CompTIA® Security+™ Review Guide

James Michael Stewart

Dear Reader,

Thank you for choosing CompTIA Security+ Review Guide. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we're still committed to producing consistently exceptional books. With each of our titles, we're working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I'd be very interested to hear your comments and get your feedback on how we're doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at contactus@sybex.com. If you think you've found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

To Catharine Renee Stewart: Aw, it's a helluva ride … Yeah, it's a helluva life.

Acknowledgments

Thanks to all those at Sybex who continue to allow me to do what I enjoy most—impart knowledge to others. Thanks to Jeff Kellum, acquisitions editor, and the whole Sybex crew for professional juggling services adequately rendered. Thanks to my editors: developmental editor, Amy Breguet, and technical editor, Josh More. To my parents: Dave—Dad, I miss you; and Johnnie—Mom, thanks for your love and consistent support. To Mark: I have been and always shall be your friend. And finally, as always, to Elvis: you were pioneering in recognizing that everything is better with bacon!

About the Author

James Michael Stewart has been working with computers and technology since 1983 (although officially as a career since 1994). His work focuses on Windows, certification, and security. Recently, Michael has been teaching job skill and certification courses, such as CISSP, CEH, CHFI, and Security+. Michael has contributed to many Security+ focused materials, including exam preparation guides, practice exams, DVD video instruction, and courseware. In addition, Michael has co-authored numerous books on other security and IT certification and administration topics. He has developed certification courseware and training materials as well as presented these materials in the classroom. Michael holds numerous certifications, including Sec+, CISSP, and CEH. Michael graduated in 1992 from the University of Texas at Austin with a bachelor's degree in philosophy. Despite his degree, his computer knowledge is self-acquired, based on seat-of-the-pants, hands-on “street smarts” experience. You can reach Michael by email at michael@impactonline.com.

Introduction

The Security+ certification program was developed by the Computer Technology Industry Association (CompTIA) to provide an industry-wide means of certifying the competency of computer service technicians in the basics of computer security. The Security+ certification is granted to those who have attained the level of knowledge and security skills that show a basic competency with the security needs of both personal and corporate computing environments. CompTIA's exam objectives are periodically updated to keep their exams applicable to the most recent developments. The most recent update, labeled SY0-401, occurred in spring 2014. This book focuses on these newly revised certification objectives.

What Is Security+ Certification?

The Security+ certification was created to offer an introductory step into the complex world of IT security. You only need to pass a single exam to become Security+ certified. However, obtaining this certification doesn't mean you can provide realistic security services to a company. In fact, this is just the first step toward true security knowledge and experience. By obtaining Security+ certification, you should be able to acquire more security experience in order to pursue more complex and in-depth security knowledge and certification.

For the latest pricing on the exam and updates to the registration procedures, please visit www.vue.com. If you have further questions about the scope of the exams or related CompTIA programs, refer to the CompTIA website at www.comptia.org.

Is This Book for You?

CompTIA Security+ Review Guide: SY0-401 is designed to be a succinct, portable exam review guide. It can be used in conjunction with a more complete Security+ 2014 study guide, such as Sybex's CompTIA Security+ Study Guide: SY0-401 (ISBN: 9781118875070), computer-based training (CBT) courseware, and a classroom/lab environment; or as an exam review for those who don't feel the need for more extensive test preparation. It isn't our goal to give away the answers, but rather to identify those topics on which you can expect to be tested and to provide sufficient coverage of these topics.

Perhaps you've been working with information technologies for years. The thought of paying lots of money for a specialized IT exam-preparation course probably doesn't sound appealing. What can they teach you that you don't already know, right? Be careful, though—many experienced network administrators have walked confidently into the test center only to walk sheepishly out of it after failing an IT exam. After you've finished reading this book, you should have a clear idea of how your understanding of the technologies involved matches up with the expectations of the Security+ test makers.

Or perhaps you're relatively new to the world of IT, drawn to it by the promise of challenging work and higher salaries. You've just waded through an 800-page study guide or taken a week-long class at a local training center. Lots of information to keep track of, isn't there? Well, by organizing this book according to CompTIA's exam objectives, and by breaking up the information into concise, manageable pieces, we've created what we think is the handiest exam review guide available. Throw it in your briefcase and carry it to work with you. As you read the book, you'll be able to quickly identify those areas you know best and those that require a more in-depth review.

How Is This Book Organized?

