Beruflich Dokumente
Kultur Dokumente
PROJECT TEAM
DISCLAIMER
While CompTIA, Inc. takes care to ensure the accuracy and quality of these materials, we cannot
guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but
not limited to, the implied warranties of merchantability or fitness for a particular purpose. The use of
screenshots, photographs of another entity's products, or another entity's product name or service in this
book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement
of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links to sites
on the Internet that are owned and operated by third parties (the "External Sites"). CompTIA is not
responsible for the availability of, or the content located on or through, any External Site. Please contact
CompTIA if you have any concerns regarding such links or External Sites.
TRADEMARK NOTICES
CompTIA®, Comp TIA® Security+® and the CompTIA logo are registered trademarks of CompTIA, Inc.,
in the U.S. and other countries. All other product and service names used may be common law or
registered trademarks of their respective proprietors.
COPYRIGHT NOTICE
Copyright © 2018 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the
property of the software proprietor. Except as permitted under the Copyright Act of 1976, no part of this
publication may be reproduced or distributed in any form or by any means, or stored in a database or
retrieval system, without the prior written permission CompTIA, 3500 Lacey Road, Suite 100, Downers
Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or
licensing of such software or other products is the responsibility of the user according to terms and
conditions of the owner. If you believe that this book, related materials, or any other CompTIA materials
are being reproduced or transmitted without permission, please call 1-866-835-8020 or
www.help.comptia.org.
Table of Contents Table of Contents
Course Introduction i
Module 1 / Unit 1
Indicators of Compromise 3
Module 1 / Unit 2
Critical Security Controls 30
Module 1 / Unit 3
Security Posture Assessment Tools 49
Module 1 / Unit 4
Incident Response 68
Module 1 / Summary
Threats, Attacks, and Vulnerabilities 78 Page iii
Table of Contents Module 2 / Identity and Access Management 79
Module 2 / Unit 1
Cryptography 83
Module 2 / Unit 2
Public Key Infrastructure 107
Module 2 / Unit 3
Identification and Authentication 129
Module 2 / Unit 4
Identity and Access Services 157
Module 2 / Unit 5
Account Management 170
Module 2 / Summary
Identity and Access Management 195
Module 3 / Unit 1
Secure Network Design 199
Module 3 / Unit 2
Firewalls and Load Balancers 229
Module 3 / Unit 3
IDS and SIEM 248
Module 3 / Unit 4
Secure Wireless Access 270
Module 3 / Unit 5
Physical Security Controls 291
Module 3 / Summary
Architecture and Design 1 309
Module 4 / Unit 1
Secure Protocols and Services 313
Module 4 / Unit 2
Secure Remote Access 344
Module 4 / Unit 3
Secure Systems Design 361
Module 4 / Unit 4
Secure Mobile Device Services 388
Module 4 / Unit 5
Secure Virtualization and Cloud Services 405
Page vi
Virtualization Technologies ........................................................................406 Table of Contents
Virtualization Security Best Practices .........................................................409
Cloud Computing .......................................................................................413
Cloud Security Best Practices ....................................................................417
Module 4 / Summary
Architecture and Design 2 420
Module 5 / Unit 1
Forensics 426
Module 5 / Unit 2
Disaster Recovery and Resiliency 437
Module 5 / Unit 3
Risk Management 455
Module 5 / Unit 4
Secure Application Development 468
Module 5 / Unit 5
Organizational Security 488
Glossary 544
Index 564
Page viii
About This Course About This Course
This course is intended for those wishing to qualify with CompTIA Security+.
The CompTIA Security+ exam will certify the successful candidate has the
knowledge and skills required to install and configure systems to secure
applications, networks, and devices; perform threat analysis and respond
with appropriate mitigation techniques; participate in risk mitigation activities;
and operate with an awareness of applicable policies, laws, and regulations.
Course Outcomes
This course will teach you the fundamental principles of installing and
configuring cybersecurity controls and participating in incident response and risk
mitigation. It will prepare you to take the CompTIA Security+ SY0-501 exam by
providing 100% coverage of the objectives and content examples listed on the
syllabus. Study of the course can also help to build the prerequisites to study
more advanced IT security qualifications, such as CompTIA Cybersecurity
Analyst (CSA)+, CompTIA Advanced Security Practitioner (CASP), and ISC’s
CISSP (Certified Information Systems Security Professional).
