systems as part of ongoing operations. Although this looks great conceptually, there are numerous opportunities for this system to fail to provide the desired level of protection. An internal audit functions as a set of checks and balances to ensure that the desired level of security
02-ch02.indd 68
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
69
PART I
control is actually present and functioning as designed. What systems need to be audited, how often, how are results handled? These are all simple questions with complex answers that cut across multiple business lines. An internal audit policy can communicate to all participants what the required expectations are and what responsibilities are assigned to which entities. This is the place to provide detailed references back to all applicable laws, regulations, and any other higher-level security requirements by which the organization may be audited for compliance. In addition, this is where the organization should set its own auditing requirements and the frequency with which it will perform self-assessments or have external audits. Because the security environment is ever-changing, a robust audit process can be used to ensure that the security responses are aligned with the shifting threat environment.
Information Classification Important to many corporations, governments, and militaries is the need to formally classify information. Classifications are specialized security labels placed on assets like files and folders to indicate their value and sensitivity. Understanding the criticality and sensitivity of our data allows us to assign the appropriate security controls to that data— chiefly in the areas of access control, auditing, data retention, archival, and data destruction. More critical and sensitive materials will require more rigorous security controls. Government and military environments are strictly regulated in their usage of classifications. This ensures that all the different branches of government, government agencies, and the military can agree on what they mean by the word “Classified.” For legal, documentation, process, and communication purposes, the following classification structure is frequently used by the U.S. government: 1. Top Secret 2. Secret 3. Confidential 4. Public Trust (sensitive material but unclassified) 5. Unclassified (Not sensitive material and unclassified) NOTE Any classifications equal or above Confidential are collectively considered “Classified.” For example, if someone does not have clearance to access Top Secret, Secret, or Confidential materials, they will be told, “You cannot access those materials because they are classified.”
The classifications given to files are based on the relative dangers presented to national security if materials are unlawfully accessed, disclosed, modified, stolen, lost, or damaged. If Top Secret materials are compromised, this could cause “exceptionally grave damage to national security.” If Secret materials are compromised, this could cause “serious damage to national security.” The danger to national security is proportionally decreased as you progress backward through the remaining classifications, like Confidential, Public Trust, and Unclassified.
02-ch02.indd 69
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
70
Businesses unrelated to government and military have more freedom with regard to file classifications. You’ll frequently see variations of classifications (listed from the highest to lowest levels) like Confidential, Private, Sensitive, and Public. Other than their naming differences, the purposes behind these file classifications are the same as the ones listed earlier for the government and military.
Chapter Review
In a nutshell, this chapter provided a comparison and contrasting of security policies, privacy policies, and procedures based on organizational requirements. Organizations are always being battered about the ocean of change with many ups and downs to disrupt their risk profile. Security professionals must proactively head off the risks introduced by changes, as per the requirements of security policies. We started from the beginning by going over policy and process life cycle management concepts, which included extensive coverage of a few dozen security policies. With organizational changes so frequent, policies serve as a rulebook to help guide our security efforts during times of change and uncertainty. Such changes will involve new business opportunities, technologies, environmental changes, regulatory requirements, and emerging risks. Once these changes have been properly weighed and measured, as per security policy requirements, we then provided coverage on the supporting of legal compliance and advocacy by partnering with human resources, legal, management, and other entities. Top-down policy management is the best route to go since alignment of business objectives, and security objectives, can be evangelized by both a common set of decision makers and a unified language and communication style. When business goals and security goals are joined at the hip, organizations are more likely to succeed. We then discussed common business documents to support security, including risk assessments, business impact analysis, interoperability agreements, interconnection security agreements, memorandums of understanding, service level agreements, operating level agreements, nondisclosure agreements, business partnership agreements, and master service agreements. The key to these documents is ensuring that your organization (consumer) and third parties (provider) fully understand and agree on their respective roles and responsibilities to one another. Each side must put certain promises in writing; define leadership, communication practices, and contact information; and communicate requirements during failures, security responsibilities, contingency plans during failures, ownership of processes and procedures, and termination requirements. Each of these documents also plays a critical role in documenting, establishing, and implementing various security requirements for both the local and other organizations. Speaking of other organizations, we also covered the researching of security requirements for contracts, including Request for Proposal, Request for Quote, and Request for Information. When negotiating with other organizations regarding product availability, product features, and product pricing, not only do you need to know what you’re talking about, but you have to “play the game” when it comes to formal documentation and negotiation tactics.
02-ch02.indd 70
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
71
PART I
We touched on privacy policy requirements, including documentation efforts and the collection and sharing requirements of personally identifiable information. Since privacy policies are written in large part for the identification and protection of PII, it is important that everyone agrees on what PII is, and the unique risk and threats to it, so that people have a better understanding of, and sense of urgency for, how to safeguard it from unauthorized access or disclosure. The final section of the chapter focused on supporting the development of policies containing standard security practices, including separation of duties, job rotation, mandatory vacation, least privilege, incident response, forensic tasks, employment and termination procedures, continuous monitoring, training and awareness for users, auditing requirements and frequency, and, finally, information classification. Many of those policy requirements help to prevent security breaches by limiting the privileges of individuals, in addition to exposing nefarious activities through forced vacations and job rotations. A big part of security policy requirements is the logging or auditing of human activities as well as determining the appropriate accountability for the actions taken in those logs. Although not as important as the prevention of breaches, the detection of breaches is still a very important security goal because you cannot prevent all breaches. Chapter 3 covers risk mitigation strategies and controls. This is an important transition from the previous chapters because they largely focus on the managerial and documentation requirements that vaguely say we need to implement security controls. The topics of Chapter 3 put us on a path to the actual implementation of those required security controls to protect our assets.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Policy and Process Life Cycle Management • Organizations are forced to evolve on operational, tactical, and strategic levels due to various internal and exchange changes. • Security policies are documents that provide the foundation for organizational security goals. • Policies created by organizations are a reflection of the external laws and regulations that apply to the organization. • Policy life cycle management involves the creation, usage, and retirement of policies. • Perform a risk assessment to identify risks to organizational assets. • Utilize policy templates to guide policy creation. • Seek policy input from executives and other stakeholders. • Establish penalties for policy violations. • Publish the policy to all employees in the organization.
02-ch02.indd 71
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
72
• Ensure staff members read, understand, and sign the policy. • Utilize technology to enforce policies whenever possible. • Educate staff about the policy contents. • Schedule reviews for the policy on an annual or semi-annual basis. • Retire the policy when it’s no longer applicable. • Organizational policies focus on matters that relate to all aspects of an organization. • System-specific policies focus on specific computers or network systems, and the necessary security controls that protect them. • Issue-specific policies focus only on specific organizational issues such as department issues, business products, processes, and others. • Regulatory policies ensure that organizations are following the legal requirements of a compliance law. • Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. • Informative policies are gentle recommendations or reminders for employees to consider. • Standards are required elements regarding the implementation of controls or procedures in support of a policy. • Guidelines specify optional and recommended security controls or processes to be followed. • Processes are a predictable series of steps needed to achieve an objective. • Procedures are operational-level, step-by-step details on how to achieve specific business processes. • Baselines are a point-in-time measurement of what we agree is the acceptable level of normal performance. • Policies need to be consulted and periodically revised due to changes to the business, including new business, technologies, environmental changes, regulatory requirements, and emerging risks.
Support Legal Compliance and Advocacy by Partnering with Human Resources, Legal, Management, and Other Entities • Policies are often driven by a combination of internal and external requirements. • The security requirements of policies are often best described by other departments within your organization, including human resources, legal, management, or others. • Relationships with other business units, and utilization of their skill sets, are vital to the success of an organization’s security program.
02-ch02.indd 72
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
73
Understand Common Business Documents to Support Security PART I
• Business operations involve actions between many different parties. • Numerous forms of legal agreements and contracts are used in business. • Risk assessments are a documented process of determining the prioritization of responses to threats. • Business impact analysis documents the various risks to an organization and the resulting impact from disasters should those risks come to fruition. • Interoperability agreements are a broad category of agreements that include data, technology, and communication sharing requirements between two or more organizations. • Interconnection security agreements are specialized agreements between organizations that have connected IT systems to document the security requirements associated with the interconnection. • Memorandums of understanding are legal documents used to describe a bilateral agreement between parties. • Service level agreements are negotiated agreements between parties detailing the expectations between a customer and a service provider. • Operating level agreements are internal documents that define the relationships between internal parties to support business activities. • Nondisclosure agreements are agreements between parties defining and establishing the rules for which information can be shared. • Business partnership agreements are a type of legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. • Master service agreements are all-encompassing agreements between multiple organizations that serve as the building blocks for future agreements, transactions, and business documents.
Research Security Requirements for Contracts • A business partnership agreement is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. • Contract signings with other businesses require formal documentation requests and security requirements to be baked into the contracts. • Request for Proposals accomplish several goals, including informing potential vendors of a product or service that is being sought, providing specific details on what it is that the organization wishes to purchase, and providing a basis from which to evaluate interested vendors.
02-ch02.indd 73
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
74
• A Request for Quote may be used to further restrict the list of companies that will receive the full request by asking for price ranges for services or products. • Requests for Information are issued by organizations seeking information regarding specific products or services in the marketplace that could be used to fill a specific need.
Understand General Privacy Principles for Sensitive Information • Personally identifiable information is information collected by a business for the purpose of identifying a person. • Once an organization gathers PII, it becomes sensitive data that requires appropriate protection. • Privacy is the desire to control the use of one’s personal data. • Establishing and publishing the requirements associated with PII allows an organization to ensure that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures. • Organizations must clearly designate the elements of PII that are being collected and those that are stored. • Organizations must clearly state what the PII will be used for, including any transfer to third parties. • Organizations must designate security provisions and storage time for stored PII.
Support the Development of Policies Containing Standard Security Practices • Policies are developed in response to internal and external requirements. • Policies are best created and implemented with top-down support. • Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. • Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. • Separation of duties requires multiple individuals to work together to complete a single function. • Job rotation provides cross-training benefits in addition to reducing employee fraud. • Mandatory vacations force employees to take time off in order to possibly expose malicious activities that can only be concealed while employees are actively working. • Least privilege ensures that each individual in the organization is supplied with only the absolute minimum amount of information and privileges needed to perform their work tasks.
02-ch02.indd 74
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
75
PART I
• Incident response is a team-led activity of preventing, detecting, and responding to security breaches. • Forensic tasks involve the collection and perseverance of digital evidence. • Employment and termination procedures require organizations to take precautions at all stages of the recruiting and hiring processes to ensure that the best people are selected to work for the organization. • Continuous monitoring involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls. • Ongoing security is a coordinated effort that can move protection priorities in response to the shifting threat landscape and requirements. • User training and awareness ensure employees understand what security expectations are placed on them so that they can better protect the organizational assets and business objectives of the company. • Auditing requirements and frequency function as a set of checks and balances to measure that the desired level of security control is actually present and functioning as designed. • Information classification is a specialized security label placed on assets like files and folders to indicate their criticality and sensitivity to an organization.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Establishing security controls that require multiple employees to complete a task is an example of what? A. Mandatory vacations policy B. Least privilege C. Separation of duties D. Job rotation
2. Senior management has decided to restrict access to social media sites such as Facebook and Twitter. To accomplish this, administrators will perform which of the following security practices on users? A. Least privilege B. Defense in depth C. Separation of duties D. PII restrictions
02-ch02.indd 75
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
76
3. To ensure proper privacy protections are in place in an organization, which of the following business documents are used? A. BPA B. NDA C. ISA D. PIA
4. To ensure that business processes are not dependent on single employees, senior management has decreed that for designated sensitive positions, people must change jobs every six months. This is an example of what? A. Separation of duties B. Principle of least privilege C. Performing a PIA D. Job rotation
5. Which of the following security principles can management implement to communicate high-level goals and objectives to the workforce? A. Standards B. Guidelines C. Policies D. NDA
6. Two parties need to document an agreement associated with pursuing a common action. Which document would they use? A. SLA B. BPA C. NDA D. MOU
7. A new piece of equipment is placed into production to improve security during the communication of orders between internal organizations. Which of the following documents would need updating? A. Procedures B. ISA C. NDA D. MOU
02-ch02.indd 76
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
77
A. Access control policy B. Clean desk policy
PART I
8. Which of the following security policies is most appropriate for requiring that all sensitive paperwork be kept out of plain sight at your work area?
C. Physical security policy D. Removable media policy
9. True or false? A business impact analysis specifies data, technology, and communication sharing requirements between two or more organizations. A. True B. False
10. When considering the product offerings of a vendor, which of the following requests are you likely to generate first? A. Request for Proposal B. Request for Quote C. Request for Information
11. As the new Chief Privacy Officer, you are tasked with protecting PII. Your first step would be to do what? A. Collect PII securely. B. Store PII securely. C. Perform a PIA. D. Create a privacy policy.
12. As the head of the database group, you have a responsibility to provide data for enterprise applications. To meet overall SLAs, your group must provide services that are in alignment with them. To communicate these requirements, what would be the best vehicle? A. OLA B. Subordinate SLA C. MOU D. BPA
13. You have been tasked with setting up a partner program where participants are bound by the rules of the program. The best vehicle would be which of the following? A. MOU B. Implicit contract C. BPA D. ISA
02-ch02.indd 77
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
78
14. A new regulation has been issued that applies to your operations. Which of the following are used to document the required changes? (Choose all that apply.) A. Policies B. Procedures C. Standards D. PIA
15. Common components of a privacy policy include which of the following? (Choose all that apply.) A. Clearly designating the elements of PII that are being collected and those that
are stored B. Clearly stating what the PII will be used for, including any transfer to third parties C. Designating security provisions and storage time for stored PII D. Cost benefit analysis 16. Which of the following policy types focuses on specific organizational issues such as department issues, business products, and processes? A. Organizational policies B. System-specific policies C. Issue-specific policies D. Administrative-specific policies 17. Which of the following indicates the difference between advisory and informative policies? A. Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Informative policies are gentle recommendations or reminders for employees to consider. B. Informative policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Advisory policies are gentle recommendations or reminders for employees to consider. 18. True or false? Master service agreements are designed to serve as a single agreement that prevents the need for future agreements. A. True B. False
02-ch02.indd 78
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
Chapter 2: Security Policies and Procedures
79
PART I
19. The Chief Security Officer of a large corporation is curious as to how information classification levels are ranked in federal government environments. She is hoping that by duplicating a federal classification system, overall file security for the corporation can be improved. From most sensitive data to least sensitive, what order of information classifications would you advise her of? A. Public Trust, Top Secret, Secret, Confidential, Unclassified B. Confidential, Top Secret, Secret, Public Trust, Unclassified C. Top Secret, Secret, Confidential, Public Trust, Unclassified D. Top Secret, Confidential, Secret, Public Trust, Unclassified
20. As part of a merger, your organization acquired a smaller organization that has specialized SLAs with its customer base. Now that the two IT systems are connected, which of the following can you use to document the security requirements between the two systems? A. SLA B. OLA C. ISA D. BPA
Answers 1. C. The use of multiple people to complete a task is known as separation of duties, which creates an opportunity for checks and balances. 2. A. Assuming social media is not required, then least privilege is the granting of access to only what is needed to perform work functions. 3. D. A privacy impact assessment (PIA) is used to determine whether privacy-related data is properly handled. 4. D. Job rotation involves the moving of people among jobs in an organization to reduce the risk of only one person knowing/performing a particular task. 5. C. Policies are the documents used by management to communicate high-level goals and objectives. 6. D. An MOU is a written agreement defining a common cause and actions on behalf of parties. 7. A. Procedures are work-level step-by-step documentation that is dependent on the people, technology, and task. A change of equipment would necessitate a new procedure. 8. B. Clean desk policies require all sensitive materials on your desk, including PII and other sensitive data types, are locked away and kept out of plain sight from unauthorized users.
02-ch02.indd 79
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 2
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
80
9. B. A business impact analysis documents the various risks to an organization and the resulting impact from disasters. 10. C. Request for Information is considered a “pre-qualifier” for future proposal and quote requests. 11. D. The first step is to define the privacy policy because this provides the needed guidance for all privacy activities. 12. A. An operating level agreement (OLA) is an internal document that defines the relationships between internal parties to support business activities. 13. C. A business partner agreement (BPA) contains the complete terms and conditions that both the partners agree to be bound by as participants in the partner program. This program is set in motion once the application to participate in the program is accepted by both partners. 14. A, B. Changes in regulation can create the need for new policies and procedures. 15. A, B, C. The components of a privacy policy can vary by organization, but some common components include clearly designating the elements of PII that are being collected and those that are stored; clearly stating what the PII will be used for, including any transfer to third parties; and designating security provisions and storage time for stored PII. 16. C. Issue-specific policies target issues at the department, product, and process levels. 17. A. Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Informative policies are gentle recommendations or reminders for employees to consider. 18. B. Master service agreements are all-encompassing agreements between multiple organizations that serve as the building blocks for future agreements, transactions, and business documents. 19. C. Government and military environments typically use Top Secret, Secret, Confidential, Public Trust, and Unclassified as their most-sensitive-to-least-sensitive classification levels. 20. C. An interconnection security agreement (ISA) is a specialized agreement between organizations that have connected IT systems to document the security requirements associated with the interconnection.
02-ch02.indd 80
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CHAPTER
Risk Mitigation, Strategies, and Controls
3
This chapter presents the following topics: • Determine security controls based on CIA requirements and organizational policies • Extreme scenario planning/worst-case scenario • Conduct system-specific risk analysis • Translate technical risks in business terms • Risk management processes • Continuous improvement and monitoring • Business continuity planning • IT governance • Enterprise resilience
One of the early themes in this book so far has been risk management, but we haven’t quite gotten into risk management mitigations, strategies, and controls—until now. Information security has become an exercise in risk management. Using the tools and techniques of risk management has improved organizations’ ability to secure the information assets they use in business operations. Securing information assets leads to a detailed examination of security models, of which the CIA triad (confidentiality, integrity, and availability) has proven to be a simple and effective way of describing basic security needs. This chapter takes a look at a variety of risk mitigation strategies and controls given the requirements stemming from business objectives, management, standards, and even worse-case scenarios.
Categorize Data Types by Impact Levels Based on CIA
The three most commonly used objectives for information security are confidentiality, integrity, and availability—commonly referred to as the CIA triad. These three attributes define different protection requirements for information in the enterprise. Although some similar tools and techniques may be used to achieve these objectives, each must be
81
03-ch03.indd 81
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
82
ensured separately. Besides simply determining the CIA attributes, it is also necessary to define the level of protection. There are many ways to define the level; the most common is a triad of high, moderate, and low. EXAM TIP An important operational detail is for the enterprise to define what high, moderate, and low mean for confidentiality, integrity, and availability. Proper definitions enable appropriate utilization of limited resources to achieve the optimal protection result as measured in terms of enterprise risk.
Federal Information Processing Standard (FIPS) 199 offers definitions for the security impacts of confidentiality, integrity, and availability as well as examples of high, moderate, and low impacts. The definitions for CIA come from the Federal Information Security Management Act (FISMA) directly.
Confidentiality The FISMA definition for confidentiality is as follows: “Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]. A failure to ensure confidentiality can result in the unauthorized disclosure of information. This means that information should only be accessible to authorized users. In one respect, this is an easy aspect: simply restrict the data using access control lists. In practical terms, it becomes more complex. Printed reports can disclose information. Aggregate elements such as averages, which may be releasable, can fail when aggregate quantities can be reversed. A report that has sales data by region, products, and other categories can be rearranged, potentially resulting in de-aggregated values and thus in data disclosure. Confidentiality is typically provided by the following controls:
• Cryptography • Steganography • Access control/permissions • Authentication • Physical security
Integrity The FISMA definition for integrity is as follows: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]. An integrity violation is the unauthorized modification or destruction of information. This means that only authorized users are allowed to modify data, including writing, changing, deleting, and creating it. The creation of data where none was previously can result in integrity errors. Modification can occur even without confidentiality failures, because deletion can occur without revealing the specific data elements.
03-ch03.indd 82
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
83
Integrity is typically provided by the following controls: PART I
• Cryptographic hashes • Digital signatures • File integrity monitoring • Log analysis • Code testing • Separation of duties • Rotation of duties • End-user training NOTE Integrity failures can be serious in many cases. The deletion of key values in a database can result in data corruption and/or changed values.
Availability The FISMA definition for availability is as follows: “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]. A failure of availability is the disruption of access to or use of information or an information system with respect to an authorized user. Here are the most common examples of availability failures:
• Denial of service (DOS) attacks • Power failures • Equipment failures • Data corruption • Human error • Software/OS crash • Natural disasters In retrospect, here are the most common availability controls to mitigate or prevent the failures:
• Fault tolerance (redundant hard drives, power supplies, servers, clusters, ISPs, and even data centers) • Data center location/design (A/C, UPS, fire suppression, raised floor) • Patch management • Antimalware • Preventative maintenance
03-ch03.indd 83
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
84
• Backup/restoration procedures • Disaster recovery plan (DRP) • Business continuity plan (BCP)
CIA Tradeoffs The role of the three CIA attributes in securing information in the enterprise depends on the security requirements. Passwords have a high need for confidentiality, pricing data has a high need for integrity, and database servers have a high need for availability. In an e-commerce system, there are numerous elements of data to consider. The pricing data has no confidentiality requirement since it needs to be shared, yet the validity of the data is paramount, thus making integrity the primary concern. For a given order, the credit card information requires confidentiality, both during the transaction and afterward. In a distributed server environment, the determination of user rights may depend on credentials stored and maintained in a separate system, making availability an issue. In this last case, the use of redundant directory services servers—such as Active Directory domain controllers—could provide availability of authentication and authorization services should one domain controller fail. In the e-commerce pricing example, confidentiality is not needed, integrity is high, and availability is high. In the password example, the confidentiality is high, but the other two attributes raise interesting questions. If availability is compromised, the use is delayed. This raises the question, what is the cost of failure? Failure of confidentiality potentially has a lasting effect because credentials may be lost to an unauthorized party. Failure of integrity and/or availability may result in something as simple as another attempt or may be more serious in the event of an automated batch-type system. The bottom line is that all aspects need to be examined, including from the point of view of what the cost of failure is.
Determine the Aggregate Score of CIA To use the three elements of CIA along with the impact factors (high, moderate, and low) requires some method of expressing these values. FIPS 199 defines the term “security category” (SC) to express the security attributes. These values assist in determining the appropriate set of security controls needed to provide the desired elements of protection with respect to the three security attributes. Security categories can be calculated for information types and information systems. The first step of establishing the aggregate score of CIA is the determination of the potential impact of each type of risk. These impacts are typically categorized as high, moderate, and low. These values and their explanations are expressed in Table 3-1, which shows the potential impact definitions for the security objectives from FIPS 199. In order for the information presented in this table to be useful, the terms limited, serious, and severe impact or consequence need to be defined for the organization. If one is looking at financial measures, organization size and resources can make a large difference in how things are scored. For a small organization, a loss of $10,000 may be catastrophic, whereas for a large multinational organization, the same value would be considered insignificant. The definitions of the financial and personnel issues associated with these levels are presented in Table 3-2.
03-ch03.indd 84
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
85
Potential Impact Low
Moderate
High
Confidentiality
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity
The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability
The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
PART I
Security Objective
Table 3-1 FIPS 199 Potential Impact Definitions for Security Objectives
Potential Impact Security Objective
Severe or Catastrophic Adverse Effect
Limited Adverse Effect
Serious Adverse Effect
Personnel
May result in possible minor injury to a person
May result in significant injury to a person, or minor injury to multiple people
May result in serious injury, maiming, or death to an individual or significant injury to multiple people
Financial
May result in a financial loss that is of little or no consequence
May result in a financial impact that could impact the business or its operation
May result in a financial impact that would significantly impact the firm or result in material loss
Table 3-2 Enterprise-Specific Definitions for Security Objectives
03-ch03.indd 85
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
86
Nomenclature FIPS 199 provides a nomenclature to define security categories in the form of a list of paired values: SCinformation type = {(confidentiality, impact), (integrity, impact), (availability, impact)} For public information that is placed on a web server, with no risk impact from confidentiality, and medium impact for integrity and availability, the form is as follows: SCpublic data = {(confidentiality, NA), (integrity, moderate), (availability, moderate)} The scoring of an information system is more complicated because it requires all information types associated with the system to be scored, and the high-water mark of all the individual elements to be determined. NOTE Calculate the SC for an information system that processes the following three data sets: SCpublic data = {(confidentiality, NA), (integrity, moderate), (availability, low)} SCcontract data = {(confidentiality, moderate), (integrity, high), (availability, moderate)} SCresearch data = {(confidentiality, high), (integrity, medium), (availability, moderate)} Taking the maximum value (high-water mark) of each category yields the following: SCSystem = {(confidentiality, high), (integrity, high), (availability, moderate)}
Another name for the form SCinformation type = {(confidentiality, impact), (integrity, impact), (availability, impact)} is the calculated aggregate CIA score. In one simple expression, the requirements for protection with respect to all three elements of CIA can be expressed for an information dataset or information system.
Incorporate Stakeholder Input into CIA Impact-Level Decisions
Policies are developed in response to a perceived need of guidance due to some driving force. This driving force can be in the form of requirements from either an internal or external source. Requirements may stem from senior management in an effort to communicate corporate goals and objectives. Policies don’t “just happen.” There is a source of the policies, and it should primarily stem from organizational stakeholders. Policies can be drafted in a top-down fashion, where senior management provides guidance on a specific topic. For many policies, such as the security policy, this is important because buy-in by senior management is essential. For other policies, such as a remote access policy, the source may be the security department because the required level of technical knowledge will not be readily available from senior executives. The challenge for
03-ch03.indd 86
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
87
PART I
policies drafted from the bottom up is to get senior management buy-in. When the wording of a policy is presented in a form that makes sense in business terms, is clearly aligned with the organization’s overall goals and objectives, and can be seen to specifically support these goals and objectives, the policy is a better candidate for senior executive buy-in. The primary objective of policies is to communicate the goals and objectives with respect to some particular aspect of the business. There can be many policies in an organization, and security is no different from any other business function—if there are issues that need to be communicated, policies are a useful tool.
Determine Minimum-Required Security Controls Based on Aggregate Score
Operational security is achieved through the implementation of security controls in the enterprise. The set of required controls depends on the aggregate score of security requirements as defined by the security category. Different security controls provide different types of coverage with respect to confidentiality, integrity, and availability. As each piece of data that flows through, or get stored on, a system is analyzed with respect to its security requirements, a set of minimum-security controls can be determined that will provide the required level of security. The security categorization (SC) of an information system defines the minimum-security requirements.
Select and Implement Controls Based on CIA Requirements and Organizational Policies
Security controls are the primary toolset for security practitioners to apply in the effort to meet security requirements. The challenge for security professionals is to employ the correct set of security controls to provide the level of protection required. Because there are numerous individual data elements in a system with differing security categories, this rapidly can be seen as a stubborn problem. To the rescue comes the SC value for the system as a whole. Using this set of values reduces the security control selection process to a very manageable level. This fits with the direction of NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” which provides guidance on the application of security controls in the enterprise. This structured methodology reduces the complexity of layering controls in the enterprise. EXAM TIP Security controls reduce the risk associated with a threat to the enterprise in one of four ways: The organization uses security controls to either avoid the impact, transfer the impact to another party, mitigate the effect of the threat, or (as a last option) accept the risk. Ultimately the risk is reduced to a residual risk level that is accepted by the enterprise by default. This topic will be covered in more detail in the section “Recommend Which Strategy Should Be Applied Based on Risk Appetite” later in this chapter.
03-ch03.indd 87
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
88
Extreme Scenario Planning/Worst-Case Scenario
A critical perspective to have with information security is the anticipation that what can go wrong will go wrong. Although extreme scenarios are unlikely, organizations must still plan for extreme or worst-case scenarios before they occur. Some examples of worst-case scenarios include the following:
• Trade secret breach • DDOS attack • Private encryption key breach • Financial data breach • Natural disasters • Terrorism Central to any discussion about worst-case scenario planning is an understanding of the various internal and external threat actors. Although natural disasters can occur, the most likely threat source will be human related. Threat actors are individuals or groups that are responsible for actions—whether intentional or accidental—that lead to losses for other individuals or organizations. Here’s a list of internal and external threat actors:
• Internal threat actors Individuals and groups inside the organization • Disgruntled personnel • Government or corporate spy • Internal spy • Partner • Reckless or uncaring personnel • Thief • Untrained personnel • Vendor • Script kiddie • External threat actors Individuals and groups outside the organization • Activist • Competitor • Government/political • Data miner • Hacker • Nation-state attacker • Terrorist • Vandal
03-ch03.indd 88
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
89
EXAM TIP The accidents caused by non-hostile threat actors are responsible for a large percentage of cybersecurity breaches; therefore, you must keep an extra-close eye on them.
PART I
Not all internal and external threat actors are created equal. Some have bad intentions (hostile) and deliberately cause harm, whereas others don’t have bad intentions (nonhostile) yet accidentally cause harm.
According to NIST, threat actors are evaluated according to criteria based on skill level, resources, limits, visibility, objective, and outcome. Here’s a breakdown:
• Skill level Threat actor’s capabilities • None • Minimal • Operational • Adept • Resources Threat actor’s scope • Individual • Team • Large team • Organization • Nation-state/government • Limits Threat actor’s rules of engagement • Code of conduct • Legal • Extra-legal (Minor) • Extra-legal (Major) NOTE The difference between the limits of extra-legal (minor) and extralegal (major) is the extent to which threat actors are willing to break laws. Extra-legal (minor) implies a threat actor who might break laws in minor, nonviolent ways to achieve their objectives, whereas extra-legal (major) defines threat actors who break laws in major and potentially violent ways.
• Visibility Threat actor’s visibility risk appetite • Overt • Covert • Clandestine • Doesn’t care
03-ch03.indd 89
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
90
• Objective Threat actor’s short-term goal • Copy • Destroy • Injure • Take • Doesn’t care • Outcome Threat actor’s long-term goal • Acquisition/theft • Business advantage • Damage • Embarrassment • Technical advantage Organizations can address the worst-case scenarios that can arise from these threats by conducting an analysis of all threats—particularly for the preceding threat actors. After determining all possible threat criteria for internal and external threat actors, organizations will then need to determine, from the most to least important, the assets that need protection. They will then craft a variety of scenarios regarding threats exploiting those assets. Then they must create models for each scenario to cross-examine the threats, exploits, vulnerabilities, and assets for a fuller understanding. Finally, they will determine which security controls will be implemented to mitigate the threats. Details on which security controls to implement based on the most to least important risks are described throughout this chapter.
Conduct System-Specific Risk Analysis
Information systems are composed of applications and data. To examine the risk associated with a system, one must examine the information flows and respective security requirements for each. These can be expressed as security categories or in other forms that allow appropriate determination of mitigation strategies. Risk analysis can be performed in one of two manners: qualitative or quantitative. In most cases, risk management and analysis activities include elements from both quantitative and qualitative models. Either of these models can be used to determine the appropriate security measures to prioritize actions and meet the desired security requirements. Risk analysis provides upper management with the details necessary to determine how threats should be addressed. This information assists in the determination of the risks that should be avoided, mitigated, transferred, or accepted. The risk analysis process recognizes risks, quantifies the impact of threats, and supports budgeting for security. The following are the stages in the risk analysis process:
• Inventory • Threat assessment
03-ch03.indd 90
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
91
PART I
• Evaluation • Management • Monitoring The inventory phase involves the inventorying of the threats, whereas the threat assessment phase involves examining the impact of each threat. The evaluation phase is where controls are chosen and evaluated, and the management and monitoring phases relate to the operational steps for implementing specific risk management actions.
Qualitative Risk Analysis Qualitative risk analysis uses expert judgment and experience to assess the elements of occurrence and impact. To assess risk qualitatively, you compare the impact of the threat with the probability of occurrence and then assign an impact level and probability level to the risk. As previously examined, it is common to use levels such as high, moderate, and low when assigning values to probability and impact factors. Figure 3-1 illustrates the combinations of the three levels, with the shading of the box indicating the final risk level. Heavy shading indicates high risk, slight shading moderate risk, and no shading low risk. For example, if a threat has a high impact and a high probability of occurring, the risk exposure is high and probably requires some action to reduce this threat (dark shaded box in Figure 3-1). Assigning the levels of high, moderate, and low can be tricky in some cases, but in reality, a few threats can usually be identified as presenting high-risk exposure and a few threats as presenting low-risk exposure. The threats that fall somewhere in between are probably moderate in level. The primary purpose of a risk assessment is to make a determination of the prioritization of responses to threats. Because resources are limited with respect to the opportunities to apply security controls, prioritization based on risk reduction ensures the best result for a given level of expenditure.
Impact
High Impact– Low Probability
High Impact– Moderate Probability
High Impact– High Probability
Moderate Impact– Low Probability
Moderate Impact– Moderate Probability
Moderate Impact– High Probability
Low Impact– Low Probability
Low Impact– Moderate Probability
Low Impact– High Probability
Probability
Figure 3-1 Qualitative risk assessment
03-ch03.indd 91
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
92
Quantitative Risk Analysis Quantitative risk assessment uses calculations based on historical data associated with risk. This method is used in industries such as insurance, where large quantities of data occur and provide a solid basis for trending. A common method of quantitative assessment is the calculation of the annualized loss expectancy (ALE). As for most certification exams, know the definitions and formulas:
• SLE = asset value * exposure factor • ALE = SLE * ARO • SLE: Single loss expectancy • ARO: Annualized rate of occurrence • ALE: Annualized loss expectancy Calculating the ALE creates a monetary value of the impact. Begin by calculating the single loss expectancy (SLE) with the following formula: SLE = asset value * exposure factor The asset value is the dollar value of the asset being placed at risk. The exposure factor is the percentage of the asset that would be lost by the risk. The value of SLE equates to the monetary loss expected from a risk occurring. To calculate the ALE, multiply the SLE by the likelihood that the risk will materialize during a year, which is referred to as the annualized rate of occurrence (ARO): ALE = SLE * ARO A second method that is frequently used is to assign point values to high, moderate, and low and then multiply them together to determine a final risk value.
Calculate the Risk
Let’s take a look at an example. A company has a single, centralized web-based orderentry system. Orders are fulfilled from a series of five regional warehouses. What is the expected loss if there is a 1 percent chance of a hacker bringing the order-entry system down, requiring a server restore? The mean time to restore the server is six hours. Orders come in an average of 12 hours a day, bringing in $500,000 a day in average revenue across a 364-day sales calendar. It is expected that the attacks occur daily. The asset value = $500,000 The exposure factor is 0.5 (6 hours/12 hours) SLE = $500,000 * 0.5 = $250,000 ARO = 0.01 * 364 = 3.64 times ALE = SLE * ARO = $250,000 * 3.64 = $910,000 Another form of quantitative analysis is when numeric values are assigned to the levels of the qualitative analysis. Using numeric values opens up a variety of potential analysis
03-ch03.indd 92
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
93
• Severity Scores the potential effect of the threat • Occurrence Rates the likelihood that a threat will manifest as a loss • Detection Captures the likelihood that the threat will be detected and mitigated prior to resulting in a loss
PART I
options. Rather than just two factors, a third factor is sometimes included. The threefactor model for risk, with its roots in failure mode effects analysis (FMEA), uses the factors’ severity, occurrence, and detection to score risk.
These three values can then be multiplied together to create a risk priority number (RPN). Two types of scales are commonly used: one is 1–5, and the other is 1–10. On both scales, the higher number represents more likely or severe. The 1–5 scale makes it easier to agree on values, whereas the 1–10 scale provides for wider variation in RPN scores. Tables 3-3 through 3-5 are sample scoring tables for severity, occurrence, and detection. Keep in mind that these should be modified to meet your organization’s specific requirements. One of the distinct advantages of this quantitative method is its ability to distribute values across a range. Using a five-point scale, the range of RPN values is from 1 to 125. For the 10-point scale, it is 1 to 1000. Of further value is the fact that distribution is not linear, but is skewed, with the vast majority of combinations occurring in the lower scores. On the 1–1000 distribution for the three 10-point scales, over 85 percent of the combinations yield an RPN of less than 360. This tends to allow issues with high values to stand out.
Rating
10
Description
Definition (Severity of Effect)
Dangerously high
Failure could result in injury or death.
9
Extremely high
Failure could create noncompliance with federal regulations.
8
Very high
Failure could result in the process or product being inoperable or unfit for use.
7
High
Failure causes a high degree of customer dissatisfaction.
6
Moderate
Failure results in partial malfunction of the product.
5
Low
Failure creates a performance loss to cause the customer to complain.
4
Very Low
Failure can be overcome with modifications to process or product, but there is minor performance loss.
3
Minor
Failure would create a minor nuisance, but it can be overcome without performance loss.
2
Very Minor
Failure may not be readily apparent, but would have minor effects on the process or product.
1
None
Failure would not be noticeable to the customer and would not affect the process or product.
Table 3-3 Sample Severity Rating Scale
03-ch03.indd 93
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
94
Rating
Description
Potential Failure Rate
10
Very high
Occurrence is almost inevitable. More than one occurrence per day.
9
High
Occurs almost as often as not. One occurrence every three to four days.
8
High
Repeated occurrences. One occurrence per week.
7
High
One occurrence every month.
6
Moderately high
One occurrence every three months.
5
Moderate
Occasional occurrences. An occurrence every six months to one year.
4
Moderately low
Infrequent. One occurrence per year.
3
Low
One occurrence every one to three years.
2
Low
Occurrences are few and far between. One occurrence every three to five years.
1
Remote
Occurrence is unlikely. One occurrence in more than five years.
Table 3-4 Sample Occurrence Rating Scale
Rating
Description
Definition
10
Absolute uncertainty
The issue is not detectable.
9
Very remote
Issue is only detectable by chance (detected less than 1 percent of the time).
8
Remote
Issue is hard to detect. Chance of detection is less than 5 percent.
7
Very low
Detection less than 10 percent of the time.
6
Low
Detection is somewhat difficult (less than a 25 percent success rate).
5
Moderate
Chance of detection is 50:50.
4
Moderately high
Issue is detectable (detected more than 90 percent of the time).
3
High
Issue is highly detectable (detected more than 95 percent of the time).
2
Very high
Almost certain. Issue is detected more than 99 percent of the time.
1
Certain
Certain. Issue is always detected.
Table 3-5 Sample Detection Rating Scale
03-ch03.indd 94
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
95
Risk management is an essential element of business management in today’s competitive environment. Security management can be viewed as a form of risk management. One definition of risk is the possibility and effect of suffering a loss. Two components are associated with measuring loss: the possibility of an event occurring and the impact of the event. The primary purpose behind making a risk determination is to provide management with the information needed to make decisions on which threats to address and with what level of resources. If you consider the risk calculations described earlier regarding SLE, ARO, ALE, severity, occurrence, and detection scales, organizations will be in a prime position to not only make accurate risk determinations, but also to be able to organize said risks into a priority order for mitigation.
PART I
Make Risk Determination Based on Known Metrics
Magnitude of Impact Based on ALE and SLE The magnitude of impact is a measure of how much damage a particular threat would cause if it manifested itself. A threat can have an impact of zero, meaning it has no effect on the system, or it can have a catastrophic effect. And a wide range of values can occur between the two extremes. The challenge of risk management analysis is the determination of the magnitude of impact, as described in the previous section. Impacts are typically scored as high, moderate, and low. High-level impacts result in significant loss, whereas low-level impacts represent negligible losses. Moderate losses fall between these two levels.
Likelihood of Threat The likelihood of a threat is a measure of the chance that the threat will actually impact a system. The distribution of values for likelihood can vary based on the causal nature of the threat. In the case of environmental issues such as disasters, storms, and so on, the distribution of likelihoods is random with no memory function. Hence, the chance of a flood or hurricane may vary by location, but is not based on previous events. This concept fits well with insurance models, where distributions are typically normal and based on a wide range of factors. Other threats, such as hackers, follow a different distribution. Once it becomes known that a firm is vulnerable in a specific manner or fashion, repeat attacks become more common, thus forcing a memory aspect to the distribution function. This can introduce a significant fat-tail aspect to the distribution, skewing the likelihood to higher levels once the first incident is successful.
Motivation
To better understand the likelihood of threats, we must also ascertain their motivation. Malicious hackers, being human, have one or more motivations for conducting their nefarious acts. These things don’t happen in a vacuum; therefore, you should consider the following motivations:
• Financial gain through information theft • Espionage (competitor/enemy states)
03-ch03.indd 95
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
96
• Ego or fun (challenge) • Ideology (religious/political) • Grudge (former employee/customer/partner) NOTE Did you notice that we left out motivations for other threats like accidents and non-human causes like natural disasters? That is because such events are not said to have a motivation.
Knowledge of a threat’s motivation is important for developing a fuller understanding of the threat. The more information we have about a threat, the better decisions we can make on implementing the appropriate security controls to resolve the threat.
Source
As discussed earlier in the chapter, threat sources originate from internal and external threat actors who may be either hostile or non-hostile in nature. Such individuals may be intelligent and intentionally attack the organization, or uninformed and don’t realize they’re causing real or potential damage to the organization. Attackers might be relatively inept script kiddies taking advantage of an easy opportunity, or they could be adept hackers targeting the organization for a deeper reason. Competitors may hire hackers to look into company trade secrets, products, and plans. Some organizations may be the unfortunate target of a local or foreign intelligence agency or an organized cybercrime terrorist group. Although less likely, threat sources may include natural disasters such as tornados, hurricanes, earthquakes, volcanos, floods, tsunamis, blizzards, and wildfires. An organization’s region, proximity to a threat source, emergency procedures, awareness training, and facility structure as well as the time of year will play key roles in exposures caused by natural disasters.
ARO
As discussed earlier, the annualized rate of occurrence (ARO) is a prediction of how often a threat instance will materialize in one year. For another example, suppose an asset’s value (AV) is valued at $75,000 and the exposure factor (EF) for the asset is 20 percent. If you multiply the AV by EF, you get a single loss expectancy (SLE) of $15,000. Put differently, AV * EF = SLE. Now, if we can reasonably predict that the asset will be exploited/exposed once a year, we’ll say the ARO is 1. Take the ARO of 1 and multiply it by the SLE, and the asset’s annualized loss expectancy (ALE) is expected to be $15,000. Put differently, ARO * SLE = ALE. If the ARO is changed to 2 in this scenario, then the ALE for the asset will be $30,000. NOTE The key to these calculations is not merely understanding the formulas but rather to know exactly what to put “into” the formulas. It is crucial that the asset’s value is accurately determined from the start.
03-ch03.indd 96
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
97
Trend Analysis
PART I
Trend analysis is an important way to help reduce risk for an organization. We’ll cover trend analysis in greater detail in Chapter 17, but for now just know that it involves performing ongoing research on emerging industry trends to determine the potential and impact of threats that organizations may face. For example, a new trend involves hackers utilizing artificial intelligence and machine learning to augment their data collection and subsequent attacks. Other hackers are employing more evasive malware that escapes VMs and attacks the physical host, hypervisor, or even network resources. According to Symantec, here are the predicted trends in cybersecurity for 2018:
• Blockchain will find uses outside of cryptocurrencies. • Cybercriminals will use Artificial Intelligence and Machine Learning to conduct attacks. • Supply chain attacks will become mainstream. • File-less and file-light malware will increase. • Organizations will have difficulty securing software as a service (SaaS) tools. • More breaches will occur due to design, error, and compromise. • Trojans will still generate more financial losses than ransomware. • Home Internet of Things (IoT) devices will be held ransom, hacked, and used against us, and will provide access to home networks. Others are predicting trends in increasingly intelligent bots, hivenets, and swarmbots. Cybercriminals are expected to make better use of automated attacks via the dark web. Cyberwarfare between nations is expected to go from the “underground” to the “mainstream,” which we’re already seeing with recent attacks on political networks. EXAM TIP The key to trend analysis is doing research with various reputable sources online, communicating with vendors, and even attending security conventions and conferences.
Return on Investment (ROI) Let’s face it: security solutions can be expensive. Getting broken into and having customers’ credit cards/medical records/personal information stolen is expensive, too, but the mere threat of this happening is often not enough to justify the cost to prevent it from happening. C-level staff increasingly ask, “How likely is this to happen?” and “What’s the cost if we get hit once? Twice?” Security may be a cost of doing business, but increasingly the question that needs to be answered is, at how much cost? To help address those questions, CSOs are turning toward methods C-level staff and most MBA graduates understand—ROI and TCO. Return on investment (ROI) is essentially the efficiency of an investment. The “return” or benefit of the investment (minus the cost) is divided by the cost of the investment (see Figure 3-2). This formula works fairly well for manufacturing processes because any increase in productivity will likely generate a positive ROI—but what about security spending? How does one see a
03-ch03.indd 97
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
98
Figure 3-2 Simple ROI formula
ROI =
(Benefit – Cost) Cost
“return” from purchasing a new firewall? Or deploying an IPS? It is a bit trickier to show an ROI with security solutions, but it can be done. The obvious case is where spending helps reduce headcount or manpower costs—a new log consolidation tool allows one person to do the work of two people. In other cases, we will need to look at risk analysis calculations for soft numbers that can be used in ROI calculations. Let’s use a simple example: let’s say the risk of a break-in is 100 percent with no security and the cost of said break-in would be $500,000. Let’s say a firewall costing $50,000 would reduce that risk by 80 percent (theoretically providing $400,000 of risk mitigation). So, for $50,000, we could achieve $400,000 of risk mitigation. In theory, we’re “saving” $350,000 by purchasing the firewall. That’s an extremely simplistic example, but you get the idea. Take a few minutes to google “security ROI” and you’ll see entire papers written on calculating ROI for security products.
Total Cost of Ownership (TCO) So, what about total cost of ownership (TCO)? Much like owning a car, purchasing a security product isn’t a one-time expense. Cars have fuel, insurance, and maintenance costs; security products usually have maintenance agreements, require someone to operate and manage them, upgrades, and so on. Calculating the TCO of a security product involves factoring in all the expected costs over the life cycle of that product. Some are simple to calculate, such as purchase price and maintenance contracts; yet the hardest to calculate is often the largest number that factors into TCO—personnel. A security tool doesn’t run completely on its own—in almost every case, there’s a human sitting at a keyboard interacting with the security tool. The challenge is trying to estimate how many people will be needed to operate and maintain that tool. How many hours will it take? How much does that type of person get paid? What types of training classes will they need?
Translate Technical Risks in Business Terms
Chapter 19 will deep-dive into the topic of technical risks; therefore, this section provides a more cursory level of coverage. One of the reasons why organizations sometimes hire relatively nontechnical people to chief information officer (CIO) and chief security officer (CSO) roles is due to their unique ability to “bridge the gap” between their subordinates and executives. Although extensive technical/security knowledge is often a requirement for these roles, the one unmistakable quality in all cases is the role of “translator.” The CIO and CSO not only oversee their respective departments, but they must also effectively communicate the technical and security desires of their teams into the business language spoken by decision-makers. In some cases, you’ll report various risks, threats, and budgeting requests
03-ch03.indd 98
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
99
PART I
directly to the CSO; you might actually be the CSO—or you might work for an organization that does not have a CSO at all. In the latter case, you’ll need to be the translator of technical risks to various departments and users. As you can imagine, being a company-wide translator can be quite challenging due to the variation in employee roles, tenure, experience, intelligence, and business vocabulary of the individuals you’ll interact with. When talking about technical and security risks, you must first understand your audience. Are they a technical, nontechnical, or semitechnical employee? Are they an end user, manager, executive, board member, regulatory representative, or auditor? Here are some general guidelines for communicating technical information:
• Don’t say too much Communicate just enough information to make your point. Overselling dilutes the message and can create confusion. • Focus on their world Communicate what matters to them first before what matters to you. People are drawn to those that seemingly care more about others than themselves. • Humility Rather than coming across as the smart technical person talking to a nontechnical person, find a way to reverse the roles. Perhaps volunteer your own ignorance about the end-user’s individual’s knowledge, skills, and abilities so that they can teach you a few things. This puts both sides on the same plane. • Visuals Charts and graphs certainly have their place, but what works especially well is more visually stimulating visual content such as infographics showing graphics, percentages, and predictions. In the final chapter of this book, we’ll get into proper communication and interaction techniques with stakeholders from all levels of the organization, including the end user all the way up to the executive and legal levels.
Recommend Which Strategy Should Be Applied Based on Risk Appetite
All organizations have a certain risk appetite or risk level that they’re willing to accept when it comes to the protections required to fulfill their security requirements. This will drive the level of urgency or lack thereof regarding investment into security controls. Security controls are the primary toolset for security practitioners to apply in the effort to meet security requirements. The challenge for security professionals is to design the correct set of security controls to employ to provide the level of protection required. Because there are numerous individual data elements in a system with differing security categories, this rapidly can be seen as an inflexible problem. To the rescue comes the SC value for the system as a whole. Using this set of values reduces the security control selection process to a very manageable level.
03-ch03.indd 99
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
100
NOTE NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” provides guidance on the application of security controls in the enterprise. This publication also introduces the concept of baselines and recommends a set of controls based on low criticality—with moderate criticality being handled by the baseline set plus additional controls, and high criticality adding yet more. This structured methodology reduces the complexity of layering controls in the enterprise.
Avoid Risk avoidance is a mechanism where the enterprise avoids a particular threat. It can do this through actions that avoid exposure, such as removing a feature that increases exposure. Risk avoidance seems like a simple method to remove exposure, but this method cannot be employed against all threats. All business activity involves a level of risk, and avoiding all risk means avoiding all rewards as well. Avoidance is a powerful tool for threats that have significant impacts. For instance, the positioning of backup data centers in a separate location, and one sheltered from items such as hurricanes and other threats to the primary location, avoids the risk of a storm taking out both primary and backup systems.
Transfer Risk transference can be most easily explained with a single word: insurance. Analyzing risk transference in detail illustrates that the threat is not transferred, nor is the impact, but rather some form of post-event compensation is employed to cover the impact. If a firm outsources its security management to a managed security provider, the risk still falls to the original firm, and it becomes a contractual issue with respect to settling how the loss will be covered.
Mitigate Risk mitigation is the most common form of risk management. The use of security controls to reduce the impact of an attack is a form of mitigation. An intrusion detection system acts like a burglar alarm, limiting the time an adversary has to create loss. The use of logs to determine a security issue also works to limit the exposure. Firewalls and access control mechanisms both act to limit the breadth of exposure to a threat. The concept of defense in depth acts to reduce exposure.
Accept After all the risks have been addressed and reduced, there is still a level of risk remaining known as residual risk. This risk is handled by acceptance. If a firm does not completely address any specific risk, it must accept the consequence and the loss. This mechanism is used all the time for extremely rare events and items with small exposures.
03-ch03.indd 100
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
101
Chapter 1 discussed the high-level recurring risk management process of identification, assessment, analyzation, and mitigation of risks. Taking a more detailed approach here, we’ll reiterate an important risk management framework that stems from NIST SP 800-39, “Managing Information Security Risk.” For more information on each of the stages in this framework, refer to the FIPS or special publications provided within the parentheses of each stage:
PART I
Risk Management Processes
• Categorize the information systems and data (FIPS 199 and SP 800-60). • Select security controls (FIPS 200 and SP 800-53). • Implement security controls (SP 800-34, SP 800-61, and SP 800-128). • Assess the effectiveness of the security controls (SP 800-53A). • Authorize the information system and data (SP 800-37). • Monitor the security controls (SP 800-37, SP 800-53A, and SP 800-137).
Exemptions Although risk management processes should account for all opportunities of risk, some products or systems may require exemptions from them. These exemptions can exist for many reasons, such as the age, attrition, or lack of functionality from legacy products. In other cases, state or federal regulations might stipulate an exemption. As per the ISO/IEC 27001 standard, exemptions are authorized noncompliances with mandatory requirements. For example, if a hospital mandates a 10-character minimum password for all healthcare systems, yet a specialty computer has an overriding requirement to use a smaller eight-character password due to software constraints, this is an example of an exemption. On the other hand, if another computer is not authorized to have an eight-character password at this same hospital, this is an example of an exception. Exceptions are different because they are unauthorized noncompliances with mandatory requirements. Understand that although exemptions may be required, it opens up the organization to some risk in itself. Be sure to consider any and all repercussions of exemptions to risk management processes, and consider how you might be able to trim out some of that risk without violating the exemption requirements.
Deterrence There will be some risks that cannot be outright mitigated, and in some cases too expensive to be practical. While deterrence does not prevent, detect, or mitigate risk, it can still reduce risk through more indirect mechanisms. Deterrence is the process of discouraging threat actors from performing unauthorized actions through warnings or through the threat of consequences. This could be as simple as a sign that says, “Private property. No trespassing. Violators will be prosecuted.”
03-ch03.indd 101
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
102
In most company computers, users are confronted at sign-in with a login banner that provides one or more paragraphs of warnings, including the following:
• Who are considered appropriate users of the system • What is considered appropriate usage of the system • That the system is being monitored for inappropriate usage • That privacy should not be expected while using company systems • That disciplinary action, criminal charges, or sanctions can be implemented if inappropriate usage is discovered
Inherent Inherent risk is the risk that an incident will pose if no security controls are put into place. It is because of inherent risk that we have to implement security controls in the first place. Early on in the risk assessment process, we will discover how much inherent risk exists for any potential adverse event. Equipped with that information, we can respond with the appropriate security controls to reduce the risk.
Residual Residual risk is the risk that remains after all security controls and countermeasures have been implemented. This is to be expected because no matter what you do, you cannot eliminate all risk. The important thing is that the residual risk is low enough to be acceptable to the organization.
Continuous Improvement/Monitoring
Continuous monitoring in any system takes place after initial system security implementation. It involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls. Continuous monitoring reduces the latency between system changes and security changes to a minimal period. This requires greater intervention on the part of security professionals, but is built around the idea of a bunch of small changes rather than major implementations described by the certification and accreditation process. The true goal of continuous monitoring is the maintenance of an ongoing understanding of the exact security posture of the organization. Continuous monitoring requires a significant level of automation to facilitate the level of monitoring and decision-making required to keep abreast of the myriad changes a system faces in use. As the threat environment changes, this can lead to security changes. As the system is adapted through minor changes or interconnected to other systems, system-level interactions can result in security changes.
03-ch03.indd 102
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
103
PART I
TIP Automation of elements such as log collection and analysis, patch and antivirus updating, user auditing, and threat monitoring can assist security personnel in deploying their resources where they can best influence the required level of change necessary to keep risk at a responsible and acceptable level.
To manually subject a system to complete reviews through a certification and accreditation process is neither feasible nor desirable. The business requirement is to maintain levels of risk commensurate with the reward associated with the system, and this business decision requires analysis of how a system stands as it is being operated, not just at static intervals. The continuous monitoring process involves the following three activities: 1. Configuration management and control a. Documentation of information system changes b. Security impact analysis
2. Security control monitoring and impact analysis of changes to the information system a. Security control selection b. Selected security control assessment
3. Status reporting and documentation a. System security plan update b. Plan of action and milestones update c. Status reporting
The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred in the information system will negatively impact the system security.
Business Continuity Planning
Also known as continuity of operations planning (COOP) in the U.S., business continuity planning is a collection of processes that permit an organization to preserve or quickly recover its business functions in the event of a serious business disruption. Not to be mixed up with disaster recovery planning since it focuses on technology recovery, business continuity planning encompasses the functionality of the overall organization and is therefore more significant. Disruptions to business continuity have many causes, including internal and external threat sources such as natural disasters, environmental failures, and man-made (intentional and accidental) threats. Central to business continuity planning is the development of the business continuity plan (BCP). The business continuity plan is a policy that documents all possible disasters and solutions ahead of time to quickly return the business to normal functionality within
03-ch03.indd 103
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
104
a promised timeline. Building a comprehensive list of disasters involving everything from technological failures, supply chain failures, natural disasters, and human causes requires soliciting feedback from various department stakeholders. A BCP document can be constructed in many ways, which might contain some of the following components:
• Decision-making authority (also known as the business continuity team) This is a team of individuals and may include the COO, CIO, VPs, directors, and other IT, security, and facilities stakeholders. Such individuals share responsibility in maintaining, communicating, and executing the provisions of the BCP. • Emergency response plan Indicates the immediate communication plan should an adverse event take place. In other words, the COO (or other senior member) will determine if present circumstances call for invoking the provisions of the BCP, which includes notifying a few other key players. If the COO isn’t available, the CIO might take over. • Operations center locations This component stipulates the need for the business to relocate to another site should the main site no longer be available for business operations. • Communications Indicates the presiding communication policy during disaster events, which includes provisions for if or when communications with certain outsiders (such as the media, law enforcement, and so on) are warranted. • Service and system recovery Indicates the most-to-least critical business functions and processes to be restored and the required timelines. The most critical functions might require restoration in one hour, whereas addition business functions might come with, say, 24-hour, two-day, or one-week requirements. • Plan maintenance Contains the requirement and frequency for reviewing the BCP, which might be quarterly, biannually, or annually.
Business Impact Analysis
Since adverse events have the potential to disrupt a business’s ability to perform critical business functions, how should we determine what those key functions are and the resulting impact to the business during failures? Crucial to a BCP is the construction of a business impact analysis (BIA), which classifies organizational risks into a series of levels and priorities with the resulting disruptions measured in financial and humansafety terms. In other words, what is most important to us and how much loss will occur if we lose those important things? BIAs include provisions for the following:
• Critical process prioritization • Tolerable downtime approximation • Impact of financial losses • Resources to restore • Reduced efficiency probabilities
03-ch03.indd 104
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
105
MTBF =
(Start of downtime–Start of uptime) Number of failures
PART I
Figure 3-3 Formula for calculating MTBF
BCPs will often incorporate important metrics to help guide and set expectations for recovery operations. Knowledge of these metrics will help keep recovery efforts focused and on schedule. Shown here are the most important BCP metrics:
• Recovery time objective (RTO) Preferred period of time it should take for normal business operations to be restored after a disaster. • Recovery point objective (RPO) Maximum period of time that an organization can tolerate a data loss. • Mean time to repair (MTTR) Measure of how long it takes before something can be restored to normal functionality. • Mean time between failures (MTBF) Measure of how long a device is expected to operate before failure. Take a look at Figure 3-3 to see how MTBF can be calculated. • Maximum tolerable downtime (MTD) Maximum time a business function can remain unavailable before it causes total and irrecoverable business failure.
IT Governance
IT governance is the implementation of processes where executive management actively ensures that IT is being used in the most effective and efficient manner by those responsible for it. This is not to say that upper management is taking responsibility away from IT management but rather they are carefully overseeing the overall effectiveness of IT and whether it is bringing value to the organization through the fulfillment of business objectives. Ultimately, IT governance seeks to bring strong alignment of IT with business objectives to ensure value is consistently brought to the organization. Better cohesion of IT and company objectives will not only provide better top-down oversight, but also provide a clear path for IT personnel to implement IT solutions that work toward the organization’s objectives. Another thing to consider is that IT governance also helps reduce organizational risk. By using a common risk management framework, IT and upper management can work synergistically toward mutually beneficial goals. More on that in the next section.
Adherence to Risk Management Frameworks IT governance sounds great, but what’s a good way for an organization to formalize it and get the most out of it? As indicated in the previous section, risk management frameworks are the answer. Control Objectives for Information and Related Technology 5
03-ch03.indd 105
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
106
(COBIT 5) is a well-known framework for IT management and governance created by the ISACA. COBIT 5 delivers on five principles:
• Meeting stakeholder needs • Covering the enterprise end-to-end • Applying a single integrated framework • Enabling a holistic approach • Separating governance from management The ISO/IEC 38500 standard was created for corporate governance of IT. It empowers upper management to provide assurances that IT is fulfilling all legal, regulatory, and
NIST Security Standards
For more information related to risk management frameworks, consider researching the following security standards:
• NIST SP 800-39 Managing Information Security Risk • NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems • NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations • NIST SP 800-34 Contingency Planning Guide for Federal Information Systems • NIST SP 800-61 Computer Security Incident Handling Guide • NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems • NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations • NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach • NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
03-ch03.indd 106
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
107
• Responsibility • Strategy • Acquisition • Performance • Conformance • Human behavior
PART I
ethical obligations while remaining aligned with organizational objectives. ISO/IEC 38500 has six principles:
Another framework (and quite a popular one at that) is the Information Technology Infrastructure Library (ITIL) framework. ITIL provides best practices for the alignment of IT services with organizational objectives. At the time of this writing, the latest version of ITIL is the 2011 version. There are five “volumes” of ITIL publications, as listed here:
• Service Strategy Focuses on organizational objectives and customer needs • Service Design Converts service strategy into business objective deliverables • Service Transition Creates and improves capabilities for new services • Service Operation Manages services in environments • Continual Service Improves upon services incrementally and on a larger scale
Enterprise Resilience
Enterprise resilience consists of an organization’s ability to adapt to short-term and longterm changes. Like an organism’s immune system, enterprise resilience must be able to fight off current threats while also strengthening itself for future ones. This should not be mistaken with disaster recovery or business continuity because enterprise resilience focuses more on general risks and disruptions as opposed to large-scale disasters. Since enterprise resilience is focused on change adaptation, risk management is incorporated into the overall strategy of improving an enterprise’s resilience. For an enterprise to be resilient, it must be able to withstand changes and adversity from top to bottom— from the technological all the way through operational levels. Consider the following resiliency tactics:
• Resiliency within servers, including disk arrays, redundant power supplies, and NICs. • Resiliency across servers, including server clusters/farms, NAS/SAN, and UPSs. • Resiliency of LAN/WAN networks and connections, including redundant ISP links.
03-ch03.indd 107
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
108
US-CERT Cyber Resilience Review
The U.S. Computer Emergency Readiness Team (US-CERT) developed the Cyber Resilience Review (CRR) self-assessment package in 2016 to provide organizations with a means of self-assessing their cybersecurity resilience. Organizations may also elect to have a Department of Homeland Security (DHS) representative conduct an onsite assessment. The 41-page questionnaire consists of 10 domains of topics:
• Asset Management • Controls Management • Configuration and Change Management • Vulnerability Management • Incident Management • Service Continuity Management • Risk Management • External Dependency Management • Training and Awareness • Situational Awareness
• Resiliency of data centers, including redundant data centers through remote sites, outsourcing through cloud computing provider, and generators. • Resiliency of stakeholders through leadership contingency plans. Who is in charge when someone is unavailable? • Resiliency of the organization during economic downturns as well as changes to laws and regulations. • Resiliency of the organization to changes in the industry, with competition, vendors, and customer demands.
Chapter Review
This chapter covered the execution of risk mitigation strategies and controls given various scenarios. We started off with categorizing data types by impact levels based on CIA. We also introduced the three pillars of security—confidentiality, integrity, and availability—in addition to their various tradeoffs. The next section talked about determining the aggregate score of CIA, which involves scoring the impact of risks through low, moderate, and high severities.
03-ch03.indd 108
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
109
03-ch03.indd 109
PART I
We then went into a section on incorporating stakeholder input into CIA impactlevel decisions. The primary output resulting from the input from stakeholders will be security policies. The next section branched off of the security categories section by discussing the determination of minimum-required security controls based on aggregate score. We then covered the selection and implementation of controls based on CIA requirements and organizational policies. This section briefly touched on avoiding, transferring, mitigating, and accepting the risk. Extreme scenario planning/worst-case scenarios were the topics of the next section. We went into all the bad things that could theoretically happen as a result of human and non-human threats. Conducting system-specific risk analysis was the topic of the next section, which highlighted inventory, threat assessment, evaluation, management, and monitoring. We then went into qualitative risk analysis, which uses designations such as low, moderate, and high to measure risk. The next topic was quantitative risk analysis, which typically uses monetary values and formulas to assign meaning to risk. Making risk determinations based on known metrics was the topic of the next section. It talked about interpreting the outcome of quantitative and qualitative risk analysis in order to arrange various risks into a priority order. This included determining the magnitude of impact based on ALE and SLE, in addition to developing a deeper understanding of threat likelihood, motivations, sources, and analyzing any applicable trends regarding those threats. The end of the section talked about determining return on investment in addition to calculating the total cost of ownership for risk controls to counter the various threats. The next section briefly discussed translating technical risks into business terms by catering your security messages according to the target audience. We moved into another new section on recommending which strategy should be applied based on risk appetite. Here, we went into more detail on strategies for avoiding, transferring, mitigating, and accepting risk. We then went into a new section on risk management processes, which reintroduced several risk management frameworks along with NIST special publications. We touched on exemptions to risk management processes, in addition to risk deterrence, inherent risk, and the residual risk left over after security controls are implemented. We had a brief section on continuous improvement and monitoring practices, which highlighted the importance of automation of various elements for optimization. Business continuity planning had its own section, which covered the benefits, components, and strategies of BCPs. This section also included coverage of BCP topics such as RTO, RPO, MTTR, MTBF, and MDT. The next section of the chapter discussed IT governance and the role that upper management plays in ensuring that IT solutions are meeting company objectives in a way that adheres to risk management frameworks. The final section of the chapter discussed enterprise resilience as well as various tactics to ensure an organization is able to maintain business operations regardless of short-term and long-term changes.
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
110
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Categorize Data Types by Impact Levels Based on CIA • The three most commonly used objectives for information security are confidentiality, integrity, and availability—commonly referred to as the CIA triad. • The FISMA definition for confidentiality is “preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.” • The FISMA definition for integrity is “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” • The FISMA definition for availability is “ensuring timely and reliable access to and use of information.”
Determine the Aggregate Score of CIA • The first step of establishing the aggregate score of CIA is to determine the potential impact of each type of risk. • Impacts are typically categorized as high, moderate, and low.
Incorporate Stakeholder Input into CIA Impact-Level Decisions • Security policies are developed in response to a perceived need of guidance due to some driving force, typically in the form of upper management. • Policies can be drafted in a top-down fashion, where senior management provides guidance on a specific topic. • When the wording of a policy is presented in a form that makes sense in business terms, is clearly aligned with the organization’s overall goals and objectives, and can be seen to specifically support these goals and objectives, the policy is a better candidate for senior executive buy-in. • The primary objective of policies is to communicate the goals and objectives with respect to some particular aspect of the business.
Determine Minimum-Required Security Controls Based on Aggregate Score • The set of required controls depends on the aggregate score of security requirements as defined by the security category. • Different security controls provide different types of coverage with respect to confidentiality, integrity, and availability. • The security categorization (SC) of an information system defines the minimum security requirements.
03-ch03.indd 110
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
111
• Security controls are the primary toolset for security practitioners to apply in an effort to meet security requirements. • The challenge for security professionals is to employ the correct set of security controls to provide the level of protection required. • Security controls reduce the risk associated with a threat to the enterprise in one of four ways: enterprises can avoid the impact, transfer the impact to another party, mitigate the effect of the threat, or accept the risk.
PART I
Select and Implement Controls Based on CIA Requirements and Organizational Policies
Extreme Scenario Planning/Worst-Case Scenario • Although extreme scenarios are unlikely, organizations must still plan for extreme or worst-case scenarios before they occur. • Central to any discussion about worst-case scenario planning is an understanding of the various internal and external threat actors. • Although natural disasters can occur, the most likely threat source will be human related. • Threat actors are individuals or groups that are responsible for actions—whether intentional or accidental—that lead to losses for other individuals or organizations.
Conduct System-Specific Risk Analysis • To examine the risk associated with a system, one must examine the information flows and respective security requirements for each system. • Risk analysis can be performed in one of two manners: qualitative or quantitative. • In most cases, risk management and analysis activities include elements from both quantitative and qualitative models. • Qualitative risk analysis uses expert judgment and experience to assess the elements of occurrence and impact. • To assess risk qualitatively, you compare the impact of the threat with the probability of occurrence and then assign an impact level and probability level to the risk. • Quantitative risk assessment uses calculations based on historical data associated with risk.
Make Risk Determination Based on Known Metrics • The primary purpose behind making a risk determination is to provide management with the information needed to make decisions on which threats to address and with what level of resources. • The magnitude of impact is a measure of how much damage a particular threat would cause if it manifested itself.
03-ch03.indd 111
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
112
• The challenge of risk management analysis is the determination of the magnitude of impact. • The likelihood of a threat is a measure of the chance that a threat will actually impact a system. • Knowledge of a threat’s motivation is important for developing a fuller understanding of the threat. • Threat sources originate from internal and external threat actors who may be either hostile or non-hostile in nature. • Threat sources may include natural disasters such as tornados, hurricanes, earthquakes, volcanos, floods, tsunamis, blizzards, and wildfires. • An organization’s region, proximity to threat source, emergency procedures, awareness training, and facility structure, as well as the time of year, will play key roles in exposures caused by natural disasters. • Trend analysis involves performing ongoing research on emerging industry trends to determine the potential and impact of threats that organizations may face. • Return on investment (ROI) is essentially the efficiency of an investment. • Calculating the TCO of a security product involves factoring in all the expected costs over the life cycle of that product. • The TCO may be simple to calculate (for example, purchase price and maintenance contracts), yet the hardest item to calculate is often the largest number that factors into TCO—personnel.
Translate Technical Risks in Business Terms • Security professionals must effectively communicate the technical and security desires of their teams into the business language spoken by decision-makers. • Being a company-wide translator can be quite challenging due to the variation in employee roles, tenure, experience, intelligence, and business vocabulary of the individuals you’ll interact with.
Recommend Which Strategy Should Be Applied Based on Risk Appetite • All organizations have a certain risk appetite or risk level that they’re willing to accept when it comes to the protections required to fulfill a company’s security requirements. • Risk avoidance is a mechanism where the enterprise avoids a particular threat. • Risk transference involves transferring the risk to a third party such as an insurance company. • Risk mitigation is the use of security controls to reduce the impact of an attack. • Risk acceptance involves accepting the risk because it would not be cost-effective to further reduce the risk.
03-ch03.indd 112
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
113
Risk Management Processes PART I
• Risk management is the high-level and recurring process of identification, assessment, analyzation, and mitigation of risks. • Although risk management processes should account for all opportunities of risk, some products or systems may require exemptions from them. • Exemptions can exist for many reasons, such as the age, attrition, lack of functionality from legacy products, and requirements from regulations. • Deterrence is the process of discouraging threat actors from performing unauthorized actions through warnings or the threat of consequences. • Inherent risk is the risk that an incident will pose if no security controls are put into place. • Residual risk is the risk that remains after all security controls and countermeasures have been implemented.
Continuous Improvement/Monitoring • Continuous monitoring involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls. • Continuous monitoring requires a significant level of automation to facilitate the level of monitoring and decision-making required to keep abreast of the myriad changes a system faces in use. • Once changes occur that reduce the organization’s security posture, new or modified security controls will be implemented to “improve” the security posture. Continuous monitoring solutions are instituted in order to continuously improve security.
Business Continuity Planning • Business continuity planning is a collection of processes that permit an organization to preserve or quickly recover its business functions in the event of a serious business disruption. • Disruptions to business continuity have many causes, including internal and external threat sources such as natural disasters, environmental failures, and man-made (intentional and accidental) threats. • The business continuity plan is a policy that documents all possible disasters and solutions ahead of time to quickly return the business to normal functionality within a promised timeline. • BCPs will often incorporate important metrics to help guide and set expectations for recovery operations.
03-ch03.indd 113
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
114
IT Governance • IT governance is the implementation of processes where executive management actively ensures that IT is being used in the most effective and efficient manner by those responsible for it. • IT governance seeks to bring strong alignment of IT with business objectives to ensure value is consistently brought to the organization. • Control Objectives for Information and Related Technology 5 (COBIT 5) is a well-known framework for IT management and governance that was created by the ISACA. • The ISO/IEC 38500 standard was created for corporate governance of IT. • ITIL provides best practices for the alignment of IT services with organizational objectives.
Enterprise Resilience • Enterprise resilience consists of an organization’s ability to adapt to short-term and long-term changes. • Enterprise resilience must be able to fight off current threats while also strengthening itself for future ones. • For an enterprise to be resilient, it must be able to withstand changes and adversity from top to bottom—from the technological all the way through operational levels.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. There are multiple options for dealing with risk. Which of the following are appropriate risk management options? (Choose all that apply.) A. Evaluation B. Transfer C. Deferral D. Mitigation
2. Which of the following are the stages in the risk analysis process? (Choose all that apply.) A. Asset control B. Threat assessment C. Monitoring D. Budgeting
03-ch03.indd 114
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
115
A. To calculate qualitative risk
B. To calculate aggregate CIA score
PART I
3. What is the following formula used for? SCinformation type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
C. To calculate the system risk consequence D. To calculate SLE
4. Which of the following federal regulations requires federal agencies to be able to monitor activity in a “meaningful and actionable way”? A. HIPAA B. Gramm-Leach-Bliley C. FISMA D. Sarbanes-Oxley
5. Which of the following refers to the act of maintaining an ongoing awareness of information security effectiveness? A. Security policy B. Incident response C. Threat assessment D. Continuous monitoring
6. As the system administrator, you are tasked with assessing the various risks to your network. Which of the following is not a category associated with risk assessment? A. Risk determination B. Likelihood determination C. Cost determination D. Risk analysis
7. Which level of impact is characterized by a significant level of loss to an enterprise? A. Catastrophic B. High C. Moderate D. Accepted risk
03-ch03.indd 115
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
116
8. Which of the following levels of likelihood is defined by a threat source that’s highly motivated and sufficiently capable, and the security controls used to prevent the vulnerability from being exercised are ineffective. A. Accepted B. Medium C. Normal D. High
9. You have been contracted to secure the confidential informants’ database for the local police department. What would be an appropriate SC attribute formula? A. SCCIs = {(confidentiality, high), (integrity, high), (availability, high)}
B. SCCIs = {(confidentiality, moderate), (integrity, moderate),
(availability, moderate)} C. SCCIs = {(confidentiality, high), (integrity, high), (availability, moderate)} D. SCCIs = {(confidentiality, moderate), (integrity, low), (availability, high)} 10. As part of your job, you are to keep the system protected from new threats. What is an important step you would take to ensure this occurs? A. Apply new controls for the threat. B. Implement end-user awareness training. C. Apply all current patches in a timely manner. D. Perform a risk assessment. 11. Which of the following refers to the element of security associated with the unauthorized deletion of data? A. Integrity B. Confidentiality C. Data retention policy D. Privacy policy 12. Minimum security control determination requires which step to be completed? A. Pen testing B. Compute aggregate CIA score C. Fuzz testing D. Vulnerability assessment 13. What factors should be part of determining an overall likelihood rating for a particular issue? (Choose all that apply.) A. Threat-source motivation B. Threat-source capability C. Asset value D. ALE
03-ch03.indd 116
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
117
A. Integrity B. Availability
PART I
14. Which of the following elements of security states that only authorized users are able to modify or delete data?
C. Confidentiality D. Authorization
15. A hacker gains unauthorized access to your system and deletes data. This is an example of what type of failure? A. Confidentiality B. Availability C. Authorization D. Integrity
16. Which of the following processes can be involved in continuous monitoring? (Choose all that apply.) A. Network flow analysis B. Configuration management and control C. Security control monitoring D. Security budget
17. An asset under attack has a potential loss amount of $135,000, and it is expected that successful attacks could occur every 18 months. What is the ALE? A. $135,000 B. $100,000 C. $90,000 D. $45,000
18. A firm is unaware of an attack and the resulting losses caused. Which risk management technique is employed with respect to this threat? A. Acceptance. B. Risk transfer. C. Risk deferral. D. There isn’t sufficient information to answer this question.
19. MTTR stands for: A. Mean time to reboot B. Mean time to reimage C. Mean time to repair D. Mean time to reinitialize
03-ch03.indd 117
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
118
20. Total cost of ownership (TCO) should include: A. Cost of hardware B. Cost of maintenance contracts C. Cost of personnel D. All of the above
Answers 1. B, D. The four options for risk treatment are avoid, mitigate, transfer, and accept. 2. B, C. The steps of the risk analysis process are inventory, threat assessment, evaluation, management, and monitoring. 3. B. SCinformation system = {(confidentiality, impact), (integrity, impact), (availability, impact)} is an expression of the calculation of an aggregate CIA score for the information system. 4. C. The Federal Information Systems Management Act (FISMA) requires federal agencies to monitor security-related activities. 5. D. Maintaining an ongoing awareness of one’s security posture is a key element in defining continuous monitoring. 6. C. Cost determination is a management step that is needed but is not part of the risk assessment. 7. B. The typical three levels are high, moderate, and low. The fact that the loss is assessed as “significant” makes the value high. 8. D. Again, the typical levels are high, moderate, and low. The fact that the threat source is assessed as “highly motivated” and the controls are assessed as “ineffective” makes the value high. 9. C. Confidential informants’ information is extremely sensitive. Simple disclosure or alteration of the records could result in injury or death. 10. D. A risk assessment is the best process for determining new threats and required countermeasures. 11. A. This is the definition of integrity. 12. B. The minimum security controls must address the complete security requirements by level, which is present in the aggregate CIA scores. 13. A, B. Threat-source motivation and capability are driving factors as to whether an attack is likely, and both impact the likelihood component. 14. A. Unauthorized alteration or deletion of data is an integrity violation. 15. D. The unauthorized deletion of data is an integrity failure.
03-ch03.indd 118
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3
Chapter 3: Risk Mitigation, Strategies, and Controls
119
17. C. The SLE = $135,000, the ARO = 12/18 = .666, and the ALE = 135,000 * 0.666 = $90,000
PART I
16. B, C. Configuration management and control as well as security control monitoring directly affect system security status and are part of a continuous monitoring solution.
18. A. By default, the risk is accepted because this action occurs without any management action. 19. C. MTTR is the abbreviation for “mean time to repair” (how quickly the system can be brought back online). 20. D. When calculating total cost of ownership, you should always include all the expenses associated with an item, including the cost of hardware, the cost of any maintenance agreements, and the cost of the personnel to run/maintain the system.
03-ch03.indd 119
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 3 Blind Folio: 120
This page intentionally left blank
03-ch03.indd 120
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CHAPTER
Risk Metrics
4
This chapter presents the following topics: • Review effectiveness of existing security controls • Reverse-engineer/deconstruct existing solutions • Creation, collection, and analysis of metrics • Prototype and test multiple solutions • Create benchmarks and compare to baselines • Analyze and interpret trend data to anticipate cyber defense needs • Analyze security solution metrics and attributes to ensure they meet business needs • Use judgment to solve problems where the most secure solution is not feasible
In some environments, security is a must. In such cases, it doesn’t matter what it costs, how long it takes, or what needs to be implemented, security is the top priority. However, most businesses don’t operate that way, and security officers are increasingly being asked to justify security expenditures. Questions such as “What’s the ROI for that solution?” are increasingly being asked of security professionals. As the CISO (or any other senior security position), you’re going to be expected to answer those questions. More agile business processes are requiring creative, flexible solutions. Fifteen years ago, few dreamed that one day portable computing devices roughly the size of a magazine would support e-mail, word processing, spreadsheets, and web browsing. Now it’s possible to carry millions of printed pages worth of data around on a USB stick that masquerades as a pen. Adapting to this rapidly changing IT environment and the threats within it requires the application of tools and techniques security professionals didn’t really need to worry about 15 years ago.
Review Effectiveness of Existing Security Controls
The effectiveness of a security program is often measured in binary terms as in “did we have a breach or not?” Although that certainly is a measurement one should consider when examining the effectiveness of a security program, it’s not the only thing you should be looking at. Examining the effectiveness of any large security program can seem like a daunting task, and quite often it’s something people think only auditors do. Reviewing your current security program can help you identify areas that need improvement, areas
121
04-ch04.indd 121
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
122
that need additional spending or attention, and so on. Although creating an exhaustive review checklist is beyond the scope of this chapter, let’s consider a few areas that should be reviewed and discuss the types of items that should be examined:
• User training Your security would be perfect if it weren’t for those pesky users, right? The fact is that users need to be taught what to do, and your user training program provides that opportunity. Do you know how well your user training program is working? Have you tested how many users responded to phishing attempts? Do the users know whom to contact if they think their system is infected? What’s the average length for passwords in use? How many passwords are easily cracked? Make sure these questions can be answered if you want your end-user training program to be successful. • IDS/IPS alarms How many alarms does your IDS/IPS installation produce each day? How many of those are false positives? How are false positives screened? Some administrators get frustrated with the number of false positives and may overreact by dialing back the aggressiveness of the IDS/IPS. Although this will reduce false positives, it will also lead to the worse outcome of more false negatives. • Firewall rules How many connection attempts are your firewalls blocking? Which ports are filtered on inbound connections? Which ports are filtered or monitored for outbound connections? • Vulnerability testing What is currently being tested? How often? What is done with the findings? Are findings being addressed? If so, how long is it taking to address findings? How often are scans being performed? • Policies and procedures Are they being reviewed at least annually? How often are exceptions to policies and procedures required? Are updates needed to existing documents? Are employees told about updates? Are they reviewing applicable policies and procedures on an annual basis? As you can see, reviewing the effectiveness of an existing security program should be answering more than “what are we doing?”—it should be answering the “how well are we doing it?” type of questions. Although that can be a difficult thing to do, it will be worthwhile. EXAM TIP Reviewing the effectiveness of your organization’s security program is a necessary step to help identify areas for improvement.
Gap Analysis In a security context, a gap analysis helps determine the differences from an organization’s present state of security to its recommended or desired state. Whether motivated by compliance laws, an organization’s security policies, or just good ol’ security common sense, a gap analysis is a great way to measure the efficacy of existing security controls.
04-ch04.indd 122
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
123
PART I
Since changes are always being introduced into the business environment, security gaps will inevitably open and widen with time. Once the gaps are determined, mitigations must be prescribed to close them. For example, your environment requires all Windows 10 computers to have passwords of at least eight characters. Yet, your security gap analysis identified many systems underperforming this minimum requirement. You propose to close the security gap by creating a configuration baseline using Microsoft’s System Center Configuration Manager to enforce the use of eight-character-minimum passwords. To ensure a systematic approach to gap analyses, take a look at the gap analysis approach shown here:
• Information security standards Utilize existing information security standards such as ISO 18028-5, 27002, NIST SP 800-65, and ISACA’s COBIT 5.0, which provide direct or indirect coverage of gap analysis best practices. • Define the scope A gap analysis may need to be trimmed to include separate location-based or smaller-sized gap analysis projects. • Review security documents This includes current policies, standards, procedures, and guidelines. • Executive approval Any kind of security review would greatly benefit from upper-management’s approval to remove business-related obstacles. • Security questionnaire This will help gather required technical, business, and people-related information regarding current security practices and controls. • Identify gaps Enumerate all technologies, security practices, and controls to identify any gaps with network appliances such as firewalls, IDSs/IPSs, routers, switches, or weaknesses with cryptographic ciphers, ACLs, wireless networking, staff training, physical security, security policies, business continuity, disaster recovery, and incident response procedures. • Gap analysis report Publish a gap analysis report containing all security gaps discovered in the previous step. Implement any last-minute mitigations before committing to a final gap analysis report. • Mitigation plan After the gap analysis report is published, develop a comprehensive remediation plan to address all gaps. Address the most critical gaps first and then work your way downward.
Conduct a Lessons-Learned/After-Action Review Eventually bad things will happen regardless of how well you plan or how many precautions you take. When things do happen, there’s often a great deal of scrambling, fingerpointing, voices raised, and chaos. While you are dealing with the situation, you often learn things that were overlooked in your procedures, such as steps that take much longer than you planned for, phone numbers that have not been updated, cables or plugs you didn’t think you needed, and so on. When the situation is over and things start to settle back down, your organization has a great opportunity to conduct a lessons-learned/afteraction review.
04-ch04.indd 123
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
124
EXAM TIP Lessons-learned/after-action reviews are not just post-incident activities. Any complex, potentially repeatable process can be improved through such reviews.
A lessons-learned/after-action review is a careful analysis of what happened, why it happened, and what can be done differently or more effectively next time. The review should include everyone with a role in that event—the larger the event, the more people involved in the review. If you are part of a large organization and the incident was a major breach that became public knowledge, the review could encompass 50 or more participants, with representatives from legal to HR to public relations. In most cases, the review will likely only involve a handful of people, but if you do find yourself in charge of performing a lessons-learned review with a large number of people, consider breaking the review up into areas and holding multiple meetings that focus on each area of the incident. Lawyers don’t really care what steps your administrators took to rewrite ACLs on the firewalls, and your administrators may not care who crafted the press release (if one was required). One thing to remember when creating multiple groupings for after-action reports is that it’s often necessary to have a high-level meeting with all the senior officials from each area involved. You should also keep in mind there’s really a small window of opportunity for holding lessons-learned/after-action reviews. Individual memories will start to fade immediately after the incident, especially if those involved have to work for 20+ hours straight to resolve the issue. Schedule and conduct your reviews as soon as you can after the incident. The reviews should be structured—follow the chronology of the incident where you can and systematically step through the entire incident so you can examine each area. It helps to record the sessions or have a dedicated note taker whose only job is to capture the lessons learned or recommendations for improvement. Keep the review as objective as possible—have participants stick to facts whenever possible. If emotions run high and people start looking for a scapegoat, you lose the opportunity to collect actionable information. If your organization is heavily into processes and procedures, lessons-learned/ after-action reviews are a great time to go over those processes and procedures. Did they work as intended? What was missing? What was wrong? How should they be updated? It also helps to have a neutral party conduct or, at least, participate in the review—someone from your organization with no vested interest who can keep the review moving forward and on task.
Reverse-Engineer/Deconstruct Existing Solutions
Sometimes the hardest thing for a security professional to do is to think like a hacker. Oftentimes we get so wrapped up in locking down, restricting, and patching that we forget to take a second to look at our solutions from the opposite perspective. If you step back and think about it, the most important question you can ask yourself is likely to be, “How would I defeat this security solution?”
04-ch04.indd 124
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
125
PART I
EXAM TIP Reverse-engineering or deconstructing existing security solutions is an excellent way to identify entry points and weaknesses. If you can break down your own systems and correct the issues you find, you will be that much more effective against actual attackers.
You’ve probably heard the term reverse-engineer applied to things such as malware (taking it apart to see what it does and how it works), but how often have you thought about reverse-engineering your own security solutions? It might be difficult for you to do if you helped design, construct, and implement the solution, but if you’ve inherited systems or security solutions, it shouldn’t be as difficult. Here are a few steps to help get you started:
• Look at what the system does. What does the system you’re examining actually do? What inputs does it take? What are the outputs? • Determine how the solution impacts network traffic. Assuming the solution does interact with traffic, how does it do this? What types of traffic will it let in? What does it block? Does it matter which direction the traffic is flowing? • Encryption. How does the system handle encrypted traffic? Does it handle encrypted traffic at all? Or does it just pass encrypted traffic through without looking at it? • Determine what the system tells you about itself. Does it have services running? Does it have banners on those services? Can you connect to the system remotely? • Communication. Is the system a single entity or a group of resources? If it’s a group, do they communicate? Can you tell how they communicate? If you try and interfere with the communications, what happens? • Reactive capabilities. Although it’s bit trickier to test without actually generating some suspicious/malicious traffic, does the system have any capability to react to traffic that you generate? Does it block your source address after a port scan? Does it block your source address after multiple port scans? Does it block your source address after multiple failed login attempts? Does it block your activity after SQL injection attempts? Do you get blocked after attempting to execute DoS attacks? If you can take an objective look at your system and how it functions, you should be better able to understand its possible weaknesses (and correct them). Perhaps we should take this process one step further by creating an attack tree/plan for a penetration test? Imagine you are being asked to perform a penetration test on your organization or another organization. To perform a thorough test, you need to understand the environment you’ll be examining. What are the entry points? How many network links are there? Are there wireless access points? Are there dedicated links to other organizations? Remote sites?
04-ch04.indd 125
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
126
The chances of you (as a tester) getting a detailed map and a full description of the environment—including firewalls in use, use or lack of IDS/IPS, and so on—are slim to none (unless you are performing the test against your own organization and already have access to those items, or you’re conducting a white-box penetration test). If you try to look at your organization from a purely external perspective, you can start to piece together bits of information to build your own picture. IP blocks can be pulled from DNS and Whois records. Perhaps you can drive or walk around the facility looking for access points. When you’ve built your own “picture” of what you think the entry points are, you can start to build out a testing plan. External IPs you’ve uncovered can be scanned and probed. Tracing to those IPs may give you an idea of where the firewall is. Walking the firewall will help you determine what services are allowed through. Finding the e-mail servers may allow you to attempt a phishing attack (if permitted). Reverseengineering the solution in that case is really just an attempt to “discover” how your organization works and connects so that you can then flip that around and try to find a way to break in through one of those paths.
Creation, Collection, and Analysis of Metrics
It is frequently said that it is impossible to manage something you cannot measure accurately. In that respect, security is no different from most other industries—eventually it all boils down to numbers. Whether its customer service departments worrying about resolution rates, car manufacturers concerned with number of units manufactured, drive-thru restaurants clocking the speed of service per customer, or security professionals reviewing the number of IDS/IPS false positives/negatives over a given period, metrics tells an important story. Metrics allow us to measure the qualities (or lack thereof ) of a system that contribute to its security state. What we’re interested in is creating, collecting, and analyzing any metrics that inform us about short-term and long-term trends in our overall security posture. Although specifics of such metrics will be discussed in more detail in the upcoming sections on key performance indicators (KPIs) and key risk indicators (KRIs), gathering security-related metrics can provide numerous benefits to an organization, including the following:
• Advises resource allocation Metrics can simultaneously guide experts on what security adjustments need to be made, while also easing executive buy-in if additional purchases are required. • Communicates security performance If the benchmark metrics are equal to or better than the baselines, then we know we’re meeting or exceeding our goals. • Determines compliance adherence It is easier to demonstrate compliance when you have hard numbers to back you up. • Determines the efficacy of security controls Although reviewing existing security controls is great, looking at key metrics will help us truly understand the effectiveness of such controls.
04-ch04.indd 126
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
127
PART I
• Enables benchmark/baseline comparisons To know whether our security progress is trending upward or downward, we need to know what the baseline measuring stick is. Then we conduct additional benchmark measurements to compare with the baselines. The comparison will help determine the direction of our progress. • Enhances accountability Compliance and noncompliance with security/IT systems can occur at the executive, administrative, and user levels. By measuring key metrics, we’ll be able to determine whom to hold accountable for positive and negative actions at all levels of the organization. • Identifies problems One of the critical benefits of metrics is to identify real and potential issues long before they cause significant damage to the business. By discovering issues early, mitigations can be implemented well in advance. • Supports intelligent business decisions Decision-makers need accurate and concise metrics in order to make intelligent decisions that can affect the security of the organization. Think of traffic lights as an example of business intelligence indicators. The simplicity of traffic lights helps inform millions of drivers each day to make intelligent driving decisions. Metrics might use graphics with brief quantitative and qualitative summaries to “back up” the graphic. • Triggers improvements to performance The goal of creating, collecting, and analyzing metrics is simply to use information to improve the security of the organization. All of the preceding bullet points aggregate into that one overarching goal. As with many security initiatives, there’s no need to reinvent the wheel. Take advantage of the information provided by security standards and frameworks. According to the standard ISO/IEC 27004, “Information Security Management—Monitoring, Measurement, Analysis and Evaluation,” you would implement the following steps to measure the effectiveness of information security controls: 1. Select processes and objects for measurement. 2. Determine baselines. 3. Collect data. 4. Develop a measurement method. 5. Interpret measured values. 6. Communicate measurement values.
The next section goes into the specifics of creating, collecting, and analyzing metrics through the usage of KPIs and KRIs.
04-ch04.indd 127
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
128
KPIs Key performance indicators (KPIs) are quantifiable metrics used to evaluate the success of technologies, processes, or people meeting an organization’s performance goals. One example of a goal might be to reduce IT risk to an acceptable level. Since we’re discussing KPIs in security terms as opposed to business terms, focus on upward/downward trends in security-related activities as opposed to big-picture business outcomes such as revenue, profits, expenses, and so on. Although the types of security metrics can vary across industries and organizations, there are certain security metrics worth gathering, including the following:
• Incident response time to detection (TTD) How long did it take for the organization to detect a real or potential security incident? • Incident response time to remediation (TTR) How long did it take for the organization to eradicate the incident after it was detected? • Malware instances identified How many unique and repeat instances of malware have been detected? • Number of lost or stolen devices How many technological assets have been lost or stolen? • Number of SSL/TLS certificate issues How many certificates were misconfigured, expired, suspended, revoked, or fraudulently used? • Number of vulnerabilities identified per device, OS, and application How many vulnerabilities have been reported on each device type, OS, and application? • Passwords cracked How many passwords have been successfully guessed, stolen, or cracked? • Patch latency How many days elapsed between patches published versus patches installed? • Security issues identified during audits How many insignificant, minor, or major security issues have been identified during in-house and third-party audits? • Unplanned downtime How many seconds, minutes, and hours of unplanned downtime did we have on a weekly, monthly, quarterly, and annual basis? KPIs are at their most effective when they are presented graphically, pleasing to the eye, and aggregated onto business intelligence dashboards much like the various gauges located on your car’s dashboard. Decision-makers and security professionals should be able to immediately understand the trend implications of the KPI and make a decision shortly thereafter.
KRIs Key risk indicators (KRIs) measure the amount of risk an activity brings to an organization. In other words, are certain activities indicating that increased risk exposures are happening or likely to happen? Shown next are well-known key risk indicators that organizations may want to measure:
04-ch04.indd 128
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
129
PART I
• Mean time between failure (MTBF) Are hard drive failures happening more frequently since switching hard drive brands? • Mean time to repair (MTTR) Are printer repairs taking longer since switching printer consulting companies? • Network availability Has unplanned network downtime occurred more since the replacement of a crucial firewall device? • Percentage of critical systems missing patches Is this percentage too high due to downsizing the number of IT personnel? • Percentage of IT projects delayed Is this percentage too high due to upper management’s failure to hold the IT manager accountable? • Percentage of IT projects in excess of budget Is this percentage too high due to the IT staff having an inadequate budget? • Percentage of end users who failed e-mail phishing test Is this percentage too high due to poor end-user security training? NOTE If you’re confused about the difference between KPIs and KRIs, think of KPIs as a measure of how well things are going now whereas KRIs can help measure how badly things might turn out in the future.
Prototype and Test Multiple Solutions
Developing, purchasing, or implementing a security solution for an enterprise is a complex and oftentimes daunting task. Does the product do what you want it to do? Does it work with the other systems and applications you have in place? How will it affect network performance? What kind of false positive rate will you see? Oftentimes the only way to really find out what works (and how well it works) is to develop a prototype or conduct a run-off with multiple solutions. The ideal place to start prototyping and testing is within a lab environment. You’ll never be able to completely simulate your enterprise network, but with the use of virtualization and traffic generators, you can at least create a decent starting point for analysis and testing. Implement your candidate security solutions in the lab and then develop test scenarios to examine how well they operate, whether they interfere with business operations, whether they impact traffic flow, and so on. You won’t be able to completely rule out any potential issues that pop up in the production environment, but you should be able to get a clear feeling for which product is best suited to your organization if you’re evaluating it against several others in the lab. If you are evaluating multiple solutions, just be sure to run each of them through the same set of tests. Evaluating different solutions in different scenarios won’t give you a clear comparison. If your business lacks the staff or technological resources to prototype security solutions on-premises, consider using a cloud-hosted sandboxing provider. These providers
04-ch04.indd 129
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
130
offer isolated, secure, and accessible online environments for customers to install and test various security solutions, including the following:
• Virtual machines • Virtual routers • Virtual switches • Virtual firewalls • Operating systems • Third-party applications • In-house custom code You may want to try out malware analysis or perform quality assurance testing of software patches inside of department-specific virtual machines. NOTE Prototyping security solutions is very useful. Having the opportunity to search for vulnerabilities in an early prototype can reveal serious issues that would be extremely expensive to fix in a finished product.
A lab environment is also a great place to start examining how a combination of tools and techniques can address different security needs. Are there issues with SQL injection attacks on your e-commerce site? Experiment with content filters in the lab using development systems. Want to see what impact a particular packet filter has? Run it in the lab first and measure. When you’ve tested your solution in the lab or have narrowed down your possible solutions from many to a few, or even a single candidate, then it’s time to test it in the production environment. This can be tricky, but when done correctly, it’s probably the best way to truly validate whether a candidate solution will work for your organization. When implementing a security solution in the production environment for the first time, you’ll want to coordinate the effort well—maintenance windows, low traffic times, backup links, and so on. Make sure you have a fallback plan and methods for inserting/ removing the solution being tested rapidly.
Create Benchmarks and Compare to Baselines
Baselines are a captured point of reference used as a comparison for future changes. Such points of reference are valuable in information security because they help us to know if our security controls are trending in the right or wrong direction. Once established and agreed upon, baselines will serve as the measuring stick against which all future measurements are compared. As for the “future measurements,” those are known as benchmarks. Benchmarks are the subsequent measurements that are compared to baselines.
04-ch04.indd 130
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
131
PART I
EXAM TIP In other words, benchmarks are simply point-in-time measurements that are only focused on that particular point in time, whereas baselines are point-in-time measurements to which future measurements will be compared.
It is through taking various benchmark measurements that baselines can be established. After all, if multiple benchmark measurements aren’t taken, then it cannot be known what the baseline is. Benchmarks can be a set of performance criteria, a set of conditions, an established and measured process, and so on. Benchmarks have obvious usage for web server response times, backups, batch processing routines, and so on. But how are they useful for security? Just as benchmarks can help you identify performance issues, they can also help identify potential security issues. Let’s examine a few possibilities where benchmarks could be useful from a security perspective. Let’s start with an obvious area—network performance. Most network engineers keep at least a casual eye on the throughput of their routers and switches. They’ll monitor peak flow, average flow, dropped packets, and so on. From a security perspective, that same data can help you identify scans, probes, or data exfiltration attempts. Spikes in incoming traffic flow or spikes on certain protocols/ports could indicate scanning activity. A huge spike in traffic is most likely a DDoS. Outbound traffic spike at 3 a.m.? Could be data exfiltration. The point is, if you know what level of traffic is “normal”— or the baseline—for any given timeframe, then traffic above or below that level could be indicative of an issue. System performance is also another area where monitoring and comparisons to benchmarks could be useful from a security perspective. Spikes in CPU utilization, disk I/O, or increases in application response time could indicate scans, overflow attacks, or other malicious activity. If you know what “normal” looks like, anything well above or well below that threshold could indicate a problem worth investigating. Figure 4-1 shows a fairly simple CPU utilization graph. In this simple graph we see a large spike in CPU usage that is way out of the norm for that system. The question we would need to answer is, what caused that spike? Is there a legitimate reason for the spike, such as a major patching effort or service pack? Did a batch process run? Or did something else cause that CPU spike? EXAM TIP Focus on why benchmarks might be useful from a security perspective—they can be great indicators when something is “off” or not quite right. But you need to have those initial baselines to compare readings and realize when something is off.
If you stretch the definition of benchmark a bit, you can even consider things such as file checksums as indicators. If you checksum the binaries on a system to create a “known, good” benchmark, then unexpected deviations are likely indicators of a serious problem. Benchmarks have been used to measure and evaluate system performance for years—it doesn’t take a lot of work to start using them for security as well.
04-ch04.indd 131
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
132
Figure 4-1 CPU utilization example
The term benchmark has also been applied by some in the security field to configuration standards, best practices, and recommendations. Even checklists have been referred to as “benchmarks” by some, but you definitely have to stretch the definition of “benchmark” to consider them benchmarks, unless you’re using them as an audit-type measurement. For example, if the “benchmark” you are using is describing how to securely configure an Apache web server, then you can “measure” all the things you did to secure your system against the supplied checklist or recommended steps. With this broad of a definition, almost any security checklist, best practice, or list of recommendations could be used as a “benchmark” and you could measure your “performance” or compliance against it.
Analyze and Interpret Trend Data to Anticipate Cyber Defense Needs
If you’ve been running a firewall or IDS/IPS for any length of time, chances are you have a mountain of log files. Log files are great for incident response, finding out where an attack came from, and noting the types of traffic flowing in and out of your network. Log files are also great for analysis and trending activities; something many security analysts don’t have the time or don’t take the time to do. Cyber-attacks typically don’t pop up out of the blue. Sure, sometimes an attack will start pounding on your firewall or web server with no advance warning, but generally there are signs and indicators leading up to an attack. You may see port scans looking for specific ports. You may see probes for SQL injection vulnerabilities on web servers. That “doorknob-rattling” type of activity can be analyzed to spot trends. Do you see more port-scanning activity on weekends? Weekdays after 3 p.m. local time? Do you
04-ch04.indd 132
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
133
NOTE Trend data is a powerful tool for security professionals. Learn to use it to help you anticipate where and when your defenses might need to be augmented.
PART I
always get a spike in traffic after a major vulnerability announcement? If you can start spotting trends and patterns in your data, you can start using that data to mount a proactive defense.
Start analyzing trend data to anticipate the need for cyber defense aids. Are scanning activities starting to overwhelm your older firewall? Do you need to bring on additional personnel on patch Tuesdays? Can you route traffic or split it between defensive systems? If you can start spotting trends and preparing for them rather than reacting to them, you should be able to secure your organization in a more effective manner. Most security analysts find it easier to consolidate their data using a consolidation tool such as Splunk (www.splunk.com), as seen in Figure 4-2. Using consolidation tools that can provide a graphical representation of the data you are analyzing can be extremely useful when sifting through mounds of data.
Figure 4-2 Timeline graph generated using Splunk
04-ch04.indd 133
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
134
Analyze Security Solution Metrics and Attributes to Ensure They Meet Business Needs
Security solutions must first and foremost protect the business, but they must also avoid having a negative impact on your organization. A firewall that blocks all incoming probes on restricted ports is great, but if it can only handle 256 KBps of traffic, it won’t meet the needs of your organization. As with most any other product, security solutions need to be examined to ensure they meet the current and future needs of your organization. This section takes a look at various security solution metrics such as performance, latency, scalability, capability, usability, maintainability, availability, recoverability, return on investment, and total cost of ownership.
Performance In computer terms, performance is the amount of work a hardware or software component can perform in a given period of time. This can also be stretched to include the work performed by people and processes. When researching potential security solutions, it pays to first enumerate your performance criteria. What throughput must the solution be able to maintain? How many active connections must it support? How many packets per second? Does it need to support Gigabit? Ten Gigabit? When you’re shopping for potential solutions, it helps to determine what you absolutely need to have in terms of coverage and performance and then add a safety margin of 25 percent or more to the performance requirements. That extra buffer may allow your organization to keep using that solution a bit longer because its performance may still be sufficient for your organization long past the time when an “exact fit” solution would be. The extra performance buffer can also help protect your organization should you be targeted with a DDoS.
Latency Another critical factor to consider is the latency introduced by a particular security solution or set of solutions. Latency is that amount of time delay a system introduces as data passes through it (typically expressed in milliseconds). Latency can be a critical issue for any network traffic and is especially critical in audio/video transmission or real-time processing applications. Passing network traffic through any security device, such as a firewall, will introduce latency. After all, latency cannot be avoided. EXAM TIP Latency is not always considered when security solutions are examined, but it should be. The introduction of additional latency due to security solutions can have a very detrimental impact on voice and video services.
In Figure 4-3 we see that traffic passing between a user and a server farm experiences a 100 ms delay every time a packet passes through the firewall between the user and the server farm. The question you must answer is, how much latency can your network traffic tolerate? When examining different security solutions, pay attention to the expected
04-ch04.indd 134
11/03/19 3:11 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 4
Chapter 4: Risk Metrics
135
PART I
5 ms
100 ms any any (msg: "example howdy alert rule"; content:"howdy")
In this example, we tell the system to generate an alert if it sees any TCP packet coming from any source IP address or port going to any source IP address or port where the word “howdy” is found in the contents of the packet. The message we’d like it to alert us with if the word is found is “example howdy alert rule.” Where to place an NIPS/NIDS is always an interesting question. Generally, the discussion comes down to whether to place it inside the organization’s firewall (on the inside of the network), outside of the organization’s firewall (on the outside of the network), or in both locations. Placing the device on the outside of the firewall will mean that it can see all traffic destined for the network and will be able to see any attempted intrusive activity. It may also mean an extremely high number of alerts. Placing it on the inside of the firewall means that a certain amount of traffic will not be seen because the firewall will filter it. This will cut down on the number of alerts generated, but it also means that a number of attempted attacks will be missed that could provide early indicators of
05-ch05.indd 153
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
154
unusual interest in your organization’s network. Putting one on both sides and tuning them for their specific location, so as to look for specific types of traffic, will allow you to see all attempts without being overloaded with too many alerts. NOTE Intrusion detection/prevention systems are common security mechanisms employed today. You should know the different methods used to accomplish intrusion detection/prevention and the different locations where intrusion detection/prevention can take place. In particular, make sure you understand the strengths and weaknesses of each approach as well as each location where an IDS/IPS can be deployed.
One of the best known and most common network intrusion detection/prevention systems is Snort. Snort is an open-source product that combines both signature- and anomaly-based inspection. Although the program is open source, the all-important realtime database of rules is not. The official rules for Snort are generated by the Sourcefire Vulnerability Research Team and distributed by subscription to their customers.
NIDS/NIPS Scenario and Solution
To help solidify the preceding information, let’s go over a few challenge scenarios involving NIDS/NIPS and recommended solutions. Scenario: You are installing an intrusion detection system on your network. Your organization’s budget is small, so you plan on only subscribing to a signature service every other year, figuring that this means you will never be more than a year off the most current database of signatures. Is this strategy wise? Solution: No. This means that for the year you maintain the subscription, you will be protected from current/new threats. The year that you don’t subscribe, you will be vulnerable to all new threats that come along. Even with the subscription service there will be a time lag for new vulnerabilities during which you will be vulnerable to exploits. It is extremely common for exploits to rapidly appear for newly discovered vulnerabilities and for individuals to use these new exploits to check for systems not protected against them. Scenario: If you install a strong firewall and manage it very carefully, blocking everything that is absolutely not needed for your organization, is it really necessary to also install an intrusion detection/prevention system of some sort? Solution: Strictly speaking, if you have a very limited environment with highly restricted traffic (and do not allow general-use functions such as web browsing), and if you monitor the firewall frequently, checking on what the traffic on your network is doing, you might be able to get away with just the firewall. In reality, however, this is seldom the situation, and you will be much safer with layers of protection so that if mechanisms in one level are not sufficient, a second layer of security mechanisms can be relied on.
05-ch05.indd 154
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
155
INE
PART II
Inline network encryptors (INEs) are devices that encrypt sensitive information en route between sources and destinations across insecure networks like the Internet and company WAN links. Although most network encryption is performed prior to delivery, INE appliances receive traffic and encrypt it on the fly. INEs are typically used to transmit highly classified government or military materials; therefore, they are typically certified by the National Security Agency (NSA) as being High Assurance Internet Protocol Encryptor (HAIPE) compliant. The General Dynamics Mission Systems organization manufactures a popular line of INEs called Tactical Local Area Network Encryption (TACLANE) devices, which must be HAIPE complaint. Typical HAIPE devices use a stronger version of IPSec for confidentiality and integrity purposes, while also employing a self-destruct or zeroization of cryptographic keys should a threat be detected. NOTE INE devices are often $10,000, with prices approaching $100,000 based on speed and capabilities. As such, these will not be as commonly used in civilian organizations.
NAC Once upon a time, all desktops were provided by the organization for internal use only. Laptops eventually stretched this by permitting remote access. In either case, the devices were still issued by the company, with configuration and security set up prior to employee usage. With today’s employees increasingly working from personal devices, including desktops, laptops, tablets, and smartphones, organizations are increasing their risk by depending on staff to configure and secure their devices themselves. To provide assurances that users aren’t connecting insecure devices to the organizational network, organizations can implement what is called network access control (NAC). NAC improves network security by employing policies that mandate devices meet certain security minimums before being granted network access. This is similar to an elementary school requiring students to possess a fully updated immunization card prior to gaining admittance. The school is concerned about students bringing dangerous diseases in or taking diseases home with them. Cisco and Microsoft have a lot of history with NAC. Microsoft’s NAC feature—which is known as Network Access Protection (NAP)—can implement health policies with requirements that VPN clients cannot connect to the corporate network unless they have suitable antimalware tools installed, enabled, and updated—in addition to Windows Update and Windows Firewall compliance. Whether users seek connectivity via VPN, IPSec, 802.1X, or DHCP, any devices noncompliant with the health policy are either denied connectivity or quarantined to a restricted network for remediation of security deficiencies. CAUTION It should be noted that Microsoft has removed NAC from their Windows Server 2016 operating system in order to integrate it into their MDM product called Microsoft Intune. Microsoft Intune makes it possible to deploy NAC requirements to internal and external devices.
05-ch05.indd 155
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
156
Although NAC is great for stopping trouble at the door, it does little to stop trouble that has gotten past the door. Also, it doesn’t do anything for company data that has leaked outside the corporate boundary. NAC’s requirement of system hardening is an important step, but more network security controls are needed. The good news is, we have the rest of this chapter to cover topics that help fill in all the gaps left behind by NAC.
SIEM Security information and event management (SIEM) utilities analyze and correlate logs and events from multiple sources as well as provide real-time alerting features, as shown in Figure 5-1. SIEM utilities can also aid in the collection of information for compliance purposes. Before deploying an SIEM, you should identify log sources of critical systems and services in the organization’s network. Critical systems commonly include but are not limited to the following:
• Databases • File servers • Domain controllers • Internet and intranet web services • Web applications • Proxies and filters • Intrusion detection systems • Firewalls • Routers Figure 5-1 SIEM IDS
Firewall
SIEM
Critical alert
Proxy
Web server
05-ch05.indd 156
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
157
PART II
Consider all possible log sources, including application logs, operating system logs, antivirus logs, and malware detection logs. Be sure to configure the SIEM to look at successful and unsuccessful authentication attempts, detected attacks, detected viruses and malware, and general activity such as service requests. Also, consider the expected and actual network sources of connections and requests. Set the initial alert thresholds as something you would think unlikely to occur for non-malicious activity. After deployment, be sure to spend time tuning the SIEM to reduce the number of false positives and irrelevant alerts. Also, be sure to tune for performance and ensure an appropriate amount of resources is free to protect against denial-of-service attacks and to allow for growth. Remember that an SIEM utility producing too many alerts will likely result in valid alerts going unnoticed. An additional security consideration often overlooked is the security of security utilities. Before purchasing an SIEM, review the security of the SIEM service itself. Are the service and data-collection agents communicating in a secure manner with reasonable protections from eavesdropping, modification, and injection? Be sure to frequently update the data-collection agents and SIEM service to protect against newly discovered vulnerabilities. CAUTION SIEM efforts can quickly become bloated with so much data that they become unusable. Take the time to determine exactly what type of information you want to collect, how long you need to maintain it, and so on, before starting an SIEM effort.
Switch Switches are network appliances that connect devices such as workstations, servers, and printers together to form a network. They are an upgraded version of hubs in that they provide increased network performance, security features, flexibility, and management capabilities. Considering how malicious insiders frequently rely on switches to perform network-based attacks, securing the switch is important. Although advanced switch configurations will be detailed later in this chapter, here are some cursory definitions of popular switch security features:
• Virtual LANs (VLANs) VLANs provide multiple benefits, one of which is to secure networks by isolating hosts into separate logical groups. Devices not explicitly permitted access to the VLAN are implicitly blocked—including devices used by hackers. Should hackers gain access, the VLAN’s isolation from the rest of the network will significantly impair how much traffic is visible to a hacker’s unauthorized packet-sniffing tool. • Port security Port security helps filter out unapproved devices by preapproving specific MAC addresses. • Flood guards A switch feature that guards against MAC flooding or denial-ofservice (DoS) attacks. • Loop protection Detects and avoids switch loops by using the Spanning Tree Protocol (STP).
05-ch05.indd 157
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
158
Firewall Because host-based firewalls are covered in Chapter 6, this section focuses on networkbased firewalls—also known as physical firewalls. Perhaps the most important network security device in the organization, a network firewall evaluates incoming and outgoing traffic to determine if the traffic should be allowed or denied entry across a network boundary. Like a security guard at a theme park screening all visitors, a firewall attempts to provide assurances that only authorized traffic is permitted to enter and leave a network. In general, firewalls are more concerned about the traffic coming into a network (ingress) than traffic leaving a network (egress). Firewalls can also maintain a log of permitted and denied network connections to help organizations determine if unauthorized travel is passing through. There are many kinds of firewalls, and they can differ in terms of the following characteristics:
• Generalized or specialized purpose • Depth of packet analysis encompassing a few or several OSI model layers • Architecture (bastion host, dual-homed, multi-homed, or screened host) • Location within the network infrastructure (internal or edge) • Number of network interfaces EXAM TIP Regardless of firewall type, the primary basis by which firewalls make decisions is through the comparison of network traffic to rules. Firewalls contain a list of rules that consist of traffic criteria (type, context, sender, receiver, and so on) and an action such as “allow” or “deny.” Firewalls scan traffic to see if the traffic matches a rule. If a match is found, the firewall performs the action required by the rule, which is to either allow or deny the traffic. If no rule matches the scanned traffic, generally the firewall will drop the traffic on the basis of “implicit deny all,” which means “deny all traffic that does not have an explicit allow rule in place.”
Next is a brief look at some of the more popular types of firewalls. These firewalls essentially vary in terms of security achieved via depth of packet inspection versus the subsequent loss of network performance from the overhead:
• Packet-filtering firewall Considered a basic firewall since it only evaluates the source/destination IP addresses and port numbers (OSI Layer 3 and a smidge of Layer 4) of traffic. Due to the minimal inspection overhead, this firewall is the fastest of the bunch. However, its failure to analyze deeper (OSI Layers 5, 6, and 7) into the packet makes it highly vulnerable to numerous spoofing, fragmenting, and other TCP-based exploits.
05-ch05.indd 158
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
159
PART II
• Stateful firewall An improvement over packet-filtering firewalls, stateful firewalls consider the “state” or history of a connection (OSI Layer 4) as opposed to focusing only on individual packets. These firewalls maintain a connectionstate table that stores details of a connection’s TCP 3-way handshake in order to help determine if subsequent traffic matches both a firewall rule and the connection state data in the table. Whereas a packet-filtering firewall’s rule wouldn’t catch a TCP-based attack, stateful firewalls can determine if attackers are injecting malicious TCP flag packets such as a packet beginning with a SYN/ACK as opposed to a SYN. Such TCP flag patterns may foreshadow packet spoofing and port scanning. The downside to stateful firewalls is that this overhead results in reduced network performance. • Application-level firewall An improvement over stateful firewalls, applicationlevel firewalls can understand the application and protocol data contained in the data portions of the traffic (OSI Layers 5, 6, and 7). Firewalls need to understand the application context of a packet in order to determine if an unapproved application is attempting to bypass the firewall by using an approved port number or IP address. The bad news is, this additional examination of the application portion of traffic will further reduce network performance. • Next-generation firewall Next-generation firewalls (NGFWs) are designed to replace the “traditional firewalls,” which aren’t designed to examine the application/protocol data like stateful and packet-filtering firewalls. In addition to incorporating these application-level firewall capabilities, NGFWs may also add intrusion prevention, user/group-level access, plus the incorporation of intelligence from outside sources like the Internet. The downside is that they are more complex to manage; plus, their increased integration of features can create more single points of failure.
Wireless Controller Enterprise environments may have several or even dozens of wireless access points (WAPs). Manually implementing security configurations on all WAPs can be timeconsuming, error-prone, and lead to inconsistencies. Plus, additional security and networking features are needed in today’s modern environments. To address these concerns, enterprises are implementing wireless controllers that are network appliances or software solutions that enable administrators to centralize security configurations across multiple WAPs simultaneously. Although their features can vary, shown here are the features you may find on wireless controllers:
• Aggregate configurations across all access points • Automated failover and mitigation of wireless interference • Threat detection
05-ch05.indd 159
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
160
• Content filtering • Authentication based on user’s ID and location NOTE Cisco wireless controllers are not only very popular but also provide private and public cloud-based solutions.
Router Routers are devices that connect networks to networks in order to forward traffic based on network addresses such as IP addresses. Unlike traditional switches, which make forwarding decisions based on the MAC addresses in packets (OSI Layer 2), routers utilize the IP protocol (OSI Layer 3), which supports internetworking and path determination. Since routers typically have more networking scope than switches, security exploits can be equally magnified.
Is Everything a Packet?
Like many IT professionals, we’re all guilty of using the word “packet” a little too loosely. Allow me to explain. Purists will rightfully note that referring to all network traffic as “packets” is somewhat inaccurate, since packets are only one portion of the overall data transmission. Let’s unpack this a bit:
• OSI Layer 7, 6, and 5 protocols such as HTTP generate the actual “data” to be transmitted. • OSI Layer 4 protocols such as TCP and UDP create “segments” and “datagrams,” respectively. • OSI Layer 3 protocols such as IP create “packets.” • OSI Layer 2 and 1 protocols such as Ethernet and Wi-Fi create “frames.” In order for the HTTP data to be transmitted across the network, it gets encapsulated inside the TCP segments, which get encapsulated inside an IP packet, and the IP packet is encapsulated inside the Ethernet frame. The frame hits the wire as a series of 1s and 0s. If anything, we should be generalizing all network traffic as frames, not packets! Routers are configured with routing tables, which consist of network destinations and the possible routes the router will choose to efficiently deliver data to those destinations. Since dynamic routers (routers that automatically build their routing tables) broadcast routing table updates to other routers, they should be set up with authentication and encryption channels with other routers to ensure hackers cannot easily set up a rogue
05-ch05.indd 160
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
161
router, or intercept and understand the network details contained within the routers’ traffic. Another security option is to configure static routing tables (which are manually built by an administrator), since these routers don’t need to broadcast their routing tables to other routers. Hackers cannot intercept traffic that is never sent to begin with. To secure a router, it is also recommended to change the default usernames/passwords for logging in and managing the router’s configuration. Also, refrain from using Telnet to the extent possible since it doesn’t support cryptography—use SSH instead.
Although there are different types of proxy servers, most are hardware or software systems that act as connection intermediaries between internal clients and Internet resources. Given the proxy server’s position as a “middleman,” it can cache requested files and websites to provide local content retrieval, conceal client IP addresses for anonymity, filter out malicious or irrelevant websites, and provide the organization with monitoring capabilities. Let’s look at an example of a client accessing the www.mheducation.com website using a proxy server:
PART II
Proxy
1. The client’s web browser generates a request to visit the www.mheducation.com website. 2. The client’s request is delivered to a local proxy server. 3. The proxy server strips away the client’s source IP address and other identifying characteristics, and then forwards the traffic to www.mheducation.com on behalf of the client. 4. The www.mheducation.com website delivers its website to the proxy server. 5. The proxy server may cache the website and other requested files to its local hard drive. 6. The proxy server delivers the www.mheducation.com website to the client’s web browser. 7. Subsequent clients desiring the www.mheducation.com website are likely to receive a response from the proxy server’s cache as opposed to the original on the Internet. This will speed up responses.
Load Balancer Load balancers are network devices or programs that distribute traffic across a group of similar servers, known as a server farm or pool, in order to increase server performance and availability. When users send a request to the load balancer, the load balancer will either forward the communication directly to the most practical server or reply to the user with a referral to the most appropriate server. Despite the server pool being constructed of multiple physical machines, the pool gives the appearance of being just one server due to the load balancer’s clever use of algorithms.
05-ch05.indd 161
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
162
The algorithms are selected based on the needs of the organization. Here are a few popular algorithms:
• Round robin Traffic is distributed to the server pool members sequentially. • Least connections Traffic is distributed to the server pool member with the least amount of connections. • Source IP hash Traffic is distributed to the server pool member based on the client’s source IP address. Typically, the chosen server is located on, or close to, the client’s subnet.
HSM Hardware security modules (HSMs) are devices that provide key generation and safeguarding services, speed up specific cryptographic operations on platforms requiring strong authentication, and provide access control capabilities. They run the gamut from thumbnail-sized USB devices, to internal expansion cards, to network appliances serving the network. Their powerful crytoprocessors can perform key generation for Certificate Authorities (CAs) and SSL/TLS-based connections, which helps speed up the cryptography process while also maintaining cryptographic key confidentiality, integrity, and nonrepudiation. Another important function of HSMs is the prevention of unauthorized applications executing on the local host system or network. When such software is discovered, the HSM will deny the execution, lock down the system, send an alert, or passively log the activity. These are important benefits for large and highly secure environments such as government, military, financial, and other organizations. On the flipside, the right HSM device can be very expensive. HSMs come in many forms and have differing benefits/drawbacks; therefore, security professionals must perform their due diligence before making a vendor/model selection.
MicroSD HSM The smaller versions of their PCI/PCIe, USB, and network appliance counterparts, microSD HSMs are tiny HSM cards that plug into the microSD ports of smart devices such as Android smartphones and tablets. These cards incorporate secure hardware-based authentication and AES/RSA/SHA-2 cryptography capabilities right into your Android smart device—which is a huge boon for military and government workers in particular. Here are some common features found in microSD HSMs:
• Built-in public key infrastructure (PKI) • Device PIN numbers • Encrypted channels set up for local and remote devices • Key and certificate generation • Key backup and restoration • Key restrictions and limits
05-ch05.indd 162
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
163
Application and Protocol-Aware Technologies
WAF Web application firewalls (WAFs) specialize in the monitoring and filtering of unauthorized and malicious traffic sent to and from web applications to provide them with protection against various Internet threats. Unlike traditional firewalls, WAF rules and policies are designed around HTTP/HTTPS traffic since web servers are targeted more than nearly all other IT systems. WAFs can help protect web applications from many kinds of attacks, including the following:
PART II
Application and protocol-aware technologies are those that can identify specific applications that are connected to them in order to collect information about the connection state of those applications. Armed with this information, technologies such as web application firewalls, passive vulnerability scanners, and database monitors are able to tailor their security controls to the applications and protocols in use to improve their security. This section goes over these technologies.
• Buffer overflow • Cookie poisoning • Cross-site scripting • Directory traversal • Hidden field manipulation • SQL injection NOTE Some common examples of web application firewalls are dotDefender, Qualys Cloud Platform, Barracuda WAF, IBM Security AppScan, and Radware’s AppWall.
Most WAFs are implemented inline with traffic having to pass through them to reach the web application. This empowers inline WAFs to stop traffic in real time, yet performance will be reduced and genuine traffic may occasionally be mistakenly blocked. Reversing the pros and cons are out-of-band WAFs. Although these do not block realtime traffic, they do not slow down traffic or interfere with it.
Firewall Packet-filtering, stateful, application-level, and next-generation firewalls were covered in the “Physical and Virtual Network and Security Devices” section, earlier in this chapter.
Passive Vulnerability Scanner Passive vulnerability scanners (PVSs) analyze network traffic in order to non-intrusively discover vulnerabilities with organizational assets. They can perform discovery operations on clients, servers, web applications, network appliances, virtual and cloud-based
05-ch05.indd 163
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
164
systems, and mobile devices, in addition to rooted or jailbroken devices. Once the PVS locks into scanning a particular asset, it’ll gather and point out relevant vulnerability information in order to help you mitigate the vulnerability. Examples of vulnerabilities include critical traffic not being encrypted, system port scans, and missing application and operating systems. The best thing about a PVS is its non-interfering nature; yet, it also suffers from not being able to resolve the issues it discovers. The onus is on you to review the discovered vulnerabilities and mitigate them using separate solutions.
DAM Database access monitors (DAMs), also referred to as database activity monitors, independently monitor the transactions and other activity of database services. DAMs are an important part of a defense-in-depth strategy. Common uses of DAMs include monitoring applications and users for unauthorized or fraudulent activity. Accountability and compliance auditing can also be aided by DAMs. TIP Before deploying and configuring DAMs, it is important to create a plan appropriate for your organization by asking and answering the following questions: Where are the databases in the organization and what data is stored there? What are the potential risks and weaknesses of the databases? Where should database connections be made from and in what manner? What privileged users should have access to the databases?
Several different types of DAMs exist, each gathering data at different levels. Data may be gathered on the network, by libraries, by the operating system, or directly from memory. Sniffing database traffic at the network level provides better isolation but requires the database connections to be unencrypted, which should be avoided if possible. DAMs that gather information directly from memory are a good choice because they require no changes to the current network and are able to intercept any means of access to the database service. If the blocking and prevention of suspected attacks is available, the cost and risk of a successful attack must be weighed against the cost and risk of blocking a legitimate request.
Advanced Network Design (Wired/Wireless)
Security is a process—you can’t “buy” absolute security, as much as many of us would like to. It simply does not exist. Security is also a constantly moving target. As your business needs change and technologies change, so must your approach to security and the steps you take to secure your infrastructure. Security is often at odds with the needs of the business since businesses always want to do “more” and security is largely about finding ways to make you cope with “less.” Employees want access to data any time, from any place, and using any platform they are able to get their hands on at the time. So how does one go about securing an organization facing this type of challenge? A good place to start thinking about and planning for security is in the design and implementation of your network infrastructure. A good network design can absolutely
05-ch05.indd 164
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
165
help in your quest to secure and defend your network and critical resources. Given the amount of remote access, and the variety of client devices within and outside the organization, many network design elements centralize around remote access. We’ll cover several remote access topics, all of which equally apply to wired and wireless networks.
Remote Access PART II
In the modern work environment, the concept of a static workspace with a phone, network jack, and desk is essentially dead. Many organizations are embracing the idea of a truly mobile workforce that can work anytime from anywhere. All they need are their laptops, tablets, smartphones, and network connectivity. It’s a great model for efficiency and productivity, but it’s not a great one for security. Each of those mobile employees must be able to reach back into the organization for e-mail and access to data/resources. Some of those employees are connecting from home, whereas others are connecting from hotels, coffee shops, airport lounges, and so on. The question security practitioners need to ask is, How to allow employees to connect from any place, with multiple platforms, and still maintain some semblance of security? Fortunately, there are steps you can take to design and implement a more secure remote access solution. Segmenting remote access traffic is an important step in the design of your infrastructure. Many organizations treat remote access traffic as potentially hostile and do not allow remote access traffic to come directly into the internal network. One approach is to accept remote connections at the VPN/access gateway, decrypt the traffic there, and then pass the traffic through a firewall and IDS/IPS configuration, as shown in Figure 5-2. This allows for the filtering of remote access traffic (do remote users really need access to port 1433 or 3306?) as well as monitoring of the traffic for suspicious or malicious activity. Although, in theory, anyone making a successful connection to your VPN infrastructure is “legit,” there’s nothing wrong with keeping an eye on their activity, particularly if
Internal network Firewall
VPN gateway
IDS/IPS
Figure 5-2 Segmentation of remote access traffic
05-ch05.indd 165
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
166
you’re looking to protect yourself against infected or compromised hosts. Segmentation also gives you a control point to restrict or reject all remote connections if necessary. Another common security practice is to verify the patch and antivirus (AV) status of any host that connects to the VPN network. For example, Microsoft’s Network Access Protection product can help control a client computer’s access to organizational resources based on whether or not that client meets the defined corporate policy. Is the client fully patched? Is it running an approved AV product? Is that AV product up to date with the latest signatures? If a connecting client is not in compliance, you can bring that client into compliance before allowing it to connect. Remote clients may not be routinely scanned and updated and should be checked before being allowed to connect to any internal resources. Another topic that should be examined in your design is the use of token-based or multifactor authentication. Although by no means perfect, token-based or multifactor authentication systems can add one more layer of complexity to deter and thwart potential attackers. Some organizations shy away from these solutions due to the extra cost and complexity associated with tokens, biometrics, and so on. Your design must take all these factors into account and weigh the risk against the cost to see if deploying something beyond the traditional user ID/password in your remote access solutions is right for your organization. EXAM TIP Understand the risks associated with remote access and the countermeasures for those risks. For example, to ensure your end users do not introduce viruses or malware into your environment, you could use a technology that scans connecting clients for infection and then ensure those clients are patched and running updated antivirus software.
VPN A virtual private network (VPN) offers security by tunneling data across a network through the use of technology that offers a secure means of transport. Although VPN connections typically occur over the Internet, they are sometimes used internally as well due to their cryptography benefits. A wide range of VPN technologies have been developed and employed, each with advantages and disadvantages. VPNs can be implemented using hardware, software, or a combination of both. Table 5-1 describes some common VPN technologies. VPN connections typically involve remote users connecting over the Internet to a corporate network in what is known as remote access VPNs. Organizations also implement site-to-site VPNs to connect sites together over the Internet to cut costs on expensive T1 or T3 links from a telecommunications provider.
IPSec
Internet Protocol Security (IPSec) is a suite of protocols for securing packets that traverse an IP network. IPSec is a set of extensions to IPv4, and is native to IPv6, designed to provide both authentication headers and encapsulating security payloads to offer a variety of protections to packets. IPSec can be used to encrypt just the data portion of
05-ch05.indd 166
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
167
Description
Point-to-PointTunneling Protocol (PPTP)
This basic protocol is based on PPP and was the first protocol supported on Windows. It’s fast and the most commonly used VPN protocol, and it supports most devices and OSs. However, its Microsoft Point-to-Point Encryption (MPPE) produces a less-than-desirable implementation of RC4 and 128-bit maximum key sizes. It supports confidentiality but, unlike the other protocols listed, does not support integrity and nonrepudiation. Implement this protocol only if the other protocols are not available or supported by your infrastructure. PPTP uses port 1723.
Layer 2 Tunneling Protocol (L2TP)
This is the recommended replacement for PPTP. Also, it’s very popular and has stronger encryption than PPTP since it implements IPSec. Unlike PPTP, L2TP’s implementation of IPSec includes 3DES and AES cryptographic support. It also supports most devices and OSs. Implement this protocol instead of PPTP if possible. L2TP uses port 1701.
Secure Socket Tunneling Protocol (SSTP)
More limited in support (Windows Vista+, Windows Server 2008+, BSD, and Ubuntu), this protocol’s best assets are its ability to bypass firewalls that are VPN-restrictive and its usage of SSL/TLS for security. It uses port 443.
Internet Key Exchange version 2 (IKEv2)
This is a very secure and fast protocol with the increased capability of automatically re-establishing lost connections. However, it has limited support (Windows and Blackberry devices), is relatively firewall unfriendly, and can be difficult to implement on the server side.
OpenVPN
This free and open source software is the standard in the open source community. It is supported by most OSs and device types, is fast, and is very secure in its reliance on the OpenSSL library, which includes a variety of strong cryptographic ciphers, such as AES, 3DES, and RC5.
PART II
Technology
Table 5-1 Common VPN Technologies
the traffic (transport mode) or the entire transmission (tunnel mode). Use transport on internal networks and tunnel mode for any traffic leaving an internal network or any traffic leaving a network you consider to be secure. Shown here are some protocols common to IPSec:
• Internet Key Exchange (IKE) A protocol used when setting up IPSec to document the required security association between the parties. • Encapsulated Security Payload (ESP) A protocol from the IPSec suite that provides confidentiality, connectionless integrity, data origin authentication, and protection from replay attacks. • Authentication Header (AH) A protocol from the IPSec suite that provides connectionless integrity, data origin authentication, and protection from replay attacks but does not provide confidentiality. NOTE IPSec was originally designed for VPNs since they both came on the scene around the same time (1990s). Despite this, IPSec is neutral enough in scope that it can encrypt virtually anything.
05-ch05.indd 167
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
168
SSL/TLS
Detailed coverage of Secure Sockets Layer/Transport Layer Security (SSL/TLS) is provided in Chapter 15, so only a brief summary is provided here. SSL is a protocol for securing communication sessions over IP networks, whereas TLS is its more powerful and relevant successor. Both commonly utilize asymmetric, symmetric, key exchange, hashing, and digital signature features to provide authenticity of servers, integrity, and confidentiality of data. SSL creates secure connections between web browsers and web servers over an otherwise insecure network. HTTPS is the outcome of using SSL to encrypt HTTP communications. HTTP uses TCP port 80, and HTTPS uses TCP port 443. As noted earlier, some Windows-based networks may rely on an SSL/TLS variant of a tunneling protocol called SSTP. NOTE SSL/TLS-based VPNs are growing in popularity due to their maturity, firewall friendliness, and ubiquitous support from most devices.
SSH Secure Shell (SSH) is a protocol for obtaining a remote shell session with an operating system over a secured channel, using TCP port 22. Unlike Telnet on port 23, which doesn’t encrypt the authentication or data flow, SSH implements a set of cryptographic ciphers similar to SSL/TLS to secure the connection. It is commonly used on commandline interface (CLI) connections to routers, switches, firewalls, and Linux and Unix servers, given their CLI capabilities. The current version is SSHv2, which modernizes its ciphers with enhanced key sharing and integrity checks via message authentication codes. Although it’s not commonly used for VPN, the OpenSSH protocol has built-in support for VPN connections. More coverage on SSH is provided in Chapter 15. NOTE PuTTY is a very popular SSH client used to connect to both SSH and Telnet-based endpoints. It’s also free and open source!
RDP Created by Microsoft in the late 1990s for its Windows operating systems, Remote Desktop Protocol (RDP) provides a secure, graphical, remote access connection over a network between computers via port 3389. Once the user connects to the destination computer, the user experience transforms from one being attached to the local computer to one sitting directly in front of the remote system with access to that system’s screen, mouse, keyboard, operating system, and programs. It is similar to SSH/Telnet, but the connection is graphical, not CLI based. The following is a list of RDP security features:
• Originally used RC4 encryption but can also support SSL/TLS and AES connections.
05-ch05.indd 168
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
169
PART II
• Network-level authentication (NLA) requires RDP clients to be authenticated in advance of an RDP session. This is common for Active Directory–based Windows domain environments. • Limits users who can log in using RDP. • Uses RDP gateways to restrict access. • Implements multifactor authentication. • Implements logging of connections. • Configures session period and idle period limitations on connected sessions. TIP If you’re working remotely, consider establishing a VPN connection first and then running RDP on top of VPN. Although performance may suffer, you’ll get an extra layer of security from “doubling up” the cryptography.
VNC Unlike RDP, Virtual Network Computing (VNC) is a platform-independent, graphical desktop-sharing protocol that uses the Remote Frame Buffer (RFB) protocol. Given VNC’s vendor neutrality, many technical support departments rely on it to support their Windows and macOS users. VNC relies on a client/server architecture in that the VNC server hosts the desktop sharing, and the VNC client connects to the desktopsharing host. Perhaps due to its broad compatibility benefits, VNC is not secure by default. It is subject to encryption key and password eavesdropping attacks; plus, older versions of VNC capped password lengths at eight characters. Consider implementing UltraVNC, which supports cryptographic plug-ins to improve the encryption strength of a VNC connection. You may also consider tunneling VNC traffic over existing VPNs, DirectAccess, or SSH connections for extra cryptographic strength.
VDI Virtual Desktop Infrastructure (VDI) involves the hosting of a desktop OS within a virtual environment on a centralized server. VDI allows the migration of a user’s entire desktop, including operating system, applications, data, settings, and preferences, into a virtual machine. VDI is an improvement over other client/server models due to its strong platform independence.
The Three Models of VDI
The three main models of VDI operation are as follows:
• Centralized virtual desktops All desktop instances are stored on one or more central servers. This model requires a fair amount of resources on the central servers, depending on how many virtual desktops are being supported. (continued )
05-ch05.indd 169
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
170
• Hosted virtual desktops The virtual desktops are maintained by a service provider (usually in a subscription model). A primary goal of this model is to transfer capital expenses to operating costs. • Remote virtual desktops A virtual machine or image is copied to the local system and run without the need for a constant Internet connection to the hosting server. The local system will typically run an operating system of some sort and a hypervisor capable of supporting the downloaded image. This requires more CPU, memory, and storage on the local system because it must support the virtual desktop and the underlying support system.
Reverse Proxy Unlike proxy servers, which act as an intermediary between internal machine connections to outside resources such as the Internet, reverse proxy servers flip the script by securely providing Internet users with access to servers behind an enterprise firewall. Single sign-on (SSO) capabilities are often paired up with this server to provide intuitive and secure access for remote workers using business and personal devices alike. NOTE A good example of a reverse proxy server is Microsoft’s Web Application Proxy service, which was provided with Windows Server 2012 R2 and later. It supports Active Directory Federation Services (ADFS) for SSO access to internally hosted web applications.
IPv4 and IPv6 Transitional Technologies IPv6 is the intended replacement for the commonly used Internet protocol IPv4. IPv6 brings many improvements, but most prominently a much larger address space of 128 bits (compared to 32 bits in IPv4). Important but less publicized additions to IPv6 include the required support of optional security features such as IPSec. IPSec can provide authentication, integrity, confidentially, and protection against replay attacks. Although IPv6 was standardized in 1998, its multi-decade adoption has only increased in recent years due to the advent of mobile devices and IoT consuming most of the remaining IPv4 addresses. Other factors slowed its adoption, including Network Address Translation (NAT), which has delayed the need for the additional address space provided by IPv6. Because of this, many networks, especially home networks, use NAT routing, which is not supported by IPv6 (which further hinders the adoption of IPv6). Despite adoption issues, IPv6 is here to stay, and security practitioners need to know how to secure IPv6 networks and how to take advantage of the security benefits inherent in IPv6. The IPv6 header is illustrated in Figure 5-3, showing the required elements and their placement in a packet header. IPv6 brings security benefits other than IPSec. Packet fragmentation is only performed by hosts, partially removing a source of common vulnerabilities used to exploit TCP/IP stacks and bypass firewalls. Better support for quality of service (QoS) is built into IPv6, thus improving availability. The larger address range and required use of
05-ch05.indd 170
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
171
IP Version Number (6)
Traffic Class (8 bits)
Flow Label (20 bits)
Payload Length (16 bits)
Next Header (8 bits)
Hop Limit (8 bits)
Source Address (128 Bits) Destination Address (128 bits)
PART II
Figure 5-3 IPv6 packet header
Classless Inter-Domain Routing (CIDR) notation enables better planning and deployment through the easier allocation of addresses and configuration of routes. Although NAT does have some security advantages, the removal of NAT can lead to much-needed improvements in security. NAT generally gives a false sense of security and can be a barrier to the integration of other security measures such as IPSec in transport mode. Before deploying IPv6 on any network, you must give some additional security considerations careful thought. Some older security devices and tools such as firewalls, IDSs, log analyzers, and flow analyzers may not support IPv6, thus enabling attackers to circumvent these security mechanisms. Furthermore, even devices supporting IPv6 may not be able (or configured correctly) to analyze the IPv6 encapsulation of IPv4 packets. Encapsulation of packets is used to maintain backward compatibility for older IPv4 hardware and software. Networks employing NAT should have security policies thoroughly reviewed and updated due to the removal of NAT. Remember to update security devices such as firewalls, IDSs, and analysis tools to account for the additional addresses. Although the ultimate transition to IPv6 won’t take place until we no longer need IPv4, we will be using IPv6 transitional technologies (tunneling) for the foreseeable future, which allow for the friendly coexistence of IPv4 and IPv6 in the same organization. Here are the most common IPv6 transitional technologies:
• 6to4 tunneling Permits tunneling of IPv6 traffic over the IPv4 Internet, assuming there’s no NAT device • Teredo tunneling Permits tunneling of IPv6 traffic over the IPv4 Internet and is NAT friendly • ISATAP tunneling Permits IPv6 traffic within an IPv4 intranet • Dual stack Permits IPv4 and IPv6 to run simultaneously on the same software and devices • GRE tunneling Permits tunneling of IPv6 traffic over IPv4 networks via the generic Routing Encapsulation Protocol NOTE IPv6 has some very specific security advantages over IPv4 (most notably, IPSec and expanded QoS support).
05-ch05.indd 171
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
172
Network Authentication Methods Whereas Chapter 14 will dive deeper into more advanced authentication concepts, this section focuses specifically on network authentication methods. Authentication of users and computers on the network is crucial to assuring only authorized users and devices connect to the organization’s network. As can be expected, there are many network authentication methods to choose from. This section outlines several authentication protocols:
• Password Authentication Protocol (PAP) Used with older dial-up or VPN connections, PAP is considered a weak protocol due to it sending passwords over the network in cleartext. It should be avoided unless the endpoints cannot agree on a stronger method. • Challenge Handshake Authentication Protocol (CHAP) Typically implemented on non-Microsoft devices, CHAP uses a 3-way handshake for authentication. Once the client and the server connect, the server sends a challenge message to the client. The client combines its password with that challenge message and sends a hash value back to the server. The server compares the client’s hash to the information it has in the database and determines if there’s a match. CHAP should be used over PAP wherever possible. However, it is a legacy protocol, so stronger authentication protocols should be favored over it, if possible. • Microsoft Challenge Authentication Protocol (MS-CHAP) Microsoft’s first proprietary implementation of CHAP provides better password storage than CHAP but is otherwise considered weak by today’s standards. • Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2) This upgrade to MS-CHAPv1 provides mutual authentication between endpoints to prevent rogue server attacks and other nonrepudiation and integrity violations. It also uses different keys for sending and receiving. • Extensible Authentication Protocol (EAP) Commonly implemented on VPN and wireless networks, this protocol is a framework for plugging in more powerful hardware and software authentication methods, ranging from smart cards and fingerprint readers to PKIs and certificates. In general, EAP methods provide the strongest level of network authentication. There are multiple variants, including but not limited to the following. • Protected Extensible Authentication Protocol (PEAP) Although EAP supports strong authentication plug-ins such as MS-CHAPv2 and token devices, EAP by itself isn’t strong. In ice cream terms, EAP is the cone and a smart card is the ice cream. The ice cream makes up for the cone’s lack of flavor but certain scenarios call for both the ice cream and the cone to have “flavor.” EAP’s innate insecurities can be mitigated by encapsulating the EAP process inside of a TLS tunnel. The outcome of this is called Protected Extensible Authentication Protocol (PEAP). This protects the authentication process from man-in-themiddle exploits.
05-ch05.indd 172
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
173
• Lightweight Extensible Authentication Protocol (LEAP) This is a Cisco proprietary EAP implementation aimed squarely at wireless networks. It was designed to use Wired Equivalent Privacy (WEP) for security and therefore should be discarded in favor of stronger methods like EAP-PEAP.
802.1x PART II
The 802.1x standard is a port-based network access control method that requires users to authenticate prior to connecting to a wired or wireless network. Originally designed for dial-up networks, it has since grown to support wireless, VPN, and Ethernet switch authentication scenarios. One of the challenges is today’s networks often have too many devices to manage an organization’s authentication, access control, and auditing requirements. To mitigate this, these network devices defer these responsibilities to a central authentication point such as Remote Dial-in User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) servers for processing. These are also known as authentication, authorization, and accounting (AAA) servers since they focus on these three key areas. 802.1x authentication is made up of three components:
• Supplicant The wired or wireless device attempting a network connection (for example, a VPN client). • Authenticator The Ethernet switch or wireless access point that initially receives the supplicant’s connection attempt, which then gets redirected to an authentication server (for example, a VPN server). • Authentication server The RADIUS or TACACS+ centralized authentication point that receives the authentication attempt from the authenticator and processes any AAA policies. RADIUS is somewhat outdated by today’s standards, given its usage of UDP, meager password encryption, and reduced protocol support. Cisco’s TACACS+ uses TCP and supports better password and data encryption; plus, it supports more protocols.
Mesh Networks Mesh networks involve all devices being directly connected to all other network devices in order to increase path redundancy and, thus, availability of the network. Most meshes are implemented on wireless networks and redundant switch and router topologies. Since mesh networks don’t require a centralized device to control all interconnectivity, they are highly tolerant of failures. EXAM TIP Mesh networks should be avoided with wired workstations due to the impracticality of having numerous network cards and cables on each device.
05-ch05.indd 173
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
174
Placement of Hardware, Applications, and Fixed/Mobile Devices Security practitioners all agree that security devices are needed to defend a network from the nearly constant onslaught of hostile Internet-based traffic. Where practitioners differ in their opinions is where security devices should be placed, and in some cases, how many of those devices should be deployed. When examining the design of your network, and considering the placement of security devices, you must think about many different factors:
• What are you protecting? • What type of traffic are you filtering? • How much traffic will be encrypted? • What volume of traffic can you expect? Placement of security devices must take several factors into consideration, such as the purpose of the device, its own survivability, and at what point you want this device to interact with the network traffic. Generally speaking, security devices can be placed either at the network border or internally, both of which provide important security benefits. Using security devices both internally and at the border is an important part of a defense-in-depth strategy. Consider the simple network in Figure 5-4, which shows four different locations where you could consider placing a security device such as an IDS/IPS or firewall. Each location greatly affects what traffic can be seen by security devices, what traffic they can filter/control, and so on. Security devices placed at the network border serve to keep malicious traffic out and to prevent sensitive information from leaving the network. Your first line of defense at the network border should be a firewall. Better security can be achieved by using two
Internet Firewall
Figure 5-4 Possible locations for security devices
05-ch05.indd 174
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
175
PART II
firewalls—an outward-facing stateless firewall with a separate stateful firewall immediately behind it. Place intrusion prevention (or detection) systems immediately behind your firewall, where they can see all of the traffic entering or leaving your network. This arrangement also keeps intrusion prevention systems from generating alerts and wasting resources on traffic blocked by the firewall. Internal networks can be divided into multiple tiers, as described later, and even the most basic networks should be divided into a publicly accessible portion, usually called the DMZ, and a non-publicly accessible internal network. Separate and protect the divisions between network tiers with stateful firewalls and inline IPSs. IDS or IPS devices should also be placed along internal network paths that may be carrying sensitive information such as internal directory services, network storage, or Supervisory Control and Data Acquisition (SCADA) communications. Place devices monitoring network traffic, such as IDSs, on network taps rather than SPAN ports. If security devices are placed on SPAN ports, ensure that the total bandwidth of these ports will not be exceeded at any time under normal circumstances and ensure that your device can handle mirroring all the traffic you want without overloading the switch and dropping packets. Remember to regularly check for updated software and firmware for all devices in the network, especially security devices. Almost all security devices, such as IDSs and IPSs, also require regular updates to their signature databases. EXAM TIP The placement of security devices depends heavily on your objective for those devices. Want to see all traffic coming to your network? Then you’ll need to place your IDS/IPS and sniffers in front of your external firewall. Want to see internal attacks against your server farm? Then you’ll need devices that sit between the server farm and your user base. You will want to understand how the placement of security devices affects your ability to monitor and secure network traffic.
Complex Network Security Solutions for Data Flow
Monitoring data flowing through networks is an important security objective for many organizations. Sensitive information such as customer data, intellectual property, and classified information are of critical importance. Monitoring data flows allows organizations to detect sensitive information leaving the network. Analysis of network traffic also helps in efforts to detect other threats such as malware and botnets. This section covers various data flow topics, including DLP, deep packet inspection, data flow enforcement, network flow (S/flow), and data flow diagrams.
DLP As the name implies, the goal of data loss prevention (DLP) is to monitor, detect, and prevent loss of sensitive data. DLP is managed through policies that identify specific sensitive data types as well as the “allow,” “prompt,” “block,” “encrypt,” “reroute,” and “quarantine” actions to take on data whenever potentially risky behaviors have been detected. These behaviors
05-ch05.indd 175
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
176
include e-mailing, printing, or copying a file. This guards against malicious attacks and accidents as well. Here are common data types to be identified by a DLP policy:
• Financial • Credit card numbers • Debit card numbers • Account information • Bank account numbers • Bank routing numbers • Medical • PII identifiers • Medical terms • Privacy • Driver’s license numbers • National identification numbers • Passport numbers • Social security numbers • Tax identification numbers EXAM TIP In addition to implementing DLP policies on workstations and servers, you can enforce DLP policies at network edges, in addition to content on cloud computing applications, since content is migrating to the cloud at an alarming rate.
Deep Packet Inspection First-generation firewalls examine packet headers for source and destination addressing, but they don’t consider the state of the traffic. Second-generation firewalls examine addressing and the traffic state, but they disregard the data payload. Third-generation firewalls such as application-level and next-generation firewalls perform deep packet inspection (DPI). DPI occurs when application-level and next-generation firewalls scan and analyze the header, state, and data portions of packets before allowing or dropping them. The data payload contains crucial application information needed by firewalls to make the most informed decisions about whether or not packets are malicious or unauthorized in nature. DPI can make decisions not only on individual packets but also larger data flows since the flow is often more telling than the individual packets.
05-ch05.indd 176
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
177
EXAM TIP The downsides to DPI are its difficulty in handling traffic encryption, in addition to the performance hit that results from total traffic analysis.
Data Flow Enforcement PART II
Data flow enforcement refers to the secured and controlled flow of data within a device, between devices within a network, and across other networks. Organizations establish flow control policies for identifying data containing specific security attributes such as Confidential, and the destinations to which that data is authorized to flow (for example, destinations with a security attribute matching the data’s label of Confidential). In addition to the policies, organizations also implement mechanisms to enforce said policies (for example, firewalls, routers, and encrypted tunnels). These policies are enforced via rule sets and configuration settings that govern the actions the network must take upon discovery of data types that are compliant or noncompliant with data flow policies. These enforcement mechanisms may also filter packets and communications messages based on predefined criteria. Taken together, flow control policies and enforcement mechanisms make data flow enforcement pretty straightforward within a system or network; however, difficulties can arise when data must flow between networks—or what they call “cross-domain” data flow. This is because if the source and destination networks have incompatible security policies, security violations may result—or worse, data leakage and other data breaches may occur. NOTE The NIST 800-53 (Rev. 4) standard denotes 23 separate “enhancements” or detailed amendments to the standard. Enhancements 3–23 focus primarily on cross-domain data flow enforcement requirements.
The requirements of data flow enforcement are rather detailed, but here are some general decisions that need to be made:
• Which data types are authorized to flow in a unidirectional or bidirectional manner? • Which data types are not authorized to flow within a system, between systems, and between networks, yet are accessible in their current location? • Which data types, and circumstances, warrant the reassignment of different security attributes to the data? According to NIST Special Publication 800-53 (Rev. 4), “Security Controls and Assessment Procedures for Federal Information Systems and Organizations,” restrictions on data flow are required for the following scenarios:
• Ensuring traffic sent to and from the Internet is encrypted • Blocking outside traffic that claims to originate from the internal network • Restricting web requests to the Internet that are not from the internal web proxy • Limiting data transfers between organizations based on data structures and content
05-ch05.indd 177
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
178
Network Flow Enforcing data flow policies is important, yet it is also important for us to be able to capture, analyze, and understand the data flows. A network flow is a sequence of packets transferred from a sending host to one or more receiving hosts. We use network flow monitoring tools to observe the traffic that is flowing across a network. These tools can help us in several ways, including the following:
• Creating performance baselines and determine deviations from baselines • Identifying network connectivity and performance issues • Identifying security issues • Ensuring quality of service (QoS) • Identifying historical traffic trends Focusing on the security aspects, we can use network flow data to help us identify security issues such as abnormal traffic spikes caused by denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks. Malware may also be discovered via the network flows it generates, the port numbers used, and the Internet-based servers the malware communicates with. Another important aspect of a network monitoring tool is thresholdbased alerts, which are generated based on preconfigured volume levels for “top senders,” “top receivers,” “failed connections,” and so forth. Finally, the network monitoring tool should include an intuitive and comprehensive reporting engine to help us understand the historical and current traffic we’re collecting.
sFlow
Any discussion on network data flow would be remiss without including one of its biggest advocates, called Sampled Flow or, more commonly, sFlow. According to RFC 3176, sFlow is a “method for monitoring traffic in switched and routed networks.” sFlow is a global standard for packet sampling technologies and is currently in version 5. It is supported by numerous hardware and software vendors, including Cisco, HP, Juniper, Arista, Extreme Networks, and a ton of others. Often built into routers and switches, sFlow empowers organizations to gain detailed insights into network data flow usage, routes, traffic and application mixes, in addition to trend analysis and capacity planning. It uses port number 6343. NOTE The authoritative source for all things sFlow, including its maintenance, latest developments, specifications, and product information, is the sFlow.org consortium.
Data Flow Diagram The last section discussed how network monitoring can help us to better understand our network data from a measurement perspective. However, as they say, a picture is worth a thousand words. Wouldn’t we understand our network flows even better if we
05-ch05.indd 178
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
179
built a diagram visually depicting the data flow paths and processes? Data flow diagrams graphically represent the data flow that occurs between computer systems on a network. Figure 5-5 shows an example of a basic data flow diagram. Data flow diagrams help us understand the following data flow functions:
PART II
• What data types are sent by a system • What data types are received by a system • How data flows to and from the sending and receiving systems • Where data is stored • Which systems depend on other systems Although this is just a basic data flow diagram, you are encouraged to create multiple versions based on the level of detail required. Initially, you’ll want to create a basic diagram to give you the broad strokes of a system and then branch out from there as required.
Administrator 1
Quality Assurance 5
Unit Supervisor 2
CRM
Help Desk 4
Programmer 3
Figure 5-5 Data flow diagram
05-ch05.indd 179
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
180
Secure Configuration and Baselining of Networking and Security Components
We’ve discussed all kinds of security and network devices, advanced network design, and security solutions for data flow. The next section covers some general network baselining and configuration lockdown topics. These topics are covered throughout the book, so only a cursory overview is provided here, with more information piecemealed throughout the book.
Network Baselining Before we get started with configuration lockdowns, a great time to start measuring and determining network baselines is right after you build the network. At that point, the technology is in its purest condition. Baselining allows us to document what the normal and acceptable levels of performance are and use this performance level as the measuring stick to determine if subsequent measurements (benchmarks) are better, worse, or equal to the most recent baseline. Since networks are always changing, additional benchmark tests need to be done to see if our performance needs to be returned to the baseline levels, or if a new baseline will need to be created.
Configuration Lockdown We capture network baselines before implementing configuration lockdowns because network baselines are so important that we don’t want anything messing them up. We want to prevent the very configurations that helped shape the baselines from being changed. Configuration lockdown effectively “seals” the configurations into our network devices to prevent unauthorized changes. The lockdown is strict enough that even network and systems administrators are restricted. Because if changes can be made, then baselines are much more likely to suffer integrity violations.
Change Monitoring Even though configuration lockdown does a great job of preventing unauthorized changes to our network devices, the operative word here is “our” devices. Configuration lockdown won’t stop attackers from connecting unapproved laptops into open switch ports or setting up rogue wireless access points. Change monitoring will help us deal with both outcomes. Change monitoring checks for signs of failed or successful attempts at modifying our network’s configuration baselines as well as any signs of unauthorized devices or behaviors being introduced into the network. The change monitoring system might block the unauthorized changes and send an alert, or simply generate the alert for us so we can mitigate the incident ourselves.
Availability Controls The confidentiality, integrity, and availability (CIA) triad teaches us that it’s great to keep secrets, and to be able to trust their veracity, but it won’t do us any good if the secrets aren’t there when we need them. That is why availability represents a whole one-third of the triad. Despite the myriad of topics in this section, we’re really talking about one
05-ch05.indd 180
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
181
thing still—baselines. We’ve created a baseline and then implemented lockdown configurations and change monitoring on the baseline. The baselines would also benefit from availability controls to ensure data is accessible and resistant to failure. Implementing availability controls can be expensive, but failed networks due to lack of availability controls are more expensive. Let’s discuss some availability options:
05-ch05.indd 181
PART II
• Redundant hard drives Hard drive redundancy is achieved with RAID arrays. RAID 1 disk mirroring or RAID 1 disk duplexing can survive a single hard drive failure without data or performance loss, but disk duplexing can survive a controller card loss as well since it relies on two of them. RAID 5 can survive a single drive failure put performs slower after failure. RAID 6 can survive two simultaneous drive failures but will perform slower during failure. RAID 10 (technically RAID 1+0) can survive more than one drive failure and will continue to perform well during the failure. • Redundant NICs Sometimes found in workstations but often found in servers, redundant NICs are like the NIC equivalent of RAID in that you have multiple NICs for performance and fault tolerance reasons. Frequently, this is known as NIC teaming. You might have one primary NIC in use, with other NICs either on standby until the primary NIC fails (Active/Passive), or the primary and secondary NICs work simultaneously for performance reasons (Active/Active), and a third NIC remains on standby until another one fails. • Redundant power supplies These are often found in servers. If one power supply fails, the other one takes over without disruption of data or services. • Redundant servers with a load balancer Often called a server farm, server pool, or a server cluster, using multiple servers allows performance improvements in addition to higher availability should a server fail. Load balancers can help direct traffic to available servers should a preferred server become unavailable. • Redundant ISPs Having redundant ISPs is more important now than ever, considering the amount of public, community, and hybrid cloud computing solutions organizations are utilizing online. If an ISP connection fails, all cloud computing services are unavailable to us unless we have a second ISP to failover to. • Redundant data centers Although some organizations have redundant data centers, we generally experience them through cloud computing providers. Cloud computing providers carefully set up data centers in regions where a single catastrophic event, such as a tsunami, earthquake, tornado, hurricane, or volcano, will only affect one data center (and not other ones). • Generators Generators can supply power to organizations for several hours or even days should they lose power. This is especially critical for healthcare providers like hospitals, where patients’ lives are at stake during power failures. • UPSs Uninterruptible power supplies (UPSs) are commonly connected to servers, routers, switches, and firewalls to ensure they can function for a little while during a power failure or, more likely, provide users with the opportunity to gracefully shut down these units and ride out the storm.
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
182
Network ACLs Access control lists (ACLs) can be defined in different contexts. There’s the file system variety, networking ACLs, and even SQL implementations for that matter. For the sake of this section, we’ll define network ACLs. ACLs are lists of rules that we apply to routers, firewalls, and so on, in order to, for example, define what packets are permitted or denied entry through a network interface. The ACL filtering actions are known for taking IP addresses and port numbers into consideration. The goal is to ensure that unauthorized traffic is not permitted to flow, which, ultimately, will help protect the network from bad guys. Here are some best practices for ACLs:
• Ensure ACLs are listed in the appropriate order—from most specific to least specific—so that rules that should “win” are more likely to win should conflicts arise. • Ensure the implicit deny rule is at the bottom of the ACL. If no other rules exist to allow a connection, the connection will be implicitly denied due to this rule. • Test ACLs on a test network before implementing them on a production network. • Ensure ACLs fulfill the objectives of both the security policy and the organization’s business objectives. Here is a sample Cisco router ACL configuration. Since Telnet is generally frowned upon in favor of SSH, we’ll often need to create an ACL restriction for Telnet. access-list 105 deny tcp any any eq 23 access-list 105 permit ip any any
The first line configures the ACL to restrict Telnet. The second line configures the ACL to permit all other IP traffic. EXAM TIP The CompTIA Advanced Security Practitioner (CASP+) exam may introduce one or two Cisco IOS commands in the questions; therefore, be sure you go over the few commands introduced in this chapter. If you don’t have access to a Cisco switch or router, a great place to look for sample commands is on Cisco’s website.
Software-Defined Networking
Traditional management of network devices is typically performed by the network devices themselves (in other words, in a decentralized manner). There’s no central network governance. Since networks are constantly changing, network devices such as routers respond by not only making changes to themselves but also broadcasting these changes (such as routing table updates) to other routes in order to help them update their respective routing tables. Such updating can take a while; plus, some network devices are configured statically, so they will not dynamically update other devices at all. Software-defined networking (SDN) addresses these concerns, in addition to others, by centralizing the configuration and control of devices. A centralized SDN application or server can push out network changes to the network devices due to changing network
05-ch05.indd 182
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
183
PART II
conditions, or proactively notify the network devices that a change is about to occur. Think of SDN as decoupling the control element of the router from the forwarding element. The control element refers to the router’s responsibility over its internal routing table and protocol operations—such as routing table updates, topology discovery processes, and so on. On the other hand, the forwarding element is the more elementary aspect of the router that simply forwards traffic based on the information in the routing table. The forwarding plane doesn’t make decisions; it just reads the script. SDN is taking over the control plane aspect so that the router is only responsible for the forwarding element. Routers still route, but they are no longer in charge of the rules that define their routing. This has tremendous applications in the real world. Cloud computing providers thrive on SDN since the centralization of network device management will enable automation of network management and configuration changes, in addition to monitoring. SDN also enables the mixing of platforms so that Cisco, Juniper, and Extreme Networks products can all be configured with similar policies. This will improve operational efficiencies, which in turn reduces overall costs, addresses vendor lock-in challenges, cuts costs on hardware, and creates more consistent security configurations on disparate networking devices.
Network Management and Monitoring Tools
It is imperative that CASP+ professionals are diligent about security as it relates to network management and monitoring. Granted, IT professionals will handle the nuts and bolts of network management and monitoring, but they might be a little rough around the edges when it comes to the security context of network management and monitoring. That’s where we come in. Throughout this chapter, we’ve talked about a handful of management and monitoring tools such as SIEM, IDS, IPS, wireless controllers, UTMs, and so on. We will list out a few others here to round off the discussion. Each of these topics will be revisited in more detail in later chapters:
• Auditing Auditing is the practicing of determining who to hold accountable for recorded actions. For example, who logged in? What time did they log in? What resources did they access? What actions did they perform on those resources? What computer did they use to perform these actions? Having access to and understanding this information will allow us to determine who to hold responsible for both good behaviors and bad. Auditing is often performed in response to an organization’s security policy—which was created in response to a state or federal law. It is critical that organizations know what to audit and to what level of detail the auditing should be performed. • Logging Logging is the practice of recording activities into a file for troubleshooting, tracking, and evidence collection purposes. All kinds of products maintain logs—from operating systems, to applications, to network devices such as routers, switches, and even firewalls. For troubleshooting purposes, auditing, and even data retention reasons, logs should be generated, maintained, and retained since it is likely that data retention laws will apply to your organization. Failing to produce logs during an audit can earn the organization a handsome fine or worse.
05-ch05.indd 183
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
184
• Sniffers Like auditing and logging, sniffing is a monitoring technique, only it is focused on capturing and analyzing network traffic as opposed to collecting information that is generated internally on the computer or device. Packet sniffers such as Wireshark are an excellent resource for surveillance purposes, network troubleshooting, or identifying possible malicious packets or attackers on the network. TIP Packet sniffers are capable of stronger forms of not only packet capturing and analysis but also packet injection if you use a special network adapter called AirPcap. It is a bit expensive but well worth the bonus features.
Alerting Most if not all modern network devices are capable of generating and sending alerts to administrators. These alerts may range from a firewall detecting a port scan, to an IPS detecting a SYN flood attack, to a router sending an alert that another router is down. Regardless of the specific alert types, alerting basically boils down to two varieties— alerting at the individual device level and at the overall network level. Although device issues are important, it’s more important to be made aware of issues affecting the overall network. For example, bandwidth utilization is at 100 percent with a suspected cause of a DDoS attack. Alerting is important enough that devices have built-in default alert types and actions; however, these are not likely to be adequate. You will have to write some rules of your own in order to be notified of activities important to you and your business. To that end, standing atop the alerting “Mount Rushmore” is Cisco’s Snort tool. The Snort software is a hugely popular, free, open source IDS/IPS product. Snort rules follow a particular outline:
• Action What is the alert going to do? Usually the action is “Alert.” • Protocol The protocol that was captured by Snort. TCP is common. • Source IP The sending device’s IP address. • Source Port The sending device’s source port number. • Destination IP The receiving device’s IP address • Destination Port The receiving device’s port number. • Rule Options For example, send a message indicating what the rule has detected. Here’s an example of a Snort rule: alert tcp any any -> 192.168.1.100 22
This rule tells Snort to generate an alert whenever any device attempts to connect to 192.168.1.100 on port 22 (which is used by SSH services). It’s one thing to receive alerts because a packet with a certain source/destination IP and port number matched a Snort rule, but does that mean that alert should be generated every time there’s a match? The frequency of an action that caused the alert is just
05-ch05.indd 184
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
185
as important as what the behavior was itself. In other words, a single ICMP ping packet may not be worthy of triggering a Snort alert, but if there’s, let’s say, hundreds or thousands of ICMP ping packets in a short period of time, an alert should be generated because this could indicate a DDoS attack. The trick is to find that balance between alerts that help us and alerts that we collectively drown in. We’ll talk more about this topic in the next section.
As children, we heard the story about the boy who cried wolf. The long and the short of it is the boy learned the hard way that when you report a false threat often enough, no one will pay attention to you when you report a real threat. Many IT gurus complain about receiving an excessive amount of false positive alerts—which are alerts that don’t indicate a threat. Eventually, they grow tired of them and start ignoring the alerts, or they dial down the alert aggression level to reduce the number of alerts or false positives. Although this will solve the alert fatigue issue, they’ll start to experience an even worse issue—false negatives. False negatives are the absence of alerts when a real threat is present.