This book is organized according to the official objectives list prepared by CompTIA for the Security+ exam. The chapters correspond to the six major domains of objective and topic groupings. The exam is weighted across these six domains (topical areas) as follows:

  • 1.0: Network Security (20%)
  • 2.0: Compliance and Operational Security (18%)
  • 3.0: Threats and Vulnerabilities (20%)
  • 4.0: Application, Data, and Host Security (15%)
  • 5.0: Access Control and Identity Management (15%)
  • 6.0: Cryptography (12%)

Within each chapter, the top-level exam objectives from each domain are addressed in turn. In addition to a thorough review of each objective, every chapter includes two specific features: Exam Essentials and Review Questions.

Exam Essentials

At the end of each top-level objective section, you're given a short list of topics that you should explore fully before taking the test. Included in the Exam Essentials areas are notations of the key information you should have taken from that section, or from the corresponding content in the CompTIA Security+ Study Guide.

Review Questions

This feature ends every chapter and provides 10 questions to help you gauge your mastery of the chapter.

How to Use the Companion Website

We've included several additional test-preparation features on the companion website. These tools will help you retain vital exam content as well as prepare you to sit for the actual exams:

Test Engine

We've also included the Sybex Test Engine. Using this custom test engine, you can identify weak areas up front and then develop a solid studying strategy using each of these robust testing features. Our thorough readme file will walk you through the quick, easy installation process. There are two practice exams. Take these practice exams just as if you were taking the actual exam (without any reference material). When you've finished the first exam, move on to the next one to solidify your test-taking skills. If you get more than 90 percent of the answers correct, you're ready to take the certification exams.

Electronic Flashcards

You'll find flashcards for on-the-go review. These are short questions and answers, just like the flashcards you probably used to study in school. You can answer them on your PC or download them onto a portable device for quick and convenient reviewing.

Glossary of Terms in PDF

From the companion website, we have included a very useful glossary of terms in PDF format so you can easily read it on any computer. If you have to travel and brush up on any key terms, you can do so with this useful resource.

Tips for Taking the Security+ Exams

Here are some general tips for taking your exams successfully:

Performance-Based Questions

CompTIA has begun to include performance-based questions on its exams. These differ from the traditional multiple-choice questions, in that the candidate is expected to perform a task or series of tasks. Tasks could include filling in a blank, answering questions based on a video or an image, reorganizing a set into an order, or filling in fields based on a given situation or set of conditions. Don't be surprised if on the exams you are presented with a scenario and asked to complete a task. For an official description of performance-based questions from CompTIA, visit http://certification.comptia.org/news/2012/10/09/What_Is_A_Performance-Based_Question.aspx.

Exam Specifics

The Security+ SY0-401 exam consists of up to 90 questions with a time allotment of 90 minutes for the exam itself. Additional time is provided for the pre-exam elements, such as the NDA, and the post-exam survey. To pass, you must score at least 750 points on a scale of 100–900. At the completion of your test, you will receive a printout of your test results. This report will show your score and the objective topics about which you missed a question.

How to Contact the Publisher

Sybex welcomes feedback on all of its titles. Visit the Sybex website at www.sybex.com for book updates and additional certification information. You'll also find forms you can use to submit comments or suggestions regarding this or any other Sybex title.

The Security+ Exam Objectives

For easy reference and clarification, the following is a complete listing of Security+ objectives. Also, we organized this book to correspond with the official objectives list. We use the objective list's order and organization throughout the book. Each domain is covered in one chapter. Each sub-objective is a heading within a chapter.

Domain 1.0 Network Security

1.1 Implement security configuration parameters on network devices and other technologies.

  • Firewalls
  • Routers
  • Switches
  • Load balancers
  • Proxies
  • Web security gateways
  • VPN concentrators
  • NIDS and NIPS
    • Behavior-based
    • Signature-based
    • Anomaly-based
    • Heuristic
  • Protocol analyzers
  • Spam filter
  • All-in-one security appliances
    • URL filter
    • Content inspection
    • Malware inspection
  • Web application firewall vs. network firewall
  • Application aware devices
    • Firewalls
    • IPS
    • IDS
    • Proxies

1.2 Given a scenario, use secure network administration principles.

  • Rule-based management
  • Firewall rules
  • VLAN management
  • Secure router configuration
  • Access control lists
  • Port security
  • 802.1x
  • Flood guards
  • Loop protection
  • Implicit deny
  • Network separation
  • Log analysis
  • Unified Threat Management

