CompTIA Security+ SY0-501 Exam Preparation – The Basics of Information Security

BASICS OF INFORMATION SECURITY

THE NEED FOR SECURITY

Over time, cybersecurity attacks have evolved from a simple text that appeared on a screen to cyber attacks that can lead to a loss of life. Yes, loss of life.

Cybercriminals are not only attacking banks and financial institutions; they are also attacking companies in other industries such as energy, transport, and health.

Some of the attacks can be carried out to gain financial benefits, while others are carried out for vandalism purposes.

Attacks on hospitals that target life-supporting infrastructure can lead to a loss of life. This type of attack should not be underestimated and should be effectively mitigated.

So, we understand that organizations need to protect their information and IT infrastructure.

Information security is the result of the need to defend against different cyber attacks.

Information security can be defined as the state of safeguarding the electronic information of an organization.

Qualified information security professionals, with the aid of different tools and technologies, are responsible for protecting such information.

Getting security certifications is one of the ways in which an individual can prove his/her cybersecurity skills. The Computing Technology Industry Association (CompTIA) Security+ certification is one of the most respected and in-demand security certifications in the world.

Let’s agree that nothing is 100% secure. As technology evolves, so do attacks.

As we said earlier on, information security’s main goal is to protect information.

There is a battle between securing the information and accessing it to achieve business objectives.

Normally, where there is more security, there is less convenience (functionality with an appealing user interface and good usability). More functionality means fewer restrictions.

Information security is intended to protect the CIA of information.

In the context of information security, the CIA stands for Confidentiality, Integrity, and Availability.

Confidentiality of information: It is the state in which only individuals with adequate rights can view and access the information.

This means that sensitive information should be accessed by authorized users only.

For example, in the case of a hospital, the hospital should ensure that patients’ sensitive information is accessed only by authorized users and is kept safe at all times.

The integrity of information: It is the state of having the information in its genuine and correct format, where the information has not been maliciously changed or altered.

For example, Alice is shopping online. She has selected a product and now wants to check out. The checkout balance is $100. The integrity of the information is compromised if she finds a way to change the balance from $100 to $1 (so that she pays less for the product).
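Alice’s checkout scenario is the classic integrity failure of trusting a value after it has passed through the client. The following added example (it is not from the original page) contrasts a checkout routine that trusts the client-supplied total with one that recomputes the total from server-side prices, and adds an HMAC tag for cart data that has to round-trip through the client. The catalog, the key and the request are constructed for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed server-side price list: the only source of truth for prices.
CATALOG = {"sku-100": Decimal("100.00"), "sku-25": Decimal("25.00")}

# Constructed key for the integrity tag; a real service loads it from a secret store.
INTEGRITY_KEY = b"example-server-side-integrity-key"


def checkout_insecure(request):
    """Trusts the total the browser sends back. Alice can edit 100 to 1."""
    return Decimal(str(request["total"]))


def checkout_secure(request):
    """Ignores any client-supplied total and recomputes it from CATALOG.

    Quantities are validated as positive integers; unknown SKUs are rejected.
    """
    total = Decimal("0")
    for sku, qty in request["items"].items():
        if sku not in CATALOG:
            raise ValueError(f"unknown item {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity for {sku!r}")
        total += CATALOG[sku] * qty
    return total


def sign_cart(items):
    """Attach an HMAC-SHA256 tag so a cart stored on the client can be verified later."""
    body = json.dumps(items, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"items": items, "tag": tag}


def verify_cart(signed):
    """Return True only if the cart body still matches its tag (constant-time compare)."""
    body = json.dumps(signed["items"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed.get("tag", "")))


if __name__ == "__main__":
    # Constructed tampered request: one $100 item, but the client claims total = 1.
    tampered = {"items": {"sku-100": 1}, "total": 1}
    print("insecure total:", checkout_insecure(tampered))  # 1
    print("secure total:  ", checkout_secure(tampered))    # 100.00

    cart = sign_cart({"sku-100": 1})
    cart["items"]["sku-100"] = 0  # client-side edit after signing
    print("cart still valid:", verify_cart(cart))        # False
```

The server-side recomputation is the real control; the HMAC tag only detects modification of data the server chose to hand to the client, and it still must not be used to carry the price itself when the catalog can simply be consulted.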

Availability: it is the state of having information available as required and expected by its authorized users.

For example, Bob has an online account with a shopping store. Bob would like to update his personal information, so he wants to log in to his account. Bob could not reach the login portal of the store, maybe due to a cyber attack or due to a faulty login-page implementation by the store itself.

In this case, the availability of information has been compromised because it denied Bob (as an authorized user) access to his information (when he wanted to do so).

The CIA concept has been extended to include the AAA concept.

AAA stands for Authentication, Authorization, and Accounting.

Authentication: It is the state of ensuring that the user is genuine and not fake. A fake user is one who poses as another user or entity.

A user can be authenticated when he/she proves that he/she is the person he/she is claiming to be.

Alice wants to log in to her account. The system authenticates her by asking her to input a password that only she knows (to verify that it is really her, so that she can have authorized access to her account).

Authorization: It is the state of having adequate permissions to access information. For example, a bank stores sensitive information about its clients. The bank should ensure that individuals who want to access such information (to perform certain tasks) have adequate permissions and approval to do so. They should be authorized to access the information.

Accounting: It is the state of being responsible for your actions. It provides traceability of certain events.

Alice works for a company, and she has access to sensitive information. The organization that Alice works for keeps track of her activity on the system so that she is accountable for it. This means that Alice’s access to information and system resources is monitored, logged, and audited.
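The three A’s are easiest to see as three separate checks on one request. The following added example (not from the original page) models them in Python: authentication with a salted PBKDF2 password hash, authorization through a role-to-permission map, and accounting through an append-only audit log that records every authentication and access decision, allowed or denied. The user, the roles and the resource names are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed role model: an analyst may read records, an admin may also delete them.
ROLE_PERMISSIONS = {
    "analyst": {"records:read"},
    "admin": {"records:read", "records:delete"},
}

# Accounting: every decision is appended here (in practice, a write-once log store).
AUDIT_LOG = []


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    role: str


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count kept modest for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(name, password, role):
    """Create a user record; only the salted hash of the password is stored."""
    salt = os.urandom(16)
    return User(name, salt, _hash_password(password, salt), role)


def record(actor, action, resource, allowed):
    """Accounting: append an audit entry describing who did what and the outcome."""
    AUDIT_LOG.append({"ts": time.time(), "actor": actor, "action": action,
                      "resource": resource, "allowed": allowed})


def authenticate(user, password):
    """Authentication: is the caller who they claim to be? (constant-time compare)"""
    ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
    record(user.name, "authenticate", "-", ok)
    return ok


def authorize(user, permission):
    """Authorization: does the authenticated user's role grant this permission?"""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def access(user, password, action, resource):
    """Run the full AAA sequence for one request and return the decision."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    allowed = authorize(user, action)
    record(user.name, action, resource, allowed)
    if not allowed:
        return "denied: not authorized"
    return f"ok: {action} on {resource}"


if __name__ == "__main__":
    alice = register("alice", "correct horse battery staple", "analyst")
    print(access(alice, "correct horse battery staple", "records:read", "patient-42"))
    print(access(alice, "wrong password", "records:read", "patient-42"))
    print(access(alice, "correct horse battery staple", "records:delete", "patient-42"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed authentication is logged before authorization is even considered, and a denied authorization is logged as well: accountability covers attempts, not only successes.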

Information security is also involved in protecting information while it is being stored, transmitted, and processed. It protects both the information and the assets that hold it.

So, for proper information protection, an organization has to implement measures to ensure the CIA of information.

INFORMATION SECURITY TERMINOLOGY

As an information security professional, you should familiarize yourself with the terminology that is used in the industry.

Asset: An asset is a resource or item that has a value.

An information security asset is an asset that is a valuable resource or item to the organization. It can have a financial value to the organization. It is considered to be valuable due to the organization’s investment in it and is used to help the organization achieve its business objectives.

Clients’ databases, operating systems, and servers can be considered as assets.

Threat: A threat is something that can cause harm or damage to the information or its assets. It is the danger that the organization wishes not to happen.

It has the potential to cause harm to a computer system (such as erasing data or sabotage).

A threat agent (or threat actor) is the entity that can lead to a threat. It can be an individual, a natural event, or a piece of software.

Hurricanes, spam, and phishing are examples of threats.

Vulnerability

  • It is a weakness, flaw, or error in the design or implementation of an asset or a system
  • The attacker can take advantage of the weakness or the error to gain unauthorized access to the system and its resources
  • A poorly configured server and unpatched software are examples of vulnerabilities

An attack can take place when an attacker takes advantage of a vulnerability. A threat vector is defined as the means that the threat agent can use to attack a system.

Exploit

  • It is the act of taking advantage of a vulnerability to obtain unauthorized access to the system
  • Unauthorized access to a server can be described as an exploit when an attacker takes advantage of a misconfigured server (the vulnerability)
  • The attacker took advantage of the misconfiguration to gain unauthorized access to the system

Risk

  • It is the impact (damage) that can be a result of asset compromise
  • Financial losses and reputational damages can be examples of risks in information security.

Payload

  • It refers to the component of the code that executes the malicious activity
  • Displaying an inappropriate message and destroying data are examples of payloads

WHY DO WE NEED INFORMATION SECURITY

Individuals and organizations need information security to protect information and prevent theft. It can thwart threats (whenever applicable), and help avoid legal consequences. It also helps organizations to securely achieve their business goals.

THINK LIKE AN ATTACKER

Normally, a hacker is successful in accessing networks and systems because he/she understands the mindset of a security administrator and knows how to penetrate a system.

As a cybersecurity professional, for you to be able to defend against hacking, you have to think like one. You need to understand his/her mindset and the ways that he/she can use to get unauthorized access to the system.

You should be aware of how they think, the methods and tools that they use to break into a system.

When we are thinking like hackers, we need to understand the different motives of the hackers. Each hacker or hacker group has its own goals behind the hacking activity.

TYPES OF HACKERS

There are different types of hackers. Based on their motives, we can classify them as follows:

  • White Hat:
    • Skilled individuals who ethically use their skills to defend organizations
    • The hacking is done with the consent of the system owner
  • Black hat
    • Skilled individuals who use their skills for malicious and destructive activities
    • These are the malicious actors who steal information, erase data, etc.
  • Gray Hat
    • Individuals who sometimes act as white hat hackers and sometimes as black hat hackers
  • Script kiddies
    • They use tools and programs written by real hackers
    • They lack the hacking skill
  • State-sponsored
    • Individuals who are sponsored by state governments to perform different activities
  • Hacktivists
    • The term comes from combining hack and activist
    • Skilled individuals who hack for political reasons

WHAT IS AN INFORMATION SECURITY ATTACK

It is an attempt or a malicious process to compromise the confidentiality and integrity of information and to disrupt systems by exploiting system vulnerabilities.

The attacks are launched by malicious actors to achieve a certain objective such as deleting information, stealing trade secrets, etc.

Attacks come in different forms. Some types of attacks are:

  • Password cracking
  • Denial of service
  • Eavesdropping, etc.

PENETRATION TESTING FUNDAMENTALS

Definition

  • It is also known as ethical hacking
  • It is the state of intruding into a system or a network to find out vulnerabilities and threats that pose a risk to the organization
  • The tester uses different techniques and tools similar to those used by malicious hackers
  • This exercise is done with the permission of the concerned authorities
  • It is done to ensure the security of the system
  • The Penetration Test is performed by ethical hackers to determine whether a malicious actor can gain unauthorized access to the system by exploiting several vulnerabilities
  • Here, the penetration tester should think like a hacker

Phases of Penetration Testing

It consists of five phases:

  • Reconnaissance
    • It falls under a pre-attack phase
    • It is the process of collecting information about the target
    • It can be passive (without making direct contact with the target such as gathering information through online resources) or active (by making direct contact with the target such as phone call)
  • Scanning networks:
    • It also falls under a pre-attack phase
    • It is the process of gathering technical information about the target such as open ports, running services, etc.
    • The attacker can use an automated tool such as Nmap
  • Gaining access
    • This is when the attacker breaks into the system
    • The attacker bypasses the access control or authentication mechanism deployed or through any other means
  • Maintaining access
    • Running tools that will give the attacker “hidden access” to the system
    • It helps the attacker to remain undetected
  • Clearing Tracks
    • The attacker deletes/overwrites logs to:
      • avoid detection
      • conceal identity
      • avoid prosecution

Types of penetration testing

Black-box penetration testing is when the ethical hacking is performed with no prior knowledge of the network, the system, or the infrastructure.

White-box penetration testing is when the tester has full or complete knowledge of the network and the infrastructure.

Gray-box penetration testing is when the tester has limited knowledge of the network and the infrastructure.

HOW TO DEFEND AGAINST AN ATTACK

As a cybersecurity professional, you should be able to defend the organization against attacks. Attacks can be prevented or stopped before they take place.

You should be able to identify vulnerabilities before hackers do. You can stop an attack at any stage (whether at the information gathering stage or the system scanning stage). You have to do your best to prevent a system breach.

One way of effectively defending your organization is by implementing a defense in depth concept.

Defense in depth is the state where an organization deploys several layers of defenses to safeguard its information and assets.

The layers should not rely on the same defensive technique, so that an attacker cannot bypass several security layers with a single technique.

The organization should implement sophisticated security layers so that it makes it difficult for the attacker to obtain unauthorized access to its information.

It is important that you remain updated on the latest techniques and tools that are used by hackers to break into systems.

SUMMARY

Attacks on information are evolving. Today’s attacks can lead to loss of life.

Qualified individuals are responsible for securing information and ICT infrastructure in an organization.

Information security is about protecting the Confidentiality, Integrity, and Availability of Information.

To better defend the organization, information security professionals should think like hackers.

There are different types of hackers: white hat, gray hat, and black hat hackers.

Penetration testing is a legal way to break into a system and identify vulnerabilities.

Organizations can defend against attacks through the defense in depth approach.

PRACTICAL LABS

LAB 1 TRACKING REAL TIME LIVE ATTACKS WITH THREAT INTELLIGENCE DATA

A threat is something that can cause harm or damage to the information or its assets. It is the danger that the organization wishes not to happen.

Threat Intelligence is the process of analyzing the threats that the organization faces.

An attack is an attempt or a malicious process to compromise the confidentiality and integrity of information and to disrupt systems by exploiting system vulnerabilities.

As a cybersecurity professional, you should be aware of the threats that emerge in the information security industry. This will help you to better identify the threats and control the risks that face the organization.

SCENARIO

You want to educate yourself about the different threats. This will help you identify different attacks.

The type of attack gives you an insight into what the hackers are using as their attack vector.

As a result, you will be able to identify and mitigate the risks that are facing your organization.

OBJECTIVES

  • Identify live threats
  • A brief analysis of the identified threat

LAB REQUIREMENTS

  • PC
  • Internet Connection

TASKS:

  1. Open your browser
  2. Go to https://threatmap.checkpoint.com/ThreatPortal/livemap.html

This will take you to a live threat map

  3. Check the information that is on the site
  4. Towards the bottom right of the page there is a table; read its content
  5. Under the attack header, check the name of the attack
  6. Copy the name and paste it into a Google search
  7. (If you can’t copy the name of the attack because it goes away quickly, record it by any means that is convenient to you)
  8. Search the name
  9. Read the analysis that you find about the attack (the analysis should be from a trusted source)
  10. Go back to the map
  11. Click on any country of your choice
  12. Read the statistics about that country
  13. Write down your comments

This process will allow you to identify the attacks that are used by malicious actors right now. This will help you determine whether such attacks are a threat to your organizations or not.

If you are interested in extra tasks, you can try the following ones on your own:

  1. Write a threat intelligence report based on the findings
  2. Repeat tasks 1-13 using https://threatmap.fortiguard.com/

LAB 2 CHECK WHETHER YOUR WEBSITE HAS BEEN PWNED OR NOT

Pwned, in the cybersecurity context, means that the system has been compromised or conquered.

In this lab, we are going to use a tool that will help us check whether our email address has been compromised or not.

SCENARIO

Hackers break into different organizations that offer services that we use. These services can store our email addresses and passwords in plain text.

After successful attacks on the resources of that company, hackers manage to obtain our username and password combinations.

The account and password combination can be used to retrieve sensitive information to steal our identities.

LAB OBJECTIVES

  • Check compromised companies
  • Check if your account has been compromised
  • Check statistics of different breaches

LAB REQUIREMENTS

  • PC
  • Internet connection

TASKS

  1. Go to the website https://haveibeenpwned.com/
  2. On the top navigation bar, check the names of the big companies that have been pwned
  3. Pick a company of your choice (that is on the list)
  4. Read the descriptive information associated with the company
  5. Go back to the homepage of the website
  6. Scroll down to read the statistics of breaches
  7. Scroll up and type your email address (where it says email address) to check whether your account has been compromised or not

This lab allowed you to check the names of companies that are associated with data breaches.

If you are interested in extra tasks, you can try the following ones on your own:

  • Type the name of any account other than the email address and record the results
  • Explore the different services that are offered on the website (such as notify me, domain search)
  • Write your comments
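Besides the email lookup used in this lab, Have I Been Pwned also exposes its Pwned Passwords data through a k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every suffix in that range with a breach count, and finishes the comparison locally, so the full password hash never leaves the machine. The following added example (not from the original page, and not HIBP’s own client code) implements that client-side logic against a constructed copy of a range response so it runs offline; the counts in the sample response are constructed, and the only real value is the SHA-1 of the string "password".

```python
import hashlib

# Constructed stand-in for the body returned by GET /range/5BAA6.
# Each line is "<remaining 35 hex chars of SHA-1>:<times seen in breaches>".
# The counts are made up for this example; the middle suffix is the genuine
# remainder of SHA-1("password") = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.
SAMPLE_RANGE_RESPONSE = """\
1E2C32FA3D1B0B8C1A4A1C6F0E5D3B2A1C0:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2FA7D4E0C0B1A2D3E4F5061728394A5B6C7:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent
    to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appears in the data set (0 if absent).

    fetch_range(prefix) must return the text body for that 5-char prefix; only the
    prefix is ever passed out of this function, which is the k-anonymity property.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch(prefix):
    """Offline stand-in for the HTTPS request; a live client would use urllib or
    requests against https://api.pwnedpasswords.com/range/ + prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(f"{candidate!r}: seen {breach_count(candidate, offline_fetch)} times")
```

When wiring this to the live service, keep `fetch_range` as the only place that touches the network, so a code review can confirm that nothing more than the five-character prefix is transmitted.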

LAB 3 GATHERING INFORMATION ABOUT INDIVIDUALS

For an attacker to carry out an attack, he/she goes through a process.

The process is known as the Cyber Kill Chain. It was developed by Lockheed Martin.

Cyber Kill Chain is used to describe the stages the attacker goes through until he/she compromises the system.

In this lab, we are going to use a tool called Spokeo.

Spokeo is a people search engine that organizes white pages listings, public records, and social network information into simple profiles to help you safely find and learn about people.

SCENARIO

Before starting an attack, the attacker gathers information about the target. Depending on the purpose of the attack, the attacker can then specify the type of information that he/she wants to collect.

In our case, we assume that the attacker is collecting sensitive information about an individual to perform social engineering attacks for financial gain. These financial benefits can be realized through identity theft, where the attacker steals the identity of the victim, opens a new bank account or issues a new bank card, and steals money.

So the attacker can use Spokeo to gather information about the victim.

LAB OBJECTIVES

  • Gather sensitive information about people
  • Explore the returned results

LAB REQUIREMENTS

  • PC
  • Internet Connection

TASKS

  1. Open your browser
  2. Go to https://www.spokeo.com/
  3. Search for people using any of the available options (such as name, social, phone number or address)
    We are going to search by name
  4. Type the name in the search box
  5. I typed Jerry Banfield
  6. Then look to see whether you can find the person that you are looking for
  7. Note the information returned: name, age, phone number, email address, relationship status, location history, etc.

The gathered information will help the attacker to better craft his social engineering attack.

If you are interested in extra tasks, you can try the following ones on your own:

  • Analyze the collected information
  • Try to compare the results that you obtain from this tool with another similar online one
  • Write down your comments

LAB 4 GATHERING TECHNICAL INFORMATION ABOUT ONLINE CONNECTED DEVICES

As part of the Cyber Kill Chain, the attacker wants to gather information about the devices that he/she can attack for financial benefit.

The cybercriminal starts to look for internet-connected devices such as servers, webcams, and the Internet of Things (IoT).

The attacker goes to the Shodan search engine.

Shodan is a search engine for internet-connected devices.

SCENARIO

The attacker wants to look for remote targets that can be compromised. The attacker expects a financial reward for his malicious attacks.

As a result, the attacker starts to look for devices that have an internet-facing IP address. A device with an internet-facing IP can be remotely accessed.

LAB OBJECTIVES

  • Look for online routers
  • Look for online switches
  • Check the details of the identified devices

LAB REQUIREMENTS

  • PC
  • Internet Connection

TASKS

  1. Open your browser
  2. Go to https://www.shodan.io/
  3. In the search box, type the name of the device that you would like to look for
    In our scenario, we type routers
  4. Check the returned results
  5. Check the name of the router
  6. Click on one result of your choice
  7. Check the detailed results

The attacker can use the detailed results to architect another attack that will lead to system compromise.

Repeat steps 1-7 by typing switches instead of routers.

If you are interested in extra tasks, you can try the following ones on your own:

  • Perform more customized searches by using available search filters
  • Locate Apache servers by typing the following in the search box: apache
  • Check the returned results
  • Write down your comments

PRACTICE QUESTIONS

1. There are different types of hackers. The hackers who break into a computer system with the permission of the system owner are known as:

  1. white hat hackers
  2. black hat hackers
  3. blue hat hackers
  4. gray hat hackers

2. Complete security is guaranteed when:

  1. the system is fully patched
  2. security solutions are purchased from a well-known vendor
  3. penetration testing services are outsourced
  4. never

3. Hackers who break into the organization without the permission of the system owner and publish the discovered vulnerability online without notifying the organization are called:

  1. White hat hackers
  2. Gray hat hackers
  3. Black hat hackers
  4. Dark hat hackers

4. For you to better defend against hackers, you should think like___________:

  1. security manager
  2. white hat
  3. hacker
  4. auditor

5. Organizations defend against attacks daily. Which of the following is NOT a reason why organizations find it difficult to defend against evolving attacks?

  1. Outdated systems
  2. Remotely connected devices
  3. The different integration of sophisticated defense tools and mechanisms
  4. Attacks techniques are rapidly changing and getting complicated

6. Why can malicious actors demand high prices for stolen customer-sensitive information such as customer credit card numbers?

  1. It took the malicious actor a lot of time and effort to obtain the stolen information
  2. The attacker wants a high price for his skills that he used to obtain the information
  3. The attacker prices the information depending on the income of the organization where the information was stolen from
  4. The vulnerability was previously unknown and is unlikely to be patched quickly.
  5. The attacker prices the stolen information based on how much money can be gained from it

7. Information security is best described as:

  1. Using antivirus tools to protect information systems
  2. Use scanners to identify vulnerabilities
  3. Protecting electronic information and ICT assets
  4. Implementing locks and ensuring that servers are stored in secure locations

8. Information is only accessed by authorized users:

  1. Authentication  
  2. Authorization
  3. Confidentiality
  4. Availability

9. Threat actor:

  1. is the entity or person that poses as a vulnerability
  2. is the entity or person that identified the vulnerability and the threat
  3. is the entity or person that was caught performing an attack
  4. the person or entity that can lead to a threat

10. Ensuring the entity/individual is genuine and not fake

  1. Auditing
  2. Authentication
  3. Demonstration
  4. Certification

11. What is the difference between a hacktivist and a cyberterrorist?

  1. A hacktivist attacks to promote a political agenda, while a cyberterrorist conducts an attack to cause large scale fear
  2. A hacktivist is not motivated by ideology while a cyberterrorist is not.
  3. A hacktivist works alone while a cyber-terrorist works with governments only.
  4. The aim of hacktivist hacks for fun while cyberterrorists hack to gain money.

12. Which one is NOT a goal of information security:

  1. Restrict access of information to certain individuals/entities
  2. Prevent productivity
  3. Prevent data theft
  4. Avoid legal costs and penalties

13. It is an act that requires organizations to properly implement policies, processes, and procedures to ensure the CIA of information

  1. Hospital Protection and Insurance Association Agreement (HPIAA)
  2. Health Insurance Portability and Accountability Act (HIPAA)
  3. Hospital and Health Insurance Protection Accountability Act (HHIPAA)
  4. None of the above

14. Which of the facilities can cause large scale fear when attacked by cyber terrorists:

  1. Air condition control centers
  2. Water pump manufacturer
  3. Light distribution system
  4. Power plants

15. What is the first phase in penetration testing?

  1. Reconnaissance
  2. Password cracking
  3. Stealing information
  4. Executing tools to avoid detection

16. Implementing different layers of security to defend the organization

  1. Information layering
  2. Defense in depth
  3. Sophisticated information layers
  4. Network Layers security

17. An “Insider” is all but:

  1. Contractors
  2. Script kiddies
  3. Employees
  4. Suppliers

18. Cyberterrorists target water and power facilities because

  1. they have weak security controls
  2. they can cause large scale fear
  3. They are regulated by the government and would attract the attention of that government
  4. They require a lot of money that cyber terrorists have

19. State hackers are:

  1. Hackers that are privately funded to steal government military secrets
  2. Steal government information for fame
  3. Steal government information for fun
  4. hackers that are sponsored by government states to carry out hacking activities

20. An ______ is tasked to manage and implement information security in an organization

  1. Chief information security officer (CISO)
  2. Information security administrator
  3. Information security manager
  4. Information security technician

ANSWERS

  1. B: Black hat hackers. Black hat hackers break into a system without authorization or permission from the system owner.
  2. D: Never. Attacks are always evolving. Attackers find new ways to break into systems, so no security solution will guarantee the security of the system 100% of the time.
  3. B: Gray hat hackers. Gray hat hackers are hackers who hack legally and illegally at different times. When they hack illegally, they break into the system with the permission of the organization through an identified vulnerability. Then they publish that vulnerability online to promote awareness that the organization should patch that vulnerability.
  4. C: Hacker. You need to know the mentality, motives, and techniques of a hacker so that you know which security mechanisms to deploy to prevent a hacker’s attacks. So you should think like a hacker.
  5. C: The different integration of sophisticated defense tools and mechanisms is not one of the reasons why organizations find it difficult to defend against evolving attacks.
  6. D: The vulnerability was previously unknown and is unlikely to be patched quickly. This is a case of a zero-day attack. The vendor normally takes time to release a patch. As a result, the attacker will demand a high price for the discovered vulnerability.
  7. C: Protecting electronic information and ICT assets. The main goal of information security is to protect information and its assets from attacks.
  8. C: Confidentiality. It is the state of only allowing access to information to authorized users.
  9. D: It is the person or entity that can lead to a threat such as a disgruntled employee or a hurricane.
  10. B: Authentication. It is the state of ensuring that the user is genuine and not fake. A fake user is one who poses as another user or entity.
  11. A: Hacktivists hack to promote a political agenda for social change or to express their discontent with a situation. On the other hand, cyberterrorists carry out hacking activities to promote a political agenda and/or a certain ideology; they aim to incite large scale fear.
  12. B: Prevent productivity. One of the goals of information security is to enable productivity through securing information and its assets.
  13. B: HIPAA (Health Insurance Portability and Accountability Act). It is United States legislation that requires medical institutions to secure the CIA of their patients’ information through data security and privacy.
  14. D: Power plants. Attacking a power plant will disrupt the supply of electricity to certain areas such as cities. This will cause large scale panic and fear when the population learns that the power cut is the result of a cyber attack against the facility.
  15. A: Reconnaissance. It is a pre-attack phase. It is the phase where the attacker gathers information about the target.
  16. B: Defense in depth. Defense in depth is the state where an organization deploys several sophisticated security layers to safeguard its information and assets.
  17. B: Script kiddie. They are unskilled individuals who use tools written by real hackers. They are considered outsiders who hack for fame and/or for the thrill associated with the activity.
  18. B: They can cause large scale fear. Cyberterrorists choose to target facilities such as air traffic control, water facilities, and power plants because targeting any of these facilities can affect a large population and incite large scale fear.
  19. D: Hackers that are sponsored by government states to carry out hacking activities. Governments sponsor hacking groups to hack other governments or entities to steal sensitive information or to perform other malicious tasks.
  20. A: Chief Information Security Officer. The CISO’s position is responsible for assessing, evaluating, managing, and executing information security in an organization.

THANK YOU NOTE

This is the end of today’s exam preparations. In the next preparation session, we will be discussing malware, vulnerabilities and the associated threats.

Thank you!