SY0-701 Security Operations Study Guide for the CompTIA Security+


General Information

This is study material for the CompTIA Security+ SY0-701 exam, which is the replacement for the old (retired as of July 31, 2024) CompTIA Security+ SY0-601 exam. Be sure that you are studying for the right test.

The CompTIA Security+ SY0-701 exam devotes between one-fourth and one-third of the questions (28%) to this security area, which makes sense because it covers the day-to-day occurrences in the security field. Also, nearly half of these questions begin with a scenario, so you really have to know how to “think on your feet” to answer them correctly.

Applying Security Techniques

Securing a networking environment encompasses a wide range of techniques, tools, and methods that can be applied to both physical and logical devices, systems, and processes. For the CompTIA Security+ exam, you will need to understand and apply different security techniques based on a given scenario.

Secure Baselines

A secure baseline is a minimum standard of security configurations that can be used as a starting point to create higher levels of security based on need.

Establish

The first step is establishing the baseline itself. Secure baselines are often based on industry standards, which are adjusted to meet regulations and organizational requirements.

Deploy

Once a secure baseline is established, it will need to be deployed across all applicable devices. Deployment of secure baselines can be accomplished manually or through configuration management tools.

Maintain

Once the secure baseline is deployed, it will need to be maintained by installing patches and updates, monitoring continued compliance, and updating the secure baseline as needed.
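The Maintain step above depends on detecting drift from the baseline after deployment. The following is an added example written for this guide (not from any vendor or configuration management tool) that compares constructed device settings against a constructed baseline; integer baseline values are treated as minimums, everything else must match exactly.

```python
"""Added example: checking deployed device settings against a secure baseline.
Illustrative code for this study guide; the baseline and device snapshots
below are constructed, not pulled from a real fleet."""

# Constructed secure baseline: the minimum every server must meet.
BASELINE = {
    "ssh_protocol_version": 2,
    "password_min_length": 14,   # integer: a minimum, stricter is fine
    "telnet_enabled": False,
    "auto_updates": True,
    "unused_ports_disabled": True,
}

# Constructed settings snapshot from two servers after deployment.
DEVICES = {
    "web-01": {
        "ssh_protocol_version": 2,
        "password_min_length": 16,   # exceeds the baseline minimum
        "telnet_enabled": False,
        "auto_updates": True,
        "unused_ports_disabled": True,
    },
    "db-02": {
        "ssh_protocol_version": 2,
        "password_min_length": 8,    # weaker than the baseline
        "telnet_enabled": True,      # legacy service re-enabled
        "auto_updates": True,
        # "unused_ports_disabled" is missing: the setting was never applied
    },
}


def meets(expected, actual):
    """Integers in the baseline are minimums; booleans and other values
    must match exactly. bool is excluded from the int branch on purpose."""
    if actual is None:
        return False
    if isinstance(expected, int) and not isinstance(expected, bool):
        return actual >= expected
    return actual == expected


def check_compliance(baseline, device_config):
    """Return (setting, expected, actual) for every deviation; a setting
    absent from the device is reported with actual=None."""
    return [(s, exp, device_config.get(s))
            for s, exp in baseline.items()
            if not meets(exp, device_config.get(s))]


def audit_fleet(baseline, devices):
    """Map each device name to its drift list; an empty list means compliant."""
    return {name: check_compliance(baseline, cfg) for name, cfg in devices.items()}
```

Running `audit_fleet(BASELINE, DEVICES)` reports web-01 as compliant and three deviations on db-02, which is the input a patching or ticketing workflow would act on.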

Hardening Targets

Creating a secure networking environment is accomplished by limiting the amount of access any device or user has. This is known as the principle of least privilege. It also involves layering security throughout the network, known as defense in depth (DiD). Hardening is the process of creating additional security by applying various physical and logical security techniques. These can be applied to primary networking devices, such as routers and switches, as well as endpoints, such as mobile devices and workstations. Endpoints, or devices peripherally attached to a network, are common targets for threat actors due to their inherent accessibility.

Test note: The following examples of hardening techniques are not exhaustive.

Mobile Devices

Mobile devices are commonly the most difficult to harden in an enterprise setting due to their portability and the necessity for user operability. Common mobile device hardening techniques include passwords, timely updates and patches, encryption, containerization, remote wipe capabilities, and controlled connectivity. Using a mobile device management (MDM) system is also recommended to ensure compliance and increase manageability.

Workstations

Workstations can be physically hardened through strategic device placement and physical access control, as well as through physical segmentation from the primary network. Logical hardening techniques for workstations include the use of password-protected screen locks, logical segmentation, firewalls, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), and secure protocols. The principle of least privilege is another logical technique (this is discussed in greater detail below).

Switches

Switches can be physically hardened using techniques similar to workstations, with particular attention to access control. Logical hardening techniques include installing patches and updates and disabling all unused ports, protocols, interfaces, and features. Switches can be monitored using security information and event management (SIEM) systems and logging.

Routers

Routers may be secured using the same physical and logical techniques as switches. Since they are responsible for communications with external networks, routers may have additional hardening techniques added such as employing virtual private networks (VPNs) and firewalls and managing user permissions.

Cloud Infrastructure

Techniques used to harden a cloud infrastructure may vary depending on the service model employed. For example, with software as a service (SaaS), the cloud provider is responsible for the majority of the cloud security, while with infrastructure as a service (IaaS), the user is primarily responsible. Techniques for hardening a cloud infrastructure are primarily logical and are similar to techniques used to harden physical networking devices such as routers, switches, and endpoints.

Servers

In addition to techniques used to harden routers and switches, servers containing sensitive data can be hardened through physical isolation, such as through air gapping.

Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA)

ICS and SCADA systems both provide an architecture that can control devices, collect data, communicate, monitor, and interface with highly complex systems and networks. ICS and SCADA systems are created for operability between numerous devices and are not typically built with security as the main concern, making hardening difficult. Understanding how data flows through the system is important when applying security solutions to prevent unintentional communication disruption. Isolating these systems is a method for hardening when traditional security solutions are impractical.

Embedded Systems

Embedded systems are increasingly common and may be found in implanted medical devices, smart devices, vehicles, and IoT devices. The first step in hardening embedded systems is identifying them and their unique vulnerabilities. Embedded systems face cybersecurity issues because they may not be patchable, can create overlooked network connections, and may be vulnerable to penetration.

Real-Time Operating System (RTOS)

Devices that use RTOS commonly require prioritization of data transmission, such as medical devices. Many RTOS-based devices include security features in the RTOS software itself. RTOS communications may also be hardened using encryption, firewalls, and access control lists (ACLs) to create DiD.

Internet of Things (IoT) Devices

IoT refers to a wide range of devices that are network-connected and provide data to a central location. These devices often use specialized embedded devices to achieve functionality and are rarely patched, making them potential targets for threat actors.

Wireless Devices

Wireless networks and connections come with their own unique set of security challenges. You should be able to identify and securely install various wireless configurations and settings, including knowing secure device placement, encryption protocols, and authentication protocols.

Installation Considerations

When installing a network that can be accessed wirelessly, it is important to take the physical environment, functional usage needs, and security needs into account prior to deployment. Various factors can impact wireless networks.

Site Surveys

A site survey is a full inspection of a facility or space to visualize where existing networks are as well as what physical impediments may be present in the space to determine the best location for installation.

Heat Maps

A heat map is a visual map of where wireless signals are on a floor plan as well as what channels are being used and their strength. This provides insight into where access points (APs) should be located.

Mobile Solutions

Mobile devices are extremely common in today’s work environment. Keeping them secure depends on proper implementation and oversight. The vulnerability concerns to address in the hardening process include how the mobile devices are deployed and used, the connection methods used by the mobile devices, and the security protocols employed on each device.

Mobile Device Management (MDM)

MDM is the process of tracking, unifying, and securing mobile devices used within a network. However, MDM is also a tool, similar to unified endpoint management (UEM), that is used to manage mobile devices such as phones, tablets, and laptops that have differing OSs. UEM tools are designed to address mobile devices as well as stationary devices, such as desktop computers or any other endpoint device. Both tools integrate various management concepts.

Deployment Models

Deployment models for mobile devices refer to who owns the device and how it is used. Deployment models vary depending on the enterprise, with each model creating its own set of considerations, such as device control, device usage, and cost to the enterprise.

Bring Your Own Device (BYOD)

A BYOD deployment model is one in which the user or employee provides the device for use with the enterprise as well as for personal use. This is the most cost-effective model but provides the least control over the device by the enterprise.

Corporate-Owned, Personally Enabled (COPE)

A COPE deployment model is one in which the enterprise both owns and controls the device but allows for limited personal usage on the device. This model is more costly to the enterprise but offers a higher level of security.

Choose Your Own Device (CYOD)

The CYOD model is one in which the enterprise owns and pays for the device but the user is allowed to select and maintain the device. Similar to the BYOD model, the user has control over device usage, which limits control by the enterprise.

Connection Methods

There are various connection methods used by mobile devices to access a network, just as there are various receivers.

Cellular

A cellular connection is a wireless connection method that uses geographical locations and cellular towers to provide connectivity. Cellular communications use protocols such as LTE, 4G, and 5G for connection.

Wi-Fi

Wi-Fi is a wireless connection method that uses radio band frequencies, most commonly 2.4 GHz and 5 GHz, to connect an access point to a wireless device. It has a much shorter range than cellular, can be hindered by physical impediments, and is most commonly privately operated.

Bluetooth

Bluetooth is a wireless connection method that uses the 2.4 GHz band for low-power, short-range communications that do not require high bandwidth. Bluetooth connections are usually peer-to-peer rather than client-server. For example, to connect Bluetooth headphones, the headphones and the connecting device authenticate with each other rather than through a central server.

Wireless Security Settings

Wireless networks and connections come with their own unique set of security challenges. You should be able to identify and securely install various wireless configurations and settings. Questions about these concepts will be scenario based.

Wi-Fi Protected Access 3 (WPA3)

WPA3, the latest WPA iteration, increases security in Personal mode by using Simultaneous Authentication of Equals (SAE) for password-protected authentication. WPA3-Enterprise provides perfect forward secrecy to ensure transmissions between the client and server are protected even in the case of a password breach.

AAA/Remote Authentication Dial-in User Service (RADIUS)

A RADIUS federation is an authentication, authorization, and accounting (AAA) system that allows a trust relationship to be built between RADIUS servers while allowing for authentication between different servers. It provides a way for different organizations to authenticate between themselves for expanded access to validated users.

Cryptographic Protocols

Wi-Fi networks rely on cryptographic protocols to provide security and certification for connected devices and networks. Counter Mode Cipher Block Chaining Message Authentication Code Protocol (Counter Mode CBC-MAC Protocol or CCMP) was first introduced by WPA2 and uses the Advanced Encryption Standard (AES) for stronger encryption when compared to the Wired Equivalent Privacy (WEP) protocol that was previously used. CCMP provides user authentication but not network authentication. WPA3 increased security by implementing SAE, which does not use pre-shared keys (PSKs) but instead validates between the client and the network. SAE also allows each user to create individual passwords for better usability.

Authentication Protocols

An authentication protocol for a wireless network refers to the method used by the wireless device to authenticate to the home network. Authentication protocols used by wireless networks differ between devices and networks, but all have to adhere to the 802.1X standard for access control set by the Institute of Electrical and Electronics Engineers (IEEE). Extensible Authentication Protocol (EAP) is a framework used for authentication by protected wireless network devices. EAP in and of itself is not an authentication tool but a framework that allows vendors to develop their own methods for authentication. There are numerous variations of EAP, but the Security+ exam specifically mentions PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS.

Application Security

Application security is the process of creating and maintaining secure applications. During application development, it is important to build in security measures to protect the application. However, this must also be balanced with functionality. Applying too much security to an application may render the application non-functional.

Input Validation

Input validation is the process of checking input values against a specified set of rules or parameters to ensure that no extraneous data has been added. By validating inputs, threats such as cross-site scripting (XSS) attacks and injection attacks can be mitigated. Input can be validated through input allow listing or input deny listing. Allow listing specifies what input values are allowed and only passes the input through if the parameters have been met, rejecting all inputs that do not meet the criteria. Deny listing is not as secure and only specifies what value cannot be in an input, blocking values specified on the deny list and automatically passing all others through.
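The contrast between allow listing and deny listing is easiest to see with real inputs. The following is an added example written for this guide (not from any framework) that validates a constructed set of username and quantity values both ways; the pattern and the denied-character set are assumptions chosen for the demonstration.

```python
"""Added example: allow-list vs deny-list input validation.
Illustrative code for this study guide; the sample inputs are constructed."""
import re

# Allow list: state exactly what a valid username looks like; reject the rest.
# Assumed rule: lowercase letter first, then 2-15 lowercase letters, digits or '_'.
USERNAME_PATTERN = re.compile(r"\A[a-z][a-z0-9_]{2,15}\Z")

# Deny list: block a handful of characters common in XSS and injection payloads.
DENIED_CHARS = set("<>'\";")


def validate_username_allow(value):
    """Accept only values that fully match the allow-list pattern."""
    return bool(USERNAME_PATTERN.match(value))


def validate_username_deny(value):
    """Accept anything containing no denied character (the weaker approach)."""
    return not any(ch in DENIED_CHARS for ch in value)


def validate_quantity(value, low=1, high=100):
    """Allow-list check for a numeric field: ASCII digits only, then a range
    check. Returns the parsed int, or None when the input is rejected."""
    if not re.fullmatch(r"[0-9]{1,3}", value):
        return None
    number = int(value)
    return number if low <= number <= high else None


# Constructed inputs: the first two are valid, the rest are malformed or hostile.
SAMPLES = [
    "alice",
    "bob_42",
    "Alice",           # uppercase is outside the allow list
    "a" * 40,          # too long
    "%3Cscript%3E",    # URL-encoded <script>: no denied char appears literally
    "x\u0000admin",    # embedded NUL byte
    "' OR 1=1 --",     # contains a denied quote character
]


def compare(samples):
    """Return {input: (allow_result, deny_result)} to show where they differ."""
    return {s: (validate_username_allow(s), validate_username_deny(s)) for s in samples}
```

In `compare(SAMPLES)` the deny list passes the encoded, overlong and NUL-bearing inputs that the allow list rejects, which is why the guide calls deny listing the less secure option.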

Secure Cookies

A cookie is the information that a browser stores locally on a computer or device. A secure cookie is one the browser will only send over Hypertext Transfer Protocol Secure (HTTPS) connections rather than plain HTTP, so its contents are not exposed in cleartext on the network.

Static Code Analysis

When an application is developed, it is almost impossible to locate every potential vulnerability in the code. Static code analysis is the process of analyzing application source code for potential vulnerabilities, such as buffer overflows or database injections, without running it. This analysis can be used to further evaluate code.

Code Signing

Code signing is the process of creating a unique digital signature for code at the time of deployment by the original developer. It provides a way to validate that the application code matches what the developer released. When an application is installed, the signature can be verified using a certificate issued through a trusted certificate authority, confirming both the publisher's identity and that the code has not been altered since it was signed.

Sandboxing

Sandboxing is a separation technique that places an application in a functional, contained, isolated, and controlled environment in which it can be tested without affecting or interacting with the network or network resources. It is used to test updates, patches, and new applications or software for functionality prior to deployment on the system, network, or endpoints.

Monitoring

Monitoring involves reviewing applications for flaws and vulnerabilities throughout the entire life of the application. Continuous monitoring is an automated technique that, as the name implies, continuously monitors any and all changes to the application code during development and deployment all the way through end-of-life.
