
YCDA: CompTIA Security+: Get Certified Get Ahead SY0-501 Study Guide


DOCUMENT INFORMATION

Contents

Ebook: CompTIA Security+: Get Certified Get Ahead SY0-501 Study Guide

Objective to Chapter Map
1.0 Threats, Attacks and Vulnerabilities 21%
2.0 Technologies and Tools 22%
3.0 Architecture and Design 15%
4.0 Identity and Access Management 16%
5.0 Risk Management 14%
6.0 Cryptography and PKI 12%

CompTIA Security+: Get Certified Get Ahead SY0-501 Study Guide
Darril Gibson

Copyright © 2017 by Darril Gibson. All rights reserved. Printed in the United States of America. No part of this book may be used or reproduced in any manner whatsoever without written permission except in the case of brief quotations embodied in critical articles and reviews. For information, contact YCDA, LLC, 1124 Knights Bridge Lane, Virginia Beach, VA, 23455. YCDA, LLC books may be purchased for educational, business, or sales promotional use. For information, please contact Darril Gibson at darril@darrilgibson.com.

Copy editor: Karen Annett
Technical editor: Chris Crayton
Proofreader: Karen Annett
Compositor: Susan Veach
ISBN-10: 1-939136-05-9
ISBN-13: 978-1-939136-05-3

Dedication

To my wife, who even after 25 years of marriage continues to remind me how wonderful life can be if you're in a loving relationship. Thanks for sharing your life with me.

Acknowledgments

Books of this size and depth can't be done by a single person, and I'm grateful for the many people who helped me put this book together. First, thanks to my wife. She has provided me immeasurable support throughout this project. The technical editor, Chris Crayton, provided some great feedback on each of the chapters and the online labs. If you have the paperback copy of the book in your hand, you're enjoying some excellent composite editing work done by Susan Veach. I'm extremely grateful for all the effort Karen Annett put into this project. She's an awesome copy editor and proofer and the book is tremendously better due to all the work she's put into it. Last, thanks to my assistant Jaena Nerona who helped with many of the details behind the scenes. She helped me with some quality control and project management. More, she managed most of the daily tasks associated with maintaining online web sites. While I certainly appreciate all the feedback everyone gave me, I want to stress that any errors that may have snuck into this book are entirely my fault and no reflection on anyone who helped. I always strive to identify and remove every error, but they still seem to sneak in.

Special thanks to:
• Chief Wiggum for bollards installation
• Nelson Muntz for personal physical security services
• Martin Prince for educating us about downgrade attacks
• Comp-Global-Hyper-Mega-Net for intermittent HTTP services
• Edna Krabapple for her thoughtful continuing education lessons
• Apu Nahasapeemapetilon for technical advice on secure coding concepts
• Moe Szyslak for refreshments and uplifting our spirits with his talks about RATs

About the Author

Darril Gibson is the CEO of YCDA, LLC (short for You Can Do Anything). He has contributed to more than 40 books as the author, coauthor, or technical editor. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications, including CompTIA A+, Network+, Security+, and CASP; (ISC)2 SSCP and CISSP; Microsoft MCSE and MCITP; and ITIL Foundations. In response to repeated requests, Darril created the http://gcgapremium.com/ site where he provides study materials for several certification exams, including the CompTIA Security+ exam. Darril regularly posts blog articles at http://blogs.getcertifiedgetahead.com/, and uses the site to help people stay abreast of changes in certification exams. You can contact him through either of these sites. Additionally, Darril publishes the Get Certified Get Ahead newsletter. This weekly newsletter typically lets readers know of new blog posts and about updates related to CompTIA certification exams. You can sign up at http://eepurl.com/g44Of. Darril lives in Virginia Beach with his wife and two dogs. Whenever possible, they escape to a small cabin in the country on over twenty acres of land that continue to provide them with peace, tranquility, and balance.

