Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Cloud+ CV0-003 Exam: OS and Application Security Controls
Source: https://www.fatskills.com/cloud-computing/chapter/comptia-cloud-cv0-003-exam-os-and-application-security-controls

CompTIA Cloud+ CV0-003 Exam: OS and Application Security Controls

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~18 min read

Objective: Given a scenario, apply the appropriate OS and application security controls.
The focus of this guide is how you should apply security controls to operating systems and applications within a cloud infrastructure. You will first learn about the importance of developing policies and user permissions. Next, you will learn about improving the security of a system by using hardened baselines, an endpoint detection and response (EDR), a host-based intrusion detection system (HIDS), and a host-based instruction protection system (HIPS).

Topics:
- Policies
- User Permissions
- Antivirus/Antimalware/Endpoint Detection and Response (EDR)
- Host-Based IDS (HIDS)/Host-Based IPS (HIPS)
- Hardened Baselines
- File Integrity
- Log and Event Monitoring
- Configuration Management
- Builds
- Operating System (OS) Upgrades
- Encryption
- Mandatory Access Control
- Firewall Software

1. When you create an application_____, you are specifying which applications can be installed and executed on that virtual machine or container.
2. Which command is used to display permissions in Linux?
3. A hardened _____ is a set of requirements for each system you deploy.
4. A(n) _____ build is a stable build that should be supported for a longer-than-average period of time.

1. Whitelist
2. ls
3. Baseline
4. LT

Policies
A policy is a collection of rules that are designed to provide a higher level of security. Without policies, components of the cloud infrastructure, like user accounts and software, are more vulnerable. This section covers some of policies that you should consider implementing in your cloud environment.

Password Complexity
Clearly “cat1234” is not a very good password on any modern system, and you want to avoid having users create passwords that are this simple. Because password complexity is such a key component of any good security policy, most cloud vendors provide an easy way to implement a policy for the cloud accounts. For example, the figure below demonstrates the AWS password policy for IAM users.

Images
AWS Password Policy
 

Note that the following are common complexity features that you can apply to most password policies:
- Enforce minimum number of characters in the password.
- Require at least one numeric character.
- Require at least one lowercase character.
- Require at least one uppercase character.
- Require at least one character that is not a number or an alpha character (sometimes called special characters).
Note that it is not just cloud accounts that you should apply a password complexity policy to. Other cloud resources, such as database engines and operating systems, also utilize user accounts, and these account passwords should also comply with the company password complexity policy.

Account Lockout
An account lockout policy defines in which situations an account is locked. This can include any of the following:

- An expiration date
- Too many attempts to log in to the account
- The number of days that the account is inactive
- Login attempts from unauthorized locations
Typically, an account lockout policy requires an administrator to remove the lockout. However, in some cases the account lockout could be removed after a predetermined period of time.

Application Whitelisting
When you deploy compute resources in the cloud (and on-premises as well), you should consider developing a policy for application whitelisting. When you create an application whitelist, you are specifying which applications can be installed and executed on that virtual machine or container.
The goal of this policy is to prevent malware from being installed or executed. Malware can be installed either intentionally by a user or unintentionally when clicking a link to a site that downloads and installs the malware.

Software Feature
Most software applications have features that may be considered a security risk. For example, an email application that opens attachments may result in opening a file that contains a virus or worm. A software feature policy is used to determine which features should be disabled to provide a higher level of security.

User/Group
Both cloud and operating system user accounts can be merged together into a group. Typically, this is done to provide access to resources or to apply a policy to a collection of user accounts.
For example, suppose you want to provide access to read data from a database for three user accounts: ned, fred, and ted. You could apply the permissions to access the database to each individual user. This approach can be manageable for a small number of user accounts, but what happens when there are hundreds or thousands of user accounts? What happens when accounts are routinely deleted and added to the environment?
Using groups helps administer permissions and account policies, but there also need to be company policies regarding how the groups are administered. For example, suppose that database contains payroll information. There should be a policy in place that determines what criteria must be met before someone is able to access this database.

User Permissions
To access cloud resources, a user must have the right permissions for those resources. In many cases, these permissions can be applied to specific resources or specific types of cloud resources. For example, you could create a permission that allows a user to read data from any database but then have permissions that allows that user to modify only specific databases.
In terms of operating systems, both of the primary operating systems used in cloud computing (Linux and Microsoft Windows) utilize permissions to protect files. For example, in Microsoft Windows you can go to the properties of a file by right-clicking the file and then choosing Properties. Then you click the Securitytab and you can modify the permissions of the file.