1.3 Explain network design elements and components.

  • DMZ
  • Subnetting
  • VLAN
  • NAT
  • Remote access
  • Telephony
  • NAC
  • Virtualization
  • Cloud computing
    • Platform as a service
    • Software as a service
    • Infrastructure as a service
    • Private
    • Public
    • Hybrid
    • Community
  • Layered security/Defense in depth

1.4 Given a scenario, implement common protocols and services.

  • Protocols
    • IPSec
    • SNMP
    • SSH
    • DNS
    • TLS
    • SSL
    • TCP/IP
    • FTPS
    • HTTPS
    • SCP
    • ICMP
    • IPv4
    • IPv6
    • iSCSI
    • Fibre Channel
    • FCoE
    • FTP
    • SFTP
    • TFTP
    • TELNET
    • HTTP
    • NetBIOS
  • Ports
    • 21
    • 22
    • 25
    • 53
    • 80
    • 110
    • 139
    • 143
    • 443
    • 3389
  • OSI relevance

1.5 Given a scenario, troubleshoot security issues related to wireless networking.

  • WPA
  • WPA2
  • WEP
  • EAP
  • PEAP
  • LEAP
  • MAC filter
  • Disable SSID broadcast
  • TKIP
  • CCMP
  • Antenna placement
  • Power level controls
  • Captive portals
  • Antenna types
  • Site surveys
  • VPN (over open wireless)

Domain 2.0 Compliance and Operational Security

2.1 Explain the importance of risk related concepts.

  • Control types
    • Technical
    • Management
    • Operational
  • False positives
  • False negatives
  • Importance of policies in reducing risk
    • Privacy policy
    • Acceptable use
    • Security policy
    • Mandatory vacations
    • Job rotation
    • Separation of duties
    • Least privilege
  • Risk calculation
    • Likelihood
    • ALE
    • Impact
    • SLE
    • ARO
    • MTTR
    • MTTF
    • MTBF
  • Quantitative vs. qualitative
  • Vulnerabilities
  • Threat vectors
  • Probability/threat likelihood
  • Risk-avoidance, transference, acceptance, mitigation, deterrence
  • Risks associated with Cloud Computing and Virtualization
  • Recovery time objective and recovery point objective

2.2 Summarize the security implications of integrating systems and data with third parties.

  • On-boarding/off-boarding business partners
  • Social media networks and/or applications
  • Interoperability agreements
    • SLA
    • BPA
    • MOU
    • ISA
  • Privacy considerations
  • Risk awareness
  • Unauthorized data sharing
  • Data ownership
  • Data backups
  • Follow security policy and procedures
  • Review agreement requirements to verify compliance and performance standards

2.3 Given a scenario, implement appropriate risk mitigation strategies.

  • Change management
  • Incident management
  • User rights and permissions reviews
  • Perform routine audits
  • Enforce policies and procedures to prevent data loss or theft
  • Enforce technology controls
    • Data Loss Prevention (DLP)

2.4 Given a scenario, implement basic forensic procedures.

  • Order of volatility
  • Capture system image
  • Network traffic and logs
  • Capture video
  • Record time offset
  • Take hashes
  • Screenshots
  • Witnesses
  • Track man hours and expense
  • Chain of custody
  • Big data analysis

2.5 Summarize common incident response procedures.

  • Preparation
  • Incident identification
  • Escalation and notification
  • Mitigation steps
  • Lessons learned
  • Reporting
  • Recovery/reconstitution procedures
  • First responder
  • Incident isolation
    • Quarantine
    • Device removal
  • Data breach
  • Damage and loss control

2.6 Explain the importance of security-related awareness and training.

  • Security policy training and procedures
  • Role-based training
  • Personally identifiable information
  • Information classification
    • High
    • Medium
    • Low
    • Confidential
    • Private
    • Public
  • Data labeling, handling, and disposal
  • Compliance with laws, best practices, and standards
  • User habits
    • Password behaviors
    • Data handling
    • Clean-desk policies
    • Prevent tailgating
    • Personally owned devices
  • New threats and new security trends/alerts
    • New viruses
    • Phishing attacks
    • Zero-day exploits
  • Use of social networking and P2P
  • Follow up and gather training metrics to validate compliance and security posture