PART II
Alert Fatigue
EXAM TIP You cannot eliminate all false positives and false negatives. The best you can do is carefully modify your alert thresholds so that they are strict enough to identify obvious threats, yet sensitive enough to notify you of the more vague or potential threats.
Advanced Configuration of Routers, Switches, and Other Network Devices
Network devices such as routers, switches, and printers are growing ever more complex, with ever-increasing remote management features and configuration options. Here are some good security measures to take for any network device:
• Disable any anonymous access to information. • Change the default usernames and passwords. • Disable any unused or unnecessary services or features. • Enforce the use of secure protocols only. A common and very insecure protocol used on many networking devices is Simple Network Management Protocol (SNMP). SNMP is used for remote management and monitoring of network devices and allows the reading and writing of data such as statistics and configuration options. SNMP uses community strings for authentication that are basically passwords transmitted in the clear. SNMP should be disabled unless absolutely required. If SNMP must be enabled, then community write strings should be disabled on all devices possible. Default community strings should always be changed to the maximum possible length and contain both upper- and lowercase letters as well as numbers. Furthermore, all SNMP traffic should be blocked at the network perimeter.
05-ch05.indd 185
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
186
SNMP agents should also be configured to filter SNMP traffic from unauthorized internal hosts. Because all SNMP traffic including community strings is transmitted in the clear, SNMP should be used only on top of other secure protocols providing at least confidentiality and integrity. Efforts are being made to replace the traditional insecure SNMPv1 with the more secure SNMPv3. EXAM TIP Two of the most common vulnerabilities associated with networking devices are failure to change default passwords and failure to secure access to management interfaces and protocols.
Use the following additional guidelines when appropriate for configuring switches and routers:
• Use, but do not rely on, MAC address filtering when possible. • A policy of one MAC address per switch port should be enforced. • Configure ACLs to not permit known-bad traffic, such as inappropriate or unused IP addresses, or internal source IP addresses on external ports. • Ensure passwords for controlled access are required for all interfaces, including the console, AUX, and VTY interfaces. • Do not enable DHCP or BOOTP for edge routers. • Set the correct date and time. • Set up proper logging to a syslog server. • Back up your switch and router configurations.
Transport Security TLS and SSL exist on top of the transport layer, encapsulating application layer protocols. TLS and SSL provide confidentiality and integrity for application layer protocols such as HTTP, SNMP, and SIP. However, because the encryption occurs at the application layer, transport layer headers such as TCP and UDP headers are not encrypted. TLS and SSL can be used to create tunnels for specific applications. TLS and SSL can both be used to create VPNs by tunneling application layer protocols to their destination network. IPSec is actually a collection of protocols to perform various functions. IPSec can provide confidentiality, integrity, and authentication of packets as well as protect against replay attacks. Authentication Headers (AHs) provide authentication, integrity, and protection against replay attacks for entire packets. Encapsulation Security Payload (ESP) provides authentication, integrity, and authentication for data or entire packets, depending on the choice of mode. When in transport mode, encryption occurs at the Internet layer, protecting the transport layer protocols. When in tunneling mode, the entire Internet layer packet is encrypted, and a new IP header created, encapsulating the packet. Both modes
05-ch05.indd 186
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
187
are useful for secure communication between two hosts. Tunneling mode can allow users to connect a single host on an untrusted network to a trusted remote network. Tunneling mode is also used to create VPNs by bridging two fixed, trusted networks. Generally speaking, IPSec provides better security but comes with greater overhead, can be more difficult to deploy, and requires specialized support. Wireless networks, mobile devices, and remote access are much more easily handled by SSL-based VPNs. Additionally, SSL-based VPNs can provide more granular access controls.
VLAN-hopping attacks enable an attacker on one VLAN to gain access to traffic on other VLANs, as shown in Figure 5-6. There are two general types of VLAN-hopping attacks: switch spoofing and double tagging. Although the threat of VLAN-hopping attacks can be mitigated, the best protection is to use separate, dedicated hardware for each VLAN. Some switches have a dynamic trunking negotiation feature called Dynamic Trunking Protocol (DTP) to assist in their deployment. Even when static trunks are manually configured, DTP is still active. It is possible for attackers to abuse this feature and set up a trunk, enabling them to gain access to and inject traffic into other VLANs. This type of attack is called switch spoofing. To prevent switch spoofing, dynamic trunking should be disabled everywhere, if possible, and should never be enabled for any ports connected to end users. Switchport modes should be statically configured to be either access or trunk. DTP can then be disabled by issuing the switchport “nonegotiate” command on certain platforms. A second type of VLAN-hopping attack is called double tagging. Due to backwardcompatibility features in the 802.1q protocol, native VLAN traffic is not tagged by trunk ports. Attackers can exploit this by creating specially crafted packets with two tags. The first tag is stripped off by the trunk port of the first switch. The second tag, however,
PART II
Trunking Security
Target VLAN
Attacker
Attacker sends packets with VLAN ID of target VLAN
Packets forwarded from first switch to switch connected to target VLAN
Figure 5-6 VLAN hopping attack
05-ch05.indd 187
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
188
remains intact and allows the specially crafted packet to hop to a VLAN specified by the attacker. In order to prevent this attack, follow these procedures:
• Explicitly specify the native VLAN as an unused VLAN ID for all trunking ports. • Do not use the native VLAN (VLAN 1) for any access port. • Place any unused ports on a separate, unused VLAN. • Enable tagging of native VLAN traffic for all ports. • Use ingress filtering on edge ports to drop tagged packets.
Port Security We implement port security on switches to provide assurances that only approved devices are permitted to communicate on switchports. This generally involves the whitelisting of approved MAC addresses or, much less commonly, the blacklisting of unapproved MAC addresses. Disabling the port entirely is the most secure option, but that will prevent legitimate devices from plugging in. Port security can be broken down into a few types:
• One-to-one mapping A single MAC address is mapped to a single port. This offers the highest security and requires the most administrative effort. • Many-to-one mapping A range of MAC addresses is mapped to a single port. This offers medium security and requires a medium amount of administrative effort. • Many-to-many mapping A range of MAC addresses is mapped to a range of ports. This offers the lowest security but requires the least amount of administrative effort.
Implementing Port Security
The following example shows the Cisco commands needed to configure port security on a Cisco switch for Fast Ethernet port 0/1. We are whitelisting three specific MAC addresses on the port. Switch# configure terminal Enter configuration commands, one per line. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security
End with CNTL/Z.
maximum 3 mac-address aaaa.bbbb.cccc mac-address bbbb.cccc.aaaa mac-address cccc.aaaa.bbbb
Route Protection Protecting networking routes within an organization and at its borders is critical to security. Attackers exploiting routing protocols and vulnerabilities may gain access to sensitive information, inject traffic, and redirect traffic flows. Successful exploitation may also lead to avenues of attack such as man-in-the-middle or denial-of-service attacks.
05-ch05.indd 188
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
189
PART II
The Open Shortest Path First (OSPF) protocol is primarily used for internal routing. In the OSPF protocol, each node announces its link destinations and cost to its neighbors. Nodes also re-announce received link information so that all the nodes know the network topology. Each node then decides routes by calculating the shortest path. Routing information in OSPF must be exchanged in a secure manner to avoid spoofing attacks. Use only MD5 authentication for the entire network. Authentication keys should be changed on regular basis. Some devices come with simple password-based security enabled and a preconfigured default password. With simple password-based authentication, the password is transmitted in the clear, which should be avoided. Be sure to configure all of the interfaces of OSPF devices to use non-broadcast mode. Non-broadcast mode aids in security through the explicit configuration of valid OSPF neighbors. Autonomous system boundary routers (ASBRs) can filter invalid routes from external sources. Additionally, administrators should be aware of IPv6 ICMP and multicast security implications discussed earlier. Border Gateway Protocol (BGP) is used for interdomain routing between ISPs or sometimes within very large private networks. BGP is typically used to join multiple organizations that are separately owned and managed. Each organization is referred to as an autonomous system (AS) and is assigned an AS number (ASN). Because BGP typically involves routing communication through multiple autonomous systems, routes are chosen based on a number of factors, including local preference. Security in BGP is hampered by the inability to control external security policies and BGP routers. However, the security of BGP can be improved by filtering incoming messages with improper address spaces such as your address space, the Martian address space, and known unallocated address spaces. Explicitly configure BGP peers, and only allow BGP prefix announcements with expected ASNs. Additionally, explicitly configuring the TTL of BGP packets to 255 and only accepting incoming BGP packets with a TTL of 254 will help to ensure that the packets originated from one hop away. Limiting the allowed number of received prefixes helps prevent malicious or accidental denial-ofservice attacks. Attackers, eavesdropping on BGP communications, may learn sensitive information about business relationships. Injection and modification of communications is also a serious threat, as previously discussed. In order to ensure authentication, confidentiality, and integrity for BGP communications, work with neighboring autonomous systems to secure the underlying TCP/IP connections used for the BGP protocol. MD5-based authentication, using shared secret passwords, should be enabled. Additionally, TCP/IP connections may be secured through the use of secure protocols such as IPSec. Routing Information Protocol version 2 (RIPv2) is an older routing protocol intended for smaller, internal networks. RIPv2 is generally easier to configure but has many deficiencies compared to OSPF. Deficiencies include but are not limited to the following:
• Fifteen-hop maximum. • No assigned cost; each hop has a cost of 1. • Slower convergence could lead to availability issues. • Higher bandwidth usage.
05-ch05.indd 189
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
190
If deploying or upgrading a network, consider using OSPF instead. If RIP must be used instead of OSPF, use only RIPv2 because RIP version 1 has even more deficiencies and no support for authentication. When using RIPv2, always enforce MD5-based authentication for updates.
Implementing Route Protection
The following example shows the Cisco commands needed to configure MD5 digest authentication between two Cisco routers (Rtr1) and (Rtr2) to ensure they can validate one another: Rtr1 configure terminal Rtr1(config)# interface ethernet 1/3 Rtr1(config-if)# ip ospf message-digest-key 5 md5 P@ssw0rd Rtr1(config-if)# ip ospf authentication message-digest Rtr2 configure terminal Rtr2(config)# interface ethernet 1/3 Rtr2(config-if)# ip ospf message-digest-key 5 md5 P@ssw0rd Rtr2(config-if)# ip ospf authentication message-digest
DDoS Protection A denial-of-service (DoS) attack involves a single threat actor attacking a system in a way that renders its services unusable. Although this is typically achieved through an overwhelming amount of traffic, it can also occur at the smallest of levels—say, a buffer overflow attack. In this case, the outcome is more important than the cause. If you add multiple threat actors into the equation, DoS attacks are upgraded to distributed denial-of-service (DDoS) attacks. DDoS attacks are more frequent due to their effectiveness of achieving the attacker’s goals of distributing spam, cracking passwords or encryption keys, or, most commonly, disabling the target. DDoS attacks are typically launched by hacker botnets—an army of hundreds, thousands, or millions of systems controlled by a hacker’s command and control (C&C) server. This server in turn controls the botnet machines (bots, zombies, or drones) through the use of malware, typically in the form of a worm or Trojan horse. Upon direction from the hacker, the botnet strikes. Generally, the bots attack with spoofed addresses to confuse the target’s true source. There are numerous countermeasures for DDoS attacks, including the following:
• Patch all network and OS software. • Disable unused services. • Implement TCP intercept. • Use rate limiting to control the rate of inbound traffic. • Use ISP anti-DDoS services. • Block ICMP messages.
05-ch05.indd 190
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
191
• Drop requests. • Absorb the attack with extra bandwidth. • Disable noncritical services.
Remotely Triggered Black Hole PART II
Black hole routing refers to the practice of dropping traffic before it reaches its intended destination. The sender of the traffic is not notified of the dropped packets, and the black hole is not directly observable with network monitoring tools since the black hole never sends replies. The only way to “see” the black hole is through monitoring lost traffic. A remotely triggered black hole (RTBH) is a more advanced type of black hole routing in that ISPs will react to DDoS attack traffic by triggering an immediate routing table update to deny traffic from affecting a destination company network. EXAM TIP There are two types of RTBHs: source-based and destinationbased. The destination-based method runs the risk of blocking legitimate traffic, but source-based RTBHs can mitigate this, assuming we know the exact addresses, the DDoS attacks originate from.
Security Zones
They say that when you chase two rabbits, they both get away. A critical aspect of network design is the creation of security zones. Security zones allow organizations to create a secure environment by choosing appropriate security levels for different networks. There are multiple types of zones, including the following:
• Internet zone Represents the Internet. This is outside our boundary; therefore, we cannot control it. We can only restrict what we send to it or receive from it. • Internet DMZ Represents the edge of our internal network. This zone is created by our edge firewall, which provides a barrier between the Internet and our internal networks. It also serves as a protected yet visible network to the Internet for consumption of our public servers, including DNS, web services, e-mail services, VPN services, and others. • Extranet zone Accessible to partner locations from over the Internet. Has the public visibility of the Internet DMZ but is more restricted from an authentication and authorization perspective like the Intranet zone. • Management zone Contains network, virtualization, and security management systems. • Intranet zone Represents our internal network. This is where most organizational productivity occurs. • Restricted zone Mission-critical systems operate here.
05-ch05.indd 191
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
192
DMZ Multitier network architectures typically have tiers grouped by functionality and arranged by the flow of data. The boundaries between tiers are typically secured using firewalls and other security devices such as IPSs. The key to multitier networking architectures is the deployment of firewalls and proper rules. Proper rules improve security by only allowing communication between adjacent tiers and limiting that communication to essential ports. Thus, in theory, an attacker only has limited access to a single adjacent tier. Multitier network architectures are a good example of employing a defense-in-depth strategy. Figure 5-7 shows the simplest multitier concept, with a DMZ for Internet-visible services separated from the internal network. A common multitier network architecture divides the network into three tiers: the DMZ, the application tier, and the data tier. The DMZ consists of Internet-facing services such as web servers, proxies, e-mail gateways, and public DNS servers. A firewall is typically configured to only allow incoming connections to the public services in the Figure 5-7 Simple DMZ implementation
Internet
DMZ
$ $
$ $
Web
E-mail
E-commerce Internal network
05-ch05.indd 192
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
193
PART II
DMZ. Nonpublic services such as internal web servers, directory services, internal DNS servers, and application servers are placed in the application tier. The application tier is placed behind the DMZ, with a firewall placed in between and configured to only allow incoming connections from the DMZ on ports used by the application servers. Lastly, the data tier is placed behind the application tier and contains services such as database servers, file servers, storage area networks (SANs), network attached storage (NAS), internal DNS servers, and any devices that contain sensitive information. Once again, the data tier is separated from the application tier with a firewall set to allow incoming traffic from only the application tier, on only the ports required to access the data. Sometimes the DMZ and application tiers are combined into a single tier and placed behind a new proxy tier. External requests go to the proxy tier, which then makes appropriate requests to the services in the DMZ tier. EXAM TIP Most organizations have a DMZ between the Internet and their internal network, but how many organizations use a DMZ between their internal users and their server farm? Using the tiered approach to filter and shape traffic flowing between your internal user community and your critical servers can reduce the target profiles of your critical servers.
Separation of Critical Assets In chess, the King starts in the middle of the bottom row, and moves toward the corner to isolate itself from the advancing opposition. Yet, the pawns start on the frontlines and move toward the enemy without regard for isolation. Although important, pawns are simply not as vital as the King or Queen. Organizational assets are no different than anything else in our custody—more important objects require stronger security and isolation than others. The most fundamental of all protections is isolation, since a threat too far away cannot cause us harm. Isolating the more important assets from the lesser important assets is what zoning is all about. If security solutions were free from costs and trade-offs, we would simply secure everything to the utmost. Since this is not the case, we judiciously implement the most security on critical assets, and less security on the other assets. With most enterprises, the critical stuff is on the inside. The Intranet zone is tasked with containing and protecting the internal systems and data with various controls, including physical security, internal firewalls, IDS/IPS, packet sniffers, network encryption, permissions, auditing, and so forth. Yet, the Internet zone threats pose enough risk to our Intranet zone that we stick another zone in between the two—the DMZ as described earlier. The DMZ serves to shield the Intranet zone from the Internet while making resources available to the Internet customers and remote workers. Since the DMZ resources are important, we increase their visibility over Intranet zone resources, yet we still have a perimeter firewall, DMZ, and so forth, to protect those assets. Let’s take a more mixed approach. What type of zone is publicly visible like the DMZ but requires authentication and authorization like the Intranet zone? As stated earlier, the Extranet zone. This zone is often accessed by franchise groups that wish to connect to a parent company’s Extranet portal from anywhere in the world. The portal is accessible over the Internet but only to authenticated users.
05-ch05.indd 193
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
194
The final method of separating critical assets is to use cloud computing services. Some organizations will go the hybrid cloud route by putting the least important assets in the cloud and the more critical assets on-premises. Whichever your approach is, make sure your critical assets are protected with the strongest security controls and are kept reasonably isolated from all the other assets. Also, if going the cloud computing route, make sure your cloud provider meets the compliance requirements needed by your organization and gives you the security, privacy, and administrative controls necessary to adequately protect your critical assets.
Network Segmentation Network segmentation is a basic security tool used as part of practicing a defense-indepth and layered security strategy. The philosophy behind such a strategy is to create layers of security between the organization’s critical or sensitive assets and the outside environment from where attacks might be launched. The idea behind having different layers is that if one layer is penetrated, there remain others still protecting the information or assets. The attacker will have to penetrate each subsequent layer, in turn, which gives security personnel an increased chance to detect the penetration and respond to it. Typically, the outermost layer is considered the network perimeter, which is the boundary between the corporate network and the Internet. The next layer might be the individual operating system security controls on individual hosts. After this may be application security controls regulating who may be able to access specific services. Inside of this is the data, which all of the layers are designed to protect. At each layer, multiple security mechanisms may be in place to help detect intrusive activity and to prevent it from being successful. Defense-in-depth is a complementary and related topic. It involves taking a look at personnel, technology, and operations to create a coordinated approach to implementing security. It includes more than just the layers of security; it also addresses items such as disaster recovery, forensic analysis, and emergency response. Network segmentation can also play a part in this strategy. The idea behind network segmentation is to separate parts of your network into related portions, each of which you trust to the same level or degree. The individuals within each segment have common network requirements and related job functions. Segmentation allows the organization to provide a degree of separation between functions, which is one of the fundamental principles of security. This is also related to the principle of “need to know,” in which an individual is only provided with the minimal amount of information (or authorization) they need to accomplish their job. Segmentation for these purposes addresses the internal threat posed by employees who have access to the organization’s networks. By segmenting the data and services, the organization can limit the amount of damage a single user can cause. Each segment forms a zone that you will monitor separately. You will need to then determine what communication, if any, is required between the zones, and at each one of these communication links you place various access control and monitoring devices (such as firewalls and intrusion detection/prevention systems). An example of where you might see something like this is in the separation of an organization’s business/administrative network and its control systems networks used in operations such as manufacturing,
05-ch05.indd 194
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
195
PART II
power generation/delivery, and water distribution. Because a common vector for infection of systems with malware is for end users to access sites or open e-mail attachments that they shouldn’t, it is important to separate these functions from the control systems. For an interesting study of how control systems may be compromised, even when there is a degree of separation, review the events surrounding the Stuxnet attack that impacted Iran’s nuclear program. One way to accomplish network segmentation is through the implementation of a virtual local area network (VLAN). A VLAN consists of a set of systems, all of which have a common set of requirements and communicate as if they were connected to the same domain, regardless of their actual physical location. The VLAN appears to users to be the same as a LAN. In a VLAN, traffic is controlled so that instead of all connected hosts thinking they are on the same broadcast domain, the switch is divided up so that only certain ports can communicate with each other. Delegation is a related topic, although it has separate goals. Delegation quite simply is the assignment of authority to another person for some specific activity. This may be necessary in a segmented environment because one user may not have authority, or access, to certain services or data. It is not advisable for an individual to simply provide another with their authorization or access control credentials (for example, their user ID/password combination). This would mean that an individual would appear to be somebody else and thus accountability could be lost. Instead, an access control model such as rolebased access control (RBAC) could be utilized to provide a level of granularity sufficient to delegate access to specific roles. EXAM TIP The concepts of defense-in-depth and layered security are common in the security community. Make sure you understand them and how they can aid in security. Also understand the part that network segmentation plays in providing a level of isolation that can limit the damage done if one portion of the corporate network is breached.
Network Access Control
Network access control (NAC) was discussed in a fair amount of detail earlier in the chapter; therefore, only some of the finer details are provided in the upcoming sections on quarantine/remediation, agents, and agentless implementations.
Quarantine/Remediation Since NAC is all about ensuring that devices meet predefined health policy criteria prior to connecting to the network, what happens when the devices aren’t compliant with the policy? The NAC server may either drop the connection entirely until the client resolves the compliance issue or quarantine the client to a restricted network where a remediation server is available to help the client “get compliant.” This usually amounts to the remediation server deploying antimalware definitions or operating system updates to the client. Shortly thereafter, the client can attempt to connect to the production network again and should be granted access.
05-ch05.indd 195
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
196
Persistent/Volatile and Nonpersistent Agents Agent software runs on NAC clients in order to perform authentication and compliance checking prior to connecting to an organization. These agents behave differently depending on what type of agent is in use. Persistent agents reside on the client after connections are severed, whereas nonpersistent agents disappear from a client once a connection is ended. EXAM TIP As a general principle, we use persistent agents on trusted devices and nonpersistent agents on untrusted devices.
Agent vs. Agentless Despite the prevalence of agents, not all clients should use them. Agents are commonly used on trusted devices that reside within or external to the organization for long stretches of time. They provide us with better control, security, and tracking capabilities than agentless solutions. The downside is, agents increase costs and overhead for an organization, particularly for devices that are untrusted, don’t belong to the organization, and are here one minute and gone the next. Typically, the best route to go with unknown/untrusted devices is agentless. Granted, there’s less control and insights into device behaviors, but it also reduces deployment overhead.
Network-Enabled Devices
We’ve spent quite a bit of time going over fan-favorite network devices like switches, routers, firewalls, intrusion detection/prevention systems, and so forth. Yet, other devices, which traditionally hadn’t occupied the realm of networking and information security, may now fall under your list of responsibilities. These devices include building and home automation systems, IP video devices, HVAC controllers, sensors, physical access control systems, A/V systems, and scientific and industrial equipment. What’s changed is, these technologies are now likely to have network interface cards (including Wi-Fi), MAC addresses, IP addresses, protocols, firmware, software, and operating systems—all of which can be vulnerable and exploited by various threats. The upcoming sections talk about these network-enabled devices.
System on a Chip (SoC) SoCs are electronic devices that combine the functions of CPUs, memory, and other hardware onto a single circuit board. Essentially, an entire system is consolidated onto a single chip. Although SoCs are not network-enabled devices in themselves, they provide the core functionality to many such devices, including Internet of Things (IoT) devices, mobile devices, and home appliances. Most importantly, SoCs are critical to some of the topics in this chapter, such as building and home automation systems, HVAC controllers, and industrial equipment.
05-ch05.indd 196
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
197
Building/Home Automation Systems
PART II
Outside of IT, organizations still have the rest of the building to worry about, such as this not-so-small thing called facilities. Management of power, lighting, ventilation, water systems, alarms, and physical security systems can present certain administrative challenges from equipment being proprietary, managed separately from other equipment, and expensive due to the reliance on multiple specialists to keep everything running. These concerns are being addressed due to these technologies adopting many of the protocols, firmware, operating systems, and application programing interfaces (APIs) as regular computers today. Everything from security systems and lighting to refrigerators and watches are connecting to our wireless and wired networks. Given this technological integration, organizations are able to implement unified control centers called building automation systems (BASs). A BAS is a centralized management system to manage and monitor facilities and environmental technologies. Organizations are providing increased employee comfort, productivity, cost-savings, and efficiencies due to better management, monitoring, notifications, logging, and maintenance tasks being performed by an advanced and unified toolset. EXAM TIP Despite their “newness,” building automation systems may be inherently vulnerable due to their occasional similarities to the equipment that hackers have been hacking for decades. For example, SNMP is commonly used by building automation systems due to its emphasis on both management and monitoring. SNMPv3 should be utilized in order to provide the cryptographic support lacking in SNMPv1 and SNMPv2. Proper user account and password management will be needed, firmware and software will need updating, plus configuration baselines and other hardening procedures are needed to lock the BAS down.
IP Video With camera devices built into our laptops, smartphones, and tablets, and even connected externally to a lot of desktop systems, organizations are able to improve both their collaboration and surveillance capabilities. Many organizations are installing IP-based cameras throughout the building to perform video surveillance of critical areas and systems. Although discussed at greater length in Chapter 16, the most common usage of IP video is for video conferencing. With IP video devices, people are able to attend “face-to-face” meetings remotely, teach or attend classes online, and have remote job interviews, all the while saving time and money on travel expenses. Given the prevalence of IP video in today’s business and consumer markets, be mindful of the following considerations:
• IP video is bandwidth-intensive. Make sure you have more bandwidth than you need. • Most IP video conversations lack encryption capabilities, which increases the risk of packet sniffing, man-in-the-middle attacks, and session hijacking. • Implement quality of service (QoS) to guarantee connection quality. • If you’re storing video data long term, make sure you have adequate storage.
05-ch05.indd 197
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
198
HVAC Controllers Heating, ventilation, and air conditioning (HVAC) controllers allow us to centrally control the heating and cooling temperatures for the enterprise. It goes without saying how important the physical comfort of employees is to the success of an organization. To keep everyone happy, organizations typically put their HVAC systems on autopilot. This will help cut operational costs, reduce management overhead, and ensure that employee comfort is maintained throughout business hours. To that end, HVAC systems are configured with “floors” (minimums) and “ceilings” (maximums). For example, if the temperature goes below 72 degrees, the heater turns on to raise the temperature. If the temperature reaches 78 degrees, the A/C turns on to reduce the temperature. The system will probably remain on standby while temperatures are in between those two values. After business hours, the system will turn off to cut down on power usage and reduce wear and tear. Despite the central management provided by HVAC controllers, they are still isolated from the rest of the facilities and IT networks. Our recent coverage of building automation systems calls for the integration of HVAC into the rest of our facilities networks to further centralize management and improve operational efficiencies. We use a protocol called BACnet/IP, abbreviated as B/IP to make BACnet IP-friendly and allow interfacing with BAS networks. NOTE The infamous Target 2013 hack took place as a result of attackers stealing the credentials from a third-party HVAC company that had access to Target’s payment system network. Although the integration of HVAC into our BAS improves our management capabilities, we still need to provide suitable HVAC isolation from the rest of the IP network to prevent breaches such as these.
Sensors Sensors are crucial in our facilities and networks because they allow our technologies to understand important environment measurements and when changes occur. It’s important that sensors quickly react to changes in the environment because changing conditions can affect everything from the performance and availability of systems, to our physical health and safety. In HVAC systems, sensors are used to help measure temperatures, but what about the sensors from a smoke alarm detecting smoke? Sensors can also detect motion, sound, space utilization, air pressure, humidity levels, voltage, oxygen, mold, and even carbon monoxide levels. Since sensors are specific to a type of technology, the risks, threats, and exposures common to them will vary from one technology to the next. A hacker compromising an HVAC is not nearly as dangerous as a compromised smoke alarm or carbon monoxide sensor. Regardless, these things can and will be hacked—it’s just a matter of time. We must perform risk assessments of all equipment, including the facilities equipment that contain physical sensors in order to find vulnerabilities and mitigate them before it’s too late.
05-ch05.indd 198
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
199
Physical Access Control Systems
• Proximity readers The reader is installed in the wall and admits a person into an area if that individual places an approved and activated card onto the reader. This is a convenient method but is subject to people forgetting to bring their cards. • Biometric readers Similar to a proximity reader, but instead people place their finger on the biometric reader, or position their eye in alignment and within range of the reader. This is more convenient than a proximity reader because if the fingerprint feature is used, people are not likely to forget their fingers at home. • Mantraps To prevent unauthorized individuals from tailgating or piggybacking through a door behind other authorized individuals, we can use mantraps. Mantraps are a combination of a room with two doors, one on each end. A mantrap forces authorized staff members to enter the first door alone, provide credentials again in the room, and then exit through the second door before anyone else can enter through the first door. If two individuals try to enter through the first door at the same time, an alert will warn them that one individual must leave the room; otherwise, a security or law enforcement person will be notified. These are more common in highly sensitive environments.
PART II
Physical access control systems help determine if access to a building, area, or room should be permitted or not. As this book will often state, physical security is the most important kind of security there is; therefore, organizations must invest heavily in physical access control systems to protect not only our physical and digital assets, but also the lives of the people and customers in the establishment. Other than common methods like doors and locks, the following are some examples of physical access control systems:
A/V Systems Add audio/video (A/V) systems such as TVs, projectors, surveillance, video-conferencing devices, live-broadcast devices, microphones, and speakers to the long list of devices connected to our networks. Many enterprises have lobbies with a wall-mounted TV broadcasting company products, employee recognition awards, and PowerPoint slides, as well as radios playing music in the background, cameras taking picture IDs of visitors, and an IP camera performing lobby surveillance. The IP camera and TV in particular are likely being controlled remotely by a client or server application. Any A/V systems that are attached to the network infrastructure are subject to malicious attacks. They are subject to DoS attacks and data being intercepted in transit. Also, they can be remotely controlled by a hacker, who can then aim the camera and adjust the camera and microphone sensitivity levels for increased surveillance. If any of these devices have firmware, updating the firmware to the latest version is important as a security countermeasure. Also, basic hardening practices should be observed on the clients or servers that manage these devices remotely, including patching, strong password policies, locking systems when not in use, encrypting traffic between clients and A/V devices, and disabling microphones, cameras, and speakers when not in use.
05-ch05.indd 199
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
200
Scientific/Industrial Equipment If you haven’t noticed by now, just about all technology is connecting to TCP/IP networks. It’s not just home security systems, cars, airplanes, toys, and refrigerators, but also scientific, medical, and industrial equipment. Although this integration with IP provides a host of benefits, including easier management, monitoring, reporting, and communication within and across different business teams, there’s also the increased security and privacy risks that naturally arise from the convenience of integration. Imagine healthcare devices such as MRI machines, CAT scan machines, and X-ray machines being hacked into. Not only can hackers compromise millions of dollars’ worth of medical equipment, but there’s also the risk of electronic health records (EHRs) being leaked or held for ransom. Industrial facilities such as warehouses may have much older equipment that doesn’t support cryptography. This subjects the organization to eavesdropping and various other threats common to plaintext network traffic.
Critical Infrastructure
Critical infrastructure refers to systems that are essential to the health and safety of a society or economy. If something were to happen to the infrastructure of food producers, health services, power generators, telecommunications, defense systems, water supplies, agricultural systems, or pharmaceuticals, our well-being could be in significant danger. With critical infrastructures migrating further into IT wheelhouses, IT and security professionals must have knowledge of the workings of critical infrastructures and how to secure them. As the SCADA worm called Stuxnet made clear to the entire world, if nuclear facilities can be hacked in order to halt nuclear progression, what can’t be hacked? Today’s critical infrastructure systems are increasingly controlled by industrial control systems (ICSs). The most prominent examples are SCADA systems. SCADA systems were originally designed primarily for reliability and safety without security as a primary objective. SCADA systems are typically made up of several sensors for data collection, with a SCADA master system monitoring the sensor data, alerting an operator if a change-of-state (CoS) event occurs. Some SCADA systems incorporate system control functions, allowing for the automated response to CoS events. Because SCADA systems are commonly used to control the physical processes of industrial systems, including critical infrastructure, successful attacks can have a devastating impact in the physical world. For protection against remote attacks, do not connect SCADA systems to the Internet or other networks if you can possibly avoid it—what cannot be reached at all usually cannot be breached. However, sometimes communication over other networks is required. If SCADA systems must be connected to other networks, isolate the SCADA systems as much as possible in the following manner:
• Always protect the SCADA systems from other networks with a firewall. • Configure routers to restrict network traffic via access control lists (ACLs).
05-ch05.indd 200
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
201
• Use VLANs to facilitate secure communication between networks. • Filter traffic based on MAC address (although this can be spoofed). • Closely monitor all traffic passing on the VLANs and networks used for SCADA traffic.
• Replace default passwords with secure passwords. • Do not use the same password for different devices or users. • Change passwords on a regular basis. • Disable unused or unnecessary device features. • Configure banners and device names to reveal no information. • Manage the devices with secure hosts used for no other purpose. • Use physical access control and monitoring. • Perform regular security training and auditing.
PART II
Even isolated SCADA networks are vulnerable from onsite attacks or attacks on management devices. Here are some additional steps that should be taken in order to improve the security of the SCADA devices themselves:
Chapter Review
In this chapter we covered the integration of network and security components, concepts, and architectures to meet organizational security requirements. It began with a large section on physical security devices, which may also have virtual instances available. These physical security devices include UTMs, which consolidate multiple security devices into one. We also provided coverage of IDS/IPS devices, which scan network traffic to detect and stop attacks, respectively. We talked about how INE devices encrypt traffic on the fly over potentially insecure WAN links. We mentioned that NAC systems require connecting systems to comply with health requirements or be subjected to a quarantined status until remediation is provided. SIEM was discussed in terms of how it aggregates log information from multiple sources into a consolidated and analyzed format. We then ventured into more traditional network hardware, such as switches, which connect devices to a network, and physical firewalls, which filter traffic entering and leaving a network. We talked about wireless controllers and how they centralize the configuration and deployment of policies for all of the organization’s wireless access points. We talked about routers and how they connect networks to networks, and we talked about proxy servers, which connect to the Internet on behalf of internal systems. The next topic was load balancers and how they distribute traffic to one of multiple choices of endpoints based on utilization of those endpoints. The last two topics were HSMs and microSD HSMs. HSM devices help secure networks by being a root of trust for key generation as well as key and certificate signing, plus an authentication point for validated applications to be permitted or denied execution.
05-ch05.indd 201
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
202
The next section focused on application and protocol-aware technologies, beginning with WAFs. WAFs are application-level firewalls designed specifically to protect web applications from unauthorized traffic flows. The next topic was passive vulnerability scanners, which attempt to discover vulnerabilities in network traffic without interfering with the traffic flow itself. The last topic in this section was DAMs, which focus on monitoring databases for signs of malicious activity. The third section in this chapter went over advanced network design elements, beginning with remote access. The first remote access topic was VPN and how it enables workers to connect to organizational networks securely from anywhere. That lead us to the next related topic of IPSec, which helps perform the encryption that VPN depends on for security. Another way of securing VPN is through SSL/TLS-based security techniques, which are typically used for web connections. We then ventured over to SSH and the encryption benefits it provides for terminal emulation–based connections. Another popular remote access method is RDP, which is targeted at Windows systems for remote graphical control of other Windows systems. An alternative to RDP is VNC, which is a vendor-neutral remote desktop sharing application commonly used in scenarios where RDP is not practical or supported. We switched gears to discuss VDI, which is a thinclient scenario where clients can access their desktop and application environment on a remote server. We discussed how reverse proxy servers publish internal web applications for external access through the reverse proxy server. Given the steady migration from IPv4 to IPv6, we provided a brief discussion about how that migration can work and the basics of IPv6. We included coverage on various network authentication methods such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP, and 802.1x. We discussed mesh networks and their redundant links to all other endpoints. The final topic focused on placement of fixed/mobile devices, hardware, and applications, which centered around locating security systems in carefully chosen locations to maximize our security posture. The next section was on complex network security solutions for data flow. We began the section with coverage of DLP, which uses policies on certain data types to restrict unapproved movement or leakage of sensitive data. We then went into deep packet inspection, which involves application-level firewalls and next-generation firewalls scanning the data portion of packets to identify application fingerprints. We also covered data flow enforcement, focusing on how data may be restricted in terms of movement as well as the directions of movement within and across networks. That led us to a discussion on network flow (sFlow), which focused more on network monitoring considerations and best practices. We finished this section with coverage of data flow diagrams, which provide a visual for understanding data flows throughout the organization. We began the next section on secure configuration and baselining of networking and security components by discussing network baselining. Network baselining helps us identify normal and acceptable network performance levels so that we know what to strive for. Afterward, we covered configuration lockdown to “seal” the baseline configurations to prevent modification at a later date. We talked about change monitoring, which allows us to detect and prevent unauthorized changes to the network baseline. We discussed availability controls, which help keep the systems and their baselines available when needed by end users.
05-ch05.indd 202
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
203
05-ch05.indd 203
PART II
The following section was on software-defined networking, which uses centralized management tools, on-premises or in the cloud, to control the function of networking devices, whereas the devices themselves handle the actual forwarding of data. Another brief section followed on network management and monitoring tools. We began this section discussing the merits and criteria of alerts, particularly from the Snort application since it is very popular. We also went into alert fatigue, which happens whenever too many junk alerts desensitize the interest of administrators. We began the next section with coverage of advanced configurations of routers, switches, and other network devices. Transport security was discussed in order to ensure that network devices require cryptography for traffic in transit. We followed this up with coverage on trunking security, which identifies techniques for preventing both VLAN hopping and switch spoofing. Port security is crucial to switch security since it has the potential to prevent unauthorized users based on their unapproved MAC addresses. We talked about route protection techniques specific to the RIP, OSPF, and BGP routing protocols. DDoS countermeasures include patching, black hole routing, and bandwidth absorption, as well as remotely triggered black holes providing a DDoS countermeasure from the ISP. In the next section we discussed security zones, talking about the DMZ and the isolation it provides to the internal network while slightly exposing the perimeter network to Internet customers and remote workers. We also talked about the need for separating critical assets from the less-critical assets, and finally we talked about network segmentation through VLANs. The next section was on network access control and how it polices non-healthy devices from connecting to the network until they receive assistance from a remediation service, which is typically found on a remediation network. We followed this up with a discussion on persistent versus nonpersistent agents. Persistent agents survive after a connection ends, whereas nonpersistent agents dissolve immediately after the connection is terminated. We finished this section with a discussion on the need for agents on company devices, whereas personal devices can generally do without agents. The next-to-last section in the chapter discussed network-enabled devices, beginning with system on a chip. These all-in-one chips are frequently found on mobile devices and IoT devices. We then moved on to building/home automation systems, which simplify how organizations and residences manage their various non-IT equipment using centralized and automated tools. We talked about IP video, including its benefits, security issues, and mitigations. We covered HVAC controllers and their changing role, from operating in a silo to being integrated with the rest of the organization’s network infrastructure. We discussed the various sensors found in IT and facilities equipment and how they help us discover issues. The next topic was physical access control systems, which lead to mantrap doors, proximity readers, and biometric readers. We went into audio/video systems and the unique challenges they bring to an organization, and we finished the section discussing scientific and industrial equipment such as healthcare and warehouse systems. The final section in the chapter focused on critical infrastructure components such as the industrial control system known as SCADA. We talked about the continued integration of SCADA systems into IP networks and the unique benefits and challenges that brings to the organization.
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
204
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Physical and Virtual Network and Security Devices • Unified threat management (UTM) incorporates the functions of multiple network and security appliances into a single appliance. • An NIPS/NIDS identifies intrusion attempts by examining network traffic, potentially looking at both the header and contents of packets being transmitted. • Inline network encryptors (INEs) are devices that encrypt sensitive information en route between sources and destinations across insecure networks like the Internet and company WAN links. • NAC improves network security by employing policies that mandate devices meet certain security minimums before being granted network access. • Security information and event management (SIEM) utilities analyze and correlate logs and events from multiple sources as well as provide real-time alerting features. • Switches are network appliances that connect devices such as workstations, servers, and printers together to form a network. • Network firewalls are devices that evaluate incoming and outgoing traffic to determine if the traffic should be allowed or denied entry across a network boundary. • Wireless controllers are network appliances or software solutions that enable administrators to centralize security configurations across multiple WAPs simultaneously. • Routers are devices that connect networks to networks in order to forward traffic based on network addresses such as IP addresses. • Proxy servers are hardware or software systems that act as connection intermediaries between internal clients and Internet resources. • Load balancers are network devices or programs that distribute traffic across a group of similar servers known as a server farm or pool, in order to increase server performance and availability. • Hardware security modules (HSMs) are devices that provide key generation and safeguarding services, speed up specific cryptographic operations on platforms requiring strong authentication, and provide access control capabilities. • MicroSD HSMs are tiny HSM cards that plug into the microSD ports of smart devices such as Android smartphones and tablets.
05-ch05.indd 204
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
205
Application and Protocol-Aware Technologies
Advanced Network Design (Wired/Wireless)
PART II
• Web application firewalls (WAFs) specialize in the monitoring and filtering of unauthorized and malicious traffic sent to and from web applications to provide them with protection against various Internet threats. • Passive vulnerability scanners (PVSs) analyze network traffic in order to nonintrusively discover vulnerabilities with organizational assets. • Database activity monitors (DAMs) monitor the transactions and other activity of database services. • Many organizations treat remote access traffic as potentially hostile and do not allow remote access traffic to come directly into the internal network. • A virtual private network (VPN) offers security by tunneling data across a network through the use of technology that offers a secure means of transport. • Internet Protocol Security (IPSec) is a suite of protocols for securing packets that traverse an IP network. • SSL is a protocol for securing communication sessions over IP networks, whereas TLS is its more powerful and relevant successor. • Secure Shell (SSH) is a protocol for obtaining a remote shell session with an operating system over a secured channel, using TCP port 22. • Remote Desktop Protocol (RDP) provides a secure, graphical, remote access connection over a network between computers via port 3389. • Virtual Network Computing (VNC) is a platform-independent graphical desktop sharing protocol that uses the Remote Frame Buffer (RFB) protocol. • Virtual Desktop Infrastructure (VDI) involves the hosting of a desktop OS within a virtual environment on a centralized server. • Reverse proxy servers provide Internet devices with access to servers behind an enterprise firewall. • PAP is an authentication protocol that sends credentials over the network in plaintext. • CHAP uses a 3-way handshake and an encrypted hash of the password to authenticate to other devices. • MS-CHAP is Microsoft’s first proprietary implementation of CHAP. It provides better password storage than CHAP but is otherwise considered weak by today’s standards. • MS-CHAPv2 provides mutual authentication between endpoints to prevent rogue server attacks and other nonrepudiation and integrity violations. It also uses different keys for sending and receiving.
05-ch05.indd 205
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
206
• EAP is a framework for plugging in more powerful hardware and software authentication methods, ranging from smart cards and fingerprint readers to PKIs and certificates. • PEAP enhances EAP by encrypting it in a TLS tunnel. • LEAP was designed to use Wired Equivalent Privacy (WEP) for security and therefore should be discarded in favor of stronger methods like EAP-PEAP. • The 802.1x standard is a port-based network access control method that requires users to authenticate prior to connecting to a wired or wireless network. • Mesh networks involve all devices being directly connected to all other network devices in order to increase path redundancy and, thus, the availability of the network. • Placement of security devices must take several factors into consideration, such as the purpose of the device, its own survivability, and at what point you want this device to interact with the network traffic.
Complex Network Security Solutions for Data Flow • Monitoring data flows allows organizations to detect sensitive information leaving the network. • The goal of data loss prevention (DLP) is to monitor, detect, and prevent the loss of sensitive data. • Deep packet inspection (DPI) occurs when application-level and next-generation firewalls scan and analyze the header, state, and data portions of packets before allowing or dropping them. • Data flow enforcement refers to the secured and controlled flow of data within a device, between devices within a network, and across other networks. • A network flow is a sequence of packets transferred from a sending host to one or more receiving hosts. • sFlow is a method for monitoring traffic in switched and routed networks. • Data flow diagrams graphically represent the data flow that occurs between computer systems on a network.
Secure Configuration and Baselining of Networking and Security Components • Baselining allows us to document what the normal and acceptable levels of performance are and to use this performance level as the measuring stick for future measurements. • Configuration lockdown seals the configurations into our network devices to prevent unauthorized changes. • Change monitoring checks for signs of failed or successful attempts at modifying our network’s configuration baselines as well as any signs of unauthorized devices or behaviors being introduced into the network.
05-ch05.indd 206
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
207
• Availability controls help ensure data is accessible and resistant to failure. • ACLs are lists of rules that we apply on routers, firewalls, and so on, in order to, for example, define what packets are permitted or denied entry through a network interface.
Software-Defined Networking PART II
• Software-defined networking (SDN) centralizes the configuration and control of network devices. • SDN decouples the control element of network devices from the forwarding element. • The control element refers to the router’s responsibility over its internal routing table and protocol operations. • The forwarding element simply forwards traffic based on the information in the routing table. • Cloud computing providers thrive on SDN since the centralization of network device management will enable automation of network management and configuration changes, in addition to monitoring. • SDN improves operational efficiencies, which in turn reduces overall costs, addresses vendor lock-in challenges, cuts costs on hardware, and creates more consistent security configurations on disparate networking devices.
Network Management and Monitoring Tools • Auditing is the practicing of determining who to hold accountable for recorded actions. • Logging is the practice of recording activities into a file for troubleshooting, tracking, and evidence collection purposes. • Sniffers capture and analyze network traffic. • Network devices send us alerts to keep us aware of changing and malicious conditions that require immediate attention. • Alert fatigue occurs when administrators stop paying attention to alerts due to too many false positives.
Advanced Configuration of Routers, Switches, and Other Network Devices • TLS and SSL provide confidentiality and integrity for application layer protocols such as HTTP, SNMP, and SIP. • Trunking security helps mitigate various switch attacks, including switch spoofing and double-tagging attacks. • Port security helps provide assurances that only approved devices are permitted to communicate on its ports.
05-ch05.indd 207
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
208
• Route protection ensures routing table contents, transmissions, and router configurations are protected from unauthorized access and modification. • DoS attacks involve a single threat actor attacking a system in a way that renders its services unusable. • A remotely triggered black hole (RTBH) is a more advanced type of black hole routing in that ISPs react to DDoS attack traffic by triggering an immediate routing table update to deny traffic from affecting a destination company network.
Security Zones • Security zones allow organizations to create a secure environment by choosing appropriate security levels for different networks. • DMZs are perimeter networks that simultaneously protect the internal network while providing secured access to edge resources. • Separation of critical assets provides the strongest level of isolation to the most important assets. • Network segmentation creates layers of security between the organization’s critical or sensitive assets and the outside environment from which attacks might be launched.
Network Access Control • Clients not compliant with network access control policies are quarantined to a restricted network where they seek remediation for their deficiencies, such as missing Windows updates or antivirus definitions. • Agent software runs on NAC clients in order to perform authentication and compliance checking prior to connecting to an organization. • Persistent agents will reside on the client after connections are severed. • Nonpersistent agents will disappear from a client once a connection is ended. • Agents are commonly used on trusted devices that reside within or external to the organization for long stretches of time. • Agentless clients are common for devices that are not owned by the organization.
Network-Enabled Devices • Network-enabled devices refer to devices that have only recently started integrating with IP networks. • SoCs are electronic devices that combine the functions of CPUs, memory, and other hardware onto a single circuit board. • Building automation systems are centralized management systems that manage and monitor facilities and environmental technologies. • IP-based cameras provide video surveillance of critical areas and systems.
05-ch05.indd 208
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
209
PART II
• Heating, ventilation, and air conditioning (HVAC) controllers allow us to centrally control the heating and cooling temperatures for the enterprise. • Sensors are crucial in our facilities and networks because they allow our technologies to understand important environment measurements and when changes occur. • Physical access control systems help determine if access to a building, area, or room should be permitted or not. • Audio/video (A/V) systems such as TVs, projectors, surveillance, videoconferencing, live-broadcast devices, microphones, and speakers are now routinely connected to the network and are therefore subject to attacks. • Scientific and industrial systems are merging with IP networks and are now subject to the same risks, threats, and vulnerabilities.
Critical Infrastructure • Critical infrastructure refers to systems that are essential to the health and safety of a society or economy. • If something were to attack the infrastructure of food producers, health services, power generators, telecommunications, defense systems, water supplies, agricultural systems, or pharmaceuticals, our well-being could be in significant danger. • SCADA systems are commonly used to control the physical processes of industrial systems, including critical infrastructure.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Segmenting remote access traffic allows you to do which of the following? A. Treat remote access traffic as potentially hostile. B. Filter traffic through a firewall and IDS/IPS. C. Verify the patch and antivirus status of remote users before allowing them to
connect to the organizational network. D. All of the above. 2. If you’re looking to get maximum visibility into attacks launched at your organization from hostile Internet sources, where would you place an IDS/IPS? A. Right behind the main firewall between your organization and the Internet B. Between your server farm and user base C. In front of the main firewall between your organization and the Internet D. In the DMZ, preferably next to a web server
05-ch05.indd 209
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
210
3. Which of the following is not a best practice when securing SCADA networks? A. Replace default passwords. B. Filter traffic based on MAC address. C. Place SCADA devices on VLANs with other Internet-visible traffic. D. Perform regular auditing of devices.
4. Which of the following is an advantage of IPv6 over IPv4? A. Smaller address space B. Widely used by most organizations C. Support for IPSec and better QoS capabilities D. Protocol and Type of Service fields in header
5. Which of the following device types is likely to provide multiple security and network services, including DLP, QoS, and VPN services? A. UTM B. Router C. Proxy server D. Firewall
6. Which of the following modern physical access control systems provides consolidated IP-based control over all facilities equipment? A. HVAC controller B. BAS C. SoC D. SCADA
7. Which of the following IPv6 tunneling methods can traverse a NAT device? A. Teredo B. 6to4 C. ISATAP D. SIEM
8. Hardware security modules perform which security functions for an enterprise? (Choose all that apply.) A. Sniffing the network in search of malicious or unapproved traffic B. Safeguarding of keys C. Key generation D. Preventing execution of unauthorized applications
05-ch05.indd 210
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
Chapter 5: Network Security Components, Concepts, and Architectures
211
9. A common multitier network architecture might consist of which of the following layers? A. DMZ, SAN, and VLAN tier B. DMZ, application tier, and data tier C. NAS, DMZ, and data tier D. Public tier, private tier, and FMZ A. Determine the placement of firewalls and other perimeter devices. B. Identify network components and their security needs.
PART II
10. What is the first step in secure infrastructure design?
C. Identify supported protocols. D. Catalog applications that will be used within the network.
11. Which of the following guidelines should be used when configuring routers and switches? A. Do not enable DHCP or BOOTP for edge routers. B. Use Telnet for access to management interfaces. C. Disable MAC filtering on internal switches. D. Configure ACLs to only monitor traffic originating from outside your network.
12. What are the two common types of VLAN-hopping attacks? A. Switch spoofing and double tagging B. MAC switching and reverse tagging C. Route poisoning and DDoS D. ARP spoofing and reverse VLAN injection
13. Where is the Open Shortest Path First (OSPF) routing protocol most commonly used? A. As an internal routing protocol B. Between gateway routers C. Between DMZs and external firewalls D. For dynamic routing updates given to remote access users
Answers 1. D. Segmenting network traffic allows you to treat remote access traffic as potentially hostile, filter traffic through a firewall and IDS/IPS, and verify the patch and antivirus status of remote users before allowing them to connect to the organizational network.
05-ch05.indd 211
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 5
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
212
2. C. The best place to view and analyze attacks originating from Internet sources is on your main network link between your firewall and your Internet connection. 3. C. You specifically want to avoid placing SCADA devices in situations where they are exposed to Internet-visible traffic such as in a DMZ. 4. C. IPv6 has integrated support for IPSec and better QoS capabilities than IPv4. 5. A. UTM devices integrate numerous security and networking functions into a single all-in-one device. 6. B. Building automation systems (BASs) integrate and automate building systems management across an IP network. 7. A. Teredo tunnels can traverse NAT devices. 8. B, C, D. Among other things, HSMs can provide safeguarding of cryptographic keys and key generation services as well as prevent the execution of unauthorized applications. 9. B. A common multitier architecture might consist of a DMZ, application tier, and data tier. 10. B. Identifying network components and their security needs is the first step in secure infrastructure design. 11. A. DHCP and BOOTP should not be enabled on edge routers. 12. A. The two main types of VLAN-hopping attacks are switch spoofing and double tagging. 13. A. The Open Shortest Path First (OSPF) routing protocol is most commonly used as an internal routing protocol.
05-ch05.indd 212
11/03/19 6:58 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CHAPTER
Security Controls for Host Devices
6
This chapter presents the following topics: • Trusted operating system • Endpoint security software • Host hardening • Boot loader protections • Vulnerabilities associated with hardware • Terminal Services/application delivery services
It’s not inline network encryptors, proxy servers, and load balancers that users directly interface with each day but rather the host devices such as desktops and laptops. Given the users’ laser focus on these device types, hackers will be equally focused on attacking them. Naturally, we must match the attacker’s effort with a myriad of security controls that specifically secure host devices. In this chapter, we take a look at trusted operating systems to serve as a starting point for a secure computer. Next, we dive into endpoint security software, which is composed of a variety of security tools designed to secure the local computer. We follow this up with host-hardening techniques, which involve various configurations and changes to default settings to lock down a host device. After that we look at boot loader protections to ensure that a computer boots up securely. The last two sections tackle hardware vulnerabilities as well as Terminal Services and application delivery services. By locking down the host devices, users will be assured of a secure and productive working environment to help achieve company objectives.
Trusted Operating System
The concept of a trusted operating system has been around since even before the days of the DoD Trusted Computer System Evaluation Criteria (TCSEC), known as the “Orange Book.” In the early days of computer security, it was believed that if a trusted computing base (TCB) could be built, it would be able to prevent all security issues from occurring. In other words, if we could just build a truly secure computer system, we
213
06-ch06.indd 213
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
214
could eliminate the issue of security problems. Although this is a laudable goal, the reality of the situation quickly asserted itself—that is, no matter how secure we think we have made the system, something always seems to happen that allows a security event to occur. The discussion turned from attempting to create a completely secure computer system to creating a system in which we can place a certain level of trust. Thus, the Orange Book was developed in which different levels were defined related to varying levels of trust that could be placed in systems certified at those levels. The Orange Book, although containing many interesting concepts that are as valid today as they were when the document was created, was replaced by the Common Criteria (CC), which is a multinational program in which evaluations conducted in one country are accepted by others that also subscribe to the tenets of the CC. At the core of both the Orange Book and the CC is this concept of building a computer system or device in which we can place a certain amount of trust and thus feel more secure about the protection of our systems and the data they process. The problem with this concept is that common operating systems have evolved over the years to maximize ease of use, performance, and reliability. The desire for a general-purpose platform on which to install and run any number of other applications does not lend itself to a trusted environment in which high assurance often equates to a more restrictive environment. This leads to a generalization that if you have an environment requiring maximum flexibility, a trusted platform is not the way to go. In general, somebody wanting to utilize a trusted operating system probably has a requirement for a multilevel environment. Multilevel security is just what its name implies. On the same system you might, for example, have users who have Secret clearance as well as others who have Top-Secret clearance. You will also have information that is labeled as Secret and other information that is Top-Secret stored on the system. The operating system must provide assurances that individuals who have only a Secret clearance are never exposed to information classified as Top-Secret, and so forth. Implementation of such a system requires a method to provide a label on all files (and a similar mechanism for all users) that declares the security level of the data. The trusted operating system will have to make sure that information is never copied from a document labeled Top-Secret to a document labeled Secret because of the potential for disclosing information. In the Common Criteria, the requirements for implementing such a system are described in the Labeled Security Protection Profile. In the older Orange Book, this level of security was enabled through the implementation of mandatory access control (MAC). Some vendors have gone through the process of obtaining a certification verifying compliance with the requirements for multilevel security, resulting in products such as Trusted Solaris. Other products have not gone through the certification, but may still provide an environment of trust allowing for this level of separation. An example of this is Security-Enhanced Linux (SELinux). Microsoft, which has seen many vulnerabilities discovered in its Windows operating systems, attempted to address this issue of trust with its Next-Generation Secure Computing Base (NGSCB) effort. This effort highlighted what has been stated about trusted platforms because it offered users the option of a more secure computing environment, but this came at the expense of giving up a level of control as to what applications and
06-ch06.indd 214
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
215
PART II
files could be run on an NGSCB PC. The Microsoft initiative was announced in 2002 and given the code name Palladium. It would have resulted in a secure “fortress” designed to provide enhanced data protection while ensuring digital rights management and content control. Two years later, Microsoft announced it was shelving the project because of waning interest from consumers, but then turned around and said the project wasn’t dead completely but was just not going to take as prominent a role. A little clarification is important at this point. Another term that is often heard related to the subject of trusted computing is “trustworthy computing.” The two are not the same. A trusted system is one in which a failure of the system will break the security policy upon which the system was designed. A trustworthy system, on the other hand, is one that will not fail. Trustworthy computing is not a new concept, but it has taken on a larger presence due to the Microsoft initiative by the same name. This initiative is designed to help instill more public trust in the company’s software by focusing on the four key pillars of security, privacy, reliability, and business integrity. EXAM TIP Make sure you understand the concept of multilevel security; it is not simply implemented by normal access control mechanisms, such as is seen in most Windows- and Unix-based operating systems. Multilevel security implements multiple classification levels, and the operating system has to maintain separation between these levels of all data and users.
The CC implemented Evaluation Assurance Levels (EALs) to rate operating systems according to their level of security testing and design. Although the CC has deprecated EALs, they still might appear on the exam due to historical relevance. Here is a breakdown of the different EAL levels:
• EAL1: Functionally Tested • EAL2: Structurally Tested • EAL3: Methodically Tested and Checked • EAL4: Methodically Designed, Tested, and Reviewed • EAL5: Semi-formally Designed and Tested • EAL6: Semi-formally Verified Design and Tested • EAL7: Formally Verified Design and Tested EXAM TIP The CC has replaced EALs with Protection Profiles. The reason for this is the widespread belief that many operating system vendors were doctoring their EAL scores by manipulating the evaluation process. As a result, EALs assigned to operating systems should be taken with a grain of salt. Protection Profiles promise to provide greater consistency, repeatability, and objectivity to all evaluation testing to counter such tactics.
06-ch06.indd 215
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
216
Although most users won’t have a need for a highly trusted operating system, you’ll find these systems in various high-security government and military environments. What they lack in functionality and ease of use they make up for with security. Such an operating system will have a steeper learning curve, but this is a necessary sacrifice for the furtherance of national security. What follows in the next few topics are examples of trusted operating systems.
SELinux A project of the National Security Agency (NSA) and the Security-Enhanced Linux (SELinux) community, SELinux is a group of security extensions that can be added to Linux to provide additional security enhancements to the kernel. SELinux provides a mandatory access control (MAC) system that restricts users to policies and rules set by the administrator. It also defines access and rights for all users, applications, processes, and files on the OS. Unlike many OSs, SELinux operates on the principle of default denial, where anything not explicitly allowed is implicitly denied. SELinux is commonly implemented on Android distributions, Red Hat Enterprise Linux, CentOS, Debian, and Ubuntu, among many others. SELinux can operate in one of three modes:
• Disabled SELinux does not load a security policy. • Permissive SELinux displays warnings but does not enforce security policy. • Enforcing SELinux enforces security policy.
SEAndroid As stated previously, SELinux commonly runs on Android, hence the adapted version called SEAndroid. As of Android version 4.4 (KitKat), Android supports SEAndroid with the “enforcing” mode, which means that permission denials are not only logged but also enforced by a security policy. This helps limit malicious or corrupt applications from causing damage to the OS. The benefits described previously for SELinux have been grafted onto the Android OS.
Trusted Solaris Although deprecated now in favor of Solaris Trusted Extensions, Trusted Solaris was a group of security-evaluated OSs based on earlier versions of Solaris. The Solaris Trusted Extensions added enhancements to Trusted Solaris, including accounting, auditing, device allocation, mandatory access control labeling, and role-based access control.
Least Functionality The principle of least privilege (or functionality) is a requirement that only the necessary privileges are granted to users to access resources—nothing more and nothing less. If a task exists that is not explicitly in a user’s job description, they should not be able to perform that task. This helps limit the permissions and rights of users to prevent unauthorized behaviors, not to mention causing accidental damage to their own systems.
06-ch06.indd 216
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
217
It also prevents any malware running on their systems from easily escalating privileges. As a result, least functionality helps achieve the goals of a trusted operating system.
Endpoint Security Software
PART II
Endpoint security refers to a security approach in which each device (that is, endpoint) is responsible for its own security. That is not to say that other layers of security aren’t required, but rather the endpoint must also directly contribute to its own security as well. We have already discussed an example of endpoint security: the host-based firewall. Instead of relying solely on physical network firewalls to filter traffic for all hosts on the network, the host-based firewall implements filtering specifically at the host endpoint. Often, other security mechanisms such as virtual private networks (VPNs) will make it harder for network security devices (such as intrusion detection systems) to do their job because the contents of packages will be encrypted. Therefore, if examination of the contents of a packet is important, it will need to be done at the endpoint. A number of very common software packages are also designed to push protection to the devices, including antimalware, antivirus, anti-spyware, and spam-filtering software, to name a few. We will discuss each of these, and more, in this section.
Antimalware Antimalware software is a general-purpose security tool designed to prevent, detect, and eradicate multiple forms of malware such as viruses, worms, Trojan horses, spyware, and more. The term “malware” is short for malicious software and encompasses a number of different pieces of programming designed to inflict damage on a computer system or its data, to deny use of the system or its resources to authorized users, or to steal sensitive information that may be stored on the computer. NOTE Malware is often mischaracterized as a type of malicious software akin to viruses or worms. To be clear, viruses and worms are a type of malware, and malware is the general category to which viruses, worms, spyware, and so on belong.
For malware to be effective, its malicious intent generally must be concealed from the user. This can be done by attaching the malware to another program, or making it part of the program itself—while still remaining hidden. One of the things that malware will often do is to attempt to replicate itself (in the case of worms and viruses, for example), and often the nefarious purpose may not immediately manifest itself so that the malware can accomplish maximum penetration before it performs its destructive purpose. Although most of us are guilty of calling malware a “virus,” we need to be much more specific for the exam, as shown in the following list:
• Virus Malicious code that replicates after attaching itself to files on a victim’s device. When the victim’s files run, the virus is able to execute its payload. In other words, viruses cannot replicate on their own.
06-ch06.indd 217
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
218
• Worm Self-replicating malicious code that can execute and spread independently of the victim’s applications or files. Unlike viruses, worms replicate on their own with zero human intervention. • Trojan horse Malicious code disguised as seemingly harmless or friendly code. • Spyware Malware that collects sensitive information about infected victims. • Rootkit A stealth-like group of files that seek administrator or root privileges for total and near-invisible control of a device. Some rootkits can obtain kernellevel privileges on the device, which makes them difficult to detect and eradicate. • Ransomware Malicious software that encrypts the victim’s files or threatens to publish them unless the victim pays a timely ransom—usually in the form of cryptocurrency for untraceability. • Keylogger Software (or hardware) that captures a victim’s physical keystrokes on the keyboard. Although not necessarily illegal, many keyloggers are used for capturing passwords and other sensitive information. • Grayware Software that behaves in an irritating or abnormal way, but isn’t classified with the more destructive forms of malware like viruses, worms, and Trojan horses. For example, grayware might change your home page, rearrange your desktop icons, or perform other annoying actions. • Adware Applications that generate unwanted pop-ups or advertisements. Like grayware, adware generally isn’t considered a “major league” form of malware, but that doesn’t mean it can’t be. • Logic bomb A form of malware that only runs after certain conditions are met, such as a specific date/time or when the Calculator application has been launched 15 times. Many security vendors that create antimalware create applications designed to prevent, detect, and remove malware infections. The preferred route is to prevent infection in the first place. Antimalware packages that are designed to prevent installation of malware on a system provide what is known as real-time protection, because in order to prevent infection, the antimalware package must spot an attempt to infect a system and prevent it from occurring. Antimalware packages designed to detect and remove malware will perform scheduled or manual scans of the computer system, which includes all files, programs, and the operating system. Real-time protection requires the antimalware package be run continuously, whereas detect-and-remove antimalware packages can be run on an occasional basis. EXAM TIP Know the different types of malware and the different software applications that will defend against them. Not all products will protect against all types of malware. Some may be designed to protect against spyware or others viruses, and still others may do both.
06-ch06.indd 218
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
219
Antivirus Although most of today’s antimalware tools target multiple forms of malware, many businesses still use tools that are more limited in scope, such as antivirus software. Antivirus software is designed specifically to remediate viruses, worms, and Trojan horses—and that’s about it. Such tools can accomplish their goal in a couple of ways: PART II
• Signature-based detection A detection method that looks for patterns of data known to be part of a virus. This works well for viruses that are already known and are not known to evolve or change—as opposed to polymorphic viruses that can modify themselves in order to avoid signature-based detection. Another method to detect such self-modifying viruses is to analyze code in order to allow for slight variations of known viruses. This will generally allow the antivirus software to detect viruses that are a variant of an older virus, which is quite common. • Heuristic-based detection A detection method based on analysis of code in order to detect previously unknown or new variants of existing viruses. The new viruses that have not been seen before are often referred to as zero-day (or 0-day) viruses or threats. EXAM TIP Sandboxing suspected malicious content is another method of discovering and eradicating malware. A sandbox is a tightly controlled environment that only allows certain access by the program to control the potential for undesirable activity. If the code attempts to do anything that appears to be malicious, an alarm is generated and the program is either deleted or quarantined. If no malicious activity is detected, the file is allowed.
Because virus detection is an inexact science, two possible types of errors can occur. A false-positive error is one in which the antivirus program decides that a certain file is malicious when, in fact, it is not. A false-negative error occurs when the antivirus software decides that a file is safe when it actually does contain malicious content. Obviously, the desire is to limit both of these errors. The challenge is to “tighten” the system to a point so that it catches all (or most) viruses while rejecting as few benign programs as possible. When you’re selecting an antivirus vendor, one important factor to consider is how frequently the database of virus signatures is updated. With variations of viruses and new viruses occurring on a daily basis, it is important that your antivirus software uses the most current list of virus signatures in order to stand a chance of protecting your systems. Most antivirus vendors offer signature updating for some specified initial period of time—for example, one or two years. At the conclusion of this period, a subscription renewal will be required in order to continue to obtain information on new threats. Although it is tempting to let this ongoing expense lapse, this is not generally a good idea because your system would then only be protected against viruses that are known up to the point when you quit receiving updates.
06-ch06.indd 219
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
220
Anti-Spyware Spyware is a special breed of malicious software. It is designed to collect information about the users of the system without their knowledge. The type of information that may be targeted by spyware includes Internet surfing habits (sites that have been visited or queries that have been made), user IDs and passwords for other systems, and personal information that might be useable in an identity theft attempt. EXAM TIP A special type of spyware is keyloggers. A keylogger will record all keystrokes an individual makes, thus providing an exact image of the activity of the user. Although keyloggers are often part of malicious software installed on a system as a result of an individual running a program or clicking a link that they should not have, keyloggers can also be installed by the owner of a computer in order to monitor employees or other individuals who use the system.
Anti-spyware is designed to perform a similar function to antivirus software, except its purpose is to prevent, detect, and remove spyware infections. Windows Defender was originally just an anti-spyware tool but has since incorporated multiple forms of malware eradication into its purview. Anti-spyware software can be employed in a realtime mode to prevent infection by scanning all incoming data and files, attempting to identify spyware before it can be activated on the system. Alternatively, anti-spyware software can be run periodically to scan all files on your system in order to determine if it has already been installed. It will concentrate on operating system files and installed programs. Similar to antivirus software, anti-spyware software looks for known patterns of existing spyware. As a result, anti-spyware software also relies on a database of known threats and requires frequent updates to this database in order to be most effective. Some anti-spyware software does not rely on a database of signatures but instead scans certain areas of an operating system where spyware often resides. Writers of spyware have gotten clever in their attempts to evade anti-spyware detection. Some now have a pair of programs that run (if you were not able to prevent the initial infection) and monitor each other so that if one of the programs is killed, the other part of the pair will immediately respawn it. Some spyware also watches special operating system files (such as the Windows registry), and if the user attempts to restore certain keys the spyware has modified, or attempts to remove registry items it has added, it will quickly set them back again. One trick that may help in removing persistent spyware is to reboot the computer in safe mode and then run the anti-spyware package to allow it to remove the installed spyware.
Spam Filters Spam is the term used to describe unsolicited bulk e-mail messages. It is also often used to refer to unsolicited bulk messages sent via instant messaging, newsgroups, blogs, or any other method that can be used to send a large number of messages. E-mail spam is also sometimes referred to as unsolicited bulk e-mail (UBE). It frequently contains
06-ch06.indd 220
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
221
PART II
commercial content, and this is the reason for sending it in the first place—for quick, easy mass marketing. Increasingly today, e-mail spam is sent using botnets, which are networks of compromised computers that are referred to as bots or zombies. The bots on the compromised systems will stay inactive until they receive a message that activates them, at which time they can be used for mass mailing of spam or other nefarious purposes such as a denial-of-service attack on a system or network. Networks of bots (referred to as botnets) usually number in the thousands but can grow to, without exaggeration, tens of millions of systems, as with the Conficker, Bredolab, and other botnets. Spam is generally not malicious but rather is simply annoying, especially when numerous spam e-mail messages are received daily. Preventing spam from making it to your inbox so that you don’t have to deal with it is the goal of spam filters. Spam filters are basically special versions of the more generic e-mail filters. Spam filtering can be accomplished in several different ways. One simple way is to look at the content of the e-mail and search for special keywords that are often found in spam (such as various drugs, such as Cialis, commonly found in mass-mailing advertising). The problem with keyword searches is the issue discussed before of false positives. Filtering on the characters “cialis” would also cause an e-mail with the word “specialist” to be filtered because the letters are found within it. Users are generally much more forgiving of an occasional spam message slipping through the filter rather than having valid e-mail filtered, so this is a critical issue. Usually, when an e-mail has been identified as spam, it will be sent to a special “quarantine” folder. The user can then periodically check the folder to ensure that legitimate e-mail has not been inadvertently filtered. Another method for filtering spam is to keep a “blacklist” of sites that are known to be friendly to spammers. If e-mail is received from an IP address for one of these sites, it will be filtered. The lists may also contain known addresses for botnets that have been active in the past. An interesting way to populate these blacklists is through the use of spamtraps. These are e-mail addresses that are not real in the sense that they are not assigned to a real person or entity. They are seeded on the Internet so that when spammers attempt to collect lists of e-mail addresses by searching through websites and other locations on the Internet for e-mail addresses, these bogus e-mail addresses are picked up. Any time somebody sends an e-mail to them, because they are not legitimate addresses, it is highly likely that the e-mail is coming from a spammer and the IP address from which the e-mail was generated can be placed on the blacklist. CAUTION It’s highly recommended that you never respond to a spam e-mail. Responding to such an e-mail provides confirmation to the spammer that the e-mail address is legitimate and is being used by a legitimate user who is reading the e-mail. Also, if your e-mail application asks you to display pictures and links, say no. Pictures may get downloaded from malicious sites, which acts like a fish “tugging” the hacker’s “line.” Plus, the links may contain malicious code that hijacks your connections or redirects you to an attacker’s site. Disabling HTML altogether would protect you from many of these e-mail threats.
06-ch06.indd 221
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
222
Individuals who want to avoid having their e-mail harvested from websites can use a method such as modifying their address in such a way that human users will quickly recognize it as an e-mail but automated programs may not. An example of this for a user with the e-mail of [email protected] might be john(at)abcxyzcorp(dot)com. The more generic e-mail filters can be used to block spam but also other incoming or outgoing e-mails. They may block e-mail from sites known to send malicious content, may block based on keywords that might indicate the system is being used for other-than-official purposes, or could filter outgoing traffic based on an analysis of the content to ensure that sensitive company data is not sent (or at least not sent in an unencrypted manner). NOTE One method spammers use to slip by keyword filters is to not include text in the body of the e-mail but rather take a screen capture of the advertisement and include it as an image. Doing this means that the filter simply sees the body as including an image. Some organizations address this by not allowing pictures in the body of incoming e-mail messages, but filtering based on this alone may result in false-positive errors.
Patch Management Managing an organization’s software updates is a classic case of picking your poison. If you patch systems too quickly, you risk breaking your stuff. If you patch systems too slowly due to testing, you risk others breaking your stuff. Although patch management cannot completely solve these challenges, it helps balance the competing desires of testing patches while not waiting too long to deploy them. Shown here are the common types of software updates:
• Security patch Software updates that fix application vulnerabilities • Hotfix Critical updates for various software issues that should not be delayed • Service packs Large collection of updates for a particular product released as one installable package • Rollups Smaller collection of updates for a particular product Patching is necessary because software that is actively supported by vendors, or internal developer teams, is never truly “finished.” There’s always room for improvement, whether the goals are to enhance the software’s reliability, functionality, performance, or, most commonly, security. Software patches are developed by the application vendor, or in-house developer, due to bugs discovered with the software during in-house code testing, public beta testing, or by white hat and black hat hackers alike. Unless software is developed inhouse, updates typically stem from the software vendor’s website. Since updates are published for various operating systems, applications, and even firmware, organizations will sometimes be overwhelmed. The larger the organization, the more unique products they have that require patching. Certain vendors release updates all the time due to increased product popularity (and the resulting attention it receives from hackers).
06-ch06.indd 222
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
223
PART II
Although most products try to help by automatically downloading updates, this effectively kills your patch management solution due to lack of testing, bandwidth control, compliance monitoring, and so forth. Testing updates is key because, as with medications in the pharmaceutical industry, updates should be thoroughly tested after development to ensure no adverse side effects are experienced on production systems. A proper patch management solution involves detecting, assessing, acquiring, testing, deploying, and maintaining software updates. This will help ensure that all operating systems, applications, and firmware continue to receive the latest updates with minimal security risks. Given the strong security focus of software updates, it is critical that organizations take patch management seriously. The patch management steps are as follows:
• Detect Discover missing updates. • Assess Determine issues and resulting mitigations expected from the patch. • Acquire Download the patch. • Test Install and assess the patch on quality assurance systems or virtual machines. • Deploy Distribute the patch to production systems. • Maintain Manage systems by observing any negative effects from updates, and if other security patches are needed. TIP Some good examples of products that offer patch management include Microsoft System Center Configuration Manager, Kaseya Security Patch Management, Solar Winds Patch Manager, and Quest KACE.
HIPS/HIDS Earlier we discussed the use of firewalls to block or filter network traffic to a system. Although this is an important security step to take, it is not sufficient to cover all situations. Some traffic may be totally legitimate based on the firewall rules you set, but may result in an individual being able to exploit a vulnerability within the operating system or an application program. Firewalls are prevention technology; they are designed to prevent a security incident from occurring. Intrusion detection systems (IDSs) were initially designed to detect when your prevention technologies failed, allowing an attacker to gain unauthorized access to your system. Later, as IDS technology evolved, these systems became more sophisticated and were placed in-line so that they did not simply detect when an intrusion occurred but rather could prevent it as well. This led to the development of intrusion prevention systems (IPSs). Early IDS implementations were designed to monitor network or system activity, looking for signs that an intrusion had occurred. If one was detected, the IDS would notify administrators of the intrusion, who could then respond to it. Two basic methods were used to detect intrusive activity. The first, anomaly-based detection, is based on statistical analysis of current network or system activity versus historical norms. Anomalybased systems build a profile of what is normal for a user, system, or network, and any
06-ch06.indd 223
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
224
time current activity falls outside of the norm, an alert is generated. The type of things that might be monitored include the times and specific days a user may log into the system (for example, do they ever access the system on weekends or late at night?), the type of programs a user normally runs, the amount of network traffic that occurs, specific protocols that are frequently (or never) used, and what connections generally occur. If, for example, a session is attempted at midnight on a Saturday, when the user has never accessed the system on a weekend or after 6:00 p.m., this might very well indicate that somebody else is attempting to penetrate the system. The second method to accomplish intrusion detection is based on attack signatures. A signature-based system relies on known attack patterns and monitors for them. Certain commands or sequences of commands may have been identified as methods to gain unauthorized access to a system. If these are ever spotted, it indicates that somebody is attempting to gain unauthorized access to the system or network. These attack patterns are known as signatures, and signature-based systems have long lists of known attack signatures they monitor for. The list will occasionally need to be updated to ensure that the system is using the most current and complete set of signatures. Advantages and disadvantages are associated with both types of systems, and some implementations actually combine both methods in order to try and cover all possible avenues of attack. Signature-based systems suffer from the tremendous disadvantage that they, by definition, must rely on a list of known attack signatures in order to work. If a new vulnerability is discovered (a zero-day exploit), there will not be a signature for it and therefore signature-based systems will not be able to spot it. There will always be a lag between the time a new vulnerability is discovered and the time when vendors are able to create a signature for it and push it out to their customers. During this period of time, the system will be at risk to an exploit taking advantage of this new vulnerability. This is one of the key points to consider when evaluating different vendor IDS and IPS products—how long does it take them to push out new signatures? Because anomaly-based systems do not rely on a signature, they have a better chance of detecting previously unknown attacks—as long as the activity falls outside of the norm for the network, system, or user. One of the problems with systems that strictly use anomalous activity detection is that they need to constantly adapt the profiles used because user, system, and network activity changes over time. What may be normal for you today may no longer be normal if you suddenly change work assignments. Another issue with strictly profile-based systems is that a number of attacks may not appear to be abnormal in terms of the type of traffic they generate and therefore may not be noticed. As a result, many systems combine both types so that all the aforementioned advantages can be used to create the best-possible monitoring situation. IDS and IPS also have the same issues with false-positive and false-negative errors as was discussed before. Tightening an IDS/IPS to spot all intrusive activity so that no false negatives occur (that is, so no intrusion attempts go unnoticed) means that the number of false positives (that is, activity identified as intrusive that in actuality is not) will more than likely increase dramatically. Because an IDS generates an alert when intrusive activity is suspected and because an IPS will block the activity, falsely identifying valid
06-ch06.indd 224
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
225
traffic as intrusive will cause either legitimate work to be blocked or an inordinate number of alert notifications that administrators will have to respond to. Frequently, when the number of alerts generated is high, and most turn out to be false positives, administrators will get into the extremely poor habit of simply ignoring the alerts. Tuning your IDS/IPS for your specific environment is therefore an extremely important activity.
Just as we discussed in the case of firewalls, an IDS or IPS can be placed in various locations. One of them is on the host itself. When it is installed at this level, it is known as a host-based intrusion detection system (HIDS) or host-based intrusion prevention system (HIPS). Some of the original IDSs were HIDSs because they were run on large mainframe computers before the use of PCs became widespread. In addition to monitoring network traffic to and from the system, an HIDS/HIPS may also monitor the programs running on the host and the files that are being accessed by them. It may also monitor regions of memory to ensure only appropriate areas have been modified, and may also keep track of specific information on files, including generating a checksum or hash for them to determine if they have been modified. It is interesting to note that due to its function, an HIDS/HIPS may itself become the object of an intruder who wants to go unnoticed and therefore may attempt to modify the HIDS/HIPS and its data. In addition to human intruders, an HIDS/HIPS may also be useful in detecting and preventing certain types of malware from adversely impacting the host.
PART II
Host-Based Intrusion Detection and Prevention Systems
Data Loss Prevention Data loss prevention (DLP) is, in a way, the opposite of intrusion prevention systems. Think about what intrusion prevention systems do—they detect, notify, and mitigate inbound attacks. They help stop the bad stuff from being brought into the company. As for opposites, what solution could we use to detect, notify, and mitigate good stuff from getting out of the company? In other words, how do we prevent data from being leaked or otherwise falling into unauthorized hands? That’s where data loss prevention comes in. DLP involves the technology, processes, and procedures designed to detect when unauthorized removal of data from a system occurs. Like host-based firewalls, DLPs are often implemented at the endpoint (host level); therefore, the host can determine if unauthorized attempts at destroying, moving, or copying data are taking place. DLP solutions will respond by blocking the transfer or dropping the connection entirely. DLP policies are created that identify sensitive content based on classification, and then actions to take based on which unauthorized behaviors are performed on the content in question. This guards against malicious attacks and accidents as well.
06-ch06.indd 225
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
226
NOTE Microsoft Office 365 has a DLP tool that can prevent the accidental sharing of sensitive information such as credit numbers, driver’s license numbers, and social security numbers.
Host-Based Firewalls In your car, the firewall sits between the passenger compartment and the engine. It is a fireproof barrier that protects the passengers within the car from the dangerous environment under the hood. A computer firewall serves a similar purpose—it is a protective barrier that is designed to shield the computer (the system, user, and data) from the “dangerous” environment it is connected to. This dangerous and hostile environment is the network, which in turn is most likely connected to the Internet. A firewall can reside in different locations. A network firewall will normally sit between the Internet connection and the network, monitoring all traffic that is attempting to flow from one side to the other. A host-based firewall serves a similar purpose, but instead of protecting the entire network, and instead of sitting on the network, it resides on the host itself and only protects the host. Whereas a network firewall will generally be a hardware device running very specific software, a host-based firewall is a piece of software running on the host. Firewalls examine each packet sent or received to determine whether or not to allow it to pass. The decision is based on the rules the administrator of the firewall has set. These rules, in turn, should be based on the security policy for the organization. For example, if certain websites are prohibited based on the organization’s Internet Usage Policy (or the desires of the individual who owns the system), sites such as those containing adult materials or online gambling can be blocked. Typical rules for a firewall will specify any of a combination of things, including the source and/or destination IP address, the source and/or destination port (which in turn often identifies a specific service such as e-mail), a specific protocol (such as TCP or UDP), and the action the firewall is to take if a packet matches the criteria laid out in the rule. EXAM TIP Typical actions include allow, deny, and alert. The rules in a firewall are examined in order, and rules will continue to be checked until a match is found or until no more rules are left. Because of this, the very last rule in the set of rules will generally be the “default” rule, which will specify the activity to take if no other rule was matched. The two extremes for this last rule are to deny all packets that didn’t match another rule and to allow all packets. The first is safer from a security standpoint; the second is a bit friendlier because it means that if there isn’t some rule specifically denying this access, then it will be allowed.
A screen capture of the simple firewall supplied by Microsoft for its Windows 10 operating system is shown in Figure 6-1. As can be seen, the program provides some simple options to choose from in order to establish the level of filtering desired. A finer level of detail can be obtained by going into the Advanced option, but most users never worry about anything beyond this initial screen. In the newer Windows operating systems, the
06-ch06.indd 226
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
227
PART II
Figure 6-1 Windows Defender Firewall with Advanced Security (Windows 10)
firewall is based on the Windows Filtering Platform. This service allows applications to tie into the operating system’s packet processing to provide the ability to filter packets that match specific criteria. It can be controlled through a management console found in the Control Panel under Windows Firewall. It allows the user to select from a series of basic settings, but will also allow advanced control, giving the user the option to identify actions to take for specific services, protocols, ports, users, and addresses. For Linux-based systems, a number of firewalls are available, with the most commonly used one being iptables, which replaced the previous most commonly used package, called ipchains. Iptables provides the functionality to accomplish the same basic functions as those found in commercial network-based firewalls. Common functionality includes the ability to accept or drop packets, to log packets for future examination, and to reject a packet, along with returning an error message to the host sending the package. As an example of the format and construction of firewall rules used by iptables, the rules that would allow WWW (port 80) and SSH (port 22) traffic would look like the following: iptables –-sport iptables –-sport
06-ch06.indd 227
–A INPUT –p tcp 1024:65535 \ -m –A INPUT –p tcp 1024:65535 \ -m
–i eth0 –-dport 22 state –-state NEW –j ACCEPT –i eth0 –-dport 80 state –-state NEW –j ACCEPT
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
228
The specifics of these commands is as follows: -A tells iptables to append the rule to the end of the chain; -p identifies the protocol to match (in this case, TCP); -i identifies the input interface; --dport and --sport specify the destination and source ports, respectively; -m state --state NEW states the packet should be the start of a new connection, and -j ACCEPT tells iptables to stop further processing of the rules and hand the packet over to the application. An important point to note that is not always considered is that a firewall can filter packets that are either entering or leaving the host or network. This allows an individual or organization the opportunity to monitor and control what leaves the host or network, not just what enters it. This is related to, but is not entirely the same as, data exfiltration, which we will discuss later in this chapter. Another consideration from the organization’s point of view is the ability to centrally manage the organization’s host firewalls if they are used. The issue here is whether you really want your users to have the ability to set their own rules on their hosts or whether it is better to have one policy that governs all user machines. If you let the users set their own rules, not only can they allow access to sites that might be prohibited based on the organization’s usage policy, but they might also inadvertently block important sites that could impact the functionality of the system. EXAM TIP Understanding that firewall rules are checked in a specific order is critical for the correct implementation of those rules. You would not want to have the default rule, allowing (or denying) all other traffic, be placed first in your rule set because none of the other rules would ever be checked. Watch carefully the creation and placement of rules that include “any ip address,” “any port,” or “any protocol.”
Special-purpose host-based firewalls, such as host-based application firewalls, are also available for use. The purpose of an application firewall is to monitor traffic originating from or traveling to a specific application. Application firewalls can be more discriminating beyond simply looking at source/destination IP addresses, ports, and protocols. Application firewalls will understand something about the type of information that is generated by or sent to the specific application and can, in fact, make decisions on whether to allow or deny information based on the contents of the connection. EXAM TIP A host-based application firewall will generally be used in conjunction with a packet-filtering host-based firewall instead of replacing it completely. This provides an additional level of filtering to better protect the host because they act on the application layer, which means they can inspect the contents of the traffic, allowing them to block specified content such as certain websites, malicious logic, and attempts to exploit known logical flaws in client software.
06-ch06.indd 228
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
229
Firewall Scenarios and Solutions
Here are a few firewall scenarios to help immerse you a little deeper into strategizing appropriate firewall solutions:
PART II
Scenario: You are installing a network firewall that will examine all incoming and outgoing network traffic. Because you are installing a network firewall, does this eliminate the need to conduct any type of monitoring and filtering at the individual host level? Solution: No. The network firewall can do a lot for your organization’s security, but there are some things it will miss that the hosts can catch. In particular, traffic that is encrypted will not be able to be analyzed by the network firewall, but monitoring and filtering conducted on the host can be done at a level that is postdecryption. Host-based application firewalls in particular are applicable in this context. Scenario: Is it better to centrally manage host-based firewalls and filters or to provide the users the opportunity, and responsibility, to maintain their own systems? Solution: It would be nice if we could trust users to maintain their own firewalls, and to filter traffic appropriately, but the reality of the situation is that because security is not their primary responsibility (nor is it their primary concern), users should not be expected to maintain their own filters and firewalls. In addition, assigning them the responsibility means that you will need to ensure they understand how to do it and know what needs to be done. In most organizations, this is not the norm for users.
Log Monitoring Today’s security professionals should operate under the assumption that host devices have already been compromised. Regardless of how probably such a compromise might be at the moment, operating from the assumption of “implicit compromise” makes sense. A certain amount of nerves is actually healthy for us as security practitioners because it sharpens our senses to perform at their highest level. Having a heightened sense of urgency is needed when we’re competing against a faceless enemy of indeterminate skill, size, motivation, and location. The unavoidable fact is that we cannot prevent all attacks; therefore, we turn to detection, which is epitomized through the discovery and analysis of malicious activities through log monitoring. We have a ton of logs to help us discover potential abuses, yet having so many logs also complicates our ability to detect, analyze, and respond to security breaches in a timely fashion. Just the Windows Event Viewer alone may have over 100,000 records.
06-ch06.indd 229
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
230
Types of Logs
If organizations are going to maximize their log-monitoring capabilities, they must first be aware of the types of logs they have. Shown here are the most common log types:
• Operating system logs • Web server logs • E-mail server logs • Database server logs • Host-firewall logs • Application logs • Packet sniffer logs • Antimalware logs To tame this beast, security professionals should implement a log-monitoring tool that can automate the collection and analysis of various log types. With all the logs under the same roof, malicious event detection becomes much easier; plus, it’ll help us verify the effectiveness of our security controls. EXAM TIP Be aware of the popular log formats. For example, the World Wide Web Consortium (W3C), Extended Log Format (ELF), and NCSA log formats are popular with web servers. Syslog is widely used for device and operating system logging purposes.
Since Windows is the most popular desktop operating system, it’s important to understand both the Event Viewer and the Windows Audit Policies.
Windows Event Viewer
The Windows Event Viewer is a logging tool that records various operating system, security, and application events using descriptions such as “information,” “warning,” “error,” and “critical.” These events are categorized into separate logs, as shown here:
• Application Contains events generated by applications. Useful for troubleshooting application issues. • Security Contains audited events for account logins, resource access, and so on. Useful for auditing and determining accountability of human activities. • Setup Contains setup events such as Windows Update installations. Useful for troubleshooting setup failures.
06-ch06.indd 230
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
231
• System Contains events for operating system and hardware activities. Useful for troubleshooting driver, service, operating system, and hardware issues. This is arguably the most important log in Event Viewer. • Forwarded Events Contains events forwarded from other systems. Useful for aggregating events from servers onto your IT workstations for centralized log monitoring. PART II
NOTE Event Viewer’s security log is particularly important for security professionals due to its abundance of “auditing” events, which can show traces of system or information misuse. More to follow on this in the next section.
Windows Audit Policies
As with most operating systems, Windows has built-in auditing capabilities to help us determine accountability of outcomes—as in who committed the desirable or undesirable actions. Such outcomes may be in reference to successful or failed login attempts, file access, password changes, and so forth. However, many individuals think that auditing is just another word for logging. Is there a difference between the two? In certain contexts, no—but in light of information security, an important distinction does exist. Think of auditing as a specialized type of logging. Logging, in itself, is just an automated collection of records, whereas auditing is more fact-finding in nature. Let’s take a look at three sequential log entries for a Sales employee named John Smith: 1. John Smith successfully logged into the Sales-1 workstation at 7:30 a.m. 2. John Smith successfully used the “Read” permission on the Sales shared folder located on the file server at 7:35 a.m. 3. John Smith failed to access the Human Resources shared folder located on FileServer1 at 7:45 a.m.
Logging simply records these three activities into a log file. Auditing, however, digs deeper. Auditing is a more analytical, security, and human-focused form of logging in that it helps us to piece together a trail of evidence to determine if authorized or unauthorized actions are being conducted by users. In other words, auditing involves not only the generation but also the examination of logs to identify signs of security breaches. In the preceding example, John Smith failed to access the Human Resources share. This begs a few questions:
• Why would John Smith, a Sales user, attempt to access a Human Resources directory? • Was this a deliberate malicious act or an accident? • Is the individual logged in as John Smith actually John Smith or someone else? Through additional generation and review of such records, we’ll be able to reasonably determine if this was an attempted security breach or a false alarm.
06-ch06.indd 231
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
232
Let’s take a look at Windows Group Policy auditing from the perspective of Windows Server Domain Controllers using the Group Policy Management tool. You would then navigate to \Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for configuration. After configuration, you would visit the Security log under the Event Viewer. Here are some examples of auditing policies:
• Audit account logon events Audits all attempts to log on with a domain user account, regardless from which domain computer the domain user login attempt originated. This policy is preferred over the “Audit logon events” policy below due to its increased scope. • Audit account management Audits account activities such as the creation, modification, and deletion of user accounts, group accounts, and passwords. • Audit directory service access Audits access to Active Directory objects such as OUs and Group Policies, in addition to users, groups, and computers. Think of this as a deeper version of “Audit account management.” • Audit logon events Tracks all attempts to log onto the local computer (say, a Domain Controller), regardless of whether a domain account or a local account was used. • Audit object access Audits access to non–Active Directory objects such as files, folders, registry keys, printers, and services. This is a big one for determining if users are trying to access files/folders from which they are prohibited. • Audit policy change Audits attempts to change user rights assignment policies, audit policies, account policies, or trust policies (in the case of Domain Controllers). • Audit privilege use Audits the exercise of user rights, such as adding workstations to a domain, changing the system time, backing up files and directories, and so on. Often considered a messy and “too much information” policy and therefore not generally recommended. • Audit process tracking Audits the execution and termination of programs, also known as processes. • Audit system events Audits events such as a user restarting or shutting down the computer, or when activities affect the system or security logs in Event Viewer.
Endpoint Detection and Response Traditional antimalware, HIDS/HIPS, and DLP solutions are known for taking immediate eradication and recovery actions upon discovery of malicious code or activities. Although this is a good thing, such quick reactions may deprive us from fully understanding the threat’s scope. In other words, we don’t want to win the battle at the expense of losing the war. Greater threat intelligence must be ascertained, including the determination of the threat’s level of sophistication, and whether or not the threat is capable of using infected endpoints to attack other endpoints.
06-ch06.indd 232
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
233
NOTE Examples of EDR solutions include Symantec’s Endpoint Detection and Response, FireEye’s Endpoint Security, and Guidance Software’s EnCase Endpoint Security.
PART II
Endpoint detection and response (EDR) solutions will attempt to answer these concerns by initially monitoring the threat—collecting event information from memory, processes, the registry, users, files, and networking—and then uploading this data to a local or centralized database. The EDR solution will then correlate the uploaded information with other information already present in the database in order to re-analyze and, potentially, mitigate the previously detected threat from a position of increased strength. Other endpoints should be examined by EDR solutions to ensure similar threats are understood and eradicated in a timely fashion.
Host Hardening
Implementing a series of endpoint security mechanisms as described in the previous section is one approach to securing a computer system. Another, more basic approach is to conduct host-hardening tasks designed to make it harder for attackers to successfully penetrate the system. Often this starts with the basic patching of software, but before attempting to harden the host, the first step should be to identify the purpose of the system—what function does this system provide? Whether the system is a PC for an employee or a network server of some sort, before you can adequately harden the system, you need to know what its intended purpose is. There is a constant struggle between usability and security. In order to determine what steps to take, you have to know what the system will be used for—and possibly of equal importance, what it is not intended to be used for. Defining the standard operating environment for your organization’s systems is your first step in host hardening. This allows you to determine what services and applications are unnecessary and can thus be removed. In addition to unnecessary services and applications, similar efforts should be made when hardening a system to identify unnecessary accounts and to change the names and passwords for default accounts. Shared accounts should be discouraged, and if possible two-factor authentication can be used. An important point to remember is to always use encrypted authentication mechanisms. The access to resources should also be carefully considered in order to protect confidentiality and integrity. Deciding who needs what permissions is an important part of system hardening. This extends to the limiting of privileges, including restricting who has root or administrator privileges and more simply who has write permissions to various files and directories.
Standard Operating Environment/Configuration Baselining It is generally true that the more secure a system is, the less useable it becomes. This is true if for no other reason than hardening your system should include removing applications that are not needed for the system’s intended purpose—which, by definition, means that it is less useable (because you will have removed an application).
06-ch06.indd 233
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
234
If you’ve done a good job in determining the purpose for the system, you should be able to identify what applications and which users need access to the system. Your first hardening step will then be to remove all users and services (programs/applications) not needed for this system. An important aspect of this is identifying the standard environment for employees’ systems. If an organization does not have an identified standard operating environment (SOE), administrators will be hard pressed to maintain the security of systems because there will be so many different existing configurations. If a problem occurs requiring massive reimaging of systems (as sometimes occurs in larger security incidents), organizations without an identified SOE will spend an inordinate amount of time trying to restore the organization’s systems and will most likely not totally succeed. This highlights another advantage of having an SOE—it greatly facilitates restoration or reimaging procedures. A standard operating environment will generally be implemented as a disk image consisting of the operating system (including appropriate service packs and patches) and required applications (also including appropriate patches). The operating system and applications should include their desired configuration. For Windows-based operating systems, the Microsoft Deployment Toolkit (MDT) can be used to create deployment packages that can be used for this purpose. EXAM TIP A key concept to remember is to limit the services available on a system. This is true no matter what the operating system is. The more services that are available (and the more applications that are running), the more vulnerabilities you will need to be concerned with because each application may have one or more vulnerabilities that can be exploited. If you don’t need a specific service, don’t keep it around; otherwise, you may be needlessly exposing your system to possible exploitation.
Application Whitelisting and Blacklisting
An important part of host hardening is ensuring that only authorized applications are allowed to be installed and run. There are two basic approaches to achieving this goal:
• Application whitelisting This is a list of applications that should be permitted for installation and execution. Any applications not on the list are implicitly denied. Firewalls typically adopt this approach by implicitly denying all traffic, while generating exceptions of the traffic you wish to allow. The downside to this method is if you forget to put certain desired applications on the list, they will be prohibited. • Application blacklisting This is a list of applications that should be denied installation and execution. Any applications not on the list are implicitly allowed. This method is frequently used by antimalware tools via definition databases. The advantage of blacklisting is that it’s less likely to block desirable software than whitelisting. Prior to Windows 7, we used to implement Software Restrictions Policies via Group Policy to identify software for whitelisting or blacklisting purposes. This feature was
06-ch06.indd 234
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
235
usurped by Windows 7 Enterprise/Ultimate’s introduction of a Group Policy tool called AppLocker. AppLocker provides additional whitelisting and blacklisting capabilities for the following software scenarios:
NOTE Most experts and industry standards suggest that whitelisting is superior to blacklisting because all the bad stuff is banned by default, with only the chosen few permitted. If you need one example to prove this, imagine making a wedding list of the 7+ billion people who aren’t invited, as opposed to the 100 who are invited!
PART II
• Software that can be executed • Software that can be installed • Scripts that can run • Microsoft Store apps that can be executed
Security/Group Policy Implementation Group Policy is a feature of Windows-based operating systems dating back to Windows 2000. It is a set of rules that provides for centralized management and configuration of the operating system, user configurations, and applications in an Active Directory environment. The result of a Group Policy is to control what users are allowed to do on the system. From a security standpoint, Group Policy can be used to restrict activities that could pose possible security risks, limit access to certain folders, and disable the ability for users to download executable files, thus protecting the system from one avenue through which malware can attack. The Windows 10 operating system has several thousand Group Policy settings, including User Experience Virtualization, Windows Update for Business, and for Microsoft’s latest browser called Microsoft Edge. Based on the Windows OS, the security settings include several important areas, such as Account Policies, Local Policies, Windows Defender Firewall with Advanced Security, Public Key Policies, Application Control Policies, and Advanced Audit Policy Configuration. EXAM TIP On Windows Server systems, the Group Policy Management Console (GPMC) provides a method to manage all aspects of Group Policy for an entire organization, and is in fact the primary access point to Group Policy. The GPMC provides the capability to perform functions such as importing and exporting Group Policy Objects (GPOs), copying and modifying GPOs, and backing up and restoring GPOs.
Command Shell Restrictions Restricting the ability of users to perform certain functions can help ensure that they don’t deliberately or inadvertently cause a breach in system security. This is especially true for operating systems that are more complex and provide greater opportunities for users to make a mistake. One very simple example of restrictions placed on users is those
06-ch06.indd 235
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
236
associated with files in Unix-based operating systems. Users can be restricted so that they can only perform certain operations on files, thus preventing them from modifying or deleting files that they should not be tampering with. A more robust mechanism used to restrict the activities of users is to place them in a restricted command shell. A command shell is nothing more than an interface between the user and the operating system providing access to the resources of the kernel. A command-line shell provides a command-line interface to the operating system, requiring users to type the commands they want to execute. A graphical shell will provide a graphical user interface for users to interact with the system. Common Unix command-line shells include the Bourne shell (sh), Bourne-Again shell (bash), C shell (csh), and Korn shell (ksh). A restricted command shell will have a more limited functionality than a regular command-line shell. For example, the restricted shell might prevent users from running commands with absolute pathnames, keep them from changing environment variables, and not allow them to redirect output. If the bash shell is started with the name rbash or if it is supplied with the --restricted or -r option when run, the shell will become restricted— specifically restricting the user’s ability to set or reset certain path and environment variables, to redirect output using “>” and similar operators, to specify command names containing slashes, and to supply filenames with slashes to various commands.
Patch Management Many of the fundamentals of patch management were discussed earlier in this chapter. What we haven’t quite looked at yet are the methods of patch deployment. This section covers manual and automated methods of deploying patches to an organization’s infrastructure.
Manual
Sacrificing speed for control, organizations sometimes manually deploy patches to their host devices. Manual patching benefits us in a few different ways:
• It places greater emphasis on patch testing in quality assurance labs or virtual machines. • Patches can be staggered to individual groups or departments as opposed to widescale rollouts. This helps prevent issues. • Rollbacks from failed patch deployments are easier as a result of staggered rollouts. This speeds up the recovery from issues. The downside to manual deployment methods is the increased administrative effort involved in manual approval processes.
Automated
Manual patching is fine for smaller environments but it doesn’t bode well for the large ones. Imagine manually approving patches for thousands, tens of thousands, or more devices? Automated patching provides a centralized solution in which local or cloudbased servers automatically deploy patches to devices. As you would expect, automated patching is considerably faster than with the manual approach.
06-ch06.indd 236
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
237
PART II
Frequently used automated patching solutions include Microsoft System Center Configuration Manager and Windows Server Update Services (WSUS). WSUS is popular, effective, and free, since it is an included role in most Windows Server operating systems. Organizations set up a local WSUS server—or a parent-child series of WSUS servers at headquarters and various branch offices—and then configure the Windows devices to connect to the WSUS server via Group Policy configurations. For non-domain-joined devices, consider using Microsoft Intune for a cloud-based solution that offers over-theInternet patching and a variety of other exciting Mobile Device Management features. The downside to automated patching stems from the fact that you’re simultaneously increasing the number of systems that will get patches, and how quickly. This leaves little time to stop a patching problem from spreading too far in a timely fashion. In other words, we may not realize a patching issue until all systems have received the patch, which leads to a nasty rollback process afterward. Scripting and Replication Scripting is becoming increasingly common for automating administrative tasks. It combines the speed benefits of automation with some of the control benefits of manual patching. Scripting also gives the ability to automate tasks in a way that a centralized patching solution could not achieve on its own. That is because we design the administrative code ourselves as opposed to relying solely on the third-party tool’s feature set. NOTE Microsoft PowerShell scripting has matured to a point where Windows Servers no longer need GUIs. Not to mention, Linux has a loyal and longstanding scripting community that has developed innumerable scripts over the decades for every administrative task imaginable, including the deployment of patches.
Regardless of the nature of automated patching or scripting, if you use multiple patching servers to source your patches, be sure the servers converge their patches through an effective replication topology. Patching is too urgent a security control to delay through lack of server synchronization.
Configuring Dedicated Interfaces Certain hosts, such as a server or a technician’s computer, are likely to have multiple network interface cards. One interface is likely provisioned for everyday LAN communications like Internet, e-mail, instant messaging, and the like. Meanwhile, the other interface is used to isolate the critical, behind-the-scenes management and monitoring traffic from the rest of the network. This second interface is referred to as a dedicated interface since it is dedicated to several key administrative functions. The details of these functions will be outlined throughout the next few topics, including out-of-band management, ACLs, and management and data interfaces.
Out-of-Band Management
An out-of-band interface is an example of a dedicated NIC interface through which network traffic is isolated from both the LAN and Internet channels. This is because the out-of-band NIC is designed to carry critical (and sometimes sensitive) administrative
06-ch06.indd 237
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
238
traffic that needs a dedicated link for maximum performance, reliability, and security. Shown here are some features of out-of-band-management:
• Reboot hosts. • Turn on hosts via Wake on LAN. • Install an OS or reimagine a host. • Mount optical media. • Access a host’s firmware. • Monitor the host and network status. There’s not much point to out-of-band management if it is bottlenecked by other areas of the network; therefore, be sure to provide it with adequate performance and reliability via quality-of-service policies. Ensure that traffic is sufficiently isolated from the regular network through subnetting or virtual local area network (VLAN) configurations. Also, when purchasing host devices, consider those with motherboards and NICs that have native support for out-of-band management to enhance your administrative flexibilities.
ACLs
The exact context of access control lists (ACLs) can vary, whether discussing things like file permissions or rules on a router, switch, or firewall. From a file system context, an ACL is a list of privileges that a subject (user) has to an object (resource). From a networking perspective, ACLs are a list of rules regarding traffic flows through an interface based on certain IP addresses and port numbers. NOTE A well-known flaw with network ACLs is the relative ease of circumvention through IP spoofing. However, all is not lost. Hosts may be able to examine and, eventually, drop the traffic sent by a suspected spoofing device. This can be achieved through two different techniques: time-to-live (TTL) and IP identification (IPID) probes. Whenever hosts send IP traffic, the IP packet header contains a value for the TTL and IPID fields. Careful examination, and solicitation, of the TTL and IPID traffic sent by both the spoofing and victim devices will reveal vast differences between these two fields, thus exposing the spoofing device.
For dedicated interfaces, ACLs will need to be carefully configured to ensure that only approved traffic flows to and from the interface, at the exclusion of all others. This will help secure the source and destination nodes in the network communications.
Management Interface
Management interfaces are designed to remotely manage devices through a dedicated physical port on a router, switch, or firewall, or a port logically defined via a switch’s VLAN. In contrast to out-of-band management, management interfaces connect to an internal in-band network to facilitate monitoring and management of devices via a
06-ch06.indd 238
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
239
normal communications channel. Typically, these management interfaces are controlled through a command-line interface (CLI); therefore, you’ll likely use a terminal emulation protocol such as Telnet (insecure) or SSH (secure). It is common practice to use SSH for all management interface communications given its reliance on cryptographic security, including public and private keys, session keys, certificates, and hashing.
Data Interface
PART II
TIP A great tool for Telnet and SSH terminal emulation is PuTTY, which supports various protocols, including rlogin, SCP, SSH, and Telnet.
Unlike the out-of-band and in-band management topics just discussed, data interfaces carry everyday network traffic. From a traditional switch’s perspective, we’re referring to the Ethernet frame headers, whereas routers operate at the IP packet header. However, let’s not mistake everyday hosts and network traffic as being unimportant. A bevy of attack vectors exist on switches, and we’re going to focus our security considerations on switch ports since those are what host devices typically connect to. Here are some examples of security techniques that can be implemented on switch ports:
• Port security Permits traffic to switch ports from predefined MAC addresses only. This guards against unauthorized devices but is easily circumvented by MAC spoofing. • DHCP snooping Restricts DHCP traffic to trusted switch ports only. This guards against rogue DHCP servers. • Dynamic ARP inspection Drops ARP packets from switch ports and incorrect IP-to-MAC mapping. Guards against ARP spoofing. • IP source guard Drops IP packets if the packet’s source IP doesn’t mesh with the switch’s IP-to-MAC bindings. Guards against IP spoofing.
External I/O Restrictions To the untrained eye, it appears that organizations are unnecessarily paranoid about workers bringing external devices or peripherals to work. After all, how much harm can a tiny little flash drive, smartphone, or Bluetooth headset possibly cause? Answer: a lot. Although these devices can potentially carry many threats, they all originate from two primary directions:
• Ingress Bad stuff coming in (malware, password crackers, sniffers, keyloggers) • Egress Good stuff going out (company, medical, and personal data) Security professionals need to be fully aware of the different external devices that people may bring in, plus the risk factors and threats presented by each. In addition, we may need to look into outright preventing such devices from entering the workplace, and denying the devices that slip through from initializing upon attachment to a host device.
06-ch06.indd 239
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
240
This section takes a look at a variety of external devices, including USB, wireless, and audio and video components, plus the mitigations for the threats they introduce.
USB
Since 1996, the Universal Serial Bus (USB) data transfer and power capabilities have permitted the connectivity of virtually every device imaginable to a computer. The ubiquity of USB gives it the rare distinction of being not only the most popular standard for external device connections but also the source of the most device-based threats. Plugging in external devices containing storage such as flash drives, external hard drives, flash cards, smartphones, and tablets makes it easy for both innocent and not-so-innocent users to install malicious code onto a host. This includes malware, keyloggers, password crackers, and packet sniffers. Other USB attacks may seek to steal sensitive materials from the organization. Since most of these devices are small, they can easily be concealed in a pocket, backpack, purse, or box—and thus escape the notice of security staff or surveillance cameras. To combat the USB threats, organizations often use technological means to block or strictly limit the use of USB devices. Figure 6-2 shows an example of restricting removable devices via Windows Group Policy.
Figure 6-2 Group Policy restricting removable devices
06-ch06.indd 240
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
241
USB Restrictions
There are several ways to disable USB devices:
PART II
• Disable USB storage in the registry via careful modification of the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ USBSTOR. • Set the Group Policy option “Prevent installation of removable devices” to Enabled. • Set the Group Policy option “All Removable Storage classes: Deny all access” to Enabled. • Disable USB ports in Device Manager by right-clicking them and selecting Disable Device. • Disable USB ports via the BIOS setup screen. • Disable USB ports on the top or front of the computer case by detaching the internal cable from the motherboard’s USB header. • Uninstall USB storage drivers from Device Manager.
Wireless
Like USB, wireless technologies bring convenience, practicality, and numerous attack vectors to an organization. Unlike their cabled brethren, wireless devices are susceptible to various over-the-air communication attacks, which may result in malware infection, device hijacking, denial-of-service (DoS) attacks, data leakage, and unauthorized network access. The nature of the threats can vary based on whether the device uses radio frequencies such as Bluetooth, near field communication (NFC), radio-frequency identification (RFID), and 802.11 Wi-Fi or the infrared signals used by the infrared data association (IrDA) protocols. This section will cover the threats introduced by these wireless technologies and their mitigations. Bluetooth Bluetooth is a wireless technology standard designed for exchanging information between devices such as mice, keyboards, headsets, smartphones, smart watches, and gaming controllers—at relatively short distances and slow speeds. With various Bluetooth versions out there, devices may range widely in terms of signal range and bandwidth speeds. You may see ranges between 10 and 1,000 feet with speeds between 768 Kbps and 24 Mbps. Keep in mind that 1,000-foot Bluetooth distances are rare and typically achieved by Bluetooth hackers using amplifiers to perform their exploits from well out of sight. Like any wireless technology, Bluetooth is subject to various attack vectors:
• Bluesmacking DoS attack against Bluetooth devices • Bluejacking Delivery of unsolicited messages over Bluetooth to devices in order to install contact information on the victim’s device
06-ch06.indd 241
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
242
• Bluesnarfing • Bluesniffing • Bluebugging • Blueprinting firmware info
Theft of information from a Bluetooth device Seeking out Bluetooth devices Remote controlling other Bluetooth devices Collecting device information such as vendor, model, and
Despite the litany of attack vectors, several countermeasures exist to reduce the threats against Bluetooth devices. One of the best things you can do is keep devices in a nondiscoverable mode to minimize their visibility. Another idea is to change the default PIN code used when pairing Bluetooth devices. Also, disregard any pairing requests from unauthorized devices. If one is available, you should also consider installing a Bluetooth firewall application on your device. Enabling Bluetooth encryption between your device and the computer will help prevent eavesdropping. If possible, ensure the device has antimalware software to guard against various Bluetooth hacking tools. NFC Near field communication (NFC) is a group of communication protocols that permit devices such as smartphones to communicate when they are within 1.6 inches of each other. If you’re ever at a Starbucks drive-thru, you’ll frequently see customers paying for products by holding up their smartphone to the NFC payment reader. NFC payments are catching on due to their convenience, versatility, and having some security enhancements over credit cards. Security benefits include an extremely small signal range (which makes compromise more difficult), PIN/password protection, remote wiping of smartphone to guard against credit card number theft from lost devices, contactless or “bump” payment, credit card number being kept invisible to outsiders, and no credit card magnetic strip needed. Plus, the owner of the NFC card reader does not have access to the customer’s credit card information. Although NFC is generally considered to be more secure than typical credit card payments, there are some downsides, including the following:
• Cost prohibitive, particularly for small businesses, which reduces their competitive edge • Lack of support from many businesses • Hidden security vulnerabilities subjecting NFC to radio frequency interception and DoS attacks There are various mitigations for NFC, including the following:
• Encrypting the channel between the NFC device and the payment machine • Implementing data validation controls to guard against integrity-based attacks • End-user awareness training for NFC risks and best practices • Disabling NFC permanently or only when not in use • Only tapping tags that are physically secured, such as being located behind glass • Use of NFC-supported software with password protection
06-ch06.indd 242
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
243
PART II
IrDA Infrared Data Association (IrDA) created a set of protocols permitting communications between devices using infrared wireless signals. Unlike most wireless communications that use radio waves, infrared is a near-visible form of light. IrDA is generally considered to be accurate, relatively secure (primarily due to line-of-sight requirements), resilient toward interference, and can serve as a limited alternative to Bluetooth/Wi-Fi due to some environments having challenges with radio frequency devices or radio interference. Although sometimes used as a communications method between laptops and printers, IrDA doesn’t see much use due to its limited speed (16 Mbps), range (2 meters), and line-of-sight requirements. IrDA doesn’t implement authentication, authorization, or cryptographic support. Plus, it is possible (although not easy) to eavesdrop on IrDA communication. The best mitigation is to be mindful of device position in relation to other untrusted users or devices to prevent eavesdropping, or switch to another wireless technology such as Bluetooth or Wi-Fi if possible. 802.11 Dating back to 1997, the 802.11 specification has been managed by the Institute of Electrical and Electronics Engineers (IEEE), which helps globally standardize wireless local area network communications. The frequencies used in the various 802.11 standards are commonly 2.4 GHz and 5 GHz; meanwhile, a newer 60 GHz frequency band has emerged. Although 802.11 forms the foundation for Wi-Fi technologies, they are not interchangeable terms. Given the large scope of 802.11 topics and standards, we will flesh these out over the next several sections. Wireless Access Point (WAP) Wireless access points (WAPs) are devices that connect a wireless network to a wired network—which creates a type of wireless network called “infrastructure mode.” If you build a wireless network without a WAP, this is known as an ad-hoc network. In most cases, wireless access points are incorporated into wireless broadband routers. EXAM TIP More on some of these topics later, but be sure to implement wireless encryption such as WPA/2 and MAC filtering, update the firmware, change the default username/password to manage the WAP, and rename/ disable the broadcast of the SSID.
Hotspots Hotspots are wireless networks that are available for public use. These are frequently found at bookstores, coffee shops, hotels, and airports. They are notorious for having little to no wireless security. It is recommended that you establish a VPN connection to secure yourself on hotspots. SSID The service set identifier is a 32-alphanumeric-character identifier used to name a wireless network. This name is broadcasted via a special type of frame called a “beacon frame” that announces the presence of the wireless network. The SSID should be renamed in addition to disabling the broadcasting of it to decrease the visibility of the wireless network.
06-ch06.indd 243
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
244
802.11a The first revision to the 802.11 standard, 802.11a was released in 1999. It uses the orthogonal frequency-division multiplexing (OFDM) modulation method via the 5 GHz frequency with a maximum speed of 54 Mbps. This standard didn’t see a lot of action due to limited indoor range. 802.11b Also released in 1999, 802.11b uses the direct sequence spread spectrum (DSSS) method via the 2.4 GHz frequency band at a top speed of 11 Mbps. Despite its slower speeds, it has excellent indoor range. This standard became the baseline for which technologies would eventually be called “Wi-Fi certified.” 802.11g Released in 2003, 802.11g uses the 2.4 GHz band of 802.11b, but has the 54 Mbps speed of 802.11a. Like 802.11a, it uses the OFDM modulation technique. Given its excellent indoor range, this was a huge hit for many years and is still in use today. 802.11i Released in 2004, 802.11i is a security standard calling for wireless security networks to incorporate the security recommendations included in what is now known as Wi-Fi Protected Access II (WPA2). More to follow on WPA2 later in this section. 802.11n Although sold on the market since the mid-2000s as a draft standard, 802.11n was formally released in 2009 and supports OFDM via both the 2.4 GHz and 5 GHz frequencies. Having support for both frequencies is good because if the 2.4 GHz band has too much interference, we can switch to the less-crowded 5 GHz band. This standard’s speed can scale up to 600 Mbps if all eight multiple-input multiple-output (MIMO) streams are in use. Plus, it has nearly double the indoor range of the previous standards. 802.11ac Released in 2013, 802.11ac uses the 5 GHz band and the OFDM modulation technique. Its reliance on 5 GHz helps it to avoid interference in the “chatty” 2.4 GHz band. It supports some of the fastest speeds on the market at 3+ Gbps and has good indoor range. WEP Wired Equivalent Privacy (WEP) is the original pre-shared key security method for 802.11 networks in the late 1990s and early 2000s. Prior to the pre-shared method, wireless networks used open system authentication in which no password was needed to connect. Given its name, the wireless encryption offered by WEP was equivalent to no encryption via cables. In other words, the goal was to make these two methods “equivalent.” WEP uses a fairly strong and fast symmetric cipher in RC4; however, WEP poorly manages RC4 by forcing it to use static encryption keys. In addition, WEP uses computationally small 24-bit initialization vectors (IVs), which are input values used to add more randomization to encrypted data. As a result, WEP hacking can easily be performed by capturing about 50,000 IVs to successfully crack the WEP key. WEP should be avoided on wireless networks unless no alternatives exist. WPA Wi-Fi Protected Access (WPA) was an interim upgrade over WEP in that it did away with static RC4 encryption keys, in addition to upgrading the IVs to 48 bits. Although WPA still uses RC4, it also supports Temporal Key Integrity Protocol to
06-ch06.indd 244
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
245
provide frequently changing encryption keys, message integrity, and larger IVs. Despite its vast improvements over WEP, WPA can be exploited via de-authentication attacks, offline attacks, or brute-force attacks.
PART II
WPA2 Wi-Fi Protected Access II (WPA2) is the complete representation of the 802.11i wireless security recommendations. Unlike WPA, it replaced RC4 with the globally renowned Advanced Encryption Standard (AES) cipher, while also being supplemented by the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) cipher. As with WPA, WPA2 supports either Personal or Enterprise mode implementations. WPA2 Personal mode uses pre-shared keys, which are shared across all devices in the entire wireless LAN, whereas WPA2 Enterprise mode includes Extensible Authentication Protocol (EAP) or Remote Authentication Dial-in User Service (RADIUS) for centralized client authentication, including Kerberos, token cards, and so on. The Enterprise mode method is designed for larger organizations with AAA (authentication, authorization, and accounting) servers managing the wireless network, and Personal mode is more common with small office/home office (SOHO) environments in which the WAP controls the wireless security for the network. MAC Filter This is a simple feature on WAPs where we whitelist the “good” wireless MAC addresses or blacklist the “bad” MAC addresses on the wireless network. Although this provides a basic level of protection, hackers can fairly easily circumvent it with MAC spoofing. It is best to supplement this security feature with others. RFID Radio frequency identification (RFID) uses antennas, radio frequencies, and chips (tags) to keep track of an object or person’s location. RFID has many applications, including inventory tracking, access control, asset tracking (such as laptops and smartphones), pet tracking, and people tracking (such as patients in hospitals and inmates in jails). RFID uses a scanning antenna (also known as the reader or interrogator) and a transponder (RFID tag) to store information. For example, a warehouse may require RFID tags to be placed on staff smartphones, as per a mobile device security policy. A warehouse manager can then use an RFID scanner device to remotely monitor the smartphones. EXAM TIP There are two types of RFID tags: active and passive. Active tags are more expensive, yet their built-in battery enables them to broadcast their signal potentially hundreds of meters. Passive tags are cheaper and can only get their power via the nearby “interrogation” of a reader device. This limits a passive tag’s broadcasting capability to, typically, just a few feet.
RFID does introduce some interference and eavesdropping risks due to other readers being capable of picking up the tag’s transmission. Plus, the tag can only broadcast so far, which doesn’t do any good for device theft. Some mitigations for RFID security threats include blocker tags, which seek to DoS unauthorized readers with erroneous tags, and kill switches, which seek to disable tags once activation is no longer required. Also, RFID encryption and authentication are supported on some newer RFID devices.
06-ch06.indd 245
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
246
Drive Mounting
Before users can access any kind of storage device, it must first be mounted. Drive mounting is the process of an OS making files/folders available to users through its file system. File systems display mounted drives as either a disk icon (Windows or macOS) or a directory (Unix/Linux). Although internal storage devices are handled by IT, issues arise from end users freely connecting external hard drives and flash drives to their machines. Since OSs typically “auto-play” connected storage devices, any malware on the drive can automatically run—while simultaneously extracting sensitive data from the company. The easiest countermeasure would be to prevent connectivity of external storage devices entirely; however, that isn’t always an option. Organizations may choose to limit such connectivity to company-owned devices that are already configured with drive encryption and password protection. Another consideration would be to disable auto-play of removable devices to disable processing of any malicious code on the drive. Also, Windows Group Policies can be configured to limit the permissions users have to the drive.
Drive Mapping
Drive mappings treat remote storage like local storage. Rather than having users manually browse to a remote computer to access its storage and content, a user simply clicks the local drive letter that is “mapped” to that remote storage. This makes accessing the remote drive as easy as accessing a local drive. Drive mappings are meant to be convenient and productive, yet such convenience can be a double-edged sword. Some users mistakenly believe the mapped drive is local; therefore, they may store inappropriate or personal content on it. Imagine their shock when other team members come across such content. End-user training can help prevent this from happening. Also, such convenient access to remote storage is extended to attackers. If attackers can just get to the local computer, they can easily catapult themselves to the mapped drive and plunder its content. Mitigations for mapped drives are few but worthwhile. Users need to be reminded to always lock their computer when they step away as well as employ strong password practices. The key is to prevent the attacker from accessing the machine in the first place.
Webcams and Recording Microphones
You’ve often been told to “smile for the camera.” That is now more applicable than ever considering that cameras are built into today’s smartphones, tablets, laptops, portable and nonportable gaming consoles, and IoT devices. As you might expect, some privacy issues have arisen from this:
• Applications often request permissions to a device’s camera/microphone. This subjects nearby users to unexpected (and legal) audio/video capturing with content delivery to third parties. • Device owners can invade the privacy of others by secretly capturing audio/video of them. • Device owners may take pictures of a company’s sensitive material. • Malware may infect the device and perform surveillance on the user.
06-ch06.indd 246
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
247
Mobile device management tools typically have configuration policies for disabling cameras and microphones. If the organization/users can stomach this outcome, it is the best solution to implement. Also, be sure to include all camera and microphone security requirements in a security policy to make it clear to users what devices are allowed and not allowed—and what the acceptable uses are.
PART II
EXAM TIP To counter the malware, be sure to use antivirus software, follow Internet and e-mail security best practices to minimize malware acquisition, and don’t “root” or “jailbreak” your device. In the latter case, you’d be weakening the overall security of the device, which would further subject it to malware infections. As for general applications that require permissions to your camera/microphone, you may be able to suppress some permission requirements through device-hardening techniques. Also, apps may be available on the app store that can perform these hardening techniques for you.
SD Port
Secure Digital (SD) ports support the connection of small portable memory flash cards frequently attached to laptops, mobile devices, and some desktops. As with USB flash media, SD card connections are immediately rewarded with a mounted drive letter. If the OS is set to auto-play the flash card, malware may be able to run immediately—and potentially extract confidential materials from the system. Mitigations for SD port risks include the following:
• Implement removable device Group Policies to suppress SD card connections. • Disable auto-play to prevent malicious code from automatically running. • Prohibit the use of SD card media via a security policy. • Prohibit the connection of external SD readers on PCs.
HDMI and Audio Output
High-Definition Multimedia Interface (HDMI) has blossomed over the past 15 years due to its ability to simultaneously support high-definition video (and now 4K) resolutions and surround sound audio systems—all on one cable. With desktops, laptops, monitors, and TVs frequently having HDMI ports, hackers have found a way to use them against us. Elite hackers are able to use available HDMI ports to hack into monitors to spy on users, steal data, and even manipulate what users see onscreen. Plus, with HDMI supporting Ethernet, attackers may use HDMI-compromised systems to attack other systems on Ethernet networks. The most practical solution at this time is to prohibit access to HDMI ports, or use DVI or DisplayPort technology as a workaround.
File and Disk Encryption It’s tempting to think that file permissions should be enough to secure files. After all, if someone doesn’t have permission to a file, why would it also need to be encrypted? Answer: permissions aren’t pervasive. They effectively disappear when files or drives are
06-ch06.indd 247
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
248
moved to another machine, when attackers boot up machines with an alternate OS or boot media, and when attackers launch horizontal privilege escalation attacks. File encryption typically addresses these concerns by encrypting files using a symmetric encryption key and then protecting the symmetric key with a hidden asymmetric private key. With a few exceptions, only the user with the hidden private key can decrypt the file. Those exceptions are when an encrypted file is shared with another user and when a data recovery agent (DRA)—usually the administrator or root account— attempts to access the file. If an unauthorized user attempts any of these exploits against the encrypted file, it will error out. NOTE A popular file encryption tool is Microsoft’s Encrypting File System (EFS). Unless proactive steps are taken, file encryption carries some negatives. For example, access to an encrypted file is prevented if the private key is corrupted or lost, performance may decrease slightly, and sharing encrypted files can occasionally be tedious.
Disk encryption goes deeper by encrypting the entire internal drive, volume, or external drive. This simplifies the process of bulk file/folder encryption; plus, the drive may gain the protection from Trusted Platform Module (TPM) chips, secure and measured booting methods, and UEFI firmware. As a result, disk protection provides stronger protections against online and offline attacks, as opposed to just file encryption. Like file encryption, loss of private keys or recovery keys can complicate access to the drive, performance will drop a little bit, and moving drives between systems requires some added steps. Also, disk encryption may be vulnerable to what’s known as a cold boot attack. Such an attack involves the hacker obtaining encryption keys from RAM due to the RAM not clearing out in a timely manner during a recent reboot or shutdown operation. Additional attempts to ensure memory is cleared out should be taken, and increased physical security should help prevent access to the machine to thwart such attacks. Careful planning and implementation of file and drive encryption should help mitigate all these challenges. NOTE For additional information about file and disk encryption, refer to Chapter 15.
Firmware Updates Firmware is a combination of low-level instructions and the nonvolatile memory it’s stored on such as electrically erasable programmable read-only memory (EEPROM). Your computer’s BIOS is a good example of a firmware chip. When devices are powered on, firmware guides the device’s startup, self-test, and diagnostic sequences before handing off control to an operating system. In addition to computer BIOSs, other devices have firmware, including network equipment, mobile devices, gaming consoles, smart TVs, appliances, IoT devices, and more.
06-ch06.indd 248
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
249
PART II
Although organizations are generally keen on installing OS and application patches, firmware updates are often neglected. Unlike patches, which address software issues, firmware updates resolve hardware issues. Firmware can have vulnerabilities like any other software, yet the attacks against them can have ramifications on hardware such as permanently DoS’ing the hardware. This is when the firmware is irrecoverably damaged and no longer usable. Although firmware updates are critical to an organization’s overall update strategy, you should first do some research with the firmware vendor before you update. Installing updated firmware carries a slight risk of permanently “bricking” your firmware and, subsequently, the device due to a failed update installation. As a result, you must be sure the update is needed and that you’re comfortable with the installation process. Some firmware updates are optional due to negligible benefits, or limited scope and applicability to customers; meanwhile, firmware updates marked as “critical” or “recommended” should be mandatory. Updates may resolve bugs, add new functions or security features, or increase resilience against various exploits, including rootkits. Rootkits are particularly dangerous since they can take over your machine while concealing themselves in your firmware. Plus, many diagnostic tools wouldn’t think to look in your firmware for threats. You will probably have to manually download the firmware from the vendor; however, some devices can automate this process. Be sure to review the vendor’s website for instructions on backing up the current firmware, if possible, and recovering it in the event of a failed firmware update process. If no such disaster recovery options are available, you’ll want to be especially sure such a firmware upgrade is truly necessary before proceeding.
Boot Loader Protections
Boot loader protections provide assurances that only a trusted boot loader—the program that loads an OS—is permitted to run during a computer’s startup routine. This is important because many of the security controls, such as authentication, permissions, antimalware, and host-based firewalls, are only operational after an OS finishes loading. Boot loaders aren’t protected by those security controls. Looking elsewhere, Basic Input/ Output Systems (BIOSs) offer limited security benefits; plus, many security practitioners are not accustomed to the security features offered by the more recent Unified Extensible Firmware Interface (UEFI) and Trusted Platform Module (TPM) chips. Today’s hackers are attacking OS launches with rootkits, bootkits, alternate OSs, and unapproved storage devices; therefore, we need to provide assurances that only our boot loaders are approved for execution. This section takes a look at various boot loader protections offered by Secure Boot, Measured Launch, Integrity Measurement Architecture, BIOS/UEFI, attestation services, and TPM.
Secure Boot For the better part of the past 40 years, the startup of a computer has been controlled by the BIOS firmware chip. Besides the easily circumvented BIOS password, there’s little else the BIOS offers in the way of startup security. After the BIOS completes its internal
06-ch06.indd 249
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
250
startup routines, it’ll blindly load whatever boot loader it encounters first. To prevent unauthorized boot loaders from starting, we should consider implementing a fairly new security feature called Secure Boot. Secure Boot is made available through UEFI firmware that will only load trusted, digitally signed boot files, as per the original equipment manufacturer (OEM).
Secure Boot Process
Here are the basic steps involved in the Secure Boot process: 1. The computer is turned on. 2. The firmware’s digital signature is validated to assure the host no rootkits are present. 3. The firmware verifies that the boot loader on the storage device has a valid, trusted, and tamper-free digital signature. 4. The firmware starts the trusted boot loader.
Since the hacker’s OS/malware shouldn’t have an approved digital signature, Secure Boot will not load the code. These signatures are stored in memory and must be updated through an OEM-supported database if you want to add unsupported boot/OS code of your own at launch. Windows 8+ and various Linux distributions have added support for Secure Boot. If your UEFI computer also has a BIOS, make sure Secure Boot is enabled in the BIOS if you want to use it.
Measured Launch With malware increasingly infecting devices early in the boot cycle, we require a means to verify the trustworthiness of the boot environment. To the rescue is the Measured Launch (also known as Measured Boot) in which TPM chips measure the cryptographic integrity of several boot components through the use of digital signatures. These TPMdriven Measured Launches are implemented by specific TPM implementations such as Intel’s Trusted Execution Technology (TXT) and the one from the Trusted Computer Group (TCG). Upon startup, the OS will perform a chain of measurements on each boot component’s digital signature and then compare the measurements to those stored in the TPM chip in order to validate the boot process and prevent malware infections. These measurements may include the host’s firmware, OS boot files, certain applications, registry configurations, and even drivers. Upon validation of the boot components, the measurements are stored on the TPM, which will then serve as the baseline values for subsequent bootups. Should a measurement fail, the OS will not load due to its untrusted status. Like Secure Boot, Windows 8+ and various Linux distributions support Measured Launch. Just be mindful that early boot-cycle tests will slow down the bootup a bit.
06-ch06.indd 250
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
251
EXAM TIP Whereas Secure Boot focuses on allowing only authentic OSs to run, Measured Launch scrutinizes the integrity of all boot components. Measured Launch goes even deeper to provide assurances of a trusted OS platform.
Similar to Measured Launch, Integrity Measurement Architecture (IMA) is an open source method frequently used on Linux systems. It helps provide assurances that the Linux OS has a trusted boot environment. IMA works with the Linux kernel to validate OS file integrity prior to loading. After each critical boot file is hashed, its hash measurement is compared to the measurement stored on the TPM chip. If the two don’t match, the file is considered untrusted and does not load—thus the OS will not load.
PART II
Integrity Measurement Architecture
BIOS/UEFI The BIOS is a crucial firmware chip stored on a device’s motherboard that performs the hardware initialization and the subsequent OS startup. The BIOS code is stored on a special ROM chip that contains a small amount of code that can be updated (flashed) whenever the vendor releases an update. The two most important things the BIOS does are performing the Power-On Self-Test (POST) and launching an operating system. In just a second or two, the POST will check the CPU, BIOS, RAM, motherboard, and other hardware to ensure they are functional. Immediately afterward, the BIOS looks for a boot loader to transfer the startup to an operating system. The BIOS doesn’t have much in terms of security, but here are a few features:
• User password The user must supply this password the moment the machine turns on. • Supervisor password The user must supply this password to enter the BIOS setup screen. • LoJack Allows the user to track a lost laptop. It’s pretty well-known as this point that the user and supervisor passwords can easily be erased by pulling the CMOS battery, or by using the CLR_CMOS button or jumper on the device’s motherboard. Addressing the lack of security features, among many others, UEFI firmware is the heir apparent to the aging BIOS. The UEFI can perform the same functions as the BIOS, in addition to the following:
• Faster bootup • Utilization of a GUID Partition Table (QPT) to access larger hard drives (2TB+) and more partitions
06-ch06.indd 251
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
252
• Support for Secure Boot and Measured Boot/Launch • Support for a mouse via the setup utility menu • CPU independence • Ability to use more memory Security professionals will remark about UEFI’s ability to secure the “handoff ” between the hardware initialization and the OS startup, whereas BIOS isn’t concerned about this.
Attestation Services TPM chips provide attestation services to authenticate the identity and integrity of software. Such identification is initially tested by secure OS startup procedures such as Secure Boot and Measured Launch. However, the TPM gets the final say as to the overall trustworthiness of the computing platform. The TPM generates hashes for all critical bootup components, compares the hashes to a list of known hashes, and attests that no tampering has occurred. This information can then be shared with a third party who can independently verify the attested information in a process known as remote attestation. Attestation is also used for verifying that an entity requesting a certificate from a Certificate Authority (CA) is using a private key generated by a valid TPM chip.
TPM Designed by the Trusted Computing Group (TCG), a Trusted Platform Module (TPM) is a secure chip that contains a cryptoprocessor built into modern computer motherboards for the purpose of performing various security functions relating to certificates, symmetric and asymmetric keys, and hashing. Central to TPMs are the builtin public/private key pair known collectively as the endorsement key (EK). This key is signed by a trusted Certificate Authority. In addition, the TPM has another built-in key known as the storage root key (SRK). This key is used to secure the other keys stored in the TPM.
TPM Features
Due to the built-in, and tamper-free, cryptographic keys built into the TPM, TPMs provide root of trust benefits—in other words, it is the entity on which all other trust is based. Basically, if the TPM says something is trustworthy, who are we to argue? However, TPMs provide specific forms of root of trust—chiefly the following:
• Root of trust for reporting Assures entities that the system state is trustworthy • Root of trust for storage Assures entities that secrets remain secret
06-ch06.indd 252
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
253
In essence, TPM chips provide low-level functions that allow more complex features to be supported, including the following:
PART II
• Attestation services • Computing hashes • Generate random numbers • Integrity validation • Key generation and management • Performing public key cryptography functions • Secure storage of keys • Binding storage devices to a particular computer (Microsoft BitLocker) • Sealing the system’s state or configuration to a specific hardware and software configuration to prevent unauthorized changes
Vulnerabilities Associated with Hardware
With all the attention given to software vulnerabilities, attackers often go unnoticed when they exploit hardware vulnerabilities instead. Although far more software vulnerabilities are known and exploited, hardware vulnerabilities are, in some cases, even bigger than software vulnerabilities. Perhaps you heard of the recent and catastrophic CPU vulnerabilities called Meltdown and Spectre? They collectively affected nearly every CPU manufactured in the past two decades! Hardware of various types have vulnerabilities that you should keep an eye out for. Use the following list to guide your efforts:
• Older PCs, laptops, and mobile devices are less likely to be vendor-supported and are more subject to DoS attacks due to slow performance. • Devices without UEFI chips won’t support Secure Boot or Measured Launch features. • Devices without TPM chips won’t support Measured Launch or the strongest drive encryption features. • Devices might have outdated firmware that the vendor isn’t updating anymore. • IoT devices generally have little to no security features configured, or even available. • Jailbroken iOS devices or rooted Android devices reduce security while voiding the warranty. • Manufacturer backdoors allow the vendor easy access to the device—in many cases without your knowledge. • Counterfeit hardware might be sold as a name-brand device unbeknownst to the device owner.
06-ch06.indd 253
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
254
To reduce your risk of hardware vulnerabilities, you should always buy name-brand hardware from trusted distributors. If possible, you should also migrate away from unsupported legacy hardware, which is particularly susceptible to zero-day vulnerabilities. It’s also important that you follow the hardware vendor’s recommendations on proper installation, configuration, and maintenance. Also, don’t forget to update the firmware. Hackers like to target devices with outdated hardware for a reason.
Terminal Services/Application Delivery Services
This topic will be discussed at length in Chapter 13. For a brief summary, Microsoft has renamed Terminal Services as Remote Desktop Services (RDS), which provides desktop and application virtualization services via the Remote Desktop Protocol (RDP). The basic premise behind this is that the client offloads the majority of or all resource responsibilities onto the server, thereby defining the client’s role as a thin client. The degree of resource delegation will vary based on whether the RDS solution is hosting a remote desktop environment (which includes an OS and applications) or a RemoteApp (which includes applications only) for a client’s remote consumption. RDS solutions have many roles, as summarized here:
• Remote Desktop Connection Broker Manages load balancing across RDS session host servers, in addition to reconnections to virtual desktops • Remote Desktop Gateway Manages authorization to virtual desktops • Remote Desktop Licensing Manages RDS client access licenses (CALs) to permit clients access to the RDS solution • Remote Desktop Session Host Allows the server to host RemoteApp connections • Remote Desktop Virtualization Host Permits users to access RemoteApp and virtual desktops • Remote Desktop Web Access Permits users to access RDS through a web browser or the Windows Start menu
Chapter Review
In this chapter, we covered the analysis of scenarios for integrating security controls for host devices to meet security requirements. The first section was on trusted operating systems, which covered the Orange Book, Common Criteria, Evaluation Assurance Levels, Protection Profiles, and a couple Linux-based security modules called SELinux and SEAndroid. We also talked about the Trusted Solaris OS and its replacement in Solaris Trusted Extensions. We wrapped up this section with coverage of least functionality and how it locks down trusted OSs or otherwise provides the minimal permissions required for job/task completion. The next topic for host device security focused on types of endpoint security software. The most fundamental of all types is antimalware software, which covers all malware forms. Although less common, tools such as antivirus and anti-spyware focus more
06-ch06.indd 254
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
255
06-ch06.indd 255
PART II
specifically on certain types of malware. Spam filters are needed on e-mail servers and clients to keep organizational spam under control. Patch management is a useful strategy for installing patches across host devices throughout the organization. Devices also need host-based intrusion prevention and intrusion detective systems to stop threats or alert the organization about threats in progress. A fairly new security control called data loss prevention (DLP) is necessary for ensuring good organizational data doesn’t leave the corporate boundary. Critical to any host is the implementation of a host-based firewall such as the Windows Defender Firewall built into Windows 10. Log monitoring helps detect security breaches that are ongoing or have occurred previously. Lastly, we have endpoint detection response, which focuses on threat intelligence research to ensure we learn more about threats before removing them prematurely. Host hardening is a large topic in itself, yet all of its components have one thing in common—they improve upon the default settings of the device. Fundamental to host hardening is the implementation of standard operating environments, which is typically achieved with OS disk images. This helps ensure consistency across desktop and server builds. Configuration baselining takes that approach to locking down the settings on desktop and server operating systems and applications. Part of these configuration baselines is the whitelisting and/or blacklisting of applications to ensure only appropriate applications are installed on systems. Group Policy plays a strong role in host hardening, given the thousands of user and computer-level options available for system lockdown. Command shell restrictions also harden the system by restricting what commands are available to the end user and IT personnel. Patch management appears again in this section, but only to highlight manual versus automated patch deployment methods. The next several topics touched on requirements for configuring dedicated network interfaces, starting with out-of-band management, which focuses on managing traffic flow away from everyday network traffic. ACLs help to filter packets sent to/from these interfaces. A management interface is an in-band interface for communication with host devices via either a dedicated port or a logical port defined via a VLAN. Data interfaces support communications for everyday host devices, yet still must be locked down with a variety of switch security options. The topic of external I/O restrictions covers USB, a variety of wireless connectivity methods such as Bluetooth, NFC, IrDA, RF, 802.11 (and its various standards and security requirements), and RFID. Storage devices also come in external form, which may result in drive mounting and involves a user automatically accessing the drives contents. Meanwhile, drive mapping allows a user to map a remote, removable storage device located on one drive so it appears as a locally connected device on the user’s computer. Multimedia devices such as webcams, recording mics, and audio outputs also connect to a system externally and come with various security vulnerabilities and mitigations accordingly. SD ports accommodate small flash cards, which bring ingress and egress threats like USB flash drives, and HDMI ports are subject to monitorbased hijacking attacks. File encryption incorporates encryption techniques on files and folders, whereas disk encryption focuses on encrypting entire drives, volumes on drives, and external drives for complete protection against various online and offline attack vectors. The last topic of this section covers the importance of firmware updates on all supported device types.
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
256
The next section of the chapter covered boot loader protections—the first of these being Secure Boot, which focuses on loading only trusted OSs. Next was Measured Launch, which deepens the scope of Secure Boot by doing independent integrity checks on all critical boot components. Integrity Measurement Architecture is similar to Measured Launch but is open source and specific to Linux-based systems. We talked about the legacy BIOS firmware and its replacement in UEFI as well as the various security features offered by it. We talked about TPM chips and how they provide root of trust and attestation services for the host device’s integrity. The second-to-last section covered vulnerabilities associated with hardware. This included coverage of old hardware not supported by vendors as well as hardware lacking UEFI chips and TPMs. It also included coverage of jailbroken or rooted mobile devices as well as counterfeit devices. The last section of the chapter covered Terminal Services and application delivery services. Although certain fundamentals are covered in Chapter 13, we added a little extra to this topic by focusing on Microsoft Remote Desktop Services and its RemoteApp feature.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Trusted Operating System • A trusted OS is one we can place a certain level of trust in based on the various levels established by the Orange Book. • The Orange Book was replaced by the Common Criteria (CC), which is a multinational program in which evaluations conducted in one country are accepted by others that also subscribe to the tenets of the CC. • Multilevel security implements multiple classification levels, and the operating system has to maintain separation between these levels of all data and users. • Evaluation Assurance Levels (EALs) rate operating systems according to their level of security testing and design. • CC has replaced EALs with Protection Profiles, which define more accurate and trustworthy assurance levels for operating systems. • SELinux is a group of security extensions that can be added to Linux to provide additional security enhancements to the kernel. • SEAndroid is the SELinux extensions adapted to the Android OS. • Deprecated now in favor of Solaris Trusted Extensions, Trusted Solaris was a group of security-evaluated OSs based on earlier versions of Solaris. • The principle of least functionality is a requirement that only the necessary privileges are granted to users to access resources.
06-ch06.indd 256
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
257
Endpoint Security Software
PART II
• Endpoint security refers to a security approach in which each device is responsible for its own security. • Antimalware software is a general-purpose security tool designed to prevent, detect, and eradicate multiple forms of malware, such as viruses, worms, Trojan horses, spyware, and more. • Antivirus software is designed specifically to remediate viruses, worms, and Trojan horses. • Anti-spyware software specifically targets the removal of spyware. • Spam filters identify malicious or undesirable e-mails and prohibit them from invading the user’s mailboxes. • Patch management is the process of acquiring, testing, deploying, and maintaining a patching solution for an organization’s devices. • HIPS is a host-based program that prevents threats from attacking the system. • HIDS is a host-based program that generates alerts when the system is being attacked. • DLP prevents desirable and sensitive materials from leaving the corporate boundary unless the policy permits it. • Host-based firewalls control which traffic is allowed or denied from entering and exiting the computer. • Log monitoring is the process of examining host logs in order to detect signs of malicious activity on the device. • Endpoint detection and response (EDR) solutions will initially monitor a threat by collecting event information from memory, processes, the registry, users, files, and networking, and then upload this data to a local or centralized database.
Host Hardening • Hardening is designed to make it harder for attackers to successfully penetrate a system. • Standard operating environments include a pre-defined disk image of an operating system, applications, and configurations to provide consistent host device experiences across the organization. • Configuration baselines focus on standardizing configurations across applications or operating systems. Standard operating environments build the machine whereas configuration baselines configure the machine. • Application whitelisting focuses on explicitly allowing only certain applications, to the exclusion of all others.
06-ch06.indd 257
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
258
• Application blacklisting focuses on explicitly denying only certain applications, to the exclusion of all others. • Group Policy is a set of rules that provides for centralized management and configuration of the operating system, user configurations, and applications. • Command shell restrictions limit what commands are available to users and IT personnel. • Manual patch management improves controls, whereas automated patch management improves speed. • Configuring dedicated interfaces is necessary to ensure that an interface is isolated from all other interfaces and traffic flow patterns. This is necessary for management traffic. • Out-of-band management is an example of a dedicated interface in that it requires a separate communications channel. • Network ACLs use packet filters to lock down network interfaces. • A management interface is a dedicated physical port, or VLAN logical port, that permits in-band management of host devices. This doesn’t require an isolated and private communications link. • Data interfaces are the everyday communications channels that exist between hosts and network appliances such as switches. The majority of security features are switch-related to protect the hosts and network from attackers. • External I/O restrictions focus on disabling USB devices to guard against data exfiltration or malware propagation, as well as on the various wireless technologies—from Bluetooth and NFC to 802.11, IrDA, and RFID. • Drive mounting permits users to access the files and folders on the file system. • Drive mapping permits a user to map a drive on another system to a local drive letter on their computer. • Webcam and recording mics should be disabled or used sparingly to prevent spyware or other attacks from hijacking these devices and selling your data. • SD port restrictions should be little to no different from those of USB external drive connections. Ingress and egress threats are equally bad. • HDMI and audio output should be restricted due to the possibility of attackers using these cables to hijack the audio and video output of your devices. • File encryption is necessary for providing independent encryption capabilities to files and folders on a file system, whereas disk encryption encrypts the entire disk, volume, or external drive from various online and offline attacks. • Firmware updates are critical to securing devices from attacks that focus on outdated firmware. Some attacks can brick a device permanently, so this is an important update requirement.
06-ch06.indd 258
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
259
Boot Loader Protections
PART II
• Boot loader protections provide assurances that only trusted boot loaders—the program that loads an OS—are permitted to run during a computer’s startup routine. • Secure Boot is a feature made available through UEFI firmware that will only load trusted, digitally signed boot files, as per the original equipment manufacturer (OEM). • Measured Boot uses TPM chips to measure the cryptographic integrity of several boot components through the use of digital signatures. • Integrity Measurement Architecture (IMA) is an open source method frequently used on Linux systems. • BIOS is a crucial firmware chip stored on device motherboards that perform the hardware initialization and the subsequent OS startup. • UEFI firmware chips add various security features missing from BIOSs, such as faster bootup, larger partition sizes, Secure Boot and Measured Boot, mousedriven setup utility, and the ability to utilize more memory. • TPM chips provide attestation services to authenticate the identity and integrity of software. • TPM is a secure chip that contains a cryptoprocessor built into modern computer motherboards for the purpose of performing various security functions relating to certificates, symmetric and asymmetric keys, and hashing.
Vulnerabilities Associated with Hardware • Hardware vulnerabilities are equal if not more significant than software vulnerabilities, even if there are less of them comparably. • Hardware vulnerabilities include older PCs, devices lacking UEFI and TPMs, outdated firmware, jailbroken or rooted devices, manufacturer backdoors, and counterfeit components.
Terminal Services/Application Delivery Services • Microsoft has renamed Terminal Services as Remote Desktop Services (RDS), which provides desktop and application virtualization services via the Remote Desktop Protocol (RDP). • The client offloads the majority of or all resource responsibilities onto the server, thereby defining the client’s role as a thin client. • RemoteApp is an RDS solution that permits applications to be hosted on the RDS server while accessed remotely by users.
06-ch06.indd 259
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
260
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. In a firewall, where should you place a “default” rule stating that any packet with any source/destination IP address and any source/destination port should be allowed? A. It should be the first rule so that it will always be checked. B. It doesn’t matter where it is placed as long as you have it in the rules somewhere. C. You should never have a rule like this in your rule set. D. It should be the last rule checked.
2. Which of the following is a common firewall found and used on Linux-based machines? A. iptables B. Snort C. Defender D. Check Point
3. You need to generate a rule that allows web-destined traffic to pass through your firewall. Which of the following rules will do that? A. iptables –A INPUT –p tcp –i eth0 –-dport 25 --sport 1024:65535 \ -m state –-state NEW –j REJECT
B. iptables –A INPUT –p tcp –i eth0 –-dport 80
--sport 1024:65535 \ -m state –-state NEW –j REJECT
C. iptables –A INPUT –p tcp –i eth0 –-dport 25
--sport 1024:65535 \ -m state –-state NEW –j ACCEPT
D. iptables –A INPUT –p tcp –i eth0 –-dport 80
--sport 1024:65535 \ -m state –-state NEW –j ACCEPT
4. An operating system is said to implement multilevel security if it: A. Introduces multiple levels of authorization such that users must authenticate
themselves every time they wish to access a file B. Includes multiple layers of security, such as having both firewalls and intrusion detection/prevention systems built into it C. Implements a system where information and users may have multiple levels of security and the system is trusted to prevent users from accessing information they are not authorized to see D. Can be said to be both trustworthy and reliable
06-ch06.indd 260
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
261
5. If you require a trusted operating system environment, as described in this chapter, which of the following operating systems might you consider deploying? A. Windows 2008 Server B. SELinux C. Red Hat Linux D. Windows 7
A. Spyware
PART II
6. Which of the following is a program that replicates itself by attaching to other programs? B. Trojan horse C. Virus D. Worm
7. As a parent, you may be interested in monitoring the activities of your child on your computer system. If you are interested in determining what activities your child is involved in on the computer, which of the following pieces of software might you be tempted to install? A. Trojan horse B. Phishing software C. Firewall D. Keylogger
8. What is one of the major issues with spam filters that rely solely on keyword searches to determine what to filter? A. Keyword searches are too labor intensive and therefore take too long to
accomplish (thus slowing the system response time down). B. Keyword searches may filter e-mail you don’t want to filter because the keyword may be found as part of legitimate text. C. It is hard to define the keywords. D. Keyword searches generally do not work. 9. From a security standpoint, why is having a standard operating environment (SOE) important? A. Without an SOE, administrators will be hard pressed to maintain the security of systems because there could easily be so many different existing configurations that they would not be able to ensure all are patched and secured correctly. B. Having an SOE has nothing to do with security and is purely an administrative tool. C. Having an SOE allows administrators to take advantage of large-scale, bulk ordering of software, thus saving funds. D. Having an SOE is essential in order to implement Active Directory correctly.
06-ch06.indd 261
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
262
10. If you want to implement a restricted shell in a Unix environment, which of the following would you use? A. ksh B. csh C. rbash D. sh
11. Which of the following technologies would be most appropriate in your inventory control efforts? A. RFID B. NFC C. IrDA D. 802.11i
12. From a security standpoint, why might you want to protect your database of inventory items? A. Regenerating it if it is lost can be costly. B. Losing something like this would be an indication of a lack of general security
procedures and processes. C. Because it would contain information on the hardware and software platforms your organization uses and thus would provide an attacker with information that could be used to determine vulnerabilities you might be susceptible to. D. If a software or hardware vendor obtained a copy of it, you might find yourself inundated with sales calls trying to sell you any number of products. 13. If you are in a banking environment, what type of information might you look for in traffic that is leaving your organization in order to protect against data exfiltration by somebody who may have gotten unauthorized access to your system? (Choose all that apply.) A. Files containing strings of 9-digit numbers (which might be social security numbers) or numbers that might represent bank accounts B. Large data files being sent out of your organization in an unencrypted manner C. Files, or even e-mail, that contain numerous occurrences of numbers that could be phone numbers or ZIP codes D. Files or e-mail that contain sequences of digits that could be credit or debit card numbers 14. Which of the following is a common use for Trusted Platform Modules? A. To authenticate and decrypt external storage devices B. To authenticate and decrypt internal storage devices C. To perform antivirus scans D. All of the above
06-ch06.indd 262
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
Chapter 6: Security Controls for Host Devices
263
15. Which type of intrusion detection/prevention system is based on statistical analysis of current network or system activity versus historical norms? A. Signature based B. Abnormal behavior based C. Pattern deviation based D. Anomaly based PART II
16. When a computer turns on, the UEFI checks to make sure that the operating system is on the supported list of digitally signed operating systems. Which of the following features provides this capability? A. BitLocker B. Group Policy C. Measured Launch D. Secure Boot
Answers 1. D. You should have this as the last rule so that if none of the other rules is invoked, the system will fall through to this one and know what to do. 2. A. Iptables is the specific firewall we discussed in the chapter, and it is found in releases of Linux. 3. D. This is the sample rule we showed in the chapter that allows web traffic to pass. 4. C. This is a description of multilevel security. Generally, when somebody wants to utilize trusted operating systems, it is because they want to implement multiple levels of security on the system. 5. B. SELinux is the only one of the operating systems listed that implements mandatory access controls, which allow for multiple levels of security. 6. C. This is the definition of a virus. 7. D. Although you should be careful where you obtain it from, a keylogger will record all keystrokes that your child makes, allowing you to determine what they are doing on the computer. 8. B. Filtering based solely on keywords could mean you filter e-mail that contains legitimate occurrences of the string you are searching for. The chapter used the example of filtering on “cialis,” which is often found in spam related to the sale of drugs; yet this pattern is also found in the word “specialist.” Thus, you might filter a perfectly legitimate e-mail. 9. A. This is the key. If your organization has a large number of systems, without having a standard operating environment, configuration control could quickly get out of hand, and maintaining the security of numerous, disparate systems would become untenable.
06-ch06.indd 263
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 6
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
264
10. C. The rbash command invokes the bash shell in restricted mode. 11. A. RFID was mentioned in this chapter as a technology that can be useful in tracking individual inventory items. 12. C. Knowing what hardware and software you have provides an attacker a tremendous boost in terms of determining what attacks to try against you. 13. A, B, C, D. All of these might very well be indicators of information being sent out of your organization that shouldn’t be. Even e-mails that are not encrypted and that contain more than one account or credit card number could indicate a problem. 14. B. Trusted Platform Modules (TPMs) have many purposes, including authenticating internal storage devices and then decrypting them. 15. D. This is the definition of anomaly-based detection. 16. D. Secure Boot is a UEFI feature that only boots up operating systems that are digitally signed and supported by the vendor.
06-ch06.indd 264
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CHAPTER
Mobile Security Controls
7
This chapter presents the following topics: • Enterprise Mobility Management • Security Implications/Privacy Concerns • Wearable Technology
It goes without saying that mobile devices have permeated the globe in the past decade, with a variety of wearable devices catching fire in the past few years. When you hear people talking about mobile devices and wearables, there’s always that one person who comes out with the Terminator “Skynet” joke, where all the technology in our society coalesces into an artificial intelligence ring—always a threat to the human race. Look around: today’s mobile technologies have been scattered across the environment, into our homes, and are now being worn or implanted into our bodies. On top of this, surveys show that tens of billions of devices will be connected to the Internet by 2020. We’re all going to be hearing a lot more Skynet jokes over the next few years. Our job as security practitioners is to understand this mobile device revolution, the various devices, how they work, how to manage them, and the unique security considerations inherent in their usage at the enterprise. We start this chapter off with enterprise mobility management, which is largely about mobile device management (MDM) tools. Next, we dive into the various security and privacy concerns inherent in an industry populated by devices loaded with cameras, microphones, and radio antennas. We then end the chapter by discussing various wearable technologies and their benefits, in addition to the security risks they bring.
Enterprise Mobility Management
One way or another, all enterprises have to deal with the mobile device “movement”—it’s just a question of how. Should enterprises shoulder the burden of purchasing all mobile devices? Should they transfer the costs to the users? Should they use a mobile device management tool or take their chances managing mobile devices in silos? Better yet, should they disallow mobile devices entirely? Not surprisingly, each path offers a sliding scale of costs versus benefits, and it’s up to the enterprise to choose wisely. Assuming that mobile devices will be permitted at some level, they must be managed. Yet again, it becomes a
265
07-ch07.indd 265
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
266
question of how, because mobile device management is challenging. Here are some challenges that enterprises must consider:
• Budget • Compliance and security policy requirements • Device types and versions • OS types and versions • Inventory management • Logging and auditing • Application management • Patch management • Employee usage patterns One thing we feel fairly certain about is a centralized approach to management is usually the best option because it provides a consistent and comprehensive way of locking down devices to meet security policies and compliance requirements—while still allowing users to be productive. This section covers some of the issues regarding enterprise mobility management and the recommended solutions.
Containerization Mixing business with pleasure is a balancing act in life, as it is with mobile computing. Enterprises routinely face the challenge of corporate data and personal data coexisting on the same device. Enterprises run the risk of either over-managing the device at the expense of personal data or under-managing the device at the expense of corporate data. This is a common occurrence in “bring your own device” (BYOD) scenarios since users accumulate more personal data on devices they own. Containerization addresses this issue by isolating corporate data into a protected and encrypted container stored on the mobile device. Corporate data resides inside the container, and user data resides outside the container. Organizations are now free to manage the corporate data, or the container as a whole, without fear of compromising the personal data. Such management will typically be performed by MDM policies from products such as VMware AirWatch and Microsoft Intune.
Configuration Profiles and Payloads A big part of managing mobile devices is ensuring their complete and timely configuration as per enterprise requirements. Considering the vast differences between devices, and potentially being located anywhere in the world, enterprises are turning to cloudbased MDM platforms to centralize control. MDM tools allow us to create and assign configuration profiles that are, essentially, the next-generation of group policies. Configuration profiles are groups of OS and application settings applied to various devices inside and outside of an enterprise. Configuration profiles can be tailored to specific
07-ch07.indd 266
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
267
device types or generalized across a mix of device types. Let’s take a look at some examples of configuration profiles that VMware AirWatch can add:
PART II
• Android • Apple iOS • Apple macOS • Apple TV • BlackBerry • Chromebook • Symbian • Windows Mobile • Windows PC • Windows Phone NOTE If you’re looking for some recommendations for MDM tools, then VMware AirWatch, MobileIron, SOTI MobiControl, and Microsoft Intune are all great choices. MobileIron and AirWatch in particular are the market leaders.
Let’s say you want to assign a Microsoft Intune configuration profile to an Android device. You could choose from the following configuration profile types:
• Device restrictions • E-mail configuration • Wi-Fi configuration • VPN configuration • SCEP certificate • PKCS certificate • Trusted certificate • Custom For example, if you were to select the “Wi-Fi” profile type and then select “Enterprise,” you would be required to set up the SSID, automatic connection option, SSID broadcast option, and the EAP type, such as EAP-TLS, EAP-TTLS, or PEAP. These individual settings are sometimes called payloads. If we were to choose the “Device Restrictions” profile type, you could choose from a variety of password options, such as minimum length, password expiration, password complexity, biometric support, and so on. You would also be able to choose other generalized options, including disabling the device camera, screen capturing, and default app permissions, among several other options. Figure 7-1 shows a screenshot of creating a configuration profile for an Android device.
07-ch07.indd 267
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
268
Figure 7-1 Microsoft Intune configuration profile
Personally Owned, Corporate-Enabled (POCE) Personally owned, corporate-enabled (POCE) is basically another way of saying BYOD. Over 50 percent of enterprises allow workers to use personal devices to perform workrelated tasks—with this number expected to steadily rise in the next few years. If this is the case, enterprises will typically require the device to be “onboarded” as a condition for allowing it to access the enterprise network. Onboarding formally aligns the device with company policies and requirements. This includes installing apps as well as enabling drive encryption, PIN numbers, biometrics, location, remote backup, remote wiping services, and numerous other device restrictions. The easier this outcome, the more likely enterprises will trust BYOD.
Application Wrapping MDM policies allow us to apply additional protections to mobile applications through a configuration process called application wrapping. Application wrappers are additional security features added to a mobile application that don’t modify the underlying functionality of the application itself. These additional security requirements can include the following:
• User must authenticate to use the application. Even if the application itself doesn’t support authentication, the wrapping can still add the functionality. • Restrict certain data types from being stored on the device. • Restrict who is allowed to download specific applications. EXAM TIP It’s important to emphasize that application wrapping allows enterprises to apply additional security requirements atop an application without changing the application’s look or functionality.
07-ch07.indd 268
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
269
Remote Assistance Access
VNC
For enterprises not wishing to use MDM remote assistance capabilities, Virtual Network Computing (VNC) is another option. Discussed in more detail in Chapter 5, VNC’s graphical desktop-sharing capabilities can work for mobile devices because it specializes in vendor neutrality. If we install mobile versions of VNC on mobile devices, we can either support those mobile devices remotely or use the mobile devices themselves to support other devices.
PART II
MDM tools often provide the capability for IT departments to remotely assist users with their mobile devices. Through remote assistance, helpers can access the user’s device screen, observe settings and monitor performance, install or remove applications, and set up e-mail, VPN, or Wi-Fi services. The helper will also have the convenience of using a full-sized desktop to perform remote assistance on a user’s mobile device. As an example, VMware AirWatch offers this through its Remote Management tool, and Microsoft Intune performs remote assistance through a TeamViewer plug-in.
NOTE As discussed in Chapter 5, remember that VNC uses the Remote Frame Buffer (RFB) protocol for remote assistance capabilities.
Screen Mirroring
Sometimes called “screen casting” or just “casting,” screen mirroring involves projecting a copy of a device’s screen contents over a network to another screen, such as a monitor, TV, or projector. For example, if you’ve ever wanted to cast your smartphone’s pictures or videos onto a TV to enlarge them, screen mirroring makes sense. As a general principle, technical support folks’ frown upon screen mirroring for troubleshooting end-user devices since there are a few hoops to jump through. Most support professionals would prefer a dedicated remote management tool instead.
Application, Content, and Data Management MDM tools have other capabilities when it comes to managing and securing applications and data. They can control the deployment of applications to the mobile devices. Typically, the MDM pushes out the application to specific user or device groups, as defined in the MDM console. In the case of Microsoft Intune, user and device groups are created and populated in Microsoft Azure, with Microsoft Intune subsequently assigning applications to the groups. Using the MDM console, we can track a specific application deployment, discover which users have the application, and see if anyone had trouble receiving the application. NOTE Enterprises may publish a “business” app store with hand-picked applications freely available to users for download. These applications may be developed in-house, integrated from other official app stores, or thirdparty applications manually uploaded to the store. The Microsoft Store for Business is a good example of this.
07-ch07.indd 269
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
270
MDM products often have the ability to create application configuration policies that, assuming the application supports them, permit deployment of applications to include custom configurations and security options. If the application doesn’t support such policies, you may be able to use a software development kit to add support to the application. Also, based on application support, MDM tools often provide another feature called application protection policies, which create restrictions on what applications can do to corporate-owned data. Here are some examples:
• Prevent or limit applications from running on jailbroken or rooted devices. • Prevent protected applications from copying data to unprotected applications. • Prevent protected applications from executing other privileges on corporate data such as saving, e-mailing, and copying and pasting content. • Require additional authentication requirements to access the application. • Wipe out company data without affecting the application. In addition to these policies and profiles, we can also create compliance policies and conditional access policies. Here’s a brief summary of each:
• Compliance policy Regardless of whether or not device configurations were implemented by a configuration profile, compliance policies ensure that configurations match their requirements. Compliance policies are often criteria for meeting a conditional access policy. • Conditional access policy These policies stipulate that a user cannot connect to a certain application and its data unless the requirements of the conditional access policy are met. For example, the condition might be the device has to be compliant with the requirements of a compliance policy beforehand. Failing that requirement, the device will not be granted access to an application. NOTE It makes sense that conditional access policies have compliance requirements. After all, would you want your user’s insecure and virus-ridden devices accessing corporate applications and data? That’s a recipe for disaster!
Over-the-Air Updates (Software/Firmware) The term “over-the-air updates” refers to the centralized and wireless distribution of new software, firmware, certificates, and encryption keys to mobile devices. It may also be called “over-the-air programming” or “over-the-air provisioning” (OTAP). OTAP generally provides this wireless service via short message service (SMS) text messages. Once the OTAP message is sent to a device, the update process begins. EXAM TIP Any devices subject to OTAP are prohibited from rejecting the updates. Should the update be prevented somehow, the device is subject to removal from the channel.
07-ch07.indd 270
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
271
Remote Wiping
• Employee loses device or has it stolen Since the employee still works for the company, organizations may want to back up enterprise and personal data to a cloud location so that both parties can regain access to it, and then send a factory-reset remote wipe signal to the device. If a stranger finds the device, no useful data remains. • Employee resigns or is terminated Since the individual no longer works for the company, if the ex-employee still has a company device, or has enterprise data on a personal device, the organization will need to exercise a backup process to back up the enterprise data and then think carefully about how to do the remote wipe. Should they remote-wipe the entire device, including the ex-employee’s personal data, or just wipe out the enterprise data? Organizations are usually protected in all outcomes due to the ex-employee’s signed consent, but that doesn’t mean that enterprises should delete the individual’s personal data also.
