CompTIA Stackable Certifications follow the two CompTIA Career Pathways:

Within each pathway, CompTIA Stackable Certifications are categorized by experience level:

  • Specialist: Early-career IT professionals with 0–2 years of experience
  • Professional: Mid-level IT professionals with 2–5 years of experience
  • Expert: Established IT professionals with more than 5 years of experience

CompTIA Infrastructure Career Pathway

When taken together as the CompTIA Infrastructure Career Pathway, CompTIA A+, CompTIA Network+, CompTIA Security+, CompTIA Server+, CompTIA Linux+ and CompTIA Cloud+ validate the skillsets needed across IT operations, deepening your mastery of skills and broadening the number of IT infrastructure roles in which you can contribute.

CompTIA Infrastructure

CompTIA Cybersecurity Career Pathway

With CompTIA A+, CompTIA Network+, CompTIA Security+, CompTIA Cybersecurity Analyst (CySA+), and CompTIA Advanced Security Practitioner (CASP), the CompTIA Cybersecurity Career Pathway helps technical specialists achieve cybersecurity mastery, from beginning to end.

CompTIA Cybersecurity

CompTIA Career Pathway

CompTIA certifications align with IT infrastructure and cybersecurity career paths, with each added certification representing a deepening of your expertise. Core certifications, like CompTIA A+, lay the groundwork for the specialized pathway certifications, and additional professional certifications cover necessary IT skills like project management.

For more information visit CompTIA IT Certifications

“That policy reflects an effort to articulate neutral principles so that when the issue that the government confronted in 2016 arises again — as it surely will — there will be a framework to address it,” Deputy Attorney General Rod Rosenstein said in unveiling the report at the Aspen Security Forum.

The report also describes a range of challenges hampering the government’s ability to fight more traditional cybercrime and recommends possible solutions.

The challenge that receives the most attention is encryption and other technological impediments to accessing investigative data. The spread of easy-to-use, often-invisible encryption “poses a significant impediment to the investigation of most types of criminal activity,” the report warns.

For years, the government has urged tech companies to voluntarily use warrant-compatible encryption, but in recent years Silicon Valley has moved in the opposite direction. The report recommends seven ways for DOJ to respond to this problem, including “considering whether legislation to address encryption (and all related service provider access) challenges should be pursued.”

The lengthy chapter on foreign influence operations describes five categories of meddling, from hacking election infrastructure to spreading disinformation. It also lays out a policy for disclosing foreign meddling investigations to their targets, tech companies whose platforms are involved, lawmakers and the public.

This meddling “may violate a number of federal laws on which the Department may base criminal investigations and prosecutions,” the report says, but DOJ is “also considering whether new criminal statutes aimed more directly at this type of activity are needed.”

In addition to foreign influence campaigns, the report also covers the more prosaic cybercrime schemes that prosecutors and agents deal with on a daily basis. Chapter 2 discusses the types of cybercrime that the department investigates, from distributed denial-of-service attacks to ransomware infections. Chapter 3 explains how the government fights back, including prosecution tools like the Computer Fraud and Abuse Act, techniques like surveillance of suspects and other response options like dismantling botnets. Chapter 4 describes the government’s private-sector partnerships, information-sharing channels and interagency response plans. And Chapter 5 explains how different DOJ components are training and retaining cybersecurity experts.

Chapter 6 lays out the challenges for cybercrime investigations and prosecutions. Among them are the reticence of victims to report breaches, the government’s sometimes tense relationship with security researchers and gaps in DOJ’s legal authority to access data controlled by foreign companies.

In the encryption section, DOJ notes that it cannot rely solely on purchasing workarounds like Cellebrite or GrayKey.

“Expanding the government’s exploitation of vulnerabilities for law enforcement purposes will likely require significantly higher expenditures — and in the end it may not be a scalable solution,” the report warns. “All vulnerabilities have a limited lifespan and may have a limited scope of applicability.”

