ALL IN ONE All-in-1 / CompTIA Security+ All-in-One Exam Guide, 3rd Ed./ White / 177147-6/ blind folio: i CompTIA Security+ EXAM GUIDE (Exam SY0-301) THIRD EDITION 147-6_FM.indd 1 6/6/11 10:22 AM




ALL IN ONE

CompTIA Security+™ Exam Guide (Exam SY0-301)

Third Edition

Wm. Arthur Conklin
Gregory White
Dwayne Williams
Roger Davis
Chuck Cothren

New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto


Cataloging-in-Publication Data is on file with the Library of Congress

McGraw-Hill books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please e-mail us at [email protected].

CompTIA Security+™ All-in-One Exam Guide (Exam SY0-301), Third Edition

Copyright © 2011 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Trademarks: McGraw-Hill, the McGraw-Hill Publishing logo, All in One™, and related trade dress are trademarks or registered trademarks of The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with any product or vendor mentioned in this book.

1234567890 QFR QFR 10987654321

ISBN: Book p/n 978-0-07-177146-7 and CD p/n 978-0-07-177145-0 of set 978-0-07-177147-4

MHID: Book p/n 0-07-177146-8 and CD p/n 0-07-177145-X of set 0-07-177147-6

Sponsoring Editor: Tim Green
Editorial Supervisor: Patty Mon
Project Editor: Rachel Gunn
Acquisitions Coordinator: Stephanie Evans
Technical Editor: Bobby Rogers
Copy Editor: Margaret Berson
Proofreaders: Word One
Indexer: Jack Lewis
Production Supervisor: George Anderson
Composition: Apollo Publishing Service
Illustration: Lyssa Wald
Art Director, Cover: Jeff Weeks

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

CompTIA Security+™ is the proprietary trademark of The Computing Technology Industry Association, Inc. (CompTIA). Neither the author nor McGraw-Hill is affiliated with CompTIA. CompTIA does not necessarily endorse this training material or its contents.


McGraw-Hill is an independent entity from CompTIA. This publication and CD may be used in assisting students to prepare for the CompTIA Security+ ™ exam. Neither CompTIA nor McGraw-Hill warrant that use of this publication and CD will ensure passing any exam. CompTIA® and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.


About the Authors

Dr. Wm. Arthur Conklin, Security+, CISSP, CSSLP, CSDP, DFCP, is an assistant professor and the Director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. Dr. Conklin’s research interests lie in the security of cyber-physical infrastructure systems, software assurance, and the application of systems theory to security issues. His dissertation was on the motivating factors for home users in adopting security on their own PCs. He has coauthored five books on information security and has written and presented numerous conference and academic journal papers. He is an active member of DHS’s ICSJWG and cochair of the Workforce, Education and Training working group, which is part of the DoD/DHS Software Assurance Forum. A former U.S. Navy officer, he was also previously the Technical Director at the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio.

Dr. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the United States Air Force and 11 years in the Air Force Reserves in a variety of computer and security positions. He obtained his Ph.D. in computer science from Texas A&M University in 1995. His dissertation topic was in the area of computer network intrusion detection, and he continues to conduct research in this area today. He is currently the Director for the Center for Infrastructure Assurance and Security (CIAS) and is an associate professor of computer science at the University of Texas at San Antonio (UTSA). Dr. White has written and presented numerous articles and conference papers on security. He is also the coauthor for five textbooks on computer and network security and has written chapters for two other security books. Dr. White continues to be active in security research. His current research initiatives include efforts in community incident response, intrusion detection, and malware (botnet) detection and elimination.

Dwayne Williams, CISSP, is Associate Director, Technology and Research, for the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio and is the Director of the National Collegiate Cyber Defense Competition. Mr. Williams has over 18 years of experience in information systems and network security. Mr. Williams’s experience includes six years of commissioned military service as a Communications–Computer Information Systems Officer in the United States Air Force, specializing in network security, corporate information protection, intrusion detection systems, incident response, and VPN technology. Prior to joining the CIAS, he served as Director of Consulting for SecureLogix Corporation, where he directed and provided security assessment and integration services to Fortune 100, government, public utility, oil and gas, financial, and technology clients. Mr. Williams graduated in 1993 from Baylor University with a bachelor of arts in computer science. Mr. Williams is a coauthor of Voice and Data Security, Security+ Certification, and Principles of Computer Security.