PART II
Remote wiping is the process of sending a signal to a remote device to erase specified data. This action may remove enterprise and personal data by factory-resetting the device. In other cases, only the enterprise data is wiped. Our remote wipe capabilities, and the circumstances warranting the remote wipe, help determine whether to wipe out all data or just enterprise data. As you might expect, remote wiping is typically performed through MDM tools. If a remote wipe is needed, the enterprise should send a remote backup signal to back the data up to a cloud computing provider. Upon completion, the data can then be wiped. Here are some conditions that warrant remote wiping:
SCEP Simple Certificate Enrollment Protocol (SCEP) provides an easy process for network equipment, software, and mobile devices to enroll in digital certificates. The word “simple” in the SCEP acronym refers to the minimal intervention required by network administrators to provision SCEP enrollment services and for users to utilize it. You may recall earlier that one of the Microsoft Intune configuration profile choices was called “SCEP Certificate.” Figure 7-2 shows an example of an SCEP configuration profile being created. In many cases, an MDM platform will push out a pre-shared secret to the devices, which the devices use to submit a digital certificate request to a Certificate Authority (CA) server. Upon verification of the pre-shared secret, the CA issues a certificate to the requesting device. Another request method involves the requestor submitting a request to the CA, which requires a CA administrator to manually approve. Either way, once the requestor has a certificate, they are free to use it for authenticated and secured communications with other devices on the network. One of the knocks on SCEP is an unauthorized user might use the pre-shared secret to request their own device to get a certificate. One way to counter this threat is to have different pre-shared secrets for different devices, as opposed to having one pre-shared secret for all of them.
07-ch07.indd 271
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
272
Figure 7-2 Microsoft Intune SCEP Certificate profile
BYOD Bring your own device (BYOD) is the process of allowing employees to bring in their own personal devices, such as laptops, smartphones, and tablets, to work in order to access enterprise applications and data. This is one of the more polarizing topics in the modern IT era due to its fairly even split of advantages and disadvantages.
Advantages and Disadvantages of BYOD
Here are the positives and negatives of using BYOD:
• Advantages The most obvious benefit is the significant cost savings to the enterprise. At the time of this writing, the iPhone XS Max is $1,099. Many enterprises are more than happy for employees to pay that cost themselves. Also, increased productivity will result from people being more familiar with devices they personally own. Such familiarity also leads to reduced training costs. Employees also feel more appreciated due to being trusted to bring their own technology to work. This can lead to a greater sense of morale for an enterprise. Employees also can use one device for enterprise and personal reasons, as opposed to needing two devices to separate business from pleasure.
07-ch07.indd 272
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
273
PART II
• Disadvantages Although there are a lot of advantages to BYOD, many businesses refuse with every fiber of their being to adopt it. The biggest disadvantages revolve around security, privacy, and device configurations. Personal devices spend a lot of time on home or public Wi-Fi networks where they might acquire malware, and then they bring that malware to the enterprise network. Another issue is that a lost device is almost certainly going to be found by an unauthorized party who can access the device’s data. If an employee moves on from the company, they take their personal device (and all enterprise apps/data) home with them. Last, many organizations struggle with standardizing the various application and operating system configurations across the different device and OS types across a given region. Although MDM tools can help out these issues, many enterprises don’t have the budget for them.
COPE The opposite of BYOD, corporate-owned, personally enabled (COPE) occurs when the enterprise purchases and owns the device, yet provides it to users for both enterprise and personal usage. Although the user gets to enjoy the device for personal usage, MDM tools may require security configurations such as drive encryption and PINs as conditions for accessing corporate e-mail. Enterprises are sacrificing the cost savings of BYOD for increased control, security, and privacy benefits.
CYOD Choose your own device (CYOD) is BYOD with a twist. Rather than allowing employees to bring whichever personal devices they want to work, the CYOD model only permits a limited selection of devices. For example, the enterprise may have only tested company applications and processes on the latest Apple iPhones and Samsung Galaxy S and Note series. As long as users bring one of those devices to work, they will be permitted enterprise access. Think of CYOD as looser than COPE but stricter than BYOD.
VPN With mobile devices often used by teleworkers and telecommuters, employees will occasionally require secured remote access over the Internet to the enterprise environment. MDM tools can provide preconfigured VPN configuration profiles to enrolled devices to ensure their successful connectivity to enterprise VPNs. Here are some common settings that go into VPN configuration profiles:
• Connection name Example: Work VPN • VPN server IP address or FQDN Example: 55.55.55.55 • Authentication method Example: username/password or certificates • Connection type Example: Cisco AnyConnect, Check Point Capsule, SonicWall
07-ch07.indd 273
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
274
EXAM TIP Ensure that mobile devices use appropriate VPN tunneling, encryption, and authentication methods. For example, L2TP or OpenVPN for tunneling, IPSec or SSL for encryption, and MS-CHAPv2 or EAP-based methods are typically the best choices.
Application Permissions Since we discussed application management earlier in this chapter, we’ll take a different approach here. Much to our chagrin, most mobile applications on the Android, iOS, and Microsoft app stores will not work unless we grant various device permissions to them. These permission requirements may include access to the device’s camera, microphone, call logs, e-mail, SMS messages, location data, application list, and various others. Although users generally have the first right of refusal, many users feel compelled to accept the permission requirements or forfeit all usage of the application. Although such forfeiture is likely, some software will work if you suppress certain permissions. Check your mobile device’s settings to see if you can individually suppress some application permissions. There are also third-party applications available that can help you with permissions management.
Side Loading Mobile applications are typically downloaded and installed from official app stores such as the Android, iOS, and Microsoft stores. Since these applications are vetted by the app store vendor, they will be inherently trusted by the mobile device for installation. However, some applications will be developed in-house or acquired from a third-party website. In neither case are the applications available on the app stores, so your device’s OS will likely prohibit its installation. On Android and Microsoft mobile devices, users can enable an OS configuration called side loading. Side loading is the process of installing applications from sources outside the official app stores. More often than not, this is necessary for when enterprises develop their own in-house applications. Keep in mind that side loading places the device at risk; therefore, only enable it if you have to. TIP Although iOS does not have a built-in side-loading feature, users can use “Xcode” on macOS or “Cydia Impactor” on various OSs to set up side loading. Or, as they say, they can just “jailbreak” it. More on that later in this chapter.
Unsigned Apps/System Apps Although the vendors of official app stores inspect applications before publishing them, an application’s developer is responsible for digitally signing the application. The purposes behind the digital signature are to allow us to verify the integrity of the application
07-ch07.indd 274
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
275
and to prove the software’s origin—which is generally the software publisher. Here are explanations of these goals:
PART II
• Integrity The application’s signature allows us to verify that the application is in its original and tamper-free condition. The developer runs the application through a cryptographic hashing function that produces a message digest value. This value is linked bit-for-bit to the application’s code. With this hash value attached to the application, if it passes our hash verification check, we can feel reasonably assured that the application has maintained integrity. Should the hashes not match, this results in an integrity violation. • Nonrepudiation The application’s signature allows us to verify who signed the application and that the signer cannot deny having signed the application. In other words, it represents proof of the application’s origin. After the application developer produces the hash value for their application, they encrypt the hash value with their secret asymmetric private key. The outcome of this is called a digital signature. Should the receiver of the public key successfully decrypt the encrypted hash value, it proves that the owner of the private key signed the application—thus nonrepudiation has been achieved. If digital signatures give us these assurances, the question becomes what should we do about unsigned applications? In some cases, nothing, since unsigned applications are not intrinsically harmful. Yet, certain enterprises automatically forbid the usage of unsigned applications—and for good reason. Whether it’s unsigned applications, e-mails, certificates, or device drivers, unsigned code could infect systems with malware. System apps are tools and accessories that are built into mobile devices. Although these apps are not likely to be dangerous, they might exercise undesirable permissions on the device, plus chew up unnecessary storage. As they say, when it doubt, leave it out. Remove the applications if you can. Since mobile devices often makes this difficult or impossible by default, you may have to contact the mobile device or application vendor for further assistance.
Context-Aware Management The “old way” of securing devices considered nothing but a user’s credentials and group membership. If those considerations were met, the user was granted access at all times. The “new way” of securing devices requires additional considerations before access is granted. To that end, context-aware management applies restrictive policies to mobile devices based on certain device conditions, like location and the time of day. Since mobile devices travel between hostile and non-hostile networks, or might be lost or stolen, credentials are no longer sufficient on their own. Device circumstances should be factored into authorization decisions since credentials can be compromised quite easily in many scenarios. This section goes over a few of those circumstances, including geolocation, geofencing, user behavior, and time-based restrictions.
07-ch07.indd 275
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
276
Geolocation and Geofencing
A device’s location changes everything when it comes to its risks and threats; therefore, security controls must adapt to the device’s location “context.” As you’d expect, devices are considerably more secure within the enterprise environment than outside of it. However, we’ve benefited from decades of all enterprise devices being located at the enterprise. Laptops broke the mold by taking business productivity on the road, and then mobile and personal devices stretched it out further. Now, people and devices are everywhere. Many professionals work from home or travel to customer sites, while enjoying the hostile public Wi-Fi networks at coffee shops, hotels, and airports. Enterprises need to know where mobile equipment is located so they can track its usage as well as apply the right security controls at the right times. Two location contexts that are frequently misunderstood or mistakenly used interchangeably are geolocation and geofencing. Although they aren’t the same, they are quite easy to grasp:
• Geolocation The process of identifying a device’s geographical location by using GPS or cell towers. Once a device is located, the enterprise can apply security controls on it such as geofencing, which is covered next. • Geofencing The process of creating a logical or virtual boundary around a mobile device. A device’s security controls will adapt dynamically based on the device’s proximity to the geofence—which might encompass a single physical campus. Should a device leave the campus’s geofence, additional restrictions may apply to the device to protect its data. EXAM TIP To summarize, we use geolocation to locate and track mobile devices. Geofences are a security control we implement on the located devices.
User Behavior
In addition to device location, a user’s daily behavior with a device provides important contextual information when it comes to security. Like most people, employees follow a predictable routine with their devices. They use certain applications every day—one or two applications in particular—while ignoring most others. With this behavior exhibited and tracked over time, an MDM stores it as a baseline. If users deviate from the behavior by not using the usual applications—while accessing never-used applications—the MDM suspects the device has been accessed by an unauthorized individual. Therefore, security policies will immediately kick in to lock the device down. NOTE Most of us have probably experienced our bank or credit card being denied while making a purchase on vacation. Our bank is accustomed to us using the card closer to home; therefore, they locked it out just in case the card got stolen. People often get mad at their banks for this, but imagine if the card were actually stolen and not locked out?
07-ch07.indd 276
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
277
Time-Based Restrictions
PART II
Time factors are increasingly used as criteria for device restrictions. Time-based restrictions apply certain security controls on a device based on what time it is. Historically, time restrictions were limited to logon hours. For example, a front desk administrator is permitted to log in between 7:00 a.m. and 4:00 p.m. Pacific Time. Prior to and after this logon period, the user cannot access anything on the network. By today’s standards, logon hours are too blunt an instrument and would benefit from a more surgical feature. The good news is MDM tools are generally quite capable of limiting access as opposed to outright denial, or additional authentication steps may be required for a user to be granted access at certain times.
Security Restrictions
The whole point of context-aware management is for security configurations to be adequate and adaptable to changing conditions. Restricting or limiting device functions isn’t difficult in itself. However, applying the appropriate amount of restriction, at the right time, while allowing your users to be perfectly productive—there lies the rub.
Security Implications/Privacy Concerns
If you ask enterprises why they prohibit personal devices from accessing enterprise resources, security and privacy issues always come up. Many of these enterprises might change their tune if they learned how powerful cloud-based MDM solutions are today. Armed with these new and improved technologies, enterprises can reasonably solve security and privacy concerns. All it takes is the right tools, strategies, and people to make it happen. In this section, we cover a mix of security and privacy concerns, plus their associated mitigations.
Data Storage The next several topics center around data storage. Given the ubiquity of mobile devices, coupled with the coexistence of enterprise and personal data, mobile data storage security takes on a greater urgency. There are different types of mobile data storage options to consider, and we need to understand each of their security considerations. These storage options range from nonremovable and removable storage, to cloud-based and even uncontrolled storage. Let’s start off with nonremovable storage.
Nonremovable Storage
Nonremovable storage is built into mobile devices such as smartphones and tablets, and cannot be removed or altered. Today’s mobile devices typically ship with 32GB, 64GB, or 128GB storage sizes, with even higher options available. If the device ships with 64GB of internal storage, that is all the internal storage the device will ever have. This storage typically houses the most important content, such as the OS, pre-installed applications, and other system software. If it’s supported, you should enable drive encryption. Today’s drive encryption options are almost always going to utilize the Advanced Encryption Standard (AES) cipher, which is the gold standard in symmetric encryption.
07-ch07.indd 277
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
278
Removable Storage
Removable storage refers to the external storage cards that can be added or replaced in a mobile device to increase the available storage. Various forms of secure digital (SD) cards are used, with microSD being one of the more popular formats. If you were to add a 512-GB microSD card to a Samsung Galaxy Note 9, this 512 GB of storage will be in addition to the 512 GB of internal/nonremovable storage that the device comes with. Drive encryption and password protection are the most common security options available for removable storage. You can also train users to avoid storing sensitive materials on the removable storage, unless it cannot be avoided.
Cloud Storage
Although the options and storage capacity can vary widely, cloud storage is often used for backing up a mobile device’s settings, application data, photos and videos, purchase history, and other items. This is helpful not only for backup purposes but also to compensate for any lack of storage or storage options in the mobile device itself. Many smartphones are sold with free cloud storage accounts specifically for this reason. Be mindful of the fact that cloud providers will limit what types of data you can store in the cloud. Popular examples of cloud storage include Apple’s iCloud, Google Drive, and Microsoft OneDrive. Typically, when users store content on a mobile device, it automatically synchronizes with the cloud storage provider. Try to figure out if the synchronization process uses encryption, and if the data stored in the cloud is also encrypted. Also, try to resist having the synchronization pre-authenticated because a lost or stolen device will make it easy for the other party to access the cloud account. TIP Although cloud computing providers are capable of powerful storage security options, they generally won’t do it for free. For example, rather than using Microsoft OneDrive, look into OneDrive for Business or Azure Storage for more storage, better collaboration, and security features. Instead of Google Drive, look into the G Suite Business or Enterprise products. The business products not only provide better storage and security options but also far more compliance and regulatory capabilities.
Transfer/Backup Data to Uncontrolled Storage
Frequently, devices back up their data to public or free cloud-based accounts. Products such as Microsoft OneDrive, Google Drive, and Dropbox provide free cloud storage services. Although you’ll receive basic services such as some free storage, file management, recycle bin, content sharing, and basic file versioning, you don’t get much “control” over the actual storage. Drive failures, backup and restoration, drive encryption, file system permissions, server hardening, and so on are all handled by the cloud provider. Unless you subscribe all the way up to Microsoft Azure or Amazon Web Services (AWS) cloud storage solutions, there’s not much you can do about the lack of control outside of keeping your sensitive data off of the cloud or buffering the cloud with on-premises storage.
07-ch07.indd 278
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
279
EXAM TIP Concerns about lack of cloud storage control is one of the primary reasons why enterprises implement hybrid clouds, where they use a combination of on-premises and cloud solutions. For enterprises even more concerned, they avoid Internet cloud storage solutions entirely.
USB OTG
PART II
Most people think of the USB port on their smartphone or tablet as strictly for charging or data transfer purposes. Much to the surprise of many, today’s smartphones and tablets often support USB On-the-Go (OTG), which is an older standard that permits USB devices to “host” other USB devices. When smartphones or tablets connect to other USB devices, those devices are now being hosted by the smart device. Shown next are the devices that can plug into a smart device for additional interactive features:
• Cellular adapters • Charge other smartphones • Digital cameras • Flash drives • Game controllers • Keyboards • Local area network adapters • Mice • Musical equipment • Printers In reference to these items, the smartphone or tablet would act as the “master” device, and the flash drive would act as the “slave” device. Due to USB OTG’s device-to-device data transferring capabilities, malware may be transferred between two smart devices, or between a flash drive and a smartphone. Physical restrictions of peripheral connections to smart devices, in addition to intelligent monitoring tools, are the best security countermeasures.
Device Loss/Theft Mobile devices, particularly smartphones, are prone to being forgotten or stolen. Businesses have to plan for mobile devices eventually falling into unauthorized hands. When a device loss incident occurs, the enterprise will be best served by implementing the following security practices:
• GPS/cell tower tracking To possibly locate and recover the device • Drive encryption with PIN protection To prevent access to the device • Biometric authentication To prevent access to the device
07-ch07.indd 279
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
280
• Remote data backup to cloud To recover data from the device prior to remote wiping • Remote wipe To remove the data before the unauthorized user gets ahold of it
Hardware Anti-Tampering Hardware anti-tampering technologies resist deliberate attempts at causing disruption to or malfunction of a device. Examples of hardware that contain anti-tampering capabilities are secure crytoprocessors such as smart cards, TPM chips, and hardware security modules (HSMs). These chips both contain sensitive information and have access to sensitive information located elsewhere; therefore, they resist tampering by only permitting internal software functions to access sensitive information. In other words, we cannot access the sensitive information (such as built-in private keys) through external means. Some tamper-resistant chips will go as far as “self-destructing,” as in zeroing out the data, should sufficient tampering activities be detected.
eFuse
A common example of hardware tampering takes place whenever hackers try to revert a device’s firmware to an earlier version. Earlier versions of firmware have vulnerabilities that can be exploited. To the rescue is an IBM-invented technology called eFuse, which supports the reprogramming of a computer chip’s programming. Akin to a circuit tripping whenever you plug in a hair dryer too powerful for an outlet, eFuse will “trip” the attempt at downgrading the firmware to a previous version. eFuse has an elaborate builtin tracking mechanism to help it determine forward firmware upgrades versus backward downgrades. Although designed for other purposes, eFuse can be used for hardware antitampering capabilities. NOTE Hardware anti-tampering techniques are not bulletproof. Many avenues of exploitation exist, including freezing devices, applying radiation to trigger errors, and supplying higher-than-expected voltages.
TPM Trusted Platform Module (TPM) chips were covered extensively in Chapter 6, in the section on boot loader protections. As it relates to mobile devices, TPM chips serve much the same purposes as they would with their larger PC and laptop brethren. The TPM 2.0 mobile reference architecture explains how TPM 2.0 chips can be implemented in mobile devices to address various security challenges.
Rooting and Jailbreaking Although most technicians probably won’t correct you for using “rooting” and “jailbreaking” interchangeably, these two terms are actually quite different. Not only do they apply to different OSs, but they’re also different in their respective outcomes. We’ll get into
07-ch07.indd 280
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
281
PART II
more detail next, but basically rooting achieves a deeper level of privilege escalation on Android devices than jailbreaking does for iOS devices. Jailbreaking refers to the process of removing certain security restrictions from iOS devices such as iPhones and iPads. Jailbreaking involves installing iOS kernel patches to escalate the user’s privileges on the device. By jailbreaking, users will be able to download third-party software from outside the official Apple App Store, in addition to adding third-party extensions and themes. In other words, jailbreaking enables the type of software installations that we talked about earlier, called side loading. Since jailbreaking loosens the restrictions on software installation, malware is more likely to get into the device. To get a fuller grasp of the risk factors brought about by jailbreaking, here is the official list from Apple’s support website:
• Security vulnerabilities • Instability • Shortened battery life • Unreliable voice and data • Disruption of services • Inability to apply future software updates CAUTION Jailbreaking an iOS device is a violation of the iOS end-user software license agreement. As a result, Apple may void the warranty and refuse to service the device.
Unlike jailbreaking, rooting grants actual root-level privileges to the Android OS. Since Android is a Linux-based distribution, Android is an open source OS, unlike iOS, which is closed source. As a result, rooting an Android device grants the user complete control over the device. Rooting can even allow the user to remove the OS entirely and replace it with a new one. Rooting also permits CPU overclocking, memory flashing, new OS GUI skins, and easier removal of built-in software. As with jailbreaking Apple devices, rooting will likely result in the Android device’s warranty being voided, in addition to many of the additional security and device issues discussed with jailbreaking. Therefore, jailbreaking and rooting are not recommended practices. NOTE Unbeknownst to a lot of users, a jailbroken iOS device is equivalent to a non-rooted Android device. In other words, an out-of-the-box Android device already supports third-party software, extensions, and theme installations without needing to be rooted. At most, you’ll simply need to configure an option in the Android settings.
Enterprises are combating jailbreaking and rooting concerns through security policies and training. If people jailbreak or root company devices, or use jailbroken or rooted personal devices to access corporate resources, disciplinary action may result, which can
07-ch07.indd 281
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
282
include employee termination. Organizations will need to raise awareness about the negative security effects that can result from jailbreaking or rooting devices.
Push Notification Services Push notifications are important messages sent to mobile devices by an application publisher or an enterprise MDM system. An application publisher’s notification can range from sports scores and news updates to weather and environment alerts. In some cases, push notifications may even be sent by governments. On the other hand, MDM tools will deliver messages generated by enterprise administrators, which may contain warnings about a current security threat or a recommended action for users to take. For maximum deliverability, push notifications are often sent using firewall and devicefriendly protocols such as SSL/TSL. This ensures that the message makes it through and maintains integrity and a verifiable delivery origin for trust purposes. EXAM TIP Push notifications are a powerful way of alerting users since the messages intrusively pop up on the users’ front screen. Users cannot help but see these messages.
Geotagging Geotagging is the process of attaching geographically related information to common media types such as pictures, videos, SMS messages, and even websites. Since geotagging is largely about location, much of the geotagging attributes relate to the location of something. The following are some examples of geotagging properties for a photo:
• Business name and address • Latitude and longitude coordinates • Altitude • Timestamp Geotagging is also commonly used by hikers to track the route they’ve taken through a mountainous area—which can also assist others in locating the hikers should they get lost. Social media applications like Facebook and Instagram make frequent use of geotagging software like Foursquare. Foursquare users often tag some data and then publish it to popular social media platforms for all their friends to see. The security consequences of this are enormous. Attackers on social media sites may observe your geotagging data to determine your current whereabouts. If it says, “John Smith has checked into JFK airport,” a social media attacker might use this as a window of opportunity to burglarize your home. It is recommended that unless absolutely necessary, geotagging should be disabled on smartphones and on social media websites.
07-ch07.indd 282
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
283
CAUTION A well-known geotagging precedent was established in 2007 when members of the U.S. Army took pictures of four helicopters. These photos were posted on social media with location-based data attached. The opposition discovered these photos and used the geotagged information to locate the helicopters. They promptly destroyed them with mortars.
Enterprise workers frequently turn to real-time messaging services such as SMS texting and instant messaging (IM) for communication. Many IM tools such as Facebook Messenger, WhatsApp, Skype, Google Allo, and Signal support a protocol called Signal Protocol. Developed by Open Whisper Systems in 2013, Signal Protocol (formerly known as TextSecure) provides encryption capabilities for IM, voice, and video calls. Signal Protocol also provides authentication, perfect forward secrecy (PFS), and nonrepudiation services. It is important to add encryption support to IM conversations due to the sensitivity of information that may be transmitted—and subsequently captured by packet sniffers.
PART II
Encrypted Instant Messaging Apps
Tokenization Imagine if you could buy something from Target by using your mobile device’s stored credit card, but you pay using a substituted number as opposed to the actual credit card number? Welcome to the clever payment security feature that is tokenization. Tokenization is the process of using a non-sensitive value (token) as a substitute for the original sensitive value (credit card number). The token, which is randomly generated by a tokenization system, is mapped to the credit card number. Tokenization significantly reduces the risks involved in utilizing mobile payment options.
Buying Groceries at Target
To get a better sense of tokenization, let’s go through a common example: buying groceries at Target. Let’s say you’re at Target and you want to pay for groceries using your iPhone’s Apple Pay app. Apple Pay will transfer the funds wirelessly via near-field communications (NFC) from the iPhone to the Target payment machine. Keep in mind that your actual credit card was already associated with the Apple Pay application prior to arriving at Target. As a result, your phone already has been issued a token by the credit card company. You place your iPhone next to the Target payment machine to have the Apple Pay application initiate the payment process using your credit card. (continued )
07-ch07.indd 283
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
284
However, the payment information you’re sending to Target via the NFC channel is your credit card’s “token,” not the actual credit card number itself. This is good news, because if someone steals the token in transit, it would be extremely difficult for them to do anything useful with it since it’s, for all intents and purposes, a randomly generated number. Upon Target’s receipt of the token, the Target payment machine will query your credit card company to verify that this token value is affiliated with your credit card, which, in turn, is affiliated with the iPhone’s Apple Pay account. In other words, Target asks your credit card company if this token is any good. Provided that the credit card company/token query checks out, Target will accept that your token is affiliated with your actual credit card number, and thus will use the token to charge your credit card for the payment of the groceries. The complexities of the transaction are hidden from both the buyer and the Target cashier. All either of you see is an iPhone being placed within inches of the Target payment machine, and two seconds later the display reads “Payment approved.” This functionality is also supported by Samsung Pay, Google Wallet, and others. To add an additional layer of security to tokenization, consider implementing a PIN, fingerprint reader, or iris scanning on the mobile device, just in case an attacker apprehends your device and tries to buy things with it.
OEM/Carrier Android Fragmentation Ironically, the overwhelming global success of the Google Android OS has contributed to, arguably, its most consistent criticism—Android fragmentation. Android fragmentation refers to the wide disparity of active Android OS versions still in use due to many older Android devices being prevented by Google from updating to the latest Android version. According to StatCounter, as of December 2018, here is the global market share percentage breakdown of different Android versions: Android Version
07-ch07.indd 284
Percentage
Android 6.0 Marshmallow
20.56%
Android 7.0 Nougat
15.72%
Android 8.0 Oreo
14.99%
Android 5.1 Lollipop
13.96%
Android 8.1 Oreo
12.36%
Android 7.1 Nougat
9.96%
Android 4.4 KitKat
5.54%
Android 5.0 Lollipop
3.36%
Android 4.2 Jelly Bean
1.27%
Other
2.29%
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
285
NOTE The bad news is not only are older Android devices deprived of the latest OS and security benefits included with newer Android OSs, but Google also expires their support for older Android OSs. That means no more security patches. Unpatched vulnerabilities leave older Android devices highly exploitable. As a result, people are either forced to get newer devices, try their luck with the older device, or switch over to iOS. This is one of the reasons why businesses tend to favor iOS devices, particularly in the U.S.
PART II
For those not counting, that is at least 10 different Android versions actively used in the global market. The primary reason for this is that Android manufacturers (and Google) aren’t going to make as much money if everyone can use the same smartphones and tablets forever; therefore, people are incentivized to get new smart devices in order to get the newest version of Android. Apple also blocks iOS upgrades on older iPhones and iPads for the same reasons, yet they don’t suffer nearly the same degree of fragmentation as Android since Apple is the only company that makes both Apple devices and the iOS operating system.
Mobile Payment What was pure sacrilege just a few years ago has now become trendy, even commonplace—people submitting mobile payments via smartphones and smart watches. Admittedly, many people use mobile payment because it’s trendy, but there are practical advantages also, as listed next:
• People who use mobile payment report it to be more convenient than using cards or cash. • Lines are statistically shorter in stores that support them. • It is more secure than cash or credit/debit payments because actual financial details don’t have to be transmitted between the mobile device and payment machine. • It reduces payment machine expenses for merchants. • It integrates a company’s loyalty and reward programs into the mobile payment application. • It leaves a data trail (much like a website cookie), which can be utilized by an organization to optimize inventories, learn customer payment patterns, and glean product interests, which leads to improved personalization of products and customer service. If only it were that simple. Mobile payment has both positives and negatives. We’ll dive into the details in the upcoming sections on NFC-enabled transactions, inductanceenabled transactions, mobile wallets, and peripheral-enabled readers.
07-ch07.indd 285
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
286
NFC-Enabled Transactions
Various mobile payment applications such as Android Pay, Apple Pay, Samsung Pay, Visa PayWave, and MasterCard PayPass support NFC payments. NFC payments are common because they are “contactless” and secure. They are contactless because the payment transactions are transmitted wirelessly without physical contact between mobile devices and the retailer’s payment machine. They are secure for a few reasons:
• Extremely limited range of NFC signals—which is about four centimeters. • Encrypted channels are established between mobile devices and payment machines. • NFC chips are only engaged during the few seconds of the financial transaction. The attacker would not be able to do anything if the phone is locked or not in use. These security benefits don’t make NFC unhackable, however, because nothing ever is that secure. NFC communications can suffer from deliberate interference from the attacker, payments theoretically can be intercepted, and devices can be stolen. Malware may be present on the mobile device, which can extract mobile payment details. Therefore, be sure to run antimalware scans and remove undesirable applications. Despite these risk factors, NFC can be thought of as, overall, a secure form of mobile payment.
Inductance-Enabled Transactions
Mobile devices that have NFC antennas are inductance-enabled devices. NFC antennas use inductance, which is achieved by a wrapped coil of wire, to generate a very small magnetic field on the order of centimeters. Through this small magnetic field, a wireless connection can be established between mobile devices and payment machines.
Mobile Wallets
Mobile wallets are “virtual” wallets that store payment card information on mobile devices. Instead of carrying credit or debit cards in your wallet or purse, you can simply carry your smartphone or wear a smart watch, and use the mobile wallets stored on the devices. We discussed several mobile wallet technologies in the previous section on NFC, and we already discussed the tokenization process of transmitting tokens instead of the actual payment card information via the NFC channel. We also discussed the inherent risk factors of NFC, which are also equally attached to mobile wallets as well. The long and the short of it: mobile wallets offer multiple benefits over physical wallets.
Peripheral-Enabled Payments (Credit Card Readers)
If you’ve ever gone to that little mobile screen repair hut at the mall, or ordered pizza for delivery, you may have noticed a new payment trend involving credit card readers being physically attached to smartphones and tablets. The merchant downloads and registers a certain payment application, and then they attach the credit card reader device to their smartphone or tablet, and instantly they’ve turned their smart device into a “portable register.” Needless to say, this creates convenient payment opportunities for both buyers and sellers because credit card transactions can take place practically anywhere.
07-ch07.indd 286
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
287
Tethering
PART II
NOTE The opportunity for breaches largely involve compromising the credit card reader itself. Much like how attackers install skimmers on gas station card readers or ATM card readers, attackers are tampering with credit card readers to launch backdoor attacks that can intercept mobile payments. Merchants will need to physically inspect their credit card reader devices to ensure they haven’t been tampered with. They should also check their financial statements to make sure they haven’t been “shorted” on money supposedly paid to them.
Tethering is the process of sharing a wireless Internet connection to other devices via the Wi-Fi, USB, or Bluetooth protocols. Laptops and tablet devices frequently find themselves in situations where no public Wi-Fi hotspots or private Wi-Fi networks are available, yet they still require Internet. Most 3G/4G-enabled smartphones have an option to turn on a mobile hotspot capability so that nearby wireless devices can use either Wi-Fi, Bluetooth, or a USB cable to connect to the smartphone—which “tethers” those devices to the smartphone. The smartphone will then pass the device’s connections through to the Internet using the smartphone’s 3G/4G cellular capabilities. Since Wi-Fi is the most common and readily understood option, the subsequent sections focus on the less common tethering options, such as USB and Bluetooth.
USB
Although not the most common tethering option due to its lack of convenience, USB tethering has two things going for it. One, it’ll work in the extremely unlikely scenario that another wireless device doesn’t support either Wi-Fi or Bluetooth. Two, and far more likely, the user wants the network security that only a cable can bring.
Spectrum Management
In the context of tethering, spectrum management is the process of ensuring that cellular radio-based data transmissions don’t overly consume the radio frequency spectrum. We’re not so worried about Wi-Fi and Bluetooth because they use short-range radio waves. Smartphones, on the other hand, use the longer range 3G/4G-based cellular radio signals that can clutter up and create interference with devices across a much broader geographical area than mere Wi-Fi and Bluetooth can. So, what does this have to do with tethering? By tethering multiple devices to a smartphone’s individual mobile hotspot, the one smartphone transmits its 4G signal to the Internet. Meanwhile, the other tethered devices are sticking with their Wi-Fi or Bluetooth signals as they communicate with the smartphone. Instead of having dozens or hundreds of devices generating 4G radio traffic, you have only a handful of smartphone hotspots generating the traffic. This helps minimize the long-range interference and clutter in a given geographical area—hence, the spectrum is being managed.
07-ch07.indd 287
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
288
NOTE Spectrum management is like carpooling. Rather than having eight people driving eight cars, which clutters up the highway, you cram eight people into one van to reduce the number of vehicles on the road. With tethering, we’re cramming several wireless device connections into one tethered connection to reduce radio frequency spectrum traffic.
Bluetooth 3.0 vs. 4.1
Bluetooth tethering is not as common as Wi-Fi due to, historically speaking, its hit-ormiss support, limited range, limited performance, non-optimized power consumption, and interference with the smartphone’s cellular signals. Luckily, recent advances with the Bluetooth protocols have addressed these concerns, thereby making Bluetooth a viable replacement for Wi-Fi-based tethering. The following list shows the evolution of Bluetooth as it relates to tethering:
• Bluetooth 3.0 Improved power conservation, plus transmission speeds reached a theoretical 24 Mbps. • Bluetooth 4.0 New low-energy feature supports minimal power output while retaining good range. • Bluetooth 4.1 Interferes less with 4G LTE. NOTE For information about Bluetooth security, see Chapter 6.
Authentication As with desktops, servers, and laptops, authentication methods are needed when accessing mobile devices. Today’s mobile devices have multiple authentication methods to choose from, including swipe patterns, gestures, PINs, and biometrics. In this section, we explore each of these authentication options.
Swipe Patterns
Swipe patterns typically involve a user tracing their finger across a series of dots in a specified order. Although this is more secure than simply swiping your finger vertically or horizontally in one direction to unlock your screen, it doesn’t offer much more security than preventing “pocket dialing,” which occurs when you inadvertently call someone while the phone is in your pocket. Otherwise, hackers will either guess your swipe pattern or they’ll watch you enter it from afar.
Gestures
Gestures are basically a better version of swipe patterns. With gestures, a more complex series of finger motions are performed on the screen, typically on a chosen photo— hence, the alternate name of this authentication method being “picture passwords.”
07-ch07.indd 288
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
289
Gestures may include drawing a line between two objects within the picture, drawing a circle around an object in the picture, double-tapping an area, or pressing and holding another area. With many picture passwords, three unique and correct gestures are required to unlock a device.
Similar to swipe patterns, gestures can also be compromised through brute-force/ guessing attacks, or the attacker can simply watch you perform the gestures and commits them to memory.
PART II
EXAM TIP The picture and gestures are set up by the user in advance, and are stored on the mobile device. When the user performs the gestures, the system will compare the inputted gestures to the gestures stored on the device. If they match, the user has authenticated themselves to the device.
PIN Codes
PIN codes are generally preferred over swipe patterns and gestures because they are computationally more complex. They are much like a regular password, except you’re limited to just numbers. If available, choose a six-digit PIN versus a four-digit PIN to make brute-force attacks more difficult. Like swipe patterns and gestures, PIN codes are also susceptible to shoulder surfing, key loggers, and social engineering; therefore, it is highly recommended that you complement PIN codes with biometrics (multifactor authentication), which we discuss in the next section.
Biometrics
Swipe patterns, gestures, and PIN codes all have one thing in common—they are something you know. Things that are known to you can be known to others as well. As such, they are not strong authentication methods by themselves. Biometrics, or “something you are,” rely on a human’s biological characteristics, such as fingerprints, retina scans, iris scans, and facial recognition scans. Unlike the “something you know” methods discussed earlier, a person’s fingerprint is uniquely their own and, as such, is difficult for someone else to replicate. Keep in mind that authentication is only considered strong if the method makes it difficult for someone else to impersonate you. Also, if you use fingerprint readers, you’re not likely to “forget” your finger at home. On the flipside, PIN codes can be mentally forgotten and smart cards can be left at home. The convenience, availability, and uniqueness of biometric authentication methods make them a strong option, which is why many modern smartphones have built-in fingerprint and iris scanners. NOTE Biometrics is covered extensively in Chapter 14. We’ll summarize the remaining biometric topics for thoroughness.
07-ch07.indd 289
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
290
Facial Scans If supported by a mobile device, this scan records facial features such as the nose, chin, forehead, and the contours of eye sockets. Facial recognition may experience challenges handling lighting changes, facial expression changes, and facial hair or makeup changes. It may even have difficulties handling identical twins. Fingerprint Scans Very commonly supported by mobile devices, fingerprint scans capture the impression from the ridges of a person’s finger. Fingerprints are generally more accurate than facial scans since fingers don’t change all that much; meanwhile, faces can be modified in many ways. Yet, fingerprint scanning is falling out of favor due to more hygienic, accurate, and convenient methods such as iris scans. Iris Scans Increasingly common with mobile devices such as the newest Samsung Galaxy and iPhone X devices, this scan type identifies the colored ring-shaped portion surrounding the pupil of the eye. This is considered the most accurate biometric method due to the iris being internal, being randomly generated during early human development, producing minimal false-positives (authenticating the wrong person), and minimal false-negatives (not authenticating the right person). It’s also compatible with certain eyewear like contacts and glasses, unlike retinal scans.
Malware Much to the surprise of many users, mobile devices not only get malware, but a ton of it. This really shouldn’t surprise anyone because malware developers have always targeted the popular products, and mobile devices are the most popular computing product in the world. The good news is, mobile devices are inherently more resistant to malware than PCs since mobile OSs place users behind restricted sandboxes (hence where all the prickly jailbreaking and rooting take place). Here are some antimalware recommendations to consider:
• Install and update antimalware software. • Run antimalware scans frequently. • Prohibit jailbreaking and rooting of devices. • Download the latest firmware/OS updates. • Avoid websites with malicious content. • Avoid side-loading/third-party software installations unless absolutely necessary.
Unauthorized Domain Bridging Most enterprise laptops have two network adapters—one Ethernet and the other Wi-Fi. Unbeknownst to enterprise staff, that laptop might be simultaneously connected to both the enterprise wired network and their public Wi-Fi hotspot network. Trouble arises when the Wi-Fi hotspot extends outside into the parking lot and next door to another organization.
07-ch07.indd 290
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
291
Unauthorized domain bridging occurs when unauthorized Wi-Fi users connect through the dual-network-connected employee to reach the corporate wired network. This dual-network-connected employee acts as a “bridge” between the Wi-Fi and the corporate wired network. Operating systems can be configured to prevent network bridging.
Baseband Radio/SoC PART II
Baseband processors, also known as baseband system on a chip (SoC), are hybrid CPU/ RAM/firmware chips on mobile devices that handle their cellular radio communications. The good news is, they are not the most frequently attacked chips in the world; however, their proprietary nature makes them difficult to perform security assessments on to determine vulnerabilities and subsequent mitigations. Reverse engineering efforts have discovered that baseband processors may be vulnerable to backdoor attacks.
Augmented Reality Unlike virtual reality, which completely replaces your real-world perception with a digital one, augmented reality merely adds digital enhancements to your real-world perception. Augmented reality technology enhances or “augments” your real world by adding auditory, visual, haptic, and other digital sensory elements so that it feels like new environmental elements have been physically added into your current space. NOTE A good example of this is the Microsoft HoloLens mixed reality headset, which people wear on their head and suddenly find themselves in their living room playing Minecraft, and yet the Minecraft world has been superimposed all over their floor, coffee table, and sofa. They clearly see their living room furniture, but also the Minecraft world digitally integrated within their real-world experience.
From a security perspective, augmented reality devices are constantly scanning the physical environment and “taking notes.” They don’t simply add stuff to your real-world experience; they’re also extracting information from it. For example, if you’re walking around and you look at someone, the augmented reality device can immediately pull up publicly available information about that individual. The fact that publicly available information is so quickly accessible for augmented reality devices is understandably bothersome to some.
SMS/MMS/Messaging Short message service (SMS) is frequently used by mobile devices to deliver text messages over mobile networks like Verizon, AT&T, and T-Mobile. Encryption is supported by certain carriers but is typically not enabled. On the other hand, multimedia messaging service (MMS) is enhanced to support not only texting but also pictures and videos. Due to SMS/MMS typically lacking encryption, SMS/MMS conversations are highly vulnerable to eavesdropping and spoofing attacks.
07-ch07.indd 291
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
292
To combat the encryption challenges, many are turning to IM tools like Facebook Messenger, WhatsApp, and Signal for their encryption capabilities.
Wearable Technology
As if mobile devices weren’t enough, now we’re wearing them! Wearable technology refers to smart devices that are either worn or implanted into the body. Wearable devices such as watches, fitness bands, and headsets are all the rage today. However, having these intelligent devices worn on our bodies should raise some questions as to what information, if any, they are collecting. Who is the information being shared with? Are others, unbeknownst to us, illegally capturing our information wirelessly? We briefly discuss several wearable devices in the following sections while factoring in basic features and any relevant security and privacy concerns.
Cameras Cameras often serve as wearable technology for law enforcement, who often wear body cameras on their helmets, glasses, or torsos in order to record the events in which officers are involved. Unfortunately, attackers employ this technology for nefarious reasons— committing crimes, performing unauthorized surveillance, data theft, and information reconnaissance. There are also potential legal issues regarding consent (or the lack thereof ), search and seizure considerations, and facial recognition risks.
Watches Typically referred to as smart watches, these are mobile computing devices that we wear on our wrists like a watch. More like a smartphone than a watch, smart watches are touch screen devices that run a mobile-based operating system like Apple’s Watch OS or Google’s Wear OS, and typically support numerous capabilities, such as the following:
• Address book • Alarms • Calculator • Calendar • Caller ID • Camera • Clock • Dial and answer function • Heart and sleep monitor • Music player • Panic mode
07-ch07.indd 292
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
293
• Recording • SMS notifications • Stand up reminders
Since smart watches often have built-in Wi-Fi and Bluetooth, security and privacy issues are inevitable. Bluetooth may allow an unauthorized device to pair with the smart watch, which can lead to stolen e-mails and address book entries. The risk is amplified if the watch has built-in 4G capabilities since the range far exceeds that of Bluetooth. Also, the data synchronization between smartphones and smart watches is not likely to be encrypted. If smart watches provide any built-in data security controls, be sure to implement them.
PART II
TIP Smart watches like the Apple Watch are at their best when paired up with a smartphone like the Apple iPhone since phone calls, messages, and media functions are in sync and equally manageable from both ends.
Fitness Devices Unlike smart watches, fitness devices—often referred to as fitness bands—specialize in tracking physical fitness data points such as number of steps taken or climbed, number of minutes of exercise, walking speed, heart rate, and even caloric intake. They are worn like a smart watch and include basic watch functions, but will not have the other smart capabilities inherent in smart watches.
Glasses In a way representing today’s version of bifocals, smart glasses are digitally enhanced glasses that contain an extra lens for augmenting your environment with helpful digital information. You can look through the normal lens as you would with glasses, or engage the digital lens area to see additional information such as contacts, messages, weather information, and people and landmark data. This has exciting applications for many industries due to its ability to immediately record information, display or deliver video streams between users, real-time translation, navigation and location benefits, inventory management, and more. Law enforcement officers are increasingly using them as body cameras. Plus there are the tremendous benefits already being experienced in the healthcare industry due to picture and video capabilities, data synchronization with other devices, consultation benefits, and more. NOTE By far the most well-known smart glasses unit is Google Glass. Google Glass saw limited sales and exposure due to cost and its relatively bulky design. However, it laid the foundation for what has become a growing smart glasses industry.
07-ch07.indd 293
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
294
Privacy concerns are rampant, particularly regarding facial recognition. People are rightfully concerned that people wearing smart glasses will immediately be able to look at someone and download all their public information without their consent or knowledge. There are also concerns about people recording the visual and auditory components of random or private conversations.
Medical Sensors/Devices Whereas fitness devices are great for basic health and health monitoring, medical devices are network-connected devices whose sensors are able to capture more advanced medical data, such as the following:
• Blood pressure • Brain activity • Glucose • Hydration • Motion • Orientation • Oxygen level • Pulse/EKG • Respiration • Temperature • Weight Perhaps best part of all, due to their network connectivity, medical wearables are able to alert helpers during emergency circumstances. CAUTION Be aware that anything to do with medical information is subject to HIPAA security and privacy concerns. Be sure that medical devices are not disclosing medical information in insecure ways, with unauthorized individuals. If encryption of these data transmissions is supported, be sure to implement them.
Headsets Headsets are generally the least technologically advanced wearable on this list since they largely include only a microphone and speakers for voice conversations. They may support Bluetooth wireless, voice activation, simulated surround-sound capability, and noise cancellation, and they may be waterproof and vibrate for a more immersive gaming experience. The most likely security issue arises from unauthorized voice recording software on the mobile device, computer, or telephone system.
07-ch07.indd 294
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
295
Security Implications As indicated throughout this section, wearable technologies are not without security risks. In this section we cover several security implications, including remote activation or deactivation of features, cryptography concerns, reconnaissance, data theft, privacy, and forensics. Wearable technologies are often vulnerable due to their reliance on Bluetooth for paireddevice communications. If a smart watch has its Bluetooth discovery and pairing options enabled, attackers might be able to illegitimately pair with the smart watch to steal data at rest and intercept data in transit. Worse, attackers may remotely deactivate sensors on medical devices, which can disrupt critical communications between patients and healthcare providers. If possible, disable discovery and pairing options after all required pairings have taken place. If available, firmware updates can also resolve certain wireless security vulnerabilities.
PART II
Unauthorized Remote Activation/Deactivation of Devices or Features
Encrypted and Unencrypted Communication Concerns
We touched on this a little bit earlier, and the news isn’t going to get a whole lot better. What is apparent not just with wearables, but with IoT in general, is that much of this stuff is just not designed with security in mind. They’re designed to have useful features and be easy to use. The odds are slim that ordinary wearables are going to support encryption capabilities. If they do, you should enable encryption, particularly on smart watch, smart glasses, and medical device communications. If wearables don’t support encryption, consider either not using the wearables or limiting their usage to certain job roles and environments to minimize data breaches.
Physical Reconnaissance
Physical reconnaissance occurs when attackers use wearable technology to gather information about an environment or its people. Body cameras can work but lack the discretion to be proper physical reconnaissance devices. For reconnaissance to be effective, the attacker’s wearables should blend in and not draw any attention to the attacker. Smart glasses are perfect for this, particularly since they have evolved to the point of looking like normal glasses. Attackers are using smart glasses to collect information about the people in a room, the devices they’re using, gestures on devices, PIN code combinations on devices and doors, and so on. Attackers can just record everything in the room and then replay the entire feed at a later time. Users will need to exercise discretion themselves when they are performing gestures on devices or entering in PIN codes. Perhaps they can use one hand to cover the other, the screen, or the authentication inputs so attackers can’t witness their gestures from afar.
Personal Data Theft
Although the lack of encryption creates a data-in-transit issue, what about data at rest on the devices? Attackers may be able to remotely pair with a device and extract the data. Worse, if they steal the data, what can you do about it? In the unlikely event that remote backup and remote wipe features are available, you can engage them immediately.
07-ch07.indd 295
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
296
If drive encryption is enabled, implement that in advance. Otherwise, continue to be mindful of Bluetooth discovery and pairing modes, and check to make sure no unauthorized devices are listed as paired with your device. Every once in a while, back up your data and factory-reset your device to clean it out of any unauthorized software or malware.
Health Privacy
Fitness devices, particularly medical devices, generate, store, and transmit a lot of electronic health information about their owners. Hospitals, hospices, and retirement/nursery homes are the most likely candidates to use such medical devices. These organizations live and breath by the decrees of HIPAA, and if HIPAA requires specific security and privacy controls for the protection of a patient’s physical and electronic health records, we must ensure that wearables do that to the extent possible. If possible, use wearable technologies that offer encryption of data in transit and at rest. Also, limit sharing of electronic health information with other users and devices, unless sharing is compelled by job requirements or law. The key with HIPAA is to not allow unauthorized use, storage, transmission, and disclosure of medical information under any circumstances. As discussed earlier in this book, HIPAA fines can be quite painful.
Digital Forensics of Collected Data
Digital forensics is the practice of collecting, preserving, and analyzing digital evidence in order to understand all aspects of a digital crime. Typically, digital forensic processes are implemented on consistent technology types, such as computers, smartphones, tablets, fax machines, printers, and so forth. Wearable technologies are a different story in that they are quite new, lack standardization, and are subject to various operating system and software adaptations, which can create compatibility issues with digital forensic toolkits. Here is a list of data that can be forensically collected from certain wearable devices:
• Audio • Connected devices • Contacts • Messaging interactions • Locations and destinations • Phone calls • Photos • Search history • Social media activity • Sync information • Videos • Web browsing history If you fulfill a forensic-type role in your enterprise, consider researching the market on forensic toolkits that support the types of wearables your users have.
07-ch07.indd 296
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
297
Chapter Review
07-ch07.indd 297
PART II
In this chapter, we talked about integrating security controls into mobile and small form factor devices to meet enterprise security requirements. We began by talking about enterprise mobility management, which focuses on mobile device management tools, their capabilities, and the mobile devices they manage. The first topic of the mobile device management section was containerization, which provides a means of locking corporate data into an isolated encrypted space to allow management of the container without affecting the personal data. The next topic talked about MDM configuration profiles for mobile devices and the specific configuration payloads specified in the profiles. Profiles and payloads are the primary mobile device management configuration features. We then talked about personally owned, corporate-enabled device scenarios, where people are bringing their devices to work to be onboarded by the enterprise for a managed mobile computing experience. The next topic was application wrapping, which involves MDM tools adding “wrappers” to deployed applications in order to add additional security features to them that are otherwise not included with the applications themselves. Remote assistance techniques such as VNC and screen mirroring were covered next. Remote assistance tools like VNC allow IT and security staff to remotely assist users with various type types of devices, including mobile devices. Screen mirroring allows a user to “cast” their screen content to an IT professional’s screen for support purposes. After remote assistance, we went into application, content, and data management techniques in which MDM tools deploy mobile applications to devices, which are then protected through application configuration policies and application protection policies. This is largely about limiting the privileges that applications have with enterprise data. We also went into compliance policies and conditional access policies to ensure that user devices are configured to a required standard in order to grant them access to enterprise resources. Next, we covered over-the-air updates regarding software and firmware. Mobile devices, being wireless, can receive application or firmware updates via a centralized MDM tool to ensure compliance with security requirements. The next topic on remote wiping discussed how data on lost or stolen devices can be remotely deleted to protect the data from falling into unauthorized hands. We talked about SCEP, which simplifies the process of network and mobile devices requesting and receiving certificates from Certificate Authority (CA) servers. After that, we talked about BYOD and the various positives and negatives of bringing your own devices to work. After BYOD was COPE, which reverses BYOD by having enterprises purchase the device for users but enabling them for personal usage. We then added coverage of CYOD, which empowers users to choose and bring their own devices to work, but for the device to connect to the enterprise data it must be a pre-approved device for the sake of standardization and management. The next covered topic was VPN. We discussed the different tunneling, encryption, and authentication protocols available for connecting to work networks remotely and securely. Next up was application permissions, which centralize on the device permissions mobile applications require as a condition for running on mobile devices. Then we went into side loading, which permits the installation of third-party software from outside official app stores if the appropriate settings are enabled on the mobile OS.
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
298
Related to side loading is the concept of unsigned applications and system applications. It is not recommended that you side-load unsigned applications; therefore, procedures exist to generate a digital signature for an application. Context-aware management goes beyond automatic authorization after authentication by requiring that a user’s device, time, location, and behaviors comply with appropriate conditions or “contexts” prior to resource access being authorized. The next section began a new category of topics focusing on security implications and privacy concerns—the first of which was the data storage topic of nonremovable storage. We talked about removable storage and recommendations on what data to put on it, data backup and recovery options, plus encryption. Next was cloud computing storage, with suggestions regarding permissions, sharing, authentication, and using business-orientated cloud storage providers as opposed to free ones. After that we talked about transferring or backing up data to uncontrolled storage locations. We recommended using a higherend cloud service such as Microsoft Azure or Amazon AWS to receive more control over your storage than a public service like OneDrive or Dropbox. Then we talked about USB OTG, which involves attaching external peripherals to USB mobile devices, including cameras, flash drives, keyboards, or gaming controllers to gain additional features on mobile devices. The next topic was device loss or theft and the various countermeasures we can employ to combat it, including device tracking, encryption, biometrics, remote backup, and remote wiping. We talked about hardware anti-tampering crytoprocessors such as smart cards, TPMs, and HSMs. We also talked about the eFuse anti-tampering technology, which trips a mobile device if a hacker attempts to downgrade the firmware to a previous version. We revisited TPMs and their key generation and key storage benefits briefly since they were covered in a previous chapter. We followed this up with risky privilege escalation techniques called rooting and jailbreaking, which apply to Android and iOS devices, respectively. Push notification services help protect mobile devices by sending warnings straight to people’s devices about security threats or pending updates. Geotagging was also discussed—in particular, how tagging our pictures and videos with geographical metadata and then putting it on social media networks is a risky practice. We discussed using encrypted instant messaging apps like Facebook Messenger and WhatsApp to substitute for the lack of encryption supported by most mainstream IM applications. Tokenization was covered to go over the process of mobile devices using substituted numbers (tokens) as opposed to actual payment information to pay for things using mobile devices. The next topic was OEM/carrier Android fragmentation, which dealt with the overwhelming popularity of Android but also the 10+ different versions of Android still running in the market, which harms Android’s security and support capabilities. We switched gears to talk about various mobile payment options, including the typical NFC-enabled mobile payment transfers, which use coiled wires to generate the inductance needed to generate and transmit the wireless signal. We ended that topic by talking about peripheral-enabled payments with credit card readers. In other words, people are attaching credit card readers directly to their smartphones to enable payment with credit cards anywhere. The next subject was tethering, which involves a mobile device setting up a public Wi-Fi hotspot to allow other devices to access the Internet through the wireless host.
07-ch07.indd 298
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
299
07-ch07.indd 299
PART II
USB tethering is supported in case you want a more secure connection. Spectrum management involves limiting cellular radio wave transmissions to tethering hosts so that local devices use Wi-Fi and Bluetooth signals. We then talked about Bluetooth versions 3.0 and higher to illustrate their various tethering pros and cons. After tethering, we talked about authentication topics such as the simple swipe patterns on mobile devices, and then the more advanced gesture-based authentication methods. We then went into the more commonplace PIN codes and an even stronger option in biometrics, which supports fingerprint scans, retina scans, iris scans, and facial recognition authentication. We briefly talked about malware and antimalware suggestions. Next we talked about unauthorized domain bridging, which involves a mobile device connected to Wi-Fi and the corporate Ethernet LAN simultaneously, and thus permitting wireless users to connect to the corporate LAN through the mobile device’s network bridge. Next, we talked about baseband radio and system on a chip (SoC), which are important cellular chips built into mobile devices that handle all cellular mobile and data transfers. Next up was augmented reality, which focuses on adding digitally enhanced content into our realworld experiences through smart glasses or similar devices. We touched on some of the security and privacy issues surrounding augmented reality. After that, we hit upon SMS/ MMS messaging capabilities to indicate their prevalence but also their general lack of encryption capabilities. The last section of the chapter focused on wearable technologies, beginning with cameras. Law enforcement officers often wear body cameras on their suits to track the various situations they find themselves in. The next topic was smart watches, their numerous benefits and security risk factors, including Bluetooth hacks, and unencrypted data transmission to/from smartphones. Then we went into fitness devices, which are designed to track a person’s health data more thoroughly than typical smart watches can. Next, we discussed smart glasses and their various location and navigation capabilities, access to contacts, people research, audio and video recording, and so much more. We then went into much more powerful versions of fitness devices, such as medical devices with their various sensors. We talked about the life-and-death benefits these provide to patients as well as the various security considerations relevant to them. The last wearable was headsets, which are your everyday headsets that people wear for voice calling while working at a front desk or customer service position. The final subtopic was security implications as a result of wearable technologies. We went into the risk of attackers remotely activating or deactivating key features on wearable devices such as device synchronization and unpairing devices. Next, we talked about the lack of encryption and what alternatives, if any, are appropriate to deal with that challenge. We then talked about the physical reconnaissance that body cameras and smart glasses can perform to spy on a person and an environment without anyone knowing you’re collecting tons of data about them. We then went into personal data theft considerations often arising from Bluetooth and remote attackers. Then we talked about health privacy issues that can arise from fitness devices and medical devices generating, storing, and transmitting health information about people over networks. Finally, we touched on digital forensic considerations for gathering evidence from wearable devices.
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
300
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Enterprise Mobility Management • A centralized approach to management provides a consistent and comprehensive way of locking down devices to meet security policies and compliance requirements, while still allowing users to be productive. • Containerization isolates corporate data into a protected and encrypted container stored on the mobile device. • Configuration profiles are groups of OS and application settings applied to various devices inside and outside of an enterprise. Payloads are the individual settings in the configuration profiles. • Personally owned, corporate-enabled (POCE) is BYOD but with official enterprise onboarding requirements to ensure the device is properly managed. • Application wrappers are additional security features added to a mobile application that don’t modify the underlying functionality of the application itself. • Remote assistance permits helpers to access the user’s device screen, observe settings and monitor performance, install or remove applications, set up e-mail, and configure VPN or Wi-Fi services. • VNC is a graphical desktop sharing tool that permits remote management of other devices. It uses the Remote Frame Buffer (RFB) protocol for remote assistance. • MDM products often have the ability to create application configuration policies, which, assuming the application supports them, permit deployment of applications to include custom configurations and security options. • Over-the-air updates refer to the centralized and wireless distribution of new software, firmware, certificates, and encryption keys to mobile devices. • Remote wiping is the process of sending a signal to a remote device to erase specified data. • Simple Certificate Enrollment Protocol (SCEP) provides an easy process for network equipment, software, and mobile devices to enroll in digital certificates. • BYOD is the process of allowing employees to bring in their own personal devices such as laptops, smartphones, and tablets to work in order to access enterprise applications and data. • COPE occurs when the enterprise purchases and owns the devices, yet provides them to users for both enterprise and personal usage. • CYOD allows users to bring their own devices to work, but they must comply with a pre-selected list of devices for standardization.
07-ch07.indd 300
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
301
PART II
• With mobile devices often used by teleworkers and telecommuters, employees will occasionally require secure VPN access over the Internet to the enterprise environment. • Many mobile applications require application permissions such as access to the device’s camera, microphone, call logs, e-mail, SMS messages, location data, application list, and so on. • Side loading is the process of installing applications from sources outside the official app stores. • The vendors of official app stores inspect applications before publishing them; an application’s developer is responsible for digitally signing the application. • Context-aware management applies restrictive policies to mobile devices based on certain device conditions like location or time of day. • Geolocation is the process of identifying a device’s geographical location by using GPS or cell towers. • Geofencing is the process of creating a logical or virtual boundary around a mobile device. • If user behaviors on mobile devices deviate from the expected norm, MDMs may deny authentication to protect the enterprise. • Time-based restrictions apply certain security controls on a device based on what time it is.
Security Implications/Privacy Concerns • Nonremovable storage is built into mobile devices such as smartphones and tablets, and cannot be removed. • Removable storage refers to the external storage cards that can be added or replaced in a mobile device to increase the available storage. • Cloud storage is often used for backing up a mobile device’s settings, application data, photos and videos, purchase history, and so on. • Free cloud services provide basic services such as limited free storage, file management, recycle bin, content sharing, and basic file versioning. You don’t get much “control” over the actual storage. • USB On-the-Go (OTG) is an older standard that permits USB devices to “host” other USB devices. • Mobile devices, particularly smartphones, are prone to being forgotten or stolen. • Hardware anti-tampering technologies resist deliberate attempts at causing disruption to or malfunction of a device. • eFuse supports the reprogramming of a computer chip’s programming if adverse conditions, such as tampering, are detected.
07-ch07.indd 301
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
302
• TPM chips are built into most motherboards to generate and store encryption keys in order to provide root of trust capabilities for devices using encrypted hard drives. • Jailbreaking refers to the process of removing certain security restrictions from iOS devices such as iPhones and iPads. • Rooting grants actual root-level privileges to the Android OS. • Push notifications are important messages sent to mobile devices by an application publisher or an enterprise MDM system. • Geotagging is the process of attaching geographically related information to common media types such as pictures, videos, SMS messages, and even websites. • It is important to add encryption support to IM conversations due to the sensitivity of information that may be transmitted and subsequently captured by packet sniffers. • Tokenization is the process of using a non-sensitive value (token) as a substitute for the original sensitive value (credit card number). • Android fragmentation refers to the wide disparity of active Android OS versions still in use due to many older Android devices being prevented by Google from updating to the latest Android version. • People are frequently using their smartphones and smart watches to submit mobile payments via their mobile devices’ payment applications. • NFC payments are common because they are “contactless” and secure. • NFC antennas use inductance, which is achieved by a wrapped coil of wire, to generate a very small magnetic field on the order of centimeters. Through this small magnetic field, a wireless connection can be established between mobile devices and payment machines. • Mobile wallets are “virtual” wallets that store payment card information on mobile devices. • Peripheral-enabled payments involve attaching credit card readers to smartphones in order to process credit cards. • Tethering is the process of sharing a wireless Internet connection to other devices via the Wi-Fi, USB, or Bluetooth protocol. • USB cables bring security to tethering, which cannot be achieved with wireless signals. • Spectrum management is the process of ensuring that cellular radio–based data transmissions don’t overly consume the radio frequency spectrum. • Bluetooth tethering is not as common as Wi-Fi due to, historically speaking, its hit-or-miss support, limited range, limited performance, non-optimized power consumption, and interference with the smartphone’s cellular signals. Recent Bluetooth versions have resolved these issues.
07-ch07.indd 302
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
303
PART II
• Today’s mobile devices have multiple authentication methods to choose from, including swipe patterns, gestures, PINs, and biometrics. • Swipe patterns typically involve a user tracing their finger across a series of dots in a specified order. • Gestures may include drawing a line between two objects within the picture, drawing a circle around an object in the picture, double-tapping an area, or pressing and holding another area. • PIN codes are generally preferred over swipe patterns and gestures because they are computationally more complex. • Biometrics, known as “something you are,” rely on scanning a human’s biological characteristics, such as fingerprint, retina, iris, and facial recognition scans. • Mobile devices are inherently more resistant to malware than PCs since mobile OSs place users behind restricted sandboxes. • Unauthorized domain bridging occurs when unauthorized Wi-Fi users connect through the dual-network-connected employee to reach the corporate wired network. • A baseband processor, also known as baseband system on a chip (SoC), is a hybrid CPU/RAM/firmware chip on mobile devices that handles its cellular radio communications. • Augmented reality technology enhances or “augments” your real world by adding auditory, visual, haptic, and other digital sensory elements so that it feels like new environmental elements have been physically added into your current space. • SMS messages are generally unencrypted and include text only. • MMS messages are also generally unencrypted and can include pictures and videos.
Wearable Technology • Wearable technology refers to smart devices that are either worn or implanted into the body. • Cameras often serve as wearable technology for law enforcement officers, who often wear body cameras on their helmets, glasses, or torsos in order to record the events in which they are involved. • Smart watches are mobile computing devices that we wear on our wrists like a watch. • Fitness devices specialize in tracking physical fitness data points such as number of steps taken or climbed, number of minutes of exercise, walking speed, heart rate, and even caloric intake. • Smart glasses are digitally enhanced glasses that contain an extra lens for augmenting your environment with helpful digital information.
07-ch07.indd 303
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
304
• Medical devices are network-connected devices whose sensors are able to capture more advanced medical data, including blood pressure, glucose, and respiration. • Headsets are generally the least technologically advanced wearables we discussed since they largely include only a microphone and speakers for voice conversations. • If a smart watch has its Bluetooth discovery and pairing options enabled, attackers might be able to illegitimately pair with the smart watch to steal data at rest and intercept data in transit. • If wearables don’t support encryption, consider either not using the wearables or limiting their usage to certain job roles and environments to minimize data breaches. • Physical reconnaissance occurs when attackers use wearable technology to gather information about an environment or its people. • Attackers may be able to remotely pair with a device and extract its data. • Fitness devices, particularly medical devices, generate, store, and transmit a lot of electronic health information about their owners. • Digital forensics is the practice of collecting, preserving, and analyzing digital evidence in order to understand all aspects of a digital crime.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Which of the following mobile device strategies specifically involves users buying their own mobile device based on an enterprise’s preselected list? A. BYOD B. CYOD C. COPE D. SCEP
2. Which of the following statements about jailbreaking and rooting are correct? (Choose all that apply.) A. Jailbreaking is for iOS; rooting is for Android. B. Rooting is for iOS; jailbreaking is for Android. C. Jailbreaking provides root-level privileges to the mobile OS. D. Rooting voids the warranty on the mobile device. E. Jailbreaking increases the security of the mobile OS.
07-ch07.indd 304
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
305
3. Which of the following provides an isolated encrypted space on mobile devices for storing enterprise data? A. TPM B. HSM C. Virtual machine D. Containerization PART II
4. When attempting to install third-party applications outside of an official application store onto a mobile device, you receive an error preventing the installation. Which of the following will best solve the issue? A. Firmware upgrade B. Containerization C. Side loading D. Application wrapping
5. Which of the following capabilities of MDM ensures devices receive the settings they require? A. Plug-ins B. Configuration profiles C. Tokens D. SoCs
6. Which of the following best describes augmented reality? A. Users’ perception of their real-world environment is completely replaced by a
digital reality. B. Users’ perception of their real-world environment is enhanced by digital elements. C. Users’ devices and appliances are all networked together, forming a smart home. D. Users’ devices and appliances are all networked together, forming a smart business. 7. Which of the following is a common method for enrolling network and mobile devices with digital certificates from a Certificate Authority? A. SCEP B. VNC C. OSCP D. OpenCert
07-ch07.indd 305
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
306
8. Which of the following biometric factors is considered the most accurate? A. Retina scan B. Facial scan C. Iris scan D. Fingerprint scan
9. Which wireless protocol is most commonly used to make mobile payments at various retail locations? A. Wi-Fi B. NFC C. LTE D. Bluetooth
10. Which of the following options are available to tether devices to a smartphone’s mobile hotspot? (Choose all that apply.) A. USB B. Bluetooth C. NFC D. Wi-Fi
11. Which remote access protocol is associated with VNC for remote assistance purposes? A. RDP B. SSH C. RPC D. RFB
12. Which of the following technologies refers to locating a device’s geographical location by using GPS or cell towers? A. Geotagging B. Geofencing C. Geolocation D. Geosensing
13. Which of the following best describes mobile payment tokenization? A. The process of a mobile device sending payment information to a payment
machine B. The process of a mobile device receiving confirmation of payment from the payment machine C. The process of a mobile device encrypting the payment information D. The process of a mobile device using a non-sensitive payment value as a substitute for the original sensitive payment value
07-ch07.indd 306
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7
Chapter 7: Mobile Security Controls
307
Answers 1. B. Choose your own device (CYOD) involves users buying their own mobile device based on an enterprise’s preselected list. 2. A, D. Jailbreaking is for iOS, and rooting is for Android. Also, rooting voids the warranty on the mobile device.
4. C. Side loading enables the permission to install third-party applications from outside official application stores.
PART II
3. D. Containerization provides an isolated encrypted space on mobile devices for storing enterprise data.
5. B. Configuration profiles deploy OS and application configurations to mobile devices. 6. B. Users’ perception of their real-world environment is enhanced by digital elements. 7. A. SCEP provides enrollment of certificates for network and mobile devices from Certificate Authority servers. 8. C. Iris scanners are considered the most accurate. 9. B. NFC is the most commonly used for its short range and security. 10. A, B, D. USB, Bluetooth, and Wi-Fi are all supported for mobile tethering. 11. D. RFB Remote Frame Buffer is the protocol used by VNC. 12. C. Geolocation refers to locating a device’s geographical location by using GPS or cell towers. 13. D. Mobile payment tokenization is the process of a mobile device using a nonsensitive payment value as a substitute for the original sensitive payment value.
07-ch07.indd 307
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 7 Blind Folio: 308
This page intentionally left blank
07-ch07.indd 308
11/03/19 7:01 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CHAPTER
Software Vulnerabilities and Security Controls
8
This chapter presents the following topics: • Application security design considerations • Specific application issues • Application sandboxing • Secure encrypted enclaves • Database activity monitors • Web application firewalls • Client-side processing vs. server-side processing • Operating system vulnerabilities • Firmware vulnerabilities
Although vulnerability and security control initiatives for host, mobile, and small form factor devices are very important, let’s face it, applications are the reason why we use computer systems. It is the application that performs the desired work. Yet, applications— popular ones in particular—are increasingly researched and probed for vulnerabilities as well as attacked with application-specific exploits and malware. With more applications in use than ever, we CASP+ professionals must respond with increasing application vulnerability research and iron-clad mitigations. Initial hacking efforts were aimed at the network and operating system layers in an attempt to gain control over the system and processes that were running. As the network and operating system layers achieved better security, hackers turned their sights to the applications being run on those systems. Application security is the collection of efforts designed to provide protection to the applications used in the enterprise. Whether a standalone application (such as an e-mail or database server) or an application designed around a web server (a web application), commercial software or homegrown, all applications should be considered potential targets. The basics of security for applications revolve around the issue of software bugs. Errors in software are referred to as “bugs,” and a software bug can have many manifestations— from no issues to catastrophic failure. Many times, the effects are not immediate, but
309
08-ch08.indd 309
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
310
may result in issues in another section of the code or program operation. A bug that can be exploited is referred to as a “software vulnerability.” Vulnerabilities are elements of software that result in an exploitable weakness and can lead to the software performing in a manner not intended by the developer. Not all bugs create vulnerabilities, nor do all vulnerabilities directly result in errors. Often, the error is caused in one section of code but not manifested until an entirely different section is processed. No matter how you look at it, applications have a plethora of vulnerabilities that require diligence on our part to discover and mitigate before hackers cause irrecoverable harm to the organization. In this chapter, we first take a look at application security design considerations. Afterward, we venture into specific application issues, application sandboxing, secure encrypted enclaves, database activity monitoring, and web application firewalls. Finally, we cover client-side and server-side processing of web content as well as operating system and firmware vulnerabilities.
Application Security Design Considerations
Given the collective desires of managers, IT/security folks, and end users, web applications are quickly becoming the norm. In many ways, they’re more cost-effective, in addition to being easier to plan, design, implement, access, and use than traditional applications. They make working remotely, while using multiple device types, effortless for a growing number of professionals. Web applications are applications hosted on a private or public web server, which is accessed by a user’s web browser application. Web applications may be used for e-commerce, file storage, collaboration, learning management systems (LMSs), content management systems (CMSs), virtual classrooms, and more. This is a highly scalable architecture and is widely used throughout most enterprises. There are many advantages to this scheme, including ease of deployment (because most client devices have built-in web browsers) as well as web-based standards to ensure the secure and consistent delivery of data. Web applications are not without their risks. There’s a long history of design and programming issues that have led to countless security breaches and data loss. Some of the largest-ever hacker breaches occurred on web servers due to their public visibility and content value. Yet, many of these security issues are avoidable. The use of a secure development life-cycle process coupled with knowledge of the causes and solutions for common errors can go a long way to improve the security of software developed as web applications. NOTE The Open Web Application Security Project (OWASP) is an organization that is focused on improving the state of security in web applications. OWASP is vendor neutral and works as a collective mind built from hundreds of volunteers across the world. One of its specific projects is a list of common errors—the OWASP Top Ten project—that details the most commonly found errors in web applications. Using this list for awareness and as a checklist can significantly improve web application security in an enterprise.
08-ch08.indd 310
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
311
Software development and security should go hand in hand. However, that often doesn’t happen because secure code isn’t produced by security personnel, but rather software developers. Secure application programming should be led by people with an understanding of how to include security as a consideration during the design, default, and deployment phases. The next sections touch on each of these topics.
Secure by Design PART II
Security begins at the design stage. To create a system that is secure by design involves ensuring that the application has considered the threat environment it will be operating within and that it appropriately uses available technology to achieve security. The design of an application can have a huge effect on its attack surface. Attack surface is a term used to describe all the aspects of software accessible to a user, whether by design or not. CAUTION Many programs need to write user data to a disk location for later use. Where to store the data is a design function. If a protected directory is chosen, requiring administrative privileges to write, then this design choice can result in forcing a section of the code to be run with admin privileges. Unnecessary use of administrative privilege results in unnecessary risk from others exploiting the code sections that operate with administrative rights.
Many attributes comprise secure by design. Secure software does not build itself; it is constructed per a design, and a poor design can lead to security-related decisions that provide poor outcomes. When designing software, one must take the environment of use into account. An Internet-facing application has a lot of exposure; therefore, it potentially brings a wide range of threats to an application. Such variety of threats has resulted in threat modeling—a methodology of developing an understanding of and communicating essential information concerning the various threats to a specific piece of software.
Secure by Default Secure by default refers to the principle that when deployed in a default configuration, security is maintained. Security functionality should not be a user-selectable option requiring user interaction to invoke it. In other words, security should be more proactive than reactive. One method of securing an application by default is in minimizing default program functionality, thus reducing the attack surface of the application. If certain options are not commonly used, disabling them by default reduces the code being invoked during a default installation, and this also reduces the opportunity for attackers to exploit the application. EXAM TIP A current example of secure by default is in the deployment profile of Windows 10 and Windows Server 2019. Many program options, such as FTP server, are not installed during a default setup. If an administrator needs FTP services on a server, then it can be installed. Otherwise, having the functionality disabled prevents it from being an attack vector.
08-ch08.indd 311
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
312
Secure by default is relative to the typical or default deployment of a product or application. A key aspect in understanding the level of security needed is found by examining the specific threat environment that the software may run in as deployed. The threats to an Internet-facing application are different from those of an application being deployed within an organization. Secure by default also includes an assessment of the functional needs of the application as designed and deployed. Out of the box, Internet Explorer has a different level of functionality on Microsoft Windows Server than it does on a Windows client-based OS. Turning off some functions in the server environment is done to prevent unnecessary elements being exposed to attackers. For example, consider disabling Java scripts, VB scripts, and ActiveX controls. Although these may be important for a client system to enhance a user’s browsing experience, browsing from a server is more restrictive because of the damage an issue could cause.
Secure by Deployment Software is designed, developed, and tested in an operational vacuum. Once it is deployed, the interaction with other processes, users, and security features creates opportunities to avoid or bypass security controls. Configuring the system so that items such as automatic updates occur seamlessly is important. During installation, software will often create accounts and passwords used as part of the installation process. Deleting, disabling, or renaming these accounts at the conclusion of setup prevents them from being used by unauthorized personnel. Forcing changes of passwords associated with any resident accounts created by the software is another lesson learned.
Specific Application Issues
Applications are a popular target for several reasons. First, they are typically developed by personnel with less resources and training than the major OS and networking vendors. The second reason is that applications also tend to have the information that today’s hackers desire. Hacking takes resources, and today those resources are provided by criminal enterprises and governments. One for stealing information for resale, and the other for stealing information for competitive gain. In both cases, the applications are where the valuable information is accessible. In the past, the information was gained by getting into the network and OS layers, but today those avenues are much harder to exploit. At the same time, the growth of web applications, typically developed with much less emphasis on security, has accelerated, thus providing attackers a fertile bed of opportunity. Applications are programs that respond to a series of inputs, perform some form of computation, and respond via an output process. Different applications have different input, computation, and output requirements. Speaking of input, input validation is a vital security development concept that should be incorporated into all software. Yet, most applications suffer from some form of input validation risk. Inputs that aren’t validated can allow an adversary to send inputs that force a program outside its design, resulting in unexpected behaviors.
08-ch08.indd 312
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
313
Many common types of vulnerabilities can be mitigated via input validation. From injection attacks (XSS, SQL, or command) to canonicalization attacks, arithmetic attacks, and buffer overflow attacks, input validation offers an application a way to mitigate these forms of attack. One key principle is to consider all input to be malicious until it has been cleaned or proven otherwise. What follows in the upcoming sections are examples of specific application issues, beginning with insecure direct object references. Then we’ll cover cross-site scripting, cross-site request forgery, SQL injection, and several other topics.
A direct object reference occurs when an application request refers to the actual name of objects such as files, folders, database, or storage elements. If these object references are left unchecked by the application, attackers can manipulate the requests to gain access to unauthorized resources, or access authorized resources in unauthorized ways. To address this threat, consider implementing access control checks to ensure users are authorized to access the requested object. Also use per-user or per-session indirect object references to prevent hackers from directly accessing unauthorized resources.
PART II
Insecure Direct Object References
Cross-Site Scripting (XSS) One of the most widespread website attacks stems from cross-site scripting. Cross-site scripting involves attackers discovering and exploiting vulnerabilities on websites in order to inject malicious code—typically JavaScript. Cross-site scripting is abbreviated XSS to distinguish it from cascading style sheets (abbreviated CSS). Attackers take advantage of poor input validation controls on a website to covertly inject the malicious code. Positioned like a landmine, the attacker’s hope is for unsuspecting users to visit the website and run the malicious code. Once the victim’s web browser runs the malicious code, it can lead to stolen cookies, stolen session IDs, session hijacking, malware installation, and bypassed access controls.
XSS Vulnerabilities
There are three general types of XSS vulnerabilities:
• Nonpersistent (reflected) vulnerability The attacker creates a URL link that contains malicious code, which then gets sent to a particular user (usually through e-mail) to run. Upon clicking the link, the user is redirected to the website, which then “reflects” the script back to the user’s browser for processing. The attack is considered nonpersistent because it only affects the user who received the malicious link. The term “reflected” stems from script reflecting off the website and running within the user’s browser. This is the more common variety of vulnerability. (continued )
08-ch08.indd 313
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
314
• Persistent (stored) vulnerability Unlike the reflected attack, which is sent to the user and then reflects off the website, stored attacks begin at the website. The attacker starts off by injecting the malicious code into a website’s message board or search field. When a user visits the website and stumbles upon the code, the code executes. This may result in stealing the user’s cookie for impersonation purposes. This is said to be a “persistent” vulnerability due to the script surviving, or persisting, on the website for an extended period of time. The term “stored” arises from the malicious code being stored on the target website. This is not as common as the reflected attack, but it is more devastating. • Document Object Model–based (DOM-based) vulnerability The reflected and stored cross-site scripting vulnerabilities have one thing in common—they take advantage of a website’s vulnerability. The DOM-based attack goes the opposite route by using JavaScript to exploit vulnerabilities in the client’s web browser—after which the web browser then runs the malicious JavaScript code.
The CompTIA Advanced Security Practitioner (CASP+) exam is known for displaying exhibits containing malicious code (XSS, SQL injection, and so on), and you will be tasked with understanding some basics of the attack, such as its type and outcome. Here’s an example of XSS code that will attempt to steal the victim’s cookie:
There are a variety of methods for combating XSS attacks. Comprehensive code review processes and input validation are musts. Also, anti-XSS library functions can be used to handle input from users. Before any user input is processed or used, it should be sanitized by removing scripting elements. Another precaution that can be taken by users is to disable scripts using something like NoScript for Firefox, although this does limit what one can do/experience on the Web. Patching web browsers and servers can mitigate certain XSS vulnerabilities; in addition, these tools can be updated to newer versions. EXAM TIP Implementing a web application firewall (WAF) can help filter out XSS attacks. More to follow on WAFs later in this chapter.
Cross-Site Request Forgery (CSRF) In a sense, cross-site request forgery (CSRF) attacks are the reverse of XSS attacks because CSRF takes advantage of the website’s trust of the user’s browser as opposed to the client’s trust in the website (XSS). Also known as session riding, CSRF attacks are the result of malicious code found in e-mails, websites, or instant messages that results in a user’s web browser executing undesired actions on a site to which the user is already authenticated.
08-ch08.indd 314
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
315
The term “forgery” is used since the attacker forces the user to run malicious code against the trusted site—unbeknownst to the user—and the site believes the code originates from the user’s browser. This attack frequently takes advantage of websites that have a “keep me logged in” check box, such as bank and social media sites. The following is an example of this:
2. The attacker puts the request into a link, which gets delivered to the user via e-mail. 3. The victim clicks the link, which sends the malicious request to the bank server.
PART II
1. The attacker crafts a forged request that will transfer $2,500 from the victim’s bank to the attacker.
4. The bank server processes the request to deliver $2,500 from the user’s account to the attacker.
Countermeasures for CSRF can be highly technical and go beyond the scope of the CASP+ exam, but here are some best practices to consider:
• Use anti-CSRF tokens. • Use “same site cookies” if web browsers support them. • Require users to click the “log off ” button on websites as opposed to just closing the window. • Prevent browsers from caching usernames/passwords. • Do not include “remember me” or “keep me logged in” buttons on websites. • Implement plug-ins such as NoScript.
Clickjacking Clickjacking is an attack where a user is tricked into clicking something on a web page and then a different operation is performed, as shown in Figure 8-1. The user may think he is clicking a button to perform a specific action, but a hidden form activates a different set of code than expected by the user. A common form of clickjacking is when an attacker creates a transparent page with hidden buttons that overlap the visible buttons. Because the hidden layer is an authentic page, actions are authentic and traced to the user, not the attacker. Client-side browser extensions such as NoScript and Ghostery can be used to detect clickjacking and other exploits. Clickjacking can and should be addressed from the site owner’s perspective. It is possible to take a couple actions that can reduce the possibility of clickjacking—or at least make clickjacking more difficult to create. The first is the use of the X-FRAMEOPTIONS header, which controls whether or not a site can be embedded within a frame. Using the DENY option prevents the content from appearing in a frame; the SAMEORIGIN option only allows a site to be framed by same-origin web pages. A less effective approach is the use of JavaScript frame-busting methods, although attackers can disable these by setting SECURITY=RESTRICTED on their iframe to disable the JavaScript frame-busting defense.
08-ch08.indd 315
11/03/19 3:13 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
316
Figure 8-1 Clickjacking
This site is visible and made to align with your bank or other site. Sites are aligned to exactly overlay.
cel CanY
Your bank or other target is put in an invisible frame on top.
Entries you think are going to “Specials of the Day” site are being sent to “Your Bank” site without your knowledge.
Session Management The Hypertext Transfer Protocol (HTTP) is stateless by design. Each HTTP GET or POST request is in the form of a new TCP connection, and may go to a different web server in a web farm environment. If the user experience from page to page requires information transfer, this must be done either through a session ID or other set of state information passed with the requests from the client. This is referred to as session management, which is typically performed through the use of cookies. There are several security aspects to session management. An unauthorized eavesdropper could use session information to perform a session hijack. Although there are many techniques for session hijacking, here are a few high-level hijacking concepts to be aware of:
• Session fixation attack The attacker lures the user into authentication with a known planted session ID and then hijacks the session afterward. The attacker may initiate this by providing the user with a link containing a valid session ID that the user then clicks, which will “fixate” the user with the session ID. The session ID may be baked into the URL, cookie, or a hidden form field. • Session prediction attack The attacker “predicts” session IDs through guessing or brute-force techniques. • Session ID sniffing The attacker sniffs network traffic that contains session IDs.
08-ch08.indd 316
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
317
• TCP segment hijacking The attacker sniffs network traffic to establish and predict future patterns regarding TCP SYN and ACK flags, in addition to sequence numbers and acknowledge numbers. This is considered “network-level” hijacking, as opposed to the prior three methods, which are commonly known as “application-level” hijacking.
• Implement the logout feature on websites to ensure sessions are expired. • Generate session IDs after login and accept session IDs generated by the server only. • Use secure security protocols such as SSL/TLS, SSH, Kerberos, and IPSec. • Use different username/passwords for different accounts. • Use longer session IDs than the ones generated by previous algorithms. • Provide end-user security training. • Employ anti-malware scans. • Engage in patch management. • Employ session timeouts. • Force reauthentication after a certain period of time.
PART II
To protect against session hijacking, consider implementing the following security recommendations:
NOTE Popular tools for session hijacking include Burp Suite, OWASP ZAP, and sslstrip.
Input Validation Input validation is possibly the most powerful security tool a developer can wield. A wide range of attacks take advantage of the fact that users get to provide input to a computer program and they don’t necessarily have to provide the input the program is asking for. Buffer overflows have been one of the most storied vulnerabilities found in software. Buffer overflows are a prime example of the effect of not validating input before use. Input validation can be described in a simple way. Developers should ensure that all input is proper in form and length before processing or using it in any fashion. Also, all input should be considered malicious until proven otherwise. Although seemingly simple, in practice this can be difficult to do. Parsers and other processes can intervene, affecting an application’s ability with respect to detecting input issues. Several specific issues need to be addressed as part of input validation. The simplest is data length. Data input occurs for a purpose, and the application should have an idea of how long the data input should be. Validating the input length is important—if it is too long, it can overwrite the buffer and result in failure. After screening for length, the more difficult task of screening for content begins. Content screening can take several forms. There is whitelist screening, where only acceptable items are passed. There is blacklist screening, where disallowed objects are
08-ch08.indd 317
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
318
removed or rejected. The problem with whitelist screening is that this form of screening is better performed with a checklist-type user interface and requires user interaction as applications change. Blacklist screening is difficult in many cases because of Unicode and other forms of encoding, canonicalization, and multiple encoding to obfuscate what should be excluded. Verifying the format of an item using tools such as regular expressions can be used for some items (e-mail, SSNs, phone numbers, and so no). Numbers can be checked with check digits, or limit checks (greater or less than a specific value). Content checks (such as date ranges for birthdays) and consistency checks (for example, making sure the ZIP code and state match) can be performed to screen data. In the long term, forms of whitelist screening will have to be developed because the list of desired applications is finite, whereas the list of all possible undesired applications could be considered near infinite when you add in the issues of obfuscation. The challenge is in developing a methodology for whitelisting that automates the process and does not inconvenience the end user.
SQL Injection SQL injection is an injection attack designed to attack the database associated with a web application. There can be several different databases, each with important information. A user database with user access information can be harvested to obtain system credentials. An application database can be harvested to obtain application information. The objective of a SQL injection could also be destructive, such as deleting records or dropping tables. Here’s an example of a SQL injection command dropping a table called “users”: SELECT firstName, lastName FROM users WHERE userID='x'; DROP TABLE users;--';
This is a devastating SQL injection command because the table being dropped is the users table!
SQL Injection Samples
Testing for SQL injection vulnerabilities can be performed using some common test vectors:
• ‘ or 1=1— • “ or 1=1— • or 1=1— • ‘or ‘a’=’a • “ or “a”=”a • ‘) or (‘a’=’a Note that the use of single or double quotes is SQL implementation dependent because syntactic differences exist between the major database engines. If an error message is generated, the information in the message is examined as to whether it could be used to attempt an actual exploit against the database.
08-ch08.indd 318
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
319
PART II
SQL injection is one of the most common attack vectors used today. It can provide direct access to the database, which can allow even greater plundering than applicationlevel access. The vast majority of SQL injection attacks occur because of a combination of poor input validation and inline SQL calls. Programs will build a specific query based on user input and pass that query on to the database. Several methods can be used to access data from a database via an application program. The easiest to design and program is a query string with user input that is passed over a database connection and the records returned. The problem with this method is that the user input can completely alter the SQL query, and this can be difficult to detect or remove without significant input validation. More secure is the method of stored procedures, but this requires additional programming experience and more comprehensive design effort. NOTE Popular SQL injection tools include sqlmap, SQL Power Injector, The Mole, and jSQL Injection.
Defending against SQL injection requires a variety of countermeasures, including the following:
• Implementing input validation • Disabling commands like xp_cmdshell • Suppressing error messages or customizing error messages • Ensuring database accounts use least privileges • Monitoring SQL statements to identify any statements that look malicious • Using parameterized queries • Escaping user-supplied input
Improper Error and Exception Handling Errors are a natural part of software. Not all contingencies can be foreseen, and error handling is an essential element in secure coding. All exceptions and errors should be trapped and handled. In the process of handling the error, if information is passed back to the user, it should meet several criteria. First, the information should be clear and actionable by the end user. Cryptic messages, or generic “contact your administrator” messages, do nothing but frustrate the user. From a security perspective, it is very important not to provide information that gives up sensitive data. Paths to resources, databases, or other items that could be used by an attacker should not be disclosed. A common error is when the user enters incorrect credentials for access. If the user ID is correct but the password is wrong, confirming a password error tells a potential attacker that he got the user ID correct. The proper procedure is to tell the user that there is an authentication error, without identifying which field is wrong.
08-ch08.indd 319
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
320
CAUTION You’ll notice that some error messages today go from one extreme to the other by displaying useless messages like “Error,” “Something happened,” or the infamous blank error message. Although such messages will improve security, they don’t provide any other benefits.
Privilege Escalation Hacking a computer system is not a quick sit-at-the-keyboard-and-type-your-way-in Hollywood-style endeavor. There is a process for attacking a system, beginning with reconnaissance, moving to gain a foothold, and then escalating privilege to gain a level of control necessary to achieve an objective. All processes that run on a computer system do so under the label of a specific named account. Each account has a set level of privileges that it can use when accessing various resources. Typically end users have fairly limited privileges because they do not need to routinely perform many actions. Named accounts serve a variety of purposes, one of which is to regulate the level of control a user can have when interacting with a system. Shared resources, such as file systems, can have areas that are usable by different accounts, blocking other users from accessing these files. Only one account has the ability to see all and do all in the system: the root or administrator account. A typical goal of many hackers is to achieve root or administrator status, because this allows them unfettered access to all system resources. As root they can start, stop, and change anything, including log files. Root accounts are typically protected with strong passwords, and access is logged and alerted to system operators. This makes direct logging into these accounts not a viable option. Another way of gaining higher access is to exploit a vulnerability in an application that is running with elevated privileges. The exploit that allows arbitrary code to be run does so at the elevated privilege level of the application program, and does so under the application program’s legitimate credentials, thus reducing the alert footprint significantly. This is why vulnerabilities associated with privilege escalation are highly sought after by hackers. EXAM TIP Two forms of privilege escalation can occur as a result of a vulnerability exploitation event. The first, and more commonly sought after, is the vertical escalation (or elevation). In this form the goal is to obtain a higher level of access than the current user possesses. The second is horizontal escalation, a form where user1 can perform the actions as user2. It is important to note that horizontal escalation is much less common than vertical escalation and is generally limited to web applications. This form of escalation is useful when manipulating records through a flawed bank web application.
Improper Storage of Sensitive Data Applications frequently have data that could be considered sensitive, or of high value to an attacker. Passwords, encryption keys, paths, and other elements that the application needs to run correctly are common examples—but would cause harm if published.
08-ch08.indd 320
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
321
PART II
Maintaining these secrets is a key element of maintaining security associated with an application. There are many ways to store sensitive information, and like most things in life, the simple methods have drawbacks. A simple encoding of a secret in strings inside the executable code has two distinct disadvantages. First, it makes strings difficult to change. The second and potentially more serious problem is that strings can be discovered via reverse engineering and code examination. This has led to the rule “no hard-coded passwords,” because numerous applications have fallen prey to this vulnerability. A hard-coded password is discoverable and, once known, is next to impossible to change without changing the code—and hence becomes a glaring vulnerability. This same issue applies to cryptographic keys because they, too, have been revealed in the same fashion. Storing the data in a configuration file does not significantly improve the situation. Configuration files are frequently discovered, and if the secret is one that is common among installations, then simply obtaining a copy of the program in demo mode allows information as to how to obtain the secrets from a licensed version. Not only are configuration files sensitive, so are some forms of operational files. Printer files, whether a temporary file on a print server or a job file stored on a digital printer, can represent an opportunity for data leakage. Accessing a print queue, or set of temporary files, can result in data release.
Fuzzing/Fault Injection Fuzzing is a software testing methodology used to detect input validation errors. This is a very powerful tool that is frequently automated to test a wide range of inputs against an interface. The basic concept is that one prepares a large set of input data to test a large range of potential input validation errors. The fuzzing framework then presents this to the application and monitors the system for exceptions. The code that results in exceptions is then examined for potential exploitability. A wide range of systems can be fuzzed—databases, shared memory, file systems—in essence anything with an input. Fuzz testing has become a very powerful testing tool. Fuzzing is the mechanism that has found the majority of operating system bugs. The challenge for testers is how to build the dataset of inputs for testing. Originally the datasets were built randomly, but over time, the value of specific structures became apparent. Using a variable string length, followed by a payload, allows the tester to find exploitable buffer overflows. Specific sets of numbers can test for numerical overflows. EXAM TIP Since fuzzing will test for web application input validation flaws, implementing stronger input validation controls is an excellent countermeasure to fuzzing. Also, consider using a web application firewall (WAF) from a provider such as Barracuda or Cloudflare.
A related testing methodology is fault injection. Fault injection is the specific injection of faults into code, which can be done with inline code for testing, to verify correct handling of specific fault conditions. When inline code is used for testing, this code is removed before compiling for production, but this extra step is still an important and useful tool to verify correct handling of critical errors.
08-ch08.indd 321
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
322
Secure Cookie Storage and Transmission Cookies are an important part of web applications. Cookies provide client-managed storage in the form of text files that enable a web browser to locally store information from a web application. Cookies are often vulnerable with web browsers, and many methods of stealing cookies have been developed and exploited. It should be assumed that adversaries can get access to the cookies associated with an application. This places two burdens on application designers and developers. First, secrets stored in cookies must be encrypted. Simple encoding is not encrypting, so actual encryption methods should be used. The second condition is that essential information should not be stored in the cookie, but rather on the application server itself. The cookie can store a pointer to the location on the server. By using the cookie to store a reference pointer (or session ID), the secrets associated with the cookie can be safely managed on the server side of the application. When e-commerce was first being developed, cookies were widely used to directly store the shopping cart contents for users. Web applications that stored the prices in this fashion found themselves vulnerable to having the prices changed on the client. As with all things web related, transmission of data between client and server are often in clear text and subject to observation. To address this issue, all sensitive communications should be done over secure channels with SSL/TLS designed specifically for this functionality. Although sparsely used early in the Web, primarily for performance concerns, SSL has entered into mainstream usage today. In a modern IT enterprise, there is really no reason not to use SSL all the time, and there have been industry calls for SSL everywhere. This will place at least a reasonable level of complexity on an attacker going after application data transfers.
Buffer Overflow A buffer overflow vulnerability is a result of poor coding practices on the part of the developer. It occurs when any program reads input into a buffer (an area of memory) and does not validate the input for correct length. The potential for a buffer overflow exists any time data is read into a memory location; if the size of the data being read is larger than the destination, then an overflow occurs, overwriting the memory buffer and potentially damaging other values or introducing executable code. The exploit concept is simple: An attacker develops an executable program that performs some action on the target machine and appends this code to a legitimate response to a program on the target machine. When the target machine reads through the toolong response, a buffer-overflow condition can result in the original program’s failure. The extra data past the original buffer length can be malicious code that is now in the machine’s memory, awaiting execution. If the attacker executes it correctly, the program can skip into the attacker’s code, running it instead of crashing. Buffer overflow mitigations come in several forms, including the following:
• Bounds checking The application checks an allocated block of memory to prevent inputted code from exceeding the allocated space. • Canary values Like canaries that didn’t survive in a mine, a canary value is an added value that, if destroyed, symbolizes that the buffer preceding it in memory was overflowed.
08-ch08.indd 322
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
323
• Tagging A method of tagging data types in memory. Tags serve as a nonexecutable barrier to prevent buffer overflows.
Memory Leaks
PART II
EXAM TIP A well-known type of buffer over attack is called the no-operation (NOP) sled. Attackers flood an application with a series of NOP instructions meant to bypass having to know the exact memory addresses along the way to its final memory destination. If you use a packet sniffer, you may be able to detect NOP sleds through the presence of multiple strings of “90”.
Computer programs use memory for a wide range of purposes, but one dynamic use is in the storage of objects, variables, and other resources. When an application has a need for more memory resources, it can request additional memory from the operating system. When the application is done with memory it has requested, how the memory is returned to the operating system is language dependent. Some programming languages (Java and C#, for instance) have automatic garbage collection capability that reclaims and returns memory when objects are no longer used. Other languages, such as C and C++, require the program itself to manage the allocation and deallocation of memory. Failure to correctly manage memory can result in continued requests until the shared resource is exhausted. It may be in small steps, 1KB at a time, but in long-running programs even a small memory leak can have significant consequences. Better code review and development practices can help prevent memory leaks, in addition to the implementation of software patches.
Integer Overflows Integer overflow errors occur when a number is too large to be stored in the variable. Also called arithmetic overflows, these errors can occur in many ways. The first is in the simple concept that a given number will require a specific size of register or variable to store the value. The second issue lies in how numbers are represented digitally. If the most significant bit of a number is used to represent the sign of a number, then adding two large positive numbers can cause this bit to flip, making the result negative. This overflow condition is not automatically trapped in all languages and can result in some spectacular errors. The consequences of storage can be less than obvious as well. Consider an order entry system that has numeric values for unit price, quantity, and total price. It could be possible to roll over the total price and not the quantity, enabling an attacker to order a large quantity of an individual item and get it for a negative price (refund?). This type of error can be caught in several ways. First, all math should be checked prior to use. This will result in overflows being caught and then handled as exceptions. A second check—and one that should be a routine check—is output validation. Whenever you have an output of a function, it is important to validate the output value as landing in an expected range. In the case of the order entry error previously described, a negative total price should trigger an exception. Combining a series of security checks is the time-honored principle of defense in depth.
08-ch08.indd 323
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
324
Race Conditions Race conditions are software flaws that arise from different threads or processes having a dependence on an object or resource that affects another thread or process. A classic race condition is when one thread depends on a value (A) from another function that is actively being changed by a separate process. The first process cannot complete its work until the second process changes the value of A. If the second function is waiting for the first function to finish, a lock is created by the two processes and their interdependence. These conditions can be difficult to predict and find.
Time of Check
When software is going to update or change some aspect of a resource, it is common to check the item before change. A common example is the checking to see if a file exists before creating the file. Based on the results of the check, a future action is performed. Should something change between the time of the check and the future use (that is, another process creates the file), an exception can occur at the future action.
Time of Use
Using a shared resource without locking the resource from other activity can create issues if multiple threads attempt simultaneous use that is precluded by the resource type. It is possible for multiple threads to read the same areas of a database, but updates, writes, and deletes are activities that cannot be shared across threads. Locking mechanisms are needed in these cases, yet performance may be an issue. Managing locking at an appropriate granular level is necessary to manage performance impacts from required time-ofuse locks. NOTE A time-of-check/time-of-use race condition occurs when something influences the condition of a resource between the time of check and the time of use, thus invalidating the time-of-check results. This can result in software performing an invalid action based on invalid time-of-use results.
Resource Exhaustion Resource exhaustion is a form of denial of service, where a required resource to perform some specific action is not available at the time of need. Shared resources are particularly vulnerable to this form of attack. A SYN flood attack is a resource-exhaustion attack. In a SYN flood, the multitude of SYN packets consume the system resources used to open connections. Many times, resource-exhaustion vulnerabilities stem from design issues, where protocols or architecture did not consider the handling of excessive demand and the resultant effects. This makes corrective action for these examples more difficult because the solution must be created out of band. A common programming error involves nested loops that consistently use some form of resource without releasing previous use. Memory leaks are an example of this form of resource exhaustion. The end result of most resource-exhaustion attacks is a denial of service associated with the service being provided by the function under attack.
08-ch08.indd 324
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
325
EXAM TIP Prevention of resource-exhaustion attacks requires one of two activities: Either the attack is recognized and further resource use on the part of the attacker is denied at least temporarily or, as resources are consumed, they are throttled in a manner to prevent rapid consumption.
As detailed in Chapter 7, geotagging involves attaching geographical identification properties (location, coordinates, place names, and timestamps) to media such as photos, websites, videos, and so on. Certain applications like Foursquare are well known for their geotagging capabilities, particularly for publishing on social media platforms like Facebook. Some attackers on social media sites observe your geotagging data to determine your current whereabouts. It is recommended that unless absolutely necessary, geotagging should be disabled on smartphones and on social media websites.
PART II
Geotagging
Data Remnants Confidential materials are often grouped together to simplify data retention, security, and destruction requirements. When the time comes, the organization will need to properly remove the data from its online and offline storage containers. Data, however, is not as simple to remove as just “deleting” it. It is often believed that deleting data means that all of the data just disappears. The data often remains where it is; what actually occurred was the “pointers” to the data were removed. NOTE A file’s “pointers” are like the table of contents or index in a book. Such pointers indicate on which pages in a book to find certain stuff. As you would expect, removing something from the table of contents or index does not remove the actual book pages themselves.
When pointers are removed during a file deletion, the file system now considers the still-occupied space as “unoccupied,” thus making it available for use. Any information that remains after file deletion or destruction techniques is known as a data remnant. As a benefit, data remnants provide businesses (and forensic investigators) with an opportunity to reconstruct lost data; yet it also provides attackers with the same opportunity. To properly dispose of data to ensure little to no data remnants remain, consider the follow data-destruction techniques:
• Overwriting Involves the replacement of the 1’s and 0’s on the storage medium with a different pattern of 1’s and 0’s to render the original data unrecoverable. It is recommended that this process be repeated several times to ensure effectiveness. Physical destruction techniques are generally preferred. • Degaussing Performed by sending a powerful magnetic force to the storage medium to destroy the information (and sometimes other physical components of the drive as well).
08-ch08.indd 325
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
326
• Encryption Drive encryption, and the subsequent destruction of the decryption key, makes the information on the drive essentially unrecoverable. This is a cheap and fast alternative to other destructive techniques. • Physical destruction Involves physically destroying the drive by shredding it, “burning” it with powerful chemicals, drilling holes in it, or incinerating it. This is the best technique, although typically the most expensive.
Use of Third-Party Libraries Modern web applications are complex programs with many difficult challenges related to security. Ensuring technically challenging functionality such as authentication, authorization, and encryption can take a toll on designers, and these have been areas that are prime for errors. One method of reducing development time and improving code quality and security is through the use of vetted library functions for these complex areas. A long-standing policy shared among security professionals is, “Thou shall not roll your own crypto,” which is an homage to the difficulty in properly implementing cryptographic routines in a secure and correct fashion. Standard libraries with vetted calls to handle these complex functions exist and should be employed as part of a secure development process. There are numerous vetted and secure libraries for use in applications, including the following:
• Microsoft Web Protection Library (runtime protection from XSS and SQL injection) • OWASP Enterprise Security API input data validation and output encoding functions • OWASP AntiSamy • OWASP CSRFGuard The use of tools such as these remove much of the tedium associated with secure coding and allow developers to focus on the actual application development as opposed to the secure implementation of functions.
Code Reuse Code reuse involves the authorized use of someone else’s proven code, or knowledge about code, to improve your software development efforts. It can save time and resources as well as help create more usable, functional, and secure software overall. Oftentimes, the reusable code is stored within an organization for repurposing in the future; yet the reusable code is more likely to be sourced from third-party software development kits (SDKs) and software libraries.
08-ch08.indd 326
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
327
Application Sandboxing
PART II
Application sandboxing is a mechanism to constrain an application into a confined area during execution. Limited access to the OS and persistent items, such as user files, permissions, and other resources, will limit the damage a malicious application can cause. The objective of the confinement can range from complete isolation to limited isolation, depending on the security needs. There are a variety of methods to implement sandboxing, from virtual machines (which sandbox a whole machine) to application-specific sandboxing (for example, JavaScript in a browser). Although virtual machines are commonly used, recent advances in virtualization have introduced operating system virtualization—or containerization—into many operating systems, including Windows 10 and Windows Server 2016. Containers provide application isolation benefits without requiring nearly as many resources as virtual machines.
Secure Encrypted Enclaves
With malware increasing in complexity, operating systems (OSs) should operate under the assumption that they are already infected. An OS under the control of malware is a scary proposition for any system owner; therefore, a method is needed to ensure that malware-infected kernels cannot compromise the entire OS. This “safe” portion of the OS that is isolated from the malware is known as a secure encrypted enclave. These secure enclaves use a separate coprocessor from the system’s main processor to prevent the main processor from having direct access to information stored in the secure encrypted enclave. Such information may include encryption keys, biometric information, and so forth. This topic is discussed in more detail in Chapter 13.
Database Activity Monitors and Web Application Firewalls
Discussed in more detail in Chapter 5, database activity monitors (DAMs) independently monitor the transactions and other activity of database services. DAMs are important because databases contain some of the most important information in the organization; therefore, many attacks concentrate on databases. Common uses of DAMs include monitoring applications and users for unauthorized or fraudulent activity, such as SQL injection attacks. Accountability and compliance auditing can also be aided by DAMs. Also discussed in more detail in Chapter 5 is the usage of web application firewalls (WAFs). WAFs are firewalls created for web applications to impart HTTP-specific rules to guard against a variety of attack vectors, including everything from cross-site scripting and session hijacking to SQL injection and file injection attacks. Web applications are both easily accessible and stacked with valuable data; therefore, they routinely endure more attack vectors than most targets.
08-ch08.indd 327
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
328
Client-Side Processing vs. Server-Side Processing
Client-side processing versus server-side processing is a classic case of input validation. Although client-side processing has many advantages, it is not appropriate as a standalone security solution. Client-side processing can be circumvented by a proxy between the client and the server, and values can be changed. This does not mean client-side processing is without value. Client-side processing is very useful when it comes to user experience, because it is faster than a round trip to the server. The best practice is a form of client-side processing to validate and correct inputs on the client machine, thus affording the user the best user experience. The material is then rechecked for appropriate input on the server before processing. This server-side check acts as the real input validation, preventing any input overflow or canonicalization errors. The key element behind input validation is that one cannot trust the client for proper input, so one cannot trust the client for validation either. The true culprit is not just the client, but also any machines that may be between the client and the server, including proxies. Any processing before the server can be changed during transmission, so the only secure way to verify input validation is on the server side of the conversation. TIP A developer or tester can use a proxy server to intercept communications between a client and server application. Proxy clients exist that enable users to inspect and change traffic after the browser, but before the server, thus enabling the client traffic to be changed during transmission. OWASP has published the WebScarab project to specifically assist testers in this endeavor.
JSON/REST JavaScript Object Notation (JSON) is a language-independent data format derived from JavaScript. It utilizes a simple text format for the storage and exchange of data between a browser and web applications. JSON is similar to Extensible Markup Language (XML), yet JSON’s lack of verbosity makes it a popular alternative to XML. Representational State Transfer (REST) is a framework that relies on various web protocols to define how clients and servers can exchange web resources with a high degree of interoperability. REST is often preferred over SOAP since it is lighter weight, consumes less bandwidth, works with more tools, and has better scalability. Any web services that use REST are referred to as “RESTful APIs.” The following security techniques should be considered for JSON/REST web services communications:
• Use API keys to prevent service hijacking, which can lead to DoS conditions. • Implement access control at API endpoints. • Implement audit logs. • Employ input validation.
08-ch08.indd 328
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
329
• Restrict HTTP methods to only allow GET, POST, and PUT. • Use HTTPS to secure the communication’s channel. • Use nonverbose error messages. • Utilize JSON web tokens for the security token, which can then be digitally signed for integrity.
Browser extensions, also known as add-ons or plug-ins, are tiny programs connected to a web browser to provide extra functionality. Browser extensions can run the gamut, from providing translation services to blocking web ads. Although extensions typically don’t modify the interface, some extensions include toolbars, which are typically visible on the top portion of the web browser. Most browser extensions are made available through app stores, such as with Chrome’s Web Store. In this section, we cover a few technologies that provide functionality to browser extensions.
PART II
Browser Extensions
ActiveX
Released in 1996, ActiveX is a Microsoft software framework designed for Internet Explorer, built on object-oriented programming technologies, for the purpose of running dynamic media content. ActiveX repurposed its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies to facilitate the running of programs, or ActiveX controls, inside the browser itself. Such controls permitted the browser to display videos, animations, and documents directly from the browser without requiring separate software. Controversial from the start, ActiveX controls run on the local computer with the same security privileges as the currently logged-on user, thus providing potential loopholes into your system for attackers. Although ActiveX is still supported by Internet Explorer 11, its days are numbered. The Microsoft store no longer supports ActiveX, and Microsoft’s newest Edge browser does not support ActiveX. For security purposes, you may want to make sure that ActiveX support is disabled on your browser.
Java Applets
Developed by Sun Microsystems in 1995, Java applets are small platform-independent and Internet-based programs accessible within a web browser. More accurately, the Java program, or “bytecode,” would execute within a Java virtual machine (JVM), which was a separate process from the web browser. Such isolation helped provide a baseline of security between the web browser and the operating system. Although Java applets are in the process of being deprecated in favor of JavaScript, they are a relic of an earlier time when web pages were static and didn’t do much of anything. Java applets helped usher in the current generation of dynamic website applications that are chockfull of rich multimedia content. It’s important to keep in mind that, like ActiveX controls, Java applets may be hostile in nature and can cause damage to a machine if downloaded, so care must be taken in their usage. Options exist within web browsers to disable Java applets to improve host security.
08-ch08.indd 329
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
330
HTML5 Created in 2008, HTML5 is the fifth generation of the HTML markup language, which is used for describing the contents and appearance of web pages. HTML5 has been enhanced to support more multimedia capabilities, added mobile device support, plus many other features. Although HTML5 is comparable to Adobe Flash in certain ways, and is, essentially, the de facto replacement to Flash, HTML5 cannot do everything that Flash does—hence the need for supplementing HTML5 with JavaScript or Cascading Style Sheet (CSS) content. With HTML5’s new features also come new security risks—one of which is called cross-domain trusts. This feature permits websites from different DNS domains to communicate between iframes in your web browser. Such integration across websites will embolden malware writers to exploit cross-domain trust vulnerabilities. Plus, with HTML5’s increased reliance on client-side input validation, servers might fall prey to an increase in client-side attacks. Servers and web browsers will need to be programmed and configured to ensure input validation is also performed on the server.
AJAX AJAX is an acronym for Asynchronous JavaScript and XML and is a common programming methodology used to improve the end-user experience in web applications. AJAX is an intricate combination of technologies that can add complexity in an application. It can also increase the workload on the client machine. AJAX is a combination of the following technologies, and security issues associated with any of these can manifest themselves in an AJAX environment:
• HTML or XHTML with CSS for presentation • DOM for dynamic presentation and interaction with data • JSON or XML for data exchange • XSLT for data manipulation • XMLHttp Request object for asynchronous communication • JavaScript to unite technologies together AJAX techniques can run into issues crossing domains because of the same origin policy, which is a security concept designed to prevent scripts from operating across different domains; scripts that attempt to access methods and properties are limited to staying within the script’s origin domain.
SOAP Developed by Microsoft while relying on XML, SOAP is a specification for exchanging information associated with web services. Using a combination of protocols (including XML, HTTP, and SMTP), SOAP can transmit messages across the Web. SOAP acts as
08-ch08.indd 330
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
331
PART II
a specifically designed messaging framework between applications. SOAP creates a web services application stack that defines what is in a message, how to process the message, application-defined data types, and a convention to describe procedure calls and responses. This information is then used to define communications between applications. SOAP was created as an object access protocol with three major characteristics: extensibility, neutrality, and independence. SOAP can be extended with security and WSRouting protocols. SOAP can be used across a wide range of transport protocols, including TCP, HTTP, and SMTP. The independent nature of SOAP, and its basis in XML, allows it to be used with virtually any programming language or model. A SOAP message has two major components: the envelope and the body. The envelope defines the elements of the body so that a web service understands how to interpret a message. The body element contains call-and-response information as well as a fault element containing error information. The typical SOAP exchange involves a request message and a reply message. The Web Service Definition Language (WSDL) describes a web service and the format of requests processed using SOAP. EXAM TIP SOAP is the communication language of web services, and WSDL is the way we describe the communication details and the applicationspecific messages that can be sent in SOAP. WSDL, like SOAP, is encoded using XML-based grammar. WSDL is much more than a mere instruction manual on how to use the web service it describes. Web services development software can process a WSDL document and automatically generate the SOAP messages needed to invoke a specific service.
For example, you log into your organization’s online learning management system (LMS) portal in order to click a link that launches a virtual classroom session hosted by Adobe Connect. Upon you clicking the link, the LMS then packages both the link request and your authentication data into a Security Assertion Markup Language (SAML) format, which then gets encapsulated into a SOAP message for transmission to the Adobe Connect server over an HTTP connection. As you can see, SOAP provides a means of exchanging structured information. A SOAP message is a basic XML document made up of the following components:
• Envelope Categorizes the XML document as a SOAP message • Header Stores header information • Body Contains call-and-response data • Fault Provides error information during message processing From a security perspective, SOAP will benefit from web services security (WSSecurity), which is a security extension for SOAP messages. WS-Security can specify signing SOAP messages for integrity, encrypt messages for confidentiality, and attach security tokens to identify the sender.
08-ch08.indd 331
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
332
State Management Web applications commonly rely on an external form of state management. This is because, by design, the Web itself is stateless, not knowing the previous page or data. State can be managed in a variety of manners, but the two primary means are both via cookies—with the state being maintained either in the cookie itself or on the server via a lookup process. For some applications, keeping the actual state in the cookie can make sense, because if the manipulation of the state via the cookie does not cause harm, this can lessen the burden on the server itself. But as many an e-commerce vendor has learned, keeping a shopping cart in a cookie and relying on the prices in the cookie are two different things. Keeping the items in a shopping cart in a cookie can enable a better web experience. But when it comes time to check out, it is imperative that the server validate the critical input before use. In the case of the shopping cart, this would mean not relying on the client for pricing, but rather on the secure price stored in the server. Keeping prices in a cookie and relying on them can result in a disaster when the prices are altered to a penny or a negative number, thus creating a refund condition.
JavaScript JavaScript is a scripting language developed by Netscape and designed to be operated within a browser instance. The primary purpose of JavaScript is to enable features such as validation of forms before they are submitted to the server. Enterprising programmers have found many other uses for JavaScript, such as manipulating the browser history files (now prohibited by design). JavaScript actually runs within the browser, and the code is executed by the browser itself. This has led to compatibility problems, and not just between vendors, such as Microsoft and Mozilla, but between browser versions. Security settings in Internet Explorer are created by a series of zones, allowing differing levels of control over .NET functionality, ActiveX functionality, and Java functionality. Unfortunately, these settings can be changed by a Trojan program, altering the browser (without alerting the user) and lowering the security settings. In Firefox, using the NoScript plugin is a solution to this, but the reduced functionality leads to other issues—it can break many applications and requires more diligent user intervention. EXAM TIP A common use of JavaScript is in the validation of screens before submission over the Web. This is a form of client-side validation, and although convenient it should never be relied upon as a sole inputvalidation mechanism. For security purposes, the only input validation that is meaningful is server-side validation because it precludes input from being changed “post browser.”
Although JavaScript was designed not to be able to access files or network resources directly, except through the browser functions, it has not proven to be as secure as desired. This fault traces back to a similar fault in the Java language, where security was added on without the benefit of a comprehensive security model. Therefore, although designers put thought and common sense into the design of JavaScript, the lack of a comprehensive security model left some security holes. For instance, a form could submit itself via
08-ch08.indd 332
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
333
PART II
e-mail to an undisclosed recipient, for either eavesdropping, spamming, or causing other problems—imagine your machine sending death threat e-mails to high-level government officials from a rogue JavaScript implementation. Further, most browsers do not have a mechanism to halt a running script, short of aborting the browser instance, and even this may not be possible if the browser has stopped responding to commands. Malicious Java scripts can do many things, including opening two new windows every time you close one, each with the code to open two more. There is no way out of this, short of killing the browser process from the operating system. Java scripts can also trick users into thinking they are communicating with one entity when in fact they are communicating with another. For example, a window may open asking whether you want to download and execute the new update from http://www.microsoft.com…./update.exe, but what is covered by the ellipsis (…) is actually “www.microsoft.com.attacker.org/”. The hope is that you’ll assume this is a Microsoft address that is cut short due to space restrictions on the display.
Operating System Vulnerabilities
Regardless of the OS you’re using, it will have vulnerabilities—and a lot of them. Don’t believe any vendor hype that suggests otherwise. Although operating system vulnerabilities is a large topic in itself, we broke it down nice and easy for you:
• Unnecessary services When in doubt, leave it out. If you’re running a Windows IIS web server, you can probably disable NetBIOS and SMB services. Unnecessary services lead to open ports, which lead to malicious vulnerability research and exploitation. Disable any services that are not required. • Encryption One of the golden rules of cryptography is that you do not make your own cryptographic algorithms. The odds are miniscule that you’ll invent something better. Not only should you use other cryptographic algorithms, but its important to use the right ones. For symmetric encryption, AES is always a great choice. Same with RSA, ECC, or a variation of the two for asymmetric encryption. SHA-256 or better is a safe bet with hashing. IPSec is a strong choice for VPN. TLS 1.2 or 1.3 should be used for secure web communications, and at least WPA/2 personal or enterprise should be used for wireless communications. • Hardening Hardening is about changing default settings. Although this is by no means an exhaustive list, Windows hardening may involve modifying registry settings, group policies such as password policies, account lockout policies, auditing, user rights assignment, and AppLocker settings. Also, don’t forget to enable BitLocker drive encryption and Encrypting File System (EFS). In Linux, consider locking the boot directory, disabling USB support, removing unnecessary software packages, hardening the SSH service, enabling SELinux for kernel protection, and modifying default permissions. • Open ports Although some open ports are necessary, such as ports 80/443 for web servers, ports 25/110/143 for e-mail servers, and so on, make sure no stragglers are open. Such ports could be a sign of backdoor Trojan horses, or unnecessary services still enabled.
08-ch08.indd 333
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
334
• Patch Patch management is a bit of a double-edge sword. If you install patches immediately after release, you risk system reliability issues due to lack of quality assurance patch testing. If you perform lengthy quality assurance testing, you risk leaving your systems open for exploitation. The trick is to balance the need for thorough quality assurance testing with the need for expedient patch management. Most patches target vulnerabilities; therefore, it is imperative that they are deployed into the production environment as soon as possible. EXAM TIP Operating system vulnerabilities are a lot like fashion. It’s all about the current styles. The only way to find out what vulnerabilities are current is to go out there and do a little “window shopping.” Do some research on current vulnerabilities using websites like SecurityTracker, SecurityFocus, and the CVE database. Most vulnerability websites refer to the CVE database as the authoritative source; therefore, you may want to spend extra time there for more detailed descriptions of vulnerabilities. Armed with this information, apply the recommended mitigations before hackers exploit them.
Firmware Vulnerabilities
Often tossed aside in favor of mitigating operating system vulnerabilities, outdated firmware can produce serious vulnerabilities. It is alarming how infrequently technicians update system firmware. There are three misguided beliefs driving this administrative pattern:
• Firmware updates don’t provide any noticeable benefits. • The risk of bricking the firmware entirely outweighs the benefits. • The current firmware works just fine, so “if it ain’t broke, don’t fix it.” Although it’s true that firmware updates generally don’t add new functionality or features, they often mitigate security issues. That, in itself, is worth the update every time. Many bulletins out there describe hackers exploiting network appliances with older firmware. Not only should we update the firmware, but we need to account for just how many devices have firmware. These devices include the following:
• Workstations/servers • Routers/switches/firewalls • NAS systems • Mobile devices • Smart TVs • Hard drives • Optical drives • Expansion cards/peripherals
08-ch08.indd 334
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
335
• Cameras • Scanners • Gaming consoles
Chapter Review
08-ch08.indd 335
PART II
In this chapter, we covered the selection of appropriate security controls given software vulnerability scenarios. The first section began with a discussion on application security design considerations such as applications and solutions being secure by design, secure by default, and secure by deployment. The next section went into numerous application issues, beginning with insecure direct object references, which can be addressed by the application developer. Then we talked about common web application vulnerabilities for cross-site scripting and crosssite request forgery, which are heavily reliant on input validation countermeasures. Next, we talked about clickjacking, which tricks users into clicking on malicious web content. We then went into session management concepts like the usage of HTTP, session IDs, and how session hijacking works. We talked about input validation and how it can prevent many of the common web application attack vectors. SQL injection was discussed and how it exploits input validation weaknesses in web applications, leading to database breaches. Next was improper error and exception handling and how verbose error messages provide too much information for attackers to take advantage of. We discussed privilege escalation and how it allows attackers to increase their permissions/rights to have more powerful access on systems. We talked about improper storage of sensitive data regarding lack of encryption or password protection of sensitive content. Next was fuzzing/fault injections, which provide a way of testing a system with junk commands to see how it responds. We talked about secure cookie storage and transmission to ensure proper construction and transmission of cookies, in addition to encrypted channels with HTTPS. We talked about the ageless buffer overflow attacks and how they can be used in a DoS attack against an application or allow attackers to take control of the application. Memory leaks are bad because they can deprive a system of memory resources. Integer overflows are caused by calculations too complex for processing, which can lead to system or application crashes. We discussed race conditions, which involve out-of-order issues with the processing of software instructions. The next topic was resource exhaustion and how systems can crash if deprived of their primary resources. We discussed geotagging and the privacy issues it creates. Data remnants are leftover pieces of data after deletion operations have completed. We discussed the use of third-party libraries to augment our software development processes, as well as code reuse to provide increased efficiency and consistency of coding. The next section went into application sandboxing and its various incarnations, including the usage of virtual machines or containers for isolation purposes. Sandboxing can be done on-premises or in the cloud. Another section went into secure encrypted enclaves, describing the isolation of a portion of the OS should the kernel become compromised. This is achieved through the use of a separate processor assigned to the isolated portion of the OS.
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
336
The next section tackled database activity monitors (DAMs), which are vital for monitoring database activity, including queries and responses, while also checking for SQL injection commands. We then had a section on web application firewalls (WAFs) and the specific role they play in guarding our valuable but vulnerable web applications. Web applications are targeted so often that they require their own defense-in-depth strategy, which includes the use of web application firewalls. The next topic covered client-side processing versus server-side processing of web content. Client-side processing provides better performance and functionality for the users, whereas server-side processing improves security. We also went into various web services methods like JSON/REST, HTML5, AJAX, JavaScript, and SOAP. We talked about browser extensions, including the soon-to-be deprecated ActiveX controls and Java applets. We also talked about state management of web sessions. We ended the chapter on operating system vulnerabilities, including the need for hardening, disabling unnecessary services and ports, enabling encryption, and improving patch management. We also touched on firmware vulnerabilities and the need to update firmware to improve security.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Application Security Design Considerations • Secure by design means that an application has considered the threat environment it will be operating within and that it appropriately uses available technology to achieve security. • Secure by default refers to the principle that when an application is deployed in a default configuration, security is maintained. • Secure by deployment means that an application is deployed into an environment that will support the security goals of the application.
Specific Application Issues • A direct object reference occurs when an application request refers to the actual name of objects, such as files, folders, database, or storage elements. • Cross-site scripting involves attackers discovering and exploiting vulnerabilities on websites in order to inject malicious code—typically JavaScript. • CSRF attacks are the result of malicious code found in e-mails, websites, or instant messages and cause a user’s web browser to execute undesired actions on a site to which the user is already authenticated. • Clickjacking is an attack where a user is tricked into clicking something on a web page, causing a different operation than the one expected to be performed.
08-ch08.indd 336
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
337
PART II
• State management is generally performed through the use of cookies and session IDs. • Input validation involves screening all input to ensure it is in proper form and length before processing. • SQL injection is designed to attack the database associated with a web application. • Improper error and exception handling occurs when an error message provides too much information to the attacker, thus revealing vulnerabilities. • Privilege escalation seeks to elevate the privileges of the currently logged-on user to a higher level to increase control over the compromised system. • Improper storage of sensitive data occurs when data is not encrypted or password-protected in storage. • Fuzzing is a software testing methodology used to detect input validation errors. • Cookies provide client-managed storage in the form of text files that enable a web browser to locally store information from a web application. • Buffer overflows occur when the size of the data being read is larger than the destination buffer, which causes an overflow condition resulting in application failure. • Memory leaks result in the failure of an application to correctly manage memory, which can lead to a memory shortage. • Integer overflow errors occur when a number is too large to be stored in the variable. • Race conditions are software flaws that arise from different threads or processes having a dependence on an object or resource that affects another thread or process. • Resource exhaustion is a form of denial of service, where a required resource to perform some specific action is not available at the time of need. • Geotagging involves attaching geographical identification properties (location, coordinates, place names, and timestamps) to media such as photos, websites, videos, and so on. • Data remnants are any unwanted pieces of information that remain after a deletion operation. • Use of third-party libraries helps reduce development time and improves code quality and security. • Code reuse involves the authorized use of someone else’s proven code, or knowledge about code, to improve your software development efforts.
Application Sandboxing • Application sandboxing is a mechanism to constrain an application into a confined area during execution. • Limited access to the OS and persistent items, such as user files, permissions, and other resources, will limit the damage a malicious application can cause.
08-ch08.indd 337
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
338
• Although virtual machines are commonly used, recent advances in virtualization have introduced operating system virtualization—or containerization—into many OSs, including Windows 10 and Windows Server 2016.
Secure Encrypted Enclaves • With malware increasing in complexity, operating systems should operate under the assumption that they are already infected. • Secure enclaves use a separate coprocessor from the system’s main processor to prevent the main processor from having direct access to information stored in the secure encrypted enclave.
Database Activity Monitors • Database activity monitors independently monitor the transactions and other activity of database services. • Common uses of DAMs include monitoring applications and users for unauthorized or fraudulent activity such as SQL injection attacks.
Web Application Firewalls • WAFs are firewalls created for web applications to impart HTTP-specific rules to guard against a variety of attack vectors, including everything from cross-site scripting and session hijacking to SQL injection and file injection attacks. • Web applications are both easily accessible and stacked with valuable data; therefore, they routinely endure more attack vectors than most targets.
Client-Side Processing vs. Server-Side Processing • Client-side processing is very useful when it comes to user experience, because it is faster than a round trip to the server. • Server-side processing acts as the real input validation, preventing any input overflow or canonicalization errors. • JavaScript Object Notation (JSON) is a language-independent data format derived from JavaScript. It utilizes a simple text format for the storage and exchange of data between a browser and web applications. • Representational State Transfer (REST) is a framework that relies on various web protocols to define how clients and servers can exchange web resources with a high degree of interoperability. • Browser extensions, also known as add-ons or plug-ins, are tiny programs connected to a web browser to provide extra functionality. • ActiveX is a Microsoft software framework designed for Internet Explorer, built on object-oriented programming technologies, for the purpose of running dynamic media content.
08-ch08.indd 338
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
339
PART II
• Java applets are small platform-independent and Internet-based programs accessible within a web browser. • HTML5 is the fifth generation of the HTML markup language, which is used for describing the contents and appearance of web pages. HTML5 has been enhanced to support more multimedia capabilities, added mobile device support, plus many other features. • AJAX is an acronym for Asynchronous JavaScript and XML and is a common programming methodology used to improve the end-user experience in web applications. • SOAP is a specification for exchanging information associated with web services. • State can be managed in a variety of manners, but the two primary means are both via cookies, with the state being maintained either in the cookie or on the server via a lookup process. • JavaScript is a scripting language developed by Netscape and designed to be operated within a browser instance.
Operating System Vulnerabilities • Operating system vulnerabilities can include unnecessary services, lack of encryption, lack of hardening, open ports, and missing patches.
Firmware Vulnerabilities • Firmware vulnerabilities generally result in serious security issues. • Firmware updates generally don’t add new functionality or features; they often mitigate security issues.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Which of the following is not a web application security design consideration? A. Secure by design B. Secure by test C. Secure by deployment D. Secure by default
2. Input validation can be employed to guard against all of the following errors except which ones? (Check all that apply.) A. Buffer overflow B. TOCTOU race conditions
08-ch08.indd 339
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
340
C. Privilege escalation D. SQL injections
3. You are concerned about users of your web application being subjected to a clickjacking-type attack. What is the best defense you can offer? A. Use the SECURITY=RESTRICTED header. B. Use a cookie with an encrypted session ID. C. Use a JavaScript frame-busting script to prevent iframe incorporation. D. Use the X-FRAME-OPTIONS header.
4. Using hex encoding of Unicode input is associated with which of the following? A. SQL injection B. Directory traversal attack C. Cross-site scripting D. Canonicalization error
5. A cross-site scripting attack is characterized by which of the following? A. Application code that returns user input in HTML without validation checking B. A hidden layer to trick a user into clicking an undesired option C. The alteration of code used against a database D. Cookie stealing
6. To constrain an application to a confined area during execution is a reference to: A. Application quarantining B. Tests to detect memory leaks C. Input validation D. Sandboxing
7. You are the application designer for a new web application at work. Where is the preferred location to store the key used for encrypting data in the application? A. Store it in a config file, so it can be changed if needed. B. Put it in a database during the install and allow only the application to have
read access. C. Store it on the server, but force a new, fresh random key with each install for uniqueness. D. Store it on the server, protected from all but the application by ACL. 8. During application testing, fault injection can be used to search for which of the following? A. Off-by-one errors in loops B. Correct handling of specific errors
08-ch08.indd 340
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
341
C. Buffer-overflow errors D. Arithmetic errors
9. To ensure a fast and seamless user experience, AJAX is being used on the client side. With this configuration, where is the best location for input validation and why? A. On the server, because AJAX takes extra bandwidth for checks
customer experience C. On the server, because this prevents post-browser attack D. On the client, because AJAX blocks post-browser attacks 10. There has been a lot of talk recently concerning buffer overflows at your firm. Management has decreed zero tolerance for buffer overflows in all future code. Is this possible, and why or why not? A. Yes, it has been done; it just requires careful examination of all buffer inputs. B. Yes, there is a library call to fix it. C. No, this is one of the errors that is almost impossible to completely remove. D. No, legacy code makes this impossible. 11. You are testing an application for arithmetic errors. What is your best tool? A. Fault injection B. A fuzzing framework C. Code walkthroughs D. Use of specific library calls for math functions 12. You are receiving reports of a random locking up of your application that you cannot replicate. What is the most likely cause? A. Injection flaw B. Memory leak C. Buffer overflow D. Race condition 13. You have a corporate standard requirement that all in-house software must have a standard auto-update module that checks for and applies code updates automatically. This is an example of what? A. An application security framework B. Secure by deployment C. Secure by default D. Coding standards
08-ch08.indd 341
PART II
B. On the client, because AJAX can speed up the work, thus improving the
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
342
14. Your application is going to e-mail results to other users based on program logic. To perform this function, you incorporate a set of library calls to an e-mail program requiring administrative access permissions to perform the task. What type of attack should you be concerned with in employing this methodology? A. Impersonation attack B. Improper storage of sensitive data attack C. Fuzzing attack D. Privilege-escalation attack
15. Your newest application has been having a variety of issues with conflicts and bugs. Management has decided to sandbox the application. What are the important details that need to be known to correctly sandbox the application? A. Exact enumeration and details of system resources needed by the application B. The language the application is written in C. The default storage location of the executables and config data D. How big the memory footprint is
Answers 1. B. Testing cannot add security to an application; it can only catch where holes are. It is possible to miss holes with incomplete testing; hence, you can’t test security into software. 2. B, C. Input validation is of no use in detecting time-of-check/time-of-use race conditions, nor will it help detect cases of privilege escalation. 3. D. The X-FRAME-OPTIONS header with the DENY or SAMEORIGIN option is the best server-side defense against clickjacking-type attacks. 4. D. Canonicalization errors are those that exploit the process by which application programs manipulate strings to a base form, creating a foundational representation of the input, to avoid input validation detection of invalid input. 5. A. Cross-site scripting involves inserting scripts into user inputs to get them to run on a server to return altered HTML pages. 6. D. Application sandboxing is a mechanism to constrain an application into a confined area during execution. 7. C. All secrets need to be stored in a protected form on a server, away from unauthorized access. The addition of the random changing element prevents someone from learning the secret from another installation (such as a demo install) and using this knowledge to break a production installation. 8. B. Fault injection is used to test the correct handling of exceptions. 9. C. The only place input validation for security reasons can be properly done is on the server because the responses are editable via proxy machines between the client and the server.
08-ch08.indd 342
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8
Chapter 8: Software Vulnerabilities and Security Controls
343
10. A. Buffer overflows are completely preventable, and numerous software projects have shown this. The key is in using multiple methodologies to defend against this type of coding error, including walkthroughs, library call utilization, and fuzzing. 11. B. A fuzzing framework is the best tool for input validation errors, of which arithmetic errors are one example.
13. B. Having auto-update capability improves the security of the application because it is deployed in an enterprise; hence, secure by deployment is the best answer. 14. D. A failure that occurs during the escalated privilege function of the e-mail library could result in an exploitable privilege escalation against the application.
PART II
12. D. Race conditions are the types of errors hardest to replicate, and they leave no obvious signs, such as increased memory use.
15. A. To properly sandbox the application, one needs to know what interactions it must have with outside resources to function as built. These elements can then be used to determine safe access.
08-ch08.indd 343
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 8 Blind Folio: 344
This page intentionally left blank
08-ch08.indd 344
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9 Blind Folio: 345
PART III
Enterprise Security Operations Chapter 9 Chapter 10 Chapter 11
09-ch09.indd 345
Security Assessments Security Assessment Tools Incident Response and Recovery Procedures
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9 Blind Folio: 346
This page intentionally left blank
09-ch09.indd 346
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CHAPTER
Security Assessments
9
This chapter presents the following topics: • Security assessment methods • Security assessment types
The complexity of both defending and attacking information systems is often equally underestimated. If many movies are to be believed, the penetration of systems is as simple as opening up a series of command-line interfaces and typing at warp speed. In just a few seconds, the infamous green “Access Granted” message comes up and the hacker takes a bow. No reconnaissance, probing, or security assessments needed—just skip straight to the treasure chest. The irony facing the targets of hacking, and the malicious hackers themselves, is the prerequisite need for performing security assessments. Security practitioners must perform security assessments in order to discover and mitigate vulnerabilities—while hackers perform the same assessments in order to discover and attack vulnerabilities. Although movies tend to skip the assessment aspects for plotline acceleration, we cannot overstate the importance of performing security assessments on organizational systems—not to mention that many regulations also include requirements for organizations to perform security assessments. This chapter will focus on the scenarios and methods surrounding proper security assessments. The point of a security assessment is to ensure that proper safeguards and security controls are in place for organizational assets. Assessments ensure many things, including that systems are patched, applications are not vulnerable, and networks are locked down. Many different approaches and methods fall under that very broad umbrella of “security assessments.” Some methods are best at addressing broad concerns whereas others are very specific in nature.
Security Assessment Methods
Security assessments are broad in both scope and depth. There are many organizational assets to assess plus multiple methods of assessing those assets. We may be assessing data, applications, hosts, internal and perimeter network security, physical security, policies,
347
09-ch09.indd 347
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
348
procedures, training, and, of course, people. Such assessments can be performed on local or cloud-based assets, while being performed by local security experts or outsourced to a security consulting team. Various methods are discussed in this section, including malware sandboxing, memory dumping, runtime debugging, and more.
Malware Sandboxing Although there is some risk in deliberately grabbing a piece of malware, or what appears to be malware, and putting it “under the microscope,” malware sandboxing is a necessary requirement for rounding off your malware defenses. Despite our various antimalware tools being equipped with powerful signature and heuristic engines for malware remediation, these tools won’t find everything—not even close. NOTE In 2014, Symantec (the maker of Norton Antivirus) made the boldest of statements by telling the Wall Street Journal that antivirus is dead. Symantec backed this statement up by saying that typical antivirus tools detect only about 45 percent of all attacks.
Before you uninstall that antivirus software and flee to the hills in fear, be aware that the point of this admission was not to decry antivirus software but rather to raise awareness that today’s malware resistance requires more than just antivirus software. Malware sandboxing is a necessary complement to our antimalware portfolio, allowing us to isolate real or potential malicious code into a safe and restricted environment for analysis. If you consider that over 300 million new malware threats are created every year, a large chunk of them will not yet be discovered by the mainstream antimalware security vendors. Many of the organizations under our charge—the very targets of such malware— must put on the white coats and discover/mitigate some of the malware themselves. If successful, we may be able to prevent or minimize the damage done by zero-day malware threats (that is, pieces of malware that have yet to be discovered and mitigated by the responsible vendors). Without vendor remediation, we’re on our own. Organizations may choose to build their own internal malware sandboxing environment or use proven vendor products like Cuckoo Sandbox and Sophos Sandstorm. NOTE Refer to Chapter 13 for more information about cloud-based malware sandboxing solutions.
Memory Dumping Ever wonder what purpose was served by the notoriously vague “Blue Screen of Death” occasionally experienced on Windows machines during system crashes? Technically known as a “stop error,” this seemingly useless message often contains a subtle but important line on the bottom that reads “Beginning dump of physical memory.” This indicates that RAM contents are being downloaded to a memory dump file on the hard drive to permit offline crash analysis.
09-ch09.indd 348
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
349
So, what does this have to do with security assessments? Simply take that same concept of analyzing memory dumps, but look for other things—say, cryptographic keys, certificates, usernames, passwords, and hashes. Memory dumps are an example of a security assessment in that they help organizations proactively discover and mitigate memory and application vulnerabilities before they’re exploited by malicious hackers. NOTE A popular open source tool for memory dumping is DumpIt, which works together with the Volatility framework. This tool combination is supported on most versions of Windows, Linux, and macOS.
Runtime Debugging PART III
If runtime refers to the execution or running phase of an application, then runtime debugging refers to debugging the application during its runtime. Unlike memory dumping, which involves the analysis of software content after it has been dumped from memory to the hard drive, runtime debugging refers to analyzing code while it is actively running in memory. This provides live insight into possible inaccuracies of an application’s syntax while also revealing software vulnerabilities. Table 9-1 shows a comparison of different memory/runtime debugging tools.
Reconnaissance Most of the time, hackers have to “do their homework” before they can successfully gain access to a target system. Reconnaissance (sometimes known as footprinting) is the first stage of hacking, and it consumes roughly 90 percent of all the time spent on hacking—malicious and ethical varieties included. Reconnaissance is the methodical process of collecting as much information about a target as possible before attempting to hack them. Such data collection will help guide the direction of the hack, possibly reveal vulnerabilities, and determine which tools and techniques will be needed to successfully complete the hack. Most reconnaissance is passive in nature in that it is performed without direct interaction with the target. This involves gathering intel from various Internet sources, including the target’s website, vendors, competitors, and even job search sites. Active reconnaissance or footprinting requires the hacker to interact with the target through direct communication or visitation. This may be necessary for data collection that couldn’t be performed passively. Tool
OS
License
Languages
Deleaker
Windows
Commercial
C++, C#, and .NET
AddressSanitizer
Linux and macOS
Free and open source
C, C++
TotalView
Unix and macOS
Commercial
C, C++, FORTRAN
Mtrace
Linux
Free and open source
C, C++
Table 9-1 Memory/Runtime Debugging Tools
09-ch09.indd 349
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
350
Reconnaissance requires hackers to acquire a large amount of target information to successfully complete the hack. Part of the reason for this is to achieve the dual benefit of successful target penetration while remaining invisible. Unlike the morbidly named “suicide hackers,” who will sacrifice their anonymity for the furtherance of the hacking mission, most hackers don’t want to get caught. As a result, proper reconnaissance can take days, weeks, or even months to complete. NOTE Reconnaissance is one of the five stages of hacking, which are reconnaissance, scanning, gaining access, maintaining access, and clearing tracks.
Information about customers, employees, products, trade secrets, company plans, and so on, can be found from a variety of data sources. Here are some examples of the sources used in reconnaissance efforts:
• Search engines • Google hacking • Web services • Social networking sites • Website footprinting • E-mail footprinting • Competitive intelligence • Whois footprinting • DNS footprinting • Network footprinting • Social engineering
Fingerprinting The high-level information obtained from reconnaissance is important, but it’s only a starting point. Specific details about target systems are also needed to successfully gain access. Fingerprinting will help carry us over the finish line through interactive scanning of networks and devices in order to learn important details like pingable systems, open ports, running services, banner grabbing, operating systems, network shares, accounts, and much more. Without those details in hand, we cannot know which exact vulnerabilities exist for exploitation. Consider Nmap, which is a port-scanning tool that works for TCP and UDP services. It can test for ICMP acceptance, identify services running on discovered ports, and even produce an educated guess as to the application and operating system being examined. Quickly producing an accurate fingerprint is very important to a potential attacker.
09-ch09.indd 350
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
351
If an attacker is looking for vulnerable Linux systems, they don’t want to waste time attempting to exploit Windows or Solaris systems. If an attacker is looking for web servers running IIS 6 or later, then Apache-based web servers are not interesting at the moment. From a security officer perspective, fingerprinting tools can be a great way to “see” what’s on your network. Scanning your own network will help you identify systems running unnecessary services, systems that do not appear on current inventories (and should not be connected to the network), and so on. The following are examples of some tools you’ll rely on during your fingerprinting exercises in the field:
PART III
• Ping sweepers Angry IP Scanner, Nmap, NetScanTools Pro • Open ports Nmap, NetScanTools Pro, Hping, SuperScan • Running services Nmap, NetScanTools Pro • Banner grabbing Netcraft, ID Serve, Netcat, Telnet, NetScanTools Pro • Operating systems Nmap, NetScanTools Pro • Network shares SuperScan, NetScanTools Pro • User accounts SuperScan, NetScanTools Pro • Mobile fingerprinters Fing, IP Scanner
Code Review Code review is essentially proofreading of source code. Code reviews are intended to find programming errors and poor coding practices that can lead to vulnerabilities such as buffer overflows, memory leaks, unhandled exceptions, and so on. Code reviews can be done in various ways, ranging from the informal (one programmer looks over the shoulder of a fellow developer) to the extremely formal (such as a team walkthrough of an entire code base). Code reviews can be performed manually, but tools exist that provide automated code review capabilities. These automated review tools can be used to scan large codebases and identify potential issues or areas where issues may exist. Developers can then focus in on those areas without having to scan the entire codebase manually. Automated scanning followed by manual review is a widely accepted common practice that provides good coverage for far less “cost” than a manual review of the entire codebase. The key benefit to code reviews is to find and address bugs and vulnerabilities as soon as possible—preferably before the software even enters formal testing. The earlier in the development process a bug can be caught and addressed, the cheaper is it to fix. Consider Microsoft Word—if a bug is caught in development, it is far, far cheaper to correct it there than it is to correct the bug in a released product. Addressing the bug in development may involve a few developers and a few lines of code with comments. Addressing that same bug in a released product involves code revisions, configuration management, regression testing, patch development, patch note development, and so on. As you can see, the sheer amount of effort required to address bugs post-production encourages many organizations to perform code reviews early and often during the development cycle.
09-ch09.indd 351
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
352
Social Engineering Social engineering is a broad term that describes “human hacking”—or what is sometimes called “no-tech hacking.” Social engineering techniques focus on manipulating or compromising people into revealing confidential information. The attacker seeks to convince people to circumvent or ignore existing security protocols, reveal sensitive data, grant access where none should be given, and so on. For example, someone attempting to access a particular organization’s infrastructure may call the organization’s help desk and impersonate an actual user in an attempt to get the user’s password reset to something the attacker will know. EXAM TIP Social engineering is a technique that targets people, not technology. Strong security can be circumvented by tricking a user into revealing their password or clicking a link.
Social engineering does not always have to involve direct contact or direct interaction. Social engineering can be performed via e-mail—ever gotten an e-mail informing you that your bank account or e-mail account has been compromised and you must log in right away and verify all your credentials? Phishing is social engineering via e-mail. The goal of phishing is to trick the user into either giving away information they shouldn’t (such as login credentials and bank account numbers), clicking links, or running software they shouldn’t. You may also have seen “scareware” ads that pop up, informing you that your system is infected and you need to install and run a specific software package that will “clean up and protect” your system. Social engineering is a technique that is typically negotiated for use in a vulnerability or penetration test. Many penetration testers make heavy use of social engineering techniques because bypassing the human component of a security system is easier than bypassing the technology. Imagine how many of your users would give their login and password to someone from the “help desk” or “IT” when asked? It only takes a single person to make a bad decision and allow an attacker to bypass tens of thousands of dollars in security technology. CAUTION Although social engineering is often successful in the real world, extreme care must be observed during penetration tests. Victims of authorized social engineering may be unaware of the penetration test and therefore may feel exploited and harassed by both the penetration tester and their respective employer. Obviously, this could lead to legal issues. As a result, penetration testers may want to play it safe with their social engineering techniques.
Human-Based Social Engineering
Human-based social engineering is a form of social engineering that requires more direct interaction with people. This section describes the various human-based social engineering techniques utilized by attackers.
09-ch09.indd 352
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
353
Dumpster Diving Dumpster diving involves attackers digging through a victim’s trash to obtain confidential information. Valuable information can be found from discarded bills or other financial documents, calendars, organizational charts, printed e-mails, flash media, diagrams, contacts, and more. NOTE Attackers don’t limit their pilferage to just trash. They’ll also search through printer bins, recycling bins, or even the paperwork left on desks (or under keyboards) for information.
Eavesdropping Eavesdropping involves the unauthorized interception of communications between other parties. The intercepted materials can be in written, auditory, or video form, and obtained over the phone, through e-mail, instant messaging, SMS, or in person. Eavesdropping mitigations include strong physical security controls, encrypted communication lines, paper shredding, and regular security awareness training.
PART III
Countermeasures include implementing a clean desk policy to ensure all confidential data materials are removed from the desks and are locked inside of them. Plus, adequate paper-shredding practices should be implemented through cross-cutting or preferably micro-cutting paper shredders.
Impersonation Impersonation is the practice of pretending to be someone else. This is the oldest, most common, and most powerful form of social engineering because it quickly establishes trust between attacker and target. Trust is the key to convincing people to willingly provide attackers with confidential information. Typically, the attacker will impersonate a legitimate individual such as a family member, friend, colleague, end user, important user, help desk, management, or even a celebrity. The best countermeasure for impersonation is security awareness training because it’ll help victims spot and deflect impersonation attempts. Piggybacking Piggybacking takes place when unauthorized individuals trick an authorized individual into allowing them access into a restricted area. This is necessary due to the unauthorized user having no other means of traversing such checkpoints on their own. Piggybacking generally involves the consent of the authorized individual to permit access into the area due to the bogus excuse of a forgotten ID badge. Strong physical security controls like security guards, ID badges, and mantrap doors can reduce piggybacking attacks. Tailgating To the untrained eye, tailgating and piggybacking are the same thing. The key difference being piggybacking occurs with the victim’s consent, whereas tailgating does not. The attacker may pull this off by wearing a fake badge so that nobody pays any mind to the apparent stranger. NOTE Remember, piggybacking and tailgating differ only in consent versus nonconsent. In both instances, attackers follow victims into the restricted area.
09-ch09.indd 353
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
354
Reverse Social Engineering Most social engineering attacks follow the same pattern— the attacker initiates contact with a victim to extract confidential information. Although “going first” provides the attacker with some advantages, the boldness of it might tip off the victim. As a workaround, a more covert baiting technique can be employed. Reverse social engineering occurs when attackers trick victims into initiating contact with the attackers. The victim is less likely to suspect a scam because they initiated the dialogue. To pull this off, the attacker creates a situation in which the victim is likely to contact the attacker for help. For example, the attacker may put a business card on the victim’s keyboard offering computer repair services. The attacker then breaks the victim’s computer in some way so that the victim will call the phone number requesting assistance with the computer. The subtle nature of this ploy accelerates the victim’s trust with the attacker. Physical security and security awareness training are important to offset this threat. Shoulder Surfing Shoulder surfing is the act of observing someone inputting their credentials into a system. The attacker’s goal is to learn all—or a portion of—the input provided by victims in order to illegally access their account. Even if just a few characters of the password are known, the attacker could plug the known portion into a password cracker to potentially solve the remainder. This is known as a rule-based password attack. Camera-equipped smartphones can zoom in and take pictures or videos of passwords and PIN numbers as they’re being typed. Skimmers are also frequently used to capture inputted credentials at gas stations, banks, and wherever else credit card/debit transactions are performed. Users need to be aware of their surroundings during login scenarios. To mitigate shoulder surfing, users can use privacy screens, keystroke interference software, and keyboard privacy shields that impair the visibility of the keys. They should also cover PIN number keypads as they’re typing. Switching to biometrics or token-based authentication can also minimize the shoulder surfing threat. Vishing Often referred to as the voice equivalent of phishing, vishing is the process of calling people on the phone while pretending to be a trusted entity such as a friend, colleague, family member, customer service, and so on. Like with phishing, the attacker’s goal is to extract confidential information from the victim. Since victims have become fairly keen on e-mail-based phishing techniques, attackers are increasingly reliant on the more personal touch provided by a friendly and professional voice on the phone. This leads to more trust by the victim. Countermeasures include the following:
• Using caller ID • Using screening services • Letting phone calls go to voice mail • Sharing your phone number with a limited amount of people • Limiting the information you provide over the phone
09-ch09.indd 354
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
355
NOTE Vishing only differs from phishing in that vishing uses voice tools like telephones.
Computer-Based Social Engineering
Computer-based social engineering involves attackers socially engineering their targets through computers. This provides a few benefits including the ability to reach the target from afar, while also improving the attacker’s ability to shield their own identity. The following section goes over several examples of computer-based social engineering tactics. PART III
Phishing Phishing is social engineering via e-mail and one of the original Internet attack vectors. Typically, the goal of phishing is to use e-mail to trick victims into revealing confidential account and financial information through malicious links, filling out website forms, or running software they shouldn’t. The e-mail may suggest that the user’s eBay account has been suspended due to inactivity, malicious activity, or access by an unauthorized device. Then to re-enable the account, the user is advised to click a friendly looking link labeled www.ebay.com, visit a mirrored site that looks like eBay, and then fill out a form chock-full of sensitive information questions. Phishing can be broken down into multiple varieties, including the following:
• Spear phishing Attackers target a specific individual as opposed to the random individuals targeted by regular phishing. • Whaling Attackers target important individuals such as executives, politicians, or celebrities. • Pharming Attackers use phishing e-mails to redirect victims to hacker websites. CAUTION Since executives are frequent targets of whaling, be sure to provide them with extra security protections and education to offset the increased risk to them.
Using anti-phishing tools like Netcraft, Microsoft SmartScreen filter, and PhishTank is a strong defense. In addition, awareness of the following phishing signs is also advised:
• Sender’s e-mail address is in your address book. • Sender’s e-mail address appears auto-generated. • Sender’s domain name doesn’t match the stated organization. • Request is urgent. • Poor grammar. • Attachments. • Hyperlinks.
09-ch09.indd 355
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
356
Spam Spam is an electronic form of unsolicited message that arrives through e-mail. Over 90 percent of the world’s e-mails sent every day is spam. Spam exists to advertise products or make unsubstantiated claims, while preying on the gullibility of inexperienced computer users. Although some spam is harmless, other spam messages may contain malicious HTML code, attachments, links, and malware. Even though most people can spot spam a mile away, it is so easily and cheaply generated that spammers can turn a profit on just a minority of victims. You can expect this to continue indefinitely. Spam countermeasures include user awareness training, anti-spam filters, using e-mail addresses that are difficult to guess by spam generators, and keeping your e-mail address private. TIP Most spam messages provide a false link at the message bottom to “unsubscribe” from the spam. Use this against the spammer by creating a spam filter that blocks out all e-mails containing “unsubscribe.” This will block most spam messages, although it may also block legitimate e-mails that provide you with unsubscribe features. To prevent legitimate e-mails containing “unsubscribe” from being blocked, be sure to exclude them from your blacklist.
Pop-Ups Pop-ups are website windows that suddenly “pop up” to offer the user a prize or request log in to a website. Although these are often harmless, they may be a sign of adware, spyware, or malicious code on the website. As a result, these should be blocked by a pop-up blocker, or avoided altogether. Hoax Letters Hoax letters are e-mails that may falsely claim that a particular piece of malware is in circulation and therefore some kind of action must be taken. The trouble with this is not the false advertisement but rather the cure—“download this particular antivirus software to protect yourself from the malware.” Training users on the signs of hoax e-mails, blocking them, and disregarding them are usually suitable mitigations. You can also look up the hoax e-mails on the Internet to see if they have been verified as false. Chain Letters Unlike hoax letters, chain letters generally aren’t preaching doom and gloom—rather they make requests about forwarding the message to a certain number of users so that donations are made or awareness is raised regarding a supposed cause. Even though most of these chain letters are based on false pretenses, they create more of a privacy, distraction, or inbox space issue than being outright dangerous. The same defensive approach we take with hoax letters will apply here as well. Spim Spim is a spinoff of spam that sends unsolicited messages through instant messenger clients as opposed to e-mail. Although automated, these messages often appear human-generated to improve their credibility. Typically, the messages will start off with a story such as being new in town looking to network, or advertise adult materials or other products. The goal is to acquire confidential information, spread malware, or take over the victim’s machine—just like with spam or phishing attacks. Security training will educate users on how to spot, block, or disregard spim messages.
09-ch09.indd 356
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
357
CAUTION It is easy to get confused by spim versus smishing. Spim sends out unsolicited instant messages, whereas smishing sends out unsolicited SMS messages.
Mobile-Based Social Engineering
Malicious Mobile Apps With millions of apps on the Google and Apple app stores, it’s inevitable that some apps exist for the sole purpose of infecting users with malware while harvesting their credentials. To the outsider, the app appears like any other. It’ll be usable, well-reviewed, supported, and probably even enjoyable. Limiting or preventing app downloads as well as carefully choosing apps from trusted sources with verifiable code signatures are the best mitigations to deal with this threat.
PART III
Given the billions of mobile devices permeating the globe, it only makes sense for attackers to add mobile-based social engineering tactics to their repertoire. With people relying on their smartphones and tablets to download applications from app stores—while also spending many hours each week interacting with family members, friends, and colleagues through social media applications—hackers are using these tools to launch social engineering attacks against the mobile device owners. This section will cover the different mobile-based social engineering techniques employed by hackers.
Repackaged Mobile Apps Some attackers will repackage legitimate apps with malware and then upload them again to the app stores in order to attract downloads and spread malware. If you ever do an app search and notice multiple versions of the same exact app, beware. The countermeasures to this are similar to those made earlier regarding malicious mobile apps. Smishing Smishing is similar to phishing and spimming; however, it involves sending unsolicited SMS messages to targets. Attackers are increasingly relying on this tactic since most people are more responsive to SMS messages than e-mails and voice mails. Its goals are similar to that of other phishing-related attacks; therefore, user awareness training requirements should be observed.
Pivoting Pivoting is the process of compromising a host in order to use that host to compromise other hosts on the network. This is necessary because the other hosts are likely inaccessible until the first host is compromised. The first host is essentially a base that the hacker sets up shop on in order to traverse the network from an inside trusted position. Although Metasploit is the most well-known tool for pivoting attacks, Netcat (Ncat), proxy servers, SSH port forwarding, Burp Suite, and even various backdoor Trojan horses can pull this off. NOTE Pivoting is sometimes referred to as daisy-chaining or transitive attacks.
09-ch09.indd 357
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
358
Mitigations to pivoting include configuring firewall rules, IDS/IPS rules, patching, implementing the principle of least privilege, limiting account rights, and locking down ports.
Open Source Intelligence Open source intelligence (OSINT) refers to the collection of valuable information from public sources. As described earlier in the reconnaissance section, attackers and penetration testers will typically “case the establishment” by frequenting various Internet and non-Internet sources for information about targets. The following sections cover a few different open source intelligence locations.
Social Media
Opinions about social media typically range from it being a great tool for networking, customer engagement, promoting products, and recruitment, to it being a time-wasting distraction with a plethora of privacy issues. To the more trained eye, social media can be very dangerous to businesses and individuals. Several years ago, the U.S. government issued a warning about the severe risks that social media presents at the government and organizational levels, and the need for a collective response to the challenges. Some of these challenges include:
• Lack of social media policies Without a social media policy, organizations have little to no enforcement over how their staff members use social media products like Facebook, Twitter, LinkedIn, Snapchat, Instagram, and YouTube. Not to mention, users are less likely to understand proper usage of social media with respect to their employer—which puts the organization at greater risk. Social media policies not only provide for these directives but they also may include best practices and guidance. • Mobile apps (privacy) Ever wonder why there isn’t much privacy in social media? Because social media and privacy literally have opposite meanings. Social media is about sharing information, whereas privacy is about not sharing information. In a strong sense, there is no such thing as social media privacy. More importantly, social media mobile apps typically collect an egregious amount of user information, including texts, call logs, camera access, microphone access, contacts, location, photos, and more. • Data leakage Social media is all about publishing and consuming content in a social setting. People often lose their inhibitions in cyberspace; therefore, they may feel free to share information more aggressively—possibly confidential business information—with friends, family, colleagues (and strangers). The trouble arises when information reaches the wrong people due to the transitive nature of information flow on social media platforms (as in points A and C connect through B). Not to mention, not all “friends” on social media platforms are who they claim to be. Whatever the cause, when information gets into the wrong hands, it has “leaked.”
09-ch09.indd 358
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
359
PART III
• Profile squatting/evil twin attacks Profile squatting or evil twin attacks occur when attackers create a fake social media profile that impersonates another individual. It is effortless to create a profile with a real person’s name, upload that individual’s picture into the profile, and populate the profile with that individual’s information. This allows attackers to befriend family members, colleagues, and friends in order to acquire confidential information from them— or worse. • Malware Social media platforms are rife with pictures, links, friend requests, and—we’ve saved the best for last—irresistible video content. Ever wonder where the videos come from? Or why there are so many videos of the hilarious or shocking variety circulating the feeds? Some of it is used to infect people with malware. One of the easiest ways to give people malware is by first giving them what they want. Videos, pictures, and links can contain malicious software, or redirect you to a place that contains the malware. • Social engineering As described previously with evil twin and malware attacks, social engineering is incredibly easy to perform on social media due to the simplicity of impersonating others and sharing irresistible content. • Lack of privacy In addition to the preceding comments on mobile apps, social media platforms have a combination of complex and frequently changing privacy controls. Social media companies aren’t going to make as much money if they make it easy for customers to disable all data collection and ad placements. The complexity and changing of privacy controls are vital to the social media company’s survival.
Whois
Whois is a global database of registered domain names and all related registration and ownership details of those domains. This information includes the following:
• Domain details • Domain registration and expiration dates • DNS servers • Network ID range • Registrant contact name, e-mail, phone number, address • Administrative contact name, e-mail, phone number, address • Technical contact name, e-mail, phone number, address • DNSSEC signature status • Autonomous system (AS) router information NOTE Whois used to be built into the Windows command line many years ago but has since been utilized primarily by web-based tools.
09-ch09.indd 359
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
360
When website owners register a domain name such as www.microsoft.com, by default the information will be published online in a public database made available by several regional Internet registries (RIR), including the following:
• American Registry for Internet Numbers (ARIN) Covers the U.S., Canada, parts of the Caribbean region, and Antarctica • African Network Information Center (AFRINIC) Covers Africa • Asia-Pacific Network Information Centre (APNIC) Covers Asia, Australia, New Zealand, and other adjacent countries • Latin America and Caribbean Network Information Centre (LACNIC) Covers Latin America and other parts of the Caribbean • Réseaux IP Européens Network Coordination Centre (RIPE NCC) Covers Europe, Russia, West Asia, and Central Asia The earlier section on reconnaissance described how hackers, pen testers, and security consultants will use a variety of Internet sources to profile an organization for information and vulnerabilities. Whois is one of the first consulted resources due to the value and accessibility of its information. Administrative and technical contact details like names, e-mail addresses, phone numbers, and addresses can provide footprinters with social engineering opportunities. Plus, the registered IP address range provides pingable and port-scanning targets for vulnerability assessments. SmartWhois is a popular downloadable Whois tool that aggregates all Whois information for a particular domain. Also consider web-based tools like whois.icann.org and ww.whois.net. Arguments exist for the preservation of a public Whois database, although some suggest it should be improved or eradicated entirely. Those in favor of it point to the benefits to law enforcement, who need domain contact details to conduct Internet crime investigations. Others believe going public with information helps legitimize an organization. Yet, others suggest that the public information gives spammers and other social engineers a buffet of information from which to exploit organizations.
Routing Tables
Before we get into routing tables, we’ll provide a quick primer on routers. Routers are critical infrastructure devices that forward information from one network to another. This common process of connecting networks to networks is known as internetworking— which is where the “Internet” term originated. TIP From an OSI perspective, routers operate at Layer 3 (Network layer), which is responsible for logical addressing and path determination processes.
Since most source and destination systems are not located on the same network, routers are used to bridge the gap. Granted, a Layer 3 Ethernet switch can perform basic routing functions, but it is not a complete substitute for a router. Whether you’re traveling to work or routing traffic across an internetwork, many paths to the destination can exist. It’s the job of routers to know which network destinations
09-ch09.indd 360
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
361
exist, which routing paths (routes) exist to the destinations, and which routes are the best choice at any given moment. Routers make decisions based on the information stored in a routing table. Routing tables store a combination of destinations and the routes to those destinations for a given router. Routing tables are built and managed by two different methods:
PART III
• Static routing This occurs when a person manually programs the routes and destinations into a routing table. Its advantages include increased control over traffic, security improvements, and reduction of traffic. The disadvantages include increased workload on administrators and the increased time it takes for a network to adapt to a downed router. We generally use static routing for smaller internetworks. • Dynamic routing This involves routers using dynamic routing protocols to automatically broadcast routing table updates to other routers. The automation of this reduces an administrator’s workload, while also improving reaction times for downed routers. The downside is it decreases security (due to hackers potentially hijacking the routing table updates) and increases traffic loads. We generally use dynamic routing for larger internetworks. EXAM TIP Know the differences between static routing and dynamic routing.
Several protocols are used to communicate routing table updates between routers:
• Routing Information Protocol (RIP) • Open Shortest Path First (OSPF) • Border Gateway Protocol (BGP) • Exterior Gateway Protocol (EGP) • Interior Gateway Routing Protocol (IGRP) • Enhanced Interior Gateway Routing Protocol (EIGRP) • Intermediate System–to–Intermediate System (IS-IS) Although dynamic routing protocols make life easier for administrators, their chatty nature exposes the organization to some risk. Hackers may be looking to intercept routing table update traffic—or inject malicious update traffic of their own—to compromise other routing tables and redirect traffic to a destination of the hacker’s choosing. To mitigate these risks, routers can employ authentication methods to ensure communications come from trusted routers, and that the information itself maintains integrity. Although plaintext authentication results in passing credentials between routers, this can easily be intercepted by any packet sniffer. A better choice is to use MD5 authentication or key chains because these will ensure passwords don’t traverse the network in cleartext.
09-ch09.indd 361
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
362
DNS Records
DNS records are vital to the functionality of a network. They provide important system identifiers to help clients translate system hostnames to IP addresses, reverse IP addresses to hostnames, and to help clients locate servers that provide special services. Not surprisingly, malicious and ethical hackers will attempt to harvest DNS records early on in their vulnerability assessments in order to progress to the more important later stages of vulnerability assessments. Several types of DNS records are important to understand. Table 9-2 shows the most common DNS record types. NOTE If possible, acquiring the HINFO record is a big score for a hacker, given the fingerprinting details it provides.
Since DNS records are stored in zone files located on DNS servers, hackers and pen testers will use a variety of DNS footprinting and enumeration techniques to acquire them. Based on the security posture of the DNS servers, we may be able to acquire a lot of records or—more likely—very few. Learning IP addresses and hostnames can be achieved in a few different ways. Assuming we learned the target’s IP address range from a Whois lookup, we may be able to use a ping sweeping tool like Angry IP Scanner to not only determine live pingable systems but to also perform DNS reverse lookups on the IP addresses. As stated previously, reverse lookups resolve IP addresses to names. Another option is to use Nmap to perform a list scan, which, like Angry IP Scanner, will perform a DNS reverse lookup on a range of hosts. The biggest challenge is performing these scans without being detected by the IDS/IPS appliances on the network. A third and less likely option is to request a DNS zone transfer of all DNS records from the target’s DNS server. Keep in mind that any administrator worth their salt will configure DNS servers to only allow DNS zone transfers to other trusted DNS servers. Record Type
Purpose
SOA (Start of Authority)
Specifies authoritative information about DNS zone
NS (Name Server)
Specifies DNS servers authoritative for the zone
A (Answer)
Provides a hostname-to-IPv4-address mapping
AAAA (Answer)
Provides a hostname-to-IPv6-address mapping
PTR (Pointer)
Provides an IP address-to-hostname mapping
MX (Mail Exchange)
Specifies a mail-server-to-domain mapping
CNAME (Canonical Name)
Specifies an alias-to-actual-hostname mapping
SRV (Service)
Identifies which servers provide key services, such as domain controllers, KMS servers, and so on
TXT (Text)
Generic text that may be used to identify domain ownership
HINFO (Host Info)
Specifies a system’s CPU and type of operating system
Table 9-2 DNS Record Types
09-ch09.indd 362
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
363
In other words, such a zone transfer should fail for us. Although it’s unlikely to work, it’s still worth trying. A popular tool for performing zone transfers is nslookup. A sample nslookup process is shown next: 1. Type nslookup at the Windows command prompt. 2. Type server dns1.example.com to connect to an example.com DNS server. 3. Type set type=any to indicate that you are interested in all available records. 4. Type ls -d example.com to attempt to transfer all available records from the example.com zone.
