Diary Entry 002: Security+ Domain 2

Hello everyone, and welcome to The Analyst Diaries, a college student’s blog into all things cybersecurity! I am currently preparing to take my CompTIA Security+ and wanted to share what I have been learning here in hopes of making the information a whole lot more approachable, digestible, and (hopefully) helpful to those of y’all like me, just diving into the field!

What to Expect

This post is packed with quick definitions and simple breakdowns of tricky concepts. I’ve included infographics, diagrams, and helpful visuals to make everything easier to digest. Whether you’re just getting started or brushing up for the exam, I hope this helps make domain 2 feel a little less overwhelming!

The CompTIA Security+ covers 5 domains:

• General Security Concepts (12%)

• Threats, Vulnerabilities, and Mitigations (22%)

• Security Architecture (18%)

• Security Operations (28%)

• Security Program Management and Oversight (20%)

This article will be covering the second (Threats, Vulnerabilities, and Mitigations) but feel free to jump back to my article on domain 1, if you need to brush up on the fundamentals! Domain 1 makes up 22% of the exam, which is the second largest, so being solid on these topics is imperative for passing.

Domain 2 focuses on five main areas:

• Threat Actors and Motivations

• Threat Vectors and Attack Surfaces

• Vulnerabilities

• Malicious Activity

• Mitigation Techniques

Over the next few sections, I’ll break down what I’ve learned during my Security+ prep. These topics are ever-present and constantly evolving in the field, so my goal is to really understand them— and help you do the same! In the ‘Security+ (V7) Exam Objectives Summary’, the exam objectives and common terms for domain 2 can be found. I find it helpful to use this list as a jumping off point for my studies and try to connect those key terms to one another in active recall.

So grab your coffee and lets get started!

Content

Threat Actors and Motivations

Lets dive into some common threat actors first! A threat actor is an individual or group that exploits vulnerabilities and intentionally causes harm to a computer, network, or system. Threat actors can range from beginners to highly organized. Below you can find a list of the most common terms used to refer to threat actors as well as their skill levels and motivations:

Threat motivations vary for each kind of threat actor, ranging from financial gain to political causes. Some key motivations to be aware of are…

• Data Exfiltration: intentional, unauthorized transfer of sensitive data from one system to an external device

  • often using malware or manual extraction

• Espionage: stealing classified, sensitive data, or intellectual proper y to gain an advantage over a company or government entity, usually for economic gain, competitive advantage, or political reasons

  • theft of trade secrets, bribery, blackmail, phishing attacks, or surveillance

• Financial Gain

Threat Vectors and Attack Surfaces

Next up are the various threat vectors and attack surfaces. A threat vector refers to a method that attackers enter a network or system. A organization’s attack surface is the sum of all the points of entry that can be exploited to enter a system (all threat vectors and entry points).

Common attack vectors can be found below:

A common type of social engineering attack is phishing. Phishing takes place when an attacker tricks someone into giving them sensitive information. Types of phishing include:

• Spear Phishing: target is well researched and appears to come from a trusted sender

• Whaling: campaigns that target the “big fish” within an organization for things like wire transfers, tax information, and other financial data

• Smishing: phishing over SMS

• Vishing: voice fishing

Some additional social engineering attacks are impersonation, watering hold, and typo squatting.

• Impersonation: an attacker acts like someone you trust to steal credentials, personal information, etc.

• Watering Hole Attack: sophisticated attack that identifies websites that targets frequently visit but are less secure and infects them

• Typo Squatting/URL Hijacking: setting up domain names to capitalize on the fact that users make typos (i.e. gooogle.com )

Vulnerabilities

A vulnerability is exactly what it sounds like— a vulnerable place in a system. It is a flaw or weakness that can be exploited by an attacker. A zero-day exploit refers to a vulnerability that has been discovered that there is no fix for; if you would like to see a list of all the currently known zero-days, click here. The following are mediums that vulnerabilities can appear on/in:

• application

• hardware

• mobile device

• virtualization

• operating system (OS)-based

• cloud specific

• web-based

• supply chain

Each medium has their various vulnerabilities, lets go in depth for each of them and what types of attacks and weaknesses there can be!

