GIBSON REMEMBER Flashcards
The CIA Triad is the foundation of everything we do in
cybersecurity. It’s one of the essential concepts listed in the
Security+ exam objectives, and you should be very familiar with it
when you take the exam. As you learn about different security
threats and controls throughout this book, try to relate each of
them to one or more of the three goals of confidentiality,
integrity, and availability.
Confidentiality ensures that data is only viewable by authorized
users. The best way to protect the confidentiality of data is by
encrypting it. This includes any type of data, such as PII, data in
databases, and data on mobile devices. Access controls help
protect confidentiality by restricting access.
Integrity verifies that data has not been modified. Loss of
integrity can occur through unauthorized or unintended changes.
Hashing algorithms, such as SHA, calculate hashes to verify
integrity. A hash is simply an alphanumeric string created by applying a hashing algorithm to a file or message. You can then
later run the same algorithm on the data and you should get the
same hash value. By comparing the hashes, you can verify that
there haven’t been any changes (authorized or unauthorized) to
the data. If the hashes are the same, the data is unchanged. If
the hash has changed, the data has changed.
Availability ensures that systems are up and operational when
needed and often addresses single points of failure. You can
increase availability by adding fault tolerance and redundancies,
such as RAID, failover clusters, backups, and generators.
Redundancy and fault tolerance methods increase the availability
of systems and data. Scalability refers to manually adding servers
to a service or resources to a system to meet new demand.
Elasticity refers to automatically adding or removing resources as needed.
Risk is the likelihood that a threat will exploit a vulnerability. Risk
mitigation reduces the chances that a threat will exploit a
vulnerability or reduces the risk’s impact by implementing security
controls.
You may find all this talk of categories and types a little
confusing. Remember that every control you encounter will
belong to at least one category and at least one type. For
example, a firewall is a technical control because it uses
technology to achieve its goals. It is also a preventive control
because its goal is to stop unwanted traffic from entering the
network, preventing an incident from occurring.
Managerial controls are administrative in function and
documented in security policies. Operational controls are
implemented by people who perform the day-to-day operations to
comply with an organization’s overall security plan.
Security controls are categorized as managerial (documented in
written policies), operational (performed in day-to-day
operations), technical (implemented with technology), or physical
(impacting the physical world).
Technical controls use technology to reduce vulnerabilities. Some
examples include encryption, antivirus software, IDSs, IPSs,
firewalls, and the least privilege principle. Physical security and
environmental controls include motion detectors and fire
suppression systems.
Preventive controls attempt to prevent security incidents.
Hardening systems modifies the basic configuration to increase
security. Security guards can prevent unauthorized personnel
from entering a secure area. Change management processes help
prevent outages from configuration changes. An account
disablement process ensures that accounts are disabled when a
user leaves the organization.
Identification occurs when a user claims an identity, such as with
a username or email address. Authentication occurs when the
user proves the claimed identity (such as with a password) and
the credentials are verified. Access
control systems provide authorization by granting access to
resources based on permissions granted to the proven identity.
Logging provides accounting.
Complex passwords use a mix of character types. Strong
passwords use a mix of character types and have a minimum
password length of at least eight characters. A password
expiration identifies when a password must be changed.
Account lockout policies thwart some password attacks, such as
brute force and dictionary attacks. Many applications and devices
have default passwords. These should be changed before putting
the application or device into service.
Smart cards are often used with two-factor authentication where
users have something (the smart card) and know something
(such as a password or PIN). Smart cards include embedded
certificates used with digital signatures and encryption. They are
HOTP and TOTP are open-source standards used to create one-time-use passwords. HOTP creates a one-time-use password that
does not expire until it is used, and TOTP creates a one-time
password that expires after 30-60 seconds. Both can be used as
software tokens for authentication.
The third factor of authentication (something you are, defined
with biometrics) is the strongest individual authentication factor.
Biometric methods include fingerprint recognition, vein pattern
matching, retinal and iris scans, facial recognition, voice
recognition, and gait analysis.