Search Engines
Although it may seem a bit cliché, using a search engine like Google, Bing, Yahoo, Ask. com, and even DuckDuckGo is a great way to extract information about a target. Organizations are often unaware of the valuable information that exists about them on the Internet, including technology platforms, organizational details, employee details, external and internal login portals, error messages, and even the occasional password file. Although most search engines have advanced search operators to help filter search results based on keywords in website titles, addresses, domain names, file types, and more, Google is unquestionably the best search engine to use. Google’s advanced operators are so richly designed that entire books, and web pages, are dedicated to the art and science of “Google hacking,” which is used to create the most advanced search queries possible on the Internet. These queries will help you find virtually anything about a target that is published online. Table 9-3 provides several Google hacking examples. Operator
Purpose
Allintitle:
Filters results to those websites with all of the search keywords in the title
Intitle:
Filters results to pages containing the search keyword in the title
Allinurl:
Filters results to those with all of the search keywords in the URL
Inurl:
Filters results to pages containing the search keyword in the URL
Cache:
Shows the web pages stored in the Google cache
Link:
Shows web pages that have links to the specified web page
Related:
Shows web pages that are related to a specified web page
Info:
Shows some information that Google has about a specified web page
Site:
Filters results to those websites in the specified domain
Location:
Shows information for a specific location
PART III
Another option for enumerating the DNS records located in zone files is to use a webbased DNS lookup tool such as DNSstuff.com or the tools from www.ultratools.com. Web-based tools are often easier to use for organizing the information better.
Table 9-3 Google Hacking Techniques
09-ch09.indd 363
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
364
Additional search engines like Shodan and Censys are helpful for vulnerability scans in that they target devices like servers, routers, IoT devices, and so on. CAUTION Google sometimes sends CAPTCHAs in your direction after you run a few Google hacking commands. These are designed to make sure you are a human and not a bot running the commands.
Security Assessment Types
This chapter is about methods of security assessments and types of security assessments. What’s the difference? In the context of this book, think of it as “what” versus “when.” Hitting a homerun is what we did; while playing baseball is when we did it. Methods describe the actual technical procedures demonstrated in the security assessment, whereas types describe the scenario in which the methods were employed. If memory dumping is what we did, a penetration test represents when we did the memory dump. The upcoming sections discuss various types of security assessments.
Penetration Testing A penetration test (or pen test) simulates an attack from a malicious outsider—probing your network and systems for a way in (often any way in). Pen tests are often the most aggressive form of security testing and can take on many forms, depending on what is considered “in” or “out” of scope. For example, some pen tests simply seek to find a way into the network—any way in. This can range from an attack across network links, to having a tester physically break in to the building, to social engineering and anything in between. Other pen tests are limited—only attacks across network links are allowed, with no physical attacks. Regardless of the scope and allowed methods, the goal of a penetration test is the same—to determine if an attacker can bypass your security and access your systems. Unlike a vulnerability assessment, which typically just catalogs vulnerabilities, a penetration test will attempt to exploit vulnerabilities to see how much access that vulnerability allows. Penetration tests are very useful in that they can do the following:
• Show relationships between a series of “low-risk” items that can be sequentially exploited to gain access (making them a “high-risk” item in the aggregate). • Be used to test the training of employees, the effectiveness of your security measures, and the ability of your staff to detect and respond to potential attackers. • Often identify and test vulnerabilities that are difficult or even impossible to detect with traditional scanning tools. Well-known security testing methodologies exist from various organizations to help standardize our approach to penetration testing or vulnerability assessments. Take a look at the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), the Information Systems Security Assessment Framework (ISSAF), and EC-Council’s Licensed Penetration Tester (LPT) methodology for process guidance.
09-ch09.indd 364
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
365
Black Box Testing
PART III
Black box testing is a software-testing technique that basically consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Black box techniques test the functionality of the software, usually from an external or user perspective. Testers using black box techniques typically have no knowledge of the internal workings of the software they are testing. They treat the entire software package as a “black box”—they enter input and look at the output. They have no visibility into how the data is processed inside the application, only the output that comes back to them. Tests cases for black box testing are typically constructed around intended functionality (what the software is supposed to do) and focus on providing both valid and invalid inputs. Black box software testing techniques are very useful for examining any web-based application. Web-based applications are typically subjected to a barrage of valid/invalid/ malformed/malicious input from the moment they are exposed to public traffic. By performing black box testing before an application is released, developers can hopefully find and correct errors in the development or testing stages. Black box testing can also be applied to networks or systems. Pen tests and vulnerability assessments are often performed from a purely external perspective, where the testers have no inside knowledge of the network or systems they are examining.
White Box Testing
White box testing is almost the polar opposite of black box testing. Sometimes called “clear box testing,” white box techniques test the internal structures and processing within an application for bugs, vulnerabilities, and so on. A white box tester will have detailed knowledge of the application they are examining—they’ll develop test cases designed to exercise each path, decision tree, input field, and processing routine of the application. White box testing is often used to test paths within an application (if X, then go do this; if Y, then go do that), data flows, decision trees, and so on. Sometimes the term white box testing is applied to network assessments where the tester will have detailed knowledge of the network, including but not limited to IP addresses, network routes, and valid user credentials. In those cases, the tester is typically referred to as a “white hat.” EXAM TIP The key difference between black box and white box testing is the perspective and knowledge. Black box testing has no knowledge of the inner workings and tests from an external perspective. White box testing has detailed knowledge of the inner workings and tests from an internal perspective.
Gray Box Testing
In a gray box test, the testers will typically have some knowledge of the software, network, or systems they are testing. Gray box testing can be very efficient and effective because testers can often quickly eliminate entire testing paths, test cases, and toolsets because they have some inside knowledge and can rule out things that simply won’t work and are not worth trying.
09-ch09.indd 365
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
366
Vulnerability Assessment Vulnerability assessments are a series of tests and scans performed on organizational resources to discover vulnerabilities. A vulnerability assessment is designed to answer the following questions: Do we have issues? How many? How bad are they? A wellperformed vulnerability assessment should identify and evaluate the vulnerabilities in the system, network, application, or process being examined. EXAM TIP Although vulnerability assessments and penetration tests sound similar, they are not the same thing. Penetration testing seeks to exploit vulnerabilities, whereas vulnerability assessments simply discover them.
Although many people think “network” or “application” when the term vulnerability assessment is mentioned, in reality vulnerability assessments can and are performed on anything from public water supplies, to transportation systems, to production processes. Although there are many different kinds of vulnerability assessments, shown next are some processes common to a vulnerability assessment:
• Defining and classifying the network, system(s), or processes What will be examined, what value does it have, and what capabilities does it have? • Valuation How important is this system as compared to that system? How important is something to the organization? And so on. • Threat identification What are the potential threats, how bad are they, and how serious would it be if someone were able to exploit those vulnerabilities? • Mitigation strategies How does one reduce the risk from the discovered vulnerabilities and how can the network/system/process be better protected? A vulnerability assessment is good for evaluating the security posture of your network, critical systems, and so on. Being able to identify the threats and quantify their impact can help determine what mitigation/protection strategies to pursue. Vulnerability assessments can help determine where to spend security budgets, where to devote manpower, and can even be used to help obtain additional resources. Often the first step in securing your network or systems is finding out how badly it is broken.
Self-Assessment Although it’s important for organizations to have third parties conduct the vulnerability assessments to prevent bias, there’s no law that says organizations cannot “also” perform vulnerability or penetration assessments on themselves. In fact, once a penetration tester completes their pen test, they will often advise the client to perform security assessments on themselves as a form of risk mitigation.
09-ch09.indd 366
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
367
Tabletop Exercises
Part of any self-assessment is the initial tabletop exercise, which brings together securityminded people and other stakeholders to the table to discuss their roles and ideas for a particular situation such as a security assessment. They may go over things like preferred tools, techniques, targets, and the time and place of assessments. NOTE Tabletop exercises are merely a meeting of the minds. No actual assessments or attacks are conducted at this point.
Internal and External Audits PART III
Vulnerability assessments and penetration tests focus on the negatives in that they either look for vulnerabilities or look for ways to exploit vulnerabilities. Security audits focus more on the positives in that they are looking to measure the efficacy of security controls for systems, facilities, personnel and processes. In other words, are the security controls for these assets compliant with a formal set of requirements set forth by a standard such as SAS 70 (replaced with SSAE), PCI DSS, GLBA, ISO 27000 series, or FISMA? Security audits tend to look for the following:
• Policy weaknesses • Physical security gaps • Disaster recovery plans • Business continuity plans • Access control mechanisms As with other security assessment methods, a combination of external audits to eliminate bias—and internal audits to ensure the audit complies with internal security policy requirements—will provide organizations with a strong and balanced approach to determining the strength of their security controls.
Color-Team Exercises Color-team exercises turn security assessments into the most effective demonstration of an organization’s security strengths and weaknesses—an actual competition or game between the “good guys” and the “bad guys.” The offensive bad guys simulate attacks against the network, whereas the defensive good guys respond to the attack with analysis while measuring the efficacy of security controls. To be clear, all participants are hired security professionals working toward a common goal. The differences are denoted by the roles of these separate teams, as detailed in the next section.
09-ch09.indd 367
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
368
Red Team
The red team is made up of offensive penetration testers or security experts who are tasked with simulating attacks against organizational systems. Footprinting the target as well as scanning and gaining access to systems are all fair game. They depict black hat hackers by starting off with little to no knowledge about the target—nor are they given much access. They have to start from scratch, which is akin to black box testing.
Blue Team
The blue team is made up of defensive penetration testers or security experts who respond to the red team’s attacks. Their job is to anticipate and observe red team attacks, measure the effect the attacks have on the systems, and determine any gaps in security controls that were exploited by the red team. They will look at logs, reports, packet-sniffing captures, and, if available, powerful security information event management (SIEM) tools that can correlate security events from various angles.
White Team
Think of the white team as the referees, because this team’s job is to oversee the red team’s attacks and blue team’s defensive methods, successes, and failures. They make sure that both sides are following the rules.
Chapter Review
This chapter is the first of two chapters that address enterprise security operations in the context of conducting security assessments using the appropriate methods. Security assessments are vital because if we don’t test an organization’s security posture, we cannot determine the organization’s readiness to withstand attacks from malicious hackers. We cannot turn weaknesses into strengths if we haven’t determined the weaknesses. We began with the first of many security assessment methods: malware sandboxing. It’s important for organizations to isolate and discover malware themselves rather than relying on third parties to do it all for them. Next, we talked about memory dumping and runtime debugging. These topics make clear the importance of analyzing archived and live code to check for vulnerabilities that can be exploited by attackers. We also discussed reconnaissance for high-level information gathering, and fingerprinting for lowlevel system-specific data collecting. Code reviews are important for discovering and correcting flaws with software before they are committed into the finished product. We provided extensive coverage of social engineering due to human beings being the weakest link in security. Pivoting was described as a form of transitive attack in which an attacker compromises one system in order to daisy-chain from that system to another more important target. We next discussed open source intelligence topics like social media. Social media is a treasure trove for attackers, given the value and accessibility of information. Whois lookups are also easy and accessible for attackers to determine important domain information about an organization. We discussed routing tables and how they provide a virtual map of the network for an attacker’s benefit. Coverage of DNS records
09-ch09.indd 368
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
369
PART III
was also provided due to their importance in establishing a list of specific targets for hackers to compromise. We wrapped this section up with coverage on search engines and how we can utilize complex search queries to fine-tune the results provided by target websites. The last half of the chapter focused on security assessment types, which can be broken into two camps—penetration testing and vulnerability assessments. Penetration testing is the practice of simulating hacker attacks on targets to help them understand their weaknesses and improve their security. We touched on multiple types of penetration tests, including black box, white box, and gray box. Black box tests start with the attacker knowing nothing about the target, gray box tests provide the attacker with some knowledge of the target, and white box tests provide the attacker with complete knowledge of the target. Vulnerability assessments differ by only discovering vulnerabilities, not actually attacking them. Although most vulnerability assessments are conducted by third parties, organizations should complement those third-party assessments with self-assessments. Tabletop exercises help to brainstorm the ideas of an eventual assessment. Internal and external audits help determine the strengths and weaknesses of security controls for an organization. Finally, we talked about color-team exercises, which implement a combination of offensive and defensive teams for a 360-degree approach to security assessments. The red team attacks the network, the blue team defends the network, and the white team referees both sides. The next chapter focuses on the specific tools used to perform different methods and types of security assessments. These tools are delineated based on network tool type, host tool type, and physical security tool.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Security Assessment Methods • Malware sandboxing is the practice of isolating real or potential malicious code into a safe and restricted environment for analysis. • Memory dumping helps organizations proactively discover and mitigate memory and application vulnerabilities by dumping software to the hard drive for offline analysis. • Runtime debugging allows us to analyze code while it is actively running in memory. • Reconnaissance is the methodical process of collecting as much information about a target as possible before attempting to hack it. • Fingerprinting is the process of determining specific details about a system, including port numbers, services, operating systems, vulnerabilities, and accounts. • Code review is the proofreading of source code to discover and mitigate software vulnerabilities before they make it into the finished product.
09-ch09.indd 369
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
370
• Social engineering focuses on manipulating or compromising people into revealing confidential information. • Dumpster diving involves digging through people’s trash to find confidential information. • Eavesdropping entails the unauthorized interception of communications between other parties. • Impersonation occurs when people pretend to be someone else. • Piggybacking takes place when unauthorized individuals trick an authorized individual into consenting to give them access into a restricted area. • Tailgating takes place when unauthorized individuals trick an authorized individual into providing access into a restricted area without their consent. • Reverse social engineering tricks victims into first initiating dialogue with the attacker. • Shoulder surfing involves observing someone entering in credentials. • Vishing is the process of calling people on the phone while pretending to be a trusted entity. • Phishing uses e-mail to trick victims into revealing confidential account and financial information through malicious links, filling out website forms, or running software they shouldn’t. • Spear phishing targets a specific individual as opposed to the random individuals targeted by regular phishing attacks. • Whaling targets important individuals like executives, politicians, or celebrities. • Pharming uses phishing e-mails to redirect victims to hacker websites. • Spam is an electronic form of unsolicited message that arrives through e-mail. • Pop-ups are website windows that suddenly “pop up” to offer the user a prize or request logging in to a website. • Hoax letters are e-mails that may falsely claim that a particular piece of malware is in circulation; therefore, some kind of action must be taken. • Chain letters make requests about forwarding a message to a certain number of users so that donations are made or awareness is raised regarding a supposed cause. • Spim is a spinoff of spam that sends unsolicited messages through instant messaging clients as opposed to e-mail. • Malicious mobile apps appear friendly but have malicious intentions on app stores. • Repackaged mobile apps are normal apps that are repackaged as malware and then upload again to an app store. • Smishing involves sending unsolicited SMS messages to targets.
09-ch09.indd 370
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
371
PART III
• Pivoting is the process of compromising a host in order to use that host to compromise other hosts on the network. • Open source intelligence (OSINT) refers to the collection of valuable information from public sources. • Social media is a frequent target for information due to its value, accessibility, and the inherent social engineering opportunities uniquely afforded to it. • Whois is a global database of registered domain names and all related registration and ownership details of those domains. • Routing tables are records on a router that contain route and network destination information. • DNS records provide important system identifiers to help clients translate system hostnames to IP addresses as well as reverse IP addresses to hostnames, and to help clients locate servers that provide special services. • Search engines provide easy access to information about a target.
Security Assessment Types • Penetration testing is the practice of simulating attacks on organizational targets in order to prepare organizations for malicious hackers. • Black box testing simulates black hat hackers by starting off penetration tests without prior knowledge of the organizational network. • White box testing simulates a malicious administrator who has complete knowledge of the network. • Gray box testing simulates a malicious non-administrator who has partial knowledge of the network. • Vulnerability assessments employ various techniques to discover vulnerabilities but do not exploit them. • Self-assessments are in-house vulnerability assessments conducted by local staff. • Tabletop exercises are brainstorming sessions conducted by security professionals and other stakeholders to discuss an upcoming security assessment. • Internal and external audits involve third-party and local security staff to audit the strengths and weaknesses of security controls. • Color-team exercises pit offensive versus defensive penetration testers to ensure a complete security posture is assessed. • Red team testers simulate malicious hacking attacks. • Blue team testers respond to the red team attacks with analysis techniques. • White team testers referee the red and blue teams.
09-ch09.indd 371
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
372
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. A port-scanning tool like Nmap looks for which types of ports? (Choose all that apply.) A. Only closed ports B. Only open ports C. Only filtered ports D. All of the above
2. Which protocols do port scanners most commonly scan? A. ICMP and SNMP B. TCP and SNMP C. UDP and TCP D. UDP and RIP
3. Which of the following is performed by organizations to isolate and discover new forms of malware? A. Malware dumping B. Malware debugging C. Malware sandboxing D. Code review
4. Utilizing open source intelligence sites like Facebook to gather target information is an example of which of the following? (Choose all that apply.) A. Fingerprinting B. Footprinting C. Reconnaissance D. Social engineering
5. Which of the following is the best solution for ensuring that software still in development is secure “out of the box”? A. Memory dumping B. Runtime debugging C. Code review D. Reconnaissance
09-ch09.indd 372
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
373
6. In order to access an important server at the headquarters, a hacker first uses Metasploit to establish a connection on a workstation located at a branch office. Which of the following techniques will the hacker consider employing? A. Pivoting B. Sandboxing C. DNS harvesting D. Whois
7. Which of the following is a popular tool used for pivoting? A. Nmap B. Angry IP Scanner D. Metasploit
8. Which of the following is not a typical step in a vulnerability assessment? A. Valuation of examined systems
PART III
C. Nessus
B. Threat identification C. Exploiting vulnerabilities to penetrate systems D. Developing mitigation strategies
9. A penetration test usually simulates an attack from which of the following? A. A malicious outsider B. Malware and worms C. A rival organization D. ICMP floods
10. Which of the following are true statements concerning a tester using black box testing techniques? (Choose all that apply.) A. Has detailed knowledge of function calls inside the software being tested B. Has some knowledge of function calls inside the software being tested C. Has no knowledge of function calls inside the software being tested D. Simulates the attack methods utilized by black hat hackers
11. Fingerprinting is often: A. One of the first steps in an assessment B. Rarely used by professional penetration testers C. Used in conjunction with dictionary files D. Only performed on Linux-based systems
09-ch09.indd 373
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
374
12. Code reviews are intended to: A. Find programming errors and poor coding practices B. Validate placement of punctuation C. Catch bugs after software is released D. Count lines of code
13. Which of the following are true statements concerning the use of social engineering as a technique? (Choose all that apply.) A. It targets Facebook and Twitter accounts. B. It bypasses firewalls by tunneling traffic. C. It attacks the human element and not technology. D. It is best mitigated through security awareness training.
14. Which of the following box test types is best for simulating a rogue administrator attacking the organization? A. White box B. Black box C. Gray box D. Red box
15. Google hacking is an example of which of the following? (Choose all that apply.) A. Hacking Google B. Using Google to perform advanced searches on the Internet C. Using Google to access cached copies of websites D. Using Google to limit results according to a specific domain
16. Which of the following are examples of human-based social engineering? (Choose all that apply.) A. Dumpster diving B. Tailgating C. Phishing D. Spam E. Spim
17. Which of the following are examples of computer-based social engineering? (Choose all that apply.) A. Dumpster diving B. Tailgating C. Phishing D. Spam E. Spim
09-ch09.indd 374
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
Chapter 9: Security Assessments
375
18. Which of the following is an example of mobile-based social engineering? A. Spim B. Spam C. Phishing D. Smishing
19. Which of the following are reasons that organizations conduct penetration tests? (Choose all that apply.) A. Regulatory requirements B. Damage control from recent hack C. To improve security to reduce hacking risk
20. Which vulnerability are hackers hoping to take advantage of while searching for the target’s DNS records? (Choose the best answer.) A. DNS server is missing patches.
PART III
D. All of the above
B. DNS server doesn’t have DNSSEC enabled. C. DNS server supports zone replication to any entity. D. None of the above.
21. Why are some organizations using static routing as opposed to dynamic routing? (Choose all that apply.) A. Static routing requires less administrative effort. B. Static routing generates less traffic. C. Static routing is more secure. D. Static routing automatically encrypts all traffic. E. All of the above.
Answers 1. D. Nmap looks for open ports, closed ports, and ports filtered by a firewall. 2. C. Port scanners typically scan for TCP and UDP protocols due to ports being assigned at the Transport layer of the OSI model. 3. C. Malware sandboxing takes place when organizations isolate and analyze real or potential malware themselves. 4. B, C. Footprinting and reconnaissance typically utilize open source intelligence websites and are often interchangeable terms. 5. C. Code review takes place during an application’s development in order to discover and mitigate flaws before the product is finalized.
09-ch09.indd 375
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 9
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
376
6. A. Pivoting is a daisy-chaining concept in which hackers compromise one host in order to use that host to compromise other hosts. 7. D. The Metasploit Framework is one of the most popular hacking tools for pivoting. 8. C. Vulnerabilities scans primarily discover vulnerabilities. Penetration tests exploit vulnerabilities. 9. A. A malicious outsider is the most likely hacker to attack an organization; therefore, in most cases, this is the most appropriate hacker to simulate during a penetration test. 10. C, D. Black box testers typically have no knowledge of function calls inside the software being tested. They are recruited to simulate the hacking techniques utilized by black hat hackers. 11. A. Fingerprinting identifies key system details and therefore is often one of the first steps in an assessment. 12. A. Code reviews are designed to find programming errors and poor coding practices before software is fully released. 13. A, C, D. Social engineering targets the human element, which can also be done over targets like Facebook and Twitter. It is best mitigated through security awareness training. 14. A. White box tests simulate the attacks that could be done by a powerful internal employee like an administrator. 15. B, C, D. Google hacking advanced searches include accessing cached copies of websites and limiting the results to a particular domain. 16. A, B. Dumpster diving and tailgating are examples of human-based social engineering. 17. C, D, E. Phishing, spam, and spim are all examples of computer-based social engineering since computers are used to conduct the social engineering. 18. D. Smishing involves the usage of SMS to send unsolicited messages to targets. 19. D. Regulations, damage control, and reducing hacking risks are all good reasons to conduct penetration tests. 20. C. Hackers are hoping that administrators forgot to disable zone replication to any server while configuring the DNS server settings. 21. B, C. Static routing generates less traffic and is more secure than dynamic routing.
09-ch09.indd 376
11/03/19 3:14 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
10
CHAPTER
Security Assessment Tools This chapter presents the following topics: • Network tool types • Host tool types • Physical security tools
Spend enough time in the security career field and at some point you will either conduct an assessment, create an RFP (Request for Proposal) for assessments, respond to an assessment RFP, or examine the results of an assessment. Assessments play a large role in security because they can be one of the best tools you have to find issues and vulnerabilities before the “bad guys” do. On a more frequent basis, as a security professional you might be presented with a scenario and need to choose the appropriate approach or tool for the job. The previous chapter focused on security assessment methods and types, but not much on the tools themselves. In this chapter, we’ll explore some common tools and methods for conducting assessments and other security tasks.
Network Tool Types
Network tools are a vital part of any security professional’s skillset. You may not be an assessment professional who spends most of your career examining networks looking for vulnerabilities––but you can use many of the same tools for internal assessment activities, tracking down infected systems, spotting inappropriate behavior, and so on. Knowing the right tool for the job can be critical to performing effectively. Although some tools are described as “Swiss army knives” that perform several functions, you will typically use a variety of tools throughout security assessment duties. The tools in this section use the network to scan, collect, analysis, and distribute data for intelligence purposes.
Port Scanners A port scanner is a tool designed to scan one or more systems to determine which TCP/ UDP ports are “open,” “closed,” or “filtered.” The most important port status is open since it indicates that a service is actively listening for, and will accept, incoming connections from other systems. Port scanners are available for all modern desktop/server OSs,
377
10-ch10.indd 377
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
378
smartphones, and tablets. Having a good port-scanning tool in your toolset––and knowing how to use it––is beneficial for routine systems administration, penetration testing, and vulnerability assessments. EXAM TIP Nmap is unquestionably the most popular and acclaimed portscanning tool in the industry. If you want to practice port scanning, Nmap is a great first choice.
Port scanners can be used for the following:
• Live systems Search for “live” hosts on a network. This is sometimes known as a “ping sweep” since you’re pinging groups of systems. Most port scanners give you the ability to perform a quick scan using ICMP, TCP, or UDP packets to search for active hosts on a given network or network segment. ICMP is still very popular for this task, but with the default blocking of ICMP in many modern operating systems, such as Windows 10, users are increasingly turning to TCP or UDP scans for these tasks. • Open ports Port scanners are most often used to identify any open ports on a host, group of hosts, or network. By scanning a large number of ports over a large number of hosts, a port scanner can provide you (or an attacker) with a very good picture of what services are running on which hosts on your network. Scans be done for the “default” set of popular ports, a large range of ports, or every possible port (from 1 to 65535). • Specific ports Only looking for web servers? Mail servers? Port scanners can also be configured to just look for specific services. • Identify services Some port scanners can help identify the services running on open ports based on information returned by the service or the port/service assigned (if standards have been followed). For example, a service running on port 80 is likely to be a web server. • TCP/UDP services Most port scanners can perform scans for both TCP and UDP services, although some tools do not allow you to scan for both protocols at the same time. When you find open ports with running services, you’ll need to determine the following:
• If those services should be running at all • If they should be running on the system(s) you found them on • If anything can be done to limit which connections are allowed to those services For example, you may want to scan your network for any system accepting connections on TCP port 1433 (Microsoft SQL Server). If you find a system accepting
10-ch10.indd 378
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
379
connections on TCP port 1433 in your Sales group, chances are someone has installed something they shouldn’t have (or someone installed something for them).
Three-Way Handshake
• SYN The client sends a TCP segment to the web server with its SYN flag turned on and the destination port field set to 80. The SYN flag and port 80 indicate the client’s intention to establish a connection with the web server on port 80. In other words, the client is saying, “Hello, I would like to connect with you on port 80. Are you open?” • SYN/ACK The web server responds to the client by sending a TCP segment with its SYN and ACK flags turned on. The ACK flag acknowledges the receipt of the client’s SYN flag, and the web server’s SYN flag indicates the desire to have a connection with the client. What the server is saying is, “Yes, I am open on port 80 and I would like to connect with you, too.” • ACK The client responds to the web server with its ACK flag turned on to acknowledge receipt of the web server’s SYN flag. Assuming the web server receives this final ACK flag, the client and the web server are now officially connected.
PART III
So, how exactly does a port scan work? Typical port scans are really just TCP 3-way handshakes being repeated over and over again. However, before we get into port scans, some background on TCP––and the TCP 3-way handshake––is in order. TCP is a connection-oriented protocol that relies upon handshakes, acknowledgements, flow control, traffic resubmissions, and graceful tear-downs of communication. All of these characteristics reflect TCP’s desire for a perfect connection. The initial handshake (formally known as the TCP 3-way handshake) is TCP’s first step in a connection. This is not only critical to network connectivity but also to port scanning. See Figure 10-1 for a visual representation of the TCP 3-way handshake, followed by an explanation of its steps.
Every time a TCP-based application wishes to establish a new connection to an application on another computer, the 3-way handshake is attempted. However, what
Figure 10-1 TCP 3-way handshake (a successful connection established)
Step 1 Step 2 Step 3
SYN SYN/ACK ACK
Client
Web Server Scenario: The client wishes to connect to the web server on port 80.
10-ch10.indd 379
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
380
Figure 10-2 TCP 3-way handshake rejection (port closed)
Step 1 Step 2
SYN RST
Client
Domain Controller Scenario: The client is denied connectivity on the domain controller on port 80.
if the connection attempt fails due to the destination port number being closed? See Figure 10-2 for an example.
• SYN The client sends a TCP segment to the web server with its SYN flag turned on and the destination port field set to 80. The SYN flag and port 80 indicate the client’s intention to synchronize (connect) with the web server on port 80. In other words, the client is saying, “Hello, I would like to connect with you on port 80. Are you open?” • RST The web server responds to the client by sending a TCP segment with its RST flag turned on. The RST flag indicates that the web server is not open on port 80 and therefore will not allow a connection on this port. This is a normal and acceptable response to a connection request for a closed port. Do not be surprised at the abundance of closed ports on systems. Most ports will be closed by default with only a handful of them open. This is not only normal but a security best practice. TIP Know the handshake steps by heart. They are important for most information security exams.
Now that you understand the TCP 3-way handshake, let’s circle back to port scans. Port scans perform either the TCP 3-way handshake for each port to determine port status or some variation of this. For example, let’s assume we’re running a standard TCP connect scan against 192.168.1.20 for ports 1–10000. The scanner will attempt to create a TCP connection to each port in the range 1–10000 on 192.168.1.20. When the scanner sends out a SYN packet, it waits for the responding SYN/ACK. If a SYN/ACK is received, the scanner will attempt to complete the 3-way handshake and mark the port as “open.” If the sent packet times out, or an RST packet is received, the scanner will likely mark that port as “closed.” If an “administratively prohibited” message or something similar comes back, the scanner may mark that port as “filtered.” Filtered means that the port scanner cannot definitively determine whether the port is open or closed due to the
10-ch10.indd 380
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
381
likely presence of a firewall protecting the port. When the scan is complete, the scanner will present the results in a summary format—listing the ports that are open, closed, filtered, and so on. By examining the responses from each port, you can typically deduce a bit more information about the system(s) you are scanning, as detailed here:
PART III
• Open Open ports accept connections. If you can connect to these with a port scanner, the ports are not being filtered at the network level. However, there are instances where you may find a port that is marked as “open” by a port scanner that will immediately drop your connections if you attempt to connect to it in some other manner. For example, port 22 for SSH may appear “open” to a port scanner but will immediately drop your SSH connections. In such a case, the service is likely being filtered by a host-based firewall or a firewall capability within the service itself. • Closed You will typically see this response when the scanned target returns an RST packet. • Filtered You will typically see this response when an “ICMP unreachable” error is returned. This usually indicates that the port is being filtered by a firewall or other device. • Additional types Some port scanners will attempt to further classify responses, such as dropped, blocked, denied, timeout, and so on. These are fairly tool specific and you should refer to any documentation or help file that accompanies that port scanner for additional information. In general, you will want to run your scanning efforts multiple times using different options to ensure you get a better and more accurate picture. Not to mention, if you’re looking to perform scans that give you the results you want, while minimizing your risk of being detected by intrusion detection systems (IDSs) or intrusion prevention systems (IPSs), more customized port scans may be in order. The different types of port scans include the following:
• TCP full connect scan This completes the 3-way handshake. • SYN scan Also known as a stealth or half-open scan, this sends a TCP segment to the target with the SYN flag turned on. Since it doesn’t complete the 3-way shake, no connections are recorded, which reduces its visibility to tracking tools. • NULL scan Sends a TCP segment to the target with zero flags turned on. • FIN scan Sends a TCP segment to the target with the FIN flag turned on. • XMAS scan Sends a TCP segment to the target with the FIN, URG, and PUSH flags turned on. NOTE Tools like Nmap and Hping are well known for their implementations of the preceding port scan types. The most popular port scan is the SYN scan due to it being nearly as good as a TCP full connect scan while reducing visibility.
10-ch10.indd 381
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
382
The point of varying port scans is to simultaneously elicit responses from stubborn computers while also minimizing the risk of detection. Evading IDS or IPS tools is an important goal for hackers; therefore, it should be for us as well. You’ll want to run both TCP and UDP scans as well. You may need to alter your scanning approach to use multiple techniques at different times of the day/night to ensure complete coverage. The bad guys are doing this against your network right now, so you might as well use the same tools they do to see what they see. Port scanners can also be very useful for testing firewall configurations because the results of the port scans can show you exactly which ports are open, which ones you allow through, which ports are carrying services, and so on. So, how do you defend against port scans? Well, it’s tough. Port scans are pretty much a part of the Internet traffic landscape now. Although you can block IP addresses that scan you, most organizations don’t because they run the risk of an attacker spoofing source addresses as decoys for other scanning activity. The best defense is to carefully control what traffic you let in and out of your network, using firewalls, network filters, and host filters. Then carefully monitor any traffic that you do allow in. Unfortunately, there is far more information concerning port scanners, port scanning techniques, defenses, and so on than we have room for in this chapter. This is merely a small introduction to the topic, and we highly recommend you do additional research if the topic interests you. TIP The key to effective use of port scanners is to run them multiple times at different times and on different days. Your network looks different in the early hours of the morning than it does later in the afternoon. Run port scans on weekends, at night, during lunch, on holidays, and so on. Most scanners have a machine output option that makes it easy to import results into a database for easy comparison between scans.
Figure 10-3 shows a screenshot of an Nmap port scan.
Vulnerability Scanners A vulnerability scanner is a program designed to scan systems for weaknesses. These weaknesses can include misconfigurations, outdated software, missing patches, default user accounts, and so on. There are essentially three main categories of vulnerability scanners: network, host, and application. A network vulnerability scanner scans hosts for issues across their network connections. Typically, a network scanner will either contain or use a port scanner to perform an initial assessment of the network to determine which hosts are alive and which services are open on those hosts. Each system and service is then scanned. Network scanners are very broad tools that can run potentially thousands of checks, depending on the OS and services being examined. This makes them a very good “broad sweep” for network visible vulnerabilities. Due to the number of checks they can perform, network scanners can generate a great deal of traffic––and a large number of con-
10-ch10.indd 382
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
383
PART III
Figure 10-3 Nmap port scan
nections to the systems being examined––so care should be taken to minimize the impact on production systems and production networks. Network scanners are essentially the equivalent of a Swiss army knife for assessments. They do lots of tasks and are extremely useful to have around—they may not be as good as a tool dedicated to examining one specific type of service, but if you can only run a single tool to examine your network for vulnerabilities, you’ll want that tool to be a network vulnerability scanner. Figure 10-4 shows a screenshot of Nessus from Tenable Network Security, a very popular network vulnerability scanner. Bottom line: if you need to perform a broad sweep for vulnerabilities on one or more hosts across the network, a network vulnerability scanner is the right tool for the job. TIP Selecting the right type of vulnerability scanner isn’t that difficult. Just focus on what types of vulnerabilities you need to scan for and how you will be accessing the host/services/applications being scanned. It’s also worth noting that to do a thorough job, you will likely need both network-based and host-based scanners—particularly for critical assets. Host- and networkbased scanners perform different tests and provide visibility into different types of vulnerabilities. If you want to ensure the best coverage, you’ll need to run both.
10-ch10.indd 383
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
384
Figure 10-4 Nessus vulnerability scanner
Application vulnerability scanners are designed to look for vulnerabilities in applications or certain types of applications. Application scanners are some of the most specialized scanners—even though they contain hundreds or even thousands of checks, they only look for misconfigurations or vulnerabilities in a specific type of application. Arguably the most popular types of application scanners are designed to test for weaknesses and vulnerabilities in web-based applications. Web applications are designed to be visible, interact with users, and accept and process user input—all things that make them attractive targets for attackers. As such, a relatively large number of web application scanners is available, ranging from open source products like OpenVAS to subscription products such as Nessus. To be an effective web application scanner, the tool must be able to perform thousands of checks for vulnerabilities, misconfigurations, default content, settings, issues, and so on, with a variety of web technologies, from IIS to Apache to PHP to ASP and everything in between. Application scanners are usually capable of performing advanced checks, such as SQL injection or JavaScript injection, which require interacting with the web application being examined and modifying requests and responses based on feedback from the application. Figure 10-5 shows a screenshot of Acunetix WVS (Web Vulnerability Scanner), an application scanner specifically for web technologies. Bottom line: if you want to examine a specific application or multiple instances of the same type of application (such as a website), an application scanner is the tool of choice.
10-ch10.indd 384
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
385
PART III
Figure 10-5 Acunetix Web Vulnerability Scanner
CAUTION Scanners are not perfect. Sometimes they will erroneously report things as an issue when they really are not a problem—and other times they won’t report an issue at all. A false positive is an incorrect finding—something that is incorrectly reported as a vulnerability. The scanner tells you there is a problem when in reality nothing is wrong. A false negative is when the scanner fails to report a vulnerability that actually does exist—the scanner simply missed the problem or didn’t report it as a problem.
Database vulnerability scanners are another type of specialty scanner—as the name suggests they are designed to look for vulnerabilities and misconfigurations with databases. Software version, user permissions, poor passwords, accounts with no passwords, table permissions, database permissions, and so on can all be closely examined by a database scanner such as Scuba or AppDetective. If your organization does any application development, you may also wish to integrate the use of a source code scanner such as Fortify 360 SCA. A source code scanner actually looks through the source code of a program to identify potential vulnerabilities, such as input fields that are not filtered, improper or a lack of bounds checking, possible buffer overflows, and so on. These tools are fairly specialized because you must have the actual source code of the application to test—a source code scanner does you no good on a finished, compiled product.
10-ch10.indd 385
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
386
Protocol Analyzers A protocol analyzer is a tool (hardware or software based) that can be used to capture and analyze traffic passing over a communications channel, such as a network. Although protocol analyzers exist for many types of communication channels, such as telecommunications traffic and system buses, the most common use of a protocol analyzer is for the capture and examination of network traffic. In the networking world, this is most commonly referred to as a packet analyzer or sniffer. Sniffers can be used to capture and analyze wired or wireless traffic and can be software based (most common) or a dedicated hardware/software platform.
Wired
Although there are many popular packet sniffers to use on wired networks, such as Tcpdump, Windump, and EtherApe, Wireshark is on a different level. Books written for Wireshark? Check. Wireshark courses? Check. International conventions attracting worldwide audiences? Check. Yes, it’s that popular. Although Wireshark is not limited to wired packet sniffing, it is unquestionably the most popular tool, and a very good one to start with. It certainly doesn’t hurt that it is open source and free to download and use too. See Figure 10-6 for a screenshot of Wireshark.
Figure 10-6 Wireshark capture
10-ch10.indd 386
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
387
PART III
There are two different types of packing sniffing on wired networks. The first is passive sniffing, and the other is active sniffing. Although extremely unlikely, passive sniffing occurs when the attacker is sniffing traffic sent over a legacy Ethernet hub. Since hubs unintelligently forward all traffic to all systems all the time, sniffers can very easily capture all traffic regardless of which port the sniffer is plugged into. Active sniffing occurs when sniffers are capturing traffic sent through Ethernet switches. Since switches only forward traffic to intended machines, a sniffer will only see traffic sent directly to or from its NIC, or any multicast and broadcast traffic sent through the switch. In other words, there will be a gaping hole regarding all the unicast traffic that the sniffer doesn’t see. As a result, the sniffer would have to be connected into a mirrored or SPAN port on the switch to receive that traffic. Malicious hackers probably won’t have the luxury of connecting their sniffer to such generous ports on the switch; therefore, they may have to perform “active sniffing” attacks on the network. Some of these attacks target the switch so that the switch unknowingly forwards traffic to the attacker’s computer for capturing. Here are several examples of active sniffing attacks:
• ARP poisoning • ARP spoofing • MAC flooding • DHCP starvation • Rogue DHCP server • DNS poisoning • Switch port stealing Capabilities of packet analyzers vary greatly—some do nothing more than simple packet capture whereas others attempt to reconstruct entire TCP/IP sessions with decoded packets and color-coded traffic streams. From a security perspective, protocol analyzers are very useful and allow us to discover what’s transpiring on the network:
• Are any systems on the network transmitting traffic on a specific port? • Are any packets being sent to an address at a rival company? • Are any employees streaming YouTube videos all day? • Want to find the system that’s flooding the local network with broadcast traffic? A protocol analyzer can help you discover all these issues and more—if you have the analyzer plugged into the right location of your network and can “see” the traffic you are concerned about. Most organizations will have multiple points in the network where traffic can be sniffed—in the core switch, between the user base and the server farm, between remote users and the core network, between the organization and any link to the Internet, and so on. Knowing how to ensure the sniffer can “see” the traffic you want to analyze, knowing where to place the analyzer, and knowing how to use the analyzer are all keys to getting the best results from a protocol analyzer.
10-ch10.indd 387
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
388
NOTE Protocol analyzers come in many variants—from free to costing many thousands of dollars. All protocol analyzers do essentially the same thing—capture network traffic. The differences between them are typically performance related, although some analyzers may have additional capabilities, such as being able to reconstruct specific TCP sessions from a traffic capture.
Wireless
Whereas switched Ethernet networks have certain challenges when it comes to sniffing— most of which are solved through switch SPAN or mirrored ports––wireless networks are an inherently easier variety to sniff due to their tendency to broadcast signals in all directions. Since wireless networks move traffic around like hubs, anyone in range with a sniffer has the potential to capture the traffic. On the other hand, if wireless isolation mode is enabled on the wireless access point or router, packet capturing will be restricted due to the inability for wireless devices to see one another. Even though Wireshark’s namesake gives the appearance of being a wired-only tool, it is perfectly capable of capturing wireless traffic. This is especially true if the Wireshark device is equipped with the expensive but fabled AirPcap adapter, which is the crème de la crème of wireless capture devices. Your packet capturing, injection, analysis, and performance capabilities will be unmatched with this device. When you run packet sniffers, it’s important to keep an eye out for important and potentially dangerous traffic, including the following:
• Wireless authentication traffic such as probe requests and probe responses. WPA/WPA2 hacking techniques like to exploit wireless handshakes. • Wireless beacon frames sent by wireless access point or routers. These may advertise SSIDs, which can be intercepted by hackers. • Reverse DNS traffic (may indicate a sniffer, port scanner, or ping sweeper nearby) profiling the network. • RST packets may indicate port scans. • Customized TCP segments with unusual patterns of SYN, ACK, RST, FIN, PSH, URG flags. These are signs of port scanners. • Packet fragmentation is a sign of a port scanner or a possible attempt at evading IDS or IPS tools. • Unexplained encrypted traffic. • Rogue or evil twin access points. Rogue access points are unauthorized hacker access points, whereas evil twin access points are a type of rogue access point that impersonates a well-known access point such as one found at a coffee shop, hotel, or book store. • Unexplained surges or sags in traffic levels. Could be a sign of DOS or DDOS conditions.
10-ch10.indd 388
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
389
SCAP Scanners The Security Content Automation Protocol (SCAP) is a protocol that employs existing open security standards in order to conduct vulnerability scans––while measuring and ranking the discovered vulnerabilities according to predetermined baselines. SCAP utilizes the following standards:
PART III
• Common Vulnerabilities and Exposures (CVE) Published list of cybersecurity vulnerabilities • Common Configuration Enumeration (CCE) Published list of configuration issues • Common Platform Enumeration (CPE) Standardizes the naming of various software platforms • Common Vulnerability Scoring System (CVSS) Standardizes the scoring of vulnerabilities • Extensible Configuration Checklist Description Format (XCCDF) XML format used to standardize methods of describing system configuration policies, evaluation of systems, mitigations, and policy compliance • Open Vulnerability and Assessment Language (OVAL) Standard for vulnerability assessments, reporting, and delivery mechanisms of system vulnerabilities OpenSCAP is a well-known collection of open source tools for applying the standards and methods of SCAP. Using the OpenSCAP scanner, you’ll be able to conduct vulnerability assessments and assign criticality rankings to discovered vulnerabilities while measuring a system’s compliance––or deviation––from OpenSCAP’s built-in security policies. The following is a high-level process of utilizing OpenSCAP on Kali Linux: 1. Download and deploy OpenSCAP onto a Kali Linux VM. 2. Download latest OVAL definitions for scanner. 3. Use OpenSCAP to evaluate a target based on OVAL definitions. 4. Create and view a report based on the evaluation results.
Network Enumerators Pinging tools will tell us if a system is up or down––port scanners will tell us about port status, services, and maybe the OS––but network enumerators can tell us about the users, groups, shares, auditing options, and other finer details about systems. It is a deeper level of scanning that often comes just as we gain access to a target system. On insecure systems, this type of information can be pulled from anonymous queries to LDAP services, anonymous connections to Windows systems, Active Directory searches, scans to determine what service is actually running on a given port, and so on. This type of information is very useful to would-be attackers, and your job as a security
10-ch10.indd 389
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
390
professional is to prevent attackers from accessing this type of information. An easy way to start that process is to run network enumeration tools yourself to see what your network might look like to an untrusted outsider or trusted insider. Using network enumeration tools can show you how much information is available on your network and highlight which systems need to be secured, what services need to be disabled/restricted, and so on. Most general vulnerability scanners, such as Nessus, will perform network enumeration as part of their “default” scan settings, and port scanners, such as Nmap, will attempt to identify the operating system and application running on examined systems. Here are some examples of popular enumeration tools:
• NetScanTools Pro • SuperScan • Nsauditor • OpUtils • Finger TIP NetScanTools Pro is one of the more impressive network-scanning tools you will ever see. You can download a trial version of it and get a good sense of how many different things it can do.
Fuzzers Have you ever looked at a web page and thought, “Wonder what happens if I enter a bunch of random characters for my password?” If you’ve actually tried this, then you’ve “fuzzed.” A fuzzer is a testing tool used to find implementation bugs in software by submitting malformed or semi-malformed data to an application in an automated fashion. For example, if you have a web application with a login field, a fuzzer would send random (or semi-random) strings of data to the username and password fields and examine the application’s reaction to that data. Did the application crash? Did it report an error back? What kind of error? Was it a buffer overflow? A denial-of-service condition? From a security standpoint, fuzzers are typically used to examine web applications, custom applications, or any other system that accepts and processes user input. Fuzzers can be run at any time, but ideally they would be used during application development where the cost of detecting and correcting bugs is typically cheaper. A fuzzer can’t replace a good quality-control process, code walkthrough, debugging, and so on, but it can be a very powerful automated tool that augments these classic software assurance techniques. The primary issue with fuzzing is it tends to find only the simpler faults within software, although sometimes those bugs turn out to be serious, exploitable bugs. TIP Fuzzers are available from both open source and commercial sources such as OWASP’s ZAP, Burp Suite, W3af, and WebScarab.
10-ch10.indd 390
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
391
HTTP Interceptors
PART III
An HTTP interceptor is, quite simply, a tool that captures web traffic between the source (usually a browser) and the destination (usually a website). HTTP interceptors are usually called web proxy tools because they serve as an on-host proxy, capturing web traffic after it passes out of and before it passes in to the browser. Most interceptors run on the local host using a local port (such as 8080) and require the user to configure their browser or connection settings to point to the interceptor as the proxy for HTTP/HTTPS traffic. Most interceptors will also handle certificate and SSL negotiations for any sessions passing through them. Interceptors are great tools for examining web applications because they allow the examiner to do things the browser would not. Let’s say the client-side code for a website limits the length of a client-supplied username to 20 characters. The browser would help enforce that limit and would reject any username longer than 20 characters. When the user clicks Submit on their browser, the request passes to the interceptor first, and now the user has a chance to modify the submitted data free from any restrictions the browser might try to enforce. Using the interceptor, the examiner could manually modify the submitted username and make it 200 characters in length—or even 2,000—before passing it off to the web server. If the developers haven’t done a good job of filtering user input on both the client and server sides of their application, then an unexpected input of 2,000 characters in a 20-character field could cause a problem. Interceptors can also be used to modify URLs, change cookie values, modify data fields, and so on, with any web traffic passing through the proxy. Interceptors give you a tool to examine almost every aspect of how a web application processes traffic passing between the browser and web server. Figure 10-7 shows a screenshot of Burp Suite, a popular HTTP interceptor.
Exploitation Tools/Frameworks Attack tools/frameworks typically go one step beyond a vulnerability scanner. Whereas a vulnerability scanner can tell you about a possible issue or where a definite issue exists, an attack tool will allow you to try and exploit that discovered vulnerability. For example, a vulnerability scanner might tell you that your remote system is vulnerable to a certain buffer overflow attack, but an attack tool/framework will actually launch an attack against the vulnerable target and attempt to exploit the buffer overflow (possibly giving you a remote shell on the vulnerable system). Attack tools and assessment frameworks typically have some type of limited vulnerability-scanning capability—usually to just verify vulnerabilities that the attack tool can exploit. From a security standpoint, attack tools and frameworks are sometimes avoided because they actually use buffer overflows and such to exploit vulnerabilities; therefore, they can have unintended consequences, such as crashing the service being examined or corrupting data. However, they can still be useful for taking the data in a vulnerability scan from a discussion about what an attacker might be able to do into a discussion about what an attacker definitely could do and would have access to. Sometimes showing the access that can be gained by exploiting a vulnerability is far more powerful than simply talking about it. Many different attack tools are available from both public and commercial
10-ch10.indd 391
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
392
Figure 10-7 Burp Suite
sources, such as Metasploit (available in both open source and commercial versions) and Core Impact (commercial only). EXAM TIP Attacking tools/frameworks can be used for assessment purposes, but they’re typically used for penetration tests, where the testers are looking to move beyond the “it looks like this vulnerability exists” approach and into the “here’s the access I can gain and what I can do when I take advantage of this vulnerability” approach.
One common issue associated with attack tools is the level of knowledge required to use them effectively. Anyone can download and run the tools, but you definitely need more than a rudimentary level of knowledge to be able to first identify a vulnerability and then select an appropriate exploit to test/validate that vulnerability. Selecting the wrong exploit or payload could result in crashing the service (or system) being examined, corrupting data, or having a similarly undesirable impact. Some attack tools (including Core Impact and Metasploit) make this process much easier because they pair vulnerability
10-ch10.indd 392
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
393
tests with appropriate exploits and payloads that can usually be executed with minimal damage. Attack tools/frameworks are also available now in live CD format and in prebuilt distributions. For example, Kali Linux is a bootable live CD that contains a large variety of packaged assessment, scanning, and exploit tools. The live CD format allows you to boot from the CD into a functional assessment environment using almost any available platform.
Visualization Tools
PART III
The only thing more difficult than finding a needle in a haystack is finding specific needles in stacks of needles. If organizations are going to make sense of all the raw data they generate daily, they’ll be greatly aided by the many visualization tools that specialize in converting raw data into visual formats. Utilizing tools that provide visual aids, analysis, and interpretations of raw data will simultaneously expedite and deepen our level of understanding of the data we’ve collected. We’ll more quickly grasp key performance indicators regarding clients, servers, and network appliances––in addition to data flow patterns at the LAN, WAN, Wi-Fi, and Internet levels. Although no tool is perfect, there are certain visualization types to look for in a tool, including the following:
• Dashboards • Reports • Business intelligence • Data mining • Filters • Pivoting • Analytics • Classic and modern data charts Tcpdump is a good command-line packet sniffer for capturing and displaying raw packet data, but SteelCentral Packet Analyzer can comb through millions of packets and provide hundreds of detailed graphical views on the captured traffic. SteelCentral Packet Analyzer is shown in Figure 10-8. An example of an open source monitoring and visualization tool is Cacti, which uses SNMP to collect data about various network appliances. SolarWinds has a laundry list of networking and security tools, including its popular Network Performance Monitor (NPM).
Log Reduction and Analysis Tools Although visualization tools are important for assimilating raw network data into visual formats, organizations must also have tools and processes for eliminating or ignoring data they don’t care about. Log reduction simultaneously filters out junk data while ensuring important data is brought into focus and analyzed. This could mean earmarking
10-ch10.indd 393
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
394
Figure 10-8 SteelCentral Packet Analyzer
only certain data types for logging, or combing through the logs after the fact and eliminating anything superfluous or unnecessary. Since data is generated from various sources across the network, organizations are increasingly turning to security information and event management (SIEM) log analysis tools for the trifecta of automated data aggregation, event correlation, and detailed reporting. SIEM tools have connections to various network appliances and servers in order to build a more complete picture of network and host activities. Such logs stem from applications, operating systems, antimalware, security logs, and others. For example, LogRhythm’s NetGen SIEM––according to the company’s website–– focuses on capturing forensic data and machine learning (ML) data, performing threat intelligence, and integrating security orchestration, automation, and response workflows. For more information about SIEM, see Chapter 5.
Host Tool Types
Whereas the previous sections discussed network tool types in relation to security assessments, the sections that follow focus on host tool types and their role in helping organizations perform security assessments on host systems.
Password Crackers Part of security assessments is testing the strength of user passwords on a given system. Password crackers are specialized tools designed to essentially “guess” passwords. If you have a password file and know how it was created (what operating system it came from,
10-ch10.indd 394
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
395
how the passwords are stored, and so on), then you simply feed that password file into the appropriate password cracker, set the options, and let it run. Password crackers essentially “guess” passwords by taking a hash the cracker has created and comparing it against the hash in the password file to see if they match. Password crackers typically can operate in four common modes:
PART III
• Dictionary file The cracker uses a dictionary file—a list of words that can range from the very broad (the entire Oxford dictionary) to the very specific (NFL teams). The password cracker takes each word in the file, computes a hash for that word, and then compares the calculated hash to the value stored in the password file. • Hybrid mode The cracker uses a dictionary file but then performs common substitutions on the words such as replacing the letter o with a zero. Some crackers also do permutations of dictionary words and letters or add special characters to the end of each dictionary word (for example, password123). • Brute force You tell the cracker the max length of the password and the set of characters you’d like it to use, and the cracker tries every possible combination of characters (a, aa, aaa, aaaa, b, bb, bbb, and so on). Brute-force attacks can take a very long time to execute. • Rainbow tables Rainbow tables are precomputed hashes. Essentially these are huge files with possible passwords and their corresponding hashes. Rainbow tables can potentially save an enormous amount of time because the password cracker is now simply attempting to match the hash of the password being cracked and a value it pulls from the rainbow table—the cracker doesn’t have to compute the hash anymore because it has already been done and is stored in the rainbow table. Password crackers have benefited more than any other assessment tool by the increase in readily available computing power. Multicore processers are now able to crack passwords in a fraction of the time it took three or four years ago. The advent of cloud computing has added a whole new level of speed to the practice of cracking passwords. Most cloud services allow you to rent massive amounts of computing power by the hour. Now any attacker can run massively parallel password-cracking operations at speeds that were previously only available to government entities. As a security professional, you might use password crackers to test the strength of user passwords or test compliance with company policy. You will likely not want to run an exhaustive password-cracking effort where you attempt to crack every single password in a massive brute-force attack. A cracking effort that uses a dictionary attack or hybrid attack up to 14 characters will likely be sufficient to reveal any weak passwords that might comply with company policy—just enough to be allowed but still weak enough that they might be guessed by an attacker and should be changed. There are several good password crackers, such as John the Ripper, THC-Hydra, Cain and Abel, Brutus, and L0phtCrack. See John the Ripper in Figure 10-9.
10-ch10.indd 395
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
396
Figure 10-9 John the Ripper
Password cracking can be performed against pretty much anything that contains a stored password—such as a configuration file or database. A side note worth examining is the use of brute-force tools. In traditional password-cracking efforts, you have the encrypted or hashed passwords and are trying to determine what they are by calculating your own hashes and making comparisons to what’s stored in the file. In brute-force efforts, you’re also trying to match the password, but it’s typically done through a login mechanism and without the computation of any hashes. Many brute-force tools, such as THC-Hydra, can perform multithreaded, brute-force attacks against a variety of protocols, such as SSH, FTP, HTTP, HTTPS, SMB, and so on. Other tools such as Cain and Abel can capture password hashes as they are transmitted across the wire (or through the air) and then perform cracking efforts.
Vulnerability Scanners Host vulnerability scanners are designed to run on a specific host and look for vulnerabilities and misconfigurations on that host. Host scanners tend to be more specialized because they’re looking for issues associated with a specific operating system or set of operating systems. A good example of a host scanner is the Microsoft Baseline Security Analyzer (MBSA), shown in Figure 10-10. MBSA is designed to examine the security state of a Windows host and offer guidance to address any vulnerabilities, misconfigurations, or missing patches. Although MBSA can be run against remote systems across the network, it is typically run on the host being examined and requires you to have access to that local host (at the Administrator level). The primary thing to remember about host scanners is that they are typically looking for vulnerabilities on the system they are running on. Bottom line: if you want to scan a specific host for vulnerabilities, weak password policies, or unchanged passwords, and you have direct access to the host, a host vulnerability scanner might be just the tool to use. It’s worth noting that some tools (such as Nessus) really cross the line between network- and host-based scanners. If you supply Nessus with host/login/domain credentials, it can perform many checks that would be considered “host based.”
10-ch10.indd 396
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
397
PART III
Figure 10-10 Microsoft Baseline Security Analyzer
Command-Line Tools The return to our centralized computing roots brought about by the cloud computing and virtualization revolutions is not the only example of history repeating itself. The command line has also come back with a vengeance. In certain management respects, the command-line interface (CLI) has already overtaken the graphical user interface (GUI). The CLI’s popularity is apparent with the global proliferation of Linux solutions, various scripting languages, and tools; plus, Microsoft’s PowerShell, Server Core, and Nano Server products continue to make waves with their minimalist approaches. Today’s CLIs have become central to our management of servers, network appliances, and the implementation of automation and orchestration solutions. Despite the depth of tasks that can be handled by today’s CLIs, this section will focus on certain command-line tools that can help us perform security assessments, in addition to routine network troubleshooting.
Ping
We do basic two-way communication tests all the time with our cell phones (“Hi, can you hear me?” “Yes, can you hear me?”) just like we do with computer networks. The ping tool allows hosts to send test communication packets to one another and measure
10-ch10.indd 397
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
398
the success rate and performance of the responses. Ping is generally the first tool we use for basic connectivity troubleshooting. Here is an example of the ping process using the TCP/IP model:
• Someone types “ping www.google.com” at the CLI. • Ping resolves the www.google.com name to an IP address. • Ping uses an application layer protocol called Echo to generate an Echo Request. Echo Requests are requests to ping a target such as www.google.com. • Ping does not use a transport layer protocol; therefore, the Internet layer protocol ICMP is used to encapsulate the Echo Request inside of an ICMP packet. The ICMP packet header contains the crucial connection characteristics about ping, such as round trip (milliseconds), time to live (TTL), and so on. • The ICMP packet gets encapsulated inside a frame from the Ethernet, Wi-Fi, or some other network access layer protocol. • The frame gets sent to the target, which then responds to the Echo Request with an Echo Reply. See Figure 10-11 for a ping example. Ping uses several switches, including -t for continuous pinging, -l for specifying packet size, and -4 or -6 to choose which version of IP to ping with. The important skill in working with ping is understanding the output:
• Reply Indicates a reply to the original sender’s Echo Request. • Bytes The size of the ping packet.
Figure 10-11 Ping
10-ch10.indd 398
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
399
• Time (latency) Time measured in milliseconds (thousands of a second) it takes for the combined Echo Request and Echo Reply to complete. Also known as round trip, only the total latency between source and destination is calculated. • TTL The number of routers (hops) a packet can cross before it expires. • Requested Timed Out Indicates the ping communication failed. • Destination Unreachable Ping could not locate a route to the destination network. • Jitter Variation of latency between ping packets. For example, packet 1 has a 10ms latency, and packet 2 has a 75ms latency. This gap is an example of high jitter. • Packet Loss Indicates one or more packets were dropped in route to their destination. PART III
For assessment purposes, security professionals will frequently perform “ping sweeps” by pinging an entire range of IP addresses. This is an easy way to determine all of the live hosts available on a particular subnet. A well-known ping sweeper is Angry IP Scanner, which can also perform reverse DNS lookups to determine hostnames. Although not specifically a ping sweeper, Nmap is perfectly capable of performing them, too. Here is the command for a Nmap ping sweep: Nmap -sn 192.168.1.1/24
If you’re running the tool on Linux, remember to use nmap and not Nmap; Linux commands are case-sensitive.
Tracert/Traceroute
Although ping is great for performing basic connectivity tests, its quick results come at the expense of details. For example, ping is not good at narrowing down the sources of issues such as the following:
• Request timed-out errors • Jitter • High latency • TTL expired in transit In all these cases, ping is unable to determine if an issue stems from the source, destination, or something in between. All ping can tell us is requests are timing out, there’s jitter, replies have high latency, and the TTL for a packet is expiring for some reason. Windows Tracert or Linux traceroute (hereafter loosely described as trace route for simplicity) can help us isolate issue sources by digging deeper with the Echo and ICMP protocols. Here are the features of trace routing:
• Traces the route taken by packets from each router in sequence until traffic reaches the destination
10-ch10.indd 399
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
400
• Pings each router three times in sequence • Shows the hostnames and IP addresses of the routers See Figure 10-12 for a trace route example. Since trace route shows the latency between the source and each sequential router, you can reasonably deduce that the first router to show high latency or jitter is the likely culprit of a bad connection. Since Windows trace route commands can take 30–60 seconds to complete, you can speed things up by using the -d switch to suppress reverse DNS lookups. You won’t see the hostnames of routers anymore, but the trace route results will speed up significantly. For more powerful trace route tools, check out the graphical Path Analyzer Pro and VisualRoute products.
Pathping
Just like trace route is a more thorough ping tool, pathping is a more thorough trace route tool. Pathping digs even deeper by pinging all routers in a path 100 times, shows the round trip in addition to individual latencies for the Echo Request and Echo Replies, plus it indicates packet loss statistics. The individual latencies feature helps us to understand if a connectivity problem is caused by our route to the target or the target’s route to us. Despite pathping’s obvious strengths, its scans can take a while. Due to all the diagnostics, it can take several minutes for some pathping commands to complete. Not to mention, not all routers tolerate pathpings due to the abundance of ICMP packets mimicking the appearance of ICMP flood attacks. See Figure 10-13 for a pathping example.
Figure 10-12 Windows trace route
10-ch10.indd 400
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
401
PART III
Figure 10-13 Pathping
In the pathping figure, you’ll notice that the command output defaulted to IPv6. In the increasingly common circumstance where the sender, receiver, and the network in between all fully support IPv6, Windows will “prefer” IPv6. This is also true for regular pinging and trace routing as well.
Ipconfig/Ifconfig
Ipconfig (for Windows) and ifconfig (for Unix/Linux) allow us to view our IP configuration. Based on which switches we use with Ipconfig, we can view the following IP configuration data:
• IP address • Subnet mask • Default gateway • DNS servers • WINS servers • MAC address • DHCP lease period
10-ch10.indd 401
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
402
Figure 10-14 Ipconfig
In addition to viewing all of the IP configuration (/all), we can also release the IP configuration back to the DHCP server (/release), renew the IP configuration from the DHCP server (/renew), flush the DNS cache (/flushdns), display the DNS cache (/displaydns), and register our hostname/IP with the DNS server (/registerdns). See Figure 10-14 for an Ipconfig example. On the other hand, ifconfig (which stands for interface configuration) is available on Unix/Linux-based operating systems and displays the IP address, subnet mask, default gateway, broadcast address, and a few network transmission error types. It also gives you the ability to disable/enable the NIC as well as change the MAC address of the NIC. The most common command you’ll run with this tool is ifconfig -a.
10-ch10.indd 402
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
403
Nslookup/Dig
Nslookup and dig are tools that we can use in both Windows and Linux for performing DNS lookups. They can help us verify DNS server functionality, the presence of records on a DNS server, possibly allow updating of records on a DNS server, and even transfer a DNS zone from the server to a client (if allowed). By allowing us to observe the availability of certain records in the DNS zone files, we can enumerate or footprint DNS servers to assess their relative security. See Figure 10-15 for an nslookup example.
Netstat
Netstat (short for network statistics) allows us to view connection statuses, port availability, protocol statistics, and routing table data for Windows, Unix/Linux, and macOS. Its most common usage is to check for open ports for TCP/UDP and connection statuses. Figure 10-16 shows a Netstat example. Otherwise, here are some common switches: Shows connections and listening ports Shows Ethernet statistics Shows fully qualified domain names (FQDNs) for connected targets Shows the local routing table
PART III
• Netstat /a • Netstat /e • Netstat /f • Netstat /r
Netstat can benefit security assessments by determining our open ports, daily connections to other hosts, and whether any ports or connections deviate from the norm. Unrecognized ports or connection addresses can indicate the presence of a backdoor trojan horse.
Figure 10-15 Nslookup
10-ch10.indd 403
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
404
Figure 10-16 Netstat
10-ch10.indd 404
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
405
Local Exploitation Tools/Frameworks As discussed in a previous section regarding exploitation tools/frameworks, security assessments can go beyond searching for vulnerabilities and start to physically penetrate them. The most well-known exploitation framework is Metasploit, which is made of various modules, including the following:
• Payloads • Exploits • Encoders • NOPS • Auxiliary PART III
Although it is capable of common things like fuzzing, launching buffer overflow attacks, and escalating privileges on specific host computers, Metasploit is a complete penetration testing tool. It is also both popular and extensive enough to be the subject of many technical books (and the personal obsession of many hackers). Despite its penetration-testing leaning, it is equally effective as a vulnerability scanner due to all the information it can discover about host systems.
SCAP Tools As discussed earlier, SCAP is all about utilizing existing security standards for a unified approach to vulnerability assessments and measurements. SCAP tools tend to support both network and hosts due to vulnerability assessments usually being broad in scope. Since SCAP tools should be NIST approved, a glance at NIST’s SCAP validation program website will show you all of the accredited SCAP tools, including Rapid’s Nexpose 6, Red Hat’s OpenSCAP 1, and Microsoft’s System Center Configuration Manager SCAP extensions.
File Integrity Monitoring File integrity monitoring (FIM) ensures that operating system, application, and data files maintain their intended state. To verify that files are accurate and tamper-free, a popular tool like Tripwire can use hashes, modification dates, file sizes, or other file attributes to determine what a file’s “baseline” condition should look like. It’ll then attempt to detect and remediate any unauthorized changes. FIM tools like Tripwire, and others, utilize policies to determine which files to monitor, baselines to compare before/after state changes to files, alerts to notify us of changes, and reports for demonstrating regulatory compliance. Windows also has a built-in FIM tool called System File Checker (SFC) that allows us to scan key operating system files for integrity violations. The most common SFC command to run is SFC /scannow. If it finds any issues, it’ll attempt to revert the file (or files) back to its original condition.
10-ch10.indd 405
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
406
Log Analysis Tools The previous section “Log Reduction and Analysis Tools” described log analysis from a more global organizational scope. Although SIEM tools are great for aggregating and analyzing log files from various networks, network devices, and hosts, tools can also have a stronger focus on individual host log analysis. For example, the Windows Event Viewer provides a local logging and basic analytical capability for security assessments. Event Viewer has a nice feature called “Subscriptions” that allows administrators to hand-pick which hosts to “subscribe” to, and then which events IDs and sources to collect and have forwarded to the administrator’s host. These events can also be filtered and collected based on their status as being “Critical,” “Error,” “Warning,” or “Information” events. This is, in a sense, like a poor-man’s SIEM tool due to the aggregation capabilities. Other tools that perform log analysis include SolarWinds Event & Log Manager, ManageEngine’s EventLog Analyzer, and LOGalyze, NetVizura’s EventLog Analyzer.
Antivirus Although antivirus software was already covered in Chapter 6, it was discussed as a security control rather than as a method of security assessment. Whether we’re discussing antivirus, anti-spam, or anti-spyware tools, it’s important that we assess the functionality of these tools’ alerting and logging systems. Previous or current malware may be suppressing the capability of our antimalware tools to notify us and log detected threats. As a result, we should double-check the configuration of these tools to ensure there are no signs of tampering. Also, be sure to verify that the real-time protection feature is set, and that scheduled quick or full scans are still set to their original values. Even if real-time protection doesn’t turn up anything, it’s important to do manual quick and full virus scans once in a while to catch malware missed by scheduled scans. You may also want to consider switching up tools once in a while. At the time of this writing, you should be able to research the top antimalware solutions according to studies published by AV Comparatives and AV Test, as well as PCMag by visiting their respective websites.
Reverse Engineering Tools Reverse engineering is the process of disassembling a finished product or process into its building blocks in order understand how the outcome was achieved from start to finish. Whether we’re discussing reverse engineering an operating system, application, hardware device, or a security breach, we’re trying to figure out which steps lead to the completed outcome. Sometimes the hardest thing for a security professional to do is to think like a hacker. Oftentimes we get so wrapped up in locking down, restricting, and patching that we forget to take a second to look at our solutions from the opposite perspective. If you step back and think about it, the most important question you can ask yourself is likely to be, “How would I defeat this security solution?” You’ve probably heard the term reverse engineer applied to things such as malware (taking it apart to see what it does and how it works), but how often have you thought
10-ch10.indd 406
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
407
about reverse engineering your own security solutions? It might be difficult for you to do if you helped design, construct, and implement the solution, but if you’ve inherited systems or security solutions, it shouldn’t be as difficult. Here are a few steps to help get you started:
PART III
• Look at what the system does What does the system you’re examining actually do? What inputs does it take? What are the outputs? • Determine how the solution impacts network traffic Assuming the solution does interact with traffic, how does it do this? What types of traffic will it let in? What does it block? Does it matter which direction the traffic is flowing? • Encryption How does the system handle encrypted traffic? Does it handle encrypted traffic at all? Or does it just pass encrypted traffic through without looking at it? • Determine what the system tells you about itself Does it have services running? Does it have banners on those services? Can you connect to the system remotely? • Communication Is the system a single entity or a group of resources? If it’s a group, do the resources communicate? Can you tell how they communicate? If you try and interfere with the communications, what happens? • Reactive capabilities Although it’s a bit trickier to test without actually generating some suspicious/malicious traffic, does the system have any capability to react to traffic that you generate? Does it block your source address after a port scan? Does it block your source address after multiple port scans? Does it block your source address after multiple failed login attempts? Does it block your activity after SQL injection attempts? Do you get blocked after attempting to execute DoS attacks? If you can take an objective look at your system and how it functions, you should be better able to understand its possible weaknesses (and correct them). But what practical use is reverse engineering in the security field? How about creating an attack tree/plan for a penetration test? Imagine you are being asked to perform a penetration test on your organization or another organization. To perform a thorough test, you need to understand the environment you’ll be examining. What are the entry points? How many network links are there? Are there wireless access points? Are there dedicated links to other organizations? Remote sites? The chances of you (as a tester) getting a detailed map and a full description of the environment—including firewalls in use, use or lack of IDS/ IPS, and so on—are slim to none (unless you are performing the test against your own organization and already have access to those items). If you try to look at your organization from a purely external perspective, you can start to piece together bits of information to build your own picture. IP blocks can be pulled from DNS and Whois records. Perhaps you can drive around or walk the facility looking for access points. When you’ve built your own “picture” of what you think the entry points are, you can start to build out a testing plan. External IPs you’ve uncovered can be scanned and probed. Tracing to those IPs may give you an idea of where the firewall is. Walking the firewall will help you determine what services are allowed through.
10-ch10.indd 407
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
408
Finding the e-mail servers may allow you to attempt a phishing attack (if permitted). Reverse engineering the solution in that case is really just an attempt to “discover” how your organization works and connects so that you can then flip that around and try to find a way to break in through one of those paths. EXAM TIP Reverse engineering or deconstructing existing security solutions is an excellent way to identify entry points and weaknesses. If you can break down your own systems and correct the issues you find, you will be that much more effective against actual attackers.
There are also the software considerations for reverse engineering. Although closed source applications often tout the benefits of being “closed,” various reverse engineering tools exist in order to reverse engineer the compiled code into its original source code. This helps us to better understand not only how the application works, but also its security posture and how vulnerabilities may be exploited. Although a previous topic already talked about malware sandboxing, such sandboxing is actually a form of malware reverse engineering. By isolating the malware into a safe place, we’re able to execute a formal malware analysis process to determine the malware’s origin, functionalities, and system impact. This includes static malware analysis, which focuses on the malware code, and dynamic malware analysis, which focuses on the malware’s behavioral aspects––or the effect the code has on the machine. Popular software reverse engineering tools include IDA-Pro, Jad Debugger, Olly Debugger, and Immunity Debugger.
Physical Security Tools
All this stuff about assessing operating systems and applications is great, but physical security is the most important security there is. It is critical that we perform security assessments of our physical security environment. Let’s take a look at a few examples of physical security tools for assessment purposes.
Lock Picks Although lock picks are used to unlock or “pick” a lock on a door, we can also use the lock picks to test a lock’s resistance to lock picking. Although this could work, it is advisable you hire a locksmith to test your locks rather than save money and risk damaging the locking mechanisms yourself. Hiring a locksmith will give you the answers you seek and spare you the trouble. If you would rather avoid the attacking and assessment risks of lock picking altogether, consider using some of these more modern alternatives to door locks:
• Radio frequency identification (RFID) lock Door unlocks via a key fob or card. • Cipher lock Door unlocks by entering in a code.
10-ch10.indd 408
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
409
• Biometric lock Door unlocks by using a variety of biological characteristics, including fingerprint, handprint, iris or retina scan, and voice activation. • Bluetooth lock Door unlocks through a Bluetooth signal sent to/from a certain smartphone.
RFID Tools
PART III
RFID uses electromagnetic fields to track virtually anything, including technological assets, employees, patients, children, animals, smart appliances, and even car key fobs. Anyone or anything installed with an appropriate tag or chip can be traced by sensor devices in walls, doors, cameras, or even handheld scanning equipment. Although RFID was designed with these laudable goals in mind, attackers may use RFID against us by unlawfully reading and stealing information from an RFID tag or chip. Today’s generation of pickpockets are performing electronic pickpocketing just by walking by people at a grocery store or train station. As a result, some people have resorted to buying RFIDblocking wallets and other RFID-blocking devices. Part of our security assessments should include the testing of our RFID sensor devices, in addition to the tags and chips throughout the environment an attacker may attempt to compromise. Our assessments should investigate any privacy and authentication features of any RFID equipment since those are the two most important and, by extension, vulnerable of RFID features. Last but not least, research the latest trends, vulnerabilities, and exploits on the Internet in order to get a leg up on the competition.
IR Cameras Infrared radiation (IR) cameras use infrared energy to form an image so that the camera can “see” in the dark. Since attackers may use the cover of darkness to stealthily walk around a physical area, IR cameras are used to detect motion in dark areas. Smarter IR cameras have the ability to adjust the intensity of their LEDs so that a person’s face doesn’t turn overly bright when he or she approaches the camera. Assessing the effectiveness of IR cameras is as simple as walking around near them when the room is dark to see how the device functions. If possible, you may be able to fine-tune the IR camera’s settings in order to get better black/white contrast.
Chapter Review
This chapter is the second of two chapters that addresses enterprise security operations but in the context of analyzing a scenario or output and selecting the appropriate tool for a security assessment. Although there are many methods of conducting security assessments, there are also a considerable number of tools to choose from. Without knowing which tools to use, and how to use them, the security assessment method chosen will not matter.
10-ch10.indd 409
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
410
The first section of this chapter began with network tool types such as port scanners. Port scanners are needed to determine which ports are open on a target. Once we know which ports are open, we run vulnerability scanners to determine which vulnerabilities exist on the open ports. We also provided coverage on protocol analyzers––wired and wireless varieties––in order to ascertain who is talking to whom, and what are they saying to each other. SCAP scanners were discussed due to the automation and standardization benefits they bring to vulnerability assessments. Network enumerators help us to get more information about targets such as network shares, audit policy settings, user accounts, services, and so forth. Fuzzers allow us to send random commands to a target to see how it responds. The responses are often indicative of specific software or operating system platforms, in addition to possible vulnerabilities. HTTP interceptors provide vulnerability assessment staff with the ability to intercept and modify web requests so that they can test for any possibly misconfigurations or vulnerabilities of web server applications. We also talked about exploitation tools/frameworks that can help us from an assessment perspective. We discussed visualization tools in the context of data collection so that we have visual interpretations of otherwise massive quantities of raw data. We ended this section with log reduction and analysis tools that allow us to reduce logs to manageable sizes by eliminating or preventing the accumulation of junk data. The log data that remains can be analyzed for clues about normal and abnormal network behaviors. The second section focused on host tool types, beginning with password crackers. Password crackers make it possible to “guess” seemingly random passwords that would be too difficult for a human to figure out on their own. We discussed vulnerability scanners again but in the context of scanning individual hosts for vulnerabilities as opposed to network-level scanning. We discussed various command-line interface tools like ping, trace route, pathping, netstat, ipconfig, ifconfig, nslookup/dig in order to learn more about a host’s connectivity qualities, states, open ports, and so forth. We looked at local exploitation tools/frameworks with a stronger focus on Metasploit, considering its notoriety as both an assessment and full-block penetration testing toolkit. We talked about SCAP tools in a prior section; therefore, we followed that up with coverage on a few popular SCAP tools. We then went over file integrity monitoring capabilities from Tripwire and Microsoft’s SFC to ensure that critical files maintain their integrity. Host log analysis tools were discussed with the focus being on the Windows Event Viewer, given its popularity and value to the majority of computers out there. Coverage was provided on recommended antivirus solutions and best practices regarding assessments. We also talked about reverse engineering tools for malware and applications so that we can better learn how applications and malware work. We ended the section talking about physical security tools because physical security is still king. Lock picks can be used to pick a lock as well as to assess the resistance a lock has to picking. We talked about RFID tools and how they need to be assessed given how the modern generation hacker can exploit RFID tags and chips that are scattered throughout our organizations. The last topic we discussed was IR cameras and how they need to be assessed to provide assurances that they can detect people walking around restricted areas in the dark.
10-ch10.indd 410
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
411
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Network Tool Types
PART III
• Port scanners are tools designed to scan one or more systems to determine which TCP/UDP ports are “open,” “closed,” or “filtered.” • The TCP 3-way handshake is the handshaking process conducted by the TCP protocol just before it connects to another computer. It is composed of a SYN, SYN/ACK, and then ACK. • Vulnerability scanners are programs designed to scan systems for weaknesses. • Protocol analyzers are tools (hardware or software based) that can be used to capture and analyze traffic passing over a communications channel, such as a network. • Security Content Automation Protocol (SCAP) is a protocol that employs existing open security standards in order to conduct vulnerability scans––while measuring and ranking the discovered vulnerabilities according to predetermined baselines. • Network enumerators scan systems and give us more details such as usernames, groups, shares, and audit options. • Fuzzers are testing tools used to find implementation bugs in software by submitting malformed or semi-malformed data to an application in an automated fashion. • HTTP interceptors capture web traffic between the source web browser and the destination website. • Exploitation tools/frameworks can exploit discovered vulnerabilities. • Visualization tools specialize in converting raw data into useful visual aids. • Log reduction filters out junk data while ensuring important data is brought into focus and analyzed. • Log analysis tools can help aggregate data, correlate it, and perform detailed reporting.
Host Tool Types • Password crackers are specialized tools designed to essentially “guess” passwords. • Host vulnerability scanners are designed to run on a specific host and look for vulnerabilities and misconfigurations on that host. • Command-line tools can be used to perform routine network troubleshooting in addition to security assessments.
10-ch10.indd 411
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
412
• Local exploitation tools/frameworks can exploit the vulnerabilities located on specific host computers. • SCAP tools utilize existing security standards for a unified approach to vulnerability assessments and measurements. • File integrity monitoring (FIM) ensures that operating system, application, and data files maintain their intended state. • Host log analysis tools focus on analyzing the logged content stored on a local computer. • Antivirus tools must be assessed for signs of tampering by malware aiming to disable the alerting/notification/real-time protection features of antivirus tools. • Reverse engineering is the process of disassembling a finished product or process into its building blocks in order understand how the outcome was achieved from start to finish.
Physical Security Tools • Lock picks can be used both to pick a lock and to test a lock’s resistance to lock picking. • RFID uses electromagnetic fields to track virtually anything, including technological assets, employees, patients, children, animals, smart appliances, and even car key fobs. • Infrared radiation (IR) cameras use infrared energy to form an image so that the camera can “see” in the dark.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Two of the main types of vulnerability scanners are: A. Host-based and port scanners B. Network-based and password crackers C. Switch port analyzers and host-based scanners D. Network-based and host-based scanners
2. When discussing protocol analyzers with your colleague, which of the following points are true? (Choose all that apply.) A. Are software based B. Are hardware based C. Place network interfaces in promiscuous mode D. Only work on switched networks
10-ch10.indd 412
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
413
3. Which of the following are common purposes for using protocol analyzers? (Choose all that apply.) A. To examine network traffic for duplicate IP addresses B. To find the source of an ARP spoofing attack in your network C. To look for unauthorized computers connected to your network D. All of the above
4. Which of the following is a dedicated network vulnerability scanner? A. Nmap B. Nessus C. Tripwire
5. After performing basic footprinting and fingerprinting exercises, you are ready to enumerate the network. Network enumerators scan the network and collect which of the following?
PART III
D. Iptables
A. Visible shares B. User accounts C. Visible services D. All of the above
6. As part of a security assessment, you want to test the strength of your passwords by using password crackers. Which of the following will try all possible combinations of characters up to a certain length? A. Brute-force attack B. Birthday attack C. Dictionary attack D. Rainbow table
7. Password crackers will get the most benefit from which of the following? A. Available memory B. Long dictionary files C. Solid-state drives D. A fast multicore processor
8. Before compromising a web application, you decide to perform a fuzzing attack first. What is the purpose of fuzzers? A. Sending random strings of text to input fields B. Forking multiple requests to test load-balancing capabilities C. Testing the strength of SSL ciphers in use D. Validating user-supplied input
10-ch10.indd 413
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
414
9. An HTTP interceptor will allow you to modify: A. Web requests on the server B. Data passing from the browser to the web server only C. Data passing from the web server to the browser only D. Data passing between the browser and the web server in either direction
10. Which of the following is a popular attack framework? A. Acunetix B. Metasploit C. Nmap D. John the Ripper
11. Which of the following is the correct sequence in the TCP 3-way handshake? A. SYN, ACK, SYN B. SYN, SYN/ACK, SYN C. SYN, SYN/ACK, ACK D. SYN, ACK, ACK
12. Which of the following is the typical sequence of a failed TCP 3-way handshake? A. SYN, FIN B. SYN, RST C. SYN, ACK, RST D. SYN, ACK, FIN
13. In order to conduct a port scan without the visibility of typical TCP connect scans, we will use Nmap’s SYN scan. The SYN scan is also known as which of the following? (Choose all that apply.) A. Stealth scan B. Smart scan C. Covert scan D. Half-open scan
14. Which protocols are used by ping and Tracert? (Choose all that apply.) A. UDP B. ECHO C. ICMP D. TCP
10-ch10.indd 414
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
Chapter 10: Security Assessment Tools
415
15. Before capturing traffic on a wired network with a protocol analyzer, which of the following are good practices? (Choose all that apply.) A. Installing the AirPcap adapter B. Putting the NIC in promiscuous mode C. Using a protocol analyzer that is compatible with your NIC’s chipset D. Injecting traffic as needed to trigger responses from network targets
16. IR cameras are most useful for which of the following scenarios? A. Discovering attackers in bright rooms B. Discovering attackers in dark rooms C. Discovering attackers through walls
17. Rainbow tables aid a password-cracking tool by providing which of the following capabilities? A. Brute-force cracking
PART III
D. Discovering attackers through sound
B. Dictionary cracking C. Reversing hashes into plaintext D. Birthday attacks
18. Which of the following are examples of file integrity monitoring tools? (Choose all that apply.) A. Tripwire B. System file checker (SFC) C. Nmap D. Event Viewer
19. To reduce the risk of lock picking, which mitigations could you consider implementing? (Choose all that apply.) A. Use lock picks to test your lock’s resistance to lock picking. B. Have a locksmith test the locks for you. C. Switch lock to a biometric door lock. D. Switch lock to a Bluetooth door lock. E. All of the above.
20. SIEM tools are designed to provide which of the following benefits? (Choose all that apply.) A. Aggregate logs from multiple sources B. Correlate logs from multiple sources C. Encrypt logs D. All of the above
10-ch10.indd 415
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 10
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
416
Answers 1. D. Network-based and host-based are the two main types of vulnerability scanners. 2. A, B, C. Protocol analyzers can be hardware or software based, plus they put NICs in promiscuous mode so they can capture more data. 3. D. Protocol analyzers can be used for all of these purposes. 4. B. Nessus is the only product here that is dedicated to vulnerability scanning. 5. D. Network enumerators may discover shares, user accounts, and services. 6. A. Brute-force attacks try all possible combinations of characters up to a certain length. 7. D. A fast multicore processor will provide the most benefit. 8. A. Send random strings of text at input fields. 9. D. Data passing between the browser and the web server in both directions. 10. B. Metasploit is the most well-known attacking framework. 11. C. SYN, SYN/ACK, ACK. 12. B. SYN, RST. 13. A, D. Stealth scan and half-open scan. 14. B, C. ECHO and ICMP. 15. B, C, D. Putting the NIC in promiscuous mode, using an analyzer compatible with your NIC’s chipset, and using carefully planned traffic injection. 16. B. Discovering attackers in dark rooms. 17. C. Reversing hashes into plaintext. 18. A, B. Tripwire and SFC. 19. E. All of these are good ideas. 20. A, B. Aggregate logs from multiple sources and correlate them.
10-ch10.indd 416
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CHAPTER
Incident Response and Recovery Procedures
11
This chapter presents the following topics: • E-discovery • Data breach • Facilitate incident detection and response • Incident and emergency response • Incident response support tools • Severity of incident or breach • Post-incident response
No matter how vigilant an organization is, security incidents will eventually occur. Organizations create incident response procedures in advance to prepare for this inevitability. Incident response is the set of procedures used to react to computer incidents. An incident is defined as anything that occurs outside the normal range. To effectively deal with computer incidents, several conditions are required. First, the concept of what’s “normal” for a system is necessary to understand. Second, the enterprise must have a set of planned responses in the form of procedures to use when the system departs from normal conditions. Without proper preparation, response, and recovery efforts, the actions necessary for incident response are unlikely to be enacted in an effective manner. Some incidents are criminal in nature; therefore, digital forensic investigations may need to be conducted. Evidence can be highly perishable, so incident response must be efficient and precise. Incident response procedures must include requirements for who collects, preserves, and analyzes the evidence. After all evidence requirements have been met, the incident response procedures must provide a process for restoring organizational functionality back to normal. There are many facets to incident response and recovery procedures, and you can count on this chapter to provide the necessary coverage on e-discovery, data breaches, incident detection and response, emergency response, support tools, incident severity, and post-incident responses.
417
11-ch11.indd 417
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
418
E-Discovery
E-discovery is the electronic discovery of evidence. Typically, this term is associated with civil procedures. As in most aspects of enterprise operations, proper preparation is the key to success. Preparation implies policies and procedures, and these items need to be addressed before their use becomes important. E-discovery is about producing records based on a subject, an event, a person, and so on. A common e-discovery request will ask for any documents, files, e-mails (in print or electronic form) associated with, for example, a person’s name, an order number, an event that occurred, or any other strange, non-indexed reference. The key point here is “non-indexed,” because we seldom manage our records in a manner associated with the e-discovery recovery request. EXAM TIP Incident response is the set of actions security personnel perform in response to a wide range of triggering events. These actions are vast and varied because they have to deal with a wide range of causes and consequences. Through the use of a structured framework, coupled with properly prepared processes, incident response becomes a manageable task. Without proper preparation, this task can quickly become impossible and rather expensive.
E-discovery is a task that does not scale well. In large organizations, e-discovery can pose a significant challenge. One of the driving factors behind the challenge is the 90-day clock. Most e-discovery periods are 90 days long, and failure to produce within the 90-day window can bring sanctions and penalties. The second issue becomes one of data size. In large companies with considerable quantities of information, specific information to a specific incident, order, or person, will represent a very small segment of the total information volume. Finding this information becomes a needle-in-a-haystack issue. Technology has come to the rescue in the form of specialized systems designed to assist in the archiving and indexing of e-mails, files, and other data sources. Indexing is done all the time in preparation for when it is actually needed. Because an e-discovery request may specify information in a manner that is different from its storage, one of the challenges is in finding all the relevant records. A request for all e-mails associated with Joe Smith may include the following:
• All e-mails sent by Joe • All e-mails received by Joe • All e-mails that mention Joe in the e-mail itself The first two are relatively simple with most modern mail systems. The last one is problematic—how do you find all the e-mails that mention Joe? This is where the skills of digital forensics can enter the picture.
Electronic Inventory and Asset Control Asset management deals with the management of assets of an organization. An asset is defined as any item of value to the enterprise, including information. It is essential for a company to identify, track, classify, and assign ownership for the most important assets.
11-ch11.indd 418
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
419
The main idea behind asset management is to ensure that the assets are protected, and the assignment of responsibility to a party on an asset-by-asset basis provides a means of accountability and ownership. In the case of information-based assets, the rules are no different and, in fact, possibly even more important. In the case of a physical asset, at least someone in the organization typically has some form of physical custody of the item. In the case of electronic information, data is more of an intangible asset, making direct control over custody more challenging. With the proliferation of mobile devices and remote workers, inventories and asset control have more ground to cover. Organizations are meeting this challenge head on with cloud-based mobile device management (MDM) products like VMware AirWatch and Microsoft Intune. MDM tools typically have the ability to perform the following tasks: PART III
• Perform hardware and software inventories • Deploy applications • Update operating systems and applications • Deploy configuration, conditional access, and compliance policies • Perform remote wiping • Provide endpoint protection EXAM TIP Using GPS or cell tower tracking, organizations can track the location of lost or stolen mobile devices in order to possibly repossess them, or send remote backup and remote wipe commands to protect the organization’s data interests.
Data Retention Policies A data retention policy dictates the systematic review, retention, and destruction of data in the enterprise. Data may not need to be stored indefinitely, and different types of data have different storage requirements. This policy should identify the requirements by data type of storage, both in terms of time and manner, as well as how data should ultimately be destroyed. Most business records have a limited business life, after which the cost of maintaining the data outweighs its usefulness. Countering this desire to eliminate undesired storage costs are the rules and regulations associated with specific data types. Contracts, billing documentation, and financial and tax records are normally prescribed to be kept for seven years after creation or last use. The requirements of data retention are often compelled by state and federal regulations. Laws such as Sarbanes-Oxley prescribe retention periods for specific accounting information. These laws were created in response to scandals that involved the destruction of crucial records to avoid adverse legal actions. In most circumstances today, in the event that data is shown to be destroyed or otherwise not made available to legal proceedings, judges can instruct juries to consider that the data did exist and that it could be considered damaging to the withholder’s case. One of the key factors used to determine what evidence is expected in a legal case revolves around the issue of data retention.
11-ch11.indd 419
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
420
Does a firm have a policy? Does it follow this policy? Is it reasonable with respect to laws and regulations? These are all factors in determining what data is reasonable to expect in a legal case. NOTE Data retention policies can play a key role in determining what information is expected to be produced in legal proceedings. Having a data retention policy that follows laws and regulations associated with information types, and one that is followed by the data owners, can help define what is reasonable to expect in terms of data production in a court case. Not following a retention policy (that is, not destroying data when permitted) can lead to having to produce more information in legal proceedings. Failure to uniformly follow a data retention policy can result in questions related to corruption in the case.
Data Recovery and Storage As the saying goes, there are two types of hard drives—the dead and the dying. The storage of data on physical devices is not a foolproof operation. In some cases, devices can fail, causing errors in the structure of the data storage system and making the stored data impossible to retrieve using normal operating system methods. Data recovery is the process of recovering data from damaged, failed, corrupted, or inaccessible storage devices when it cannot be accessed using normal data access methods. Data recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system. Specialized toolsets can rebuild the logical file system and, in extreme cases, can rebuild datasets from pieces recovered on damaged media. For instance, the data from a broken CD or DVD can be recovered and put on a fresh device. These are expensive and time-consuming tasks requiring special skillsets and tools and are typically not performed by most IT organizations, but rather are outsourced. Data storage strategies, including backups to provide for recovery in the event of primary storage failure, are foundational security elements in an enterprise. Distributing storage of data across an enterprise to provide redundancy and improved local performance can enhance operations, but also can have security implications. Security requirements need to follow the data, and distributing the data means distributing the requirements as well. There is a natural separation and sharing of responsibilities when it comes to data management. Data owners are responsible for determining data requirements in terms of access, lifetime, and usage. The security team is responsible for determining the controls necessary to protect the data per the business-determined protection requirements. The IT staff is responsible for the operational implementation of the business and security requirements with respect to logical and physical systems. As an example, the court case Oracle America v. Google required e-discovery of Google e-mails. Since organizations typically have retention and archival policies regarding corporate e-mail, Google was able to cooperate by providing all requested data.
11-ch11.indd 420
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
421
Data Ownership and Handling
Legal Holds
PART III
Assigning data owners and establishing responsibility for all custodial duties are key elements in managing an information asset. In most cases, these will not be performed by someone in IT because, although their responsibility may lie in activities such as backups and integrity management, the actual retention, sharing, and other decisions associated with the asset belong with the data owner. Data owners are typically department managers who make decisions on how certain data should be used and managed, whereas data custodians are the IT personnel who implement the decisions made by the data owners. Establishing data ownership responsibilities and aligning this with the direct business impact of the information will assist in making the proper data-handling decisions. Deciding who should have access to what specific elements of data is necessary before enforcing this requirement through rules such as access control or firewall rules. Data ownership usefully creates a single point of contact (POC) during incident response situations whenever timely advice is needed on specific data recovery efforts.
The excuse of “my dog ate my homework” didn’t work with your elementary school teacher, nor will the premature destruction of potential evidence sit well with the legal system. There may come a time when an attorney compels an organization to place a legal hold on specified data types to prevent deletion. A legal hold is a process that permits organizational compliance with legal directives to preserve all digital and paper records in anticipation of possible litigation. Any data retention policies that had previously earmarked legally requested data for destruction are immediately and indefinitely suspended until all relevant litigation has concluded. To ensure compliance with legal hold requirements, an e-discovery policy is created that includes detailed requirements on the legal identification, preservation, collection, processing, review, and production of requested information. It should also include specifications on tagging data with standardized legal labels to facilitate efficient organization, discovery, and recovery of the data required by the legal hold. As an example, an organization receives a letter from a law firm titled “Legal Hold Notice” with a description of “Do Not Destroy Stated Documents.” This letter then goes on to instruct the receiving organization to legally hold all required documents and suspend data destruction. Such records may include e-mails, writings, graphics, communications, graphs, sound, video tapes, photographs, discs, e-mails, calendars, and so forth. NOTE To be clear, legal holds do not guarantee that data will actually be collected. Its primary objective is to ensure that required data is available should it “need” to be collected.
Data Breach
A data breach is the release of information to an unauthorized party or environment. It is also referred to as a data leak, data leakage, information disclosure, or data spill. Any loss of control over data can be considered a breach until it is determined that the data cannot
11-ch11.indd 421
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
422
be obtained by an unauthorized party. Data breaches can be the result of an accident or intentional act. Any time that sensitive or protected information is copied, transmitted, viewed, stolen, or accessed by an unauthorized party, a data breach has occurred. Financial losses for data breaches can be in the millions, potentially hundreds of millions of dollars. For example, in November and December of 2013, 40 million Target customers had data from their credit and debit cards stolen by hackers. In response to this, Target hired a third-party forensics firm to investigate the crime. The investigation determined that the hackers stole a Target HVAC username/password, which allowed remote access to Target’s payment network. With these credentials, attackers loaded up malware on the point-of-sales (POS) terminals, which stole the financial data. It is estimated that the total cost of the Target breach was between 250 and 300 million dollars. When data breaches have been detected, an incident response team should implement the procedures described in an incident response plan, which typically includes the following stages:
• Discover and report • Confirm • Investigate • Recover • Lessoned learned These five stages of incident response will be covered in the “Incident Response Team” section, later in the chapter. NOTE Many states have data breach notification laws, the most famous being California Senate Bill 1386 (SB 1386). These laws stipulate the actions an enterprise must take in the event of a data breach. These activities include actions such as reporting and the notification of affected parties. One of the best defenses against the loss of control of information is in the process of encryption. A lost backup tape set being shipped offsite could be considered a breach, because a third party could examine the information if it came into possession of the lost data. If the backup set is encrypted, then a party encountering the set cannot examine the actual data. In many states, this is sufficient to prevent triggering the data breach law.
Detection and Collection The first step in incident response is detecting the incident. Detection may involve the examination of hardware and software alerts, surveillance cameras, various logs (such as system, application, and security logs), network traffic, error messages, and feedback from employees and customers. Also, if security baselines are in place, look for anything that indicates deviation. These initial efforts are important because detected incidents must be supported by evidence in order to substantiate a potentially worrisome and resource-intensive response process.
11-ch11.indd 422
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
423
If the individual (or individuals) responsible for detecting the incident is not on the incident response team (IRT), they must notify the IRT at once in order for the IRT’s first responders to report immediately to the incident scene. Members of the IRT often include a representative from the security, IT, and HR departments to balance out skillsets and responsibilities. IRT members will need to be able to ask and document the answers to the following questions:
• What type of event is this? • Is the event ongoing? • Which people, facilities, systems, and data are potentially affected? • Has the incident caused actual exposure/losses, or has it potentially done so? • Is a response necessary? PART III
Once you determine which system or systems were affected by a data breach, you should label the systems, interview all individuals with access to these systems, and leave the systems in their original power state. In other words, if it’s on, leave it on; if it’s off, leave it off. CAUTION Evidence collection can be severely impaired if the system’s original power state is changed. Leave it “as is” until the conclusion of the incident response process.
Evidence is highly perishable; therefore, you should begin collecting it as soon as possible. Shown here is a summary of sources from where evidence can be collected:
• E-mail • Smartphones • Computers • GPS devices • Visited websites • Social media • Wearables • Printers • Network appliances • IoT devices With all the information being collected, it can be challenging to determine which evidence is important and should be preserved. At this point, the safe bet will be to keep all of it until it is more carefully analyzed. More detail on evidence collection methods will be discussed later in this chapter in the “Incident and Emergency Response” section.
11-ch11.indd 423
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
424
After evidence has been collected, it needs to be analyzed. The manner of analysis will vary depending on whether it’s being performed by a professional computer forensic investigator or the organization’s security practitioner. In either case, the nature of the breach will need to be classified and a priority level assigned in order to ensure that the appropriate level of attention and resources are provided to the incident. Also, certain data details will need to be determined, such as any possible attacker tracks, timeline of activities, scope of compromise, and information about the attacker’s tools or techniques.
Mitigation and Response One should consider the fact that all stored data is subject to breach or compromise. Given this assumption the question becomes, what is the best mitigation strategy to reduce the risk associated with breach or compromise? Data requires protection when in three states: in storage, in transit, and during processing. The risk from each phase of the data life cycle differs due to several factors. Time is one factor; data tends to spend more time in storage, and hence is subject to breach or compromise over longer time periods. Data spends less time in transit and processing. Quantity is a second factor. Data in storage tends to offer a greater quantity to breach or compromise than that in transit, and even less in processing. If records are being compromised while being processed, then only records being processed are subjected to risk. The last factor is access. Different protection mechanisms exist in each of the domains, and this has a direct effect on the risk associated with breach or compromise. Operating systems tend to have very tight controls to prevent cross-process data issues such as error and contamination. This plays toward security as well. The next aspect of processing risk is within process access, and a variety of attack techniques address this channel specifically. Data in transit is subject to breach or compromise from a variety of network-level attacks and vulnerabilities. Some of these are under the control of the enterprise, and some are not. The gold standard to prevent data loss from breach or compromise is encryption. When properly employed, encryption can protect data during storage, in transit, and even during processing in some cases. Data that is encrypted no longer has direct value to an unauthorized party, for without the appropriate key there isn’t access to the data; all that is accessible are apparently random values. The purpose of encryption is not to make it impossible to obtain the data, but rather to increase the work factor involved to a level that makes obtaining the data not viable in either economic or time-based terms. Any sensitive information being sent over a network should be encrypted because the network cannot guarantee that unauthorized parties do not have access to data being transmitted across a network. For wireless networks, this is obvious, but the same issues can exist within a wired network with respect to unauthorized parties. Although HTTPS is far from perfect security, it does provide a reasonable level of protection for many Internet-based data transfers. The use of virtual private networking (VPN) technology expands this level of protection from World Wide Web–associated data transfers to the more general case of network transfer of data.
Minimize
Data minimization efforts can play a key role in both operational efficiency and security. One of the first rules associated with data is, don’t keep what you don’t need. A simple example of this is the case of spam remediation. If spam is separated from e-mail before
11-ch11.indd 424
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
425
PART III
it hits a mailbox, one can assert that it is not mail and not subject to storage, backup, or data retention issues. Because spam can comprise more than 50 percent of incoming mail, this can dramatically improve operational efficiency both in terms of speed and cost. This same principle holds true for other forms of information. When a credit card transaction is being processed, there are data elements required for the actual transaction, but once the transaction is approved, they have no further business value. Storing this information provides no business value, yet it does represent a risk in the case of a data breach. For credit card information, the rules and regulations associated with data elements are governed by contract and managed by the Payment Card Industry Data Security Specification (PCI DSS). Data storage should be governed not by what you can store, but by the business need to store. What is not stored is not subject to breach, and minimizing storage to only what is supported by business need reduces the risk and cost to the enterprise. Minimization efforts should begin before data even hits a system, let alone before a breach occurs. During system design, the appropriate security controls are determined and deployed, with periodic audits to ensure compliance. These controls are based on the sensitivity of the information being protected. One tool that can be used to assist in the selection of controls is a data classification scheme. Not all data is equally important, nor is it equally damaging in the event of loss. Developing and deploying a data classification scheme can assist in preventative planning efforts when designing security for data elements.
Isolate
Whenever you read about wildfires, responders are always quick to point out the fire’s containment level. In other words, what percentage of the fire is surrounded by a barrier—as in no longer expected to spread? The ultimate goal is 100 percent containment. Data breaches are much like a fire in that once they occur, it is paramount that the breach be contained, or, as they say in security parlance, isolated. The method of isolation depends on the nature of the security breach. Isolation techniques may include the following:
• Disconnect affected computers. • Disconnect affected communication device(s). • Isolate and encrypt all mission-critical data on affected systems. • Change passwords on affected systems. • Quarantine affected computers into a “containment VLAN.” CAUTION It is important to note that isolation of an issue is not a resolution but rather a step toward resolution. Once the issue is isolated, you will be able to focus on eradication of the data breach’s cause.
Recovery/Reconstitution Recovery efforts from a data breach involve several specific elements. First, the cause of the breach needs to be determined and resolved. This is typically done through an incident response mechanism. Second, the data, if sensitive and subject to misuse, needs to
11-ch11.indd 425
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
426
be examined in the context of how it was lost, who would have access, and what business measures need to be taken to mitigate specific business damage as a result of the release. This may involve the changing of business plans if the release makes them suspect or subject to adverse impacts. A key aspect in data breaches and many incidents is that of external communications. It is important to have a communications expert familiar with dealing with the press, with the language nuances necessary to convey the correct information and not inflame the situation. Many firms attempt to use their legal counsel for this, but generally speaking the precise language used by an attorney is not useful from a PR standpoint; therefore, a more nuanced communicator may provide a better image. In many cases of crisis management, it is not the crisis that determines the final costs but the reaction to and communication of details after the initial crisis. A recent case in point was a breach of Zappos, an online shoe vendor. Its response was so nuanced that the story turned from a breach story into a “how Zappos handled their customers” story—truly a win for the firm during the crisis.
Disclosure After a data breach has been fully resolved, it is time to disclose all relevant data breach details to business stakeholders, which may include your immediate manager, senior management, and human resources, in addition to team leads from various departments. An incident response report form will be filled out that documents various incident information, including the following:
• Incident identification information Includes responder’s name, title, contact information, location, and time of incident • Summary of incident Includes type of incident detected, such as DOS, malware, unauthorized access, and so on • Notification Includes parties that were notified, such as HR, senior management, legal counsel, and public affairs • Actions Includes detection measures, isolation measures, evidence collected, eradication measures, and recovery measures • Follow-up Includes self-assessment of response compared to prescribed procedures, plus recommendations for future responses
Facilitate Incident Detection and Response
When a data breach occurs, the firm must be ready to respond immediately. The time to formulate plans and procedures was before the event because many factors will be driving timelines, including the business risk associated with the data loss, customer pressure, and regulatory pressure. The actions will, in most cases, be performed as part of the incident response action, but it is important to realize that breaches are separate from incidents. An incident may include a breach, but some incidents do not. By definition, any breach is an incident. Incident response teams (IRTs) are focused on the incident and follow mostly technical steps to limit the damage and return everything to a normal
11-ch11.indd 426
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
427
PART III
operating state. A data breach has an independent life of its own and may last longer than a typical incident. Part of the reason for the extended timelines involves regulatory steps and notification of customers and regulatory groups. Detection begins with the point in time where the incident is discovered and it becomes a breach because of the nature of the incident. This is a data collection effort involving how the incident occurred, what data is known to be involved (even preliminary information), and what systems are involved. From this data, the next efforts are to identify system and data owners so that they can be notified and included in the planning of remediation and repair. Frequently this will involve personnel from the business that are directly affected and the appropriate IT staff associated with the involved systems. Mitigation efforts are the immediate countermeasures performed, including the disconnecting of the leak. Stopping the leak while in progress can reduce the loss and risk. If personally identifiable information (PII) or personal health information (PHI) is being posted publicly, removing this public posting can reduce the temporal component of the exposure, also potentially reducing the risk. Concurrently with the mitigation efforts, the evaluation efforts can commence. Evaluation efforts include work performed to determine what has actually happened, how much has been disclosed, and what systems are at risk. This information is used to prioritize the response actions. The response stage includes the actions necessary to resolve the breach, restore the involved systems, and perform the appropriate notifications.
Internal and External Both internal and external parties are involved in data breach issues. If external customer information is compromised, the external customers will need to be notified and, in some cases, receive assistance with respect to their risk. It is not uncommon for a firm to offer credit-monitoring services to affected external entities. Internal entities have risks as well. If customer data is compromised, such as customer login information, the internal systems need to take this into account and manage the business expectations concerning how to address this. In some cases, it would be the disabling of an account. In others, it might be a wholesale change of login credentials. Breaches can be the result of both internal and external actors. By convention, all access to systems is via accounts associated with internal entities. Different accounts have different levels of access associated with the business requirements of the account holder. For obvious reasons, system administrators, database administrators, and other key users have wide-sweeping access capability, making their accounts attractive targets for unauthorized use. If the account holder of one of these accounts performs unauthorized activity, the damage can be severe. It is important to more closely monitor accounts with greater levels of access to provide appropriate levels of protection. An insider user has a couple of advantages over outside adversaries. First, they already have account access on a system. Second, in the case of power accounts, such as admin accounts, they have significant breach capability. Most importantly, the insider typically has a level of internal knowledge associated with the information necessary for exploitation. An outsider who wishes to obtain information needs to acquire access to the system via credentials as well as have an understanding of where the desired information is stored and how it can be obtained.
11-ch11.indd 427
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
428
Criminal Actions The primary goal behind preparing for incident response is the successful and efficient handling of the incident, including returning the system to a proper operating condition. In the case of dealing with criminal actions, additional steps may need to be taken to ensure that legal actions against the criminal are not precluded by the incident response team’s desire to return the system to a normal operating condition. Successful prosecution of a criminal will rest upon evidence that is presented in court. This evidence will be subject to challenge by the defense attorney; if any “issues” are associated with the fidelity of the data collection effort, in most cases the evidence will be suppressed or not allowed. The best way to obtain criminal evidence is to let law enforcement collect the evidence. Any time evidence is used in legal proceedings, either criminal or civil, one of the challenges will be to the chain of custody. Because evidence can be altered or tampered with, it needs to be controlled from the time of collection until the time of use in legal proceedings. This control is in the form of a documented chain of custody that can detail where the evidence has been and who has done what with it every moment, from collection to court.
Hunt Teaming They sometimes say in sports that the best defense is a good offense. Traditional security processes concentrate on locking down the defense. Hunt teaming takes the opposite approach of focusing on what the offense is doing. Hunt teaming is a comprehensive process of security teams seeking out any signs of attack against the organizational network. Security teams will search for signs of compromise, which may include unusual changes to audit logs, locked-out accounts, malware backdoors, changes to critical files, and slow Internet or devices—not to mention keeping an eye out for strange administrator account patterns or any signs of unapproved software and network traffic. The key to hunt teaming is being proactive. By looking at all attack vectors for signs of malicious activities, organizations may reveal anomalies that might’ve been missed had they maintained the more typical reactionary security posture. The danger with solely relying on reactive solutions is that they block, alert, or log malicious activities after they come knocking. Although such outcomes are desirable, a more offensive approach might have eliminated the threat before it got a chance to attack. Hunt teaming converts the organization from the hunted to the hunter. EXAM TIP Although both hunt teaming and penetration testing are considered “offensive security,” they are very different. Penetration testing involves simulating an attack against the network, whereas hunt teaming merely hunts down signs of attackers and attacks.
Behavioral Analytics Behavioral analytics is the process of measuring and identifying how entities typically act, or behave, and later comparing these measured behaviors to future samples to potentially spot deviations. For example, if a website typically receives 1,500 hits per hour, and then increases to 2,500 hits per hour, this change of behavior could indicate either a distributed
11-ch11.indd 428
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
429
denial of service attack (DDOS) or a healthy increase in traffic levels due to increased brand awareness. Our job is not only to capture the typical and atypical behaviors, but to decide whether the causes and effects are malicious, desirable, or unremarkable. Since networks are always changing, patience and discipline must be exercised in order to refrain from flagging every measured deviation as signs of malicious activity. Yet, don’t overlook deviations either. Hidden beneath the surface may be an attack in progress.
Heuristic Analytics
PART III
Unlike behavioral analytics, which focuses on measuring, comparing, and analyzing a set of before and after data points, heuristic analytics intelligently gathers data points from various host and network data sources within a specific environment. It then scores each of these data points relative to one another to determine if the entity is threatening, potentially threating, or not threatening in nature. Antivirus, intrusion detection systems, and intrusion prevention systems frequently utilize heuristic capabilities in order to spot zero-day or unknown attack vectors that would go unnoticed by signature-based detection measures.
Establish and Review System, Audit, and Security Logs System administrators should enable logging on all significant systems so that data can be collected as to system performance and operation. This same data will be useful during an incident because anomalies in this data can provide evidence of abnormal activity, its source, and its cause. A basis of understanding “normal” in an enterprise system is an essential element in determining that an incident has occurred. The incident response team will need to examine data to determine what happened, what systems were affected, and the extent of the damage. One of the main sources of information will come from log files. Enabling logging is not sufficient on its own. Log files have no value unless their contents are examined, analyzed, and acted upon. With a myriad of log files across the enterprise, an automated solution to log file collection and analysis is necessary in most enterprises. Security tools exist that permit the monitoring of large log file systems, including the automated generation of alerts based on a complex set of rules. Security information event management (SIEM) is the name of this class of device. SIEMs are database structures designed to assist the security operators in determining what systems need attention and what aspects need further investigation. SIEM solutions are a critical component of automated security systems used in continuous monitoring, as described in Chapter 9. These systems act as a centralized hub of security information, providing the security personnel the information associated with the status of systems, controls, and security-related activity.
Incident and Emergency Response
Incident response is a term used to describe the steps an organization performs in reaction to any situation determined to be abnormal in the operation of a computer system. The causes of incidents are many—from the environment (storms), to errors on the part of users, to unauthorized actions by unauthorized users, to name a few. Although the
11-ch11.indd 429
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
430
causes may be many, the results can be organized into classes. A low-impact incident may not result in any significant risk exposure, so no action other than repairing of the broken system is needed. A moderate risk incident will require greater scrutiny and response efforts, with a high-level risk exposure incident requiring the greatest scrutiny. To manage incidents when they occur, a table of guidelines for the incident response team needs to be created to assist in determining the level. Two major elements play a role in determining the level of response. Information criticality is the primary determinant, and this comes from the data classification effort discussed earlier and the quantity of data involved. The loss of one administrator password is less serious than the loss of all of them. The second factor involves a business decision on how this incident plays into current business operations. A series of breaches, whether minor or not, indicates a pattern that can have PR and regulatory issues.
Chain of Custody As they say, the burden of proof is on the accuser. If a suspect of an organizational attack is brought to trial, the prosecution must prove the suspect’s guilt rather than the defense prove the suspect’s innocence. However, evidence must survive the long and perilous journey to court to be of any value to the prosecution. If there are any signs of tampering or contamination of evidence from its collection to presentation in court, it will be deemed inadmissible. As you would expect, this could destroy the prosecution’s case and allow a guilty attacker to go free. In order to prevent early dismissal of evidence, a legally defined chain of custody process must be followed by all collectors and analysts of evidence. Chain of custody is a detailed record of evidence handling from its collection, preservation, and analysis, to presentation in court and disposal. It documents who handled the evidence, the time and date of its collection, any transfers between parties, and the reason behind the transfer. The evidence itself can be collected for many crimes, including the following:
• Computer fraud • Network intrusion • E-mail threats and harassment • Software piracy • Telecommunications fraud • Identity theft EXAM TIP Chain of custody can maintain many types of evidence in computer crimes, including digital data, paper effects, internal and external storage devices, photographs, e-mails, GPS tracks, captured audio/video, telephone systems, audio recorders, pagers, MP3 players, multifunction machines, and more. Be sure that any evidence you collect, transport, and analyze is following all predefined legal procedures to maximize its chances of admissibility.
11-ch11.indd 430
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
431
Digital Forensics Digital forensics is the application of scientific methods to electronic data systems for the purposes of gathering specific information from a system. If this information is to be relied upon, it needs to be accurate. Digital forensics began in the law enforcement realm, but civil cases and e-discovery have resulted in significant civil applications. The key to forensics is the application of a structured, step-by-step, documented process for both data collection and analysis. The admission of scientific evidence in court is governed by either the Frye Standard or, in federal court, the Daubert Standard. The majority of U.S. courts have adopted a form of Rule 702 of the Federal Rules of Evidence, which follows:
• The expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue • The testimony is based on sufficient facts or data • The testimony is the product of reliable principles and methods • The expert has reliably applied the principles and methods to the facts of the case
PART III
RULE 702. TESTIMONY BY EXPERT WITNESSES A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
The forensic handling of electronic evidence is not dissimilar to that of normal forensic evidence handling. The primary purpose behind the strict procedures is to prevent any alteration of the evidence that could occur as part of collection or processing. In the case of digital evidence, this is especially true, because any action performed through the operating system can result in the alteration of data on the system—potentially changing or deleting the evidence that is sought. For this reason, once a decision is made that a machine needs to be subjected to forensic analysis, it is best to use trained personnel and not just have a system administrator log on and examine the system. The sensitivity to undetectable alteration, deletion, or creation of data makes clearly defining contents per a point in time difficult in digital systems. As described in an earlier section, a legal hold represents an order to preserve data in an unaltered state from a given point of time. For practical reasons, a litigation hold request needs to specify the range of data requested. Requesting that all data be preserved would require offline storage of the entire system and all its data, which except in the smallest of enterprises becomes time consuming and expensive.
Digital Forensics Process To ensure the trustworthiness of digital forensics results, a repeatable process needs to be followed. The following nine steps comprise a standard digital forensics process model: 1. Identification The recognition of an incident from indicators and a determination of its type 2. Preparation The preparation of tools, techniques, search warrants, and monitoring authorizations and management support
11-ch11.indd 431
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
432
3. Approach strategy The development of a strategy to use in order to maximize the collection of untainted evidence associated with the goal of the investigation 4. Preservation The isolation, securing, and preservation of the state of physical and digital evidence 5. Collection The recording of the physical scene and duplicate digital evidence using standardized and accepted procedures 6. Examination An in-depth systematic search of evidence relating to the goals of the investigation 7. Analysis The determination of the significance, the reconstruction of fragments of data, and the drawing of conclusions based on evidence found 8. Presentation The preparation of the summary and explanation of conclusions 9. Returning of evidence Steps to ensure both physical and digital property are returned to the proper owners
As the investigation moves through these steps, two things happen. As you progress, the quantity of data decreases and the relevancy of the retained data increases with respect to the total volume of data. When digital evidence is being collected, it is important to use proper techniques and tools. The use of write blockers when making forensic copies, hashing and verifying hash matches, documenting, handling, as well as storing and protecting media from environmental change factors, are some of the key elements. The tools for making forensic copies (or bit-by-bit copies) are different from normal backup utilities and are important to employ correctly to get hidden partitions, slack and free space, and other artifacts. The detail necessary points to either using specially trained personnel or outsourcing the work to a forensics specialty firm.
Making a Working Copy
Because digital information is so easy to alter, the original data is never used for analysis. A forensic copy is made of all original media. In some cases, two copies are made to facilitate analysis because most duplication equipment can make two copies in the same amount of time as one. Assuming that the original media needs to be returned to use, one of the copies will serve as the original and the second copy as a working copy. Before any analysis is performed, a new working copy can be created to preclude any analysis of the original media. The steps are as follows: 1. The original data is hashed and the hash value is recorded. 2. The original media is copied, bit by bit, and a hash of the copy is generated. If the hashes match, the copies match. 3. The copy is now used to make working copies, with hash verification before each analysis to ensure the copy is valid.
11-ch11.indd 432
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
433
Digital forensics is a large topic; therefore, it would be impossible to provide complete coverage of it in one section alone. However, shown next are some general best practices to consider when performing digital forensic response procedures:
Privacy Policy Violations
PART III
• Capture the disk image. • Capture memory contents. • Capture network traffic/logs. • Capture video evidence. • Record time offset as compared to GMT time zone. • Generate hashes. • Create screenshots. • Identify witnesses of evidence collection and veracity. • Track man hours and expenses for billing and damage assessment purposes.
Privacy is a separate issue from security, but it shares many traits and foundational elements. You can have security without privacy, but you really can’t have privacy without a foundation of security. Privacy is the exercise of control over what other entities know about you. In the normal course of business, there can be significant amounts of information that a user wishes to be private (not spread beyond immediate business use). Examples include financial information, medical information, plans for future events, and so on. Whenever data breaches result in privacy impact, it can kick off mandatory notification procedures to the victims. Not to mention, the failure of an organization to secure the information it has been entrusted with can lead to lawsuits, fines, government investigations, and bad publicity. All of these outcomes are negative and can lead to business impairment. Personally identifiable information (PII) and personal health information (PHI) are two common kinds of privacy data that may be held by a firm. To ensure that this form of data is properly safeguarded, a privacy impact assessment (PIA) should be performed. The purpose of the PIA is to determine the risks associated with the collection, use, and storage of PII. The PIA should also examine whether the proper controls and safeguards are in place to protect PII from disclosure or compromise. EXAM TIP A PIA will examine people, process, and technology factors with respect to the proper safekeeping of PII. Any time significant changes occur in systems, business operations, or people, a new PIA needs to be conducted to ensure continued protection.
11-ch11.indd 433
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
434
Continuity of Operations Although continuity of operations could be used in a corporate context (which negates the more contextually accurate terminology of business continuity plans and disaster recovery plans), this section will focus on its more literal government and public usage. A continuity of operations plan refers to an organization’s processes for maintaining functionality in the event of a serious event—only the organization we’re referring to here is the government. Business continuity plans and disaster recovery plans have a reduced scope in that they focus on maintaining continuity of operations for private sector organizations—which are mostly driven by profit. Yet the government has to concern itself with public disaster recovery plans for the health and safety of its people during adverse events. For example, when hurricanes are forecasted to land at certain coastlines, state and federal government officials enact continuity of operations plans to allocate emergency resources and shelters as well as enact evacuation protocols to protect the public from the impending storm. This also includes the subsequent recovery and funding efforts following the disaster. NOTE Continuity of operations plans are typically made up of certain components, including protecting essential functions and key personnel, providing alternate work sites, establishing communications plans, training, testing, and exercises, and protecting vital records, systems, and equipment.
Disaster Recovery Disaster recovery involves the policies, staff, tools, and procedures to enable the timely recovery of an organization’s technological infrastructure from disruptive events. Yet, disasters seldom happen, so organizations often don’t pay much attention to them until a disaster catches them off guard. Recent acts of terrorism, hurricanes, tsunamis, and stronger compliance laws have helped create a greater sense of urgency regarding worse-case scenario planning. Disaster recovery plans are created to drive the requirements and technological implementations to successfully recover an organization from a disaster event. Disaster recovery must account for many technological areas, including the following:
• Computer emergency response plan This includes communication processes and recommended actions during computer emergencies. • Succession plan Describes next-in-command leadership if immediate leadership is not available. • Data Describes all important data and classifications. • Critical services Describes all mission-critical services and the priority order in which they should be restored. • Restoration timelines Describes recovery time objectives for various disaster events. • Data backup/restoration plan Describes the data that is backed up, backup media and location, backup frequency, and recovery methods and timelines.
11-ch11.indd 434
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
435
• Equipment replacement plan Describes which equipment is most needed as well as where to acquire that equipment in the event of losses. • Public/notification management Details the process for notifying the media of adverse events that are of public interest.
Incident Response Team
PART III
Although the initial response to an incident may be done by an individual, such as a system administrator, the complete handling of an incident typically takes an entire team. An incident response team is a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations. A computer security incident response team is typically formed of key members that bring a wide range of skills to bear in the response effort within an organization. Incident response teams are common in corporations as well as in public service organizations. Incident response team members ideally are trained and prepared to fulfill the roles required by the specific situation (for example, to serve as incident commander in the event of a large-scale public emergency). Incident response teams are frequently dynamically sized to the scale and nature of an incident. As the size of an incident grows, and as more resources are drawn into the event, the command of the situation may shift through several phases. In a small-scale event, or in the case of a small firm, usually only a volunteer or ad-hoc team may exist to respond. In cases where the incident spreads beyond the local control of the incident response team, higher-level resources through industry groups and government groups exist to assist in the incident. To function in a timely and efficient manner, ideally a team has already defined a protocol or set of actions to perform to mitigate the negative effects of most common forms of incidents.
Types of Incident Response Teams
The various types of incident response teams (IRTs) are as follows:
• Central IRT Handles all incidents for the organization, which is usually either a small organization or one that is centrally located. • Distributed IRT Responsible for a logical or physical segment of the infrastructure, usually of a large organization or one that is geographically dispersed. • Coordinating IRT A combination of central IRT and distributed IRT. Generally, the central team provides guidance to distributed IRTs, develops policies and standards, and so on. The distributed team manages and implements incident response activities within its area of responsibility. • Outsourced IRT A type of IRT that may be fully or partially outsourced. Typically, this is found where technical resources are not available locally.
11-ch11.indd 435
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
436
Discover and report
Figure 11-1 Incident response cycle Lessons learned
Recover
Confirm
Investigate
Many models exist for the steps to perform during an incident. One model is the fivestep incident response cycle shown in Figure 11-1. Here are the five key steps: 1. Discover and report Organizations should administer an incident-reporting process to make sure that potential security breaches as well as routine application problems are reported and resolved as quickly as possible. Employees should be trained on how to report system problems. Almost all incidents are first discovered by users finding abnormal conditions. The proper reporting of these observations begins the process. 2. Confirm Specialists or incident response team members review the incident report to confirm whether or not a security incident has occurred. Detailed notes should be taken and retained because they could be critically valuable for later investigation. Incidents are classified as Low, Moderate, or High, and this information is used to prioritize the initial response. 3. Investigate An incident response team composed of network, system, and application specialists should investigate the incident in detail to determine the extent of the incident and to devise a recovery plan. The composition of this team is incident specific. 4. Recover The investigation is complete and documented at this point in time. The cause of the incident has been addressed and steps are taken to return the systems and applications to operational status. 5. Lessons learned Also known as the after-action report (AAR), this is the postmortem session designed to collect lessons learned and assign action items to correct weaknesses and to suggest ways to improve.
The key to incident response is having a plan previously established. Key individuals should be trained, and the plan needs to be tested before it is used in an incident response. A good plan lays out the following:
11-ch11.indd 436
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
437
• What needs to be done (in a step-by-step fashion) • Who needs to do it (and hence be trained) • An analysis of communications and other senior management activities
Order of Volatility The collection of electronic data can be a difficult task. In some cases, such as volatile data, there may only be one chance to collect it before it becomes lost forever. Volatile information such as the RAM can disappear in a matter of nanoseconds; therefore, data collection should occur in the order of volatility or lifetime of the data. Here is the order of volatility of digital information in a system from most-to-least volatile: 2. Routing tables, ARP cache, process tables, kernel statistics 3. Memory (RAM) 4. Temporary file system or swap space
PART III
1. CPU, cache, and register contents
5. Data on hard disk 6. Remotely logged data 7. Data stored on archival media or backups EXAM TIP Some great tools for collecting volatile data include FTK imager, Volatility, Autopsy/Sleuth Kit, and EnCase/Digital Intelligence.
Incident Response Support Tools
When responding to a security incident, you will call upon certain software tools to gather information about the incident in order to implement appropriate mitigations. Although the following are by no means all the tools you’ll use in the industry, the CASP+ exam requires knowledge of them in particular:
• dd • tcpdump • nbtstat • netstat • nc (Netcat) • memdump • tshark • foremost
11-ch11.indd 437
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
438
dd One of the inherent advantages of digital forensics is the simplicity of making copies of evidence. This permits analysis of the copy without affecting the original. According to its man page, dd is used for converting and copying files. It is a well-known Unix/Linux command-line tool often used in forensics for capturing raw images of files, folders, partitions, and drives. Typically, a disk-level image is made so that all data is available at one time for analysis during a data breach. The following is an example of cloning one hard drive to another: dd if=/dev/sda of=/dev/sdb
The dd tool is capable of many operations. For more information about dd capabilities, take a look at the help file shown in Figure 11-2.
Figure 11-2 Example of dd
11-ch11.indd 438
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
439
An enhanced version of dd was created, called dcfldd, that adds new capabilities— some of which benefit forensic operations, including the following:
• Multiple output files • Split outputs • Hashing on the fly • More flexible imaging • Displaying the progress of operations
tcpdump PART III
The tcpdump command-line tool is commonly used on Unix/Linux operating systems to capture network packets transferred over networks. Typically, you’ll want to run it in “monitor mode” for a particular interface so that you can start capturing and displaying live network traffic, as shown in Figure 11-3. As another example, to capture traffic from a specific port, use the following command: tcpdump -i eth0 port 22
Figure 11-3 Example of tcpdump
11-ch11.indd 439
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
440
nbtstat Also known as NetBIOS over TCP/IP, the nbtstat tool allows troubleshooting of NetBIOS-related issues by displaying TCP/IP connections and protocol statistics based on NetBIOS network activity. NetBIOS, which stands for Network Basic Input/Output System, is a legacy Microsoft service that permits older applications based on the NetBIOS application programming interface (API) to communicate with each other within a local area network (LAN). It was designed in the early 1980s and occupies the fifth layer of the OSI model (the Session layer). See Figure 11-4 for an example of output showing the local computer name and domain/workgroup membership. To troubleshooting NetBIOS name resolution issues, nbtstat provides the following commands:
• nbtstat -c Lists contents of NetBIOS name cache and IP addresses • nbtstat -n Lists locally registered NetBIOS names • nbtstat -r Lists all names resolved by Windows Internet Naming Service (WINS) and through broadcasting • nbtstat -R Purges and reloads the remote cache name table • nbtstat -s Lists current NetBIOS sessions, status, and statistics • nbtstat -S Lists sessions table with destination IP addresses
Figure 11-4 Example of nbtstat
11-ch11.indd 440
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
441
netstat Netstat, which stands for network statistics, is a command-line tool designed to display generalized network connections and protocol statistics for the TCP/IP protocol suite. Available in Windows, Unix, Linux, and macOS operating systems, this utility can display TCP/UDP listening ports, established connections, Ethernet statistics, and routing protocol table information, and it supports many command filters. The following are some sample netstat command switches:
PART III
• netstat -a Displays all connections and listening ports • netstat -b Displays the application/service executable file responsible for creating connections or listening ports • netstat -e Displays Ethernet statistics • netstat -f Displays fully qualified domain names (FQDNs) for destination addresses • netstat -n Displays addresses and ports in numerical form • netstat -r Displays the Windows routing table • netstat -s Displays per-protocol stats See Figure 11-5 for an example of netstat showing listening ports and established connections.
Figure 11-5 Example of netstat
11-ch11.indd 441
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
442
nc (Netcat) Often referred to as the “Swiss army knife” utility, nc (or netcat, as its sometimes known) is a Unix/Linux command-line tool designed to connect to or host various types of network connections with other systems. Equally capable of running in “server mode” to host connections or in “client mode” to connect to servers, nc is also capable of performing port scanning, file transfers, listening on ports, and being set up as a backdoor for remote connectivity. The following is an example of a command that demonstrates how to connect to a server called fileserver1.example.com on port 25: nc fileserver1.example.com 25
For an example of setting up nc in listening mode for port 1234, refer to Figure 11-6.
memdump Evidence of data breaches is often found in physical memory—yet data residing in memory is highly volatile. Plus, data is easier to analyze when dumped from memory to a less-volatile and robust storage medium. Enter memdump, a Linux command-line tool that can dump physical and kernel memory contents to both local storage and network locations—the latter of which is the preferred method in order to prevent changing all the memory in the file system cache. The following are examples of memdump switches:
• -k Dumps kernel memory instead of physical memory • -b Specified buffer size per memory read operation
Figure 11-6 Example of nc
11-ch11.indd 442
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
443
• -d Specifies number of memory bytes to dump • -v Enables verbose logging of memory dump TIP A great alternative to memdump is the DumpIt utility, which is often paired with the Volatility framework for memory dump/analysis processes.
tshark
tshark -i eth0
PART III
For a command-line version of Wireshark, take a look at tshark. The tshark utility is a network protocol analyzer that captures network traffic from a live network. It can also read packets that were previously captured and saved into capture files. It supports the PCAP file format, which is also supported by Wireshark and tcpdump. The following is an example of tshark capturing traffic on the eth0 interface: In Figure 11-7, you’ll see some sample tshark output.
Figure 11-7 Example of tshark
11-ch11.indd 443
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
444
Foremost Foremost is a forensic data recovery command-line tool used on Linux, primarily for law enforcement to recover deleted or corrupted data from drives. It can work on disk image files created by dd, Safeback, and EnCase, plus work with the local hard disks directly. Despite its forensics leaning, it can also be used for general data recovery operations. Using a process known as “file carving,” foremost is able to skip past the file system to recovery files and load them into memory. It can recover files from the following file systems:
• Ext3 • NTFS • FAT file systems • iPhone file system Let’s say you want to recover a recently deleted JPEG file. Here is one of the commands you would type: foremost -t jpeg -i /dev/sda1
Severity of Incident or Breach
Whenever an incident or breach occurs, organizations have to respond with an appropriate level of resources and urgency. The severity of an incident will govern how aggressively we respond, just as our earlier assessment of risks, threats, and vulnerabilities resulted in proactively implementing the very security controls aimed at preventing incidents such as these. Incidents are the price we pay for being unable to adequately mitigate those factors. To respond to an incident, we need to know what we’re dealing with in terms of the scope of the incident, its impact to the organization in terms of downtime and costs, plus the legal ramifications. This section provides coverage of each of these topics.
Scope The scope defines the extent of an area affected or how widespread an incident or breach is. For example, is one person unable to log into the domain controller, a whole department, or the entire organization? Along with impact, scope needs to be one of the first two things understood early on in order to properly prioritize detection, escalation, mitigation, and recovery procedures. An incident that only affects one person will typically garner a comparatively abridged response, as opposed to incidents that affect dozens of workers.
Impact Even more important than scope is the impact of an incident. Impact defines the effect of an incident on business processes. For example, an entire department is unable to log into the domain controller and therefore cannot access any company applications. The scope of the issue is one department; however, nobody in that department can work. Therefore, the incident’s impact is quite serious.
11-ch11.indd 444
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
445
EXAM TIP If the scope of an incident increases, so does the resulting impact.
Cost Security incidents can be very expensive, particularly when they affect mission-critical assets. Calculating the cost of incidents can be tricky due to the number of direct and indirect cost factors to consider, such as losing customer data, company downtime, and legal fees. Then there’s the cost of hiring forensic investigators, compromised trade secrets, and even the cost of damaged reputations. The cost of incidents is also affected by the following factors: PART III
• Industry your organization belongs to Security breaches in the medical field are the most expensive, followed by financial services and media. • Region For economic and cost of living reasons, certain regions have an inherently more expensive data breach potential than others. The U.S. and Canada lead the way in being the most expensive regions for data breaches. • Containment How quickly an organization responds to a breach can significantly impact the final cost of the breach. EXAM TIP For a more accurate and efficient calculation of costs, it helps to know the value of the assets prior to a breach. Determining asset value was talked about in Chapter 3.
Downtime Businesses are going to experience some downtime throughout the months, quarters, and years. Maintaining 100 percent availability is quite rare, with costs not typically outweighing the benefits. The trick is managing and delivering on expectations in terms of the amount of planned and unplanned downtime customers can expect during a given period of time. This is typically indicated in the organization’s service level agreement (SLA). Businesses spend a lot of money ensuring they fulfill their availability requirements because when a serious incident knocks the organization offline, it also might knock down the reputation of the business an expensive peg or two. This is why organizations must aggressively produce and reinforce business continuity plans and disaster recovery plans. For more information about downtime, see Chapter 5.
Legal Ramifications During incidents and breaches, organizations must fear not only the customers’ wrath but also any potential legal consequences. Depending on the organization’s level of negligence, it can receive stiff fines, penalties, or in extreme cases jail time for executives. Although states have notification laws compelling organizations to notify affected customers of data breaches, many organizations suppress notifications by covering up attacks.
11-ch11.indd 445
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
446
Companies know all too well that they can do everything right in terms of security and privacy management, yet it only takes one big hack to deal a death blow to their ability to survive. The following are some other consequences experienced as a result of data breaches:
• Reduced reputation • Reduced competitive capabilities • Reduced customer trust • Reduced revenue CAUTION Compliance violations can sting. HIPAA violations can cost up to $50,000 per violation or record. GLBA can penalize financial institutions with up to five years’ imprisonment, steep fines, or both. Fines can reach $100,000 for each violation. Officers and directors can be fined up to $10,000 each.
Post-Incident Response
Just when you thought you were all done putting out the big fire, now comes the fun part—review and documentation time. This phase is important because you get an opportunity to learn from your mistakes, make decisions that can help improve your security going forward, and implement the required changes for the betterment of the organization. This section covers root-cause analysis, lessons learned, and the after-action report.
Root-Cause Analysis Security practitioners can be called upon to resolve most security incidents to get the business back to normal. Yet, there will be times when no one knows what caused the issue in the first place. This is not a preferred outcome because central to the postincident response process is identifying lessons learned as well as creating an after-action report to put those lessons into motion. That cannot happen if you haven’t identified the true cause of the incident. Just wiping out a virus with an antivirus tool is, more less, treatment of the symptom as opposed to curing the condition. Where did the virus come from? How did it get here? Why did it get here? Who is responsible? To help us answer those questions, and to reach that point of deeper understanding, we perform a process known as root-cause analysis. According to NIST, root-cause analysis is “a principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.” It seeks to determine—for a particular issue or problem—what the true and original source of the issue is. Let’s see this play out with an example: 1. Technician A argues that missing antivirus definitions are the cause of the user’s virus infection. 2. Technician B argues that the antivirus definitions were missing because no users or technicians thought to turn on the auto-update feature for the antivirus software.
11-ch11.indd 446
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
447
3. Technician C argues that although these suggestions are contributing factors, they are not the root cause. The following are more appropriate root causes (because there can and usually will be more than one): a. The lack of a security policy that defines requirements for antivirus scans
and updates. b. The lack of a procedures document that details the methods of antivirus scans, updates, and safe Internet browsing. c. The lack of an end-user training process to raise awareness of the policy and procedures to reduce the threat of malware infections.
Above all else, you look below the surface to cure the condition, not treat the symptom. Because, if antivirus scans aren’t being performed regularly, and definition updates aren’t kept up to date, you will continue to have malware infections even after you initially eradicate the current one. The root cause of the preceding issue wasn’t so much technical but rather managerial. Management needs to enforce security policies, ensure procedures are understood, and enact end-user training processes to ensure prevention, detection, and mitigation of the threats. Poor management was the root cause.
PART III
EXAM TIP The key to root-cause analysis is to keep asking the same question over and over: “What was the direct thing that made this happen?” This allows you to subdivide the immediate issue into its smaller pieces until you arrive at the root of it all.
Lessons Learned Root-cause analysis primarily focuses on identifying the issue source. This information is one of multiple inputs you’ll want to take into the lessons learned phase of post-incident response. Lessons learned give us an opportunity to evaluate our mistakes, our successes, assess what happened during the incident, and describe how the organization has dealt with resolving the issue. Ultimately, the goal is to identify what steps are needed in order to improve our ability to prevent, detect, and mitigate incidents going forward. To help get us there, we turn to the after-action report.
After-Action Report We can all agree that it’s important to identify an issue’s root cause—and learn some valuable lessons along the way—but we need a vehicle to set those lessons learned into motion. Enter the after-action report. The after-action report implements the security recommendations gleaned from the lessons learned report. This will call for improvements or changes to the following areas:
• Policies, procedures, awareness • Cybersecurity training • Hardware/software configurations
11-ch11.indd 447
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
448
• Security funding • Monitoring • Vulnerability/penetration testing • Auditing • Business continuity plans • Disaster recovery plans • Incident management • Change management
Chapter Review
In this chapter, we covered the implementation of incident response and recovery procedures for various scenarios. The first section began with e-discovery, which describes the process of acquiring digital information for evidence purposes. To support e-discovery initiatives, we perform electronic inventories and asset control of all data to simplify indexing and searching for data when it’s legally requested. We also talked about data retention policies and the need to hold onto certain types of data for a certain number of years before it can be destroyed. We then talked about data recovery and storage techniques to ensure the availability of data during and after a loss event takes place. Data ownership was also discussed to distinguish the responsibilities between the owners, who classify data and delegate who is to provide security controls to the data, and the data custodians, who implement those security controls on the data. We then finished the section with legal holds and how they require specified data types to remain despite any content that has already aged past its data retention period. The next section focused on data breaches. This began a dissection of incident response processes that start with the detection of the breach and the collection of data to support the existence of the breach. We then talked about analyzing the data to ensure we understand the scope and impact of the breach. We then touched on mitigation of the breach, which involves isolating the breach to a limited area, and limiting the damage it causes, as well as various mitigation techniques to ensure eradication of the threat. We then talked about recovery and reconstitution of data and systems from damage or losses, general response procedures, and disclosure of incident details to stakeholders, law enforcement, and the media. The third section of the chapter talked about facilitating incident detection and response. Hunt teaming takes an offensive approach to detecting threats. Heuristics and behavioral analytics study the behaviors and patterns of network traffic and software functionality to detect possible or confirmed malicious activity. We then looked at reviewing system, audit, and security logs for signs of attackers knocking on the door or having already penetrated the organization’s security controls. We then moved on to incident and emergency response measures, beginning with chain of custody and its requirements to track access, control, and movement of evidence to preserve its integrity for possible court admission. We also talked about the process of
11-ch11.indd 448
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
449
PART III
performing a forensic analysis of compromised systems. We then discussed continuity of operations planning, which involves recovering from public disaster events, and then disaster recovery, which focuses on technological recovery for private sector businesses. Incident response teams were covered to point out their roles and responsibilities for carrying out incident response plans. Finally, we finished the section talking about the order of volatility, which describes the order in which evidence should be collected before it disappears. The next section described incident response support tools such as dd, which is a file/ disk-copying tool, tcpdump for packet capturing, nbtstat for NetBIOS troubleshooting, netstat for TCP/IP connection statuses, nc for observing local and remote connections, memdump for memory dumping and analysis, tshark for a command-line version of Wireshark sniffing, and foremost, which is a tool for recovering deleted or corrupted data from drives. The next section talked about the severity of incidents or breaches. We talked about scope, which describes how broad an issue is, and then impact, which describes the loss of business functionalities caused by the breach. Next was cost, which involves the financial damages suffered, including the cost of recovery. Then we talked about the impact and requirements of downtime, and then finally the legal ramifications that result from data breaches and incidents. The final section of the chapter discussed post-incident responses, beginning with root-cause analysis, which seeks to understand the original cause of issues. We then talked about lessons learned, which involve gathering all information about the breach, including positives, negatives, and the need for changes to improve security in the future. We finished the chapter with a discussion of after-action reports, which take the lessons learned and apply them to the organization in order to improve security during future incidents.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
E-Discovery • E-discovery is the electronic discovery of evidence. • E-discovery is about producing records based on a subject, an event, a person, and so on. • Most e-discovery periods are 90 days long, and failure to produce in the 90-day window can bring sanctions and penalties. • Asset management deals with the management of the assets of an organization. • It is essential for a company to identify, track, classify, and assign ownership for its most important assets. • A data retention policy dictates the systematic review, retention, and destruction of data in the enterprise.
11-ch11.indd 449
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
450
• Contracts, billing documentation, and financial and tax records are normally prescribed to be kept for seven years after creation or last use. • Data recovery is the process of recovering data from damaged, failed, corrupted, or inaccessible storage devices when it cannot be accessed using normal data access methods. • Data storage strategies, including backups to provide for recovery in the event of primary storage failure, are foundational security elements in an enterprise. • Assigning data owners and establishing responsibility for all custodial duties are key elements in managing an information asset. • Data owners are typically department managers that make decisions on how certain data should be used and managed, whereas data custodians are the IT personnel who implement the decisions made by the data owners. • A legal hold is a process that permits organizational compliance with legal directives to preserve all digital and paper records in anticipation of possible litigation. • Any data retention policies that had previously earmarked legally requested data for destruction are immediately and indefinitely suspended until all relevant litigation has concluded.
Data Breach • A data breach is the release of information to an unauthorized party or environment. • Detection of breaches may involve the examination of hardware and software alerts, surveillance cameras, logs (system, application, and security), network traffic, error messages, and feedback from employees and customers. • Evidence is highly perishable; therefore, you should begin collecting it as soon as possible. • Data breach analysis involves classifying the breach and assigning a priority level in order to ensure that the appropriate levels of attention and resources are provided to the incident. • The gold standard to prevent data loss from breach or compromise is encryption. When properly employed, encryption can protect data during storage, in transit, and even during processing in some cases. • Data minimization efforts can play a key role in both operational efficiency and security. One of the first rules associated with data is “don’t keep what you don’t need.” • Isolation involves containing the incident to a limited area to prevent spreading. • After a data breach has been fully resolved, it is time to disclose all relevant data breach details to business stakeholders, which may include your immediate manager, senior management, and human resources, in addition to team leads from various departments.
11-ch11.indd 450
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
451
Facilitate Incident Detection and Response
11-ch11.indd 451
PART III
• When a data breach occurs, the firm must be ready to respond immediately. • The time to formulate plans and procedures was before the event because many factors will be driving timelines, including the business risk associated with the data loss, customer pressure, and regulatory pressure. • Detection begins at the point in time when the incident is discovered, and it becomes a breach because of the nature of the incident. • Mitigation efforts are the immediate countermeasures performed. • Both internal and external parties are involved in data breach issues. • The primary goal behind preparing for incident response is the successful and efficient handling of the incident, including returning the system to a proper operating condition. • The best way to obtain criminal evidence is to let law enforcement collect the evidence. • Evidence will be subject to challenges by the defense attorney; if any “issues” are associated with the fidelity of the data collection effort, in most cases the evidence will be suppressed or not allowed. • Hunt teaming is a comprehensive process of security teams seeking out any signs of attack against the organizational network. • Security teams will search for signs of compromise, which may include unusual changes to audit logs, locked-out accounts, malware backdoors, changes to critical files, and slow Internet or devices—not to mention keeping an eye out for strange administrator account patterns or any signs of unapproved software and network traffic. • The key to hunt teaming is being proactive. By looking at all attack vectors for signs of malicious activities, organizations may reveal anomalies that might’ve been missed had they maintained the more typical reactionary security posture. • Behavioral analytics is the process of measuring and identifying how entities typically act, or behave, and later comparing these measured behaviors to future samples to potentially spot deviations. • Heuristic analytics intelligently gathers data points from various host and network data sources within a specific environment. It then scores each of these data points relative to one another to determine if the entity is threatening, potentially threating, or not threatening in nature. • System administrators should enable logging on all significant systems so that data can be collected as to system performance and operation. • Enabling logging is not sufficient on its own. Log files have no value unless their contents are examined, analyzed, and acted upon. • SIEM solutions are a critical component of automated security systems used in continuous monitoring.
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
452
Incident and Emergency Response • Incident response is the term used to describe the steps an organization performs in reaction to any situation determined to be abnormal in the operation of a computer system. • Chain of custody is a detailed record of evidence handling, from its collection, preservation, and analysis, to presentation in court and disposal. • Digital forensics is the application of scientific methods to electronic data systems for the purposes of gathering specific information from a system. • A continuity of operations plan refers to a government’s processes for maintaining functionality in the event of a serious public event. • Business continuity plans and disaster recovery plans have a reduced scope in that they focus on maintaining continuity of operations for private sector organizations—which are mostly driven by profit. Yet the government has to concern itself with public disaster recovery plans for the health and safety of its people during adverse events. • Disaster recovery involves the policies, staff, tools, and procedures to enable the timely recovery of an organization’s technological infrastructure from disruptive events. • An incident response team is a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations. • The order of volatility describes the order in which digital evidence should be collected before it disappears.
Incident Response Support Tools • When responding to a security incident, you will call upon certain software tools to gather information about the incident in order to implement appropriate mitigations. • dd is used for converting and copying files. • The tcpdump command-line tool is commonly used on Unix/Linux operating systems to capture network packets transferred over networks. • The nbtstat tool allows troubleshooting of NetBIOS-related issues by displaying TCP/IP connections and protocol statistics based on NetBIOS network activity. • The netstat tool is a command-line tool designed to display generalized network connections and protocol statistics for the TCP/IP protocol suite. • The nc tool is a Unix/Linux command-line utility designed to connect to or host various types of network connections with other systems. • The memdump tool is a Linux command-line utility that can dump physical and kernel memory contents to both local storage and network locations.
11-ch11.indd 452
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
453
• The tshark utility is a network protocol analyzer that captures network traffic from a live network or can read packets that were previously captured and saved into capture files. • Foremost is a forensic data recovery command-line tool used on Linux primarily for law enforcement to recover deleted or corrupted data from drives.
Severity of Incident or Breach
PART III
• The severity of an incident will govern how aggressively you respond, just as the earlier assessment of risks, threats, and vulnerabilities resulted in proactively implementing the very security controls aimed at preventing incidents. • The scope defines the extent of an area affected or how widespread an incident or breach is. • Impact defines the effect of an incident on business processes. • Calculating the cost of incidents can be tricky due to the number of direct and indirect cost factors to consider, such as losing customer data, company downtime, and legal fees. Then there’s the cost of hiring forensic investigators, compromised trade secrets, and even damaged reputation. • Downtime involves managing and delivering on expectations in terms of the amount of planned and unplanned availability customers can expect during a given period of time. • Legal ramifications for data breaches can involve stiff fines, penalties, or in extreme cases jail time for executives.
Post-Incident Response • Root-cause analysis seeks to determine the root cause (or causes) of a problem. • Lessons learned give us an opportunity to evaluate your mistakes, your successes, assess what happened during the incident, and describe how the organization has dealt with resolving the issue. • The after-action report implements the security recommendations gleaned from the lessons learned report.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Which of the following governs the review, retention, and destruction of data in the enterprise? A. Document retention policy B. Data destruction policy
11-ch11.indd 453
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
454
C. Compliance policy D. Incident response policy
2. You are a member of a team that is going to perform a forensics capture of a desktop PC. Which is the best order of capture? A. RAM, hard drive, DVD B. Thumb drive, hard drive, RAM C. Hard drive, RAM, DVD D. Hard drive, thumb drive, RAM
3. What term is associated with the protection of forensic evidence? A. Data analysis B. Data retention C. Chain of custody D. Hashing
4. Removal of unneeded PII from a database is an example of what? A. HIPAA compliance B. Encryption C. Privacy control D. Data minimization
5. Which type of incident response team (IRT) is associated with a regional office? A. Central IRT B. Distributed IRT C. Coordinating IRT D. Outsourced IRT
6. To protect confidential data from exposure during a breach, the best solution is: A. Hashing B. Encryption C. Anonymization of records D. Mitigation
7. The use of ______ can assist in the collection and analysis of log file data to help determine the organization’s security posture. A. PIA B. signature analysis C. data minimization D. SIEM
11-ch11.indd 454
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
455
8. An abnormal condition detected in a computer system is referred to as what? A. Event B. Alarm C. Incident D. False positive
9. Data retention times are specified by which of the following? (Select all that apply.) A. Laws and regulations B. Actual practice in the enterprise C. Security policy
10. A web server is suspected of being compromised, and the incident response team suggests that it be fixed. What are elements associated with fixing the server? (Select all that apply.)
PART III
D. Corporate legal department
A. Do a directory search for changed information to see if it is compromised. B. Make a forensic backup copy for analysis. C. Reapply all patches to the server and then return it to service. D. Perform a system restore from a known good copy.
11. A security incident where confidential data is copied, viewed, or stolen by an unauthorized party is a: A. Security breach B. PII violation C. Data breach D. Security failure
12. The last step of an incident response effort is: A. Recovery B. Assignment of blame C. Lessons learned D. Customer notification
13. Who is the best party to be a data owner? A. CIO B. Business management associated with the data C. System administrator D. Database administrator
11-ch11.indd 455
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
456
14. The placing of data into groups associated with risk for the purposes of managing security is known as what? A. Data ownership B. Data management C. Data retention D. Data classification
15. A company has just migrated to a new business recordkeeping system as part of a merger. This will necessitate the repeating of what process? A. PIA B. PII C. PHI D. PCI
16. The group of people who prepare, train for, and respond to emergency incidents are referred to as which of the following? A. Incident containment team B. Incident response team C. Incident investigation team D. Incident management team
17. The salvaging of data from a damaged or corrupted secondary storage media that cannot be used in a normal access mode is an example of what? A. Data recovery B. Data restoration C. Data cleansing D. Data management
18. A set of backup tapes is lost off an overnight shipping truck and has been deemed to be unrecoverable by the shipping company. Which of the following statements is true? A. This is a data breach. B. This is not a data breach because the files are truly lost and are not in the
hands of another party. C. This is not a data breach because backup tapes are not truly data to outsiders. D. This is not a data breach because the tapes are not labeled as to firm, only a code number.
11-ch11.indd 456
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
Chapter 11: Incident Response and Recovery Procedures
457
19. The development of a plan to use in the collection of evidence is which step in the forensics process? A. Preparation B. Approach strategy C. Collection D. Analysis
20. In a large enterprise, e-discovery is best handled via which of the following? A. A separate department B. Outsourcing C. Specialty appliances
Answers
PART III
D. Large in-house legal staff
1. A. The document retention policy (or data retention policy) governs all aspects of data/document retention. 2. A. The most volatile is RAM, which is first, followed by hard drive and DVD. 3. C. Chain of custody is associated with preserving and protecting evidence. 4. D. Not storing unneeded data is an example of data minimization. 5. B. A local independent IRT is part of a distributed IRT structure. 6. B. Data that is encrypted is not readable if lost, and although the bits may be lost, the information is not. 7. D. Security incident event management (SIEM) solutions can be programmed with alerts. 8. C. The term “incident” is used to describe any abnormal event in a system. 9. A, D. Laws and regulations (A) are one source of information; advice from the firm’s legal department (D) is another. 10. B, D. Making a forensic backup copy for analysis (B) is correct because this step is one of the first steps in an incident response, and recovery can occur by restoring from a known good image (D). 11. C. This is the definition of data breach. 12. C. The last step is a lessons learned session, where process improvements are discussed. 13. B. The best data owner is business management of the portion of the business involved in the data—it has the best visibility as to the business purpose and requirements.
11-ch11.indd 457
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 11
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
458
14. D. Data classification is the assignment of data into different groups of security requirement levels. 15. A. A PIA (privacy impact assessment) needs to be redone after any material change in people, process, or technology. 16. B. This is the definition of an incident response team. 17. A. Data recovery is the salvaging of data from broken storage media, whether the broken aspect is either physical or logical. 18. A. A data breach is the loss of control over data, regardless of the form or cause. 19. B. The development of an approach or plan associated with strategizing the acts to be pursued is the “approach strategy” step. 20. C. Because of scale issues, specialty appliances are necessary to handle the volumes of data in the time period allotted.
11-ch11.indd 458
11/03/19 3:15 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12 Blind Folio: 459
PART IV
Technical Integration of Enterprise Security Chapter 12 Chapter 13 Chapter 14 Chapter 15 Chapter 16
12-ch12.indd 459
Hosts, Storage, Networks, and Applications Cloud and Virtualization Authentication and Authorization Cryptographic Techniques Securing Communications and Collaboration
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12 Blind Folio: 460
This page intentionally left blank
12-ch12.indd 460
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
12
CHAPTER
Hosts, Storage, Networks, and Applications
This chapter presents the following topics: • Adapt Data Flow Security to Meet Changing Business Needs • Adhere to Standards (Popular, Open, De Facto) • Interoperability Issues • Resilience Issues • Data Security Considerations • Resources Provisioning and Deprovisioning • Design Considerations During Mergers, Acquisitions, and Demergers/Divestitures • Network Secure Segmentation and Delegation • Logical Deployment Diagram and Corresponding Physical Deployment Diagram of All Relevant Devices • Security and Privacy Considerations of Storage Integration • Security Implications of Integrating Enterprise Applications
Throughout this book, we’ve talked extensively about many individual pieces of security controls and methods. Understanding that, we’re now ready to fit them together into a single security jigsaw puzzle. Integrating everything will create an entirely new set of challenges because the viewpoints on enterprise security risks, threats, exploits, vulnerabilities, and exposures change when you switch your focus from the “parts” to the “whole.” Whether those challenges involve responding to changing business needs, interoperability, resilience, data security, or resource provisioning (just to name a few), security practitioners must remain stoic in the face of the occasional adversities suffered when integrating enterprise hosts, storage, networks, and applications into the enterprise’s secure architecture.
461
12-ch12.indd 461
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
462
Adapt Data Flow Security to Meet Changing Business Needs
Enterprises are like a river in that you can never step into the same one twice. Each day, enterprise stakeholders gather into conference rooms and proudly state which wasteful practices need to be abandoned as well as which better practices will be implemented going forward. Enterprises are always changing—sometimes changes are planned, and in other cases they happen quite abruptly. As the needs of the enterprise change, IT and security implementations will sometimes have to change, too. As it relates to data flow, enterprises need to start off with a strong security foundation so that future changes can be easily worked in, properly and quickly. Weaker security foundations react poorly to change because no existing framework is in place to support the changes. The topics of this section focus on securing data flow, whether it is in response to changes or not. Although the detection of sensitive data leaving an organization’s network is crucial, protecting and preventing such data from departing the network is equally important. The protection of sensitive data is part of a multilayer defense-in-depth strategy. In order to protect sensitive data, first create a security profile by identifying potentially sensitive information and answering the following questions:
• What applications are used to access this information? • How is the information stored? • What security measures are in place to secure the stored information? • How is the information transmitted over the network? • Is authentication and authorization enforced at all levels of access? • Are authentication credentials transmitted securely? • Are strong password policies enforced? • What encryption algorithms are used? • How are the encryption keys protected? After creating a security profile, evaluate your current security posture and identify any potential weaknesses. Remember to follow a defense-in-depth strategy by ensuring confidentiality, integrity, authentication, and authorization using multiple methods at every possible level. Your first line of defense is the use of strong authentication and authorization at all levels. This involves strong access controls at all levels of access, including physical, local account, remote account, database, and all services and applications. Do not pass authentication credentials in the clear. For example, do not use the Telnet service; instead, use a secure protocol such as SSH. Do not authenticate users or grant authorization based on IP address, because this can be easily spoofed. Additionally, remote users should connect to the organization’s network using secure technologies such as VPNs or VLANs. Protect the confidentiality of sensitive information at all levels, including how it is stored on disk and how it is transmitted over the network. Using tight access control and authorization is a good first step. Additionally, sensitive data should always be encrypted
12-ch12.indd 462
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
463
PART IV
when stored on disk or transmitted over the network. If encryption keys are stored on the disk, verify that they are strongly protected at multiple levels as well. For example, ensure that permissions and access control methods protecting the keys are as strong as possible. Additionally, protect encryption keys with passwords so that keys do not exist on disk in an unencrypted manner. Verify that all applications accessing sensitive data are using well-known, secure encryption methods providing both confidentiality and integrity. For example, do not use FTP to access sensitive information; instead, use a secure protocol such as SFTP. Furthermore, use only the latest and most secure protocols. For example, configure SFTP clients and servers to only use the SSH 2 protocol, because it is significantly more secure than the older SSH 1.x protocols. Do not use products with proprietary or secret encryption or authentication methods because they may contain security vulnerabilities and are not as thoroughly tested as commonly accepted protocols. Security through obscurity should not be considered reliable, especially when it comes to complex cryptographic algorithms. Isolate sensitive information as much as possible. Separate the network traffic into multiple VLANs, grouped by the type and sensitivity of information being transmitted. Do not store sensitive information and publicly available information on the same devices. Do not run any unnecessary or unrelated services on devices storing sensitive information. Furthermore, as a security professional, it is your job to ensure that all operating systems and applications, especially those accessing sensitive information, are up to date with the latest software. Subscribing to bug and vulnerability mailing lists is also a very good idea. EXAM TIP You cannot design a security solution that does not allow for changes in data flows and traffic patterns. A well-designed security solution should leave room for expansion and modification.
Adhere to Standards (Popular, Open, De Facto)
Since we already discussed security policy standards a bit at the beginning of the book (Chapter 2), we’ll just do a quick review here. Remember, standards are the mandatory requirements in support of a policy. For example, if a password policy states that all office employees must change their domain passwords every 90 days, that is a compulsory standard of the password policy. After 90 days, the password will expire and the user will be required to change it or be prohibited from logging in. The whole point of standards is to say, “You need to do this in order to be compliant with objectives.” EXAM TIP Remember that standards should be reviewed on occasion and, if necessary, revised. At some point you might decide that employees should start changing their passwords every 45 days. It’s not official until that requirement is documented in the policy as a standard. After the standard has been redefined, make sure everyone knows about it.
12-ch12.indd 463
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
464
Although password policies, and their subsequent standards, are created internally, you probably recall from earlier chapters that enterprises are motivated by various external factors to create these password policies in the first place. For legal, competitive, or good old-fashioned commonsense reasons, enterprises will implement the requirements, specifications, or guidelines created by various standards organizations. Standards organizations exist for every industry, with requirements for practically every product that ever gets made. NOTE Some of these standards organizations are formal (like the ISO), industry-based (like the IEEE), or technology-specific, as the World Wide Web Consortium (W3C) is with web technology.
Although many industry standards in information technology and security are voluntary, there are also regulations out there such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) that make compulsory standards—as in mandatory, or risk being fined, shut down, or possibly incurring jail time. Some of these standards organizations have country-specific scope, such as the U.S. National Institute of Standards Technology (NIST) and the American National Standards Institute (ANSI), or international scope, such as the International Organization for Standardization (ISO) and the Institute of Electrical and Electronics Engineers (IEEE).
Popular Standards
Although there are too many to name, here are some of the more popular standards:
• HIPAA A U.S.-based law created in the mid-1990s that contains strict requirements for the security and privacy of medical information. This is enforced on all healthcare providers, healthcare insurance companies, billing clearinghouses, and any establishments that handle medical information. • PCI DSS Created by several international credit card companies to globally standardize security requirements for all companies that process credit card payments and card holder data. This is not a law, yet failure to uphold its requirements can lead to stiff fines or other penalties. Also, some states treat certain portions of it as law. • NIST 800 Series A U.S. government publication of cybersecurity requirements primarily aimed at government and military systems. Many private sector organizations voluntarily implement NIST 800 series standards to enhance their own security programs, while also trying to outshine the competition. • ANSI The primary standards organization in the U.S. (with international influence) for various industries, including security, which is handled by the Homeland Defense and Security Standardization Collaborative (HDSSC) panel.
12-ch12.indd 464
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
465
• ISO As the world’s largest standards organization, the ISO creates standards for virtually every industry, including security (ISO 27000 series), farming, bicycles, textiles, food safety, and countless more. • IEEE An international group that standardizes electrical, electronic, telecommunications, computer engineering, and other similar fields.
Now, with the major standards groups out of the way, let’s tackle some other topics concerning standards, such as open standards, adherence to standards, competing standards, lack of standards, and de facto standards.
Open Standards
• Be created by relevant experts and members, not internal staff • Be developed under an internationally respected open process • Open for public review and debate • Easy to access and adopt • Allow anyone affected by the standard to contribute to its development • No hidden patents
PART IV
Although there is much debate as to what definitively makes a standard “open” rather than closed, we’ll generalize the definition by saying that open standards are publicly available, royalty-free, and don’t contain many, if any, licensing limitations. According to the OASIS website—which is a well-known open standards organization—these are some key criteria for an open standard to be adopted:
NOTE The open standard’s “door” should always be open. Collaboration should be encouraged, and the standard should undergo a consistent peer review process.
Adherence to Standards Recall from earlier that some standards are voluntary while others are obligatory—the former not being legally enforceable, whereas the latter is. For example, Amazon AWS is accredited by ISO to be compliant with a well-known voluntary security standard called ISO 27001. In order for Amazon to maintain this accreditation, they must routinely submit to various ISO 27001 documentation requirements. Failure to do so isn’t a criminal offense; rather, Amazon will simply lose the ISO 27001 accreditation. Failing to adhere to voluntary standards can be a big blow to an enterprise’s reputation, given the respectability brought by standards accreditations.
12-ch12.indd 465
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
466
In contrast, compulsory standards are legally enforced, with negligence resulting in legal ramifications. For example, if a HIPAA “reasonable cause violation” occurs at a hospital, the hospital can be fined $1,000 to $50,000 per incident. In more extreme cases, organizations can be forced to close their doors, with possible prosecution of key executives.
Competing Standards Competing standards are two or more standards that are available to use to address the same issues. Here are some examples of competing standards:
• AES vs. Serpent symmetric cryptography ciphers to encrypt bulk traffic • RSA vs. ECC asymmetric cryptography ciphers to perform key exchange • RSA vs. DSA digital signature algorithms to encrypt a digital certificate • MD5 vs. SHA-1 hashing cryptography ciphers to generate a message digest for a digital certificate • SSH vs. SSL security standards to secure FTP file transmissions • ITIL vs. ITSM for IT service management standards • NIST vs. ISO for risk management frameworks As you can see, we have many choices among standards, with the onus on us to research and compare these choices to make the wisest decision for our enterprise. For example, security practitioners should research the merits of MD5 vs. SHA-1 before implementation. Such research will likely lead to SHA-1 being the best choice since MD5 is considered relatively insecure.
Lack of Standards Since new types of technologies are constantly entering the marketplace, it takes time for standards to come along to, well, standardize things. A few new technological developments still lacking standards are Internet of Things (IoT) and blockchain. With IoT flooding homes and businesses with billions of devices per year, and blockchain raring to take over encrypted financial transactions, it would certainly behoove us to have some well-established standards to stabilize these burgeoning industries. Until such official guidance comes along, it is still our responsibility to ascertain recommendations, processes, procedures, and guidelines for securely implementing nonstandardized technologies. Management will not consider the excuse of “It’s not my fault; blockchain isn’t standardized yet, so…” as anything but an excuse.
