***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/cap-software-and-systems-security/blob/main/README.md) >

## CompTIA Cybersecurity Analyst (CySA+) - Course Material 2022
###### Topic: ``Infrastructure Management Solutions``
***

Course material for the ``CompTIA Cybersecurity Analyst (CySA+)`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Infrastructure Management Solutions](#a) <br/><br/>

- [Identity and Access Management](#b) <br/><br/> 
    - [``IAM``](#b) <br/><br/> 
        - [Identity and Account Types](#b) <br/><br/> 
            - [Personnel](#b) <br/><br/> 
            - [Endpoints](#b) <br/><br/> 
            - [Servers](#b) <br/><br/> 
            - [Software](#b) <br/><br/> 
            - [Roles](#b) <br/><br/>     
        - [Tasks](#c) <br/><br/> 
            - [Creating and Deprovisioning Accounts](#c) <br/><br/> 
            - [Managing Accounts](#c) <br/><br/> 
            - [Auditing Account Activity](#c) <br/><br/> 
            - [Maintaining Compliance](#c) <br/><br/> 
            - [Sending Identity Logs to a SIEM](#c) <br/><br/> 
            - [Adjusting Roles/Rules as Applicable](#c) <br/><br/>         
        - [Account Management Risks](#d) <br/><br/> 
- [Password Policies](#e) <br/><br/> 
    - [ [NIST Recommendations](https://pages.nist.gov/800-63-3/sp800-63b.html) ] <br/><br/> 
- [Single Sign-On](#f) <br/><br/> 
    - [``SSO``](#f) <br/><br/> 
- [Multi-Factor Authentication](#g) <br/><br/> 
    - [``MFA``](#g) <br/><br/> 
        - [Two Factors](#g) <br/><br/>
            - [``2FA``](#g) <br/><br/>
- [One-hit Combo](#h) <br/><br/> 
    - [Multiple Accounts](#h) <br/><br/>
        - [``SSO``/``MFA``](#h) <br/><br/>
- [Certificate Management](#i) <br/><br/> 
    - [``cmd``](#i) <br/><br/> 
        - [``certutil``](#i) <br/><br/> 
            - [ [docs.microsoft.com](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil) ] <br/><br/>
        - [``sigcheck``](#i) <br/><br/> 
            - [ [docs.microsoft.com](https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck) ] <br/><br/> 
    - [Tasks](#i) <br/><br/> 
        - [Deploying Certificates](#i) <br/><br/> 
        - [Updating Certificates](#i) <br/><br/> 
        - [Revoking Certificates](#i) <br/><br/> 
        - [Installing Root Certificates](#i) <br/><br/> 
        - [Validating Root Certificates](#i) <br/><br/> 
        - [Updating Root Certificates](#i) <br/><br/> 
        - [Preventing Self-signed Certificates](#i) <br/><br/> 
        - [SSH Key Management](#i) <br/><br/> 
- [Federation](#j) <br/><br/> 
    - [Shared Login Capability](#j) <br/><br/> 
        - [Connects IAM of Multiple Systems](#j) <br/><br/>
    - [Require Instant Changes](#j) <br/><br/>
        - [Provisioning](#j) <br/><br/>
        - [Deprovisioning](#j) <br/><br/>
        - [Password Reset](#j) <br/><br/>
- [Privilege Management](#k) <br/><br/> 
    - [Best Practices](#k) <br/><br/> 
        - [Rule of Least Privilege](#k) <br/><br/> 
        - [Separation of Duties](#k) <br/><br/> 
    - [Access Control Model](#k) <br/><br/> 
        - [Discretionary Access Control](#k) <br/><br/> 
            - [``DAC``](#k) <br/><br/> 
                - [Access Control List](#k) <br/><br/> 
                    - [``ACL``](#k) <br/><br/> 
        - [Mandatory Access Control](#k) <br/><br/> 
            - [``MAC``](#k) <br/><br/> 
                - [System Defined Rules](#k) <br/><br/> 
                    - [Clearance Level](#k) <br/><br/> 
        - [Role-Based Access Control](#k) <br/><br/> 
            - [``RBAC``](#k) <br/><br/> 
        - [Attribute-Based Access Control](#k) <br/><br/> 
            - [``ABAC``](#k) <br/><br/>          
- [IAM Auditing and Monitoring and Logging](#l) <br/><br/> 
- [Conduct and Use Policies](#m) <br/><br/> 
    - [Central Policy Types](#m) <br/><br/> 
        - [Code of Conduct](#m) <br/><br/> 
        - [Privileged User Agreement](#m) <br/><br/> 
            - [``PUA``](#m) <br/><br/> 
        - [Acceptable Use Policy](#m) <br/><br/> 
            - [``AUP``](#m) <br/><br/> 
                - [``ISP``](#m) <br/><br/> 
                    - [Fair Use Policy](#m) <br/><br/> 
- [Applying Network Architecture Security Solutions](#n) <br/><br/> 
    - [Asset and Change Management](#o) <br/><br/> 
        - [Asset Tagging](#o) <br/><br/> 
        - [Change Management](#o) <br/><br/> 
    - [Network Architecture](#p) <br/><br/> 
        - [Physical Network Architecture](#p) <br/><br/> 
        - [Virtual Private Networks](#p) <br/><br/> 
            - [``VPN``](#p) <br/><br/> 
        - [Software Defined Networking](#p) <br/><br/> 
            - [``SDN``](#p) <br/><br/> 
                - [Defined By](#p) <br/><br/> 
                    - [``API``](#p) <br/><br/> 
                    - [Compatible Hardware](#p) <br/><br/> 
                - [Modeling](#p) <br/><br/> 
                - [``"planes"``](#p) <br/><br/> 
                    - [Control Plane](#p) <br/><br/> 
                    - [Data Plane](#p) <br/><br/> 
                    - [Management Plane](#p) <br/><br/>                
    - [Segmentation](#q) <br/><br/> 
        - [Types](#q) <br/><br/> 
            - [Air Gap](#q) <br/><br/> 
            - [Physical Segmentation](#q) <br/><br/> 
            - [Virtual Segmentation](#q) <br/><br/> 
                - [``VLAN``](#q) <br/><br/> 
            - [Access Control Lists](#q) <br/><br/> 
                - [``ACL``](#q) <br/><br/> 
            - [Demilitarized Zone](#q) <br/><br/> 
                - [``DMZ``](#q) <br/><br/> 
                    - [Hosts](#q) <br/><br/> 
                        - [``Bastion Hosts``](#q) <br/><br/> 
            - [Jumpbox](#q) <br/><br/> 
                - [Jump Server](#q) <br/><br/> 
                    - [Hardened Server](#q) <br/><br/> 
    - [Virtualization and Containerization](#r) <br/><br/> 
        - [Virtual Desktop Infrastructure](#r) <br/><br/> 
            - [``VDI`` ](#r) <br/><br/> 
        - [Containerization](#r) <br/><br/> 
    - [Virtualization Infrastructure Security Management](#s) <br/><br/> 
        - [Terms/Secure Best Practices](#s) <br/><br/> 
            - [Virtual Hosts](#s) <br/><br/> 
            - [Virtual Networks](#s) <br/><br/> 
            - [Management Interface and Host Platform](#s) <br/><br/> 
    - [Honeypots and Active Defense](#t) <br/><br/> 
        - [Active Defense](#t) <br/><br/> 
            - [Honeypot](#t) <br/><br/> 
                - [Honeynet](#t) <br/><br/>
                    - [Decoy](#t) <br/><br/>
            - [Fake DNS Entries](#t) <br/><br/> 
            - [Decoy Files and Directories](#t) <br/><br/> 
            - [Detected Port Scanning](#t) <br/><br/> 
                - [Port Triggering/Spoofing](#t) <br/><br/> 
                    - [Return Useless Data](#t) <br/><br/> 
- [Technical Data and Privacy Solutions](#u) <br/><br/> 
    - [Access Controls](#v) <br/><br/> 
    - [Cloud-Based Infrastructure Management](#w) <br/><br/> 
        - [Virtual Private Cloud](#w) <br/><br/> 
            - [``VPC``](#w) <br/><br/> 
        - [Cloud Access Security Broker](#w) <br/><br/> 
            - [``CASB``](#w)
<hr width="50%">

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Infrastructure Management Solutions
***

> Apply IAM, account management, and password policies

> Apply SSO, MFA, certificate management, and federation

> Apply privilege management and monitoring controls

> Apply access controls, encryption, DLP, and DRM

> Explain cloud-based infrastructure management and CASB

> Explain service-oriented security controls

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Identity and Access Management - ``IAM``
***

An overview of Identity and Access Management (``IAM``) and Account Management and Tasks.

> Identity and Account Types 

- Personnel

Most common; usually describing organizational employees.

- Endpoints

Devices used to access a network and its resources.

- Servers

Critical systems that use digital signatures to establish an identity.

- Software

Also use digital signatures or management solutions to provide identity services.

- Roles

A group of rules that govern asset permissions and privilege.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Identity and Access Management - ``IAM`` - Tasks
***

The main responsibility of an ``IAM`` system is to administer access for the different account types. 

With this, there are many tasks that must be performed in order to properly control all assets within that ``IAM`` program.

The following are some examples of expected tasks to be performed.


- Creating and deprovisioning accounts.


- Managing accounts.


- Auditing account activity.


- Maintaining compliance.


- Sending identity logs to a ``SIEM``.


- Adjusting roles and rules as applicable to business needs.

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### Identity and Access Management - ``IAM`` - Account Management Risks
***

Even if business approval is granted for special roles or accounts, monitoring on shared accounts and privileged accounts needs to be a regularly occurring activity. For legitimate administrative accounts, a baseline needs to be established to track normal versus malicious activity. Also, shared accounts should be removed or at least limited on what they can do, as it becomes more difficult to track the “who” on an account that is shared amongst several users.

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Password Policies
***

A password policy document ideally promotes strong passwords by:


- Specifying a minimum password length.


- Requiring password complexity, sufficient length, and periodic password changes.


- Placing limits on reuse of old passwords.


Password policies must be enforced and follow industry best practices to limit the risk of account takeover - [ [NIST Recommendations](https://pages.nist.gov/800-63-3/sp800-63b.html) ] as a minimum.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Single Sign-On - ``SSO``
***

Is an authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Multi-Factor Authentication - ``MFA``
***

Is an authentication scheme that requires the user to present at least two different factors as credentials, from ``something you know``, ``something you have``, and ``something you are``, or ``something you do`` and ``somewhere you are``. 

Specifying two factors is known as ``2FA``.

MFA Options:


- 2-step verification via mobile.


- Biometric.


- Certificate-based (digital certification).


- Location-based.

< [Table of Contents](#top) | [References](#references) >
<a id="h"></a>
***
###### One-hit Combo - Multiple Accounts - ``SSO``/``MFA``
***

For users that require multiple accounts or just to add an additional layer of security to every account, it is recommended that both ``SSO`` and ``MFA`` are enabled and enforced across the board. 

These two controls are a one-hit combo that provide both increased security and increased functionality to end-users managing multiple accounts.

< [Table of Contents](#top) | [References](#references) >
<a id="i"></a>
***
###### Certificate Management
***

Certificate Management is the practice of issuing, updating, and revoking digital certificates. 

> ``cmd`` - ``certutil`` - ``sigcheck``

[ [``certutil``](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil) ] and [ [``sigcheck``](https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck) ] are popular command-line tools used for certificate management.

> ``cmd`` - Tasks

Some expected tasks would be as follows:

- Deploying Certificates


- Updating Certificates


- Revoking Certificates


- Installing Root Certificates


- Validating Root Certificates


- Updating Root Certificates


- Preventing Self-signed Certificates


- SSH Key Management

< [Table of Contents](#top) | [References](#references) >
<a id="j"></a>
***
###### Federation
***

Federation is a process that provides a shared login capability across multiple systems and enterprises. 

It essentially connects the Identity and Access Management (``IAM``) of multiple systems.


One aspect to consider when configuring federation is that, since a third party is handling the transaction, you want to ensure that important tasks or changes are propagated across the network quickly and with little delay. 

The following are some common changes that, in a business setting, need to happen almost instantaneously.

> Provisioning

Creating an account and providing user authorization to it.

> Deprovisioning

Removing authorization and disabling the account.

> Password Reset

Resetting a user's account password in the event of a security incident.

< [Table of Contents](#top) | [References](#references) >
<a id="k"></a>
***
###### Privilege Management
***

Privilege Management is the use of authentication and authorization mechanisms to give an admin centralized or decentralized control over the privileges assigned to users and groups, typically on a role basis.

> Best Practices

When implementing privilege management controls, it is important to follow the ``Rule of Least Privilege`` as well as a ``Separation of Duties`` between accounts. 

By following these two best practices you prevent roles or accounts from accumulating excessive access, which would otherwise create a security risk in the organization.

The following are different ways that these best practices can be enforced within the realm of privilege management.

> Access Control Model - Discretionary Access Control - ``DAC``

Access control model where each resource is protected by an Access Control List (``ACL``) managed by the resource owner.

> Access Control Model - Mandatory Access Control - ``MAC``

Access control model where resources are protected by inflexible, system defined rules. 

Resources and users are allocated a clearance level.

> Access Control Model - Role-Based Access Control - ``RBAC``

An access control model where resources are protected by ACLs that are managed by admins and that provide user permissions based on job functions.

> Access Control Model - Attribute-Based Access Control - ``ABAC``

An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
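To make the four models concrete, the following added example (not code from the course page) runs one access request through a toy DAC, MAC, RBAC and ABAC check so the different decisions can be compared side by side. The subjects, clearance levels, roles and attributes are constructed for illustration.

```python
"""Four access-control models applied to the same request (constructed example)."""
from dataclasses import dataclass, field

# Ordered clearance levels used by the MAC check (constructed lattice).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    owner: str
    label: str
    acl: dict = field(default_factory=dict)        # DAC: user -> permissions, set by the owner
    attributes: dict = field(default_factory=dict)


def dac(subject, resource, action):
    # DAC: the owner always has access; anyone else needs an ACL entry the owner wrote.
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def mac(subject, resource, action):
    # MAC: inflexible system rule the owner cannot change. Reading requires
    # clearance >= label (no "read up"); writing requires clearance == label.
    s, r = LEVELS[subject.clearance], LEVELS[resource.label]
    return s >= r if action == "read" else s == r


# RBAC: permissions are attached to job-function roles that an admin assigns.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


def rbac(subject, resource, action):
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    return action in allowed


def abac(subject, resource, action):
    # ABAC: evaluate attributes of the subject, the resource and the context together.
    same_dept = subject.attributes.get("department") == resource.attributes.get("department")
    on_network = subject.attributes.get("location") == "corporate"
    mfa = subject.attributes.get("mfa") is True
    if action == "read":
        return same_dept
    return same_dept and on_network and mfa


def decide(subject, resource, action):
    """Return the decision of each model for one request."""
    return {m.__name__: m(subject, resource, action) for m in (dac, mac, rbac, abac)}


# Constructed subject and resource: a remote finance analyst reading a report owned by bob.
alice = Subject("alice", "internal", {"analyst"},
                {"department": "finance", "location": "remote", "mfa": True})
report = Resource("q3-report", owner="bob", label="confidential",
                  acl={"alice": {"read"}}, attributes={"department": "finance"})

if __name__ == "__main__":
    for action in ("read", "write"):
        print(action, decide(alice, report, action))
```

Note that the same "read" request is allowed by DAC, RBAC and ABAC but denied by MAC, because alice's clearance sits below the resource label and no owner or admin can override a system-defined rule.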

< [Table of Contents](#top) | [References](#references) >
<a id="l"></a>
***
###### IAM Auditing and Monitoring and Logging
***

There is a lot of activity that can occur within an ``IAM`` solution. 

It is vital that proper logging and monitoring controls are in place to audit on a regular basis. 

The following are events that should be reviewed:


- Audit logs for all actions performed by users.


- Account log on/log off.


- Creation events.


- Accessing files, shares or systems.


- Changes made to policies or security solutions.


- Anomalous log entries including authentication failures, unscheduled changes, and recurring errors.

It is also important to incorporate periodic manual reviews of auditing controls to ensure logging policies and alerts are set appropriately.
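As an added example (not from the course page), the following script reviews a handful of constructed IAM audit events for the items listed above: repeated authentication failures, account creation outside an approved change window, and changes to security policy. The log format, thresholds and change window are assumptions made for illustration.

```python
"""Review constructed IAM audit events for the anomalies the notes call out."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> key=value ..." one event per line.
SAMPLE_LOG = """\
2024-03-04T09:02:11 LOGON_FAILURE user=svc-backup src=10.0.5.20
2024-03-04T09:02:14 LOGON_FAILURE user=svc-backup src=10.0.5.20
2024-03-04T09:02:19 LOGON_FAILURE user=svc-backup src=10.0.5.20
2024-03-04T09:02:23 LOGON_FAILURE user=svc-backup src=10.0.5.20
2024-03-04T09:02:29 LOGON_FAILURE user=svc-backup src=10.0.5.20
2024-03-04T09:03:02 LOGON_SUCCESS user=svc-backup src=10.0.5.20
2024-03-04T10:15:40 LOGON_SUCCESS user=alice src=10.0.7.31
2024-03-04T10:16:05 FILE_ACCESS user=alice share=fs01-finance
2024-03-04T11:00:00 ACCOUNT_CREATED user=jdoe by=alice
2024-03-04T23:41:08 ACCOUNT_CREATED user=tmp-admin by=svc-backup
2024-03-04T23:41:30 POLICY_CHANGED user=svc-backup policy=password_min_length
2024-03-04T23:45:00 LOGOFF user=svc-backup
"""

FAILURE_THRESHOLD = 5          # failures per account inside WINDOW (assumed threshold)
WINDOW = timedelta(minutes=5)
CHANGE_WINDOW = (8, 18)        # hours during which account creation is expected (assumed)


def parse(line):
    """Split one log line into a dict of its timestamp, event name and key=value fields."""
    ts, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def review(log_text):
    """Return a list of (account, finding) tuples for the events that need a human review."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    failures = defaultdict(list)
    for e in events:
        user = e["user"]
        if e["event"] == "LOGON_FAILURE":
            failures[user].append(e["ts"])
            recent = [t for t in failures[user] if e["ts"] - t <= WINDOW]
            if len(recent) == FAILURE_THRESHOLD:      # report once, when the threshold is hit
                findings.append((user, "repeated authentication failures"))
        elif e["event"] == "LOGON_SUCCESS" and any(
                e["ts"] - t <= WINDOW for t in failures[user]):
            findings.append((user, "success immediately after failures"))
        elif e["event"] == "ACCOUNT_CREATED":
            if not CHANGE_WINDOW[0] <= e["ts"].hour < CHANGE_WINDOW[1]:
                findings.append((user, f"created outside change window by {e['by']}"))
        elif e["event"] == "POLICY_CHANGED":
            findings.append((user, f"security policy changed: {e['policy']}"))
    return findings


if __name__ == "__main__":
    for account, finding in review(SAMPLE_LOG):
        print(f"{account:<12} {finding}")
```

The same logic is what a SIEM correlation rule would express; running it over the identity logs forwarded to the SIEM (as listed under ``IAM`` tasks) is the automated half of the review, and the periodic manual check confirms the thresholds still fit the environment.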

< [Table of Contents](#top) | [References](#references) >
<a id="m"></a>
***
###### Conduct and Use Policies
***

Conduct policies generally contain the following attributes:


- Focus on protection of personal account credentials via the ``CIA Triad``.


- Privileges obtained may only be used for authorized job related activities.


- Respect the privacy of other users on the network.


- Be mindful of any compliance, legal, or regulatory requirements that you may be subject to.

> Central Policy Types - Code of Conduct

Professional behavior depends on basic ethical standards, such as honesty and fairness - some professions may have developed codes of ethics.

> Central Policy Types - Privileged User Agreement - ``PUA``

Contract terms stating a code of conduct for employees assigned high-level privileges on network and data systems.

> Central Policy Types - Acceptable Use Policy - ``AUP``

A policy that governs employees' use of company equipment and internet services.

- ``ISPs`` may also apply ``AUP`` to their customers - also known as a ``Fair Use Policy``.


- A popular example for applying the ``AUP`` is in regards to the use of company internet for personal use.

< [Table of Contents](#top) | [References](#references) >
<a id="n"></a>
***
###### Applying Network Architecture Security Solutions
***

This section covers key definitions relating to:

- Asset and Change Management


- Network Architecture


- Segmentation


- DMZ 


- Jumpboxes


- Virtualization


- Containerization

< [Table of Contents](#top) | [References](#references) >
<a id="o"></a>
***
###### Asset and Change Management
***

> Asset and Change Management - Asset Tagging 

Is the practice of assigning an ID to assets to associate them with entries in an inventory database.

> Asset and Change Management - Change Management 

Is the process through which changes to the configuration of information systems are monitored and controlled as part of the organization's overall configuration management efforts.

The ultimate goal with a change management process is to ensure any mission critical changes to sensitive assets are being logged and tracked. Not only does change management play a huge role in compliance, but from a security perspective, you need to have a point in time reference of what the system looked like before the changes occurred in case of a failure.

< [Table of Contents](#top) | [References](#references) >
<a id="p"></a>
***
###### Network Architecture
***

> Network Architecture - Physical Network Architecture

A physical network architecture is simply a layout of all your networking equipment (switches and routers), cabling routes, and wireless access points. 

Having this available is important if it is believed an intruder is tapping into your physical network.

> Network Architecture - Virtual Private Networks - ``VPN``

A ``VPN`` is a secure tunnel created between two endpoints connected via an unsecure network.

> Network Architecture - Software Defined Networking - ``SDN`` 

``SDN`` is defined by an ``API`` and compatible hardware that together allow network appliances and systems to be programmed.

> Network Architecture - Software Defined Networking - ``SDN`` - Modeling - ``"planes"``

In regards to ``SDN`` Modeling, there are 3 important terms to remember that are called “planes”:

> Network Architecture - Software Defined Networking - ``SDN`` - Modeling - Control Plane

Handles the prioritization of traffic from a security and routing perspective.

> Network Architecture - Software Defined Networking - ``SDN`` - Modeling - Data Plane

Implements ``ACL`` and handles the routing and switching network features in regards to traffic.

> Network Architecture - Software Defined Networking - ``SDN`` - Modeling - Management Plane

Oversees network and high-level traffic conditions.

< [Table of Contents](#top) | [References](#references) >
<a id="q"></a>
***
###### Segmentation
***

Segmentation is a security technique that helps to add additional layers to your network. 

> Segmentation - Types

The following are some of the important types of segmentation that can be applied.

> Segmentation - Types - Air Gap

A type of network isolation that physically separates a network from all other networks.

> Segmentation - Types - Physical Segmentation

Deploying one switch per segment, or connecting several switches together for segments with more hosts; this is the more costly method.

> Segmentation - Types - Virtual Segmentation

Configuring multiple ``VLAN``s per switch, or one ``VLAN`` spanning multiple switches, gives more logical control over segmentation.

> Segmentation - Types - Access Control Lists - ``ACL``

Can be applied to the zones that make up a segmented logical network; this technique allows a more granular approach to restricting access at the network level.

> Segmentation - Types - Demilitarized Zone - ``DMZ``

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the internet over designated ports. 

A ``DMZ`` is the section of your network where externally-facing hosts live; they are segmented off because they have a higher chance of being compromised.

- Hosts in a ``DMZ`` are also known as ``Bastion Hosts``.

> Segmentation - Types - Jumpbox

A hardened server that provides access to other hosts - sometimes referred to as a ``Jump Server``.

Think of a ``Jumpbox`` as an intermediate hop between different hosts or segments, in which the Jumpbox host is strictly limited in which resources it can access.
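The following added example (not from the course page) shows how ``ACL`` rules tie the segment types above together: a small evaluator that decides flows between an internet, ``DMZ``, internal and management zone, with SSH into the protected segments allowed only from the ``Jumpbox`` itself. The address ranges, ports and rule set are assumed for illustration.

```python
"""Zone-based ACL evaluator for a segmented network with a DMZ and a jumpbox (constructed)."""
from ipaddress import ip_address, ip_network

# Constructed zones: each is a list of networks (physical segments or VLANs).
ZONES = {
    "internet":   [ip_network("0.0.0.0/0")],      # only matches as a fallback, see zone_of()
    "dmz":        [ip_network("203.0.113.0/24")],
    "internal":   [ip_network("10.10.0.0/16")],
    "management": [ip_network("10.99.0.0/24")],   # the jumpbox lives here
}
JUMPBOX = ip_address("10.99.0.10")

# Rules are evaluated top to bottom; first match wins; no match means deny.
# (src_zone, dst_zone, dst_port or None for any port, action)
RULES = [
    ("internet",   "dmz",      443,  "allow"),   # public web front-end in the DMZ
    ("dmz",        "internal", 5432, "allow"),   # DMZ app may reach the internal database only
    ("management", "internal", 22,   "allow"),   # admins reach servers through the jumpbox
    ("management", "dmz",      22,   "allow"),
    ("internal",   "internet", 443,  "allow"),   # outbound web from the staff VLAN
    ("dmz",        "internal", None, "deny"),    # a compromised bastion host cannot roam inward
    ("internet",   "internal", None, "deny"),
]


def zone_of(addr):
    """Most specific matching network wins, so 0.0.0.0/0 only classifies unknown addresses."""
    addr = ip_address(addr)
    best, best_len = None, -1
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def evaluate(src, dst, port):
    """Return 'allow' or 'deny' for a flow from src to dst:port."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"                   # intra-segment traffic is not filtered by this ACL
    # SSH into the protected segments must originate from the hardened jumpbox itself,
    # not from any host that happens to sit on the management VLAN.
    if port == 22 and src_zone == "management" and ip_address(src) != JUMPBOX:
        return "deny"
    for s, d, p, action in RULES:
        if s == src_zone and d == dst_zone and (p is None or p == port):
            return action
    return "deny"                        # implicit deny at the end of the list


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.10", 443),
                 ("198.51.100.7", "10.10.4.2", 445),
                 ("203.0.113.10", "10.10.4.2", 5432),
                 ("203.0.113.10", "10.10.4.2", 22),
                 ("10.99.0.10", "10.10.4.2", 22),
                 ("10.99.0.77", "10.10.4.2", 22)]:
        print(*flow, "->", evaluate(*flow))
```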


< [Table of Contents](#top) | [References](#references) >
<a id="r"></a>
***
###### Virtualization and Containerization
***

> Virtualization and Containerization - Virtual Desktop Infrastructure - ``VDI`` 

Is a virtualization implementation that separates the personal computing environment from a user's physical computer.

> Virtualization and Containerization - Containerization 

Is a type of virtualization applied by a host OS to provision an isolated execution environment for an application.


< [Table of Contents](#top) | [References](#references) >
<a id="s"></a>
***
###### Virtualization Infrastructure Security Management
***

Virtualization tools are extremely beneficial to companies that need to spin up and spin down resources in a hurry. 

> Virtualization Infrastructure Security Management - Terms/Best Practices

The following are some of the terms and secure best practices to remember for VM-related environments.

> Virtualization Infrastructure Security Management - Terms/Best Practices - Virtual Hosts

Always use published procedures to create VMs that include patch management processes and secure configuration templates.

> Virtualization Infrastructure Security Management - Terms/Best Practices - Virtual Networks

Ensure all networks are documented and properly identified to sustain proper segmentation practices.

> Virtualization Infrastructure Security Management - Terms/Best Practices - Management Interface and Host Platform

Use proper separation of duties on both the solution interface and the supporting host to keep the integrity of the system in check.

< [Table of Contents](#top) | [References](#references) >
<a id="t"></a>
***
###### Honeypots and Active Defense
***

> Honeypots and Active Defense - Active Defense 

Is the practice of responding to a threat by destroying or deceiving a threat actor's capabilities.

> Honeypots and Active Defense - Active Defense - Honeypot

A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. 

> Honeypots and Active Defense - Active Defense - Honeypot - Honeynet 

A related term is honeynet, meaning a whole network set up to entice attackers - also called a ``Decoy``.

Other ways of performing active defense include:

- Confusing the attacker with fake DNS entries.


- Creating decoy files and directories to waste their time.


- Returning useless data when port scanning is detected, via port triggering/spoofing.

< [Table of Contents](#top) | [References](#references) >
<a id="u"></a>
***
###### Technical Data and Privacy Solutions
***

< [Table of Contents](#top) | [References](#references) >
<a id="v"></a>
***
###### Technical Data and Privacy Solutions - Access Controls
***

It is important to remember in regards to access controls that there are geographical requirements to factor in. 

Remember to take into consideration sovereignty laws where certain data may not be accessed in certain geographical areas, or even remote employees that may need access to corporate resources from multiple locations.

< [Table of Contents](#top) | [References](#references) >
<a id="w"></a>
***
###### Cloud-Based Infrastructure Management
***

> Cloud-Based Infrastructure Management - Virtual Private Cloud - ``VPC``

A private network segment made available to a single cloud consumer on a public cloud.

> Cloud-Based Infrastructure Management - Cloud Access Security Broker - ``CASB``

Enterprise management software designed to mediate access to cloud services by users across all types of devices.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cybrary, "Infrastructure Management Solutions," [cybrary.it](https://web.archive.org/web/20220724081418/https://www.cybrary.it/), n.d.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