Iris and retina scans are the strongest biometric methods
mentioned in this section. Iris scans are commonly preferred over
retinal scans because retinal scans are intrusive and may reveal
private medical concerns. Facial recognition and gait analysis can
bypass the enrollment process when used for identification
instead of authorization.
Using two or more methods in the same factor of authentication
(such as a PIN and a password) is single-factor authentication.
Two-factor authentication uses two different authentication
factors, such as using a hardware token and a PIN. Multifactor
authentication uses two or more factors.
Passwordless authentication is not necessarily multifactor
authentication. You can use a single something you have or
something you are factor to use passwordless authentication.
Privileged access management (PAM) systems implement
stringent security controls over accounts with elevated privileges
such as administrator or root-level accounts. Some capabilities
include allowing authorized users to access the administrator
account without knowing the password, logging all elevated
privilege usage, and automatically changing the administrator
account password.
Requiring administrators to use two accounts, one with
administrator privileges and another with regular user privileges,
helps prevent privilege escalation attacks. Users should not use
shared accounts.
An account disablement policy identifies what to do with accounts
for employees who leave permanently or are on a leave of
absence. Most policies require administrators to disable the
account as soon as possible so that ex-employees cannot use the
account. Disabling the account ensures that data associated with
it remains available. Security keys associated with an account
remain available when the account is disabled, but the security
keys (and data they encrypted) are no longer accessible if it is
deleted.
Usage auditing records user activity in logs. A usage auditing
review looks at the logs to see what users are doing and it can be
used to re-create an audit trail. Permission auditing reviews help
ensure that users have only the access they need and no more
and can detect privilege creep issues.
SAML is an XML-based standard used to exchange authentication
and authorization information between different parties. SAML
provides SSO for web-based applications.
It’s easy to get confused about what OAuth does because the
name is ambiguous! Remember that the “Auth” in OAuth stands
for authorization, not authentication!
A role-based access control scheme uses roles based on jobs and
functions. A roles and permissions matrix is a planning document
that matches the roles with the required privileges.
Group-based privileges reduce the administrative workload of
access management. Administrators put user accounts into
security groups and assign privileges to the groups. Users within
a group automatically inherit the privileges assigned to the group.
Rule-based access control is based on a set of approved
instructions, such as an access control list. Some rule-BAC
systems use rules that trigger in response to an event, such as
modifying ACLs after detecting an attack or granting additional
permissions to a user in certain situations.
The DAC scheme specifies that every object has an owner, and
the owner has full, explicit control of the object. Microsoft NTFS uses the DAC scheme.
The MAC scheme uses sensitivity labels for users and data. It is
commonly used when access needs to be restricted based on a
need to know. Sensitivity labels often reflect classification levels
of data and clearances granted to individuals.
The ABAC scheme uses attributes defined in policies to grant
access to resources. It’s commonly used in software-defined
networks (SDNs).
You can use a memory trick to remember the order of the OSI
layers – make a sentence that has words starting with the seven
letters of the model layers in order. My personal favorite is “Please
Do Not Throw Sausage Pizza Away!” Other people use “All People
Seem To Need Data Processing.” You can choose whatever works for you.
Secure Shell (SSH) encrypts traffic over TCP port 22 and is used
to transfer encrypted files over a network. Transport Layer
Security (TLS) is a replacement for SSL and is used to encrypt
many different protocols, including browser-based connections
using HTTPS. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP
Secure (FTPS) uses TLS to encrypt traffic.
SMTP, POP3, and IMAP4 are primary email protocols. Well-known
ports for encrypted and unencrypted traffic (respectively) are:
SMTP uses ports 25 and 587, POP3 uses 110 and 995, IMAP4
uses 143 and 993. HTTP and HTTPS use ports 80 and 443,
respectively.
Directory services, such as Microsoft Active Directory Domain
Services (AD DS), provide authentication and authorization
services for a network. AD DS uses LDAP, encrypted with TLS
when querying the directory.
Administrators connect to servers remotely using protocols such
as Secure Shell (SSH) and the Remote Desktop Protocol (RDP). In
some cases, administrators use virtual private networks to
connect to remote systems.