Another problem relevant to election security is that the Computer Fraud and Abuse Act only empowers DOJ to prosecute people who hack internet-connected devices.

“In many conceivable situations, electronic voting machines will not meet those criteria, as they are typically kept off the Internet,” the report notes. “Consequently, should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.”

At the Aspen event, Rosenstein said the report underscored how DOJ “must continually adapt criminal justice and intelligence tools to combat hackers and other cybercriminals.”

The DOJ began compiling the report in February, after Attorney General Jeff Sessions, under fire from congressional Democrats for not appearing to prioritize election security, created a Cyber-Digital Task Force to study DOJ-related cyber issues and “identify how federal law enforcement can more effectively accomplish its mission in this vital and evolving area.”

The report mostly summarizes previously known information about DOJ, its headquarters components like the National Security Division and its agencies like the FBI.

In some cases, the report copies and pastes text directly from federal websites, including in a section describing INTERPOL Washington.

DOJ Report of the Attorney General’s Cyber Digital Task Force

The first bug (CVE-2018-10987) is a remote code execution issue that resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153) of the vacuum.

“This vulnerability allows attackers to obtain superuser rights on the vacuum, meaning they can control it remotely, viewing video and images, and physically moving the vacuum,” Galloway told Threatpost. “It can also be used in a botnet for DDoS attacks or for bitcoin mining.”

An attacker can discover the vacuum on the network by obtaining its media access control (MAC) address – an unique identifier assigned for communications at the data link layer of a network.

They can then send a specially-crafted user datagram communications protocol (UDP) request, which results in execution of a command with superuser rights on the vacuum. A crafted UDP packet runs “/mnt/skyeye/mode_switch.sh %s” with an attacker controlling the %s variable.

“To succeed, the attacker must authenticate on the device—which is made easier by the fact that many affected devices have the default username and password combination (admin:888888),” researchers said.

A second vulnerability (CVE-2018-10988) would also allow superuser rights, but additionally, could enable crooks to steal unencrypted data, including photos, video and emails, sent from other devices on the same Wi-Fi network.

The bug exists in the vacuum’s update mechanism – and it is less threatening as it requires attackers to have physical access to the vacuum. Attackers exploiting this bug could create a special script and place it on a microSD card, then insert it into the vacuum.

After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. The script could run arbitrary code, such as a sniffer, to intercept private data sent over Wi-Fi by other devices.

Positive Technologies told Threatpost it followed responsible disclosure practices, alerting the company on March 15, 2018. Positive Technologies also submitted the vulnerabilities officially (CVE-2018-10987 and CVE-2018-10987).

“Positive Technologies does not have any information about whether or not the vulnerabilities have been fixed to date,” the company told Threatpost. Chinese supplier Dongguan Diqee did not respond to multiple requests for comment.

A similar incident occurred last year, when researchers discovered that LG’s Hom-Bot IoT vacuum cleaner lineup was open to a hack that would let an attacker take control of the devices and their cameras –and give them the ability to live-stream video from inside a home.

These vulnerabilities may also affect other IoT devices using the same video modules as Dongguan Diqee 360 vacuum cleaners. Such devices include outdoor surveillance cameras, DVRs, and smart doorbells, researchers said.

“New IoT devices are being created and deployed every day,” Galloway told Threatpost. “If these issues continue to go addressed, IoT security will progressively get worse. To address security issues, the industry should create a comprehensive, agreed-upon set of guidelines in cooperation with all parties, from hardware manufacturers to service providers and security experts.”

IoT 3

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

Propagation

We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover which is still relevant.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

It looks fairly convincing. The user is unlikely to notice the difference, especially if he has not used the app before.

Installation

As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from the Intego’s one — perhaps the cybercriminals took it from an earlier version of the product. 

