Copyright © 2014 by McGraw-Hill Education (Publisher). All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of Publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-183217-5
MHID: 0-07-183217-3

e-Book conversion by Cenveo® Publisher Services
Version 1.0

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183214-4, MHID: 0-07-183214-9.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education (“McGraw Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

I dedicate this book to my family and friends who have supported me through this and every process:

My parents, John and Mary Nell, who have loved me through every adventure in my life. You raised
us to believe that education was a path to something better. You are directly responsible for everything I am. Thank you.

My Lauren and Max, the reasons I get up and move it every morning. I hope that my example to you is that hard work can help you accomplish almost any goal … and that good luck will take care of the rest. I love you both to infinity.

My sister, Dana, who is my fiercest supporter. Thank you for being you and being there for me, no matter what.

The best friends you could ever have: Heather, Art, Angi, May, and Jeff. I’m not sure why you continue to let me hang out with you, but I’m so glad you do. You guys always know when I need a break (or a Mimi-sized glass of wine … thanks!).

Finally, Thomas. I know you think I’m nuts when I take on JUST ONE MORE THING, but you always buoy me with your wit and spirit. You are an inspiration to me, and I’m grateful for you.

—Dawn Dunkerley

CompTIA Approved Quality Content

It Pays to Get Certified

In a digital world, digital literacy is an essential survival skill. Certification demonstrates that you have the knowledge and skill to solve technical or business problems in virtually any business environment. CompTIA certifications are highly valued credentials that qualify you for jobs, increased compensation, and promotion.

CompTIA Security+ Certification Helps Your Career

• Security is one of the highest demand job categories, growing in importance as the frequency and severity of security threats continue to be major concerns for organizations around the world.
• Jobs for security administrators are expected to increase by 18%—the skill set required for these types of jobs maps to the CompTIA Security+ certification.
• Network Security Administrators can earn as much as $106,000 per year.
• CompTIA Security+ is the first step in starting your career as a Network Security Administrator or Systems Security Administrator.
• More than 250,000 individuals worldwide are CompTIA Security+ certified.
• CompTIA Security+ is regularly used in organizations such as Hitachi Systems, Fuji Xerox, HP, Dell, and a variety of major U.S. government contractors.
• Approved by the U.S. Department of Defense (DoD) as one of the required certification options in the DoD 8570.01-M directive, for Information Assurance Technical Level II and Management Level I job roles.

Steps to Getting Certified and Staying Certified

Review the exam objectives. Review the certification objectives to make sure you know what is covered in the exam: http://certification.comptia.org/examobjectives.aspx

Practice for the exam. After you have studied for the certification exam, review and answer sample questions to get an idea of what type of questions might be on the exam: http://certification.comptia.org/samplequestions.aspx

Purchase an exam voucher. You can purchase exam vouchers on the CompTIA Marketplace, www.comptiastore.com.

Take the test! Go to the Pearson VUE website, http://www.pearsonvue.com/comptia/, and schedule a time to take your exam.

Stay Certified! Effective January 1, 2011, new CompTIA Security+ certifications are valid for three years from the date of certification. There are a number of ways the certification can be renewed. For more information, go to: http://certification.comptia.org/ce

For More Information

Visit CompTIA online. Go to http://certification.comptia.org/home.aspx to learn more about getting CompTIA certified.

Contact CompTIA. Please call 866-835-8020 and choose Option 2, or e-mail questions@comptia.org.

Connect with CompTIA. Find CompTIA on Facebook, LinkedIn, Twitter, and YouTube.

Content Seal of Quality

This courseware bears the seal of CompTIA Approved Quality Content. This seal signifies this content covers 100 percent of the exam objectives and implements important instructional design principles. CompTIA recommends multiple learning tools to help increase coverage of the learning objectives.