■ Describe the standards and products used to enforce security on web and
communications technologies.
To get started with this course, you should have successfully completed
“CompTIA Network+ Study Guide" course and obtained Network+ certification,
and / or have around 24 months' experience of networking support or IT
administration. It is not necessary that you pass the Network+ exam before
completing Security+ certification, but it is recommended.
■ Use Windows Server OS to create and manage files and use basic
administrative features (Explorer, Control Panel, Server Manager, and
Management Consoles).
Page x
This course is divided into five modules, each covering a different subject area: About This Course
Each module starts with a list of the CompTIA domain objectives and content
examples that will be covered in each unit.
At the back of the book there is an index to help you look up key terms and
concepts from the course and a glossary of terms and concepts used.
The following symbols are used to indicate different features in the course
book:
Icon Meaning
A tip or warning about a feature or topic.
When you have completed your first read through, you should make a study
plan. For your study plan, keep in mind the following things:
■ How much time you have to study each day or each week. Page xi
About This Course ■ When you want to (or have to) become CompTIA Security+ Certified.
In your study plan, you'll identify how much time you want to spend on each
unit and when you're going to sit down and do that study. We recommend that
you study no more than one or two units per day. Studying a unit means
reading it closely, making notes about things that come to mind as you read,
using the glossary to look up terms you do not understand, then using the
review questions to test and reinforce what you have learned.
Only you can decide how long you need to study for in total. Security+
Certification is supposed to represent the knowledge and skills of someone
with 24 months of practical network security administrative experience. If you
cannot get that experience, you will need to do a corresponding amount of
study to make up.
You also need to think about where you are going to study. You need to find
somewhere comfortable and where you are not subject to interruptions or
distractions. You will also need a computer or tablet with an Internet
connection for the review and practical activities.
Page xii
About CompTIA Certifications About CompTIA
Certifications
CompTIA offers a number of credentials that form a foundation for your career in
technology and allow you to pursue specific areas of expertise. Depending on
the path you choose to take, CompTIA certifications help you build upon your
skills and knowledge, supporting learning throughout your entire career.
Page xiv
Module 1 / Threats, Attacks, and Threats, Attacks, and
Vulnerabilities
Vulnerabilities
Threats, Attacks, and Vulnerabilities
CompTIA Security+ Certification Domain Areas Weighting
1.0 Threats, Attacks, and Vulnerabilities 21%
2.0 Technologies and Tools 22%
3.0 Architecture and Design 15%
4.0 Identity and Access Management 16%
5.0 Risk Management 14%
6.0 Cryptography and PKI 12%
Page 1
Module 1 / Unit 1
Refer To Domain Objectives / Examples
Unit 1.2 / Critical 3.1 Explain use cases and purpose for frameworks,
Security best practices and secure configuration guides
Controls Industry-standard frameworks and reference architectures
{Regulatory • Non-regulatory • National vs. international •
Industry-specific frameworks} • Benchmarks / secure
configuration guides {Platform / vendor-specific guides
(Web server, Operating system, Application server,
Network infrastructure devices) • General purpose guides}
• Defense-in-depth / layered security {Vendor diversity •
Control diversity (Administrative, Technical) • User
training}
5.3 Explain risk management processes and concepts
Testing (Penetration testing authorization, Vulnerability
testing authorization)
5.7 Compare and contrast various types of controls
Deterrent • Preventive • Detective • Corrective •
Compensating • Technical • Administrative • Physical
Unit 1.3 / 2.2 Given a scenario, use appropriate software tools
Security Posture to assess the security posture of an organization
Assessment Protocol analyzer • Network scanners (Rogue system
Tools detection, Network mapping) • Wireless scanners / cracker
• Steganography tools • Honeypot • Banner grabbing •
Command line tools (ping • netstat • tracert • nslookup /
dig • arp • ipconfig / ip / ifconfig • tcpdump • Nmap • netcat)
Unit 1.4 / 5.4 Given a scenario, follow incident response
Incident procedures
Response Incident response plan {Documented incident types /
category definitions • Roles and responsibilities •
Reporting requirements / escalation • Cyber incident
response teams • Exercise} • Incident response process
{Preparation • Identification • Containment • Eradication •
Recovery • Lessons learned}
Page 2
Module 1 / Unit 1 Indicators of Compromise
Indicators of Compromise
Objectives
On completion of this unit, you will be able to:
Page 3
Module 1 / Unit 1
Why is Security Important?
