1.1 System and Network Architecture Concepts
OS concepts
📘CompTIA CySA+ (CS0-003)
1. System Processes
System processes are programs and tasks that an operating system (OS) runs in the background to keep the computer functioning. Cybersecurity analysts must understand system processes because abnormal or unexpected processes are often signs of compromise or malware.
1.1 What Is a System Process?
A system process is a running program or service that performs essential OS functions, such as:
- Managing memory
- Scheduling tasks
- Handling networking
- Managing user sessions
- Controlling hardware
System processes often start automatically when the OS boots and run without user interaction.
1.2 Types of System Processes
1. System (Kernel) Processes
These are the most important processes. They interact directly with the OS kernel.
- Run with the highest privilege level.
- Manage low-level hardware operations.
- Cannot be easily stopped by users.
Examples (IT-related):
- Linux:
systemd,init - Windows:
System,smss.exe,csrss.exe
2. User Processes
These are started by the user or applications the user runs.
- Web browsers
- Office tools
- Development tools
- Security tools
They run with lower privileges unless elevated.
3. Background Services / Daemons
These are long-running background processes that provide system services.
- Windows calls them services
- Linux/Unix calls them daemons
Examples:
- Web service:
httpd,apache2,w3wp.exe - Database service:
mysqld,sqlservr.exe - Security monitoring service:
winlogon.exe,auditd
These are important for security monitoring because attackers often try to hide malware as a service.
4. Scheduled Tasks / Cron Jobs
Tasks that run automatically at scheduled intervals.
- Windows: Task Scheduler
- Linux: cron, systemd timers
Used for:
- Log rotation
- Backups
- Security scans
- Patch installations
Attackers also abuse scheduled tasks for persistence.
1.3 Process Management Concepts
Process ID (PID)
A unique number assigned to each process.
- Useful for tracking suspicious processes.
- Helps analysts terminate or trace activity.
Parent and Child Processes
A parent process launches one or more child processes.
Example in IT:
- A web server parent process spawns worker processes.
- A command shell spawns processes when running applications.
Understanding parent/child relationships helps analysts detect suspicious behavior such as:
- PowerShell launching unexpected scripts
- Office apps spawning command shells (often malicious)
Process States
Common process states include:
- Running – actively executing
- Sleeping / Idle – waiting for resources
- Stopped – paused
- Zombie – terminated but still listed
Abnormal or excessive zombie processes can signal system misconfiguration or exploited software.
Multitasking and Scheduling
The OS scheduler decides which process runs on the CPU at a given time.
- Preemptive scheduling allows the OS to interrupt a process.
- Ensures fairness, security, and stability.
Cybersecurity analysts examine scheduling behavior when analyzing performance issues or identifying crypto-mining malware.
1.4 Security Implications of System Processes
Understanding system processes helps analysts:
1. Detect Malware
Malware often appears as:
- Unknown processes
- Processes with unusual names (e.g., near-identical to real ones)
- Processes running from unexpected directories
2. Detect Privilege Escalation
Malicious activity often tries to escalate a user process into system-level privilege.
3. Identify Persistence
Attackers maintain long-term access by abusing:
- Services
- Scheduled tasks
- Startup processes
4. Monitor System Stability
Unstable or crashing system processes can indicate:
- Exploits
- Resource exhaustion
- Corrupted drivers
2. Hardware Architecture
Hardware architecture refers to how the physical components of a computer system are designed, organized, and connected. Understanding this helps cybersecurity analysts identify vulnerabilities and evaluate system performance.
2.1 Key Components of Hardware Architecture
1. CPU (Central Processing Unit)
The brain of the system.
- Executes instructions
- Handles processes and threads
- Performs computations
Relevant concepts for cybersecurity:
CPU Privilege Levels / Rings
The CPU uses protection rings:
- Ring 0 – Kernel mode (full access)
- Ring 3 – User mode (limited access)
Malware attempts to access Ring 0 to gain full control.
2. Memory (RAM)
Temporary storage for running processes.
Security concerns:
- Memory corruption attacks
- Buffer overflows
- Memory scraping malware
- Unauthorized access to sensitive data in memory
Analysts monitor RAM usage to detect anomalies such as memory leaks or high usage caused by hidden malware.
3. Storage Devices
Includes SSDs, HDDs, and NVMe devices.
Security considerations:
- Encrypted vs unencrypted storage
- Boot sector integrity
- Secure wipe and data remanence
- Disk forensics and evidence preservation
4. Motherboard and Chipsets
Controls communication between components.
Chipsets can include:
- BIOS/UEFI firmware
- TPM (Trusted Platform Module)
- I/O controllers
Security relevance:
- Firmware vulnerabilities
- Secure Boot
- Hardware integrity checks
5. Firmware
Software embedded into hardware components.
Types:
- BIOS/UEFI
- Network card firmware
- Storage controller firmware
- GPU firmware
Firmware compromise is dangerous because:
- It survives OS reinstallation
- Often runs at a higher privilege level than the OS
6. Peripherals
Devices connected to the system such as:
- Keyboards
- USB devices
- Network interface cards
Security concerns include:
- Rogue USB devices
- NIC firmware attacks
- Hardware keyloggers
2.2 Hardware Architecture Models
1. x86 and x64 Architectures
Widely used CPU architectures.
- x86 → 32-bit
- x64 → 64-bit
Security impacts:
- Address space layout
- Support for advanced security features (e.g., DEP, virtualization extensions)
2. ARM Architecture
Common in mobile devices and IoT.
Features include:
- Low power usage
- Hardware security modes (TrustZone)
Cybersecurity analysts must understand ARM when analyzing mobile and embedded threats.
3. RISC vs CISC
- RISC: simple, efficient instructions (ARM)
- CISC: complex instructions (x86)
Architecture type affects:
- Malware behavior
- Binary analysis
- Reverse engineering
2.3 Virtualization Hardware Extensions
Modern CPUs support virtualization:
- Intel VT-x
- AMD-V
These enable running virtual machines efficiently.
Security relevance:
- Detecting hypervisor-based malware
- Understanding virtual machine escapes
- Analyzing guest vs host interactions
2.4 Hardware Security Features
1. TPM (Trusted Platform Module)
Provides:
- Hardware-based key storage
- Measured boot
- Disk encryption support
2. Secure Boot
Ensures only trusted OS bootloaders run.
Protects against:
- Bootkits
- Rootkits
- Unauthorized OS loading
3. Hardware-Based Memory Protection
Examples:
- DEP (Data Execution Prevention)
- ASLR (Address Space Layout Randomization)
These help prevent memory-based attacks.
3. How System Processes and Hardware Architecture Work Together
System processes depend heavily on hardware architecture:
- CPU handles process scheduling
- RAM stores active processes
- Hardware protection rings enforce permissions
- Firmware initializes system processes during boot
A weakness in hardware or abnormal system process activity can result in major security issues.
4. What CySA+ Exam Expects You to Know
For this section, you must understand:
System Processes
- Types of system processes
- Services and daemons
- Process IDs, parent/child relationships
- Scheduling, multitasking
- How processes are abused by attackers
Hardware Architecture
- CPU components and privilege levels
- Memory concepts and security risks
- Firmware (BIOS/UEFI) and Secure Boot
- TPM and hardware security features
- Virtualization support
- Architecture types (x86, x64, ARM)
Conclusion
This topic is critical for cybersecurity analysts because attackers often target system processes and hardware weaknesses. Understanding these fundamentals helps you detect anomalies, investigate suspicious activity, and protect system integrity.