De Facto Standards De facto standards are those that are widely accepted by an industry but no formal standardization process has been undertaken yet. A common example of a de facto standard is the QWERTY keyboard pattern, which dates back to typewriters. The only purpose to the QWERTY format was to prevent adjacent keys on typewriters from jamming into one another. This issue does not exist on modern keyboards and touchscreen devices, yet
12-ch12.indd 466
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
467
we’re still using the QWERTY keyboard pattern out of habit. The thinking is that de facto standards became “standard” in the first place due to lack of competition early on in the standard’s implementation. Without competition, formalities tend to fall by the wayside. EXAM TIP The “opposite” of de facto standards are de jure standards. De jure standards are official since they’ve been formally ratified by a standards organization. A common example is the TCP/IP protocol suite, which is endorsed by the Internet Engineering Task Force (IETF) organization. Keep in mind that although de jure standards should be given priority over de facto standards, a healthy blend of the two is generally your best bet.
Interoperability Issues
PART IV
All too often, interoperability issues occur due to hardware or software components not being able to properly communicate with other hardware and software. It’s often a “generational” thing, where old stuff (legacy) has a hard time interacting with new stuff. Applications designed to support certain protocols and APIs may conflict with another application’s unique requirements. The opportunity for interoperability challenges are extensive if you factor in the variety of applications and hardware out there. Some applications may be developed in-house, or acquired through a commercial vendor. Other applications may be tailor-made for an enterprise by a commercial provider; yet others may be open source applications collectively made by a global community of developers. Finally, interoperability issues can arise from differences in terms of data formats and querying methods between applications and databases. The upcoming sections explore each of these topics in more detail.
Legacy Systems and Software/Current Systems Let’s face it, nearly every organization has a few legacy systems, and some are downright ancient. Legacy systems are older applications or hardware that are no longer supported by the vendor, yet are still in use by an enterprise. Inexperienced IT and security professionals may view this as laziness or incompetence on the part of the enterprise, but there is generally more to the story. Here are some examples of why enterprises are often reluctant or unable to part with their legacy systems:
• Functional If it ain’t broke, why fix it? • Budget The replacement product is expensive. • User acceptance Users will typically fight tooth and nail to preserve their tools and workflows. Change, as they say, is difficult. • Downtime Migrating to a new tool can create downtime, which can lead to lost revenue, morale issues, and finger pointing. • Justification A system being “old” will not compel most users to abandon it if it can still get from point “A” to point “B.” Users must be convinced on merit, such as improvements to productivity, ease of use, security, and maybe working remotely, before they will warm up to a new tool.
12-ch12.indd 467
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
468
Despite these challenges, there are valid reasons to get away from legacy systems. Let’s take a look at some of those reasons:
• Knowledge gaps The designers or implementers of the legacy systems may have moved on from the enterprise and taken their expertise with them. With little to no documentation left behind, expertise on legacy systems may be severely limited. • Lack of vendor support Vendors of legacy software are no longer releasing security updates. That is a big problem because applications with unpatched vulnerabilities turn the organizational into a sitting duck. The same can be said for legacy hardware because vendors are no longer releasing firmware updates. • Poor integration Legacy products may lack support for cryptography methods such as SSH, TLS, AES, and RSA, which can fail security policy requirements. Also, they may require older protocols no longer supported by newer systems. So, legacy systems may have difficulty talking to newer systems, or may not be able to do so securely. • Slow hardware Legacy systems may require older operating systems that have better compatibility with older hardware. Older hardware is more likely to fail and is therefore a liability. • Compatibility Many older applications are not compatible with newer OSs.
Alright, Now What?
Clearly, there are multiple sides to the legacy system story. Although we can safely say that all roads lead to migrating away from legacy systems, how do we secure the ones we still have to support? One of the most important things you do can do is isolate them. Maybe put them on their own VLAN with a network firewall and zero Internet connectivity. Also, to the extent possible, harden these systems and applications. That means removing any unnecessary applications, disabling services, and closing ports. A great idea would be to create a virtual machine (VM) with a modern OS like Windows 10 Enterprise and then isolate the legacy system into a fully patched, hardened, and malware-protected VM. Limit physical access to the legacy system and monitor all incoming/outgoing traffic regarding the system to spot malicious activities.
Application Requirements Do you know what rules the enterprise? Not users, and not systems—but applications. It is the application that retrieves a website, downloads a file, prints to a printer, delivers e-mail and instant messages, pays a bill, pings a server, and so forth. As such, what applications want, applications get. That’s why we still see the occasional mainframe,
12-ch12.indd 468
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
469
Windows XP or older machine, Internet Explorer 6, and nuclear codes stored on floppy disks. When it comes to interoperability issues, we need to understand application requirements first. Here is a list of common application requirements:
• Requires Microsoft Windows XP and earlier OSs • Requires 1024×768 video resolution at 16-bit color • Requires a Microsoft SQL Server 2008 database • Requires a certain .NET Framework • Requires Internet Explorer 6.0 • Requires Microsoft Internet Information Services 5.0 • Requires FTP, HTTP, or Telnet (non-encrypted protocols) • Requires administrator or root privileges on a system • Requires Adobe Flash or Java • Requires disabled User Account Control
PART IV
For basic Windows application compatibility issues, try running the compatibility troubleshooting wizard by right-clicking an application and selecting “Troubleshoot Compatibility.” The wizard may offer compatibility solutions or suggestions. For more advanced compatibility issues, check out the Microsoft Application Compatibility toolkit, which is designed to assess and mitigate more complex application compatibility issues. Figure 12-1 shows a screenshot of the Microsoft Application Compatibility Toolkit generating an application fix for an application that does not work natively in Windows 10. The thing about compatibility fixes is, in some cases, you can only fake it so far before you just have to give the application the native environment it’s designed for. Since running a legacy OS is risky, it’s recommended that you install applications into a VM that contains an OS more appropriate to the application’s design. TIP If a legacy application will run on everything from Windows 95 to Windows 7, run it on a Windows 7 VM. The later the OS, the less security risk posed to the enterprise.
Software Types Since many interoperability issues are caused by software, they’re also likely to be mitigated by software, too. In order to prevent, understand, and mitigate the types of interoperability challenges enterprises can experience, it helps to know the different software types and their relative benefits and drawbacks. The next few sections discuss in-house, commercial, tailored commercial, and open source software products.
12-ch12.indd 469
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
470
Figure 12-1 Microsoft Application Compatibility Toolkit
In-House Developed
In-house developed applications are applications that are developed internally by the enterprise. Many enterprises have a team of developers who plan, test, deploy, update, and support applications for the enterprise. Although cost savings can be a driver, customization drives most in-house development initiatives. Nothing will prevent or solve interoperability issues quite like an application designed from the ground up to fit into this particular enterprise. There is also the initial benefit of the in-house application not being immediately known to the hacker community. Unlike commercial applications, little to no open source intelligence will be available on the Internet for a hacker’s perusal. The downside is the organization is liable for all development, updating, and supporting processes, as opposed to leaning on commercial providers. This, in some cases, can be more expensive than going the commercial route.
12-ch12.indd 470
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
471
CAUTION Enterprises have to think in advance about the worst-case scenario: what if the developer(s) of an in-house application decide to move on from the company? This will heighten the importance of creating extensive documentation, in addition to hiring additional developers, so that enterprises always have a card to play.
Commercial
Commercial applications are programs that are developed by third-party organizations such as Apple, Adobe, and Microsoft. Commercial applications, sometimes referred to as commercial off-the-shelf (COTS) applications, are often purchased by organizations for cost benefits, product maturity and relevance, various support services, and the fact that the tool is available now. In most cases, however, COTS applications will lack the customization provided by in-house applications; therefore, certain interoperability issues may be created, or previous issues still remain to be solved.
Tailored Commercial
Unlike typical commercial applications, tailored commercial software is almost completely customizable right out of the box. This is because the software is put together by several interchangeable modules; like Legos, this permits an enterprise to add or subtract the necessary elements to create a tight fit for the enterprise’s needs. Tailored commercial applications provide much of the customization capabilities of in-house applications— which should go a long way in either preventing or resolve interoperability issues—yet it also provides some of the risk transference benefits inherent in outsourcing an application to a third party. On the flipside, there could be cost issues, and tailored commercial software is still well-known to the Internet—and vulnerable—like other COTS applications.
PART IV
CAUTION Unlike the more obscure in-house applications, COTS applications are well-documented throughout various open source intelligence resources. Hackers will have more information to operate on to launch their attacks.
NOTE Hospitals and educational institutions are frequent customers of tailored commercial software.
Open Source
Perhaps the software type with the highest risk/reward ratio for enterprise adoption is open source software. The developers of open source software permit anyone to analyze, modify, and distribute the source code free of charge. The most obvious benefit to enterprises is the price tag, yet enterprises may also experience better quality code, customization, global peer review, and faster time-to-market on code updates and new features.
12-ch12.indd 471
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
472
The fact that open source code is “open” allows an expert programmer to modify the code to fit the needs of the enterprise. This could help address interoperability issues. Despite its obvious benefits, open source software tends to be weak on the support side of things, probably has a less user-friendly interface as compared to commercial software, and may be “orphaned” by the developers who have decided to move on from the project.
Standard Data Formats A constant irritation to application interoperability efforts is data formats. Naturally, applications tend to have their own file format, and, not surprisingly, they favor it. For example, Adobe Reader is designed to work with PDFs, and Microsoft Word works best with DOCX and DOC formats. Although those file formats are supported by other applications, here are some other well-known file formats that are designed for interoperability:
• OpenDocument Format (ODF) • ASCII • Tab-delimited format • Comma-Separated Values (CSV) • Extensible Markup Language (XML) • Trusted Data Format (TDF) • Portable Network Graphics (PNG) • Hypertext Markup Language (HTML) In addition to supported file formats, interoperability must also consider encoding mechanisms such as cryptography and compression. NOTE ISO 8601 standardizes date and time formats, which is important for enterprises whose applications communicate across international boundaries.
Protocols and APIs It’s the age-old problem—two applications can’t talk to each other because one application prefers one set of protocols and APIs, and the other supports a different set. There are two general ways to address this:
• Use applications that support interoperability-friendly protocols. • Use a broker service that acts as a middleman to broker what are, otherwise, incompatible protocols and APIs.
12-ch12.indd 472
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
473
In the case of the first solution, enterprises could implement applications that natively support well-known interoperability protocols such as HTTP, SSL/TLS, SOAP, REST, XML, and JSON. Failing that, and the application cannot be programmatically compelled to support such protocols, we can turn to the second solution. Broker services are designed to permit interoperability between incompatible software, OSs, and hardware. In other words, applications communicate with the broker service using their native protocols and APIs, and then the broker will convert the information into a protocol or API understood by target systems. EXAM TIP A company called Object Management Group (OMG) has developed an open object-oriented standard architecture called Common Object Request Broker Architecture (CORBA) that permits applications to communicate with each other regardless of where each application is located, who developed it, what programming language it uses, and which platform it runs on. The applications don’t need to adapt their native behaviors; rather, the CORBA broker will package whatever applications send into a format that can be deciphered by other applications and systems.
If too much focus is granted to the interoperability of diverse applications, systems, and hardware, resiliency may fall by the wayside. Little good will come out of integration projects if a system crash leads to noticeable downtime. Enterprise resilience initially focuses on preventing service disruptions, while also quickly detecting and recovering from the ones that did occur. In this section, we’re going to take a look at several factors that influence enterprise resiliency, including heterogeneous components, automation and orchestration, distribution of critical assets, persistence and nonpersistence of data, redundancy and high availability, and assumed likelihoods of attacks.
PART IV
Resilience Issues
Use of Heterogeneous Components Whereas homogenous components describe systems that use the same types of components, heterogeneous components go the opposite route in referring to systems that use different components (for example, having a mix of Windows and macOS operating systems in a common environment). Although this is common and, superficially, not a big deal, heterogeneous environments are inherently less resilient because dissimilar systems lead to more complexity, less predictability, and less efficiency, which will hinder the necessary responsiveness required by resilient enterprises. Resiliency leans heavily on all systems and components working together in a streamlined fashion so that adverse conditions can be met with swift and automatic recovery processes. It is important for enterprises to reduce the heterogeneity of systems, or bridge them through broker services, in order to successfully facilitate the resilient prevention, detection, and recovery from security incidents or data breaches.
12-ch12.indd 473
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
474
Course of Action Automation/Orchestration Whether resiliency events are unplanned (server outage) or planned (server maintenance), they can lead to downtime. We can respond to these events in a few ways:
• Manually An IT or security expert personally intervenes to address a resiliency event. • Automation A task runs to respond to a single predetermined resiliency event. A good example is a failover cluster automatically failing over to a passive server should the active server become unavailable. • Orchestration This is normally what people are referring to when they mention “automation.” Unlike automation, which manages one thing at a time, orchestration refers to the management of many things at once. Think of orchestration as a symphony conductor ensuring all orchestra musicians are playing the right parts at the right moments. Orchestration is far greater in scope than automation. Applied to resiliency events, orchestration systems can automate multiple aspects of resiliency event monitoring, reporting, testing, and workflow automation—such as with IBM’s Resiliency Orchestration product. EXAM TIP Orchestration provides the best resiliency capabilities due to its bird’s-eye view of not only the immediate event location, but also of event corollary sources such as adjacent network appliances and servers. The ability to understand both the “cause” and the “effect” of resiliency events, while automatically responding with recovery controls, is worth its weight in gold. Cloud computing providers are, perhaps, the biggest advocates of orchestration systems due to both their scale and scope of operations.
Distribution of Critical Assets Every enterprise has critical assets. Critical assets are defined as those that carry a high risk of failure, and thereby major consequences should the failure occur. The prevailing wisdom is that critical assets should never be located on shared systems because such collocation could result in the loss of all residing critical assets should the shared system experience a failure. To combat this risk, critical assets should be distributed across nonshared systems or locations to minimize the scope of critical asset losses. EXAM TIP Going from one extreme to the other isn’t always a good idea. Although distributing critical assets is wise, distributing them too far can make them too unwieldy to manage. The trick is to balance the two extremes to prevent collocation risks, while not distributing them too far and wide.
Persistence and Nonpersistence of Data In order to maximize data resiliency, enterprises need to understand the types and nature of their data. For example, data can exist in different states, such as persistent or nonpersistent. Persistent data can be thought of in different ways; for example, it can be data
12-ch12.indd 474
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
475
that rarely changes, or data that maintains its state despite application or system shutdowns. Nonpersistent data can be defined as data that frequently changes, or does not maintain its state during application or system shutdowns. How enterprises define these terms is important because the outcome will help enterprises prioritize data types and their subsequent resiliency controls. Infrequently accessed data is more likely to be in an archived state—and a less-urgent level of resiliency— whereas frequently accessed data is more urgent and given prioritized resiliency treatment. Organizational security policies will define which data types require which levels of resiliency, as well as the needed security and availability controls to achieve those resiliency requirements.
Redundancy/High Availability
PART IV
A major contributor to resiliency issues is insufficient redundancy. Achieving redundancy is simple in theory, but how many enterprises really enjoy buying multiple instances of everything? Redundancy uses duplication of systems so that a failure of one system will result in the automatic transfer of services to a backup system. Although a system fails, the overall solution survives. When enterprise systems implement redundancy, it leads to a designed state called high availability. To be clear, redundancy is the input, whereas high availability is the output. Enterprises need to think about what their high availability goals are in order to know how much investment to place in redundancy to achieve their high availability goals. Table 12-1 provides a list of availability percentages and the amount of downtime that contributes to those percentages. NOTE Since 100 percent availability is generally too expensive to achieve, enterprises often strive for high availability percentages ranging from 99.9 to 99.999 percent. Now, playing devil’s advocate, when the cost of redundancy investments exceeds the costs incurred from system failures, a cost-tobenefits analysis makes a clear case that reducing redundancy investment is a financially wiser decision. The key is to perform the cost-to-benefits analysis prior to making the redundancy investment so we can find the right balance of redundancy investment and availability goals.
Table 12-1 Availability Percentages
12-ch12.indd 475
Availability Percentage
Downtime Per Year
99% (2 nines)
3.65 days
99.9% (3 nines)
8.77 hours
99.99% (4 nines)
52.60 minutes
99.999% (5 nines)
5.26 minutes
99.9999% (6 nines)
31.56 seconds
99.99999% (7 nines)
3.16 seconds
99.999999% (8 nines)
315.58 milliseconds
99.9999999% (9 nines)
31.56 milliseconds
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
476
Assumed Likelihood of Attack Redundancy is very important to achieving resilient enterprise solutions, yet hacker attacks can put a damper on any integration projects hoping to achieve a desired level of resiliency. Determining the likelihood of attacks takes into consideration both our vulnerabilities and the threats themselves. All technologies have vulnerabilities, and the onus is on us to understand the nature of a newly integrated technology’s vulnerabilities, plus any new vulnerabilities that are generated because of the integration. Knowledge of vulnerabilities allows us to understand the chances a hacker will be successful should they attempt an attack. Also, we must perform some threat intelligence and reconnaissance efforts in order to determine what are the hot threats out there, the vulnerabilities and systems they’re known to attack, and their relative skill levels. CAUTION It is tempting to make immediate generalizations on system vulnerabilities and threats in order to quickly determine the likelihood of attacks. This not only achieves nothing, but it’ll endanger your enterprise. Be thorough and do your homework first.
Data Security Considerations
One of the tendencies during system integration projects is to just get the systems talking to each other and worry about security another day. Users will often stoke that fire by thanking us for skipping the tedious security aspects, while many security-allergic managers will quietly celebrate the lackadaisical security because systems are talking and no one is complaining. Multiple times throughout this book, we’ve hammered home the point that security must be baked into system implementations, not just sprinkled on at a later date. This section focuses on multiple security considerations during integration, including data remnants, aggregation, isolation, ownership, sovereignty, and volume.
Data Remnants We covered several topics relating to data remnants in Chapter 8. We discussed what it is in addition to several data remnant disposal techniques, such as drive overwriting, degaussing, encrypting, and physically destroying the drives that contain data remnants. In Chapter 18, we’ll go into more detail on the exact methods of physical drive destruction, including shredding, disintegrating, and melting the drives. As it relates to integration of new systems, we should determine what data, if any, currently resides on the new system’s hard drive. If there’s confidential information on it, we may have to revisit some of the preceding destruction techniques to ensure all sensitive materials are completely eradicated. Enterprises shouldn’t unnecessarily integrate new systems into the infrastructure if they contain sensitive materials. EXAM TIP Physical destruction of hard drives is the most complete way of eradicating data remnants.
12-ch12.indd 476
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
477
Data Aggregation There are multiple ways to consider data aggregation. First, data aggregation can be thought of as the compilation of data from multiple sources into a summarized report format. As it relates to data security considerations, having a centralized database of information enables enterprises to determine how processes at the micro (employee) and macro (enterprise) levels are contributing to the enterprise’s security posture. This data can help us address several questions regarding the enterprise’s data security practices:
• Is the enterprise following adequate data security practices? • Which users are failing to uphold data security requirements? • What types of infractions are the most common? • Has the organization taken corrective action on data security failures? • Do any users have too much or too little security privileges on company resources?
CAUTION We talked earlier about enterprises distributing their critical assets to prevent this very problem caused by data aggregation. Failure to suitably isolate your assets puts the enterprise at risk of a considerable data breach. It’s one thing if a little bit of data is breached, but imagine if most enterprise data is part of the same breach? Target learned this the hard way during their infamous holiday season hack of 2013.
PART IV
The other way of looking at data aggregation is the occurrence of information being centralized to a point where it creates risk. When a considerable amount of enterprise resources is aggregated into a single location, attackers are now standing in an all-youcan-eat buffet line.
Data Isolation Data isolation is the process of controlling user access to data that is located in the same environment as other data and users. It follows the principle of least privilege, which means not only are users prevented from accessing data outside of their restricted “bubble,” but this affects administrators as well. Compliance standards such as PCI DSS have network segmentation requirements that seek to isolate users, systems, and environments with access to cardholder data from other users, systems, and environments that don’t require access to cardholder data. Had Target adequately segmented their networks in 2013, they may have avoided the infamous 2013 hack. EXAM TIP Often the best way to implement data isolation solutions is to seek requirements and best practices from compliance laws and industry standards. They often include detailed write-ups on the exact nature of data isolation.
12-ch12.indd 477
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
478
Data Ownership Data ownership was already covered in Chapter 11. Therefore, rather than reiterate it all, we’re going to add on the relevant enterprise application integration portion here. When we’re integrating new enterprise applications into the infrastructure, new data will be created, and other data might be migrated in. Ownership of these data types should be determined in advance of the integration to ensure the enterprise knows who is accountable for making decisions on how certain data should be classified, managed, and used by the enterprise. This individual will likely be a department supervisor or director, who will also serve as a point of contact (POC) for any issues concerning ownership of the data in a particular enterprise application. EXAM TIP Data owners should take notes from legal or regulatory laws affecting the organization. Such compliance considerations can help steer their decision-making processes, including how data should be classified, audited, accessed, and secured, as per industry and state/federal requirements and best practices.
Data Sovereignty Since data sovereignty was also just covered in Chapter 11, we’re going to take the same incremental approach here as we just did with data ownership. Since enterprises are often global organizations, enterprise applications might connect to users and systems located in other countries. Although the organization may be headquartered in the U.S., once that U.S. data makes its way over to England, England may subject that data to its own data sovereignty laws. In other words, the data owner in the U.S. may now find themselves subservient to the “custodian” of the data located in England. In most cases, the destination country will cooperate with the data’s country of origin, but stranger things have happened. Enterprises must understand international laws, relations, and the processes that must be implemented to safely transmit data “across the pond” without fear of losing adequate control over it.
Data Volume As they say, the bigger they are, the harder they fall. Most enterprises will have terabytes, if not petabytes of data. Sometimes that cannot be avoided; yet, many enterprises both generate and hold onto data they no longer need. This presents unnecessary risk for the organization. For one, it eats up disk space and slows down storage. Second, it increases the attack surface of a server, since there’s more information that can be compromised. Enterprises should run storage reports to track data that is not accessed and determine if it should be removed. NOTE Don’t forget about data retention laws. No matter how “useless” data may seem, if it falls under the scope of a data retention law, do not remove it.
12-ch12.indd 478
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
479
Resources Provisioning and Deprovisioning
Enterprises are increasingly moving on-premises resources into cloud computing platforms such as Microsoft Azure and Amazon AWS. Just as likely, enterprises will use these same cloud tools to provision new resources. Cloud environments are especially adept at resource provisioning and deprovisioning tasks, ranging from account management to building servers. On the other hand, cloud consumers are often sharing cloud resources with other consumers; therefore, the provider is often reluctant to properly sanitize or eradicate data remnants stored in shared spaces out of fear of inadvertently harming another customer’s data. As with on-premises administrators, cloud-based administrators can delegate provisioning tasks to other staff members based on their membership to certain cloud roles. Provisioning tasks can also be split between cloud-based and on-premises administration due to the prevalence of hybrid cloud environments. In this section, we look at various provisioning considerations for users, servers, virtual devices, applications, and data remnants.
Users PART IV
Enterprises are increasingly implementing role separation processes that require multiple employees to complete the process. In this case, one employee creates a user account, a second one resets passwords or unlocks accounts, and a third staff member disables or deletes accounts. User provisioning processes typically include building user accounts from account templates in order to prepopulate the accounts with important properties, group memberships, and their respective privileges. When an account reaches the end of its lifecycle due to employee termination or resignation, enterprises typically disable the account to prevent account/resource tampering while a replacement employee is hired. Disabling accounts is typically wiser than deletion because a disabled account can be easily reprovisioned to the replacement employee with all account properties, group memberships, and privileges bestowed to the replacement employee. Simply rename the disabled account to the new hire’s name, re-enable the account, and the new hire will inherit all the access needed by their new role. EXAM TIP Account provisioning tasks can be performed by a cloud administrator, on-premises administrator, or both, depending on whether the user accounts are cloud-only, federated, or synchronized.
Servers Whether on-premises or in the cloud, enterprises are increasingly provisioning servers as VMs. Particularly in cloud environments, this task can easily be delegated to members of certain cloud-based roles. Since cloud environments have, figuratively speaking, unlimited resources, provisioning servers is often as simple as telling a cloud platform to generate a new VM. The VM generation process typically consists of a simple wizard. It’ll likely ask you to name the VM, pick an OS (such as Windows Server 2019 or a Linux
12-ch12.indd 479
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
480
distribution), number of CPU cores, RAM, and disk space, and then you wait a few minutes for the process to complete. One of the benefits of VM provisioning is that you can craft a “perfected” VM that already includes all patches, required software, and hardening options. We can then use this VM as a template for generating future VMs. The cost of generating cloud-based VMs is relatively cheap, quick, and secure. Deprovisioning is even easier. You can just select the VM and delete it. With the VM gone, you cannot be charged for it anymore.
Virtual Devices Virtual devices can refer to many things, including VMs and the VM building blocks, such as a virtual CPU, virtual RAM, and a virtual hard disk. It could also refer to virtual switches, virtual routers, or firewalls. Whatever the virtual device, it will be hosted by a physical server or maybe by another VM pretending to be a physical server in a process known as nested virtualization. With cloud computing environments, administrators can indirectly provision physical resources by choosing virtual hardware. For example, when building a cloud-based VM, the administrator can select virtual CPU cores, RAM, and disk space. Although these are virtual devices, physical hardware will be allocated behind the scenes for the virtual devices to do the work required by the VM. With virtual devices increasingly integrating with enterprise environments, care must be taken as to which virtual devices are added to which virtual machines. Careful delegation of administrative controls will ensure that only authorized individuals can perform these tasks. In addition, cloud computing providers charge organizations based on utilization; therefore, any unneeded virtual devices should be removed in order to prevent unnecessary charges from accruing.
Applications Today’s workers want to access their enterprise applications from anywhere, at any time, using any device. Enterprises are accommodating this need by subscribing to cloudhosted applications. These applications are as easy to access as a web e-mail account. Plus, the cloud provider will handle the provisioning aspects of the application immediately after the subscription process has completed. As administrators, we’re able to control which users are able to access the application as well as what privileges they’ll have within the application. As with VMs and virtual devices, any unneeded applications should be promptly removed since they may harbor sensitive data materials, in addition to accruing unnecessary charges.
Data Remnants Cloud computing environments may have trouble employing comprehensive sanitization methods to data remnants because data is typically located in virtual spaces shared by multiple cloud consumers. To properly eradicate the data involves more destructive sanitation practices that might destroy both the immediate customer’s data remnants in addition to other customer data stored on that same drive. For more information about data remnants, revisit the coverage provided on this subject in Chapter 8.
12-ch12.indd 480
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
481
Design Considerations During Mergers, Acquisitions, and Demergers/Divestitures
12-ch12.indd 481
PART IV
Black hat hackers have a confession to make—they like targeting enterprises undergoing mergers, acquisitions, demergers, and divestitures. Why? Because they know that enterprise security postures nose-dive during major business marriages and divorces. With everyone scrambling just to get systems functional and stay above water, security is the last thing on anyone’s mind. Security will likely get put on the backburner until things calm down. Hackers will try to strike while the iron is hot. Any time there is a corporate restructuring, there is an opportunity for attackers to take advantage of the resulting confusion to try and gain unauthorized access to company systems and information. Several types of changes can take place that in particular can lead to security issues. Mergers occur when two organizations agree to combine as a single company rather than remain separately owned. The combining of two corporate cultures into one will lead to some level of confusion as the employees from both adjust to the newly combined environment. This is especially true when the two entities have a separate outlook or approach to information security. Acquisitions are similar to mergers but have a slightly different meaning. An acquisition is the purchase of a company by another. In this case, generally the company acquired will “blend into” the corporate structure of the purchasing entity. Regulations and policies in place in the acquiring entity will need to be learned by the new entity, and during the transition period there is an opportunity for others to exploit the situation. Demergers are basically the opposite of mergers. They result in the separation of various business operations into other components. The operations may go to a subsidiary, or they may be transferred to a new company. In either case, the confusion surrounding the creation of a new structure can provide a fertile field for attackers to exploit. The security professional needs to be concerned with a number of issues concerning acquisitions and mergers. Who will have what access to the critical assets and information owned by the organization? What will the organization’s new security policy be? What are the user requirements for access to the corporate network (user agreements, training, and so on)? What are the reporting procedures for suspected security incidents, and who will be part of the incident response team? One of the most immediate concerns will be, what exactly are the assets that need to be protected and what, if any, new regulations or requirements does the joining of the entities bring with it? As organizations are combined, both will be bringing the threats to their organization with them. Therefore, there may be more potential threats than there were before the combining of the two organizations. Demergers bring a different set of issues with them. Instead of what new regulations may need to be followed, in a demerger the question may very well be, what regulations still need to be followed? A very important issue will be who is in charge of security for both organizations. If there had been a single security office before, now there will need to be two. How are the original security assets distributed between the two new entities? Will one organization keep all security personnel, leaving the other to start fresh? However the split is accomplished, there is a real opportunity for external entities to take advantage of the confusion that will potentially exist.
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
482
Another issue will be in determining what security policies are still applicable and what ones might need to be changed in order to meet the needs of the new entities. Whether the change that takes place is a merger, acquisition, or demerger, security personnel should prepare as far in advance as possible the security plan for the new organization(s) and be prepared for the inevitable issues that will arise that had been missed in the planning process. EXAM TIP Understand the various ways that a merger, acquisition, or demerger can impact an organization. What processes, procedures, or guidelines might be impacted by the restructuring of an organization? Know why restructuring of an organization can lead to security issues.
Network Secure Segmentation and Delegation
When merging with or acquiring another company, it may be useful to consider network segmentation to keep a degree of separation between the different entities to help alleviate some of the potential for introducing security vulnerabilities. Network segmentation is a basic security tool used as part of practicing a defense-indepth and layered security strategy. The philosophy behind such a strategy is to create layers of security between the organization’s critical or sensitive assets and the outside environment from which attacks might be launched. The idea behind having different layers is that if one layer is penetrated, there remain others still protecting the information or assets. The attacker will have to penetrate each subsequent layer, in turn, which gives security personnel an increased chance to detect the penetration and respond to it. Typically, the outermost layer is considered the network perimeter, which is the boundary between the corporate network and the Internet. The next layer might be the individual operating system security controls on individual hosts. After this may be application security controls regulating who may be able to access specific services. Inside of this is the data, which all of the layers are designed to protect. At each layer, multiple security mechanisms may be in place to help detect intrusive activity and to prevent it from being successful. Defense in depth is a complementary and related topic. It involves taking a look at personnel, technology, and operations to create a coordinated approach to implementing security. It includes more than just the layers of security; it also addresses items such as disaster recovery, forensic analysis, and emergency response. Network segmentation can also play a part in this strategy. The idea behind network segmentation is to separate parts of your network into related portions, each of which you trust to the same level or degree. The individuals within each segment have common network requirements and related job functions. Segmentation allows the organization to provide a degree of separation between functions, which is one of the fundamental principles of security. This is also related to the principle of “need to know,” in which an individual is only provided with the minimal amount of information (or authorization) that they need to accomplish their job. Segmentation for these purposes addresses the internal threat posed by employees who have access to the organization’s networks. By segmenting the data and services, the organization can limit the amount of
12-ch12.indd 482
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
483
PART IV
damage a single user can cause. Each segment forms a zone that you will monitor separately. You will need to then determine what communication, if any, is required between the zones, and at each one of these communication links you place various access control and monitoring devices (such as firewalls and intrusion detection/prevention systems). An example of where you might see something like this is in the separation of an organization’s business/administrative network and its control systems networks used in operations such as manufacturing, power generation/delivery, and water distribution. Because a common vector for infection of systems with malware is for end users to access sites or open e-mail attachments that they should not, it is important to separate these functions from the control systems. For an interesting study of how control systems may be compromised, even when there is a degree of separation, review the events surrounding the Stuxnet attack that impacted Iran’s nuclear program. One way to accomplish network segmentation is through the implementation of a virtual local area network (VLAN). A VLAN consists of a set of systems, all of which have a common set of requirements and communicate as if they were connected to the same domain regardless of their actual physical location. The VLAN appears to users to be the same as a LAN. In a VLAN, a traffic is controlled so that instead of all connected hosts thinking they are on the same broadcast domain, the switch is divided up so that only certain ports can communicate with each other. Delegation is a related topic, although it has separate goals. Delegation quite simply is the assignment of authority to another person for some specific activity. This may be necessary in a segmented environment because one user may not have authority, or access, to certain services or data. It is not advisable for an individual to simply provide another with their authorization or access control credentials (for example, their user ID/password combination). This would mean that an individual would appear to be somebody else and thus accountability could be lost. Instead, an access control model such as rolebased access control (RBAC) could be utilized to provide a level of granularity sufficient to delegate access to specific roles. EXAM TIP The concepts of defense in depth and layered security are common in the security community. Make sure you understand them and how they can aid in security. Also understand the part that network segmentation plays in providing a level of isolation that can limit the damage done if one portion of the corporate network is breached.
Logical Deployment Diagram and Corresponding Physical Deployment Diagram of All Relevant Devices
A logical deployment diagram describes network resources and the desired network topology in a logical manner, with a focus on showing connections between devices in a readable manner. Typically, a logical deployment diagram is created first, after which a physical deployment diagram is then created. Physical deployment diagrams specify the exact position and placement of network servers, routers, links, and other resources.
12-ch12.indd 483
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
484
After development of a physical deployment diagram, ensure that it matches the logical deployment diagram. It is common for intended or accidental changes to be made during the actual deployment of network hardware. Because of this, it is important to update both the logical and physical deployment diagrams as they are rolled out and when they are finished. As network additions and changes are made over time, be sure to continuously update the deployment diagrams. Additionally, the network layout should be audited regularly to ensure it is in agreement with both the physical and logical deployment diagrams.
Security and Privacy Considerations of Storage Integration
Organizations of all sizes, and even some individual users, require network-based storage solutions. Although fully fledged servers can provide network access to internal storage, the use of dedicated network-based storage has many advantages. Dedicated devices can ease the deployment and maintenance requirements of providing access to networkbased storage. Separating devices providing file storage from other network services can reduce the impact of a single service being compromised. Additionally, dedicated devices have a single purpose and need not run the myriad of other network and local services provided by fully fledged servers, thus improving security. Restricting access also reduces risk, as Figure 12-2 shows. By only allowing application servers to connect to networkattached storage (NAS), an organization can reduce the risk of direct compromise or infection from the user population. The other main type of dedicated storage solution is the storage area network (SAN). NAS devices run common network file system services such as SMB/CIFS, NFS, FTP, SFTP, and AFP. As such, it is important to be well versed in the secure configuration of whatever file system services are enabled. Proper planning is required, and the security of a device’s available network file system services should be investigated before purchase. Anonymous access to network storage should never be enabled. Restricting access by Figure 12-2 Restricting direct user access to networkattached storage
Users
NAS Application servers
12-ch12.indd 484
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
485
IP address can be part of a defense-in-depth strategy but should never be relied on due to the ease of spoofing. If username-and-password-based authentication is used, ensure that the authentication is done in a secure manner. Policies requiring the encryption of transmitted passwords and password hashes should be enforced. For example, SMB/CIFS has optional LanMan authentication for older clients and should always be disabled. NFSv4 is significantly more secure than previous versions of NFS and mandates the use of several security measures such as Kerberos-based authentication. NAS devices should never be exposed to the Internet, and they should be restricted to a separate VLAN if possible. Secure protocols such as SFTP should always be used in place of insecure options such as FTP. As with all network-attached devices, unnecessary, unused, or insecure services such as SNMP should be disabled. EXAM TIP Understand how network storage can be secured and protected from unauthorized access. Remember to consider separate VLANs for storage traffic and limiting access to data traffic between data silos and application servers.
12-ch12.indd 485
PART IV
Despite the similar acronym, SAN should not be confused with NAS. A pure SAN device exposes the storage as a block device and appears as a physical drive to the client. This type of configuration allows for greater flexibility. Any standard file system may be used, and the disks may be more easily moved from one device to another. SANs can be connected over Fiber Channel (FC) or an Ethernet TCP/IP network. SANs also have disaster recovery benefits by providing options for storage replication to remote sites. Before a SAN is purchased, planning is important, and the available security features should be investigated. Just as with NAS devices, unnecessary protocols should be disabled and secure authentication methods should be used. Additionally, a SAN should never be exposed to the Internet, and should be kept on a separate dedicated network, if possible, for both isolation and performance. IPSec should always be used to secure SAN communications over IP for both confidentiality and integrity. Zoning is used to create groups of host and storage nodes. When using zoning, members can only communicate with other members in the same zone. For flexibility, members may belong to multiple zones. Zoning is a good security practice; however, there are a few issues to be aware of. Zoning can be implemented in hardware or software, referred to as hard zoning and soft zoning, respectively. Soft zoning is vulnerable if an attacker knows or can guess the Fiber Channel address of a device outside its zone. Zoning identification can be done using the port World Wide Name (pWWN) or the Domain, Port (D,P), or both. Zoning configurations should use pWWN identification exclusively, if possible. Identification by pWWN prevents unauthorized zoning access by the rearrangement of cables. To reduce the risk of pWWN spoofing, pWWNs should be mapped to physical ports using Device Connection Control (DCC) policies. SANs employ logical unit number (LUN) masking as a means to control authorization by making a LUN only available to certain hosts. The pWWN of a server’s host bus adapter (HBA) is used to configure LUN masking. LUN masking is usually implemented at the HBA level, which is vulnerable to any attack compromising the HBA. Better security is achieved when LUN masking is implemented at the storage controller and at the HBA.
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
486
Security Implications of Integrating Enterprise Applications
Enterprises are typically large organizations with hundreds or thousands of employees. There are a lot of customers, products, configuration databases, and content access and sharing to manage. Enterprises are looking to powerful tools to address these concerns. You’ll be hardpressed to find many enterprises that don’t have at least one of the following tools:
• Customer relationship management (CRM) • Enterprise resource planning (ERP) • Configuration management database (CMDB) • Content management system (CMS) No matter how powerful tools are, they mustn’t work in insecure silos. Security practitioners must not only integrate enterprise applications into the existing architecture, but they must ensure enterprise security processes are baked into each step in the project’s lifecycle to ensure a seamless and low-risk deployment. Tool vulnerabilities will need to be identified and mitigated early on as well. Other security considerations for enterprise applications are presented in the subsequent sections.
CRM Customer relationship management (CRM) models are typically implemented via a software suite and facilitate interactions with customers, customer service, technical support, and other areas of the business. Given the scope of CRM tools, a stampede of sensitive customer data will be generated, used, shared, and stored by enterprise employees. It goes without saying that it is very important we secure the CRM environment. Plus, with the legal pressures emanating from compliance laws to provide security and privacy assurances for data, organizations can ill afford to come up short. As enterprises increasingly migrate to cloud-based CRM tools such as Salesforce, HubSpot, FreeAgent, and NetSuite CRM+, customer data will constantly traverse the Internet. Plus, because the data is located in the cloud, it is exposed to a global attack base. Given these challenges, we must ask the CRM provider a few questions:
• Does the application support at least TLS v1.1 to secure data in transit? • Can VPN connections be utilized to securely access the server and data in the event SSL/TLS is not supported? • Does the CRM provider support encryption of customer data in storage? • What type of role-based access control is provided so we can delegate resource access to CRM features and customer data? NOTE CRM tools frequently integrate with other enterprise applications; therefore, we’ll need to make sure those applications are equally secured.
12-ch12.indd 486
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
487
ERP Enterprise resource planning (ERP) is business process management software that permits enterprises to use a consolidated platform of business application modules to manage enterprise-wide activities such as customer service, human resources, accounting, sales, payroll, purchase orders, and many more. Like CRM, ERP implementations will run the gamut from on-premises to cloud-based, to hybrid cloud implementations and outsourced technology providers. When it comes to the integration of ERP solutions, we must factor in several security considerations:
PART IV
• Segregation of roles and duties To prevent privilege abuses, and unnecessary monopolization of business processes, enterprises are increasingly adopting a segregated approach to roles and duties. With this model, staff members cannot complete all steps in a process on their own. Other staff members are needed to complete the remaining steps. For example, one employee is permitted to back up the ERP solution, whereas a second employee is permitted to restore it. Neither can perform both tasks. Once the roles and duties have been sorted out, role-based access control has a framework to manage privileges, which is discussed next. • Access control Given the multitude of departmental functions maintained in ERP software, role-based access control should be implemented to control access to resources based on an individual’s enterprise role. Once user accounts are created, they are added to groups, with the groups assigned specific roles that best fit the tasks and responsibilities required of that user group. Additional roles can be added to a user, or subtracted or modified as needed. Be sure to only provide users with the access they need—nothing more and nothing less. • ERP vulnerability scanning Like any complex tool, ERP software is likely to have many vulnerabilities. ERP vulnerability scanning tools are designed to assess ERP software for vulnerabilities such as poor configurations, access control deficiencies, unnecessary services or modules, missing updates, and other insecure components. A good vulnerability scanner will verify the ERP tools with vendor requirements and other industry standards. As with any decent vulnerability scanner, ERP tools will generate detailed reports with the most severe vulnerabilities at the top.
CMDB Configuration management databases (CMDBs) automatically track the state of enterprise assets such as hardware, software, policies, documentation, networks, and staff throughout the lifecycle of these assets—in addition to managing and tracking the relationships between these assets. Given CMDBs’ oversight of asset configurations and activity histories, they are particularly adept at integrating incident management, impact analysis, root cause analysis, and change management across enterprise assets and activities.
12-ch12.indd 487
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
488
NOTE The highly recommended ServiceNow tool is an example of a CMDB.
CMS Content management systems (CMSs) are typically web-based applications that encourage enterprise-wide collaboration with web applications and documentation between multiple contributors creating, editing, and publishing content. CMS platforms are often used to integrate with other enterprise applications, including e-mail servers, database servers, in-house applications, and more. The connections CMS tools have with other enterprise applications make them an interesting target for hackers looking to launch transitive attacks through the CMS connector to the other enterprise applications. CMS tools have similar security requirements to ERPs, including role-based access control and CMS vulnerability scanning tools. Here are some other security recommendations that would benefit any CMS implementation:
• Keep it up to date with security patches. • Implement a robust server backup strategy. • Add third-party applications, plug-ins, and in-house custom code only as needed. • Use strong authentication and password policies. • Implement a CMS-specific application firewall. NOTE Microsoft SharePoint Server is a well-known CMS tool that includes numerous features, such as sites, document and picture libraries, wikis, surveys, workflows, search engine, social media, business intelligence dashboards, and much more. It has been reported to have 190 million users across 200,000 organizations.
Integration Enablers Integration enablers are services that ensure enterprise applications can communicate and integrate with the infrastructure. In this section, we cover enablers such as directory services, Domain Name System, Service Oriented Architecture, and Enterprise Service Bus.
Directory Services
Directory services are centralized identity and access management systems that store information about network objects, in addition to providing authentication, authorization, location, management, and auditing services upon those network objects. These objects include user accounts, group accounts, device accounts, account activities, and security policies. User accounts are created here, added to groups, and assigned permissions to resources as befits the enterprise.
12-ch12.indd 488
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
489
Directory services, such as Microsoft Active Directory, help facilitate the ability of enterprise applications to locate information, as well as to manage and share that information with other applications and services, thus providing an integrated solution for enterprise applications. EXAM TIP Directory services products further aid in integration projects due to their single sign-on (SSO) capabilities which permit users to log on to the network with one set of credentials to access all authorized enterprise applications.
DNS
The Domain Name System (DNS) is a critical part of our Internet infrastructure, mapping names to IP addresses. DNS servers have been in use since the early days of the Internet, and very little emphasis was placed on security during its design and implementation despite its importance to the flow of network traffic. Several industry standard checklists are available for securing DNS (examples can be found at TechNet, DISA, and NIST). For a quick reference, here is a basic checklist for securing DNS services: PART IV
• Keep the DNS software up to date. • Change the version string to provide no useful information. • Separate internal and external DNS servers. • Restrict allowed transactions by client IP address, but do not rely on this due to spoofing attacks. • Use Transaction Signature (TSIG) to authenticate transactions. • Disable or restrict zone transfers as tightly as possible. • Disable or restrict dynamic updates as tightly as possible. • Enable logging and analyze the logs regularly. • Implement Domain Name System Security Extensions (DNSSEC) and sign zones. Enabling dynamic updates allows clients to automatically register and update records on a DNS server. Dynamic updates are usually disabled by default and should remain disabled if not needed. However, dynamic updates may be necessary or desirable in order to reduce the administrative overhead for clients that move frequently or have dynamically assigned IP addresses. If dynamic updates are enabled, follow the checklist to restrict dynamic updates by IP address and, most importantly, use TSIG for dynamic updates. Another good strategy for deploying DNS is to place your primary external name server behind one or more secondary name servers, only exposing the secondary name servers to the Internet. The primary name server should be restricted to communicate only with the secondary name servers. Thus, if the exposed secondary name server is compromised, your primary database will still remain secure.
12-ch12.indd 489
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
490
EXAM TIP DNSSEC allows you to “sign” your zones, which provides origin authentication and data integrity. When used properly, it can help prevent attacks such as DNS cache poisoning.
SOA
Service Oriented Architecture (SOA) is a set of requirements and principles to facilitate the development of interoperable software services. Examples of standardized SOA frameworks include web services, SOAP, WCF, RPC, and CORBA. Using SOA improves interoperability and reuse of components because communication is done in a manner that’s operating system and programming language agnostic. SOA calls for authentication to be performed at the software service level with centrally managed identity credentials. Because SOA is a guiding set of principles, the security of the final product is not guaranteed. Great care must be taken when designing, implementing, and deploying a SOA for your organization’s specific needs. SOA implementations can suffer from a variety of flaws, such as the following:
• Insecure authentication • Unprotected communications • Disclosure of information • Injection of malicious input • Replay attack vulnerabilities • Denial of service • Insecure deployment There is no silver bullet to ensure a secure SOA. Every project has different requirements and requires careful planning, review, and development. Standards with a focus on security, such as WS-Security, are discussed in Chapter 18. During planning and development, remember the following principles in order to mitigate these risks:
• Require authentication when possible. • Always require authentication for sensitive functions. • Use certificates for mutual authentication. • Properly filter invalid or malicious input. • Use prepared queries when accessing databases. • Use XML gateways. • Use secure XML parser options. • Use the latest versions of secure protocols such TLS v1.1 and above. • Use XML signing and encryption. • Disable verbose fault messages in production systems.
12-ch12.indd 490
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
491
• Use signatures with timestamps or nonces. • Require security testing during implementation. • Never expose SOA services to the Internet. • Isolate SOA services on VLANs whenever possible. • Log and analyze authentication requests and general errors. NOTE SOA is essentially packaging business processes as services. SOA defines and provisions a framework that allows different applications to contribute to those services.
ESB
PART IV
Enterprise Service Bus (ESB) is a type of architecture for facilitating communications between applications or web services in a SOA. An ESB has two main components: connectors and a routing engine. Connectors are primarily responsible for passing messages and data between services and the routing engine. Messages and data should be passed in a secure manner, meaning confidentiality, integrity, authentication, and availability should be used whenever possible and appropriate. The confidentiality and integrity of messages may be ensured by using secure protocols such as TLS v1.1 and above. Secure protocols should be used for all messages passed over the network between services, connecters, and the routing engine. Alternatively, strong cryptographic algorithms can be used to sign and encrypt messages, although this must be done carefully to avoid security vulnerabilities. To further limit the risk of exposing sensitive information, one or more dedicated VLANs should be used for the transmission of information on an ESB. Authentication may be provided through the use of certificates or usernames and passwords. Mutual authentication should be incorporated, if possible, using both client and server certificates. A good defense-in-depth strategy is to provide multiple levels of authentication. Tight access controls should be enforced, ensuring that the authenticated user or host has permission to access the requested sensitive information or functions. Providing confidentiality, authentication, and authorization is a good first step toward ensuring integrity. Additionally, all components should always check for and filter corrupt or malicious input. This includes checking both the size and format of messages, as well as ensuring that data types are correct and within expected ranges. Denial-of-service attacks may target any of the architecture components, including services, connectors, and the routing engine. To help ensure availability, policies should be enforced that limit the rate of messages at the application layer. Appropriate limits should also be placed on bandwidth usage at the network level using firewalls, routers, and switches. Additionally, message-passing rates and bandwidth usage should be monitored for the preemptive detection and response to threats. NOTE ESB facilities SOA implementation, but remember that ESBs can use protocols besides HTTP.
12-ch12.indd 491
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
492
Chapter Review
In this chapter, we covered various aspects of integrating hosts, storage, networks, and applications into a secure enterprise architecture. We began with coverage on adapting data flow security to meet changing business needs by responding with several security controls, including secure authentication, disk encryption, VLANs, SSH, and SFTP. The next section provided coverage on a mixture of open and closed standards such as ISO, IEEE, W3C, HIPAA, PCI DSS, NIST, and ANSI. Also, regarding standards, we talked about the need for enterprises to adhere to both voluntary and obligatory standards, understanding their choices among competing standards and making smart decisions, and to follow industry best practices when standards don’t exist for a technology (for example, IoT and Blockchain). We also talked about the relevance of “non-standards” such as de facto standards. We transitioned from standards to interoperability issues, many of which are caused by legacy systems being incompatible with current systems. We talked about understanding application requirements in order to identify if an interoperability issue stems from a missing dependency. We identified the interoperability pros and the cons of various application types, including in-house developed, commercial, tailored commercial, and open source applications. We touched on using standard data formats to bridge application differences together, and the need for using brokering services to resolve interoperability issues with applications with dissimilar protocols and APIs. The next section focused on resilience issues, beginning with the use of heterogeneous components, which involves the usage of different components such as a mixture of Windows 10 and macOS. We touched on course of actions to take in response to resulting resiliency issues, including manual mitigations, or automated and orchestrated responses to improve response times. This includes distributing critical assets to prevent total loss from individual failures, and adjusting security controls as needed for enterprise data identified as persistent or nonpersistent. We talked about the need for redundant components at the LAN and WAN levels to achieve high availability requirements. The last topic of this section involved due diligence requirements in order to properly determine likelihood of attacks that can affect enterprise resiliency. After resiliency issues, we began coverage on data security considerations. The first of these was data remnants, which involve the various software and physical techniques of destroying data or the drives containing the data to eradicate all required data. We talked about the security risks inherent in aggregating so much data that hackers can hit too many birds with one stone, as well as the need for data to be isolated not only in terms of who can access it but also who can administrate it. Data ownership was briefly revisited to incorporate its importance during integration projects, the international data sovereignty considerations of data being owned by one country but stored in another country, and the risks involved in storing too much data that isn’t required. The next brief section discussed resource provisioning and deprovisioning considerations regarding cloud-based and on-premises user accounts, physical and virtual servers, virtual devices, and applications. Many enterprises have adopted a hybrid cloud approach of provisioning some resources on-premises, with others hosted in the cloud. We discussed application provisioning in the cloud, along with authentication considerations. We ended the section revisiting data remnants, but from the perspective of cloud computing.
12-ch12.indd 492
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
493
PART IV
Cloud providers make the removal of data remnants difficult due to resource sharing among many clients. After all of these provisioned resources reach the end of their lifecycle, deprovisioning tasks will run to ensure their swift removal from the systems. Next, we began a series of single-topic sections, the first of which was security design considerations during mergers, acquisitions, demergers, and divestitures. The key to major changes like these is understanding the various ways that a merger, acquisition, or demerger can impact an organization in terms of processes, procedures, and guidelines— always remembering to consider the risks and performing gap analyses prior to and after the major business change takes place. We ventured over to network secure segmentation and delegation, where we talked about using VLANs, different security zones, defensein-depth approaches, and the implementation of role-based access control to delegate which employees have which permissions on integrated systems. Next, we discussed a few considerations on logical deployment diagrams and corresponding physical deployment diagrams of all relevant devices such as servers, routers, links, and other resources. We then began coverage on security and privacy considerations on storage integration, which included a lot of information on NAS and SAN systems. This included information about accessing storage with protocols such as SMB/CIFS, NFS, FTP, SFTP, and AFP, SAN zoning principles, port World Wide Names, LUNs, and HBAs. We transitioned to security implications of integrating enterprise applications such as CRM, ERP, CMDB, and CMS. Much of this consisted of access control considerations, vulnerability scanning, and the segregation of roles and duties. The final section focused on integration enablers such as directory services for its various authentication, authorization, auditing, and management capabilities. DNS was covered due to its location services, SOA for the development of interoperable software services, and ESB to help facilitate communications between applications or web services within SOA environments.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Adapt Data Flow Security to Meet Changing Business Needs • As the needs of the enterprise change, IT and security implementations will have to quickly adapt. • Enterprises must start off with a strong security foundation so that future changes can be easily worked in, properly and quickly. • Weaker security foundations react poorly to change because no existing framework is in place to support the changes.
Adhere to Standards (Popular, Open, De Facto) • Standards are the mandatory requirements in support of a policy. • Standards should be reviewed on occasion and, if necessary, revised. • Popular standards include HIPAA, PCI DSS, and NIST 800 series. • Popular standards organizations include ANSI, ISO, and IEEE.
12-ch12.indd 493
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
494
• Competing standards are two or more standards available to us to address the same issues. • A few new technological developments still lacking standards are Internet of Things (IoT) and blockchain. • De facto standards are those that are widely accepted by an industry but haven’t undertaken any formal standardization process.
Interoperability Issues • Legacy systems are older applications and hardware that are no longer supported by the vendor, yet are still in use by an enterprise. • When it comes to interoperability issues, we need to understand application requirements. • In-house developed applications are ones developed internally by the enterprise. • Commercial applications are programs developed by third-party organizations such as Apple, Adobe, and Microsoft. • Tailored commercial software is almost completely customizable right out of the box. • The developers of open source software permit anyone to analyze, modify, and distribute the source code free of charge. • Enterprises can address interoperability issues by using standard data formats such as ODF, PDF, TDF, PNG, HTML, CSV, XML, ASCII, and tab-delimited format. • Protocol and API interoperability challenges can be addressed by using applications that support interoperability-friendly protocols or using a broker service that acts as a middleman to broker what are, otherwise, incompatible protocols and APIs.
Resilience Issues • Enterprise resilience focuses on preventing service disruptions, while also quickly detecting and recovering from the ones that do occur. • The term heterogeneous components refers to systems that use different components. • Enterprises can respond to resiliency issues by implementing manual mitigations or using automation task runs, or orchestration systems can automatically take care of them. • Critical assets should be distributed across nonshared systems or locations to minimize the scope of critical asset losses. • Persistent data can be thought of in different ways: it can be data that rarely changes or data that maintains its state despite application or system shutdowns. Nonpersistent data can be defined as data that frequently changes or that does not maintain its state during application or system shutdowns.
12-ch12.indd 494
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
495
• Redundancy uses duplication of systems so that a failure of one system will result in the automatic transfer of services to a backup system. • Determining likelihood of attacks takes into consideration both vulnerabilities and the threats themselves.
Data Security Considerations
Resources Provisioning and Deprovisioning
PART IV
• Data remnants can be destroyed through drive overwriting, degaussing, encrypting, or physically destroying the drives that contain the remnants. • Data aggregation is the compilation of data from multiple sources into a summarized report format. • Data isolation is the process of controlling user access to data that is located in the same environment as other data and users. • The data owner’s knowledge of data types can help with integrations by ensuring the enterprise knows who is accountable for making decisions on how certain data should be classified, managed, and used by the enterprise. • Data sovereignty stipulates that once data has been collected on foreign soil, it is subject to the laws of that particular nation. • Too much data volume increases the attack surface of a server since there’s more information to be compromised. • Account provisioning tasks can be performed by a cloud administrator, onpremises administrator, or both, depending on whether the user accounts are cloud-only, federated, or synchronized. • Whether on-premises or in the cloud, servers are increasingly being provisioned as VMs by many enterprises. • Virtual devices can refer to many things, including VMs as well as VM building blocks, such as virtual CPUs, RAM, and hard disks. • Applications are increasingly being provisioned in the cloud due to the speed of deployment, ease of access, and the simplicity of controlling access to applications. • Cloud computing environments may have trouble employing comprehensive sanitization methods to data remnants because data is typically located in virtual spaces shared by multiple cloud consumers.
Design Considerations During Mergers, Acquisitions, and Demergers/Divestitures • Any time there is a corporate restructuring, there is an opportunity for attackers to take advantage of the resulting confusion to try and gain unauthorized access to company systems and information. • Security design considerations should factor in what processes, procedures, or guidelines might be impacted by the restructuring of an organization.
12-ch12.indd 495
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
496
Network Secure Segmentation and Delegation • Segmentation is needed to keep a degree of separation between the different entities to help alleviate some of the potential for introducing security vulnerabilities. • Network segmentation is a basic security tool used as part of practicing a defensein-depth and layered security strategy. • A VLAN consists of a set of systems, all of which have a common set of requirements and communicate as if they were connected to the same domain, regardless of their actual physical location. • Delegation is the assignment of authority to another person for some specific activity.
Logical Deployment Diagram and Corresponding Physical Deployment Diagram of All Relevant Devices • A logical deployment diagram describes network resources and the desired network topology in a logical manner, with a focus on showing connections between devices in a readable manner. • Typically, a logical deployment diagram is created first, after which a physical deployment diagram is created. • Physical deployment diagrams specify the exact position and placement of network servers, routers, links, and other resources. • The network layout should be audited regularly to ensure it is in agreement with both the physical and logical deployment diagrams.
Security and Privacy Considerations of Storage Integration • NAS devices run common network file system services such as SMB/CIFS, NFS, FTP, SFTP, and AFP. • Policies requiring the encryption of transmitted passwords and password hashes should be enforced. • SAN devices expose the storage as a block device and appear as a physical drive to the client. • Zoning is used to create groups of host and storage nodes. • Zoning can be implemented in both hardware and software, referred to as hard zoning and soft zoning, respectively. • Zoning identification can be done using the port World Wide Name (pWWN) or the Domain, Port (D,P), or both. • SANs employ logical unit number (LUN) masking as a means to control authorization by making a LUN only available to certain hosts.
12-ch12.indd 496
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
497
Security Implications of Integrating Enterprise Applications
PART IV
• CRMs are models, typically implemented via a software suite, that facilitate interactions with customers, customer service, technical support, and other areas of the business. • Enterprise resource planning (ERP) is business process management software that permits enterprises to use a consolidated platform of business application modules to manage enterprise-wide activities such as customer service, human resources, accounting, sales, payroll, purchase orders, and many more. • Configuration management databases (CMDBs) automatically track the state of enterprise assets such as hardware, software, policies, documentation, networks, and staff throughout the lifecycle of these assets—in addition to managing and tracking the relationships between these assets. • Content management systems (CMSs) are typically web-based applications that encourage enterprise-wide collaboration with web applications and documentation between multiple contributors creating, editing, and publishing content. • Integration enablers are services that ensure enterprise applications can communicate and integrate with the infrastructure. • Directory services are centralized identity and access management systems that store information about network objects, in addition to providing authentication, authorization, location, management, and auditing services upon those network objects. • The Domain Name System (DNS) is a critical part of our Internet infrastructure, mapping names to IP addresses. • Service Oriented Architecture (SOA) is a set of requirements and principles to facilitate the development of interoperable software services. • Enterprise Service Bus (ESB) is a type of architecture for facilitating communications between applications or web services in SOA.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Which of the following is not a common network file system service that is typically supported by NAS devices? A. SMB/CIFS B. AFP C. SFTP D. LanMan
12-ch12.indd 497
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
498
2. In zoning discussions, what does pWWN stand for? A. Process World Wide Name B. Port World Wide Name C. Physical World Wide Name D. Packet World Wide Name
3. An ESB consists of which two main components? A. VLANs and a SAN B. Connectors and a routing engine C. Authentication servers and application servers D. Protocol translators and central management
4. Which of the following is not an example of a standardized SOA framework? A. SOAP B. CORBA C. WCF D. LDAP
5. Which of the following regulations is aimed at sensitive information in the healthcare industry? A. FISMA B. HIPAA C. GLBA D. SOX
6. Which of the following sets standards for U.S. government systems? A. FISMA B. HIPAA C. GLBA D. SOX
7. Which of the following is an immediate concern for security professionals when a merger or acquisition occurs? A. When will the activity occur? B. Who will security personnel report to? C. How will the security function change? D. Who will have what access to the critical assets and information owned by
the organization?
12-ch12.indd 498
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
Chapter 12: Hosts, Storage, Networks, and Applications
499
8. Which of the following is the primary security reason for network segmentation? A. To provide centralized control over the network to allow for a more consistent
12-ch12.indd 499
PART IV
monitoring process B. To spread the monitoring of the network out so that it can be conducted more effectively C. To encourage diversity among software and hardware technology to make it harder for attackers to use a single technique to gain unauthorized access D. To separate the network into different pieces so that if a portion of the network is penetrated, the other portions may still remain secure 9. Which of the following standards are considered official? A. De facto standards B. Open standards C. De jure standards D. None of the above 10. Which of the following applications helps manage enterprise resources? A. CMS B. CRM C. ERP D. CMDB 11. Which of the following applications helps manage relationships with customers? A. CMS B. CRM C. ERP D. CMDB 12. Which of the following technologies currently lack standards? (Choose all that apply.) A. IoT B. Blockchain C. Wi-Fi D. Bluetooth 13. Which of the following best describes data that has been collected on foreign soil and is therefore subject to the laws of that particular nation? A. Data ownership B. Data hold C. Data remnants D. Data sovereignty
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 12
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
500
Answers 1. D. LanMan is the hash used by Windows to store passwords in versions prior to NT. 2. B. pWWN stands for port World Wide Name. 3. B. An ESB (Enterprise Service Bus) consists of connectors and a routing engine. 4. D. Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data of directory services—it is not an example of a standardized SOA framework. 5. B. HIPAA is the Health Insurance Portability and Accountability Act. 6. A. The Federal Information Security Management Act sets security standards for government systems. 7. D. One of the most immediate concerns of security personnel is to determine who will have what access to the sensitive information stored and processed by the new organization formed by the merger or acquisition. 8. D. The immediate and primary reason for network segmentation from a security standpoint is to separate portions of the network into various pieces so that if one portion is penetrated, it will give access to only a subset of the entire network. 9. C. De jure standards are considered official standards due to being ratified by standards companies. 10. C. Enterprise resource planning (ERP) systems help manage enterprise resources. 11. B. Customer relationship management (CRM) helps manage relationships with customers. 12. A, B. IoT (Internet of Things) and blockchain still do not have any industry standards. 13. D. Data sovereignty describes data that has been collected on foreign soil and is therefore subject to the laws of that particular nation.
12-ch12.indd 500
11/03/19 7:03 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
13
CHAPTER
Cloud and Virtualization This chapter presents the following topics: • Cloud computing basics • Virtualization basics • Technical deployment models (outsourcing/insourcing/managed services/partnerships) • Security advantages and disadvantages of virtualization • Cloud-augmented security services • Vulnerabilities associated with the commingling of hosts with different security requirements • Data security considerations • Resources provisioning and deprovisioning
Cloud computing and virtualization are textbook examples of how the more things change, the more they stay the same. For IT folks who have been around a while, this new paradigm of centralized computing might seem familiar. A few decades ago, the computing landscape was ruled by centralized mainframe computers. As shown in Figure 13-1, these large and powerful machines hoarded all of the processing, storage, and memory operations to themselves. The user’s computer terminal that sent input to and received output from the mainframe was little more than just a monitor and keyboard. Such minimization of the end-user device gave rise to the term “dumb terminal.” However, living by the mainframe also meant dying by the mainframe. The terminals couldn’t perform any tasks if the single mainframe failed. This dependence on a centralized endpoint became an unsustainable single point of failure. To reduce the risks of this early form of centralized computing, a more decentralized client/server model allowed for a balanced distribution of the computing workloads across clients and servers. As depicted in Figure 13-2, these computers could perform some tasks independently of one another, albeit not nearly as well as when taken together. Although this shifted the focus away from the hierarchal computing model, computing operations were localized to the organizational boundary. While the client/server model is still popular today, the organizational boundary is increasingly viewed as an obstacle in the areas of worker productivity, cost-effectiveness, and team collaboration. To that end, this past decade has seen a groundswell of technological and workplace productivity
501
13-ch13.indd 501
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
502
Figure 13-1 Centralized mainframe model
Mainframe
Dumb Terminals
Figure 13-2 Client/server architecture
Server
Clients
13-ch13.indd 502
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
503
trends including high-speed Internet, personal and mobile devices, teleworking, and telecommuting. These technologies have extended the organizational boundary to wherever the user goes. Many of today’s businesses have a patchwork quilt of desires, including cost cutting, remote worker productivity, and ubiquitous tool access, while maintaining strict control over company assets. Cloud computing and virtualization are the strongest candidates to make all of these goals a reality. They are today’s expression of the centralized ideals that originated from mainframes—only without most of the hassles. Figure 13-3 depicts cloud computing. Although virtualization is not exclusive to cloud computing, its inherent cost savings and administrative flexibilities are the perfect anecdote to the (arguably) radical methodologies of cloud computing. Once again, computing workloads are being aggregated onto central powerful servers with our web browsers presiding over dumb terminals. Unlike mainframes, which limit productivity to a single work area, today’s centralized server and Internet solutions shift the scope of business and worker productivity onto a global stage. Yet, they reduce the single-point-of-failure concerns of mainframes while also dissolving the organizational perimeter to one without boundaries. PART IV
Tablet
Figure 13-3 Cloud computing
Virtual Desktop
Smartphone
Virtual Server
Cloud
Laptop
13-ch13.indd 503
PC
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
504
Cloud computing and virtualization—particularly cloud computing—are polarizing concepts that people either love or hate. To the skeptic, they represent everything that is evil about the world: a conspiracy bringing a mass of wealth, control, data aggregation, data selling, and surveillance to a global cartel of computing superpowers. Not that these concerns are entirely unfounded, but many of our enlightened population are harnessing these computing forces for good—while also securing their organizations from threats in the process. These technologies are not intrinsically evil and, more importantly, they’ve come far enough along in the past decade or so that they are capable of providing a wealth of solutions that positively affect our pocketbook, technology portfolio, personnel options, and, most importantly, business objectives. Like anything else, there are risks, threats, and vulnerabilities—but that is why having comprehensive knowledge of our choices will allow us to tailor-fit the right cloud and virtualization features to the unique security requirements of our organization. This chapter focuses on the integration of cloud and virtualization technologies into a secure enterprise environment. It covers some of the basics of these technologies while also diving into technical deployment models, security advantages and disadvantages of virtualization, cloud-augmented security services, vulnerabilities, data security considerations, as well as resource provisioning and deprovisioning.
Cloud Computing Basics
NIST Special Publication 800-145 defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” With that being about as official a definition as you can get, let’s unpack the key aspects of it:
• Ubiquitous Applications and data are accessible from anywhere. • On-demand Applications and data are accessible at any time. • Shared pool Resources are allocated or deallocated from a dynamic and large pool that is shared by multiple subscribers. • Rapid provisioning Resources are provided in a timely fashion to maximize performance and cost-effectiveness. • Minimal management effort Many cloud vendors provide a comprehensive “managed service” or “managed security service” to reduce the management responsibilities of the cloud subscribers. Cloud computing delivers capabilities and computing resources without the end user having any idea where the resources being used to deliver those services are located or how those resources are configured. Naturally, this makes most security and IT personnel extremely nervous. How do you know those resources are secure? Who is watching them? How secure are they? Where is my data being processed and stored?
13-ch13.indd 504
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
505
Who else has access to it? Let’s examine some of the advantages and possible issues of cloud computing.
Advantages Associated with Cloud Computing In theory, cloud computing should save your organization time, manpower, and money. Although these should be carefully weighed against the potential risks and lack of control, there are some advantages to consider when examining cloud services:
13-ch13.indd 505
PART IV
• Availability Cloud providers invest heavily into their infrastructures to ensure maximum service uptime and speedy recoverability during outages. With cloud services, you often have the ability to recover services quickly and provision instances in multiple data centers to maximize availability. This can usually be done far cheaper (because it’s virtual) than if your organization were deploying physical servers in multiple locations. Look for availability expectations and requirements in the SLA. • Dispersal and replication of data Cloud services can be designed to disperse and replicate data over a range of virtual instances. Although this may increase the risk of losing some data or having chunks of data compromised, it can help to ensure the majority of your data is always available and accessible to your organization. • DDoS protection By design, cloud services should be more resistant to DDoS attacks. If one part of the cloud is under fire, resources can be shifted to service requests from a different part of the cloud—provided the equipment exists and is configured to do so. • Better visibility into threat profiles When configured to do so, a cloud environment can provide a great deal of threat intelligence. A cloud is essentially a big group of servers, and at any given moment some of those servers are being scanned, probed, or even attacked. By monitoring attack traffic carefully, a cloud service provider is able to gain significant visibility into current and rising attack trends. If the cloud provider has a well-trained and competent security staff, they may even be able to better protect your servers in the cloud than you would at your own organization. A cloud provider may be able to identify a rising attack trend and neutralize it before it can reach your virtual servers, whereas your organization may only discover the attack trend when it hits your servers for the first time. • Use of private clouds If your organization is overly sensitive to sharing resources, you may wish to consider the use of a private cloud. Private clouds are essentially reserved resources used only for your organization—your own little cloud. This will be considerably more expensive but should also carry less exposure and should enable your organization to better define the security, processing, handling of data, and so on that occurs within your cloud.
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
506
Issues Associated with Cloud Computing Here are some of the more common issues and potential disadvantages associated with cloud computing solutions:
• Loss of physical control With a cloud solution, your services and data are figuratively in “the clouds” are far as you are concerned. Although you can control which geographical region hosts your cloud services, you may not be able to control exactly how those services are provided. You also may have no way to know if weather, war, or natural disasters will affect the data center supporting you because you likely won’t know which data center it is. • Must trust the vendor’s security model We must ask ourselves and the cloud provider how its cloud is secured, what technologies it is using, and how the cloud is monitored. Increasingly, infrastructure as service models are becoming black boxes to the customer. Subscribers are, somewhat, being forced by vendors to accept that the cloud is being secured and being watched over by competent personnel. However, the onus is on us to verify the cloud provider’s compliance with any regulations such as HIPAA, FIPS, PCI DSS, GLBA, and so forth. • Proprietary models Proprietary technologies will likely come up during your discussions with a cloud service provider. Yes, the provider has a right to protect its technology and its operations, but if a large number of your questions and concerns are answered with, “Don’t worry, we have that covered, but it’s all proprietary so we can’t talk about it,” then consider another provider. Make sure your vendor isn’t using “proprietary” excuses to cover up negligence and incompetence. • Support for investigations If you’re unable to obtain all the answers you need yourself, you may have difficulty getting support from your cloud provider for investigations that require manpower-intense activities such as forensic examination. If your service gets compromised, your data gets corrupted, or you suspect foul play, what support can your cloud provider offer? What is it required to offer? And what will it provide “for an additional fee”? Not everyone considers the “what if ” scenarios critically enough when examining service contracts—but we all should. • Inability to respond to audit findings Any time you outsource a critical service, you give up a degree of access and control. Give up too much, and you may find that you’re unable to adequately address or remediate findings from an audit, such as a PCI DSS compliance audit. • What happens to your data Although major cloud products like Amazon AWS and Microsoft Azure give us increased control over data security and management, don’t assume they all do. You must inquire about the nature of the controls and the responsibilities that lie with the provider and subscriber respectively. You must also inquire about encryption of data in use, in transit, and in storage. How long
13-ch13.indd 506
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
507
EXAM TIP How data is managed, protected, replicated, and deleted are major factors to consider when examining cloud services. You must know how your data is managed and be confident that the cloud-based security matches the criticality and sensitivity of your data.
PART IV
is the data archived? How is it backed up? What happens to your data when you delete it—is it really gone? What happens to your data if you cancel the contract? Data has value—in some cases a great deal of value. Knowing exactly how your data is handled in a cloud service environment is important. If you have specific concerns, be sure they are addressed ahead of time and make sure your service agreement covers any concerns or special requirements you may have. • Deprovisioning When you’ve finished with a project and decide to remove a server from the cloud, migrate from one cloud provider to another, or even cancel a line of service: How is the virtual server deprovisioned? What steps are taken to ensure those virtual machines are reused? Are backups purged as well? How does the provider make sure your presence is well and truly “gone” from that cloud? • Data remnants What happens when that server, or your data, is deleted in the cloud? Are files securely deleted with contents overwritten? Or does your provider just perform a simple delete that may delete the file record but leaves partial file contents on the disk? Chances are your servers and your data resided on the same physical drives as another organization’s servers and data; therefore, the data destruction mechanisms may not be super aggressive. Also, the provider is unlikely to be degaussing drives after you cancel your service and delete your servers. So how can you make sure your data is truly gone and that nothing remains behind when you leave?
Virtualization Basics
In many respects, virtualization is the other side of the coin shared by cloud computing. Virtualization is the act of creating a virtual or simulated version of real things like computers, devices, operating systems, or applications. For example, a hypervisor program can virtualize hardware into software versions of CPUs, RAM, hard drives, and NICs so that we can install and run multiple isolated operating systems instances on the same set of physical hardware. As shown in Figure 13-4, these virtual machines (VMs) behave like separate physical computers; therefore, each VM can contain its own operating system. Virtualization has come a long way since its days spent in test beds and development labs. Organizations that used to swear by racks and racks of dedicated iron are increasingly turning to virtualization to save money, reduce server count, and maximize utilization of hardware. Sounds great, right? Well, that depends on how you look at it. Virtual environments, like any other environment, have their own risks, security concerns, and special considerations. The upcoming sections discuss cloud computing and virtualization in more detail.
13-ch13.indd 507
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
508
Figure 13-4 Virtual machines
VM1
VM2
Applications
Applications
Guest OS
Guest OS
Hypervisor
Hardware (CPU, RAM, DISK, NIC)
Technical Deployment Models (Outsourcing/ Insourcing/Managed Services/Partnership)
This section focuses primarily on the security considerations of cloud computing technical deployment models, while deferring most of the virtualization considerations for later sections. Cloud computing includes a variety of deployment models that permit organizations to strike the best balance between cost, control, responsibility, security, and features. Virtualization can be thought of as a feature of deployment models, particularly in the case of private cloud networks. Organizations will also need to factor in the benefits and security considerations of outsourcing cloud-based and/or virtualization services to a third party, insourcing the security benefits of cloud and virtualization internally, utilizing a managed service provider for security services, or creating a joint cloud venture with partners.
Cloud and Virtualization Considerations and Hosting Options Most cloud computing solutions are Internet based, yet virtualization equally permeates the Internet and on-premises infrastructures of organizations. It can almost be said that all cloud computing involves virtualization, but not all virtualization involves cloud computing. There are many cloud computing hosting options to choose from—some of which may or may not involve virtualization. These options differ in several ways,
13-ch13.indd 508
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
509
including cost, configuration controls, resource isolation, security features, and locations of data, servers, and applications. Although it is easier and, perhaps, more cost-effective for an outsourced Internet provider to deliver these options to an organization, many businesses successfully implement these capabilities on-premises. As you will see, cloud computing is a patchwork of computer networking features as opposed to being a single and entirely new capability in itself. What follows are some of the technical deployment models that security practitioners must choose from to balance the cost, productivity, and security requirements of the organization.
Public
One of the more common reasons to utilize public cloud computing services is the combination of cost benefits and simplicity. The public cloud computing model involves a public organization providing cloud services to paying customers (either pay-as-you-go or subscription-based customers) or non-paying customers. Whereas paying customers typically enjoy more features and security, customers using free services may lose important features like encryption, access control, compliance, and auditing.
PART IV
NOTE Microsoft Azure provides many popular public cloud offerings including Azure Active Directory (AD). This is useful for organizations that want to utilize a cloud-based AD while minimizing or eliminating some of the capital expenses of buying and setting up local AD servers. You can also pair up the Azure AD environment with an on-premises AD to produce a hybrid cloud. You’ll learn more about hybrid cloud models later in this section.
The public cloud provider will generally host all of the services itself, while occasionally offloading some of these services to other providers. Organizations and people gravitate toward public cloud solutions due to the transference of most responsibilities to the cloud provider. These organizations must also exercise caution with regard to public cloud computing due to the inherent security risks attributed to a solely Internet-based solution. Other examples of public cloud products include Amazon Web Services (AWS), Google Cloud Platform, and IBM Cloud. At the time of this writing, AWS is the cloud computing market leader, but the Microsoft Cloud products, including Azure and Office 365, are fast on its heels. Pros and Cons of Public Cloud Computing As with any form of cloud computing, a public cloud has well-known strengths and weaknesses. Here’s a breakdown of pros and cons of public cloud computing: Pros
• Accessibility The infrastructure is immediately available and accessible from clients anywhere at any time. • Scalability Scaling up and out provisions resources at higher and more cost-effective amounts to the customer. This can improve the customer’s own performance and availability requirements, which is an important tenant of the CIA triad.
13-ch13.indd 509
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
510
• Capital expenses The cloud subscriber utilizes the provider’s back-end hardware and thus reduces the need for local server purchases. • Pay per use Like for electricity and water, the customer is typically billed based on resource usage, not necessarily resource availability (the former being more cost-effective). • Economies of scale Large-scale providers can generally produce more output at less cost; therefore, they’re better positioned to secure their infrastructure than private organizations. This, in turn, enhances their capability to comply with numerous security accreditations like HIPAA, FIPS, PCI DSS, SOX, and so on. Cons
• Security and privacy Hackers may target the cloud; customers lose some control over data; and there are inherent vulnerabilities associated with resource sharing. • Performance Fluctuations of Internet connectivity, and the demands of other cloud tenants, can negatively affect performance. • Configuration Some public cloud solutions significantly limit the configuration options available to the tenants. • Reliability Hackers sometimes target cloud networks, thus potentially reducing their reliability.
Private
Whether it’s skepticism of the public cloud’s inherent security challenges or pressure from laws and regulatory requirements, organizations might feel compelled to adopt an internal private cloud. This model allows the local organization to be the sole beneficiary of an infrastructure that duplicates many of the public cloud benefits like on-demand self-servicing, ubiquitous network access, resource pooling, rapid elasticity, agility, and service measuring. The local organization, or a third party, can maintain the on-premises cloud infrastructure. The main component of private cloud computing is that the local organization does not share the benefits of this cloud network with other organizations— hence the term “private.” Many leading technology companies sell private cloud solutions, including Amazon, Cisco, Dell, HP, IBM, Microsoft, NetApp, Oracle, Red Hat, and VMware. For example, a Microsoft private cloud might be composed of a combination of Microsoft Remote Desktop Services (RDS) and Microsoft Hyper-V Server. Pros and Cons of Private Cloud Computing Unlike a public cloud, a private cloud enjoys many of the benefits inherent with on-premises computing environments, but it also has some of its negatives as well. Here’s a list of pros and cons of private cloud computing: Pros
• Control A locally focused cloud infrastructure allows many of the control benefits of an on-premises infrastructure.
13-ch13.indd 510
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
511
• Security With in-house equipment, focus, and control, security postures resemble most other on-premises infrastructures. • Reliability Internet connectivity, or lack thereof, won’t have the same impact to a private cloud as it would public and hybrid cloud configurations. Cons
• Private Since the cloud is not hosted on the Internet, the ubiquitous access benefits typified by public clouds can be more difficult to provide to remote workers. • Capital expense The private cloud is composed of locally owned equipment, thus increasing costs to the organization. • Operational expenses The local organization owns, operates, and maintains the equipment and therefore incurs all of the day-to-day costs of business. • Scalability Organizations might lack sufficient hardware to deal with sudden spikes in resource demand. • Disaster recovery If a data center lacks suitable replication—or an alternate hot site to replicate to—a large-scale disaster event can render that site inoperable. As the name implies, hybrid cloud computing is a combination of multiple cloud models such as the public, private, and community cloud models. An organization might utilize a local server solution in addition to outsourcing other aspects of that solution to a cloud provider. This allows organizations to experience the best of both words, whereby the most critical data is kept on the premises to meet organizational security requirements, while still enjoying the various benefits offered by public cloud computing.
PART IV
Hybrid
NOTE As an example, a university might have a local Microsoft Exchange Server that stores faculty and student mailboxes while utilizing a Microsoft cloud-based Exchange Online solution for alumni student mailboxes. Policies, rules, administration, and data are jointly shared between Microsoft and the local organization. The key element to hybrid cloud computing is the commingling of two or more models. If two models exist as nonintegrated entities, they do not form a hybrid cloud.
Pros and Cons of Hybrid Cloud Computing By not going “all in” with public or private cloud computing, a hybrid cloud shares the strengths and weaknesses of both methods. Here’s a list of pros and cons of hybrid clouds: Pros
• Balance Organizations can use a private cloud for stricter security requirements and a public cloud for less-strict security requirements.
13-ch13.indd 511
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
512
• Cloud bursting As demands for private cloud resources exceed the supply, the organization can redistribute or “burst” the excess demand onto a public cloud to stabilize performance. • Accessibility When users are working remotely, they can easily reach the public cloud as needed. Cons
• Cost The expenses incurred from the private cloud setup offset some of the cost-savings of the public cloud. • Complexity With multiple cloud models requiring a synergistic setup, more knowledge and skills are required for proper configuration, maintenance, and recovery. • Security Although many public cloud computing vendors provide considerable behind-the-scenes security benefits, not all of them do. Plus, not all private organizations are masters of securing private cloud infrastructures.
Community
Community cloud computing is a model that involves a group of organizations that collectively own, share, or consume a common cloud computing infrastructure as a result of mutual interests like software interfaces and security features. For example, a broad network of doctors and hospitals might consume a healthcare-specific cloud computing network that aggregates the input and sharing of electronic health records, data analysis, and HIPAA/HITECH compliance requirements. Due to the depth of interactions between the community of organizations, security policies, controls, and responsibilities need to be established up front to avoid future issues. NOTE One of the market leaders in community cloud offerings is the Salesforce Community Cloud.
Pros and Cons of Community Cloud Computing Community clouds have some pros and cons that security professionals need to be aware of to help organizations make informed decisions. Refer to the following list for the pros and cons of community clouds: Pros
• Cost More cost-effective than a private cloud. • Outsourced Management can be delegated to a third party. • Universal tools The tools are accessible by both suppliers and consumers of the cloud infrastructure.
13-ch13.indd 512
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
513
Cons
• Cost More expensive than a public cloud. • Sharing Infrastructure elements including bandwidth and storage are potentially shared across a pool of organizations.
Multitenancy
If you consider the fact that millions of times a day, all around the world, people line up at shared ATM machines to deposit or withdraw money, then multitenancy isn’t much of a stretch. Multitenancy involves cloud organizations making a shared set of resources available to multiple organizations and customers. The cloud servers will share out a common virtualized environment to multiple tenants while also providing the logical isolation and control set needed by customers. The primary motivation behind multitenancy is the cost benefits to the cloud provider in the form of automated software provisioning and shared resources. When cloud providers save money through these conservation efforts, they pass on those savings to the customers.
PART IV
EXAM TIP Multitenancy has the advantages of cost reduction via resources being shared across clients, single platform management, simplified capacity management, and reduced maintenance complexities due to the shared resource ecosystem. The disadvantages also stem from those shared resources which create a single point of failure, tenant breaches potentially affecting multiple tenants, reduced flexibility from a configuration standpoint, and the greater complexities that come with creating a single environment for everyone.
It is important that the cloud provider allocate adequate resources for the shared spaces of multiple tenants. Resource demands will only go up in the future, and it’s important that individual tenants are equally isolated and provisioned enough with resources to prevent one tenant from hoarding resources at another’s expense.
Single Tenancy
If security requirements dictate increased privacy and isolation of cloud-based resources, single tenancy is the way to go. The cloud provider will grant each customer its own virtualized software environment to ensure more privacy, performance, and control requirements are upheld to a greater standard. This is similar to renting an office building to one company as opposed to multiple organizations occupying separate suites within a building. The prioritization and allocation of resources to a single tenant will increase the cloud provider’s costs; therefore, the customer can expect costs to be passed on to them. NOTE With cost-effectiveness being a critical factor in choosing a cloudbased solution, most customers will opt for the cheaper multitenancy solutions.
13-ch13.indd 513
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
514
On-premises vs. Hosted We have been using on-premises IT infrastructures for decades. For many IT and security personnel, the inherent control and privacy benefits provided by on-premises solutions outweigh the flashier but riskier benefits of hosted cloud computing. Although hosted cloud computing typically provides greater scalability, availability, elasticity, accessibility, and cost-effective benefits, an on-premises (or private) cloud is essentially a modernized version of on-premises computing. An on-premises cloud provides some of the benefits of a hosted cloud, but without some risks. A private cloud might be all the “cloud” such on-premises loyalists can stomach. On the other hand, the people cutting the checks probably won’t care about the practicalities of a Linux server hosted on-premises versus in a hosted cloud. What decisions makers want is for the organization to achieve its business objectives in the most costeffective, simple, efficient, and risk-averse ways as possible. More often than not, hosted cloud environments will provide for all of those deliverables. Whether justified or not, the managerial viewpoint on IT personnel, infrastructures, power and A/C requirements, data centers, and so forth has become strained at best. A growing number of businesses would rather transfer some of those “costs” to a third party and let them worry about it all. NOTE The saying “People don’t want to buy a quarter-inch drill, they want a quarter-inch hole” applies here.
There’s no arguing that on-premises computing comes with the greatest level of control and insight over our digital assets. For many organizations with strict compliance requirements, this might be not only the best option but the only option. Yet, with organizational assets increasingly being outsourced to a hosted cloud environment, organizations are benefitting from the increased focus on business objectives as opposed to sharing that focus with an on-premises infrastructure. Okay, truth time: there’s an elephant in the room, and it’s about time we address it. For the local technical staff, the prospect of outsourced IT and security solutions is generating some anxiety. Many feel outright disdain toward outsourced cloud computing solutions, and who can blame them? Nobody wants to potentially lose their job to someone else—particularly at little to no fault of their own. However, it’s not all doom and gloom because you probably already know exactly what to do—add cloud computing and virtualization to your skillset! Become the provider of the outsourced IT solutions as opposed to the victim of it. Local IT jobs aren’t so much “disappearing” as they are being converted into something new and, possibly, transferred to someone else. Be that someone else! There are more employment opportunities for cloud and virtualization positions than qualified applicants to fill them. We’re living in a new generation of technologies and opportunities. Your preexisting knowledge, skills, and abilities put you in prime position to capitalize on this movement—but only if you are willing to adapt to the new environment.
13-ch13.indd 514
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
515
Cloud Service Models In the previous section we discussed cloud deployment models such as public, private, hybrid, and community clouds. The next step is to go over cloud service models. These are the particular services being offered to us by the deployment models. These services are what the customer directly interacts with and benefits from. A public cloud in itself is really just someone else’s data center. What we’re looking for are the particular software, platform, and infrastructure services being provided to us by that data center.
Software as a Service (SaaS)
When cloud computing providers offer applications to customers to use, they are providing software as a service (SaaS). Common features of SaaS include web-based e-mail, file storage and sharing, video conferencing, learning management systems (LMS), and others. This is not only the most common cloud computing service model but also the one that is designed for end users. The cloud provider has all management responsibilities of SaaS, whereas our job is to simply use the software. NOTE Examples of popular SaaS products include Microsoft Office 365, Google G Suite, Salesforce, Slack, Box, and DocuSign.
Whereas SaaS requires the mere use of the cloud provider’s software within a limited set of confines, platform as a service (PaaS) gives us a lower-level virtual environment—or platform—so we can host software of our choosing, including locally developed or clouddeveloped applications, guest operating systems, web services, databases, and directory services. Although we don’t have direct control over the host operating system, or its hardware, we do have responsibility over the applications and data contained within.
PART IV
Platform as a Service (PaaS)
NOTE Amazon AWS, Microsoft Azure, Mendix, and Oracle Cloud are popular PaaS products.
Infrastructure as a Service (IaaS)
Infrastructure as a service (IaaS) provides customers with direct access to the cloud provider’s infrastructure. This includes resources like processing, memory, storage, load balancers, firewalls, and VLANs. Put another way, IaaS is almost like an outsourced data center. Although we don’t have direct control over the overall cloud infrastructure, we do have control over host operating systems, storage, and various other networking equipment. NOTE Examples of IaaS include Microsoft Azure, Amazon AWS, Google Compute Engine, and Rackspace Open Cloud. In addition, some products provide more than one service model, such as Microsoft Azure and Amazon AWS both offering PaaS and IaaS.
13-ch13.indd 515
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
516
Security Advantages and Disadvantages of Virtualization
Virtualization is a complex topic with security as one of its many components. However, what exactly is virtualization? This section introduces the benefits and disadvantages to virtualization, in addition to tying in all the security advantages and disadvantages inherent in the usage of virtualization.
Advantages of Virtualizing Although most IT departments look at virtualization as primarily a money-saving technology, virtualization does bring some unique capabilities that enhance security, recovery, and survivability. Let’s examine the following advantages of virtualization:
• Cost reduction • Server consolidation • Utilization of resources • Security • Disaster recovery • Server provisioning • Application isolation • Extended support for legacy applications Although some of these seem like considerable advantages, we’ll see later how some of these same capabilities could be disadvantages in the wrong situation. Data centralization is another potential security advantage associated with virtualization. As you move to virtualize servers, the need to store data on specific hardware sets or endpoints can decrease as you migrate toward centralized storage. Centralizing data provides a much smaller attack surface—the fewer places data is stored, the fewer places you have to worry about securing and protecting. If your security staff can focus on a few central data stores, it should have more time to ensure they are patched, secured, monitored, backed up, and so on. CAUTION Consolidation can also bring risks such as a greater impact when a failure occurs, more users accessing the same resources, and the attractiveness of a target with more eggs in one basket. But these disadvantages can usually be overcome with careful planning and good policies, processes, and procedures.
Cost Reduction
Cost reduction is often the overwhelming driver behind virtualization. In theory, a virtualized infrastructure consumes less power, can be managed by a smaller workforce, is easier to manage and maintain, and is more “efficient” in serving your enterprise. Of the factors to consider in cost reduction, the two most often examined and quoted to justify
13-ch13.indd 516
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
517
return on investment (ROI) are reduced power consumption and reduced headcount. Most virtualization projects make the assumption that 100 lightly used physical servers will consume more power than 20 larger, heavily utilized servers. For example, if we assume 100 physical servers with an average of 750 watts per server and a consolidation ratio of 5:1, we might have in excess of $200,000 a year in power and cooling savings with a cost per kilowatt hour of around 10 cents. Some utility companies even offer incentives and rebates for virtualization, which can add to potential cost savings. By contrast, many organizations make the assumption that with fewer physical servers and an “easier” to manage infrastructure they will be able to reduce headcount. This is not always the case—especially if your current staff is not familiar with virtualization. In most cases, you still have the same number of “servers” to manage—they’re just not running on their own dedicated platforms anymore.
Server Consolidation
PART IV
Server consolidation is a typically undisputed benefit of virtualization. The main point of virtualization is to take server instances with 10 to 15 percent utilization off of dedicated hardware platforms and move them to an environment where they share resources. Condensing 100 physical servers down to 20 smaller servers reduces the amount of physical space needed to support business functions—which can be a direct cost savings in overhead if you are leasing data center space. Server consolidation does come at a cost, though—the more you want to consolidate your environment, the “beefier” your virtualization servers will need to be in terms of CPU and memory. Chances are these servers will run at higher utilization and likely produce more heat, which may change the spot cooling requirements for your equipment racks. Organizations will often closely examine virtualization before a major equipment refresh because it can make a great deal of sense to replace 100 old physical servers with a virtualized environment supported by 20 new, more capable servers. EXAM TIP The strongest advantage of virtualization is cost savings—from reduction in energy usage, reduction in hardware platforms, and reduction in personnel.
Utilization of Resources
A primary goal of any virtualization project is to increase the utilization of resources. Prime candidates for virtualization include any dedicated server running at 15 percent or less average utilization. A well-designed virtualization solution takes a whole series of underutilized servers and places them in an environment where CPU and memory can be shared between them. In theory, when we convert these physical servers using only 15 percent of their available CPU resources, we can have four of these virtual instances sharing the same CPU, for a 60 percent utilization average (assuming the servers are not always tasked at the same level at the exact same time). In a similar fashion, RAM can be shared among the same servers. If each physical machine contained 8GB and only used 2GB or less consistently, we could potentially have four of the virtual conversions sharing 12GB, which allows us to dedicate 2GB to each virtual machine and leave 4GB for dynamic allocation.
13-ch13.indd 517
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
518
Security
Virtualization can also have some significant benefits to security. Virtualization makes it far easier to develop production and development baselines because virtual machines tend to use the same “generic hardware.” Production servers can be easily copied or cloned for use in testing of patches, fixes, and so on. Those same virtual servers can be quickly rolled back to a known good configuration in the event of corruption or compromise. Testing of “what if ” scenarios no longer requires the purchase of additional racks of identical hardware. Production environments can be cloned and then safely scanned for vulnerabilities without impacting customers. Instant snapshots of a system’s running state can be taken for forensics or incident response. Virtual machines can be configured to revert to a known good state on reboot. Although some of these seem like considerable advantages, we’ll see later how some of these same capabilities could be disadvantages in the wrong situation. Data centralization is another potential security advantage associated with virtualization. As you move to virtualize servers, the need to store data on specific hardware sets or endpoints can decrease as you migrate toward centralized storage. Centralizing data provides a much smaller attack surface—the fewer places data is stored, the fewer places you have to worry about securing and protecting. If your security staff can focus on a few central data stores, it should have more time to ensure they are patched, secured, monitored, backed up, and so on. Of course, consolidation can also bring risks such as a greater impact when a failure occurs, more users accessing the same resources, and the attractiveness of a target with more eggs in one basket. But these disadvantages can usually be overcome with careful planning and good policies, processes, and procedures. Another security benefit is the hardware abstraction that virtualization provides. Virtual machines have limited direct access to the actual hardware they are running on. The hardware abstraction offered by hypervisors provides each virtual machine with a more “generic” set of “hardware”—a virtual network interface card (NIC) instead of a physical one, filtered (or no) access to peripherals, limited (or no) direct access to disks, and so on. From a security perspective, this means fewer drivers to patch and maintain, less chance of a rogue or infected driver being installed, less chance of certain types of attacks being successful, and less chance of a hardware failure forcing you to modify the configuration of all the virtual machines running on that hardware. If the platform running your hypervisor fails or is compromised, you can easily migrate your virtual machines (VMs) over to a different platform. The hardware abstraction is taken care of at the hypervisor level and should have little to no impact on your VMs.
Disaster Recovery
Disaster recovery can be greatly enhanced by a virtualized environment. In the right environment, virtual machines can be migrated from one platform to another while they are still running (transferring from one data center to another in anticipation of a hurricane, for example). Virtual machines can be cloned, transferred, and redeployed far easier than physical machines because you don’t need identical hardware to stand up a cloned virtual machine—just compatible hardware and the correct version of your virtualization software.
13-ch13.indd 518
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
519
Recovery times with virtualized environments can be in terms of minutes versus hours or even days when restoring an entire server from a tape archive. Virtualization is not a silver bullet—you still must plan for redundancy, migration, failover, failback, restoration, and so on. However, virtualization, when properly implemented, can help speed up the recovery process. EXAM TIP Virtualized infrastructures can typically be restored very quickly in response to disasters, security incidents, and so on. The abstraction used between the hardware and the virtualized systems themselves can greatly reduce recovery times.
Server Provisioning
Application Isolation
Best practices will tell you an ideal scenario is to run one critical service on one server— this decreases the attack footprint of that server, reduces the chance of service A getting compromised through an attack on service B, and so on. With a physical server environment, this is rarely possible because the additional expense is too prohibitive, particularly for smaller organizations. With virtualization and server consolidation, the concept of dedicating a server to a specific critical service becomes a possible reality. Separating critical functions such as web servers, mail servers, and DNS servers onto separate virtual systems allows administrators and security personnel to deploy and configure those virtual servers to support a specific service rather than having to compromise and configure the server to run multiple critical services. You can also isolate sensitive applications to their own servers and tightly restrict access to those servers.
PART IV
Virtualization provides some significant advantages when it comes to server provisioning. Need to add an additional server? With a virtual environment, you can deploy one from a template or clone an existing virtual server in a matter of minutes. This is particularly convenient when you have a set of “master” or “golden” server images in your inventory—you can have a fully patched, production-ready server in a fraction of the time it would take to deploy a new server running on physical hardware. This rapid deployment capability is particularly useful in development environments or for addressing a specific need for additional capacity on a temporary basis.
Extended Support for Legacy Applications
Still running some obscure, custom application on Windows NT and praying the hardware it’s on doesn’t die? You can migrate that NT server over to a virtual environment and potentially extend its use. Although it may take some tweaking with certain hypervisors, older operating systems and applications can often be migrated to the virtual environment far easier than they can to new physical environments. In an ideal world you would be able to ditch ancient operating systems and applications, but in reality, there are cases where you simply have to maintain something well beyond its projected “useful” life. In many cases, virtualization can help you do just that.
13-ch13.indd 519
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
520
Disadvantages of Virtualizing Although it may seem like a very attractive solution, organizations need to carefully consider virtualization and weigh the true costs and potential risks. Let’s examine the following disadvantages of virtualization:
• Hidden costs • Personnel • Server consolidation • Virtual server sprawl • Security configuration
Hidden Costs
When considering the cost benefits of virtualization, organizations sometimes fail to factor in all the upfront costs associated with virtualization. There are licenses for virtualization platforms to buy, new management tools, training costs to get personnel up to speed, a familiarization period in which the organization will likely see decreased performance, and so on. When consolidating, you may need a much “larger” and more powerful server platform than you are used to ordering. Although there will be fewer servers, they will be far more expensive on a per-unit basis. There’s even a chance your preferred hardware vendor doesn’t have the hardware you’ll need or the hardware isn’t supported by the hypervisor you’ve chosen. When examining the cost-benefit or ROI from virtualization, it is critical that companies carefully consider all the costs that will go into the project.
Personnel
Great IT people can do anything—after all, it’s just a server, right? Far too many organizations leap into virtualization without first making sure their existing staff is ready for such a dramatic shift in operations. Virtualization requires a new knowledge set. Not only does your IT staff now need to know how to manage your existing server base (which you just converted to virtual machines), but now they need to learn new management tools, resource planning, management of shared resources such as CPU, disk, and memory, new monitoring tools, and so on. Chances are your organization will need to either bring in new personnel or spend a fair amount of time and money training your existing staff. While your existing staff is adjusting to the migration, they will likely be operating in a less efficient manner until they become more familiar with the new environment. Virtualization also introduces a new layer of complexity with troubleshooting issues or performance problems. The e-mail server is running slowly. Is it the virtual machine, or is the host server overloaded? Network connections are being terminated prematurely on web servers. Is it the virtual machine, or is the physical network interface going bad? Is the cable loose? Is some other virtual machine flooding the interface? This additional layer can make root-cause analysis much more difficult and could even slow down problem resolution.
13-ch13.indd 520
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
521
EXAM TIP While in theory administrative headcount could be reduced through virtualization, in reality this rarely happens. Your staff is still maintaining a large number of servers—they’re just not running on individual hardware platforms anymore.
Server Consolidation
Wasn’t reducing the number of servers a good thing? It can be, but it can also be a fairly significant potential negative. Hardware failures can have a much larger impact when multiple virtual servers are running on a single physical platform. This can be somewhat mitigated through the use of failover technologies, RAID, redundant power supplies, and so on, but it is still a serious risk that becomes more critical as more critical business functions rely on the same physical hardware.
Virtual Server Sprawl
PART IV
Standing up a new physical server is a fairly significant task, whereas standing up a new virtual server is a few mouse clicks. Need a new development server? Click. Need to set up a web server for a marketing campaign? Click. The ease with which virtual servers are created has led to server sprawl in many virtual environments. The ease with which virtual machines can be created presents the very real possibility that your virtual environment can quickly outgrow your organization’s ability to manage it. Fortunately, this is somewhat mitigated by available resources—when you run out of memory and disk space, you can’t create any more virtual servers.
Security Configuration
Does your organization’s security staff know how to secure and monitor a virtual environment? How will they monitor traffic passing from one virtual machine to another inside the same physical platform? Are you separating virtual machines that process and store sensitive data from Internet-facing virtual machines? Can you maintain separation of duties between network and security controls in a virtualized environment? Is there a risk that someone will compromise the virtualization platform itself? And what will happen if that occurs? Will your virtualized environment be compatible with your existing security controls (such as IDS/IPS)? What sort of changes will you need to make to your security strategy? As virtualization continues to grow in popularity, we’ll continue to see a growth in the risks and attacks targeted specifically at virtual environments, including the hypervisor itself. Virtualization carries a whole new set of risks—make sure your organization weighs them carefully and addresses them before setting up a new virtual environment. EXAM TIP Monitoring and managing a virtualized server farm is a very unique challenge that many security personnel will not be familiar with. The ability to create new instances quickly and with little oversight is a significant security risk that comes from using virtualization.
13-ch13.indd 521
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
522
Type 1 vs. Type 2 Hypervisors Now that we’ve discussed some of the generalized advantages, disadvantages, and security considerations brought about by virtualization, we’re going to move on to more specific security objectives. Hypervisors are a critical component of virtualization that also include their own security considerations. Simply stated, hypervisors are thin layers of software that imitate hardware. For example, hypervisor software can mimic the behavior of CPUs so that the “virtual CPU” behaves like a real CPU. The same goes for virtual RAM, hard drives, network interface cards, optical drives, and BIOS/UEFI firmware. As VMs interact with hypervisors, they believe they’re dealing with actual hardware. This illusion created by hypervisors makes it possible to host multiple VMs—which contain guest operating systems—simultaneously on the same hardware. The ramifications of running multiple OSs simultaneously on hardware has spawned entire industries, careers, and numerous practical benefits for organizations and customers alike. Hypervisors vary by type in that they can act as an intermediary between the VMs and the host operating system, or between the VMs and the actual hardware. From the VM’s perspective, there’s no difference. Yet, from our perspective the choice between hypervisor types will influence security and performance outcomes. It is important to understand the pros and cons of the different hypervisor types, which we’ll cover next.
Type 1 Hypervisor
This server-based hypervisor sits between the VMs and the hardware. Type 1 hypervisors are also known as “bare-metal” hypervisors since they directly interact with hardware. Because this hypervisor does not have to communicate through a thick host operating system to reach the hardware, the physical server will have reduced hardware requirements, faster performance, and the increased capacity to run more VMs. The server’s smaller footprint significantly reduces its attack surface; therefore, security is markedly improved. Figure 13-5 shows an example of a Type 1 hypervisor. This is the primary hypervisor running on servers in data centers—forming the nexus of private cloud computing networks for countless organizations. Frequently, these data centers have excess, or unused, servers undergoing the conversion of physical to virtual, which then gets swallowed up by the remaining servers running Type 1 hypervisors. This process is typically known as “data center consolidation.”
Figure 13-5 Type 1 hypervisor
VM1
VM2
Hypervisor
Hardware
13-ch13.indd 522
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
523
NOTE Popular Type 1 hypervisor products include VMware ESXi, Microsoft Hyper-V Server 2016, and Citrix XenServer. VMware has been the virtualization market leader for many years.
Type 2 Hypervisor
Although this type of hypervisor can run on servers, it is more appropriate for clients. Type 2 hypervisors are different from Type 1 in that they communicate with a host operating system, which in turn communicates with the hardware. As a result, the software’s larger footprint will hurt performance and increase the attack surface. Although attackers can inject malware into the VMs of both Type 1 and Type 2 hypervisors, Type 2, as shown in Figure 13-6, has greater malware potential due to it having both the VM and the host operating system at the hacker’s disposal. The extra options leave the computer vulnerable to a total takeover by the attacker. Servers should not tolerate such risks; yet, the more rudimentary needs of clients, such as hardware testing, software testing, training, and application compatibility, make it a suitable fit.
Containers
PART IV
NOTE VMware Workstation/Fusion/Player, Microsoft Client Hyper-V, Oracle VirtualBox, and Parallels Desktop are the top choices for Type 2 hypervisors.
Among other things, containers do for operating systems what VMs do for computers— reduce the number of them. Rather than being an outright replacement to virtualization, containers are a different form of virtualization in which the OS itself (not the hardware) is virtualized into multiple independent OS slices. Containers store application binary and config files, along with dependent software components. In other words, containers isolate apps from one another yet share the same overall operating system. This provides both isolation and performance benefits. Figure 13-6 Type 2 hypervisor
VM1
VM2
Hypervisor
Host OS
Hardware
13-ch13.indd 523
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
524
Figure 13-7 Containers
Container 1
Container 2
Container 3
App A
App B
App C
Binaries/Libraries
Binaries/Libraries
Binaries/Libraries
Container Engine (Docker)
Host OS
Hardware (CPUs, RAM, Disk, NIC)
Microsoft recently debuted its version of the popular and vendor-neutral Docker container engine with Windows 10 and Windows Server 2016. Containers are shown in Figure 13-7. NOTE Not only do Windows and Linux offer containerization capabilities, but most public cloud providers offer containerization as a managed service as well.
As with any form of virtualization, the goal is typically to provide good things in small packages—only in this case good things in even smaller packages. In addition to container virtualization (also known as operating system virtualization), there are other virtualization types, including the following:
• Hardware virtualization • Desktop virtualization • Application virtualization Unlike hardware virtualization, which uses a hypervisor to virtualize a physical computer into one or more virtual machines, containers typically virtualize a shared OS kernel into multiple virtualized kernel slices. Think of each slice as a mini operating system being provided to an application. These slices are presented to users and applications as if they were separate isolated operating systems—when in fact they are only portions of a single OS.
13-ch13.indd 524
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
525
Since having multiple VMs means having multiple OSs, and containers typically share only one OS kernel, containers provide organizations with many benefits, including the following:
• They can squeeze more apps onto servers due to containers sharing an OS versus VMs requiring their own OS. • They can significantly reduce a host’s footprint due to containers sharing one OS. • Containers can be exported to other systems for immediate adoption. • They can reduce host total cost of ownership due to having a smaller footprint to maintain. Such a windfall of capabilities will extend the productivity, life, and usefulness of computers. Diminishing the footprint of the computer also adds the bonus of reducing a host’s attack surface, which will prove to be an attractive option for security professionals and systems administrators. Another type of containerization, rather than sharing a kernel, provides a separate kernel instance to a container residing inside of a VM. This form of containerization commingles the best of hardware-based virtualization with operating system virtualization. PART IV
NOTE According to a study by 451 Research, containers will grow at the rate of 40 percent per year until 2020, when it will become an estimated 2.7-billion-dollar industry.
vTPM A virtual Trusted Platform Module (vTPM) is a piece of software that simulates the capabilities of a physical TPM chip. This is important for VMs because, just like their physical TPM counterparts, vTPMs will allow VMs to provide attestation of their state, generate and store cryptographic keys, passwords, certificates, and provide platform authentication to ascertain its overall trust worthiness. Each VM could have its own vTPM even if the host computer doesn’t have an actual TPM chip. NOTE It is important to note that vTPMs are not a complete replacement for physical TPM chips. There are certain situations wherse vTPMs don’t fully measure up to the certificate and key validation benefits of physical TPMs.
Hyper-Converged Infrastructure (HCI) A hyper-converged infrastructure (HCI) takes converged infrastructures (CIs) to another level. Whereas a CI aggregates vendor-specific compute, network, and storage resources into a single box or appliance, HCI essentially virtualizes CIs into a software-defined solution. Similar to using hypervisor tools to convert physical hardware into virtual instances, an HCI can use a commercial off-the-shelf (COTS) management tool to virtualize and
13-ch13.indd 525
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
526
manage these all-in-one CIs in a more flexible, agile, vendor-neutral, and efficient data center. This helps to simplify the infrastructure as well as reduce rack space, power consumption, and total cost of ownership. Due to the aggregation benefits of HCI, security risks suffer the usual ramifications of centralization. With HCI being an all-in-one management capability, security exploitation only has to compromise the top level in order to breach the entire HCI. With the HCI hardware being managed as one big software whole, it becomes more difficult to individually secure each of its layers. There are several recommendations for securing an HCI, including the following:
• Implement delegation and strong access control for each HCI administrative interface to adhere to the principle of least privilege. • Use a balanced mix of hardware and software vendor products wherever possible to avoid vendor-specific threats, exploits, and vulnerabilities compromising the entire HCI. • Utilize a layered security approach to the HCI to protect it from malware, eavesdropping, unauthorized access, modification, and disclosure of transmitted data. NOTE Companies like Nutanix and SimpliVity (now part of HPE) helped usher in this booming industry. VMware has become a major player with its introduction of the HCI solution VMware vSAN.
Virtual Desktop Infrastructure (VDI) Virtual Desktop Infrastructure is the practice of hosting a desktop OS within a virtual environment on a centralized server (see Figure 13-8). Using VDI, administrators are able to migrate a user’s entire desktop, including operating system, applications, data, settings, and preferences, to a virtual machine. Although similar to other client/server computing models, VDI goes a step further in that it can often be implemented so that remote access is technology independent and, in some cases, allows access from mobile or low-power devices.
Three Models of VDI
The three main models of VDI operate as follows: • Centralized virtual desktops In this VDI model, all desktop instances are stored on one or more central servers. Data is typically stored on attached storage systems such as SANs or RAID subsystems. This model requires a fair amount of resources on the central servers, depending on how many virtual desktops are being supported. • Hosted virtual desktops In this VDI model, the virtual desktops are maintained by a service provider (usually in a subscription model). A primary goal of this model is to transfer capital expenses to operating costs and hopefully reduce expenses at the same time.
13-ch13.indd 526
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
527
Centralized Virtual Desktop
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
C IT RIX NetScaler Serve
r
Directory
Management Server
PART IV
Virtualization Infrastructure
Clients
Figure 13-8 VDI
• Remote virtual desktops In a remote VDI environment, an image is copied to the local system and run without the need for a constant Internet connection to the hosting server. The local system will typically run an operating system of some sort and a hypervisor capable of supporting the downloaded image. This requires more CPU, memory, and storage on the local system because it must support the virtual desktop and the underlying support system. Remote VDI is portable and allows users to operate without constant network connectivity. In most cases, it is required to reconnect periodically to be either refreshed or replaced.
13-ch13.indd 527
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
528
Housing the desktop environment onto central servers reduces the number of assets that need securing as opposed to securing assets that are spread out across an entire organization of computers. However, the reliance on a network or Internet connection to the VDI server can be problematic if bandwidth or connectivity should become impaired. EXAM TIP Know the three main models of VDI: centralized, hosted, and remote.
Terminal Services Terminal Services (or Remote Desktop Services, as Microsoft now calls it) is quite simply a method for allowing users to access applications on a remote system across the network. Depending on the implementation, one application, multiple applications, or even the entire user interface is made available to a remote user through the network connection. Input is taken from the user at the client side (which can be a full-featured desktop system or a thin client of some sort) and processing takes place on the server side (or system hosting the application). EXAM TIP Terminal Services and VDI are different. Under Terminal Services, the user is accessing applications hosted on a remote server. Under VDI, the user is accessing a virtualized desktop platform.
As with any network service, the security of a Terminal Services implementation depends on how restricted access is to the listening service and how well secured and maintained the hosting server is. A Terminal Server by its very nature needs to allow remote access to be useful. When the service is visible to the Internet and untrusted IP addresses (as it usually is), it is crucial to monitor incoming connections with intrusion detection and prevention systems (IDS/IPS) and ensure connections to the service are filtered as much as possible.
Secure Enclaves and Volumes Whether we’re talking data or volumes that contain data, many security requirements call for the encryption of data in use. Since data-in-use encryption solutions are beginning to catch up with encryption solutions for data in transit and data in storage, organizations are increasingly able to ensure that data spends little to no time in an unencrypted state. Much of data-in-use security focuses on protecting a system’s data from that very system. To guard against a compromised OS, secure enclaves use a separate coprocessor (also known as a secure enclave processor) from a device’s main processor to prevent the main processor from having direct or unauthenticated access to sensitive content such as cryptographic keys and biometric information. This coprocessor or secure enclave implements various cryptographic and authentication functions to ensure the user and OS are given authorized access to data.
13-ch13.indd 528
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
529
Securing Terminal Services Here are some simple steps that can be taken to secure Terminal Services:
PART IV
• Force the use of encryption for all connections to the service (VPN, TLS, and so on). • Set time limits on user connections to prevent users from walking away and leaving sessions unattended and unused. • Restrict the number of active connections to prevent flooding of server resources. • Limit capabilities and permissions of users connecting to the service (use per-user permissions, if possible). • Never implement Terminal Services on a server running another critical service (such as SMTP, web server, DNS, Active Directory, and so on). • Encrypt client data on the Terminal Server itself. • Separate applications among multiple Terminal Servers where possible, particularly if the application is open to public traffic. • Filter IP addresses allowed to connect to the services (if possible). • Require strong credentials for logons and implement multifactor authentication where possible. • Restrict the user accounts that can actually log in to the Terminal Service where possible. • Consider preventing administrators from logging in via Terminal Services (push them to log in only via the most secure methods). • Configure account lockout policies to deter brute-force attacks (especially on Terminal Services that are open to the Internet). • Closely monitor log files for failed logins, privilege escalations, or other signs of malicious or inappropriate activity. • Ensure Terminal Servers are patched and maintained.
NOTE iPhones (and their Touch ID capabilities) helped popularize secure enclaves.
In a sense, secure volumes are the opposite of secure enclaves, yet they provide a similar goal—secure data. Secure volumes are encrypted and hidden when not in use, and then decrypted when in use. In the end, the drive is in its most secure state when it needs to be, much like what secure enclaves do for data.
13-ch13.indd 529
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
530
Cloud-Augmented Security Services
All over the world, organizations and customers are placing their data inside cloud computing data centers. Whether the needs include file storage, learning management systems (LMS), online meeting rooms, or virtual machine lab environments, cloud computing has a solution. Considering that such solutions are typically Internet based, what control do we have over the protection of that data? Do we have control or must we rely solely on the cloud provider’s due diligence? Today’s cloud computing market is rife with tools that provide subscribers with various security services and controls like role-based access control for applications and data, auditing of access, strong identification and authentication services, antimalware scanning—essentially all the benefits that stem from on-premises security tools. Not to mention, many cloud providers offer security services that specifically cater to the subscriber’s cloud-hosted data.
Antimalware Similar to using local antimalware tools for on-premises malware scans, cloud-based antimalware tools exist for the detection and eradication of malware in the cloud. Using cloud tools puts little to no burden on the client due to the tools being hosted on the cloud. For this same reason, the cloud antimalware company is also responsible for all application patching, upgrading, and maintenance requirements. Yet, the diversity of vendors and tools will yield varying degrees of control and insight into antimalware operations. Although cloud computing tools have evolved in terms of subscriber controls and capabilities, on-premises tools are likely to yield more control and insight. There’s also the Internet connectivity, or lack thereof, which can be the difference between accessing the antimalware tools or not. Finally, cloud providers continue to attract more malware attention from hackers due to the astronomical amount of data they possess. NOTE Popular cloud-based antimalware tools include Core CloudInspect, Qualys Cloud Platform, CloudPassage Halo, Symantec Cloud Workload Protection, and many others from the same vendors that offer your favorite on-premises antimalware tools.
Vulnerability Scanning Cloud computing environments are just as vulnerable to attack as anything else. In fact, an argument could be made that they are more vulnerable than on-premises environments due to the volume and richness of their data. Take burglary as an example. If the chances of success were equal—would a robber prefer to rob a local convenience store or a bank? They both have valuables, but banks are likely to have even more. It doesn’t necessarily make the bank more “vulnerable,” but the frequency of attacks will affect the frequency of successes just as much as the bank’s relative vulnerability to those attacks.
13-ch13.indd 530
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
531
Organizations need to get ahead of the game with vulnerability assessments. Rather than wait for the black hat hackers to perform vulnerability scans on the cloud network, the cloud providers and subscribers should perform this vital important task early on. The vulnerability scans will proactively reveal many of the vulnerabilities that hackers might exploit—only we’re going to mitigate those vulnerabilities beforehand. That is the primary advantage of performing vulnerability scans. Cloud-based vulnerability scans work like traditional antimalware scans in that the scanning engine will enumerate an operation system, service, or program and then compare what it sees to a database of approved or unapproved signatures, anomalies, and heuristiclike behaviors. These vulnerability lists will stem from not only the cloud vendor’s personal reserves but also from well-known vulnerability databases such as the Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD). NOTE Many vendors have created cloud-based vulnerability scanning tools, including Qualys Cloud Platform, Netsparker Cloud, BeyondTrust’s BeyondSaaS, and ImmuniWeb. As with most cloud-based security solutions, subscribers enjoy the benefits of the tool being hosted online, automated patching, tool upgrades, maintenance, dependable availability, and disaster recovery being the vendor’s responsibility. PART IV
The downside to cloud-based vulnerability scanning is the reliance on the vendor to produce a tool that integrates well with other cloud-based products. Does the tool have access to a reputable vulnerability database like the CVE and the NVD? Does the tool provide strong reporting capabilities? Can it integrate with patch management solutions? NOTE As with many things, the strengths and weaknesses of cloud computing are generally the same thing. Strength—hosted online; weakness—hosted online. Be mindful of this pattern with any IT investment so that you don’t leave any security stones unturned.
Sandboxing Sandboxing allows for the separation of programs or files from a more generalized computing environment for testing and verification purposes. A good example of this is a disconnected sheep dip computer, which is used in highly secure environments for testing of suspicious or malicious files from external media like floppies, CDs, and flash drives before the files can be introduced to the production network. Another more common example involves the usage of virtual machines to provide isolation of files and programs from the host operating system’s point of view. CAUTION Some individuals use sandboxing for more nefarious software piracy reasons like isolating “key generators” and “cracks” inside of virtual machines due to the inherent malware risk they carry. Not only is it illegal to pirate software but it’s also dangerous to your computer. Malware is frequently disguised as software piracy tools that could escape the VM and attack your host OS. Simply stated: do not pirate software!
13-ch13.indd 531
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
532
As with antimalware, vulnerability scanning, and so on, many organizations are utilizing cloud-based sandboxes for application- and file-testing purposes. The benefits of cloud sandboxing include the following:
• Ubiquitous access and availability • Improved scalability • SSL/TLS inspection services • Dynamic back-end reputation database • Cost-effective Downsides to cloud-based sandboxing include possible restrictions within the sandbox, plus incompatibilities with other cloud or on-premises tools. Do your homework before committing to a provider. NOTE When in doubt, choose a sandboxing solution from reputable companies like Symantec, Sophos, Cyren, or Zscaler.
Content Filtering Rather than utilizing a local server for filtering web-based content, organizations can leverage the content-filtering services of a cloud provider. The rules governing the content filtering can be blanketed to the entire organization or controlled on a case-by-case basis. For example, a rule might block social media platforms like Facebook and Twitter while permitting LinkedIn for customer outreach purposes. In other cases, restrictions may be reduced or lifted entirely if appropriate credentials are supplied. The key to this service is not just the content filtering but the fact that it is being outsourced to an Internet-based cloud computing provider. As a result, organizations will enjoy the customary cloud benefits, including scalability, ubiquitous access, patching, upgrades, and maintenance. The downside stems from the relative lack of control in securing the cloud-based application and/or the OS providing the content filtering services. Also, if there are issues with the service, organizations will have to rely on the cloud provider’s knowledge, skills, and abilities to resolve the matter. Such lack of control can prove to be difficult for IT and security professionals.
Cloud Security Broker According to the research firm Gartner, by 2020, 60 percent of large enterprises will use a cloud access security broker. Typically, this is a cloud-based security policy environment that resides between an organization’s on-premises network and some other cloud provider’s network. It helps organizations with cloud policy enforcement, malware protection, DLP services, compliance alignment, and measuring service usage. This is particularly helpful for organizations that are uncomfortable or unfamiliar with navigating the multifaceted landscape of cloud computing. In a sense, cloud security brokers are
13-ch13.indd 532
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
533
like lawyers or investment brokers helping customers out with the complexities of legal or financial systems, respectively.
Security as a Service (SECaaS) As organizations build up trust in cloud organizations, they start relying on them for more services—in this case security services. As the name implies, SECaaS is a series of security services provided to consumers by a cloud provider. Many organizations don’t have full-time security professionals; therefore, they often place their security faith in network or systems administrators. Although highly skilled, such administrators are unlikely to be security experts. Such organizations may be better served to outsource security responsibilities to a managed security service provider. Organizations can derive several benefits from SECaaS, including the following:
For more information about managed security service providers, see Chapter 1.
PART IV
• Cost effective • Dedicated security experts • Reduced in-house management • Malware reputation databases • Faster provisioning
Vulnerabilities Associated with the Commingling of Hosts with Different Security Requirements
Chances are, if you’re operating in a virtual or cloud-based environment, you’re going to have services operating at different trust levels on the same physical resources—for example, an e-mail service running alongside a blog website, which is running on the same physical platform as an e-commerce site. Each of these has a different threat profile and each will have different security requirements. If you are considering operating in this type of environment (or already are), then here are some significant potential vulnerabilities you should address:
• Resource sharing You definitely need to understand how resource usage and resource sharing are addressed by your provider. If you require a significant burst in resources at the same time other clients also need a significant burst, you may end up overloading the cloud and reducing availability for all the applications, unless your provider has taken the necessary precautions. • Data commingling You must understand how your data is stored. Is your CRM data stored in the same database as the content of the Chinchilla farmer’s forum? Are they separate databases but still in the same instance of MySQL? What steps has your provider taken to ensure data from other clients does not mingle with yours or that a breach in another client’s data store does not affect yours as well?
13-ch13.indd 533
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
534
Be sure to consider where the data is stored physically—are your VMs using the same storage devices as other clients? Are you sharing logical unit numbers (LUNs)? • Live VM migration Sometimes the running, or storage, of a VM needs to be migrated to a different host. This can occur during host failures, storage failures, or for maintenance or upgrade reasons. Regardless, the VM is vulnerable during this transitory period; therefore, confidentiality, integrity, and availability controls should be implemented for the VM’s protection. If not, migrated VMs can be hijacked and redirected to other hacker or victim machines for various purposes. • Data remnants What happens when that server or your data is deleted? Are files securely deleted with contents overwritten? Does your provider or on-premises administrator just use a simple delete operation that may delete the file record but leaves partial file contents on the disk? In the case of cloud computing, chances are your servers and your data resided on the same physical drives as another organization’s servers and data. You can pretty much guarantee your provider is not degaussing drives after you cancel your service and delete your servers. So how can you make sure your data is really, really gone and that nothing remains behind when you leave? EXAM TIP You must know exactly how your data is handled and be comfortable that the security in place in the cloud, or on-premises, matches the criticality and sensitivity of your data.
• Network separation Another thing to closely consider is the network configuration in use at your provider. Ideally you would not be sharing a physical NIC with VMs operating in a less secure state than your VMs, but this may not be the case. You should ensure your provider is taking adequate steps to separate your network traffic from other user traffic. • Development vs. production In a physical environment that you control, you can take great efforts to ensure that your development and production environments are not connected. How can you get this same level of assurance in a cloud environment? How can you ensure your production systems are not running alongside another organization’s development systems on the same physical resources? • Use of encryption Encrypting data is good—as long as it’s done properly. You need to know how your provider manages encryption in a multitenant situation. Do all customers share the same encryption keys? Can you get your own unique key? How does the provider handle key storage and recovery? If your data is more sensitive than other tenants, can your provider offer a greater level of encryption and protection for your data? • VM escape Ideally the hypervisor keeps all virtual machines separate—in other words, system A can’t talk to or interact with system B unless you want it to. As with any new technology, new attack techniques are developed, and within
13-ch13.indd 534
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
535
virtual environments “VM escape” attacks are designed to allow an attacker to break out of a virtual machine and interact with the hypervisor itself. If an attacker is successful and can interact directly with the hypervisor, they have the potential to interact with and control any of the virtual machines running on that hypervisor. Gaining access to the hypervisor puts the attacker in a very unique spot—because they are between the physical hardware and the virtual machine, they could potentially bypass most (if not all) of the security controls implemented on the virtual machines. • Privilege elevation Virtual environments do not remove all risk of privilege escalation—unfortunately they actually create additional risk in some cases. The hypervisor sits between the physical hardware and the guest operating system. As it does so, the calls it makes between the guest OS and hardware could contain flaws that allow attackers to escalate privileges on the guest OS. For example, an older version of VMware did not correctly handle the “Trap flag” for virtual CPUs. This specific type of privilege escalation related to the virtual hardware, and the hypervisor would not be present if running an operating system directly on physical hardware. PART IV
EXAM TIP Network separation is often violated by cloud service providers. Having a separate network interface for each virtual machine is often too costly and impractical for hosting providers to follow this best practice.
Data Security Considerations
If you ask a group of cloud cynics what they don’t like about cloud computing, one of the things they’ll point out is the lack of data security. Repeat the same question to a group of cloud evangelists and they’ll likely point to the abundance of data security. So, who’s right? The irony of cloud computing data security is that, in many ways, it is simultaneously more and less secure than on-premises computing. Whereas most organizations implement technology and security in support of their data, the cloud organization’s technology and security are the product itself. As a result, you can expect considerably more investment into these areas than from a non-cloud organization. Since the world is their customer, cloud computing providers often have several or even dozens of compliance accreditations and more servers, engineers, physical security, logical security, environmental controls, failover systems, generators, redundant ISPs, and even redundant data centers. Such investment should improve resistance toward threats. Yet, as we’ll see in the next section, you can be more resistant to threats, but that does not necessarily equate to being hacked less. Despite cloud computing and virtualization infrastructures being some of the largest and most secure in the world, they’re victims of their own success. Many cloud computing vulnerabilities are unraveled due to the cloud’s skyrocketing popularity. The sheer abundance of data housed in cloud computing data centers makes them irresistible to attackers. Hackers are no different from fishermen—they go where the action is.
13-ch13.indd 535
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
536
It is wise to consider the popularity of a cloud and virtualization solution because more popular products are likely to be compromised more. As a result, you’ll have more security bulletins, websites, articles, message boards, and a larger customer base available to you to enhance your knowledge of a provider’s vulnerabilities and exploits. This is crucial for helping security practitioners decide which cloud computing provider is the best fit for an organization’s data security needs. A common source of cloud computing and virtualization vulnerabilities stems from the resource-sharing model they both rely on. For the sake of cost-effectiveness, cloud providers are frequently going to share physical and virtual resources with their customers. This cost savings gets passed on to the customers, but at the customer’s expense of less security and isolation. In the following sections, we discuss a few vulnerabilities common to the single-server and single-platform hosting methods.
Vulnerabilities Associated with a Single Server Hosting Multiple Data Types You’ve just completed a major hosting effort and migrated your organization’s website, mail service, and external DNS services to a large, commercial hosting environment. Taking advantage of this outsourced cloud infrastructure should reduce costs, reduce the burden on the IT staff at your location, and free up some resources to focus on your core business activities, right? It just may, but where did your organization’s virtual machines really end up? Unless you negotiated for your own private cloud, chances are your organization’s virtual instances are running on the same physical equipment as some other organization’s virtual instances. What are those other organizations? How secure are their systems? What type of traffic will they attract? Unfortunately, outsourcing your virtual environment can carry some significant risks, and impacts to another organization’s instances may very well end up impacting yours as well. Here is a sampling of risks and impacts to consider:
• Competition for resources Your virtual instances will be competing for resources with every other instance on that physical platform. Some steps can be taken to limit the amount of CPU, storage, and memory any given instance can use, so make sure your provider has taken those steps. You don’t want your instances to be crawling because another virtual machine on the same physical server is calculating pi to the zillionth digit and using every available CPU cycle. • Network resources Physical servers only have so many NICs. A physical server that is hosting 20 virtual servers may only have two to four NICs. If other virtual servers are hosting very-bandwidth-intensive applications such as video streaming or file hosting, your instances on that physical server can be impacted. Make sure your provider has taken steps to ensure your virtual machines get their share of available bandwidth. • Trickle-down effect If other virtual servers get attacked, your servers could feel the impact as well. Resource-flooding attacks, DDoS, overflows, and so on could affect the load on the physical machine, which in turn affects your virtual systems.
13-ch13.indd 536
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
537
• Traffic filtering between VMs What steps has your provider taken to limit traffic passing between VMs? If a virtual machine gets compromised, does the attacker now have an unfiltered path between the compromised VM and your VMs? • Hardware failure In the physical world, hardware failures are inevitable— make sure your hosting provider addresses the risks to your satisfaction with high availability technology, redundancy, failover capabilities, backups, and so on. Another key to consider here is order of recovery—if the server hosting your organization’s VMs fails and must be recovered completely, what order will the provider recover the VMs in? Is your organization first on the recovery list? Last? EXAM TIP Understand the risks associated with hosting virtual machines from multiple organizations on the same physical platform. Remember our earlier lesson about running simultaneous updates and antivirus scans within a single organization? Now consider managing something like that across multiple companies with no direct business relationships.
Vulnerabilities Associated with a Single Platform Hosting Multiple Companies’ Virtual Machines
PART IV
If your organization is considering hosting virtual machines with an outside vendor, do a thorough investigation of that vendor. Examine its security posture, review its maintenance procedures, and ensure it can address (in writing) your concerns. Ensure your service contract addresses availability, reliability, accessibility, and security.
Didn’t we just cover this? Well, not really—for this discussion, let’s assume “virtualization platform” is the software used to create and operate the virtual environment. The most common virtualization platform is VMware, and it has become the de facto standard for most organizations. Although VMware might be the most popular, there are other wellestablished virtualization platforms such as Microsoft’s Hyper-V, Xen, and KVM. Most of the vulnerabilities associated with the use of a single platform are similar to the ones we just discussed for using a single physical server—attacks can affect VMs other than the one being targeted, failures can affect multiple VMs, an insecure platform can lead to a compromise of all the VMs, and so on. However, there are a few vulnerabilities that apply more to the virtual platform than to a single physical server:
• Misconfigured platform Issues in the configuration of the virtualization platform can have dire consequences for every VM running on that platform. If the platform is not patched, managed, and configured correctly, every VM could be at risk. How often is it updated? How are the network connections segmented? How is the platform itself being secured and monitored? • Separation of duties Are the same people securing, configuring, and operating that virtualization platform? Are those same people also securing and maintaining the virtual machines on that platform? Is the platform ever audited or examined by a third party? When administrators of a virtualization platform make mistakes, cut corners, or don’t follow best practices, they place every VM on their systems at risk.
13-ch13.indd 537
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
538
• Application of security policies to network interfaces At some point the virtualization platform will connect to physical network connections. Although it’s critical to secure those interfaces in accordance with an established security policy, things must be taken one step further when dealing with virtualization platforms. With VMs, network interfaces can be changed and port assignments modified at will. Can the virtualization platform ensure the security policy is applied consistently in such a fluid environment? Does the virtualization platform support or integrate with any security policy management tools? • Access to the platform itself A platform is only as secure as its weakest user. Who has direct access to the virtualization platform supporting the VMs? Can end users access the platform directly? Can they access parts of the platform? The safety, reliability, and security of an entire virtualization platform can be impacted by a single intentional or unintentional user action. NOTE Anything that impacts a single server can be bad, but things that impact the virtualization platform can be infinitely worse. A great platform that is poorly configured and poorly maintained could be a serious risk to your organization—particularly if you are relying on an outside group to maintain and configure that platform.
Resources Provisioning and Deprovisioning
To the extent possible, security practitioners must assist their respective organizations with the provisioning of needed resources and the deprovisioning of unneeded resources. As a general principle, cloud computing and virtualization solutions are designed to automate much of the provisioning and deprovisioning aspects. However, some solutions provide consumers with greater control over operating systems, applications, and data. With respect to organizational security policies and processes, security professionals should follow some best practices with regard to the security of the virtual devices, VMs, and data remnants.
Virtual Devices Many things can be provisioned on a VM, including virtual devices and compute resources like CPUs, RAM, storage, network interface cards, and so forth. Cloud providers will typically control this, but due to customer demands and compliance requirements, customers are increasingly given control over physical or virtual device allocation. A good example of this stems from Microsoft Azure granting tenants the ability to allocate CPUs, storage, and memory to the provisioning of VMs. Once demand is reduced or becomes nonexistent for VMs, allocated resources should be deprovisioned for security and billing reasons.
Data Remnants Despite reassuring terms like file deletion and storage formatting, data is rarely completely destroyed. Any residual data remaining after deletion is known as a data remnant. Considering how cloud-based storage is frequently shared by multiple organizations,
13-ch13.indd 538
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
539
not only is the opportunity for data remnants relatively high, but so is the risk of co-tenants having unauthorized access to data remnants. The trouble with the cloud computing form of data remnants is our lack of physical access to the storage. On-premises environments afford us the ability to eradicate data remnants by physically destroying the storage devices. These physical destruction methods include drive pulverizing or shredding, drilling holes, and degaussing or running magnetics through the drives. With cloud computing, we are likely to be limited to software-based techniques like data overwriting or encryption of the content. Although these can be powerful ways of dealing with data remnants, nothing beats physical destruction. NOTE Due to certain limitations of customer control over data remnants, it is important for SLAs to explain what, if any, mitigations exist for the handling of data remnants. If zeroing out or encryption options are available, we must explore the strongest versions of these techniques to ensure the unauthorized access to data remnants are kept to a minimum.
Chapter Review
13-ch13.indd 539
PART IV
This chapter covered the integration of cloud and virtualization technologies into a secure enterprise architecture. These topics are particularly popular and important; therefore, every effort was made to provide extensive coverage of its many concepts. We began with coverage of cloud computing and virtualization basics by first defining them, followed by covering their advantages and disadvantages. Then we tackled a broader set of topics with technical deployment models and how they can be outsourced, insourced, managed security services, or services shared by multiple organizations. We also talked about cloud and virtualization considerations and hosting options like public, private, hybrid, and community clouds. These options vary in terms of the solution being hosted by a cloud provider for cost-effectiveness, scalability, availability, and simplicity reasons versus being hosted locally for increased control and security—or a combination of hosted versus on-premises varieties. In the case of multitenancy and single tenancy, these considerations delineate the need for cost-effective resource sharing between organizations versus the more expensive but dedicated resource allocation to organizations. We also touched on cloud service models such as software as a service, which provides services aimed at the end user; platform as a service for the developers, database admins, and website admins; and infrastructure as a service for systems and cloud administrators. The next section covered security advantages and disadvantages of virtualization. We touched on the Type 1 bare-metal hypervisors commonly used on servers as well as Type 2 for workstations. We also covered the virtualization of operating systems, which is provided by a relatively new feature called containers. This was followed by virtual TPMs whose benefits are designed for VMs. We covered hyper-converged infrastructures, which take all of the converged infrastructure capabilities and virtualizes them into a software-defined solution. The “Virtual Desktop Infrastructure (VDI)” section covered the hosting of desktop OSs within a virtual environment on a centralized server. Finally, we discussed the data encryption benefits brought about by secure enclaves and volumes.
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
540
The section on cloud-augmented security services started off with coverage of cloud antimalware solutions. With more applications and data moving into the cloud, it became imperative for antimalware solutions to become cloud based. We also covered the importance of performing vulnerability scans on cloud infrastructures to discover and mitigate vulnerabilities before hackers exploit them. Another benefit of cloud-augmented security services is the usage of cloud sandboxes. Cloud sandboxes allow us to upload malware into a cloud-based virtual environment and analyze the malware from a safe distance. Content filtering of unauthorized or restricted web-based content is another service offered by many cloud providers. Cloud security brokers are increasingly helping organizations broker the complexities of policy enforcement and various other security services between cloud providers and their consumers. Speaking of security services, managed security service providers are offering subscribers full-time security services—or more formally “security as a service”—to offset any lack of security skills by cloud consumers. We then covered a relatively brief section on vulnerabilities associated with the commingling of hosts with different security requirements. This includes a vulnerability called “VM escape,” which involves malware escaping a VM through the hypervisor to attack the host computer. Privilege escalation seeks to elevate an attacker’s privileges on a host to execute their malicious software. Live VM migrations can be hijacked in transit by hackers. Last, we covered how data remnants can remain whenever deleted data or software does not result in complete removal of information. The next section focused on data security considerations, starting with the vulnerabilities associated with a single server hosting multiple data types. This was followed by vulnerabilities associated with a single platform hosting multiple data types. With the former, we’re discussing the host machine itself, whereas with the latter we’re focusing on the virtualization technology being used on the machine. The final section covered resource provisioning and deprovisioning of virtual devices and data remnants. With virtual devices, care must be taken to ensure their proper allocation, in addition to timely removal. Data remnants must be minimized or destroyed to the extent possible to ensure separate organizations aren’t coming across data that doesn’t belong to them. Chapter 14 delves into concepts that are equally important in cloud, virtualization, and everything in between—authentication and authorization. Whether we’re talking about login and access to cloud-based systems, federated environments, virtual machines, or on-premises systems, powerful authentication and authorization mechanisms must be put into place to properly ascertain the identification, authentication, authorization, and access control mechanisms needed to provide secure access to resources. Providing good guys with the required access to resources while denying the bad guys access is what good security is all about.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
13-ch13.indd 540
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
541
Cloud Computing Basics • According to NIST, cloud computing is defined as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” • Advantages of cloud computing include availability, dispersal and replication of data, DDoS protection, better visibility into threat profiles, and the use of private internal cloud networks for those organizations that are more risk averse or have heightened privacy and security requirements. • Disadvantages of cloud computing include the loss of physical control over assets, having to trust the vendor’s security model, possible proprietary models, lack of support for investigations, the inability to respond to audit findings, uncertainty of data handling, poor deprovisioning of unneeded resources, and data remnants.
Virtualization Basics PART IV
• Virtualization is the act of creating a virtual or simulated version of real things like computers, devices, operating systems, or applications. • Hypervisors can virtualize hardware into software versions of CPUs, RAM, hard drives, and NICs, so that we can install and run multiple isolated operating systems instances on the same set of physical hardware.
Technical Deployment Models (Outsourcing/ Insourcing/Managed Services/Partnership) • Public cloud computing involves a public organization providing cloud services to paying customers (pay-as-you-go or subscription-based) or nonpaying customers. • Private cloud computing allows the local organization to be the sole beneficiary of an infrastructure that duplicates many of the public cloud benefits like on-demand self-servicing, ubiquitous network access, resource pooling, rapid elasticity, agility, and service measuring. • Hybrid cloud computing is a combination of multiple cloud models such as public, private, and community cloud models. • Community cloud computing is a model that involves a group of organizations that collectively own, share, or consume a common cloud computing infrastructure as a result of mutual interests like software interfaces and security features. • Multitenancy involves cloud organizations making a shared set of resources available to multiple organizations and customers. • Single tenancy grants each customer their own virtualized software environment to ensure more privacy and performance and that control requirements are held to a greater standard.
13-ch13.indd 541
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
542
• Organizations must choose between using hosted cloud solutions versus on-premises solutions. • Hosted cloud provides greater scalability, availability, elasticity, accessibility, and cost-effective benefits. • On-premises or private cloud provides the organization with greater control over assets to ensure privacy. • The three primary cloud service models are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). • SaaS offers applications for end-user consumption. • PaaS gives us a lower-level virtual environment—or platform—so we can host software of our choosing, including locally developed or cloud-developed applications, guest operating systems, web services, databases, and directory services. • IaaS provides customers with direct access to the cloud provider’s infrastructure, including compute resources like CPUs, memory, storage, and so forth.
Security Advantages and Disadvantages of Virtualization • Cost reduction is often the overwhelming driver behind virtualization. • Server consolidation seeks to condense underutilized servers by converting their OSs to virtual machines and then moving them to an environment where they share resources. • Utilization of resources maximizes hardware productivity and minimizes waste. • Baselining of VMs, and then cloning them, leads to improved standardization in production environments. • Disaster recovery is easier and more productive with VMs being easily cloned, migrated, transferred, recovered, and redeployed as needed. • Provisioning of servers is enhanced due to the creation and cloning of VM templates for future deployment needs. • Application isolation is made easier due to VMs having their own OS. • Legacy applications are more easily supported in VMs due to the VM supporting older OSs. • Disadvantages of virtualization begin with hidden costs such as licenses, new management tools, training costs, and more powerful hardware to support server consolidation. • Personnel are often undertrained for the virtualization of an organization. • Server consolidation can lead to multiple VM outages during hardware failures. • Virtual server sprawl results from too many VMs being created and not eventually removed.
13-ch13.indd 542
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
543
PART IV
• Security losses can occur if IT and security staff are unfamiliar with the specifics of virtualization security. • Two hypervisor types exist: Type 1 and Type 2 hypervisors. • Type 1 hypervisors are server-based hypervisors that sit between the VMs and the hardware. • Type 2 hypervisors are client-based hypervisors that sit between the VMs and the host operating system. • Containers virtualize the operating system into multiple slices so that applications receive similar isolation benefits as with VMs, but with a drastically reduced hardware footprint. • Virtual TPMs (vTPMs) are pieces of software that simulate the capabilities of a physical TPM chip in order to provide VMs with TPM-like capabilities. • Hyper-converged infrastructures (HCIs) virtualize converged infrastructures into a software-defined solution. • Virtual Desktop Infrastructure (VDI) is the practice of hosting a desktop OS within a virtual environment on a centralized server. • Terminal Services is a method for allowing users to access applications on a remote system across the network. • Secure enclaves and volumes provide various cryptographic capabilities for the protection of OSs, applications, and data.
Cloud-Augmented Security Services • Antimalware solutions exist in the cloud to scan, detect, and eradicate malware from the cloud. • Vulnerability scanning involves scanning the cloud environment for various vulnerabilities that are eventually mitigated. • Sandboxing allows for the separation of programs or files from a more generalized computing environment for testing and verification purposes. • Content-filtering engines exist in cloud environments to prevent access to unauthorized or restricted websites. • Cloud security brokers are cloud-based security policy environments that reside between an organization’s on-premises network and some other cloud provider’s network. • Security as a service (SECaaS) is a series of security services provided to consumers by a cloud provider. • Managed security service providers are third-party organizations that provide dedicated security services to cloud subscribers.
13-ch13.indd 543
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
544
Vulnerabilities Associated with the Commingling of Hosts with Different Security Requirements • Resource sharing can lead to overburdening of server resources due to unexpected demands between tenants. • Data commingling can lead to unintentional sharing of data between tenants if proper isolation techniques are not observed by the cloud provider. • Live migrations are susceptible to session hijacking while the data is in transit. • Data remnants may result due to a lack of sufficient data deletion techniques by the cloud provider. • Network separation may be inadequately provided to the tenants by the cloud provider, which can lead to inadvertent crossover of tenant traffic. • Development and production environments may not have the same level of disconnection from one another as that provided on-premises environments. • Use of encryption may be improperly managed, thus making data more vulnerable to cryptoanalysis attacks. • VM escape is when malware escapes the VM, goes through the hypervisor, and attacks the host computer. • Privilege escalation allows attackers to enhance their privileges on a system to run more powerful attacking tools.
Data Security Considerations • There are many vulnerabilities associated with a single server hosting multiple data types, including competition for resources. • Network resources are scarce; therefore, virtual NIC or bandwidth shortages can take place. • The trickle-down effect of attacks to the physical host, or against other tenants, may result in negative impact to your own VMs. • Traffic filtering between VMs may be inadequate, thus allowing malicious traffic to pass between VMs. • Hardware failures can lead to VM outages. • There are many vulnerabilities associated with a single platform hosting multiple companies’ virtual machines, including a misconfigured platform. • Separation of duties needs to be observed to prevent any cloud engineer from having an excess of privileges that could lead to extensive failures when mistakes take place. • Application of security policies to network interfaces is needed to prevent unnecessary or insecure modifications to network interfaces. • Access to the virtualization platform itself needs to be carefully controlled.
13-ch13.indd 544
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
545
Resources Provisioning and Deprovisioning • Cloud and virtualization resources need to be provisioned as needed, and deprovisioned when no longer needed, for maximum productivity and cost-effectiveness. • Virtual devices involve the allocation of compute resources like CPUs, RAM, storage, network interface cards, and so forth. They must be provisioned and deprovisioned in a timely manner. • Data remnants must be kept to a minimum, or eradicated completely, to prevent disclosure of sensitive data to unauthorized parties.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Which of the following is the most likely factor for most organizations when considering virtualization? B. Cost reduction C. Personnel
PART IV
A. Security
D. Performance
2. Your organization is looking to consolidate 20 physical servers into a virtualized infrastructure. Each physical server contains a 2 GHz processor with 8GB of RAM and averages 50 percent memory utilization and 17 percent CPU utilization. At a minimum, how many 2 GHz processors will you need in your virtualized infrastructure to handle this CPU load? A. 2 B. 3 C. 4 D. 5
3. Which of the following is an advantage of separate physical servers over virtualized servers? A. Reduced recovery times. B. Hardware failures only affect services on a single platform. C. Better use of computing resources. D. Significant energy savings.
13-ch13.indd 545
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
546
4. Your organization is considering migrating a group of 100 physical servers to a virtualized infrastructure using a 5:1 consolidation ratio. If each of the physical servers costs $0.50 a day to power and cool, and the virtual servers will cost $2.25 a day to power and cool, how much money every 30 days will your organization save in power and cooling costs by virtualizing? A. $50.25 B. $110.00 C. $150.00 D. $155.25
5. You’ve been asked to create an initial configuration for the server that will be used in an upcoming virtualization project. Which of the following hardware platforms would be the most logical choice if reliability and redundancy are the primary concerns? A. Dual 2.5 GHz Xeon, 128GB non-ECC RAM, RAID 5, redundant power
supplies B. Dual 2.5 GHz Xeon, 128GB ECC RAM, RAID 0, redundant power supplies C. Single 2.5 GHz Xeon, 128GB non-ECC RAM, RAID 0, redundant power supplies D. Dual 2.5 GHz Xeon, 128GB ECC RAM, RAID 5, redundant power supplies 6. You’ve been asked to configure the antivirus and patching schedules for 100 virtualized servers running on 10 physical virtualization servers. If patching and antivirus scanning take 30 minutes per server, how long will it take to update/ scan all 100 virtual machines, assuming no more than two are patching/scanning at the same time on any given virtualization server? A. 1.5 hours B. 2.5 hours C. 3 hours D. 4 hours 7. Traditional security approaches might not be effective in a virtual environment for which of the following reasons? A. Network traffic can pass between virtual machines without leaving the virtualization server. B. Virtual machines can be rolled back to potential vulnerable states within minutes. C. Third-party tools might not be able to interact with the hypervisor to see memory, CPU usage, and so on. D. All of the above.
13-ch13.indd 546
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
547
8. Which of the following is not a potential vulnerability associated with hosting multiple companies’ virtual machines on a single physical server? A. Hardware failure B. Resource flooding attacks C. Competition for resources D. Double-tagging
9. Which of the following is not a virtualization platform? A. Xen B. ISA C. Hyper-V D. KVM
A. Password audit B. Software inventory C. PCI compliance audit
PART IV
10. You are reviewing service contracts for potential cloud providers and want to ensure the provider has adequate response support for auditing findings that may require changes to your cloud environment. Which of the following activities might generate a significant number of actionable audit findings that would require support from your cloud provider?
D. Antimalware scan
11. When implemented correctly, cloud services can provide some degree of protection from what type of attacks based on the inherent nature of cloud services? A. DDoS B. Buffer overflows C. Brute-force attacks D. Man-in-the-middle attacks
12. When reviewing a cloud services contract, which provisions should you consider regarding the storage and handling of sensitive data? A. Encryption of data at rest B. Separation of data from other organizations C. Encryption of data in transit D. All of the above
13-ch13.indd 547
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
548
13. While designing your organization’s disaster recovery plan, you are asked to weigh the advantages of cloud services over a traditional “warm” site. Which of the following advantages of cloud computing will allow your organization to recover faster in the event of a disaster than if your organization was using a “warm” site? A. Resiliency and resistance to DDoS attacks B. Dispersal and replication of data C. Provisioning of instances in multiple data centers D. Private clouds and encryption of your organization’s data
14. Your organization is terminating its contract with a cloud services provider. To ensure your data is removed completely from the cloud environment, you should ask the provider to attest to removal of your data from which of the following? A. Tapes and other removable media B. Backup systems C. Instances in multiple data centers D. All of the above
15. Which Virtual Desktop Infrastructure model would you recommend for use in an environment where network connections are not completely reliable? A. Hosted virtual desktops B. Remote virtual desktops C. Centralized virtual desktops D. Public cloud
16. Which of the following hypervisor types involves the guest OS communicating with the hypervisor, which then communicates with the host OS? A. Type 1 B. Type 2 C. VMware ESXi D. Type 3
17. Your organization wants to deploy an e-mail server with the most important mailboxes stored on-premises and less critical mailboxes stored on a hosted cloud environment. Which of the following selections should you choose? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud
13-ch13.indd 548
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
Chapter 13: Cloud and Virtualization
549
18. Which of the following are common vulnerabilities associated with commingling of hosts with different security requirements? A. VM escape B. Privilege escalation C. Live VM migration D. Data remnants E. All of the above
19. Your organization has begun an enterprise-wide physical-to-virtual (P2V) conversion of its collaboration servers. You want to implement a security feature that will attest to the state of the virtual machine, generate and store cryptographic keys, passwords, and certificates, and perform platform authentication. Which of the following is the best answer? A. Hypervisor B. TPM C. UEFI
20. Containers are increasingly being implemented in order to provide similar application isolation benefits to that of VMs but with significantly reduced hardware requirements. Which of the following virtualization types best describes containers?
PART IV
D. vTPM
A. Hardware virtualization B. OS virtualization C. Desktop virtualization D. Application virtualization
Answers 1. B. Cost reduction is often the overwhelming factor for most organizations when considering virtualization. 2. C. The calculated load is 6.8 GHz, and to achieve this load you must have 8 GHz, or four CPUs at 2 GHz each. If 20 servers have 2 GHz CPUs, which equals, in a sense, 40 GHz in total, they are collectively running at 17 percent utilization. Therefore, if you multiply 40 GHz by 17 percent, you get an effective 6.8 GHz across all servers combined. 3. B. When separate physical servers are in use, hardware failures tend to only affect the services running on the physical server in question. 4. C. $150 is the correct amount. The physical servers cost $1,500 to operate over a 30-day period, and the virtual servers cost $1,350 over a 30-day period. 5. D. The server with dual 2.5 GHz Xeon, 128GB ECC RAM, RAID 5, and redundant power supplies provides the most reliability and redundancy.
13-ch13.indd 549
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 13
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
550
6. B. If each system takes 30 minutes, you have 10 virtual servers on a physical server, and you run two virtual servers at a time, it will take 2.5 hours to update/scan all 100 servers. 7. D. All are reasons that traditional security approaches may not be effective in a virtual environment. 8. D. Double-tagging is a vulnerability associated with VLANs. 9. B. ISA is not a virtualization platform and, in security circles, often stands for Internet Security and Acceleration Server (a Microsoft product). 10. C. A PCI compliance audit has the potential to generate a significant number of actionable audit findings that require changes to supported encryption levels, handling of client input, and so on. 11. A. By the nature of their design, cloud services can provide natural protection from DDoS attacks. When the services are spread out over multiple data centers, it becomes much harder for an attacker to overwhelm the available resources. 12. D. When reviewing a cloud services contract, you should ensure the contract addresses encryption of data at rest, separation of data from other organizations, and encryption of data in transit. 13. C. Provisioning of instances in multiple data centers is a natural advantage for cloud services when it comes to disaster recovery. Warm sites have similar equipment, but do not typically have the data or applications required to be a full-fledged “hot” site. When multiple instances are provisioned in a cloud, you essentially have “instant” recovery, as the chances of all those instances being disabled by the same disaster decreases as you create more instances in multiple data centers. 14. D. All of the above. You should ask your cloud provider to attest to the removal of your organization’s data from all tapes and removable media, backup systems, and instances in multiple data centers. 15. B. Remote virtual desktops typically run an image of the remote desktop on local resources. If the network connection is lost, users can still continue to work under this model. 16. B. Type 2 hypervisors use a host OS as the intermediary between the hypervisor and the hardware. 17. C. Hybrid clouds typically utilize a connected combination of public and private cloud computing. 18. E. VM escape, privilege escalation, live VM migration, and data remnants are all examples of vulnerabilities associated with commingling hosts with different security requirements. 19. D. vTPMs allow VMs to utilize many of the benefits of physical TPMs, including attestation to the state of the VM, generating and storing cryptographic keys, passwords, and certificates, and performing platform authentication. 20. B. Containers are an example of OS virtualization because the host OS is being broken down into multiple kernel slices, which simulates the appearance of multiple OSs.
13-ch13.indd 550
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
14
CHAPTER
Authentication and Authorization This chapter presents the following topics: • Authentication • Authorization • Attestation • Identity proofing • Identity propagation • Federation • Trust models
Since time immemorial, people have stood upon their soapboxes and declared, “I am me.” Predictably, others countered with, “Okay, well how do I know that?” This was once a relatively straightforward question to answer because the users, devices, and resources were generally housed in the same building or, at worst, in separate company buildings. Plus, hackers weren’t nearly as numerous and powerful as they are now. As a result, authentication requirements weren’t very strict or complicated in nature. This is a more challenging question today because the access control landscape has to account for a greater level of benefactors and threats. Consider the following:
• We have billions of users and devices. • Technology no longer augments worker tasks but rather is the center of all tasks. • Users are working from everywhere. • Users have several devices, including personal and business desktops, laptops, smartphones, and tablets. • These devices may have mixed OSs and applications. • These devices may have mixed security requirements and configurations. • Users are accessing on-premises and cloud-based resources. • Users are connecting through public and private wired and wireless networks. • Organizations are connecting to other organizations, including the cloud, for resource-sharing purposes.
551
14-ch14.indd 551
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
552
Access control is no longer a simple thing. It must be, to say the least, surgical to accommodate all of these competing demands—not to mention that we have to account for the contrarian dynamics of access being secure and easy to use, social networking that maintains privacy, customers becoming the products, and user accounts being located at one company while the resources are at another. Today’s challenge is to expand on the fundamental authentication and authorization pillars with the latest advances in single sign-on (SSO), federation, and authorization protocols so that only the rightful users of accounts are granted the requisite levels of access to company assets—regardless of where those assets may be. Hackers are equal parts clever and tenacious; therefore, you will have to exercise every tool at your disposal to ensure that user accounts and access are not breached. Since an organization’s facilities, equipment, programs, and data are valuable—and oftentimes sensitive—access must be tightly controlled. It begins with businesses identifying and properly classifying their assets, determining which departments and roles are entitled to access those assets, and then placing the appropriate users into those roles. After the resources and users are properly organized, privileges are granted to the roles or the users belonging to the roles. This will help establish privilege expectations and barriers for who is supposed to have access. Comparatively, one could argue that the fundamentals of access control aren’t that difficult. The more problematic aspect is the accurate determination that the individual who claims to be an authorized user actually is that user. How does a system truly know that the person claiming a certain identity really is that person? Is a correct password all an attacker needs to impersonate an authorized user? The first section will warm us up with coverage of authentication fundamentals, and subsequent sections will tackle the more advanced topics.
Authentication
Identification and authentication are often mistakenly used as interchangeable terms. The reality is these are two different steps of the same process. Here’s a breakdown of these two important components:
• Identity The account entity that a user, device, or service is claiming to be. For example, “jsmith” is the identity for John Smith. It is what makes one user, device, or service account different from others. Identities and accounts are terms often used interchangeably. For the purposes of this discussion, we’ll focus on user identities. • Identification The process of a user, device, or service claiming an identity. As a common example, when a user wishes to log in to a server, they supply their username to the server in the form of “jsmith”. The user’s action of stating or claiming to be “jsmith” is known as identification. To be clear, identification only covers the “claiming” of an identity. However, anyone can claim to be someone; therefore, verification of the claim is an important next step.
14-ch14.indd 552
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
553
• Authentication The process of verifying the legitimacy of a claimed identity. If users claim to have a certain identity, authentication is how a system determines if the claimed identity really belongs to the individual making the claim. For example, John Smith supplements the “jsmith” identity with the password of “P@ssw0rd” to the server. The server then verifies that the “jsmith” username and “P@ssw0rd” password are a valid match. If username/password is the only authentication client, the server will be satisfied that the “jsmith” user account is being used by a legitimate and authorized user. This process is obviously flawed because if someone else has the “jsmith” password, the server will still consider the identification and authentication process successful.
Authentication Factors
PART IV
Authentication factors are unique categories of credentials that allow the determination that a user is who they claim to be. The strength of an authentication system can be equally attributed to its variety as well as complexity. Although it’s important to have longer and more complex passwords, pairing up passwords with smart cards is a more significant upgrade than merely converting a weak password into a stronger one. Passwords and smart cards are examples of authentication factors, and two different ones at that. This section will cover the different types of authentication factors. Although authentication covers user accounts, device accounts, and service accounts, we’ll primarily focus on user accounts for the purpose of these discussions.
Knowledge Factors
Knowledge factors authenticate users based on something the user knows that no one else is likely to know. For example, passwords, personal identification numbers (PINs), passphrases, and challenge responses (mother’s maiden name) are all examples of knowledge factors. Passwords are, by far, the most common knowledge factor; therefore, this section will focus on it. When the user’s account is created, or their password needs to be changed, the user is given a unique opportunity to choose the password. Since the user is expected to craft this password in secret—while utilizing various complexity, length, and nondisclosure practices—no one else but the user should know the password. A common example of a user being authenticated based on a knowledge factor is when the user correctly logs in to a smartphone using a PIN. EXAM TIP Don’t confuse varieties of a factor with varieties of factors. Passwords and PINs are two examples of the same factor (knowledgebased), not examples of two different factors. Pairing up passwords with a second factor such as smart cards (possession factor) will suffice as twofactor authentication.
14-ch14.indd 553
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
554
Despite the popularity of knowledge factors, they are also considered the weakest form of authentication due to the relative ease of hackers cracking or stealing passwords. To mitigate this risk, the following password recommendations should be observed:
• Password length Just adding one extra character to a password makes it exponentially more difficult to crack. Strive for a comfortable minimum password length, typically between 8 and 12 characters. Upper limits of 16 characters are common, but anything substantially longer will likely be counterproductive. Keep in mind that longer passwords may result in more account lockouts, password resets, and passwords being written down. This reduces security rather than improving it. • Password complexity A password that utilizes at least three of the four unique character sets (uppercase, lowercase, numbers, and special characters) is typically said to be complex. Complexity requirements typically bake in minimum password lengths as well, but that is generally handled by a separate passwordlength policy requirement. • Passphrases Rather than creating passwords that are too complicated to remember, you might create passwords that are easier to remember while also being longer. These passwords are generally a collection of words as opposed to random strings of characters. For instance, “ThisIsAReallyReallyL0ngP@ssw0rd” is an example of a passphrase. If done correctly, these can be nearly impossible to crack while being relatively easy for users to remember. • Password frequency Passwords should be changed every one to three months, or less, to outpace hacker cracking efforts. There are some branches of the military that change their passwords as frequently as every 10 days. The frequency of password changes should be balanced with the difficulty of remembering passwords, increased account lockouts, and calls to the help desk. • Default passwords In other words, don’t use common default passwords. Many websites catalog the most popular common passwords (much like baby name books), so you must ensure that your default passwords are globally unique and quickly changed. Hackers use these websites; therefore, you might counter with blacklisting the default passwords on these sites. • Encryption Passwords should be encrypted in storage and in transmission; otherwise, hackers will have an easier time obtaining them. • Multiple factors When combined, two or more factors of average strength offer more security than a single factor of greater strength. At minimum, combine passwords with smart cards or use PINs with fingerprint scans. • Password vaults These vaults store passwords in an encrypted format, not only for security’s sake, but also for SSO purposes as well. The downside is if the attacker compromises any of the passwords in the vault, they are likely to inherit the same one-password-for-all-resources access that the victim(s) enjoyed.
14-ch14.indd 554
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
555
• Password policy Password policies should mandate much of the preceding recommendations while also teaching users how to avoid disclosing their passwords to others. NOTE The key to a healthy password policy is balance. If password complexity, frequency, or length is too short or too long, security is nullified. Find the balancing point where security is suitably achieved without sacrificing user productivity.
Possession Factors
Possession factors authenticate a user based on something only that user is likely to possess. In the non-CASP sense, think of everyday items that we keep close to the vest, like keys, ID badges, bank cards, driver’s licenses, social security cards, birth certificates, and passports. In the world of CASP+, possession factors can be broken down into objects that interface with the computer either directly (connected tokens) or indirectly (disconnected tokens).
PART IV
Connected Tokens Connected tokens are objects such as smart cards and USB tokens that must be physically connected to the computer to function. Smart cards contain memory chips that store private user data such as certificates and private keys, which allows the user to be authenticated by a server without having to input any information. To protect against smart card loss, PINs are added to provide a two-factor or multifactor solution. Although smart cards themselves are cheap, the smart card readers that plug into a computer can be expensive and are therefore avoided by some organizations. In contrast, USB tokens are more affordable and less complex because they plug directly into a USB port and don’t require extra hardware purchases. Disconnected Tokens Disconnected tokens are not physically connected to the computer at all. Users typically hold these tokens, which generate a pseudorandom code on their built-in screens—which is then entered into a secure login screen for authentication purposes. NOTE A common example of a disconnected token is the RSA SecureID token, which is popular with the government and military. This device uses an algorithm that typically generates a unique code at fixed intervals every 60 seconds. This same algorithm is used on a secure server often at a remote location (for example, an e-mail server).
Inherent Factors
Inherent factors identify human-based characteristics that are physiologically or behaviorally linked to the individuals themselves. Physiological characteristics identify “something you are,” whereas behavioral characteristics identify “something you do.” These characteristics are inherent to the users regardless of their knowledge of information or possession of objects.
14-ch14.indd 555
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
556
Physiological Characteristics Physiological characteristics are unique to each individual. A biometric system is needed to scan and collect a sample of a person’s hand, finger, face, eyes, DNA, or even a vein, which gets stored in a database. For example, when people place their finger on a fingerprint reader, the captured fingerprint gets compared to the known copy stored in the database. If the submitted sample matches the database copy, the system authenticates the user. Here are some examples of physiological characteristics:
• DNA scan Although still in its infancy and designed for ultra-secure environments, this scan method promises to be extremely accurate and relatively foolproof due to the uniqueness of the human genome. A blood test containing a subject’s genetic profile may be necessary to gain admittance to an area or access secure systems. • Facial scan This scan records facial features such as the nose, chin, forehead, and the contours of eye sockets. • Fingerprint scan This scan captures the impression from the ridges of a person’s finger. • Iris scan This scan type identifies the colored ring-shaped portion surrounding the pupil of the eye. This is widely considered the most preferred biometric method due to the iris being internal, being randomly generated during early human development, producing minimal false-positive and false-negative outcomes, and being compatible with certain eyewear like contacts and glasses. • Palm scan This scan is designed to capture the palm and all fingers, including all lines, wrinkles, and ridges in the palm. • Retina scan Unlike an iris scan, a retina scan captures the unique patterns of blood vessels in the retina. Although common, this method measures up poorly to other biometric methods, especially in comparison to iris scans, due to issues with accuracy and user friendliness. • Vascular scan Somewhat similar to a retina scan, vascular pattern recognition is a type of scan that typically involves scanning the blood vessels from a person’s fingers, palm, or face. Behavioral Characteristics Behavioral characteristics use biometric systems to scan and collect samples of what the person does. Although not as plentiful as behavioral characteristics, the following are some behavioral samples:
• Keystroke biometrics Describes the unique typing pattern of an individual. This includes speed, pattern of keys used, pace, pauses, and transitions between keys. Even if the user types the password correctly, they may be denied access if the keystrokes don’t match the stored keystroke pattern. • Voice recognition Also known as speaker recognition, this scan type identifies the speaker through the acoustic features of speech that are uniquely shaped by an individual’s throat and mouth, plus the behavior patterns of speaking inherent in pitch and speaking style.
14-ch14.indd 556
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
557
• Mouse dynamics People use computer pointing devices differently. Some favor the left button versus right button for single- and double-clicking. Other behaviors captured and examined are time of day usage, length of usage, pointer sensitivities, cursor types, middle wheel usage, and more. These are all factored into an individual’s mouse movement profile. • Signature dynamics Captures a person’s writing pattern, which includes usage of X and Y spatial coordinates, pen/pencil pressure, as well as acceleration and deceleration patterns. • Cognitive biometrics Rather than “non-reactive” biometric methods such as fingerprints and iris scans, cognitive biometrics measures a person’s cognitive (state of mind) response to external stimuli such as a photograph of a family member, music, or other object. It’s like a lie detector test since a person’s brain will react to a song they like in a consistently positive and predictable way regardless of intention.