Assets
Security is not an end in itself; businesses do not make money by being
secure. Rather, security protects the assets of a company. Assets are usually
classified in the following ways:
Most assets have a specific value associated with them (the market value),
which is the price that could be obtained if the asset were to be offered for
sale. In terms of security however, assets must be valued according to the
liabilities that the loss or damage of the asset would create:
■ Legal - these are responsibilities in civil and criminal law. Security incidents
could make an organization liable to prosecution (criminal law) or for
damages (civil law). An organization may also be liable to professional
standards, codes, and regulations.
Page 4
Why Is Data Important? Indicators of Compromise
All of the systems used to store, transmit, and process data must demonstrate
the properties of security. Secure information has three properties, often Page 5
referred to by the "CIA Triad":
Module 1 / Unit 1 ■ Confidentiality - means that certain information should only be known to
certain people.
■ Integrity - means that the data is stored and transferred as intended and
that any modification is authorized.
Some security models and researchers identify other properties that secure
systems should exhibit. The most important of these is non-repudiation. Non-
repudiation means that a subject cannot deny doing something, such as
creating, modifying, or sending a resource. For example, a legal document
such as a will must usually be witnessed when it is signed. If there is a dispute
about whether the document was correctly executed, the witness can provide
evidence that it was.
Security Policy
2) The next step is to analyze risks to security within the organization. Risks
are components, processes, situations, or events that could cause the loss,
damage, destruction, or theft of data or materials.
3) Having identified risks, the next step is to implement controls that detect
and prevent losses and procedures that enable the organization to
recover from losses (or other disasters) with a minimum of interruption to
business continuity.
4) The "final" step in the process is to review, test, and update procedures
continually. An organization must ensure continued compliance with its
security policy and the relevance of that policy to new and changing risks.
Page 6
Information Security Roles and Responsibilities Indicators of Compromise
■ Non-technical staff have the responsibility of complying with policy and with
any relevant legislation.
■ External responsibility for security (due care or liability) lies mainly with
directors or owners, though again it is important to note that all employees
share some measure of responsibility.
■ Set up and maintain document access control and user privilege profiles.
■ Monitor audit logs and review user privileges and document access
controls.
■ Create and test business continuity and disaster recovery plans and
procedures.
Page 7
■ Participate in security training and education programs.
Module 1 / Unit 1 Vulnerability, Threat, and Risk
NIST uses the following definitions of vulnerability, threat, risk, and control:
Page 8
The Lone Hacker Indicators of Compromise
Organized Crime
In many countries cybercrime is starting to overtake physical crime both in
terms of number of incidents and losses. Organized crime can operate across
the Internet from different jurisdictions to their victims, increasing the
complexity of prosecutions. Organized crime will seek any opportunity for
criminal profit but typical activities are financial fraud (both against individuals
and companies) and blackmail.
Page 9
Module 1 / Unit 1
Researchers such as FireEye report on the activities of organized crime and nation state actors
Nation state actors will work at one remove from the state sponsoring and
protecting them. They are likely to pose as independent groups or even as
hacktivists.
Hacktivists
A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, is one using
cyber weapons to promote a political agenda. Hacktivists might attempt to
obtain and release confidential information to the public domain, perform
Denial of Service (DoS) attacks, or deface websites. Political, media, and
financial groups and companies are probably most at risk, but environmental
and animal advocacy groups may target companies in a wide range of
industries.
Competitors
Most competitor-driven espionage is thought to be pursued by nation-state
backed groups, but it is not inconceivable that a rogue business might use
cyber espionage against its competitors.
