Digging into the Security domain of CompTIA’s Cloud+
In the past few months, we looked at the first four of the seven domains that are on the CompTIA Cloud+ certification exam (number CV0-001). This month, the focus turns to the fifth domain — Security — and the five topic areas that comprise it on this entry-level exam:
● Explain network security concepts, tools, and best practices
● Explain storage security concepts, methods, and best practices
● Compare and contrast different encryption technologies and methods
● Identify access control methods
● Implement guest and host hardening techniques
Security is a big topic with CompTIA: they have two exams devoted to it, and a domain on it is usually included in the other exams they offer. Here, it is weighted the third highest of any domain, the topic areas combining for a total of 16 percent of the exam questions.
It is important to note that since this is considered an entry-level certification, the exam focuses heavily on definitions and knowledge as opposed to actual implementation steps.
The following sections walk through and examine each of the five topic areas on the exam in the order in which they appear in the objectives.
Network Security Concepts
An Access Control List (ACL) works much like a guest list. It is used to limit which users or system processes have access and what permissions they should/will have once that access is gained.
At the end of every ACL, there exists a condition known as implicit deny, which means that if the permission/access has not otherwise been granted up to this point, then it is denied. Firewalls use similar technology and generally offer only three options:
● Block the connection
● Allow the connection
● Allow the connection only if it is secured
The default, if no other condition is met, is to block the connection.
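The first-match walk with an implicit deny at the end is easy to see in code. The following is an added illustration for this column, not code from it or from any vendor: the rule fields, the sample ACL and the sample packets are constructed, and the "allow only if secured" firewall option is modelled as an allow rule that matches only secured traffic.

```python
"""Ordered ACL evaluation ending in an implicit deny.

Added illustration for the column's ACL/firewall discussion, not code from it.
The rule fields, the sample ACL and the sample packets are constructed and follow
no particular vendor's syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    src: str                          # source network in CIDR form, or "any"
    dst_port: Optional[int]           # destination port, or None for any port
    secured: Optional[bool] = None    # True = match only secured (e.g. IPsec) traffic; None = don't care


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    secured: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    if rule.src != "any" and ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.secured is not None and rule.secured != pkt.secured:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching rule decides.

    Returns (decision, index of the deciding rule). If no rule matched, the
    implicit deny at the end of the list applies and the index is None."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, idx
    return "block", None


# Constructed sample ACL. Order matters: the explicit telnet block sits above
# the broader allows, and "allow only if secured" is an allow with secured=True.
ACL = [
    Rule("block", "10.0.0.0/8", 23),               # no telnet from the internal range
    Rule("allow", "10.0.0.0/8", 22),               # ssh from internal hosts
    Rule("allow", "any", 443, secured=True),       # https only over a secured channel
    Rule("allow", "192.168.1.0/24", None),         # management subnet reaches any port
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", 22), Packet("10.1.2.3", 23),
                Packet("203.0.113.5", 443, secured=True), Packet("203.0.113.5", 443),
                Packet("203.0.113.5", 80)):
        decision, idx = evaluate(ACL, pkt)
        why = f"rule {idx}" if idx is not None else "implicit deny"
        print(f"{pkt.src_ip}:{pkt.dst_port} secured={pkt.secured} -> {decision} ({why})")
```

Two things worth noticing when you run it: the unsecured HTTPS request from 203.0.113.5 is blocked without any rule saying so (the implicit deny does it), and telnet is blocked from the 10.0.0.0/8 range but allowed from the management subnet purely because of where the rules sit in the list.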
Virtual Private Networks (VPNs) use the Internet to extend the private network. The VPN channel, even though running across the network, for all practical purposes appears to be a dedicated channel. Three main areas of interest an administrator must pay attention to with a VPN are: security, management policies, and functionality.
An Intrusion Detection System (IDS) is used to monitor network access. These are often used in conjunction with a firewall (hardware and/or software) and placed inside the firewall to monitor for intruders. It monitors packets and, upon finding a problem, sends a notification.
An Intrusion Prevention System (IPS) is an extension of an IDS that monitors packets and, upon finding a problem, rejects the packet. Because of the differences between the response of the two, an IDS is often called passive while an IPS is active.
In installations where the two are used together, the IPS is often outside the firewall (rejecting questionable packets before they even reach it) and the IDS is inside, looking for anything that sneaked through.
A Demilitarized Zone (DMZ) can be created separate from the intranet/LAN and usually consists of the servers that the outside world sees and interacts with. Often this is the web servers, but it can also be mail servers, FTP servers, and so on. While there can technically be a minor difference between this and a “Perimeter Network,” the two are used as synonyms today.
Logs are created by many services based on a plethora of events. Know that the data is of no use unless it is analyzed and acted upon. A significant responsibility for administrators is examining and understanding the logs. False positives (Type I errors) and false negatives (Type II errors) greatly hinder the task and/or can lead to a false sense of security.
When it comes to attacks, one of the most common is the Denial of Service (DoS) attack in which your server(s) are bombarded with requests to respond that keep them so busy they can’t handle legitimate traffic. This is also known as a Ping of Death and if many computers are in on the attack (the most common scenario), it is known as a Distributed DoS (DDoS) attack.
Obfuscation is the art of masking data, and this is done to protect it (think of sensitive data) from being usable by unauthorized viewers. Zoning is used to control access and is implemented at the hardware level based on a World Wide Name (WWN) – a unique identifier used with Fibre Channel, ATA, and SAS technologies.
Zoning is used in conjunction with LUN (Logical Unit Number) masking, which is done at the controller level. User and host authentication are a necessary evil. No user appreciates authenticating and most would prefer single sign-on, but it is authentication to distinct resources that can increase security just as walking through more than one checkpoint at a secure facility can.
PKI (Public Key Infrastructure) is intended to offer a means of providing security to messages and transactions on a grand scale. The need for universal systems to support e-commerce, secure transactions, and information privacy is one aspect of the issues being addressed with PKI.
PKI is used to create trust models (bridge, hierarchical, hybrid, and mesh); it is a two-key (asymmetric) system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates.
The main goal of PKI is to define an infrastructure that should work across multiple vendors, systems, and networks. Because of that, keep in mind that it is a framework and not a specific technology. Implementations of PKI are dependent on the perspective of the software manufacturers that implement it.
Messages are encrypted with a public key and decrypted with a private key. As an example:
● You want to send an encrypted message to Carly, so you request her public key.
● Carly responds by sending you that key.
● You use the public key she sends you to encrypt the message.
● You send the message to her.
● Carly uses her private key to decrypt the message.
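The five steps above, carried out with textbook RSA so the key roles are visible. This is an added illustration, not code from the column: the primes (61 and 53, giving n = 3233), the public exponent 17 and the message are constructed so the arithmetic is small enough to check by hand. Real deployments use moduli of 2048 bits or more together with padding such as OAEP, both of which this omits, so it shows the exchange rather than a usable cipher.

```python
"""The public-key exchange described above, done with textbook RSA.

Added illustration, not code from the column. The small primes, the party
names and the message are constructed; no padding is used, so this shows the
key flow only and is not a usable encryption scheme."""
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public_key, private_key) as (e, n) and (d, n) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key: Key, message: str) -> List[int]:
    """Encrypt one byte per block with the recipient's PUBLIC key (requires n > 255)."""
    e, n = public_key
    return [pow(b, e, n) for b in message.encode()]


def decrypt(private_key: Key, blocks: List[int]) -> str:
    """Recover the bytes with the matching PRIVATE key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks).decode()


class Party:
    """Holds a keypair; only the public half is ever handed to anyone else."""

    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.public_key, self._private_key = make_keypair(p, q)

    def open_message(self, blocks: List[int]) -> str:
        return decrypt(self._private_key, blocks)


def exchange(message: str) -> dict:
    """Run the column's five steps and return what each side ends up holding."""
    carly = Party("Carly", 61, 53)              # constructed primes: n = 3233
    key_from_carly = carly.public_key           # steps 1-2: you ask, Carly sends her public key
    ciphertext = encrypt(key_from_carly, message)   # step 3: you encrypt with it
    recovered = carly.open_message(ciphertext)      # steps 4-5: you send it; Carly decrypts with her private key
    return {"public_key": key_from_carly, "ciphertext": ciphertext, "recovered": recovered}


if __name__ == "__main__":
    result = exchange("Hi Carly")
    print("Carly's public key (e, n):", result["public_key"])
    print("What travels over the wire:", result["ciphertext"])
    print("What Carly reads:", result["recovered"])
```

Note that only Carly's public key ever leaves her machine; anyone observing the exchange sees the key and the ciphertext but not the private exponent that reverses it. With these toy primes the modulus is trivially factorable, which is exactly why real key sizes are so much larger.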
IPSec is a security protocol that provides authentication and encryption across the Internet. It is available on most network platforms and is considered to be highly secure; it works at layer 3 of the OSI model. Support for it is built into IPv6, and one primary use of it is to create VPNs.
It works in conjunction with Layer 2 Tunneling Protocol (L2TP) or Layer 2 Forwarding (L2F), creating packets that are difficult to read if intercepted by a third party. The two primary protocols used by IPSec at the bottom layer are Authentication Header (AH) and Encapsulating Security Payload (ESP).
Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. This protocol uses the handshake method of establishing a session. When a connection request is made to the server, the server sends a message back to the client indicating that a secure connection is needed.
The client sends the server a certificate indicating the capabilities of the client. The server then evaluates the certificate and responds with a session key and an encrypted key. The session is secure at the end of this process. Modern browsers can work with 128-bit encrypted sessions/certificates. Earlier browsers often needed to use 40- or 56-bit SSL encryption.
Transport Layer Security (TLS) is a security protocol that expands upon SSL and is also referred to as SSL 3.1, but despite its name, it doesn’t interoperate with SSL. The TLS standard is supported by the IETF and has been predicted by many industry analysts to replace SSL. The default port it uses is 443.
Ciphers fall under two general categories: symmetric and asymmetric based on the number of keys used. Symmetric ciphers include:
● AES (Advanced Encryption Standard) is now the current product used by U.S. governmental agencies. It supports key sizes of 128, 192, and 256 bits, with 128 bits being the default.
● 3DES (Triple DES or Data Encryption Standard) is a technological upgrade of DES that is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it’s more secure than DES. It uses a key length of 168 bits.
● RC4 is popular with wireless and WEP/WPA encryption. It is a streaming cipher that works with various key sizes and is used in SSL and TLS. It is also popular with utilities used for downloading BitTorrent files since many providers limit the download of these, and by using RC4 to obfuscate the header and the stream, it makes it more difficult for the service provider to realize that they are indeed BitTorrent files being moved about.
● RC5 is a block cipher with key strength of up to 2040 bits.
Asymmetric algorithms include:
● RSA (Rivest, Shamir and Adleman) uses large integer numbers as the basis of the process. It’s widely implemented, and it has become a de facto standard. RSA is stream-based and works for both encryption and digital signatures. RSA is used in many environments, including Secure Sockets Layer (SSL), and it can be used for key exchange.
● DSA (Digital Signature Algorithm) is based on El Gamal, an algorithm used for transmitting digital signatures and key exchanges. The block-based method is based on calculating logarithms.
Data can be encrypted in two states: In Transit and At Rest. Data in transit is data that is currently being exchanged (active data) while data at rest is stored data.
Access Control Methods
Role-Based Access Control (RBAC) models base access control on established roles in an organization. Those roles can be based on such common things as a job function, title, or responsibility. If a person moves from one role to another, the access associated with the previous role is no longer available.
For example: Instead of thinking “Wolfgang needs to be able to edit files”, RBAC uses the logic:
● Editors need to be able to edit files
● Wolfgang is a member of the Editors group
Always remember: the user’s role dictates their access capabilities.
Mandatory Access Controls (MAC) are much different than RBAC. This is an inflexible method that enforces a rigid model of security. If well-designed, it can greatly enhance security. The biggest disadvantages are in the lack of flexibility and the fact that needs change over time. It is often used in government/military implementations. Always remember: with MAC, all access is predefined.
Discretionary Access Controls (DAC) are much more flexible than MAC, but they increase the risk of unauthorized disclosure of information. The best example is the “other” in Unix/Linux permission sets (owner and group are based on roles). Always remember: with DAC, flexibility is incorporated.
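The RBAC logic (Editors can edit; Wolfgang is an Editor; a role change takes the old access with it) and the DAC example (Unix owner/group/other bits) side by side. This is an added illustration covering both passages, not code from the column: the users, roles and file modes are constructed, and the DAC half simply reads a Unix-style mode such as 0o644 for the requesting user.

```python
"""Role-based versus discretionary access decisions.

Added illustration, not code from the column. Users, roles and modes are
constructed. The RBAC half keeps permissions on roles only; the DAC half
evaluates Unix owner/group/other permission bits, the column's DAC example."""
from typing import Dict, Set

# ---- RBAC: permissions hang off roles; users only hold role memberships ----
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Editors": {"read", "edit"},
    "Viewers": {"read"},
}


class RoleDirectory:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}   # user -> roles held

    def assign(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def move(self, user: str, old_role: str, new_role: str) -> None:
        """Changing jobs: the old role's access disappears with the old role."""
        held = self.roles.setdefault(user, set())
        held.discard(old_role)
        held.add(new_role)

    def rbac_allows(self, user: str, permission: str) -> bool:
        """Never 'does Wolfgang have edit?'; always 'does any role Wolfgang holds grant edit?'"""
        return any(permission in ROLE_PERMISSIONS.get(role, set())
                   for role in self.roles.get(user, set()))


# ---- DAC: the file owner decides via mode bits; "other" is the risky category ----
def dac_allows(mode: int, owner: str, group: str,
               user: str, user_groups: Set[str], want: str) -> bool:
    """Evaluate a Unix mode (e.g. 0o644) for a user asking for 'r', 'w' or 'x'.

    Owner bits apply if the user owns the file, group bits if the user is in the
    file's group, otherwise the 'other' bits, which anyone on the system gets."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def world_readable(mode: int) -> bool:
    """The disclosure risk the column warns about: the 'other' read bit is set."""
    return bool(mode & 0o004)


if __name__ == "__main__":
    d = RoleDirectory()
    d.assign("Wolfgang", "Editors")
    print("Wolfgang as Editor can edit:", d.rbac_allows("Wolfgang", "edit"))
    d.move("Wolfgang", "Editors", "Viewers")
    print("Wolfgang as Viewer can edit:", d.rbac_allows("Wolfgang", "edit"))
    print("eve (no group) reads 0o640 file:", dac_allows(0o640, "alice", "staff", "eve", {"guests"}, "r"))
    print("eve (no group) reads 0o644 file:", dac_allows(0o644, "alice", "staff", "eve", {"guests"}, "r"))
```

The contrast the exam wants: in RBAC, nothing was ever granted to Wolfgang personally, so moving him out of Editors revokes edit with no further cleanup. In DAC, the owner chose 0o644, and that single "other" bit is what lets a user with no relationship to the file read it.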
Multifactor Authentication utilizes authentication factors based on one of five values:
● Something you are
● Something you have
● Something you know
● Somewhere you are
● Something you do
Identification is usually done based on the username, biometrics, or a Personal Identity Verification (PIV) card.
Single Sign-On (SSO) is the dream of every user. Technologies that work with, or enable, it include Kerberos, Microsoft Active Directory, Novell eDirectory, and some certificate model implementations.
Federated Identity means linking a person’s electronic identities across multiple identity management systems. Ping Identity and Layer 7 are examples of some cloud integration federation offerings trying to make multiple cloud resources available using a single username and password: extending Active Directory to the cloud.
To harden a network, pay attention to every part of it: servers, workstations, etc. An attack surface is defined as the area that is available to users—those who are authenticated and, more importantly, those who are not. The attack surface can include services, protocols, interfaces, and code.
The smaller the attack surface, the less there is to attack; the larger the attack surface, the more likely it is to become a (successful) target. The goal of attack surface reduction (ASR) is to minimize the possibility of exploitation by reducing the attack surface and limiting potential damage.
The potential damage can be limited by turning off unnecessary functions, reducing privileges, limiting entry points, and adding authentication requirements.
Always disable unneeded ports and services. Delete/disable accounts that are not needed, deactivate default accounts, and change default passwords. Keep antivirus/antimalware software current and install patches after testing them on non-production machines to try to minimize zero-day exploits.
When it comes to security and hardening: Always let common sense be your guide.
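The hardening checklist above (disable unneeded ports and services, remove or deactivate unneeded and default accounts, change default passwords) can be turned into a repeatable review. The following is an added illustration, not code from the column: the listener lines are constructed in the shape of `ss -tlnp` output, the account records are made up, and the set of approved ports is an assumption standing in for a site's own baseline.

```python
"""Attack-surface review over a constructed host snapshot.

Added illustration, not code from the column. LISTENERS is constructed in the
shape `ss -tlnp` prints, ACCOUNTS is made up, and APPROVED_PORTS is an assumed
site baseline of what this host is meant to expose."""
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `ss -tlnp` output (header line omitted).
LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 50 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=1330,fd=4))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1402,fd=3))
"""

# Constructed account records: is it enabled, does it still carry a vendor
# default password, is it a vendor default account, and days since last login.
ACCOUNTS = [
    {"name": "root",     "enabled": True, "default_password": False, "default_account": False},
    {"name": "admin",    "enabled": True, "default_password": True,  "default_account": True},
    {"name": "guest",    "enabled": True, "default_password": False, "default_account": True},
    {"name": "wolfgang", "enabled": True, "default_password": False, "default_account": False},
    {"name": "olduser",  "enabled": True, "default_password": False, "default_account": False,
     "last_login_days": 400},
]

APPROVED_PORTS: Set[int] = {22, 443}      # assumption: the only services this host should expose
STALE_AFTER_DAYS = 90                      # assumption: accounts idle longer than this are candidates for removal

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(text: str) -> List[Dict]:
    """Pull port, bind address and process name out of ss-style LISTEN lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        rows.append({
            "port": int(port),
            "addr": addr,
            "process": m.group(1) if m else "?",
            # loopback-only listeners are not reachable from the network
            "exposed": addr not in ("127.0.0.1", "[::1]"),
        })
    return rows


def review(listener_text: str, accounts: List[Dict], approved_ports: Set[int]) -> Dict[str, list]:
    """Return the findings a hardening pass should act on, grouped by checklist item."""
    listeners = parse_listeners(listener_text)
    enabled = [a for a in accounts if a["enabled"]]
    return {
        "unapproved_exposed": sorted((l["port"], l["process"]) for l in listeners
                                     if l["exposed"] and l["port"] not in approved_ports),
        "local_only": sorted((l["port"], l["process"]) for l in listeners if not l["exposed"]),
        "default_password": sorted(a["name"] for a in enabled if a["default_password"]),
        "default_accounts_enabled": sorted(a["name"] for a in enabled if a["default_account"]),
        "stale_accounts": sorted(a["name"] for a in enabled
                                 if a.get("last_login_days", 0) > STALE_AFTER_DAYS),
    }


if __name__ == "__main__":
    for item, findings in review(LISTENERS, ACCOUNTS, APPROVED_PORTS).items():
        print(f"{item}: {findings}")
```

On the sample data the review flags telnet and FTP as exposed services outside the baseline, notes that PostgreSQL is bound to loopback only (exposed to local processes, not the network), and lists the admin account for its unchanged default password, admin and guest as default accounts still enabled, and olduser as stale. Each finding maps onto one line of the checklist, which is what makes it worth re-running after every change.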
Summing It Up
There are seven domains on the CompTIA Cloud+ certification exam (CV0-001) and this month we walked through the topics covered on the fifth one. Next month, the focus will move to the last two domains – Systems Management and Business Continuity in the Clouds – and what you should know about each of them as you study for the exam.