2.7 Compare and contrast physical security and environmental controls.

  • Environmental controls
    • HVAC
    • Fire suppression
    • EMI shielding
    • Hot and cold aisles
    • Environmental monitoring
    • Temperature and humidity controls
  • Physical security
    • Hardware locks
    • Mantraps
    • Video Surveillance
    • Fencing
    • Proximity readers
    • Access list
    • Proper lighting
    • Signs
    • Guards
    • Barricades
    • Biometrics
    • Protected distribution (cabling)
    • Alarms
    • Motion detection
  • Control types
    • Deterrent
    • Preventive
    • Detective
    • Compensating
    • Technical
    • Administrative

2.8 Summarize risk-management best practices.

  • Business continuity concepts
    • Business impact analysis
    • Identification of critical systems and components
    • Removing single points of failure
    • Business continuity planning and testing
    • Risk assessment
    • Continuity of operations
    • Disaster recovery
    • IT contingency planning
    • Succession planning
    • High availability
    • Redundancy
    • Tabletop exercises
  • Fault tolerance
    • Hardware
    • RAID
    • Clustering
    • Load balancing
    • Servers
  • Disaster recovery concepts
    • Backup plans/policies
    • Backup execution/frequency
    • Cold site
    • Hot site
    • Warm site

2.9 Given a scenario, select the appropriate control to meet the goals of security.

  • Confidentiality
    • Encryption
    • Access controls
    • Steganography
  • Integrity
    • Hashing
    • Digital signatures
    • Certificates
    • Non-repudiation
  • Availability
    • Redundancy
    • Fault tolerance
    • Patching
  • Safety
    • Fencing
    • Lighting
    • Locks
    • CCTV
    • Escape plans
    • Drills
    • Escape routes
    • Testing controls

Domain 3.0 Threats and Vulnerabilities

3.1 Explain types of malware.

  • Adware
  • Virus
  • Spyware
  • Trojan
  • Rootkits
  • Backdoors
  • Logic bomb
  • Botnets
  • Ransomware
  • Polymorphic malware
  • Armored virus

3.2 Summarize various types of attacks.

  • Man-in-the-middle
  • DDoS
  • DoS
  • Replay
  • Smurf attack
  • Spoofing
  • Spam
  • Phishing
  • Spim
  • Vishing
  • Spear phishing
  • Xmas attack
  • Pharming
  • Privilege escalation
  • Malicious insider threat
  • DNS poisoning and ARP poisoning
  • Transitive access
  • Client-side attacks
  • Password attacks
    • Brute force
    • Dictionary attacks
    • Hybrid
    • Birthday attacks
    • Rainbow tables
  • Typo squatting/URL hijacking
  • Watering hole attack

3.3 Summarize social engineering attacks and the associated effectiveness with each attack.

  • Shoulder surfing
  • Dumpster diving
  • Tailgating
  • Impersonation
  • Hoaxes
  • Whaling
  • Vishing
  • Principles (reasons for effectiveness)
    • Authority
    • Intimidation
    • Consensus/Social proof
    • Scarcity
    • Urgency
    • Familiarity/liking
    • Trust

3.4 Explain types of wireless attacks.

  • Rogue access points
  • Jamming/interference
  • Evil twin
  • War driving
  • Bluejacking
  • Bluesnarfing
  • War chalking
  • IV attack
  • Packet sniffing
  • Near field communication
  • Replay attacks
  • WEP/WPA attacks
  • WPS attacks

3.5 Explain types of application attacks.

  • Cross-site scripting
  • SQL injection
  • LDAP injection
  • XML injection
  • Directory traversal/command injection
  • Buffer overflow
  • Integer overflow
  • Zero-day
  • Cookies and attachments
  • LSO (Locally Shared Objects)
  • Flash cookies
  • Malicious add-ons
  • Session hijacking
  • Header manipulation
  • Arbitrary code execution/remote code execution

3.6 Analyze a scenario and select the appropriate type of mitigation and deterrent techniques.

  • Monitoring system logs
    • Event logs
    • Audit logs
    • Security logs
    • Access logs
  • Hardening
    • Disabling unnecessary services
    • Protecting management interfaces and applications
    • Password protection
    • Disabling unnecessary accounts
  • Network security
    • MAC limiting and filtering
    • 802.1x
    • Disabling unused interfaces and unused application service ports
    • Rogue machine detection
  • Security posture
    • Initial baseline configuration
    • Continuous security monitoring
    • Remediation
  • Reporting
    • Alarms
    • Alerts
    • Trends
  • Detection controls vs. prevention controls
    • IDS vs. IPS
    • Camera vs. guard

3.7 Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities.