Table of Contents

Dedication iii
Acknowledgments iv
About the Author iv
Introduction
Who This Book Is For
About This Book
How to Use This Book 2
Conventions
Remember This
Vendor Neutral
Free Online Resources
Additional Web Resources
Assumptions
Set a Goal
About the Exam
Passing Score
Exam Prerequisites
Beta Questions
Exam Format
Question Types
Multiple Choice
Performance-Based Questions
Question Complexity
Video 10
Exam Test Provider 10
Voucher Code for 10 Percent Off 10
Exam Domains 11
Objective to Chapter Map 11
1.0 Threats, Attacks and Vulnerabilities 21% 11
2.0 Technologies and Tools 22% 15
3.0 Architecture and Design 15% 19
4.0 Identity and Access Management 16% 24
5.0 Risk Management 14% 26
6.0 Cryptography and PKI 12% 29
Recertification Requirements 32
Pre-Assessment Exam 35
Assessment Exam Answers 49
Chapter 1: Mastering Security Basics 61
Understanding Core Security Goals 62
What Is a Use Case? 62
Ensure Confidentiality 63
Encryption 63
Access Controls 63
Steganography and Obfuscation 64
Provide Integrity 64
Hashing 64
Digital Signatures, Certificates, and Non-Repudiation 66
Increase Availability 67
Redundancy and Fault Tolerance 67
Patching 68
Resource Versus Security Constraints 68
Introducing Basic Risk Concepts 68
Understanding Control Types 69
Technical Controls 70
Administrative Controls 70
Physical Controls 71
Control Goals 71
Preventive Controls 72
Detective Controls 73
Comparing Detection and Prevention Controls 74
Corrective Controls 74
Deterrent Controls 74
Compensating Controls 74
Combining Control Types and Goals 75
Implementing Virtualization 75
Comparing Hypervisors 76
Application Cell or Container Virtualization 76
Secure Network Architecture 77
Snapshots 77
VDI/VDE and Non-Persistence 78
VMs as Files 78
Risks Associated with Virtualization 79
Running Kali Linux in a VM 80
Using Command-Line Tools 80
Windows Command Line 80
Linux Terminal 81
Understanding Switches and Getting Help 82
Understanding Case 82
Ping 82
Using Ping to Check Name Resolution 83
Beware of Firewalls 84
Using Ping to Check Security Posture 84
Ipconfig, ifconfig, and ip 84
Netstat 86
Tracert 87
Arp 88
Chapter Exam Topic Review 88
Chapter Practice Questions 90
Chapter Practice Question Answers 92
Chapter 2: Understanding Identity and Access Management 95
Exploring Authentication Concepts 96
Comparing Identification and AAA 96
Comparing Authentication Factors 97
Something You Know 97
Something You Have 103
Something You Are 106
Somewhere You Are 107
Something You Do 108
Dual-Factor and Multifactor Authentication 109
Summarizing Identification Methods 109
Troubleshooting Authentication Issues 109
Comparing Authentication Services 110
Kerberos 110
NTLM 111
LDAP and LDAPS 111
Single Sign-On 112
SSO and Transitive Trusts 113
SSO and SAML 114
SAML and Authorization 114
SSO and a Federation 114
OAuth and OpenID Connect 115
Managing Accounts 115
Least Privilege 116
Need to Know 116
Account Types 117
Require Administrators to Use Two Accounts 117
Standard Naming Convention 118
Prohibiting Shared and Generic Accounts 118
Disablement Policies 119
Recovering Accounts 119
Time-of-Day Restrictions 120
Location-Based Policies 120
Expiring Accounts and Recertification 121
Account Maintenance 121
Credential Management 121

Index (partial, P–Z)