CAQC Disclaimer

The logo of the CompTIA Approved Quality Content (CAQC) program and the status of this or other training material as “Approved” under the CompTIA Approved Quality Content program signifies that, in CompTIA’s opinion, such training material covers the content of CompTIA’s related certification exam. The contents of this training material were created for the CompTIA Security+ exam covering CompTIA certification objectives that were current as of the date of publication. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such “Approved” or other training material in order to prepare for any CompTIA certification exam.

Contents

Acknowledgments
Check-In

I Organizational Security

Organizational Security and Compliance
  Objective 1.01 Explain Risk-Related Concepts
    Risk Control Types
    Risk Assessment
    Risk Management Options
    False Positives and Negatives
    Use Organizational Policies to Reduce Risk
  Objective 1.02 Implement Appropriate Risk Mitigation Strategies
    Change Management Policy
    Incident Management and Response Policy
    Perform Routine Audits
    User Rights and Permissions Reviews
    Data Loss Prevention and Regulatory Compliance
  Objective 1.03 Integrate with Third Parties
    Interoperability Agreements
    Privacy Considerations
    Risk Awareness
    Unauthorized Data Sharing
    Data Ownerships
    Data Backup
    Verification of Adherence

Security Training and Incident Response
  Objective 2.01 Explain the Importance of Security-Related Awareness and Training
    Accessing Policy Documentation
    Data and Documentation Policies
    Best Practices for User Habits
  Objective 2.02 Analyze and Differentiate Among Types of Social Engineering Attacks
    Phishing
    Whaling
    Shoulder Surfing
    Tailgating
    Pharming
    Spim
    Vishing
    Spam
    Hoaxes
  Objective 2.03 Execute Appropriate Incident Response Procedures
    Preparation
    Incident Identification
    First Responders
    Incident Isolation
    Damage and Loss Control
    Escalation Policy
    Reporting and Notification
    Mitigation and Recovery Steps
    Lessons Learned
  Objective 2.04 Implement Basic Forensic Procedures
    Collection and Preservation of Evidence

Business Continuity and Disaster Recovery
  Objective 3.01 Compare and Contrast Aspects of Business Continuity
    Recovery Plans
  Objective 3.02 Execute Disaster Recovery Plans and Procedures
    High Availability and Redundancy Planning
    Fault Tolerance
  Objective 3.03 Select the Appropriate Control to Meet the Goals of Security
  Objective 3.04 Explain the Impact and Proper Use of Environmental Controls
    Facility Construction Issues
    Environmental Issues
    Cable Shielding
    Fire Suppression

II Cryptography

Cryptography and Encryption Basics
  Objective 4.01 Utilize the Concepts of Cryptography
    Information Assurance
    Algorithms
    Steganography
    Digital Signatures
    Basic Hashing Concepts
    Message Digest Hashing
    Secure Hash Algorithm (SHA)
    RIPEMD
    HMAC
  Objective 4.02 Use and Apply Appropriate Cryptographic Tools and Products
    Symmetric Encryption Algorithms
    Asymmetric Encryption Algorithms
    One-Time Pad
    Quantum Cryptography
    Implementing Encryption Protocols
    Wireless Encryption

Public Key Infrastructure
  Objective 5.01 Explain the Core Concepts of Public Key Infrastructure
    Digital Certificates
    Certificate Authorities
    Trust Models
    Key Management and Storage
  Objective 5.02 Implement PKI, Certificate Management, and Associated Components
    Certificate Lifecycle
    Certificate Renewal