  • Interpret results of security assessment tools
  • Tools
    • Protocol analyzer
    • Vulnerability scanner
    • Honeypots
    • Honeynets
    • Port scanner
    • Passive vs. active tools
    • Banner grabbing
  • Risk calculations
    • Threat vs. likelihood
  • Assessment types
    • Risk
    • Threat
    • Vulnerability
  • Assessment technique
    • Baseline reporting
    • Code review
    • Determine attack surface
    • Review architecture
    • Review designs

3.8 Explain the proper use of penetration testing versus vulnerability scanning.

  • Penetration testing
    • Verify a threat exists
    • Bypass security controls
    • Actively test security controls
    • Exploiting vulnerabilities
  • Vulnerability scanning
    • Passively testing security controls
    • Identify vulnerability
    • Identify lack of security controls
    • Identify common misconfigurations
    • Intrusive vs. non-intrusive
    • Credentialed vs. non-credentialed
    • False positive
  • Black box
  • White box
  • Gray box

Domain 4.0 Application, Data, and Host Security

4.1 Explain the importance of application security controls and techniques.

  • Fuzzing
  • Secure coding concepts
    • Error and exception handling
    • Input validation
  • Cross-site scripting prevention
  • Cross-site Request Forgery (XSRF) prevention
  • Application configuration baseline (proper settings)
  • Application hardening
  • Application patch management
  • NoSQL databases vs. SQL databases
  • Server-side vs. Client-side validation

4.2 Summarize mobile security concepts and technologies.

  • Device security
    • Full device encryption
    • Remote wiping
    • Lockout
    • Screen locks
    • GPS
    • Application control
    • Storage segmentation
    • Asset tracking
    • Inventory control
    • Mobile device management
    • Device access control
    • Removable storage
    • Disabling unused features
  • Application security
    • Key management
    • Credential management
    • Authentication
    • Geo-tagging
    • Encryption
    • Application whitelisting
    • Transitive trust/authentication
  • BYOD concerns
    • Data ownership
    • Support ownership
    • Patch management
    • Antivirus management
    • Forensics
    • Privacy
    • On-boarding/off-boarding
    • Adherence to corporate policies
    • User acceptance
    • Architecture/infrastructure considerations
    • Legal concerns
    • Acceptable use policy
    • On-board camera/video

4.3 Given a scenario, select the appropriate solution to establish host security.

  • Operating system security and settings
  • OS hardening
  • Anti-malware
    • Antivirus
    • Anti-spam
    • Anti-spyware
    • Pop-up blockers
  • Patch management
  • Whitelisting vs. blacklisting applications
  • Trusted OS
  • Host-based firewalls
  • Host-based intrusion detection
  • Hardware security
    • Cable locks
    • Safe
    • Locking cabinets
  • Host software baselining
  • Virtualization
    • Snapshots
    • Patch compatibility
    • Host availability/elasticity
    • Security control testing
    • Sandboxing

4.4 Implement the appropriate controls to ensure data security.

  • Cloud storage
  • SAN
  • Handling big data
  • Data encryption
    • Full disk
    • Database
    • Individual files
    • Removable media
    • Mobile devices
  • Hardware-based encryption devices
    • TPM
    • HSM
    • USB encryption
    • Hard drive
  • Data in transit, Data at rest, Data in use
  • Permissions/ACL
  • Data policies
    • Wiping
    • Disposing
    • Retention
    • Storage

4.5 Compare and contrast alternative methods to mitigate security risks in static environments.

  • Environments
    • SCADA
    • Embedded (printer, Smart TV, HVAC control)
    • Android
    • iOS
    • Mainframe
    • Game consoles
    • In-vehicle computing systems
  • Methods
    • Network segmentation
    • Security layers
    • Application firewalls
    • Manual updates
    • Firmware version control
    • Wrappers
    • Control redundancy and diversity

