Comptia CASP Notes – Modules 4 & 5

December 16, 2016 | Views: 3396

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Module 4

Enterprise Storage

Cloud Storage Types

Private → Public → Hybrid → Community

Cloud Service Models

  • IaaS (Infrastructure as a Service) – vendor provides the hardware the company manages

  • PaaS (Platform as a Service) – vendor provides hardware & software

  • SaaS (Software as a Service) – vendor provides everything

Data Archiving

  • Tier 1 – production, high availability

  • Tier 2 – Disaster Recovery, Short-Term retention

  • Tier 3 –  Tape backups for long term retention

SANs (Storage Area Networks)

High-capacity storage devices that are connected by a high-speed private network separate from LAN

Scalable but expensive

Easier maintenance but requires higher skill level

Sharing is easier but may  not be  possible to leverage legacy investments

Easier to provide physical security

SAN Security Issues

  • Data only secure as the OS

  • Fiber Channel does not provide security against spoofing

  • Fiber Channel and FCP (Fiber Channel Protocol) allows a knowledgeable attacker to steal or destroy data

NAS (Network Attached Storage)

  • Operates on LAN; almost any device can connect

  • Easier snooping and sniffing

Storage Protocols

  • iSCSI (Internet Small Computer System Interface) – IP-based networked storage method of encapsulating SCSI commands in IP packets.

    • Benefit: SCSI commands are used in SAN so iSCSI allows commands to travel the network

    • Security

      • Use separate VLAN for SAN traffic

      • Use ACLs & strong authentication

      • Use management interfaces only, encrypt data

File systems used

  • NFS (Network File System) – *NIX based systems

  • CIFS (Common Internet File System) – Version of SMB (Server Message Block) Windows use

Secure Storage Management Techniques

  • Multipathing – multiple physical or virtual network paths

  • Round Robin multipathing (performance)

  • Snapshots – able to provide a full copy of data; fast captures only data that has changed

  • Deduplication – removes redundant data

  • DDPs (Dynamic Disk Pools) – uses an algorithm to define which drives are used; requires a minimum of 11 drives

LUN Masking / Mapping

  • LUN identifies a device by the SCSI or iSCSI

  • Masking/Mapping controls access to a LUN by hiding its existence

  • Can be done at the HBA (host bus adapter)

Offsite Replication

  • Asynchronous – delayed replication; uses less bandwidth, can survive higher latency

  • Synchronous –  Near real time but requires higher bandwidth & cannot tolerate latency

  • Point-in-time (snapshot) – periodic replication, uses the least bandwidth; only replicates changes


  • Disk-level

    • Entire volume/disk encrypted; slow boot/log on process

  • Block-level – disk level

    • Partition encryption or virtual encryption

  • File-level

    • Per file, key for each owner

  • Record-level

    • Useful in high-security environments (HIPAA or Credit Card industry)

  • Port-level

    • Used to encrypt network data on specific ports; prevents eavesdropping

Network & Security Components, Concepts, & Architectures

Remote Access – VPNs

  • LAN protocol required; remote access protocol required

  • Authentication protocol & encryption protocol (optional)

  • Implemented either remote or site-to-site

SSH (Secure Shell)

RDP (Remote Desktop Protocol) – proprietary developed by Microsoft to provide a graphical interface

VNC (Virtual Network Computing) – operates like RDP but uses the RFB (Remote Frame Buffer) protocol

  • VNC server – program that shares the screen

  • VNC client – program that interacts with the server

  • VNC protocol (RFB) – used to communicate between the client & VNC server

SSL (Secure Sockets Layer)

  • SSL portal – single SSL connection for accessing multiple services on a web server

  • SSL tunnel – used to access a server that is not a web server, provides access through a web browser

IPv6 – provides a virtually unlimited number of IP addresses. 128 bits organized into 8 hextets

Transport Encryption

  • FTP → secure versions FTPS or SFTP

  • HTTP → secure versions HTTPS port 443 or HTTPS port 80

Network Authentication Methods

  • PAP Password Authentication Protocol (sends in clear text)

  • CHAP Challenge Handshake Authentication Protocol  (password not sent)

    • MS-CHAP

    • MS-CHAPv2

  • EAP (Extensible Authentication Protocol) – framework with many versions that use hash and encryption

    • EAP-MD5-CHAP (password used but not transmitted)

    • EAP-TLS (certificates on client and server)

    • EAP-TTLS (certificates on server only)

Authentication Concepts (additional)

  • TOTP (Time-based One-time Password) computes password from a shared secret and time

  • HOTP (HMAC One-time Password) – computes from a shared secret using an incrementing counter on both the client and server

  • SSO (single sign-on) – requires user to authenticate once to access all network resources

802.1x – standard for port based authentication uses 1. Supplicant 2. Authenticator 3. Authentication server