III Access Control and Identity Management

Access Control
  Objective 6.01 Explain the Fundamental Concepts and Best Practices Related to Authentication, Authorization, and Access Control
    Users and Resources
    Access Control Best Practices
    Access Control Models
  Objective 6.02 Implement Appropriate Security Controls When Performing Account Management
    User Account Policies
    User Access Reviews
    Credential Management
    Security Roles and Privileges
    File and Print Security Controls
  Objective 6.03 Analyze and Differentiate Among Types of Mitigation and Deterrent Techniques
    Physical Barriers
availability integrity sensitivity and users restoration restricting accounts retention and storage policies retinal/iris scans revoking certificates rights and permissions See also permissions Rijndael encryption standard RIPEMD (RACE Integrity Primitives Evaluation Message Digest) risk analysis performing for business continuity qualitative quantitative Review Answer Review Question risk assessment asset identification impact probability quantitative scope solutions and countermeasures threat profiles See also threats risk awareness risk control types explained management operational technical risk likelihood and impact ALE (annual loss expectancy) ARO (annual rate of occurrence) SLE (single loss expectancy) risk management asset identification explained false negatives false positives impact probability solutions and countermeasures threat profiles risk management options acceptance avoidance deterrence mitigation Review Question transference risk mitigation strategies change management policies Check Points DLP (data loss prevention) implementing incident management and response regulatory compliance Review Question routine audits user permissions reviews user rights reviews risk reduction human resources policies network security policies security policies risk-related concepts rlogin (remote login) rogue machine detection roles and privileges See also privileges rootkits application firmware kernel library persistent rotation of job duties router administration overview Review Question routers RPO (recovery point objective) rsh (remote shell) RTO (recovery time objective) rule-based access control overview Review Answer S SaaS (Software as a Service) sabotage safety control SAML (Security Assertion Markup Language) explained Review Question SANs (storage area networks) saving logs memory dumps SCADA (Supervisory Control and Data Acquisition) systems explained Review Answer Review Question scanning methodologies scarcity, relevance to social engineering SCP 
(Secure Copy) protocol scr files, vulnerability to viruses screenshots, taking SECaaS (Security as a Service) secure coding Secure LDAP See SSL (Secure Sockets Layer) encryption protocol secure remote access secure web sessions security See information security security appliances antispam filters content filtering malware inspection URL filtering See also network security security audits security awareness, importance of security baselining security controls availability Checkpoint confidentiality integrity safety vulnerability See also information security security devices security guards considering Review Question security incidents handling public information investigating preparing for reporting and disclosure See also incident response security levels authentication authorization identification security logging applications security metrics security patches Review Answer Review Question security policies access control distributing human resources mandatory vacations network physical access security posture baseline configuration monitoring methodologies remediation security roles and privileges groups roles users See also roles and privileges security tokens See also tokens security training, importance of security zones dividing networks into DMZ (demilitarized zone) extranets firewalls intranets Review Question security-related anomalies IDS (intrusion detection systems) IPS (intrusion prevention systems) network monitors performance baselines performance monitors protocol analyzers system monitors See also bypass of security equipment sensitive data, viewing See also data and documentation policies sensitivity of resources separation of duties server certificates server compromise server patch management server-side validation service levels database servers e-mail file servers Internet servers networking telecom services, disabling unused session hijacking Session layer of OSI model SFTP (Secure FTP) protocol explained Review Answer SHA (Secure Hash 
