CompTIA Security+ Exam SY0-701

Lesson 11
Enhance Application Security
Capabilities

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org

1
Lesson 11

Topic 11A
Application Protocol Security Baselines

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org

2
Secure Protocols
• Many of the protocols used today were developed many
decades ago
• Functionality was primary focus
• Trustworthiness was assumed
• Cybersecurity was less of an issue than it is today Insecure Secure Alternative
• Insecure Protocols Telnet SSH
• Transmit data in clear text format HTTP HTTPS
• Generally, cannot be secured
FTP FTPS/SFTP
• Must be avoided

• Secure Protocols
• Same functionality and secure
• More complex to configure
3
Transport Layer Security
• Most Common Uses
• Secure HTTP communications

• Virtual Private Networking (VPN)

• SSL/TLS Versions
• SSL 2.0, 3.0

• TLS 1.0, 1.1, 1.2, 1.3

• Only use TLS version 1.2 or newer

• Disable all others

• Downgrade attack
4
Transport Layer Security
• Cipher Suites
• Describe the mix of algorithms used
to implement TLS protections

• Prior to TLS 1.3

ECDHE-RSA-AES128-GCM-SHA256

• TLS 1.3 uses shortened suites

TLS_AES_256_GCM_SHA384

• Only lists bulk encryption key

strength, mode of operation and Viewing the TLS handshake in a Wireshark packet capture. Note that the connection is

hash type using TLS 1.3 and one of the shortened cipher suites (TLS_AES_128_GCM_SHA256).

5
Secure Directory Services
• A Network directory contains
• Subjects (users, computers, and services)

• Objects (directories and files) available in the environment

• Permissions that subjects have over objects

• High-value attack target

• Lightweight Directory Access Protocol (LDAP)

• Default is cleartext communication
6
Simple Network Management Protocol Security
• Simple Network Management Protocol (SNMP)
• Management and monitoring
• SNMP monitor + agents
• Provides very detailed information about systems
• Uses “Community Strings” default “Public” and “Private”
• Can be used to issue commands
• SNMPv3 has secure features, other versions should be avoided
7
File Transfer Services
• File Transfer Protocol
• Cleartext
• Used to host and share files

• SSH
• Primarily used to access a shell remotely
• Very versatile protocol
• Can be used as a tunnel for other protocols

• FTP (SFTP) and FTP Over SSL (FTPS)

• SFTP is FTP tunneled through SSH
• FTPS is FTP secured using TLS
8
Email Services
• SMTP
• Cleartext by default
• Transmit email between systems
• SMTPS is secure configuration

• Open Relay
• Improperly configured SMTP server
• Used to send SPAM

• POP & IMAP

• Used to access mailboxes
• Cleartext by default
Configuring mailbox access protocols on a server.

• POPS & IMAPS are secure

9
Email Security
• Sender Policy Framework (SPF)
• Email validation method that
helps detect and prevent sender
address forgery
• Uses data saved in DNS TXT
Records
• Can use to identify “authorized
senders” Displaying the TXT records for microsoft.com using the dig tool. (Screenshot used with
permission from Microsoft.)

• Hosted email

• Marketing campaigns, etc.

10
Email Security
• DomainKeys Identified Mail (DKIM)
• Sender signs emails using a digital signature
• Receiver uses a DKIM record in the sender's
DNS to verify the signature

• Domain-based Message Authentication,

Reporting & Conformance (DMARC)
• Uses the results of SPF and DKIM checks to
define rules for handling messages
• Provides reporting capabilities
• Email activity
• Identify systems sending emails
• Identify unauthorized activity
Performing a DMARC lookup using the DNSChecker website https://dnschecker.org.
11
Email Security
• Email Gateway
• Control point for all incoming and outgoing email
• Anti-spam filters and antivirus scanners
• Sophisticated threat detection algorithms
• Identify phishing attempts, Business Email Compromise (BEC) Attack
• Harmful attachments and malicious URLs
• URL Sanitization/Link Anonymization/Safe Linking/Web Link Transformation

