Security+ Week 3


CompTIA Security+

SY0-701

Attention Attendees:
Remember to type your messages to all panellists and attendees
Course Structure

Week / Module 1
Introduction & Security Fundamentals

Week / Module 2
Compliance & Operational Security

Week / Module 3
Threats & Vulnerabilities

Week / Module 4
Application, Data & Host Security

Lab Prep
Download Parrot Sec (Security Edition) from https://www.parrotsec.org/download/
I use VirtualBox, but there are other options.
Vulnerability Management
Device & OS Vulnerabilities
Operating System Vulnerabilities
Vulnerabilities in an OS can lead to significant problems when successfully exploited
• Microsoft Windows Client and Server
• Apple macOS
• Linux
• Android
• iOS

Vulnerability Types
• Legacy Systems
• End-of-Life (EOL) Systems
• Firmware Vulnerabilities
• Virtualization Vulnerabilities
• Application Vulnerabilities

Zero-Day Vulnerabilities
• Previously unknown software or hardware flaws
• Developers have "zero days" to fix once the vulnerability becomes known
• Traditional security measures like antivirus and firewalls are often ineffective
• Zero-day vulnerabilities have significant financial value
• Adversaries generally use a zero-day vulnerability against high-value targets

Misconfiguration Vulnerabilities
Common cause of security vulnerabilities
• Default configurations
• Hardware/devices
• Software
• Cloud services
• Using search engine results to solve technical problems

Cryptographic Vulnerabilities
Cryptography forms the backbone of secure communication
• Weaknesses in cryptographic systems, protocols, or algorithms
• Methods no longer deemed secure
• Weak keys
• Misconfigured cipher suites
• Improperly protected keys

Sideloading, Rooting, and Jailbreaking
Rooting and jailbreaking are methods used to gain elevated privileges on mobile devices
• Rooting - gaining root access or administrative privileges on an Android device
• Jailbreaking - gaining full access to an iOS device (iPhone or iPad)
• Sideloading - installing applications from sources other than the official app store
• F-Droid
• Android APK (Android Application Package) files

Vulnerability Management
Application and Cloud Vulnerabilities
Application Vulnerabilities

• Race Condition
• Time-of-check to time-of-use (TOCTOU)
• Memory Injection
• Buffer Overflow
• Type-Safe Programming Languages
• Malicious Update

When executed normally, a function returns control to the calling function. If the
code is vulnerable, an attacker can pass malicious data to the function, overflow a
buffer on the stack, and run arbitrary code to gain a shell on the target system.
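To make the stack buffer overflow above concrete, here is an added example (not from the slides) showing an unchecked copy into a fixed-size stack buffer next to a hardened version that measures the input first and refuses anything that does not fit. The function names, the 16-byte buffer size and the inputs are constructed for illustration; the unsafe function is present only for contrast and is never called with oversized input. Compiler mitigations such as stack canaries (e.g. gcc's -fstack-protector) reduce the impact of the unsafe form, but the bounds check is the actual fix.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size stack buffer used by both versions */

/* Vulnerable form. strcpy() copies until it finds the input's NUL terminator
 * and never looks at the size of the destination, so input longer than
 * NAME_LEN - 1 bytes writes past 'name' into neighbouring stack data,
 * including the saved return address the function needs to hand control
 * back to its caller. Kept only for contrast; never called with long input. */
int greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bounds check */
    printf("Hello, %s\n", name);
    return 0;
}

/* Hardened form. Measure the input with an upper bound before copying and
 * refuse anything that does not fit with room for the terminator.
 * Returns 0 when the greeting was printed, -1 when the input was rejected. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    size_t len = 0;

    /* bounded scan: stop at NAME_LEN even if no terminator has been seen yet */
    while (len < NAME_LEN && input[len] != '\0')
        len++;
    if (len >= NAME_LEN) {
        fprintf(stderr, "rejected: input exceeds %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    memcpy(name, input, len);
    name[len] = '\0';
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* constructed inputs: one that fits and one 40-byte string that does not */
    greet_safe("Alice");
    greet_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    (void)greet_unsafe;   /* referenced only; see the comment above */
    return 0;
}
```

The check rejects at exactly NAME_LEN bytes because one byte must be reserved for the terminator; an off-by-one here is the classic way a "fixed" function stays vulnerable.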

Evaluation Scope
• Scope refers to the product, system, or service being analyzed for potential security vulnerabilities
• Practices
• Security Testing
• Documentation Review
• Source Code Analysis
• Configuration Assessment
• Cryptographic Analysis
• Compliance Verification
• Security Architecture Review
Web Application Attacks
• Specifically target applications accessible over the Internet
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL Injection (SQLi)

Cloud-based Application Attacks
• Target applications hosted on cloud platforms
• Exploit potential vulnerabilities within the hosted applications
• Exploit cloud infrastructure the applications run on
• Cloud as an attack platform
• Cloud Access Security Brokers

Vulnerability Management
Vulnerability Identification Methods
Vulnerability Scanning
• Cornerstone of modern cybersecurity practices
• Focused on identifying, classifying, remediating, and mitigating vulnerabilities
• Helps to locate and identify misconfigurations

Greenbone OpenVAS vulnerability scanner with Security Assistant web application interface as installed on Kali Linux. (Screenshot used with permission from Greenbone Networks, http://www.openvas.org.)

Vulnerability Scanning (cont'd)
• Network Vulnerability Scanners
• Tenable Nessus
• OpenVAS
• Credentialed and Non-Credentialed Scans
• Application and Web Application Scanners
• Package Monitoring

Configuring credentials for use in target (scope) definitions in Greenbone OpenVAS as installed on Kali Linux. (Screenshot used with permission from Greenbone Networks, http://www.openvas.org.)

Threat Feeds
• Real-time, continuously updated sources of information about potential threats and vulnerabilities
• Provide timely information and context about new threats

IBM X-Force Exchange threat intelligence portal. (Image copyright 2019 IBM Security exchange.xforce.ibmcloud.com.)

Threat Feeds
• Open-source and proprietary threat feeds
• IBM X-Force Exchange
• Mandiant's FireEye
• Recorded Future
• Proofpoint Emerging Threats
• Abuse.ch
• Information-Sharing Organizations
• Information Sharing and Analysis Centers (ISACs)
• Open-Source Intelligence
• Search engines, blogs, forums, social media platforms, and the dark web

Deep and Dark Web
• Deep Web
• Any part of the World Wide Web that is not indexed by a search engine
• Dark Net
• A network established as an overlay to Internet infrastructure, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage
• Dark Web
• Sites, content, and services accessible only over a dark net

Using the TOR browser to view the AlphaBay market, now closed by law enforcement. (Screenshot used with permission from Security Onion.)

Other Vulnerability Assessment Methods

• Penetration Testing
• Unknown environment (previously black box) testing
• Known environment (previously white box) testing
• Partially known environment (previously gray box) testing
• Bug Bounties
• Auditing

Vulnerability Management
Vulnerability Analysis and Remediation
Common Vulnerabilities and Exposures
• Vulnerability Feeds
• National Vulnerability Database (NVD)
• Security Content Automation Protocol (SCAP)
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)

CVSS Score   Description
0.1+         Low
4.0+         Medium
7.0+         High
9.0+         Critical

False Positives, False Negatives, and Log Review
• False Positive
• Scanner or another assessment tool incorrectly identifies a vulnerability
• False Negative
• Vulnerabilities that go undetected in a scan
• Validate vulnerability reports by examining logs

Indicators of Malicious Activity
Malware Attack Indicators
Malware Classification
• Classification by vector or infection method
• Viruses and worms
• Spread within code without authorization
• Trojans
• A malicious program concealed within a benign one
• Potentially unwanted programs/applications (PUPs/PUAs)
• Pre-installed "bloatware" or installed alongside another app
• Not completely concealed, but installation may be covert
• Also called grayware
• Classification by payload

Computer Viruses
• Rely on some sort of host file or media delivery vector
• Non-resident/file infector
• Memory resident
• Boot
• Script/macro

Computer Worms and Fileless Malware
• Early computer worms
• Propagate in memory/over network links
• Consume bandwidth and crash processes
• Fileless malware
• Exploiting remote execution and memory residence to deliver payloads
• May run from an initial script or Trojan
• Persistence via the registry
• Use of shellcode to create backdoors and download additional tools
• "Living off the land" exploitation of built-in scripting tools
• Advanced persistent threat (APT)/advanced volatile threat (AVT)/low observable characteristics (LOC)
Ransomware, Crypto-Malware and Logic Bombs
• Ransomware
• Nuisance (lock out user by replacing shell)
• Crypto-malware
• High impact ransomware (encrypt data files or drives)
• Cryptomining/cryptojacking
• Hijack resources to mine cryptocurrency
• Logic bombs

TTPs and IoCs
• Signature detection by anti-virus often ineffective
• Tactics, Techniques, and Procedures (TTPs)
• Indicators of Compromise (IoCs)
• Documented and published TTPs and IoCs
• MITRE ATT&CK
• Pattern-matching via artificial intelligence (AI) systems

Indicators of Malicious Activity
Physical and Network Attack Indicators
Physical Attacks
• Brute force
• Physical denial of service
• Breaking into premises/cabinets
• Environmental
• RFID cloning and skimming
• Radio Frequency Identification (RFID) and Near-field Communication (NFC)
• Contactless cards, badges, and fobs
• Static tokens versus cryptoprocessors

Network Attacks
• Reconnaissance and credential harvesting
• Denial of service
• Weaponization/delivery/breach
• Command and control (C2 or C&C), beaconing, and persistence
• Lateral movement, pivoting, and privilege escalation
• Data exfiltration

Distributed Denial of Service Attacks
• Leverage bandwidth from compromised hosts/networks
• Handlers form a command and control (C&C) network
• Compromised hosts have bots installed that can run automated scripts
• Co-ordinated by the C&C network as a botnet
• Overwhelm with superior bandwidth (number of bots)
• Consume resources with spoofed session requests (SYN flood)

Domain Name System Attacks
• Attacks on public DNS services
• Typosquatting, DRDoS, and hijacking
• DNS poisoning
• DNS-based on-path attacks
• Get client to use malicious resolver
• DNS client cache poisoning
• HOSTS file
• DNS server cache poisoning
• DNS attack indicators

Wireless Attacks
• Rogue access points
• Non-malicious backdoors
• Evil twins masquerade as legitimate AP
• Launch on-path attacks
• Indicators and detection
• Wireless denial of service
• Jamming and disassociation
• Wireless replay and key recovery

Password Attacks
• Online password attack
• Adversary interacts with authentication service
• Offline attacks
• Password database
• Hash transmitted directly
• Hash used as key to sign an HMAC
• Brute force attack
• Dictionary and hybrid attacks
• Password spraying
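Online attacks such as brute force and password spraying leave a trail in the authentication service's logs, and the two have different shapes: brute force is many failures against one account, spraying is one or two failures against many accounts (to stay under lockout thresholds). The following added example (not from the slides) tallies constructed failed-login events per source address and classifies each source by those two shapes. The record layout, the thresholds of five accounts or five attempts, and the RFC 5737 documentation addresses are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* One failed authentication event: source address and the account tried.
 * The SAMPLE array below is constructed for this example; it stands in for
 * failure lines pulled from an authentication log. */
struct auth_fail { const char *src; const char *user; };

static const struct auth_fail SAMPLE[] = {
    /* one source, many accounts, one attempt each: spraying pattern */
    {"203.0.113.9", "alice"}, {"203.0.113.9", "bob"},  {"203.0.113.9", "carol"},
    {"203.0.113.9", "dave"},  {"203.0.113.9", "erin"}, {"203.0.113.9", "frank"},
    /* one source, one account, many attempts: brute-force pattern */
    {"198.51.100.4", "admin"}, {"198.51.100.4", "admin"}, {"198.51.100.4", "admin"},
    {"198.51.100.4", "admin"}, {"198.51.100.4", "admin"}, {"198.51.100.4", "admin"},
    /* one user mistyping their own password twice: benign */
    {"192.0.2.77", "grace"}, {"192.0.2.77", "grace"},
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

#define MAX_USERS       64  /* distinct accounts tracked per source */
#define SPRAY_MIN_USERS 5   /* assumed threshold: distinct accounts from one source */
#define BRUTE_MIN_TRIES 5   /* assumed threshold: failures on one account from one source */

enum verdict { BENIGN = 0, BRUTE_FORCE = 1, SPRAYING = 2 };

/* Tally failures from one source by account, then classify: many accounts
 * with few tries each looks like spraying; many tries against one account
 * looks like brute force. Anything under both thresholds is left as benign. */
enum verdict classify_source(const struct auth_fail *ev, size_t n, const char *src)
{
    const char *users[MAX_USERS];
    int tries[MAX_USERS];
    size_t distinct = 0;
    int max_tries = 0;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].src, src) != 0)
            continue;
        size_t j;
        for (j = 0; j < distinct; j++)
            if (strcmp(users[j], ev[i].user) == 0)
                break;
        if (j == distinct) {               /* first failure seen for this account */
            if (distinct == MAX_USERS)
                continue;                  /* table full: skip rather than overflow */
            users[distinct] = ev[i].user;
            tries[distinct] = 0;
            distinct++;
        }
        tries[j]++;
        if (tries[j] > max_tries)
            max_tries = tries[j];
    }
    if (distinct >= SPRAY_MIN_USERS)
        return SPRAYING;
    if (max_tries >= BRUTE_MIN_TRIES)
        return BRUTE_FORCE;
    return BENIGN;
}

int main(void)
{
    static const char *const labels[] = { "benign", "brute force", "password spraying" };
    const char *sources[] = { "203.0.113.9", "198.51.100.4", "192.0.2.77" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s %s\n", sources[i],
               labels[classify_source(SAMPLE, SAMPLE_N, sources[i])]);
    return 0;
}
```

In a real deployment the per-account lockout threshold is exactly what a sprayer is tuned to stay under, which is why the spraying rule counts distinct accounts per source rather than attempts per account; a time window would be added so that a day of ordinary typos is not mistaken for a slow spray.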

Lab
Vulnerability Scan
- Go to www.tenable.com/downloads/nessus
- Run sudo dpkg -i Nessus-10.7.4-ubuntu404_amd64.deb
- Run /bin/systemctl start nessusd.service
Social Engineering Toolkit
Questions
