SYO-701 Security Operations Study Guide for the CompTIA Security+

Page 3

Security Alerting and Monitoring

Security alerting and monitoring is the process of continuously evaluating a network and network traffic for potential indicators of compromise and alerting the appropriate person or persons to the potential vulnerability. You should be able to explain common security alerting and monitoring concepts and tools for the CompTIA Security+ exam.

Monitoring Computing Resources

Monitoring services in networking is the process of ensuring that services are online and accessible. Monitoring services is often achieved through the use of different tiers of monitoring, with the first tier simply validating whether the service port is open and responding. The second tier interacts with the service to identify if a response looks normal. The highest tier evaluates the service for potential indicators of failure.

Systems

Systems use tools to monitor network traffic such as endpoint detection and response (EDR) programs, firewalls, IDS and IPS, and data loss prevention (DLP) software. Traffic is monitored for abnormal traffic, anomalies, and suspicious activity, with alerts generated and sent to the appropriate entity for further evaluation.

Applications

Applications may be monitored by tracking and analyzing log data for anomalies as well as to identify possible bugs, excessive resource use, and application availability among others.

Infrastructure

Monitoring is used to identify abnormal or unauthorized activity in the infrastructure and its surrounding environment. This monitoring can be done with a variety of sensors, such as fire, humidity, and motion sensors, as well as through human monitoring.

Activities

There are various techniques that are employed by alerting and monitoring tools to aid in identifying potential vulnerabilities and responding to those vulnerabilities during the vulnerability management process.

Log Aggregation

Log collectors are used to collect basic standardized data from logs, including log time, source, and system information. Log aggregation is the process of collecting and compiling collected log information and converting it into a standard form that can be used to analyze data.

Alerting

Alerting occurs when a vulnerability scanning tool, such as a SIEM system, identifies a potential vulnerability and creates a notification or flags the events for review. Alerts can be configured based on rules pertaining to potential severity, with higher levels taking precedence over less impactful potential vulnerabilities.
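The two steps above, aggregation into a standard form and rule-based alerting with severity precedence, worked through as an added Python example (not code from the study guide). The three sample lines, the hosts and addresses in them, and the rule names are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in three collector formats (syslog, JSON, key=value);
# hosts, IPs and messages are made up for this example.
SAMPLE_LINES = [
    "Jan 14 10:02:11 fw01 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    '{"ts": "2024-01-14T10:02:13Z", "host": "wks-17", "source": "edr", "event": "process_blocked", "msg": "quarantined suspicious.exe"}',
    "2024-01-14T10:02:15Z dlp01 source=dlp policy=PCI action=block user=alice reason=card_number_outbound",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")

def normalize(line, year=2024):
    """Convert one raw line into the common schema {ts, host, source, message, fields}."""
    line = line.strip()
    if line.startswith("{"):                       # JSON collector output
        rec = json.loads(line)
        return {"ts": rec["ts"], "host": rec["host"], "source": rec.get("source", "json"),
                "message": rec.get("msg", ""), "fields": {"event": rec.get("event")}}
    m = SYSLOG_RE.match(line)
    if m:                                          # classic syslog: timestamp has no year, so assume one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "host": m["host"], "source": m["app"],
                "message": m["msg"], "fields": {}}
    m = KV_RE.match(line)
    if m:                                          # key=value pairs after an ISO timestamp and host
        fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        return {"ts": m["ts"], "host": m["host"], "source": fields.pop("source", "kv"),
                "message": fields.get("reason", ""), "fields": fields}
    raise ValueError(f"unrecognized log format: {line[:40]}")

# Alert rules: (name, severity 1-5, predicate). Higher severity is handled first.
RULES = [
    ("ssh_failed_root_login", 3, lambda r: r["source"] == "sshd" and "Failed password for root" in r["message"]),
    ("dlp_block", 4, lambda r: r["source"] == "dlp" and r["fields"].get("action") == "block"),
    ("edr_quarantine", 5, lambda r: r["source"] == "edr" and r["fields"].get("event") == "process_blocked"),
]

def aggregate(lines):
    """Log aggregation step: parse every line into the standard form and order by time."""
    return sorted((normalize(line) for line in lines), key=lambda r: r["ts"])

def alert(records):
    """Alerting step: apply the rules and return alerts, highest severity first."""
    alerts = [{"rule": name, "severity": sev, "host": r["host"], "ts": r["ts"]}
              for r in records for name, sev, pred in RULES if pred(r)]
    return sorted(alerts, key=lambda a: -a["severity"])

if __name__ == "__main__":
    for a in alert(aggregate(SAMPLE_LINES)):
        print(a)
```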

Scanning

Scanning is the continuous monitoring of machines and their data inputs. Data inputs are the different types of information sources that provide vulnerability scanners with data to be analyzed. This is done to look for security events and to notify a security professional so a deeper review can be done.

Reporting

Vulnerability scanning tools are capable of creating multiple predefined or custom reports that can be reviewed, analyzed, and exported. Some of these reports include log-on and log-off events, threat events, and resource usage.

Archiving

Archiving is the process of storing vulnerability scan data, including logs, reports, and alerts. The duration of archive retention may be dependent on the needs of the enterprise as well as applicable regulations.

Alert Response and Remediation/Validation

When an alert has been created, an entity, such as a security professional, is responsible for responding to the alert either by accepting or dismissing the alert. If the alert is accepted, further analysis is required to validate or invalidate the vulnerability, with the appropriate responses and remediation taken if proven valid.

Quarantine

If an alert is deemed potentially valid, the system or device may be quarantined to prevent the potential spread of the vulnerability’s exploitation and allow it to be analyzed in a safe environment.

Alert Tuning

Vulnerability scanning tools may alert to a very high number of potential vulnerabilities if not properly configured. Alert tuning is the process of adjusting alert parameters to minimize false positives while not allowing for false negatives to proliferate.
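The false-positive versus false-negative trade-off that tuning manages, as an added Python example (not from the study guide): a failed-login rule is evaluated against a constructed, analyst-labelled window of sources, sweeping the threshold and optionally allowlisting one known-benign source. The addresses, counts and labels are made up.

```python
# Constructed 10-minute window of failed-login counts per source address, with an
# analyst label saying whether the source really was malicious (made-up data).
WINDOW_COUNTS = {
    "198.51.100.10": (3, False),   # user mistyping a password
    "198.51.100.11": (6, False),   # backup job retrying with a stale credential
    "198.51.100.12": (2, False),
    "203.0.113.5": (40, True),     # credential-stuffing source
    "203.0.113.6": (9, True),      # slow-and-low guessing
    "203.0.113.7": (4, True),
}

def evaluate(threshold, allowlist=()):
    """Alert when failed logins >= threshold. Returns (false_positives, false_negatives, true_positives)."""
    fp = fn = tp = 0
    for src, (count, malicious) in WINDOW_COUNTS.items():
        if src in allowlist:          # tuning knob 2: a documented exception for a known-benign source
            continue
        fires = count >= threshold    # tuning knob 1: the threshold itself
        if fires and malicious:
            tp += 1
        elif fires:
            fp += 1
        elif malicious:
            fn += 1
    return fp, fn, tp

def tune(max_false_negatives=1, allowlist=()):
    """Sweep thresholds and return (threshold, fp, fn) with the fewest false positives
    among the settings that keep false negatives within the given budget."""
    best = None
    highest = max(count for count, _ in WINDOW_COUNTS.values())
    for threshold in range(1, highest + 2):
        fp, fn, _ = evaluate(threshold, allowlist)
        if fn <= max_false_negatives and (best is None or fp < best[1]):
            best = (threshold, fp, fn)
    return best

if __name__ == "__main__":
    print("fewest FPs with at most one miss:", tune(1))
    print("zero misses, no exceptions:", tune(0))
    print("zero misses, backup host allowlisted:", tune(0, allowlist={"198.51.100.11"}))
```

Raising the threshold alone trades a missed slow-and-low source for fewer false positives; the allowlist removes the remaining false positive without loosening the rule, which is why tuning usually combines both knobs.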

Tools

Security monitoring and alerting tools come in multiple forms with varying complexities. Some monitoring and alerting tools may be highly intrusive while others sit outside the primary network.

Security Content Automation Protocol (SCAP)

SCAP is a threat intelligence standard developed by NIST to improve cyber threat communication within the cybersecurity community. SCAP maintains standards for Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), CVE, CVSS, the Extensible Configuration Checklist Description Format (XCCDF), and Open Vulnerability and Assessment Language (OVAL).

Benchmarks

Benchmarks are quantifiable metrics that provide a point of comparison. They are used by vulnerability monitoring and alerting tools to identify potential anomalies in security performance. Benchmarks may be created locally in the primary network or can be provided by vendors or by industry standards, such as those provided by the Center for Internet Security (CIS).

Agent/Agentless

Network access control (NAC, sometimes called network admission control) determines whether a system or device should or should not be allowed on a network or network segment based on its security state. A software agent performs a set of security checks on the device (e.g., patch levels, security settings, antivirus version) either before (pre-admission) or after (post-admission) allowing a device or system on the network. NAC solutions can be either agent-based, which places NAC software directly on the requesting device, providing greater insight, or agentless, which uses software that is not locally installed, providing higher accessibility but less insight.

Security Information and Event Management (SIEM)

SIEM is a central security-monitoring tool used to collect and aggregate log data from various sources, correlate and analyze the data, and look for vulnerabilities and potential flaws in the system’s security. SIEM has many canned reports that can be reviewed, analyzed, and exported. It is also capable of a heuristic analysis of user behavior and can flag behavior that falls outside of a user’s normal routine.

Antivirus

Antivirus software is typically designed to prevent, scan, detect, and remove known viruses and other malicious software from a system. Antivirus software can identify threats using signature-based detection, heuristic or behavior-based detection, AI and machine learning, or sandboxing techniques.

Note: The terms antivirus and anti-malware are often used interchangeably.

Data Loss Prevention (DLP)

DLP systems or programs are used to help maintain the security of data within the system or network. These systems are designed to monitor all data within the system to ensure that the policies and procedures set forth are followed. They also allow monitoring for potentially sensitive data that may be at risk or not properly protected. DLP systems may also act proactively to prevent sensitive data from leaving the system by blocking transmissions and alerting the security team to potential incidents.

Simple Network Management Protocol (SNMP) Traps

SNMPv3 is the most current version of SNMP, which provides source authentication, message integrity, and encryption. An SNMP trap is a protocol data unit (PDU) that can be sent unrequested to management agents. They contain event data and messages that will alert the agent of possible problems with network-connected devices.

NetFlow

A network flow, sometimes called a bandwidth monitor, is a record of network communications between devices, which includes information such as IP addresses, ports, protocols, size, and packet counts. Network flows provide valuable insight into the traffic patterns of a network. NetFlow is a Cisco proprietary protocol that collects network traffic from Layer 3 (or the network layer) of the Open Systems Interconnection (OSI) model as it actively enters and leaves a network.
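Working with flow records, as an added Python example (not from the study guide): a constructed CSV export of flows is parsed into records, summarized as bytes per source (the bandwidth-monitor view), and checked for one source touching many distinct ports on a single host, a traffic pattern that flow data exposes and packet payloads are not needed for. The column layout and all addresses are assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int

# Constructed CSV export in the column order an assumed collector emits (made-up addresses).
HEADER = "src_ip,dst_ip,src_port,dst_port,proto,packets,bytes"
SAMPLE_CSV = "\n".join([HEADER,
    "192.0.2.10,198.51.100.20,51000,443,6,120,150000",
    "192.0.2.11,198.51.100.20,51001,443,6,90,98000",
    "192.0.2.10,192.0.2.53,53211,53,17,2,180",
    "192.0.2.12,203.0.113.80,51500,443,6,4000,6200000",
] + [f"203.0.113.9,192.0.2.10,{40000 + i},{20 + i},6,1,60" for i in range(25)])

def parse_flows(text):
    """Parse the CSV export into Flow records, skipping the header row."""
    flows = []
    for line in text.splitlines()[1:]:
        s, d, sp, dp, pr, pk, by = line.split(",")
        flows.append(Flow(s, d, int(sp), int(dp), int(pr), int(pk), int(by)))
    return flows

def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first."""
    totals = Counter()
    for f in flows:
        totals[f.src_ip] += f.bytes
    return totals.most_common(n)

def port_fanout(flows, min_ports=10):
    """(src, dst) pairs where the source hit many distinct destination ports with tiny flows.
    Normal clients reuse a few service ports, so this pattern is worth an alert for review."""
    ports = defaultdict(set)
    for f in flows:
        if f.packets <= 2:
            ports[(f.src_ip, f.dst_ip)].add(f.dst_port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    print(top_talkers(flows))
    print(port_fanout(flows))
```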

Vulnerability Scanners

Vulnerability scanners are common cybersecurity tools that are also employed by threat actors to identify potential vulnerabilities in a network, application, or web application. Common vulnerability scanning tools include Nessus and OpenVAS.

Modifications to Enhance Security

Enhancing security is a continual process for cybersecurity professionals. As new vulnerabilities and exploits are identified, modifications to the security structure of a network are paramount to creating defense in depth. Given a scenario, you must be able to modify enterprise capabilities to enhance security.

Firewall

A firewall is a device that can be deployed as a network appliance or on endpoints. It is able to monitor incoming and outgoing traffic for anomalies based on a predefined set of security rules. Numerous types of firewalls can be deployed throughout a network. To enhance security in specific situations, firewall rules and configurations may be modified.

Rules

Firewalls use predefined rules to allow or block traffic. Configuration changes can be made to firewall rules, including adding or removing permitted traffic sources.

Access Control List (ACL)

An ACL is a predefined set of rules for filtering and controlling network traffic. An ACL is similar to a firewall but can be configured directly on a networking device or appliance. Adjusting ACLs can aid in creating a more secure network.

Ports/Protocols

Open ports and services are common methods of intrusion into a system or network by threat actors. To harden a system and reduce its vulnerability using firewall configurations, open ports that are not in use and unneeded services should be disabled, leaving only the ports and services necessary for network functionality open.

Screened Subnets

A screened subnet, previously known as a demilitarized zone (DMZ), is a network segmentation method that provides an area of access to certain parts of the network for a set of users that is kept separate from the primary network. For example, companies often use a screened subnet for web traffic by customers. Customers are able to access portions of the subnet that they need while being kept completely separate from the primary network.

Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)

IDS and IPS can be used in the networking environment as well as on endpoints. An IDS detects and alerts on anomalies, while an IPS detects and blocks anomalies. They can use different detection methods for the identification of malicious traffic. An IDS/IPS can be signature-based, heuristic, or anomaly-based, as well as either inline or passive.

An IDS/IPS can also provide insight into trends occurring within a network. For example, if a new malware signature has been identified and is increasing in occurrence (or trending up), it can indicate that that particular malware is a growing concern and should be addressed.

Signatures

Signature-based detection compares digital signatures against a known list of malicious signatures to identify threats.

Web Filter

A web application is a composite group of systems that contain code, a web server and operating system, databases, and application programming interfaces (APIs) to allow for integration. A web application scanner scans the public-facing web servers and applications for vulnerabilities, such as injection vulnerabilities. A web filter is used to allow or deny access based on predefined rules or configurations.

Agent-Based

An agent-based web filter is one that enforces web filtering policies on network-connected devices. An agent-based web filter is host-based and not dependent on the external web connection to enforce policies and rules. This protects a network-connected device even when not connected to the primary network.

Centralized Proxy

A centralized proxy web filter is one that resides at the Layer 2 (switches) or Layer 3 (routers) devices and enforces web filter rules on network-connected devices. A centralized proxy is able to block traffic on any connected device, even if the device is not a member of the network, such as a guest user’s laptop.

Uniform Resource Locator (URL) Scanning

URL scanning is the process of identifying the URL of a web page and running the URL through a URL filter to either allow or deny connection. Configuration changes to a content or URL filter are used to increase web security and may include creating new block rules for content or known URLs. These filters can also be used to stop a threat from attempting to connect with its host device or network via the internet.

Content Categorization

Web filters may be configured to allow or deny access based on the categorization of the content the web application contains. Content categorization can be used to identify and block inappropriate or harmful content based on predefined content rules or via URL lists.

Block Rules

Web filter block rules, or deny lists, are lists of known malicious or suspicious web pages that are explicitly denied access when an attempt is made to access them. Reconfiguring the web block rules is a viable option if the source of the threat is known.

Reputation

A reputation-based web filter evaluates a website’s reputation to either allow or deny access. The web filter evaluates the web server that hosts the website for behavior to assign a reputation score, which is then used as a metric for allowing or blocking access.

Operating System Security

Techniques for securing OSs vary, but there are some common practices that can be used for all operating systems, such as:

  • Always keep the OS up to date on patches and updates, and harden user accounts (implement strong password requirements).

  • Use the principle of least privilege for permissions.

  • Deploy anti-malware, IPS, IDS, or other security software on the OS.

Group Policy

Group Policy is a Windows tool that provides detailed information on methods of securing the Windows OS. Group Policy has over 1,300 pages of information pertaining to security settings and their recommended configurations. It also details why a configuration is recommended and its possible effects on the OS.

Security-Enhanced Linux (SELinux)

SELinux is a security module that can be installed on the Linux OS to enhance its native security settings by adding additional security capabilities, such as access control schemes, enhanced user rights, and policy-defined resource permissions.

Implementation of Secure Protocols

As a cybersecurity professional, you need to be able to implement protocols to secure the entire networking environment. You should be able to identify and understand common secure protocols. Questions about these concepts will be scenario-based.

Protocol Selection

A protocol is a set of rules that define how connected devices exchange information across a network. Not all protocols are secure. To ensure the security of a network, there are common best protocol-selection practices that should be implemented within the network.

Port Selection

A protocol port is a software-defined number through which a specific protocol sends and receives traffic for a specific service. There are numerous commonly used protocols that are associated with specific port numbers. While many common protocols and their associated ports are not natively secure, there is often a secure version available on another port.

Secure Shell (SSH) is a protocol that provides a method of securely logging in remotely to another console. SSH provides encryption as well as password and public key authentication. SSH can also be used in conjunction with other protocols or as a tunneling protocol to increase security. SSH uses TCP port 22.

Transport Method

Transport method refers to the protocol that is used to send a data packet through the internet and is commonly associated with the Internet Protocol (IP). There are two common transport protocols, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). The TCP protocol confirms connection prior to sending data while UDP does not.

Domain Name System (DNS) Filtering

DNS servers and services are not encrypted or secure in and of themselves. To secure a DNS server, requests must be filtered through the use of Domain Name System Security Extensions (DNSSEC). It also requires proper DNS configurations, such as turning on logging or blocking malicious domain requests.

Email Security

While both web and email traffic can use numerous security protocols, the primary security protocol used for web traffic is HTTPS, while for email it is IMAP secure and POP secure. Email can also use HTTPS if it is accessed via HTTP.

DomainKeys Identified Mail (DKIM)

DKIM is an email security protocol that uses a digital signature attached to a received email that is used to authenticate the validity of the sender as well as the unaltered contents of the email.

Sender Policy Framework (SPF)

SPF is an email security protocol that verifies the validity of an email by querying the mail server through which it was sent. The mail server should have authorization to send mail from the sending domain.

Domain-Based Message Authentication Reporting and Conformance (DMARC)

DMARC is an email security tool that combines the use of other email security protocols to help provide protection against spam and email spoofing. DMARC uses DNS, DKIM, and SPF to verify sender identities.
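How SPF and DMARC fit together, as an added Python example (not from the study guide): an SPF record is evaluated against the connecting IP (ip4, ip6, include and all terms), the DMARC record is parsed, and the DMARC disposition is derived from whether SPF or DKIM passed and aligned with the From: domain. The DNS data is a constructed in-memory dictionary for hypothetical domains; DKIM signature verification itself is assumed to have been done elsewhere, and only its signing domain is passed in.

```python
import ipaddress

# Constructed DNS TXT data for hypothetical domains (not real records; no network lookups).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record against the connecting IP (ip4/ip6/include/all terms only)."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
        if name == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return RESULT[qualifier]
        if name == "all":
            return RESULT[qualifier]
    return "neutral"                    # no term matched and no 'all' term present

def parse_dmarc(domain):
    """Return the DMARC tags published for domain, or None when no valid record exists."""
    tags = {}
    for part in TXT.get("_dmarc." + domain, "").split(";"):
        key, _, value = part.strip().partition("=")
        if value:
            tags[key] = value
    return tags if tags.get("v") == "DMARC1" else None

def dmarc_disposition(from_domain, sender_ip, dkim_signing_domain=None):
    """The message passes DMARC if SPF or DKIM passes AND is aligned with the From: domain;
    otherwise the published policy (p=) is the disposition. Strict alignment is assumed here."""
    spf_aligned = check_spf(from_domain, sender_ip) == "pass"
    dkim_aligned = dkim_signing_domain == from_domain
    tags = parse_dmarc(from_domain)
    if tags is None:
        return "none"                   # no policy published: nothing to enforce
    return "pass" if (spf_aligned or dkim_aligned) else tags.get("p", "none")
```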

Gateway

An email gateway, also known as a secure email gateway (SEG), sits between an internal network and an external network and receives all incoming and outgoing email traffic to check for malicious activity. An email gateway essentially acts as an email filter and may use multiple security techniques, such as machine learning, signature analysis, and URL scanning.

File Integrity Monitoring

File integrity monitors evaluate the integrity of files within a network by creating signatures or fingerprints for files and then monitoring the file system for changes in the signatures or fingerprints of the files.
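A minimal file integrity monitor, as an added Python example (not from the study guide): it fingerprints every file under a directory with SHA-256, stores the result as a baseline, and later reports added, removed and modified files. The demo builds a throwaway directory tree with constructed file contents.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(root):
    """Map every file under root (relative POSIX path) to its fingerprint.
    In practice the baseline is stored where a compromised host cannot rewrite it."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(root, known):
    """Re-fingerprint root and report what changed against the stored baseline."""
    current = baseline(root)
    return {
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
    }

def demo():
    """Build a throwaway tree, take a baseline, tamper with it, and return the report (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin.sh").write_text("#!/bin/sh\necho ok\n")
        (root / "old.log").write_text("rotated\n")
        known = baseline(root)
        # Simulated changes: edit a config, drop a new file, delete a file; bin.sh is untouched.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "new.conf").write_text("debug=true\n")
        (root / "old.log").unlink()
        return compare(root, known)

if __name__ == "__main__":
    print(demo())
```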

Data Loss Prevention (DLP)

DLP tools are designed to monitor data throughout its life cycle. They are commonly deployed on endpoint devices and are connected to a primary server for management. DLP tools can classify, label, and tag data within the network to identify protected or sensitive data. DLP tools can also be programmed with policy management and enforcement functions, as well as monitoring and reporting capabilities.

Network Access Control (NAC)

NAC is used to secure a network by allowing or denying access based on specific predefined rules. The NAC software agent that is used can be either installed on the device itself or it can be agentless through the use of a web browser. NAC is a powerful enforcement tool that can validate the security status of a requesting device either prior to connection, referred to as pre-admission, or after connection, referred to as post-admission.

Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR)

EDR tools are used to add another layer of protection to endpoints through monitoring and log analysis. EDR systems evaluate the collected data looking for anomalies and indicators of compromise (IoCs), and they can be either automated or manual. XDR expands upon the capabilities of EDR to include the network as a whole and its associated components.

User Behavior Analytics

User behavior analytics is a security tool that is used to identify unique users and their associated behaviors to detect anomalous activity through the use of machine learning algorithms (MLAs) and automation. A baseline is created through the analysis of standard user behavior, which is then used as a point of comparison for future behaviors.
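The baseline-then-compare idea behind user behavior analytics, as an added Python example (not from the study guide): a per-user profile is built from constructed historical activity (daily download volume and login country), and new activity is scored against that user's own profile rather than a global rule. The users, numbers and countries are made up; the z-score limit is an assumed setting.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-day activity records: (user, files_downloaded, login_country). Not real telemetry.
HISTORY = (
    [("alice", n, "US") for n in (12, 15, 10, 14, 11, 13, 12, 16, 9, 13)]
    + [("bob", n, "DE") for n in (40, 35, 42, 38, 41, 39, 37, 44, 36, 40)]
    + [("bob", 39, "AT")]
)

def build_baseline(events):
    """Per-user baseline: mean and spread of daily download volume, plus the countries seen."""
    per_user = defaultdict(lambda: {"downloads": [], "countries": set()})
    for user, downloads, country in events:
        per_user[user]["downloads"].append(downloads)
        per_user[user]["countries"].add(country)
    return {user: {"mean": mean(d["downloads"]), "std": pstdev(d["downloads"]),
                   "countries": frozenset(d["countries"])} for user, d in per_user.items()}

def score(baseline, user, downloads, country, z_limit=3.0):
    """Return the reasons a new day's activity deviates from the user's baseline (empty = normal)."""
    profile = baseline.get(user)
    if profile is None:
        return ["unknown_user"]          # no baseline yet: route to review rather than silently pass
    reasons = []
    spread = profile["std"] or 1.0       # avoid division by zero for perfectly regular users
    if (downloads - profile["mean"]) / spread > z_limit:
        reasons.append("download_volume")
    if country not in profile["countries"]:
        reasons.append("new_country")
    return reasons

if __name__ == "__main__":
    profiles = build_baseline(HISTORY)
    print(score(profiles, "alice", 60, "BR"))
```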