(continued from the preceding index page) CA, 454-456; intermediate CA, 455; CRL, 457-459; OCSP, 459; CSR, 456-457; certificate, 441-442; public key, 439-445; private key, 439-445; object identifiers (OID), 456; PKI concepts, 454; certificate chaining, 455-456; key escrow, 460; online versus offline CA, 456; pinning, 459; stapling, 459; trust model, 455-456
pointer dereference, 318-319
port security: IEEE 802.1x, 191; MAC filtering, 195-196; switch (physical port), 155
ports: comparing ports and ports, 157; disabling unnecessary ports and services, 227; firewall rules, 150, 153; logical ports, 149-153; physical ports, 155; port security, 155; taps and port mirror, 183
power redundancies
preservation (of data, forensics), 495-498
preventive (security control), 72-73
principles (social engineering principles), 292-295: authority, 293; intimidation, 293; consensus, 293; scarcity, 294; familiarity, 294; trust, 294-295; urgency, 294
printers/MFDs: secure systems design, 236; embedded systems, 250-251
privacy impact assessment (BIA), 407-408
privacy officer (data role and responsibilities), 490
privacy threshold assessment (BIA), 407-408
private (cloud model), 242
private key: asymmetric encryption, 424, 432, 439-445; certificate formats, 462-463; digital signature, 425; email, 446-450; HTTPS, 450-452; improper certificate and key management, 458; key escrow, 460; Rayburn box, 441; recovery agent, 460; registration and CSRs, 456-457; revoking certificates, 457; smart cards, 103; TPM, 238
privilege escalation, 117-118, 287, 304, 358, 361
privileged accounts, 117
proper error handling, 322
proper input validation, 319-321
protected distribution/protected cabling (physical security), 394
protocol analyzer, 364-366: capture clear text, 110, 142, 311, 432; capture MAC and IP address, 497; connected to switch, 155; flood attack, 156; IDSs and IPSs, 182, 187; promiscuous mode, 85; protecting cabling, 394; sniffing attack, 140; tcpdump, 366; tracert command, 87; wireless attack, 195; WPA attack, 198
protocols (secure protocols), 140-149: DNSSEC, 148; FTPS, 143; HTTPS, 143, 145, 149; LDAPS, 111-112, 145; S/MIME, 450; secure POP/IMAP, 144-145; SFTP, 143; SNMPv3; SRTP, 142; SSH, 143; SSL/TLS, 143
provisioning and deprovisioning, 327
proximity cards, 207, 384, 385: tailgating and mantraps, 386-387
proxy, 167-170: application/multipurpose, 169-170; forward proxy, 167-168; reverse proxy, 169; transparent, 168-169
pseudo-random number generation, 433, 434
PSK (wireless security method), 199-201
public (cloud model), 242
public key: asymmetric encryption, 424, 432, 439-445; certificate formats, 462-463; digital signature, 425; email, 446-450; HTTPS, 450-452; Rayburn box, 441; registration and CSRs, 456-457; smart cards, 103; TPM, 238
public key infrastructure (PKI), 454-462
pulping (destruction and sanitization), 487
pulverizing (destruction and sanitization), 487
purging (destruction and sanitization), 487
push notification services (MDM), 247

