ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today I’ll be covering Chapters 7 and 8 of the Security+ Exam Cram, “Security Assessment Techniques” and “Penetration Testing Techniques”.

Vulnerability Scans

Types of scanners:

Dealing with discovered vulnerabilities:


Note that the US government uses OVAL - the “Open Vulnerability Assessment Language”, an XML-based vulnerability description language - instead of the CVE numbers used in private industry. That said, OVAL vulnerability representations are often based off of CVE data.

Intrusive vs. Non-Intrusive Scans

“Intrusive” scans actually try to exploit potentially vulnerable systems.

Credentialed vs. Non-Credentialed Scans

Credentialed scans: More invasive, but also more accurate.

Security Information and Event Management (SIEM)

Strategies for identifying “events of interest”:

WORM drives are commonly used as part of SIEMs in a regulatory context, or when conducting investigations into IT and security staff.

Exam Cram notes that SIEMs only become cost-effective when ingesting a million+ events/day.

Some SIEMs are now beginning to include sentiment analysis functionality, often leveraging external data sources.

Security Orchestration, Automation, and Response (SOAR)

SOAR is to SIEM as broader threat intelligence it to log aggregation. It also layers on incident response automation. Seems to be a bit of a marketing term.

Testing Methodology


Exam Cram refers to passive recon as “footprinting”.

Team Exercises

Exam Cram specifically defines red teaming as more focused than a regular penetration test, with specific operational objectives. These days, I’d imagine that most red teams focus on APT emulation.

I have not heard of “white teams” - which apparently set the rules of engagement for red/blue teams and are the keepers of business GRC policies - before. Exam Cram refers to them as the “referees”.

ITPro.TV: CompTIA Security+ (SY0-601)

Network Reconnaissance And Discovery

Interesting tools:

Packet Capture And Replay

# Start dumping packets observed on interface $IFACE.
tcpdump -i $IFACE

# Dump packets observed on interface $IFACE to pcap file $PCAP_FILE.
tcpdump -i $IFACE -w ${PCAP_FILE}.pcap

# Replay packets from $PCAP_FILE.
tcpreplay -i $IFACE ${PCAP_FILE}.pcap