CompTIA Security+ Review Guide: Exam SY0-501
About this ebook
CompTIA Security+ Review Guide, Fourth Edition, is the smart candidate's secret weapon for passing Exam SY0-501 with flying colors. You've worked through your study guide, but are you sure you're prepared? This book provides tight, concise reviews of all essential topics throughout each of the exam's six domains to help you reinforce what you know. Take the pre-assessment test to identify your weak areas while there is still time to review, and use your remaining prep time to turn weaknesses into strengths. The Sybex online learning environment gives you access to portable study aids, including electronic flashcards and a glossary of key terms, so you can review on the go. Hundreds of practice questions allow you to gauge your readiness, and give you a preview of the big day.
Avoid exam-day surprises by reviewing with the makers of the test—this review guide is fully approved and endorsed by CompTIA, so you can be sure that it accurately reflects the latest version of the exam. The perfect companion to the CompTIA Security+ Study Guide, Seventh Edition, this review guide can be used with any study guide to help you:
- Review the critical points of each exam topic area
- Ensure your understanding of how concepts translate into tasks
- Brush up on essential terminology, processes, and skills
- Test your readiness with hundreds of practice questions
You've put in the time, gained hands-on experience, and now it's time to prove what you know. The CompTIA Security+ certification tells employers that you're the person they need to keep their data secure; with threats becoming more and more sophisticated, the demand for your skills will only continue to grow. Don't leave anything to chance on exam day—be absolutely sure you're prepared with the CompTIA Security+ Review Guide, Fourth Edition.
Book preview
CompTIA Security+ Review Guide - James Michael Stewart
Introduction
The Security+ certification program was developed by the Computing Technology Industry Association (CompTIA) to provide an industry-wide means of certifying the competency of computer service technicians in the basics of computer security. The Security+ certification is granted to those who have attained the level of knowledge and security skills that show a basic competency in the security needs of both personal and corporate computing environments. CompTIA’s exam objectives are periodically updated to keep their exams applicable to the most recent developments. The most recent update, labeled SY0-501, occurred in late 2017. This book focuses on these newly revised certification objectives.
What Is Security+ Certification?
The Security+ certification was created to offer an introductory step into the complex world of IT security. You need to pass only a single exam to become Security+ certified. However, obtaining this certification doesn’t mean you can provide realistic security services to a company. In fact, this is just the first step toward true security knowledge and experience. By obtaining Security+ certification, you should be able to acquire more security experience in order to pursue more complex and in-depth security knowledge and certification.
For the latest pricing on the exam and updates to the registration procedures, please visit www.vue.com. If you have further questions about the scope of the exams or related CompTIA programs, refer to the CompTIA website at www.comptia.org.
Is This Book for You?
CompTIA Security+ Review Guide: SY0-501 is designed to be a succinct, portable exam review guide. It can be used in conjunction with a more typical full-sized study guide, such as Wiley’s CompTIA Security+ Study Guide: SY0-501 (ISBN: 978-1260026054), with computer-based training (CBT) courseware and a classroom/lab environment, or as an exam review for those who don’t feel the need for more extensive (and/or expensive) test preparation. It isn’t our goal to give away the answers, but rather to identify those topics on which you can expect to be tested and to provide sufficient focused coverage of these topics.
Perhaps you’ve been working with information technologies for years. The thought of paying lots of money for a specialized IT exam-preparation course probably doesn’t sound appealing. What can they teach you that you don’t already know, right? Be careful, though—many experienced network administrators have walked confidently into the test center only to walk sheepishly out of it after failing an IT exam. After you’ve finished reading this book, you should have a clear idea of how your understanding of the technologies involved matches up with the expectations of the Security+ test makers.
Or perhaps you’re relatively new to the world of IT, drawn to it by the promise of challenging work and higher salaries. You’ve just waded through an 800-page study guide or taken a weeklong class at a local training center. Lots of information to keep track of, isn’t there? Well, by organizing this book according to CompTIA’s exam objectives, and by breaking up the information into concise, manageable pieces, we’ve created what we think is the handiest exam review guide available. Throw it in your backpack and carry it to work with you. As you read the book, you’ll be able to quickly identify those areas you know best and those that require a more in-depth review.
How Is This Book Organized?
This book is organized according to the official objectives list prepared by CompTIA for the Security+ exam. The chapters correspond to the six major domains into which the objectives and topics are grouped. The exam is weighted across these six domains as follows:
1.0 Threats, Attacks and Vulnerabilities (21%)
2.0 Technologies and Tools (22%)
3.0 Architecture and Design (15%)
4.0 Identity and Access Management (16%)
5.0 Risk Management (14%)
6.0 Cryptography and PKI (12%)
Within each chapter, the top-level exam objectives from each domain are addressed in turn and in order according to the official exam objectives directly from CompTIA. In addition to a thorough review of each objective, every chapter includes two specific features: Exam Essentials and Review Questions.
Exam Essentials: At the end of each top-level objective section, you’re given a short list of topics that you should explore fully before taking the test. Included in the Exam Essentials areas are notations of the key information you should have taken from that section, or from the corresponding content in the CompTIA Security+ Study Guide.
Review Questions: This feature ends every chapter and provides 20 questions to help you gauge your mastery of the chapter.
Interactive Online Learning Environment and Test Bank
We’ve included several additional test-preparation features on the interactive online learning environment and test bank. These tools will help you retain vital exam content as well as prepare you to sit for the actual exams:
Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Sample Tests: In this section of the online test bank, you’ll find the chapter tests, which present all the review questions from the end of each chapter, as well as two more practice tests of 90 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.
Electronic Flashcards: Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.
Glossary of Terms in PDF: We have included a very useful glossary of terms in PDF format so you can easily read it on any computer. If you have to travel and brush up on any key terms, you can do so with this useful resource.
Tips for Taking the Security+ Exam
Here are some general tips for taking your exam successfully:
Bring two forms of ID with you. One must be a photo ID, such as a driver’s license. The other can be a major credit card or a passport. Both forms must include a signature.
Arrive early at the exam center so you can relax and review your study materials.
Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
Read each question twice, read the answer options, and then read the question again before selecting an answer.
You can move forward and backward through the exam, but only one question at a time. You can only move forward once you have given the current question an answer. Only after seeing the Review Page after the last question can you jump around questions at random.
Don’t leave any unanswered questions. Unanswered questions give you no opportunity for guessing correctly and scoring more points.
Watch your clock. If you have not seen your last question when you have 5 minutes left, guess at the remaining questions.
There will be questions with multiple correct responses. When there is more than one correct answer, a message on the screen will prompt you to either "Choose two" or "Choose all that apply."
Be sure to read the messages displayed so you know how many correct answers you must choose.
Questions needing only a single correct answer will use radio buttons to select an answer, whereas those needing two or more answers will use check boxes.
When answering multiple-choice questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. Doing so will improve your odds if you need to make an educated guess.
Try to expand your perspective from your own direct experience. Often the writers of the exam questions are from large enterprises; if you only consider answers in light of a small company or as an individual, you might not determine the correct answer.
You can mark or flag a question to indicate you want to review it again before ending the exam. Flagged questions will be highlighted on the Review page.
For the latest pricing on the exams and updates to the registration procedures, visit CompTIA’s website at www.comptia.org.
Performance-Based Questions
CompTIA has begun to include performance-based (scenario-based) questions on its exams. These differ from the traditional multiple-choice questions in that the candidate is expected to perform a task or series of tasks. Tasks could include filling in a blank, answering questions based on a video or an image, reorganizing a set into an order, placing labels on a diagram, filling in fields based on a given situation or set of conditions, or setting the configuration on a network security management device. Don’t be surprised if you are presented with a scenario and asked to complete a task. The performance-based questions are designed to be more challenging than standard multiple-choice questions and thus are also worth more points. Take the time to answer these carefully. For an official description of performance-based questions from CompTIA, visit http://certification.comptia.org/news/2012/10/09/What_Is_A_Performance-Based_Question.aspx and https://certification.comptia.org/testing/about-testing/performance-based-questions-explained (this second link is from the CompTIA Security+ information page, so you can follow it from there instead of typing it in).
Exam Specifics
The Security+ SY0-501 exam consists of up to 90 questions with a time allotment of 90 minutes for the exam itself. Additional time is provided for the pre-exam elements, such as the NDA, and the post-exam survey. If you are assigned only multiple-choice questions, then you will have the maximum of 90 questions. If you are assigned performance-based questions (which is most likely), then you will have fewer than 90 total questions. It is fairly common to have 5 or 6 performance-based questions and about 70 multiple-choice questions, for a total of 75 or so questions. However, you could be assigned 8 or more performance-based questions with about 50 multiple-choice questions, for a total of 55 questions. To pass, you must score at least 750 points on a scale of 100–900 (effectively 81.25%). At the completion of your test, you will receive a printout of your test results. This report will show your score and the objective topics on which you missed a question.
Although there is no clear statement from CompTIA, there seem to be some questions on the exam that are included for evaluation purposes but do not count toward your score. These questions are likely on topics not currently listed in the SY0-501 objectives list, and they will appear at random within your exam and will not be marked in any way.
These details are subject to change. For current information, please consult the CompTIA website: www.comptia.org.
How to Contact the Publisher
Sybex welcomes feedback on all of its titles. Visit the Sybex website at www.sybex.com for book updates and additional certification information. You’ll also find forms you can use to submit comments or suggestions regarding this or any other Sybex title.
The Security+ Exam Objectives
For easy reference and clarification, the following is a complete listing of Security+ objectives. Also, we organized this book to correspond with the official objectives list. We use the objective list’s order and organization throughout the book. Each domain is covered in one chapter. Each subobjective is a heading within a chapter.
Exam objectives are subject to change at any time without prior notice and at CompTIA's sole discretion. Please visit the Security+ Certification page of CompTIA's website (www.comptia.org) for a link to the most current exam objectives.
Domain 1.0 Threats, Attacks and Vulnerabilities
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.
Viruses
Crypto-malware
Ransomware
Worm
Trojan
Rootkit
Keylogger
Adware
Spyware
Bots
RAT
Logic bomb
Backdoor
1.2 Compare and contrast types of attacks.
Social engineering
Phishing
Spear phishing
Whaling
Vishing
Tailgating
Impersonation
Dumpster diving
Shoulder surfing
Hoax
Watering hole attack
Principles (reasons for effectiveness)
Authority
Intimidation
Consensus
Scarcity
Familiarity
Trust
Urgency
Application/service attacks
DoS
DDoS
Man-in-the-middle
Buffer overflow
Injection
Cross-site scripting
Cross-site request forgery
Privilege escalation
ARP poisoning
Amplification
DNS poisoning
Domain hijacking
Man-in-the-browser
Zero day
Replay
Pass the hash
Hijacking and related attacks
Clickjacking
Session hijacking
URL hijacking
Typo squatting
Driver manipulation
Shimming
Refactoring
MAC spoofing
IP spoofing
Wireless attacks
Replay
IV
Evil twin
Rogue AP
Jamming
WPS
Bluejacking
Bluesnarfing
RFID
NFC
Disassociation
Cryptographic attacks
Birthday
Known plain text/cipher text
Rainbow tables
Dictionary
Brute force
Online vs. offline
Collision
Downgrade
Replay
Weak implementations
1.3 Explain threat actor types and attributes.
Types of actors
Script kiddies
Hacktivist
Organized crime
Nation states/APT
Insiders
Competitors
Attributes of actors
Internal/external
Level of sophistication
Resources/funding
Intent/motivation
Use of open-source intelligence
1.4 Explain penetration testing concepts.
Active reconnaissance
Passive reconnaissance
Pivot
Initial exploitation
Persistence
Escalation of privilege
Black box
White box
Gray box
Pen testing vs. vulnerability scanning
1.5 Explain vulnerability scanning concepts.
Passively test security controls
Identify vulnerability
Identify lack of security controls
Identify common misconfigurations
Intrusive vs. non-intrusive
Credentialed vs. non-credentialed
False positive
1.6 Explain the impact associated with types of vulnerabilities.
Race conditions
Vulnerabilities due to:
End-of-life systems
Embedded systems
Lack of vendor support
Improper input handling
Improper error handling
Misconfiguration/weak configuration
Default configuration
Resource exhaustion
Untrained users
Improperly configured accounts
Vulnerable business processes
Weak cipher suites and implementations
Memory/buffer vulnerability
Memory leak
Integer overflow
Buffer overflow
Pointer dereference
DLL injection
System sprawl/undocumented assets
Architecture/design weaknesses
New threats/zero day
Improper certificate and key management
Domain 2.0 Technologies and Tools
2.1 Install and configure network components, both hardware- and software-based, to support organizational security.
Firewall
ACL
Application-based vs. network-based
Stateful vs. stateless
Implicit deny
VPN concentrator
Remote access vs. site-to-site
IPSec
Tunnel mode
Transport mode
AH
ESP
Split tunnel vs. full tunnel
TLS
Always-on VPN
NIPS/NIDS
Signature-based
Heuristic/behavioral
Anomaly
Inline vs. passive
In-band vs. out-of-band
Rules
Analytics
False positive
False negative
Router
ACLs
Antispoofing
Switch
Port security
Layer 2 vs. Layer 3
Loop prevention
Flood guard
Proxy
Forward and reverse proxy
Transparent
Application/multipurpose
Load balancer
Scheduling
Affinity
Round-robin
Active-passive
Active-active
Virtual IPs
Access point
SSID
MAC filtering
Signal strength
Band selection/width
Antenna types and placement
Fat vs. thin
Controller-based vs. standalone
SIEM
Aggregation
Correlation
Automated alerting and triggers
Time synchronization
Event deduplication
Logs/WORM
DLP
USB blocking
Cloud-based
NAC
Dissolvable vs. permanent
Host health checks
Agent vs. agentless
Mail gateway
Spam filter
DLP
Encryption
Bridge
SSL/TLS accelerators
SSL decryptors
Media gateway
Hardware security module
2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization.
Protocol analyzer
Network scanners
Rogue system detection
Network mapping
Wireless scanners/cracker
Password cracker
Vulnerability scanner
Configuration compliance scanner
Exploitation frameworks
Data sanitization tools
Steganography tools
Honeypot
Backup utilities
Banner grabbing
Passive vs. active
Command line tools
ping
netstat
tracert
nslookup/dig
arp
ipconfig/ip/ifconfig
tcpdump
nmap
netcat
2.3 Given a scenario, troubleshoot common security issues.
Unencrypted credentials/clear text
Logs and events anomalies
Permission issues
Access violations
Certificate issues
Data exfiltration
Misconfigured devices
Firewall
Content filter
Access points
Weak security configurations
Personnel issues
Policy violation
Insider threat
Social engineering
Social media
Personal email
Unauthorized software
Baseline deviation
License compliance violation (availability/integrity)
Asset management
Authentication issues
2.4 Given a scenario, analyze and interpret output from security technologies.
HIDS/HIPS
Antivirus
File integrity check
Host-based firewall
Application whitelisting
Removable media control
Advanced malware tools
Patch management tools
UTM
DLP
Data execution prevention
Web application firewall
2.5 Given a scenario, deploy mobile devices securely.
Connection methods
Cellular
WiFi
SATCOM
Bluetooth
NFC
ANT
Infrared
USB
Mobile device management concepts
Application management
Content management
Remote wipe
Geofencing
Geolocation
Screen locks
Push notification services
Passwords and pins
Biometrics
Context-aware authentication
Containerization
Storage segmentation
Full device encryption
Enforcement and monitoring for:
Third-party app stores
Rooting/jailbreaking
Sideloading
Custom firmware
Carrier unlocking
Firmware OTA updates
Camera use
SMS/MMS
External media
USB OTG
Recording microphone
GPS tagging
WiFi direct/ad hoc
Tethering
Payment methods
Deployment models
BYOD
COPE
CYOD
Corporate-owned
VDI
2.6 Given a scenario, implement secure protocols.
Protocols
DNSSEC
SSH
S/MIME
SRTP
LDAPS
FTPS
SFTP
SNMPv3
SSL/TLS
HTTPS
Secure POP/IMAP
Use cases
Voice and video
Time synchronization
Email and web
File transfer
Directory services
Remote access
Domain name resolution
Routing and switching
Network address allocation
Subscription services
Domain 3.0 Architecture and Design
3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides.
Industry-standard frameworks and reference architectures
Regulatory
Non-regulatory
National vs. international
Industry-specific frameworks
Benchmarks/secure configuration guides
Platform/vendor-specific guides
Web server
Operating system
Application server
Network infrastructure devices
General purpose guides
Defense-in-depth/layered security
Vendor diversity
Control diversity
Administrative
Technical
User training
3.2 Given a scenario, implement secure network architecture concepts.
Zones/topologies
DMZ
Extranet
Intranet
Wireless
Guest
Honeynets
NAT
Ad hoc
Segregation/segmentation/isolation
Physical
Logical (VLAN)
Virtualization
Air gaps
Tunneling/VPN
Site-to-site
Remote access
Security device/technology placement
Sensors
Collectors
Correlation engines
Filters
Proxies
Firewalls
VPN concentrators
SSL accelerators
Load balancers
DDoS mitigator
Aggregation switches
Taps and port mirror
SDN
3.3 Given a scenario, implement secure systems design.
Hardware/firmware security
FDE/SED
TPM
HSM
UEFI/BIOS
Secure boot and attestation
Supply chain
Hardware root of trust
EMI/EMP
Operating systems
Types
Network
Server
Workstation
Appliance
Kiosk
Mobile OS
Patch management
Disabling unnecessary ports and services
Least functionality
Secure configurations
Trusted operating system
Application whitelisting/blacklisting
Disable default accounts/passwords
Peripherals
Wireless keyboards
Wireless mice
Displays
WiFi-enabled MicroSD cards
Printers/MFDs
External storage devices
Digital cameras
3.4 Explain the importance of secure staging deployment concepts.
Sandboxing
Environment
Development
Test
Staging
Production
Secure baseline
Integrity measurement
3.5 Explain the security implications of embedded systems.
SCADA/ICS
Smart devices/IoT
Wearable technology
Home automation
HVAC
SoC
RTOS
Printers/MFDs
Camera systems
Special purpose
Medical devices
Vehicles
Aircraft/UAV
3.6 Summarize secure application development and deployment concepts.
Development life-cycle models
Waterfall vs. Agile
Secure DevOps
Security automation
Continuous integration
Baselining
Immutable systems
Infrastructure as code
Version control and change management
Provisioning and deprovisioning
Secure coding techniques
Proper error handling
Proper input validation
Normalization
Stored procedures
Code signing
Encryption
Obfuscation/camouflage
Code reuse/dead code
Server-side vs. client-side execution and validation
Memory management
Use of third-party libraries and SDKs
Data exposure
Code quality and testing
Static code analyzers
Dynamic analysis (e.g., fuzzing)
Stress testing
Sandboxing
Model verification
Compiled vs. runtime code
3.7 Summarize cloud and virtualization concepts.
Hypervisor
Type I
Type II
Application cells/containers
VM sprawl avoidance
VM escape protection
Cloud storage
Cloud deployment models
SaaS
PaaS
IaaS
Private
Public
Hybrid
Community
On-premise vs. hosted vs. cloud
VDI/VDE
Cloud access security broker
Security as a Service
3.8 Explain how resiliency and automation strategies reduce risk.
Automation/scripting
Automated courses of action
Continuous monitoring
Configuration validation
Templates
Master image
Non-persistence
Snapshots
Revert to known state
Rollback to known configuration
Live boot media
Elasticity
Scalability
Distributive allocation
Redundancy
Fault tolerance
High availability
RAID
3.9 Explain the importance of physical security controls.
Lighting
Signs
Fencing/gate/cage
Security guards
Alarms
Safe
Secure cabinets/enclosures
Protected distribution/Protected cabling
Airgap
Mantrap
Faraday cage
Lock types
Biometrics
Barricades/bollards
Tokens/cards
Environmental controls
HVAC
Hot and cold aisles
Fire suppression
Cable locks
Screen filters
Cameras
Motion detection
Logs
Infrared detection
Key management
Domain 4.0 Identity and Access Management
4.1 Compare and contrast identity and access management concepts.
Identification, authentication, authorization and accounting (AAA)
Multifactor authentication
Something you are
Something you have
Something you know
Somewhere you are
Something you do
Federation
Single sign-on
Transitive trust
4.2 Given a scenario, install and configure identity and access services.
LDAP
Kerberos
TACACS+
CHAP
PAP
MSCHAP
RADIUS
SAML
OpenID Connect
OAUTH
Shibboleth
Secure token
NTLM
4.3 Given a scenario, implement identity and access management controls.
Access control models
MAC
DAC
ABAC
Role-based access control
Rule-based access control
Physical access control
Proximity cards
Smart cards
Biometric factors
Fingerprint scanner
Retinal scanner
Iris scanner
Voice recognition
Facial recognition
False acceptance rate
False rejection rate
Crossover error rate
Tokens
Hardware
Software
HOTP/TOTP
Certificate-based authentication
PIV/CAC/smart card
IEEE 802.1x
File system security
Database security
4.4 Given a scenario, differentiate common account management practices.
Account types
User account
Shared and generic accounts/credentials
Guest accounts
Service accounts
Privileged accounts
General Concepts
Least privilege
Onboarding/offboarding
Permission auditing and review
Usage auditing and review
Time-of-day restrictions
Recertification
Standard naming convention
Account maintenance
Group-based access control
Location-based policies
Account policy enforcement
Credential management
Group policy
Password complexity
Expiration
Recovery
Disablement
Lockout
Password history
Password reuse
Password length
Domain 5.0 Risk Management
5.1 Explain the importance of policies, plans and procedures related to organizational security.
Standard operating procedure
Agreement types
BPA
SLA
ISA
MOU/MOA
Personnel management
Mandatory vacations
Job rotation
Separation of duties
Clean desk
Background checks
Exit interviews
Role-based awareness training
Data owner
System administrator
System owner
User
Privileged user
Executive user
NDA
Onboarding
Continuing education
Acceptable use policy/rules of behavior
Adverse actions
General security policies
Social media networks/applications
Personal email
5.2 Summarize business impact analysis concepts.
RTO/RPO
MTBF
MTTR
Mission-essential functions
Identification of critical systems
Single point of failure
Impact
Life
Property
Safety
Finance
Reputation
Privacy impact assessment
Privacy threshold assessment
5.3 Explain risk management processes and concepts.
Threat assessment
Environmental
Manmade
Internal vs. external
Risk assessment
SLE
ALE
ARO
Asset value
Risk register
Likelihood of occurrence
Supply chain assessment
Impact
Quantitative
Qualitative
Testing
Penetration testing authorization
Vulnerability testing authorization
Risk response techniques
Accept
Transfer
Avoid
Mitigate
Change management
5.4 Given a scenario, follow incident response procedures.
Incident response plan
Documented incident types/category definitions
Roles and responsibilities
Reporting requirements/escalation
Cyber-incident response teams
Exercise
Incident response process
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
5.5 Summarize basic concepts of forensics.
Order of volatility
Chain of custody
Legal hold
Data acquisition
Capture system image
Network traffic and logs
Capture video
Record time offset
Take hashes
Screenshots
Witness interviews
Preservation
Recovery
Strategic intelligence/counterintelligence gathering
Active logging
Track man-hours
5.6 Explain disaster recovery and continuity of operation concepts.
Recovery sites
Hot site
Warm site
Cold site
Order of restoration
Backup concepts
Differential
Incremental
Snapshots
Full
Geographic considerations
Off-site backups
Distance
Location selection
Legal implications
Data sovereignty
Continuity of operation planning
Exercises/tabletop
After-action reports
Failover
Alternate processing sites
Alternate business practices
5.7 Compare and contrast various types of controls.
Deterrent
Preventive
Detective
Corrective
Compensating
Technical
Administrative
Physical
5.8 Given a scenario, carry out data security and privacy practices.
Data destruction and media sanitization
Burning
Shredding
Pulping
Pulverizing
Degaussing
Purging
Wiping
Data sensitivity labeling and handling
Confidential
Private
Public
Proprietary
PII
PHI
Data roles
Owner
Steward/custodian
Privacy officer
Data retention
Legal and compliance
Domain 6.0 Cryptography and PKI
6.1 Compare and contrast basic concepts of cryptography.
Symmetric algorithms
Modes of operation
Asymmetric algorithms
Hashing
Salt, IV, nonce
Elliptic curve
Weak/deprecated algorithms
Key exchange
Digital signatures
Diffusion
Confusion
Collision
Steganography
Obfuscation
Stream vs. block
Key strength
Session keys
Ephemeral key
Secret algorithm
Data-in-transit
Data-at-rest
Data-in-use
Random/pseudo-random number generation
Key stretching
Implementation vs. algorithm selection
Crypto service provider
Crypto modules
Perfect forward secrecy
Security through obscurity
Common use cases
Low power devices
Low latency
High resiliency
Supporting confidentiality
Supporting integrity
Supporting obfuscation
Supporting authentication
Supporting non-repudiation
Resource vs. security constraints
6.2 Explain cryptography algorithms and their basic characteristics.
Symmetric algorithms
AES
DES
3DES
RC4
Blowfish/Twofish
Cipher modes
CBC
GCM
ECB
CTM
Stream vs. block
Asymmetric algorithms
RSA
DSA
Diffie-Hellman
Groups
DHE
ECDHE
Elliptic curve
PGP/GPG
Hashing algorithms
MD5
SHA
HMAC
RIPEMD
Key stretching algorithms
BCRYPT
PBKDF2
Obfuscation
XOR
ROT13
Substitution ciphers
6.3 Given a scenario, install and configure wireless security settings.
Cryptographic protocols
WPA
WPA2
CCMP
TKIP
Authentication protocols
EAP
PEAP
EAP-FAST
EAP-TLS
EAP-TTLS
IEEE 802.1x
RADIUS Federation
Methods
PSK vs. Enterprise vs. Open
WPS
Captive portals
6.4 Given a scenario, implement public key infrastructure.
Components
CA
Intermediate CA
CRL
OCSP
CSR
Certificate
Public key
Private key
Object identifiers (OID)
Concepts
Online vs. offline CA
Stapling
Pinning
Trust model
Key escrow
Certificate chaining
Types of certificates
Wildcard
SAN
Code signing
Self-signed
Machine/computer
User
Root
Domain validation
Extended validation
Certificate formats
DER
PEM
PFX
CER
P12
P7B
Security+ Acronyms
Here are the acronyms of security terms that CompTIA deems important enough that they’re included in the objectives list for the exam. We’ve repeated them here exactly as listed by CompTIA.
Chapter 1
Threats, Attacks, and Vulnerabilities
COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE THE FOLLOWING:
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.
Viruses
Crypto-malware
Ransomware
Worm
Trojan
Rootkit
Keylogger
Adware
Spyware
Bots
RAT
Logic bomb
Backdoor
1.2 Compare and contrast types of attacks.
Social engineering
Phishing
Spear phishing
Whaling
Vishing
Tailgating
Impersonation
Dumpster diving
Shoulder surfing
Hoax
Watering hole attack
Principles (reasons for effectiveness)
Authority
Intimidation
Consensus
Scarcity
Familiarity
Trust
Urgency
Application/service attacks
DoS
DDoS
Man-in-the-middle
Buffer overflow
Injection
Cross-site scripting
Cross-site request forgery
Privilege escalation
ARP poisoning
Amplification
DNS poisoning
Domain hijacking
Man-in-the-browser
Zero day
Replay
Pass the hash
Hijacking and related attacks
Clickjacking
Session hijacking
URL hijacking
Typo squatting
Driver manipulation
Shimming
Refactoring
MAC spoofing
IP spoofing
Wireless attacks
Replay
IV
Evil twin
Rogue AP
Jamming
WPS
Bluejacking
Bluesnarfing
RFID
NFC
Disassociation
Cryptographic attacks
Birthday
Known plain text/cipher text
Rainbow tables
Dictionary
Brute force
Online vs. offline
Collision
Downgrade
Replay
Weak implementations
1.3 Explain threat actor types and attributes.
Types of actors
Script kiddies
Hacktivist
Organized crime
Nation states/APT
Insiders
Competitors
Attributes of actors
Internal/external
Level of sophistication
Resources/funding
Intent/motivation
Use of open-source intelligence
1.4 Explain penetration testing concepts.
Active reconnaissance
Passive reconnaissance
Pivot
Initial exploitation
Persistence
Escalation of privilege
Black box
White box
Gray box
Pen testing vs. vulnerability scanning
1.5 Explain vulnerability scanning concepts.
Passively test security controls
Identify vulnerability
Identify lack of security controls
Identify common misconfigurations
Intrusive vs. non-intrusive
Credentialed vs. non-credentialed
False positive
1.6 Explain the impact associated with types of vulnerabilities.
Race conditions
Vulnerabilities due to:
End-of-life systems
Embedded systems
Lack of vendor support
Improper input handling
Improper error handling
Misconfiguration/weak configuration
Default configuration
Resource exhaustion
Untrained users
Improperly configured accounts
Vulnerable business processes
Weak cipher suites and implementations
Memory/buffer vulnerability
Memory leak
Integer overflow
Buffer overflow
Pointer dereference
DLL injection
System sprawl/undocumented assets
Architecture/design weaknesses
New threats/zero day
Improper certificate and key management
The Security+ exam will test your knowledge of IT attacks and compromises. There are a wide range of hacks and compromises that both individuals and organizations must understand in order to defend against downtime and intrusion. To pass the test and be effective in reducing loss and harm, you need to understand the threats, attacks, vulnerabilities, concepts, and terminology detailed in this chapter.
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.
Malware or malicious code is any element of software that performs an unwanted function from the perspective of the legitimate user or owner of a computer system. This objective topic focuses on your ability to recognize a specific type of malware from a given scenario, list of symptoms, or general description of an infection or compromise. Malicious code includes a wide range of concepts, including viruses, ransomware, worms, Trojans, rootkits, keyloggers, adware, spyware, bots, RATs (Remote Access Trojan), logic bombs, and backdoors. Following is an overview of each.
Viruses
Viruses are just one example of malicious code, malicious software, or malware. Viruses get their name from their biological counterparts. They’re programs designed to spread from one system to another through self-replication and to perform any of a wide range of malicious activities. The malicious activities performed by viruses include data deletion, corruption, alteration, and exfiltration. Some viruses replicate and spread so rapidly that they consume most of the available system and network resources, thus performing a type of denial-of-service (DoS) attack (discussed later in this chapter).
Most viruses need a host to latch onto. The host can be a file (as in the case of common viruses) or the boot sector of a storage device. Viruses that attach themselves to the boot sector of a storage device (including HDD, SSD, CD/DVD-ROM, Blu-ray, and USB), and thus are loaded in memory when the drive is activated, are known as boot sector viruses.
Within these categories, some specific virus types include the following:
Polymorphic viruses Polymorphic viruses change their own appearance with each infection, typically by encrypting their body and regenerating the decryption routine, so that no fixed byte signature matches every copy and signature-based antivirus scanners miss them.
Macro viruses Macro viruses live within documents or emails and exploit the scripting capabilities of productivity software.
Stealth viruses Stealth viruses attempt to avoid detection by masking or hiding their activities.
Armored viruses Armored viruses are any form of malware that has been crafted to avoid detection and make removal difficult. This can involve the use of complex compiling techniques, overly complex coding logic, and abnormal use of memory.
Retroviruses Retroviruses are specifically targeted at antivirus systems to render them useless.
Phage viruses Phage viruses modify or infect many aspects of a system so they can regenerate themselves from any remaining unremoved parts.
Companion viruses A companion virus borrows the root filename of a common executable and gives itself the .com extension; because DOS-style command interpreters look for a .com file before a .exe file of the same name, typing the program name launches the virus rather than the intended application.
Multipart or multipartite viruses Multipart or multipartite viruses perform multiple tasks and may infect a system in numerous ways.
The best technology to serve as a countermeasure against viruses is an antivirus or antimalware scanner that is updated regularly and that monitors all local storage devices, memory, and communication pathways for viral activities. However, it is essential that modifying user behavior to avoid risky activities be a core part of the security strategy. Otherwise, without human risk reduction, no technological protections will be sufficient. Examples of activities to reduce or avoid risk include avoiding downloading software from nonvendor sources, not opening email attachments, and avoiding the use of removable media from other environments.
If a system is infected with a virus, some potential symptoms include corrupted or missing data files, applications that will no longer execute, slow system operation, lag between mouse click and system response, application or system crashes, ongoing hard drive activity, and the system’s tendency to be unresponsive to mouse movements or keystrokes. Any of these symptoms could accompany a virus infection; however, they can be symptoms of other malware infections as well.
Crypto-malware
Crypto-malware is any form of malware that uses cryptography as a weapon or a defense. Crypto as a weapon is seen in malware such as ransomware, while crypto as a defense is seen in malware such as polymorphic and armored viruses.
Another potential form of crypto-malware is code that seeks out the encryption keys of encrypted storage devices and then discloses those keys to a remote attacker. The goal or purpose of such malware is to grant the attacker access to otherwise protected content.
Symptoms of crypto-malware infection include the inability to access data, missing data, a system that will not boot, a sluggish system (during the encryption processes), and pop-ups demanding payment to decrypt your data.
Ransomware
Ransomware is a form of malware that takes over a computer system, usually by encrypting user data, in order to hinder its use while demanding payment. Effectively, it’s malware that holds a user’s data hostage in exchange for a ransom payment. The criminals behind ransomware usually demand payment through channels that are hard to trace or reverse, such as prepaid money cards (for example, Green Dot MoneyPak) or cryptocurrencies such as Bitcoin. Note that Bitcoin is pseudonymous rather than truly untraceable (every transaction is recorded on a public ledger), but payments cross borders easily and cannot be charged back.
Countermeasures against ransomware include avoiding risky behaviors, running antimalware software, and maintaining a reliable backup of your data that the malware cannot reach, such as an offline copy or one on storage the infected account cannot write to (ransomware that can reach a mounted backup drive or network share will encrypt it too). Unless absolutely no other option is available to you to regain access to your data, avoid paying the ransom. Paying a ransom to attackers only encourages them to continue their criminal activities, and it does not guarantee that a working decryption key will be delivered.
Symptoms of ransomware infection include the inability to access data, missing data, a system that will not boot, a sluggish system (during the encryption processes), and pop-ups demanding payment to decrypt your data.
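As an added example that is not part of the book’s text, the following Python script shows one way a defender can look for the indicators described above on a file share: encrypted files have near-maximum byte entropy, ransomware typically appends a new extension, and a ransom note appears alongside the damaged files. The sample files, the suffix list, the keyword list, and the alert rule are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample files (not from the book): a user's documents after a
# hypothetical ransomware run. Contents are synthetic byte patterns.
SAMPLE_FILES = {
    "report.docx": b"Quarterly report\n" * 200,                        # text-like, low entropy
    "readme.txt": b"hello hello hello hello\n" * 50,                   # low entropy
    "vacation.jpg": bytes((i * 31) % 256 for i in range(2048)),        # legitimate media: high entropy
    "budget.xlsx.locked": bytes(range(256)) * 16,                      # encrypted and renamed
    "photo.jpg.locked": bytes((i * 7919) % 256 for i in range(4096)),  # encrypted and renamed
    "HOW_TO_DECRYPT.txt": b"Your files are encrypted. Pay 1 BTC to ...",  # ransom note
}

# Assumed lists for illustration; real families use many other suffixes and note names.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")
NOTE_KEYWORDS = ("DECRYPT", "RANSOM", "RESTORE")
HIGH_ENTROPY = 7.0  # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """Label one file: ransom-note, encrypted, high-entropy (needs review), or normal."""
    upper = name.upper()
    if upper.endswith(".TXT") and any(k in upper for k in NOTE_KEYWORDS):
        return "ransom-note"
    entropy = shannon_entropy(data)
    if entropy >= threshold and name.lower().endswith(SUSPICIOUS_SUFFIXES):
        return "encrypted"
    if entropy >= threshold:
        # Archives, images and video are legitimately high-entropy, so entropy
        # alone is not an indicator; it needs the rename or a ransom note beside it.
        return "high-entropy"
    return "normal"


def scan(files: dict, threshold: float = HIGH_ENTROPY):
    """Return per-file verdicts and an overall alert decision."""
    verdicts = {name: classify(name, data, threshold) for name, data in files.items()}
    encrypted = sum(1 for v in verdicts.values() if v == "encrypted")
    note_present = any(v == "ransom-note" for v in verdicts.values())
    alert = note_present or encrypted >= 2  # illustrative threshold
    return verdicts, alert


if __name__ == "__main__":
    verdicts, alert = scan(SAMPLE_FILES)
    for name, verdict in verdicts.items():
        print(f"{name:22} {shannon_entropy(SAMPLE_FILES[name]):.2f}  {verdict}")
    print("ALERT" if alert else "no alert")
```

Entropy by itself is a weak signal: JPEGs, ZIP archives and already-encrypted documents also measure close to 8 bits per byte, which is why the script only calls a file encrypted when a suspicious suffix accompanies the entropy, and why vacation.jpg is merely marked for review rather than counted toward the alert.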
Worm
Another form of malware that is closely related to a virus is a worm. Worms are self-contained programs that do not need a host file; some never touch disk at all and run entirely in memory. Worms typically are focused on replication and distribution rather than on direct damage and destruction. Worms are designed to exploit a specific vulnerability in a system (operating system, protocol, service, or application) and then use that flaw to spread themselves to other systems with the same flaw, usually with no user interaction at all. They may be used to deposit viruses, logic bombs, ransomware, backdoors, or zombies/agents/bots for botnets, or they may perform destructive virus-like activities on their own.
Countermeasures for worms are the same as for viruses, with the addition of keeping systems patched.
A worm infection may display symptoms that include a slow-to-respond system, applications that no longer will execute, a lack of free space on storage devices, CPU and memory utilization maxed out at 100 percent, system crashes, and abnormal network activity.
Trojan
A Trojan horse is a form of malicious software that is disguised as something useful or legitimate. The most common forms of Trojan horses are games and screensavers, but any software can be made into a Trojan. The goal of a Trojan horse is to trick a user into installing it on their computer. This allows the malicious code portion of the Trojan to gain access to the otherwise secured environment. A Trojan is crafted by combining a seemingly benign host file with a malicious payload. It is an integration of technology abuse with social engineering. The victim is tricked into accepting the Trojan on their system because they believe that the only thing they are obtaining is the obvious benign host. However, when the host is used, the malicious payload is released to infect the system. Some of the most common Trojans are tools that install distributed denial-of-service (DDoS) agents, botnet agents, or remote-control backdoors onto systems.
Countermeasures for Trojan horses are the same as for viruses.
Scenarios involving a system becoming infected through Trojan horse delivery of malware can elicit any of the symptoms mentioned for other malware infections (see earlier and later malware concepts), since a Trojan horse can be used to deliver any sort of malicious code. In addition, a Trojan horse may cause system slowdown or unresponsiveness immediately after triggering or launching the Trojan horse while it is delivering the malicious payload.
Rootkit
A rootkit is a special type of hacker tool that embeds itself deep within an operating system (OS). The rootkit positions itself at the heart of an OS, where it can manipulate information seen by the OS. Often, a rootkit replaces the OS kernel, shims itself under the kernel, replaces device drivers, or infiltrates application libraries so that whatever information it feeds or hides from the OS, the OS thinks is normal and acceptable. This allows a rootkit to hide itself from detection, prevent its files from being viewed by file management tools, and prevent its active processes from being viewed by task management or process management tools. Thus, a rootkit is a type of invisibility shield. A rootkit can be used to hide other malicious tools and/or perform other functions. A rootkit or other tools hidden by a rootkit can capture keystrokes, steal credentials, watch URLs, take screen captures, record sounds via the microphone, track application use, or grant a remote hacker backdoor access or remote control over the compromised target system.
After a rootkit has infected a system, that system can no longer be trusted or considered secure. There are rootkits that are still undetectable and/or can’t be effectively removed. Thus, any rootkit-compromised system can never be fully trusted again. To use a silly analogy: if you’re fighting an invisible army, how can you be sure that you’ve defeated all of the soldiers?
There are several rootkit-detection tools, some of which are able to remove certain rootkits. However, once you suspect a rootkit is on a system, the only truly secure response is to reconstitute or replace the entire computer. Reconstitution involves wiping all storage devices on that system, reinstalling the OS and all applications from trusted original sources, and then restoring files from trusted rootkit-free backups. Because a rootkit can lie to any tool run on the compromised system itself, detection and disk imaging should be done from trusted boot media rather than from the running OS, and a rootkit that lives in firmware (UEFI or a device controller) survives a disk wipe and requires reflashing or replacing the hardware. Obviously, the best protection against rootkits is defense rather than response.
There are often no noticeable symptoms or indicators of compromise related to a rootkit infection. Rootkit authors often strive to minimize any noticeable activity that might indicate that a system has been compromised. In the moments after initial rootkit installation there might be some system sluggishness and unresponsiveness as the rootkit installs itself, but otherwise it will actively mask any symptoms.
Keylogger
A keylogger is a form of malware that records the keystrokes typed into a system’s keyboard. Software keyloggers are often able to record input from both physical keyboards and on-screen keyboards. The captured keystrokes are then uploaded to the attacker for analysis and exploitation.
Many antimalware scanners include signatures for keyloggers; however, a potentially unwanted program (PUP) scanner, such as Malwarebytes, might also be necessary to detect this type of abusive software.
Hardware keyloggers are physical devices attached to the keyboard cable where it connects to the main system. Such devices are not detectable by software and thus require physical inspection to uncover. Some hardware keyloggers can upload captured content via Wi-Fi, Bluetooth, or cellular service, whereas others must be physically retrieved.
A keylogger infection might exhibit sluggish keyboard response, require typing keys twice to get them to be recognized by the system, and cause overall system performance degradation.
Adware
Adware is a variation on the idea of spyware (discussed later in this section). Adware displays pop-up advertisements to users based on their activities, URLs they have visited, applications they have accessed, and so on. Adware is used to customize advertisements to prospective customers. Unfortunately, most adware products arrive on client systems without the knowledge or consent of the user. Thus, legitimate commercial products are often seen as intrusive and abusive adware.
Some forms of adware display offerings for fake or false security products. They often display an animation that seems like the system is being scanned; they may even search for malicious code or intrusion events. The adware then displays a warning that problems were found and the solution is to download a free utility to remove or resolve the offense. This type of malware is also known as scareware.
Countermeasures for adware are the same as for spyware and viruses—antimalware software with added specific spyware/adware-scanning tools.
Indicators of adware compromise can include the pop-up display of advertisements even when a web browser is not already running, sluggish system response, and poor mouse responsiveness (especially when clicking on links).
Spyware
Spyware is any form of malicious code or even business or commercial code that collects information about users without their direct knowledge or permission. Spyware can be fully malicious when it seeks to gain information to perform identity theft or credential hijacking. However, many advertising companies use less malicious forms of spyware to gather demographics about potential customers. In either case, the user is often unaware that the spyware tool is present or that it’s gathering information that is periodically transmitted to some outside entity. Spyware can collect keystrokes, names of launched applications, local files, sent or received emails and instant messages (IMs), and URLs visited; it can also record audio by turning on the microphone, or even record video by turning on a webcam. Spyware can be deposited by viruses, worms, or Trojan horses, or it can be installed as an extra element from commercial, freeware, or shareware applications.
Countermeasures for spyware are the same as for viruses, with the addition of specific spyware-scanning tools.
Spyware infections may cause noticeable symptoms such as slow system performance, poor keyboard and mouse responsiveness, the appearance of unknown files, and quickly dwindling available storage space.
Bots
The term botnet is a shortened form of the phrase robot network. It is used to describe a massive deployment of malicious code onto numerous compromised systems that are all remotely controlled by a hacker. Botnets extend the traditional DoS attack into the distributed denial-of-service (DDoS) attack. A DDoS attack occurs when a hacker has deposited remote-controlled agents, zombies, or bots onto numerous secondary victims and then uses the deployed bots as a single entity to attack a primary target. (This is covered in more detail later in this chapter, when we review specific attack types.)
Botnets are either directly or indirectly controlled by a hacker. Sometimes the hacker is called a bot herder, a master, or even a handler. Direct control of a botnet occurs when the bot herder sends commands to each bot. Therefore, bots have a listening service on an open port waiting for the communication from the bot herder. Indirect control of a botnet can occur through any intermediary communication system, including Internet Relay Chat (IRC), IM, File Transfer Protocol (FTP), email, the Web, blogging, Facebook, Twitter, and so on. When indirect control is used, the bots periodically poll an intermediary communication service for messages from the bot herder. The intermediary communication service is often called a command and control (C2) center, but instead of being a complex controlling interface, it is simply the locus of connection between the attacker and the bots where information is exchanged.
Botnets are possible because most computers around the world are accessible over the Internet, and many of those computers have weak security. A botnet creator writes their botnet code to exploit a common vulnerability in order to spread the botnet agent far and wide—often using the same techniques used by viruses, worms, and Trojan horses. Botnets typically include thousands (if not hundreds of thousands) of compromised secondary victims. The secondary victims are the hosts of the botnet agent itself and aren’t affected or damaged beyond the initial intrusion and planting of the botnet agent. The hackers want the secondary victims fully functional so that when they launch their botnet attack against the primary victim, they can use all the resources of the secondary victims against the primary target.
A botnet can be used to perform any type of malicious activity. Although they’re most often used to perform DoS flooding attacks, botnets can also be used to transmit spam, perform massively distributed parallel processing to crack passwords or encryption keys, perform phishing attacks, capture network packets, or perform any other conceivable activity.
The best defense against a botnet is to keep your systems patched and hardened and to not become the host of a botnet agent (in other words, don’t become a secondary victim). Strict outbound firewall rules, spoofed source address filtering, and web content filtering on a unified threat management (UTM) device are also effective countermeasures. In addition, most antivirus software and antispyware/adware tools include well-known botnet agents in their detection databases.
If you’re the primary victim of a botnet flooding attack, there is little you can do to stop the attack. Your responses are often limited to disconnecting from the Internet, contacting your ISP, and reporting the incident to law enforcement. There are several DDoS filtering services, which range from free services to quite expensive enterprise-class services.
The indicators of botnet compromise can include slow system performance, high levels of CPU and memory utilization, high levels of abnormal network traffic, strange files appearing on storage devices, unknown processes running, and odd program windows appearing on the desktop.
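Because indirectly controlled bots poll their command and control point on a timer, one detection approach for the abnormal network traffic mentioned above is to look for outbound connections whose intervals are unnaturally regular. The following Python example, added here and not from the book, parses a constructed connection log and scores each source/destination pair by the coefficient of variation of its inter-connection gaps; the log format, the addresses, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (not from the book). One internal host talks to two
# external addresses: one on a near-exact five-minute timer, one at irregular human times.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.7:443
2024-05-01T10:00:02 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:05:00 10.0.0.5 -> 203.0.113.7:443
2024-05-01T10:06:40 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:10:01 10.0.0.5 -> 203.0.113.7:443
2024-05-01T10:15:00 10.0.0.5 -> 203.0.113.7:443
2024-05-01T10:15:45 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:19:59 10.0.0.5 -> 203.0.113.7:443
2024-05-01T10:25:00 10.0.0.5 -> 203.0.113.7:443
2024-05-01T10:40:10 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:52:00 10.0.0.5 -> 198.51.100.20:443
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (source, destination) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times: list):
    """Coefficient of variation of the gaps between successive connections.
    Near 0.0 means clockwork regularity; None when there are too few samples to judge."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(text: str, min_connections: int = 5, max_cv: float = 0.1) -> dict:
    """Return {(src, dst): cv} for flows regular enough to look like C2 check-ins."""
    hits = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits[flow] = round(cv, 3)
    return hits


if __name__ == "__main__":
    for (src, dst), cv in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} (interval CV {cv})")
```

Real bot agents often add random jitter to their check-in interval precisely to defeat this kind of analysis, and legitimate software (update checkers, monitoring agents) beacons too; pair the score with destination reputation, newly registered domains, and connection counts over a longer window rather than relying on it alone.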
RAT
A remote-access Trojan (RAT) is a form of malicious code that grants an attacker some level of remote-control access to a compromised system. Often the remote-control backdoor component is hidden inside a host file that is linked to some current popular concept, such as a new movie, music album, or game. Once the victim uses or opens the host, the remote-control malware is installed on their system and a notification is sent to the attacker. Most RATs then initiate an outbound connection to the attacker’s waiting system to grant them access to manipulate the victim’s data and system operations.
RAT infections may result in noticeable symptoms such as odd network communications and traffic levels; a system that will not auto-engage the screensaver or timed sleep mode; higher levels of drive, CPU, and memory activity; and the appearance of unknown files on storage devices.
Logic bomb
A logic bomb is a form of malicious code that remains dormant until a triggering event occurs. The triggering event can be a specific time and date, the launching of a specific program, typing in a certain keystroke combination, or the accessing of a specific URL (such as your online banking logon page). Logic bombs can perform any malicious function the programmer wishes, from causing system crashes, to deleting data, to altering configurations, to stealing authentication credentials.
A logic bomb can also be a fork bomb, which triggers a duplication event where the original code is cloned and launched. Then, each of the new clones forks itself again. This forking/cloning process repeats until the system crashes because the process table, memory, or CPU has been completely consumed by the malware. The same approach can be aimed at other resources, for example by filling storage space or saturating network bandwidth until legitimate use becomes impossible.
Symptoms of logic bomb compromise could include an abrupt change in system performance, crashing of applications or the system, and a loss of storage device free space.
Backdoor
The term backdoor can refer to two types of problems or attacks on a system. The first and oldest type of backdoor was a developer-installed access method that bypassed all security restrictions. The backdoor was a special hard-coded user account, password, or command sequence that allowed anyone with knowledge of the access hook (sometimes called a maintenance hook) to enter the environment and make changes. This sounds great from a developer’s perspective, especially during the coding and debugging process. Unfortunately, such programming shortcuts are often forgotten about when the product nears completion; thus, they end up in the final product. Fortunately, once a backdoor is discovered in a released product, the vendor usually releases a patch to remove the backdoor code from the installed product. The possible presence of backdoors is another good reason to stay current with vendor-released updates and patches.
The second meaning of backdoor is a hacker-installed remote-access client. These small, maliciously purposed tools can easily be deposited on a computer through a Trojan horse, a virus, a worm, a website mobile code download, or even as part of an intrusion activity. Once active on a system, the tool opens access ports and waits for an inbound connection. Thus, a backdoor serves as an access portal for hackers so that they can bypass any security restrictions and gain (or regain) access to a system. Some common backdoor tools include Back Orifice, NetBus, and Sub7 (all of which function on Windows). These and other common backdoor tools are detected and removed by virus scanners and spyware scanning tools.
Figure 1.1 shows a backdoor attack in progress.
FIGURE 1.1 A backdoor attack in progress
Preemptive measures against backdoors include restricting mobile code from being automatically downloaded to your systems, using software policies to prevent unauthorized software from being installed, monitoring inbound and outbound traffic, and requiring software and driver signing.
A backdoor compromise may elicit noticeable symptoms such as an unresponsive system, applications opening or closing seemingly on their own, abnormal network connections and activity, and missing or new files.
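As an added example (not from the book), the following Python shows the developer-installed backdoor described above as code, beside a hardened login that has no special-case path at all. The user names, passwords, and credential store are hypothetical; the hardened version verifies against a salted PBKDF2 hash with a constant-time comparison.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000

# --- Vulnerable form: a developer "maintenance hook" shipped in the product ---
# Hypothetical credentials for illustration; any such constant in the code IS the backdoor.
MAINT_USER, MAINT_PASS = "maint", "letmein"
USERS_PLAIN = {"alice": "S3cret!"}  # plaintext store, also hypothetical and also bad


def login_with_backdoor(user: str, password: str) -> bool:
    if user == MAINT_USER and password == MAINT_PASS:  # bypasses the real check
        return True
    return USERS_PLAIN.get(user) == password


# --- Hardened form: no special-case accounts; only the credential store decides ---
def make_record(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record for the credential store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


USERS = {"alice": make_record("S3cret!")}  # hypothetical store
_DUMMY_SALT = b"\x00" * 16


def login(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response timing does not
        # reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print("backdoor creds, vulnerable login:", login_with_backdoor("maint", "letmein"))
    print("backdoor creds, hardened login:  ", login("maint", "letmein"))
    print("real creds, hardened login:      ", login("alice", "S3cret!"))
```

The fix is less about the hashing than about removing the branch: any comparison against a constant credential in source is the backdoor, and code review or a secrets scanner run in the build pipeline should flag such constants before the product ships.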
Exam Essentials
Understand viruses. Viruses are programs that are designed to spread from one system to another through self-replication and to perform any of a wide range of malicious activities.
Understand crypto-malware. Crypto-malware is any form of malware that uses cryptography as a weapon or a defense.
Understand ransomware. Ransomware is a form of malware that aims to take over a computer system in order to block its use while demanding payment.
Understand worms. Worms are designed to exploit a single flaw in a system (operating system, protocol, service, or application) and then use that flaw to replicate themselves to other systems with the same flaw.
Understand Trojan horses. A Trojan horse is a form of malicious software that is disguised as something useful or legitimate.
Understand rootkits. A rootkit is a type of malicious code that fools the OS into thinking that active processes and files don’t exist. Rootkits render a compromised system completely untrustworthy.
Understand keyloggers. A keylogger is a form of malware that records the keystrokes typed into a system’s keyboard.
Understand spyware and adware. Spyware gathers information about users and may employ that information to customize advertisements or steal identities. Adware gathers information about users and uses it to direct advertisements to the user. Both spyware and adware are usually unwanted software that gathers information without authorization.
Understand botnets. A botnet is a network of robots or malicious software agents controlled by a hacker in order to launch massive attacks against targets.
Understand a RAT. A remote-access Trojan (RAT) is a form of malicious code that grants an attacker some level of remote-control access to a compromised system.
Understand logic bombs. A logic bomb is a form of malicious code that remains dormant until a triggering event occurs. The triggering event can be a specific time and date, the launching of a specific program, or the accessing of a specific URL.
Understand backdoor attacks. There are two types of backdoor attacks: a developer-installed access method that bypasses any and all security restrictions, or a hacker-installed remote-access client.
Understand malicious code countermeasures. The best countermeasure to viruses and other malicious code is an antivirus scanner that is updated regularly and that monitors all local storage devices, memory, and communication pathways for malicious activity. Other countermeasures include avoiding downloading software from the Internet, not opening email attachments, and avoiding the use of removable media from other environments.
1.2 Compare and contrast types of attacks.
Any computer system connected to any type of network is subject to various types of attacks, and networked systems are being attacked at an alarming and increasing rate. Even systems that aren’t connected to the Internet, such as those isolated in a private network, may come under attack. There are myriad ways to attack a computer system. Your familiarity with a modest collection of these attacks and how to respond to them is an essential skill for the Security+ exam. The following sections discuss common attack methods.
Social engineering
Social engineering is a form of attack that exploits human nature and human behavior. Social engineering attacks take two primary forms: convincing someone to perform an unauthorized operation or convincing someone to reveal confidential information. For example, the victim may be fooled into believing that a received email is authoritative (such as an email hoax), that a person on the phone is someone to be respected and obeyed (such as someone claiming to be from tech support or a manager offsite), or that a person with them is who they claim to be (such as an air-conditioning [AC] repair technician). In just about every case, in social engineering the attacker tries to convince the victim to perform some activity or reveal a piece of information that they shouldn’t. The result of a successful attack is information leakage or the attacker being granted logical or physical access to a secure environment.
Any form of advertisement could be considered a form of social engineering attack—ads appeal to you in an attempt to get you to purchase or use a product or service. Although an advertisement’s motivation is profit, the motives for most social engineering attacks are more malevolent. In fact, hackers now have access to sophisticated technology to assist in their social engineering endeavors.
One such tool is the Social Engineering Toolkit (SET). As you can see on the http://social-engineer.org website, SET was specifically designed to perform advanced attacks against the human element. It integrates with the Metasploit framework to allow an attacker to take control of a remote computer by enticing the soon-to-be victim to click a pop-up of some sort. For instance, a gamer playing the latest version of the newest hot online video game could receive a pop-up stating that there is temporary Internet congestion. It might then say, “Please select Stay Online if performance is acceptable or select Disconnect to disconnect and reconnect.”
Either selection results in the attacker’s code being run and possibly in the exploitation of the system. The user-interaction portion of the attack is why this is referred to as the Social Engineering Toolkit.
Here are some example scenarios of common social engineering attacks:
A worker receives an email warning about a dangerous new virus spreading across the Internet. The message directs the worker to look for a specific file on the hard drive and delete it, because it indicates the presence of the virus. Often, however, the identified file is really an essential file needed by the system.
A website claims to offer free temporary access to its products and services, but it requires web browser and/or firewall alterations in order to download the access software.
A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO’s private cell phone number in order to call them.
The helpdesk receives a call from an outside line. The caller claims to be a manager of a department who is currently involved in a sales meeting in another