Domain 5.0 Access Control and Identity Management

5.1 Compare and contrast the function and purpose of authentication services.

  • RADIUS
  • TACACS+
  • Kerberos
  • LDAP
  • XTACACS
  • SAML
  • Secure LDAP

5.2 Given a scenario, select the appropriate authentication, authorization or access control.

  • Identification vs. authentication vs. authorization
  • Authorization
    • Least privilege
    • Separation of duties
    • ACLs
    • Mandatory access
    • Discretionary access
    • Rule-based access control
    • Role-based access control
    • Time of day restrictions
  • Authentication
    • Tokens
    • Common access card
    • Smart card
    • Multifactor authentication
    • TOTP
    • HOTP
    • CHAP
    • PAP
    • Single sign-on
    • Access control
    • Implicit deny
    • Trusted OS
  • Authentication factors
    • Something you are
    • Something you have
    • Something you know
    • Somewhere you are
    • Something you do
  • Identification
    • Biometrics
    • Personal identification verification card
    • Username
  • Federation
  • Transitive trust/authentication

5.3 Install and configure security controls when performing account management, based on best practices.

  • Mitigate issues associated with users with multiple account/roles and/or shared accounts
  • Account policy enforcement
    • Credential management
    • Group policy
    • Password complexity
    • Expiration
    • Recovery
    • Disablement
    • Lockout
    • Password history
    • Password reuse
    • Password length
    • Generic account prohibition
  • Group-based privileges
  • User-assigned privileges
  • User access reviews
  • Continuous monitoring

Domain 6.0 Cryptography

6.1 Given a scenario, utilize general cryptography concepts.

  • Symmetric vs. asymmetric
  • Session keys
  • In-band vs. out-of-band key exchange
  • Fundamental differences and encryption methods
    • Block vs. stream
  • Transport encryption
  • Non-repudiation
  • Hashing
  • Key escrow
  • Steganography
  • Digital signatures
  • Use of proven technologies
  • Elliptic curve and quantum cryptography
  • Ephemeral key
  • Perfect forward secrecy

6.2 Given a scenario, use appropriate cryptographic methods.

  • WEP vs. WPA/WPA2 and preshared key
  • MD5
  • SHA
  • RIPEMD
  • AES
  • DES
  • 3DES
  • HMAC
  • RSA
  • Diffie-Hellman
  • RC4
  • One-time pads
  • NTLM
  • NTLMv2
  • Blowfish
  • PGP/GPG
  • TwoFish
  • DHE
  • ECDHE
  • CHAP
  • PAP
  • Comparative strengths and performance of algorithms
  • Use of algorithms/protocols with transport encryption
    • SSL
    • TLS
    • IPSec
    • SSH
    • HTTPS
  • Cipher suites
    • Strong vs. weak ciphers
  • Key stretching
    • PBKDF2
    • Bcrypt

6.3 Given a scenario, use appropriate PKI, certificate management, and associated components.

  • Certificate authorities and digital certificates
    • CA
    • CRLs
    • OCSP
    • CSR
  • PKI
  • Recovery agent
  • Public key
  • Private key
  • Registration
  • Key escrow
  • Trust models

Security+ Acronyms

Here are the acronyms of security terms that CompTIA deems important enough that they're included in the objectives list for the exam. We've repeated them here exactly as listed by CompTIA.