Certificate-Based Authentication PART IV
Digital certificates are standard digital containers used to pass information between parties. A digital certificate contains at a minimum a Distinguished Name (DN) and an associated public key—with the entire certificate being signed by a trusted third party. Certificates are used to pass public keys between parties, and through the application of public key cryptography, identity can be established. Assume Alice wishes to verify her identity to Bob. She can pass her certificate with her public key to Bob, and he can do the same in return. Using the public keys, the two entities can pass a secret to each other that only they can read. Using a handshake, the two parties not only can determine the veracity of the other’s identity, but can also generate a session key used to secure the communication channel. EXAM TIP The certificates are created and formatted based on the X.509 standard, which outlines the necessary fields of a certificate and the possible values that can be inserted into the fields. X.509 version 3 is the most current version of the standard.
Certificate-based authentication systems require a fairly extensive infrastructure in the form of public key infrastructures (PKIs). They are also subject to various threats, including certificate theft and man-in-the-middle-type attacks. In spite of some of these difficulties, certificate-based authentication is still the most widely used method of authentication on the Web. HTTPS connections are examples of certificate-based authentications. Certificate-based authentication can address the authentication issues via hierarchies of trust. The use of a PKI establishes a trust relationship between an entity and the certificate authorities it chooses to trust. If a trust relationship can be established between a trusted Certificate Authority (CA) and the CA issuing the certificate of the user in question, then the certificate can be assumed to be valid.
14-ch14.indd 557
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
558
SSL/TLS Certificate-Based Authentication Certificates are used to establish SSL/TLS-based connections. High-assurance SSL uses a combination of an extended-validation SSL certificate and a high-security browser. This enables a method to differentiate between levels of certificate trust, with extended validation certificates representing greater trust. This provides reasonable assurance for the end user that the entity they are connecting to is indeed the entity represented by the URL. Note that this is still single-sided authentication and is subject to man-in-themiddle attacks. Eliminating this attack vector would require a mutual authentication methodology, where both sides of the communication authenticate themselves. The issue with adopting this solution Internet-wide is one of scale. Although there is a limited number of banks and other servers one would connect to via SSL/TLS, the number of individual clients is many orders of magnitude greater, thus dramatically increasing the scale challenges of PKI for the server side of the mutual authentication chain. Figure 14-1 illustrates an SSL/TLS handshake, showing the use of certificates to validate identity in a single-sided authentication. One of the advantages of using certificatebased authentication with systems such as SSL/TLS is the integration of the methodology into browsers and applications, making it transparent to the end user. Here’s a detailed explanation of the SSL/TLS process: 1. The client sends to the server the client’s SSL version number, cipher settings, and session-specific data. 2. The server sends to the client the server’s SSL version number, cipher settings, session-specific data, and its own certificate. If the resource requested requires client authentication, the server requests the client’s certificate. 3. The client authenticates the server using the information it has received. If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. 4. The client encrypts a seed value with the server’s public key (from certificate— step 2) and sends it to the server. If the server requested client authentication, the client also sends the client certificate. 5. If the server requested client authentication, the server attempts to authenticate the client certificate. If the client certificate cannot be authenticated, the session ends. 1
5
2 4
3
6
8 9 7
Client
SSL session
Server
7
Figure 14-1 SSL/TLS handshake
14-ch14.indd 558
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
559
6. The server uses its private key to decrypt the secret and then performs a series of steps (which the client also performs) to generate a master secret. The required steps depend on the cryptographic method used for key exchange. 7. Both the client and the server use the master secret to generate the session key, which is a symmetric key used to encrypt and decrypt information exchanged during the SSL session. 8. The client sends a message informing the server that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished. 9. The server sends a message informing the client that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished. 10. The SSL handshake is now complete and the session can begin.
Single Sign-On PART IV
Single sign-on (SSO) is a subset of a federated identity management system where a user’s credentials are trusted across multiple distinct systems. SSO can be accomplished through a variety of mechanisms, including Kerberos-based systems, token-based systems, and separate applications. In each of these cases, the role of SSO is to connect a user to a collection of authentication tokens via a single set of credentials convenient to the user. Kerberos is a common authentication system that is used in both Windows and Linux systems. By definition, when users log on to a Kerberos system and get a Ticket-Granting Ticket (TGT) and then use that ticket to get service tickets, they are participating in a form of SSO. The Kerberos-generated TGT acts as a set of credentials that is then manifested in other systems via the service tickets. A token-based system is one where access to the SSO is via a token, as opposed to a password-based mechanism. Tokens, whether they are one-time password (OTP) or smartcard based, are used to increase security levels over standard password-based mechanisms. The risk of unauthorized access is reduced from threats directed at weaknesses of password systems, but the rest of the SSO security is not generally affected. The use of third-party applications ranges from custom web-based solutions deployed in enterprises to act as SSO gateways, to systems such as OpenID. Facebook can even be used as an SSO. EXAM TIP SSO has both advantages and disadvantages. The advantages of SSO include reduced password fatigue, reduced time entering credentials across multiple systems, reduced IT help desk costs from password resets, and centralized auditing of authentication activity. The primary disadvantage is that the failure of security of the SSO credentials can result in the loss of the “keys to the kingdom” (that is, all of the user’s connected accounts).
14-ch14.indd 559
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
560
802.1x The IEEE 802.1x standard is a port-based network access control method that prevents users from connecting to a network until they are authenticated. Although originally designed for wired networks, the standard equally applies to wireless networks. If left alone, Ethernet switches and wireless access points will gladly handle all authentication requirements for wired and wireless devices, respectively. However, networks have far too many of these devices to easily standardize ID verification, access control, and auditing capabilities for the enterprise. To mitigate this, Ethernet switches or wireless access points can be configured to yield these responsibilities to a central authentication point such as Remote Authentication Dial-in User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) servers for processing. These are also known as Authentication, Authorization and Accounting (AAA) servers since they specialize in ID verification, access control, and auditing capabilities. AAA servers don’t merely standardize security but also enhance it through the use of powerful protocols and methods like EAP-TLS, PEAP-TLS, certificates, PKI, and hardware-based authentication methods. The 802.1x authentication involves three components:
• Supplicant The wired or wireless device attempting a network connection. • Authenticator The Ethernet switch or wireless access point that initially receives the supplicant’s connection attempt, which then gets redirected to an authentication server. • Authentication server The RADIUS or TACACS+ centralized authentication point that receives the authentication attempt from the authenticator and processes any AAA policies. EXAM TIP RADIUS (vendor neutral) is an older standard designed for overseeing dial-up networks and therefore isn’t as feature-rich or secure as TACACS+ (Cisco proprietary). RADIUS uses UDP, encrypts only passwords, and combines authentication and authorization processes, whereas TACACS+ uses TCP, encrypts entire data packets, and separates authentication, authorization, and accounting processes into separate steps. DIAMETER was designed to replace RADIUS (note the math humor here!) but it never took off due to lack of hardware support.
Context-Aware Authentication Imagine a situation where a hacker correctly types a victim’s password but is denied authentication anyway. Context-aware authentication builds on conventional authentication methods by also considering the user’s technological and environmental characteristics (patterns)—all of which are known to the context-aware authentication system.
14-ch14.indd 560
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
561
Although there are variations in context-aware authentication requirements, passwords will be buffered by additional authentication criteria such as the following:
• Trusted device • Time of day • Geographical position • Time zone • Installed OS • Installed apps • Running processes Since it would be difficult for the hacker to impersonate all of the user’s patterns, authentication is more persuasively assured.
Push-Based Authentication PART IV
Quick, what’s an easy way to implement a possession-based authentication solution without having to buy the users anything? Simple—leverage their smartphones. Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) have one compelling attribute to them, and that is people are only too happy to spend several hundred dollars on a device that never leaves their pocket. What does this have to do with push-based authentication? Push-based authentication takes advantage of smartphones by pushing out a special access code to the user’s device that the user must input to a form in order to authenticate to a system. Let’s say you want to create a Microsoft Office 365 E5 trial account. Microsoft will ask you for your mobile phone number so it can text you a code. Once you input the code, you are able to complete the Office 365 trial subscription process. Having the phone (possession) and the code (knowledge) will serve as a type of two-factor authentication. Any form of two- or three-factor authentication is better than one-factor authentication.
Authorization
The whole point of authentication is to help us reach a point where we can decide what, if any, resources the identified individual should be granted access to—and the level of access they be granted to said resources. Authorization spells out the “what” and the “how much” access the authenticated user should be granted. This section will cover more modern authorization topics such as OAuth, XACML, and SPML. NOTE Authorization practices are often implemented through methods such as discretionary access control (DAC), role-based access control (RBAC), rule-based access control, and mandatory access control (MAC). These were already covered in Chapter 2, so we will not repeat them here.
14-ch14.indd 561
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
562
OAuth OAuth is a token-based authorization standard that permits an end user’s resources or account information to be shared with third parties without their password also being shared. This is extremely common with social media applications like Facebook, Twitter, LinkedIn, and Foursquare. NOTE OpenID and OAuth are often confused with each other and mistakenly used interchangeably. OpenID is a protocol for authentication, whereas OAuth is for authorization. In other words, OpenID decides who you are, and OAuth decides what the authenticated identity can do.
Say you’re logged in to the Salesforce website and looking to apply a signature to a form. Another party, DocuSign, sends you a dialog box requesting permission to access certain information from your Salesforce account—while also being able to perform requests on your behalf at any time. Upon clicking “Allow,” you have granted DocuSign (a third party) the necessary permissions to acquire data and perform signatures through the Salesforce website. Here’s a brief summary of OAuth technical steps: 1. DocuSign directs the user to a Salesforce authorization page where Salesforce prompts the user to allow or deny DocuSign permission to Salesforce.com resources. 2. User clicks Allow, which advises the Salesforce authorization page that DocuSign will be permitted to exercise certain permissions on the Salesforce website on behalf of the Salesforce user. 3. The Salesforce authorization page generates an authorization token that is then sent to DocuSign. 4. DocuSign connects to Salesforce.com with the authorization token and exercises its granted permissions on Salesforce (chiefly the right to collet some Salesforce data and apply DocuSign digital signatures on behalf of the Salesforce user).
XACML Based on XML, the eXtensible Access Control Markup Language (XACML) defines an access control policy language to standardize the exchange of security policies and access privileges between web vendors. XACML has been ratified by the OASIS standards organization and is currently in draft as version 3.0. The primary purpose of XACML is to translate simple statements—such as “Can John Doe access his own medical records at ACME Hospital?”—into a machine-readable format that can be used across multiple vendors, thus automating the access control policy process. EXAM TIP XACML consists of a hierarchy of policysets containing policies composed of rules. The components of a rule include a target, an effect (permit or deny), a condition (optional), obligations, and advice.
14-ch14.indd 562
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
563
SPML Service Provisioning Markup Language (SPML) permits the sharing of user, resource, and service provisioning information among a group of organizations. The objective of SPML is to enable organizations to quickly set up user interfaces for web services in an automated manner. The use of an open standard enables vendor neutrality and reduces custom provisioning interfaces.
Attestation
PART IV
Attestation is the act of certifying some element to be true and doing so in a fashion that provides a form of evidence as to its authenticity. Attestation with respect to authentication involves the use of standards and messages. For instance, when using certificatebased authentication, one can attest to the validity of the certificate, and based on the trust relationship established by the PKI chain, one can attest to the authenticity of the binding of the public key to the named entity on the certificate. Then, based on the principle that the private key is indeed still private, if not revoked, the validity of signed objects is demonstrated. The use of a standards-based system to manage the delivery of credentials addresses implementation issues. If we have two cases of attestation—one performed by someone saying “Trust me, it’s true” and the other backed by standards and proven protocol exchanges designed to provide traceable trust—it is obvious which method one should trust.
Identity Proofing
At first glance, identity proofing looks a lot like authentication. After all, if authentication is the process of verifying IDs, then identity proofing is, well, proofing identities, right? Yes, but the contexts of these two topics are quite different. Let’s look a little deeper. For authentication to happen, the user must already have credentials. For example, an employee named John Smith has a username of “jsmith” with a password of “P@ssw0rd”. As a result, John Smith can attempt to log on to a system with those credentials, which then gets authenticated by a server. However, what happens prior to John Smith receiving these credentials? More importantly, how does he earn his credentials in the first place? That’s where identity proofing comes in. Identity proofing verifies people’s identities before an organization issues them accounts and credentials. At the beginning of John Smith’s employment, he had to go through an identity proofing process to prove to the organization that he actually is John Smith. This involves either submitting proofs in person or remotely. In more crucial scenarios, in-person identity proofing is needed for physical submission of critical documents like a social security card, birth certificate, driver’s license, passport, and proof of address. For less critical scenarios, remote online identity proofing can be performed by e-mailing some or all of the same important documents. After John Smith has successfully completed the identity proofing process, the organization feels comfortable enough to generate a user account identity on John Smith’s behalf with a corresponding password—that John Smith changes at first login. Not only has John Smith passed the identity proofing test, but him changing the password to one
14-ch14.indd 563
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
564
that only he knows provides strong assurance that successful logins with the John Smith account must have been initiated by him. NOTE Remember, authentication takes place after a user has acquired credentials, whereas identity proofing takes place before a user acquires credentials.
Identity Propagation
Many organizations have applications that share information and workloads with one another while having different authentication engines. This can be a challenge when an identity from one authentication source wishes to access resources located at another authentication source. A possible solution is to distribute identities across disparate authentication systems in what is known as identity propagation. Assuming all parties support distributed identities and have a trust relationship with one another, identity propagation seeks to exchange identity information between dissimilar authentication systems while preserving the properties of such identities. Exchanging identities across different authentication systems also helps to preserve audit trails. IBM’s Customer Information Control System (CICS) supports identity propagation.
Federation
Advanced authentication tools, techniques, and concepts are important elements of an enterprise security program. All processes in IT systems operate under the context of an ID. Identity management begins with an identification step to establish an ID and then a series of management steps to utilize the ID. The management steps include the authentication, authorization, and maintenance of IDs. In simple standalone systems, all of these functions are handled by an operating system. In complex enterprises, different elements are utilized to handle different aspects of identity management. Federated identity management involves a common set of policies, practices, standards, and protocols used to manage the processes involved in identifying users and managing trust relationships in distributed IT systems. The objective of federated identity management systems is to permit users from one domain to seamlessly use that domain’s credentials to access resources located at another domain without having to resort to a separate identity verification step involving user interaction. Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data. In a federated system, there is a need to exchange authentication and authorization information between Identity Providers and Service Providers. An Identity Provider can offer assertions that can be used by a Service Provider in the course of ensuring appropriate access control functions. Identity management systems begin as simple password/authentication/access control mechanisms on individual systems. As the number of interconnected systems grows, a need arises for a unified, centralized management structure. A federated approach is one
14-ch14.indd 564
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
565
that provides authentication and authorization information across multiple distinct system boundaries. Identity management systems are complex sets of components, including elements that manage identities, provision/deprovision accounts, implement access control mechanisms, implement protocols, and utilize standards. NOTE Federated identity management does not guarantee security in itself. Federated identity management is an extremely broad topic with numerous solutions—and each has its own security profile. It is important to understand the security requirements, the security capabilities of the federated solution, and how they can be connected into a secure solution.
SAML
Figure 14-2 SAML components
PART IV
SAML is a standard for exchanging authentication and authorization information between security domains. Developed by OASIS (an international consortium that drives web service standards), the current version of SAML is 2.0. This version unites SAML 1.1, the Liberty Alliance Identity Federation Framework, and the Shibboleth 1.3 Framework under a single framework. SAML is defined in terms of assertions, protocols, bindings, and profiles (see Figure 14-2).
Profiles Collection of specific Bindings, Protocols, and Assertions
Bindings Mapping of SAML onto standard messages
Protocols Requests and responses of assertions
Assertions Authentication, attribute and entitlement information
14-ch14.indd 565
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
566
SAML is built using existing industry standards. This enables widespread application and adoption with a minimum of additional foundational elements. The standards used in SAML include the following:
• Extensible Markup Language (XML) Base standard of SAML. • XML schema SAML assertions and protocols. • XML signature Used for SAML digital signatures. • XML encryption Used in SAML 2.0 to provide for encryption capabilities. • Hypertext Transfer Protocol (HTTP) SAML’s communications protocol. • SOAP SAML uses SOAP 1.1 to move objects via HTTP. EXAM TIP Advantages of SAML-based authentication include the following: Platform neutral Improved user experience Strong commercial and open source support Reduced costs
SAML works as shown in Figure 14-3. A user requests authentication from an Identity Provider (IdP), which becomes an asserting party across a trust relationship to a Service Provider (SP), which then can use the asserted credentials in making an access control decision concerning the user.
Identity Provider (IdP)/Asserting party
Trust relationship
Authentication
Service Provider (SP)/ Relying party
Access services
Figure 14-3 SAML-based authentication
14-ch14.indd 566
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
567
OpenID OpenID provides users with a mechanism to consolidate their various digital identities. OpenID is an open standard that connects end users, OpenID providers (OPs), and relying parties (RPs), and allows end users to be authenticated in a decentralized manner. This eliminates the need for each service to provide its own authentication mechanism and for users to access multiple systems. OpenID systems operate around the mechanism of an OpenID provider (OP) that offers a service to enable end-user communication of credentials to relying parties. An end user establishes an identity relationship with an OP. Then, when the end user wishes access to a website that allows OpenID connections, they can provide a reference to their established identity with the OP. The website (RP) uses the OpenID information provided by the end user to establish a connection to the OP. The end user then has the option of providing credentials and trust for the RP to use them. If both are positive, the authentication is considered valid.
Shibboleth PART IV
Shibboleth is an open source and web-based federated identity solution that is very popular worldwide. It facilitates an organization’s users to use only one account and authentication process to access web-based resources that are located across different organizations or divisions. Universities commonly use SSO products due to their geographical spread, complexity, and concentration of users. Shibboleth allows users to log on one time with their usual—let’s say Active Directory—user account to access resources located at different parts of the shared federation between the user’s organization and the resource’s organization. The local organization maintains and authenticates the local user and then controls the transmission of authenticated user information to the other organization, which then handles the resource authorization steps. Shibboleth’s identity provider and service provider are implementations of the SAML protocol—which handles the exchange of authentication and authorization information between said identity and service providers. SSO products can be confusing, so let’s take a look at the following list of Shibboleth components for simplification:
• Home organization The local organization that contains users who wish to access resources located at other resource organizations. • Resource organization The resource organization contains the resources to be accessed by users located at the home organization. • Home user A user whose account is located at the home organization and wishes to access resources located at the resource organization. • Web browser Web-based software used by the home organization’s user to access resources located at the resource organization. • Target resource The resource that is located at the resource organization.
14-ch14.indd 567
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
568
• Identity provider The identity service that is located at the home organization and is responsible for authenticating local users who wish to access resources located at the resource organization. This service is also responsible for directing the authenticated user information to the resource provider. • Service provider Located at the resource organization, this service is responsible for protecting its resources by requiring users from other home organizations to be authenticated and then redirected to the resource organization for authorization to protected resources. • Discovery service Occasionally needed by service providers to locate other identity providers. Now that we’ve covered the building blocks of Shibboleth, let’s see the process of a user requesting access to a resource. Shibboleth’s process of using SAML to grant access to federated resources is as follows: 1. The user attempts a connection to the resource organization in order to access resources. 2. The resource organization’s service provider generates an authentication request, which then gets sent, along with the user, to the home organization’s identity provider. 3. The identity provider authenticates the user and generates an authentication response, which then gets sent, along with the user, to the resource organization’s service provider. 4. The service provider validates the authentication response and then permits access to the user’s requested resource.
WAYF Where Are You From (WAYF) is a centralized SSO implementation frequently used by university federations to anchor resource access between federated partners. Unlike some SSO methods, WAYF acts as a proxy between federated identity providers and service providers. See Figure 14-4 and the following process: 1. A home organization user sends a communication request to the federated partner’s service provider. 2. The federated partner’s service provider directs the user to a WAYF management service. 3. The WAYF service then asks the user, “Where are you from?” Based on the answer, the WAYF service directs the user, along with an authentication request, to the user’s identity provider located at the home organization.
14-ch14.indd 568
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
569
Web Client
Figure 14-4 WAYF diagram
WAYF
W
AY
W
FR
AY
ep ly
FR
eq ue st
Attempt connection to Service Provider
Service Provider
Authentication Request Authentication Reply
Identity Provider
5. The service provider processes the authenticated information and then authorizes the user’s resource access.
PART IV
4. The home organization’s identity provider then authenticates the user and, based on user consent, forwards the authenticated information to the federated partner’s service provider.
Trust Models
Before we dive into trust models, let’s warm up with a quick analogy. How can a stranger abruptly show up at a nightclub, present a driver’s license to the security guard, and gain admittance in a manner of seconds? The answer is, in a word, trust. The security guard trusts the DMV’s identity proofing and authentication requirements, and the DMV provided the customer with a driver’s license due to compliance with those requirements; therefore, the security guard trusts that the customer is who they say they are. The DMV driver’s license system allows quick ID verification and exercise of privileges with little to no hassle. Each state government has its own group of DMV locations (hierarchical trust model), and licenses issued by one state are also valid in other states—or even in some other countries (cross-certification trust model). Imagine if state-issued IDs are taken out of the equation, and various nightclubs formed a shared ID system with each other and the customers; this would be akin to a peer-to-peer trust model. With that as the backdrop, let’s take a look at some trust models such as hierarchical, cross-certification, and peer to peer. Then we will delve into some more particular examples such as RADIUS, LDAP, and Active Directory.
14-ch14.indd 569
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
570
Hierarchical Trust Model Trust models define the unique relationships between issuers and recipients of digital certificates. Although unlikely, some organizations have a single live Certificate Authority (CA) server that issues all certificates within an organization. More commonly, security and scalability concerns will call for the implementation of a hierarchical trust model. This model involves a tiered or hierarchical group of servers collectively issuing certificates to subjects, while also fostering trust among them. The hierarchical trust model begins with the root CA, which is at the center of the public key infrastructure (PKI). It generates a public/private key pair and then digitally signs its own certificate with its hidden private key. In other words, “I am the root CA because I said so.” For security reasons, the root CA is taken offline; meanwhile, one or more subordinate CAs are created to perform the daily certificate issuance, verification, and revocation duties. Subordinate CAs can also be broken down into lower-level subordinate servers, thus forming a third layer or level in the hierarchy. The root server represents the first level, whereas the second-level CAs might be based on region, and the third-level CAs might be based on specific purpose, such as issuing certificates for smart cards, IPSec, EFS, and so on.
CA Trust Chain
As a simple example, to create the necessary hierarchical trust, the root CA digitally signs the subordinate CAs’ certificates, and the subordinate CAs will digitally sign the certificates they issue to subjects, such as the example.com domain. In other words, customers will trust the www.example.com website because the ABC subordinate CA server signed the www.example.com certificate, and the ABC subordinate CA server should be trusted because its certificate was signed by the ABC root CA server. Since customers trust the ABC root CA server, they will implicitly trust all servers and resources beneath it. Trust relationships are extended down the hierarchy but verified up the hierarchy. If you were to connect two or more hierarchical PKIs together, you would have a crosscertification trust model. In other words, the CAs or subordinate CAs from one hierarchy trust the CAs or subordinate CAs from another hierarchy. Whether resulting from partnerships, acquisitions, or mergers, organizations often merge their PKIs in order to facilitate web-based resource access without having to rebuild the PKIs from the ground up. Despite the convenience benefits of cross-certification, it doesn’t scale well due to the complexity that results from more servers having to explicitly trust more servers.
Peer-to-Peer Trust Model Rather than having PKIs creating a centralized hierarchy of trust relationships that begin/ end with the root CA, e-mail protocols such as PGP and OpenPGP utilize a peer-to-peer trust model. This model uses a decentralized approach, where all resource form trust relationships directly with all other resources. No one server has the single responsibility
14-ch14.indd 570
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
571
of knowing everyone else; rather, each server or resource can vouch for the others in a mesh-like topology. This is achieved by each server signing all other servers’ certificates. This helps to avoid the single points of failure common with PKIs if, for example, the root or subordinate CAs should be compromised or unavailable.
RADIUS Configurations With incarnations dating back to the early 1990s, the Remote Authentication Dial-In User Service (RADIUS) Internet protocol began as an AAA server back in the dial-up networking heyday. RADIUS servers, which generally use port 1812, served as a “big brother” to dial-up servers by centrally managing remote access policies for an organization’s (or ISP’s) group of dial-up servers. Organizations often had many dial-up servers, or the servers were geographically spread out; therefore, a centralized solution was needed to reduce complexity while easing administration. This is an example of a successful dialup connection using RADIUS: 1. User initiates authentication to the dial-up server. 2. Dial-up server responds with authentication requirements dictated by the RADIUS server’s AAA policy. 4. Dial-up server delivers user’s reply to the RADIUS server for verification. 5. RADIUS server responds with Accept, Reject, or Challenge, which gets sent back to the dial-up server.
PART IV
3. User replies with required authenticated information.
6. Dial-up server passes the server’s Accept, Reject, or Challenge response to the client. The client’s connection is either allowed, disallowed, or pending an additional authentication response to the RADIUS server’s challenge.
In this example, the client only deals with the dial-up server, and the RADIUS server only deals with the dial-up server. Therefore, from the perspective of the RADIUS server, the dial-up server is the “RADIUS client.” Since dial-up networking is pretty rare today, RADIUS added AAA support for the new generation of RADIUS clients such as VPN servers, Wi-Fi access points, and even 802.1x-compliant Ethernet switches. The authentication and authorization components of RADIUS are described in RFC 2865, while accounting is covered in RFC 2866. Without RADIUS, these servers, switches, and access points would be independently responsible for managing their own policies. RADIUS solutions often stand alone in a hierarchical-type trust model, yet the implementation of RADIUS proxy servers can be used to load-balance traffic across multiple RADIUS servers within an organization—or even across RADIUS servers located in other RADIUS realms.
LDAP Lightweight Directory Access Protocol (LDAP) is a directory service protocol for information storage and retrieval from LDAP-based databases. LDAP typically uses port 389 and is supported by a variety of commonly used directory service products such as
14-ch14.indd 571
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
572
Microsoft’s Active Directory (AD), OpenLDAP, OpenDS, and others. Be aware that as a security professional, it is your job to research and secure your specific LDAP software. Here are some general best practices for securing LDAP software:
• Do not use deprecated SSL encryption for LDAP; instead, use SASL or TLS. • Disable old account entries in a timely manner. • Don’t delete old accounts to prevent reusing old identifiers (disable them instead). • If delegation of authority is required, do not use password sharing. • Avoid storing passwords in a way that would allow the cleartext password to be reconstructed. • Passwords should be hashed with a good salt. • Use care when enforcing password policies to provide availability and prevent accidental account lockouts. • Use replication to back up data and provide availability. • Implement replication in different physical or logical locations. • Use a separate LDAP server for publicly accessible information. • Limit the size of search results if possible. • Secure the server operating system with standard security best practices. • Protect the LDAP data store with tight permissions and encryption. • Do not run LDAP or other services with unnecessary permissions. • Configure resource limits such as file descriptors and TCP connections to ensure availability.
AD Microsoft Active Directory (AD) is a popular directory service product created by Microsoft for the management of Windows domains. AD is used in Windows domain networks and included with most versions of Windows Server since Windows 2000. Active Directory uses LDAP and Kerberos for authentication and authorization of users and computers within a Windows domain. Perhaps the most important aspect to securing Active Directory lies in correct planning and delegation of administration. Delegation is usually done in order to match the organizational structure and to meet operational as well as legal requirements. Two kinds of administrative responsibilities can be delegated: service management and data management. A good plan for the delegation of authority increases security by ensuring isolation and autonomy of data and services. For each department within the organization, determine the most suitable level of autonomy and isolation. Multiple organizational units should be used when data autonomy is desired. For domain-level service autonomy, employ multiple domains.
14-ch14.indd 572
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
573
Use separate forests for service isolation, forest-level service autonomy, and data isolation. When installing a domain controller, follow these best practices:
• Use automated installation processes to ensure predictable, repeatable, and secure deployments. • Use the NTFS file system. • Disable all network transport protocols besides TCP/IP. • Install and secure DNS. • Do not install IIS, SMTP, or other unnecessary services. • Use strong passwords. • Disable nonessential services. • Test for and disable anonymous Active Directory access.
EXAM TIP When properly implemented, directory services such as Active Directory can push some administrative tasks down to the lowest level, which can help improve the overall security posture of your organization. For example, allowing a local administrator to disable or temporarily suspend an account when a user is out of the office for an extended period of time can help protect that account from being compromised and used during the user’s absence.
PART IV
In addition to these best practices, be sure to audit your Active Directory service regularly. In addition to ensuring that your Active Directory services are not compromised, auditing will verify that isolation and autonomy are implemented as desired as well as track important security-relevant changes. You can find more extensive checklists for securing Active Directory online at Microsoft TechNet and SANS.
Chapter Review
This chapter covered the different scenarios of integrating and troubleshooting advanced authentication and authorization technologies to support enterprise security objectives. We began this section with a comprehensive overview of the fundamentals of authentication, including identity, identification, and authentication terminologies. We then went over various authentication factors, such as knowledge-based factors like passwords, PINs, passphrases, and challenge-response questions. We then included some general password recommendations given the popularity of passwords today. Next, we touched on possession factors like connected and disconnected tokens as well as inherent factors like physiological and behavioral characteristics of humans. The next section touched on more complex examples of authentication topics, beginning with certificate-based authentication and the SSL/TLS handshaking process. The next topic, which anchors much of the topics of the chapter, was SSO. This SSO section touched on Kerberos, token-based systems, OpenID, and even Facebook as potential
14-ch14.indd 573
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
574
examples of SSO implementations. We next dove into a somewhat misunderstood protocol called 802.1x, which facilitates port-based authentication for both wireless and wired networks. Other topics like context-aware authentication revealed a seemingly strange situation in which a hacker correctly types a victim’s password and still gets denied entry due to the rest of the logon scenario lacking the appropriate context (time of day, geographical location, and so on). Push-based authentication involves sending access codes to users’ mobile devices to validate their logon attempts. The next section temporarily switched to a discussion of authorization. Whereas authentication verifies user identities, authorization decides what privileges are granted to identities. Coverage of OAuth opened the section, which permits resource access between third parties without them sharing passwords with one another. XACML is one of many XML languages, which in this case is used for access control policies and rights between web partners. The section on SPML covered the provisioning of user interfaces for web services between web partners in an automated manner. We then briefly discussed attestation and how popular systems like PKI make it possible for web systems to certify the veracity of identity claims. Next was a section on identity proofing and how it focuses on the preliminary steps a user must go through to prove their identity for an organization they work for. Unlike authentication, this step takes place before a user is assigned credentials. The next brief section focused on identity propagation and how organizations must occasionally share credentials between their various authentication engines to simplify authentication and auditing across company boundaries. The section on federations began by focusing on users using their account from a home organization to access resources located at a different resource organization. Protocols like SAML were discussed, which permits the exchange of authentication and authorization information between these different organizations. Then we covered OpenID, which focuses on the consolidation of digital identities for decentralized authentication solutions between federated partners. Next, we discussed the Shibboleth federated identity management product and how it uses SAML to federate the various campuses of university networks. Then we discussed a Shibboleth variant called WAYF, which uses an outside federation server to federate the relationship between two different organizations. The final section talked about trust models, which dictate the flow of relationships between the producers and consumers of digital certificates. This includes the single CA trust model, hierarchical trust model, cross-certification hierarchies, and peer-to-peer trust model. We then provided more specific examples of trust models in the cases of RADIUS, LDAP, and Microsoft’s Active Directory.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Authentication • An identity is the account entity that a user, device, or service is claiming to be. • Identification is the process of a user, device, or service claiming an identity.
14-ch14.indd 574
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
575
PART IV
• Authentication is the process of verifying the legitimacy of a claimed identity. • Authentication factors are unique categories of credentials that allow the determination that a user is who they claim to be. • Knowledge factors authenticate users based on something the user knows that no one else is likely to know, such as passwords, PINs, passphrases, and challengeresponse questions. • Possession factors authenticate users based on something only that user is likely to possess, such as connected tokens (smart cards) and disconnected tokens (RSA SecureID tokens). • Inherent factors identify human-based characteristics that are physiologically or behaviorally linked to the individuals themselves. • Physiological characteristics are unique to each individual, such as DNA, facial complexion, palms and fingerprints, eye irises and retinas, and veins. • Behavioral characteristics use biometric systems to scan and collect samples of what the person does, such as keystroke biometrics, voice recognition, mouse dynamics, signature dynamics, and cognitive biometrics. • Digital certificates are electronic documents used to provide attribution of a public key to a user, computer, or service. • Single sign-on (SSO) is a subset of a federated identity management system where a user’s credentials are trusted across multiple distinct systems. • The IEEE 802.1x standard is a port-based network access control method that prevents users from connecting to a wired or wireless network until they are authenticated. • Context-aware authentication builds on conventional authentication methods by also considering the user’s technological and environmental characteristics (patterns)—all of which are known to the context-aware authentication system. • Push-based authentication takes advantage of smartphones by pushing out a special access code to the user’s device that the user must input to a form in order to authenticate to a system.
Authorization • Authorization determines the access scope and permissions a user has to resources. • OAuth is a token-based authorization standard that permits an end user’s resources or account information to be shared with third parties without also sharing their password. • XACML defines an access control policy language to standardize the exchange of security policies and access privileges between web vendors. • SPML permits the sharing of user, resource, and service provisioning information among a group of organizations.
14-ch14.indd 575
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
576
Attestation • Attestation is the act of certifying some element to be true and doing so in a fashion that provides a form of evidence as to its authenticity.
Identity Proofing • Identity proofing verifies people’s identities before an organization issues them accounts and credentials.
Identity Propagation • Identity propagation distributes identities across disparate authentication systems to preserve the properties of accounts and their audit trails.
Federation • Federations are groups of trusted organizational networks that permit users from one network to seamlessly use that network’s credentials to access resources located at another network without having to resort to a separate identityverification step involving user interaction. • SAML is a standard for exchanging authentication and authorization information between security domains. • OpenID provides users with a mechanism to consolidate their various digital identities. • Shibboleth is an open source and web-based federated identity solution that is very popular worldwide. • WAYF is a centralized SSO implementation frequently used by university federations to anchor resource access between federated partners.
Trust Models • Trust models define the unique relationships between issuers and recipients of digital certificates. • Single CAs issue all certificates within an organization. • Hierarchical trust models involve a tiered or hierarchical group of servers collectively issuing certificates to subjects—while also fostering trust among them. • Cross-certification trust models involve the CAs from one hierarchical trust model trusting the CAs from another hierarchical trust model. • Peer-to-peer trust models use a decentralized approach where all resources form trust relationships directly with all other resources. • RADIUS is a protocol that centralizes authentication, authorization, and accounting services across remote access solutions.
14-ch14.indd 576
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
577
• LDAP is a directory service protocol for information storage and retrieval from LDAP-based directory service databases. • Microsoft Active Directory is a popular directory service product created by Microsoft for the management of Windows domains.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. ______ defines a declarative access control policy language implemented in XML and a processing model that describes how to interpret the policies. A. SAML B. XACML C. SOAP D. SSO PART IV
2. Your firm needs to purchase a third-party application to assist in the exchange of authentication and authorization data between security domains. You want to ensure interoperability, so you insist that the vendor’s solutions are compliant with the _____ standard. A. SPML B. XML C. SAML D. SSO
3. Which of the following uses public key cryptography to provide a secure means of authentication? A. Basic authentication B. Digest authentication C. Form-based authentication D. Certificate-based authentication
4. To use XACML, one needs to have a defined set of which of the following? A. Envelope, body, and fault elements B. Policysets containing policies composed of rules C. Profiles, bindings, and protocols D. Identity Provider (IdP), Service Provider (SP), and asserting party
14-ch14.indd 577
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
578
5. The advantages of SSO include which of the following? (Choose all that apply.) A. Reduced help desk costs B. Improved security from SAML integration C. Reduced complexity of authentication system D. Improved end-user experience
6. SPML is used for what purpose in the enterprise? A. As a mechanism to consolidate digital identities across federated boundaries B. To trust credentials across multiple distinct systems C. To automate the provisioning of web service requests D. As a declarative access control policy language
7. Which of the following standards defines profiles, bindings, protocols, and assertions? A. SOAP B. XACML C. SPML D. SAML
8. As part of an acquisition of a smaller firm, you now have some IT systems that have federated authentication based on the older Liberty Alliance Identity Federation Framework. You need to integrate this into your existing enterprise solution based on SAML 1.1. What is the best course of action for the enterprise as a whole? (Choose all that apply.) A. Upgrade all federated authentication to a SAML 2.0–compliant solution. B. Nothing, because the two systems are already compatible. C. Examine both SAML and Liberty Alliance and pick the best solution for
your circumstances. D. Move to an SPML-based solution. 9. Advantages of a SAML-based authentication system include which of the following? (Select all that apply.) A. A single, synchronized password across all systems B. Platform-neutral authentication C. Reduced costs D. Reduced authentication system complexity 10. An attestation is _________________________. A. a statement certifying some element to be true B. used to explain details behind assumed facts
14-ch14.indd 578
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
579
C. an element of SAML D. an element of certificate-based authentication
11. Certificate-based authentication systems are characterized by which of the following? (Select all that apply.) A. A fairly extensive infrastructure in the form of public key infrastructures (PKIs) B. A trust relationship between a user and a service provider C. A Distinguished Name and an associated public key, with the entire certificate
14-ch14.indd 579
PART IV
being signed by a trusted third party D. XML 12. Certificate-based authentication uses which of the following to establish proof of identity? (Select all that apply.) A. SAML elements B. Public key cryptography C. XML D. Trust relationships with third parties 13. Your firm has a requirement to protect against man-in-the-middle attacks on SSL connections. The easiest method of doing this would be through the use of which of the following? (Select the best single answer.) A. Digital certificate-based authentication B. SAML C. Mutual authentication D. SSL/TLS handshake 14. Examples of SSO include which of the following? (Select all that apply.) A. Kerberos B. OpenID systems C. SOAP D. WSDL 15. A user requests authentication from an Identity Provider (IdP), which becomes an asserting party across a trust relationship to a Service Provider (SP), which then can use the asserted credentials in making an access control decision for the user. This describes which standard? A. SPML B. XACML C. SSO D. SAML
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
580
16. OASIS is a standards group responsible for which standards? (Select all that apply.) A. SAML B. XACML C. SOAP D. SPML
17. Which method uses a separate federated identity management system to broker resource access between service providers and identity providers? A. Active Directory B. Kerberos C. SOAP D. WAYF
18. XML is used in which standards? (Select all that apply.) A. SAML B. SSO C. SMTP D. XACML
19. Which of the following IEEE protocols provides port-based authentication for Wi-Fi and wired networks? A. 802.1x B. 802.11 C. SPML D. LDAP
20. What is the correct correlation between the OpenID and OAuth standards? A. OpenID and OAuth both handle authentication. B. OpenID handles authentication, and OAuth handles authorization. C. OpenID handles authorization, and OAuth handles authentication. D. OpenID and OAuth both handle authorization.
Answers 1. B. XACML stands for eXtensible Access Control Markup Language. It is a declarative access control policy language implemented in XML and a processing model that describes how to interpret the policies. 2. C. Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains. 3. D. Certificate-based authentication is the most secure authentication scheme. A certificate-based authentication scheme uses public key cryptography and a digital certificate to authenticate a user.
14-ch14.indd 580
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14
Chapter 14: Authentication and Authorization
581
4. B. XACML consists of a hierarchy of policysets containing policies composed of rules. 5. A, D. Single sign-on can reduce help desk costs through reduced password reset requests, and it improves the end-user experience because of the reduced number of passwords to remember. 6. C. SPML permits the sharing of user, resource, and service provisioning information between a group of organizations. It enables organizations to quickly set up user interfaces for web services in an automated manner. 7. D. SAML is defined in terms of assertions, protocols, bindings, and profiles. 8. A. SAML 2.0 integrates Liberty Alliance Identity Federation Framework elements. 9. B, C. Advantages of SAML-based authentication include a platform-neutral, improved user experience; strong commercial and open source support; and reduced costs. 10. A. Attestation is the act of certifying some element to be true and doing so in some fashion that provides a form of evidence as to its veracity.
12. B, D. Public key cryptography, backed by the trust relationship associated with certificate chains, establishes the proof of identity in certificate-based authentication systems.
PART IV
11. A, C. Certificate-based authentication is based on public key cryptography and uses PKI to connect public keys to owners. It is composed of elements such as a Distinguished Name and an associated public key, with the entire certificate being signed by a trusted third party.
13. C. Mutual authentication provides a level of security against man-in-the-middle attacks during the handshake process. 14. A, B. Kerberos is an enterprise-level SSO. OpenID is an open standard that defines the use of third parties as authentication systems and can be used to build an SSO. An example is when users employ Facebook to log in to other applications. 15. D. Identity Providers (IdPs) and Service Providers (SPs) are elements of SAML. 16. A, B, D. OASIS is responsible for SAML, SPML, and XACML, as well as other standards. 17. D. Where Are You From (WAYF) is a centralized SSO implementation frequently used by university federations to anchor resource access between federated partners. Unlike some SSO methods, WAYF acts as a proxy between federated identity providers and service providers. 18. A, D. SAML and XACML are both constructed using XML. 19. A. 802.1x provides port-based authentication for Wi-Fi and wired networks. 20. B. OpenID provides authentication services, whereas OAuth provides authorization services.
14-ch14.indd 581
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 14 Blind Folio: 582
This page intentionally left blank
14-ch14.indd 582
11/03/19 3:16 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
15
CHAPTER
Cryptographic Techniques This chapter presents the following topics: • Cryptography fundamentals • Cryptography techniques • Cryptography implementations
To the novice, cryptography seems little more than an exciting game of writing and solving codes—a technical indulgence of sorts. Yet, cryptography is a full-fledged scientific field, and a rather intricate field at that. Its practitioners, cryptographers, aren’t your typical geeks either—these are scientists with PhDs whose work could end up enhancing the security of millions of people and devices around the world. The good news is CASP doesn’t require practitioners to be cryptography majors in order to implement cryptographic solutions for organizational assets. This chapter introduces the use of cryptographic tools and techniques to secure systems and data in the enterprise. Several factors need to be considered when choosing the appropriate cryptographic method to protect data. Although the exam objectives don’t call for a cryptography primer, we’ll start off with some basics before digging into the more complex topics.
Cryptography Fundamentals
For the purposes of information security, cryptography is the science of hiding information or making it unreadable to unauthorized parties. Whether information is at rest or in transit, cryptography obscures information by enciphering it into an unreadable format. Analogous to unlocking a door with a specific key, only those in possession of the required cryptographic key will be able to convert the unreadable information back into its readable format. Without the key, neither unauthorized nor authorized parties will be able to read the encoded data. Here’s a list of basic cryptography terms:
• Encryption Process of converting readable information into an unreadable format. • Decryption Process of converting unreadable information into a readable format. • Plaintext/cleartext Information in a readable format. • Ciphertext Information in an unreadable format.
583
15-ch15.indd 583
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
584
• Algorithm A step-by-step mathematical process. In the field of cryptography, a cipher is an example of an algorithm that can encrypt and/or decrypt data. Put another way, all ciphers are implementations of algorithms, but not all algorithms are implemented as ciphers. • Cipher A cryptographic algorithm that performs a specific method of encryption or decryption. AES, RSA, and SHA-2 are examples of ciphers. • Key A small secretive piece of alphanumerical information fed into a cipher to turn a cipher’s predictable plaintext/ciphertext patterns into outcomes unpredictable to those without the key—while being predictable to those in possession of the key.
Goals of Cryptography Before we get into the nuts and bolts of cryptography, it’s important to understand its primary goals. Beyond the obvious goal of “hide data from bad guys,” what specific goals are we looking to achieve? This section briefly describes the key goals achieved through cryptography.
Confidentiality
Maintaining confidentiality of sensitive data is often the first goal that comes to mind when people think of cryptography. Confidentiality provides assurances that only authorized individuals can access sensitive materials. More specifically, only the individuals with the appropriate symmetric or asymmetric key can decrypt data. Cryptography is not the only security control that provides confidentiality, but it’s one of the more notable examples. NOTE Confidentiality is maintained when we encrypt files, folders, hard drives, external storage, e-mail, Wi-Fi traffic, and online purchases.
On the other hand, being “authorized” does not mean anything if an unauthorized user acquires the decryption key and starts decrypting stuff. Cryptography is only as good as your ability to ensure that the keys themselves are kept confidential.
Integrity
Often overshadowed by the attention given to confidentiality, integrity is a critical aspect of secure communications. Although confidentiality protects secrets, what good is a secret if we cannot trust its accuracy? The motto of integrity is to “say what you mean and mean what you say,” and that applies equally to information security. Stated in security terms, integrity protects messages from unauthorized modification—while also providing a means of verifying the accuracy of messages. Devices in a secure communication need to know that the messages are being received in their original, accurate, and tamper-free condition.
15-ch15.indd 584
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
585
Since integrity focuses on accuracy as opposed to access control, integrity is achieved through the verification of cryptographic hashes. These hash values are produced as a result of any input that is fed into a hashing cipher such as an MD5 or SHA-2 cipher. The resulting output is a special kind of ciphertext known as a hash or message digest. Hash ciphers themselves are also special in that they don’t use keys. This means that once the data is encrypted, it is not meant to be decrypted. Hashing a message does not encrypt the message; rather, hashing generates an encrypted value that is attributed to a message. That encrypted value is called a hash. Although more details on hashing will be covered in a later section, hashing allows us to verify data integrity so precisely that the modification of a single binary bit would be flagged as an integrity violation. Hashing mechanisms are trusted to a point where forensic investigators routinely use hashes to prove the integrity of evidence in a court of law. NOTE The use of digital signatures achieves multiple goals; one of the goals is to permit users to verify the integrity of device drivers, e-mails, and applications.
Nonrepudiation
PART IV
With assurances provided for the confidentiality and integrity of data, what else can possibly remain? Simple—proof of origin. What good is a secret message if we can’t verify its source? In other words, can the sender of a secret message provide us with a means of verifying that they, in fact, sent us the message? This outcome is known as nonrepudiation, which is the assurance that a message, action, or activity originated from the stated source. Nonrepudiation prevents someone from denying their role in a transaction. This is the IT equivalent of people signing receipts. As with integrity, nonrepudiation is achieved through the use of digital signatures (more details to follow in the “Digital Signatures” section later in this chapter). NOTE Digitally signing messages is no different from signing a receipt after you pay for a meal with a credit card. The restaurant doesn’t want the liability of customers denying the legitimacy of a transaction and thus asking for a refund. By the restaurant matching your signature on the receipt to your signature on your driver’s license or credit card, it would be difficult for you to deny that you signed the receipt. In other words, you cannot repudiate the charge.
Authentication
Similar to the importance of preventing unauthorized individuals from acquiring private cryptographic keys, we must also ensure our credentials do not end up in the wrong hands. Whenever we wish to log in to a computer, we must submit our identification (username) and proof of identification (password, smart card, biological trait) for authentication purposes. It is extremely important that the authentication process is protected
15-ch15.indd 585
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
586
from confidentiality, integrity, and nonrepudiation violations. Through the usage of multiple cryptographic processes, we are provided with a strong level of assurance that the authentication of our credentials was not compromised. NOTE Whether you’re logging in to a computer locally or over the network, using an Internet bank site, or unlocking a locally encrypted hard drive, cryptography is used to secure the authentication process from unintended parties.
Cryptographic Techniques
Many cryptographic tools and techniques can be used to secure data in the enterprise. Choosing the appropriate cryptographic method involves considering the type of data, the sensitivity of the data, the value of the data, and the threats to the data. This section dives into a variety of cryptographic techniques to ensure that you are able to decide which techniques are appropriate given a scenario.
Symmetric Key Encryption Methods Symmetric key encryption is characterized by the use of the same key for both encryption and decryption (see Figure 15-1). Numerous algorithms support symmetric key encryption, but the true security is dependent on the protection of the key used for encryption and decryption.
Advantages
Largely due to relatively small key sizes—typically between 128 and 256 bits—symmetric key encryption has the advantage of being fast. This is important for bulk encryption situations such as with VPN, Wi-Fi, online purchases, storage, and file encryption. Symmetric key encryption is also easier to manage on solo platforms (that is, disk encryption), where sharing of keys is not an issue and thus alleviates a dependency on a public key infrastructure (PKI) solution. EXAM TIP Symmetric algorithms are faster than asymmetric (public key) methods and therefore are commonly used for large amounts of data, such as in drive encryption and securing communication channels.
Shared secret: Key
Figure 15-1 Symmetric key encryption system
Ciphertext
Plaintext
15-ch15.indd 586
Shared secret: Key
Encryption
Decryption
Plaintext
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
587
Disadvantages
EXAM TIP Selecting the appropriate encryption method involves first determining the type of data, block or stream, and then the appropriate method based on usage. For bulk usage, the speed of symmetric encryption makes it the preferred method. For distributing keys to parties over open channels, public key encryption has advantages. In many cases, a combination of methods is used to garner the advantages of both public key and symmetric systems.
PART IV
The use of a common key creates a problem where the encryption key needs to be protected. A symmetric key provides confidentiality for other data, but it cannot protect itself. Should the key become compromised, not only are current messages compromised, but previous messages are also potentially compromised. Key management is essential for symmetric encryption because the key must be securely passed to all authorized parties. Because these parties are usually physically separate, a key management method is critical to ensure the keys are shared and exchanged easily. For operations such as hard drive encryption, the computer’s built-in Trusted Platform Module (TPM) provides secure storage for cryptographic keys and certificates. The TPM is used by many applications, including Microsoft’s BitLocker Drive Encryption tool. In the case of symmetric key cryptography, if the encrypted data needs to be shared between two parties, then a secure method for exchanging the key between them is needed. In the case of an encrypted channel such as SSL/TLS, the symmetric key exchange can be performed during the channel setup using an asymmetric key exchange method. In other words, the asymmetric keys of one party can be used to encrypt and securely transmit the symmetric key to the other party. The symmetric key exchanged between both parties is known as the session key. A more detailed description of the SSL/TLS process will be provided in the upcoming SSL/TLS section.
Symmetric Algorithms
The most popular symmetric encryption algorithm in use today (at least in the United States) is Advanced Encryption Standard (AES). Other symmetric algorithms include DES, 3DES, RC4, RC5, RC6, IDEA, Skipjack, Twofish, Blowfish, Serpent, and CAST. With the exception of RC4, the rest of these are known as block methods because they work on blocks (grouped bits) of data. Common block sizes are 64 bits or 128 bits. Block ciphers must operate on blocks of data, and if the data is less than a complete block, it will need to be padded to reach a required block size. If high-speed cryptography is needed, stream ciphers are preferred due to their reduced overhead. Since symmetric stream ciphers operate on individual bits as opposed to large blocks of data, they generally outperform block ciphers. The most common symmetric stream ciphers are RC4, which is for software, and A5/1, which is used in Global System for Mobile Communications (GSM) cellphones.
15-ch15.indd 587
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
588
Data Encryption Standard (DES) Although insecure by today’s standards, the DES block cipher was a major player in the late 1970s cryptography industry. With 8 bits of its 64-bit key being used for parity, the DES key length is only 56 bits. It performs 16 rounds of processing on each block of input, thus producing a 64-bit block of ciphertext. Since DES was considered relatively insecure from the start, 3DES and eventually AES were brought in as replacements. 3DES (Triple DES) Published in the late 1990s, 3DES is the use of the DES block cipher three times on each block of data (see Figure 15-2). It has key sizes in 56-bit, 112-bit, and 168-bit varieties—while effectively performing 48 rounds of processing on each 64-bit message block. Several variants use either two or three keys. The multipleround method used in 3DES is an encryption step, a decryption step, and then a final encryption step. The order of steps is reversed for decryption. The usage of multiple keys per block has been shown to be more effective than three successive encryption steps in sequence. Although 3DES has always been considered powerful, its reputation for being slow led to a replacement algorithm being created called Advanced Encryption Standard (AES). Advanced Encryption Standard (AES) Also created in the late 1990s, the Advanced Encryption Standard (AES) is a symmetric block cipher with 128-bit, 192-bit, or 256bit keys, which performs either 10, 12, or 14 rounds of processing on 128-bit message blocks. AES was developed from an international competition to replace the aging DES and 3DES algorithms. The winner of the competition was an algorithm called Rijndael, which beat out several worthy finalists including MARS, RC6, Serpent, and Twofish. Although Rijndael is the scientific name for AES, AES is the term most people use. Triple DES (3DES)
Figure 15-2 3DES methodology
Plaintext
Plaintext
Key A
Key A Encryption
Decryption
Decryption
Encryption
Key B
Key B
Key C
Key C Encryption
Decryption Ciphertext
15-ch15.indd 588
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
589
AES is the only publicly available cipher approved by the U.S. government for topsecret data. AES also does a great job of being both fast and secure—beating out 3DES in both departments. This helps explain why AES has spread like wildfire since the early 2000s—being used in the majority of symmetric encryption scenarios, including TLS, Wi-Fi networks, Microsoft BitLocker, Microsoft EFS, and so forth. EXAM TIP AES is the poster boy of symmetric algorithms and is therefore most likely the correct choice for desired symmetric solutions on exam questions.
International Data Encryption Algorithm (IDEA) Published in the early 1990s, the International Data Encryption Algorithm (IDEA) is a symmetric block cipher that uses a 128-bit key size and performs 8.5 rounds of processing on 64-bit message blocks. It never became the replacement to DES as it was intended due to the sobering effects its patent/royalties had on adoption. When the patent expired in 2012, it become more widely known for its adoption in the PGP and OpenPGP products.
PART IV
CAST-128 and CAST-256 CAST-128 was released in 1996 and is a symmetric block cipher with either 40-bit or 128-bit keys, utilizing 12 or 16 rounds of processing on 64-bit message blocks. CAST-128 was most notably used in GPG and PGP e-mail applications. CAST-256 was released in 1998 and is mostly a stronger version of CAST-128 in that it utilizes key sizes of 128, 160, 192, 224, and 256 bits. It performs 48 rounds of processing on 128-bit message blocks. It was one of the contestants in the international AES competition. Although it was not one of the five finalists, it is still a powerful and popular algorithm available for royalty-free use worldwide. RC4 Released in 1994, RC4 is one of the few stream ciphers in use today. Its key sizes range from 40 to 2048 bits and can utilize between 1 and 256 rounds of processing on individual bits of data. Although not considered very powerful anymore, its primary advantage is speed. Its heyday was during the SSL (pre-TLS) days of the Internet. It also saw a lot of usage on the early Wi-Fi networks via WEP and WPA Personal security due to its speed benefits. AES continues to replace RC4. EXAM TIP RC4 is one of the most frequent ciphers replaced by AES.
RC5 Also designed in 1994, RC5 is a symmetric block cipher with key sizes up to 2048 bits, 1–255 rounds of processing, on 32-bit, 64-bit, or 128-bit message blocks. Its primary benefits include being fast, simple, and flexible due to its wide range of key, block, and round options. RC6 RC6 was developed in 1998 and was derived from the RC5 cipher in order to meet the AES competition requirements. Despite losing the competition, it was a finalist. RC6 is a symmetric block cipher that uses key sizes of 128, 192, and 256 bits, and it performs 20 rounds of processing on 128-bit message blocks.
15-ch15.indd 589
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
590
Serpent Also developed in 1998, Serpent notably came in second place in the global AES competition. It uses key sizes of 128, 192, and 256 bits with 32 rounds of processing on 128-bit blocks. It is slower than Rijndael (AES). Skipjack Developed in 1998 by the NSA, Skipjack uses key sizes of 128, 192, and 256 bits with 32 rounds of processing on 128-bit blocks. It was originally classified but eventually became declassified. It was designed for secure phone usage, but NIST has since documented that Skipjack is no longer certified for government usage. Blowfish Created by Bruce Schneier in the early 1990s, Blowfish uses key sizes between 32 and 448 bits, with 16 rounds of processing on 64-bit message blocks. Despite its age, it is still considered powerful. It is also unpatented and available for global use. Twofish A late 1990s replacement to Blowfish, Twofish uses key sizes between 128 and 256 bits, with 16 rounds of processing on 128-bit blocks. It was a finalist in the AES competition but has since fallen out of favor in large part due to the success and support provided to AES.
Asymmetric or Public Key Encryption Methods Asymmetric or public key cryptography is an invention of the digital age. Although the methods used are mathematical, it is the use of digital computers that enables the large calculations used in these algorithms. The primary foundation of these methods is the use of a key-pair, a set of separate-yet-related keys for the purposes of encryption and decryption. The two keys are generated together and have a mathematical relationship that enables one key to act counter to the other. If one key encrypts, then only the other can decrypt, and vice versa. One other characteristic is that given one of the keys, the other key cannot be determined from it. This lends itself to a wide range of very useful capabilities. The two keys are typically named the public key and the private key. Using this nomenclature, the following rules are then employed: the public key is distributed publicly to anyone who needs it (as a matter of course, everyone), whereas the private key is kept completely private to the owner of the key. The true usefulness of the key-pair then rests on the private key being kept secret—a simpler task than with symmetric keys because the private key is not shared with anyone. EXAM TIP Asymmetric or public key cryptography is characterized by two keys: one public and one private. The public keys are passed via certificates using PKI to make key exchange easy between parties. Public key cryptography plays a key role in digital signatures and code-signing.
To examine the usefulness of public key cryptography, assume we have two people, Alice and Bob, who wish to communicate securely. Assume that each has generated their own key-pair. Also assume that each has kept their private key private (known only to themselves). Their public keys, on the other hand, are known by all. If Alice wishes to privately communicate with Bob, she needs to encrypt a message that only Bob can
15-ch15.indd 590
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
591
decrypt and read. If Alice uses Bob’s public key to encrypt her message, only Bob’s private key can decrypt it, meaning that only Bob can read her message. Now suppose that Alice wishes to send a message and have everyone know that she and only she could have written it. Alice produces a hash of the message by running the message through a hashing cipher, and then uses her private key to encrypt the hash. The subsequent encrypted hash is called a digital signature. Then, if Bob and others are able to decrypt the encrypted hash with Alice’s public key, this proves that the message was signed by Alice.
Advantages
The major advantages offered by public key cryptosystems is the ability to manage key distribution and provide for integrity and nonrepudiation verification. Public keys are just that—known to all in the public, thus making the key distribution problem a key attribution problem rather than a message secrecy problem. To solve the key attribution problem, a system called public key infrastructure was created.
Asymmetric Algorithms
Diffie-Hellman One of the original public key protocols dating back to 1976, Diffie-Hellman was designed primarily to address a shortcoming of symmetric encryption, which was key exchange. Although it allowed for key exchange, it did not provide confidentiality, integrity, or nonrepudiation services. Diffie-Hellman serves as a framework for other algorithms such as Diffie-Hellman Ephemeral.
PART IV
Public key cryptography originated in the U.K. at a secret lab, GCHQ. This work was kept secret until 1997, long after the same methods were independently invented by others in the cryptographic community. The form commonly seen is the RSA algorithm, in addition to others like Diffie-Hellman, ElGamal, ECC, and Zero Knowledge Proof. We’ll cover each of these asymmetric algorithms in this section.
RSA Published in 1977 by Ronald Rivest, Adi Shamir, and Leonard Aldeman, the powerful RSA algorithm is also the most popular one in use today. RSA is based on factoring very large, nearly prime numbers. Unlike Diffie-Hellman, RSA provides all the primary public key cryptographic functions, including key exchange, confidentiality, integrity, and nonrepudiation. Its key sizes range from 1024 to 4096 bits, and it uses a single round for block processing. RSA is responsible for setting up the majority of secure web communications on the Internet due to the Transport Layer Security (TLS) requirements. RSA also generates digital signatures and can securely exchange symmetric keys such as RC4 and AES keys over an insecure network. It is also used by Microsoft’s Encrypting File System (EFS). Although it is very powerful and well supported, it is comparatively slow. The good news is RSA’s performance is hardly an issue when you consider it only performs the briefest of tasks with key exchange and digital signatures. If it were performing bulk encryption, it would not be feasible to implement. ElGamal Dating back to the mid-1980s, the ElGamal algorithm is based on Diffie-Hellman, but is capable of not only digital signatures but also encryption and key exchange. It is also used in the Digital Signature Algorithm (DSA), the approved digital
15-ch15.indd 591
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
592
signature algorithm of the U.S. government, as well as with Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG). ElGamal had an adoption advantage over RSA by being released into the public domain, whereas RSA was patented at the time. RSA’s patent eventually went away in 2000, thereby offsetting ElGamal’s advantage. On the downside, ElGamal is quite slow largely in part to the considerable overhead it places on encrypted content. Key length can grow up to 2048 bits, but this should be avoided due to ElGamal’s overhead. The recommended key length should be no greater than 1024 bits. Elliptic Curve Cryptography (ECC) Elliptic Curve Cryptography (ECC) is both extremely powerful and very different from other asymmetric algorithms in that its cryptographic patterns are based on elliptic curves over finite fields. ECC dates back to the mid-1980s but didn’t hit the mainstream until the mid-2000s. Like RSA, ECC provides digital signatures, key distribution, and encryption capabilities. ECC has found a niche in low-power and computationally constrained devices (think mobile devices and IoT) because the keys are shorter and the math is faster for a given level of security. Despite not being nearly as popular as RSA, ECC is, pound for pound, more powerful than RSA due to its ability to use considerably smaller keys to produce security equal to much larger RSA keys. We will revisit ECC in more detail in the “Mobile Device Encryption Considerations” section, later in the chapter. NOTE An ECC 256-bit key is equivalent to an RSA 3072-bit key.
Zero Knowledge Proof Zero Knowledge Proof is the process of proving to others that you know a secret without actually sharing the secret with them. Public key cryptography demonstrates this perfectly with a simple test of public and private keys. For example, how can Alice prove to Bob that she knows her private key without sharing her private key with Bob? For a simple explanation of this common occurrence, follow this scenario: 1. Alice shares her public key with Bob. 2. Alice uses her private key to encrypt a message. 3. Alice sends the encrypted message to Bob. 4. Bob uses Alice’s public key to successfully decrypt the message. 5. Bob’s successful decryption of Alice’s encrypted message proves that Alice knows the private key.
Put differently, even though Bob doesn’t know Alice’s private key (nor will he ever), he knows that Alice knows what her private key is. Bob can have zero knowledge of Alice’s private key—Alice can supply zero knowledge to Bob about her private key—but he still knows that she knows what it is due to Alice’s public key successfully performing the decryption.
15-ch15.indd 592
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
593
Cryptography Techniques
Many cryptographic tools and techniques can be used to secure data in the enterprise. Ultimately, security becomes a risk management problem, where risk and benefits must be both measured and balanced. Choosing the appropriate cryptographic method involves examining the context of the risk management problem. Important elements that need to be considered include the type of data, the sensitivity of the data, the value of the data, and the threats to the data.
Key Stretching Key stretching is the process of converting a weak cryptographic key into a stronger one to resist brute-force attacks. By today’s standards, weaker keys are usually 64 bits, which can be brute-force attacked fairly easily. Enhancing this key to a 128-bit or larger size will likely result in the key being too computationally difficult to crack. Key stretching processes can vary, but here is a common example: 1. A weak encryption key is first “salted,” which adds a degree of randomization to the weak encryption key. This salting process produces hash value 1. 3. Hash value 2 gets rehashed, which produces hash value 3. 4. This process can repeat hundreds or thousands of times before completing.
Bcrypt, which is based on the Blowfish block cipher, salts passwords and then encrypts them with Blowfish. Another tool called Password-Based-Key Derivation Function 2 (PBKDF2) adds 64-bit salts of at least 64 bits.
PART IV
2. Hash value 1 gets rehashed, which produces hash value 2.
EXAM TIP Key stretching is frequently used by WPA and WPA2, PGP, GPG, and disk encryption software.
Hashing Hashing is the process of running data through a mathematical function to produce a message digest of a specified size. Hash functions are special mathematical algorithms that cannot be undone, resulting in a one-way operation. The size of a message digest is fixed by the hash algorithm, not the size of the data being processed. The unique message digests provide a representative surrogate for the data and are uniquely determined by the bit pattern of the data. The nonreversible nature of the hash function means that it is not possible to reconstruct the original data if given the message digest. The uniqueness of the hash output—the message digest—provides a means of testing digital data for alterations and integrity checking. EXAM TIP Hash functions are used in a variety of IT systems, from the storing of passwords, to message authentication and digital signatures. Hash functions are commonly used for integrity checks, masking of secrets, and indexing.
15-ch15.indd 593
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
594
Hashing Algorithms Several different major hash functions are available, although from a user perspective they work in an identical fashion: input data and receive a fixed-length message digest. What differs among the hash functions is the length of the message digest and the internal resistance to collisions and other forms of cryptographic attack. Several major families of hash functions exist. This section will cover several hashing algorithms from the MD series, the SHA series, and a few others.
MD5
Designed in 1992, MD5 produces 128-bit ciphertext hashes with four rounds of processing on 512-bit blocks. It is used in many scenarios, such as verifying the integrity of software downloads, file transfers, authentication, software patch verification, and even SSL. Although MD5 is still fairly popular, it is considered obsolete and has largely been replaced by the SHA series. This deprecation was caused by MD5’s susceptibility toward hash collisions. The SHA-1 and SHA-2 series are more resistant to collisions.
SHA-1/SHA-2/SHA-3
Although there was an earlier version of SHA (posthumously called SHA-0), it was deprecated due to severe flaws. Two years later (1995), SHA-1 was created to replace MD5. SHA-1 uses 160-bit hashes with 80 rounds of processing on 512-bit blocks. Despite its obvious improvements over MD5, hash collision attacks have already been demonstrated against it, and major technology companies have abandoned its usage on SSL certificates since 2017. SHA-2 was published in 2001 as a bigger and stronger version of the SHA-1 algorithm. It comes in multiple versions, including SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. The number of processing rounds varies from 64 to 80 on block sizes ranging from 512 to 1024 bits. Like SHA-1, SHA-2 is frequently utilized by IPSec, PGP, S/MIME, SSH, and—most commonly—TLS. SHA-2 has already been “cracked” on paper and in the real world; therefore, migrations to SHA-3 have already begun in earnest. Published in 2015, SHA-3 was not designed to be “better” than SHA-2 but rather to be a backup in case SHA-2 falls out of favor. SHA-3 was deliberately designed very differently from SHA-2 to avoid common vulnerabilities and exploitations. Similar to SHA-2, SHA-3 comes in different varieties, such as SHA3-224, SHA3-256, SHA3-384, and SHA-512. NOTE Migrations to SHA-3 will be slow given the industry’s relative confidence in SHA-2, SHA-3’s speed issues, and the relative lack of hardware/software support for SHA-3.
RIPEMD
Published in 1996, RIPEMD, like SHA-2, comes in different varieties, including RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. It is largely a replacement to MD5 and similar in power and performance to SHA-1. SHA-160 is the most common version, given the lack of measurable improvement gleaned from the
15-ch15.indd 594
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
595
RIPEMD-256 and RIPEMD-320 varieties. Otherwise, this cipher was never as popular as the MD5 and SHA ciphers.
Hash Vulnerabilities
Two major weaknesses are associated with hash functions. In the case of using a hash function for the purposes of integrity, there exists the possibility of a collision. A collision is when two separate input functions produce the same message digest. Collisions are a natural consequence of the fixed message digest size. A message digest of 128 bits can only represent a maximum of 2128 different inputs; after that there will have to be a repeat message digest. The good news is that although theoretically possible, the practical feasibility of producing a collision where the two data sets could be confused with each other, yet produce a common digest, is considered to be null. The other weakness is in the form of rainbow table attacks. Rainbow tables are precomputed hash values against all members of a particular set of values. For certain functions, such as passwords, this attack methodology can assist in “reversing” a hash through the computation of all possible hashes and looking up the matching value. This attack can be mitigated by system design, specifically the addition of a salt to a password, making the password too long for pre-computation and lookup. PART IV
NOTE Think of rainbow tables as the hashing version of a dictionary attack—only it’s not a dictionary of passwords, it’s a dictionary of hashes.
Use of Hashing in an Enterprise
Hash functions find many uses in a modern enterprise. Because hash functions are nonreversible, any data that passes through the function is in essence destroyed. What is returned from the hash function is a unique digest associated with the original data. Because the hash digest is determined by the original data and will change with a single bit change in the original data, hash digests can be used to compare different data sets to see if they are identical all the way to the bit level. This makes hash functions ideal for integrity checking of data. Hash functions can also serve a number of other functions, including the creation of hash tables for indexing data, the creation of pseudorandom numbers, and password protection. The storage of passwords presents the possibility of an unauthorized party obtaining the password. Rather than store the password, the system can store a hash of the password. Whenever a password is entered, it is subsequently hashed and checked against the stored value; if the hashes match, it means the password was correct. This is not a perfect scheme, and a series of attack vectors have been developed against it, but it provides significantly better security than just storing the passwords. Because hash functions are incredibly sensitive to even the minutest change in input and produce a seemingly random output, this has been used to create pseudorandom numbers.
Digital Signatures Signatures have been a mainstay of proving the authenticity of documents for centuries—and digital signatures extend this functionality to electronic documents. Digital signatures utilize both hashing and asymmetric cryptography to verify integrity
15-ch15.indd 595
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
596
and nonrepudiation. Digital documents are very easy for anyone to change and virtually impossible to directly detect tampering. To protect against unauthorized document editing, hashing functions are used to create a digest of the message that is unique and easily reproducible by any party desiring to know if the document was altered. This ensures that the message integrity is protected from unknown alterations. Asymmetric encryption is used to prevent unauthorized alterations to this resultant hash value. The properties of asymmetric encryption allow anyone to use a person’s private key to generate a message that can be decrypted and read by anyone. Assuming the private key is used to encrypt the hash value—and is only possessed by the authorized keyholder—this proves that the hash was encrypted by that person. If the hash value obtained by decrypting the hash matches a new hash taken of the data, this demonstrates that the data has not been altered. EXAM TIP The United States government has issued a standard for digital signatures referred to as the Digital Signature Standard. One of the three techniques approved is the Digital Signature Algorithm (DSA). This method has been updated to use an SHA-2 series hash and large seeds for the ElGamal discrete logarithm method used for public key encryption. This standard is published by NIST as FIPS 186-3.
Digital signatures are very powerful and can be applied to any digital item, including e-mail, documents, pictures, device drivers, and other types of digital transmission. Digital signatures can provide more than simple integrity checks; they can also provide nonrepudiation. It is also possible to incorporate timestamps into the signed element, providing a means to prove that a signature is valid even after a private key is later exposed or considered insecure.
Generating and Verifying Digital Signatures
Here is a step-by-step process of generating and verifying digital signatures. Steps performed as the signer: 1. Generate a hash value for the data to be signed. 2. Encrypt the hash value using your private key. 3. Attach the encrypted hash, and a copy of your public key (via certificate), to the data and send it to the other party.
Steps performed as the recipient: 1. Separate the data, encrypted hash, and certificate. 2. Obtain your own hash value of the data.
15-ch15.indd 596
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
597
3. Verify the public key is still valid using PKI methods. 4. Decrypt the encrypted hash value using the public key provided. 5. Compare the two hash values. If they are identical, the data is unchanged from the time of signing. (See Figure 15-3 for a diagram of a digital signature and verification process.)
Signing Process 110110101011
sh Ha tion nc u F
Hash Encrypt hash with signer’s private key
+
10110001101010 Signature
Certificate signer’s public key
PART IV
Information to be signed
+
Digitally signed data Verification Process Send to recipient Digitally signed data
10110001101010 Signature
Information that is signed
Decrypt using sender’s public key
Hash function 110110101011 Hash
Certificate signer’s public key
? =
110110101011
If hashes are identical, message is genuine
Figure 15-3 Digital signature signing and verification
15-ch15.indd 597
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
598
Message Authentication When communicating, it is sometimes desired to have a manner of managing message authenticity and integrity. The use of a cryptographic cipher, a secret key, and the message can produce a message authentication code (MAC) that can only be reproduced by holders of the secret key. This enables an authorized receiver (who has possession of the secret key) to verify that a message was not changed in transit. MACs differ from digital signatures because they use a single key for all functions; therefore, they cannot offer nonrepudiation because both the sender and receiver must possess the key. The use of a hash function to derive a message digest can be employed to provide a very sensitive method of detecting changes in messages, and the employment of this technique is referred to as message authentication codes. An HMAC is a specific form of a MAC in which a hash function is used over the message and key. This has become a standard mechanism, with HMAC-SHA1 and HMACMD5 both being used in TLS and IPSec protocols. Additional information on HMACs is available in RFC 2104 and FIPS PUB 198.
Code Signing Code signing is the application of digital signature technology to computer code, executable files, scripts, and resource files. A common concern when downloading code, or receiving it via any channel, including mobile device app stores, is whether or not the code has been changed or tampered with. Using a digital signature and signing the code provides an easy way to verify the integrity of the code. The digital signature can also verify the author of the code, be it a person or a firm. If you are downloading an update to the operating system and the code is signed, the operating system can check to see if the signature is valid and hence the code is intact. It can also alert the administrator as to the source of the signature, so that one knows where the software is coming from. Again, this all rests on the third-party certificate validation scheme (PKI) and valid certificates on the system connecting to the software developers. For large-scale patching systems, such as Microsoft’s Update service, all of this checking is done behind the scenes. Should a certificate not validate or a hash check fail, the patch would not be applied to the system and the operator would be alerted as to the failure.
Pseudorandom Number Generation Random numbers are used in many cryptographic processes but are difficult to generate in a computer. Pseudorandom numbers are numbers that may be deterministically generated and hence are not actually random—but appear to be random. True random numbers are very difficult to generate, and if a pseudorandom sequence appears to be random from a statistical perspective, then it can be used in place of a true random number. In most modern computer systems, input such as keystrokes, mouse movements, voltages, and other varying information can be used as a base for random number generation. Increasing the entropy hash functions can provide a means of spreading values to the point where statistically the output has all the characteristics of a random distribution.
15-ch15.indd 598
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
599
EXAM TIP Generation of random numbers is important in many cryptographic functions. To support this, a hardware-based approach is included in Trusted Platform Module (TPM) chip devices. This chip can also securely store cryptographic keys used by the system.
Perfect Forward Secrecy When cryptographic keys are used to secure information, there is always a possibility that a given transmission will be compromised, and a key lost. If this key is reused, the traffic protected by it would also be at risk. The same would be true of communications secured by a key derived from the compromised key. The term perfect forward secrecy is used to describe a condition where the loss of any specific key will not compromise future communications. To achieve perfect forward secrecy, it is important not to reuse a key. Key reuse can lead to key disclosure, which would then potentially compromise additional messages. Creating a new key as a function of a previous key can also lead to a manner of compromising future messages.
Data-in-Transit Encryption
PART IV
EXAM TIP Two conditions are required for perfect forward secrecy: one is that keys are not reused, and the other is that new keys are not derived from previously used keys.
A data encryption solution must consider the criticality of the data, sensitivity, the risk level and threats, plus the particular state the data is in. Data is either at rest on the hard drive, in transit over the network, or in memory being processed. Different states of data require different protections—which can be achieved by various cryptographic functions. The proper terminology for these data states is data-in-transit encryption, data-in-memory/processing encryption (sometimes called data-in-use encryption), and data-at-rest encryption. Data-in-transit encryption refers to the encryption of data as it travels across a network. This applies to traffic in transit over wired or wireless networks, in addition to the intranet. Different cryptographic solutions will provide varying degrees of protection, but at a minimum this transitory encryption will protect against eavesdropping attacks like sniffing. Although confidentiality solutions guard against sniffing, integrity and nonrepudiation protections must also be considered. If you want to provide protections at all three levels, consider some of the following:
• SSL/TLS Web-based security that has become more generalized • PGP Focuses on protecting e-mails in transit • S/MIME Also focuses on protecting e-mails in transit • IPSec Encrypts at a lower level and therefore supports securing various data types in transit • SSH Focuses on protecting terminal emulation and command-line interface (CLI) traffic
15-ch15.indd 599
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
600
Data-in-Memory/Processing Encryption Also referred to as data-in-use encryption, the encryption of data in memory/processing is designed to secure data while it is in use in memory types such as RAM, in addition to cache and register memory locations on the CPU. Since data in use often contains mission-critical and valuable data, several methods exist for securing live data:
• Secure encrypted enclaves Data encrypted in RAM but available to the CPU as plaintext. An example would be Intel’s Software Guard Extensions. • Homomorphic encryption Allows computation on ciphertext without access to plaintext. • Full memory encryption Emerging method of encrypting the entirety of RAM contents. • CPU-based key storage Stores encryption keys in CPU registers to protect against memory-based attacks.
Data-at-Rest Encryption Data-at-rest encryption refers to the encryption of data while it is inactive on a storage medium. The data is not being used, nor is it being transferred to another location. The most common example of data at rest is data stored on a hard drive; yet, data stored on other devices, in e-mail mailboxes, or in databases also qualifies.
Disk
Full disk encryption (FDE) products like Microsoft’s BitLocker can encrypt the entire computer drive or specific volumes on the drive. BitLocker provides offline data protection (as in someone steals and tries to unlock the drive elsewhere), protects all data stored on the encrypted volume, and helps verify and ensure the integrity of the computer’s early startup components. Since Windows 7, BitLocker To Go has been added to encrypt external hard drives and USB flash media. BitLocker is built into the following versions of Microsoft Windows:
• Windows Vista Enterprise/Ultimate • Windows 7 Enterprise/Ultimate • Windows 8 Pro/Enterprise • Windows 8.1 Pro/Enterprise • Windows 10 Pro/Enterprise/Education Here are some other examples of disk encryption products:
• VeraCrypt • Symantec Drive Encryption • GiliSoft Full Disk Encryption
15-ch15.indd 600
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
601
To utilize the full capabilities of full disk encryption products, be sure to implement a computer’s Trusted Platform Module (TPM) for key/certificate storage, in addition to a Unified Extensible Firmware Interface (UEFI) for secure and measured boot processes. TPMs add additional authentication and integrity attestation benefits.
File
Encryption techniques can also be employed directly on handpicked files and folders. Once a file owner encrypts the file, only that user can decrypt it. Although a series of cryptographic decryption processes take place to open the file, the user is shielded from these complexities by simply double-clicking the file to open it. For others to access the file, the file owner would have to share the file with them, which requires an asymmetric public-key-sharing process. Microsoft Encrypting File System (EFS) supplements the New Technology File System (NTFS) permissions and file-sharing permissions by preventing privileged accounts from accessing the content. This also prevents attackers from opening encrypted content should the content be transported to another device. Only those with the appropriate keys can open an EFS-protected file. Here are various processes involving EFS: PART IV
Encrypting a File with EFS 1. User wishes to encrypt a file. 2. User generates an AES symmetric key, which is also called the file encryption key (FEK). 3. User uses the FEK to encrypt the file and then stores the FEK in the file’s header. 4. User generates an asymmetric RSA key-pair containing a public key and a private key. The public key is stored in an EFS certificate, and the private key is stored in the user’s profile. 5. To protect the FEK, the user encrypts the FEK with the RSA public key. Decrypting a File with EFS 1. User wishes to decrypt an EFS-protected file. 2. User uses their RSA private key to decrypt the FEK. 3. User uses the decrypted FEK to decrypt the file. Sharing EFS-Protected Files 1. Alice wishes to share an EFS-protected file with Bob. 2. Alice must acquire Bob’s EFS certificate, which contains his RSA public key. The EFS certificate can either be acquired from a Certificate Authority or from Bob directly. In the case of the latter, Bob generates an EFS certificate (which contains his RSA public key) and exports the certificate and key to Alice. 3. Alice imports Bob’s EFS certificate. 4. Alice shares the file with Bob by selecting Bob’s EFS certificate.
15-ch15.indd 601
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
602
5. Alice adds a copy of her FEK to the file’s header and encrypts the FEK with Bob’s RSA public key. 6. If Bob wishes to decrypt the file, he would use his RSA private key to decrypt the FEK that was encrypted with his RSA public key. He would then use the FEK to decrypt the file.
Block
For versatility, efficiency, and reliability reasons, storage area networks (SANs) frequently use block-level storage as opposed to file-level storage. Blocks are large chunks of storage that can be treated as an actual hard drive. Blocks are given their own file system (NFS, NTFS, SMB, or VMFS) and are accessible to remote servers through SAN protocols like iSCSI and FCoE. If you’re looking for an encryption solution that is smaller than FDE, and better performing, consider block-level encryption. Block-level encryption is the practice of encrypting blocks of data as opposed to files. Encrypting a block will also encrypt the block’s file system, files, and metadata.
Record
Databases are large files made up of many records. Records are made up of fields that contain individual pieces of data. Think of records as the rows in a spreadsheet, and fields as the cells within a row. Records store related data elements such as customer, financial, and product information. Although complete database encryption options exist, recordlevel encryption calls for the encryption of records. By encrypting individual records, security is more tightly controlled, breaches are limited to individual records, and performance overhead is reduced.
Steganography Although cryptography does a great job of keeping data confidential, what it struggles with is hiding the fact that it is hiding something. It is great news that an encrypted e-mail being sent over a network will appear as gibberish to an eavesdropper, but this gibberish also makes it clear that a secret is being transmitted. Not that an attacker would have an easy time of it, but a cryptanalysis attack is always possible on ciphertext. On the other hand, steganography is designed to hide the fact that it is hiding something. It is the technique of hiding information in plain sight, such that nobody but the sender and receiver even suspect that a message or secret message was sent. These messages are typically hidden inside of other everyday objects like images, photos, audio, videos, text messages, e-mails/SPAM, and even folders. Businesses might use steganography to secretly transmit trade secrets, company plans, or account numbers, whereas hackers might use steganography to transmit and hide their hacking tools and malware. Steganography has the advantage over cryptography of not arousing suspicion because it is not obvious that a secret message was transmitted. An example of this might be the sentence “Sandy enjoyed long lists of fanciful fall shoes, handbags, and rings entered sequentially” found in an e-mail. Although the sentence is somewhat interesting, depending on what else was in the e-mail it could easily
15-ch15.indd 602
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
603
go unnoticed. If, however, you take the first letter of each word in the sentence, you would have the message “sell off shares.” This is an example of a message hidden in plain sight and an example of one type of steganography. The most common form of steganography is image-based steganography. A common method of doing this is to take the least significant bit for each pixel and alter it to send a message one bit at a time. Because we are altering the least significant bit of a picture, pixels are changed only in a very small way—one that is generally not discernable with the human eye. NOTE With the size of images today, a considerable amount of information can be hidden inside of a picture. Couple that with the commonplace occurrence of sending images, and it makes hiding in plain sight even easier.
PART IV
Detecting a steganographic image is extremely challenging, and determining what is contained in the image is even more challenging—especially because the message itself could also be encrypted before it is hidden inside the image. There are various steganalysis techniques designed to detect steganography including stego-only, known-stego, known-message, known-cover, chosen-message, and chosen-stego analysis. These steganalysis methods vary in terms of how much you know about the cover object (a generic image), a secret (what you’re hiding), stego object (image with the secret embedded), and the algorithm that was used to implant the secret into the cover object. For those interested in seeing how image-based steganography works, a number of tools are available on the Internet, including the following:
• OpenStego • QuickStego • Gifshuffle • Hide In Picture
Cryptographic Implementations
The previous section focused on cryptographic techniques that are important pegs in the cryptographic wheel. Although we need techniques like hashing, digital signatures, and code signing, they are not complete by themselves. For instance, which cryptographic hardware and software implementations are going to wield these techniques? This section talks about implementations such as SSL/TLS, PKI, cryptocurrency, and blockchain, plus a variety of other topics. For example, hashing is an important cryptographic technique, but blockchain implements hashing.
Cryptographic Modules Cryptographic modules are collections of hardware, software, and/or firmware that implement standardized security functions such as cryptographic algorithms, key management techniques, and authentication techniques. These modules are designed for the
15-ch15.indd 603
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
604
protection of federal information that is sensitive but otherwise unclassified. Given the federal target audience, cryptographic modules are standardized into four security levels, as per the FIPS 140-2 publication. NOTE For more information about cryptographic modules, see FIPS Publication 140-2, which describes 11 areas regarding the design and implementation of cryptographic modules.
Cryptoprocessors Cryptoprocessors are chips that perform complex cryptographic functions. Often implemented in TPM chips and smart cards, cryptoprocessors have a variety of important security features, including the following:
• Detection of and resistance to tampering • Electrical tap resistance • Zeroing out information if compromised • Chain of trust processes for loading trusted operating systems (OSs)
Cryptographic Service Providers Microsoft’s CryptoAPI is a Windows API that permits programmers to add cryptographic functions such as encryption/decryption and authentication to Windows-based applications. Cryptographic service providers are Windows software libraries that make the Microsoft CryptoAPI available to applications that require cryptographic capabilities. As such, there are a variety of cryptographic service providers, including the following:
• Microsoft Base Cryptographic Provider • Microsoft Strong Cryptographic Provider • Microsoft Enhanced Cryptographic Provider • Microsoft AES Cryptographic Provider • Microsoft RSA/Schannel Cryptographic Provider As an example, if an application needs to implement AES 128-bit encryption, it’ll interface with the Microsoft AES Cryptographic Provider, which then implements one of several AES algorithms, such as one of the AES 128-bit, AES 192-bit, or AES 256-bit variety.
Digital Rights Management (DRM) Digital Rights Management (DRM) uses technology to restrict how digital copyrighted works can be used after they are published. These restrictions include use, modification, and distribution of digital content such as documents, applications, music, movies, and video games.
15-ch15.indd 604
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
605
EXAM TIP Since there are ways to circumvent digital copyrights, the Digital Millennium Copyright Act of 1996 and the European Union’s Copyright Directive were created to legally punish those who endeavor to illegally use, modify, or distribute copyrighted materials.
DRM protections are often implemented through encryption of the protected content, as with the case of music files. In the case of DRM-protected music on iTunes, sharing it with other people and/or accessing the music on unapproved devices is often met with difficulty. That is because the music is encrypted with the purchaser’s key and can only be decrypted by that individual.
Watermarking
GNU Privacy Guard (GPG) Pretty Good Privacy (PGP), which is trademarked by Symantec, is a series of wellknown cryptographic functions that provide for key exchange, confidentiality, integrity, and nonrepudiation of electronic communications. E-mail makes up the primary type of electronic communications protected by PGP. Having been around since 1991, PGP has gone through a variety of changes, spinoffs, legal issues, and even exportation and patent issues. As a workaround to some of these challenges, an open source, patent- and royalty-free version of PGP was created in the late 1990s called GNU Privacy Guard (GPG). GPG is a free implementation of the OpenPGP standard. It can be freely used, modified, and distributed as per the GNU General Public License. Here are some of the algorithms that can be implemented by GPG:
PART IV
Watermarking can be thought of as a hybrid of steganography and DRM in that it embeds a branded logo, trademark, or owner details into digital content for authentication of copyright materials and also the enforcement of their legal protections. You could also argue that the watermark acts not outright as a preventative but rather as a basic deterrence against unauthorized use, modification, or distribution of said materials due to the difficulty of cleanly removing the watermark. Watermarking is supplementary to a DRM-based solution rather than a replacement.
• Asymmetric cryptography Public key: RSA, ElGamal, DSA • Symmetric cryptography 3DES, IDEA, CAST5, Blowfish, Twofish, AES-128, AES-192, AES-256 • Message Digest MD5, SHA-1, RIPEMD-160, SHA-224, SHA-256, SHA-384, SHA-512 GPG is also compliant with IETF’s RFC 4880 for OpenPGP application interoperability requirements.
15-ch15.indd 605
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
606
Like PGP, GPG utilizes a peer-to-peer web of trust model for certificate and public key sharing—which is the opposite of centralized Certificate Authority servers. This involves each system in the web of trust having an independent copy of the other members’ certificates and public keys. This allows protected e-mail communications to take place in a more ad-hoc fashion.
SSL/TLS Secure Sockets Layer (SSL) was created by Netscape in the mid-1990s to provide various cryptographic features to an Internet still in its infancy. It utilizes the full gamut of asymmetric, symmetric, key exchange, hashing, and digital signature features to provide authenticity of servers, integrity, and confidentiality of data. SSL creates secure connections between web browsers and web servers over an otherwise insecure network. Ever see a website URL prefixed with HTTPS as opposed to HTTP? HTTPS is the outcome of using SSL to encrypt HTTP communications. HTTP uses TCP port 80, and HTTPS uses TCP port 443. SSL 3.0/TLS 1.0 would require servers to authenticate to clients but optionally for clients to authenticate to servers. Although Netscape is no longer around, its legacy will forever live on through SSL. Being able to say that you helped pioneer web-based Internet security is no small thing. SSL has been around long enough to have gone through many generations of changes, as noted here:
• SSL 1.0 Never published due to severe flaws (1993–1994) • SSL 2.0 Published but flawed, therefore completely rewritten in SSL 3.0 (1995) • SSL 3.0 Final version of SSL (1996) • TLS 1.0 A non-Netscape and “standardized version of SSL,” which is almost identical but otherwise incompatible with SSL 3.0 (1999) • TLS 1.1 More secure version of TLS 1.0 (2006) • TLS 1.2 Most popular TLS standard (2008) NOTE TLS 1.3 is the latest TLS standard as of August 2018 and sorely needed. Currently there is limited support, but that will change swiftly.
Even though most people still use the SSL term, TLS has long-since replaced SSL due to its security benefits and universal support by web browsers and other applications. Although there are many differences between SSL and TLS, the CASP+ exam does not denote them. You can think of TLS as being a stronger and more modern version of SSL through its usage of better key exchange methods, handshaking, plus stronger asymmetric, symmetric, and hashing ciphers. Few people will correct you when you use SSL and TLS interchangeably since SSL 3.0 and TLS 1.0 are essentially the same—yet their path of divergence has widened significantly over the past 20 years. Not only that, but
15-ch15.indd 606
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
607
they were never compatible with one another. Other implementations exist, including OpenSSL, which implements open versions of SSL and TLS. Although SSL/TLS can be used for securing many traffic types, including VPN, e-mail, LDAP, FTP, and others, web-based security is by far the most likely. Confusion often arises as to what SSL/TLS is when it is often discussed in the same sentence with other terms such as RSA, AES, SHA-2, PKI, and so forth. Think of SSL/TLS as the software that implements cryptographic algorithms. Here is the SSL/TLS process of setting up a secure connection between a web client and web server: 1. Client sends an HTTP request to connect to an Internet web server. This request includes the client’s SSL/TLS cryptographic details for security negotiation. 2. Internet web server replies to client with its own SSL/TLS cryptographic details for security negotiation. The server also sends its digitally signed SSL/TLS certificate, which also contains the server’s public key. 3. Client uses the server’s public key to decrypt the certificate’s digital signature. This reveals the certificate’s hash value.
5. Client generates a symmetric key—likely AES—which is also called a session key. This key gets encrypted by the server’s public key. Client sends the encrypted session key to the server.
PART IV
4. Client rehashes the server’s certificate to verify that the resulting hash matches the server’s supplied hash for integrity verification.
6. Server uses its hidden private key to decrypt the encrypted session key. 7. The client and server have a copy of the same session key for all subsequent traffic encryption needs. This is what happens whenever you establish a secure SSL/TLS session with a secure web server or other entity.
Secure Shell (SSH) Secure Shell (SSH) does for terminal emulation what SSL does for web-based security. It is both an application and protocol that provides for a fully secured connection between terminal emulator products like PuTTY and command-line interface endpoints like Cisco routers, switches, and Linux and Unix servers. It implements many of the same goals and algorithms as SSL, including key exchange, asymmetric and symmetric algorithms, and hashing, which help to secure terminal emulation communications. EXAM TIP SSH is largely a replacement for Telnet, which sends all traffic in cleartext. SSH uses TCP port 22, and Telnet uses TCP port 23. Since any packet sniffer can capture Telnet’s cleartext credentials, it is important to switch to SSH-based tools wherever possible.
15-ch15.indd 607
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
608
S/MIME Secure/Multipurpose Internet Mail Extensions (S/MIME) is a secure e-mail-based cryptography standard that protects MIME e-mail messages through symmetric and asymmetric ciphers as well as digital signatures. Although S/MIME has much in common with the PGP e-mail security features, there are some key differences as well:
• S/MIME relies on a CA, whereas PGP uses a web of trust model. • S/MIME focuses on securing e-mail messages and attachments, whereas PGP secures e-mail messages only. • S/MIME is more affordable. • S/MIME is incorporated into many commercial e-mail packages and is therefore more popular.
Cryptographic Applications and Proper/Improper Implementations Cryptography is not a panacea, nor is it the solution to every security problem. Properly employed, it can play a role in securing information both at rest and in transit. To do so requires appropriate architectural and design considerations based on the context of the system, data, and threats against which protection is desired. A starting point is to define the requirements in terms of both confidentiality and integrity. It is also necessary to examine the data types, and when transport is involved, the characteristics of the transport channel. Because cryptography involves both algorithms and keys, decisions need to be made on algorithms and key exchange issues. Most modern software development platforms have built-in library functions that cover the standard cryptographic functions. This eliminates the need to create one’s own encryption method—a proven method of failure in virtually every case it has been attempted. This leaves the issue of proper implementation. Even with a good algorithm, it is possible to create designs where a key is exposed or lost. Care must be exercised to properly implement the systems as designed in the standards defining the various algorithms and cryptosystems. The primary method of defeating a modern cryptosystem lies in either exploiting a weakness in implementation or an offline attack that bypasses the encryption mechanism. A pass-the-hash attack, circumventing the need for a password, has proven the demise of many a system thought to be protected.
Strength
Modern digital cryptography offers significant protection from attack. As digital computers have become more powerful, various systems have come under attack due to the sheer power of today’s computers, including distributed processing. This has led to the retirement of the DES method as well as the replacement of 3DES with AES. As a general rule, the longer the key, the larger the keyspace and the stronger the encryption for a given algorithm.
15-ch15.indd 608
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
609
Hash functions have also been challenged by modern computing power, and this has led to the development of the SHA-2 and SHA-3 series. The exploitation of a rainbow table’s pre-computed hash values has led to the practice of salting passwords, effectively increasing their length. EXAM TIP Different cryptographic algorithms have different key lengths associated with them, and comparing the strength of algorithms on the basis of key length is not an exact science. An AES key of 256 bits offers very strong encryption as a block-based symmetric cipher. A 3,072-bit RSA key is a very strong public key, and a 384-bit elliptic curve key is also strong. Although the previous three examples are all considered to be strong, comparing their respective strength is not an exact science.
Performance
PART IV
Cryptographic performance is dependent on both the algorithm and the key length. Public key algorithms are more computationally intensive than symmetric algorithms, and hence require more computing power for a given amount of desired encryption. For this reason, public key methods are typically used to pass a secret key, often referred to as a session key, which is used with a symmetric algorithm for the bulk encryption work. A special case, ECC, was developed using an algorithm that is much more computationally efficient than RSA, allowing it to be implemented in mobile devices with lower processing power.
Feasibility to Implement
The key to feasibly implementing cryptographic elements into an enterprise is planning and design. Cryptography is not a new science; it is well understood, and a wide range of cryptographic elements are included in all major development languages. The challenge comes in the proper design and execution. Because cryptography imposes a computational cost on both the sender and receiver, it is important to determine the correct level of needed protection. Just as it doesn’t make sense to protect a $100 bill with a $1,000 system, cryptography can be overdone. Typically, however, cryptography is underutilized, leading to unnecessary risk from avoidable data breaches and disclosures.
Interoperability
The key to interoperability is to operate within the standards that have been developed for all the methods of cryptography. Although the math and methods may be complex— and nearly impossible to understand—they all have standards governing their implementation so that vendor-neutral interoperable solutions can be designed and employed. EXAM TIP As in all issues surrounding security, the landscape is always changing, with attacks causing older technologies to be less secure than desired. This has led to the retirement or deprecation of many algorithms and protocols. Keeping abreast of issues and ensuring older protocols, such as SSL 2.0 and below, and less-than-128-bit encryption methods are disabled on systems are both essential in the constantly changing environment of security.
15-ch15.indd 609
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
610
Stream vs. Block Stream ciphers like RC4 have a performance advantage over block ciphers due to stream ciphers performing encryption on individual data bits. Although block ciphers such as AES typically perform well, they don’t perform as quickly as stream ciphers due to encrypting large blocks of data frequently in the 64-bit to 128-bit size. Bottom line: stream ciphers are generally faster and less secure, whereas block ciphers are more secure but not as fast.
PKI The passing of public keys between entities is done via a specific format called a digital certificate. Digital certificates offer not only a means of standardized key transmission, but also a format whereby the key’s attribution to a particular entity can be established. The necessary set of policies, procedures, hardware, and software to perform the tasks associated with key creation, management, distribution, use, storage, and revocation is referred to as a public key infrastructure (PKI). EXAM TIP The principal components of a PKI system include Certificate Authorities (CAs), Registration Authorities (RAs), certificates, policies, certificate life cycles, and chains of trust. A certificate carries a public key (or keys) and is attested to by a CA. Whether or not one trusts the key depends on the trust relationship with the CA and its signers.
Systems A PKI consists of several elements to allow the association of public keys and entities and to do so with a level of trust. The primary elements of a PKI include the Certificate Authority, the Registration Authority, certificates, the management of these certificates through their life cycle, and policies. Policies are required to manage the rules and processing of certificates and trust. Acceptance of a certificate is based on trusting the chain of signatures associated with issuance of a certificate from a CA.
Digital Certificate
A digital certificate is a standard format for the passing of public keys between entities. The common standard used is X.509, and this format provides for a variety of information to be passed between entities. Four main types of certificates can be issued by a Certificate Authority: end-entity, CA, cross-certification, and policy certificates. End-entity certificates are issued by a CA to a specific entity, such as a person (Alice), a group (the accounting department), or a device (a firewall). An end-entity certificate is the identity document provided by most PKI implementations. End-entity certificates bind a public key to the entity listed on the certificate. End-entity certificates are signed by the CA. A CA certificate is the certificate identifying the public key for the CA. It can be selfsigned, in the case of a standalone or root CA, or it can be issued by a superior CA within a hierarchical model. A superior CA can give the authority and allow a subordinate CA to accept certificate requests and generate the individual certificates itself. This may be necessary when a company needs to have multiple internal CAs, and different departments
15-ch15.indd 610
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
611
within an organization need to have their own CAs servicing their specific end-entities in their sections. In these situations, a representative from each department requiring a CA registers with the higher trusted CA and requests a Certificate Authority certificate. EXAM TIP The common standard used for digital certificates is X.509. The four main types of certificates are end-entity, CA, cross-certification, and policy certificates.
A cross-certification certificate (or cross-certificate) is used when independent CAs establish peer-to-peer trust relationships. Simply put, cross-certificates are a mechanism through which one CA can issue a certificate allowing its users to trust another CA. When two firms merge, this mechanism allows for easy certificate management across both firms. Finally, policy certificates are traceable documents that can disseminate specific policy guidance to PKI clients. These are used in high-security applications, where a mechanism is required to provide centrally controlled policy information to PKI clients.
Certificate Authority
PART IV
A Certificate Authority (CA) is a trusted authority that certifies individuals’ identities and creates electronic documents indicating that individuals are who they say they are. The electronic document is referred to as a digital certificate, and it establishes an association between the subject’s identity and a public key. The private key that is paired with the public key in the certificate is stored separately.
X.509 Digital Certificate Fields
The following fields are included within an X.509 digital certificate:
• Version number Identifies the version of the X.509 standard that was used to create the certificate; indicates the format and fields that can be used. • Serial number A unique number identifying this one specific certificate issued by a particular CA. • Signature algorithm Specifies the hashing and digital signature algorithms used to digitally sign the certificate. • Issuer Identifies the CA that generated and digitally signed the certificate. • Validity Specifies the dates through which the certificate is valid for use. • Subject Specifies the owner of the certificate. • Public key Identifies the public key and algorithm being bound to the certified subject. • Certificate usage Specifies the approved use of the key/certificate, which dictates the intended use of this public key. • Extensions Allow additional data to be encoded into the certificate to expand the functionality of the certificate. X.509 version 3 has extended the extension possibilities.
15-ch15.indd 611
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
612
A CA is made up of the software, hardware, procedures, policies, and people who are involved in validating individuals’ identities and generating the certificates. This means that if one of these components is compromised, it can negatively affect the CA overall and can threaten the integrity of the certificates it produces. This is a weakness in the current PKI system because false certificates have been appearing in malware systems in recent years. Every CA should have a certification practices statement (CPS) that outlines how identities are verified; the steps the CA follows to generate, maintain, and transmit certificates; and why the CA can be trusted to fulfill its responsibilities. The CPS describes how keys are secured, what data is placed within a digital certificate, and how revocations will be handled. If a company is going to use and depend on a public CA, the company’s security officers, administrators, and legal department should review the CA’s entire CPS to ensure that it will properly meet the company’s needs, and to make sure that the level of security claimed by the CA is high enough for their use and environment. A critical aspect of a PKI is the trust between the users and the CA, so the CPS should be reviewed and understood to ensure that this level of trust is warranted.
Registration Authority
A Registration Authority (RA) is the PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate. The authentication requirements differ depending on the type of certificate being requested. Although not specified in the standards, or required by any specific rule, most CAs offer a series of classes of certificates with increasing levels of trust by class. RAs must have appropriate mechanisms to match validation with the level of trust implied by the class of the certificate. Each higher class of certificate can carry out more powerful and critical tasks than the one below it. This is why the different classes have different requirements for proof of identity. If you want to receive a Class 1 certificate, you may only be asked to provide your name, e-mail address, and physical address. For a Class 2 certification, you may need to provide the RA with more data, such as your driver’s license, passport, and company information that can be verified. To obtain a Class 3 certificate, you will be asked to provide even more information and most likely will need to go to the RA’s office for a face-to-face meeting. Each CA will outline the certification classes it provides and the identification requirements that must be met to acquire each type of certificate for RAs to follow. In most situations, when a user requests a Class 1 certificate, the registration process will require the user to enter specific information into a web-based form. The web page will have a section that accepts the user’s public key, or it will step the user through creating a public/private key-pair, which will allow the user to choose the size of the keys to be created. Once these steps have been completed, the public key is attached to the certificate registration form and both are forwarded to the RA for processing. The RA is responsible only for the registration process and cannot actually generate a certificate. Once the RA is finished processing the request and verifying the individual’s identity, the RA sends the request to the CA.
15-ch15.indd 612
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
613
The CA uses the RA-provided information to generate a digital certificate, integrates the necessary data into the certificate fields (user identification information, public key, validity dates, proper use for the key and certificate, and so on), and sends a copy of the certificate to the user. The certificate may also be posted to a publicly accessible directory so that others can access it. Note that a one-to-one correspondence does not necessarily exist between identities and certificates. An entity can have multiple key-pairs, using separate public keys for separate purposes. Thus, an entity can have multiple certificates, each attesting to separate public key ownership. It is also possible to have different classes of certificates, again with different keys. This flexibility allows entities total discretion in how they manage their keys, and the PKI manages the complexity by using a unified process that allows key verification through a common interface.
Applications
When applications need to use public key cryptography, the standards defined by PKI allow vendors an interoperable method to exchange keys via certificates. This enables a browser to correctly utilize the required keys, including the checking of trust paths and revocation before use, automatically and seamlessly behind the scenes.
The following steps are required for validating a certificate: 1. Compare the CA that digitally signed the certificate to a list of CAs that have already been loaded into the receiver’s computer.
PART IV
Validating a Certificate
2. Calculate a message digest for the certificate. 3. Use the CA’s public key to decrypt the digital signature and recover what is claimed to be the original message digest embedded within the certificate (validating the digital signature). 4. Compare the two resulting message digest values to ensure the integrity of the certificate. 5. Review the identification information within the certificate, such as the e-mail address. 6. Review the validity dates. 7. Check a revocation list to see if the certificate has been revoked.
Users
A user of public keys can be a person, a piece of hardware or software, a department, or a company—virtually any entity can have a public key. The role of the PKI is to validate that the entity claiming to have the key is the correct entity by way of information listed on the certificate itself. Public keys and digital certificates act as cryptographic surrogates providing a secure means of identification for an entity as part of a digital transaction.
15-ch15.indd 613
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
614
Wildcard
A wildcard certificate is a specific form of certificate used in TLS/SSL instances. Normally a separate certificate would be required for each subdomain under a domain, and this could lead to a large number of certificates and force cryptographic renegotiation as a user crosses the subdomains. A wildcard certificate addresses this issue by enabling TLS/ SSL encryption on multiple subdomains using a single certificate as long as the domains are controlled by the same organization and share the same second-level domain name. EXAM TIP A wildcard certificate issued to Company ABC using the Common Name “*.CompanyABC.com” may be used to secure the help.CompanyABC .com, research.CompanyABC.com, and web.CompanyABC.com domains.
OCSP vs. CRL
Before using a certificate, one should ensure that it is still valid and has not been revoked by the issuer or entity. The two primary methods to verify whether a certificate is still valid are the Online Certificate Status Protocol (OCSP) and a certificate revocation list (CRL). The CA is the entity responsible for the status of the certificates it generates; it needs to be told of a revocation, and it must provide this information to others. The CA is responsible for maintaining the CRL and posting it in a publicly available directory. Certificates that have expired are not the same as those that have been revoked. If a certificate has expired, it means that its end validity date was reached. This information is typically provided by means of a certificate revocation list, a list of all revoked certificates and the reasons for revocation. The list usually contains all certificates that have been revoked within the lifetime of the CA. The format of the CRL message is also defined by X.509. The list is signed, to prevent tampering, and contains information on certificates that have been revoked and the reasons for their revocation. These lists can grow quite long, and as such, there are provisions for date-time stamping the list and for issuing delta lists, which show changes since the last list was issued. EXAM TIP Before one uses a public key, it is highly recommended to check to see if it is still valid. This can be done by one of two mechanisms: certificate revocation lists (CRLs) or the Online Certificate Storage Protocol (OSCP). CRLs are verified from the CA that issued the certificate, whereas the OSCP offers a service-based mechanism that can cross multiple CAs in a convenient fashion.
OCSP is a request and response protocol that obtains the serial number of the certificate that is being validated and reviews revocation lists for the client. The protocol has a responder service that reports the status of the certificate back to the client, indicating whether it has been revoked, is valid, or has an unknown status. This protocol and service saves the client from having to find, download, and process the right lists.
15-ch15.indd 614
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
615
Issuance to Entities/Key Escrow
The PKI system has a responsibility to support the entire public key life cycle, from issuance, through use, retirement/destruction, and management functions such as key recovery and escrow. The issuance of certificates is the most common function identified by users, but the real work occurs during the certificate usage phase. Before each use of a certificate, the user should validate that the certificate is still valid. This is done by checking in with the Certificate Authority. The life cycle of a certificate also includes the management of certificate issues with respect to key escrow and key recovery. As noted earlier, the private key is typically never moved from the machine it was generated on, yet in today’s business world there exists a need to manage keys through equipment and personnel changes. This can be done through a system known as key escrow and key recovery. Upon the creation of the keypair, the private key can be written to a certificate and a copy can be deposited in an appropriately secure repository. This is known as key archiving and can act as a safety net in the event of disaster or the loss of an employee associated with the key.
Key escrow is different from key recovery; it is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises. Key escrow almost always pertains to handing over encryption keys to a higher authority so that the keys can be used to collect evidence during investigations. A key-pair used in a person’s place of work may be required to be escrowed by the employer for three reasons. First, the keys are property of the enterprise, issued to the worker for use. Second, the firm may have need for them after an employee leaves the firm. Lastly, the firm may need them to perform an investigation on data secured by the keys.
PART IV
NOTE Two systems are important for backing up and restoring cryptographic keys: key archiving and key recovery. Key archiving is a way of backing up keys and securely storing them in a repository; key recovery is the process of restoring lost keys to the users or the company.
Tokens
Tokens are devices that store digital certificates and private keys for the purpose of accessing restricted resources. The most popular example of a token is smart cards, although RSA SecurID tokens are common with the government and military—in addition to common access cards (CAC) serving as a military smart card of sorts. CACs are not only used for performing secure digital functions but also to access restricted rooms and areas. These physical token devices are generally part of a multifactor authentication requirement that may include a password (something you know) and a token (something you have). Tokens may also replace the password or PIN requirement rather than augment it. Tokens are frequently used for secure access to e-mail and VPN servers, to unlock encrypted internal or external hard drives, and to digitally sign content. They are generally considered one of the more powerful authentication factors.
15-ch15.indd 615
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
616
Stapling
With typical OCSP usage, clients contact the CA (OCSP server) to verify the revocation status of a website’s certificate. OCSP stapling changes this by making it the responsibility of the certificate owner (web server) to periodically check the CA for certificate status. The OCSP server responds with a time-stamped digital signature that verifies a certificate’s status. As a result, whenever clients contact the website and perform the usual SSL/ TLS handshaking process, the website will automatically include the OCSP’s digitally signed certificate status response as part of the handshake. In other words, the web client learns during the handshaking process with a web server that the web server’s certificate is valid—without having to independently query the OCSP server itself.
Pinning
Designed to mitigate flaws with SSL/TLS, certificate pinning is an explicit certificate trust process that involves clients checking a server’s certificate against a known copy of that certificate. In other words, clients will download a trusted and verified copy of a server’s certificate. Hackers might hijack a server and change that server’s certificate in order to get clients to falsely trust it. If clients had already “pinned” the previous good certificate and associated public key, the client will not trust the new certificate due to it not matching the known good copy. Certificate pinning allows for certificates to be renewed, but when a certificate changes completely without the previous one being revoked, this will be flagged as malicious activity.
Cryptocurrency/Blockchain Cryptocurrency is a digital form of currency that uses powerful cryptographic methods to secure financial transactions through a decentralized or peer-to-peer network. The groundbreaking qualities of cryptocurrency have made it a widespread modality for performing secure financial transactions. The most prominent example of cryptocurrency is Bitcoin, which began in 2009 and has facilitated millions of people performing secure financial transactions using an electronic form of cash called bitcoins. NOTE At the time of this writing, one bitcoin is equal to $4,194.97 US dollars.
The key to Bitcoin’s success with secure digital financial transactions lies with its usage of a revolutionary type of network called a blockchain. In the context of cryptocurrency, blockchains are a large chain of financial transaction records that, rather than get stored on centralized financial servers, are actually chained to each other as a decentralized and linear series of blocks. Each user of the blockchain network has a complete copy of this blockchain, which forms a digitally shared ledger of sorts—hence the term decentralized. When individuals perform a secure transaction with cryptocurrency, the transaction is stored in an individual piece of the blockchain called a block, which represents a record of a specific transaction that includes information about the individuals involved and the monies exchanged. Picture a blockchain as a chain of domino tiles that stretches out hundreds of thousands or more tiles in length. Despite the decentralized management
15-ch15.indd 616
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
617
of blocks, blockchain cryptography secures the transactions and blocks so that only the parties to the transaction are aware of the details that get recorded in their block. After the transaction is complete, the block is added to the blockchain, much like a domino tile is added to another domino tile. A critical aspect of cryptocurrencies is trust. The cryptocurrency transactions must not only be robust, but secure and tamper-free. For integrity purposes, the contents of the block are hashed, and the hash gets stored with the block so that other blocks can double-check that their hash calculation of your block matches the hash you calculated. Blocks hash themselves and adjacent blocks in order to form an internetwork of hashing oversight. TIP Blockchain is one of the hottest trends in all of cryptography right now. Be sure to understand this not only for the exam but also for the real world.
To better understand the basics of the blockchain process, follow this example: 1. You finished a secure financial transaction.
3. Your Block B is hashed for integrity purposes, with the hash being stored with Block B for other connecting blocks to see. Since Block B is also connected to Block A, Block B also hashes Block A and stores that hash on Block B. Block B is now storing a copy of the Block B and Block A hashes.
PART IV
2. The transaction is stored in your block (Block B), which then gets added to the blockchain by connecting itself to an existing block (Block A).
4. Block A repeats step 2 so that Block A is now storing a copy of Block A and Block B hashes. 5. Someone else performs a financial transaction that gets stored in Block C. Block C gets connected to your Block B. Block C repeats step 2 so that Block C has a copy of Block C and Block B hashes. 6. Rinse and repeat for all subsequent blocks that get added to the blockchain.
As you can see, all blocks connect to other blocks and are, in a sense, responsible for one another’s integrity. This helps it be resistant to tampering, because if someone modifies a block, all other adjacent blocks will notice hashing mismatch violations, which then get flagged.
Mobile Device Encryption Considerations Most mobile devices such as tablets and smartphones support storage encryption. Many organizations have security policies that mandate mobile device encryption as part of a Bring Your Own Device initiative to access corporate e-mail. Part of this requirement stems from the egress risks associated with a lost or stolen mobile device falling into the wrong hands. Device encryption can help protect stored e-mail on a lost or stolen device.
15-ch15.indd 617
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
618
However, mobile devices are different from standard devices in that they are computationally weaker and have a battery to preserve. To combat these limitations, a cryptographic algorithm is needed that is gentle on computational and battery requirements. The answer is Elliptic Curve Cryptography (ECC).
Elliptic Curve Cryptography As described earlier in the chapter, Elliptic Curve Cryptography (ECC) is, pound for pound, more powerful than RSA. However, the importance here lies in ECC finding a niche in low-power and computationally constrained devices like mobile devices and IoT devices because the keys are shorter and the math is faster for a given level of security.
P-256 vs. P-384 vs. P521
As with most cryptographic ciphers, ECC supports multiple key sizes, including P-256, P-384, and P-521. According to FIPS PUB 186-4, P-521 is the accurate title of the key size; therefore, it should not be written as P-512. As the key size goes up, security also goes up, while performance goes down. This balance of security and performance is crucial when considering the computational and battery requirements unique to mobile devices. Therefore, P-256 should be used on mobile devices to ensure strong security while maintaining adequate performance. Remember that 256-bit ECC keys are equivalent to key sizes many times larger regarding RSA.
Chapter Review
This chapter covered one of the most important topics in CASP+—and security in general—which is the implementation of cryptographic techniques based on specific scenarios. The first section began with cryptographic fundamentals, such as the goals of cryptography. These include confidentiality for keeping secrets secret, integrity for ensuring data accuracy, and nonrepudiation for proof of transaction origin. We touched on a variety of different symmetric ciphers, such as RC4, AES, DES, 3DES, and various others. This also includes asymmetric cipher coverage, such as RSA, ECC, ElGamal, Diffie-Hellman, and so on. We then touched on another cryptographic technique: key stretching. Key stretching is important because it turns weak cryptographic keys into stronger ones. Next, we touched on hashing, which is crucial for most integrity verification processes. Then we touched on digital signatures, which implement hashes and private keys for the successful digital signing of content. Message authentication was discussed, which helps protect hashes from attacks against the message hashes themselves. The “Code Signing” section covered the need to digitally sign applications for integrity and nonrepudiation reasons. The next topic was pseudorandom number generation, which helps generate numbers that are seemingly random. This is needed for many cryptographic functions. We then talked about perfect forward secrecy, which requires frequent key changes in order to ensure that compromised keys don’t lead to compromises in the future. We then touched on data-at-rest, data-in-use, and data-in-transit encryption techniques so that data is
15-ch15.indd 618
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
619
PART IV
secured when inactive, in memory, and in a state of transmission, respectively. The “Steganography” section took the discussion from making secrets unreadable (cryptography) to making secrets unnoticed. We then switched gears from techniques to implementation, starting with cryptographic modules and the role they play in implementing cryptographic algorithms. Next, we touched on cryptoprocessors, which are chips that do the math in cryptography. This led to a discussion on cryptographic service providers, which contain libraries of cryptographic algorithms. The subjects of DRM and watermarking moved the discussion into the methods of protecting copyrighted materials. “GNU Privacy Guard (GPG)” provided a discussion of an open source alternative to the popular PGP protocol for e-mail-based encryption. The section on SSL/TLS was complete and comprehensive on various protocols and processes of securing web-based traffic. We then discussed SSH and how it plays a role similar to SSL/TLS, but only for terminal-based traffic security. We talked about cryptographic applications and proper/ improper implementations regarding the strength, performance, feasibility to implement, interoperability of cryptography solutions, and stream ciphers versus block ciphers. We then began a section on PKI, which included a discussion on the wildcards needed to bind certificates to multiple organizational domains as opposed to just one. We then moved on to OCSP versus CRLs, which is a question of utilizing the speed benefits of OCSP as opposed to the more thorough approach of CRLs. We also talked about issuing certifications to organizations and backing up their private keys to key escrow agents for legal reasons. We provided deep coverage of certificates due to the fundamental role they play in almost all digital security situations. We discussed physical security tokens for multifactor authentication implementations, stapling for quicker OCSP responses, and pinning to circumvent man-in-the-middle attacks against certificate owners. We also provided good coverage on blockchain, which is a relatively new and exploding field in cryptocurrency. We touched on mobile device encryption requirements and how the ECC protocol is tailor-made for the computational and battery requirements unique to mobile devices.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Cryptography Fundamentals • Cryptography is the science of hiding or making information unreadable to unauthorized parties. • Encryption is the process of converting readable information into an unreadable format. • Decryption is the process of converting unreadable information into a readable format. • Plaintext/cleartext is information in a readable format.
15-ch15.indd 619
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
620
• Ciphertext is information in an unreadable format. • Algorithms are step-by-step mathematical processes. • Ciphers are cryptographic algorithms that perform a specific method of encryption or decryption. • A key is a small, secretive piece of alphanumerical information fed into a cipher to turn a cipher’s predictable plaintext/ciphertext patterns into an outcome unpredictable to those without the key—while being predictable to those in possession of the key. • Confidentiality provides assurances that only authorized individuals can access sensitive materials. • Integrity protects messages from unauthorized modification, while also providing a means of verifying the accuracy of messages. • Nonrepudiation is the assurance that a message, action, or activity originated from the stated source. • Symmetric key encryption is characterized by the use of the same key for both encryption and decryption. • DES is an older symmetric block cipher that uses 56-bit keys. • 3DES is a stronger version of DES in that it implements the DES process three times on each block of data. • AES is a symmetric block cipher with 128-bit, 192-bit, or 256-bit keys and performs either 10, 12, or 14 rounds of processing on 128-bit message blocks. • IDEA is a symmetric block cipher that uses a 128-bit key size and performs 8.5 rounds of processing on 64-bit message blocks. • CAST-128 is a symmetric block cipher with either 40-bit or 128-bit keys, while utilizing 12 or 16 rounds of processing on 64-bit message blocks. • RC4 is a stream cipher that was frequently used in older Wi-Fi and SSL scenarios. • RC5 is a symmetric block cipher with key sizes up to 2048 bits, 1 to 255 rounds of processing, on 32-bit, 64-bit, or 128-bit message blocks. • RC6 is a symmetric block cipher that uses key sizes of 128, 192, and 256 bits, and performs 20 rounds of processing on 128-bit message blocks. • Serpent uses key sizes of 128, 192, and 256 bits with 32 rounds of processing on 128-bit blocks. • Skipjack uses key sizes of 128, 192, and 256 bits, with 32 rounds of processing on 128-bit blocks. • Blowfish uses key sizes between 32 and 448 bits, with 16 rounds of processing on 64-bit message blocks. • Twofish uses key sizes between 128 and 256 bits, with 16 rounds of processing on 128-bit blocks.
15-ch15.indd 620
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
621
• Diffie-Hellman was designed primarily to address a shortcoming of symmetric encryption, which was key exchange. • RSA provides all the primary public key cryptographic functions, including key exchange, confidentiality, integrity, and nonrepudiation. • The ElGamal algorithm is based on Diffie-Hellman but is capable of not only digital signatures but also encryption and key exchange. • ECC provides digital signatures, key distribution, and encryption capabilities. ECC has found a niche in low-power and computationally constrained devices • Zero Knowledge Proof is the process of proving to others that you know a secret without actually sharing the secret with them.
Cryptography Techniques
15-ch15.indd 621
PART IV
• Key stretching is the process of converting a weak cryptographic key into a stronger one to resist brute-force attacks. • Hashing is the process of running data through a mathematical function to produce a message digest of a specified size. • MD5 produces 128-bit ciphertext hashes with four rounds of processing on 512-bit blocks. • SHA-1 uses 160-bit hashes with 80 rounds of processing on 512-bit blocks. • SHA-2 was published in 2001 as a bigger and stronger version of the SHA-1 algorithm by using SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256 ciphers. • SHA-3 is an alternative to SHA-2 and comes in different varieties, such as SHA3-224, SHA3-256, SHA3-384, and SHA-512. • RIPEMD is largely a replacement to MD5 and similar in power and performance to SHA-1. It comes in several versions, including RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. • Digital signatures utilize both hashing and asymmetric cryptography to verify integrity and nonrepudiation. • Message authentication uses codes to authenticate messages. • Code signing is the application of digital signature technology to computer code, executable files, scripts, and resource files. • Pseudorandom numbers are numbers that may be deterministically generated and hence are not actually random—but appear to be random. • Perfect forward secrecy is used to describe a condition where the loss of any specific key will not compromise future communications. • Data-in-transit encryption refers to the encryption of data as it travels across a network.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
622
• Data-in-memory/processing encryption is designed to secure data while it is in use in memory types such as RAM, in addition to cache and register memory locations on the CPU. • Data-at-rest encryption refers to the encryption of data while it is inactive on a storage medium. • Steganography is designed to hide the fact that it is hiding something.
Cryptography Implementations • Cryptographic modules are collections of hardware, software, and/or firmware that implement standardized security functions such as cryptographic algorithms, key management techniques, and authentication techniques. • Cryptoprocessors are chips that perform complex cryptographic functions. • Cryptographic service providers are Windows software libraries that make the Microsoft CryptoAPI available to applications that require cryptographic capabilities. • Digital Rights Management (DRM) uses technology to restrict how digital copyrighted works can be used after it is published. • Watermarking embeds a branded logo, trademark, or owner details into digital content for authentication of copyright materials and also the enforcement of their legal protections. • GPG is a series of well-known cryptographic functions that provide for key exchange, confidentiality, integrity, and nonrepudiation of electronic communications. • SSL/TLS utilizes asymmetric, symmetric, key exchange, hashing, and digital signature features to provide authenticity of servers, integrity, and confidentiality of data. • SSH provides many of the same cryptographic benefits to terminal emulation sessions as SSL/TLS does for web-based connections. • Secure/Multipurpose Internet Mail Extensions (S/MIME) is a secure e-mailbased cryptography standard that protects MIME e-mail messages through symmetric and asymmetric ciphers as well as digital signatures. • PKIs include Certificate Authorities (CAs), Registration Authorities (RAs), certificates, policies, certificate life cycles, and chains of trust. • A digital certificate is a standard format for the passing of public keys between entities. • A Certificate Authority (CA) is a trusted authority that certifies individuals’ identities and creates electronic documents indicating that individuals are who they say they are.
15-ch15.indd 622
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
623
PART IV
• A Registration Authority (RA) is the PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate. • A wildcard certificate is a specific form of certificate that is bound to multiple subordinate DNS domains simultaneously. • CRLs are verified from the CA that issued the certificate, whereas the OSCP offers a service-based mechanism that can cross multiple CAs in a convenient fashion. • Key escrow is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises. • Tokens are devices that store digital certificates and private keys for the purpose of accessing restricted resources. • OCSP stapling makes it the responsibility of the certificate owner (web server) to periodically check the CA for certificate status. • Pinning is an explicit certificate trust process that involves clients checking a server’s certificate against a known copy of that certificate. • Cryptocurrency is a digital form of currency that uses powerful cryptographic methods to secure financial transactions through a decentralized or peer-to-peer network. • Blockchains are large chains of financial transaction records that, rather than being stored on centralized financial servers, are actually chained to each other as a decentralized and linear series of blocks.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. What is the primary advantage of symmetric key over asymmetric encryption? A. Key exchange B. Speed C. Nonrepudiation D. Cost
2. Which of the following are block-based symmetric algorithms? (Choose all that apply.) A. RSA B. 3DES C. AES D. RC4
15-ch15.indd 623
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
624
3. Alice needs to secure a message to Bob and prove it came from her. Which keys will she need to use to accomplish this task? (Choose all that apply.) A. Alice’s private key B. Alice’s public key C. Bob’s private key D. Bob’s public key
4. Public key cryptography offers which of the following advantages over symmetric cryptography? A. A public key can be used for free—there are no patent issues. B. It is built into most computer programming languages via library calls. C. It is faster on a bit basis. D. It can provide for nonrepudiation.
5. In a modern browser environment, which of the following considerations should be taken? A. Disable SSLv2 to block attempts against this version. B. Disable SSLv2 to prevent interference with TLS, a newer form of SSL. C. Enable SSLv2 to increase compatibility with diverse systems. D. Enable SSLv2 for use with non–Internet Explorer browsers.
6. Which of the following items are not standard fields on an X.509 certificate? A. Serial Number B. Reason for Revocation C. Certificate Usage D. Version Number
7. A company buys another firm in a similar industry but located in a different country. The certificates used by each company come from different CAs. Which of the following represents the easiest method of connecting the trust relationships associated with the certificates? A. Use a wildcard certificate. B. Have each firm get additional certificates from the other firm’s CA. C. Use a cross-certificate defining the new trust relationship. D. Have the smaller firm move its certificates to the larger firm’s CA via a
certificate transfer. 8. The components of a PKI include all of the following except: A. Certificate Authority (CA) B. Expiration Authority (EA)
15-ch15.indd 624
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
625
C. Registration Authority (RA) D. X.509 certificates
9. OCSP is best described as: A. A replacement for standard PKI, taking advantage of Web 2.0 capabilities B. An alternative to the X.509 certificate format C. A service for transferring certificates securely between parties D. An alternative to certificate revocation lists
10. The following are hash algorithms except: A. MD5 B. SHA-256 C. IDEA D. RIPEMD-160
11. Hash functions used to protect passwords can be attacked using which of the following attack methods? B. Cryptographic deconstruction C. Birthday attack D. Rainbow tables
PART IV
A. Collision attack
12. The Digital Signature Algorithm (DSA) utilizes which of the following cryptographic functions? A. MD5 or SHA and AES B. SHA-2 series hash and the ElGamal discrete logarithm method C. Any hash function and any public key method (methods identified in header) D. SHA-1 hash or newer and RSA public key algorithm
13. To create a digital signature, which of the following steps are used? A. Hash the data to be signed, encrypt the data using a private key, and send both. B. Hash the data and send the hash with the data to the recipient. C. Encrypt the data, hash the encrypted data, and send to the recipient. D. Hash the data to be signed, encrypt the message digest using a private key,
and send both. 14. One of the advantages of code signing is: A. It doesn’t use PKI, so it is easier to deploy. B. It offers a means of verifying integrity and authorship of software. C. It provides for version tracing via a subversion process. D. It can prevent malware via detection of malware signatures.
15-ch15.indd 625
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
626
15. The sales manager has requested your help in building an electronic ordering system that will offer nonrepudiation of orders entered through the system. You suggest a method with the following explanation of how it protects the firm from repudiation of an order. (Choose the best answer.) A. Use a digital signature to support nonrepudiation by ensuring a specific
private key (registered to the person or firm submitting the order) was used in the order process. Only the holder of the private key could create the order and corresponding signature. B. Use an SSL login page to a secure order page. Logging in can create a log of the order and the credentials used. C. Verify all orders with an automated callback system designed around e-mail and a secondary approval process. D. Build the order system behind a VPN solution, having customers use the VPN to protect their orders from outside snooping. 16. Select the best set of conditions associated with PCI DSS compliance with respect to cryptographic algorithms and processes. A. Ensure all machines using SSL and TLS are updated to the current patch levels. B. When using SSL or TLS to secure communication channels, ensure client connections are also fully patched. C. Restrict connections to HTTPS and VPNs using IPSec. D. Disable SSLv1 and SSLv2 as well as all export-level cryptographic algorithms (less than 128 bit). 17. The best source of pseudorandom numbers for a cryptographic function in a system would be which of the following? A. A combination of random elements from time, network activity, and user activity B. A crypto-library call in the source code C. Random user mouse movements D. The Trusted Platform Module (TPM) chip 18. Which two elements must exist to ensure perfect forward secrecy? A. Keys are not reused; new keys cannot be derived from existing keys. B. Keys are not reused; new keys use a different algorithm. C. Only AES can offer perfect forward secrecy. D. Keys must be stored in a TPM chip. 19. Which of the following are true statements regarding blockchain? (Choose all that apply.) A. It utilizes a centralized network for storing blocks. B. It utilizes a decentralized network for storing blocks. C. Each block only stores a hash of itself and not those of adjacent blocks. D. Each block stores a hash of itself and those of adjacent blocks.
15-ch15.indd 626
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15
Chapter 15: Cryptographic Techniques
627
20. Cryptoprocessors come in many forms, including which of the following? (Choose all that apply.) A. Smart cards B. Certificates C. TPM chips D. BIOS
Answers 1. B. Symmetric keys are smaller and therefore perform their encryption and decryption faster than asymmetric methods. 2. B, C. 3DES and AES are examples of block-based symmetric ciphers. 3. A, D. Alice uses her private key to sign a message, and Alice uses Bob’s public key to encrypt a message. 4. D. PKI provides for nonrepudiation. 5. A. Disable SSL 2.0 due to well-known flaws. 7. C. Use a cross-certification to define a new trust relationship. 8. B. Expiration Authorities do not exist.
PART IV
6. B. Reason for Revocation is not a standard field on an X.509 certificate.
9. D. OCSPs are more efficient alternatives to CRLs. 10. C. IDEA is a symmetric block cipher. 11. D. Rainbow tables are like dictionary tables full of hashes and plaintext. 12. B. DSA uses the SHA-2 cipher and the ElGamal discrete logarithm method. 13. D. Hash the data to be signed, encrypt the message digest using a private key, and then send both to the other party. 14. B. It can help prove the integrity and authorship of software. 15. A. Use a digital signature to support nonrepudiation by ensuring a specific private key (registered to the person or firm submitting the order) was used in the order process. Only the holder of the private key could create the order and corresponding signature. 16. D. Disable older SSL versions and ensure the latest TLS versions are supported. 17. A. A combination of randomly generated elements from time, network activity, and user activity. 18. A. Keys are not reused; new keys cannot be derived from existing keys. 19. B, D. Blockchain uses a decentralized network for storing blocks, and each block stores a hash of itself and those of adjacent blocks. 20. A, C. Smart cards and TPM chips are examples of cryptoprocessors.
15-ch15.indd 627
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 15 Blind Folio: 628
This page intentionally left blank
15-ch15.indd 628
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
16
CHAPTER
Securing Communications and Collaboration This chapter presents the following topics: • Remote access • Unified collaboration tools
It’s an understatement to say that today’s work environments are, in a word, perpetual. Advances in communication and collaboration tools have made it possible for business professionals to be productive in more ways, at any time, and in any place. There never seems to be a moment when people aren’t working—whether at work, home, or while standing in line. Remote access and cloud-based tools are starting to provide remote users with the same enterprise-level experience once previously available only to workers at the office. Not to mention that the unification of communication tools like voice, e-mail, instant messaging, meeting, video, and audio are streamlining tasks and making collaboration very convenient. Yet, our reliance on ubiquitous tool access, ease-of-use, multidevice support, and integration with other organizational tools has created a myriad of new security holes to mitigate. One of the great shifts in communications lies not only with the unification aspects but also with the migration to the cloud. Yet, regardless of the channel being used for communication, or the application providing the specific type of communication service, there is a need to have the communications secured. Depending on the specifics of the communication and the channel, the attributes of security, confidentiality, integrity, and availability may have different desired levels of protection. In streaming communications, such as video and web conferencing, availability can have significant impact because lost packets can result in a poor user experience. Communication systems have long been a target of hackers, spies, and other unauthorized parties. From trying to make free phone calls to eavesdropping on sensitive information in transit, communication channels are a high-priority target for many parties. With unified communications moving more and more content and communications to Internet-delivered methods, attackers have followed the communications to the Web. In this chapter, we take a look at the selection of appropriate security controls for various communications and collaboration scenarios.
629
16-ch16.indd 629
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
630
Remote Access
One of the earliest renditions of unified communications is remote access. Remote access solutions enable users to connect to organizational resources and services such as files, e-mail, and web pages while not being connected directly to the work network. Multiple remote connectivity options exist, such as dial-up, VPN, and DirectAccess servers—in addition to various desktop- and application-sharing solutions. In this section, we discuss each of these solutions and their security considerations.
Dial-Up It began a few decades ago with companies hosting dial-up remote access servers (RASs) to permit workers to connect to company files while using dial-up modems. Dial-up modems were the standard throughout the 1980s and 1990s and were responsible for connecting digital computers to analog telephone networks. These telephone networks were sometimes referred to as Public Switched Telephone Networks (PSTN) or Plain Old Telephone Service (POTS) networks. NOTE The word “modem” is a composite of modulation (mo) and demodulation (dem). In a simplified dial-up context, modulation refers to a sending modem encoding digital information onto an analog wave carrier. Demodulation refers to a receiving modem extracting the digital information from the analog wave carrier.
Modems were either installed into internal ISA/PCI slots or external serial/USB ports. Such modems were typically capable of sending information at a maximum of 56 Kbps, although FCC restrictions limited the connection speeds to 53 Kbps. Despite dial-up connections being rare today, some organizations maintain a dial-up server for emergency backup purposes. Risk management needs to account for dial-up security because many hackers still practice the old-school method of dial-up hacking known as wardialing, which involves an individual dialing up different modem phone numbers until an open modem accepts the connection. Wardialing was like an early form of port scanning. Consider securing dial-up solutions with the following recommendations:
• Implement Remote Authentication Dial-in User Service (RADIUS) to provide centralized authentication, authorization, and account services for dial-up connections. • Limit access to authorized users via strong authentication protocols. • Use the Point-to-Point Protocol (PPP) as opposed to the Serial Line Internet Protocol (SLIP). • Limit users to authorized functions. • Implement security event logging. • Ensure physical security for network circuits.
16-ch16.indd 630
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
631
• Have remote access servers call back users. • Disallow call forwarding. NOTE Two protocols dominated the dial-up landscape: Serial Line Internet Protocol and Point-to-Point Protocol. PPP was superior due to supporting error detection, error correction, multiple protocols, dynamic address assignment, and authentication; plus, it was an approved Internet standard. SLIP did not have any of these qualities.
VPN
PART IV
Replacing the slower dial-up servers were the faster, more secure, more flexible, and increasingly available virtual private network (VPN) servers—which were commonly accessed by a newer generation of cable modems, DSL modems, Wi-Fi, and cellular technologies. Unlike dial-up connections, which took place through a relatively private telephone line, VPN servers were typically accessed by connections over the public Internet. Such public connectivity required VPN connections to adopt a stronger assortment of protocols, including tunneling, encryption, and authentication protocols. Authentication methods such as MS-CHAPv2 or, even better, the Extensible Authentication Protocol (EAP) or the Protected Extensible Authentication Protocol (PEAP), will provide for the strongest authentication. For encryption, choose IPSec or SSL-based security. VPNs were already covered in detail in Chapters 5 and 7.
DirectAccess Created by Microsoft starting with Windows 7 Enterprise/Ultimate and Windows Server 2008 R2, DirectAccess allows connectivity for remote users without requiring user interaction or pre-established VPN connections. It has many benefits over traditional VPN, in addition to some negatives: DirectAccess Benefits • Always on Users are always connected to the corporate network since the connection is established by the machine as opposed to the user. After logging into the workstation, the user will have immediate access to corporate resources. • IPv6 DirectAccess’s requirement for IPv6 ensures better end-to-end connectivity and management features. • Bidirectional Unlike VPN, DirectAccess connections are bidirectional, which means the corporate network can more easily manage the DirectAccess clients from a group policy and patching perspective, even without the user being logged on. • Device certificate Devices must have a certificate that indirectly serves as a type of multifactor authentication for the remote device. • Easy to deploy Users can connect from anywhere and don’t require any DirectAccess client software or agents. It fits into the existing environment perfectly.
16-ch16.indd 631
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
632
DirectAccess Negatives • Limited OS support DirectAccess only supports Windows 7 Enterprise/ Ultimate, Windows 8 Enterprise/Ultimate, and Windows 10 Enterprise/Education. • Limited role support DirectAccess only supports domain-joined Windows devices. • IPv6 requirement Although good IPv6/IPv4 tunneling options are available, some IT and security shops will be turned off or intimidated by the IPv6 requirement. Due to limited OSs and devices supporting DirectAccess, it should be seen as complementary to VPN as opposed to a complete replacement. Organizations will generally use both solutions as needed.
Resource and Services The whole point of remote access is to provide workers with access to corporate resources and services, regardless of the users’ whereabouts. Resources can include internal web pages, applications, e-mail, remote desktops, printers, web cameras, organizational IoT devices, and more. However, resource access should be limited to minimize the risk of organizational breaches. Since remote access, resources, and services were already covered in detail in Chapter 5, we’ll summarize with some recommended security practices for managing resource access:
• Determine organizational goals for remote access from stakeholders. • Require multifactor authentication. • Require unique credentials. • Consolidate remote access tools to standardize access. • Lock down permissions. • Implement auditing and logging processes. EXAM TIP Enabling remote access opens up an organization to some of the greatest cybersecurity risks it’ll ever face. It is more important than ever to implement multifactor authentication requirements for remote workers.
Desktop and Application Sharing Desktop sharing is a useful task in today’s distributed computing world. A user on his mobile device needs a file from his desktop PC when he is not in the office. Desktop sharing solutions enable a user to gain the simple functionality of retrieving the file. Workers may choose to share their entire desktops with other people during a meeting, training session, or help-desk trouble call. Desktop-sharing solutions can do other things as well, in some cases opening complete desktop functionality as if the user was sitting at the desktop itself.
16-ch16.indd 632
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
633
NOTE Some popular remote access tools are TeamViewer, LogMeIn, Bomgar, Microsoft Remote Desktop, and GoToMyPC.
PART IV
Desktop sharing can be used in a peer-to-peer or centralized fashion through a dedicated server solution such as Microsoft Remote Desktop Services. Connections should be private and secured through strong cryptographic ciphers such as RSA and AES. Connectivity options such as connection quality, resolution, background/animation effects, file sharing, full-screen view, USB device redirection, printer redirection, and mouse and keyboard controls are typically configurable. For security, privacy, and bandwidth-conservation reasons, a worker may choose to only share a specific application with another individual, such as with Microsoft Skype for Business. This is common during meetings or conferences when presenting a slideshow and you want to maintain confidentiality. One of the elements associated with securing desktop sharing is the control of connections to the TCP/UDP ports and applications needed to implement this functionality. As in many aspects of security, planning plays an important role in the security of desktop and application sharing. One of the planning elements is the determination of which desktops require remote access and which do not. For the desktops that don’t require access, the use of firewalls can prevent access. For those that do require access, application-specific ports need to be opened allowing access—but additional monitoring is needed for any remote-access activities. Attempted login failures are a potential sign of an attack; therefore, use monitoring tools to keep an eye out for repeated login failures. The other planning decision is to determine on which applications to allow desktop sharing in the organization. A quick Internet search reveals dozens of remote desktop applications in the marketplace across a variety of platforms. Attempting to manage any and all user-chosen applications is a strategy destined to fail. Remote desktop software applications should be controlled just like any other software. Packages should be evaluated, use should be limited to approved software only, and proper usage should be included in policy. Desktop sharing also has a threat in common with video and web conferencing. When a desktop is shared with another person, content may be observed that is outside the desired objectives of the sharing operation. Imagine the reaction if a CFO shares his desktop during a web conference, a video conference, or a training session, only to have others see a folder on his desktop labeled “XYZ Acquisition” or “Layoffs.” This form of passive information leakage can occur when the principles of a clean desk are not applied to an electronic desktop. Other security considerations to keep in mind include the following:
• Create and enforce a remote administration or remote access policy to set expectations, procedures, and guidelines on its usage. • Remote access should start off with “implicit deny all” with exceptions configured afterward. • Ensure that patches are up to date for server and client remote desktop/applications.
16-ch16.indd 633
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
634
• Implement strong cryptographic algorithms such as AES, RSA, and SHA-2. • If possible, use a security or network gateway tool to screen remote login attempts. • Utilize the latest version of remote administration products. • Ensure remote administration staff members are sufficiently trained. • Implement and check security logs for signs of malicious activity. • Ensure remote administration is enabled on required devices only.
Remote Assistance Remote assistance is similar to remote desktop access, except that the term narrows the focus from general remote administration of systems to assisting other users. Since the goal is typically to assist other users, remote assistance benefits the recipient of the connection. On the flipside, more traditional remote desktop tools benefit the initiator by permitting private access to their own system remotely, or for remotely managing servers. During remote assistance connections, the end user is watching the technician remotely controlling and fixing their computer. Screen sharing is supported, and file exchange and instant messaging (IM) may be available too. Plus, logs are generally kept of the connection. Unlike more “administrative” tools such as Microsoft’s Remote Desktop, the remote assistance tools often allow the user “first right of refusal” by permitting them to accept connections only upon a user-generated invitation. Even after the connection has been established, the end user generally can temporarily or permanently suspend the connection, or limit the helper’s access to read-only. Because these utilities allow remote access, they must be carefully monitored and secured. The following is the process of sending a Microsoft Remote Assistance invitation to helpers: 1. Run “msra” on the Windows Start Menu. 2. Select “Invite someone you trust to help you.” 3. Select “Save this invitation as a file.” 4. Choose a location to save the invitation, such as a network location. 5. Make note of the provided password. 6. E-mail or IM the invitation file and password to the person you want to connect to your computer. 7. The helper can double-click the invitation, type the Remote Assistance password, and complete the connection process.
Products such as Microsoft System Center Configuration Manager and Symantec’s Altiris Suite are beginning to blur the lines between remote desktop functionality, asset management, remote security management, and a host of other administrative functions.
16-ch16.indd 634
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
635
Maintaining strong control over one’s remote management application security is an essential element in preventing a significant risk vector across the enterprise. Ensure that remote assistance connections follow a process such as connections through end-user invitations only. The opposite would be allowing helpers to “offer” assistance—which increases risk due to the heightened potential for social engineering. Most remote assistance products have AES- and/or RSA-based algorithms built in. If possible, make sure it is enabled with a suitable key strength of 128-bit or higher.
Unified Collaboration Tools
PART IV
The term “unified communications services” refers to a wide range of products and systems if you follow the marketing literature. Using the IEC technical definition, unified communications systems is an industry term that describes all forms of business communication, audio, video, multimedia data, text, and messaging. Part of unified communications is the management of all these channels within a single view for the end user. Since attackers have already gone after VoIP, e-mail, instant messages, and other data streams, an important element of enterprise security is protecting these communication channels. From an end-user and security perspective, unified communications is similar to single sign-on (SSO) in that it is easier to use by keeping all the information accessible from a single interface. In short, using unified communications makes an end user’s daily access simpler. However, it also offers adversaries the same advantage. Because all of an organization’s communications channels are together in one overlay, it’s easier to hop from system to system in search of information. This places the burden on security practitioners to implement stronger controls and to enhance audit and monitoring. This section discusses various tools that permeate unified communications, including conferencing, collaboration, messaging, presence, social media, and cloud-based tools.
Conferencing Just 15 years ago, most workers were tied to their desk. Within the past 10 years, most workers were in the office and utilized remote access options when at home. Today, more than half of workers have remote access to real-time conferencing tools to permit communication and collaboration from essentially anywhere, with any device. This saves time and travel expenses that might’ve been spent driving, flying, taking trains, and booking hotel rooms. In some cases, a web browser is all that is needed to launch a web-based audio- and/or video-conferencing session. In other cases, the participants will use a client/server architecture tool, like Microsoft’s Skype for Business. The modalities chosen will vary based on the meeting participants, their devices, and the goals of the conference. This section explores web-, video-, and audio-based conferencing options in addition to their security considerations.
16-ch16.indd 635
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
636
Web Conferencing
Web-based communications have become ubiquitous in offices since more information is shared over the Web than any other mechanism. Numerous web-based tools, such as Cisco’s WebEx and Adobe Connect, are used to conduct audio and video conferencing, in addition to allowing screen sharing and presence information. Web conferencing is seen as a low-cost and time-efficient alternative to business travel. For the end users of web conferencing technology, security is often neglected. They, in the natural course of business, examine the information they are going to share with the other parties on the conference to see if the material should be shared, but they fail to consider an outside third party. Web conferencing piggybacks on top of existing infrastructure. Because it is up to the enterprise security staff to keep the infrastructure secure, it is reasoned that the web conferencing is secure. This can be the case if appropriate precautions are taken. Here are some of the issues/precautions to consider when using web conferencing:
• Don’t use trialware or software with a default password and setup. • Understand where the material is being recorded. • Use secure communication channels. • Change passwords for invites on recurring sessions. • Monitor the number of active participants. • Mark materials being passed as sensitive and not for redistribution. • Ensure uninvited guests are not allowed. Trialware and other unlicensed software frequently have default passwords and setups that allow others to easily add themselves to a conference. If the conference is being recorded on a server, the person responsible for the content should understand where that server is (internal or external) and how the material is going to be secured. If a meeting is a recurring one, different passwords should be used for each session. This prevents a replay-type attack against future events. Many web conferencing software packages have the ability to show the host how many parties are participating in the event. If the event is between two parties, and a third party shows up on the list, they should be questioned and understood before the information sharing takes place. Marking the materials being shared can establish legal rights should future liability case be initiated. Many of these items are like simple door locks: They tend to keep honest people honest as opposed to serious adversaries. Nonetheless, they are still useful and important. EXAM TIP Most web conferencing software hosts sessions over unsecured interfaces (HTTP versus HTTPS). This makes information being shared over a web conference susceptible to packet sniffing from tools such as Wireshark, or VideoSnarf for video capture. If sensitive information is going to be discussed via a web conference, minimal protections include not using default passwords and using a secured communication channel such as HTTPS.
16-ch16.indd 636
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
637
As with any other data-sharing exercise, it is incumbent on those sharing the information to know who they are sharing it with, why it is being shared, and how the information will be protected once it leaves the enterprise. Meeting organizers need to know who is authorized to attend, and they must manage the attendance authorization process like any other authorization process. Ensure both video and audio channels are covered and secured. Match authentication methods to the sensitivity of the data. For very critical pieces of data, consider whether you would allow connections from a foreign IP address if all attendees are in the U.S. A key factor in securing web conferencing is to consider the implications of sharing sensitive corporate data across the Web. What protocols would you use to secure the transmission of the data? SSL? TLS? How would you handle authentication and authorization? The fact that it is web conferencing does not change the fact that it is occurring across the Web. The role of security is to architect working solutions that secure the information being shared across the insecure Web.
Video Conferencing
PART IV
Video conferencing is very similar from a security perspective to web conferencing. The primary purpose of a video conference is to provide a means for face-to-face communication via a video system as opposed to actual travel. The same concerns associated with web conferencing noted in the previous section still apply. Video conferencing equipment ranges from no cost, using the webcam and microphone on your PC, to high-end systems costing thousands of dollars. The major difference is in the quality of the data capture; however, from a security point of view, they are basically equivalent. One additional concern over those expressed in the “Web Conferencing” section is the issue of an unauthorized party activating webcams and microphones as eavesdropping devices. CAUTION Malware can activate a webcam without notifying the user and stream the video to an attacker. The same can happen to microphones. Worse, free mobile apps downloaded from the app stores may do the same. For these reasons, it is important to always consider what can be seen from the vantage point of the webcam and ensure that if anything is sensitive, then either the video system is powered down (actually turned off ) or the line of sight is blocked.
For PCs and laptops with built-in webcams, this is yet another reason to consider whitelisting as an antimalware mechanism. The proliferation of malware today raises questions concerning the effectiveness of antimalware programs against advanced threats. If a machine is going to be employed in a sensitive area of a firm, a wise precaution would be to buy one without the webcam. Simply removing the driver doesn’t work because the malware can replace the driver without notifying a user. Although antimalware tools won’t remove all malware, they must still be employed. However, it’s not just malware you should fear. Security professionals must also limit the app permissions, or prohibit the use of mobile applications, that require camera permissions.
16-ch16.indd 637
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
638
Audio Conferencing
Whether a web-based or locally installed communications tool, most conferencing products are both video and audio based. Since video capabilities are not always needed, most of the time it’s a simple checkbox to turn off the video and utilize audio only. This may be done for privacy and confidentiality reasons, and also to reduce the bandwidth requirements normally needed by video output. For example, it is common with online training for the instructor to utilize both audio and video; meanwhile, the students may opt to use audio only. The following are some audio conferencing security recommendations:
• Lock down conference requirements such as maximum participants, inactive participants, and sub-conference rooms. • Define whether conference audio recordings are permissible and, if so, what the encryption and download requirements are. • Define roles and privileges for callers based on contact list or directory listings. • Use dynamic personal identification numbers (PINs) so that unauthorized callers cannot get in with old PINs.
Storage and Document Collaboration Tools At their most basic, storage and document collaboration tools provide online filesharing services between local and geographically distributed teams. If document sharing is the goal, products like Microsoft OneDrive, Google Drive, Dropbox, and Box are all worthy contenders. Somewhat misunderstood is the fact that most online filesharing tools do more than just store and share files. For example, Microsoft OneDrive provides free online light versions of Office products—Word Online, Excel Online, PowerPoint Online, and OneNote Online—that permit creating/editing/saving of real Microsoft Office files. On the downside, OneDrive only provides 5GB of online space for free accounts. NOTE OneDrive customers may elect to convert their free account to an Office 365 subscription, which will include, at a minimum, 1TB of OneDrive for Business storage, plus access to a downloadable Microsoft Office Professional suite.
Most free storage and collaboration tools also include file versioning, apps on mobile and desktop OSs, plus real-time and/or asynchronous file-sync options between the cloud and local devices. The downside to free online file-sharing products is the lack of security and control. Although connections to these websites will likely utilize SSL/TLS, the following are security challenges you’ll likely experience with most free online file-sharing sites:
• Files probably stored and processed on the website unencrypted • Access controls/permissions not granular enough • Little to no auditing capabilities
16-ch16.indd 638
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
639
• No remote wiping • No independent backup options • Lack of compliance offerings • Lack of expiration dates and download limits for links • Single-factor authentication • Little to no reporting capabilities • No malware protection In most cases, better security, control, and compliance offerings will come from purchasing access to more powerful storage and collaboration products, which will be discussed later in this section.
Unified Communications
1. Using Skype for Business 2016, Alice sends an instant message to Bob since Bob’s present information appears on Alice’s contact list as “available.”
PART IV
Unified communications synergize individual communication features, such as web, video and audio conferencing, instant messaging, presence, and e-mail, into a single entity. This will help improve the efficiency of business processes involving company communications and collaboration. Once upon a time e-mails, instant messages, phone calls, and voice mails were separate processes—yet today you’re likely to see the following process take place via Microsoft’s Skype for Business 2016 and Outlook 2016.
2. If Bob does not reply to the instant message, Alice clicks on Bob’s name and selects to call him via VoIP. 3. If Bob does not answer the phone call, Alice leaves Bob a voice mail via the VoIP connection. 4. Bob receives an e-mail on his Outlook 2016 work account that he missed a phone call and that a voice mail is attached. The e-mail also transcribes the voice mail so that Bob can choose to “read” the voice mail or listen to it. 5. Bob click’s on Alice’s name listed on his Outlook 2016 contacts list, or a recent e-mail, and chooses to call, instant message, video conference, or leave a voice mail to Alice.
Although unified communications is an umbrella term that may include more or less than what is described, this scenario is very common in office and remote worker environments today. NOTE Other major unified communications products to look at include Amazon’s Chime, Google Hangouts, Cisco Spark, and Facebook Workplace.
16-ch16.indd 639
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
640
Chipping away at the on-premises unified communications industry is Unified Communications as a Service (UCaaS), which promises to shift unified communications into the provider-based cloud computing realm. This is an inevitable trend given the mass migration that organizations have already begun toward cloud computing—plus the inherent cost benefits and simplicity of procuring an entire company phone system by simply subscribing to a website. The conveniences of integrated product offerings like unified communications are tempered by its security challenges. With all communications being sent over data networks, we will need to implement security controls that mitigate the following risk factors:
• Eavesdropping IM, audio and video communications • Hijacked voice services for long-distance calls • Vishing VoIP devices as opposed to phishing e-mail accounts • Denial of service attacks crashing phones • Malware infecting communications applications
Instant Messaging Instant messaging (IM) provides computer-mediated near-real-time communication between parties by means of a software application. Numerous applications permit this activity as well as the sharing of files directly between users. The security exposure associated with IM is fairly obvious—information sharing outside normal channels. Even internal to a company, IM traffic is typically plaintext and base64-encoded files, making the communication channel easy to eavesdrop on. Although external IM usage has dropped off in some instances, IM is still a very popular means of two-way communication between users for real-time issues inside corporate networks. E-mail is now considered slow and old by many newer-generation employees. The advantages of IM for real-time communication have resulted in products designed to take advantage of this form of communication. Products now enable logging as well as meetings with file sharing and integration via contacts and address books to enable quick user location. Some of these clients offer statuses, allowing one to see if someone is in their office, is currently typing, and so on. The standard threats are malware injections coming in via IM and sensitive information leaving via IM. These can occur by way of file transfers or in some cases in the text being sent. Logging of IM adds another dimension because sensitive information can then end up in log files. Although antivirus scanners have been relied upon for years as the protection of choice against viruses, worms, and other forms of malware, with today’s spear-phishing, individually crafted malware attacks, antimalware solutions are not nearly as effective as in the past. EXAM TIP Unwanted IM communication has entered the environment. SPAM via IM is referred to as SPIM (SPAM over instant messaging).
16-ch16.indd 640
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
641
As with all modern communication products, an important first step is the drafting of a communications policy to ensure intentions for proper usage and security are clearly stated and enforced. Stemming from this policy should be an informed and aware user population. Users need to know that communication channels are a prime target for information thieves and that using IM tools can have significant security impacts on an organization. On the other hand, not using an encrypted communication channel can also lead to eavesdropping, man-in-the-middle, and hijacking attacks. Transport encryption should be configured on the IM client or, if available, on the communications server.
Presence
PART IV
“Presence” is a term used to describe the knowledge of a person’s availability. This is one of the strengths of a unified communications solution because it can combine multiple media channels, including IM, telephone, e-mail, video conferencing, and others. Add in a person’s calendar function and you can determine when to schedule a meeting, when to hold a conference call, and so on. This is certainly more efficient than the previous method of asking, rescheduling, asking again, and so on. When you’re trying to call someone, presence functionality can help direct your phone call to the correct device, whether it is a desk phone or a mobile device. This improves the connectivity and availability for critical response situations. Gone are the days of trying multiple phone numbers and leaving multiple voice mails when trying to track someone down. Presence also brings complexity: with multiple vendors and protocols, coupled with the lack of industry-wide standards, IT staffs will be busy authenticating presence elements from multiple vendors across multiple platforms. Security and privacy also become an issue. Presence information is another form of information that begs the question of which “watchers” need to know? Watchers are the users or presence subscribers that request presence information from a presence service such as a Skype for Business contacts list. We must figure out how to build a communications platform that enables presence information for some watchers while being more restrictive to other watchers. Because these systems tend to be multiple vendor, multiple platform, and multiple protocol in nature, building a security solution across them is a challenge. NOTE In an effort to address some of the consistency challenges of presence, several working groups are attempting to standardize presence processes. The most recent presence standard was created by the XMPP Standards Foundation, which created a protocol called Extensible Messaging and Presence Protocol (XMPP). This protocol is widely used and is also implemented on Facebook Messenger and Google Talk.
E-mail E-mail is one of the most widely used applications in the enterprise and also one of the most difficult to secure. Primarily built on three protocols, e-mail provides for asynchronous cleartext communication between users, with a wide variety of file-sharing options.
16-ch16.indd 641
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
642
Typical e-mail operations involve both client and server applications and offer both internal and external communication channels. Here are the primary protocols involved in e-mail:
• Simple Mail Transfer Protocol (SMTP) A protocol designed for transferring mail between SMTP servers across IP networks. This protocol uses TCP port 25 by default. The SMTP functionality occurs in both services on PCs and mail server applications on servers, although client mail applications typically use POP and IMAP protocols to retrieve mail from the server. • Post Office Protocol (POP) A protocol designed for e-mail retrieval on client machines. This is an application layer protocol whose typical function is to connect to a mail server, retrieve all messages for the client, and then delete them from the server. The current version is POP3; it operates over TCP port 110 in cleartext mode and over TCP 995 when TLS or SSL is used to secure the connection. The other protocol, IMAP, provides greater functionality associated with mail operations but is a proprietary protocol and not supported by all ISPs. • Internet Message Access Protocol (IMAP) An application-level protocol for mail transfer to clients over TCP port 143 (or port 993 when using SSL). Supported by virtually all mail clients, this protocol provides the remote access functionality associated with e-mail, including the creation and deletion of mailboxes on a server. IMAP is currently in version 4 and is referred to as IMAP4. E-mail is as ubiquitous an application as any, with it proliferating on all device types. E-mail was designed in an era before security was a major concern, and many users are ignorant of how it operates and how it can expose their systems to risk. E-mail is, typically, a cleartext technology, meaning that all data being transmitted is susceptible to easy eavesdropping. Because of its ubiquity, e-mail became a mechanism for criminals, resulting in SPAM (unsolicited bulk e-mail). Although users are becoming savvy toward SPAM, a new form has arisen called spear phishing, which involves sending a message that appears to be legit to coax a user into downloading a file or clicking a link. With the phenomenon of URL-shortening services becoming commonplace, it has become an effective method of delivering malware. Although e-mail can be secured using secure transport and encrypted information transfers, these elements require a sophisticated and extensive PKI implementation, making them out of reach for most organizations other than governments and specialized firms. Even then, because both ends of the communication must be involved in the security information transfer, the PKI ramifications can be significant. Entire books have been written about securing e-mail systems, but the basics are relatively easy. Users need to be aware of the threats—and not just from SPAM, but from spear phishing, a leading method of targeted attacks. Users need to understand that the information in an e-mail and its attachments is no longer under the same security umbrella as information in a database store, for instance. If the secret recipe for your product is secured in a database, accessible by only certain executives and from certain machines, sending the information between these same executives via e-mail can negate all the current levels of protection.
16-ch16.indd 642
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
643
Telephony and VoIP Integration
PART IV
Telephones may be considered “old school,” but they are still a valuable business tool and are present in all businesses. The original telephone systems were analog devices, separate from computer systems. Then the phone systems became digital, and the interconnection to computer systems became inevitable. Businesses with multiple phones connect them with private branch exchanges (PBXs) to minimize the number of external lines needed. PBX systems can provide a wide range of services, including metering and controlling long-distance and other tariff calls. This one feature makes them a target for scammers who can break into the PBX and steal long-distance time. This is facilitated by system administrators not changing the default passwords for the system, thus allowing attackers relatively easy access. Changing default passwords is also important for user mailboxes. An adversary can access a voice mailbox and change the prompt to “Yes, I will accept the charges,” which can bypass many tool-charge requests. When employees leave, their mailboxes should be closed. Also, all unused mailboxes should be either disabled or monitored to prevent unauthorized use. In the beginning, we had PSTNs and we implemented methods to run data over the analog voice circuits. Then the PSTN became an all-digital network, making the voice signal in essence a data signal. Today, we run voice over the data networks, bypassing the PSTN entirely in some cases. When voice is transmitted using the Internet Protocol, we refer to the technology as Voice over IP (VoIP). VoIP is the encapsulation of voice data in an IP packet by using IP networks to move voice data between clients (telephones). Because it is not typically encrypted, VoIP traffic is subject to exploitation and disclosure. As in all network traffic, it is essential to provide physical protection for all the networking devices to prevent physical attacks, such as the use of a Switched Port Analyzer (SPAN) to replicate ports and copy traffic. EXAM TIP Encryption can be useful for the protection of data from disclosure, yet in cases such as VoIP, the overhead can lead to loss of signal quality.
VoIP is a complex set of protocols including both TCP for signaling and UDP for services. Whereas old PSTN-based telephones were single-purpose devices, VoIP implementation can be on specialty devices such as handsets, computers, or even mobile devices. The versatility of some VoIP devices is both a blessing and a curse. The versatility allows flexibility, but it also exposes the VoIP to risk from vulnerabilities associated with the platform. The risk goes both ways. A vulnerability on the platform can expose the VoIP traffic to risk, and a vulnerability associated with the softphone can expose the platform to risk. A hardware phone separates the VoIP application from a multiuse platform, reducing overall risk but also increasing costs. Both softphones and separate hardware phones have network dependencies, and the security of the network can affect the security of the traffic and applications. As in most network security issues, one of the key elements is understanding the services being carried and implementing an architecture to support the required services. VLANs can be useful in segregating traffic and making it harder for attackers to sniff traffic.
16-ch16.indd 643
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
644
Managing the traffic across the network is important in unified communications networks, as VoIP implementations have quality of service (QoS) dependencies. File transfers and e-mail are fine with packet delays, but VoIP quality is highly dependent on QoS. Packet delay and latency issues can quickly degrade VoIP quality. EXAM TIP Two QoS issues associated with VoIP are jitter and latency. Jitter is the variation in transmission latency from packet to packet. Latency is the delay associated with a given packet. For ideal VoIP, both low jitter and low latency are desired (minimal variation in the delays between packets and minimal delay for packets, respectively).
Securing VoIP is an industry-wide issue. As in all complex technology implementations, the rate of advancement outpaces the rate of security requirement achievement. This gap is one that firms will need to take specific actions to monitor and close. An industry group called the Voice over IP Security Alliance (VOIPSA) has been created to assist users, vendors, and implementers with the task of managing VoIP security issues. The VOIPSA website offers best-practice recommendations and links to tools for monitoring and managing security issues.
Collaboration Sites Although we discussed some basic storage and document collaboration tools earlier, they lacked many important features needed by enterprises. Larger organizations will need powerful and flexible collaboration tools in order to address the collaboration needs of a disparate workforce. The first one that often comes to mind is Microsoft SharePoint. SharePoint can be installed on-premises or utilized in the cloud via Microsoft Office 365. SharePoint goes far beyond online file sharing by offering the following capabilities:
• Creating team sites and customer-facing sites from multiple templates • Integration with countless Microsoft and third-party products • Business intelligence and dashboards • Enterprise search • Records management • Workflows • Custom code • Granular permissions • Information rights management • Role-based access control • Social media • Document versioning
16-ch16.indd 644
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
645
NOTE Alternatives to SharePoint exist, such as Google Drive for Business, Box for Business, Process Street, Confluence, and Workzone. Research multiple vendors to find the product with the best balance of functionalities, ease of use, and security.
Some important security considerations for collaboration sites include strong authentication—preferably multifactor authentication, if supported—as well as the use of groups to aggregate users and then standardize their access to relevant content. You’ll also want to limit who has access to the collaboration environment, and also limit members with administrative-level privileges to prevent privilege abuse. If not enabled by default, ensure encryption of data in transit and at rest is enabled and configured. Enterprise-level collaboration tools should include auditing, reporting, and even some analysis tools, so be sure to configure these. Also important is advising users to lock down their devices with drive encryption and PIN access just in case their device synchronizes content to/from the collaboration environments. If remote wipe and remote backup options are available, be sure to configure these as well.
Social Media
PART IV
For every organization that finds social media sites too risky to be of sufficient use, there are other organizations looking to capitalize on its numerous benefits. In terms of Internet-based social networking sites like LinkedIn, Facebook, Twitter, and YouTube, organizations may experience several of the following benefits:
• Generate business leads. • Demonstrate organizational expertise. • Enhanced marketing. • More sales. • Improve brand awareness. • Reduce communication costs. • Improve search rankings. • Employee recruitment. • Improve customer communication practices. • Better customer service. • Research opportunities. • Better market research. • Increased traffic.
16-ch16.indd 645
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
646
Despite the many benefits that social media provides to organizations, there are many reasons why other organizations avoid social media like the plague. Here’s a summary of a few of them:
• Malware • Personal information disclosure • Loss of intellectual property • Confidential information leaked • Loss of organizational reputation • Employee or customer defamation • Social engineering • Identity theft • Reduced employee productivity • Damage to organizational infrastructure • Compliance issues Although social media carries some risk, the benefits generally outweigh the negatives if you take a layered approach to securing your network, devices, and creating policies, procedures, and awareness, as described in the next section.