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan
With SIP enabled

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child processes log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

  • Keychain storage data
  • Data extracted from the user login/password window
  • Information about the network connection
  • Data from Google Chrome: history, bookmarks, cookies

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available

Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

  • Copies itself to /System/Library/ folder
  • Sets itself to launch automatically on startup
  • Unmounts and uninstalls its DMG image
  • Adds itself to Accessibility
  • Harvests additional information about the system
  • Enables remote access to the system
  • Forwards the harvested data to a C&C server

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for the antivirus. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

  • Enables remote login
  • Enables screen sharing
  • Configures remote login permissions for the user
  • Allows remote login to all
  • Enables a hidden “root” account in macOS and sets the password specified in the Trojan code

The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions

Static analysis of Calisto revealed unfinished and unused additional functionality:

  • Loading/unloading of kernel extensions for handling USB devices
  • Data theft from user directories
  • Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton

Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

  • The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
  • The Trojan sample contains the line “com.proton.calisto.plist”
  • Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

  • Always update to the current version of the OS
  • Never disable SIP
  • Run only signed software downloaded from trusted sources, such as the App Store
  • Use antivirus software
MD5

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

 

“Whether they are fighting cybercrime, exploring how engineers solve problems, or advocating for issues affecting their community, Girl Scouts are learning how to proactively address some of the foremost challenges of today while also building skills that will set them up for a lifetime of leadership,” Girl Scouts USA CEO Sylvia Acevedo said.

While the new badges are good, discrepancies between Girl Scouts and Boy Scouts badges remain. The Girl Scouts badges for cooking seem to spotlight the social aspects of food, where the Boy Scouts meal-related badge focuses on nutrition and food safety. In October last year, the Boy Scouts of America announced it would begin accepting girls into the program.

 

Photo courtesy of Girl Scouts of the USA

 

This legal aspect, experts feel, differentiates the law distinctly from the GDPR. They also opine that the bill’s sweeping nature may be unprecedented in terms of privacy but its final impacts are yet to be known.

The concept of “personal information” has some broad and sweeping definitions and includes the usual categories such as people’s names, their social security numbers, and email IDs.

However, it has also brought within its purview some unique personal identifiers like geolocation data; IP addresses; browsing, search and shopping histories; and profiles of consumers, based on inferences drawn from available personal information.

It is seen that unique identifiers are used mostly by ad tech firms to track people anonymously on the web. This implies that an ad tech firm that stores tracking cookies on consumers’ devices shall now have to offer people the option of asking the company to delete such information garnered by way of those cookies.

They shall also have to ensure that such cookies and any corresponding or relevant information doesn’t get exposed should there be a data breach in the future. This would make the business susceptible to facing a class-action lawsuit.

Legal Loopholes

After having gone through the draft of the law, some of California’s leading legal luminaries have pointed out a loophole in the statute. This is in the sphere of any “de-identified” personal information or information about the “aggregate consumer.”

Interpretations of this section imply that personal information, which cannot be bracketed with a particular consumer, would be deemed to be de-identified. Again, it’s still not clear whether the identifier types that operate the digital advertising ecosystem will fall within the ambit of the law.

Exempt from the law

However, the law has suggested that IDs for mobile advertising and online tracking cookies, used for collecting information on individual devices, are likely to come within its jurisdiction. Digital advertising businesses may argue here that they are exempt from the law because they assemble such identifiers into anonymous, larger audience pools.

This particular area continues to be in flux and is somewhat confusing, feel legal experts. Arguably, however, anonymous information doesn’t allow the creation of a consumer profile because it can’t be linked to a particular individual. Even then, there are certain provisions in the law that don’t exactly exempt digital advertising agencies totally.

This is because even if an agency claims that it has disassociated any information from an individual, it will have to ensure that this type of disassociation can’t be undone and that such data may be reconnected to the aforesaid party.

Even though the bill is now a law, the advertising industry is still confused over this possible loophole, assuming that it doesn’t exist.