Application-Level Vulnerabilities:

• SQL Injection is a super common an easy attack which uses malicious SQL code for insecure backend database manipulation. This gives attackers access to information that is not intended to be displayed which could include sensitive data or private information. I found this particularly interesting, so if you do as well and would like to learn more and see it in action try this room on TryHackMe!

Hardware Vulnerabilities:

Mobile Device Vulnerabilities:

• Untrusted App Stores

• Jailbreaking/Rooting: removes operating system restrictions on mobile devices

• Bluetooth and Wi-Fi Exploits

• Location/Data Leakage

Virtualization Vulnerabilities:

Operating System (OS)-Based Vulnerabilities:

• Privilege Escalation

• Unpatched Systems

• Service Misconfigurations

• Backdoors

Cloud-Specific Vulnerabilities:

A cloud provider is a large multi-tenant set of infrastructures which attract skilled hackers who are drawn to large, desirable companies. Vulnerabilities could consist of…

• Inadequate Identity and Access Management (IAM): weak password policies, overly permissive roles, neglected user deprovisioning, etc.

• Insecure APIs

• Shared Technology

• Shadow IT

• Lack of Encryption: data should be encrypted while in transit and at rest which becomes even more important in the cloud since we are constantly moving data.

Web-Based Vulnerabilities:

Supply Chain Vulnerabilities:

• Malicious or Compromised Vendors

• Update Tampering

• Lack of Vendor Vetting

• Dependency Exploits

Malicious Activity

Now that we have laid the groundwork for where a system can be vulnerable, lets talk about how we know malicious activity is occurring, we can call these indicators of compromise. These indicators are artifacts observed with a high degree of confidence that indicate a computer intrusion. Baselines should be set prior to use so that you’re aware of any activity or traffic that is abnormal. Some indicators of compromise could be:

• Unusual Outbound Network Traffic

• DNS Request Anomalies

• Mismatch Port-Application Traffic

• Anomalies in Privileged User Account Activity

But what exactly could be happening behind the scenes when these indicators arise? Malicious activity can come in a few different forms, each of which we are going to take the next few minutes to discuss! Starting with (what I think) is the most interesting, malware attacks.

Malware is short for malicious software and is defined as any intrusive software developed by an attacker to steal data, damage, or destroy computer systems. There are many types of malware and new ones being developed each day. The infographic below outlines the most common (and the ones most likely on the Security+):

Other forms of malware are logic bombs which trigger after a period of time or based on some date, and a rootkit which installs itself at the OS or Kernel level to avoid detection. Some defenses that can be used to combat malware are…

• Antivirus/Anti-Malware

• Endpoint Detection and Response Systems (EDR)

• Security Awareness Training

• Keeping Systems Patched and Up-to-date

The next type of attack we will discuss are password attacks. These are attempts to gain unauthorized access by exploiting weak or reused passwords. Similar to malware, there are many different ways to exploit a password, a few we have already detailed like phishing and keylogging. There are others, of course, which you can find in the infographic below:

Application attacks target vulnerabilities in software applications. These mainly consist of ones we’ve already covered: SQL injection (SQLi), cross-site scripting (XSS), command injection, insecure APIs, and cross-Site request forgery (CSRF). Application attacks can be defended against by validating input, implementing web application firewalls, ensuring secure coding practices, reviewing code regularly, frequently scanning for vulnerabilities, and testing the security of APIs.

As we well know, security spans beyond computer systems, so physical attacks also must be considered. These attacks require physical access to devices or infrastructure. A few common types are:

• Theft of Devices

• Hardware Keyloggers

• Evil Maid Attacks: attacker gains brief physical access to install backdoors

• Tailgating

• Dumpster diving

Some defenses that can be used in the case of physical attacks are physical security controls, full disk encryption, device tracking and remote wipe, security training and awareness, and clean desk policies and shredders.

