SY0-701 Security Operations Study Guide for the CompTIA Security+
Security of Hardware, Software, and Data Assets
Asset management is the process of tracking an asset from procurement through secure destruction so that it is protected at every stage of its life cycle. Assets may be hardware, software, or data. For the CompTIA Security+ exam, you will need to be able to explain the security implications of proper hardware, software, and data asset management.
Acquisition and Procurement Procedures
Acquisition and procurement is the process of acquiring assets. Best practices should be followed to ensure the security of the acquired asset, including configuring proper security settings and configurations on the asset itself, vetting the vendor or provider for compliant use of security controls, and requiring contracts and agreements that support security best practices.
Assignment and Accounting
Assignment is the process of designating who owns an asset and what security classification it carries, while accounting is the process of keeping an accurate record of which entity is responsible for ensuring the asset is secure. An asset with no recorded owner is one that no one patches, monitors, or decommissions.
Ownership
Ownership refers to the one who, at the highest level, is responsible for an asset. Ownership should be placed in the hands of someone who best understands the asset. For example, ownership for employee data may be given to the head of the Human Resources department.
Classification
Asset classification identifies the sensitivity of the asset and identifies which security measures are required to maintain asset security. Classifying assets is organizationally dependent, but commonly considers factors such as asset value, likelihood of exposure, and the nature or sensitivity of the data it contains.
Monitoring and Asset Tracking
Once an asset has been procured and deployed, the asset requires continual monitoring and tracking to ensure asset security. Asset monitoring and tracking may be automated via asset management software or done manually. Monitoring and tracking an asset should apply not only to the physical device but to the logical connections and communications of the asset as well.
Inventory
Inventory is a method of identifying individual assets in a network and recording information related to each asset, such as its owner, location, classification, and configuration. Physical or logical tags (asset labels, barcodes, RFID tags) are commonly used to link each device to its record in an asset management system.
Enumeration
Enumeration is the process of scanning to identify all assets in a network or system. It can be completed logically using port and vulnerability scanners.
Disposal and Decommissioning
The final step in the asset management process is the secure disposal and decommissioning of the asset. Decommissioning is the process of securely taking the asset out of service: removing it from the network, revoking its credentials and certificates, and sanitizing the data it holds. Disposal is the process of physically removing the asset (destroying, recycling, or reselling it) and retiring its record from the inventory.
Sanitization
Sanitization is completely removing data from an asset. Sanitization can be applied to an entire asset or to a single data file. The goal of data sanitization is to make data unrecoverable, even with laboratory recovery techniques. Data sanitization can be achieved through overwriting (clearing), purging, cryptographic erasure (destroying the key that encrypts the data), or physical destruction, with some methods being more effective than others. Note that simply deleting a file or formatting a drive is not sanitization, since the underlying data typically remains on the media until it is overwritten.
Destruction
Asset destruction is a physical security control that involves properly disposing of and destroying assets from physical papers to hard drives. Physical destruction methods include burning, shredding, pulping, pulverizing, and degaussing. Degaussing only affects magnetic media (hard disks and tape); it has no effect on solid-state drives or other flash storage, which must be cryptographically erased or physically destroyed instead. There are also third parties that offer destruction services.
Certification
Certification is the process of documenting asset disposal and destruction. A certificate of destruction, issued by the vendor or service provider that performed the destruction, records which assets (typically by serial number) were destroyed, when, and by what method, giving the organization evidence that the disposal process was carried out securely.
Data Retention
Data retention refers to how data is kept. Different industries and organizations require different retention policies, which may include how often data is backed up, how long data is kept, how data is stored, and how data is destroyed.
Vulnerability Management
Vulnerability management is the process of identifying, responding to, and mitigating vulnerabilities within a system or network. For the CompTIA Security+ exam, you will need to identify, understand, and explain various activities associated with vulnerability management.
Identification Methods
There are numerous identification methods that can be used to assess a network or system for current or potential vulnerabilities. Identification methods range from highly invasive to minimally invasive and can be either logical or physical.
Vulnerability Scan
Vulnerability scans are a collection of scanning techniques that attempt to identify potential vulnerabilities within a system and rank them in order of most detrimental to least. Vulnerability scans may be either credentialed or non-credentialed. A credentialed scan logs in to the target hosts with valid accounts and can inspect installed software, patch levels, and configuration from the inside, producing more complete and more accurate results. A non-credentialed scan probes the target from the outside without authenticating, so it sees only what an unauthenticated attacker would see and tends to produce more false positives.
Vulnerability scans may also be either intrusive, which is a scan that attempts to seek out and act upon vulnerabilities in a network, or non-intrusive, which is a scan designed to seek out and report on vulnerabilities without taking any action with regards to those vulnerabilities.
Application Security
Application security uses multiple tools and techniques to harden an application at all stages of the application life cycle. Performing vulnerability scans on applications can be helpful in identifying known and unknown security problems in the application itself.
Static Analysis
Static analysis is used to test the source code of an application to identify potential vulnerabilities in the application code. A static analysis, unlike dynamic analysis, does not execute or run the code. Instead, a static analysis looks for flaws in the code as written, such as dangerous function calls, unsafe data flows, or insecure defaults, rather than observing how the program behaves at runtime.
Dynamic Analysis
Dynamic code analysis is the process of analyzing the code during the execution process to identify any vulnerabilities or potential issues. Like static code analysis, dynamic code analysis can be done either manually or automatically.
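To make the distinction concrete, here is an added example (not from the study guide) of a minimal static analyzer: it parses Python source into an abstract syntax tree and flags a few well-known dangerous call patterns without ever executing the program under review. The rules and the sample program are constructed for illustration; real SAST tools apply hundreds of such rules plus data-flow analysis.

```python
"""Minimal AST-based static analyzer: flags dangerous call patterns
in Python source without executing it. Added example, not part of
the study guide; the rules and the sample program are constructed."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run' or 'eval'."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))


def _keyword(node: ast.Call, name: str):
    """Return the AST node passed as keyword `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def analyze(source: str) -> list[Finding]:
    """Parse source and return findings sorted by line. The code is never run."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append(Finding(node.lineno, "dynamic-code",
                                    f"{name}() executes arbitrary code"))
        elif name.startswith("subprocess."):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(Finding(node.lineno, "shell-injection",
                                        f"{name}(shell=True) passes input through a shell"))
        elif name == "yaml.load" and _keyword(node, "Loader") is None:
            findings.append(Finding(node.lineno, "unsafe-deserialization",
                                    "yaml.load() without Loader can instantiate arbitrary objects"))
        elif name in ("hashlib.md5", "hashlib.sha1"):
            findings.append(Finding(node.lineno, "weak-hash",
                                    f"{name}() is not collision resistant"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample program under review (a string; never imported or executed)
SAMPLE = '''
import subprocess, yaml, hashlib

def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)   # line 5

def load(doc):
    return yaml.load(doc)                             # line 8

def safe_load(doc):
    return yaml.load(doc, Loader=yaml.SafeLoader)     # line 11: not flagged

def fingerprint(data):
    return hashlib.md5(data).hexdigest()              # line 14
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Because the analyzer only reads the tree, it cannot tell whether `cmd` on line 5 ever actually carries attacker input; that is the classic source of static-analysis false positives, and why findings are confirmed (see Confirmation below) before being prioritized.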
Package Monitoring
Package monitoring is the process of tracking the third-party packages and libraries an application depends on (for example, npm, PyPI, or Maven packages) and watching for newly published vulnerabilities, malicious updates, or abandoned projects among them. Tools in this space, often called software composition analysis (SCA), compare the dependency manifest or a software bill of materials (SBOM) against vulnerability databases so that a flaw in a library is noticed even though the application's own code has not changed. Package monitoring is distinct from packet capture, which is collecting IP packets from the network for analysis or review; packet replay is sending a captured packet back out, either as it was originally captured or modified. Various tools can be used for packet capture and replay, including Wireshark, an open-source tool that provides packet capturing, filtering, and analysis through a user-friendly graphical user interface (GUI).
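As an added example (not code from the study guide), the following shows the core of package monitoring: parse a pinned dependency manifest and match each pin against advisories that give an affected version range. The manifest and the advisories are constructed for illustration with placeholder identifiers rather than real CVE numbers; a production tool would pull advisories from a feed such as the OSV or GitHub Advisory databases and use a full version parser.

```python
"""Dependency (package) monitoring: compare pinned dependencies against
an advisory list. Added example, not from the study guide. The manifest
and advisories below are constructed; the advisory ids are placeholders."""
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'2.31.0' -> (2, 31, 0); pads so that 1.4 compares equal to 1.4.0.
    Simplified: real tools handle pre-release tags such as 1.0rc1."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_requirements(manifest: str) -> dict[str, tuple[int, ...]]:
    """Parse a pip-style manifest that uses exact pins (name==version)."""
    pins = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if "==" not in line:
            # A range like 'requests>=2' cannot be checked against advisories
            raise ValueError(f"unpinned dependency cannot be monitored: {line}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(version)
    return pins


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # constructed placeholder, not a real CVE id


def affected(version: tuple[int, ...], adv: Advisory) -> bool:
    return parse_version(adv.introduced) <= version < parse_version(adv.fixed)


def check(pins: dict, advisories: list) -> list:
    """Return (package, pinned version, advisory id) for every vulnerable pin."""
    hits = []
    for adv in advisories:
        v = pins.get(adv.package.lower())
        if v is not None and affected(v, adv):
            hits.append((adv.package, ".".join(map(str, v)), adv.advisory_id))
    return sorted(hits)


# Constructed manifest: pins that were current once and never updated
MANIFEST = """
# constructed example manifest
requests==2.25.1
pyyaml==6.0.1
flask==1.1.2   # pinned long ago
"""

# Constructed advisories (ids are placeholders, ranges chosen for the example)
ADVISORIES = [
    Advisory("requests", "2.3.0", "2.31.0", "EXAMPLE-0001"),
    Advisory("flask", "0.0.0", "2.2.5", "EXAMPLE-0002"),
    Advisory("pyyaml", "0.0.0", "5.4.0", "EXAMPLE-0003"),
]

if __name__ == "__main__":
    for package, version, adv_id in check(parse_requirements(MANIFEST), ADVISORIES):
        print(f"{package}=={version} is affected by {adv_id}")
```

Re-running the check every time the advisory list changes, not only when the application is rebuilt, is what turns this from a one-off scan into monitoring.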
Threat Feed
Threat feeds are continuously updated stores of information on current and emerging cybersecurity threats, including zero-day attacks and malware. Threat feeds typically include what vulnerability the attacker is targeting as well as signature data and suggested remediation for the vulnerability.
Open-Source Intelligence (OSINT)
OSINT is threat intelligence gained from publicly available sources. Examples of OSINT sources are Senki.org, Open Threat Exchange, the MISP Threat Sharing Project, and threatfeeds.io. Some companies publish OSINT, such as Microsoft's threat intelligence blog, Cisco's threat security site, and the SANS Technology Institute's Internet Storm Center. The US government also offers OSINT through the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), and CISA's Automated Indicator Sharing (AIS) program.
Proprietary/Third Party
Proprietary threat intelligence is intelligence that is gathered, maintained, and shared only among authorized individuals, such as company- or government-specific threat intelligence. For example, vendor websites can be a useful source of information. Often when a vulnerability is discovered in a vendor-specific product, the vendor will issue a description of the vulnerability as well as remediation tactics or patches to prevent the threat.
Information-Sharing Organization
Information-sharing organizations are groups whose members pool threat information, such as the sector-specific Information Sharing and Analysis Centers (ISACs) that serve industries like finance, health care, and energy. Academic journals are another source of known threat information and contain carefully vetted articles. There are also local industry groups, collections of local like-minded companies that engage in information sharing within the group.
Dark Web
The dark web is a set of overlay networks, reachable only through special software such as Tor, that encrypts and relays traffic to allow anonymous interaction among users. The dark web is often used for malicious purposes or as a marketplace for stolen data, credentials, and attack tooling, which makes it a useful source of early warning about breaches and emerging threats.
Penetration Testing
Penetration testing, also known as pen testing or ethical hacking, is an authorized attack on a system to find potential vulnerabilities and weaknesses in the system. Penetration testing can occur in a known environment, unknown environment, or partially known environment and uses specific rules of engagement prior to testing.
Responsible Disclosure Program
A responsible disclosure program is a secure method that can be used by ethical hackers to safely report identified vulnerabilities to an impacted entity. Such a program is designed to allow reporting without the fear of repercussion.
Bug Bounty Program
A bug bounty program invites outside security researchers to test a network or application within defined scope and rules. The program is set by the target company, which offers monetary rewards to researchers who identify a vulnerability in the system and report their findings back to the target rather than exploiting or disclosing it elsewhere.
System/Process Audit
A system or process audit is a formal, impartial security assessment of an entity. Audits may be carried out either internally or externally via a third party using a predefined set of standards. System and process audits provide an unbiased view into the vulnerability of a system or network.
Analysis
When a vulnerability has been identified, the analysis process begins. During analysis, vulnerabilities are confirmed, categorized, and prioritized based on the requirements of the entity. Categorization and prioritization may depend on organizational factors such as risk tolerance and exposure factors.
Confirmation
Confirmation is the process of either validating or disproving the existence of the vulnerability. Results obtained from software such as vulnerability scanners may contain false positives, which waste remediation effort, and false negatives, which leave real vulnerabilities unaddressed.
False Positive
A false positive occurs when a vulnerability scan identifies a vulnerability that is not actually a vulnerability. False positives are common in vulnerability scans and can be time-consuming to manage.
False Negative
A false negative occurs when a vulnerability scan fails to identify an actual vulnerability in the network. A false negative is a much greater threat to the network than a false positive.
Prioritize
Once a vulnerability has been identified, prioritization begins based on predefined factors such as risk tolerance, potential repercussions, and likelihood of occurrence. Vulnerability scanning software can be configured to place priority on specific events based on preset rules.
Common Vulnerability Enumeration (CVE)
CVE (Common Vulnerabilities and Exposures) is a standard for the nomenclature used to describe publicly known security flaws: each flaw receives a unique identifier of the form CVE-YYYY-NNNNN. The CVE list is maintained by MITRE, while CVSS is maintained by FIRST. The National Institute of Standards and Technology (NIST) enriches CVE entries with CVSS scores and other metadata in its National Vulnerability Database (NVD).
Common Vulnerability Scoring System (CVSS)
The CVSS is a standardized approach for measuring and describing the severity of a vulnerability on a scale of 0.0 to 10.0, with 10.0 being the most severe. The base score is computed from a vector of metrics describing how the flaw is reached (attack vector, attack complexity, privileges required, user interaction, scope) and what it affects (confidentiality, integrity, availability); qualitative ratings map the score to Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0).
Vulnerability Classification
After a vulnerability has been verified, it is classified using factors such as likelihood of occurrence, potential impact, and organizational risk management policies. To aid in the classification process, the CVSS score published for a CVE can be used as a starting point, then adjusted for the factors below.
Exposure Factor
The exposure factor (EF) is the proportion of an asset's value that would be lost if a given threat were realized, commonly expressed as a percentage. It combines with the asset value (AV) to give the single loss expectancy (SLE = AV x EF), and with the annualized rate of occurrence (ARO) to give the annualized loss expectancy (ALE = SLE x ARO). Likelihood of occurrence is therefore a separate input from the exposure factor, not a synonym for it.
Environmental Variables
Environmental variables describe the context in which the vulnerable asset operates: whether it is internet-facing or internal, what data it handles, what compensating controls surround it, and how critical it is to the business. The same flaw can be critical on an exposed production server and low priority on an isolated test host. CVSS's environmental metric group exists so that an organization can adjust a published base score for exactly these factors.
Industry/Organizational Impact
These impacts describe what effects a risk would have on an enterprise if it were to occur. This may include financial, operational, and reputational impacts.
Risk Tolerance
Risk tolerance, or risk appetite, is the level of risk an organization is willing to accept. For example, if an enterprise has a low risk tolerance, it may install a manual lock, a biometric lock, and a security guard on a door, while an enterprise with a higher risk tolerance may only place a single manual lock on a door.
Vulnerability Response and Remediation
Once a vulnerability has been identified, analyzed, and classified, the task of responding to and remediating it begins. Remediation refers to neutralizing the vulnerability by choosing the most appropriate security response.
Patching
If the vulnerability was previously known, a patch may be available, which should be tested and installed in a timely manner.
Insurance
Cybersecurity insurance is a type of specialized insurance dedicated to providing coverage for cyber-related incidents. Cybersecurity insurance may cover the cost of recovering from a cybersecurity incident or any related lost revenue.
Segmentation
Segmentation is used to isolate or quarantine a system to minimize the vulnerability’s effect on other portions of the network. This is especially necessary for vulnerabilities that do not currently have a patch.
Compensating Controls
Compensating controls are additional security measures that reduce the likelihood or impact of a threat actor exploiting the vulnerability while the root cause remains. Examples include firewall rules that restrict who can reach the vulnerable service, IDS or IPS signatures that block known exploit traffic, disabling the vulnerable feature, and requiring stronger authentication or VPN access in front of the system.
Exceptions and Exemptions
If the risk is deemed necessary or acceptable, an exemption or exception may be made for it, resulting in an accepted, unmitigated risk. Exceptions should be documented, approved by the risk owner, and given an expiry or review date so that accepted risks are revisited rather than forgotten.
Validation of Remediation
Once remediation has been established, validation of the effectiveness of the response occurs. During remediation validation, the system should be checked for full remediation of the vulnerability as well as any adverse effects that may have occurred to the complete network. Due to the high complexity and interconnectedness of a network, remediating one vulnerability may have unintended consequences on other portions of the network.
Rescanning
The same scanning techniques used to identify the vulnerability in the first place can be re-run to ensure the vulnerability is no longer present.
Audit
Auditing, either by an internal or external entity, may be used to identify the effectiveness of the remediation and to identify any other potential vulnerabilities that may be present, perhaps due to the remediation effort.
Verification
Verification is the process of ensuring that the vulnerable system is working properly while testing any network components that may have been affected by the vulnerability or the remediation effort.
Reporting
Once the vulnerability management process has been completed, all findings should be documented and presented to relevant entities. Reports should include an analysis of what occurred, how it was addressed, and methods to prevent recurrence. The report should also include what lessons were learned in the process to identify trends, future potential vulnerabilities, and any changes to policies and procedures that may be required.