No Loophole

The industry feels there can be no loophole because any data which is linked to other data can be associated with an individual or group of individuals. For instance, Exponential Interactive, an ad tech company purchases data from third parties for use in ad targeting campaigns. However, when such data is bought, it’s totally aggregated.

Exponential Interactive makes use of cookie IDs to match such aggregated 3rd party data with its own audience pool to target specific audiences with ads. This it does without accessing any underlying data that includes people’s names or their email IDs.

This cookie-based process of matching is likely to subject ad tech firms to comply with provisions of the law, even though they may eliminate cookie-based identifiers from the process. An individual’s behavioral profile may be stripped of its cookie ID and IP address to assume a de-identified status, but shall be deemed to be personal information under the law.

Long Way to Go

A segment of legal professionals, however, feel that the law will have minimal impact on the leading online platforms.

Moreover, there’s still enough time for it to be amended or changed as it has been passed by the California state legislature and not California voters. Thus, there is enough scope to ask the lawmakers for necessary clarifications on specifics while experts continue to work out its final impact.

 

The greatest increase was the use of malware in attacks, up 75% since Q1 last year. In fact, the report found that malware was used in 63% of all attacks.

Primarily, individuals are the victims of malware attacks 5 out of 6 times, according to the report. Similarly, the report found that cryptocurrency miners accounted for 23% of malware attacks.

“Spyware, in particular, is used most often because it allows obtaining not only personal

information and corporate secrets, but credentials for the services and systems needed to

attack internal corporate infrastructure.” Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said in the report.

According to the report, cyber attacks on the government increased as well—most of these involving spyware. This malware was placed on government infrastructure primarily through phishing emails. Public sector workers should be vigilant for odd looking emails and possibly invest in training their employees to better spot phishing emails. For more tips on identifying these emails, check out this article from TechRepublic’s Macy Bayern.

IT workers in banking need to be aware of cyber-attackers seeking financial gain. While these efforts total 64% of attacks on banks, the remaining 36% is aimed at gaining sensitive client balances. So, IT professionals in finance and banking should make sure their customer databases are as secure as possible.

While these attacks aren’t new, they aren’t expected to slow down anytime soon.

“We expect that the number of unique cyberattacks will continue to grow,” Galloway said in the release. “New types of malware, and especially spyware, will appear.”

The big takeaways for tech leaders:

A report from positive technologies found that 63% of cybersecurity incidents involved malware.
IT pros in finance must watch for credential stealing, while government employees should be especially mindful of phishing.

To pile on further scrutiny, in June 2018, its parent company – Dixons Carphone – revealed that it had been the victim of a cyberattack which had begun in July 2017. Hackers accessed 5.9 million bank cards and 1.2 million personal data records, with the attack deemed serious enough to instigate an investigation from GCHQ. While Dixons Carphone stated that the incident was unrelated to the one from 2015, the brands are so closely aligned that Carphone Warehouse was once again associated with a huge breach.

Businesses are judged on their response to incidents

Preventing cyberattacks is more difficult with the evolving sophistication of attacks outpacing the technology used to defend against them. Furthermore, businesses are now being judged – by consumers and regulators – on how they respond. How quickly they notify relevant stakeholders, the information and advice provided, as well as how efficiently they can plug the gap all have an effect on the level of financial fallout and backlash faced. These factors point to the compelling need for firms to have a proactive Cyber-Security Incident Response Team (CSIRT) in place.

Organised from experts from across the enterprise, it will be well drilled through extensive and regular testing and planning, enabling it to immediately action the suitable response to incidents of increasing sophistication and complexity.

Another benefit of such a team is that the proactive regular testing enables businesses to identify any existing vulnerabilities so that they can be plugged before they are maliciously exploited. As companies grow and evolve, networks and processes shift so testing needs to be an ongoing effort to ensure cyber resilience remains high.