Images
Changing the Permissions of a File in Windows

For Linux, every file and directory has standard permissions (also called read, write, and execute permissions) that either allow or disallow a user access. To view the permissions of a file or directory in Linux, use the ls -lcommand as follows:
[student@localhost ~]$ ls -l /etc/chrony.keys
-rw-r-----. 1 root chrony 62 May 9 2021 /etc/chrony.keys

The first 10 characters of the output denote the file type (if the character in the first position is a hyphen [–], it denotes a plain file, and ddenotes a directory) and the permissions for the file. Permissions are broken into three sets: the user owner of the file (rootin the preceding example), the group owner (chrony), and all other users (referred to as “others”).
Each set has three possible permissions: read (symbolized by r), write (w), and execute (x). If a permission is set, the character that symbolizes the permission is displayed. Otherwise, a hyphen (–) character is displayed to indicate that permission is not set. Thus, r-xmeans “read and execute are set, but write is not set.”

What read, write, and execute permissions really mean depends on whether the object is a file or directory. For files, these permissions mean the following:
- Read: Can view or copy file contents.
- Write: Can modify file contents.
- Execute: Can run the file like a program. After you create a program, you must make it executable before you can run it.

For directories, they mean the following:
- Read: Can list files in the directory.
- Write: Can add and delete files in the directory (requires execute permission).
- Execute: Can change into the directory (cd) or use it in a pathname.

The chmod command is used to change permissions on files. It can be used in two ways: the symbolic method and the octal method. With the octal method, the permissions are assigned numeric values:
- Read = 4
- Write = 2
- Execute = 1

With these numeric values, one number can be used to describe an entire permission set:
- rwx
- rw-
- r-x
- r--
- -wx
- -w-
- --x
- ---

So, to change the permissions of a file to rwxr-xr--,you would execute the following command:
chmod 754 filename
With octal permissions, you should always provide three numbers, which will change all the permissions. But, what if you want to change only a single permission of the set? For that, you use the symbolic method by passing three values to the chmodcommand, as shown in Table 7.1.

TABLE: Symbolic Permission Values

Who

What

Permission

u = user owner

+

r

g = group owner

-

w

o = other

=

x

a= all sets

 

 


The following example demonstrates how to add execute permission to all three sets (user owner, group owner, and others) using the symbolic method:

[student@localhost ~]$ ls -l display.sh
-rw-rw-r--. 1 student student 291 Apr 30 20:09 display.sh
[student@localhost ~]$ chmod a+x display.sh
[student@localhost ~]$ ls -l display.sh
-rwxrwxr-x. 1 student student 291 Apr 30 20:09 display.sh


Antivirus/Antimalware/Endpoint Detection and Response (EDR)
Just about any compute system has some sort of antivirus/antimalware software available, including traditional operating systems like Microsoft Windows and Linux, as well as mobile device operating systems like iOS (for the mobile OS by Apple) and Android. They have become commonplace and are especially important on cloud resources that are often easily accessible via the Internet.
In addition to installing these products on individual systems, many organizations make use of EDR software. This software monitors and records information on the endpoints (individual systems) into a central database. This information is used to determine what risks to the network are present.
By analyzing this information, organizations can develop a better understanding of the threats that are reaching the endpoints of the organization’s network.

Host-Based IDS (HIDS)/Host-Based IPS (HIPS)
An intrusion detection system (IDS) is a software or hardware system that is designed to determine if an intrusion is occurring or has occurred on a network or a host. There are two major categories of IDS software: network-based and host-based.
A network-based IDS (NIDS) is software that monitors network packets to determine if an intrusion is taking or has taken place. A host-based IDS (HIDS) is installed on specific systems and monitors the state of the system itself to determine if an intrusion is in progress or has taken place.
There are many options available for these software programs, but the general concept is that an HIDS will utilize a database that describes what to monitor on the system. This can include monitoring actions that other software programs take, actions that users take, changes to the configuration of the operating system, and changes that are made to filesystems.
It is important to understand that an IDS is designed to monitor the system or the network for intrusions, but it is not designed to protect the system from intrusions. An IDS may take some actions, such as generating reports or sending alerts via email or SMS, but it doesn’t take any direct action to protect the system or the network. It can generate alerts so an action can be taken manually.
An intrusion protection system (IPS) both monitors for intrusions and can take action if an intrusion is detected. For example, an HIPS may detect a suspicious login and, as a result, block access to the system from the source IP address.
The advantage of an IPS over an IDS is that potential threats may be neutralized quicker than if a human needed to get involved. The disadvantage of an IPS over an IDS is that false positives may result in disabling access for someone who should be allowed the access.