Social Media Security Recommendations
Given the litany of social media threats, organizations will need to implement various security strategies to reduce social media risk to an acceptable level.
• Create a formal social media policy that governs proper usage of all social media platforms. • Restrict social media usage on mobile devices due to social media apps often requiring privacy-invading permissions on devices, including access to the camera, microphone, photo, SMS, and e-mail. • Train all end users and management on the proper usage of social media websites and applications. • Monitor social media use as needed to ensure employee compliance with the organization’s social media policy. • Define professional communication and language guidelines on social media usage. • Implement strong password requirements for social media accounts. • Utilize all privacy features built into the social media websites.
16-ch16.indd 646
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
647
Not all social media is public and Internet based, as with the preceding products. Some organizations prefer to keep all of their social media capabilities hosted within the enterprise. A popular example of such a service is Yammer, which was acquired by Microsoft. Unlike public social media platforms, only domain-based users can access the Yammer environment. Yammer provides numerous private features to organizations, including enterprise microblogging, Office 365 integration, company directories, profile pages, file transfer, chat, collaboration workspaces and tools, employee communities— and the list goes on. NOTE Given the internally hosted nature of Yammer, organizations will have tighter integration with their infrastructure as well as greater security, control, content insight, and productivity than with public social media sites.
Cloud-Based Collaboration
PART IV
Cloud-based collaboration sites fill the collective need of having the enterprise-level collaboration capabilities typically provided on-premises, but with the ease of access and flexibility offered by an Internet cloud provider. Microsoft Office 365 provides several cloud-based collaboration tools, including SharePoint Online (which is essentially a cloud version of Microsoft SharePoint—in addition to Microsoft Teams). Other, nonMicrosoft tools include ezTalks Cloud Meeting, Evernote, Cisco WebEx, and Prezi. Cloud-based collaboration sites provide several benefits, including the following:
• Cost-effective (pay by usage) • Compatible across multiple OSs and device types • Reduce collaboration barriers to entry • Simplify collaboration between local and global team members Since cloud-based collaboration sites are hosted by another organization, you might experience reductions in or changes to data security controls, privacy, auditing, and regulatory compliance. As such, be sure to research various cloud providers to ensure that their tools provide the closest fit to your organization’s objectives, functions, cost requirements, and regulatory requirements. Ensure that the tool provides adequate encryption for data in transit and at rest. It’s also important that the tool support multifactor authentication, protect data through DLP processes, and offer adequate tracking and auditing capabilities.
Chapter Review
This chapter covered the selection of appropriate security controls given various communications and collaboration scenarios. We began with coverage on remote access methods such as the legacy dial-up RAS servers, which are still subject to wardialing attacks. We then highlighted VPN and a few encryption and authentication recommendations.
16-ch16.indd 647
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
648
Remote access methods ended with Microsoft’s DirectAccess, which provides easier, more integrated and manageable remote access than VPN. We then looked at security recommendations for enterprise resources and services. Next was desktop- and applicationsharing methods and security considerations such as cryptography, policies, patching, and others. This section ended on remote assistance with Microsoft’s Remote Assistance product being highlighted. The next section covered unified collaboration tools such as web, video, and audio conferencing. These conferencing methods share many security requirements, including transport encryption, strict authentication, and defined roles and privileges. Next was storage and document collaboration tools, which highlighted Microsoft’s OneDrive. We also took a look at the various features that are commonly missing from free online file-sharing tools such as a lack of encryption of data at rest and in storage, lack of granular permissions, no auditing, and minimal compliance offerings. We then covered unified communications techniques, such as instant messaging, which has antimalware, transport encryption, and logging requirements for improved security. Following instant messaging was the topic of presence information and its authentication and authorization security requirements. We then moved on to e-mail security, including coverage and security suggestions for protocols such as SMTP, POP3, and IMAP4. Telephony and VoIP integration topics and their security requirements followed, with the chapter ending on collaboration sites on social media and cloud-based tools.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Remote Access • Remote access solutions enable users to connect to organizational resources and services such as files, e-mail, and web pages, while not being connected directly to the work network. • Dial-up modems were the standard throughout the 1980s and 1990s. They connected digital computers to analog telephone networks. • The telephone networks were sometimes referred to as Public Switched Telephone Networks (PSTNs) or Plain Old Telephone Service (POTS) networks • Some organizations maintain a dial-up server for emergency backup purposes. • Wardialing involves an individual dialing up different modem phone numbers until an open modem accepts the connection. • VPN connections use a stronger assortment of protocols, including tunneling, encryption, and authentication protocols. • DirectAccess allows connectivity for remote users without requiring user interaction or pre-established VPN connections.
16-ch16.indd 648
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
649
• Due to limited OSs and devices supporting DirectAccess, it should be seen as complementary to VPN as opposed to a complete replacement. • Resources can include internal web pages, applications, e-mail, remote desktops, printers, web cameras, organizational IoT devices, and more. • Desktop-sharing solutions enable a user to gain the simple functionality of retrieving a file. • Desktop-sharing connections should be secured through strong cryptographic ciphers such as RSA and AES. • For security, privacy, and bandwidth-conservation reasons, a worker may choose to only share a specific application with another individual. • Remote assistance is similar to remote desktop access, except that the term narrows the focus from general remote administration of systems to assisting other users.
Unified Collaboration Tools
16-ch16.indd 649
PART IV
• Unified communications systems is an industry term that describes all forms of business communication, audio, video, multimedia data, text, and messaging. • Part of unified communications is the management of all these channels into a single view for the end user. • Most of today’s workers have remote access to real-time conferencing tools to permit communication and collaboration from essentially anywhere with any device. • In some cases, a web browser is all that is needed to launch a web-based audioand/or video-conferencing session. • The primary purpose of a video conference is to provide a means for face-to-face communication via a video system, as opposed to actual travel. • Video conferencing is very similar from a security perspective to web conferencing. • Audio conferencing provides most of the important benefits of conferencing, but with increased privacy and confidentiality compared to that of video conferencing. • Storage and document collaboration tools provide online file-sharing services between local and geographically distributed teams. • Better security, control, and compliance offerings will come from purchasing access to more powerful storage and collaboration products. • Instant messaging (IM) provides computer-mediated near-real-time communication between parties by means of a software application. • Transport encryption should be configured on the IM client or, if available, on the communications server. • Presence is a term used to describe the knowledge of a person’s availability.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
650
• E-mail is one of the most widely used applications in the enterprise and also one of the most difficult to secure. • Although e-mail can be secured using secure transport and encrypted information transfers, these elements require a sophisticated and extensive PKI implementation. • VoIP is the encapsulation of voice data in an IP packet by using IP networks to move voice data between clients (telephones). • VoIP’s general lack of encryption subjects its communications to exploitation and disclosure. • Larger organizations will need powerful and flexible collaboration tools—such as Microsoft SharePoint—in order to address the collaboration needs of a disparate workforce. • For every organization that finds social media sites too risky to be of sufficient use, there are other organizations looking to capitalize on social media’s numerous benefits. • Cloud-based collaboration sites fill the collective need of having the enterpriselevel collaboration capabilities typically provided on-premises, but with the ease of access and flexibility offered by an Internet cloud provider.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Unified communications can add significant risk to an enterprise because: A. Information is concentrated in single user channels. B. There is a lack of security products for this market segment. C. Auditing is not possible because of the nature of the system. D. Unified communications enable all users access to important information.
2. Unified communications is frequently used to describe which of the following communication channels? (Choose all that apply.) A. VoIP B. E-mail C. Social media channels D. Instant messaging
3. Web conferencing can introduce which of the following security threat(s)? (Choose all that apply.) A. Data leakage B. Unauthorized attendance
16-ch16.indd 650
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
651
C. Impersonation D. Replay attacks against future sessions
4. Video-conferencing equipment poses what new threat(s) in the enterprise? A. Unauthorized eavesdropping via equipment B. Replay attacks C. Malware proliferation D. Driver corruption
5. Desktop sharing can have which of the following security implications in an enterprise? (Choose all that apply.) A. Electronic clean desk issue B. VPN channels C. Malware delivery mechanism D. Increased need for monitoring
6. Which ports are involved in e-mail? (Choose all that apply.) B. TCP 25 C. TCP 21 D. TCP 110
PART IV
A. TCP 22
7. Implementing VoIP in an enterprise has an effect on network utilization. Which complementary technology is frequently associated with VoIP? A. Data archiving B. Log management C. Quality of service D. Encryption
8. Your VoIP installation is having difficulty with call quality. Network analysis points to severe traffic congestion causing consistent delays in packet delivery. This is an example of which of the following? A. Best-effort class of service B. VoIP routing C. Latency D. Jitter
9. VPN technology provides which of the following benefits? (Choose all that apply.) A. Secure data transfers over insecure networks B. Self-correcting data packets C. Removes the need for IDS/IPS D. Secures external traffic into the enterprise past firewalls
16-ch16.indd 651
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
652
10. Unwanted bulk instant messages are called what? A. SPAM B. Malware C. Pharming D. SPIM
11. Variations in packet delays affecting VoIP signal quality are known as what? A. Noise B. Slamming C. Latency D. Jitter
12. Remote assistance differs from remote desktop sharing in which of the following ways? A. Remote assistance uses encryption. B. Remote assistance does not support screen sharing. C. Remote assistance is designed for end-user assistance. D. Remote assistance is designed for server-based administration.
13. Which of the following presence standards is used by Facebook Messenger and Google Talk? A. XMPP B. HTTPS C. SIP D. VoIP
14. Which port number does IMAP4 use when secured by SSL/TLS? A. 110 B. 143 C. 995 D. 993
15. Which port number does POP3 use when secured by SSL/TLS? A. 110 B. 143 C. 995 D. 993
16-ch16.indd 652
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16
Chapter 16: Securing Communications and Collaboration
653
Answers 1. A. Concentrating information can increase exposure when vulnerabilities are exploited. 2. A, B, D. Unified communications combine VoIP, e-mail, text messages, IM, voice mail, and other communication mechanisms into a single stream by user. 3. A, B, D. Data leakage can occur when information is inadvertently shared via a shared desktop image during a web conference. Unauthorized attendance can occur if credentials are shared by a participant (forwarded e-mail invitation). Replay attacks can occur if sessions are recorded, or if a regular series of sessions uses common access passwords. 4. A. Video conferencing equipment can be remotely activated and used to spy on people within range of camera and microphones, at times, without them knowing that they are being recorded. 5. A, C. If the desktop has sensitive issues such as files with names that give away details, then the act of sharing can lead to data leakage. (Just as leaving a file marked “XYZ Merger” on your desk can alert passersby.) Also, because the desktop is shared, it can involve delivery of files and hence malware to a system. 7. C. Quality of service can be an issue with respect to voice quality in VoIP implementations.
PART IV
6. B, D. Port 25 is for SMTP, port 110 for POP3.
8. C. Latency is the measured time in milliseconds it takes for the transmission of a network packet. 9. A, D. VPNs can provide a secure network connection over insecure networks and can bring external traffic into an enterprise past the firewalls to a VPN server. 10. D. SPIM is SPAM over instant messaging. 11. D. Jitter is the variation of latency from packet to packet and can disturb VoIP call quality. 12. C. Remote assistance is designed for end-user assistance. 13. A. Extensible Messaging and Presence Protocol (XMPP). 14. D. 993 is used by IMAP4 when secured by SSL/TLS. 15. C. 995 is used by POP3 when secured by SSL/TLS.
16-ch16.indd 653
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 16 Blind Folio: 654
This page intentionally left blank
16-ch16.indd 654
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17 Blind Folio: 655
PART V
Research, Development, and Collaboration Chapter 17 Chapter 18 Chapter 19
17-ch17.indd 655
Research Methods and Industry Trends Technology Life Cycles and Security Activities Business Unit Interactions
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17 Blind Folio: 656
This page intentionally left blank
17-ch17.indd 656
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
17
CHAPTER
Research Methods and Industry Trends This chapter presents the following topics: • Performing ongoing research • Threat intelligence • Researching security implications of emerging business tools • Global IA industry/community
An exciting yet difficult aspect of information security is the fast-paced and ever-changing environment that security practitioners have to deal with. Not only do you have to stay abreast of the latest advancements in technology, but also any newly discovered vulnerabilities in your applications, operating systems, and hardware. To succeed at this, security practitioners must exercise a high degree of resourcefulness because security issues and trends can be sourced from numerous places. A big part of this responsibility is performing ongoing research on the latest cybersecurity trends and vulnerabilities. Being the lead or one of the lead security professionals at a company, chances are nobody is going to tell you about these trends. It’ll be the other way around—people will be counting on you to keep them in the loop on the latest cybersecurity developments. As you conduct your research, you’ll notice a pattern of numerous immediate and short-term threats, as well as a few long-term threats that will refine the cybersecurity landscape. As a result of the sheer volume of changes in technologies, vulnerabilities, and threats, you must repeat your research throughout the year to stay ahead of the curve. Your organization’s current and future security posture will depend on your ability to always know what’s going on in the industry. This chapter discusses how we can apply various research methods to determine industry trends and their impact on the enterprise.
Performing Ongoing Research
A good chunk of your time should be spent conducting research—either formal as part of your job to improve the security posture of your organization’s computer systems and networks or informal to simply maintain your own level of currency and proficiency. Your research will include obtaining knowledge on the newest technologies in computer
657
17-ch17.indd 657
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
658
science and the potential impact they may have on your organization, both in productivity and in regard to security. You will also need to know what security services are offered that might be useful for your organization in protecting its computer systems and networks, and what the current best practices are for both the technology and the industry as a whole—especially for your given sector. For example, if you are in the banking and financial services sector, what are considered the standard best practices for banks and financial institutions specifically? Here are some suggestions to consider when doing your security research.
• Visit vendor websites for the latest information on vulnerabilities, updates, FAQs, other software downloads, and best security practices. • Use official information security sources such as RFCs, ISO, NIST, ISACA, EC-Council, (ISC)², and SANS. • Subscribe to security mailing lists such as Bugtraq and CERT Advisories and Security Weekly. • Visit vulnerability websites such as the CVE database, SecurityTracker, and SecurityFocus. • Create vendor-specific social media profiles on Facebook, Twitter, and LinkedIn. • Attend security convention events like Black Hat, DEFCON, and HOPE.
Best Practices People are interested in lists of best practices for various aspects of security because they want to determine what others, in a similar situation, are doing. With a limited amount of time, security administrators want to address the most important issues first. Having a list of tasks that others do in a similar situation provides an idea for where they need to get started. This is also important in case of litigation that might arise because of a security breach in an organization’s computer systems or network. If the organization hasn’t at least done what others in a similar situation have done, a court might decide the organization has been negligent in its security precautions. If, on the other hand, the organization can show that it took the same steps others have taken, that it has done what might be described as the “industry standards,” then the organization is much more likely to convince a court that it took all reasonable precautions and the incident was not its fault. There are lists of best practices for many different aspects of security. The lists themselves can range from very detailed and proscriptive, describing very specific tasks that need to be done, to high-level discussions about the type of actions that should be taken but without any precise details on how to accomplish them. One list, for example, might be aimed at security programs in general—that is, what would you need to do in order to establish a viable and sustainable security program? It might include items such as the following:
• Do you have an established corporate security policy? • Do you have a designated information security officer? • Does your organization have an acceptable use policy for its devices and network?
17-ch17.indd 658
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
659
• Do you have data retention and destruction policies? • Do you have policies governing password creation and change? • Do you have computer security awareness training for all employees? • Do you have an identified incident response plan and individuals identified? As can be seen, these are high-level items that are neither machine nor program specific. Another list might address securing an operating system, such as Microsoft’s Windows 10 Enterprise. Microsoft’s website has security checklists for their operating systems that include some system-specific but still not descriptive items, such as the following:
• Enable User Account Control. • Configure the Windows Update application to search for and install updates at your desired day and time. • Enable Windows Defender Security Center features. • Enable Windows Defender Firewall. • Utilize the Windows Backup and Restore features. • Protect your files using BitLocker Drive Encryption. NOTE Microsoft renamed its Windows Firewall to Windows Defender Firewall with the 1709 Fall Creators Update release of Windows 10.
PART V
This list does not contain “how-to” details on any one of the topics it presents, but rather mentions the features present in the operating system that the user should be aware of and utilizing. More detailed information can be found on these topics. For example, instructions can be found on Windows Defender Firewall, discussing each of the options and the recommended settings for them. Microsoft recommends that the firewall be turned on (a rather obvious choice) and allows you (“for maximum protection”) to choose to block all incoming connections. You also have the choice to have the firewall contact you whenever it blocks a connection. In the case of Windows, Microsoft has done its best to provide the security applications users will need in order to maintain the security of the system—and has tried to provide them in a manner that gives user control using the easiest of interfaces. For users who don’t understand the specifics of what the system is doing, they can agree with the Microsoft recommended settings and can then expect to have a reasonable level of security. For the tech-savvy users, more granular options are provided to allow for more detailed security settings. Linux has a number of best practices and security checklists as well, although they tend to be a bit more involved and descriptive. A typical Linux security checklist might contain the following:
• Ensure the latest patches and updates have been installed. • Regularly check logs for signs of suspicious activity.
17-ch17.indd 659
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
660
• Make regular backups. • Install Secure Shell (SSH). • Disable the ability to log on remotely as root. • Remove the hosts.equiv and .rhosts files. • Limit network access using iptables. • Restrict access to the X server. Because security is constantly changing—with new operating systems, applications, and versions of existing software being released continually—the best practices, especially those that are topic specific, will change constantly. Therefore, the wise security practitioner will regularly check to see what has changed in established checklists and what new items might have been added. Although there is no set period of time to accomplish this, any time new operating systems are installed or new applications loaded, it would be wise to check to see if best-practice checklists for these new packages are available. You can check a number of locations for best-practice and guideline documents, such as the Information Assurance Support Environment (IASE), hosted by the Defense Information Systems Agency (DISA), as shown in Figure 17-1; the security special publications from the National Institute of Standards and Technology (NIST); and the security benchmarks maintained by the Center for Internet Security (CIS).
Figure 17-1 The DISA-hosted IASE site provides information on a variety of security guidelines, along with other documents.
17-ch17.indd 660
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
661
New Technologies, Security Systems, and Services Technology has changed a lot in the past 50 years. It evolved from being an intellectual curiosity in the 1960s to academic usage in the 1970s, to residential use in the 1980s, to global proliferation in the 1990s, to social media in the 2000s, to the complete integration into our lives in the form of mobile devices, wearables, and IoT of the 2010s. Although malicious hacking progressed in tandem with the technological advances, new technologies were also developed to counter the hackers. Just as it is important to stay on top of the latest best practices, so too is it important to understand the new technologies that have been created that might impact the security of our computer systems and networks. With that said, the following are some of the new technology trends and security systems the modern security practitioner must be aware of:
• Artificial intelligence/machine learning • Big data • Blockchain/cryptocurrencies • Cloud access security brokers • Containerization • Homomorphic encryption • Internet of Things (IoT) • Quantum computing • User behavior analytics PART V
EXAM TIP The majority of IoT devices are not designed with security in mind. Be sure to research security best practices for the IoT devices under your charge, plus seek security best practices from the vendor.
The introduction of any new technology to an organization must be accomplished with an examination of the possibility for exploitation of the technology by others. Organizations that fall into the category of “early adopters” of technology will be the most vulnerable to new exploitations because the full potential for security vulnerabilities might not immediately be understood. By the time that majority of organizations adopt a new technology, most of the basic security concerns will have been examined and addressed at some level. Not only do administrators need to know the potential security impact of any new technology, they also need to know something about the new security technologies that exist to both attack and defend computer systems and networks. New security devices and software are constantly being developed to address both new threats that have arisen as well as new approaches to old threats or issues. All of the security technologies we know today, such as firewalls, intrusion detection and prevention systems, and biometric access controls, were at some point new technologies that were just being introduced.
17-ch17.indd 661
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
662
Fortunately, in order to stay in touch with what new technologies are being introduced to help address cybersecurity, you can subscribe to one or more of a number of technology blogs or publications that frequently not only discuss technologies in general but often will provide reviews of new products when they are released. An example of this would be the trend over the last few years that has increased the computing power found in mobile devices. These devices can no longer be considered just phones because they provide quite a bit of processing power, and an ever-increasing number of applications are useable on them. This has led to them being targeted by individuals interested in gaining access to an individual’s personal information, which in turn has led to a number of new products designed to better secure the devices from attack. In a similar manner, new security services are created and older ones improved, so security professionals need to also stay abreast of these as well. Services run the gamut, from those offered as systems that are being developed, before they become operational, and after they have been deployed. Service offerings might include the following:
• Code testing and review • Threat modeling • Security training (at multiple levels) • Vulnerability assessment • Risk analysis and assessment • Penetration testing • Social-engineering testing • Security system monitoring and alert notification A growing security business area is that of managed security services. Companies providing these services may be utilized to monitor security devices in your organization, providing security experts to look for signs of intrusive activity and to respond to it if found. These services may also include device management in which the company will configure, update, and maintain your systems in a manner that ensures the maximum level of security within your operating environment. One area popular among security service providers is the concept of penetration testing, or “ethical hacking,” in which security professionals take the role of an attacker attempting to gain access to an organization’s computer systems and networks. This will generally include attempting to utilize various means to gain access to the systems and networks (for example, via the Internet, wireless connections, or telephone modems). It may also, depending on the arrangement with the company hired to conduct the test, include social engineering attacks, where they try to trick employees into providing access or information useful in gaining access to the network. It may even include other nontechnical techniques employed by attackers such as “dumpster diving,” in which an organization’s trash is examined to look for clues and information that might provide access to computers and the network.
17-ch17.indd 662
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
663
EXAM TIP New technologies, services, and products are constantly being created. It is important to understand that each of these may certainly provide a new capability for an organization, but may also introduce new security vulnerabilities. As these are added or implemented, security administrators need to be aware of any known vulnerabilities and prepare for the discovery of additional vulnerabilities as the technology, product, or service has time to be thoroughly examined by individuals in both the security and hacking communities.
Technology Evolution Computers, networks, and the Internet are constantly evolving as technology advances. Frequently the advancements are minor and do not require large-scale changes to the Internet operating environment and the protocols on which it relies. Occasionally, however, advances are made that can have a much broader impact. When these occur, the community has to determine how to proceed (because there is no single entity that “owns” the Internet). The way this is done is often through Requests for Comments (RFCs), which are created by organizations such as the Internet Engineering Task Force (IETF). The IETF is a large, international community of network administrators, designers, vendors, and researchers who are concerned with the evolution of the Internet and its continued operation. They are responsible for 8,000+ RFCs, including some of the following:
PART V
• RFC 1321: The MD5 Message-Digest Algorithm • RFC 2460: Internet Protocol, Version 6 (IPv6) Specification • RFC 2616: Hypertext Transfer Protocol 1.1 • RFC 2660: The Secure HyperText Transfer Protocol • RFCs 2865, 2866, 3575: Remote Authentication Dial-in User Service • RFC 3748: Extensible Authentication Protocol (EAP) • RFC 3766: Determining Strengths for Public Keys Used for Exchanging Symmetric Keys • RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile • RFC 4301: Security Architecture for the Internet Protocol • RFC 4949: Internet Security Glossary, Version 2 • RFC 6595: A Simple Authentication and Security Layer (SASL) and GSS-API Mechanism for the Security Assertion Markup Language (SAML) • RFC 6749: The OAuth 2.0 Authorization Framework • RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 This is just a short list, but it illustrates the type of topics addressed in RFCs. It also serves to illustrate how the Internet is cooperatively designed and controlled by an open
17-ch17.indd 663
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
664
community of professionals. From a security standpoint, changes to technology and protocols can have a definite security implication, and discussions on subjects such as the preceding ones often have a security component. After an appropriate amount of time is allowed for comments to be received on a subject, the IETF’s working group on the subject will evaluate the comments, and the RFC may result in the publication of a new Internet standard. Not all RFCs end up as standards. Some RFCs are designed as informational only. Others are intended to discuss best current practices. Even among RFCs that were intended for the “standards” track, there are categories such as Proposed Standard, Draft Standard, and Internet Standard. The IETF is not the only international organization impacting the Internet and security communities. The International Organization for Standardization (ISO) is another international body that establishes standards. The ISO is composed of individual representatives from a variety of national standards organizations. It produces and disseminates proprietary, industrial, and commercial standards. A significant difference between the standards of IETF RFCs and those of the ISO is that the ISO obtains funding through the sale of its standards. EXAM TIP An important standard of concern to security administrators is ISO/IEC 27001:2013, which describes best practices for an information security management system (ISMS).
The point of this chapter is the fact that advances in technology will have an impact on trends that are seen and adopted in industry, and that this, in turn, has a potential impact on the security of organizations. Understanding this is critical, and there are plenty of examples, such as wireless networking evolving from wired networking. Wired networks have an overhead associated with them in terms of the wire that must be strung around the organization. It also impacts flexibility. Introducing wireless technology to a corporate network allows for much more flexibility and mobility throughout facilities. It, however, also introduces security concerns because wireless signals are not necessarily confined to the buildings or offices owned by the organization. This might allow attackers to listen in on network traffic or to use the corporate network for their own purposes. There are security responses to these vulnerabilities (such as encryption), but they, in turn, have been attacked (WEP encryption, for example, is widely known to be crackable), which led to the security community looking to WPA/WPA2 and to the new WPA3, which was announced by the Wi-Fi Alliance in January 2018. This neverending cycle of advancing technology, followed by security discoveries, followed by new advances, and so forth, is something security personnel need to understand and accept. The corporate landscape is constantly changing with advances in technology, and the security posture of organizations will be constantly changing with it. Another common technology trend that is having tremendous security overtones (which security personnel need to understand) is the widespread use of mobile devices. The new phones of today are closer to computers now than they are to the first cell phones we once used. Unfortunately, most individuals still treat them as just phones and not computing devices, which means that attackers can take advantage of this carelessness to target these devices. Security personnel need to know how this new almost ubiquitous technology can have security implications for their organization.
17-ch17.indd 664
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
665
Another, less widely understood technology change that has security implications is the somewhat gradual switch to IPv6 from IPv4. All of these technology trends provide great examples to study the pattern of technology change driving security changes, which is the focus of this chapter. NOTE Wireless computing is a technology that is easily added to the workplace, by either administrators installing authorized access points or individuals installing their own. It is a good security practice to periodically test to see what wireless access points are available in your organization to ensure that unsecured access points have not been added by employees. A great tool to use for office Wi-Fi discovery scans is inSSIDer Office from MetaGeek.
Threat Intelligence
PART V
Threat intelligence is the methodical process of collecting information about cybersecurity threats. This intelligence stems from multiple threat areas, including the threat’s goals, infrastructure, and resources. We use this information to make more intelligent decisions about preventing, detecting, and recovering from security incidents. Security practitioners must utilize various open source resources, including vendor websites, hacker channels, and Internet forums to help organizations adopt a more proactive cybersecurity posture. If you’re wondering why we’re suggesting you visit hacker channels, it’s important to understand the nature of hackers. Many hackers struggle with keeping secrets. They have this relatively rare accumulation of knowledge, tools, and techniques, and they want to be recognized for it. After all, what is the fun in keeping a secret that no one knows you’re keeping? As a result, security professionals might be able to discover emerging threats and malicious intentions just by sniffing around a bit on the Internet. Not to mention, hackers might announce their hacking intentions directly to their targets. NOTE The black hat hacking group called Lizard Squad openly threatened to hack the Microsoft and Sony gaming networks back in 2014—and then did just that shortly afterward. Hacker threats must always be taken seriously.
A big part of threat intelligence involves awareness of the latest attacks. In this section, we’re going to cover threat intelligence components such as the latest attacks, knowledge requirements for current vulnerabilities and threats, zero-day mitigation strategies, and threat models.
Latest Attacks, Vulnerabilities, and Threats As has been discussed, you need to have an understanding of your own networks and what constitutes normal activity so that you can better determine when abnormal activity is occurring. This is one aspect of situational awareness; another is to know what threats exist that can impact your organization’s critical cyber systems. Before we get into the latest attacks, vulnerabilities, and threats, it’s important to get some key terms out of
17-ch17.indd 665
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
666
the way. It’s important to know the specifics of these terms because much of the information you’ll be researching online will reference them.
• Threat agent Individual or group that carries out or gives rise to a threat. • Threat Possible danger that may intentionally or unintentionally exploit a vulnerability that produces a loss. • Exploit A defined method of attacking vulnerabilities. • Vulnerability A weakness or absence of a countermeasure that can be exploited. • Risk The probability and impact of a threat exploiting a vulnerability. • Exposure The loss incurred from a threat exploiting a vulnerability. It was only a few years ago when every mainstream media source in the world was talking about the infamous Heartbleed Bug, which affected roughly 66 percent of active websites worldwide and utilized the OpenSSL-based Apache and Nginx web platforms. The Heartbleed Bug is one of those “Mount Rushmore” attacks that people will be talking about for years to come due to its scale and longevity—and the rumor that the NSA exploited the Heartbleed Bug for two full years prior to its public discovery. To be fair, the NSA emphatically denies this claim and continues to state that they did not know about the bug until it was made public. NOTE Other hall-of-fame malware infections include Stuxnet, Melissa, I Love You, MYDOOM, and the more recent WannaCry ransomware. Stuxnet is so noteworthy that documentaries have been made about it.
Now, not every cybersecurity threat will be broadcasted to us on national television; therefore, we’ll have to perform a little due diligence and go out and look for the information. Go to any search engine and type in “Cybersecurity trends 2018” or “Cybersecurity threats 2018” and you will be bombarded with articles predicting the upcoming cybersecurity landscape. Not only are the latest cybersecurity trends not hard to find, but you’ll quickly notice that most of the articles are predicting the same trends. Such a consensus really hammers home how imminent these threats are. The following is a list of cybersecurity trends:
• Explosive growth of ransomware A type of malware that threatens to “dox” a user’s data or perpetually encrypt it until a ransom is paid—usually in the form of bitcoins to expedite payment while reducing paper trails. The legendary and ongoing WannaCry ransomware of May 2017 has caused billions of dollars of damages worldwide. • Artificial intelligence attacks AI is being used by hackers to automate the collection, analysis, and learning of user data, and then that data is used to more intelligently attack targets. Such data collection also helps narrow down password possibilities based on the demographics gleaned from the data collection. Such narrowing down will significantly speed up password-based attacks.
17-ch17.indd 666
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
667
PART V
• Internet of Things (IoT) With IoT devices expected to reach up to 50 billion in total by 2020, attackers will partake in a new gold rush. The frightening fact about IoT is most devices will not be designed with security in mind. • State-sponsored attacks Despite all the current finger-pointing taking place regarding nations hacking other nations, the fact is international surveillance and hacking have always happened—not only between enemy nations but also between allies. The only differences are nations are more technologically equipped today to perform such state-sponsored activities than in years past. Given international tensions, cyberwarfare will only increase in the years to come. • Sandbox-evading malware The clever among us attempt to sandbox malware inside of virtual machines in an effort to isolate, analyze, or extract any meaningful content from it. The reality, of course, is today’s more advanced malware is capable of discovering its sandboxing predicament, thereby suspending its payload or vacating the virtual machine to attack the hypervisor, physical host, or other virtual machines. • App store malware App stores are frequently targeted with malware that is disguised as a security tool or other desirable application. This is a quick way to affect millions of devices with malware. • Cryptojacking A method of hijacking a device’s hardware in order to mine cryptocurrency. • Dronejacking With the number of drones in the skies now, hackers are hijacking not only the insecurities inherent in toy drones but also drones used for business purposes like deliveries and law enforcement. • General Data Protection Regulation (GPDR) This new EU privacy law will directly or indirectly affect every major region in the world with compliance requirements that many organizations either cannot or deliberately will not meet. Supposedly the costs of compliance can be more expensive than the penalties incurred from noncompliance. • Cloud computing With the explosion of data, applications, and services hosted in the cloud, attackers have found the proverbial sea with infinite fish. You can expect significant increases in cloud-based attacks from APTs, DDoS attacks, and malicious insiders in the data centers.
Zero-Day Mitigation Controls and Remediation A zero-day vulnerability occurs when a software error or hole impacting security is discovered and exploited before a patch is developed to address the vulnerability. The term comes from the fact that up until the point of it being used in an attack, the vendor and public in general knew nothing about the vulnerability. The “clock” starts when the vulnerability is made public. How long it takes the vendor to develop a patch and how long it takes companies to develop a signature to detect it or methods to mitigate its impact will have a direct bearing on the amount of damage it can cause.
17-ch17.indd 667
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
668
Another factor in how much damage may be caused by the vulnerability is how much publicity is generated. If it is generally announced or released, the damage can be considerable because numerous individuals may attempt to exploit the vulnerability while the software vendor scrambles to develop a patch for it and various security vendors rush to develop a signature that might be useable to detect and prevent attacks utilizing the exploit. Of course, it is also possible for a zero-day attack to go unnoticed if the result is subtle and the attacker does not do anything that causes the attack to be noticed. If everything is kept quiet, the attacker can continue to exploit the vulnerability until it is eventually noticed, until the vendor discovers the error leading to the vulnerability through their own efforts, or until another attacker discovers and exploits it in a more noticeable fashion. There have been cases where a vulnerability has gone unnoticed for several years until a vendor discovers it. It is impossible to know in a case such as this whether somebody else had previously noticed it and had been exploiting it for their own benefit. The amount of time between when a vulnerability is detected (exploited) and when the vendor has a patch for the vulnerability (or vendors have a mechanism to counter it) is generally known as the vulnerability window. Zero-day attacks are, by definition, often hard to discover and prevent. Because it is a new vulnerability, firewall and intrusion detection/prevention vendors won’t know about it and will therefore not have a signature in their database of vulnerabilities that matches it. Firewalls and signature-based IDS/IPS will therefore most likely not be able to block, detect, or prevent an attack utilizing the vulnerability. Because of the level of damage a zero-day attack can cause, the topic of how to counter zero-day exploits occupies considerable time in the security research community. On the nontechnical side, ways to address zero-day attacks center around the speed at which information about them can be disseminated once a zero-day exploit is discovered. Discovering the exploits can occur in a number of ways. An easy one occurs when the individual who discovered the exploit or developed an exploit makes it available to the “hacking” community. Another way in which they may be discovered is if an attack utilizing the exploit is discovered and an analysis to determine how the attack occurs reveals the new vulnerability. A tool that has sometimes proven to be useful in the discovery of new exploits is the honeypot or honeynet. The concept behind both of these terms is to construct a system or network that appears to be official but in fact is not. The honeypot or honeynet can then be monitored, looking for individuals who are attempting to attack systems. Because honeypots or honeynets are not official, there shouldn’t be anybody who is trying to connect to them, so any attempted connection is likely to be somebody looking for systems and networks to attack. By monitoring the activities of the attackers, we can observe their tools and methods. Therefore, should a zero-day attack be attempted, its existence may be revealed. Once a new exploit is discovered, receiving word about it becomes important in order for individuals to be prepared to address it. Some in the security community argue against the posting of information regarding the discovery of new vulnerabilities.
17-ch17.indd 668
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
669
The argument is that posting this information makes it easier for individuals in the “hacking community” to find out about these vulnerabilities and to then use them in attacks. The counter-argument is that the owners of systems need to know about these attacks so they can be prepared. Keeping information on a new exploit secret until it is announced along with a patch from a vendor simply provides a window of opportunity for attackers during which they can utilize the vulnerability without too much fear of being discovered. Even if a patch has not been issued to fix a vulnerability, the knowledge that it exists and details on what to look for will at least let security administrators know whether their own systems have been compromised. CAUTION Microsoft ended support for Windows XP as of April 8, 2014. Since Microsoft is not patching Windows XP anymore, it is loaded with zeroday vulnerabilities that hackers will be able to exploit forever. As a result, it is crucial to start deploying newer operating systems that are still supported.
17-ch17.indd 669
PART V
Although we said that signature-based security systems will generally not be able to detect a zero-day attack because it will most likely exhibit a different signature, other methods are being used to spot potential new vulnerabilities. Often, this takes the form of attempts to identify unusual traffic patterns for the system or network. Unusual patterns may very well indicate attempts to attack the system. Knowing what is unusual means that the normal activity for the system or network needs to be known. Activity outside of the normal activity can then be identified. The unusual patterns may be part of a known attack; in fact, some activities (such as “general probing of a network”) are so common that although they are not part of the activities for which the system or network was intended, they can nonetheless be identified easily. Occasionally, however, a pattern may be discovered that is not part of the normal activity for the system or network and is also not indicative of any known attack pattern. In this case, it could be a strong indicator of a new exploit. Of course, the best way to counter zero-day attacks is to prevent them in the first place, which means doing a better job of building bug-free software. This requires better design, coding, and testing practices. Operating systems have also taken steps to limit the damage events such as buffer overflows can have on a system. This makes it less likely that a vulnerability can have a disastrous impact on a system. Data Execution Prevention (DEP), for example, is an attempt to prevent programs from executing in memory locations that should contain data and not code. Address Space Layout Randomization (ASLR) moves pieces of programs around randomly in portions of memory in an attempt to make it harder for nefarious code segments to jump to some place in memory that they shouldn’t. Structured Exception Handler Overwrite Protection (SEHOP) attempts to make stack overflows harder to accomplish by checking to make sure that chains of exception handlers (interruptions) aren’t hijacked. These three techniques make it more difficult for any piece of code to take over a system, without knowing a precise attack signature.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
670
NOTE In newer Windows-based operating systems, DEP and ASLR can be turned on or off by the software vendor. Microsoft has released the Enhanced Mitigation Experience Toolkit (EMET), which allows administrators to override the choice set by software vendors so that all of these tools can be employed.
Whitelisting is also seen as an approach to address at some level the issue of zero-day exploitation. This is the term used to refer to the process of providing a list of approved entities that are allowed to accomplish a certain task. A common example of this is found in browser security, where lists of approved URLs or IP addresses can be used to limit the sites a user is allowed to go to. The same technique can be used to limit who may access a system as well. The concept can also be extended to systems where lists of approved applications can be provided to limit what is allowed to be run on the system. Another approach some have taken to avoid the exploitation of zero-day vulnerabilities is to offer rewards for previously unknown vulnerabilities. Approaching the problem in this way provides a financial incentive for individuals to try and exploit systems, thus increasing the likelihood that vulnerabilities are found. This method is looked upon differently by various vendors and security companies, and it cannot be said that it is a universally accepted approach to the problem.
Threat Model Threat modeling is a process of identifying and analyzing a threat’s objectives, attack vectors, requirements, and the various ways in which it might exploit the vulnerabilities of an asset. Since threats are both numerous and shaped according to the assets themselves, many kinds of threat models will need to be created. To diversify analytical perspectives, threat models can be broader (organizationally based) in nature or more specific (asset focused versus attacker focused). Despite the variety of threats, threat modeling is a cyclical process in that you can apply the threat modeling process to different kinds of threats. NOTE The five steps for threat modeling include identifying attacker objectives, identifying attack vectors and attack requirements, identifying targets, assessing targets, and identifying mitigation techniques.
Some well-known threat-modeling methodologies for IT purposes include the following:
• STRIDE Created by Microsoft to aid developers in identifying threats to programming projects. • P.A.S.T.A. A seven-step process, threat-focused threat model that encompasses organizational objectives, technical requirements, and compliance issues. • Trike Uses threat modeling for risk management and security auditing purposes. • VAST A threat model designed for integration with an organization’s software development life cycles.
17-ch17.indd 670
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
671
Researching Security Implications of Emerging Business Tools
Evolving Social Media Platforms
PART V
There is a constant demand in organizations to find new ways to conduct business in faster, more efficient ways. Plenty of vendors are developing new tools or improving on existing tools that will appeal to this demand. When an organization finds a new tool it believes will help, the possible security implications should be considered, but all too frequently they are not. As previously discussed, technology such as mobile computing provides tremendous advantages in terms of allowing employees to continue to work no matter where they may be. They can stay in touch with their office so that important e-mail and messages are not missed, and they can conduct many routine office tasks almost no matter where they are. This freedom doesn’t come without a price, however, as a new avenue for attacks on the organizations is introduced. When an organization is considering adoption of a new product or type of technology, where can they go in order to determine the security implications of the decision? The vendor may provide information on this, but if it is not favorable to their product, this is not likely to happen. Another possibility is to hire or employ security testers who can search for security holes before the product or technology is fully deployed within the organization. Any number of security companies can provide penetration testing services both before and after deployment. Periodic outside penetration testing is considered a good security practice because it provides an additional fresh look at an organization’s security posture from individuals who have no preconceived notion of the organization’s security status. A simple search of the Internet may also provide information on security issues related to a product or new technology, and several federal programs (such as the national Information Assurance Partnership validated products list as well as the Approved Products List kept by DISA, shown in Figure 17-2) can provide information on certain products that have been evaluated.
Social networks at first may seem harmless because they appear to simply be a way for individuals to “stay connected” to friends and families. Unfortunately, there are a couple of issues that security administrators need to be aware of associated with these networks. First is the fact that these networks are increasingly being used by attackers to attempt social-engineering attacks. These are surprisingly successful due to the nature of social networks, which encourage the sharing of information with an assumed level of trust— often misplaced. Attackers also will attempt to trick users into going to potentially malicious sites where personal information—or corporate data, if the machine accessing the site is a work system—may be extracted. The common use of shortened URLs on social networks only adds to the problem. Another issue with social networks is the possibility for employees to post sensitive information about the company. For decades, details of mergers or other important business transactions have been discussed by individuals when they weren’t supposed to.
17-ch17.indd 671
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
672
Figure 17-2 The DISA Approved Products List provides a list of products that have completed interoperability and information-assurance certifications for the Department of Defense.
The issue today is that if done on a social networking site, the ability for it to be seen by large numbers of individuals and to quickly spread beyond an individual’s closest friends is tremendous. EXAM TIP Organizations should establish policies for the use of social media in the workplace and should provide guidelines on who can speak on behalf of the organization. Although they may not be able to control everything that employees post, organizations should at least make employees aware of the potential dangers to the organization from certain activities on social networks and unauthorized comments or information about the organization.
Integration Within the Business At first, organizations looked for ways to limit, or prohibit outright, the use of social networks in the workplace. As their use increased, however, and as the next generation of employees, raised on social networks, entered the workforce, most organizations have realized that social networks are now part of life, and instead of trying to prohibit their
17-ch17.indd 672
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
673
use, they need to help employees recognize the appropriate way to use them. Social media is beneficial to businesses in various ways, including the following:
• Crowdsourcing and soliciting public opinion through polls and user surveys • Product promotion • Brand exposure • Competitive analysis • Customer service and support • Recruitment • Business leads and sales • Background checks to hire employees
Big Data Big data refers to huge amounts of mostly unstructured data that is often too large for standard systems to process. Yet, big data is already seeing a lot of action in government, law enforcement, manufacturing, healthcare, education, media, insurance, science, financial trading, and sports analytics. It allows quick detection of errors and scams, realtime analysis, and has been especially valuable in the healthcare industry due to research and disease prevention reasons. However, the sheer volume of data can make analysis difficult, plus it aids privacy invasion due to the amount of data being aggregated about people. When describing characteristics of big data, consider the following factors: PART V
• Volume The quantity of data • Velocity The speed at which that data is generated and processed • Variety The type and behavior of data • Veracity The accuracy of data • Value The quality of data NOTE Closely associated with big data is Hadoop, which is an open source framework that performs distributed processing for big data across clusters of servers. It provides for the enormous storage and processing requirements needed for big data loads.
In order to tame the immovable object that is big data, it takes an irresistible force— artificial intelligence. Artificial intelligence and machine learning are discussed next.
AI/Machine Learning Artificial intelligence (AI) involves computers performing tasks with a human-like intelligence. These machines are capable of incorporating perception of, and adaptation to, their environment in order to succeed at completing a task. Typical software and hardware devices have all of their knowledge pre-programmed internally. This “inherited”
17-ch17.indd 673
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
674
knowledge is then used to perform various tasks. However, the future of technology behaviors will not come from inherited knowledge but from learned knowledge. It is believed that a tool can exhibit greater levels of intelligence by acquiring information itself versus having the information built in. Whenever most people think about AI, their thoughts inevitably become apocalyptic—machines becoming self-aware and turning on their human creators. Although AI is still in its early stages, human history reveals that most inventions designed for good are eventually repurposed with malicious intent. Although the jury is still out, we’re already seeing both positive and negative outcomes from AI. The technological intelligence stemming from AI allows our software to learn from the consequences of past events in order to predict and identity threats. At the same time, hackers are also using AI to automate the collection of a victim’s information and then filtering out the irrelevant parts to launch a more focused and potent attack on vulnerabilities. Yet, AI is a complex topic that can be broken down into the following subgroups:
• Machine learning A type of AI where computers use certain built-in learning factors to guide their learning and adaptation of data. Although the learning aspects are guided by these statistical baseline factors, the outcomes themselves are dynamic in nature—hence, the purpose and value of “learning.” • Deep learning A deeper form of machine learning in which technology tools don’t use any baseline factors to guide its learning; rather, the technology decides for itself what learning and classification modalities to implement based on the inputs it receives. This allows for even more human-like intelligent behaviors than generalized machine learning. Common applications of AI/machine learning include Google’s search engine results, Amazon’s product recommendations, and Facebook’s news feed customizations. You may have seen IBM’s AI tool called Watson on various TV commercials in recent years. It utilizes machine learning and deep learning to intelligently discover and mitigate cybersecurity threats. NOTE Scientists are saying that the AI market promises to be even bigger than the automobile market. Expect to see Amazon, Microsoft, Google, IBM, and Palo Alto Networks leading the AI charge into the near future.
Global IA Industry/Community
The information assurance community is large—and growing. Numerous training companies, conferences, seminars, workshops, and webinars exist that can help security professionals stay on top of current security issues and developing trends. Overall, the community has a tendency to be very friendly, and any number of individuals are more than willing to help struggling security administrators having specific problems with their systems. Blogs and tips can be found discussing a variety of common security problems,
17-ch17.indd 674
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
675
which can be very useful for both those new to the community and those who are faced with a new problem they haven’t seen before. In addition, organizations such as the SANS Institute (a private U.S. company, with SANS derived from Sysadmin, Audit, Networking, and Security) provide a number of free resources in addition to their paid training that newcomers will find useful. In particular, the Reading Room (which can be found from the SANS home page at www.sans.org) includes numerous papers on dozens of topics written by security professionals going through one of its many courses. SANS also publishes a list of the top 25 programming errors and the top 20 critical controls, which can also be extremely helpful to individuals in the community. The SANS site is one that both novice and experienced security professionals will want to keep track of. Other helpful hints can also be often found in one of the hundreds of security vendor sites. Many companies have produced white papers on a variety of security topics. In addition to white papers, quite a few open source security tools can be found on numerous sites. Obviously, a word to the wise concerning downloading and running software from unknown sites—what better way to convince individuals to run your exploit malware than to disguise it as a security tool designed to help secure the very system that the exploit is designed to take advantage of. Always be careful of what sites you visit, and be especially careful of any software you might download from them.
PART V
EXAM TIP Individuals can take advantage of a number of different options in order to stay on top of what is happening in the security community. Some of these include conferences, workshops, and seminars (as well as webinars) that are offered throughout the year and in locations around the world. There are also numerous legitimate (safe) websites that provide details on evolving security trends, new technologies, and best practices that security personnel can take advantage of at no cost in order to stay up to date with what is going on in the security community.
Computer Emergency Response Team (CERT) Computer emergency response team (CERT) has a few different contexts. There’s the general usage involving any expert group of security professionals that implement an organization’s incident response plans. Then there’s the coalition of official security teams, or CERTs, scattered throughout the world—more accurately referred to as computer security incident response teams (CSIRT)—that assist organizations with incident response processes in their respective regions. Last, there’s the CERT trademark held by the Software Engineering Institute at Carnegie Mellon University. A well-known U.S.-based CERT known as the United States Computer Emergency Readiness Team (US-CERT) provides incident response guidance to various enterprises. TIP Whether in the USA, or other nations, enterprises should subscribe to the mailing lists of their regional CERT in order to be kept abreast of the latest security issues.
17-ch17.indd 675
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
676
Conventions/Conferences One of the best ways to stay on top of what is happening in the security community is to attend one of the numerous computer security–related conferences that exist. Not all conferences aim to reach the same audience, so choosing which to attend will depend on individual goals. Security-related conferences can be roughly broken into three categories: industry, academic, and “hacker.” The best-known industry conference is RSA. This extremely large conference also includes one of the largest and best vendor exhibitions. The conference draws individuals from across government, academia, and industry as well as features national-level keynote speakers. Often with over a dozen simultaneous tracks, choosing the talk to attend during any given session is often challenging. Having over a dozen tracks ensures that the chance of finding a talk of interest to you will be very high. The only downside to the conference is the cost, which is fairly high in comparison to some of the other security conferences that exist. Another large conference is Black Hat. The original Black Hat conference was in Las Vegas, held immediately before the annual DEFCON “hacker” conference. Las Vegas continues to be the largest Black Hat conference, but other versions exist in Europe, Asia, and the Middle East. The original intent of Black Hat was to bring individuals from the different “sides” of the hacking community together. Thus, it appealed to those in the government (law enforcement) as well as the “hacking” community. Today, it probably has somewhat of an even split between the government, industry, and “hacking” sectors, with a few from academia thrown in as well. The vendor area is not as large as RSA, but it is growing. Like RSA, it also has multiple simultaneous tracks, which again sometimes makes it challenging to decide on which talk to attend. USENIX is a computer systems professional organization that, among other things, sponsors a number of different conferences. One of these is the USENIX Security Symposium, which has been conducted for over 20 years. It is a large security conference and serves as a bridge between conferences more focused on industry and conferences designed for researchers and the academic community. There are a number of academic workshops, symposiums, and conferences. No matter what the security research topic is, chances are good that there is a meeting, conference, workshop, or symposium on it somewhere. Some of the better known and larger conferences include the IEEE Symposium on Security and Privacy, the Annual Computer Security Applications Conference, and the ACM Conference on Computer and Communications Security. All of these address a broad range of security topics. An example of a more focused security conference is the European Cryptology Conference (EuroCrypt) or the International Symposium on Recent Advances in Intrusion Detection (RAID). Another type of conference focuses more on the “hacking” side of security and was originally designed more as an “underground” event that appealed to those in the community. DEFCON is the best known of these conferences—although it no longer is anywhere close to being an underground conference, nor is it attended only by those in the hacking community. Today, it probably has an even balance between professional
17-ch17.indd 676
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
677
security personnel from government, academia, and industry and individuals who might fall more into a “hobbyist” category. These conferences pride themselves as being not only more technical than some of the others, but also more practical and “hands on.” An additional attribute of conferences in this category is their more relaxed nature. Another example of a conference in this category is HOPE (Hackers On Planet Earth), sponsored by the 2600 magazine. Living up to its more relaxed nature, this is not an annual event but has been held on a periodic basis. Since 2000, it has occurred every two years. Another well-known conference seeking for a more relaxed atmosphere is CanSecWest.
Research Consultants/Vendors Although a wide variety of security resources are available for research, two that should not be neglected are security consulting agencies and vendors. Although many organizations have sufficient security expertise on staff, some will feel more comfortable outsourcing certain security tasks to a security consulting company. However, which consulting firms should we consider? According to a Gartner 2016 Top 10 Security Consulting Services Firms list, the security organizations Deloitte, EY, PwC, KPMG, IBM, Accenture, Booz Allen Hamilton, HP Enterprise, Optiv Security, and BAE Systems, in that order, are the largest in terms of revenue. Any of these would be a good starting point for a researching consultant. TIP Given the size and prestige of the top security consulting companies, they are likely very expensive. Consider hiring a smaller or more local organization that is more affordable if the budget calls for it. PART V
Finally, we have the vendors themselves that wrote the software or manufacture the hardware we’re using. Be sure to visit vendor websites for the latest news, alerts, downloads, documentation, firmware, and patches for your products. Be mindful of their support hours, region, and time zone, just in case you need support. Also, any contracts or service level agreements that they may have with you should be consulted during times of degraded services.
Threat Actor Activities A question that administrators sometimes ask is, “Who would want to attack us?” The implication being that the company doesn’t do anything that the administrator would view as being worthy of interest to a cyber attacker. From the attacker’s standpoint, there are two general types of targets: targets of opportunity and explicit targets. If an organization is being targeted because of who they are or what sector they are in, they are an explicit target. If, on the other hand, the target was not specifically chosen for who they are but instead because they are running a specific piece of software or using a specific piece of hardware, then they are a target of opportunity. Targets of opportunity generally occur when an attacker is looking for somebody, anybody, who might have a system
17-ch17.indd 677
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
678
that is vulnerable to a specific exploit. The attacker is not concerned with who they are; they just want to gain access to somebody. If the attack is attempted and fails because the organization has protected itself against the exploit being used, the attacker moves on to the next organization and tries the attack against it. On the other hand, if a specific exploit fails against the chosen target in an explicit attack, the attacker doesn’t move on to another potential target but instead moves on to another exploit to try. The goal for an explicit attack is to gain access to a very specific target. The goal of an attack on targets of opportunity is to find somebody who is vulnerable to an exploit. Let’s return to the original question of who would want to attack a specific organization? It should now be obvious that for some attackers, the organization simply doesn’t matter. It is a matter of the technology being used. If the organization uses technology that the hacker feels comfortable exploiting, it may not matter whether the organization has assets that are inherently valuable to the attacker or not. In other words, all organizations, regardless of what they think hackers want, are at risk of being hacked; therefore, they must prepare for it. Determining who the attackers might be depends on the type of target. The vast majority of attacks are unstructured attacks against targets of opportunity. The definition of what an attack in this case is very broad and can range from somebody simply testing to see if they can guess a password for an account, to an individual who just learned about an exploit and wants to find somebody who is vulnerable to it. A term that is often used in the community to describe the majority of individuals in this category is “script kiddies”—individuals who may have simply downloaded an exploitation script and are running it. They probably know very little about the vulnerability being exploited and might not have ever been able to actually create the exploit themselves. Unstructured attacks are generally not targeted against a single infrastructure (unless the new exploit is targeting systems only used in a specific sector) and are conducted by individuals with little to no financial backing. Two additional groups that are often placed in the unstructured threat category are hacktivists (individuals who attack computer systems and networks in order to promote a cause or ideology, or “hacking activists”) and hacking groups. Hacking groups are simply groups of individuals interested in computer systems and security who band together to help each other learn more about the systems they attack. An example of hacktivism might be a group of individuals supporting animal rights who deface the website of a company that sells fur coats. Individuals in these categories may be loosely organized with no real financial backing, or they may, as is sometimes seen in the case of ideological hacktivists, have a bit more support and organization. Hacking groups also vary in the level of support and expertise they have. In both cases, the groups may no longer be considered to be in the unstructured threat category as they become more organized with a specific purpose in mind and if they begin to receive financial backing. CAUTION Another dangerous group of hackers is called suicide hackers. Unlike most other hacktivists, these hackers believe so strongly in their cause that they do not mind getting caught. This will make them potentially more aggressive due to their relative lack of fear.
17-ch17.indd 678
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
679
PART V
A structured attack is one in which a specific organization (or sector) is being targeted and is conducted by individuals with some financial backing and who have more time in which to obtain their goal. An example might be individuals with backing from organized crime attempting to gain access to computer systems owned by a financial institution. A highly structured attack is one in which the attacker has considerable time and financial backing in order to be able to conduct the attack. Multiple vectors (including attempts to usurp insiders) may be tried, and spotting this type of attack will be extremely challenging. The idea of the advanced persistent threat will often fall into this category, and attacks in this category will generally be supported by organizations with time and money, such as nation-states or organized crime going after extremely high-value targets. Another way that attackers are sometimes categorized is in terms of what “hat” they wear. In this case, white hats are individuals in the community who perform what is often referred to as ethical hacking—also known as penetration testing—in order to help organizations secure their computer systems and networks. They do not break any laws in conducting their activities and work with the permission of the organization they are attacking when conducting their penetration attempts. On the other end of the spectrum are the black hats, who do violate laws with their activities and attack computer systems without permission for a variety of purposes, including theft, revenge, ideological purposes, or simply the intellectual challenge and the reputation they may obtain within the black hat community. In between these two groups are the gray hats, who may attack systems without permission from the organization (and thus are committing a crime) but are not driven by personal economic gain or other purposes, as are the black hats. Instead, they will often inform vendors of the problems or vulnerabilities they discover in software so that the vendor can fix them. Technically, they have acted illegally, though not for nefarious purposes. In all three categories, the techniques and tools are often the same (although each may have developed their own individual tools), and it is simply whether the hacker has the permission of the organization and the intent that differentiates between which hat the person is wearing.
Emerging Threat Sources One of the factors that makes cybersecurity such a challenging endeavor is the fact that the cost of entry for attackers is so very low. During the Cold War era, a nation wishing to become a superpower would have to spend considerable money on weapon systems and research. To become a cyber superpower, on the other hand, requires considerably less investment. The only entities that had the type of funding that would have allowed them to become superpowers during the Cold War were nations. The same is not true of cyber superpowers. The organizations that would have been targeted by the different sides in the Cold War were confined to the military, the defense industrial base, and the national infrastructures. The same is not true during the cyber era, where many different organizations may find themselves the target of an attack. The threats are different as well. Script kiddies, who will generally have no or only loose affiliation with any entity,
17-ch17.indd 679
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
680
have already been mentioned, but other potential threats exist as well. Organizations within one of the key national infrastructure sectors may find themselves the target of attacks from nation-states, such as have been seen in the power sector the last few years. Any organization that collects payment via credit cards could find itself a target of criminal organizations or individuals wishing to gain access to the credit card information. Organizations that are part of an industry that is considered controversial may find themselves the target of hacktivists who may try to deface their websites in order to obtain publicity for their cause. Another interesting and more recent threat that has impacted individuals in different sectors is the rise of organizations such as Anonymous, which claims to be a group of hackers interested in various causes. In one example, this group announced an attack on the city of Orlando, Florida, because of certain activities that were going on within the city. This is an example of an emerging threat that was not heard of just a few years ago. Cities have generally not been the target of attacks, but now they may find themselves the focus of one because of any number of reasons—a specific industry in the city, a government organization with offices in the city, or policies or politics of interest to the city. What can be said of organizations and threats to them today is that no matter who you are, there is somebody who will attack you. It should probably be mentioned that two of the issues driving the emerging threat sources are the level of dependence that society now has on computer systems and networks and the growing level of technical understanding of individuals and employees. As a result of this, individuals such as hacktivists see the opportunity to make their cause known through a new medium that arguably will have a much better chance of being seen by more individuals than traditional techniques such as protests outside of specific facilities. Disgruntled employees, instead of having no recourse or opportunity for revenge, now have a variety of easy ways they can address perceived grievances or actions taken by their heavily cyber-dependent companies. The disgruntled employee, in fact, has become one of the most dangerous threats to organizations because they will know what best to target in an organization in order to have the greatest impact on it. Nation-states and terrorist organizations now no longer need to rely solely on physical attacks in order to affect adversaries. With the heavy reliance on the Internet and computer systems, they can target the cyber infrastructures of a nation’s critical infrastructures (for example, power, telecommunications, water, transportation, and so on) in order to disrupt the targeted nation. We have already seen this in attacks on both the nations of Estonia and Georgia in separate conflicts where cyberattacks were used to disrupt critical infrastructures or were used in conjunction with physical attacks. Finally, it has become painfully obvious how the dependence organizations place on the Internet in order to conduct financial transactions has led to a rise in attacks on computer systems and networks by individual criminals as well as organized crime organizations. CAUTION Remember, never assume your computers will not be targeted because they contain no sensitive or personal information. Just because your computer systems exist makes them a potential target of opportunity should a new exploit be discovered.
17-ch17.indd 680
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
681
Chapter Review
PART V
This chapter covered research, development, and collaboration concepts. More specifically it covered how to apply research methods to determine industry trends and their impact to the enterprise. The first section discussed the need for performing ongoing research into industry best practices regarding OS hardening, security policies, password policies, and enduser training. It also touched on the latest technologies as well as security systems and services such as AI, big data, blockchain, cloud access security brokers, containerization, homomorphic encryption, IoT, quantum computing, and user behavior analytics. It also mentioned technological evolution from the perspective of RFCs and ISO standards because these documents provide us with official sources of technological information. The next section covered threat intelligence by starting off with some basic threat vocabulary. Then it provided coverage of the latest attacks, such as ransomware (particularly WannaCry), AI, IoT, state-sponsored hacking, sandbox-evading malware, app store malware, cryptojacking, dronejacking, GDPR, and cloud computing. The next topic covered zero-day vulnerabilities due to the dangers inherent in vendors not being aware of the vulnerabilities yet; therefore, no patches are available. Various mitigations of zeroday vulnerabilities were proposed as a result. We then covered threat modeling and how it helps us to analyze the attack vectors, requirements, and motivations behind threats attacking assets. The next section involved researching security implications of emerging business tools. Starting this off was the evolving social media platforms and how they integrate with businesses. Social media provides various ingress and egress risks to businesses; yet it also provides businesses with many rewards through product promotion, brand awareness, customer service, customer leads and sales, and more. Big data was discussed, including basic vocabulary and how it helps us in many industries with analytics, plus error and scam detection. We then covered AI/machine learning and how its increased intelligence will automate information collection and attacks, but will also be equally effective at defending organizations with said intelligence. The final section covered the global information assurance industry and communities. The first of these are computer emergency response teams (CERTs), which are collections of expert security groups that provide incident response assistance for both their respective organizations and for societies at large. We then provided coverage of security conventions/conferences such as RSA, Black Hat, DEFCON, and so on, and how they provide a tremendous networking and informational opportunity for security practitioners from all over the world. We then talked about researching consulting companies and vendors in order to provide us with much-needed security assistance, tools, documentation, maintenance, and more. We then discussed threat actor activities by covering the different types of malicious attackers out there and their various motives and techniques. We finished the section discussing emerging threat sources such as nation-state hackers, disgruntled employees, and more.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
17-ch17.indd 681
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
682
Performing Ongoing Research • A good chunk of your time should be spent conducting research—either formally as part of your job requirements or informally to keep up your skills. • Visit vendor websites for the latest information on vulnerabilities, updates, FAQs, other software downloads, and best security practices. • Use official information security sources such as RFCs, ISO, NIST, ISACA, EC-Council, (ISC)², and SANS. • Subscribe to security mailing lists such as Bugtraq, CERT Advisories, and Security Weekly. • Visit vulnerability websites such as the CVE database, SecurityTracker, and SecurityFocus. • Visit vendor-specific social media profiles on Facebook, Twitter, and LinkedIn. • Attend security convention events like Black Hat, DEFCON, and HOPE. • The introduction of any new technology to an organization must be accomplished with an examination of the possibility for exploitation of the technology by others. • The IETF is a large, international community of network administrators, designers, vendors, and researchers who are concerned with the evolution of the Internet and its continued operation. • ISO produces and disseminates proprietary, industrial, and commercial standards.
Threat Intelligence • Threat intelligence is the methodical process of collecting information about cybersecurity threats. • A zero-day vulnerability occurs when a software error or hole impacting security is discovered and exploited before a patch is developed to address the vulnerability. • The best way to counter zero-day vulnerabilities is to prevent them in the first place through better coding practices. • Threat modeling is a process of identifying and analyzing a threat’s objectives, attack vectors, requirements, and the various ways in which it might exploit the vulnerabilities of an asset. • The five steps for threat modeling are identifying attacker objectives, identifying attack vectors and attack requirements, identifying targets, assessing targets, and identifying mitigation techniques.
Researching Security Implications of Emerging Business Tools • Organizations should establish policies for the use of social media in the workplace and should provide guidelines on who can speak on behalf of the organization. • Big data refers to huge amounts of mostly unstructured data that is often too large for standard systems to process.
17-ch17.indd 682
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
683
• Artificial intelligence (AI) involves computers performing tasks with a humanlike intelligence. • Machine learning is a type of AI where computers use certain built-in learning factors to guide their learning and adaptation of data. • Deep learning is a deeper form of machine learning in which technology tools don’t use any baseline factors to guide their learning; rather, the technology decides for itself what learning and classification modalities to implement based on the inputs it receives.
Global IA Industry/Community • Numerous training companies, conferences, seminars, workshops, and webinars exist that can help security professionals stay on top of current security issues and developing trends. • CERT is a coalition of official security teams scattered throughout the world that are more accurately known as computer security incident response teams (CSIRTs). • One of the best ways to stay on top of what is happening in the security community is to attend security conferences such as RSA, Black Hat, DEFCON, USENIX Security Symposium, IEEE Symposium, and so on. • Research into security consulting agencies and hardware/software vendors is a great way to gain insight or support on enhancing organizational security. • From the attacker’s standpoint, there are two general types of targets: targets of opportunity and explicit targets.
The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.
PART V
Questions
1. Best-practice documents are useful for security personnel for which of the following reasons? (Choose all that apply.) A. Following them will ensure that the organization will be free from security
problems (breaches). B. They allow security personnel to see what others may do in similar situations to the one they find themselves in. C. With a limited amount of time, security personnel need to know what things to do first or to concentrate on what will yield the largest payback. D. In case of a breach, the organization can show that it at least did what others are doing to secure their own systems, thus it has shown a reasonable level of due diligence.
17-ch17.indd 683
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
684
2. Which of the following is true about the introduction of new technologies into an organization? A. Because the security issue has been known for a while, new technologies are
produced with security in mind, and introducing them will have no adverse impact on the security of an organization. B. The introduction of new technology to an organization will usually result in a more secure network environment. C. New technologies can have a negative impact on the security of an organization, potentially introducing new vulnerabilities. D. New technology is more secure than older technology but can still have security implications if not installed correctly. 3. Your network administrator has informed you that your organization will be switching from IPv4 to IPv6. You’ve been asked to determine what impact this might have on the security of the corporate network. You know that others have also made this same move in their organizations, so you are sure that there must be some documents on what the security implications might be. Besides documents from vendors that often are obviously also trying to sell you a product or service, which of the following might you also check to learn as much about this new technology and its security implications from an objective standpoint? A. There is no real way of determining the security implications of new technology before you implement it on your own network. B. The National Institute of Standards and Technology (NIST) produces bestpractice documents for all new technology that is introduced to the Internet. C. RFCs are used to seek input from the community on issues and changes in technology that have an impact on the larger Internet community. D. The International Internet Standards Organization must approve all new technology changes that will have an impact on the Internet before they are implemented. This organization produces standards for the implementation and use of new technologies, which you can download and follow. 4. Your CEO just came back from a luncheon where the speaker discussed zero-day threats. Your CEO has expressed a concern that your organization could be hit by one of these and wants to know what can be done to protect the organization from such a threat. The CEO wants you to do whatever is necessary to guarantee that such an event won’t impact your organization. What is your reply? A. You tell your CEO that you can guarantee that you will never be susceptible to a zero-day exploit, but it will require a dramatic increase in the security budget so you can employ all possible countermeasures. B. You try to allay some of the CEO’s fears by discussing how as long as you employ what are considered the standard best practices for your industry, you should be pretty much guaranteed that you will not be hit by a zero-day exploit.
17-ch17.indd 684
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
685
C. You use Stuxnet as an example and explain that zero-day exploits are only the
17-ch17.indd 685
PART V
concern of specific sectors (such as the critical infrastructures such as power and water) and that because your company is not part of one of them, it is not going to be hit with an event such as Stuxnet. D. You explain that by their very nature, zero-day exploits are extremely difficult to detect and that there is no way you can guarantee the company will never be impacted by one. You explain that there are steps that can be taken to minimize the potential impact and to increase the likelihood that you catch one quickly, but you can’t eliminate the possibility totally. 5. Which of the following are considered threats in computer security? (Choose all that apply.) A. Hackers B. Organized crime C. Insiders D. Lightning 6. Which of the following statements are true of social media/networking? (Choose all that apply.) A. Social networks are harmless and present no security concern to an organization. B. Social networks can be used as an avenue for attackers to have users inadvertently install malware on corporate systems and networks. C. Employees might post sensitive information on a social networking site that could harm an organization. D. Social networks should never be used by any business. 7. Which of the following are ways that an organization can determine the security implications of a new technology? (Choose all that apply.) A. Check with the Better Business Bureau, which keeps a list of security vulnerabilities for products. B. The vendor may supply information, as long as it benefits the product. C. The organization can have a vulnerability or penetration test performed on the new product or technology. D. Check to see what has been said about it on the Internet. 8. Which of the following statements is true about the information assurance community? A. It is large and continually growing. B. It has remained static for the last decade, neither growing nor shrinking. C. With the downturn in the global economy, the security community has also been affected and has shrunk from its peak, which occurred around 2001. D. It is not a legitimate source for security information.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
686
9. Which of the following conferences was created to draw its audience from “all sides” of the hacking community—that is, from industry, government (including law enforcement), academia, and the hacking community? A. DEFCON B. RSA C. Black Hat D. USENIX
10. Which of the following is a characteristic of a highly structured threat? A. It is conducted by script kiddies. B. Attackers will take weeks or even months to accomplish their goal. C. The attackers have considerable time and financial backing. D. Attackers concentrate on only one attack vector until successful.
11. One type of attack occurs when an attacker is looking for somebody who has a system that is vulnerable to a specific exploit. The attacker is not concerned with the type of organization that is using the system, but only wants to find organizations that are utilizing the specific system or software. This is known as a(n): A. Explicit target B. Target of opportunity C. Non-sector-based attack D. Sector-specific attack
12. What is a “hacktivist”? (Choose all that apply) A. An attacker who targets only controversial organizations. B. A term used to refer to “hackers” who are not as talented and are not part of
any organized group. C. A term used to refer to individuals who are part of an organized hacking group targeting controversial organizations. D. An attacker who “hacks” in order to obtain publicity for some cause. 13. Which organization is responsible for publishing RFCs? A. ISO B. IEEE C. IETF D. NIST
17-ch17.indd 686
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
Chapter 17: Research Methods and Industry Trends
687
14. Which of the following are examples of malicious hackers who always hack for political or social reasons? (Choose all that apply.) A. Suicide hackers B. Hacktivists C. Script kiddies D. White hats
15. Which of the following best describes a zero-day vulnerability? A. A vulnerability that can be quickly mitigated. B. A vulnerability that disappears on its own. C. A vulnerability that is unknown to the vendor of the vulnerable product. D. A vulnerability too complex or risky to ever develop a patch for.
Answers 1. B, C, D. All of these are reasons that following security best practices will be useful for security professionals. 2. C. The introduction of some new technologies can absolutely have an impact on the security of the system and should therefore be closely examined to see what new vulnerabilities might have been introduced. An example of this is the introduction of wireless networks to an organization.
4. D. Zero-day exploits can hit any software, so there is no way to guarantee that a piece of software your organization uses won’t be impacted by one. There are certainly steps you can take to make it less likely you will suffer a catastrophic impact from a zeroday exploit, but you simply can’t guarantee you will never be impacted by one.
PART V
3. C. RFCs are often used to seek input for security issues due to changes in technology that may have a large impact on the Internet. Although the possibility was not provided, you can also often find fairly objective white papers produced by various vendors discussing security issues related to new technology.
5. A, B, C, D. All these can be considered threats to your computer systems and network. 6. B, C. Social networks can be a problem from several perspectives, including providing a new avenue for the insertion of malware and also the possibility of employees posting sensitive information. 7. B, C, D. The vendor may supply information on the security implications, but you can’t always count on this. If they have considered the implications and addressed them, then they will probably be mentioned. If not, they will be avoided and you will need to check elsewhere. If you have already purchased the product, you can conduct a vulnerability or penetration test, either using your own security personnel to conduct it or by hiring a third party. Finally, don’t forget the Internet. Chances are good that somebody has written something about the technology and its security implications already.
17-ch17.indd 687
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 17
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
688
8. A. The community has been growing and doesn’t show any signs of a downturn. 9. C. Black Hat was originally created to bring together individuals from all sides to discuss security issues. It has grown to become a very large conference with attendees from all over the world and from every sector. 10. C. Highly structured threats are characterized by attackers who have considerable time and financial backing in order to accomplish their goal. 11. B. This is a description of a target of opportunity. 12. C, D. A term used to refer to individuals who are part of an organized hacking group targeting controversial organizations. Also, a hacktivist has a cause to promote and will attack sites associated with that issue or cause, but may also attack less protected sites in order to gain publicity. 13. C. IETF publishes RFCs. 14. A, B. Suicide hackers are essentially hacktivists who are willing to get caught or “take one for the team” in order to advance their agenda. 15. C. It a vulnerability that a product’s vendor is currently unaware of; therefore, the vendor has not developed a patch yet.
17-ch17.indd 688
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
18
CHAPTER
Technology Life Cycles and Security Activities This chapter presents the following topics: • Systems development life cycle • Software development life cycle • Adapting solutions • Asset management (inventory control)
Like all things in the universe, hardware and software systems have a life cycle—a beginning, middle, and end. Considering that customers, competitors, industries, and regulations are in a constant state of change, organizations must quickly adapt to their new surroundings. Typically, new technological systems are developed or acquired as part of this adaptation. The technology life cycle refers to new technologies entering the enterprise on a regular basis—in limited use at first—followed by widespread adoption when it makes business sense. Eventually, technologies are retired as new ones take their place. Across this life cycle, security functionality must be maintained, and changes in the technology environment force potential changes in the security environment. Software development life cycles are increasingly important and mandate the incorporation of security into all phases of development. We’ve seen a significant uptick in software life cycle documentation requirements, code testing, and the need for software to adapt to the ever-changing threat landscape. This chapter covers the systems development life cycle, software development life cycle, various testing methods and documentation sources, and the adaptation of solutions to keep our systems and software safe.
Systems Development Life Cycle
More generalized in nature, the systems development life cycle (SDLC) refers to the process of planning, creating, testing, and deploying hardware or software systems. This includes hardware-only, software-only, or both information system types in a single project. The National Institute of Science and Technology (NIST) has published a special publication on the topic of systems development life cycles: NIST SP 800-64, “Security Considerations in the Information Systems Development Life Cycle.” This document
689
18-ch18.indd 689
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
690
Phase
Security Tasks
Initiation
• Initial definition of business requirements in terms of
confidentiality, integrity, and availability • Determination of information categorization and identification of known special-handling requirements in transmitting, storing, or creating information • Determination of privacy requirements Development/acquisition
• Conduct the risk assessment and use the results to supplement the baseline security controls
• Analyze security requirements • Perform functional and security testing • Prepare initial documents for system certification and accreditation • Design security architecture Implementation
• Implementation of system security features • System security features configured, enabled, tested, and verified
Operation/maintenance Disposal
• Secure modification of system on a regular basis • Implementation of configuration management process • Secure disposition of information, including data and cryptographic keys
Table 18-1 Information Systems Development Life Cycle Phases
is designed to assist implementers in the integration of security steps into their existing development processes. The NIST process consists of five phases: initiation, development/ acquisition, implementation, operation/maintenance, and disposal (see Table 18-1). As indicated in the table, the initiation phase is where systems begin. This is where needs and requirements are determined and where system planning and feasibility studies are conducted. Before a system can be architected and designed, a full set of requirements needs to be developed, both technical and operational. In addition to those functionality requirements, security requirements must also be defined here. The development/acquisition phase is when the requirements from the initiation phase are turned into functional designs. Whether a system is built or purchased, there is a need to determine what security controls are required and how they should be employed to ensure the system meets the requirements. The implementation phase sees these requirements are met with actual security controls upon approval from executive management. Once a system has been implemented, the operation/maintenance phase continually ensures the system’s security posture is verified periodically with respect to continued compliance with the initial security requirements. This is done through a series of security audits. During the operation of a system, it will be upgraded and changed as software gets updated and hardware capabilities improve. These incremental changes, governed by
18-ch18.indd 690
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
691
Figure 18-1 Systems development life cycle
Initiation Phase 1 Development/Acquisition Phase 2
Disposal Phase 5
Implementation Phase 3 Operation/Maintenance Phase 4
PART V
the Change Control Board (CCB) process, keep the system aligned with ever-changing business requirements as well. The disposal phase involves the removal of the system after it loses its value to the organization. It ensures the secure destruction of information, including data and cryptographic keys, and possibly the physical hardware and storage devices on which the information was saved. See Figure 18-1 for a visual depiction of the systems development life cycle. EXAM TIP The U.S. federal government has a formal process for implementing security in the system development life cycle, called the Certification and Accreditation Process. Certification is the formal examination of the security controls implemented to ensure they meet the desired requirements. Accreditation is a form of authorization for placing the system into production and accepting the residual risk.
Requirements It’s important to know in advance which business needs the proposed system must fulfill in order to rationalize implementation. To formalize this understanding, a useful SDLC step is the creation of a requirements definition document. This document will outline all system requirements and why they are needed. It discusses the needed features, functions,
18-ch18.indd 691
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
692
and any customizations that should be implemented. Certain requirements will be prioritized over others in order to better align the proposed system with business objectives. The requirements help us determine the overall capabilities that the system must have to meet the organization’s needs.
Acquisition Ironically, not all systems development life cycles involve development. In many instances, organizations will elect to purchase systems or applications from a vendor as opposed to developing an in-house solution. Other than this switching of the second phase of the SDLC from development to acquisition, the process remains much the same. Implementers must still evaluate the acquired solution’s ability to fulfill the organization’s security requirements prior to purchasing, which will be discussed in the next section.
Test and Evaluation Regardless of whether the new technology was developed or acquired, organizations must test and evaluate the technology to identify any shortcomings or vulnerabilities in its functionality, security, and performance. This will help determine if the product conforms to organizational expectations. Such tests may even include black-box testing and white-box testing to exploit the vulnerabilities to demonstrate how hackers might make similar attempts themselves—but more importantly discover and mitigate the vulnerabilities before the hackers attack.
Commissioning/Decommissioning Commissioning a new, modified, or upgraded system marks the implementation of the technology into the production environment. Conversely, decommissioning is the retirement of technology from the environment. At no point in the system’s life cycle is a technology more vulnerable than when it is first implemented. Security controls must be implemented promptly, yet the nature of those controls will depend on whether the newly integrated system is hardware or software based, a developed system versus an acquired one, or a network-based system as opposed to a host-based system. On the flip side, systems will be periodically decommissioned or disposed of as part of normal operations. Such decommissioning of systems comes with legal and security implications. If the device stores data, the following questions are in order:
• Has all the data been removed from the system? • Is the decommissioning of the system documented? • If a vendor is given access to repair a system, how is the vendor access managed with respect to data security? • If the vendor has administrative permissions on a system, how is their activity logged, managed, and regulated?
18-ch18.indd 692
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
693
EXAM TIP An oft-forgotten data element when disposing of equipment, or sending it off for repair/replacement, is the storage of cryptographic keys. If a system has stored cryptography keys, the removal and/or destruction of those data elements is an important security issue. The bottom line is simple: before any equipment is shipped out, regardless of the reason, all data needs to be removed.
Operational Activities Systems operate within the context of other systems. Whether you’re implementing something as simple as new functionality in an existing system or putting in place a completely new system, security issues arise from the interaction of the system with the rest of the enterprise systems. Sometimes the risk is in the new system only, and sometimes a new system can introduce risk elsewhere in the enterprise. To ensure that the desired risk profiles of the enterprise are maintained, it is important to perform specific securityrelated activities associated with determining and managing the risk. EXAM TIP The operational activities associated with the determination and maintenance of a risk profile include the following:
• Security policy management • Security impact analysis (including configuration and patch
These activities should be performed prior to implementation and then periodically or as changes are introduced over time.
PART V
management) • Privacy impact analysis • Threat modeling and vulnerability analysis • Security awareness and training
The introduction of new systems or components can affect the security policy of an organization. Periodic analysis and maintenance of the security policy are necessary to ensure that the organization is cognizant of the desired risk profiles associated with operations. To understand the impact of a system on the risk profile, a security impact analysis can be performed. This examines the impact on the desired levels of security attributes— typically confidentiality, integrity, and availability—due to the system’s implementation. The security impact analysis can also examine the issues of configuration management and patch management activities and their impact on risk profiles. A privacy impact analysis can perform the same function toward privacy impacts. Threat modeling and vulnerability analysis can provide information as to the levels and causes of risk associated with a system. These tools provide the means to examine, characterize, and communicate the elements of risk in a system. Security awareness and training assist in enabling the people component of security, communicating to users the security expectations, risks, and implications that can result from their specific interactions.
18-ch18.indd 693
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
694
Monitoring
The systems development life cycle doesn’t end once a product is operational. We must continuously monitor the system’s operational state in order to identify performance and usage patterns, in addition to any signs of malicious activities. An important part of this monitoring is the capturing of a baseline, especially given the pristine condition of a system that was just freshly integrated into the environment. The baseline will serve as the measuring stick for future performance benchmarks comparisons in order to ensure that performance remains aligned with the baseline, or addressed in order to realign it with the baseline. Intentional changes to the system are inevitable; therefore, a change management process may be invoked to ensure proposed changes are formally requested, approved, and scheduled for implementation. A security assessment may also be necessary during this stage to identify and mitigate any vulnerabilities that were missed during earlier life cycle phases.
Maintenance
Every system requires maintenance as part of its life cycle. Both hardware and software require maintenance, and these activities can have an impact on security. Maintenance activities can be both on a specific system and on the environment where the system resides. The maintenance of antivirus and antimalware programs on a server may be considered separate from the systems running on the server, yet this is an important security activity. There have been cases of antivirus/antimalware updates resulting in the disabling of critical system components because of false positive issues. There have been cases of operating system patches that have resulted in the disabling of system functionality that a specific system was counting on to properly function. The policy should not be to skip these critical maintenance functions, but rather to perform them in a documented manner that permits recovery from unknown effects. The policy should specify timeframes for applying updates, both in the daily operational cycle and with respect to time, from release to implementation. These are important not just for antivirus and antimalware updates, but also operating system and application updates and patches. When new hardware is employed, or existing hardware is replaced as a form of maintenance, a security analysis of the changes needs to be performed to understand the risks and the plan to recover from maintenance issues. A solid maintenance program will completely document maintenance history activities, both past and future (schedule), as well as who performed the maintenance, the results of the maintenance, and any noted concerns during the maintenance process. This documented log will assist in future planning activities as well as diagnosing problems associated with the actual maintenance.
Configuration and Change Management
Configuration management is the methodical process of managing configuration changes to a system throughout its life cycle. Carefully managing the configurations ensures that chances are slim the system’s security posture will be accidentally diminished. Sustaining these configurations is important; therefore, detailed records are kept to permit validation that the system’s trusted state hasn’t been altered, or was only altered under authorized conditions.
18-ch18.indd 694
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
695
If the system in question is a server, configuration management will result in the following outcomes:
• Enhanced provisioning Server deployments can be automated via a configuration management tool such as Microsoft System Center Configuration Manager. This deployment will include a fully configured OS, applications, drivers, and updates without user intervention. • Reduced outages Using intelligent configuration management tools will help sustain configuration integrity and instill positive changes while preventing negative changes, which will result in less outages and security breaches. • Cost-effective With IT automation resulting in faster deployments, greater consistency of configurations, increased reliability, and more efficient recoveries from failures, cost reductions are achieved at multiple levels. EXAM TIP Configuration management sounds an awful lot like change management, but they are different. Configuration management views change from a more technical context, whereas change management views change from a higher plane—as in the process, documentation, communications, and security considerations surrounding change.
18-ch18.indd 695
PART V
Change management is a formalized process by which all changes to a system are planned, tested, documented, and managed in a positive manner. In the event of an issue, a key element of each change plan is a back-out process that restores a system to its previous operating condition. Change management is an enterprise-wide function; therefore, changes are not performed in a vacuum, but under the guidance of all stakeholders. Change management activities are frequently managed through a CCB process, where a representative group of stakeholders approves change management plans. The CCB ensures that proposed changes have the necessary plans drafted before implementation, that the changes scheduled do not conflict with each other, and that the change process itself is managed, including testing and post-change back-out if needed. As an example, the IT department installs a new network printer at a branch office. The printer is statically configured with an IP address that was not already assigned by the DHCP server. Moments later, a branch office manager attending a video conference session is suddenly disconnected. It is soon determined that the IT technician configured the printer with the same IP address as the video conferencing equipment. Had the network printer implementation gone through a change management process, it is very likely that the proposed IP address for the printer would have been denied due to the conflict it would have caused with the video conferencing equipment. Change management is an important process for system stability. Change management is an enterprise-level process designed to control changes. It should be governed by a change management policy and implemented via a series of change management procedures. Anyone desiring a change should have a checklist to complete to ensure that the proper approvals, tests, and operational conditions exist prior to implementing a change.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
696
The change management process is driven by the CCB and governed by a series of procedures. The typical set of change management procedures will include the following:
• Change management process • Documentation required for a change request • Documentation required for actual change, including back-out • Training requirements and documentation associated with a proposed change
Asset Disposal Asset disposal refers to the organizational process of discarding assets when they are no longer needed. All system assets, whether software based or hardware based, eventually reach the end of their usefulness to the organization. If the asset to be discarded is an acquired or developed application, the organization will likely eradicate the data from the storage device. There are several ways to sanitize storage media:
• Erasing A software technique involving overwriting each area on the storage media. NIST recommends at least three full-disk overwrite operations; yet more passes may be required for government compliance. Overwriting balances the needs of strong sanitization without media destruction. This permits the recirculation of the drive back into the organization, or its donation to another company or group. Companies frequently donate computers and storage media to schools or libraries. • Degaussing Involves demagnetizing the drive media, which is generally considered one of the most powerful sanitization methods. However, it will likely result in destroying the drive media as well. This is a desired outcome for drives that should be thrown out anyway. • Shredding Uses a hard drive shredder that shreds the drive into many pieces. Shredded drives may undergo a second pass to increase shredded content. • Disintegrating A disintegrator uses knives to disintegrate drives into fragments even smaller than those from a shredder. • Melting Completely eradicates a drive through exposure to a molten vat, battery acids, or another type of acid. NOTE Compliance laws often mandate data disposal requirements. As per the U.S. Department of Health and Human Services website, HIPAA disposal requirements suggest the following: “For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).”
18-ch18.indd 696
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
697
Asset/Object Reuse Eventually, all assets will require disposal, yet some are still viable for recirculation back into the organization’s inventory. Before reintegrating the asset, we should first identify the asset’s current purpose and information content. If the asset will be provided to someone with a similar role or usage requirement, the asset may require little to no data wiping or restructuring. If the asset contains sensitive materials, we’ll likely have to erase or overwrite the drive prior to reprovisioning it to the user from a disk image or factory reset.
Software Development Life Cycle
1. Requirements gathering 2. Design
PART V
Considered a subset of the systems development life cycle—as well as used interchangeably with it on occasion—the software development life cycle (SDLC) represents the various processes and procedures employed to develop software. It encompasses a detailed plan for not only development but also the replacement or improvement of the software. Software is complicated to develop; therefore, a series of steps are needed to guide the development through various milestones. Since SDLC focuses on software development as opposed to the more generalized systems development, the SDLC’s steps will guide the development of the software from planning and designing to testing, maintenance, and even disposal. Given the variety of popular SDLC models such as Waterfall, Agile, and Spiral, the SDLC steps can vary a bit. One thing all of these development strategies have in common is to develop great software in an affordable and efficient way. Shown next are the order of steps that roughly capture the essence of any SDLC model. Mind you, the exact process will vary based on the software development methodology chosen:
3. Development 4. Testing 5. Operations and maintenance
Requirements Gathering Phase The requirements gathering phase of a software development life cycle is basically the brainstorming of the who, the what, and the why of the project. Why are we developing the software? What will the software do? Who will use the software? In addition to answering these questions, software engineers and business stakeholders will define the scope of the project. They will consider expected costs, project scheduling, required human resources, hardware and software requirements, and capacity planning. Change management should also weigh in to formalize the request and proposal for the software.
18-ch18.indd 697
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
698
Security requirements must be defined for the software—for example, the exact confidentiality, integrity, and availability requirements as per the CIA scoring system talked about in Chapter 3. Since software development is a major change, a risk assessment should be conducted to identify any risks, threats, or vulnerabilities that could derail the feasibility and cost/benefits of the project. Also, consider performing a privacy risk assessment to determine data sensitivity levels for the data being generated or consumed. Compliance laws may impart specific security and privacy requirements on the software and its data. Such requirements may involve certain physical security, authentication, encryption, logging, and data disposal processes.
Design Phase The requirements defined in the previous phase will be used as input for the design phase. Although we’re still in the “theoretical” stage of software development, the design phase shifts the focus from one largely about brainstorming both the organizational needs and their obstacles, to a phase focused on addressing said needs and obstacles. In other words, what design elements and protections must the software include to address the requirements? A good design should “connect the dots” by mapping the core behavior of the software directly to the software goals, security, and privacy requirements.
Design Models
The core behavior of software is typically designed by the guidance of three wellknown models:
• Informational model Specifies what information will be handled and how it will be handled. • Functional model Describes the various functions the application needs to implement. • Behavioral model Indicates the actions performed by the application at various phases of its usage. As with the requirements gathering phase, the information gleaned from these models will further shape the design of the software. In addition to software functional requirements, security and privacy requirements must also be addressed during the design phase. We’ll first want to determine the software’s attack surface to identify the areas that can be attacked or damaged, in addition to performing threat modeling, which examines the threats and their various methods of attacking the software. It should be hoped that the methods of addressing these various risk factors are not overly costly; otherwise, the software may be deemed impractical to implement.
18-ch18.indd 698
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
699
Development Phase The development phase transitions the SDLC away from the theoretical phases to actual development of the proposed software. This development will utilize all the information gathered from the previous phases to ensure the requirements guide each phase of development. The design phase saw us mapping the software’s behaviors to requirements; therefore, each of those mapped behaviors will serve as independent development milestones or “deliverables” that steer the development piece-by-piece. Increasingly important today is the implementation of secure coding practices, which include manual and automated code review processes, vulnerability assessments from scanning tools, secure coding practices from groups like OWASP and CERT, plus input validation and bounds checking. EXAM TIP Software lacking input validation is particularly dangerous because attackers could potentially exploit it using SQL injection, file injection, LDAP injection, SOAP injection, and XML injection attacks—not to mention cross-site scripting (XSS), cross-site request forgery (XSRF), and buffer overflow and integer overflow attacks.
Testing Phase
PART V
After the software is developed, the testing phase begins with a series of testing processes in order to identify, resolve, and reassess software until it is fit for use. There are numerous testing approaches, testing levels, and testing types that can be employed on software. Examples of testing approaches include static and dynamic testing. Static testing takes place at various points during develop or prior to code actually running, whereas dynamic testing takes place while the code is running. Testing levels include unit testing, where individual components are tested, and integration testing, which tests how components work together. Testing types include acceptance testing, where code is verified to meet requirements, and regression testing, which retests software after modifications are made. EXAM TIP Although there are too many testing types to list, the keys to software testing are to ensure that the software meets promised requirements, can handle various input types, performs reasonably fast, has an intuitive interface, and installs and runs reliably.
Operations and Maintenance Phase The final stage of the SDLC sees the software deployed into the production environment. From here on out we’ll be performing continuous monitoring to see how it performs under daily workloads, identify any functional and security issues, and either reconfigure the software or develop software patches to address the discovered issues. NOTE Eventually, the software’s life cycle will end with its retirement and disposal from the production environment. A new product may be developed to replace the previous one, thus beginning the SDLC process all over again.
18-ch18.indd 699
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
700
Application Security Frameworks Secure application development is not an easy task. There are too many issues across too many platforms to expect a person to get it all correct every time. The solution is to adopt an application-level security framework and let the designers and developers spend their resources on designing and developing the desired functionality. There are several approaches to implementing an application security framework— from homegrown to industry supported to commercial solutions. Numerous resources are available from standard libraries to complete frameworks available for integration into an enterprise solution. The key element is to decide on a path, document the path, train the development team as to the path, and then hold the design and development team’s feet to the fire with respect to staying on a specific path. EXAM TIP A wide variety of application security frameworks is available to developers. From the comprehensive OWASP Enterprise Security API, to Apache Shiro, to individual input data validation and output encoding functions, there are numerous specific solutions. What’s more, numerous vetted libraries of secure functions can be used in place of native language calls. After choosing the development language, the next most important step is to pick the framework and libraries to ensure consistent and secure development practices are employed.
Application developers rely on software development frameworks to solve a lot of fundamental problems in their application development efforts. To reduce risk via the development process, we need to use application frameworks and libraries that solve their problems in a secure way. The application framework should protect developers from SQL injection and other injection attacks; it should provide strong session management, including cross-site request forgery protection and auto-escaping protection against cross-site scripting. Through the use of the application framework, developers would be protected from making mistakes that are prevalent in web applications.
Software Assurance Software assurance is a process of providing guarantees that acquired or developed software is fit for use and meets prescribed security requirements. In doing so, we can be confident that the software will be relatively devoid of vulnerabilities at launch and throughout its life cycle. Software assurance processes are frequently implemented in mission-critical industries, including national security, financial, healthcare, aviation, and more. There are various ways to implement software assurance, including the following:
• Auditing and logging of the software • Standard libraries such as cryptographic ciphers • Industry-accepted approaches such as ISO 27000 series, ITIL, PCI DSS, and SAFECode The next several topics will go into more detail on software assurance methods.
18-ch18.indd 700
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
701
Standard Libraries
Modern web applications are complex programs with many difficult challenges related to security. Ensuring technically challenging functionality such as authentication, authorization, and encryption can take a toll on designers, and these have been areas that are prime for errors. One method of reducing development time and improving code quality and security is through the use of vetted library functions for these complex areas. A longstanding policy shared among security professionals is, “Thou shall not roll your own crypto,” which speaks to the difficulty in properly implementing cryptographic routines in a secure and correct fashion. Standard libraries with vetted calls to handle these complex functions exist and should be employed as part of a secure development process.
Examples of Secure Libraries
There are numerous vetted and secure libraries for use in applications, including the following:
• Microsoft Web Protection Library (runtime protection from XSS and SQL injection) • OWASP Enterprise Security API input data validation and output encoding functions • OWASP AntiSamy • OWASP CRSFGuard PART V
The use of tools such as these removes much of the tedium associated with secure coding and allows developers to focus on the actual application development as opposed to the secure implementation of functions. Standard libraries can perform numerous functions. For instance, in the C language, there are libraries full of functions to enable more efficient coding. Understanding the security implications of libraries and functions is essential because they are incorporated into the code when compiled. In languages such as C, certain functions can be used in an unsafe fashion. An example is the strcpy() function, which copies a string without checking to see if the size of the source fits in the destination, thus creating a potential bufferoverflow condition. The rationale is that this is done for speed, because not all string copies need to be length verified, and the function strncpy() and other custom functions should be used where length is not guaranteed. The challenge is in getting coders to use the correct functions in the correct place, recognizing the security issues that might occur.
Industry-Accepted Approaches
The information security industry is full of accepted approaches to securing information in the enterprise. From standards such as the ISO 27000 series, to approaches such as IT Infrastructure Library (ITIL), to contractual elements such as PCI DSS, each of these brings various constructs to the enterprise. Also, each has an impact on application development because it frames a set of security requirements.
18-ch18.indd 701
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
702
A more direct approach to an industry-accepted best practices application can be found through the industry group Software Assurance Forum for Excellence in Code (SAFECode, www.safecode.org). SAFECode is an industry consortium with a mission to share best practices that have worked in major organizations.
SAFECode
SAFECode publishes a series of industry best practices. These practices are broken into the following categories and recommendations:
• Secure Design Principles • Threat modeling • Use least privilege • Implement sandboxing • Secure Coding Practices • Unsafe string and buffer functions • Validate input and output • Robust integer operations • Use anti-XSS • Use canonical data formats • Avoid string concatenation for dynamic SQL statements • Eliminate weak cryptography • Use logging and tracing • Testing Recommendations • Determine attack surface • Use appropriate testing tools • Perform fuzz/robustness testing • Perform penetration testing • Technology Recommendations • Use a current compiler toolset • Use static analysis tools
Web Services Security (WS-Security)
SOAP is a protocol that employs XML, allowing web services to send and receive structured information. SOAP by itself is very insecure. Web Services Security (WS-Security) can provide authentication, integrity, confidentiality, and nonrepudiation for web services using SOAP. However, WS-Security is just a collection of security mechanisms
18-ch18.indd 702
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
703
for signing, encrypting, and authenticating SOAP messages. Merely using WS-Security does not guarantee security. Authentication is critical and should be performed in almost all circumstances. Simple authentication can be achieved with usernames and password tokens. Passwords and usernames should always be encrypted. Furthermore, always use PasswordDigest in favor of PasswordText to avoid cleartext passwords. Authentication of one or both parties can be achieved by using X.509 certificates. Authentication is accomplished by including an X.509 certificate and a piece of information signed with the certificate’s private key. WS-Security is very flexible and allows the encryption and signing of the underlying XML document, or only parts of it. This is useful because it allows the generation of a single message with different portions readable by different parties. If possible, always sign and encrypt the entire underlying XML document. Encryption should not be applied without a signature, if possible, because encrypted information can still be modified or replayed. The order of signing and encrypting is also important. Generally, the best protection is achieved by signing the message and then encrypting the message and the signature. Stronger encryption algorithms such as AES should be used instead of older algorithms such as 3DES. Do not transmit symmetric keys over the network, if possible. If transmission of symmetric keys is required, always encrypt the symmetric key with the recipient’s public key and be sure to sign the message.
Forbidden Coding Techniques
CASP+ practitioners are not likely to be expert programmers, yet they’re expected to be capable of warning software developers about poor coding techniques. This section lists some of the forbidden coding techniques regarding unacceptable developer and application behaviors.
18-ch18.indd 703
PART V
• Integrating plaintext passwords or keys into source code • Using absolute values in file paths, which reduces code flexibility • Lack of cryptography at rest, in transit, and in use • Error messages that are too verbose or useless • Single-factor authentication and plaintext delivery of credentials • Applications requiring administrative privileges and generous access to the Windows Registry • Utilizing “self-made” cryptographic ciphers • Code typos • Long code with many possible functions • Unnecessary time spent optimizing less-important code • Applications making unnecessary connections on unnecessary ports • Lack of proper bounds checking and input validation • Absence of parameterized APIs • Code that doesn’t incorporate the principle of least privilege
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
704
NX/XN Bit Use
NX (no-execute) bit use refers to CPUs reserving certain areas of memory for containing code that cannot be executed. Akin to malware sandboxing, malware can be quarantined to this memory space so that it is restricted from execution. This will help protect the computer from certain malicious code attacks. On the flip side, XN (never-execute) is equivalent to NX bit use, only it applies to ARM CPUs instead. NOTE AMD started implementing NX bit use with their Athlon 64 and Opteron line of CPUs, while Intel started supporting it with the Pentium 4.
ASLR Use
Another memory security technique available to us is called address space layout randomization (ASLR). As the name implies, ASLR involves the operating system randomizing the operating locations of various portions of an application (such as application executable, APIs, libraries, and heap memory) in order to confuse a hacker’s attempt at predicting a buffer overflow target. Most modern operating systems support ASLR, including Windows Vista+, macOS 10.5+, Linux kernel version 2.6.12+, iOS 4.3+, Android 4+, plus a few other Unix varieties. CAUTION ASLR is useful for mitigating many memory vulnerabilities, but not all of them. It has proven vulnerable to side channel attacks, plus certain memory and CPU exploits. Some experts theorize that its inherent exploitability may render it useless if further ASLR improvements are not created.
Code Quality
Code quality refers to the implementation of numerous coding best practices that are not officially defined, yet are generally accepted by the coding community. Given its subjectivity, here are characteristics generally associated with code quality:
• Clarity Simply written and easy to comprehend. • Consistency Closely aligns with functional and security requirements. • Dependencies Limits the number of outside dependencies. • Efficient Requires minimal resources and time for task completion. • Extensibility Accommodates future changes and growth. • Maintainable Easy to make changes. • Standardized Uses well-known and standardized techniques. • Well-documented Documented for current and future developers to understand components. • Well-tested Constantly subjected to testing to ensure bugs are identified early and often to ensure the product is fit for use.
18-ch18.indd 704
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
705
Code Analyzers
Code analysis involves the various techniques of reviewing and analyzing code. Automated and manual code analysis methods can be employed on static and dynamic code types—in addition to the use of fuzzing tools, which “poke” at code to see how it responds. By better understanding our code, we can discover and mitigate functional and security issues, hopefully before hackers exploit them. The next few topics provide deeper coverage of static, dynamic, and fuzzing analysis techniques. Fuzzer Previously discussed at length in Chapters 8 and 10, fuzzers take the approach of analyzing code in a more offensive manner by injecting unusual or malicious input into an application to see how it responds. The response generated by the application is then analyzed for signs of vulnerabilities. Fuzzing is commonly implemented via tools such as OWASP’s JBroFuzz and the WSFuzzer tools, in addition to other industry regulars such as Peach Fuzzer, w3af, skipfish, and wfuzz. Given their accessibility and content value, web applications are more frequently targeted for fuzzing than other Internet systems. Static Static code analysis is the process of reviewing code when it’s not running— hence, the term “static.” Since the code is in a non-executed and motionless state, it provides enhanced predictability. This code can be analyzed via manual review processes that are formal (line by line reviewing by multiple developers) or informal (lightweight and brief ) in nature, in addition to automated methods to expedite both the speed and uniformity of code analysis. In either case, the goal is to identify any security or functionality issues.
PART V
Dynamic On the contrary, dynamic code analysis is the process of reviewing code that is running. Since the code is running, it’s in a constant state of flux; hence, the term “dynamic.” Since code is meant to be run, dynamic analysis is positioned to identify code issues exposed in their natural state. As a result, such issues are more difficult to identify via static analysis methods. A good example of dynamic code analysis is the actions performed by fuzzers. EXAM TIP Static and dynamic code analysis methods are “equal in their differences.” Their different focuses makes them both equally necessary. Static analysis focuses on the ground-up perspective of code (developer perspective), as opposed to dynamic analysis, which views the code more from a top-down perspective (user’s perspective). Both perspectives give you the most information to discover and mitigate code issues.
Development Approaches Software development has changed a lot over the years. There are more applications, and devices capable of running applications, than ever before. Just Google Play and the Apple App Store alone have several million applications each. Today’s programmers have more defined specialties in specific disciplines, such as web applications, mobile applications, IoT, video games, and so on, than in years past—while also collaborating in increasingly larger teams and departments that are full-to-bursting with specialists in other areas.
18-ch18.indd 705
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
706
Whether it’s software development or life in general, today’s professionals tend to specialize in a given area as opposed to being well-rounded. Think about it, wouldn’t you rather visit a dentist for a root canal as opposed to a primary care physician? Better yet, wouldn’t you rather visit an endodontist, who specializes in root canals, as opposed to a general dentist? With the talent of today’s specialized developer, and their enhanced collaboration with other specialists, today’s software typically has the makings to be truly remarkable. On the flip side, the greater complexity of today’s software also increases its attack surface. More software features means more can be hacked, and more needs securing. Plus, today’s users are paradoxically making demands for “idiot-proof ” and intuitive software that is also very secure and feature-rich. Needless to say, developers have a lot of checkboxes to consider. To address such issues, while developing software in the most economical and efficient manner possible, developers rely upon various development approaches based on the type of software and project they’re working on. Each of these approaches employs different step-by-step procedures for producing high-quality software. As always, the goal is to make sure that software fulfills its stated promises. This section covers various development approaches and how they all uniquely attempt to achieve those goals. It also discusses DevOps, and how it can significantly improve software development timelines and quality.
DevOps
Typically, the software development group develops software, the quality assurance group tests and validates the software, and the operations group deploys it to the production environment. Having three separate teams inevitably creates an “us and them” dynamic of decreased communication, blame games, inefficiencies, and delayed or even cancelled projects. DevOps addresses these concerns by combining the software development, quality assurance, and operations teams into a single working unit to expedite and improve the quality of the development, testing, and deployment of software. DevOps units will benefit from less time spent on development, QA, and deployment; enhanced collaboration and creativity; a reduction in application maintenance and repairs; new and improved services; and quicker time to market.
Security Implications of Agile, Waterfall, and Spiral Software Development Methodologies
Given the complexities of software deployment, developers often choose from multiple software development methods, including Agile, Waterfall, and Spiral. As a security practitioner, you can help educate the developers regarding some of the security considerations inherent in these models. Agile The traditional approach to software development is akin to a parade in that everything is planned out in advance and the marching band cannot simply walk from point A to point B. There are many rules to follow, including walking in a certain formation, wearing a uniform, playing an instrument, smiling, and, most importantly, sticking
18-ch18.indd 706
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
707
to the script. Although that’s great for entertainment, many software projects can illafford to waste time jumping through hoops. These developers are often given a carefully laid-out plan with numerous processes to follow, and predetermined phases and milestones to achieve. There’s a lot of red tape, and they have to, again, stick to the script. As you can imagine, such over-thoroughness can drag a project out—as in sometimes not finish. Plus, it doesn’t encourage innovation or permit abrupt changes in strategy or tactics to take place if something goes wrong. Given the name, you might think that Agile software development has a need for speed—and you would be correct. Unlike other development methods, and by no means perfect, Agile focuses on efficiency rather than slow and steady. Agile prefers a lessregulated journey with smaller and adaptable milestones so that developers may quickly react to changes in requirements. When an “adaptive” model like this is used, changes are welcomed; plus it invites better collaboration with team members, and even may solicit feedback from customers. Projects are more likely to finish before deadlines as a result. On the downside, accelerated approaches may diminish security. Faster coding with smaller-sized milestones, and reduced structure, may lead to less code testing and security implementations. Developers must be made aware to continue incorporating security best practices into their project despite its accelerated pace. NOTE Agile is an umbrella term with various manifestations, such as Scrum and lean software development.
PART V
Waterfall When you look at a waterfall, you see it following the same pattern and outcome each time. Water speeds off a cliff and hits the bottom. You’ll never see water changing its mind halfway down and flying back up to the top with a better idea. Such is the nature of the Waterfall development technique. In many ways the opposite of Agile, the Waterfall approach follows a strict sequential life-cycle approach where each development phase must be finished before beginning the next. The key is that developers cannot revisit previous phases once they’re complete; therefore, you must make absolutely sure you’re done before moving on. Although changes can be made prior to completing a phase, they cannot be added after phase completion. Instead, you’d have to wait until the entire project is finished before revisiting earlier phases. In other words, you have to solve issues earlier than you can anticipate, or much later when the change is long overdue. There are five steps in the Waterfall process:
• Requirements • Design • Implementation • Verification • Maintenance
18-ch18.indd 707
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
708
The best thing about the Waterfall approach is its predictability, since projects must be conducted in a very specific and predetermined way. This can work with easier development projects or those without a particular time constraint. Unfortunately, security can fall by the wayside due to the Waterfall’s inability to permit security changes once phases have completed. This can cause significant delay or prevent much-needed security changes. Spiral Although the Agile and Waterfall approaches have their benefits, there’s no middle ground. Either an approach is accelerated and relatively unplanned or slow and overly planned. Spiral comes to the rescue by borrowing some of the aspects of the other two approaches to make a balanced development solution. It utilizes the incremental progress and revisitation rights of Agile, but within the relative confines of the Waterfall approach. Given the balance of planning and efficiency, this is a good approach to use for large-scale projects. Security issues can arise from lack of security foresight from the beginning. Since Spiral takes a long-view perspective like Waterfall, failure to incorporate secure code into the project early on may delay its incorporation until after the project has finished. Plus, because of the more accelerated aspects of Spiral due to its Agile-like incremental milestones, the coding might be rushed at certain portions, which leaves little time for security. EXAM TIP Agile and Spiral are generally considered to be superior to Waterfall given Agile’s accelerated nature and Spiral’s balance of acceleration and thoroughness.
Continuous Integration
Continuous integration (CI) is the process of repeatedly incorporating code from various developers into a single code structure. It is performed multiple times throughout the day in an automated fashion. This rapid-fire repetition of integration is the benefit because delayed integration leads to developer code “sprawl,” which makes integration more difficult. By developers continuously performing the integration, code drift is less likely to occur; in addition, this permits functional and security code repairs while the issues are still small, which makes for higher-quality and more secure software.
Versioning
Versioning is the process of marking important code milestones or changes with a timestamped version number. Since code changes take place frequently, version numbers progress through a series of major and minor number increments. Based on the significance or direction of code changes, version numbers may change incrementally—from 1.0 to 1.0.1 (minor), for example—or larger changes such as 1.0 to 1.1 (major). Whenever code changes occur, it can have a positive or negative effect. To ensure that we’re always taking the right path forward, we may stick with the versions of code that produce the best outcomes. If we hit a snag or dead end, we can roll back to previous versions of code. This will allow us to systematically trace our successes and failures to certain versions of code. By utilizing versioning, we’ll eventually discard the bad code and continue onward with the better code. The end result will be a better and more secure final product.
18-ch18.indd 708
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
709
Secure Coding Standards Secure coding standards are language-specific rules and recommended practices that provide for secure programming. It is one thing to describe sources of vulnerabilities and errors in programs; it is another matter to prescribe forms that, when implemented, will preclude the specific sets of vulnerabilities and exploitable conditions found in typical code. Application programming can be considered to be a form of manufacturing. Requirements are turned into value-added product at the end of a series of business processes. Controlling these processes and making them repeatable is one of the objectives of a secure development life cycle. One of the ways an organization can achieve this objective is to adopt an enterprise-specific set of secure coding standards. NOTE Secure coding standards have been published by the Software Engineering Institute/CERT at Carnegie Mellon University for C, C++, and Java. Each of these standards includes rules and recommended practices for secure programming in the specific language.
Organizations should adopt the use of a secure application development framework as part of their software development life cycle process. Because secure coding guidelines have been published for most common languages, adoption of these practices is an important part of secure coding standards in an enterprise. Adapting and adopting industry best practices is also an important element in the software development life cycle.
Documentation is crucial to SDLC since each phase has many requirements that need to be met. Developers look to documentation to guide them through the numerous processes and procedures necessary to succeed at each phase of the SDLC. Documentation not only helps plot a course forward but also gives you a historical account of successes and failures that you can refer to for guidance on a current situation or problem. Various documentation types exist for these purposes, including a security requirements traceability matrix, a requirements definition, system design documents, and testing plans. The next few topics dive deeper into these forms of documentation.
PART V
Documentation
Security Requirements Traceability Matrix (SRTM)
The security requirements traceability matrix (SRTM) is a grid that allows users to crossreference requirements and implementation details. The SRTM assists in the documentation of relationships between security requirements, controls, and test/verification efforts. In the case of development efforts, the SRTM provides information as to which tests/use cases are employed to determine security requirements have been met. Each row in the SRTM is for a new requirement, making the matrix an easy way to view and compare the various requirements and the tests associated with each requirement. This matrix allows developers, testers, managers, and others to map requirements against use cases to ensure coverage by testing. In Table 18-2, Requirement 1.1.2 can be
18-ch18.indd 709
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
710
Requirement Identifier
Use Case 1.1
1.1.1
X
1.1.2 1.1.3
Use Case 1.2
Use Case 1.3
Use Case 1.4
Use Case 1.5
Use Case ...
Use Case 2.1
X X
X
X X
X
X
.... 6.8.1
X
X
Table 18-2 Sample SRTM for Development
tested using Use Cases 1.2 and 1.5. If changes are made to Use Case 1.5, this potentially affects the ability of the use case to test Requirements 1.1.2 and 6.8.1.
Requirements Definition
As discussed earlier in this chapter, the requirements definition is a document that outlines all system requirements and the reasons they are needed. It lists the needed capabilities, functions, and any modifications that should be implemented. Certain requirements will be given higher priority over others to cater to certain business objectives. The requirements help us determine the overall capabilities that the system must have to meet the needs of the business.
System Design Document
Whereas the requirements document outlines the reasons for software development, the system design document focuses on what will be developed and how it will be developed. This document describes the software at the architecture level and lists out various elements:
• Subsystems/services Outlines which software subsystems will be in use and what their responsibilities are. • System hardware architecture Describes hardware in use and connectivity between different hardware devices. • System software architecture Lists out all software components, including languages, tools, functions, subroutines, and classes. • Data management Includes descriptions of data schemes and the database selection. • Access control and security Describes access control method for data, including authentication, encryption, and key management capabilities. • Boundary conditions Discusses system startup/shutdown as well as error/ exception handling. • Interface design Documents internal/external interface architecture and design elements in addition to how the software interfaces with the user.
18-ch18.indd 710
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
711
It should be noted that these elements include security design requirements. These requirements should be taken seriously by the developing team to ensure both functional and secure software.
Test Plans
According to the International Software Testing Qualifications Board (ISTQB) website at www.istqb.org, test plans are “documentation describing the test objectives to be achieved and the means and the schedule for achieving them, organized to coordinate testing activities.” Here are some examples of test plans:
• Master test plan A top-level test plan that unifies all other test plans • Testing level-specific test plan A plan that describes how testing will work at different testing levels, such as unit testing and integration testing • Testing type-specific test plan Plans for the implementation of performance testing and security testing plans NOTE Although there are too many to list here, various test plan templates can help determine the formatting and content a test plan should incorporate. Suffice it to say that a few of those requirements include test deliverables, a test environment, an approach to testing, and pass/fail criteria.
Validation of the System Design
18-ch18.indd 711
PART V
Verification and validation are crucial steps in any system development process. Verification is a form of answering the question, Are you building it correctly? It is aimed at examination of whether or not the correct processes are being performed properly. Validation asks a different question: Are you building the right thing, or does the output match the requirements? Both of these are important questions, but after some simple thought it can be seen that verification can be viewed from an operational efficiency perspective and validation from a more important operational sufficiency perspective. Even if you get verification correct, if the product does not meet the requirements, it is not suitable for use. Testing can go a long way toward meeting system validation requirements. When requirements are created early in the system development process, the development of use cases for testing to validate the requirements can assist greatly in ensuring suitability at the end of the process. Testing in this regard tends to be aimed at seeing whether the system does what it is supposed to do; however, you must also ensure it does not do other things that it is not supposed to do. This leads to a more difficult question: How do you prove something is bounded by a set of desired states and does not perform other actions or have other states that would not be permissible? A branch of computer science called formal proofs is dedicated to examining this particular problem. The challenge is in finding a manner of modeling a system so that formal methods can be employed. In this section, we’re going to look at a few different testing methods: regression testing, user acceptance testing, unit testing, integration testing, and peer review.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
712
Regression Testing
Regression testing determines if changes to software have resulted in unintended losses of functionality and security. In other words, has the software regressed since a recent change was made? This type of test will help ensure that only acceptable changes are committed and that any negative outcomes are rolled back to a trusted starting point until changes no longer result in regression. The extra care taken will delay completion but will also increase software quality and security.
User Acceptance Testing
User acceptance testing solicits feedback from the software’s target audience to gauge their level of acceptance. Do they like the software? Does the software work? Is the software intuitive? Does the software secure and protect the privacy of their data? If the users reject the software, this may result in discarding the project entirely.
Unit Testing
When airline customers enter an airport, the security team will isolate each person who wishes to board a plane and examine them individually to ensure they don’t pose any threat. Unit testing performs a similar function in that it isolates every line of code in an application and performs an individual test on that code. This ensures the code is functional on its own and behaves in the exact manner it should. Although this slows down development efforts a bit, it results in fewer software bugs. CAUTION Some applications have too many lines of code for you to be able to perform unit testing on all of them. Instead, you’ll test a limited number of lines.
Integration Testing
In a way the opposite of unit testing, integration testing seeks to combine each developer’s code into an aggregated test to see how all that code meshes together. Since developers often work in silos, it’s important to determine if their code can be integrated with others’ code to create an application that meets functionality and security requirements. Since continuous integration is probably already automating the integration aspects, this would be a perfect time to perform the integration test. The biggest challenge to security is its potential removal due to poor integration efforts sometimes placing the blame on security. If security is the “obstacle” to integration, developers will probably discard the security element with a promise to revisit it later—only to not do so.
Peer Review
Peer review involves programmers on a team analyzing one another’s code to lend a different perspective. Analyzing our own code is a good idea, but it is difficult for us to spot all of the functional issues, both directly in front of us and buried in the details. Whereas functional issues are more easily detected through our own static, dynamic, and automated code analysis techniques, security issues are more difficult to spot and would greatly benefit from the fresh perspective offered by a peer. Anything that helps us detect and mitigate security issues is time well spent.
18-ch18.indd 712
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
713
Adapting Solutions
The security landscape is changing, and we need to change with it. The global proliferation of ransomware (such as WannaCry) by itself has caused billions of dollars of damage to businesses and people. Microsoft smartly adapted its Windows 10 operating system to included ransomware support via its Windows Defender Antivirus tool. That said, what about us security practitioners? Are we preparing ourselves for the onslaught of emerging threats, security trends, and disruptive technologies that are presently reinventing how hackers select, profile, and attack their victims? The intelligent among us will use our platform to compel organizations into increasing cybersecurity investments, implementations, and education in order to counter the next generation of cybersecurity threats and attackers. This section discusses the adaptation of security solutions based on the changing cybersecurity landscape.
Emerging Threats and Security Trends
18-ch18.indd 713
PART V
The threat environment faced today is different from the one faced last year—and will be different again next year. This is a function of two separate changing factors—one in the business environment and the other in the threat environment. The business environment is always evolving; it changes as markets change, technologies change, and priorities change. All this change leads to both opportunities and challenges with respect to securing the enterprise. But the bottom line from a security perspective remains the same: What is the risk profile, and how can it be improved using the available resources and controls? Will this risk profile meet the requirements of the business? The changes in the threat environment comprise a second, more pressing issue. What began as simple “Click here to…” spam has morphed into spear phishing threats, where clicking on what you expect to be a PDF report is instead a PDF with malware attached. Most threat vectors have shifted toward more dangerous and costly attacks. Nation-states have begun corporate espionage against literally thousands of firms, not to steal funds directly, but to gain intellectual property that saves them development costs. Organized crime is still mainly a “target of convenience” threat, but the tools being employed are becoming sophisticated and the costs are increasing. The challenge for the security professional is to determine what the correct controls are to reduce risk to a manageable level and then employ those controls. Then, as the operational situation changes over time, the security professional must reevaluate the tools being employed, reconsider the level of risk, and make adjustments. This is not a casual exercise of “Yep, it’s still all working.” Rather, it needs to be a serious vulnerability-assessment-based examination into the details of the levels of exposed risk. As in all systems, people play an integral role. The people side of the system also needs a periodic examination and refresh. This is where training and awareness campaigns come into play. However, just as a casual look at security controls doesn’t work, neither does running the same training over and over again. People are adaptive, and if they perceive they know the answers, they will not commit any time to the issue. Training and awareness needs to be fresh, informative, and interesting if you are going to capture the energy necessary to result in changed behaviors.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
714
NOTE The vast majority of training and awareness campaigns are perceived by the people receiving them as “Yes, we have to go check that box again” and hence do not have any true value in changing user behavior. For training and awareness to be effective, you must capture the participants’ true attention and get them involved. For instance, IT departments can send simulated spear phishing e-mails to end-users to let them “feel the pain” experienced by their improper e-mail handling techniques. Users tend to care more about security when their negligence is exposed. A caution: If these campaigns are also used for discipline, they can lose their training effectiveness.
Disruptive Technologies Throughout history, disruptive technologies have emerged that were so groundbreaking they changed everything about how people completed tasks. Cars reduced horseback riding, e-mail reduced mailing letters, and arguably the biggest disruptive technology of the past century was the invention of the refrigerator, which changed cooking and food preservation techniques. The “disruption” is very much a good thing, yet great technological strides are known for creating some “causalities” along the way. Current technologies will be displaced by the new disruptive technologies, which will lead to technologies being retired, entire industries disappearing, new industries being created, and, most loathsome of all, job loss. After all, the postal service isn’t thrilled about the effect e-mail has had on the mail delivery industry. NOTE Although some jobs are likely to disappear due to disruptive technologies, there’s one thing you can do to protect yourself from being the displaced party—educate yourself. With new knowledge, skills, and abilities, you’ll either keep your job or acquire one of the new jobs created by the disruptive technologies.
Today, many disruptive technologies are poised to change the world for the better, while also introducing entirely new forms of security threats and vulnerabilities. Couple this with many organizations and people urgently wanting to get the latest and greatest technology, and we might be opening ourselves up to considerable risk. Before we worried about our computers being hacked; now we’re worried about our homes and cars being hacked. Let’s take a look at the current crop of disruptive technologies:
• Artificial intelligence (AI) will improve information gathering and security, in addition to hacker attack methods. • Internet of Things (IoT) will flood our society with tens of billions of devices by 2020. • Blockchain will change how financial transactions are conducted around the world. • Advanced robotics will affect construction, retail, food and hospitality, manufacturing, and many more physical tasks.
18-ch18.indd 714
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
715
• Cloud computing will outsource IT, applications, data, and jobs to large Internet companies. • Self-driving cars will change how people travel, in addition to what people do while they’re traveling. • Virtual/augmented reality will vastly affect entertainment, education, and communication. • 5G wireless will increase cellular bandwidth, between 1 and 10Gbps per second. Although these are some of the more substantial disruptive technologies, there are many more out there and new ones lurking just over the horizon. Security professionals will need to get educated and update their skills on how to secure the next generation of cybersecurity hardware and software. They’ll need to learn how to adapt risk management, vulnerability assessments, incident response, and various other security controls to the current and future crop of security threats. After all, organizational and personal security hang in the balance.
Asset Management (Inventory Control)
18-ch18.indd 715
PART V
Asset management encompasses the business processes that allow an organization to support the entire life cycle of the organization’s assets (such as the IT and security systems). This covers a system’s entire life, from acquisition to disposal, and acquisition covers not just the actual purchase of the item, but the request, justification, and approval process as well. For software assets, this also includes software license management and version controls (to include updates and patches for security purposes). An obvious reason for implementing some sort of asset management system is to gain control of the inventory of systems and software. There are other reasons as well, including increasing accountability to ensure compliance (with such things as software licenses, which may limit the number of copies of a piece of software the organization can be using) and security (consider the management controls needed to ensure that a critical new security patch is installed). From a security standpoint, knowing what hardware the organization owns and what operating systems and applications are running on them is critical to being able to adequately protect the network and systems. Imagine that a new vulnerability report is released, providing details on a new exploit for a previously unknown vulnerability. A software fix that can mitigate the impact has been developed. How do you know whether this report is of concern to you if you have no idea what software you are running and where in the organization it resides? The components of an inventory control or asset management system include the software to keep track of the inventory items, possibly wireless devices to record transactions at the moment and location at which they occur, and a mechanism to tag and track individual items. Common methods of tagging today include barcodes as well as radio-frequency identification (RFID) and barcode tags. Such tags have gone a long way toward increasing the speed and accuracy of physical inventory audits. RFID tags are more expensive than barcodes but have the advantage of not needing a line of sight to be able to read them (in other words, a reader doesn’t have to actually see the RFID tag in order to be able to read it, so it can be placed in out-of-the-way locations on assets).
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
716
As a final note, the database of your software and hardware inventory is going to be critical for you to manage the security of your systems, but it could also be an extremely valuable piece of information for others as well. Obviously, vendors would love to know what you have in order to try and sell you other, additional products, but more importantly, attackers would love to have this information to make their lives easier because your database would give them a good start on identifying possible vulnerabilities to attempt to exploit. Because of this, you should be careful to protect your inventory list. For those who need or are interested in assistance with their inventory management, there are software products on the market that assist in automating the management of your hardware and software inventory. TIP A good inventory control system is often overlooked from a security perspective, but it shouldn’t be. It is absolutely critical that you know what hardware and software your organization is using. Without this knowledge, if a new vulnerability is announced, you will have no way of knowing if you need to be concerned about it.
Chapter Review
In this chapter, we covered the implementation of security activities across the technology life cycle. The first section went over the systems development life cycle (SDLC), which covers the five phases of systems development: initiation, development/acquisition, implementation, operation/maintenance, and disposal. We then covered other life cycle components, including determining requirements, acquisition of a system as opposed to development, the testing and evaluation of the developed/acquired system, and then the eventual commissioning of the system from the organization’s infrastructure. We also talked about operational activities, which focus on the ongoing use of the deployed system, including monitoring, maintenance of the system, configuration management, plus change management. Lastly, we talked about the life cycle ending by disposing of the asset or reusing it by providing it to another individual. The next section was on the software development life cycle (also called SDLC), which could be considered a subset of the system development life cycle, but focusing on software development. In this SDLC process, we once again covered phases of development, beginning with requirements gathering and then design, development, testing, and operations/maintenance. We also talked about application security frameworks to assist developers with incorporating security into their applications. The next topic was on software assurance, which provides guarantees that software will meet company objectives. Implementing standard libraries such as cryptographic libraries will help provide software assurance. Adopting industry-accepted approaches to software development, in addition to utilizing the web service security stack, will further provide software assurance to the organization. On the flip side, it’s important to also know what not to do when it comes to software development; therefore, security professionals must warn software developers about forbidden coding techniques. We talked about NX/XN bit use, which permits CPUs to allocate certain portions of RAM for code that should not execute—malware being the prime example. This helps protect our code from any
18-ch18.indd 716
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
717
PART V
memory-resident malware. ASLR adds to this by randomizing the locations of application code to discourage buffer overflow attacks by hackers. We ended the software assurance topic with coverage on code quality requirements and the implementation of code analysis techniques such as fuzzers as well as static and dynamic code analysis. Continuing with the topic of the software development life cycle, we talked about development approaches to SDLC, beginning with the unification of the development, quality assurance, and operations teams, known collectively as DevOps. This greatly enhances software quality and speed. Although there are many development approaches, we focused on the popular ones—Agile, Waterfall, and Spiral. Agile isn’t bogged down with excessive processes and restrictions, thus it focuses on accelerated development of minor milestones, with the opportunity to revisit previous sections and make design changes as requirements dictate. Waterfall goes the opposite route of preplanning the long- and short-term milestones, focusing on completing phases in their entirety before moving onto newer ones. It doesn’t permit revisiting previous sections until the project has been completed. The Spiral approach combines the long-term rigidness of Waterfall with some of the short-term flexibilities and acceleration of Agile. The next topic talked about continuous integration, which repeatedly incorporates the code of various developers into a single code structure to ensure it all fits together. Another important approach is versioning the software to keep track of successful and unsuccessful code portions. Also, rather than reinvent the wheel, developers can use secure coding standards, which can help developers incorporate security into their code from the ground up. Given the formalities involved with SDLC, there are various documentation needs. For example, the security implications traceability matrix document allows cross-referencing of requirements with implementation details. Other useful documents include the requirements definition, system design, and testing plans documents. The last part of this topic involves validation of the system design. We can perform this validation through regression testing, user acceptance testing, unit testing, integration testing, and peer review. The next topic focused on adapting solutions to address emerging threats and security trends, in addition to disruptive technologies such as cloud computing, blockchain, artificial intelligence, 5G wireless, self-driving cars, advanced robotics, and virtual/ augmented reality. The final topic in the chapter discussed asset management for the purpose of inventory control. This helps business processes to support the entire life cycle of the organization’s assets, including IT and security systems.
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Systems Development Life Cycle • Systems development life cycle is a process for the initiating, developing/ acquiring, implementing, operating/maintaining, and disposing of systems. • Requirements define the business needs the proposed system must fulfill in order to justify its implementation.
18-ch18.indd 717
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
718
• Organizations often acquire systems from third parties as opposed to developing one in-house. • Organizations must test and evaluate systems to identify any shortcomings or vulnerabilities in their functionality, security, and performance. • Commissioning a new, modified, or upgraded system marks the implementation of the technology into the production environment. • Systems will be periodically decommissioned or disposed of as part of normal operations. • Operational activities involve the actions employed in the daily usage of systems. • It’s important to monitor the system’s operational state in order to identify performance and usage patterns, in addition to any signs of malicious activities. • Maintenance activities can be both on a specific system and on the environment where the system resides. • Configuration management is the methodical process of managing configuration changes to a system throughout its life cycle. • Change management is a formalized process by which all changes to a system are planned, tested, documented, and managed in a positive manner. • Asset disposal refers to the organizational process of discarding assets when they are no longer needed. • Eventually, all assets will require disposal, yet some are still viable for recirculation back into the organization’s inventory.
Software Development Life Cycle • Software development life cycle (SDLC) represents the various processes and procedures employed to develop software. • The requirements gathering phase involves the brainstorming of the who, what, and why of the project. • The design phase shifts the focus from one largely about brainstorming the organizational needs and their obstacles, to a phase focused on addressing said needs and obstacles. • The core behavior of software is typically designed using the guidance of three well-known models: the informational, functional, and behavioral models. • The develop phase transitions the SDLC away from the theoretical phases to the actual development of the proposed software. • The testing phase begins with a series of testing processes in order to identify, resolve, and reassess software until it is fit for use. • The operations and maintenance phase involves monitoring the ongoing usage and upkeep of the software. We monitor it to see how it performs under daily workloads, identify any functional and security issues, and either reconfigure the software or develop software patches to address the discovered issues.
18-ch18.indd 718
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
719
18-ch18.indd 719
PART V
• Application security frameworks ensure that developers employ consistent and secure development practices. • Software assurance is the process of providing guarantees that any acquired or developed software is fit for use and meets prescribed security requirements. • Standard libraries reduce development time and improve code quality and security through the use of vetted library functions. • Industry-accepted approaches guide programmers into using well-known standards such as ISO 27000 series, ITIL, PCI, and even SAFECode. • Web Services Security (WS-Security) provides authentication, integrity, confidentiality, and nonrepudiation for web services using SOAP. • Forbidden coding techniques must be known to developers so they know what coding practices to avoid. • NX (no-execute) bit use refers to CPUs reserving certain areas of memory for containing code that should not be executed. • ASLR involves the operating system randomizing the operating locations of various portions of an application (such as the application executable, APIs, libraries, and heap memory) in order to confuse a hacker’s attempt at predicting a buffer overflow target. • Code quality refers to the implementation of numerous coding best practices that are not officially defined, yet are generally accepted by the coding community. • Code analysis involves the various techniques of reviewing and analyzing code. • Fuzzers inject unusual or malicious input into an application to see how it responds. • Static code analysis is the process of reviewing code when it’s not running. • Dynamic code analysis is the process of reviewing code that is running. • DevOps combines the software development, quality assurance, and operations teams into a single working unit to expedite and improve the quality of the development, testing, and deployment of software. • Agile is an accelerated development approach that favors smaller milestones, reduced long-term planning, and the ability to revisit previous phases without restriction. • Waterfall follows a strict sequential life-cycle approach, where each development phase must be finished before beginning the next. It does not permit revisiting previous phases until the completion of the projection. • Spiral utilizes the incremental progress and revisitation rights of Agile, but within the relative confines of the Waterfall approach. • Continuous integration is the process of repeatedly incorporating code from various developers into a single code structure. • Versioning is the process of marking important code milestones or changes with a timestamped version number.
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
720
• Secure coding standards are language-specific rules and recommended practices that provide for secure programming. • Documentation guides developers through the numerous processes and procedures necessary to succeed at each phase of the SDLC. • The security requirements traceability matrix (SRTM) is a grid that allows users to cross-reference requirements and implementation details. • The requirements definition document outlines all system requirements and the reasons they are needed. • The system design document focuses on what will be developed and how it will be developed. • According to the International Software Testing Qualifications Board (ISTQB), test plans are “documentation describing the test objectives to be achieved and the means and the schedule for achieving them, organized to coordinate testing activities.” • Verification determines whether or not the correct processes are being performed properly. • Validation determines whether or not the right thing is being built or if the output matches the requirements. • Regression testing determines if changes to software have resulted in unintended losses of functionality and security. • User acceptance testing solicits feedback from the software’s target audience to gauge their level of acceptance. • Unit testing isolates every line of code in an application and performs an individual test on that code. • Integration testing combines each developer’s code into an aggregated test to see how the code meshes together. • Peer review involves programmers on a team analyzing one another’s code to lend a different perspective.
Adapting Solutions • Adapting solutions involves making preventative, detective, and corrective adjustments to our risk management and security controls based on changes in the security landscape. • Disruptive technologies are ground-breaking advancements that change everything about how people perform tasks. • Key disruptive technologies include AI, IoT, blockchain, advanced robotics, cloud computing, self-driving cars, virtual and augmented reality, and 5G wireless networking.
18-ch18.indd 720
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
721
Asset Management (Inventory Control) • Asset management encompasses the business processes that allow an organization to support the entire life cycle of the organization’s assets (such as the IT and security systems). • The components of an inventory control or asset management system include the software to keep track of the inventory items, possibly wireless devices to record transactions at the moment and location at which they occur, and a mechanism to tag and track individual items. • Common methods of tagging today include barcodes as well as radio-frequency identification (RFID) and barcode tags. • RFID tags are more expensive than barcodes but have the advantage of not needing a line of sight to be able to read them.
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. SDLC phases include a minimum set of security tasks required to effectively incorporate security in the system development process. Which of the following is one of the key security activities for the initiation phase? A. Determine CIA requirements. C. Conduct a PIA. D. Analyze security requirements.
2. The process of creating or altering systems, and the models and methodologies that people use to develop these systems, is referred to as what?
PART V
B. Define the security architecture.
A. Systems Development Life Cycle B. Agile methods C. Security requirements traceability matrix D. EAL level
3. Which of the following statements are true about a security requirements traceability matrix (SRTM)? (Choose all that apply.) A. It assists in the documentation and easy presentation of what is necessary for
the security of a system. B. It allows requirements and tests to be easily traced back to one another. C. It is part of the Common Criteria for determining the system level. D. It is a software development security assurance process proposed by Microsoft.
18-ch18.indd 721
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
722
4. What phase indicates that the system should be modified on a regular basis through the addition of hardware and software? A. Requirements phase B. Change management phase C. Operation or maintenance phase D. Test phase
5. You are responsible for secure programming at your company. You want to implement steps to validate the security of software design. At what phase in the SDLC should you implement design validation for security? A. After the design phase. B. Before the testing phase. C. This is not necessary. SDLC eliminates the need for design validations. D. At every phase.
6. Technology has a life cycle. What are the different phases of the technology life cycle? (Choose all that apply.) A. Operational activities B. Maintenance C. Testing and validation D. Decommissioning
7. Elements of a change management program include which of the following? (Select all that apply.) A. CCB process B. Third-party validation before implementation C. Back-out plans for each change D. Approval by the CIO for each change in production
8. Validation is what? A. Seeing if the process was properly followed during production B. Checking to see if all steps have been completed C. Checking to see if the processes are working correctly D. Seeing if all of the requirements are satisfied
9. Which of the following testing methods involves testing every line of code? A. Regression testing B. User acceptance testing C. Unit testing D. Peer review
18-ch18.indd 722
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
Chapter 18: Technology Life Cycles and Security Activities
723
10. Which of the following testing methods determines if changes to software have resulted in unintended losses of functionality and security? A. Regression testing B. User acceptance testing C. Unit testing D. Peer review
11. Which of the following development approaches focuses on accelerated development with smaller milestones, and the ability to revisit previous stages at any point? A. Spiral B. Waterfall C. Agile D. None of the above
12. Which of the following development approaches plans all long-term and shortterm goals and milestones upfront with no ability to revisit development phases until the completion of the project? A. Spiral B. Waterfall C. Agile D. None of the above
1. A. Key security activities for the initiation phase are as follows: initial definition of business requirements in terms of confidentiality, integrity, and availability (CIA); determination of information categorization and identification of known special-handling requirements in transmitting, storing, or creating information; determination of privacy requirements.
PART V
Answers
2. A. The Systems Development Life Cycle (SDLC), or Software Development Life Cycle, in systems engineering, information systems, and software engineering is the process of creating or altering systems as well as the models and methodologies that people use to develop these systems. 3. A, B. A security requirements traceability matrix (SRTM) is a grid that provides documentation and easy presentation of what is necessary for the security of a system. It allows requirements and tests to be easily traced back to one another. SRTM ensures that there is accountability for all processes. It also ensures that all work is being completed.
18-ch18.indd 723
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 18
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
724
4. C. Phase 4 of the SDLC is known as the operation or maintenance phase. This phase indicates that the system should be modified on a regular basis through the addition of hardware and software. 5. D. Every phase of the SDLC can result in tweaks and changes to the design, necessitating revalidation. 6. A, B, D. The phases of the technology life cycle include Technology Introduction, Operational Activities, Maintenance, and Retirement/Decommissioning. 7. A, C. Change management programs are run by Change Control Boards (CCBs), and all change plans should have a back-out plan in case they do not integrate into production properly. 8. D. Validation is the testing of an item to see if it meets requirements. 9. C. Unit testing attempts to test each and every line of code, or a certain percentage of the application’s total code base. 10. A. Regression testing determines if changes to software have resulted in unintended losses of functionality and security. 11. C. Agile focuses on accelerated development with smaller milestones, and the ability to revisit previous stages at any point. 12. B. Waterfall plans all long-term and short-term goals and milestones upfront with no ability to revisit development phases until the completion of the project.
18-ch18.indd 724
11/03/19 3:17 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
19
CHAPTER
Business Unit Interactions This chapter presents the following topics: • Security requirements across various roles • Security processes and controls for senior management • Secure collaboration within teams • Governance, risk, and compliance committees
Although many organizations have dedicated security experts on staff, all staff share responsibility for the organization’s security posture. Yet, the importance of this shared responsibility is almost never clearly stated or understood by anyone outside of the security department. In order to best protect an organization’s information, we need to unlock the security responsibilities of all individuals throughout the enterprise. This won’t happen unless the importance of security is clearly and consistently communicated to managers and employees. This communication will come in the form of formalized education, training, awareness, and documentation initiatives to ensure that all levels of the organization have adequate security knowledge. Employees are more likely to do their part if they understand the importance of security and the vital role it plays in their daily routine. This chapter dives into many of the key roles within organizations as well as how increased security knowledge, communication, and collaboration will improve security initiatives for the organization at large.
Security Requirements Across Various Roles
Bob Hope once said that a bank is a place that will lend you money if you can prove that you don’t need it. In much the same way, it sometimes feels like policies, standards, procedures, processes, and guidelines are written in a manner that assumes the reader already understands the information. You might be asking yourself, if employees already understand the information, then why are we writing about it? The purpose of communicating security requirements is to educate employees and raise awareness on policy adherence, and to hold people accountable for negligence. Security requirements should not be communicated in an overly complicated manner, contain too much jargon, or be incomplete. If security is to be integrated throughout an enterprise, it’s imperative that all requirements are fully understood by all relevant parties.
725
19-ch19.indd 725
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
726
Not only is it important that everybody understand the various policies and requirements that affect them, they must also have an understanding of their importance; otherwise, individuals will not be motivated to follow them. Before security requirements can be developed and communicated, the overall security policy must first be defined. This, in turn, will lead to other more specific policies and, subsequently, processes. Broadly speaking, security policies will often address at a minimum the “security triad,” or CIA of security—confidentiality, integrity, and availability. To these, often other requirements may be added, depending on the needs of the organization. With the proliferation of e-commerce and online transactions, authentication and nonrepudiation become important. Accountability may also be a concern for an organization because it provides the ability to know who caused a specific action to take place. The security policies will speak to which of these are important to the organization. NOTE At every stage of security within an organization, everyone must be involved. Security is generally not the first priority for anybody except those with “security” in their title. All staff, from sales to human resources to the IT department, need to factor security into their daily workload; otherwise, security breaches will occur from the bottom up.
Sales Staff Sales personnel are a good example of individuals who are important to an organization but generally do not list security as an important concern. Salespeople care about three things—selling, selling, and more selling. Yet, they have their own unique computing challenges that can introduce security concerns. Due to the nature of their responsibilities, these individuals are often on the road traveling and will find themselves attempting to connect to the office from potentially hostile networks. Sitting down at a coffee shop and connecting to the free wireless may be convenient, but such networks are generally left wide open to keep things simple. After all, baristas don’t want to be barraged all day with wireless security questions. On the flipside, free wireless networks are frequented by individuals attempting to take advantage of the user’s lack of security. The sales staff may also be specifically targeted by competitors or others who want to learn about the company’s products and services. Given the mobility of sales staff, corporate data will often be cached onto the employee’s mobile devices, which increases device and data theft concerns. Security professionals need to consider the responsibilities of sales personnel in order to tailor their security solutions. The security solutions offered should be as unobtrusive as possible to ensure that the sales staff will actually use them. The following are some security recommendations for sales personnel:
• Use VPN for remote access utilizing a modern tunneling protocol such as OpenVPN or L2TP, encryption using SSL/TLS or IPSec, and authentication using EAP/PEAP-based methods.
19-ch19.indd 726
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
727
• If supported, Microsoft DirectAccess provides an enhanced remote access experience with automated connectivity to the corporate network, plus improved bi-directional management, which helps ensure security compliance. • Encrypt internal and external storage media (for example, using Microsoft BitLocker) in addition to file system encryption (for example, Microsoft Encrypting File System) to guard against compromised machines. • Use host-based firewall and antimalware software. • Employ remote lock, backup, and wipe capabilities. • Provide end-user training (security and social engineering focus). NOTE It would be nice if all personnel had the same level of understanding and concern for security that we do, but this is simply not the case. Understanding the motivation of various groups of employees will allow security personnel to better develop workable security solutions—with “workable” also implying solutions that are actually willingly adopted by non-security personnel. For this to happen, the solutions need to be relatively unobtrusive, and the users need to understand the motivation and reason for the security mechanism. Simply levying a security requirement without explaining to those affected by it why it is necessary will inevitably result in resistance and possibly outright opposition to the mechanism.
Programmers PART V
Software programmers are critical to the security of software systems and the protection of the data the software processes. At the heart of the multitude of security vulnerabilities we read about in operating systems and applications is software for which a certain aspect of security was not considered or tested. Sometimes this is a bug (mistake) in the coding process; other times it may be a flaw in the original design and specifications for the software. In either case, the mistake results in a vulnerability that places the organization’s computer systems and networks and the data they process at risk. Programmers are critical to the process of developing secure software. Unfortunately, too often security is not a concern for them. A great way to get your programmers into the “spirit” of secure programming is to advise them on available certifications just for programmers. Here are several reputable certifications:
• Microsoft Certified Solutions Developer • Amazon Web Services (AWS Certified Developer) • EC-Council Certified Secure Programmer (ECSP)
19-ch19.indd 727
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
728
The Motivation of Personnel
The motivation for different members of an organization will vary, and very few of them will have security as their primary concern. Programmers, for example, will generally be attempting to develop software as quickly as possible, network engineers will be trying to maintain the operational aspect of the organization’s computer systems and networks, and the sales staff will be focused on selling what products or services the organization has to offer. Although each may claim a concern for security, unless security is seen as a business imperative and is integrated throughout the organization, it will always take a backseat to other concerns and may in fact be ignored altogether. Any lack of security urgency on the part of the programmer can have a few causes. One is that the metrics used to measure the effectiveness of a programmer seldom include security for goals or milestones. Programmers are typically evaluated on their ability to write software quickly and to have that software adhere to design specifications. If security is not one of the design specifications, it will be given light consideration at best. Another factor affecting programmers’ ability to write secure code is that they often haven’t been taught to do so. Most programmers are either self-taught or have graduated with a computer science or programming education from an institution where secure software development isn’t a requirement. In fact, it’s seldom that secure programming is even mentioned. Understanding this, it becomes important for individuals who develop the specifications for software to include secure coding practices and security testing before a piece of software is signed off as being completed. If an organization is developing its own software, it might prove very useful to invest in the programmers and have them take a secure software design course before they begin working on the software the organization needs. For in-house development needs, security specifications should be included at the design phase, with code review and security testing included as part of the acceptance process. For software that is being purchased “off the shelf,” an organization should inquire the vendor regarding the development practices used with the product.
Database Administrators The purpose of a database is to provide a tool for individuals to manipulate data so that it can be used for the benefit of the organization. Databases contain many different pieces of information, but generally all of it is important to the organization. As a result, it is imperative that the integrity of the database is maintained so that the data does not become corrupted. In addition, the confidentiality of the database is extremely important to ensure that unauthorized individuals do not gain access to sensitive information (such as a list of all the customer credit card numbers) that could have an adverse impact on the organization. Thus, just like programmers, the database administrators need to be concerned with security when managing databases.
19-ch19.indd 728
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
729
Generally, organizations don’t develop their own database management system but instead use a commercial product to manage their data. Database administrators are responsible for the design and building of the specific database structure, using the tools and features provided by the database management system. The database administrators need to be concerned with the security of the data contained in the database and should ensure adequate access controls for the database. They should also implement an active backup process to ensure that the organization’s critical data survives in the event of a natural disaster or security incident. They should follow a configuration guide or benchmark for secure configuration of the database as well as work with the server administrator to ensure that the configuration of the database and the server complement each other from a security perspective. Poor configuration of either could lead to compromise of the other. In addition to these suggestions, here are some important security considerations to implement on databases:
PART V
• Transparent data encryption Encrypt all data in a database at rest. • Column-level encryption Encrypt individual columns of data within a database. • Field-level encryption Encrypt individual data fields within a database. • Default credentials/rights Rename all default usernames and passwords, plus ensure accounts have minimum privileges required to perform necessary tasks. • Least privilege Ensure that the principle of least privilege is applied to all aspects of the database server. • Training Ensure database administrators attend database administration training for Microsoft SQL Server or Oracle products, for example. • Patch Ensure host OS, database software, and applications are up to date with security patches.
Good Security Is Annoying
Security mustn’t be an impediment to the mission of the organization. It may be viewed as a minor inconvenience, but if the employees understand the benefit, they will put up minimal resistance. An example of this is the ubiquitous user ID/ password combination. Having to remember and periodically change a password is inconvenient, but most employees accept this as a necessary requirement. If the need for passwords to be sufficiently strong and periodically changed is not explained, however, you will find that employees will select poor ones or will write them down in obvious places. Security needs to become an accepted practice among employees and not be seen as an impediment to getting their job done.
Network Administrators Network administrators are responsible for the management of an organization’s network. Their daily ritual involves the management of network appliances such as routers, switches, firewalls, VPN concentrators, unified threat management devices, IDSs, and
19-ch19.indd 729
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
730
IPSs—providing Internet connectivity as needed—and managing all LAN, WAN, and Wi-Fi network connections to ensure timely access to enterprise resources. Given the scope of responsibilities, network management can be time-consuming; therefore, the extinguishing of operational fires will likely take priority over security. In fact, security may “fall off a cliff ” in the name of functionality and ease of use. For example, an administrator might implement a wide-open Wi-Fi network to simplify employee access to the corporate network, yet they’ve also opened up a huge security hole in the process. Or they might permit users to use simple passwords to minimize forgotten passwords, account lockouts, and calls to the help desk, yet the security compromise is quite severe. Given the urgency of network security nowadays, network administrators can no longer allow security to be an afterthought. Physical security is a good place to start; therefore, network administrators should ensure network equipment is located inside data centers or closets with locked doors, security cameras, proper lighting, temperature/humidity controls, and restricted access. Devices should have the latest firmware installed, default accounts disabled or renamed, default passwords changed, and privileges and configurations locked down. Responsibilities for local and remote management of network devices will need to be carefully controlled. Administrative tasks can be delegated to trusted subordinate IT staff in order to free up the network administrators to concentrate on security improvements and other important projects. Despite their expertise, network administrators should continue to update their skills by attending training classes with a reputable training provider, in addition to updating their certifications. Security staff can help out by keeping network administrators abreast of emerging trends and attack vectors so that administrators can take proactive measures to minimize any threats made against the enterprise. EXAM TIP Network administrators should always have two separate accounts: one account with standard privileges for basic day-to-day work, and an administrative account for tasks requiring stronger privileges. Minimizing the use of an administrative account helps guard against privilege escalation attacks, in addition to reducing malware and administrative accidents.
Management/Executive Management Upper-level management is responsible for setting the direction for the organization. In doing so, the concern of management is generally on the operation of the organization and in meeting the goals set for it. These more often than not do not include security. To management, security is like insurance—it’s something that does not add to the “bottom line” but is recognized as being necessary. The goal, however, will be only spending enough on security for systems and data to be secure, and not any more. The problem, of course, is knowing what this magic number is. If you spend too little on security, you may have a security incident. If you spend too much, you will have wasted money. But how do you know what’s too much? The absence of a security incident may mean you’ve spent just the right amount, not too much.
19-ch19.indd 730
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
731
Because security is important, just as insurance is important, it is imperative that management conveys the organization’s goals in terms of security to all employees. Management is responsible for setting the tone for the organization by establishing the organization’s security policy. EXAM TIP The key to getting management to take up the security mission with the rest of the organization hinges on them understanding it themselves. Use their language to communicate the importance of security. Show them information regarding total cost of ownership and return on investment regarding security investments (and what happens when you don’t make the investments). Show how the investment into security saves the company money by preventing breaches. It’s very important to show them examples of organizations—particularly in the same industry or competitors—that have been breached, the vulnerabilities exploited during the breach, and what the overall financial impact to the organizations was.
PART V
If you approach management with the right kind of information, they will listen much more intently. The members of top-level management may not be responsible for the day-to-day security operations within the organization, but they are responsible for the level of importance that is placed on security. Because management may not have a lot of security expertise, they will often rely on security personnel, as well as possibly forming steering committees or advisory groups, to help them with determining the right amount of security for the organization. Management folk are often nontechnical; therefore, they will need to be trained on proper computer and security practices, including password management, how to handle social engineering, anti-phishing and e-mail training, and so forth. Also, the work area for managers may require stronger physical security due to the likelihood of confidential materials being kept nearby.
Financial The financial details of an organization are almost always going to be sensitive; therefore, financial personnel will need to protect the information they deal with on a daily basis. As a result of the normal desire to maintain an increased level of security and privacy for the organization’s financial information, financial personnel are more sensitive to security needs overall. That is not to say that security is their chief concern—again, their concerns are with the tasks for which they are employed. Often, problems may arise with financial information being improperly secured, not because of a lack of concern but rather a lack of understanding of the nuances of properly securing information in the digital world. For example, financial personnel will understand the need to maintain confidentiality and privacy of information, so having to supply a password to gain access to data will generally not surprise them. They may not, however, understand the concept of strong versus weak passwords.
19-ch19.indd 731
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
732
To that end, proper end-user training on password management would be a good first start. This includes not writing passwords down or putting them on sticky notes or on paper stored under the keyboard. To combat the latter threats, organizations often have clean desk policies that mandate the removal of all personal information from “plain sight,” including written-down passwords. Such materials would need to be locked away in cabinets or drawers.
Human Resources Human resources (HR) is another group that, due to its mission, is generally concerned with maintaining the privacy of the information handled. HR deals with a lot of personal information about employees that should be maintained securely. HR is also be responsible for tasks such as obtaining background investigations on potential employees and conveying the results to the potential hiring managers. Like financial personnel, HR personnel have a heightened concern for security and privacy, but these are generally not their areas of expertise, and they may not always make the best security choices in order to protect their data. Security personnel can help them determine the best mechanisms to secure information with minimal impact on their mission. TIP As with all business units, proper training on password management, social engineering, proper usage of e-mail, and website browsing will help prevent data breaches in HR, one of the organization’s most critical departments.
Emergency Response Team Unlike most of the other disciplines discussed so far, individuals on the emergency response team have security as one of their primary areas of focus. The general term “emergency response” can apply to a number of different situations (such as fire or natural disasters), but in the context of the CompTIA Advanced Security Practitioner (CASP+) certification, it refers to computer emergencies. A computer emergency can be the result of a number of things—from natural disasters that destroy computer processing facilities, to individuals who have gained unauthorized access to the organization’s computer systems, either physically or electronically. An emergency response team can have this as their full-time mission. More commonly, though, the team is made up of personnel from across the organization who come together when an emergency occurs. The team should not be composed entirely of technical individuals. When an emergency occurs, a number of different individuals need to be part of the organization’s coordinated response. This includes top-level management, legal advisors, a public relations representative, and subject matter experts on the various technologies impacted by the event. Members should be trained before becoming part of the team, and ensuring that they are is the responsibility of management. Management should also ensure that the team has the tools needed to address whatever event they may face.
19-ch19.indd 732
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
733
Facilities Manager The job of the facilities manager is the maintenance of the building and facilities that the organization occupies. The responsibilities include custodial services and repairs. Physical security of the facilities is certainly a concern for the facilities manager, whereas computer security has traditionally been less of a concern. This is changing, however, as physical security begins to become more networked with devices such as closed-circuit televisions (CCTVs) that can be monitored remotely via an Internet link. Although the monitoring of such devices may not be under the purview of the facilities manager, the maintenance of the devices may very well be. In addition, the facilities manager needs to be concerned with the access that individuals such as those involved in providing the custodial services may have. Generally, these individuals may have unrestricted access to the facilities for extended periods of time. As a result, the facilities manager needs to be concerned with the backgrounds and trustworthiness of the individuals hired to provide these services. Over the last decade, the number of systems controlling water, power, HVAC, and other facility services that are being computerized is increasing. The SCADA (Supervisory Control and Data Acquisition) systems that control these services are making computer and network security more relevant to facility managers who oversee these functions. SCADA equipment comes with its own physical and technical security requirements, including segmentation, firmware updates, security patches, configuration baselines, and access control.
Physical Security Manager PART V
The physical security manager is in charge of the devices and technologies that physically secure the facilities. The aforementioned CCTV is the responsibility of the physical security manager, as are any burglar alarms, card readers, or other access control devices, guards, and locks. The physical security manager is also often the point of contact with local law enforcement personnel. There needs to be a close relationship between the physical and computer security personnel because the two offices are complementary and depend on each other. As was mentioned, as technology advances, the devices used in physical security and surveillance are often connected via networks, which must be secure. At the same time, computer security depends on physical security as well because if physical access to a computer system can be obtained, the difficulty of maintaining the security of the system is greatly increased.
Legal Counsel Many organizations have an internal legal department, consult with external law firms, or both. Whatever the case is, legal counsel assists organizations in complying with all state and federal laws and requirements. Whether constructing security policies that require legal guidance or responding to forensic investigations, legal counsel can be the difference between organizational compliance, fines, business shutdown, and executive jail sentences. In-house legal departments handle most legal issues well enough, yet it may be necessary in some cases to partner up with an external law firm that has more expertise in
19-ch19.indd 733
13/03/19 1:20 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
734
cybersecurity—particularly with data and privacy requirements (and breaches). With the right legal counsel, businesses are developing more effective incident response plans, in addition to improving organizational compliance with the unique security and privacy requirements mandated by laws and regulations. Keep in mind that these are legal experts, not security experts. As security practitioners, we are tasked with not only securing the legal group’s equipment, information, and communications, but also providing them with cybersecurity education. Legal departments are subject to heightened CIA requirements due to the increased sensitivity and criticality of data in their possession. Also, laws and regulations are subject to change; therefore, legal staff should receive up-to-date training on all matters affecting their industry. This includes not only legal training but also internal training involving account and password management, social engineering, and e-mail and Internet best practices. Bottom line: the legal group must be well taken care of if you want your organization to have a shot at long-term viability.
Security Processes and Controls for Senior Management
As a security professional, you may have the responsibility of providing guidance and recommendations on security controls to staff members and senior management. Security controls are processes or tools that you implement in order to protect systems and information, to prevent a security incident from occurring, to detect when an incident has occurred and respond to it in an effective manner in order to minimize the potential damage, and to recover from an incident when one occurs. Controls may be categorized as physical, procedural/administrative, technical, and regulatory/compliance controls. The following is a breakdown of these categories of controls:
• Physical controls Used for tasks such as preventing the loss of systems or data through the use of locks, cameras, alarm systems, and other similar devices • Procedural and administrative controls Include incident response processes, password policies, training and awareness programs, and background checks • Technical controls Include access-control mechanisms, antivirus software, firewalls, and encryption • Regulatory/compliance controls Include those that are either mandated by law or used to enforce mandated protection, such as controls to ensure privacy on a system At times, you may have to make recommendations on the implementation of new security controls to possibly mitigate a security vulnerability that may exist in your systems. This information needs to be conveyed to management to obtain support for your recommendations. In a recommendation, you need to include an explanation of the vulnerability that the control will address, why this is important, the potential impact if
19-ch19.indd 734
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
735
the vulnerability is not mitigated, and the cost to the organization of implementing the control. Often the selection of what control to put in place will be affected by possible side effects to other systems or processes within the organization. It is not uncommon for a software patch released to address a vulnerability in an operating system or software application to have a negative impact on another application. When this occurs, the organization must make a choice between patching the system, which would eliminate the vulnerability, and finding a different method to mitigate the impact of the vulnerability. These are sensitive situations that require a well-thought-out and effective presentation of a recommendation in order to accurately convey the picture and situation to staff and management.
Secure Collaboration Within Teams
It is often stated that a chain is only as strong as its weakest link, and this applies to security as well. Processes, procedures, and controls can be implemented within an organization, but if the employees seek to avoid them at every opportunity, security can be severely impacted. The goal is to get everybody in the organization behind the implementation of specific security solutions. Management needs to provide the support and resources, security personnel need to find methods that will work within the organization, and employees need to understand why and what the impact is (both positive and negative).
PART V
NOTE Once everybody understands the importance of security, it is easier to get them to follow procedures. An example of this is the physical practice of locking a door. We all accept the need for this now, and generally it is fairly easy to convince employees to follow procedures regarding safeguarding facilities. That does not mean that people don’t get careless and make mistakes—but then again, this is what awareness and periodic security refresher training are for.
The motivation and willingness of employees to adhere to security policies and procedures can be affected by several factors. It has already been mentioned that individuals need to understand the reason for specific safeguards and the potential damage to the organization should the safeguards be ignored. Another factor that helps obtain support for safeguards is the feeling that individuals had a say in the selection of them. If there is a security issue for which solutions are being sought, and the potential solutions will have an impact on the entire organization, it’s useful to include users and representatives from the general employee population in order to obtain their feedback and to garner their support. In the end, the solution chosen may have an impact on all employees, but if they have been part of the selection process, they will be more likely to accept any inconvenience caused by the new solution and thus to support whatever security safeguard will be implemented.
19-ch19.indd 735
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
736
A final factor that should be mentioned but that the security professional may not have control over is the overall concern for the organization by employees. If the general workforce of an organization is not happy and is not concerned with the well-being of the organization, it will be hard to obtain their support for any security safeguard that’s seen as inconvenient. Employees lock their own doors and secure their own valuables because they don’t want their possessions stolen. If they don’t care about their organization, they may not show the same level of concern. Therefore, an important element of effective collaboration is motivating employees—management can use either a carrot or a stick (or a combination of the two), but the most effective will always be a method that provides a positive incentive (a carrot) for employees to accept and adopt a security safeguard.
Governance, Risk, and Compliance Committee
Governance, risk, and compliance (GRC) is a unified management approach to strategically achieving business objectives, keeping risks at a tolerable level, and following all required laws and requirements. In other words, each of these three elements is baked into all aspects of the business. NOTE Strangely enough, an industry agreed-upon definition of GRC does not yet exist; however, the Open Compliance and Ethics Group (OCEG) helped pioneer the concepts of GRC, so they have a well-supported definition on their website (www.oceg.org). They define GRC as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Visit their website for much more information and papers on GRC.
Generally appointed by an organization’s board of directors, a governance, risk, and compliance committee is typically composed of managers from IT, security, facilities, finance, and potentially other units. The following list provides a brief definition of each term:
• Governance Provides overall management of the organization, including strategic direction, deliverable business objectives, and mitigation of business risks • Risk management Ensures continuous identification, analysis, and mitigation of all risks that threaten business deliveries • Compliance Confirms all requirements from contracts, laws, policies, regulations, and strategies have been demonstrably met A GRC may be aimed at the overall organization or tailored to individual business departments such as finance, IT, or legal. Various GRC products have recently entered the marketplace to solve specific business problems such as organizations implementing GRC separately across individual business departments, as opposed to uniformly across the organization as a whole. As GRC research increases and markets mature, you can expect more organizations to officially adopt its principles into their business models.
19-ch19.indd 736
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
737
Chapter Review
19-ch19.indd 737
PART V
In this relatively short chapter, we talked about the importance of interaction across diverse business units to achieve security goals. It began with a section on interpreting security requirements and goals to communicate with stakeholders from other disciplines. If stakeholders understand the importance of policies, they will better understand, carry out, and evangelize the security requirements to other employees. We talked about various types of stakeholders, beginning with sales staff and the unique security requirements inherent with staff that frequently travel and connect from potentially hostile networks. Next, we talked about programmers and their need to incorporate secure coding practices, code review, and security testing into their application projects. We then discussed database administrators and the importance of controlling access to the databases, including the incorporation of field, column, and full database-level encryption techniques. Network administrators are often too busy to think about security; therefore, it’s important to educate them on incorporating security best practices into network appliances, including disabled/renamed default accounts, changing default passwords, adopting the principle of least privilege, updating firmware, performing patch management, and configuration hardening. Management and executive management were discussed in terms of how to compel them to care more about security by selling security solutions to them in their own language. Consider total cost of ownership, return on investment, case studies of competitors, and other organizations experiencing security breaches. Next, we discussed the financial staff and their unique security and privacy needs since they handle more sensitive data than most departments. We talked about the emergency response teams, which in this case handle computer-related emergencies and crimes, and the appropriate members of the team and their areas of responsibilities. We discussed facilities managers and their responsibilities involving the maintenance of the physical campuses, as opposed to physical security managers, whose responsibility it is to secure access to the physical campus. We ended the section by discussing legal counsel and how they are tasked with ensuring organization compliance with state and federal laws. The next section of the chapter focused on providing objective guidance and impartial recommendations to staff and senior management on security processes and controls. This included information about physical controls, procedural and administrative controls, technical controls, and regulatory and compliance controls. Another section discussed establishing effective collaboration within teams to implement secure solutions. Management needs to provide the support and resources, security personnel need to find methods that will work within the organization, and employees need to understand both the importance of security and how impactful security breaches can be to the organization. People are motivated by the reasons for security, their say in the implementation of security, and their level of personal affection for the organization itself. The final section covered governance, risk, and compliance committees. These committees seek to incorporate all three of these elements into all aspects of business processes in order to fulfill company objectives in a secure manner. Such committees are typically composed of individuals from IT, security, facilities, finance, and other units, and their focus is typically aimed at finance, IT, or legal departments.
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
738
Quick Tips The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.
Security Requirements Across Various Roles • Security requirements should not be communicated in an overly complicated manner, contain too much jargon, or be incomplete. • Security requirements are often written in a manner that can be understood by security professionals but may mean nothing to other individuals. • If security is to be integrated throughout an enterprise, it becomes imperative that the requirements, policies, processes, and guidelines are communicated to individuals in other disciplines. • The motivation of programmers is often to produce working software as quickly as possible, with security not being of prime importance. • Network administrators ensure the organization’s networks and computer systems are operational and are available to support the needs of the organization, again with security often taking a backseat to other concerns. • The members of the sales staff have their own unique computing challenges that often introduce security concerns. • Database administrators have to implement strong access control, in addition to database encryption and default account/password best practices to secure the information. • Management/executive management needs to fully understand security to help you get buy-in from the rest of the organization. • Financial staff require increased security and privacy over their data since it is of a more sensitive nature than most other data. • Human resources staff, like the financial staff, also have highly sensitive information available to them; therefore, they need extra security controls. • Emergency response teams are responsible for computer-related emergencies and crimes. • Facilities managers are in charge of all maintenance-related matters regarding facilities, in addition to some physical security concerns. • Physical security managers are primarily responsible for the physical security access to the campuses. • Legal counsel must ensure the organizational policies, processes, procedures, guidelines, and standards are compliant with state and federal regulations.
19-ch19.indd 738
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
739
Security Processes and Controls for Senior Management • As a security professional, you may have the responsibility of providing guidance and recommendations on security controls to staff members and senior management. • You may have to make recommendations on the implementation of security controls to address a security vulnerability in your systems that requires you to convey the information to management in terms they understand in order to obtain support for your recommendations. • Often the selection of what control to put in place will be affected by possible side effects to other systems or processes within the organization. • It is not uncommon for a software patch released to address a vulnerability in an operating system or software application to have a negative impact on another application. • Certain sensitive situations require a well-thought-out and effective presentation of a recommendation in order to accurately convey the picture and situation to staff and management.