Q
qualitative (risk assessment), 349
quantitative (risk assessment), 347-349

R
race conditions, 321
RADIUS (identity and access services), 214-215: RADIUS Federation, 201
RAID (0, 1, 5, 6, 10), 396-397
rainbow table attack, 312-313
random number generation, 433, 434
ransomware, 274-275
RAT, 274
Rayburn box, 441
RC4, 438
recertification (account management), 121
record time offset (forensics), 497-498
recording microphone (mobile device), 249
recovery: of data, forensics, 499; password recovery, 119
recovery sites, 409-410: cold site, 410; hot site, 409-410; warm site, 410
redundancy, 67: disk redundancies, 396-397; power redundancies, 400; server redundancy, 397
refactoring, driver manipulation, 315-316
regulatory (frameworks), 334
remote access: use case, 145-146; VPNs, 207-211
remote attestation, 237
remote wipe (MDM), 246
removable media control (DLP), 257-258
replay attack, 110, 142, 206-207, 313
resource exhaustion (vulnerability), 270
retinal scanner (biometric factor), 107
reverse proxy, 169
revert to known state (snapshot, virtualization), 77-78
RFID attack, 206-207
RIPEMD, 427
risk assessment, 346-350
risk register (risk assessment), 350, 351
risk response techniques, 346-347: accept, 347; avoid, 346; mitigate, 346-347; transfer, 346
role-based access control, 122-125
role-based awareness training (policies), 500-501: data owner, 500; executive user, 501; privileged user, 501; system administrator, 500; system owner, 500-501; user, 501
rollback to known configuration (snapshot, virtualization), 78
rogue AP, 203
rogue system detection, 355-356
root (certificate), 455-456
rooting (mobile device), 248
rootkit, 277
ROT13, 436
round-robin (load balancing, scheduler), 399
router, 147, 154, 156-158: ACLs, 141, 157-158; aggregation switch, 160; antispoofing, 158; attribute-based access control, 129; Layer switch (comparison), 166; logs, 368-369; NAT and PAT, 165; physical security, 383, 390; ping (blocked), 84; ports, 141, 150-153; rule-based access control, 126; NIDS (sensors), 183; SDN (comparison), 189-190; separation and segmentation, 166; TACACS+, 215-216; tracert (command), 87; use cases, 172; wireless, 192-193; SNMP, 172
routing and switching use case, 172
RPO, 408
RSA, 443
RTO, 408
RTOS, 253
rule-based access control, 126

S
S/MIME, 450
SaaS, 240
safe (physical security), 390
SAML (identity and access services), 114
SAN (certificate), 461
sandboxing: chroot, 234; code quality and testing, 324; secure staging & deployment, 234
salt and key stretching, 428-429: and rainbow table attacks, 312-313
SATCOM (mobile device connection), 244
SCADA, 252
scalability, 75, 398, 399
scanners/cracker (wireless), 354-355
scheduling, 399-400
screen filter, 279
screen locks (MDM), 246
screenshots (forensics), 498
script kiddie (threat actor), 268
SDN, 129, 189-190
secret algorithm, 433
secure baseline, 230-231
secure boot (and attestation), 237
secure cabinets/enclosures (physical security)
secure coding techniques, 319-327
Secure DevOps, 324-327: continuous integration, 325; baselining, 325-326; immutable systems, 326; infrastructure as code, 326; security automation, 325
secure POP/IMAP, 144-145
secure token (identity and access services), 112
Security as a Service, 241-242
security automation (Secure DevOps), 325
security control types, 69-75: administrative, 70-71; compensating, 74-75; corrective, 74; deterrent, 74; detection versus prevention controls, 74; detective, 73; physical, 71-72, 383-395; preventive, 72-73; technical, 70
security device/technology placement: collectors, 183-184; DDoS mitigator, 171; filters, 167-168, 170-171; firewalls, 160-165; load balancers, 399; proxies, 167-168; sensors, 183-184; SSL (TLS) accelerators, 188-189; taps and port mirror, 183; VPN concentrator, 208
security guards (physical security), 387
security through obscurity, 64, 323, 436
SED (hardware/firmware security), 237
segregation/segmentation/isolation (secure network): logical (network, VLAN), 166; physical (airgap), 166; router, 166; switch (use case), 172; virtualization, 77; VLAN, 167
self-signed (certificate), 461
separation of duties (policies), 476
server-side versus client-side execution and validation, 320-321
server redundancy, 397
service accounts, 117
service attack, 140, 304
session hijacking, 314
session keys (symmetric encryption), 435, 439, 450, 452
SFTP, 143
SHA, 64-66, 311, 312, 424, 426
shared and generic accounts/credentials, 118
Shibboleth (identity and access services), 115
shielding (physical security), 394-395
shimming, driver manipulation, 315
shoulder surfing, 279
shredding (destruction and sanitization), 487
sideloading (mobile device), 248
SIEM, 370-373: aggregation, 370; automated alerting and triggers, 370; correlation, 370; event deduplication, 371; logs/WORM, 371; time synchronization, 370-371
signal strength (wireless access point), 197
signs (physical security), 384
single point of failure, 395-396, 396-401
single sign-on (SSO), 112-115, 200
site-to-site (VPN), 210
SLA (agreement type), 484
SLE (risk assessment), 348
smart cards, 103
smart devices/IoT (embedded systems), 252: home automation, 252; wearable technology, 252
SMS (mobile device), 249
snapshots: backups, 403; virtualization, 77-78
SNMP, 156, 172
SoC, 252
social media networks/applications (policies), 481-482
social engineering, 278-287
something you are, 106-107
something you do, 108
something you have, 103-105
something you know, 97-103
somewhere you are, 107-108
spear phishing, 284
special purpose (embedded system), 253-254: aircraft/UAV, 254; medical devices, 253-254; vehicles, 253-254
split tunnel versus full tunnel (VPN), 209-210
spyware, 275
SQL injection, 320, 330-332
SRTP, 142
SSH, 143, 145-146, 151, 207, 310, 362, 367
SSID (wireless access point), 194-195
SSL: SSL versus TLS, 144, 450-451; weak/deprecated algorithms, 434
SSL/TLS accelerators, 188-189
SSL decryptors, 189
standard naming convention (account management), 118
standard operating procedure, 474
stapling (PKI concept), 459
STARTTLS, 143, 144
stateful versus stateless (firewall), 141, 162
stateless firewall rules, 162
static code analyzers, 324
steganography, 64, 372, 425, 444-445
steganography tools, 444-445
steward/custodian (data role and responsibilities), 490
storage segmentation (MDM), 246
stored procedures, 331-332
strategic intelligence/counterintelligence gathering, 500: active logging, 500
stream versus block (cipher mode), 434
stress testing, 324
substitution cipher, 436
subscription services use case, 149
supply chain (hardware/firmware security), 236
supply chain assessment (risk assessment), 351
switch, 154-156: flood guard, 156; Layer versus Layer 3, 166; loop prevention, 155-156; port security, 155
symmetric algorithms, 435-439: 3DES, 438; AES, 437-438; Blowfish/Twofish, 438-439; DES, 438; RC4, 438
system sprawl and undocumented assets (vulnerability), 391