Hardened Baselines
Each resource should be designed to provide specific features and functions. For example, you might have a virtual machine that is designed to serve as a web host. Unfortunately, many operating systems have other features enabled when you perform an “out of the box” installation.

A hardened baseline is a set of requirements for each system you deploy. This baseline can include establishing rules on how different components of the system are configured, including the following:
- Operating system configurations
- Network configurations and services permitted on the network
- System monitoring configurations
- Data encryption methods
- Application configurations
- Security appliance configurations
- Backup policies and procedures
- Patching and update policies
The goal of hardened baselines is to establish specific rules and procedures to best ensure the security of any resource that your organization deploys. These baselines should be well established long before your organization deploys any resource in a production environment.

Single Function
As mentioned in the previous section, each resource should be designed to perform a single function. For example, a virtual machine that provides an organization’s web server should not also function as the organization’s mail server, NTP server, and file server.
The separating of functions is one of the primary advantages of cloud computing and a major reason to consider utilizing containers rather than full operating systems. In a cloud infrastructure you can customize the system resources (CPU, memory, and so on) to meet the need of the compute resource that you are deploying. You don’t need to guess how much system resources your web server will need, and you don’t have to feel compelled to “fill up” an expensive server with additional services.
By using a single function methodology, you provide a more secure environment. For example, maybe an attacker can hack into your web server (granted, this is bad), but if you use a single function methodology, the attacker doesn’t automatically gain access to your mail server, NTP server, and file server.

File Integrity
File integrity refers to the process of protecting a file from unauthorized changes, including cyber-attacks. In other words, a file's 'integrity' is validated to determine whether or not it has been altered after its creation, curation, archiving or other qualifying event.


Configuration Management
Configuration Management is the process of maintaining systems, such as computer hardware and software, in a desired state. Configuration Management (CM) is also a method of ensuring that systems perform in a manner consistent with expectations over time.


Builds
When an organization develops software and the software is released, either internally or externally, the release is referred to as a build. This section explores different types of builds.

Stable
A stable build is designed to be a release that is ready for a production environment.
Typically, if you are a customer who purchases software, that software is considered a stable build.
Prior to a software build being released, earlier releases are called beta builds. Some organizations like to have access to beta builds because this access provides them with early insight as to how the software will perform. However, beta builds come with little to no support or warranty. They are considered “use at your own risk” and should not be used in production environments.

Long-Term Support (LTS)
A long-term support build is a stable build that should be supported for a longer than average period of time. This can be an important issue for some organizations because moving to a new version of software can pose several challenges, including:
- Time, effort, and money to ensure that the new version performs within standards.
- Potential new licensing costs.
- The need to deal with potential inconsistencies or incompatibilities. For example, a newer version of software might not integrate with other software that the organization is already using.
- Additional training costs to teach existing employees and customers how the new version of the software behaves.
- Reduced production as employees attempt to use the new version of the software.
One disadvantage of utilizing an LTS build is that new features that are released with the regular stable build are not normally implemented in the LTS build.

Beta
See the earlier “Stable” section.

Canary
You may have heard how miners would take a canary bird into the mines with them to determine if the air held dangerous levels of toxic gases. The idea was that the canary had a faster breathing rate than humans and would show signs of the presence of toxic gases quicker than humans would.
A canary build works on a similar concept. New features are released to a specific set of beta testers (pilot users) to determine if the new features have any negative impact on the software. The features are provided in the new beta builds in a very specific manner and typically spread out over several beta releases. This type of build allows the developers some insight as to which new features may have caused an issue and allows the developers the time to fix the issues before releasing the software in a stable build.

Operating System (OS) Upgrades
Examples of updates include service packs, version upgrades, security updates, drivers, or other types of updates. Important and high-priority updates are critical to the security and reliability of your computer.

Encryption
Encryption is a security control used primarily to provide confidentiality protection for data. It is a mathematical transformation to scramble data requiring protection (plaintext) into a form not easily understood by unauthorized people or machines (ciphertext).

