
Security+ Domain #4: Application, Data, and Host Security (SY0-401) [DECOMMISSIONED ARTICLE]

October 21, 2017 by Fakhar Imam

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Introduction

Application, data, and host security falls into the fourth domain of CompTIA’s Security+ exam (SY0-401) and contributes 15% to the exam score. To pass the Security+ exam, candidates must understand the topics under this domain, which include the following.

Importance of Application Security Controls and Techniques

If an application is not correctly programmed, then network hardening, user training, and auditing cannot compensate for it. Application security is critical for the long-term survival of any business. Reliable application security begins with secure design and coding and is maintained over the life cycle of the application through patching and testing.

Fuzzing—a software-testing method that automatically generates inputs for the targeted program. Fuzzing discovers input sets that cause crashes, failures, or errors in the targeted application.
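As an added illustration (not code from the original article), here is a minimal mutation fuzzer in Python run against a constructed toy record parser that contains a deliberate bounds bug; the fuzzer reports inputs that make the target fail in an unexpected way rather than rejecting them cleanly.

```python
import random
from typing import Callable, List, Tuple


def parse_record(data: bytes) -> dict:
    """Constructed toy target: a length-prefixed record parser with a
    deliberate bug. It trusts the length byte, so an oversized length
    makes the flag lookup index past the end of the buffer."""
    if len(data) < 2:
        raise ValueError("record too short")      # clean, expected rejection
    name_len = data[0]
    name = data[1:1 + name_len]
    flag = data[1 + name_len]                      # bug: unchecked index
    return {"name": name.decode("latin-1"), "flag": flag}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the seed: overwrite, insert, or delete a byte."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Feed mutated inputs to `target`. A ValueError is the parser's documented
    way of rejecting bad input; any other exception is recorded as a finding."""
    rng = random.Random(rng_seed)                  # seeded so runs are reproducible
    findings: List[Tuple[bytes, str]] = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:                   # crash-equivalent: unhandled error
            findings.append((candidate, type(exc).__name__))
    return findings


if __name__ == "__main__":
    for payload, kind in fuzz(parse_record, b"\x03bob\x01")[:5]:
        print(kind, payload)
```

Real fuzzers (AFL, libFuzzer) add coverage feedback and crash triage, but the loop is the same: mutate, run, and keep anything the target did not handle gracefully.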

Secure coding concepts—When an application passes through the coding stage, programmers must build security in and avoid common mistakes and pitfalls. Two secure coding concepts, exception handling and input validation, are used to implement security in the application.

Cross-site scripting (XSS) prevention—Programmers need to use several techniques to prevent XSS on a resource host. These techniques include validating input, escaping metacharacters, rejecting all script-like input, and coding defensively.

Cross-site request forgery (XSRF) prevention—XSRF can be prevented by adding a randomized string (token) to each URL (uniform resource locator) request and to session creation, and by testing the Referer header of the client HTTP request for spoofing.
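The two checks just described, as an added Python example that is not part of the original article: a random token minted at session creation and carried on each state-changing URL, plus a Referer host check. The session store and the host name `app.example.test` are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed in-memory session store: session id -> anti-XSRF token.
SESSIONS: Dict[str, str] = {}


def start_session() -> Tuple[str, str]:
    """Create a session and mint a random token bound to it."""
    session_id = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)              # unguessable per-session secret
    SESSIONS[session_id] = token
    return session_id, token


def protected_url(path: str, token: str) -> str:
    """Attach the randomized string to a state-changing URL."""
    return f"{path}?xsrf={token}"


def token_from_url(url: str) -> Optional[str]:
    values = parse_qs(urlparse(url).query).get("xsrf")
    return values[0] if values else None


def referer_ok(headers: Dict[str, str], expected_host: str) -> bool:
    """Second check: the Referer must name our own host. A missing or
    foreign Referer is treated as spoofed and rejected."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlparse(referer).netloc.lower() == expected_host.lower()


def authorize_request(session_id: str, url: str, headers: Dict[str, str],
                      expected_host: str = "app.example.test") -> bool:
    """Accept a state-changing request only if the URL carries the token
    issued to this session and the Referer header passes."""
    expected = SESSIONS.get(session_id)
    submitted = token_from_url(url)
    if expected is None or submitted is None:
        return False
    if not hmac.compare_digest(expected, submitted):   # constant-time comparison
        return False
    return referer_ok(headers, expected_host)
```

Tokens placed in URLs can leak through proxy logs and outbound Referer headers, so a form field or custom request header is the more common carrier today; the validation logic is the same.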

Application hardening and configuration baseline—Application hardening imposes security on required services and applications. The application configuration baseline aims at ensuring compliance with policy and reduces human supervision.

NoSQL—a database approach that uses non-relational data structures, such as multilevel hierarchies and nesting/referencing.

Server-side and client-side validation—Server-side validation protects a system from malicious input by checking input length, filtering metacharacters, and filtering malicious content such as script calls or SQL commands. Client-side validation, on the other hand, gives typical users better feedback by indicating whether an input meets requirements such as content, length, and value.
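An added Python example (not from the original article) that ties together the secure coding concepts above: server-side validation with a length check, a metacharacter filter and a script/SQL content filter, exception handling that returns a generic error instead of leaking internals, and HTML escaping of whatever is accepted so XSS is blocked even if a filter misses. The filter lists and patterns are constructed for the example and are not a complete ruleset.

```python
import html
import re

MAX_LEN = 64
# Constructed filter lists: characters with special meaning in HTML, SQL or shells,
# and a few patterns for script calls and SQL fragments.
METACHARS = set("<>\"`;|&$\\")
SUSPICIOUS = re.compile(
    r"(<\s*script|javascript:|\bon\w+\s*=|\bunion\s+select\b|\bdrop\s+table\b"
    r"|--|/\*|'\s*(or|and)\b)",
    re.IGNORECASE,
)


class ValidationError(ValueError):
    """Raised instead of silently 'repairing' input; callers decide how to respond."""


def validate_server_side(value: object, max_len: int = MAX_LEN) -> str:
    """Server-side validation: type and length check, metacharacter filter,
    and a content filter for script calls and SQL fragments."""
    if not isinstance(value, str):
        raise ValidationError("not a string")
    if not 1 <= len(value) <= max_len:
        raise ValidationError(f"length {len(value)} outside 1..{max_len}")
    bad = sorted(set(value) & METACHARS)
    if bad:
        raise ValidationError(f"metacharacters not allowed: {bad}")
    if SUSPICIOUS.search(value):
        raise ValidationError("script or SQL fragment detected")
    return value


def render_comment(value: object) -> str:
    """Exception handling plus output escaping: rejected input yields a generic
    message (no internals leaked); accepted input is still HTML-escaped, so the
    page stays safe even if the filter above misses something."""
    try:
        clean = validate_server_side(value)
    except ValidationError:
        return '<p class="error">Input rejected.</p>'
    return f"<p>{html.escape(clean, quote=True)}</p>"
```

Whether an apostrophe or ampersand is legitimate depends on the field, so per-field allowlists beat one global filter; output escaping is the control that actually stops XSS, and parameterized queries (not filters) are what stop SQL injection.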

Mobile Security Concepts and Technologies

Mobile devices are of paramount importance in an organization’s IT infrastructure. The following concepts relate to mobile security.

Mobile device security—Mobile device security can be ensured by deploying some security features, such as device encryption, screen locks, lockout, remote wiping, application control, GPS, removable storage, device access control, device management, inventory control, storage segmentation, and asset tracking.

Mobile device application security—The applications on a mobile device must be protected and secured. The important features used for application security include credential management, key management, geo-tagging, authentication, encryption, transitive trust/authentication, and application whitelisting.

Bring your own device (BYOD)—BYOD is a policy that allows users to bring their own cell phones to work and use those devices to connect to the company network. BYOD can introduce security risks. Employees’ mobile devices raise issues including data ownership, support ownership, privacy, forensics, antivirus management, patch management, user acceptance, adherence to corporate policies, on-boarding/off-boarding, on-board cameras/video, acceptable use policies, legal concerns, and architecture/infrastructure considerations.

Select the Appropriate Solutions to Establish Host Security

Along with server and network security, host security is also essential. The end user is a risky element in an organization: end users interact with company resources through the Internet, so the host must be secured against dangers arriving from the Internet, removable media, and peripherals.

Operating system security—The operating system must be fully secured by deploying all the security procedures necessary for it.

Antivirus software—an essential security application and an example of a host IDS (intrusion detection system). Antivirus software monitors a system for malware in storage, in memory, and in active processes.

Pop-up blockers—These prevent websites from opening additional browser windows without the user’s consent.

Hardware security—System hardware requires physical access controls over the facility and physical environment; without them, the logical security imposed by the antivirus program can be bypassed.

Virtualization technology—Used to host one or more operating systems within a single host system. Virtualization raises several security issues, including snapshots, patch compatibility, security control testing, sandboxing, and host availability/elasticity.

Implement the Appropriate Controls to Ensure Data Security

Data is an even more important factor than hardware and software in the IT infrastructure, so data security is of paramount importance in an IT environment. The confidentiality, availability, and integrity of data must be protected. Data security can be ensured by taking the proactive measures mentioned below.

Data encryption—Cryptography is used to protect data at rest on storage devices. Data can be encrypted at the level of the full disk, a file, a database, a mobile device, or removable media.

Data policies—Data policies ensure the confidentiality, integrity, and availability of data. Common elements of data policies include wiping, storage, disposal, and retention.

Compare and Contrast Alternative Methods to Mitigate Security Risks in Static Environments

Static environments—A static environment may be an application, OS, hardware set, or network that is configured once for a particular need and then not changed. Examples of static environments include embedded systems, SCADA, iOS, Android, mainframes, and game consoles.

Static environment security methods—There are some techniques for managing the security of static environments. These techniques include application firewalls, security layers, network segmentation, wrappers, control redundancy and diversity, firmware version control, and manual updates.

Performance-Based Questions in Security+ Exam

Performance-based questions (PBQs) test candidates’ ability to solve problems in a simulated environment. Candidates need to manage their time wisely when working on the PBQs. Each performance-based question asks the candidate to solve a specific problem; a simulated environment is then provided in which the candidate completes the required steps. Candidates also cannot see a clock while solving the PBQs.

Example:

Question: Which of the following can be used to limit the risks associated with mobile devices? (Select all that apply.)

  A. Automatic Locking
  B. Secured Rooms
  C. Wipe after ten (10) Failed Security Code Entries
  D. Passcode
  E. Encryption
  F. Locked Cabinet
  G. Remote Wipe

Answer: A, C, D, E, G

A, D, E: Automatically locking the mobile device reduces the risk of unauthorized control. Encryption and a passcode prevent attackers from compromising the data on the mobile device.

C: Wiping after ten (10) failed security code entries assumes that someone is trying to gain unauthorized access to the mobile device, so it prevents data loss from the device.

G: A remote wipe allows an enterprise to remove data from a mobile device once the device leaves the enterprise’s control.

Where Should You Focus Your Study Time?

Quizzing and taking mock exams are the best ways to assess your understanding of this subject and your preparation before taking the Security+ exam. Taking notes and working through the test questions on the CD can also be helpful.

Moreover, studying the right material is also very important. Some official books recommended by CompTIA for the Security+ exam, SY0-401, include:

  • Cert SY0-401, written by David L. Prowse
  • CompTIA Security+ All-in-One Exam Guide, Fourth Edition, published by McGraw Hill
  • CompTIA Security+ Certification Study Guide, published by McGraw Hill

How Is This Information Useful in the Real World?

Digital literacy is an essential survival skill in a digital world. Your Security+ certification proves that you have the skills and knowledge to solve security problems in any business environment. Also, more than 25 million IT professionals worldwide are Security+ certified. Security+ certification is proof of your professional achievement; it increases your marketability, provides opportunities for advancement, and fulfills training requirements.

Today, businesses are looking for security professionals to protect applications, data, and hosts in organizations’ IT environments, as these are vulnerable to various security risks. For example, the BYOD & Mobile Security 2016 study revealed that one in five companies suffered a mobile security breach, driven by malicious Wi-Fi and malware. Security threats to BYOD impose enormous burdens on businesses’ IT resources (35%) and help desk workloads (27%). Organizations can avoid these issues if they correctly deploy mobile device security mechanisms.

InfoSec Security+ Boot Camp

The InfoSec Institute offers a Security+ Boot Camp that teaches you the theory and reinforces theory with hands-on exercises that help you learn by doing.

InfoSec also offers thousands of articles on all manner of security topics.

Fakhar Imam

Fakhar Imam is a professional writer who holds a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP, and various other IT-related subjects.