  1. 3DES—Triple Digital Encryption Standard
  2. AAA—Authentication, Authorization, and Accounting
  3. ACL—Access Control List
  4. AES—Advanced Encryption Standard
  5. AES256—Advanced Encryption Standards 256bit
  6. AH—Authentication Header
  7. ALE—Annualized Loss Expectancy
  8. AP—Access Point
  9. API—Application Programming Interface
  10. ARO—Annualized Rate of Occurrence
  11. ARP—Address Resolution Protocol
  12. ASP—Application Service Provider
  13. AUP—Acceptable Use Policy
  14. BAC—Business Availability Center
  15. BCP—Business Continuity Planning
  16. BIA—Business Impact Analysis
  17. BIOS—Basic Input / Output System
  18. BPA—Business Partners Agreement
  19. BYOD—Bring Your Own Device
  20. CA—Certificate Authority
  21. CAC—Common Access Card
  22. CAN—Controller Area Network
  23. CAPTCHA—Completely Automated Public Turning Test to Tell Computers and Humans Apart
  24. CCMP—Counter-Mode/CBC-Mac Protocol
  25. CCTV—Closed-circuit television
  26. CERT—Computer Emergency Response Team
  27. CHAP—Challenge Handshake Authentication Protocol
  28. CIO—Chief Information Officer
  29. CIRT—Computer Incident Response Team
  30. COOP—Continuity of Operation Planning
  31. CP—Contingency Planning
  32. CRC—Cyclical Redundancy Check
  33. CRL—Certification Revocation List
  34. CSR—Control Status Register
  35. CSU—Channel Service Unit
  36. CTO—Chief Technology Officer
  37. DAC—Discretionary Access Control
  38. DDOS—Distributed Denial of Service
  39. DEP—Data Execution Prevention
  40. DES—Digital Encryption Standard
  41. DHCP—Dynamic Host Configuration Protocol
  42. DHE—Data-Handling Electronics
  43. DLL—Dynamic Link Library
  44. DLP—Data Loss Prevention
  45. DMZ—Demilitarized Zone
  46. DNAT—Destination Network Address Transaction
  47. DNS—Domain Name Service (Server)
  48. DOS—Denial of Service
  49. DRP—Disaster Recovery Plan
  50. DSA—Digital Signature Algorithm
  51. DSL—Digital Subscriber line
  52. DSU—Data Service Unit
  53. EAP—Extensible Authentication Protocol
  54. ECC—Elliptic Curve Cryptography
  55. ECDHE—Elliptic Curve Diffie-Hellman Key Exchange
  56. EFS—Encrypted File System
  57. EMI—Electromagnetic Interference
  58. ESN—Electronic Serial Number
  59. ESP—Encapsulated Security Payload
  60. FTP—File Transfer Protocol
  61. FTPS—Secured File Transfer Protocol
  62. GPG—Global Property Guide
  63. GPO—Group Policy Object
  64. GPS—Global Positioning System
  65. GPU—Graphic Processing Unit
  66. GRE—Generic Routing Encapsulation
  67. HDD—Hard Disk Drive
  68. HIDS—Host Based Intrusion Detection System
  69. HIPS—Host Based Intrusion Prevention System
  70. HMAC—Hashed Message Authentication Code
  71. HOTP—HMAC based One Time Password
  72. HSM—Hardware Security Module
  73. HTML—HyperText Markup Language
  74. HTTP—Hypertext Transfer Protocol
  75. HTTPS—Hypertext Transfer Protocol over SSL
  76. HVAC—Heating, Ventilation Air Conditioning
  77. IaaS—Infrastructure as a Service
  78. ICMP—Internet Control Message Protocol
  79. ID—Identification
  80. IDS—Intrusion Detection System
  81. IKE—Internet Key Exchange
  82. IM—Instant messaging
  83. IMAP4—Internet Message Access Protocol v4
  84. IP—Internet Protocol
  85. IPSEC—Internet Protocol Security
  86. IRC—Internet Relay Chat
  87. IRP—Incident Response Procedure
  88. ISA—Interconnection Security Agreement
  89. ISP—Internet Service Provider
  90. ISSO—Information Systems Security Officer
  91. ITCP—IT Contingency Plan
  92. IV—Initialization Vector
  93. KDC—Key Distribution Center
  94. L2TP—Layer 2 Tunneling Protocol
  95. LAN—Local Area Network
  96. LDAP—Lightweight Directory Access Protocol
  97. LEAP—Lightweight Extensible Authentication Protocol
  98. MaaS—Monitoring as a Service
  99. MAC—Mandatory Access Control/Media Access Control
  100. MAC—Message Authentication Code
  101. MAN—Metropolitan Area Network
  102. MBR—Master Boot Record
  103. MD5—Message Digest 5
  104. MOU—Memorandum of Understanding
  105. MPLS—Multi-Protocol Layer Switch
  106. MSCHAP—Microsoft Challenge Handshake Authentication Protocol
  107. MTBF—Mean Time Between Failures
  108. MTTR—Mean Time to Recover
  109. MTTF—Mean Time to Failure
  110. MTU—Maximum Transmission Unit
  111. NAC—Network Access Control