Application Programming Interface (API) Endpoint
An API is a technique that is used to provide a well-known communication method between a client and a server. A client will issue an API request to a server, typically using representational state transfer (REST).
API calls across the Internet are common. Even if the API call is made within an enclosed network, it is important that the transmission itself be encrypted. For this reason, the endpoint of API connections is normally established with the HTTPS protocol.

Application
Applications often store and transmit data. To ensure the security of this data, all data in transit and all data at rest should be in an encrypted format. This is especially important in cloud environments because data is often more accessible as it is stored in a network-accessible location.

OS
Typically, in regard to OS encryption, what is really being encrypted is the storage disk or the filesystem where the OS resides. See the “Filesystem” section later in this guide.
Most cloud-based storage devices provide some level of encryption although it might not be enabled by default. Cloud storage that is used to hold sensitive data should have the encryption option turned on.

Filesystem
The term filesystem encryption refers to any filesystem in which the file data (and, sometimes, metadata) is encrypted when the data is “at rest.” The data is decrypted when needed by a user or program.
In some cases, the encryption is provided as a feature of a filesystem that can be turned on or off. In other cases, a separate application handles the encryption process.
In environments like the cloud, where the data on the filesystem can be accessed by multiple people, using an encrypted filesystem is an important part of security strategy.
Encrypted filesystems are not the same as full disk encryption. With full disk encryption, the entire disk is encrypted when the operating system is inactive (shut down). When the system is booted, the data on the disk is encrypted.

Mandatory Access Control
Consider a situation in which a user logs in to an operating system and then wants to share a file with another user so that the other user can view the contents of the file. This change is typically accomplished by file permissions and, if the user owns the file, that user normally has the ability to make changes to the file permissions. This is referred to as discretionary access control (DAC).
The problem with DAC is that users don’t always make the best choice when it comes to security. For example, suppose the user couldn’t figure out how to change the permissions on the file so that the other user had access. Instead, the first user, either because of frustration or lack the time to research how to accomplish this task, decides to allow everyone the ability to view the file contents. Depending on the contents of the file, this can be a very poor security decision.
A mandatory access control (MAC) system is a set of rules that either allow or deny entities (users, software programs, and so on) access to a resource. However, unlike DAC, with MAC individual users don’t have the ability to change the access rules. A MAC policy is used to manage the access rules, and the administrator should be the only one who can modify the policy.
MAC systems are popular on operating systems. Microsoft utilizes Mandatory Integrity Control to provide MAC on Windows. On Linux systems, SELinux and AppArmor are popular MAC systems.
Your cloud vendor likely also employs MAC. For example, as the cloud administrator for your organization, you can permit users the ability to access resources using either cloud permissions or policies.

Firewall Software
Firewall software is used to protect either a network or an individual resource. When firewall rules are put in place, the firewall can filter which network packets can enter a network or the operating system.

A large number of firewall programs are available. You shouldn’t expect to be asked questions on the CompTIA Cloud+ exam on any specific firewall software. However, you should realize that firewalls provide many features and benefits, including the following:
- A firewall can block or allow packets based on any header information, like source IP address or destination port.
- In some cases a firewall can block or allow packets based on the content of the message.
- Firewall software can often provide advanced features, like Network Address Translation (NAT), malware filtering, intrusion prevention, and VPNs.
- Firewalls can be configured to log network packet information.
- Firewalls are not one directional. You can use a firewall to block access from resources within your network attempting to access an external resource.

Quiz
1. Which of the following is not normally a rule used to enforce more complex passwords? A.Minimum number of characters in the password B.Maximum number of characters in the password C.Require at least one lowercase character D.Require at least one uppercase character
2. Based on the following permissions, what can members of the chrony group do with the /etc/chrony.keys file?
[student@localhost ~]$ ls -l /etc/chrony.keys A.Can only view the file B.Can view and change the file C.Can view and delete the file D.Cannot do anything with the file
3. Which of the following is not normally a requirement for a hardened baseline? A.Operating system configurations B.System monitoring configurations C.Application configurations D.Cloud access configuration
4. Which build includes small beta releases over time? A.Oriole B.Canary C.Goldfinch D.Big bird

Answers:

1. Maximum number of characters in the password
2. Can only view the file
3. Cloud access configuration
4. Canary


Image

Image

Image



ADVERTISEMENT