Security Plus Exam Cram Series 2024 Edition: Domain 2

Jul 13, 2024

Security Plus Exam Cram Series 2024 Edition: Domain 2 - Threats, Vulnerabilities, and Mitigations

Overview

  • Focus on threats, vulnerabilities, and mitigations.
  • Understand individual components and how they're related.
  • Impact on an organization's security posture.

Study Resources

  • PDF copy of the presentation available for download.
  • Official Study Guide from Sybex: 500 practice questions, 100 flashcards, 2 practice exams.
  • Practice Test Manual: Additional 1,000 practice questions and 2 practice exams.

Domain 2 Topics

2.1 Threat Actors and Motivations

  • Types of Threat Actors: Nation-state, Unskilled (Script kiddies), Hacktivists, Insider Threats, Organized Crime, Shadow IT.
  • Attributes of Threat Actors: Inside/Outside, Relative funding levels, level of capability/sophistication.
  • Motivations: Espionage, Disruption, Financial gain, Political/philosophical, Ethical hacking, Revenge, Chaos, War.

2.2 Common Threat Vectors and Attack Surfaces

Message-Based Services

  • Email: Phishing, spam, email spoofing.
  • SMS: Smishing, SIM swapping.
  • Instant Messages: Malicious links/files, impersonation.

Image, File, & Voice-Based Threats

  • Images: Steganography, fake images.
  • Files: Malicious attachments, unpatched vulnerabilities.
  • Voice Calls: Vishing, AI-based deepfake attacks.
  • Removable Devices: Malware from USB drives.

Vulnerable Software

  • Client-based: Software installed on each endpoint; unpatched or outdated applications are the exposure.
  • Agentless: Software that runs without an installed endpoint agent (browser/web-delivered or centrally hosted); the vulnerability sits in the central service rather than on each client, so one flaw affects every user.
  • Unsupported Systems and Applications: Legacy/end-of-life systems that no longer receive security patches.

Unsecured Networks

  • Wireless: MITM attacks, weak encryption.
  • Wired: Physical access, weak segmentation.
  • Bluetooth: Hijacking, unauthorized connections.
  • Open Service Ports: Every listening service (HTTP on 80/443, RDP on 3389, SSH on 22) is reachable attack surface; unneeded ports should be closed and exposed services patched.
  • Default Credentials: Devices shipped with vendor default usernames/passwords are trivially guessed; change them before deployment.
  • Supply Chain and Third-Party Providers: Vendor risk management.

Social Engineering

  • Tactics: Authority, Intimidation, Consensus, Scarcity, Familiarity/Liking, Trust, Urgency.
  • Types: Phishing, spear-phishing, whaling, vishing, smishing, impersonation.
  • Pretexting: Developing a story to gain information.
  • Watering Hole Attacks: Compromising legit websites.
  • Brand Impersonation: Fake websites/social media accounts.
  • Typo Squatting: Registering look-alike domains (omitted, transposed, or substituted characters, alternate TLDs) so users who mistype or misread a URL land on an attacker-controlled site that harvests credentials or data.
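The typosquatting item above describes how attackers build look-alike domains. The following is an added example (not from the original page) that generates the common typo variants of a brand domain and screens a list of observed domains against them, the way a defender would check newly registered domains or certificate-transparency entries. The brand domain and candidate list are constructed for illustration.

```python
# Added example: generate typosquat variants of a brand domain and
# flag observed domains that match one. All domains here are constructed.

BRAND = "examplebank.com"          # hypothetical brand domain we defend
CANDIDATES = [                     # hypothetical observed registrations
    "examplebank.com",             # the legitimate domain itself
    "exmaplebank.com",             # transposition (a <-> m)
    "examplebnk.com",              # omission (missing 'a')
    "examplebank.co",              # TLD swap
    "examp1ebank.com",             # homoglyph (l -> 1)
    "examplebanking.com",          # not a simple typo of the brand
    "wikipedia.org",               # unrelated
]

# Visually similar substitutions attackers commonly use.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
# Alternate TLDs often registered alongside the real one.
TLD_SWAPS = ["co", "net", "org", "cm"]


def typo_variants(domain):
    """Return the set of single-edit typosquat variants of `domain`."""
    label, tld = domain.rsplit(".", 1)
    variants = set()
    # Omission: drop one character.
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:] + "." + tld)
    # Transposition: swap two adjacent characters.
    for i in range(len(label) - 1):
        chars = list(label)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        variants.add("".join(chars) + "." + tld)
    # Homoglyph: replace one character with a look-alike.
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:] + "." + tld)
    # Repetition: double one character (a common fat-finger typo).
    for i, ch in enumerate(label):
        variants.add(label[:i + 1] + ch + label[i + 1:] + "." + tld)
    # TLD swap: same label under a different top-level domain.
    for alt in TLD_SWAPS:
        if alt != tld:
            variants.add(label + "." + alt)
    variants.discard(domain)
    return variants


def find_typosquats(brand, candidates):
    """Return the observed domains that are typo variants of `brand`, sorted."""
    variants = typo_variants(brand)
    return sorted(c for c in candidates if c in variants)


if __name__ == "__main__":
    for hit in find_typosquats(BRAND, CANDIDATES):
        print("possible typosquat:", hit)
```

Real monitoring would feed this from a domain registration or certificate-transparency feed and add multi-edit variants, but the single-edit classes above (omission, transposition, homoglyph, repetition, TLD swap) cover the bulk of what is registered in practice.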

2.3 Vulnerabilities

Key Terms

  • Vulnerability: Weakness that can be exploited.
  • Threat: Potential event exploiting a vulnerability.
  • Exploit: Method/tool to leverage a vulnerability.
  • Attack: Attempt to exploit a vulnerability.

Examples of Vulnerabilities

  • Buffer Overflow: Input larger than a fixed-size memory buffer overwrites adjacent memory, corrupting data or control flow; mitigate with bounds checking and input validation (plus memory-safe languages and compiler protections).
  • Race Conditions: Timing vulnerabilities.
  • Malicious Updates: Fake patches compromising security.
  • Operating System Vulnerabilities: Default settings, misconfigurations, privilege escalation, zero-day vulnerabilities.
  • Web-Based Vulnerabilities: SQL Injection, Cross-site Scripting (XSS).
  • Hardware: Firmware attacks, end-of-life, and legacy systems.
  • Virtualization: VM Escape, Resource Reuse.
  • Cloud-Specific Vulnerabilities: Detailed in the CSA Egregious 11 list.
  • Supply Chain: Attacks through intermediaries.
  • Cryptographic: Weak encryption, poor key management, inadequate randomness, etc.
  • Misconfiguration: Common human errors.
  • Mobile Devices: Rooting/jailbreaking, third-party app stores, side loading.
  • Zero-Day Vulnerabilities: Unknown to the vendor, so no patch or signature exists; rely on behavior/anomaly-based detection (including AI/ML-driven tools) and defense in depth rather than signatures.
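The web-based vulnerabilities item (SQL injection and XSS) is the one in this list that is easiest to see in working code. The following is an added example, not from the original page, using Python's built-in sqlite3 and html modules with a constructed in-memory user table: a lookup built by string concatenation beside its parameterized replacement, and a comment renderer with and without output encoding.

```python
# Added example: SQL injection and XSS, vulnerable form beside the fix.
# The database contents and payloads are constructed for illustration.
import html
import sqlite3


def make_db():
    """Create a constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: attacker text is spliced into the SQL and becomes syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """FIXED: the value travels separately from the query as a bound parameter,
    so it can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_comment_vulnerable(text):
    """VULNERABLE: user text is placed into HTML unencoded (stored/reflected XSS)."""
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    """FIXED: HTML-encode user text so '<', '>', '&' and quotes lose meaning."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Classic tautology payload: closes the string and appends an always-true clause.
SQLI_PAYLOAD = "' OR '1'='1"
# Classic script payload for the XSS case.
XSS_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, SQLI_PAYLOAD))  # returns every user
    print("safe:      ", lookup_safe(conn, SQLI_PAYLOAD))        # returns nothing
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

The vulnerable query becomes `WHERE username = '' OR '1'='1'` and returns every row; the parameterized version looks for a user literally named `' OR '1'='1` and finds none. Parameterization and output encoding are the fixes the exam expects; input validation is a useful extra layer, not a substitute.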

2.4 Indicators of Malicious Activity

  • Log Monitoring: Centralized collection and automated investigation.
  • Account Lockout: Multiple failed login attempts.
  • Concurrent Session Usage: Same account logged in from different locations.
  • Blocked Content: Frequent attempts to access blocked resources.
  • Impossible Travel Time: Logins from far apart locations in short time span.
  • Resource Consumption & Inaccessibility: Spikes in CPU/network/memory usage.
  • Out-of-Cycle Logging: Unusual increases in log entries.
  • Published/Documented Indicators: Indicators of compromise (hashes, IPs, domains, TTPs) published in vendor advisories and threat intelligence feeds, matched against your own telemetry.
  • Missing Logs: Tampered logs can indicate malicious activity.
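Several of the indicators above (account lockout thresholds, impossible travel, and the password-spraying pattern that shows up as one source failing against many accounts) can be checked directly against authentication logs. The following is an added example, not from the original page, that parses a constructed sample log and implements those three checks; the log format, thresholds, and the 900 km/h travel limit are assumptions chosen for illustration.

```python
# Added example: three indicator checks over a constructed authentication log.
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (hypothetical format: one event per line).
SAMPLE_LOG = """\
2024-07-13T08:00:01Z user=alice result=OK src=203.0.113.5 geo=51.5074,-0.1278
2024-07-13T08:20:00Z user=alice result=OK src=198.51.100.7 geo=40.7128,-74.0060
2024-07-13T08:05:00Z user=bob result=FAIL src=192.0.2.9 geo=48.8566,2.3522
2024-07-13T08:05:30Z user=bob result=FAIL src=192.0.2.9 geo=48.8566,2.3522
2024-07-13T08:06:00Z user=bob result=FAIL src=192.0.2.9 geo=48.8566,2.3522
2024-07-13T08:06:30Z user=bob result=FAIL src=192.0.2.9 geo=48.8566,2.3522
2024-07-13T08:07:00Z user=bob result=FAIL src=192.0.2.9 geo=48.8566,2.3522
2024-07-13T08:07:30Z user=bob result=FAIL src=192.0.2.9 geo=48.8566,2.3522
2024-07-13T09:00:00Z user=alice result=FAIL src=192.0.2.77 geo=37.7749,-122.4194
2024-07-13T09:01:00Z user=bob result=FAIL src=192.0.2.77 geo=37.7749,-122.4194
2024-07-13T09:02:00Z user=carol result=FAIL src=192.0.2.77 geo=37.7749,-122.4194
2024-07-13T09:03:00Z user=dave result=FAIL src=192.0.2.77 geo=37.7749,-122.4194
2024-07-13T09:04:00Z user=erin result=FAIL src=192.0.2.77 geo=37.7749,-122.4194
"""

LINE_RE = re.compile(r"(\S+) user=(\S+) result=(\S+) src=(\S+) geo=([-\d.]+),([-\d.]+)")


def parse_log(text):
    """Parse log lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, result, src, lat, lon = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"t": when, "user": user, "ok": result == "OK",
                       "src": src, "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["t"])


def lockout_candidates(events, threshold=5, window_s=600):
    """Users with `threshold` failures inside any `window_s`-second window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e["t"])
    flagged = set()
    for user, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(user)
                break
    return flagged


def spray_sources(events, min_users=5):
    """Source IPs that failed against at least `min_users` distinct accounts
    (password spraying: few attempts per account, many accounts)."""
    users_by_src = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users_by_src[e["src"]].add(e["user"])
    return {src for src, users in users_by_src.items() if len(users) >= min_users}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins per user whose implied speed exceeds max_kmh."""
    last = {}
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["t"] - prev["t"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append({"user": e["user"], "km": round(km), "kmh": round(speed)})
        last[e["user"]] = e
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("lockout candidates:", lockout_candidates(ev))
    print("spraying sources:  ", spray_sources(ev))
    print("impossible travel: ", impossible_travel(ev))
```

Note the difference between the two failed-login patterns: bob's burst from one address trips the per-account lockout rule, while 192.0.2.77 never trips it (one failure per account) and is only caught by counting distinct accounts per source. Real SIEM rules use the same two views of the data.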

Types of Attacks

  • Ransomware: Encrypts data; backup, patch, user-awareness.
  • Trojans: Malicious payload hidden in legitimate software.
  • Spyware: Monitors user activity; cautious downloads, regular scans.
  • Worms: Self-replicating malware; patching, antivirus, firewall rules.
  • Bloatware: Unnecessary pre-installed software.
  • Key Logger: Records keystrokes; virtual keyboards, regular scans, secure system.
  • Viruses: Various propagation methods like multipartite, stealth, polymorphic.
  • Logic Bombs: Triggered by specific events/timers.
  • Rootkits: Provide privileged access stealthily.
  • Physical Attacks: Breaking physical security (locks, doors).
  • RFID Cloning: Cloning access cards.
  • Environmental Attacks: Tampering with HVAC systems.
  • Network Attacks: Including DDoS, DNS poisoning, domain hijacking, wireless attacks, on-path (MITM) attacks, credential replay.
  • Application Attacks: Directory traversal, injection attacks, buffer overflow, session replay, privilege escalation, request forgery.
  • Cryptographic Attacks: Collision attacks, downgrade attacks, birthday attacks.
  • Password Attacks: Brute force, dictionary attacks, password spraying.
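The cryptographic attacks item lists collision and birthday attacks without showing why they are cheaper than brute force. The following is an added example, not from the original page, that mounts a birthday attack against SHA-256 truncated to 32 bits using only the standard library: it finds two different messages with the same truncated digest in roughly 2^16 attempts, not 2^32, and compares the measured effort with the birthday bound sqrt(pi/2 * 2^n). The message format is an arbitrary choice for the demonstration.

```python
# Added example: birthday attack on a truncated hash, standard library only.
import hashlib
import math


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 of `data`, keeping only the top `bits` bits (a weak hash to attack)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_collision(bits: int, max_tries: int = 1 << 22):
    """Search for two distinct messages with equal truncated digests.

    Returns (msg_a, msg_b, tries) or None if max_tries is exhausted.
    A dictionary of everything seen so far turns the search from
    O(2^bits) (preimage) into O(2^(bits/2)) (birthday), at the cost of memory.
    """
    seen = {}
    for i in range(max_tries):
        msg = b"msg-%d" % i           # constructed message stream
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
    return None


def expected_tries(bits: int) -> float:
    """Birthday bound: expected attempts before the first collision in a
    space of 2^bits values is about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


if __name__ == "__main__":
    bits = 32
    result = birthday_collision(bits)
    if result:
        a, b, tries = result
        print(f"collision after {tries} tries (expected ~{expected_tries(bits):.0f})")
        print(a, b, hex(truncated_digest(a, bits)), hex(truncated_digest(b, bits)))
```

The lesson for the exam is the square-root rule: an n-bit hash gives only about n/2 bits of collision resistance, which is why truncating digests (or still relying on MD5/SHA-1) is a collision risk and why downgrade attacks that force a weaker algorithm matter.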

2.5 Mitigation Techniques

Network Segmentation

  • Physical and logical segmentation: Reduces attack surface.
  • Micro-Segmentation: Further divides workloads.

Access Control Models

  • Mandatory, Discretionary, Non-discretionary, Rule-based, Role-based.
  • Application Allow List: Only explicitly allowed apps can run.
  • Isolation: Air-gapped systems, Faraday cages.

Patching

  • Patch Management Processes: Test, approve, deploy patches, patch audits.
  • Focus Areas: Firmware, OS, applications, mobile devices.

Encryption

  • Hardware Rooted Trust: TPM for key storage, secure boot.
  • Full Disk Encryption: BitLocker (Windows), dm-crypt/LUKS (Linux), self-encrypting drives (SED, TCG Opal standard).

Monitoring

  • Privileged Operations: Review use of privileged accesses.
  • Log Monitoring: Centralized collection and automated investigation (SIEM/SOAR).

Principle of Least Privilege

  • Need to Know and Separation of Duties.

Configuration Enforcement

  • Configuration & Change Management: Documentation, baselining, versioning.

Decommissioning

  • Secure data deletion: Crypto shredding, data removal to prevent recovery.

Hardening Techniques

  • Antivirus: Signature/heuristic detection of known malware; weak against novel or fileless threats.
  • EDR: Continuous endpoint telemetry with behavioral detection and response actions (isolate, kill, roll back).
  • XDR: Extends EDR by correlating telemetry across endpoints, network, identity, email, and cloud in one platform.
  • HIPS: Intrusion prevention local to the host.
  • Host-Based Firewall: Bundled within desktop OS.
  • Endpoint Best Practices: Close open ports, disable unneeded services, harden registry.
  • OS Hardening: Using security baselines.

Conclusion

  • Extensive coverage of Domain 2 concepts for Security Plus Exam.
  • Ensure understanding of threats, vulnerabilities, mitigations, and key terms and principles.
  • Regularly review and implement the preventive measures and mitigation techniques highlighted.

Good luck preparing for the exam!