Algorithm) shoulder surfing signal strength signature scans signature-based monitoring Review Answer Review Question single sign-on best practices explained Review Question single-factor authentication best practices site surveys antenna type antennal placement MIMO (Multiple In Multiple Out) physical environment power level controls software SLAs (service level agreements) overview Review Answer SLE (single loss expectancy) explained Review Answer SLIP (Serial Line Internet Protocol) smart cards overview Review Answer Review Question S/MIME (Multipurpose Internet Mail Extensions) smoke detectors SMTP TCP/IP port number smurf attacks overview Review Answer SNMP (Simple Network Management Protocol) SNMP (Simple Network Management Protocol) TCP/IP port number SNMP community string social engineering authority defined effectiveness of familiarity hoaxes impersonation intimidation pharming phishing scarcity security abuses shoulder surfing social proof spam spim tailgating types of attacks urgency vishing whaling social proof, relevance to social engineering software access software updates son backup method sound detector SOX (Sarbanes-Oxley) spam spare equipment redundancy clustering list of components load balancing redundant Internet lines servers system configuration backups See also redundancy planning spear phishing spim spoofing attacks spread-spectrum technology DSSS explained FHSS OFDM spyware SQL (Structured Query Language) databases SQL injection attacks SSH (Secure Shell) explained TCP/IP port number SSID (service set identifier) explained Review Answer SSL (Secure Sockets Layer) encryption protocol overview as variant of SHA See also LDAPS stealth viruses steganography overview Review Answer storage and retention policies storage segmentation storing private keys STP (shielded twisted-pair) cabling stream ciphers strong passwords subnetting substitution cipher, explained succession planning Checkpoints considering Review Answer Review Question switches 
symmetric encryption block ciphers Review Answer stream ciphers symmetric keys SYN (synchronous) flood SYN scanning system auditing baselines event logs user access rights review system configuration backups system hardening applications disabling accounts disabling services management interfaces password protection system image, capturing system logs system monitors system user accounts systems architecture, documenting systems security, explained T TACACS (Terminal Access Controller Access-Control System) tailgating TCP port 21 TCP scanning TCP Wrappers TCP/IP (Transmission Control Protocol/Internet Protocol) TCP/IP hijacking TCP/IP network ports DNS FTP HTTP HTTPS IMAP (Internet Message Access Control) LDAP (Lightweight Directory Access Protocol) NetBIOS NTP (Network Time Protocol) overview POP3 RDP (Remote Desktop Protocol) SMTP SNMP (Simple Network Management Protocol) SSH (Secure Shell) Telnet TCP/IP services, port numbers for technical risk control telephony Telnet protocol explained TCP/IP port number temperature controls hot and cold aisles humidity Review Answer sensitivity of computers to termination policy return of company equipment return of identification securing work area suspension of accounts testing backups testing methods black box gray box Review Question white box testing recovery plans testing security controls TFTP (Trivial File Transfer Protocol) theft, preventing third party agreements See agreements third-party trust threat assessment threat awareness phishing security controls viruses threat vectors threats employees equipment malfunctions impact intruders likelihood malicious hackers natural disasters risks See also risk assessment threats in alternative environments embedded systems mitigating SCADA (Supervisory Control and Data Acquisition) systems three-factor authentication Review Answer Review Question time restrictions, setting TKIP attacks TLS (Transport Layer Security) protocol tokens Review Answer using See also security 
tokens TOTP (Time-based One-time Password) explained Review Answer TPM (trusted platform module) explained overview Review Answer training See security training transitive access Transport layer of OSI model transposition cipher, explained Triple DES (3DES) Trojan horses overview Review Question trust models hierarchical model overview third-party trust web of trust Trusted OS twisted-pair cabling two-factor authentication best practices Review Question Twofish cryptography typosquatting attacks U UDP port, listening on UDP scanning unauthorized access unauthorized data sharing unified threat management UNIX access-control protection Unix systems shadow password databases unused accounts, disabling unused services, disabling UPS (uninterruptible power supply) urgency, relevance to social engineering URL block lists URL filtering user access Review Question reviews user account policies account expiry dates logon attempts machine restrictions naming conventions restricting accounts time restrictions tokens unused accounts user habits access tailgating best practices clean desks data handling IM (instant messaging) laws P2P applications password policy personally owned devices regulations Review Question social networking/media