Page 10
Threats can be characterized as structured or unstructured (or targeted Indicators of Compromise
versus opportunistic) depending on the degree to which your own
organization is targeted specifically. For example, a criminal gang attempting to
steal customers' financial data is a structured, targeted threat; a script kiddie
launching some variant on the "I Love You" mail virus is an unstructured,
opportunistic threat. The degree to which any given organization will be
targeted by external threats depends largely on the value of its assets and the
quality of its security systems.
Again, the key point here is to identify likely motivations, such as employees
who might harbor grievances or those likely to perpetrate fraud. An employee
who plans and executes a campaign to modify invoices and divert funds is
launching a structured attack; an employee who tries to guess the password
on the salary database a couple of times, having noticed that the file is
available on the network, is perpetrating an opportunistic attack.
CERT identify the main motivators for insider threat as sabotage, financial
gain, and business advantage.
Another key point is that technical controls are less likely to be able to deter
structured insider threats, as insiders are more likely to be able to bypass
them. Implementing operational and management controls (especially secure
logging and auditing) is essential.
Page 11
Module 1 / Unit 1
There are several models for describing the general process of an attack on
systems security. These steps are often referred to as a kill chain, following
the influential white paper Intelligence-Driven Computer Network Defense
commissioned by Lockheed Martin.
■ Action on objectives - in this phase, the attacker typically uses the access
he has achieved to covertly copy information from target systems (data
exfiltration). An attacker may have other goals or motives however.
Page 12
■ Retreat - once the attacker has achieved his initial aims without being Indicators of Compromise
detected, he may either maintain an APT or seek to withdraw from the
network, removing any trace of his presence to frustrate any subsequent
attempt to identify the source of the attack.
MITRE's schema is not the only one. The company Mandiant were
instrumental in developing some of the language of threat
classification and sponsor the OpenIOC (openioc.org) framework of
Indicators of Compromise. The IETF has also created the Incident
Object Description Exchange Format (RFC 5070).
Page 13
Module 1 / Unit 1 The STIX architecture is built from the following components:
Threat Intelligence
Cyber-attacks become less effective when they are well-known so new threats
and exploits appear all the time. To keep up-to-date, you should monitor
websites and newsgroups. Some examples of threat intelligence feed
providers and sources for threat reports, alerts, and newsletters include:
■ Alien Vault
■ SecureWorks
■ FireEye
■ Symantec
■ Microsoft
■ DarkReading
Page 14 ■ SANS
Social Engineering Indicators of Compromise
Impersonation
Impersonation (pretending to be someone else) is one of the basic social
engineering techniques. The classic impersonation attack is for the social
engineer to phone into a department, claim they have to adjust something on
the user's system remotely, and get the user to reveal their password. For this
attack to succeed the approach must be convincing and persuasive.
Familiarity / Liking
Some people have the sort of natural charisma that allows them to persuade
others to do as they request. One of the basic tools of a social engineer is simply
to be affable and likable and to present the requests they make as completely
reasonable and unobjectionable. This approach is relatively low-risk as even if
the request is refused, it is less likely to cause suspicion and the social engineer
may be able to move on to a different target without being detected.
A social engineering attack can use this instinct either to persuade the target
that to refuse a request would be odd ("That's not something anyone else has
ever said no to") or to exploit polite behavior (see "Tailgating" below).
Page 15
Module 1 / Unit 1 Authority and Intimidation
Many people find it difficult to refuse a request by someone they perceive as
superior in rank or expertise. Social engineers can try to exploit this behavior to
intimidate their target by pretending to be someone senior. An attack might be
launched by impersonating someone who would often be deferred to, such as
a police officer, judge, or doctor. Another technique is using spurious technical
arguments and jargon. Social engineering can exploit the fact that few people
are willing to admit ignorance. Compared to using a familiarity / liking sort of
approach, this sort of adversarial tactic might be more risky to the attacker as
there is a greater chance of arousing suspicion and the target reporting the
attack attempt.
Shoulder Surfing
Shoulder surfing refers to stealing a password or PIN (or other secure
information) by watching the user type it. Despite the name the attacker may
not have to be in close proximity to the target - they could use high-power
binoculars or CCTV to directly observe the target remotely.
