Header Ads

Security+ SYO-501 Notes Part 1

1) Understanding the basic goals of Information Security - CIA
The first thing to remember is that security is not implemented in a vacuum.  Every organization has a use case which it uses to clarify objectives and to implement Technologies. For the security professional, this helps in clarifying the requirements towards achieving a goal.

a) The first common use case is confidentiality. As the name implies it refers to something not being available to everyone. To be more specific it means ensuring that data is only available to those who have been authorized to view it. The two best ways of achieving this are by encrypting the data and by setting up access controls to restrict unfettered access. Another method of providing confidentiality is by steganography, which is hiding data inside another data, so when viewed without any specialized application, the hidden data remains obscured.

b) Another is integrity. This verifies that data has not been changed through accidental or unauthorized means. The best way of providing integrity is through hashing algorithms such as MD5, SHA-1 & HMAC. A hash is what you have when you apply a hashing algorithm to data (file, message, etc). By comparing this hash at different times you can determine if the data has been modified.
Non-repudiation prevents entities from denying they took an action. A use case of this is in digital signatures, which can also provide authentication and integrity for email clients. Digital signatures need certificates to function.

C) Availability ensures that data and services are accessible when needed. It eliminates SPOF (single point of failure) by adding fault tolerance, redundancies, failover clusters, load balancing, backups, virtualization, HVAC systems, and generators.

2) Basic Risks Concepts
Risk the likelihood (probability) that a threat (something that has the potential to compromise CIA) will exploit (make use of) a vulnerability (weakness) leading to a loss of either confidentiality, integrity or availability. Risk mitigation either reduces the chances of a threat exploiting a vulnerability or the impact of the risk by using security controls.

3) Security Controls
They can be categorized as technical, administrative or physical.
a) Technical controls are implemented using technology, examples are encryption, IDS, firewall, antivirus, the principle of least privilege.
b) Administrative controls have to do with administrative practices such as risk and vulnerability assessments, change management, security awareness programs, and configuration management.
c) physical controls include any kind of control that you can touch, examples are security guards, fences, lights, signs etc.
While control goals are preventive controls which attempt to prevent security incidents, examples are Hardening systems, security guards, change management processes, account disablement policies etc. Detective controls which try to detect when a vulnerability had been exploited, examples are IDS, log monitoring, trend analysis, motion detection systems, video surveillance systems, periodic review of user rights, etc. Corrective controls try to reverse the impact of an incident after it has happened. Examples include IPS, Backups and system recovery plans. Deterrent controls try to prevent incidents by discouraging threats, most are similar to preventive controls. Examples are cable locks, hardware locks etc. Compensating controls are used when the primary control is unavailable.

4) Virtualization
This allows multiple containerized applications or operating systems on a single host, they have features which boost availability such as snapshots and easy restoration. There is Type 1 hypervisor also called bare metal which runs directly on the system hardware and Type 2 hypervisor which runs as software within a host operating system. Container Virtualization is a specialized version of Type 2 hypervisor, it allows services or applications to run within isolated cells or containers using the kernel of the host. They are useful when testing security controls as they provide snapshots which capture the state of the VM at any time, hence they can easily be reverted to a previous stable state. VM sprawl can occur due to poor management and VM escape allows an attacker to access a host from a VM, to safeguard against this always make sure hosts and VMs have current patches installed.

5) Command Line Tools
These are typically run in a command prompt for windows or a terminal for Linux.
a) Ping can be used to determine network connectivity, name resolution and verify that routers, firewalls, and IPS block ICMP packets.
b) ipconfig (windows)/ifconfig (Linux) on windows allows you to view configuration of network interfaces while on Linux you can manipulate the network interface such as setting it to promiscuous mode.
c) Netstat allows you to view current active connections to a host and other TCP/IP statistics. This can be helpful if you suspect malware is making a host connect with a remote computer.
d) Tracert (windows)/Traceroute (Linux) list the routers or number of hops between systems. It can also be used to verify that a path has not been modified.
e) APR command allows you to view and modify a hosts ARP cache. This can aid analysis especially when you suspect a hosts ARP cache has been changed during an attack.

No comments

Powered by Blogger.