T
tabletop exercise, 412
TACACS+ (identity and access services), 215-216
take hashes (forensics), 496
tailgating, 280, 386-387
tcpdump (command), 366
technical (security control), 70
templates, 230
testing: penetration testing authorization, 359; vulnerability testing authorization, 359
tethering (mobile device), 250
third-party app stores (mobile device), 248
third-party libraries and SDKs, 323
threat actors (types and attributes), 268-270, 344-345
threat assessment, 344-345: environmental, 345; internal versus external, 345; manmade, 345
time-of-day restrictions (account management), 120
time synchronization: Kerberos, 110; SIEM, 370-371; use case, 146
TKIP, 199, 201, 202, 206, 207
TLS: AH, 209; certificate, 456; cipher suites, 452-453; downgrade attack, 453-454; EAP-Tunneled TLS, 201; EAP-TLS, 201; ESP, 209; HMAC, 426; HTTPS, 145, 450-452; LDAPS, 112, 144; PEAP, 201; secure file transfer, 143; secure IMAP, 144; SSL/TLS accelerators, 188-189; SSL decryptors, 189; Tunnel mode, 209; tunneling protocol (VPN), 209; Transport mode, 209
tokens, 104-105: hardware (key fob), 104; software (in a software application), 105
tokens/cards (physical security), 385
TOTP, 104-105
TPM (hardware/firmware security), 237-238
tracert (command), 87-88
track man-hours (forensics), 500
transfer (risk response), 346
transitive trust, 113
transparent (proxy), 168-169
Transport mode (TLS), 209
Trojan, 273
trust model (PKI concept), 455-456
trusted operating system, 228
Tunnel mode (TLS), 209
tunneling/VPN, 209-210: remote access, 208-211; site-to-site, 210
tunneling protocol (TLS for VPN), 209
Twofish, 438-439
Type I (hypervisor), 76
Type II (hypervisor), 76
typo squatting, 314