• Secure/Multipurpose Internet Mail Extensions (S/MIME)

• Encrypts emails to provide the confidentiality and integrity protections
• Requires Public Key Infrastructure (PKI)
12
Email Data Loss Prevention
• Email is one of the most frequently used communication channels within organizations
• Conduit for sensitive data
• Encourages careless handling of sensitive data (ease of use) and prone to human error
• Common channel for data loss
• GDPR, HIPAA, and PCI DSS, (and others) have requirements for protecting data

• DLP scans emails and attachments for certain types of sensitive information
• Prevents unauthorized sharing of sensitive information
• Create organization-wide DLP policies
• Actions are based on predefined rules, such as
• Blocking the email, alerting the sender, automatically encrypting it
13
DNS Filtering
• Block or allow access to specific websites
• DNS filter checks requests against a database of
domain names
• Block access to malicious sites
• Content/Site Restrictions
• Ad-blocking (Pi-Hole, AdGuard)

• OpenDNS opendns.com
• Quad9 quad9.net
• CleanBrowsing cleanbrowsing.org The Pi-hole administrative dashboard showing DNS resolution statistics. (Screenshot courtesy
of Pi-hole.)
• Cisco Umbrella
umbrella.cisco.com/products/dns-layer-network-s
ecurity
• CloudFlare DNS
cloudflare.com/application-services/products/dns
/ 14
DNS Security
• DNS Contains valuable information about hosts on a network
• Internal records should not be accessible from the Internet
• DNS protocol is often exploited to perform data exfiltration
• DNS can be exploited to provide malicious data (ex. Attacker IP instead of real IP)

• DNS Security Extensions (DNSSEC)

• Mitigate spoofing and poisoning attacks

• Provides a validation process for DNS responses

• Authoritative server for the zone creates a "package" of resource records (RRset)
15
 Review Activity: Application Protocol Security Baselines
• Secure Protocols
• Transport Layer Security
• Secure Directory Services
• Simple Network Management Protocol Security
• File Transfer Services
• Email Services
• Email Security
• Email Data Loss Prevention
• DNS Filtering
16
 Lab Activity
• Assisted Lab: Performing DNS Filtering

17
Lesson 11

Topic 11B
Cloud and Web Application Security
Concepts

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org

18
Secure Coding Techniques
• Pressure to release an application
often overshadows the requirement
to ensure it is secure

• Coding practices must implement

secure development practices
• Code Signing
• Secure Cookies
• Static/Dynamic Code Analysis
• Peer Review
Reviewing the digital signature contained within the Bitwarden
Password Management app installer. 19
Secure Coding Techniques
• Input Validation
• Attacker provides specially crafted data to an application to manipulate its behavior
• Injection Attack
• Methods used to perform input validation:
• Allow/Block Lists

• Data Type checks

• Range checks

• Regular Expressions

• Encoding

20
Application Protections
• Data exposure
• Allows privileged information to be read by unauthorized user
• Access token
• Password
• Personal data

• Error Handling
• Safely handle and control errors
• Report errors to logs instead of user interface

• Application Security in the Cloud

• Application security supports the shared responsibility model
• Secure applications running on a secure cloud platform
21
Application Protections
• Memory Management
• Buffer overflow attacks are a decades-old problem

• Input validation is an important defense

• Client-Side vs. Server-Side Validation

• Security checks should be performed server-side

• Developers often use client-side checks to improve application performance

• Client-side checks can be bypassed

22
 Software Sandboxing
• A security mechanism used to
isolate software
• Prevent it from accessing
operating system features
• Isolate is from other
processes/software
• Prevent access to network
• “Safe Detonation”
Joe Sandbox analysis of a malicious executable file. (Screenshot courtesy of Joe Security,
LLC.) 23
 Review Activity:
• Secure Coding Techniques
• Application Protections
• Software Sandboxing

24
 Lab Activity
• Assisted Lab: Configuring System Monitoring

25
CompTIA Security+ Exam SY0-701

Lesson 11
Summary

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org

26