Secure Collaboration Within Teams
PART V
• Processes, procedures, and controls can be implemented within an organization, but if the employees seek to avoid them at every opportunity, security can be severely impacted. • The motivation and willingness of employees to adhere to security policies and procedures can be affected by several factors, including understanding the reason and need for the policy or procedure and the employees’ belief that they had a say in the decision to adopt it. • If the general workforce of an organization is not happy and is not concerned with the well-being of the organization, it will be hard to obtain support for any security safeguard that is seen as inconvenient.
Governance, Risk, and Compliance Committee • Governance, risk, and compliance (GRC) is a unified management approach to strategically achieving business objectives, keeping risks at a tolerable level, and following all required laws and requirements. • The GRC committee is generally appointed by an organization’s board of directors and is composed of managers from IT, security, facilities, finance, and potentially other units. • GRC may be aimed at the overall organization or tailored to individual business departments such as finance, IT, or legal.
19-ch19.indd 739
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
740
Questions The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question. 1. Which of the following are generally true about the programmers in an organization? (Choose all that apply.) A. With the number and frequency of security incidents today, developing secure software has become a prime motivator for programmers. B. Programmers are encouraged to produce working software as quickly as possible. C. Security is not a primary concern for most programmers. D. Most programmers have not been trained in secure software development techniques. 2. Which of the following is true about security requirements and goals for an organization? A. They are deliberately written in a way that makes them instantly understandable by anybody within the organization. B. They are intended for the security personnel within an organization, so it is not important that they be communicated to others. C. They are often written in a manner that can be understood by security professionals but may mean nothing to other individuals. D. After the goals and requirements are developed, the organization can then go about developing its overall security policy. 3. Your organization has established its overall security policy. What must now be done? (Choose all that apply.) A. Specific requirements, policies, processes, and guidelines can be developed based on the security policy to guide the organization in meeting its security goals. B. Once the requirements, policies, processes, and guidelines are established, it becomes imperative that they are communicated to individuals in other disciplines so that they may be understood and followed. C. The requirements, policies, processes, and guidelines need to be conveyed to individuals in all other disciplines in terms that they can understand and that highlight the ones that specifically apply to them. D. Because the overall security policy only pertains to security personnel, it is only important that security personnel understand the organization’s security goals and requirements.
19-ch19.indd 740
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
741
4. Which of the following is true of the relationship between security professionals and management? A. Once the security policy is established, it is unimportant and generally not
19-ch19.indd 741
PART V
needed for security personnel to interact or communicate with the upper levels of management. B. Security personnel may need to make recommendations concerning security to management and will need to do so in a manner that highlights the reason for the recommendation and is conveyed in terms that management can understand. C. It is more important that security recommendations are precise and written in terms understandable by security personnel who have to implement them rather than being conveyed in a manner that is understandable by management. D. Management support for security recommendations is nice but unimportant because security is the responsibility of security personnel. 5. Which of the following is true concerning security processes, procedures, and controls? A. Security processes, procedures, and controls can be implemented within an organization, but if the employees seek to avoid them at every opportunity, security can be severely impacted. B. Security processes, procedures, and controls only apply to security personnel. C. Security processes, procedures, and controls are always strictly followed by the employees they pertain to. D. Security processes, procedures, and controls are all the same thing. 6. Which of the following are factors that can impact the motivation and willingness of employees to adhere to security policies and procedures? (Choose all that apply.) A. The speed at which the policies and procedures were created after the organization’s overall security policy was established. (The faster they are established, the more likely it is that employees understand that they are important to management.) B. The level of understanding by employees of specific policies and procedures. C. The belief that employees had a say in the decision to adopt specific policies and procedures. D. There is little that can be done to motivate employees.
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
742
7. Which of the following business units is most responsible for helping organizations maintain compliance with state and federal regulations? A. Finance B. Human resources C. Physical security manager D. Legal counsel
8. Which of the following is true concerning the different disciplines represented within an organization in relation to security policies? A. Although all employees are subject to the organization’s security policies,
the different roles that each may have based on their specific discipline will require different specific security responsibilities. B. All disciplines are equally motivated by security concerns. C. Specific security requirements are the same for all employees no matter what the discipline. The requirements are based on the single organizational security policy. D. None of the above. 9. Which of the following is true concerning how security personnel approach the different disciplines within an organization? A. The success of security within an organization rests solely with security personnel and is not impacted by individuals in other disciplines. B. Because all security policies are based on the organization’s overall security policy, there is no difference in the way security personnel should approach the different disciplines represented within an organization. C. Understanding the different disciplines and the jobs associated with them will give a picture of what motivates individuals within the discipline and will help security personnel better work to secure the organization’s information assets in a manner that will be accepted by individuals within the discipline. D. Using different approaches to describe security requirements for different disciplines within an organization is generally a waste of time because the employees are not going to follow them anyway. 10. Which of the following disciplines generally has no security requirements and responsibilities? A. Programmer. B. Network administrator. C. Human resources. D. Facilities manager. E. All disciplines and jobs within an organization will have some level of security responsibilities.
19-ch19.indd 742
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19
Chapter 19: Business Unit Interactions
743
Answers 1. B, C, D. All of these are true in general for programmers. Their prime motivation is in getting the software to run; they are not trained to be concerned about security within the code. 2. C. An organization’s security goals and requirements are often written in a way and using language that is understood by security personnel but may not be understood by other personnel within the organization. 3. A, B, C. After the overall security policy is established, goals, requirements, processes, policies, and guidelines to implement the overall policy can be established. These need to be written in a manner that is understood by the employees in the disciplines that they will be applied to, and all employees need to understand their individual security responsibilities. 4. B. It may become necessary for security personnel to make recommendations to management on the implementation of security controls. When this occurs, the recommendations need to be conveyed in a manner that is understood by them in order to obtain management support. 5. A. For security processes, procedures, and controls to be effective, they must be followed by the employees they apply to. If employees seek to avoid or ignore them, it will have a negative impact on the security of the organization.
7. D. Legal counsel is responsible for ensuring organizations maintain compliance with local and state laws and regulations. 8. A. The different disciplines represented within an organization will result in different roles for the employees and thus different security requirements. All, however, will be subject to the organization’s overall security policy. How it applies to them may be different depending on their specific discipline.
PART V
6. B, C. The motivation and willingness of employees to adhere to security policies and procedures can be affected by several factors, including understanding the reason and need for the policy or procedure and the belief that the employees had a say in the decision to adopt it.
9. C. It is important for the success of security safeguards and requirements that each functional area, represented by different disciplines, understands the requirements in a manner that makes them applicable and understandable to that discipline. 10. E. Everybody in an organization has some level of security responsibility.
19-ch19.indd 743
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Chapter 19 Blind Folio: 744
This page intentionally left blank
19-ch19.indd 744
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Appendix
APPENDIX
About the Online Content This book comes complete with TotalTester Online customizable practice exam software with more than 200 practice exam questions, including a pre-assessment, a simulated performance-based question quiz, and a downloadable PDF Glossary.
System Requirements
The current and previous major versions of the following desktop browsers are recommended and supported: Chrome, Microsoft Edge, Firefox, and Safari. These browsers update frequently, and sometimes an update may cause compatibility issues with the TotalTester Online or other content hosted on the Training Hub. If you run into a problem using one of these browsers, please try using another until the problem is resolved.
Your Total Seminars Training Hub Account
To get access to the online content, you will need to create an account on the Total Seminars Training Hub. Registration is free, and you will be able to track all your online content using your account. You may also opt in if you wish to receive marketing information from McGraw-Hill Education or Total Seminars, but this is not required for you to gain access to the online content.
Privacy Notice McGraw-Hill Education values your privacy. Please be sure to read the Privacy Notice available during registration to see how the information you have provided will be used. You may view our Corporate Customer Privacy Policy by visiting the McGraw-Hill Education Privacy Center. Visit the mheducation.com site and click Privacy at the bottom of the page.
Single User License Terms and Conditions
Online access to the digital content included with this book is governed by the McGraw-Hill Education License Agreement outlined next. By using this digital content you agree to the terms of that license.
745
20-Appendix.indd 745
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Appendix
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
746
Access To register and activate your Total Seminars Training Hub account, simply follow these easy steps. 1. Go to hub.totalsem.com/mheclaim. 2. To register and create a new Training Hub account, enter your e-mail address, name, and password. No further personal information (such as credit card number) is required to create an account. NOTE If you already have a Total Seminars Training Hub account, select Log in and enter your e-mail and password. Otherwise, follow the remaining steps.
3. Enter your Product Key: 94b3-392b-hj4j 4. Click to accept the user license terms. 5. Click Register and Claim to create your account. You will be taken to the Training Hub and have access to the content for this book.
Duration of License Access to your online content through the Total Seminars Training Hub will expire one year from the date the publisher declares the book out of print. Your purchase of this McGraw-Hill Education product, including its access code, through a retail store is subject to the refund policy of that store. The Content is a copyrighted work of McGraw-Hill Education, and McGraw-Hill Education reserves all rights in and to the Content. The Work is © 2019 by McGrawHill Education, LLC. Restrictions on Transfer The user is receiving only a limited right to use the Content for the user’s own internal and personal use, dependent on purchase and continued ownership of this book. The user may not reproduce, forward, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish, or sublicense the Content or in any way commingle the Content with other third-party content without McGraw-Hill Education’s consent. Limited Warranty The McGraw-Hill Education Content is provided on an “as is” basis. Neither McGraw-Hill Education nor its licensors make any guarantees or warranties of any kind, either express or implied, including, but not limited to, implied warranties of merchantability or fitness for a particular purpose or use as to any McGraw-Hill Education Content or the information therein or any warranties as to the accuracy, completeness, correctness, or results to be obtained from, accessing or using the McGraw-Hill Education Content, or any material referenced in such Content or any information entered into licensee’s product by users or other persons and/or any material available on or that can be accessed through the licensee’s product (including via any hyperlink or otherwise) or as to non-infringement of third-party rights. Any warranties of any kind, whether express or implied, are disclaimed. Any material or data obtained through use of the McGraw-Hill Education Content is at your own discretion
20-Appendix.indd 746
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Appendix
Appendix: About the Online Content
747
and risk and user understands that it will be solely responsible for any resulting damage to its computer system or loss of data. Neither McGraw-Hill Education nor its licensors shall be liable to any subscriber or to any user or anyone else for any inaccuracy, delay, interruption in service, error or omission, regardless of cause, or for any damage resulting therefrom. In no event will McGraw-Hill Education or its licensors be liable for any indirect, special or consequential damages, including but not limited to, lost time, lost money, lost profits or good will, whether in contract, tort, strict liability or otherwise, and whether or not such damages are foreseen or unforeseen with respect to any use of the McGraw-Hill Education Content.
TotalTester Online
TotalTester Online provides you with a simulation of the CompTIA CASP+ exam. Exams can be taken in Practice Mode or Exam Mode. Practice Mode provides an assistance window with hints, references to the book, explanations of the correct and incorrect answers, and the option to check your answer as you take the test. Exam Mode provides a simulation of the actual exam. The number of questions, the types of questions, and the time allowed are intended to be an accurate representation of the exam environment. The option to customize your quiz allows you to create custom exams from selected domains or chapters, and you can further customize the number of questions and time allowed. To take a test, follow the instructions provided in the previous section to register and activate your Total Seminars Training Hub account. When you register you will be taken to the Total Seminars Training Hub. From the Training Hub Home page, select CASP+ All-in-One Exam Guide (CAS-003) TotalTester from the Study drop-down menu at the top of the page, or from the list of Your Topics on the Home page. You can then select the option to customize your quiz and begin testing yourself in Practice Mode or Exam Mode. All exams provide an overall grade and a grade broken down by domain.
Pre-Assessment Test In addition to the exam questions, the TotalTester also includes a CompTIA CASP+ pre-assessment test to help you assess your understanding of the topics before reading the book. To launch the pre-assessment test, click CASP+ Pre-Assessment. The CompTIA CASP+ pre-assessment test has 50 questions and runs in Exam Mode. When you complete the test, you can review the questions with answers and detailed explanations by clicking See Detailed Results.
Other Book Resources
The following sections detail the other resources available with your book. You can access these items by selecting the Resources tab, or by selecting CASP+ All-in-One Exam Guide (CAS-003) Resources from the Study drop-down menu at the top of the page or from the list of Your Topics on the Home page. The menu on the right side of the screen outlines all of the available resources.
20-Appendix.indd 747
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Appendix
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
748
Performance-Based Questions In addition to multiple-choice questions, the CompTIA CASP+ exam includes performance-based questions (PBQs), which, according to CompTIA, are designed to test your ability to solve problems in a simulated environment. More information about PBQs is provided on CompTIA’s website. You can access the performance-based questions included with this book by navigating to the Resources tab and selecting PerformanceBased Questions Quiz. After you have selected the PBQs, an interactive quiz will launch in your browser.
Downloadable Content The Resources tab also includes links to download additional content that accompanies this book. The downloadable content for this book includes a bonus Glossary PDF.
Glossary
A bonus PDF Glossary from the book has been included for your review. You can access the Glossary by navigating to the Resources tab and selecting CASP+ Glossary from the Downloads section of the menu.
Technical Support
For questions regarding the TotalTester or operation of the Training Hub, visit www.totalsem.com or e-mail [email protected]. For questions regarding book content, e-mail hep_customer-service@mheducation .com. For customers outside the United States, e-mail international_cs@mheducation .com.
20-Appendix.indd 748
11/03/19 3:18 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
GLOSSARY
802.11 A wireless specification created by the Institute of Electrical and Electronics Engineers (IEEE) that helped globally standardize wireless local area network communications. 802.1x A port-based network access control method that requires users to authenticate prior to connecting to a wired or wireless network. acceptable use policy (AUP) A policy that states what employee responsibilities are with respect to accessing and using information resources within the organization. acceptance testing A testing method used to determine if software is performing in a way that is acceptable to users based on business requirements. access control list (ACL) In terms of file systems, it’s a list of permissions by user, computer, and group accounts, associated with a specific object. Active Directory (AD) A Microsoft Windows directory service technology that provides a structured, secure, and hierarchical object database for a network including users, computers, group policies, printers, and other services. ActiveX A Microsoft software framework designed for Internet Explorer, built on object-oriented programming technologies, for the purpose of running dynamic media content. Address Space Layout Randomization (ASLR) Involves the operating system randomizing the operating locations of various portions of an application (such as the application executable, APIs, libraries, and heap memory) in order to confuse a hacker’s attempt at predicting a buffer overflow target. Advanced Encryption Standard (AES) A symmetric block encryption algorithm adopted by the U.S. government and widely used to encrypt data. after-action report A post-incident process that implements the security recommendations gleaned from the lessons-learned report. Agile An accelerated development approach that favors smaller milestones, reduced long-term planning, and the ability to revisit previous phases without restriction. alert fatigue The result of administrators no longer monitoring alerts due to too many false positives. algorithm A step-by-step mathematical process frequently used for cryptography.
749
21-Glossary.indd 749
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
750
annualized loss expectancy (ALE) The expected monetary loss associated with an asset and a specific risk over a one-year period. It can be expressed as the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). annualized rate of occurrence (ARO) The probability that a specific risk will occur in a single year. artificial intelligence (AI) Involves computers performing tasks with a human-like intelligence. Asynchronous JavaScript and XML (AJAX) A common programming methodology used to improve the end-user experience in web applications by permitting web applications to send and retrieve data from a server in the background without interfering with the content of the existing page. attestation The act of certifying some element to be true and doing so in a fashion that provides a form of evidence as to its authenticity. audit The process of inspecting organizational records and processes to determine compliance with requirements. authentication The process of verifying the legitimacy of a claimed identity. Authentication, Authorization, and Accounting (AAA) The set of security services used to manage the critical functions of determining identity, permissions, and activity tracking. Authentication Header (AH) A protocol from the IPSec suite that provides integrity, data origin authentication, and protection from replay attacks. AH does not provide confidentiality. authorization The process of determining the access scope and permissions a user has to resources. baseline A point-in-time measurement of what we agree is the acceptable level of normal performance. benchmark A point-in-time measurement that is only focused on that particular point in time. big data Refers to huge amounts of mostly unstructured data that is often too large for standard systems to process. black-box testing Simulates black hat hackers by starting off penetration tests without prior knowledge of the organizational network. blockchain A large chain of financial transaction records that, rather than being stored on centralized financial servers, are actually chained to each other as a decentralized and linear series of blocks. Blowfish A symmetric block cipher that uses key sizes between 32 and 448 bits, with 16 rounds of processing on 64-bit message blocks.
21-Glossary.indd 750
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
751
Bluetooth A wireless technology standard designed for exchanging information between devices such as mice, keyboards, headsets, smartphones, smart watches, and gaming controllers—at relatively short distances and slow speeds. bots Automated programs that perform a specific task, such as crawling the Web from link to link. bring your own device (BYOD) A mobile device strategy that allows users to bring personal mobile devices into the workplace to access organizational resources. buffer overflow Occurs when the size of the data being read is larger than the destination buffer, which causes an overflow condition resulting in application failure. building automation system (BAS) A centralized management system that controls and monitors facilities and environmental technologies. business continuity planning (BCP) The plans a business develops to continue critical operations in the event of a major disruption. business impact analysis (BIA) Documents the various risks to an organization and the resulting impact from disasters should those risks come to fruition. business partnership agreement (BPA) A type of legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. CAST-128 A symmetric block cipher with either 40-bit or 128-bit keys, while utilizing 12 or 16 rounds of processing on 64-bit message blocks. Certificate Authority (CA) A service that generates, issues, validates, and revokes digital certificates. certification revocation list (CRL) A list of certificates that have been revoked by a Certificate Authority. chain of custody A detailed record of evidence handling, from its collection, preservation, and analysis, to presentation in court and disposal. Challenge Handshake Authentication Protocol (CHAP) A three-way handshake protocol used to authenticate a user over a network without having to send a cleartext password. change monitoring A monitoring technique that checks for signs of failed or successful attempts at modifying network configuration baselines as well as any signs of unauthorized devices or behaviors being introduced into the network. chief information security officer (CISO) The title for the executive-level position with responsibility over information security in an organization. choose your own device (CYOD) A mobile device strategy that enables a business to publish a limited list of devices that employees can buy.
21-Glossary.indd 751
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
752
cipher A cryptographic algorithm that performs a specific method of encryption or decryption. AES, RSA, and SHA-2 are examples of ciphers. ciphertext The resulting encrypted data that was caused by inputting the original plaintext into an encryption cipher. clickjacking An attack where a user is tricked into clicking something on a web page, causing a different operation than the one expected to be performed. closed-circuit television (CCTV) A private television system usually hardwired in security applications to record visual information. cloud computing According to NIST, cloud computing is defined as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” cloud security broker Cloud-based security policy environments that reside between an organization’s on-premises network and some other cloud provider’s network. code reuse Involves the authorized use of someone else’s proven code, or knowledge about code, to improve your software development efforts. code review The proofreading of source code to discover and mitigate software vulnerabilities before they make it onto the finished product. code signing The application of digital signature technology to computer code, executable files, scripts, and resource files. Common Access Card (CAC) A smartcard-based personnel identification system implemented by the U.S. Department of Defense that can be used for a variety of identification purposes, including computer system authentication. Common Criteria An international standard for computer security evaluations and certification. Common Internet File System (CIFS) The name associated with an Application layer network protocol used for file and resource sharing. From Microsoft, CIFS is also known as Server Message Block (SMB). community cloud A model that involves a group of organizations that collectively own, share, or consume a common cloud computing infrastructure as a result of mutual interests like software interfaces and security features. Computer Emergency Response Team (CERT) The name CERT is a trademark held by the Software Engineering Institute and should not be used without their permission. This term has been used to identify the members of the expert group that investigates and responds to computer security incidents. A more correct term to use for incident response teams is computer security incident response team (CSIRT) or computer incident response team (CIRT).
21-Glossary.indd 752
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
753
computer incident response team (CIRT) The term used to identify the members of the expert group that investigates and responds to computer security incidents. configuration baseline A standardized configuration across an application, operating system, or device. configuration lockdown The concept of sealing configurations into our network devices to prevent unauthorized changes. configuration management database (CMDB) Automatically tracks the state of enterprise assets such as hardware, software, policies, documentation, networks, and staff throughout the life cycle of these assets—in addition to managing and tracking the relationships between these assets. configuration profile A group of settings applied to mobile devices and computers to control device features including the operating system and applications. containerization The process of isolating corporate data into a protected and encrypted container stored on the mobile device. containers An OS feature in which its kernel divides itself into multiple isolated instances, or containers––each of which is allocated to an application. From the application’s viewpoint, a complete OS instance has been allocated, when in fact it has only received a smaller isolated OS “portion.” Containers have a reduced hardware footprint as compared to virtual machines. content management system (CMS) Typically, web-based applications that encourage enterprise-wide collaboration with web applications and documentation between multiple contributors creating, editing, and publishing content. context-aware authentication Builds on conventional authentication methods by also considering the user’s technological and environmental characteristics. context-aware management The application of restrictive policies to mobile devices based on certain device conditions like location or time of day. continuity of operations (COOP) A detailed plan of how essential functions of an organization will be handled during an emergency or disaster. continuous monitoring Involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls. Control Objectives for Information and Related Technologies (COBIT) A set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). corporate owned, personally enabled (COPE) A mobile device strategy in which corporations buy devices for employees while permitting business and personal usage of devices.
21-Glossary.indd 753
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
754
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) An enhanced data cryptographic encapsulation mechanism designed for use over wireless LANs based on the counter mode with CBC-MAC from AES. Credential Security Support Provider (CredSSP) CredSSP lets an application delegate a user’s credentials from client to server over a secure channel. cross-certification trust model A process involving the CAs from one hierarchical trust model trusting the CAs from another hierarchical trust model. cross-site request forgery (CSRF or XSRF) A method of attacking a system by sending malicious input to the system and relying on the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user’s browser. cross-site scripting (XSS) A method of attacking a system by sending script commands to the system input and relying on the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site. cryptocurrency A digital form of currency that uses powerful cryptographic methods to secure financial transactions through a decentralized or peer-to-peer network. cryptographic service provider Windows software libraries that make the Microsoft CryptoAPI available to applications that require cryptographic capabilities. cryptography The science of hiding or making information unreadable to unauthorized parties. cryptoprocessor Chips often built inside of Trusted Platform Modules (TPMs) that perform complex cryptographic functions. customer relationship management (CRM) A model, typically implemented via a software suite, that facilitates interactions with customers, customer service, technical support, and other areas of the business. cyclic redundancy check (CRC) An error-detection methodology that can offer limited data integrity functionality. data custodian The individual responsible for implementing the decisions made by the data owners. Data Encryption Standard (DES) An older symmetric block cipher that uses 56-bit keys. Data Execution Prevention (DEP) A security feature of an operating system that can be driven by software, hardware, or both, designed to prevent the execution of code from blocks of data in memory.
21-Glossary.indd 754
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
755
data loss prevention (DLP) Technology, processes, and procedures designed to detect when unauthorized removal of data from a system occurs. DLP is typically active, preventing the loss of data, either by blocking the transfer or dropping the connection. data owner The individual responsible for deciding how certain data should be used and managed. data remnants Unwanted pieces of information that remain after a deletion operation. data retention A requirement that organizations hold onto data for a predetermined period of time, typically, as per a state or federal law. data sovereignty A concept that stipulates that once data has been collected on foreign soil, it is subject to the laws of that particular nation. data-at-rest encryption Refers to the encryption of data while it is inactive on a storage medium. database activity monitor A tool that monitors the transactions and other activity of database services. data-in-transit encryption Refers to the encryption of data as it travels across a network. data-in-use encryption Refers to the encryption of data while it is in use in memory types such as RAM, in addition to cache and register memory locations on the CPU. dd A Unix and Linux command-line tool that allows for the conversion, formatting, and copying of files. This includes drive cloning, disk wiping, data recovery, backup, and modification of boot records. de facto standard A standard that is widely accepted by an industry but for which no formal standardization process has been undertaken. decryption The process of using a decryption key to convert unreadable ciphertext into readable plaintext. deep learning A deeper form of machine learning in which technology tools don’t use any baseline factors to guide the learning; rather, the technology decides for itself what learning and classification modalities to implement based on the inputs it receives. deep packet inspection A technique used by application-level and next-generation firewalls involving the scanning and analyzing the headers, state, and data portions of packets before allowing or dropping them. demerger The process of breaking apart two previously combined organizations into separate organizations. demilitarized zone (DMZ) A network zone of limited trust that exists between trusted and untrusted zones to protect trusted zones from direct contact with untrusted zones.
21-Glossary.indd 755
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
756
denial of service (DoS) Actions taken to make a resource unavailable for its intended use. A DoS attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have available for use. deperimeterization The removal of the logical barrier between organizations and the outside world. deterrence The process of discouraging threat actors from performing unauthorized actions through warnings or the threat of consequences. Diffie-Hellman (DH) An algorithm that enables two systems to generate and securely distribute a symmetric key over a public channel. Although it allows for key distribution, it does not provide encryption or digital signature functionality. digital certificate Electronic documents used to provide attribution of a public key to a user, computer, or service. Digital Encryption Standard (DES) A 56-bit key-based block cipher, now considered obsolete. Its successor, triple DES, involves three rounds of DES, and has in turn been replaced by AES. digital forensics The application of scientific methods to electronic data systems for the purposes of gathering specific information from a system. Digital Rights Management (DRM) Uses technology to restrict how digital copyrighted works can be used once published. digital signature The implementation of both hashing and asymmetric cryptography to verify integrity and nonrepudiation of information. Digital Signature Algorithm (DSA) A U.S. government standard for implementing digital signatures. direct object reference Occurs when an application request refers to the actual name of objects, such as files, folders, database, or storage elements. DirectAccess A Microsoft remote access technology that allows connectivity for remote users without requiring user interaction or pre-established VPN connections. Directory Service Centralized identity and access management systems that store information about network objects, in addition to providing authentication, authorization, location, management, and auditing services upon those network objects. disaster recovery plan (DRP) A detailed operational plan for the prioritized recovery of services after a disaster or other form of service disruption. discretionary access control (DAC) An access control model where the owner of data decides who can access data and at what level. disruptive technologies Groundbreaking advancements that change everything about how people perform tasks.
21-Glossary.indd 756
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
757
distributed denial of service (DDoS) A method of denial of service in which the attack comes from a distributed vector. divestiture The process of an organization selling off one of its business units. Domain Name Service (Server) (DNS) A service that converts a human-recognizable network name (such as www.example.com) to an IP address. due care Addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. due diligence Requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. dumpster diving The process of digging through people’s trash to find confidential information. Dynamic Link Library (DLL) A shared library file that can contain code, data, and resources, and acts as a shared library element in Microsoft Windows environments. eavesdropping The unauthorized interception of communications between other parties. e-discovery The electronic discovery of evidence. electromagnetic interference (EMI) The disruption of electronics due to an electromagnetic field. ElGamal An asymmetric cipher that is based on Diffie-Hellman but is capable of not only digital signatures but also encryption and key exchange. Elliptic Curve Cryptography (ECC) An asymmetric cipher that provides digital signatures, key distribution, and encryption capabilities. ECC has found a niche in low-power and computationally constrained devices. Encapsulated Security Payload (ESP) A protocol from the IPSec suite that provides confidentiality, connectionless integrity, data origin authentication, and protection from replay attacks. Encrypted File System (EFS) A security feature of Windows (from Windows 2000 onward) that enables the transparent encryption/decryption of files on the system. encryption Process of converting readable information into an unreadable format. enterprise license agreement (ELA) A software licensing model in which software is licensed for use across an enterprise, as opposed to a per-machine installation model. enterprise resilience Consists of an organization’s ability to adapt to short-term and long-term changes.
21-Glossary.indd 757
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
758
enterprise resource planning (ERP) Business process management software that permits enterprises to use a consolidated platform of business application modules to manage enterprise-wide activities such as customer service, human resources, accounting, sales, payroll, purchase orders, and many more. enterprise security architecture (ESA) A framework to align operational security capabilities with organizational goals and objectives. Enterprise Service Bus (ESB) A software architecture model used to define communications between software applications in a Service Oriented Architecture. Evaluation Assurance Level (EAL) A method of rating operating systems according to their level of security testing and design. eXtensible Access Control Markup Language (XACML) Defines a declarative access control policy language. Extensible Authentication Protocol (EAP) An authentication framework designed to define message formats and methods providing for the transport and usage of the keying material and parameters used in authentication. EAP is not a specific authentication mechanism. Federal Information Security Management Act (FISMA) A law aimed at government agencies for the sole purpose of enforcing various security requirements on government networks and devices. federation A group of trusted organizational networks that permit users from one network to seamlessly use its network credentials to access resources located at another network without having to resort to a separate identity-verification step involving user interaction. Fiber Channel Over Ethernet (FCOE) The encapsulation of fiber channel frames over an Ethernet network, permitting the use of the Fiber Channel Protocol across an Ethernet-based network. file integrity monitoring (FIM) Software that ensures that operating system, application, and data files maintain their intended state. File Transfer Protocol (FTP) An application-level protocol for the transfer of files from one system to another. File Transfer Protocol Secure (FTPS) An application-level protocol used to transfer files over a network connection that uses FTP over an SSL or TLS connection. fingerprinting The process of determining specific details about a system, including port numbers, services, operating systems, vulnerabilities, and accounts. flood guard A network device that blocks flooding-type DoS/DDoS attacks, frequently part of an IDS/IPS.
21-Glossary.indd 758
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
759
Foremost A forensic data recovery command-line tool used on Linux primarily for law enforcement to recover deleted or corrupted data from drives. fuzzing A software testing methodology used to detect input validation errors. gap analysis Analyses the differences between an organization’s present state of security and its recommended or desired state. General Data Protection Regulation (GDPR) A privacy law signed by the European Union (EU) enforcing data protection and privacy requirements for all individuals within the EU, and other parties that conduct business with the EU. Generic Routing Encapsulation (GRE) A tunneling protocol designed to encapsulate a number of different protocols across an IP network. geofencing The process of creating a logical or virtual boundary around a mobile device. geolocation The process of identifying a device’s geographical location by using GPS or cell towers. geotagging The process of attaching geographically related information to common media types such as pictures, videos, SMS messages, and even websites. GNU Privacy Guard (GPG) A series of well-known cryptographic functions that provide for key exchange, confidentiality, integrity, and nonrepudiation of electronic communications. Governance, Risk, and Compliance (GRC) A unified management approach to strategically achieving business objectives, keeping risks at a tolerable level, and following all required laws and requirements. Gramm–Leach–Bliley Act (GLBA) A financial law that includes provisions for financial organizations to protect the privacy of customer data. The Safeguards Rule and Privacy Rule carry out these requirements. gray-box testing Simulates a malicious non-administrator who has partial knowledge of the network. Group Policy A set of rules that provides for centralized management and configuration of a Windows operating system, user configurations, and applications. guidelines Specify optional and recommended security controls or processes to be followed. hard disk drive (HDD) A physical device designed to store data, typically on magnetic spinning platters. hardware security module (HSM) Devices that provide key generation and safeguarding services, speed up specific cryptographic operations on platforms requiring strong authentication, and provide access control capabilities.
21-Glossary.indd 759
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
760
hashed message authentication code (HMAC) The use of a cryptographic hash function and a message authentication code to ensure the integrity and authenticity of a message. hashing The process of running data through a mathematical function to produce a message digest of a specified size. Health Information Technology for Economic and Clinical Health Act (HITECH) An extension of HIPAA that widens the scope of privacy and security protections available under HIPAA. It increases the potential legal liability for noncompliance and provides for more enforcement. Health Insurance Portability and Accountability Act (HIPAA) A healthcare regulation signed in 1996 that provides standards for the management and protection of protected health information (PHI). heating, ventilation, and air conditioning (HVAC) A facilities management system that permits central control of the heating and cooling temperatures for the enterprise. host intrusion detection system (HIDS) An intrusion detection mechanism that is located on and designed to protect a specific machine. host intrusion prevention system (HIPS) An intrusion prevention mechanism, which is an IDS with automated actions in response to specific rules, located on the host it is protecting. HTTP interceptor A device or program that captures web traffic between the source web browser and the destination website. hunt teaming A comprehensive process of security teams seeking out any signs of attack against the organizational network. hybrid cloud A combination of multiple cloud models such as public, private, and community cloud models. hyper-converged infrastructures Virtualizes converged infrastructures into a softwaredefined solution. Hypertext Markup Language version 5 (HTML5) An enhanced version of HTML that supports more multimedia capabilities, added mobile device support, plus many other features. Hypertext Transfer Protocol (HTTP) A protocol for the transfer of material across the Internet that contains links to additional material. Hypertext Transfer Protocol over SSL/TLS (HTTPS) A protocol for the transfer of material across the Internet that contains links to additional material that is carried over a secure tunnel via SSL or TLS.
21-Glossary.indd 760
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
761
hypervisor Software that can virtualize hardware into software versions of CPUs, RAM, hard drives, and NICs, to enable the utilization of multiple isolated operating systems on the same set of physical hardware. IDEA A symmetric block cipher that uses a 128-bit key size and performs 8.5 rounds of processing on 64-bit message blocks. identification The process of a user, device, or service claiming an identity. identity management The process in a computer system of managing the individual identities and assigning credentials to users. identity proofing The process of verifying people’s identities before an organization issues them accounts and credentials. Identity Provider (IdP) A Security Assertion Markup Language (SAML) item that creates, maintains, and manages individual identity information. incident response A team-led activity of detecting and responding to security breaches. incident response team A group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations. information classification The process of placing specialized security labels on objects like files and folders to indicate their criticality and sensitivity to an organization. information technology governance (IT governance) The implementation of processes where executive management actively ensures that IT is being used in the most effective and efficient manner by those responsible for it. Information Technology Infrastructure Library (ITIL) An IT services framework that provides best practices for the alignment of IT services with organizational objectives. Infrared Data Association (IrDA) An organization that created a set of protocols permitting communications between devices using infrared wireless signals. infrastructure as a service (IaaS) The automatic, on-demand provisioning of infrastructure elements, operating as a service; a common element of cloud computing. inherent risk The risk that an incident will pose if no security controls are put into place. initialization vector (IV) A data value used to seed a cryptographic algorithm, providing for a measure of randomness. Inline Network Encryptors (INE) Devices that encrypt sensitive information en route between sources and destinations across insecure networks like the Internet and company WAN links. integer overflow Occurs when a number is too large to be stored in the variable.
21-Glossary.indd 761
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
762
Integrity Measurement Architecture (IMA) A secure boot method that provides assurances that the Linux OS has a trusted boot environment. interconnection security agreement (ISA) An agreement that documents the IT security requirements between organizations that own connected systems. International Organization for Standardization (ISO) The world’s largest standards organization, which creates standards for many industries, including security and technology. Internet Control Message Protocol (ICMP) The protocol in the IP protocol suite for transmitting messages concerning errors in packet transmissions in IP networks. Internet Engineering Task Force (IETF) A large, international community of network administrators, designers, vendors, and researchers who are concerned with the evolution of the Internet and its continued operation. Internet Key Exchange (IKE) A protocol used when setting up IPSec to document the required security association between the parties. Internet Protocol (IP) A suite of protocols that define the requirements for packet transfers across IP networks. Internet Protocol Security (IPSec) A suite of protocols for security packets that traverse an IP network. interoperability agreement A broad category of agreements that include data, technology, and communication-sharing requirements between two or more organizations. jailbreaking The process of removing certain security restrictions from iOS devices such as iPhones and iPads. JavaScript A scripting language developed by Netscape and designed to be operated within a browser instance. JavaScript Object Notation (JSON) A language-independent data format derived from JavaScript. It utilizes a simple text format for the storage and exchange of data between a browser and web applications. job rotation Provides cross-training benefits in addition to reducing employee fraud. key A small secretive piece of alphanumerical information fed into a cipher to turn a cipher’s predicable plaintext/ciphertext patterns into outcomes unpredictable to those without the key—while being predictable to those in possession of the key. key distribution center (KDC) A system designed to reduce the risks associated with the exchange of cryptographic keys. Also, a component of the Kerberos authentication system. key escrow The process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises.
21-Glossary.indd 762
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
763
key performance indicators Quantifiable metrics used to evaluate the success of technology, processes, or people meeting an organization’s performance goals. key risk indicators Measure the amount of risk an activity brings to an organization. Layer 2 Tunneling Protocol (L2TP) A networking protocol designed to establish a tunnel to support virtual private networks (VPNs). L2TP does not provide encryption services itself, instead relying on the traffic generator and consumer to set up encryption over the tunnel. least privilege Ensures that each individual in the organization is supplied with only the absolute minimum amount of information and privileges needed to perform their work tasks. legal hold A process that permits organizational compliance with legal directives to preserve all digital and paper records in anticipation of possible litigation. lessons learned A post-incident process of evaluating what took place during the incident, including organizational successes and mistakes. Lightweight Directory Access Protocol (LDAP) An application protocol for accessing and maintaining directory information over IP, using a subset of the standard Directory Access Protocol. Lightweight Extensible Authentication Protocol (LEAP) A version of EAP developed by Cisco prior to 802.11i to push 802.1X and WEP adoption. load balancer A network device that distributes computing across multiple computers. Local Area Network Manager (LANMAN) A Microsoft method of storing a password so that it can be exchanged with other, non-Microsoft-based networks. Now considered insecure because of its methods that can be exploited to reveal passwords. logical unit number (LUN) A unique identifier, used in the management of block storage elements shared as a storage area network (SAN). It identifies a specific logical unit, which may be a part of a hard disk drive, an entire hard disk, or several hard disks in a storage device. loop protection The requirement to prevent bridge loops at the Layer 2 level, which is typically resolved using the spanning tree algorithm on switch devices. machine learning (ML) A type of AI where computers use certain built-in learning factors to guide its learning and adaptation of data. managed security service (MSS) The outsourcing of security and network services to another organization. managed security service provider (MSSP) Third-party organization that provides dedicated security services to cloud subscribers.
21-Glossary.indd 763
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
764
mandatory access control (MAC) An access control system that enforces security and requires every object have an identity and a base set of rules that are always and consistently applied. mandatory vacation Forced employee vacations to permit organizational audits into employee activities to determine possible malicious activities or fraud being committed against the organization. Master Boot Record (MBR) A strip of data on a hard drive in Windows systems meant to result in specific initial functions or identification. master service agreement An all-encompassing agreement between multiple organizations that serves as the building block for future agreements, transactions, and business documents. MD5 A hashing algorithm that produces 128-bit ciphertext hashes with four rounds of processing on 512-bit blocks. mean time between failure (MTBF) The statistically determined period of time between failures of the system. mean time to recovery (MTTR) The average time a system will take to recover from a failure. media access control (MAC) A data communication protocol that enables multiple communication channels to a host while enabling channel-access-control mechanisms to manage the traffic flow in the Data Link layer of the OSI stack. memdump A Linux command-line utility that can dump physical and kernel memory contents to both local storage and network locations. memorandum of agreement (MOA) A document between parties specifying the details of responsibilities for a cooperative effort associated with a project or common goal. memorandum of understanding (MOU) A document executed between two parties that defines some form of agreement. memory dumping The process of dumping memory contents to the hard drive for offline analysis. memory leak Occurs when an application fails to correctly manage memory, which can lead to a memory shortage. message authentication Uses codes to authenticate messages. message authentication code (MAC) A short piece of data used to authenticate a message. See “hashed message authentication code (HMAC).” MicroSD hardware security module Tiny hardware security module card that plugs into the microSD port of smart devices such as Android smartphones and tablets.
21-Glossary.indd 764
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
765
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Microsoft’s first proprietary implementation of CHAP. It provides better password storage than CHAP but is otherwise considered weak by today’s standards. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) An enhanced Microsoft proprietary protocol that provides mutual authentication between endpoints to prevent rogue server attacks and other nonrepudiation and integrity violations. It also uses different keys for sending and receiving. mobile device management (MDM) Software that enables enterprises to manage heterogenous mobile devices and desktops by using various policies to control device features, the operating system, and applications. Multimedia Messaging Service (MMS) An enhanced text messaging service that can also include pictures and videos. Multiprotocol Label Switching (MPLS) A highly scalable routing methodology that uses short labels for routing rather than looking up long network addresses in complex routing tables. MPLS can carry both circuit-based and packet-based traffic. multitenancy The process of cloud computing organizations making a shared set of resources available to multiple organizations and customers. National Institute of Standards and Technology (NIST) A U.S. government agency charged with developing and maintaining standards associated with technology and measurements. nbtstat A command-line tool that allows troubleshooting of NetBIOS-related issues by displaying TCP/IP connections and protocol statistics based on NetBIOS network activity. nc A Unix/Linux command-line utility designed to connect to or host various types of network connections with other systems. near field communication (NFC) A group of communication protocols that permit devices such as smartphones to communicate when they are within a few centimeters of each other. netstat A command-line tool designed to display generalized network connections and protocol statistics for the TCP/IP protocol suite. network access control (NAC) A technical approach to improving network security through the control of network access by ensuring all devices have proper security controls in place and active before granting network access. Network Address Translation (NAT) The act of modifying IP addresses to packets when crossing a network device to allow local IP addresses (nonroutable IP addresses) the ability to be routed across an IP network.
21-Glossary.indd 765
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
766
network attached storage (NAS) The use of network connections to attach file-level storage to computers. Network Basic Input/Output System (NetBIOS) A system that provides communication services across a local area network. network enumerator Software that scans systems and give us more details such as usernames, groups, shares, and audit options. network intrusion detection system (NIDS) An intrusion detection system that monitors traffic using a sensor on a network connection allowing it to cover multiple machines. network intrusion prevention system (NIPS) An intrusion prevention system that monitors traffic using a sensor on a network connection allowing it to cover multiple machines. Network Mapper (Nmap) An industry-leading port scanner that can perform numerous port scan types, spoofing, network enumeration, and other network features. New Technology LANMAN (NTLM) A deprecated security suite from Microsoft that provides authentication, integrity, and confidentiality for users. Because it does not support current cryptographic methods, it is no longer recommended for use. nondisclosure agreement (NDA) A legal contract between parties detailing the restrictions and requirements borne by each party with respect to confidentiality issues pertaining to information to be shared. nonrepudiation The assurance that a message, action, or activity originated from the stated source. NX (no-execute) bit Refers to CPUs reserving certain areas of memory for containing code that should not be executed. OAuth A token-based authorization standard that permits an end user’s resources or account information to be shared with third parties without also sharing their password. object request broker (ORB) The concept of using a piece of software to allow computer programs to make calls between different programs on different systems. Online Certificate Status Protocol (OSCP) A protocol used to quickly request the revocation status of a digital certificate. This is an alternative to certificate revocation lists. open source intelligence Refers to the collection of valuable information from public sources. OpenID A protocol that provides users with a mechanism to consolidate their various digital identities.
21-Glossary.indd 766
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
767
operating level agreement (OLA) An internal agreement in an organization as to the requirements to support a service level agreement. order of volatility Describes the order in which digital evidence should be collected before it disappears. out-of-band management A network management technique that uses a dedicated interface to deliver management traffic through a separate channel from normal network communications. outsourcing An act of using another organization to assume responsibility over a business process. passive vulnerability scanner Scanners that analyze network traffic in order to nonintrusively discover vulnerabilities with organizational assets. Password Authentication Protocol (PAP) A plaintext authentication protocol used by Point-to-Point Protocol (PPP) to validate users. password cracker Specialized tool designed to determine unknown passwords via dictionary, brute-force, hybrid, or rainbow table attacks. patch management The process of acquiring, testing, deploying, and maintaining a patching solution for an organization’s devices. Payment Card Industry Data Security Standard (PCI DSS) A standard created by credit card companies that requires all organizations that process payment cards to protect both the transactions and the cardholder data with a variety of security controls. penetration testing The practice of simulating attacks on organizational targets in order to prepare organizations for malicious hackers. Perfect Forward Secrecy (PFS) The property of a cryptosystem where the case of a future compromise of a key does not affect security of previous messages using different keys. This implies that the compromise of a single key only compromises messages encrypted by that key. personally identifiable information (PII) Information that can be used to identify individuals, including elements such as social security number (or other government ID number), date of birth, address, and so on. pharming Using phishing e-mails to redirect victims to hacker websites. phishing Using e-mail to trick victims into revealing confidential account and financial information through malicious links, filling out website forms, or running software they shouldn’t. piggybacking The process of unauthorized individuals tricking an authorized individual into consenting to give them access into a restricted area.
21-Glossary.indd 767
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
768
pivoting The process of compromising a host in order to use that host to compromise other hosts on the network. platform as a service (PaaS) A cloud computing service that permits customers to develop, run, and manage their applications directly on the cloud platform. This frees customers from having to also build and maintain the underlying infrastructure. Microsoft Azure or Amazon AWS are common PaaS examples. Point-to-Point Protocol (PPP) A protocol for connecting network nodes at the Data Link layer. PPP is capable of providing authentication and encryption and is compatible with many different physical network methodologies. Point-to-Point Tunneling Protocol (PPTP) The use of generic routing encapsulation over PPP to create a methodology used for virtual private networking. Port Address Translation (PAT) The manipulation of port information in an IP datagram at a point in the network to map ports in a fashion similar to Network Address Translation’s change of network address. port scanner A tool designed to scan one or more systems to determine which TCP/ UDP ports are “open,” “closed,” or “filtered.” Port Security Provides assurances that only approved devices are permitted to communicate on its ports. pre-shared key (PSK) A secret that has been previously shared between parties and is used to establish a secure channel. Pretty Good Privacy (PGP) A popular program used to encrypt and decrypt files and e-mails for secure communications across insecure networks. Developed by Philip Zimmerman in 1991, for safe political free speech worldwide, it has become the de facto standard. Now a commercial product, freeware and similar versions are available on the Web. privacy The desire to control the use of one’s personal data. privacy impact assessment A process for determining whether privacy-related data is properly handled by the organization. private cloud Allows the local organization to be the sole beneficiary of an infrastructure that duplicates many of the public cloud benefits, like on-demand selfservicing, ubiquitous network access, resource pooling, rapid elasticity, agility, and service measuring. privilege escalation An attack that elevates the privileges of the currently logged-on user to a higher level to increase control over the compromised system. procedure The operational-level, step-by-step details on how to achieve a specific business process. process Predictable series of steps needed to achieve an objective.
21-Glossary.indd 768
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
769
Protected Extensible Authentication Protocol (PEAP) A protected version of EAP developed by Cisco, Microsoft, and RSA Security that functions by encapsulating the EAP frames in a TLS tunnel. Protection Profiles (PPs) The Common Criteria replacement for EALs, PPs provide more accurate and trustworthy assurance levels for operating system evaluations. protocol analyzer A hardware or software tool designed to capture and analyze traffic passing over a communications channel, such as a network. proxy server A hardware or software system that acts as a connection intermediary between internal clients and Internet resources. pseudorandom numbers Numbers that may be deterministically generated and hence are not actually random—but appear to be random. public cloud Involves a public organization providing cloud services to paying customers (using a pay-as-you-go or subscription-based model) or nonpaying customers. public key infrastructure (PKI) The protocols, software, and systems used to manage the public keys in an enterprise setting. push-based authentication The process of pushing out a special access code to the user’s device that the user must input to a form in order to authenticate to a system. qualitative risk analysis A method for determining risk by using word-based risk descriptions such as “low,” “medium,” and “high.” quality of service (QoS) The system of providing different priorities to network traffic of various types to reduce traffic issues for delay-sensitive traffic such as voice and video. The system is based on resource reservation rather than actual quality measurement. quantitative risk analysis A method for determining risk by using calculations based on historical data associated with risk. race condition Software flaws that arise from different threads or processes having a dependence on an object or resource that affects another thread or process. radio frequency identification (RFID) A wireless technology that uses antennas, radio frequencies, and chips (tags) to keep track of an object or person’s location. rainbow table A “pre-computed” table that stores a mapping of plaintext passwords and their associated hash values to help attackers perform password attacks. rapid application development (RAD) A software development methodology that favors the use of rapid prototypes and changes as opposed to extensive advance planning. RC4 A stream cipher that was frequently used in older Wi-Fi and SSL scenarios. RC5 A symmetric block cipher with key sizes up to 2048 bits, 1 to 255 rounds of processing, on 32-bit, 64-bit, or 128-bit message blocks.
21-Glossary.indd 769
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
770
RC6 A symmetric block cipher that uses key sizes of 128, 192, and 256 bits, and performs 20 rounds of processing on 128-bit message blocks. Real-time Transport Protocol (RTP) A protocol for a standardized packet format used to carry audio and video traffic over IP networks. reconnaissance The methodical process of collecting as much information about a target as possible before attempting to hack it. recovery agent (RA) In Microsoft Windows environments, an RA is the entity authorized by the system to use a public key recovery certificate to decrypt other users’ files using a special private key function associated with the Encrypting File System (EFS). recovery time objective (RTO) The amount of time a business has to restore a process before unacceptable outcomes result from a disruption. Registration Authority (RA) The PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate. regression testing Determines if changes to software have resulted in unintended losses of functionality and security. remote access server (RAS) A server whose specific purpose is to manage remote access services to a network. Remote Authentication Dial-in User Server (RADIUS) A remote access networking protocol that provides for authentication, authorization, and accounting, as described in RFC 2865 and 2866. Remote Desktop Protocol (RDP) A Microsoft protocol that provides a secure, graphical, remote access connection over a network between computers via port 3389. remote wiping The process of sending a signal to a remote device to erase specified data. remotely triggered black hole (RTBH) A more advanced type of black hole routing in that ISPs react to DDoS attack traffic by triggering an immediate routing table update to deny traffic from affecting a destination company network. Representational State Transfer (REST) A framework that relies on various web protocols to define how clients and servers can exchange web resources with a high degree of interoperability. Request for Information (RFI) A process by which one party specifies in a formal document a request for responses on a specific topic, typically used to gather information before issuing some decision. Request for Proposal (RFP) A process by which one party specifies in a formal offering a request for other parties to submit proposals in accordance with the specifications in the document.
21-Glossary.indd 770
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
771
Request for Quote (RFQ) A process by which a party submits the requirements for some aspect of work, requesting quotes for completion of the tasks described. residual risk The risk that remains after all security controls and countermeasures have been implemented. resource exhaustion A form of denial of service where a required resource that performs some specific action is not available at the time of need. return on investment (ROI) A measurement of the benefit of an investment minus the cost of the investment. reverse proxy server A server or device that provides remote Internet devices with access to servers behind an enterprise firewall. reverse social engineering Used to trick victims into first initiating dialogue with the attacker. RIPEMD A hashing algorithm that is largely a replacement for MD5 and similar in power and performance to SHA-1. It comes in several versions, including RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. risk Refers to the probability of a threat causing a loss, and the impact of the loss caused by the threat. risk assessment The process of evaluating the probability and impact of negative outcomes from future events, with the subsequent intent on reducing or removing the risk of such negative outcomes. risk management A business process involving the identification, assessment, analyzation, and mitigation of business risks. risk profile Represents a cross-section of an organization’s comfort level concerning which risks it will and will not tolerate. role-based access control (RBAC) An access control system where users are grouped into roles and permissions are granted by role rather than by individual user. This reduces the level of administration associated with user changes. rooting The process of granting actual root-level privileges to the Android OS. RSA An asymmetric cipher that provides all the primary public key cryptographic functions, including key exchange, confidentiality, integrity, and nonrepudiation. rule-based access control (RBAC) An access control system where permissions are granted by rules rather than by individual user. This reduces the level of administration associated with user changes. runtime debugging Involves the analysis of software while it is actively running in memory.
21-Glossary.indd 771
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
772
sandboxing The practice of separating programs or files from a more generalized computing environment for testing and verification purposes. Sarbanes–Oxley Act (SOX) A U.S. government regulation that mandates corporations to implement various internal controls as well as auditing and disclosure practices. It was created to protect businesses, investors, and customers from corporate scandals. Secure Boot A booting process made available through UEFI firmware that will only load trusted, digitally signed boot files, as per the original equipment manufacturer (OEM). Secure Copy Protocol (SCP) A network protocol that supports secure file transfers. secure enclave Involves the use of a separate coprocessor from the system’s main processor to prevent the main processor from having direct access to information stored in the secure encrypted enclave. Secure FTP A method of secure file transfer that involves the tunneling of FTP through an SSH connection. This is different from SFTP, which is defined as Secure Shell File Transfer Protocol. Secure Hypertext Transfer Protocol (SHTTP) An alternative to HTTPS in which only the transmitted pages and POST fields are encrypted. Rendered moot, by and large, by widespread adoption of HTTPS. Secure Real-Time Protocol (SRTP) A secure implementation of RTP providing encryption, message authentication, integrity controls, and replay protection. Secure Shell (SSH) A protocol for obtaining a remote shell session with an operating system over a secured channel, using TCP port 22. Secure Shell File Transfer Protocol (SFTP) A secure file transfer subsystem associated with the Secure Shell (SSH) protocol. Secure Sockets Layer (SSL) An outdated protocol for securing communication sessions over IP networks using TCP. Its successor is Transport Layer Security (TLS). Secure/Multipurpose Internet Mail Extensions (S/MIME) The use of public key cryptography to secure MIME attachments to e-mail. security as a service (SECaaS) A series of security services provided to consumers by a cloud provider. Security Assertions Markup Language (SAML) Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data. Security Content Automation Protocol (SCAP) A method of using specific protocols and data exchanges to automate the determination of vulnerability management, measurement, and policy compliance across a system or set of systems.
21-Glossary.indd 772
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
773
Security Development Life Cycle (SDLC) A name used to describe the addition of security checks into a Software Development Life Cycle. Also called Security System Development Life Cycle (SSDLC). security information event management (SIEM) The name used for a broad range of technological solutions for the collection and analysis of security-related information across the enterprise. security policies Documents that provide the foundation for organizational security goals. They may include standards, processes, procedures, baselines, and guidance to ensure business requirements are met. Security System Development Life Cycle (SSDLC) A name used to describe the addition of security checks into a Software Development Life Cycle. Also called Security Development Life Cycle (SDLC). separation of duties Requires multiple individuals to work together to complete a single function. Serpent Uses key sizes of 128, 192, and 256 bits with 32 rounds of processing on 128-bit blocks. Server Message Block (SMB) The name associated with an Application layer network protocol used for file and resource sharing. From Microsoft, SMB is also known as Common Internet File Sharing (CIFS). service level agreement (SLA) An agreement between parties concerning the expected or contracted uptime associated with a system. Service Oriented Architecture (SOA) A framework for software engineering that supports interoperable services. service provider (SP) In general terms, a service provider is an organization that provides IT services to others. When used with respect to SAML, a service provider is “a role donned by a system entity where the system entity provides services to principals or other system entities,” per SAML specs. Service Provisioning Markup Language (SPML) A web protocol that permits the sharing of user, resource, and service provisioning information between a group of organizations. SHA-1 A hashing algorithm that uses 160-bit hashes with 80 rounds of processing on 512-bit blocks. SHA-2 A hashing algorithm published in 2001 as a bigger and stronger version of the SHA-1 algorithm by using SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256 ciphers. SHA-3 A hashing algorithm that is an alternative to SHA-2 and comes in different varieties, such as SHA3-224, SHA3-256, SHA3-384, and SHA-512.
21-Glossary.indd 773
12/03/19 6:07 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
774
Shibboleth An open source and web-based federated identity solution that is very popular worldwide. Short Message Service (SMS) A popular form of text messaging typically sent via mobile devices. shoulder surfing Involves observing someone entering in credentials. sideloading The process of installing applications from sources outside the official app stores. Simple Certificate Enrollment Protocol (SCEP) A protocol that provides an easy process for network equipment, software, and mobile devices to enroll in digital certificates. Simple Mail Transfer Protocol (SMTP) The standard protocol used in the routing of e-mail messages across a network. Simple Network Management Protocol (SNMP) A standard protocol used to manage network devices across a network remotely. Simple Object Access Protocol (SOAP) An XML-based specification for exchanging information associated with web services. single loss expectancy (SLE) The expected loss associated with a single incident of a risk event. single sign-on (SSO) A subset of a federated identity management system where a user’s credentials are trusted across multiple distinct systems. single tenancy The process of cloud computing organizations granting each customer their own virtualized software environment to ensure more privacy and performance and that control requirements are held to a greater standard. Skipjack A symmetric block cipher that uses key sizes of 128, 192, and 256 bits, with 32 rounds of processing on 128-bit blocks. smishing Involves sending unsolicited SMS messages to targets. SOAP A specification for exchanging information associated with web services. social engineering Focuses on manipulating or compromising people into revealing confidential information. software as a service (SaaS) The provisioning of software as a service, commonly known as on-demand software. software assurance The process of providing guarantees that any acquired or developed software is fit for use and meets prescribed security requirements. Software Development Life Cycle (SDLC) Represents the various processes and procedures employed to develop software.
21-Glossary.indd 774
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
775
Software Requirements Traceability Matrix (SRTM) A document, typically in the form of a table, that allows the cross-reference of requirements, implementation, and testing information. software-defined networking Centralizes the configuration and control of network devices by decoupling the control element of network devices from the forwarding element. solid-state drive (SSD) A mass storage device, such as a hard drive, that is composed of electronic memory as opposed to a physical device of spinning platters. spam filter A security appliance designed to remove spam at the Network layer before it enters e-mail servers. Spam over Internet Messaging (SPIM) Spam sent over an instant messaging channel. spear phishing A type of phishing that targets a specific individual as opposed to the random individuals targeted by regular phishing attacks. Spiral Utilizes the incremental progress and revisitation rights of Agile, but within the relative confines of the Waterfall approach. standard The required elements regarding the implementation of controls or procedures in support of a security policy. standard operating environment (SOE) An IT industry term used to describe a standard implementation of hardware and software to optimize operational efficiencies. Start of Authority (SOA) An SOA record in a DNS system contains information about a zone and the DNS records associated with it. state management A method of managing web-based connections generally through the use of cookies and session IDs. steganography A form of security that is designed to hide the fact that it is hiding something. storage area network (SAN) A dedicated network that provides access to data storage. Structured Query Language (SQL) injection A code injection attack that involves the insertion of malicious SQL commands to attack a database server. Subscriber Identity Module (SIM) An integrated circuit or hardware element that securely stores the International Mobile Subscriber Identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephones. Supervisory Control and Data Acquisition (SCADA) A generic term used to describe the industrial control system networks used to interconnect infrastructure elements (such as manufacturing plants, oil and gas pipelines, power generation and distribution systems, and so on) and computer systems.
21-Glossary.indd 775
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
776
symmetric key encryption Characterized by the use of the same key for both encryption and decryption. system on a chip (SoC) An electronic device that combines the functions of CPUs, memory, and other hardware onto a single circuit board. Systems Development Life Cycle (SDLC) A process for the initiating, developing/ acquiring, implementing, operating/maintaining, and disposing of systems. tailgating The process of unauthorized individuals tricking an authorized individual into providing access into a restricted area without their consent. tcpdump A command-line tool commonly used on Unix/Linux operating systems to capture network packets transferred over networks. telecommuter An individual who primarily works from home. teleworker An individual who primarily travels to locations other than the main office, such as branch offices or customer sites. Telnet A network protocol used to provide cleartext bidirectional communication over TCP. Temporal Key Integrity Protocol (TKIP) TKIP, also called Wi-Fi Protected Access (WPA), was created to replace the WEP protocol after it was discovered to be flawed. Terminal Access Controller Access Control System (TACACS) A remote authentication system that uses the TACACS protocol, defined in RFC 1492, and TCP or UDP port 49. tethering The process of sharing a wireless Internet connection with other devices via the Wi-Fi, USB, or Bluetooth protocol. threat actor An individual responsible for actions that lead to losses for other individuals or organizations. threat intelligence The methodical process of collecting information about cybersecurity threats. threat modeling A process of identifying and analyzing a threat’s objectives, attack vectors, requirements, and the various ways in which it might exploit the vulnerabilities of an asset. tokenization The process of using a nonsensitive value (token) as a substitute for the original sensitive value (credit card number). total cost of ownership (TCO) A financial methodology where all costs, both direct and indirect, are included in the estimate.
21-Glossary.indd 776
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
777
Transmission Control Protocol / Internet Protocol (TCP/IP) A connection-oriented protocol for communication over IP networks. Transport Layer Security (TLS) The IETF standard protocol for establishing a secure connection over an IP network, built upon and replacing SSL. Triple Digital Encryption Standard (3DES) The use of three rounds of DES to improve security. Triple DES is now considered obsolete. Trivial File Transfer Protocol (TFTP) A simplified version of FTP used for lowoverhead file transfers using UDP port 69. trusted operating system An OS we can place a certain level of trust in based on the various levels established by the Orange Book or other government requirements. Trusted Platform Module (TPM) A secure chip that contains a cryptoprocessor that stores keys and provides other cryptographic functions in hardware. Tshark A network protocol analyzer that captures network traffic from a live network or can read packets that were previously captured and saved into capture files. Twofish A symmetric block cipher that uses key sizes between 128 and 256 bits, with 16 rounds of processing on 128-bit blocks. Type 1 Hypervisor Server-based hypervisor that sits between the VMs and the hardware. Type 2 Hypervisor Client-based hypervisor that sits between the VMs and the host operating system. unified communications systems A term that describes all forms of business communication—audio, video, multimedia data, text, and messaging. unified threat management Network devices that incorporate the functions of multiple network and security appliances into a single appliance. uninterruptible power supply (UPS) A power supply with a built-in battery that provides power even in the event of loss of line power. unit testing Isolates every line of code in an application and performs an individual test on that code. Universal Description Discovery and Integration (UDDI) An OASIS-backed standard that uses XML to allow entities to register themselves and locate web services across the Internet. universal resource locator (URL) A specific character string used to point to a specific item across the Internet.
21-Glossary.indd 777
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
778
user acceptance testing (UAT) The application of acceptance-testing criteria to determine fitness for use according to end-user requirements. User Access Control (UAC) A Microsoft Windows security methodology of having a user run in nonprivileged mode until privilege is required and then specifically asking the user to respond to the request for higher privilege. Used as a security feature to prevent shadow installs. User Datagram Protocol (UDP) A connectionless protocol for data transmission across an IP network. video teleconferencing (VTC) A business process of using video signals to carry audio and visual signals between separate locations, thus allowing participants to communicate via a virtual meeting instead of traveling to a physical location. Modern video-conferencing equipment can provide very realistic connectivity when lighting and backgrounds are controlled. Virtual Desktop Infrastructure (VDI) The use of servers to host virtual desktops by moving the processing to the server and using the desktop machine as merely a display terminal. VDI offers operating efficiencies as well as cost and security benefits. virtual local area network (VLAN) A switching methodology designed to segment a network into a series of administratively enforced segments. Although frequently used for security, VLANs are designed for traffic control, not security. Virtual Machine (VM) An emulation or simulation of a computer system. They permit the running of an operating system in an isolated window, which behaves like a separate instance of a computer. Virtual Network Computing (VNC) A platform-independent graphical desktop sharing protocol that uses the Remote Frame Buffer (RFB) protocol. virtual private network (VPN) A methodology of tunneling across a public open network to provide a private network service with required security attributes of confidentiality, integrity, and authentication. virtual storage area network (vSAN) Using the VLAN model, portions of fiber channel storage can be used to create fabrics of virtual storage areas. virtual TPMs Pieces of software that simulate the capabilities of a physical TPM chip in order to provide VMs with TPM-like capabilities. virtualization The act of creating a virtual or simulated version of real things like computers, devices, operating systems, or applications. vishing The process of calling people on the phone while pretending to be a trusted entity.
21-Glossary.indd 778
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
Glossary
779
VM escape Occurs when malware escapes the VM, goes through the hypervisor, and attacks the host computer. vulnerability assessment Employs various techniques to discover vulnerabilities in systems without exploiting them. war dialing Involves an individual dialing up different modem phone numbers until an open modem accepts the connection. Waterfall Follows a strict, sequential life-cycle approach, where each development phase must be finished before beginning the next. It does not permit revisiting previous phases until the completion of the projection. watermarking Embedding a branded logo, trademark, or owner details into digital content for authentication of copyright materials and also the enforcement of their legal protections. web application firewall (WAF) A firewall that operates at the application level, specifically designed to protect web applications by examining requests at the application stack level. Web Services Description Language (WSDL) An XML-based language for machine readable description of a web service’s functionality details. whaling A type of phishing that targets important individuals like executives, politicians, or celebrities. Where Are You From (WAYF) A service designed to send a user to the Identity Provider (IdP) of his home organization. white-box testing Simulates a malicious administrator who has complete knowledge of the network. wildcard certificate A specific form of certificate that is bound to multiple subordinate DNS domains simultaneously. Wired Equivalent Privacy (WEP) An encryption scheme designed for Wi-Fi connections. A poor design allows the key to be determined after traffic has been intercepted, thus making the level of protection weak. Replaced by the WPA and WPA2 protocols. wireless access point (WAP) A device that connects a wireless network to a wired network. wireless controller Network appliances or software solutions that enable administrators to centralize security configurations across multiple WAPs simultaneously. wireless intrusion detection system (WIDS) An intrusion detection system established to cover a wireless network.
21-Glossary.indd 779
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Glossary
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
780
wireless intrusion prevention system (WIPS) An intrusion prevention system established to cover a wireless network. Wi-Fi Protected Access (WPA) A replacement security protocol for WEP on wireless networks, also known as TKIP, but one that is also flawed, thus leading to the development of WPA2, a secure wireless protocol. XACML See “eXtensible Access Control Markup Language.” zero knowledge proof The process of proving to others that you know a secret without actually sharing the secret with them. zero-day vulnerability Occurs when a software error or hole impacting security is discovered and exploited before a patch is developed to address the vulnerability.
21-Glossary.indd 780
12/03/19 6:08 PM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
INDEX Numbers 3DES (Triple DES), 588 3G/4G signals, 287 3-way handshake, 172 6to4 tunneling, 171 802.1x standard, 173, 560 802.11 standards, 243, 244
A AAA servers, 173, 560 acceptable use policy (AUP), 44 access, 199, 733 access control considerations, 552 discretionary, 45 mandatory, 45–46 remote access, 165–166, 269, 630–635 role-based, 45 rule-based, 46 access control lists (ACLs), 45, 182, 238 access control policy, 45–46 accountability, 127, 726 accounts, 552, 553 ACK flag, 379 ACLs (access control lists), 45, 182, 238 acquisition assessment policy, 46 acquisitions, 12, 13, 481–482, 692 Active Directory (AD), 28, 509, 572–573 ActiveX controls, 329 AD (Active Directory), 28, 509, 572–573 add-ons, 329 address space layout randomization (ASLR), 669, 670, 704 AddressSanitizer tool, 349 administrative controls, 734 administrators Active Directory domain, 28 alerts, 184–185 database, 728–729 local, 28–29 network, 729–730 new technology and, 661 privileges, 29, 320, 730 Windows, 29 Advanced Encryption Standard (AES), 587, 588–589 advisory policies, 43 adware, 218
AES (Advanced Encryption Standard), 587, 588–589 AFRINIC (African Network Information Center), 360 after-action report, 447–448 agents, 186, 196, 248, 666 agile software development, 706–707 AH (Authentication Header), 167, 186 AI (artificial intelligence), 666, 673–674, 714 AirPcap adapter, 184 AirWatch, 267, 269 AJAX (Asynchronous JavaScript and XML), 330 alarms, 122, 292. See also alerts ALE (annualized loss expectancy), 92, 95, 96 alerts, 122, 184–185 algorithms, 162, 584, 586–595 Amazon Web Services (AWS), 509 American Recovery and Reinvestment Act of 2009 (ARRA), 23 analysis tools, 393–394 Android devices fragmentation, 284–285 rooting, 280–282 versions, 284–285 Android OS, 216 Angry IP Scanner, 399 annualized loss expectancy (ALE), 92, 95, 96 annualized rate of occurrence (ARO), 92, 96 anomaly-based detection, 223–224 Anonymous group, 57, 680 ANSI standard, 464 antennas, 245, 286 antimalware, 56, 217–218, 290, 406, 530 anti-spyware, 220 antivirus (AV) software, 166, 219, 348, 406 API (application programming interface), 472–473 app stores, 269 Apple App Store, 705 Apple Pay, 283–284 application development, 700, 709 application firewalls, 159, 228 application programming interface (API), 472–473 application scanners, 384–385 application security frameworks, 700, 709 application sharing, 632–634 application wrapping, 268 application-aware technologies, 163–164 applications. See also software API/protocol issues, 467–473 blacklisting, 234–235 commercial, 471
781
22-Index.indd 781
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
782
applications (cont.) considerations, 312 COTS, 471 data formats, 472 direct object references, 313 enterprise, 486–491 in-house developed, 470–471 input validation. See input validation integration enablers, 488–491 interoperability issues, 467–473 isolating, 519 legacy, 467–468, 519 mobile. See mobile applications open source, 471–472 privileges, 320 provisioning, 480 public keys and, 613 remote access, 480 requirements, 468–469 sandboxing, 327 secure encrypted enclaves, 327 security, 309–312, 700, 709 sensitive data and, 320–321 tailored commercial, 471 vulnerabilities, 312–326 web. See web applications whitelisting, 234–235 AppLocker, 235 arithmetic overflows, 323 ARO (annualized rate of occurrence), 92, 96 ARP spoofing, 239 ARRA (American Recovery and Reinvestment Act of 2009), 23 artificial intelligence (AI), 666, 673–674, 714 AS (autonomous system), 189 AS number (ASN), 189 ASBRs (autonomous system boundary routers), 189 ASLR (address space layout randomization), 669, 670, 704 ASN (AS number), 189 asset control, 418–419 asset management, 418–419, 715–716 asset value (AV), 96 assets considerations, 4, 481 critical, 193–194, 474 defined, 418 disposal of, 696 examples of, 58 reusing, 697 separation of, 193–194 asymmetric algorithms, 591–592 asymmetric encryption, 596 asymmetric/public key cryptography, 590–592 Asynchronous JavaScript and XML (AJAX), 330 attack signatures, 224 attack surface, 311
22-Index.indd 782
attack tools/frameworks, 391–393 attackers. See hackers attacks. See also specific attacks assumed likelihood of, 476 Bluetooth, 241–242 brute-force, 395, 396, 593 clickjacking, 315–316 CSRF, 314–315 DOM-based, 314 explicit targets, 677, 678 failure of, 678 hybrid, 395 injection, 318–319, 321 latest trends, 665–667 nation, 667 reflected, 313 session hijacking, 316–317 state-sponsored, 667 stored, 314 structured, 679 SYN flood, 324 targets of opportunity, 677–678, 680 transitive, 357–358 unstructured, 678 using public sources, 358–359 VLAN-hopping, 187–188 VM escape, 534–535 website, 313–316 XSS, 314–315 zero-day, 667–670 attestation, 563 attestation services, 252 audio conferencing, 638 audio/video (A/V) systems, 199 audit logs, 183, 231–232, 429 audits/auditing cloud computing and, 506 external audits, 367 findings, 22–23 frequency, 68–69 internal audits, 23, 24, 367 overview, 183 requirements, 68–69 security issues identified, 128 Windows systems, 231–232 augmented reality, 291 AUP (acceptable use policy), 44 authentication, 552–561 802.1x, 173 attestation and, 563 vs. authorization, 561 considerations, 551, 553 context-aware, 560–561 described, 553 digital certificates. See digital certificates federation identity management, 564–569 vs. identification, 552, 553
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
783 vs. identity proofing, 563–564 identity propagation and, 564 MD5, 189, 190, 361 mobile devices, 288–290 network, 169, 172–173 overview, 585–586 password-based, 189 plaintext, 361 push-based, 561 SAML-based, 564, 565–566 simple, 703 single sign-on, 559 SSL/TLS, 558–559 two-factor, 553 username/password, 553 WS-Security, 703 authentication, authorization, and accounting. See AAA authentication factors, 553–557 Authentication Header (AH), 167, 186 authentication server, 173, 560 authenticator, 173, 560 authorization, 561–563 vs. authentication, 561 OAuth standard, 562 OpenID, 562, 567 overview, 561 SPML, 563 XACML, 562 automation, 67–68, 102–103, 474 autonomous system (AS), 189 autonomous system boundary routers (ASBRs), 189 AV (asset value), 96 AV (antivirus) software, 166, 219, 348, 406 A/V (audio/video) systems, 199 availability cloud computing and, 505 high availability, 475 overview, 83–84, 137–138 potential impact definitions, 85 presence, 641 availability controls, 83–84, 180–182 availability failures, 83 AWS (Amazon Web Services), 509 Azure, 135–136, 278, 509
B backups, 100, 271, 278, 422, 434 BACnet/IP (B/IP), 198 banner grabbing, 351 barcode tags, 715 BAS networks, 198 baseband processors, 291 baselines, 52–53, 127, 130–132 baselining, 180–181 Basic Input/Output System (BIOS), 248–252 BASs (building automation systems), 197
22-Index.indd 783
BCP (business continuity plan), 103–105, 434 Bcrypt, 593 behavioral analytics, 428–429 behavioral characteristics, 556–557 behavioral model, 698 benchmarks, 127, 130–132 BES (BlackBerry Enterprise Server), 27 BGP (Border Gateway Protocol), 189 BIA (business impact analysis), 58–59, 104 bidirectional, 631 big data, 673 biometric locks, 409 biometric readers, 199 biometric systems, 289–290, 556 BIOS (Basic Input/Output System), 248–252 B/IP (BACnet/IP), 198 Bitcoin, 616 BitLocker, 600 black box testing, 365 Black Hat conference, 676 black hat hackers, 368, 481, 679 black hole routing, 191 BlackBerry Enterprise Server (BES), 27 black-box testing, 692 blacklists, 188, 221, 317–318 block ciphers, 587, 589, 610 blockchain cryptography, 616–617, 714 block-level encryption, 602 blocks, 616 Blowfish algorithm, 590 Blue Screen of Death, 348–349 blue team, 368 Bluetooth attacks, 241–242 Bluetooth locks, 409 Bluetooth technology, 241–242, 288 Bluetooth tethering, 288 body cameras, 292, 295 boot loader protections, 249–253 Border Gateway Protocol (BGP), 189 botnets, 190, 221 bounds checking, 322 BPA (business partnership agreement), 60 Bring Your Own Device (BYOD), 26–27, 272–273, 561, 617 browser extensions, 329 brute-force attacks, 395, 396, 593 buffer overflows, 322–323, 391 bugs, 309–310, 351 building automation systems (BASs), 197 business continuity plan (BCP), 103–105, 434 business continuity team, 104 business contracts, 61–62 business decisions, 127, 430 business desktop, 28 business documents, 58–62 business impact analysis (BIA), 58–59, 104 business models, 8, 13
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
784
business objective, 6 business partnership agreement (BPA), 60 business partnerships, 9, 48, 60 business unit interactions, 725–743 governance, risk, and compliance, 736 roles, 725–734 security requirements, 725–734 security within teams, 735–736 senior management and, 730–731, 734–735 businesses/organizations acquisitions, 12, 13, 481–482, 692 changes to, 53–57 demergers/divestitures, 12, 13, 481–482 mergers, 12, 13, 481–482 resiliency of, 108 strategies, 8–9, 13 BYOD (Bring Your Own Device), 26–27, 272–273, 561, 617
C CA (Certificate Authority), 557, 570, 610–612 CA servers, 271, 570 CACs (common access cards), 615 cameras, 197, 292, 295 canary values, 322 CanSecWest, 677 capability, 136 CAPTCHAs, 364 CAST-128 algorithm, 589 CAST-256 algorithm, 589 casting, 269 CC (Common Criteria), 214, 215 C&C (command and control) server, 190 CCB (Change Control Board) process, 690–691, 695, 696 CCE (Common Configuration Enumeration), 389 CCTVs (closed-circuit televisions), 733 cell phones. See smartphones Center for Internet Security (CIS), 660 centralized computing, 501–502, 503 centralized servers, 503, 526 centralized storage, 516, 518 centralized virtual desktops, 526, 527 CERT (computer emergency response team), 675 Certificate Authority. See CA certificate pinning, 616 certificate revocation list (CRL), 614 certificates. See digital certificates Certification and Accreditation Process, 691 certification practices statement (CPS), 612 Certified in Governance of Enterprise IT (CGEIT), 23 Certified Information Security Manager (CISM), 23 CGEIT (Certified in Governance of Enterprise IT), 23 chain letters, 356 chain of custody, 428, 430
22-Index.indd 784
Challenge Handshake Authentication Protocol (CHAP), 172 Change Control Board (CCB) process, 690–691, 695, 696 change management, 46, 694, 695–696 change monitoring, 180 change-of-state (CoS) events, 200 CHAP (Challenge Handshake Authentication Protocol), 172 chief information officer (CIO), 98 chief security officer (CSO), 98–99 choose your own device (CYOD), 26, 273, 561 CI (continuous integration), 708 CIA triad, 81–87, 180–181, 726 CIDR (Classless Inter-Domain Routing), 171 CIO (chief information officer), 98 cipher locks, 408 ciphers, 44, 584 ciphertext, 583 CIS (Center for Internet Security), 660 CIs (converged infrastructures), 525–526 Cisco routers/switches, 182, 188, 190 CISM (Certified Information Security Manager), 23 classified information, 69 Classless Inter-Domain Routing (CIDR), 171 clean desk policy, 46, 353 clear box testing, 365 cleartext, 583 CLI (command-line interface), 168, 239, 397 clickjacking, 315–316 clients, 24, 168, 196 client/server architecture, 501, 502 client-side processing, 328–333 closed-circuit televisions (CCTVs), 733 Cloud Act, 21 cloud bursting, 512 cloud computing advantages of, 505 availability and, 137–138, 505 basics, 504–507 community, 512–513 considerations, 26, 504, 508–509, 629, 667 content filtering, 532 data security and, 506–507, 534–538 deployment models, 508–515 encryption and, 534 hosting options, 508–513 hybrid, 511–512 issues associated with, 10–11, 26, 506–507 mobile devices and, 278–279 multitenancy, 513 network separation and, 534, 535 on-premises, 509, 510, 514, 530, 539 outsourcing and, 27, 514 overview, 501–504 password cracking and, 395 private clouds, 505, 510–511, 513
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
785 provisioning and, 479 public, 509–510 redundancy and, 181 sandboxing and, 531–532 scalability and, 135–136 SECaaS, 533 security services for, 530–533 separating critical assets, 194 single tenancy, 513 vulnerabilities, 530–531, 533–538 cloud providers, 10, 26, 278, 505–514, 532 cloud security brokers, 532–533 cloud service models, 515 cloud-based collaboration, 647 cloud-based tools, 25–26, 530–533 CMDB (configuration management database), 487–488 COBIT (Control Objectives for Information and Related Technologies), 22 COBIT 5 (Control Objectives for Information and Related Technology 5), 105–106 code signing, 598 code/coding. See also software development analysis of, 705 best practices, 702 code reuse, 326 code reviews, 351 continuous integration, 708 dynamic code, 705 error handling, 319–320 exception handling, 319–320 forbidden coding techniques, 703 fuzzers, 390, 705 NX (no-execute) bit use, 704 peer reviews, 712 quality of, 704 security and, 310–312, 709, 728 software programmers, 727–728 static code, 705 testing plans/methods, 711–712 verification/validation, 711–712 versioning, 708 XN (never-execute) bit use, 704 cognitive dynamics, 557 Cold War era, 679 collaboration, 635–647, 735–736. See also communications collaboration sites/tools, 635–647 collisions, 595 color-team exercises, 367–368 command and control (C&C) server, 190 command shell restrictions, 235–236 command-line interface (CLI), 168, 239, 397 command-line tools, 397–404 commercial off-the-shelf (COTS) applications, 471 commissioning, 692–693 common access cards (CACs), 615
22-Index.indd 785
Common Configuration Enumeration (CCE), 389 Common Criteria (CC), 214, 215 Common Object Request Broker Architecture (CORBA), 473 Common Platform Enumeration (CPE), 389 Common Vulnerabilities and Exposures (CVE), 389, 531 Common Vulnerability Scoring System (CVSS), 389 communication plan, 104 communications, 629–647. See also collaboration conferencing, 635–638 considerations, 99, 104 e-mail. See e-mail instant messaging, 283, 356, 357, 640–641 overview, 629 presence, 641 remote access, 630–635 telephony/VoIP, 643–644 unified, 635–647 community cloud computing, 512–513 company devices, 281–282 competitors, 22, 96 complexity, 28 compliance, 126, 736 compliance controls, 734 compliance laws, 698 compliance policies, 270 computer emergency response team (CERT), 675 computer security incident response teams (CSIRT), 675 computer-based social engineering, 355–357 conditional access policies, 270 conferences, 635–638, 676–677 confidential information, 13, 69–70, 584 confidentiality, 13, 82, 85, 584 confidentiality, integrity, and availability. See CIA triad configuration files, 321 configuration lockdowns, 180 configuration management, 694–695 configuration management database (CMDB), 487–488 consolidation, 514, 517 containerization, 266 containers, 523–525 content filtering, 532 content screening, 317–318 context-aware authentication, 560–561 context-aware management, 275–277 continuity of operations, 434 continuity of operations planning (COOP), 103–105 continuous integration (CI), 708 continuous monitoring, 67–68, 102–103 contracts, business, 61–62 Control Objectives for Information and Related Technologies (COBIT), 22
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
786
Control Objectives for Information and Related Technology 5 (COBIT 5), 105–106 controls. See security controls conventions, 676–677 converged infrastructures (CIs), 525–526 cookies, 20, 316, 322, 332 COOP (continuity of operations planning), 103–105 COPE (Corporate Owned Personally Enabled), 26, 28, 273 copyrights, 604–605 CORBA (Common Object Request Broker Architecture), 473 Corporate Owned Personally Enabled (COPE), 26, 28, 273 CoS (change-of-state) events, 200 cost benefit analysis, 138–139 COTS (commercial off-the-shelf ) applications, 471 CPE (Common Platform Enumeration), 389 CPS (certification practices statement), 612 CPU utilization, 131, 132, 517 credentials, 563–564 credit card readers, 286–287 credit cards, 18, 242, 283–284, 680 criminal actions, 428 critical infrastructure, 200–201 CRL (certificate revocation list), 614 CRM (customer relationship management), 486 cross-certificates, 611 cross-site request forgery (CSRF), 314–315 cross-site scripting (XSS), 313–314 CRR (Cyber Resilience Review), 108 cryptocurrency, 616–617 cryptographic algorithms, 44 cryptographic key, 583 cryptographic modules, 603–604 cryptographic service providers, 604 cryptography, 583– 627. See also encryption asymmetric/public key, 590–592 blockchain, 616–617, 714 considerations, 609 fundamentals, 583–586 goals of, 584 implementations, 603–618 vs. steganography, 602–603 symmetric key encryption, 586–590 terminology, 583–584 tools/techniques, 586–603 cryptojacking, 667 cryptoprocessors, 604 CSIRT (computer security incident response teams), 675 CSO (chief security officer), 98–99 CSRF (cross-site request forgery), 314–315 customer demand, 54 customer relationship management (CRM), 486 customer requirements, 24 customers, 9, 24, 54, 486, 509, 513
22-Index.indd 786
CVE (Common Vulnerabilities and Exposures), 389, 531 CVSS (Common Vulnerability Scoring System), 389 Cyber Resilience Review (CRR), 108 cyber superpowers, 679 cybersecurity. See security cyberwarfare, 57 CYOD (choose your own device), 26, 273, 561
D DAC (Discretionary Access Control), 45 daisy chaining, 357–358 DAMs (database activity monitors), 164, 327 data. See also information analyzing, 424–425 backups, 100, 271, 278, 422, 434 big data, 673 breaches. See data breaches centralized, 516, 518 cloud considerations, 506–507, 534, 535–538 commingling, 533–534 confidential, 13, 69–70, 584 consolidating, 514 corporate-owned, 270 cross-border flow of, 20–21 degaussing, 325, 539 deleting, 325–326, 507, 531, 538–539 destruction/disposal of, 49, 419, 420 dispersing, 505 equipment disposal and, 693 evidence. See evidence handling, 421 integrity, 13 legal holds, 421 managing, 506–507, 534 on mobile devices, 269–270, 277–279 overwriting, 325 persistent/nonpersistent, 474–475 personal, 62, 266, 271, 295–296 PHI, 14–16, 427, 433 PII, 17, 62–63, 427, 433 protecting, 506–507, 534, 535–538 replicating, 505 retention of, 46 sensitive. See sensitive data standard formats, 472 states, 599 storing. See data storage trend, 132–133 volatility, 437 data aggregation, 477 data at rest, 295 data breaches, 421–426. See also incidents after-action report, 447–448 considerations, 477 cost of incidents, 445 detection, 422–424
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
787 disclosure of, 426 downtime, 445 evidence. See evidence external communications, 426 incident detection/response, 426–429 internal/external, 427 isolation techniques, 425, 477 legal ramifications, 445–446 lessons learned, 447 mitigation/response, 424–425 notification laws, 422 overview, 421–422 post-incident response, 446–448 recovery/reconstitution, 425–426 root-cause analysis, 446–447 scope, 444, 445 severity of, 444–446 data centers, 108, 181 data centralization, 516, 518 Data Encryption Standard (DES), 588 Data Execution Prevention (DEP), 669, 670 data flow, 175–179, 462–463 data formats, 472 data interfaces, 239 data isolation, 425, 477 data leakage, 358 data length, 317 data loss, 422, 424 data loss prevention (DLP), 175–176, 225–226 data minimization, 424–425 data ownership, 421, 478 data privacy laws, 21 data recovery, 248, 420, 425–426 data recovery agent (DRA), 248 data remnants considerations, 49, 476, 507, 534 eradicating data, 480 storage and, 538–539 vulnerabilities, 325–326 data retention laws, 478 data retention policies, 46, 419–420 data security cloud computing and, 506–507, 534–538 considerations, 476 data flow, 462–463 data storage, 474, 484–485 mobile devices. See mobile security remnants. See data remnants virtualization and, 535–538 data sovereignty, 21, 478 data storage centralized, 516, 518 considerations, 311 data remnants and, 538–539 mobile devices, 277–279 NAS, 484–485 privacy/security and, 484–485
22-Index.indd 787
SAN, 484–485 sensitive data, 320–321 strategies, 419, 420 data types, 20, 175–177, 179, 475 data volume, 478 data-at-rest encryption, 600–602 database activity monitors (DAMs), 164, 327 database administrators, 728–729 database scanners, 385 databases CMDB, 487–488 considerations, 164, 728–729 encryption, 729 NVD, 531 security tips, 728–729 software/hardware inventory, 716 data-in-memory/processing encryption, 600 data-in-transit, 295, 599 dd tool, 438–439 DDoS (distributed denial-of-service) attacks, 190–191, 505 debugging tools, 349 decision-making authority, 104 decommissioning, 692–693 decryption, 583, 601 dedicated interfaces, 237 deep learning, 674 deep packet inspection (DPI), 176–177 DEFCON conference, 676–677 Defense Information Systems Agency. See DISA defense-in-depth, 194, 195, 482, 483 degaussing, 325, 539, 696 Deleaker tool, 349 delegation, 195, 483, 572 demergers/divestitures, 12, 13, 481–482 demilitarized zone (DMZ), 191, 192–193 denial-of-service, 190–191, 324–325, 505 denial-of-service (DoS) attacks, 190–191, 324–325 DEP (Data Execution Prevention), 669, 670 Department of Homeland Security (DHS), 108 deperimeterization, 25–26 deployment diagrams, 483–484 DES (Data Encryption Standard), 588 design models, 698 design phase, 698 desktop sharing, 632–634 desktops, virtual, 169–170, 526–528 detection, 422–424 development environment. See software development development phase, 699 development/acquisition phase, 690 device circumstances, 275–277 devices external, 239–247 firmware, 175 healthcare, 200
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
788
devices (cont.) IoT, 56–57, 661, 667 mobile. See mobile devices network. See network devices personally managed, 28–29 SCADA, 201 software, 175 USB, 240–241 UTM, 152 virtual, 480, 538 wearable, 292–296 wireless, 26 DevOps units, 706 DHCP snooping, 239 DHS (Department of Homeland Security), 108 dial-up communications, 630–631 DIAMETER standard, 560 dictionary attacks, 395 Diffie-Hellman algorithm, 591 dig tool, 403 digital certificates as authentication, 557–559 basics, 610–616 SCEP services and, 271–272 validating, 613 digital evidence. See evidence digital forensics, 66, 296, 431–433 digital privacy, 21 Digital Rights Management (DRM), 604–605 Digital Signature Algorithm (DSA), 591–592, 596 digital signatures, 274–275, 585, 595–597 direct object references, 313 DirectAccess, 631–632 Directive 2009/136/EC, 63 directory services, 488–489 DISA (Defense Information Systems Agency), 660 DISA Approved Products List, 671, 672 disaster recovery, 47, 434–435, 518–519 Disaster Recovery Plan (DRP) Policy, 47 disaster recovery plans, 47, 103–105, 434 disclosure, 426 Discretionary Access Control (DAC), 45 disintegrating drives, 696 disk encryption, 247–248, 600–601 disruptive technologies, 714–715 Distinguished Name (DN), 557 distributed denial-of-service (DDoS) attacks, 190–191, 505 divestitures, 12, 13 DLP (data loss prevention), 175–176, 225–226 DMZ (demilitarized zone), 191, 192–193 DN (Distinguished Name), 557 DNA scan, 556 DNS (Domain Name System), 489–490 DNS records, 362–363 DNS reverse lookup, 362 DNS servers, 362, 403, 489
22-Index.indd 788
DNS zone transfers, 362–363, 403 documents. See also files business documents, 58–62 collaboration tools, 638–639 sharing, 638–639 software development life cycle, 709–711 storage of, 638–639 DocuSign, 562 domain bridging, 290–291 domain controllers, 573 Domain Name System. See DNS entries domain names/details, 359–360 DOM-based attacks, 314 DoS (denial-of-service) attacks, 190–191, 324–325 double tagging, 187–188 downtime, 128, 445, 467 DPI (deep packet inspection), 176–177 DRA (data recovery agent), 248 drives destroying, 326, 476, 539, 696 encryption, 296, 326 erasing/sanitizing, 696 mapping/mounting, 246 redundant, 181 reusing, 697 DRM (Digital Rights Management), 604–605 dronejacking, 667 DRP (Disaster Recovery Plan) Policy, 47 DSA (Digital Signature Algorithm), 591–592, 596 DTP (Dynamic Trunking Protocol), 187 due care, 64 due diligence, 12, 64 DumpIt utility, 349, 443 dumpster diving, 353 dynamic code analysis, 705 dynamic routing, 361 Dynamic Trunking Protocol (DTP), 187
E EALs (Evaluation Assurance Levels), 215 EAP (Extensible Authentication Protocol), 172 ease of use, 55 eavesdropping, 353 ECC (Elliptic Curve Cryptography), 592, 618 e-discovery, 11–12, 418–421 EDR (endpoint detection and response), 233 EF (exposure factor), 96 EFS (Encrypting File System), 248, 601–602 eFuse technology, 280 egress, 26, 239 EHRs (electronic health records), 200 EK (endorsement key), 252 electronic health records (EHRs), 200 electronic inventory, 418–419 ELGamal algorithm, 591–592 Elliptic Curve Cryptography (ECC), 592, 618
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
789 e-mail attachments, 47 chain letters, 356 considerations, 640 handling of, 47 hoax letters, 356 HTML, 47, 221 IMAP, 642 MIME, 608 overview, 641–642 phishing, 129, 352, 355, 642 POP, 642 protocols, 642 security, 642 SMTP, 642 social engineering via, 352, 355 spam. See spam e-mail policies, 47 e-mail servers, 408 emergency response, 104, 429–430 emergency response team, 732 EMET (Enhanced Mitigation Experience Toolkit), 670 employees. See also users administrators. See administrators database administrators, 728–729 delegation, 195, 483, 572 disgruntled, 680 emergency response team, 732 ethics, 48 facilities manager, 733 financial personnel, 731–732 human resources, 732 ID badges, 353 job rotation, 64–65 legal counsel, 733–734 mandatory vacation, 65 mobile, 165–166 motivation, 728, 735, 736 network administrators, 729–730 outsourcing, 9–10, 514 personal information, 68 physical security manager, 733 piggybacking, 353 programmers, 727–728 recruitment/hiring process, 66 remote access, 50, 165–166 resignation/termination, 66, 271 sales staff, 726–727 security challenges, 729, 735–736 security training/awareness, 122, 713–714 separation of duties, 64, 537 shoulder surfing, 354 social engineering and. See social engineering social media and, 671–673 tailgating, 353 telecommuters, 25–26 teleworkers, 26
22-Index.indd 789
total cost of ownership and, 139 training/awareness, 68 vishing, 354–355 Encapsulated Security Payload (ESP), 167, 186 enclaves, 25, 327 Encrypting File System (EFS), 248, 601–602 encryption. See also cryptography AES, 587, 588–589 asymmetric, 590–592, 596 block-level, 602 cloud computing and, 534 considerations, 333, 534 data loss and, 422, 424 data-at-rest, 600–602 databases, 729 data-in-transit, 599 data-in-use, 600 described, 583 disk, 247–248, 600–601 drive, 296, 326 files, 247–248, 601–602 full memory, 600 homomorphic, 600 mobile devices, 617–618 passwords, 554 records, 602 symmetric key, 586–590 wearable technology, 295 XML, 566 end-entity certificates, 610 endorsement key (EK), 252 endpoint detection, 232–233 endpoint detection and response (EDR), 233 endpoint security software, 217–233 Enhanced Mitigation Experience Toolkit (EMET), 670 enterprise applications, 486–491 enterprise mobility management, 265–277 enterprise resilience, 107–108 enterprise resource planning (ERP), 487 Enterprise Service Bus (ESB), 491 enterprise standard operating environment, 28 enterprise wired networks, 290 enumeration tools, 390 equipment. See hardware erasing, 696 error handling, 319–320 error messages, 319–320 errors, 309–310, 319, 323 ESB (Enterprise Service Bus), 491 ESP (Encapsulated Security Payload), 167, 186 Ethernet switches, 560 ethical hacking, 662, 679 ethics policy, 48 EU (European Union), 63 EU Directives, 9, 19–20, 63 European Union. See EU evaluation, 692
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
790
Evaluation Assurance Levels (EALs), 215 evidence admission of, 431 analyzing, 424–425 chain of custody, 428, 430 collecting, 66, 423 criminal, 428 destruction of, 421 e-discovery, 418–421 handling of, 66, 431 legal holds, 421 evil twin attack, 359 exception handling, 319–320 executive management. See senior management expert witnesses, 431 exploitation tools/frameworks, 391–393, 405 exploits, 666 export controls, 20–21 exposure, 666 exposure factor (EF), 96 eXtensible Access Control Markup Language (XACML), 562 Extensible Authentication Protocol (EAP), 172 Extensible Configuration Checklist Description Format (XCCDF), 389 Extensible Markup Language. See XML Extensible Messaging and Presence Protocol (XMPP), 641 external I/O restrictions, 239–247 extranet policy, 48 extranet zone, 191, 193
F Facebook, 282 facial scans, 290, 556 facilities management, 197, 733 failure mode effects analysis (FMEA), 93 false negatives/positives, 122, 385 fault injection, 321 FDE (full disk encryption), 600 features, 55 Federal Information Processing Standard (FIPS), 82 Federal Information Security Management Act (FISMA), 18, 63, 82 federation identity management, 564–569 file carving, 444 file integrity monitoring (FIM), 405 files. See also documents classifications, 69–70 configuration, 321 encryption, 247–248, 601–602 log. See log files permissions, 247–248 printer, 321 sharing, 638–639 storage of, 638–639
22-Index.indd 790
FIM (file integrity monitoring), 405 FIN scans, 381 financial data, 176 financial institutions, 17 financial personnel, 731–732 fingerprint scans, 290, 556 fingerprinting, 290, 350–351, 556 FIPS (Federal Information Processing Standard), 82 firewall policy, 48 firewalls application, 159, 228 characteristics, 158 considerations, 158, 228 host-based, 226–229 latency and, 134–135 Linux systems, 227–228 network ingress/egress, 158 network-based, 158–159, 229 NGFW, 159 overview, 158–159, 223, 226 packet-filtering, 158, 228 physical, 158–159 requirements, 48 rules, 122, 158, 226, 228 scenarios, 229 stateful, 159 web application, 163, 327 Windows systems, 220, 226–227, 659 firmware, 175, 270, 334–335 firmware updates, 248–249, 270 FISMA (Federal Information Security Management Act), 18, 63, 82 fitness devices, 293 flash drives, 50 flood guards, 157 FMEA (failure mode effects analysis), 93 footprinting, 349–350 foremost tool, 444 forensics, 66, 296, 431–433 forgery, 315 formal proofs, 711 Foursquare, 282 fragmentation, 170, 284–285 FTP services, 311 full disk encryption (FDE), 600 functional model, 698 fuzzers/fuzzing, 321, 390, 705
G G Suite products, 278 gap analysis, 122–123 GDPR (General Data Protection Regulation), 9, 20–21, 63, 667 General Data Protection Regulation (GDPR), 9, 20–21, 63, 667 generators, 181
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
791 geofencing, 276 geographic bundaries, 21 geolocation, 276 geotagging, 282–283, 325 gestures, 288–289 glasses, smart, 293–294 GLBA (Gramm-Leach-Bliley Act), 17, 63 global IA industry, 674–675 Global System for Mobile Communications (GSM), 587 GNU Privacy Guard (GPG), 592, 605–606 Google Drive, 278 Google Glass, 293 Google hacking, 363, 364 Google Play, 705 governance, 736 governance, risk, and compliance (GRC), 736 GPG (GNU Privacy Guard), 592, 605–606 GPMC (Group Policy Management Console), 235 Gramm-Leach-Bliley Act (GLBA), 17, 63 graphical user interface (GUI), 397 gray box testing, 365 gray hats, 679 grayware, 218 GRC (governance, risk, and compliance), 736 GRE tunneling, 171 Group Policy, 235 Group Policy Management Console (GPMC), 235 GSM (Global System for Mobile Communications), 587 GUI (graphical user interface), 397 guidelines, 51
H Hackers On Planet Earth (HOPE), 677 hackers/hacking Anonymous, 680 black hats, 368, 481, 679 ethical hackers, 662, 679 Google hacking, 363, 364 government-sponsored, 57 hacktivists, 678, 680 identifying, 678–679 military-sponsored, 57 motivation, 95–96, 679 script kiddies, 678, 679–680 state-sponsored, 57 suicide hackers, 350, 678 threat actors, 677–679 white hats, 365 hacking groups, 678 hacktivism, 678 hacktivists, 678, 680 Hadoop framework, 673 HAIPE (High Assurance Internet Protocol Encryptor), 155 hard drives. See drives
22-Index.indd 791
hardening, 233–249, 333 hardware anti-tampering, 280 disposal of, 693 failures, 537 inventory control, 716 repair/replacement, 693 vulnerabilities, 253–254 hardware abstraction, 518 hardware security modules (HSMs), 162 hash ciphers, 585 hash functions, 593, 594–595, 609 hash values, 585 hashing, 585, 593–595 HCI (hyper-converged infrastructure), 525–526 HDMI (High-Definition Multimedia Interface), 247 headsets, 294 Health Information Technology for Economic and Clinical Health Act (HITECH), 23 Health Insurance Portability and Accountability Act. See HIPAA healthcare devices, 200 Heartbleed Bug, 666 heating, ventilation, and air conditioning. See HVAC heuristic analytics, 429 heuristic-based detection, 219 HIDS (host-based intrusion detection system), 225 hierarchical trust model, 570 hierarchies of trust, 557 High Assurance Internet Protocol Encryptor (HAIPE), 155 High-Definition Multimedia Interface (HDMI), 247 HIPAA Security Rule, 15–16 HIPAA standard, 14, 63, 296, 464 HIPS (host-based intrusion prevention system), 225 HITECH (Health Information Technology for Economic and Clinical Health Act), 23 HMACs, 598 hoax letters, 356 home automation systems, 197 honeynets/honeypots, 668 HOPE (Hackers On Planet Earth), 677 host hardening, 233–249 host tools, 394–408 anitvirus software, 406 command-line tools, 397–404 file integrity monitoring, 405 local exploitation, 405 log analysis tools, 406 password crackers, 394–396 reverse engineering tools, 406–408 SCAP tools, 405 vulnerability scanners, 396–397 host-based firewalls, 226–229 host-based intrusion detection system (HIDS), 225 host-based intrusion prevention system (HIPS), 225 hosted cloud computing, 508–513
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
792
hosted virtual desktops, 526 hosts, compromising, 357–358 hotfix, 222 hotspots, 243, 287, 290–291 HR (human resources), 732 HSMs (hardware security modules), 162 HTML (Hypertext Markup Language), 47, 221 HTML5, 330 HTTP (Hypertext Transfer Protocol), 168, 316, 566, 606 HTTP interceptors, 391 HTTPS, 168, 606 human resources (HR), 732 human-based social engineering, 352–355 hunt teaming, 428 HVAC controllers/systems, 198 hybrid attacks, 395 hybrid cloud computing, 511–512 hyper-converged infrastructure (HCI), 525–526 Hypertext Markup Language. See HTML Hypertext Transfer Protocol. See HTTP hypervisors, 522–523
I IA (information assurance), 674–675 IaaS (infrastructure as a service), 515 IAs (interoperability agreements), 59–60 IASE (Information Assurance Support Environment), 660 ICSs (industrial control systems), 200 ID badges, 353 IDEA (International Data Encryption Algorithm), 589 identification, 552 identities, 552, 553 identity management systems, 564–569 identity proofing, 563–564 identity propagation, 564 Identity Provider (IdP), 566 identity theft, 62 IdP (Identity Provider), 566 IDS (intrusion detection system), 175, 223–225 IDS/IPS alarms, 122 IEEE (Institute of Electrical and Electronic Engineers), 243, 465 IETF (Internet Engineering Task Force), 663, 664 ifconfig tool, 401, 402 IKE (Internet Key Exchange) protocol, 167 IM (instant messaging), 283, 356, 357, 640–641 IMA (Integrity Measurement Architecture), 251 IMAP (Internet Message Access Protocol), 642 impersonation, 353 implementation phase, 690 incident response behavoral analytics, 428–429 chain of custody, 428, 430
22-Index.indd 792
considerations, 11–12, 428 criminal actions, 428 data breaches. See data breaches digital forensics, 431–433 e-discovery, 418–421 heuristic analytics, 429 hunt teaming, 428 overview, 65–66, 417, 418, 429–430 post-incident response, 446–448 tools for, 437–444 incident response cycle, 436 incident response teams (IRTs), 423, 426–427, 435–437 incidents. See also data breaches cost of, 445 detection of, 426–429 downtime, 445 impact of, 444, 445 legal ramifications, 445–446 levels of impact, 430 response to. See incident response root-cause analysis, 446–447 scope, 444, 445 severity of, 444–446 inductance-enabled transactions, 286 industrial control systems (ICSs), 200 industrial equipment, 200 industry-accepted approaches, 701–702 INEs (inline network encryptors), 155 information. See also data classification of, 69–70 confidential, 13, 69–70, 584 evidence. See evidence personally identifiable, 62–63 security, 6, 701–702 sensitive. See sensitive data sharing, 9, 60 visuals, 99 information assurance (IA), 674–675 Information Assurance Support Environment (IASE), 660 information criticality, 430 Information Systems Audit and Control Association (ISACA), 22 Information Technology Infrastructure Library (ITIL) framework, 107 informational model, 698 informative policies, 43 Infrared Data Association (IrDA), 243 infrared radiation (IR) cameras, 409 infrastructure as a service (IaaS), 515 infrastructure, critical, 200–201 ingress, 26, 239 inherent factors, 555–557 initiation phase, 690 injection attacks, 318–319, 321 inline network encryptors (INEs), 155
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
793 input validation application issues, 312–313 client-side vs. server-side, 328–332 considerations, 330, 699 fuzzing and, 321 overview, 317–318 SQL injection and, 319 inSSIDer Office, 665 Instagram, 282 instant messaging (IM), 283, 356, 357, 640–641 Institute of Electrical and Electronic Engineers (IEEE), 243, 465 integer overflows, 323 integration enablers, 488–491 integration testing, 712 integrity, 13, 82–85, 275, 584–585 Integrity Measurement Architecture (IMA), 251 integrity violations/failures, 82, 83 interceptors, 391 interconnected environment, 13–21 interconnection security agreement (ISA), 59 interference, 287 International Data Encryption Algorithm (IDEA), 589 International Organization for Standardization. See ISO International Software Testing Qualifications Board (ISTQB), 711 Internet DMZ, 191 Internet Engineering Task Force (IETF), 663, 664 Internet Key Exchange (IKE) protocol, 167 Internet Message Access Protocol (IMAP), 642 Internet of Things. See IoT Internet Protocol Security (IPSec), 166–167, 186–187 Internet security requirements, 48 Internet service providers (ISPs), 19, 181, 191 Internet usage policy, 48–49 Internet zone, 191, 193 internetworks, 360–361 interoperability agreements (IAs), 59–60 interoperability issues, 467–473 intranet zone, 191, 193 intrusion detection system (IDS), 175, 223–225 intrusion prevention system (IPS), 175, 223–225 Intune, 155, 267–268, 269 inventory control, 715–716 inventory, electronic, 418–419 IoT (Internet of Things), 57, 667, 714 IoT devices, 56–57, 661, 667 IP configuration, 401–402 IP identification (IPID) probes, 238 IP video, 197 ipchains, 227–228 ipconfig tool, 401–402 iPhones/iPads Apple Pay, 283–284 jailbreaking, 280–282 upgrades, 285
22-Index.indd 793
IPID (IP identification) probes, 238 IPS (intrusion prevention system), 175, 223–225 IPSec (Internet Protocol Security), 166–167, 186–187 iptables, 227–228 IPv4, 166, 170–171, 665 IPv6, 166, 170–171, 665 IR (infrared radiation) cameras, 409 IrDA (Infrared Data Association), 243 iris scans, 290, 556 IRTs (incident response teams), 423, 426–427, 435–437 ISA (interconnection security agreement), 59 ISACA (Information Systems Audit and Control Association), 22 ISATAP tunneling, 171 ISO (International Organization for Standardization), 7, 55, 465, 664 ISO/IEC 38500 standard, 106–107 isolation techniques, 425 ISPs (Internet service providers), 19, 181, 191 ISTQB (International Software Testing Qualifications Board), 711 IT governance, 22, 105–107 IT Governance Institute (ITGI), 22 IT projects, 129 ITGI (IT Governance Institute), 22 ITIL (Information Technology Infrastructure Library) framework, 107
J jailbreaking, 280–282 Java applets, 329 JavaScript, 332–333 JavaScript Object Notation (JSON), 328–329 job rotation, 64–65 John the Ripper, 395–396 JSON (JavaScript Object Notation), 328–329
K Kali Linux, 393 Kerberos systems, 559 key escrow, 615 key lengths, 609 key performance indicators (KPIs), 128, 129 key recovery, 615 key risk indicators (KRIs), 128–129 key stretching, 593 keyloggers, 218, 220 key-pair, 590–591 keys, 584, 599 keystroke biometrics, 556 knowledge factors, 553–555 KPIs (key performance indicators), 128, 129 KRIs (key risk indicators), 128–129
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
794
22-Index.indd 794
L
M
L2TP (Layer 2 Tunneling Protoco), 167 latency, 134–135 laws/regulations, 55, 62–63 Layer 2 Tunneling Protoco (L2TP), 167 layered security, 194, 195 LDAP (Lightweight Directory Access Protocol), 571–572 LEAP (Lightweight Extensible Authentication Protocol), 173 least connections algorithm, 162 legacy systems/software, 467–468 legal counsel, 733–734 legal holds, 421 legal issues cross-border data flow, 20–21 digital evidence, 421 incidents/breaches, 445–446 lessons-learned/after-action review, 123–124 libraries, 326, 700, 701 life cycles software development life cycle, 697–712 systems development life cycle, 689–697 Lightweight Directory Access Protocol (LDAP), 571–572 Lightweight Extensible Authentication Protocol (LEAP), 173 Linux systems best practices, 659–660 firewalls, 227–228 Kali Linux, 393 SELinux, 216 sudo command, 29 Lizard Squad, 665 load balancers, 161–162, 181 local administrator accounts, 28–29 location contexts, 276 lock alternatives, 408–409 lock picks, 408–409 log analysis tools, 406 log files audit logs, 183, 231–232, 429 formats, 230 importance of, 183, 429 instant message logs, 640 security logs, 429 system logs, 429 types of, 230 Windows Event Viewer, 229, 230–231 log monitoring, 229–232 log reduction tools, 393–394 log sources, 157 logging, 183, 429 logic bombs, 218 logical deployment diagrams, 483–484 loop protection, 157 loss, impact of, 5
M&A (mergers and acquisitions), 12, 13 MAC (mandatory access control), 45–46, 214 MAC (message authentication code), 598 MAC addresses, 188, 245 MAC filtering, 245 machine learning, 673–674 maintainability, 137 maintenance phase, 690–691, 694, 699 malware administrator privileges and, 29 antimalware packages, 217–218 considerations, 54, 56, 531 described, 217 “hall-of-fame,” 666 mobile apps, 357 mobile devices, 290 ransomware, 56, 218, 666, 713 sandboxing, 348, 408, 667 social media and, 359 Stuxnet, 200 types of, 217–218 via IM, 640–641 managed security service provider (MSSP), 11 managed security services, 11–12 management, 730–731, 734–735. See also senior management management interfaces, 238–239 management zone, 191 mandatory access control. See MAC mantraps, 199, 353 master service agreement (MSA), 60 maximum tolerable downtime (MTD), 105 MBSA (Microsoft Baseline Security Analyzer), 396–397 MD5 algorithm, 594 MD5 authentication, 189, 190, 361 MDM (mobile device management), 25, 29, 419 MDM tools application management, 269–270 configuration profiles, 266–268 context-aware management, 275–277 data management, 269–270 recommendations for, 267, 419 remote assistance access, 269 remote wiping, 271 VPN connections, 273–274 MDT (Microsoft Deployment Toolkit), 234 mean time between failure (MTBF), 105, 129, 137, 138 mean time to repair (MTTR), 105, 129, 137, 138 Measured Launch, 250–251 media disposal of, 49, 696 geotagging, 325 removable, 50 sanitizing, 696
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
795 medical data, 176 medical sensors/devices, 294 melting, 696 memorandum of understanding (MOU), 59 memory dumping, 348–349, 442–443 memory leaks, 323, 324 memory/runtime debugging tools, 349 mergers, 12, 13, 481–482 mergers and acquisitions (M&A), 12, 13 mesh networks, 173 message authentication, 598 message digest, 595 messaging, 291 Metasploit, 405 metrics. See risk metrics microphones, 246–247 microSD cards, 278 microSD HSMs, 162 Microsoft, 21 Microsoft Azure, 135–136, 278, 509 Microsoft Baseline Security Analyzer (MBSA), 396–397 Microsoft Challenge Authentication Protocol (MS-CHAP), 172 Microsoft Deployment Toolkit (MDT), 234 Microsoft initiative, 215 Microsoft Intune, 155, 267–268, 269 Microsoft Office 365, 647 Microsoft OneDrive, 278 Microsoft Point-to-Point Encryption (MPPE), 167 Microsoft SharePoint, 644, 647 Microsoft Web Protection Library, 701 MIME e-mail, 608 MIMO (multiple-input multiple-output), 244 mirroring, screen, 269 mitigation strategies, 366 MMS (multimedia messaging service), 291 MobiControl, 267 mobile applications application wrapping, 268 integrity, 274–275 malicious apps, 357 managing, 269–270 nonrepudiation, 275 permissions, 274 privacy issues, 358 repackaged apps, 357 side loading, 274 system apps, 274–275 unsigned apps, 274–275 mobile device management. See MDM mobile devices. See also smartphones applications. See mobile applications authentication, 288–290 backups, 278 biometrics, 289–290 BYOD, 26–27, 272–273, 561, 617 challenges, 266
22-Index.indd 795
cloud storage, 278–279 configuration profiles, 266–268 considerations, 265–266 containerization, 266 COPE, 28, 36, 273 CYOD, 26, 273, 561 data on, 269–270, 277–279 data storage, 277–279 employee resignation/termination, 271 encryption, 617–618 geofencing, 276 geolocation, 276 geotagging, 282–283 hardware anti-tampering, 280 ingress/egress, 26 lost/stolen, 271, 279–280 malware, 290 managing, 265 networks, 29 onboarding, 268 overview, 265 personal data on, 266, 271, 295–296 POCE, 268 push notifications, 282 remote access, 269 remote wiping, 271 screen mirroring, 269 security. See mobile security social engineering and, 357 system apps, 275 tethering, 287–288 time-based restrictions, 277 tracking, 419 USB port, 279 user behavior, 276 mobile hotspots, 287 mobile payments, 285–287 mobile security, 277–292 authentication, 288–290 biometrics, 289–290 BYOD and, 26–27 data storage, 277–279 domain bridging, 290–291 malware, 290 mobile payments, 285–287 personal data and, 266, 271, 295–296 tethering, 287–288 wearable technology, 294–296 mobile security controls, 265–307 enterprise mobility management, 265–277 privacy concerns, 277–292 security implications, 277–292 wearable technology, 292–296 mobile wallets, 286 MobileIron, 267 modems, 630 monitoring functions, 67–68, 102–103, 694 Moore’s Law, 53
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
796
motivation, 95–96, 679, 728, 735, 736 MOU (memorandum of understanding), 59 mouse dynamics, 557 MPPE (Microsoft Point-to-Point Encryption), 167 MSA (master service agreement), 60 MS-CHAP (Microsoft Challenge Authentication Protocol), 172 MSSP (managed security service provider), 11 MTBF (mean time between failure), 105, 129, 137, 138 MTD (maximum tolerable downtime), 105 Mtrace tool, 349 MTTR (mean time to repair), 105, 129, 137, 138 multimedia messaging service (MMS), 291 multiple-input multiple-output (MIMO), 244 multitenancy, 513
N NAC (network access control), 155–156, 195–196 NAP (Network Access Protection), 155 NAS (network-attached storage), 484–485 NAT (Network Address Translation), 170, 171 nation attacks, 667 National Institute of Standards and Technologies. See NIST National Security Agency (NSA), 155, 216 National Vulnerability Database (NVD), 531 nation-states, 680 natural disasters, 96 nbtstat tool, 440 nc (netcat) tool, 442 NDA (nondisclosure agreement), 10, 24, 60 near-field communications. See NFC need to know principle, 65 Nessus scanner, 383, 384, 396 NetBIOS (Network Basic Input/Output System), 440 NetBIOS over TCP/IP. See nbtstat tool netcat (nc) tool, 442 NetScanTools Pro, 390 Netscape, 606 Netstat tool, 403–404, 441 network access control (NAC), 155–156, 195–196 Network Access Protection (NAP), 155 network ACLs, 182 Network Address Translation (NAT), 170, 171 network administrators, 729–730 network availability, 129 Network Basic Input/Output System. See NetBIOS network design, 164–175 802.1x standard, 173 authentication methods, 172–173 IPv4/IPv6 technologies, 170–171 mesh networks, 173 overview, 164–165 remote access, 165–166 Remote Desktop Protocol, 168–169 reverse proxy servers, 170
22-Index.indd 796
Secure Shell, 168 security device placement, 174–175 Virtual Desktop Infrastructure, 169–170 Virtual Network Computing, 169 virtual private networks, 166–168 network devices advanced configuration, 185–191 alerts, 184–185 A/V systems, 199 best practices, 185, 730 building/home automation, 197 change monitoring, 180 firewalls. See firewalls hardware security modules, 162 HVAC controllers, 198 inline network encryptors, 155 IP video, 197 load balancers, 161–162 NIDS/NIPS, 153–154 physical access systems, 199 routers. See routers scientific/industrial equipment, 196, 200 sensors, 198 SoC, 196 software-defined networking and, 182–183 switches. See switches UTM appliances, 152 vulnerabilities, 186 wireless controllers, 159–160 network enumerators, 389–390 network firewalls, 158–159, 226, 229 network flow, 178 network intrusion detection system (NIDS), 153–154 network intrusion prevention system (NIPS), 153–154 network performance, 131 network resources, 536 network scanners, 382–385 network security, 151–212 data flow, 175–179 network access control, 155–156 route protection, 188–190 SIEM utilities, 156–157 trunking security, 187–188 network services, 11 network shares, 351 network tools, 377–394 analysis tools, 393–394 attack tools/frameworks, 391–393 auditing tools, 183 fuzzers, 390 HTTP interceptors, 391 log reduction tools, 393–394 logging tools, 183 management/monitoring, 183–185 network enumerators, 389–390
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
797 port scanners, 377–382 protocol analyzers, 386–388 SCAP scanners, 389 sniffers. See sniffers visualization tools, 393 vulnerability scanners, 382–385 network-attached storage (NAS), 484–485 network-level authentication (NLA), 169 networks authentication, 169, 172–173 BAS, 198 baselining, 180–182 Blackberry devices on, 27 configuration lockdowns, 180 design of. See network design ingress/egress, 158 internetworks, 360–361 management/monitoring, 183–185, 729–730 mesh, 173 multitier, 192 personal device, 29 quarantine, 195 resiliency, 107 SCADA, 201 security. See network security segmentation, 165–166, 194–195, 482–483 separation of, 534, 535 software-defined networking, 182–183 VLANs, 157, 195, 643 VPNs, 166–168, 273–274, 631 wired, 243, 290, 291, 664 wireless. See wireless networks never-execute (XN) bit use, 704 New Technology File System (NTFS), 45, 601 next-generation firewalls (NGFWs), 159 Next-Generation Secure Computing Base (NGSCB), 214–215 NFC (near-field communications), 242, 283–284, 286 NFC antennas, 286 NGFWs (next-generation firewalls), 159 NGSCB (Next-Generation Secure Computing Base), 214–215 NIC interface, 181, 237–238 NIDS (network intrusion detection system), 153–154 NIPS (network intrusion prevention system), 153–154 NIST (National Institute of Standards and Technologies), 7, 106, 660, 689 NIST 800 series standards, 464 NIST process, 689–691 NIST special publications, 55 NLA (network-level authentication), 169 Nmap tool, 350–351, 378, 382, 383, 399 no-execute (NX) bit use, 704 nondisclosure agreement (NDA), 10, 24, 60 nonremovable storage, 277
22-Index.indd 797
nonrepudiation, 275, 585 NOP sled, 323 NSA (National Security Agency), 155, 216 nslookup tool, 363, 403 NTFS (New Technology File System), 45, 601 NULL scans, 381 NVD (National Vulnerability Database), 531 NX (no-execute) bit use, 704
O OAuth standard, 562 Object Management Group (OMG), 473 object reuse, 697 OCEG (Open Compliance and Ethics Group), 736 OCSP (Online Certificate Status Protocol), 614, 616 OFDM (orthogonal frequency-division multiplexing), 244 OLA (operating level agreement), 60 OMG (Object Management Group), 473 onboarding, 268 OneDrive, 278 one-time password (OTP), 559 Online Certificate Status Protocol (OCSP), 614, 616 Open Compliance and Ethics Group (OCEG), 736 Open Shortest Path First (OSPF) protocol, 189, 190 open source intelligence (OSINT), 358–364 open source software, 471–472 Open Vulnerability and Assessment Language (OVAL), 389 Open Web Application Security Project (OWASP), 310, 701 OpenID, 562, 567 OpenID providers (OPs), 567 OpenSCAP tools, 389 OpenSSL, 607 OpenVPN, 167 operating level agreement (OLA), 60 operating system (OS) containers, 523–525 fingerprinting, 350–351 secure encrypted enclaves, 327 standardizing, 28 vulnerabilities, 333–334 operational activities, 693–696 operational security, 87 operations center locations, 104 operations phase, 690–691, 693–696, 699 OPs (OpenID providers), 567 Orange Book, 213–214 orchestration, 474 order of volatility, 437 organizations. See businesses/organizations orthogonal frequency-division multiplexing (OFDM), 244 OS. See operating system OSI model, 440 OSINT (open source intelligence), 358–364
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
798
OSPF (Open Shortest Path First) protocol, 189, 190 OTAP (over-the-air provisioning), 270 OTG (USB On-the-Go), 279 OTP (one-time password), 559 outages, 695 out-of-band management, 237–238 output validation, 323 outsourcing, 9–10, 11, 514 OVAL (Open Vulnerability and Assessment Language), 389 over-the-air provisioning (OTAP), 270 overwriting, 325 OWASP (Open Web Application Security Project), 310, 701
P PaaS (platform as a service), 515 packet analyzers. See sniffers packet fragmentation, 170 packet headers, 176–177 packet injection, 184 packet sniffers, 184, 386–388 packet-filtering firewalls, 158 packets, 176–177, 226 Palladium, 215 palm scan, 556 PAP (Password Authentication Protocol), 172 partnerships, 9, 48, 60 passive vulnerability scanners (PVSs), 163–164 passphrases, 554 Password Authentication Protocol (PAP), 172 password policies, 49, 555 password vaults, 554 password-based authentication, 189 passwords complexity, 554 cracking, 394–396 default, 554 encryption, 554 frequency of changes, 554 “fuzzed,” 390 hard-coded, 321 hashing and, 595 as knowledge factor, 553 length, 554 multiple factors, 554 passphrases, 554 picture, 288–289 requirements, 49 salt, 595 vs. tokens, 559 training on, 122, 731–732 WS-Security, 703 P.A.S.T.A. threat model, 670 patch latency, 128 patch management, 222–223, 236–237, 334
22-Index.indd 798
patches, 129, 166, 667–668 pathping, 400–401 Payment Card Industry Data Security Standard. See PCI DSS PBXs (private branch exchanges), 643 PCI DSS standard, 18–19, 55, 63 PCI Sata Security Standard, 19 PEAP (Protected Extensible Authentication Protocol), 172 peer reviews, 712 peer-to-peer trust model, 570–571 penetration testing, 364–365 color-team exercises, 367–368 goal of, 364 overview, 364 social engineering and, 352 types of, 365 uses for, 364 vs. vulnerability assessments, 366 perfect forward secrecy, 599 performance benchmark metrics, 126 cryptographic, 609 improvements to, 127 network, 131 overview, 134, 662 system, 131 perimeterization, 25–26 peripheral-enabled payments, 286–287 permissions, 45, 247–248, 274 personal data, 62, 266, 271, 295–296 personal device networks, 29 personal devices, 281–282 personal identification numbers (PINs), 553 personally identifiable information (PII), 17, 62–63, 427, 433 personally owned, corporate-enabled (POCE), 268 personnel. See employees PGP (Pretty Good Privacy), 592, 605 pharming, 355 PHI (protected health information), 14–16, 427, 433 phishing, 129, 352, 355, 642 physical access control systems, 199 physical controls, 734 physical deployment diagrams, 483–484 physical destruction, 326 physical reconnaissance, 295 physical security audio/video systems, 199 biometric readers/systems, 199, 289–290, 556 considerations, 733, 735 door lock alternatives, 408–409 importance of, 50 IR cameras, 409 mantraps, 199 networks, 730 physical access control systems, 199
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
799 proximity readers, 199 requirements for, 50 tools, 408–409 physical security controls, 50 physical security manager, 733 physical security policy, 50 physiological characteristics, 555, 556 PIA (privacy impact assessment), 63, 433, 693 picture passwords, 288–289 piggybacking, 353 PII (personally identifiable information), 17, 62–63, 427, 433 PIN codes, 289, 295 ping sweep, 378 ping sweepers, 351 ping tool, 397–399 pinning, 616 PINs (personal identification numbers), 553 pivoting, 357–358 PKI (public key infrastructure), 557, 570, 610–616, 642 Plain Old Telephone Service (POTS), 630 plaintext, 583 plaintext authentication, 361 plan maintenance, 104 platform as a service (PaaS), 515 plug-ins, 329 POCE (personally owned, corporate-enabled), 268 Point-to-Point Protocol (PPP), 630, 631 Point-to-Point Tunneling Protocol (PPTP), 167 policies, 42–51. See also procedures; specific policies advisory, 43 bottom-up, 48 business changes and, 53–57 categories, 43–44 clean desk, 353 communications, 641 compliance, 270 conditional access, 270 considerations, 726 data flow, 177 data retention, 419–420 enforceability of, 43 examples of, 44–51 executive buy-in, 63–64 informative, 43 IoT, 57 issue-specific, 43 listed, 44–51 managing, 693 organizational, 43 overview, 14, 41–43 password, 49, 555 policy life cycles, 42–43 policy reviews, 43 primary objective of, 87 privacy, 62–63, 433
22-Index.indd 799
regulatory, 43 reviewing, 122, 693 scope, 43 stakeholders, 86–87 standard security practices, 63–70 standards, 51, 463–467 system-specific, 43 top-down, 48 updates to, 122 virtualization platform, 538 policy certificates, 611 POP (Post Office Protocol), 642 pop-ups, 356 port scanners, 377–382 port security, 157, 188, 239 ports closed, 380, 381 disabling, 188 filtered, 380, 381 HDMI, 247 open, 333, 351, 377, 378, 381 SD, 247 SPAN, 175 specific, 378 USB, 241, 279 possession factors, 555 POST (Power-On Self-Test), 251 Post Office Protocol (POP), 642 POTS (Plain Old Telephone Service), 630 power supplies, 181 Power-On Self-Test (POST), 251 PowerShell scripting, 237 PPP (Point-to-Point Protocol), 630, 631 PPTP (Point-to-Point Tunneling Protocol), 167 presence, 641 Pretty Good Privacy (PGP), 592, 605 printer files, 321 PRISM (U.S. global surveillance program), 20 privacy impact assessment (PIA), 63, 433, 693 privacy issues. See also sensitive data considerations, 21 data storage, 484–485 defined, 62 health data, 14–16, 273, 277, 292–296 lack of privacy, 359 laws/regulations, 62–63 mobile devices, 273, 277, 292–296, 358 open source intelligence and, 358–364 privacy vs. security, 433 smart glasses and, 294 social media, 358, 359 privacy laws, 21 privacy policies, 62–63, 433 private branch exchanges (PBXs), 643 private cloud computing, 505, 510–511, 513 private keys, 590–591 privilege elevation, 535
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
800
privilege escalation, 320 privileges administrator, 29, 320, 730 applications, 320 least privilege, 65, 216–217, 729 users, 320 procedural controls, 734 procedures, 52, 122. See also policies production environment, 534 profile squatting, 359 programmers, 727–728 Protected Extensible Authentication Protocol (PEAP), 172 protected health information (PHI), 14–16, 427, 433 Protection Profiles, 215 protocol analyzers, 386–388 protocol-aware technologies, 163–164 prototypes, 129–130 provisioning tasks, 479–480 proximity readers, 199 proxy servers, 161, 328 prudent person principle, 64 pseudorandom numbers, 598–599 PSTN (Public Switched Telephone Networks), 630, 643 public cloud computing, 509–510 public key cryptography, 590–592 public key infrastructure (PKI), 557, 570, 610–616, 642 public keys, 557, 590–591 Public Switched Telephone Networks (PSTN), 630, 643 push notifications, 282 push-based authentication, 561 PuTTY tool, 168, 239 PVSs (passive vulnerability scanners), 163–164
Q QoS (quality of service), 170, 644 qualitative risk analysis, 91 quality of service (QoS), 170, 644 quantitative risk analysis, 92–94 quarantine, 195 QUERTY format, 466–467
R RA (Registration Authority), 612–613 race conditions, 324 radio frequency identification. See RFID RADIUS (Remote Authentication Dial-in User Service), 173, 560, 571, 630 RADIUS servers, 571 RAID arrays, 181 rainbow table attack, 595 rainbow tables, 395 random numbers, 598–599
22-Index.indd 800
ransomware, 56, 218, 666, 713 RAS (remote access server), 630 RBAC (Role-Based Access Control), 45 RC4 algorithm, 589 RC5 algorithm, 589 RC6 algorithm, 589 RDP (Remote Desktop Protocol), 168–169, 254 RDS (Remote Desktop Services), 254, 528, 529 reconnaissance, 349–350 reconstitution, 425–426 record encryption, 602 recoverability, 138 recovery critical services, 59 data, 248, 420, 425–426 recovery point objective (RPO), 105, 138 recovery time objective (RTO), 105, 138 recruitment/hiring process, 66 red team, 368 redundancy, 181, 475 reflected attacks, 313 regional Internet registries (RIR), 360 Registration Authority (RA), 612–613 regression testing, 712 regulations, 14 regulatory controls, 734 regulatory entities, 23–24 regulatory policies, 43 regulatory requirements, 55 remediation servers, 195 remote access, 165–166, 480, 630–635 remote access policy, 50 remote access server (RAS), 630 remote assistance, 269, 634–635 Remote Authentication Dial-in User Service. See RADIUS remote connections, 50 Remote Desktop Protocol (RDP), 168–169, 254 Remote Desktop Services (RDS), 254, 528, 529 Remote Frame Buffer (RFB) protocol, 269 remote virtual desktops, 527 remote wiping, 271 remotely triggered black hole (RTBH), 191 removable media policy, 50 removable storage, 278 replication, 237 Representational State Transfer (REST), 328–329 request for information (RFI), 62 request for proposal (RFP), 61 request for quote (RFQ), 62 Requests for Comments (RFCs), 663–664 requirements definition document, 691–692, 710 requirements gathering phase, 697–698 research consultants/vendors, 677 research methods, 657–688 best practices, 658–660 big data, 673 conventions/conferences, 676–677
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
801 emerging business tools, 671–674 emerging threat sources, 679–680 ongoing research, 657–665 overview, 657 social media and, 671–673 technology evolution, 663–665 technology trends, 661–663 threat intelligence, 665–670 tips for, 658 residual risk, 100 resiliency, 107–108, 473–476 resource allocation, 126 resource exhaustion, 324–325 resources access to. See access control competition for, 536 network, 536 provisioning/deprovisioning, 479–480, 538–539 remote access and, 632 shared, 324–325, 553 utilization, 517 REST (Representational State Transfer), 328–329 restricted zone, 191 retina scan, 556 return on investment (ROI), 97–98, 138–139 reverse engineering, 406–408 reverse proxy servers, 170 reverse social engineering, 354 RFB (Remote Frame Buffer) protocol, 269 RFCs (Requests for Comments), 663–664 RFI (request for information), 62 RFID (radio frequency identification), 245, 715 RFID locks, 408 RFID tag/chip, 409, 715 RFID tools, 409 RFP (request for proposal), 61 RFQ (request for quote), 62 Rijndael algorithm. See AES RIPEMD algorithm, 594–595 RIPv2 (Routing Information Protocol version 2), 189–190 RIR (regional Internet registries), 360 risk. See also threats acceptance of, 100 assessing. See risk assessment business impact analysis, 58–59 cloud computing and, 10–11, 26 described, 5, 95, 666 detection, 93, 94 emergence of, 56–57 historical, 56 human-based, 4 impact of, 84–85 managing. See risk management occurrence, 93, 94 remote access, 165–166 residual, 100 scoring, 93
22-Index.indd 801
severity, 93 technical, 98–99 technological, 4 trend analysis, 97 risk analysis, 90–94 risk appetite, 99–100 risk assessment calculating risk, 92–94 likelihood of threat, 95–97 magnitude of impact, 95 overview, 58, 90–91 purpose of, 91 quantitative, 92–94 risk avoidance, 100 risk determination, 95–98 risk factors, 3–4 risk management challenges, 6 cloud computing and, 10–11 considerations, 95 deterrence, 101–102 enterprise resilience, 107–108 examples, 3–4 exemptions, 101 guidelines for, 6–8 importance of, 4, 5 vs. information security, 6 inherent risk, 102 IT governance, 105–107 overview, 4–5, 736 publications, 101 residual risk, 102 risk management frameworks, 105–107 risk management process, 5, 101–102 risk metrics, 121–147 analyzing metrics/attributes, 134–139 analyzing trend data, 132–133 availability, 137–138 baselines, 130–132 benchmarks, 130–132 capability, 136 cost benefit analysis, 138–139 creation/collection/analysis, 126–129 effectiveness of existing security, 121–124 judgment calls and, 139–140 latency, 134–135 maintainability, 137 performance, 134 prototyping/testing solutions, 129–130 recoverability, 138 reverse-engineering, 124–126 scalability, 135–136 usability, 136 risk mitigation, 100 risk priority number (RPN), 93 risk profile, 6, 713 risk transference, 100 robotics, 714
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
802
ROI (return on investment), 97–98, 138–139 Role-Based Access Control (RBAC), 45 roles, 45, 66, 487, 552, 725–734 rollups, 222 root accounts, 320 root-cause analysis, 446–447 rooting, 280–282 rootkits, 218 round robin algorithm, 162 route protection, 188–190 routers/routing best practices, 186 dynamic routing, 361 overview, 160–161, 360–361 rogue, 160–161 static routing, 361 Routing Information Protocol version 2 (RIPv2), 189–190 routing protocols, 361 routing tables, 160–161, 360–361 RPN (risk priority number), 93 RPO (recovery point objective), 105, 138 RSA algorithm, 591 RSA conference, 676 RSA keys, 592 RSA SecureID, 555 RST flag, 380 RTBH (remotely triggered black hole), 191 RTO (recovery time objective), 105, 138 Rule-Based Access Control, 46 rules, 14, 46, 122 runtime, 349 runtime debugging, 349
S SaaS (software as a service), 515 SAFECode, 702 sales staff, 726–727 Salesforce.com, 562 salt, 595 SAML (Security Assertion Markup Language), 564, 565–566 Sampled Flow (sFlow), 178, 1728 SAN (storage area network), 484–485 sandbox-evading malware, 667 sandboxing applications, 327 cloud computing and, 531–532 considerations, 408, 667 described, 219, 531 malware, 348 SANS Institute, 44, 675 Sarbanes-Oxley Act (SOX), 17–18 SC (security categorization), 87 SC (security category), 84 SCADA (Supervisory Control and Data Acquisition) systems, 200–201, 733
22-Index.indd 802
SCADA worm, 200 scalability, 135–136 scanners application, 384–385 considerations, 385 database, 385 network, 382–385 port, 377–382 PVS, 163–164 SCAP, 389 source code, 385 vulnerability, 382–385, 396–397 scans, biometric, 199, 289–290, 556 SCAP (Security Content Automation Protocol), 389 SCAP scanners/tools, 389, 405 scareware, 352 SCEP (Simple Certificate Enrollment Protocol), 271–272 scientific equipment, 200 scope, 43, 444, 445 screen casting, 269 screen mirroring, 269 script kiddies, 96, 678, 679–680 scripting, 237. See also code/coding scripts, disabling, 314 SD cards, 247, 278 SD ports, 247 SDLC (software development life cycle), 697–712 SDLC (systems development life cycle), 689–697 SDN (software-defined networking), 182–183 SEAndroid, 216 search engines, 363–364 SECaaS (Security as a Service), 533 Secret classification, 69, 214 Secure Boot process, 249–250 secure coding standards, 709 secure digital. See SD secure enclaves, 327, 528–529 secure libraries, 701 Secure Shell (SSH), 168, 607 Secure Socket Tunneling Protocol (SSTP), 167, 168 Secure Sockets Layer (SSL), 168, 186–187, 606–607 Secure Sockets Layer/Transport Layer Security. See SSL/TLS Secure/Multipurpose Internet Mail Extensions (S/MIME), 608 security accountability, 127 across roles, 725–734 adapting solutions, 713–715 anticipating defense needs, 132–133 applications, 309–312, 700, 709 asset management, 715–716 best practices, 658–660 business contracts, 61–62 business unit interactions, 725–743 cloud computing and, 10–11, 26
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
803 coding and, 310–312, 709, 728 complexity and, 28 considerations, 8, 164, 726, 729, 735 cost of, 730 cybersecurity trends, 97, 665–667 defense-in-depth, 194, 195, 482, 483 documentation. See business documents vs. ease of use, 55 e-mail, 642 employees. See employees gap analysis, 122–123 identifying problems, 127 importance of, 735 input validation. See input validation interconnected environment, 13–21 internal/external influences, 22–25 lab environment, 130 layered, 194, 195 mobile. See mobile security multilevel, 214, 215 network. See network security new trends, 661–663 ongoing activities, 68 outsourcing, 11 physical. See physical security ports, 157, 188, 239 vs. privacy, 433 research on. See research methods secure by default, 311–312 secure by deployment, 312 secure by design, 311 senior management and, 730–731, 734–735 session management, 316–317 smartphones and, 26 social media and, 645–647 solutions for. See security solutions support for, 735–736 tablets and, 26 within teams, 735–736 third-party providers and, 27 virtualization and, 518, 538 Security as a Service (SECaaS), 533 Security Assertion Markup Language (SAML), 564, 565–566 security assessment tools, 377–416 host tools, 394–408 network tools, 377–394 physical security tools, 408–409 security assessments, 347–376 code reviews, 351 color-team exercises, 367–368 fingerprinting, 350–351 malware sandboxing, 348 memory dumps, 348–349 methods, 347–364 open source intelligence, 358–364 overview, 347
22-Index.indd 803
penetration testing, 352, 364–365 pivoting, 357–358 reconnaissance, 349–350 runtime debugging, 349 self-assessments, 366–367 social engineering. See social engineering social media, 358–359 tabletop exercises, 367 types of, 364–368 vulnerability assessments, 366 security audits. See audits/auditing security categorization (SC), 87 security category (SC), 84 Security Content Automation Protocol. See SCAP security controls administrative, 734 based on CIA requirements, 87 baselines, 130–132 benchmarks, 130–132 categories, 734 considerations, 87, 99–100, 734–735 effectiveness of, 121–124, 126, 127 minimum required, 87 overview, 734 physical, 734 procedural, 734 prototyping/testing solutions, 129–130 regulatory/compliance, 734 return on investment, 97–98 for senior management, 734–735 technical, 734 total cost of ownership, 98 types of, 22 worst-case scenarios, 88–90 security conventions, 658 security device placement, 174–175 security gaps, 122–123 security guards, 353 security impact analysis, 693 security incidents. See incidents security information event management (SIEM), 156–157, 394, 429 security logs, 429 security mailing lists, 658 security patches, 222 security policies. See policies security profiles, 462 security requirements, 698, 709–710 security requirements traceability matrix (SRTM), 709–710 security services, 530–533, 661–663 security solutions availability, 137–138 capability of, 136 considerations, 139–140, 463 cost benefit analysis, 138–139 deconstructing, 124–126
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
804
security solutions (cont.) latency and, 134–135 maintainability, 137 performance criteria, 134 prototypes, 129–130 prototyping/testing, 129–130 recoverability, 138 reverse engineering, 124–126 scalability of, 135–136 testing, 129–130 usability of, 136 security training/awareness, 122, 713–714 security trends, 57, 713–714 security zones, 191–195 Security-Enhanced Linux (SELinux), 216 segmentation, 165–166, 194–195, 482–483 SEHOP (Structured Exception Handler Overwrite Protection), 669 self-assessments, 366–367 SELinux (Security-Enhanced Linux), 216 senior management. See also management communicating with, 24–25 governance, risk, and compliance, 736 security and, 730–731, 734–735 security processes/controls, 734–735 whaling attacks and, 355 sensitive data applications and, 320–321 financial, 176 improper storage of, 320–321 loss of, 175–176 medical, 176 privacy, 46, 176 protecting, 62–63, 462–463, 584 sensors, 198 separation of duties, 64, 537 Serial Line Internet Protocol (SLIP), 630, 631 Serpent algorithm, 590 server clusters, 181 server environment, 28 server farms, 181, 521 server pools, 161–162, 181 servers AAA, 173, 560 authentication, 173, 560 CA, 271, 570 centralized, 503, 526 command and control, 190 consolidating, 517, 521 DNS, 362, 403, 489 e-mail, 408 multiple, 181 provisioning/deprovisioning, 479–480, 507, 519 proxy, 161, 328 RADIUS, 571 redundant, 181 remediation, 195 resiliency, 107
22-Index.indd 804
reverse proxy, 170 virtual, 519, 521, 536 VPN, 631 server-side processing, 328–333 service and system recovery, 104 service level agreements (SLAs), 9, 10, 59–60, 137, 445 Service Oriented Architecture (SOA), 490–491 service packs, 222 Service Provider (SP), 566 Service Provisioning Markup Language (SPML), 563 service set identifier (SSID), 243 services identifying, 378 limiting, 234 new trends, 661–663 remote access and, 632 running, 351 security, 661–663 unnecessary, 333 session hijacking, 316–317 session management, 316–317 session riding, 314–315 SFC (System File Checker), 405 sFlow (Sampled Flow), 178 SHA algorithms, 594 SharePoint, 644, 647 sharing applications, 632–634 desktop, 632–634 files, 638–639 information, 9 Shibboleth, 567–568 short message service (SMS), 283, 291, 357 shoulder surfing, 354 shredding drives, 353, 539, 696 side channel attack, 704 side loading, 274 SIEM (security information event management), 156–157, 394, 429 Signal Protocol, 283 signature-based detection, 219 signature-based systems, 224 signatures, 224, 557 Simple Certificate Enrollment Protocol (SCEP), 271–272 Simple Mail Transfer Protocol (SMTP), 642 Simple Network Management Protocol. See SNMP single loss expectancy (SLE), 92, 95, 96 single sign-on (SSO), 559, 567 Skipjack algorithm, 590 SLAs (service level agreements), 9, 10, 59–60, 137, 445 SLE (single loss expectancy), 92, 95, 96 SLIP (Serial Line Internet Protocol), 630, 631 smart cards, 553, 555 smart glasses, 293–294, 295 smart watches, 285–287, 292–293
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
805 smartphones. See also mobile devices 3G/4G signals, 287 authentication and, 561 mobile hotspots, 287 mobile payments, 285–287 security and, 26 S/MIME (Secure/Multipurpose Internet Mail Extensions), 608 smishing, 357 SMS (short message service), 283, 291, 357 SMTP (Simple Mail Transfer Protocol), 642 sniffers/sniffing, 184, 316, 386–388 SNMP (Simple Network Management Protocol), 185, 197 SNMP agents, 186 SNMP traffic, 185, 186 Snort tool, 154, 184–185 Snowden, Edward, 20 SOA (Service Oriented Architecture), 490–491 SOAP messages, 703 SOAP protocol, 330–331, 566, 702 SoC (system on a chip), 196, 291 social engineering, 352–357 computer-based, 355–357 considerations, 50–51, 671 dumpster diving, 353 eavesdropping, 353 human-based, 352–355 impersonation, 353 mobile-based, 357 overview, 352 piggybacking, 353 protecting against, 50–51 reverse social engineering, 354 social media and, 359 tailgating, 353 training about, 68 via e-mail, 352, 355 social engineering awareness policy, 50–51 social media data leakage, 358 geotagging, 282 overview, 645–647 policies, 358 privacy and, 358, 359 risks, 358–359 security and, 645–647 vulnerabilities, 358–359 social networks, 671, 672–673 SOE (standard operating environment), 29, 233–235 software. See also applications application security frameworks, 700, 709 best practices, 702 code reuse, 326 compliance laws, 698 design phase, 698 development phase, 699 devices, 175
22-Index.indd 805
documentation, 709–711 input validation. See input validation interoperability issues, 467–473 inventory control, 716 legacy, 467–468, 519 maintenance phase, 699 memory leaks, 323, 324 open source, 471–472 operations phase, 699 race conditions, 324 secure by default, 311–312 secure by deployment, 312 secure by design, 311 security requirements, 698, 709–710 shared resources, 324 system design document, 710–711 system design validation, 711–712 test plans, 711 testing, 699, 711–712 types of, 469–472 updates, 270 verification vs. validation, 711 vulnerabilities, 310, 312–326 software as a service (SaaS), 515 software assurance, 700–706 software bugs, 309–310 software development, 351, 534, 705–708. See also code/coding software development life cycle (SDLC), 697–712 software patches, 222–223 software programmers, 727–728 software-defined networking (SDN), 182–183 Solaris Trusted Extensions, 216 SOP (standard operating procedure), 28 SOTI MobiControl, 267 source code scanners, 385 source IP hash algorithm, 162 SOX (Sarbanes-Oxley Act), 17–18 SP (Service Provider), 566 spam considerations, 642 countermeasures, 220–222, 356, 424–425 images in, 222 overview, 356 spam filters, 220–222 SPAM over instant messaging (SPIM), 640 SPAN (Switched Port Analyzer), 175, 643 speaker recognition, 556 spear phishing, 355, 642 spectrum management, 287–288 spim, 356–357 SPIM (SPAM over instant messaging), 640 spiral software development, 708 Splunk tool, 133 SPML (Service Provisioning Markup Language), 563 spyware, 218, 220 SQL injection, 318–319 SRK (storage root key), 252
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
806
SRTM (security requirements traceability matrix), 709–710 SSH (Secure Shell), 168, 607 SSID (service set identifier), 243 SSL (Secure Sockets Layer), 168, 186–187, 606–607 SSL/TLS, 168, 322, 587, 606–607 SSL/TLS authentication, 558–559 SSO (single sign-on), 559, 567 SSTP (Secure Socket Tunneling Protocol), 167, 168 stakeholders, 54, 104, 108 standard libraries, 701 standard operating environment (SOE), 29, 233–235 standard operating procedure (SOP), 28 standard security practices, 63–70 standards, 51, 463–467 stapling, 616 state management, 332 stateful firewalls, 159 state-sponsored attacks, 667 static code analysis, 705 static routing, 361 SteelCentral Packet Analyzer, 393, 394 steganography, 602–603 stop errors, 348–349 storage. See data storage storage area network (SAN), 484–485 storage collaboration tools, 638–639 storage root key (SRK), 252 stored attacks, 314 strcpy() function, 701 stream ciphers, 587, 589, 610 STRIDE threat model, 670 Structured Exception Handler Overwrite Protection (SEHOP), 669 Stuxnet malware, 200, 666 suicide hackers, 350, 678 Supervisory Control and Data Acquisition. See SCADA supplicant, 173, 560 surveillance, 199 swipe patterns, 288 switch spoofing, 187 Switched Port Analyzer (SPAN), 175, 643 switches best practices, 186 Ethernet, 560 overview, 157 port security, 188 symmetric algorithms, 586, 587–590 symmetric key encryption, 586–590 SYN flag, 379, 380 SYN flood attacks, 324 SYN packets, 324 SYN scans, 381 SYN/ACK flag, 379, 380 system administrators. See administrators system applications, 274–275
22-Index.indd 806
system design document, 710–711 system design validation, 711–712 System File Checker (SFC), 405 system logs, 429 system on a chip (SoC), 196, 291 system performance, 131 system requirements, 691–692, 710 system updates, 222–223 systems. See also specific systems aquisition of, 692 auditing, 68–69 changes to, 46, 694, 695–696 commissioning/decommissioning, 692–693 configuration management, 694–695 continuous monitoring, 67–68, 102–103 critical, 156–157 deployment diagrams, 483–484 fingerprinting, 350–351 heterogeneity of, 473 interoperability issues, 467–473 introduction of, 693 legacy, 467–468 maintenance, 690–691, 694 monitoring, 694 new, 693 operations, 690–691, 693–696 repair/replacement, 693 resilience issues, 473–476 secure by default, 311–312 secure by deployment, 312 secure by design, 311 valuation, 366 systems development life cycle (SDLC), 689–697
T tabletop exercises, 367 TACACS+ (Terminal Access Controller AccessControl System Plus), 173, 560 TACLANE (Tactical Local Area Network Encryption) devices, 155 Tactical Local Area Network Encryption (TACLANE) devices, 155 tagging, 323, 715 tailgating, 353 Target data breach, 198, 477 TCB (trusted computing base), 213–214 TCG (Trusted Computing Group), 250, 252 TCO (total cost of ownership), 98, 138–139 TCP (Transmission Control Protocol), 379–382 TCP scans, 381, 382 TCP segment hijacking, 317 tcpdump tool, 393, 439 TCP/IP connections, 440 TCP/UDP services, 378 TCSEC (Trusted Computer System Evaluation Criteria), 213–214
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
807 technical controls, 734 technical risks, 98–99 technologies considerations, 54–55 disruptive, 714–715 evolution of, 663–665 new, 53–55 role on warfare, 57 testing/evaluating, 692 trends, 661–663 technology life cycles software development life cycle, 697–712 systems development life cycle, 689–697 telecommuters, 25–26 telephony, 643–644 teleworking, 26 Telnet, 182, 607 Teredo tunneling, 171 Terminal Access Controller Access-Control System Plus (TACACS+), 173, 560 terminal emulation, 239 Terminal Server, 528, 529 Terminal Services, 254, 528, 529 termination, employee, 66, 271 terrorist organizations, 680 test plans, 710–711 tests/testing black-box testing, 692 integration testing, 712 new technologies, 692 penetration. See penetration testing regression testing, 712 security solutions, 129–130 software testing, 699, 711–712 unit testing, 712 user acceptance testing, 712 white-box testing, 692 tethering, 287–288 TextSecure, 283 TGT (Ticket-Granting Ticket), 559 third-party libraries, 326 threat actors, 88–90, 96, 677–679 threat agents, 666 threat modeling, 693 threat models/modeling, 670 threat profiles, 501, 502 threats. See also risk anticipating defense needs, 132–133 described, 666 emerging, 679–680, 713–714 hackers. See hackers identifying, 366 latest trends, 665–667 likelihood of, 95–97 motivations, 95–96 probability of, 5 rate of occurrence, 96 sources of, 96
22-Index.indd 807
three-way handshake, 379–382 Ticket-Granting Ticket (TGT), 559 time of check/time of use, 324 time to detection (TTD), 128 time to remediation (TTR), 128 time-to-live (TTL), 238 TLS (Transport Layer Security), 168, 186–187, 591, 606–607 token-based systems, 559 tokenization, 283–284 tokens, 555, 559, 615 tools analysis tools, 393–394 attack tools/frameworks, 391–393 brute-force tools, 396 command-line tools, 397–404 enumeration tools, 390 exploitation tools/frameworks, 391–393, 405 host. See host tools log-related, 393–394, 406 MDM. See MDM tools network. See network tools OpenSCAP tools, 389 physical security tools, 408–409 RFID tools, 409 SCAP tools, 405 security assessment. See security assessment tools tracert/traceroute tools, 399–400 unified collaboration tools, 635–647 visualization tools, 393 web proxy tools, 391 Top Secret classification, 69 top-down policies, 48 total cost of ownership (TCO), 98, 138–139 TotalView tool, 349 TPM (Trusted Platform Module), 249, 252–253, 280, 587, 601 TPM chips, 250, 252 tracert/traceroute tools, 399–400 training programs, 68, 713–714 transitive attacks, 357–358 Transmission Control Protocol. See TCP Transport Layer Security (TLS), 168, 186–187, 591, 606–607 trend analysis, 97 trend data, 132–133 Trike threat model, 670 Triple DES (3DES), 588 Tripwire, 405 Trojan horse, 218 trunking security, 187–188 trust models, 569–573 trust relationships, 557 Trusted Computer System Evaluation Criteria (TCSEC), 213–214 trusted computing base (TCB), 213–214 Trusted Computing Group (TCG), 250, 252 Trusted Execution Technology (TXT), 250
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
808
trusted operating system, 213–217 Trusted Platform Module. See TPM Trusted Solaris, 216 trustworthy computing, 215 tshark utility, 443 TTD (time to detection), 128 TTL (time-to-live), 238 TTR (time to remediation), 128 tunneling, 167, 171, 186–187, 274 two-factor authentication, 553 Twofish algorithm, 590 TXT (Trusted Execution Technology), 250
U UAC (User Account Control), 29 UBE (unsolicited bulk e-mail), 220–221 UCaaS (Unified Communications as a Service), 640 UDP scans, 382 UEFI (Unified Extensible Firmware Interface), 249, 250, 251, 601 unified collaboration tools, 635–647 unified communications, 629, 630–635, 639–640 Unified Communications as a Service (UCaaS), 640 Unified Extensible Firmware Interface (UEFI), 249, 250, 251, 601 unified threat management (UTM), 152 uniform partnership act (UPA), 60 uninterruptible power supplies (UPSs), 181 unit testing, 712 United States v. Microsoft, 21 Universal Serial Bus. See USB unsigned applications, 274–275 unsolicited bulk e-mail (UBE), 220–221 UPA (uniform partnership act), 60 updates firmware, 248–249, 270, 333–335 over-the-air, 270 software, 270 system, 222–223 UPSs (uninterruptible power supplies), 181 URLs, shortened, 671 U.S. Computer Emergency Readiness Team (US-CERT), 108, 675 U.S. global surveillance program (PRISM), 20 U.S. Navy, 6 usability, 136 USB (Universal Serial Bus), 240–241 USB devices, 240–241, 279 USB On-the-Go (OTG), 279 USB ports, 241, 279 USB tokens, 555 US-CERT (U.S. Computer Emergency Readiness Team), 108, 675 USENIX Security Symposium, 676 user acceptance testing, 712 User Account Control (UAC), 29 user accounts, 29, 351, 479, 488, 552
22-Index.indd 808
user behavior, 276 user identities, 552, 553 user provisioning, 478 users. See also employees behavioral characteristics, 556–557 biometric systems, 199, 289–290, 409, 556 credentials, 563–564 ID badges, 353 identity proofing, 563–564 inherent factors, 555–557 knowledge factors, 553–555 physiological characteristics, 555, 556 piggybacking, 353 privileges, 320 public keys and, 613 security training/awareness, 122, 713–714 shoulder surfing, 354 social engineering. See social engineering tailgating, 353 training/awareness, 68 vishing, 354–355 UTM (unified threat management), 152
V vacation, mandatory, 65 validation, 711 valuation, 366 vascular scan, 556 VAST threat model, 670 VDI (Virtual Desktop Infrastructure), 169–170, 526–528 vendors, 48, 468 verification, 711 versioning, 708 video conferencing, 635, 637 video devices, 197 Virtual Desktop Infrastructure (VDI), 169–170, 526–528 virtual desktops, 169–170, 526–528 virtual devices, 480, 538 virtual LANs. See VLANs virtual machines. See VMs Virtual Network Computing (VNC), 169, 269 virtual private networks. See VPNs virtual server farms, 521 virtual servers, 519, 521, 536 virtual Trusted Platform Module (vTPM), 525 virtualization advantages, 516–519 basics, 507–508 configuration issues, 521 considerations, 503, 504, 508–509 containers, 523–525 cost considerations, 516–517, 520 data security and, 535–538 disadvantages, 520–521 disaster recovery and, 518–519
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
Index
809 HCI, 525–526 hosting options, 508–513 hypervisors, 522–523 overview, 501–504 secure enclaves/volumes, 528–529 security and, 518, 538 Terminal Services, 528, 529 viruses, 217–219, 406 vishing, 354–355 visualization tools, 393 VLAN-hopping attacks, 187–188 VLANs (virtual LANs), 157, 195, 483, 643 VM escape attacks, 534–535 VMs (virtual machines), 507–508 hardware failures and, 537 hypervisors, 522–523 migrating, 518, 534 provisioning, 479–480, 538 separation of duties and, 537 traffic filtering between, 537 vTPM, 525 vulnerabilities, 537–538 VMware, 537 VMware AirWatch, 267, 269 VNC (Virtual Network Computing), 169, 269 Voice over IP (VoIP), 643 Voice over IP Security Alliance (VOIPSA), 644 voice recognition, 556 VoIP (Voice over IP), 643 VOIPSA (Voice over IP Security Alliance), 644 volatility, 437 volumes, 528–529 VPN servers, 631 VPNs (virtual private networks), 166–168 vTPM (virtual Trusted Platform Module), 525 vulnerabilities, 309–343 analysis of, 693 anticipating defense needs, 132–133 applications, 312–326 buffer overflow, 322–323 clickjacking, 315–316 cloud computing, 530–531, 533–538 code reuse, 326 considerations, 663 cookies, 322 CSRF, 314–315 data remnants, 325–326 described, 666 direct object references, 313 error/exception handling, 319–320 finding in code, 351 firmware, 334–335 fuzzing/fault injection, 321 geotagging, 325 hardware, 253–254 input validation. See input validation integer overflows, 323 latest trends, 665–667
22-Index.indd 809
memory leaks, 323, 324 mitigation strategies, 366 network devices, 186 operating systems, 333–334 overview, 310 persistent/nonpersistent, 314 privilege escalation, 320 race conditions, 324 resource exhaustion, 324–325 sensitive data storage, 320–321 session management, 316–317 social media, 358–359 software, 310, 312–326 SQL injection, 318–319 third-party libraries, 326 virtual machines, 537–538 webcams, 637 Windows, 214–215 XSS, 313–314 zero-day, 667–668 vulnerability assessments, 366, 531 vulnerability scanning, 382–385, 396–397, 530–531 vulnerability testing, 122 vulnerability websites, 658
W WAFs (web application firewalls), 163, 327 WannaCry ransomware, 666 WAPs (wireless access points), 159–160, 243, 560 wardialing, 630 warfare, 57 watchers, 641 watches, 285–287, 292–293 waterfall development technique, 707–708 watermarking, 605 WAYF (Where Are You From) service, 568–569 wearable technology, 292–296 web application firewalls (WAFs), 163, 327 web applications black box testing, 365 cookies and, 322 described, 310 error/exception handling, 319–320 firewalls, 163, 327 fuzzing/fault injection, 321 interceptors, 391 security design, 310–312 security issues, 310–312 SQL injection, 318–319 state management, 332 third-party libraries, 326 vulnerability scanners, 384–385 white box testing, 365 web conferencing, 636–637 web proxy tools, 391 Web Service Definition Language (WSDL), 331
14/03/19 10:35 AM
All-In-One / CASP+® CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide / Lane / 133-4 / Index
CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide
810
Web Services Security (WS-Security), 702–703 webcams, 246–247, 637 WebScarab project, 328 website attacks, 313–316 websites blacklists, 221 cookies, 20, 316, 322, 332 domain names/details, 359–360 pop-ups, 356 WEP (Wired Equivalent Privacy), 244 whaling, 355 Where Are You From (WAYF) service, 568–569 white box testing, 365 white hats, 365, 679 white team, 368 white-box testing, 692 whitelist screening, 317, 318 whitelisting, 188, 670 Whois tool, 359–360 Wi-Fi hotspots, 287, 290–291 Wi-Fi Protected Access (WPA), 244–245 Wi-Fi Protected Acess II (WPA2), 244, 245 wildcard certificate, 614 Windows administrators, 29 Windows Event Viewer, 229, 230–231, 406 Windows NT systems, 519 Windows Server Update Services (WSUS), 237 Windows systems audit policies, 231–232 best practices, 659, 660 Blue Screen of Death, 348–349 DirectAccess, 631–632 firewalls, 220, 226–227, 269 hardening, 333 permissions, 45 remote assistance, 634–635 security checklists, 660 stop errors, 348–349 User Account Control, 29 vulnerabilities, 214–215 Windows XP systems, 469, 669 Wired Equivalent Privacy (WEP), 244 wired networks, 243, 290, 291, 664 wireless access points (WAPs), 159–160, 243, 560 wireless communication policy, 51
22-Index.indd 810
wireless computing, 665 wireless controllers, 159–160 wireless devices, 26 wireless networks considerations, 664 packet sniffers, 388 protecting, 51 wireless technologies, 241 Wireshark, 386, 388 worms, 200, 217–219 WPA (Wi-Fi Protected Access), 244–245 WPA2 (Wi-Fi Protected Access II), 244, 245 WSDL (Web Service Definition Language), 331 WS-Security (Web Services Security), 702–703 WSUS (Windows Server Update Services), 237
X X.509 digital certificate, 611 X.509 standard, 557, 610 XACML (eXtensible Access Control Markup Language), 562 XCCDF (Extensible Configuration Checklist Description Format), 389 XMAS scans, 381 XML (Extensible Markup Language), 566 XML documents, 703 XML encryption, 566 XML schemas, 566 XML signatures, 566 XMPP (Extensible Messaging and Presence Protocol), 641 XMPP Standards Foundation, 641 XN (never-execute) bit use, 704 XSS (cross-site scripting), 313–314
Y Yammer service, 647
Z Zero Knowledge Proof, 592 zero-day attacks, 667–670 zombies, 221 zones/zoning, 191–195, 485
14/03/19 10:35 AM
Save 10% on CompTIA® Exam Vouchers for ANY CompTIA Certification! Now there’s even more reason to get certified. Ready to get started? 1. Visit the CompTIA Marketplace www.comptiastore.com. 2. Select the appropriate exam voucher. 3. At checkout, apply the coupon code: MCGRAW10 to receive your 10% discount.
Single User License Terms and Conditions Online access to the digital content included with this book is governed by the McGraw-Hill Education License Agreement outlined next. By using this digital content you agree to the terms of that license. Access To register and activate your Total Seminars Training Hub account, simply follow these easy steps. 1.
Go to hub.totalsem.com/mheclaim.
2.
To Register and create a new Training Hub account, enter your email address, name, and password. No further information (such as credit card number) is required to create an account.
NOTE If you already have a Total Seminars Training Hub account, select “Log in” and enter your email and password.
3.
Enter your Product Key: 94b3-392b-hj4j
4.
Click to accept the user license terms.
5.
Click “Register and Claim” to create your account. You will be taken to the Training Hub and have access to the content for this book.
Duration of License Access to your online content through the Total Seminars Training Hub will expire one year from the date the publisher declares the book out of print. Your purchase of this McGraw-Hill Education product, including its access code, through a retail store is subject to the refund policy of that store. The Content is a copyrighted work of McGraw-Hill Education and McGraw-Hill Education reserves all rights in and to the Content. The Work is © 2019 by McGraw-Hill Education, LLC. Restrictions on Transfer The user is receiving only a limited right to use the Content for user’s own internal and personal use, dependent on purchase and continued ownership of this book. The user may not reproduce, forward, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish, or sublicense the Content or in any way commingle the Content with other third-party content, without McGraw-Hill Education’s consent.
CompTIA Coupon Terms and Conditions: • CompTIA coupons are unique and linked to specific exams, countries, dates and pricing and may only be used as indicated. • CompTIA coupons may only be redeemed online at a marketplace designated by CompTIA for coupon redemption.
• CompTIA coupons and products purchased with such coupons may not be resold or redistributed. • CompTIA coupons must be redeemed prior to the expiration date. • CompTIA coupon expiration dates cannot be extended.
• CompTIA coupons may be used only for one transaction.
• CompTIA coupons may not be applied towards exams that have already been taken or purchased.
• CompTIA coupons may not be combined with any other discounts, promotions or special pricing.
• CompTIA coupons may not be refunded, returned or exchanged.
• The total discount of any order cannot exceed the discount provided for by a CompTIA coupon.
• CompTIA coupons may not be redeemed for cash or credit.
• CompTIA coupon redemptions are final. • CompTIA and participating test providers are not responsible for lost or stolen coupons. • CompTIA may modify or cancel a coupon at any time. • CompTIA may seek restitution for transactions that do not conform to these terms and conditions. • The use of a CompTIA coupon constitutes acceptance of these terms and conditions.
WHY CERTIFY? • To prove you have the knowledge and skills for problem solving
• To qualify you for increased compensation and/or promotions
• To make you more competitive and employable
• To open up new career opportunities
Limited Warranty The McGraw-Hill Education Content is provided on an “as is” basis. Neither McGraw-Hill Education nor its licensors make any guarantees or warranties of any kind, either express or implied, including, but not limited to, implied warranties of merchantability or fitness for a particular purpose or use as to any McGraw-Hill Education Content or the information therein or any warranties as to the accuracy, completeness, currentness, or results to be obtained from, accessing or using the McGraw-Hill Education Content, or any material referenced in such Content or any information entered into licensee’s product by users or other persons and/or any material available on or that can be accessed through the licensee’s product (including via any hyperlink or otherwise) or as to non-infringement of third-party rights. Any warranties of any kind, whether express or implied, are disclaimed. Any material or data obtained through use of the McGraw-Hill Education Content is at your own discretion and risk and user understands that it will be solely responsible for any resulting damage to its computer system or loss of data. Neither McGraw-Hill Education nor its licensors shall be liable to any subscriber or to any user or anyone else for any inaccuracy, delay, interruption in service, error or omission, regardless of cause, or for any damage resulting therefrom. In no event will McGraw-Hill Education or its licensors be liable for any indirect, special or consequential damages, including but not limited to, lost time, lost money, lost profits or good will, whether in contract, tort, strict liability or otherwise, and whether or not such damages are foreseen or unforeseen with respect to any use of the McGraw-Hill Education Content.