standards workstation locking See also high-level users user hierarchy, setting up user permissions Review Answer reviews user rights reviews overview Review Answer users and resources access security grouping authentication authorization identification levels of security See also access controls UTP (unshielded twisted-pair) cabling V vacation See mandatory vacations validation requests vbs files, vulnerability to viruses ventilation verification of adherence video, capturing video monitoring video surveillance infrared detector motion detector photoelectric detector protected distribution proximity detector sound detector virtual machines virtualization technology overview Review Question using virus file types bat com dll doc/.docx html mdb 
scr vbs xls/.xlsx zip virus signature files overview Review Answer viruses armored boot sector companion file infector macro memory-resident overview Review Answer stealth threat awareness vishing VLANs (virtual LANs) MAC address-based port-based protocol-based Review Answer voice scans VPN (virtual private networks) VPN protocols best practices IPSec L2TP (Layer Tunneling Protocol) PPTP (Point-to-Point Tunneling Protocol) Review Answer VPN to RADIUS server VPN wireless access VPNs (virtual private networks) vulnerability and threat assessments, performing vulnerability assessment tools application code assessments banner grabbing honeynets honeypots network mappers OVAL (Open Vulnerability and Assessment Language) password crackers port scanners protocol analyzers using vulnerability assessments vulnerability scanning false positives misconfigurations overview penetration testing security controls W WAP (Wireless Access Protocol) war chalking war dialing war driving warm site, explained warm swap, explained water, using as fire suppressant watering hole attacks overview Review Answer weak passwords web application vulnerabilities ActiveX arbitrary code execution buffer overflows CGI (Common Gateway Interface) scripts command injection cookies and session hacking directory traversal header manipulation HTML attachments JavaScript malicious add-ons privilege escalation proof-of-concept exploit Review Question XML (Extensible Markup Language) injection XSRF (cross-site request forgery) XSS (cross-site scripting) zero-day attacks web browser security cookies pop-up blockers private web browsing data Review Question security modes trusted sites web of trust web proxy servers web security gateways overview Review Answer web security threats websites GFI LANguard network security scanner IEEE wireless standards Nessus vulnerability scanner network ports well-known ports WEP (wireless encryption protocol) whaling overview Review Answer white box testing whitelists whole 
disk encryption wireless access antenna placement overview site surveys WLAN topologies wireless attacks access points (evil twins) Bluetooth vulnerabilities data emanation eavesdropping IV (initialization vector) NFC (Near-field communication) packet sniffing replay TKIP war chalking war driving WEP (wireless encryption protocol) WPA (Wi-Fi Protected Access) WPA2 WPS (Wi-Fi Protected Setup) wireless authentication protocols EAP (Extensible Authentication Protocol) LEAP (Lightweight Extensible Authentication Protocol) PEAP (Protected Extensible Authentication Protocol) VPN wireless access See also protocols wireless cell, explained wireless encryption cipher suites GPG (GNU Privacy Guard) PGP (pretty good privacy) S/MIME (Multipurpose Internet Mail Extensions) SSL protocol TLS WEP (wireless encryption protocol) WPA (Wi-Fi Protected Access) WPA2 wireless networks access point security captive portals and cells IR (infrared) technology MAC address filtering narrowband technology personal firewalls popularity of securing spread-spectrum technology SSID (service set identifier) WEP security WLANs (wireless LANs) WPA and WPA2 security WPS (Wi-Fi Protected Setup) wireless protocols 802.11 Bluetooth IEEE standards overview See also protocols WLAN terms WLAN topologies WLANs (wireless LANs) workstation patch management worms overview Review Answer WPA (Wi-Fi Protected Access) WPA and WPA2 security WPA2 attacks encryption protocols Review Answer WPA-PSK WPS (Wi-Fi Protected Setup) X xls/.xlsx files, vulnerability to viruses Xmas attacks XML (Extensible Markup Language) injection XSRF (cross-site request forgery) XSS (cross-site scripting) overview vulnerabilities Z zero-day threats explained overview zip files, vulnerability to viruses

... concentrate of certification knowledge!

Your Destination: CompTIA Security+ Certification

This book is your passport to CompTIA’s Security+ certification, the vendor-neutral, industry-standard certification...
  Technical Support
B Career Flight Path
  CompTIA Security+ Exam Format
  CompTIA Security+ and Beyond
  Getting the Latest Information on the CompTIA Security+ Exam
Index

Acknowledgments

Many thanks...