Page 16
Lunchtime Attack Indicators of Compromise
Tailgating
Tailgating (or piggybacking) is a means of entering a secure area without
authorization by following close behind the person that has been allowed to
open the door or checkpoint. This might be done without the target's
knowledge or may be a means of an insider to allow access to someone
without recording it in the building's entry log.
Phishing
Example phishing email - on the left you can see the message in its "true" form as the mail client
has stripped out the formatting (shown on the right) designed to disguise the nature of the links
(note that for the avoidance of doubt the highly reputable software firm Sage UK have nothing to
do with this message)
See Unit 5.4 for more information on web browser and application
security.
Hoaxes
Hoax security alerts are another common phishing technique. An email alert or
web pop-up will claim to have identified some sort of security problem, such as
virus infection, and offer a tool to fix the problem. The tool of course will be
some sort of Trojan application. Criminals will also use sophisticated phone call
scams to try to trick users into revealing log in credentials or financial account
details.
Vishing
While email is one of the most common vectors for phishing attacks, any type
of electronic communication without a secure authentication method is
vulnerable. Vishing describes a phishing attack conducted through a voice
channel (telephone or VoIP for instance). For example, targets could be called
by someone purporting to represent their bank asking them to verify a recent
credit card transaction and requesting their security details. It can be much
more difficult for someone to refuse a request made in a phone call compared
to one made in an email.
Similarly SMiShing refers to fraudulent SMS texts. Other vectors could include
instant messaging or social networking sites.
Page 18
Pharming Indicators of Compromise
■ Train employees to identify phishing and pharming style attacks plus new
styles of attack as they develop in the future.
See Unit 5.5 for more information on security policies. These can
be used to inform and guide users.
Page 19
Module 1 / Unit 1
Malware Types
Computer Viruses
Computer viruses are programs designed to replicate and spread from
computer to computer, usually by "infecting" executable applications or program
code. There are several different types of virus and they are generally classified
by the different ways they can infect the computer (the vector). For example:
■ Boot sector viruses - attack the disk boot sector information, the partition
table, and sometimes the file system.
■ Multipartite viruses - these use both boot sector and executable file
infection methods of propagation.
What these types of viruses have in common is that they must infect a host file.
That file can be distributed through any normal means - on a disk, on a
network, or as an attachment through an email or instant messaging system.
Email attachment viruses (usually program or macro viruses in an attached file)
often use the infected host's electronic address book to spoof the sender's
address when replicating. For example, Alice's computer is infected with a
virus and has Bob's email address in her address book. When Carlos gets an
infected email apparently sent by Bob, it is the virus on Alice's computer that
has sent the message.
Page 20
Indicators of Compromise
Unsafe attachment detected by Outlook's mail filter - the "double" file extension is an
unsophisticated attempt to fool any user not already alerted by the use of both English and
German in the message text
Viruses are also categorized by their virulence. Some viruses are virulent
because they exploit a previously unknown system vulnerability (a "zero day"
exploit); others employ particularly effective social engineering techniques to
persuade users to open the infected file (an infected email attachment with the
subject "I Love You" being one of the best examples of the breed).
Worms
Worms are memory-resident viruses that replicate over network resources. A
worm is self-contained; that is, it does not need to attach itself to another
executable file. They typically target some sort of vulnerability in an application,
such as a database server or web browser. The primary effect of a worm
infestation is to rapidly consume network bandwidth as the worm replicates. A
worm may also be able to crash an operating system or server application
(performing a Denial of Service attack). Also, like viruses, worms can carry a
payload that may perform some other malicious action (such as installing a
backdoor).
Logic Bombs
Some viruses do not trigger automatically. Having infected a system, they wait for
a preconfigured time or date (time bomb) or system or user event (logic bomb).
Logic bombs need not be viruses; a typical example is a system administrator
bearing a grudge leaving a scripted trap that runs in the event of their account
being deleted or disabled. Anti-virus software is unlikely to detect this kind of
Page 21
malicious script or program. This type of trap is also referred to as a mine.
Module 1 / Unit 1
Trojans and Spyware
Modern types of malware are not produced with the sole goal of self-replicating
and crashing a host or network. Modern malware provides sophisticated tools
to allow an adversary to gain control over a computer system and achieve his
or her action on objectives.