  • RADIUS – udp only encrypts password, does not support all protocols but creates less traffic

  • TACACS+ – TCP, entire packet encrypted, supports all protocols

Mesh Networks – All nodes cooperate to relay data and connect to each other; uses one of several protocols:

  • AHCP (Ad Hoc Configuration Protocol)

  • PAA (Proactive Autoconfiguration)

  • DWCP (Dynamic WMN Configuration Protocol)

Security Devices

  • UTM (Unified Threat Management) – performs multiple security function within the same device

  • NIPS (Network Intrusion Prevention System) – scans traffic, takes action against attack

  • IDS (Intrusion detection system) – only detects unauthorized access or attacks; host or network based

  • INE (In-line Network Encryptor) or HAIPE (high-assurance internet protocol encryptor) – certified as Type I by NSA

  • SIEM (Security Information & Event Management) – receives information from log files

  • HSM (Hardware Security Module) – appliance that manages digital keys with strong authentication

  • WAF (Web Application Firewall) – applies rules to HTTP packets

  • NGFWs (Next-generation firewalls) address shortcomings of stateful firewalls without hurting performance

  • Vulnerability scanners (passive & active)

  • DAMs (Database Activity Monitors) – monitor database services & transactions

    • Interception – watches client server communication

    • Memory based – uses a sensor attached to the database to collect SQL statements as the are performed

    • Log-based – Analyzes and extracts information from transaction logs

Network Devices

  • Switches – vulnerable to MAC address overflow attack


  • Packet-filtering – looks at every packet and compares to ACL

  • Stateful – looks at state of connections, only allows connections that makes sense based on 3-way handshake

  • Proxy – operate at session layer, deep inspection also the biggest network impact

  • Dynamic packet-filter (port forwarding) –

  • Kernel proxy firewalls – inspects packets at every layer of the OSI without the performance reduction

Firewall Implementations

  • Dual-Homed Firewall

  • Multihomed Firewall – more than 2 network interfaces

  • Screened Host Firewall

Common Ports

  • DNS TCP & UDP: port 53

  • FTP TCP & UDP: Port 20, UDP port 21

  • SFTP TCP & UDP: Port 22(uses ssh)

  • HTTP TCP: port 80

  • HTTPS TCP: port 443 (uses ssl)

  • SSH TCP: port 443

  • POP3 TCP: port 110

  • SMTP TCP: port 25

Secure Configuration & Network Security

ACLs – use rules to control allowed traffic

  • Access-list 101 deny tcp host host eq www

    • The above says deny the host from http traffic to the destination address


  • RAID 0 – requires 2 drives, no fault tolerance, quick read times

  • RAID 1 – requires 2 drives, provides fault tolerance through duplication across drives

  • RAID 3 – requires 4 drives, 3 with data 1 with parity

  • RAID 5 – stripes data with parity information across all drives. At least 3 drives

  • SPOF (single point of failure) – anywhere where 1 device failure will be catastrophic

DTP (Dynamic Trunking Protocol) – should be disabled, set trunk links manually

To prevent VLAN hopping: never use VLAN 1 (default) for anything

HVAC Controllers – use BACnet (Building Automation & Control Network)

SCADA (Supervisory Control and Data Acquisition |

ICS (Industrial control systems)

RTUs (Remote Terminal Units) – connect to sensors and convert sensor data to digital data, including telmetry

PLCs (Programmable Logic Controllers) – connect to sensors and convert sensor data to digital data, does not include telemetry

Human Interface: presents data to operator

Authentication and Authorization Technologies

Biometric Concepts

  • FRR (False Rejection Rate) – how many users will be falsely rejected (Type I)

  • FAR (False Acceptance Rate) – How many invalid users will be falsely accepted (Type II) this is worse than FRR

  • CER (Crossover Error Rate) – Point where FRR equals FAR; low numbers are better

Certificate Based Authentication

  • Requires the deployment of PKI

  • PKI can verify that a public key is tied to an entity and verify that the certificate is valid

Access Control Models

  • DAC (Discretionary Access Control) – allow owner of resource to determine who can access

  • MAC (Mandatory Access Control) –  resources are assigned a security level, and user can access objects at his/her level

  • RBAC (Role-Based Access Control) – Based on job role. I.e set of permissions for sales role

  • RBAC (Rule-Based Access Control) – i.e ACLs, RBAC uses rules on objects to determine who can access


  • OAUTH (Open Authorization) – a standard for authorization that allows users to share private resources on one site to another site without using credentials.