Getting the CSIRT up and running

There are some important considerations to be made before starting a programme. These include operational and technical issues – such as securing the necessary equipment – as well as determining the resources and funding needed for newly formed teams. Firms must also ensure that existing teams are not left shorthanded and are still able to carry out their responsibilities.

As with any team, the effectiveness of the CSIRT is greatly increased when it has a defined objective. When everyone within the team is clear on their role, it’s easier for them to pull in the same direction. Teams should be structured in a way that gives every member responsibility and accountability, but also defines who has the final say.

During the planning phases it’s also essential to remove any areas of duplication. Re-doing activities and processes is a waste of resources and simply delays the time taken to reach the desired outcome. Companies can identify where overlaps and gaps exist by carrying out analysis on their current cyber response programmes. This will also bring to light the firm’s current incident response capabilities, the effectiveness of existing alert sources, as well as determining any restrictions.

Selecting the most effective team

Ideally, the CSIRT should consist of staff from across the enterprise to ensure there’s a good spread of expertise and that the requirements of all relevant stakeholders can be met.

A vital component should be a business manager. They operate on the frontline of the business and are accountable for managing a company’s activities and employees. Should an incident be so severe that critical systems need to be shut down to mitigate further damage, having a business manager on board will help the company to determine the impact of downtime.

Technical knowledge should be provided by a representative of the IT team. It’s important that clear guidelines are set on how IT staff and the CSIRT should interact, and the actions to be taken by each during response operations. If the CSIRT requires access to network and systems logs for analysis purposes then the level of access and visibility should be clarified.

The aftermath of any data loss incident may result in legal proceedings, therefore, it’s vital that a member of the legal team is present to determine liability. With their expertise, they will also be essential for securing the firm by reviewing non-disclosure agreements and developing appropriate wording for contacting other sites and organisations.

Other members should consist of audit and risk management specialists – as threat metrics and vulnerability assessments will play a key role in planning the strategy – as well as a representative from human resources and public relations. The former will help in developing job descriptions to hire CSIRT staff and drafting policies and procedures for removing internal employees found engaging in unauthorised or illegal computer activity. The latter will be responsible for tackling external communications, handling any media queries and helping to develop press statements and guidelines for information disclosure.

Ultimately, in an age where businesses falling victim to cyberattacks is a daily occurrence, it’s essential that firms have proactive incident response teams that can help to lessen the threat to reputation. Breach repercussions are ongoing and, if companies can’t move quickly to manage them, they can spiral out of control. A well prepped CSIRT that is full of expertise from across the enterprise is a powerful tool that dramatically increases cyber resilience. When incident response is slick and well planned, the company in question will be viewed more favourably by regulators and, more importantly, it will mitigate the severe drop in consumer confidence that can be fatal to other less prepared firms.

French Caldwell, chief evangelist, MetricStream
Image Credit: BeeBright / Shutterstock

 

Additionally, it makes intentionally misinforming a voter about voting locations, eligibility or times a misdemeanor.

Assemblyman Marc Berman authored the law and said it would improve election security and crack down on misinformation.

“Cyberattacks and deceptive voter misinformation tactics present increasingly sophisticated threats to the integrity of our elections,” the Palo Alto Democrat told his Assembly colleagues earlier this month before they voted to pass it.

It passed both chambers of the Legislature with just one “no” vote.

Brown, a Democrat, announced the signing on the same day President Donald Trump stood alongside Vladimir Putin as the Russian president denied meddling in the 2016 U.S. election. U.S. intelligence agencies have determined there was interference.

Before certifying California’s 2018 primary results last week, Secretary of State Alex Padilla said there is no evidence California’s election systems were hacked. However, Padilla stressed the importance of cybersecurity.

“Cyber threats from Russia and others who seek to harm our democracy are very real,” Padilla said Friday. “They’re not going away.”

In the state budget that took effect July 1, Brown and the Legislature included money to create offices focused on election cybersecurity and risk management and $134 million for new voting equipment. It’s the most California has spent on new voting systems in more than a decade.