OpenSSH is a suite of tools that simplifies the use of SSH to
connect to remote servers securely. The ssh-keygen command
creates a public/private key pair, and the ssh-copy-id command
copies the public key to a remote server. The private key must
always stay private.
Port security includes disabling unused ports and limiting the
number of MAC addresses per port. A more advanced
implementation is to restrict each physical port to only a single
specific MAC address.
Broadcast storm and loop prevention such as STP or RSTP is
necessary to protect against switching loop problems, such as
those caused when two ports of a switch are connected.
Routers and stateless firewalls (or packet-filtering firewalls)
perform basic filtering with an access control list (ACL). ACLs
identify what traffic is allowed and what traffic is blocked. An ACL
can control traffic based on networks, subnets, IP addresses,
ports, and some protocols. Implicit deny blocks all access that has
not been explicitly granted. Routers and firewalls use implicit
deny as the last rule in the access control list.
Administrators use SNMPv3 to manage and monitor network
devices, and SNMP uses UDP ports 161 and 162. SNMPv3
encrypts credentials before sending them over the network and is
more secure than earlier versions.
Host-based firewalls provide protection for individual hosts, such
as servers or workstations. Network-based firewalls run on
dedicated hardware and provide protection for an entire network.
You should use host-based firewalls and network-based firewalls
together to achieve a defense-in-depth approach to network
security.
Firewalls use a deny any any, deny any, or a drop all statement at
the end of the ACL to enforce an implicit deny strategy. The
statement forces the firewall to block any traffic that wasn’t
previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
A stateless firewall blocks traffic using only an ACL, and a stateful
firewall uses ACLs as well but also considers the state of the
packet within a session. Web application firewalls provide strong
protection for web servers. They protect against several different
types of attacks, focusing on web application attacks.
A screened subnet (sometimes called a DMZ) is a buffer zone between the Internet and an internal network. It allows access to
services while segmenting access to the internal network. In
other words, Internet clients can access the services hosted on
servers in the screened subnet, but the screened subnet provides
a layer of protection for the intranet (internal network).
NAT translates public IP addresses to private IP addresses and
private IP addresses back to public. A common form of NAT is
Port Address Translation. Dynamic NAT uses multiple public IP
addresses, while static NAT uses a single public IP address.
An air gap isolates one network from another by ensuring there is
physical space (literally a gap of air) between all systems and
cables.
Virtual local area networks (VLANs) separate or segment traffic on
physical networks, and you can create multiple VLANs with a
single switch. A VLAN can logically group several different
computers together or logically separate computers without
regard to their physical location. VLANs are also used to separate
traffic types, such as voice traffic on one VLAN and data traffic on
a separate VLAN.
A proxy server forwards requests for services from a client. It
provides caching to improve performance and reduce Internet
bandwidth usage. Transparent proxy servers accept and forward
requests without modifying them. Non-transparent proxy servers
use URL filters to restrict access to certain sites. Both types can
log user activity.
A unified threat management (UTM) appliance combines multiple
security controls into a single appliance. It can inspect data
streams and often includes URL filtering, malware inspection, and
content inspection components. Many UTMs include a DDoS
mitigator to block DDoS attacks.
A jump server is placed between different security zones and
provides secure access from devices in one zone to devices in the
other zone. It can provide secure access to devices in a screened
subnet from an internal network.
A HIDS can monitor all traffic on a single host system such as a
server or a workstation. In some cases, it can detect malicious
activity missed by antivirus software.
A NIDS console is installed on a network appliance. Sensors are
installed on network devices such as switches, routers, or
firewalls to monitor network traffic and detect network-based
attacks. You can also use taps or port mirrors to capture traffic. A
NIDS cannot monitor encrypted traffic and cannot monitor traffic
on individual hosts.
Signature-based detection identifies issues based on known attacks or vulnerabilities. Signature-based detection systems can
detect known attack types. Trend-based IDSs (also called
anomaly-based) can detect unusual activity. They start with a
performance baseline of normal behavior and then compare
network traffic against this baseline. When traffic differs
significantly from the baseline, the system sends an alert.
A false positive incorrectly indicates an attack is occurring when
an attack is not active. A high incidence of false positives
increases the administrator’s workload. A false negative is when
an attack occurs, but the system doesn’t detect and report it.