Network attacks an another way attackers attempt to exploit vulnerabilities, through network infrastructure or communication channels in this case. Common types are listed here:

Common defenses for network attacks are…

• Network Segmentation and Firewalls

• VPNs and TLS Encryption

• Intrusion Detection/Prevention Systems (IDS/IPS)

• Secure DNS and DHCP Configurations

• Traffic Monitoring and Anomaly Detection

The last type of attacks we’ll discuss in this section are cryptographic attacks. These can consist of brute-force, replay, and downgrade attacks which we have discussed previously, as well as a few we haven’t covered:

• Birthday Attack: exploit hash collisions based on the ‘birthday’ paradox which says that if you have 23 people in a room there is at least a 50% chance that two have the same birthday

• Weak Key Usage: poor key generation or reuse

• Cryptanalysis: advanced math used to break algorithms

Mitigation Techniques

Now we’re in the final stretch, look at us go! We have finally made it to the final topic of domain 2, mitigation techniques. Mitigation refers to the action of reducing the severity, seriousness, or negative effect of something. When going over the different types of malicious activity, I listed some common defenses along with them, but in the next few paragraphs well will be diving into specific techniques that keep enterprises secure.

Segmentation:

Networks can be segmented to prevent lateral movement from attackers. Physical or logical segmentation breaks networks into groups of smaller collision domains to reduce chatter and create security boundaries called VLANs (Virtual Local Area Network). These virtualized environments keep hosts in a “sandboxed” or isolated environment, allowing control over the environment to go to the network administrator or system admin. This method of isolating a computer or network from the internal or external network is critical for highly secure classified networks, and is often referred to as air gapping.

Access Control:

In my overview of domain one (which can be found here, if ya missed it) we discussed the different types of access control. This concept is mainly applied in mitigating risk. Access control lists (ACL) are used to determine the level of access to one or more resources a user can have. These lists can be implicit or explicit and up to the discretion of the resource owner (DACL) or system-wide policy (SACL). I’ll remind you here of the key term, least privilege, which provides individuals or systems with the minimum level of access or permissions necessary to preform their job junctions.

Configuration Enforcement:

Ensuring the system and software adhere to defined configuration standards is critical in standardizing the environment, adhering with compliance, reducing attack surface, and keeping up with documentation.

Systems:

There are many systems and tools that a company can use to monitor and protect their digital systems. Listed in the below are a few:

• SIEM: security information and event monitoring

• EDR: endpoint detection and response, monitor and collect activity data from endpoints, analyze data to identify threats, patterns, or IOCs, automatically respond

• Host-Based Firewalls: protect a single host only, usually by restricting applications (not as robust as network)

• IDS/IPS: can be host-based (HID/PS) or network-based (NID/PS)

  • IDS: can detect anomalous behavior and alert

  • IPS: functions similarly but can additionally take specified actions

• SOAR: security orchestration, automation, and response, a tool that brings together a bunch of outside data and tools into one UI

Resources

If you’re studying for the Security+ Exam, I highly recommend the following resources, they have been invaluable in my learning and creating this post!

• Professor Messer YouTube Videos (https://www.youtube.com/professormesser)

  • great resource to get familiar with the material, I listened to these in the car, on walks, and really at every chance I could! (plus they are free)

• PluralSight CompTIA Security+ (https://app.pluralsight.com/paths/certificate/comptia-security-sy0-701)

  • unfortunately it is a paid resource, but the labs and information coverage was great! I watched each module and took extensive notes. I am just getting into the labs now, but they have been great so far (I’ll keep y’all updated)

Final Thoughts and Additional Considerations

Thank you so much for coming along with me on my exploration into all things ‘Threats, Vulnerabilities, and Mitigations’ for the CompTIA Security+ Exam. I hope that this was helpful and that you learned something new!

I am super excited to continue to learn more about the world of cybersecurity and continue to share it on this blog: The Analyst Diaries.

Until next time,

Jewels from The Analyst Diaries :)