XACML (Extensible Access Control Markup Language) – standard for an access policy using XML

  • Fine grained control of activities based on:

    • Attributes of the user (User location)

    • Protocol that the request was made on (HTTPS)

    • Authentication mechanism (certificate)

  • Components:

    • PEP (Policy Enforcement Point) – Entity protecting the resource that creates an XACML request based on the attribute of the subject, requested action, resource, and other information

    • PDP (Policy Decision Point) – Entity that retrieves all applicable policies in XACML, compares the request with the policies in XACML, compares the request with the policies and transmits an answer back to the PEP

SPML (Service Provisioning Markup Language) – XML based framework developed by OASIS (Organization for the Advancement of Structured Information Standards.

  • Components:

    • RA (Request Authority) – Entity making the request

    • PSP (Provisioning Service Provider) – Entity that responds to the RA requests

    • PST (Provisioning Server Target) – Entity that performs the provisioning


  • Allows changes to a user’s computer to be detected by authorized parties

  • Provides evidence about a target to an appraiser so the target’s compliance with a policy can be determined before access is allowed

  • Has a role in the operation of a TPM

  • Contains an AIK (Attestation Integrity Key) pair, generated and used to allow remote attestation as to the integrity of the application.


  • A federated identity is  a portable identity that can be used across businesses and domains with 2 basic models

  • Cross-certification model – each organization certifies that every other organization is trusted

  • Trusted third-party (bridge model) – each organization subscribes to the standards of a 3rd party. The 3rd party manages verification, certification, and due diligence for all organizations

SAML (Security Assertion Markup Language)

  • Security attestation model built on XML and SOAP-based services that allows for the exchange of credentials

  • When authenticating over HTTP using SAML, an assertion ticket is issued to the authenticating user

  • SAML uses transient identifiers that are valid for only a single login session to prevent a third party from being able to identify that a user has previously accessed a service provider

OpenID – Open standard and decentralized protocol by the OpenID Foundation that allows users to be authenticated by cooperating sites

  • Less complex than SAML

  • Widely adopted used by companies such as Google & Yahoo

  • Does not perform as well as SAML

  • Can only be initiated from the service provider, SAML can initiate SSO from either the service provider or the identity provider.


  • Open source project that provides SSO, allowing sites to make informed authorization decision for individual access of resources

  • Uses 2 components

    • IP (Identity Providers) which supply the user information

    • SP (Service Providers) which consume information from the IP before providing a service

WAYF (Where Are You From)

  • SSO system that allows credential to be used in more than one place

  • Allows a user from an institution that participates to log in by identifying the institution  that is his home organization

  • When the user attempts to access a resource held by one of the participating institutions, if they are not already signed into the home institution they are redirected to do so

RADIUS (Remote Authentication Dial-In User Service) – networking protocol that provides centralized Authentication, Authorization and Accounting (AAA or Triple A) management for users who connect and use a network service

  • Dial-up remote access servers | VPN access servers

  • Wireless access points | Security-enabled switches

LDAP – database designed to centralize data management regarding network subjects and objects

AD (Active Directory) – Microsoft’s version of LDAP using Kerberos

Kerberos  a network authentication protocol that  lets a user request an encrypted “ticket” from an authentication process that can then be used to request a particular service from a server.

Module 5

Industry Trends

Study RFCs (Request For Comments) to stay current

  • RFC 2460 – IPv6

  • RFC 2821 – SMTP

  • RFC 2821 & 2866 – RADIUS (remote authentication dial in user service)

  • RFC 33115 – DHCPv6

APT (Advanced persistent threat) –  hacking process over a long period of time

Global Industry/Community

  • CERT Computer Emergency Response Team

  • Attend conferences i.e blackhat, DEFCON

Contract Related Documents

  • RFP – Request for Proposal

  • RFQ – Request for Quote

  • RFI – Request for Information

Securing the Enterprise

Cost/Benefit Analysis

  • Performed before deploying any solution

  • ROI – money gained or lost after investment

  • TCO – measure overall cost associated

  • Collect metrics

    • Who collects the metrics

    • Which metrics will be collected

    • When will the metrics be collected

    • What thresholds will trigger corrective actions

Assessment Tools & Methods

Includes: Password crackers, vulnerability scanners, Nmpa/Zenmap, Fuzzers, exploitation tools, Passive Reconnaissance, Vulnerability Assessments & Sandboxing, Pen Testing, Fingerprinting, Code Review, Social Engineering

  • Routing Update Authentication

    • PAP (Clear Text)

    • CHAP (no passwords exchanged) – uses hash to compare information without sending password

  • Penetration Testing

    • Blind Test – test team only has limited knowledge; security team knows about the test

    • Double-blind test – test team has limited knowledge; security team does not know

    • Target Test – maximum information given to both teams

  • Reconnaissance/Fingerprinting – information gathering

    • Fingerprinting – scanning a network to identify hosts

      • Active Tools – transmit packets to remote hosts + analyze the replies

      • Passive tools – Captures packets from network + examine them

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?