Administrators often set the IDS threshold high enough to
minimize false positives but low enough that it does not allow
false negatives.
An intrusion prevention system (IPS) is a preventive control. It is
placed in-line with traffic. An IPS can actively monitor data
streams, detect malicious content, and stop attacks in progress. It
can also be used internally to protect private networks.
An IPS is placed in-line with the traffic and can detect, react to,
and prevent attacks. An IDS monitors and responds to an attack.
It is not in-line but instead collects data passively (also known as
out-of-band).
Honeypots and honeynets attempt to deceive and disrupt
attackers. They divert attackers from live networks and
allow security personnel to observe current methodologies
attackers are using. A honeyfile is a file with a name (such as
password.txt) that will attract the attacker’s attention. A
honeytoken is a fake record inserted into a database to detect
data theft.
MAC filtering can restrict wireless network access to specific
clients. However, an attacker can use a sniffer to discover allowed
MAC addresses and circumvent this form of network access
control. It’s relatively simple for an attacker to spoof a MAC
address.
A site survey examines the wireless environment to identify
potential problem areas. A heat map shows wireless coverage and
dead spots if they exist. Wireless footprinting gives you a detailed
diagram of wireless access points, hotspots, and dead spots
within an organization.
WPA2-PSK uses a pre-shared key and does not provide individual
authentication. Open mode doesn’t use security and allows all
users to access the AP. Enterprise mode is more secure than
Personal mode, providing strong authentication. Enterprise mode
uses an 802.1X server (implemented as a RADIUS server) to add
authentication.
WPA2 supports CCMP (based on AES) and replaced earlier
wireless cryptographic protocols. WPA3 uses Simultaneous
Authentication of Equals (SAE) instead of a pre-shared key (PSK)
used with WPA2.
Enterprise mode requires an 802.1X server. EAP-FAST supports
PACs. PEAP and EAP-TTLS require a certificate on the 802.1X
server. EAP-TLS also uses TLS, but it requires certificates on both
the 802.1X server and each of the clients. An 802.1X server
provides port-based authentication, ensuring that only authorized
clients can connect to a device or a network. It prevents rogue
devices from connecting.
A disassociation attack effectively removes a wireless client from
a wireless network, forcing it to re-authenticate. WPS allows users
to configure a wireless device by entering an eight-digit PIN
and/or pressing buttons on the device. A WPS attack guesses all
possible PINs until it finds the correct one. It will typically
discover the PIN within hours and use it to discover the
passphrase.
Rogue access points are often used to capture and exfiltrate data.
An evil twin is a rogue access point using the same SSID (or a
similar SSID) as a legitimate access point. A secure AP blocks
unauthorized users, but a rogue access point provides access to
unauthorized users.
Bluejacking is the unauthorized sending of text messages to a
nearby Bluetooth device. Bluesnarfing is the unauthorized access
to, or theft of information from, a Bluetooth device. Ensuring
devices cannot be paired without manual user intervention
prevents these attacks, and placing them in Faraday cages will
prevent pairing.
Administrators use war driving techniques as part of a wireless
audit. A wireless audit checks a wireless signal footprint, power
levels, antenna placement, and encryption of wireless traffic.
Wireless audits using war driving can detect rogue access points
and identify unauthorized users. War flying is similar to war
driving, but it uses planes or drones instead of cars.
A virtual private network (VPN) provides remote access to a
private network via a public network. VPN concentrators are
dedicated devices used for VPNs. They include all the services
needed to create a secure VPN supporting many clients.
IPsec is a secure encryption protocol used with VPNs.
Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses Tunnel
mode for VPN traffic and can be identified with protocol ID 50 for
ESP. It uses IKE over port 500. A full tunnel encrypts all traffic
after a user has connected to a VPN. A split tunnel only encrypts
traffic destined for the VPN’s private network.
Network access control (NAC) includes methods to inspect clients
for health, such as having up-to-date antivirus software, and can
restrict access of unhealthy clients to a remediation network. You
can use NAC for VPN clients and internal clients.