The smartest, fastest, most effective preparation for CompTIA's brand-new 2011 Security+ Exam (SY0-301)
Prepare for CompTIA Security+ SY0-301 exam success with this CompTIA Authorized Exam Cram from Pearson IT Certification, a leader in IT Certification learning and a CompTIA Authorized Platinum Partner.
CompTIA® Security+ Exam Cram, Third Edition, is the perfect study guide to help you pass CompTIA’s newly updated version of the Security+ exam. It provides coverage and practice questions for every exam topic. The book contains a set of 200 questions in two full practice exams.
Limited Time Offer: Buy CompTIA Security+ SY0-301 Authorized Exam Cram and receive a 10% off discount code for the CompTIA Security+ SY0-301 exam. To receive your 10% off discount code:
The CD-ROM contains the powerful Pearson IT Certification Practice Test engine that provides real-time practice and feedback with all the questions so you can simulate the exam.
Covers the critical information you need to know to score higher on your Security+ exam!
Kirk Hausman (CISSP, CISA, CRISC, Security+) has worked as an ISO, consultant, trainer, and IT director. He is Assistant Commandant for IT at TAMU and teaches InfoSec topics as an Adjunct Professor at UMUC and UAT.
Martin Weiss (CISSP, CISA, Security+, MCSE) leads a team of information security experts at Symantec supporting solutions to provide confidence in a connected world.
Diane Barrett (CISSP, MCSE, A+, Security+) is the director of training for Paraben Corporation and an adjunct professor for American Military University.
Companion CD
The CD-ROM contains two complete practice exams.
Includes Exclusive Offer for 70% Off Premium Edition eBook and Practice Test
Pearson IT Certification Practice Test minimum system requirements:
Windows XP (SP3), Windows Vista (SP2), or Windows 7; Microsoft .NET Framework 4.0 Client; Pentium class 1GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam
Limited Time Offer: Buy the CompTIA Security+ SY0-301 Exam Cram, Premium Edition eBook and Practice Test and receive a 10% off discount code for the CompTIA Security+ SY0-301 exam. To receive your 10% off discount code visit your pearsonITcertification.com Account page, locate the product and click on “Access Bonus Content”.
The CompTIA Security+ SY0-301 Exam Cram, Premium Edition eBook and Practice Test is a digital-only certification preparation product that combines an eBook with the enhanced Pearson IT Certification Practice Test software. The Premium Edition eBook and Practice Test contains the following items:
About the Premium Edition Practice Test
This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with three full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:
About the Premium Edition eBook
CompTIA Security+ SY0-301 Exam Cram is a best-of-breed exam study guide. Best-selling authors Hausman, Barrett, and Weiss share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CompTIA Security+ SY0-301 Exam Cram presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Exam Alerts, Sidebars, and Notes interspersed throughout the text keep you focused on what you need to know. Cram Quizzes help you assess your knowledge, and the Cram Sheet tearcard is the perfect last minute review.