The attacker must establish some means of secretly communicating with the
compromised machine (a covert channel). This means that the RAT must
establish a connection from the compromised host to a Command and
Control (C2 or C&C) host or network operated by the attacker. This network
connection is usually the best way to identify the presence of a RAT.
Page 22
Backdoors Indicators of Compromise
In this context, RAT can also stand for Remote Administration Tool.
Actual Keylogger - Windows software that can run in the background to monitor different kinds of
computer activity (opening and closing programs, browsing websites, recording keystrokes, and
capturing screenshots [actualkeylogger.com])
Page 23
Module 1 / Unit 1 Adware is any type of software or browser plug-in that displays commercial
offers and deals. Some adware may exhibit spyware-like behavior however, by
tracking the websites a user visits and displaying targeted ads for instance.
As well as the intrusive aspects, adware and spyware can have a negative
impact on performance and system stability.
Rootkits
Many Trojans cannot conceal their presence entirely and will show up as a
running service. Often the service name is configured to be similar to a
genuine process to avoid detection. For example, a Trojan may use the
filename "run32d11" to masquerade as "run32dll". To ensure persistence
(running when the computer is restarted) the Trojan may have to use a
Registry entry, which can usually be detected fairly easily.
There are also examples of rootkits that can reside in firmware (either the
computer firmware or the firmware of any sort of adapter card, hard drive,
removable drive, or peripheral device). These can survive any attempt to
remove the rootkit by formatting the drive and reinstalling the OS. For example,
the US intelligence agencies have developed DarkMatter and QuarkMatter EFI
rootkits targeting the firmware on Apple Macbook laptops.
Page 24
Ransomware / Crypto-malware Indicators of Compromise
Ransomware is a type of malware that tries to extort money from the victim.
One class of ransomware will display threatening messages, such as requiring
Windows to be reactivated or suggesting that the computer has been locked by
the police because it was used to view child pornography or for terrorism. This
may block access to the computer by installing a different shell program but
this sort of attack is usually relatively trivial to fix.
Page 25
Module 1 / Unit 1
Open Source Intelligence
Most companies and the individuals that work for them publish a huge amount
of information about themselves on the web and on social media sites. Some
of this information is published intentionally; quite a lot is released
unintentionally or can be exploited in ways that the company or individual could
not foresee. An attacker can "cyberstalk" his victim to discover information
about them via Google Search or by using other web or social media search
tools.
Email Harvesting
The general purpose of email harvesting is to identify who works at a
company. Most companies use real names for email addresses. This makes it
possible for the attacker to identify social media or personal web accounts
operated by an employee and from there try to identify an exploit.
An attacker will also want to try to match email addresses to job roles. In many
circumstances a company may just publish information about senior staff and
their job roles on its website or in promotional material such as a shares
prospectus or the information filed with regulatory authorities (the SEC's Edgar
database for instance).
Even without private access, an unwary user might have made a large amount
of information about themselves publicly available, especially on a business
networking site such as LinkedIn. Social media analytics and OSINT software
(such as pipl.com, peekyou.com or echosec.net) can aggregate and process
the metadata from multiple sites to build up surprisingly detailed pictures of
user's interests and even their habits and geographic location at a particular
point in time.
pipl.com
Page 27
Module 1 / Unit 1 The Deep Web and Dark Web
Cyber threat actor types such as organized crime and hacktivists need to be
able to exchange information beyond the reach of law enforcement.
The deep web is any part of the World Wide Web that is not indexed by a
search engine. This includes pages that require registration, pages that block
search indexing, unlinked pages, pages using non-standard DNS, and content
encoded in a non-standard manner. Within the deep web however are areas
that are deliberately concealed from "regular" browser access:
■ Dark web - sites, content, and services accessible only over a dark net.
Using the TOR browser to view the AlphaBay market, now closed down by law enforcement
Page 28
Indicators of Compromise
3) What is a CISO?
5) True or false? Nation state actors primarily only pose a risk to other states.
6) In which stage of the "kill chain" does a threat actor first gain access to a
resource on the target network?
12) What is the difference between phishing, spear phishing, and whaling?
13) Why are backdoors and Trojans considered different types of malware?
Page 29