U
UAV, 254
UEFI (hardware/firmware security), 237
unauthorized software, 233
unencrypted credentials/clear text, 110, 364-365
unified threat management (UTM), 170-171
untrained users (vulnerability), 291
URL hijacking, 314
usage auditing and review, 371-372
USB (mobile device connection), 245
USB OTG (mobile device), 249
UTM, 170-171
use case, 62-63, 142-146: directory services, 145; domain name resolution, 147-149; email and web, 144-145; file transfer, 142-143; high resiliency, 434; low latency, 459; low power devices, 444; network address allocation, 146; protocols, 141-149; remote access, 145-146; resource versus security constraints, 68; routing and switching, 172; time synchronization, 146; subscription services, 149; supporting authentication, 97; supporting confidentiality, 63; supporting integrity, 64; supporting non-repudiation, 66; supporting obfuscation, 64; voice and video, 142
user (certificate), 460

V
VDI (mobile device deployment model), 244
VDI/VDE (virtual desktops), 78
vendor diversity (defense-in-depth), 383
version control and change management, 326
virtual IPs (load balancing), 400
virtualization, 75-80
viruses, 271
vishing, 285
VLAN (isolating traffic), 166
VM escape protection, 79
VM sprawl avoidance, 79
voice and video use case, 142
voice recognition (biometric factor), 106
VPN: concentrator, 208; always-on VPN, 211; IPsec, 209; AH, 209; ESP, 209; Tunnel mode, 209; Transport mode, 209; remote access versus site-to-site, 207, 208, 210-211; split tunnel versus full tunnel, 209-210; TLS, 209
vulnerability scanner, 351, 356-358: active reconnaissance, 360; configuration compliance scanner, 359; credentialed versus non-credentialed, 358; integrity measurements for baseline deviation, 231; passive versus active tools, 363
vulnerability scanning, 356-358
vulnerable business processes, 406

W
waterfall (software development life-cycle model), 324-325
watering hole attack, 280-281
warm site, 410
weak/deprecated algorithms, 434
weak cipher suites (vulnerability, downgrade attack), 453-454
weak configuration (vulnerability), 226-227
weak implementations (downgrade attack), 453-454
weak security configurations, 226, 230-231
wearable technology, 252
web application firewall, 163
whaling, 284
white box, 362
whitelist, whitelisting, 233, 245
Wi-Fi direct (mobile device), 250
Wi-Fi (mobile device connection), 244
Wi-Fi-enabled MicroSD cards (secure systems design), 236
wildcard (certificate), 461
wiping (destruction and sanitization), 486
wireless: attacks, 202-207; keyboards (secure systems design), 235; mice (secure systems design), 235; scanners/cracker, 354-355; security, 192-202; zone, topology, 198
wireless security methods: PSK versus Enterprise versus Open, 199-201; WPS, 203; captive portals, 202
witness interviews (forensics), 498
WPA/WPA2, 198, 199, 200-201, 202, 203, 206
WPS, 203

X
XOR, 433, 435

Z
zenmap, 353-354
zero day, 185, 190, 253, 289, 292, 316
zones/topologies, 163-165, 198: ad hoc, 198; DMZ, 163-165; extranet, 163-165; guest, 198; honeynets, 190; intranet, 163-165; NAT, 165; wireless, 198

Introduction (excerpt)

... purchase of CompTIA Security+: Get Certified Get Ahead study guide. You are one step closer to becoming CompTIA Security+ certified. This certification has helped many individuals get ahead in their ...

Posted: 05/09/2019, 11:25