Well regarded for its late-stage review, assessment features, and challenging review questions and exercises, this approved study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
The approved study guide helps you master all the topics on the Security+ exam, including:
CompTIA Security+ Exam Cram: Risk Management
Download the sample pages (includes Chapter 3 and Index)
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Part I: Network Security
CHAPTER 1: Network Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Explain the Security Function and Purpose of Network Devices and Technologies . . 2
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Load Balancers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Web Security Gateways. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
VPN Concentrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
NIDS and NIPS (Behavior Based, Signature Based, Anomaly Based, Heuristic) . . . . . . 8
Protocol Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Spam Filter, All-in-one Security Appliances . . . . . . . . . . . . . . . . 11
Web Application Firewall versus Network Firewall . . . . . . . . . . . 11
URL Filtering, Content Inspection, Malware Inspection . . . . . . . 13
Apply and Implement Secure Network Administration Principles . . . . . 16
Rule-based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
VLAN Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Secure Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 19
Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Port Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Flood Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Loop Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Implicit Deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Prevent Network Bridging by Network Separation . . . . . . . . . . . 22
Log Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Distinguish and Differentiate Network Design Elements and Compounds . . 25
DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Intranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Remote Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Telephony. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
NAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
CHAPTER 2: Network Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Implement and Use Common Protocols . . . . . . . . . . . . . . . . . . . . . . 42
Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Secure Shell Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Transport Layer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Secure Sockets Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
FTPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Hypertext Transport Protocol over Secure Sockets Layer . . . . . . . 50
Secure FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Secure Copy Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Internet Control Message Protocol . . . . . . . . . . . . . . . . . . . . . 52
IPv4 versus IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Identify Commonly Used Default Network Ports . . . . . . . . . . . . . . . . 56
Implement Wireless Networks in a Secure Manner. . . . . . . . . . . . . . . 60
Wi-Fi Protected Access (WPA) . . . . . . . . . . . . . . . . . . . . . . . . 61
WPA2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Wired Equivalent Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Extensible Authentication Protocol . . . . . . . . . . . . . . . . . . . . . 62
Protected EAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
LEAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Media Access Control Filter . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Service Set Identifier Broadcast. . . . . . . . . . . . . . . . . . . . . . . . 64
Temporal Key Integrity Protocol. . . . . . . . . . . . . . . . . . . . . . . 65
CCMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Antenna Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Power Level Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Part II: Compliance and Operational Security
CHAPTER 3: Risk Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Exemplify the Concepts of Confidentiality, Integrity, and Availability . . . 70
Confidentiality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Explain Risk-Related Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Risk Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Types of Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Identifying Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Identifying Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Measuring Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Qualitative versus Quantitative Measures . . . . . . . . . . . . . . . . . 80
Risk Reduction Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Carry Out Appropriate Risk-Mitigation Strategies . . . . . . . . . . . . . . . 90
Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Incident Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Regular Audits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Explain the Importance of Security-Related Awareness and Training . . . 97
User Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
User Habits and Expectations . . . . . . . . . . . . . . . . . . . . . . . . . 99
CHAPTER 4: Response and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Execute Appropriate Incident Response Procedures. . . . . . . . . . . . . . 104
First Responders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Damage and Loss Control . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Chain of Custody and Rules of Evidence . . . . . . . . . . . . . . . . . 105
Basic Forensic Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Explain the Impact and Proper Use of Environmental Controls . . . . . . 111
The Importance of Environmental Controls . . . . . . . . . . . . . . 111
HVAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Fire Suppression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
EMI Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Temperature and Humidity Controls . . . . . . . . . . . . . . . . . . . 116
Hot-Aisle/Cold-Aisle Separation . . . . . . . . . . . . . . . . . . . . . . 117
Environmental Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . 117
Video Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Compare and Contrast Aspects of Business Continuity. . . . . . . . . . . . 120
Contrasting Business Continuity and Disaster Recovery . . . . . . . 120
Business Continuity Planning . . . . . . . . . . . . . . . . . . . . . . . . 121
Execute Disaster Recovery Plans and Procedures . . . . . . . . . . . . . . . 126
Disaster Recovery Planning . . . . . . . . . . . . . . . . . . . . . . . . . 126
Alternative Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Redundant Equipment and Connections . . . . . . . . . . . . . . . . . 132
Backup Techniques and Practices . . . . . . . . . . . . . . . . . . . . . . 136
Part III: Threats and Vulnerabilities
CHAPTER 5: Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Analyze and Differentiate Among Types of Malware . . . . . . . . . . . . . 144
Adware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Trojans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Botnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Backdoors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Analyze and Differentiate Among Types of Attacks . . . . . . . . . . . . . . 153
Man-in-the-Middle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Distributed DoS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
DNS Poisoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
ARP Poisoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Spoofing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Privilege Escalation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Malicious Insider Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Analyze and Differentiate Among Types of Social Engineering Attacks. . . 165