  112. NAT—Network Address Translation
  113. NDA—Non-Disclosure Agreement
  114. NIDS—Network Based Intrusion Detection System
  115. NIPS—Network Based Intrusion Prevention System
  116. NIST—National Institute of Standards & Technology
  117. NOS—Network Operating System
  118. NTFS—New Technology File System
  119. NTLM—NT LAN Manager
  120. NTP—Network Time Protocol
  121. OCSP—Online Certificate Status Protocol
  122. OLA—Operating Level Agreement
  123. OS—Operating System
  124. OVAL—Open Vulnerability Assessment Language
  125. P2P—Peer to Peer
  126. PAM—Pluggable Authentication Modules
  127. PAP—Password Authentication Protocol
  128. PAT—Port Address Translation
  129. PBKDF2—Password-Based Key Derivation Function 2
  130. PBX—Private Branch Exchange
  131. PCAP—Packet Capture
  132. PEAP—Protected Extensible Authentication Protocol
  133. PED—Personal Electronic Device
  134. PGP—Pretty Good Privacy
  135. PII—Personally Identifiable Information
  136. PIV—Personal Identity Verification
  137. PKI—Public Key Infrastructure
  138. POTS—Plain Old Telephone Service
  139. PPP—Point-to-Point Protocol
  140. PPTP—Point-to-Point Tunneling Protocol
  141. PSK—Pre-Shared Key
  142. PTZ—Pan-Tilt-Zoom
  143. RA—Recovery Agent
  144. RAD—Rapid Application Development
  145. RADIUS—Remote Authentication Dial-In User Service
  146. RAID—Redundant Array of Inexpensive Disks
  147. RAS—Remote Access Server
  148. RBAC—Role-Based Access Control
  149. RBAC—Rule-Based Access Control
  150. RC4—RSA Variable Key Size Encryption Algorithm
  151. RIPEMD—RACE Integrity Primitives Evaluation Message Digest
  152. ROI—Return on Investment
  153. RPO—Recovery Point Objective
  154. RSA—Rivest, Shamir, & Adleman
  155. RTO—Recovery Time Objective
  156. RTP—Real-Time Transport Protocol
  157. S/MIME—Secure/Multipurpose Internet Mail Extensions
  158. SAML—Security Assertion Markup Language
  159. SaaS—Software as a Service
  160. SAN—Storage Area Network
  161. SCADA—Supervisory Control and Data Acquisition
  162. SCAP—Security Content Automation Protocol
  163. SCEP—Simple Certificate Enrollment Protocol
  164. SCSI—Small Computer System Interface
  165. SDLC—Software Development Life Cycle
  166. SDLM—Software Development Life Cycle Methodology
  167. SEH—Structured Exception Handler
  168. SFTP—SSH File Transfer Protocol
  169. SHA—Secure Hash Algorithm
  170. SHTTP—Secure Hypertext Transfer Protocol
  171. SIEM—Security Information and Event Management
  172. SIM—Subscriber Identity Module
  173. SLA—Service Level Agreement
  174. SLE—Single Loss Expectancy
  175. SMS—Short Message Service
  176. SMTP—Simple Mail Transfer Protocol
  177. SNMP—Simple Network Management Protocol
  178. SOAP—Simple Object Access Protocol
  179. SONET—Synchronous Optical Network
  180. SPIM—Spam over Internet Messaging
  181. SQL—Structured Query Language
  182. SSD—Solid State Drive
  183. SSH—Secure Shell
  184. SSL—Secure Sockets Layer
  185. SSO—Single Sign On
  186. STP—Shielded Twisted Pair
  187. TACACS+—Terminal Access Controller Access Control System Plus
  188. TCP/IP—Transmission Control Protocol/Internet Protocol
  189. TKIP—Temporal Key Integrity Protocol
  190. TLS—Transport Layer Security
  191. TOTP—Time-based One-Time Password
  192. TPM—Trusted Platform Module
  193. TSIG—Transaction Signature
  194. UAT—User Acceptance Testing
  195. UEFI—Unified Extensible Firmware Interface
  196. UDP—User Datagram Protocol
  197. UPS—Uninterruptible Power Supply
  198. URI—Uniform Resource Identifier
  199. URL—Uniform Resource Locator
  200. USB—Universal Serial Bus
  201. UTM—Unified Threat Management
  202. UTP—Unshielded Twisted Pair
  203. VDI—Virtual Desktop Infrastructure
  204. VLAN—Virtual Local Area Network
  205. VoIP—Voice over IP
  206. VPN—Virtual Private Network
  207. VTC—Video Teleconferencing
  208. WAF—Web Application Firewall
  209. WAP—Wireless Access Point
  210. WEP—Wired Equivalent Privacy
  211. WIDS—Wireless Intrusion Detection System
  212. WIPS—Wireless Intrusion Prevention System
  213. WPA—Wi-Fi Protected Access
  214. WPA2—Wi-Fi Protected Access 2
  215. WPS—Wi-Fi Protected Setup
  216. WTLS—Wireless TLS
  217. XML—Extensible Markup Language
  218. XSRF—Cross-Site Request Forgery
  219. XSS—Cross-Site Scripting