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Dumpster Diving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Tailgating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Analyze and Differentiate Among Types of Wireless Attacks . . . . . . . . 171
Rogue Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
War Driving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Bluejacking/Bluesnarfing . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Packet Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
IV Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Analyze and Differentiate Among Types of Application Attacks . . . . . . 175
Browser Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Code Injections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Directory Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Header Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Zero-day. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
CHAPTER 6: Deterrents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Analyze and Differentiate Among Types of Mitigation and Deterrent Techniques . . 184
Manual Bypassing of Electronic Controls . . . . . . . . . . . . . . . . 185
Monitoring System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Hardening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Security Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Detection Controls versus Prevention Controls . . . . . . . . . . . . 196
Implement Assessment Tools and Techniques to Discover Security Threats and Vulnerabilities . . 199
Vulnerability Scanning and Interpreting Results . . . . . . . . . . . . 199
Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Risk Calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Assessment Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Within the Realm of Vulnerability Assessments, Explain the Proper Use of Penetration Testing versus Vulnerability Scanning . . . . 207
Penetration Testing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Vulnerability Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Part IV: Application, Data, and Host Security
CHAPTER 7: Application Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Explain the Importance of Application Security . . . . . . . . . . . . . . . . 214
Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Secure Coding Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Cross-site Scripting Prevention . . . . . . . . . . . . . . . . . . . . . . . 220
Cross-site Request Forgery Prevention . . . . . . . . . . . . . . . . . . 221
Application Configuration Baseline . . . . . . . . . . . . . . . . . . . . 222
Application Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Application Patch Management . . . . . . . . . . . . . . . . . . . . . . . 226
CHAPTER 8: Host Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Carry Out Appropriate Procedures to Establish Host Security. . . . . . . 232
Operating System Security and Settings . . . . . . . . . . . . . . . . . 234
Anti-malware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Hardware Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Host Software Baselining . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
CHAPTER 9: Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Explain the Importance of Data Security . . . . . . . . . . . . . . . . . . . . . 256
Data Loss Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Data Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Hardware-based Encryption Devices . . . . . . . . . . . . . . . . . . . 265
Cloud Computing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Part V: Access Control and Identity Management
CHAPTER 10: Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Authentication Strength. . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Single versus Multifactor Authentication . . . . . . . . . . . . . . . . . 280
Common Authentication Forms . . . . . . . . . . . . . . . . . . . . . . 281
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Anonymous Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Authorization Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
CHAPTER 11: Access Control and Account Management. . . . . . . . . . . . . . . . . . . . . . 295
Explain the Fundamental Concepts and Best Practices Related to Access Control . . 296
Access Control Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Access Control Best Practices . . . . . . . . . . . . . . . . . . . . . . . . 301
Implement Appropriate Security Controls when Performing Account Management . . 304
Account Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Security Groups and Roles with Appropriate Rights and Privileges . . . . . . . . . . . . 305
Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Time-of-Day Restrictions and Account Expiration . . . . . . . . . . 309
Part VI: Cryptography
CHAPTER 12: Cryptography Tools and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Summarize General Cryptography Concepts . . . . . . . . . . . . . . . . . . 314
Symmetric versus Asymmetric. . . . . . . . . . . . . . . . . . . . . . . . 314
Transport Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Nonrepudiation and Digital Signatures . . . . . . . . . . . . . . . . . . 318
Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Key Escrow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Use of Proven Technologies . . . . . . . . . . . . . . . . . . . . . . . . . 321
Elliptic Curve and Quantum Cryptography . . . . . . . . . . . . . . . 322
Use and Apply Appropriate Cryptographic Tools and Products . . . . . . 324
Wireless Encryption Functions . . . . . . . . . . . . . . . . . . . . . . . 325
Cryptographic Hash Functions . . . . . . . . . . . . . . . . . . . . . . . 325
HMAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Symmetric Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . 328
Asymmetric Encryption Algorithms . . . . . . . . . . . . . . . . . . . . 330
One-time-pads. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Whole Disk Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Use of Algorithms with Transport Encryption . . . . . . . . . . . . . 334
CHAPTER 13: Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Explain the Core Concepts of Public Key Infrastructure. . . . . . . . . . . 340
Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Registration Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Certificate Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Certificate Practice Statement . . . . . . . . . . . . . . . . . . . . . . . . 346
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Trust Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Implement PKI, Certificate Management, and Associated Components . 350
Centralized versus Decentralized . . . . . . . . . . . . . . . . . . . . . . 351
Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Key Escrow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Expiration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Status Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Suspension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
M of N Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Destruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Key Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Multiple Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Part VII: Practice Exams and Answers
Practice Exam 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Answers to Practice Exam 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Practice Exam 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Answers to Practice Exam 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
TOC, 9780789748294, 11/18/2011