Roger L. Davis, CISSP, CISM, CISA, is an Operations Manager at the Church of Jesus Christ of Latter-day Saints, managing several of the Church’s information systems in over 140 countries. He has served as president of the Utah chapter of the Information Systems Security Association (ISSA) and has held various board positions for the Utah chapter of the Information Systems Audit and Control Association (ISACA). He is a retired Air Force lieutenant colonel with 30 years of military and information systems/security experience. Mr. Davis served on the faculties of Brigham Young University and the Air Force Institute of Technology. He coauthored McGraw-Hill’s Principles of Computer Security and Voice and Data Security. He holds a master’s degree in computer science from George Washington University and a bachelor’s degree in computer science from Brigham Young University, and he also performed post-graduate studies in electrical engineering and computer science at the University of Colorado.

Chuck Cothren, CISSP, is a Senior Consultant at Symantec Corporation applying a wide array of network security experience, including performing controlled penetration testing, incident response, and security management. He has also analyzed security methodologies for Voice over Internet Protocol (VoIP) systems and supervisory control and data acquisition (SCADA) systems. He is coauthor of the books Voice and Data Security, Security+ Certification, and Principles of Computer Security.

About the Technical Editor

Bobby E. Rogers is a principal information security analyst with Dynetics, Inc., a national technology firm specializing in the certification and accreditation process for the U.S. government. He also serves as a penetration testing team lead for various government and commercial engagements. Bobby recently retired from the U.S. Air Force after almost 21 years, where he served as a computer networking and security specialist and designed and managed networks all over the world. His IT security experience includes several years working as an information assurance manager and a regular consultant to U.S. Air Force military units on various cybersecurity/computer abuse cases. He has held several positions of responsibility for network security in both the Department of Defense and private company networks. His duties have included perimeter security, client-side security, security policy development, security training, and computer crime investigations. As a trainer, he has taught a wide variety of IT-related subjects in both makeshift classrooms in desert tents and formal training centers. Bobby is also an accomplished author, having written numerous IT articles in various publications and training materials for the U.S. Air Force. He has also authored numerous security training videos.

He has a Bachelor of Science degree in computer information systems from Excelsior College and two Associate in Applied Science degrees from the Community College of the Air Force. Bobby’s professional IT certifications include A+, Security+, ACP, CCNA, CCAI, CIW, CIWSA, MCP+I, MCSA (Windows 2000 & 2003), MCSE (Windows NT4, 2000, & 2003), MCSE: Security (Windows 2000 & 2003), CISSP, CIFI, CEH, CHFI, and CPTS, and he is also a certified trainer.


CompTIA Security+

CompTIA Security+ is an international, vendor-neutral certification that demonstrates competency in:

• Network security

• Compliance and operational security

• Threats and vulnerabilities

• Application, data, and host security

• Access control and identity management

• Cryptography

CompTIA Security+ not only ensures that candidates will apply knowledge of security concepts, tools, and procedures to react to security incidents, but it also ensures that security personnel are anticipating security risks and guarding against them.

Candidate job roles include: security architect, security engineer, security consultant/specialist, information assurance technician, security administrator, systems administrator, and network administrator, among others.

It Pays to Get Certified

In a digital world, digital literacy is an essential survival skill. Certification proves you have the knowledge and skill to solve business problems in virtually any business environment.

Certification makes you more competitive and employable. Research has shown that people who study technology get hired. In the competition for entry-level jobs, applicants with high school diplomas or college degrees who included IT coursework in their academic load fared consistently better in job interviews—and were hired in significantly higher numbers. If considered a compulsory part of a technology education, testing for certification can be an invaluable competitive distinction for professionals.

How Certification Helps Your Career


Why CompTIA?

• Global recognition CompTIA is recognized globally as the leading IT nonprofit trade association and has enormous credibility. Plus, CompTIA’s certifications are vendor-neutral and offer proof of foundational knowledge that translates across technologies.

• Valued by hiring managers Hiring managers value CompTIA certification because it is vendor- and technology-independent validation of your technical skills.

• Recommended or required by government and businesses Many government organizations and corporations either recommend or require technical staff to be CompTIA certified (for example, Dell, Sharp, Ricoh, the U.S. Department of Defense, and many more).

• Three CompTIA certifications ranked in the top 10 In a study by Dice Learning of 17,000 technology professionals, certifications helped command higher salaries at all experience levels.

CompTIA Career Pathway

CompTIA offers a number of credentials that form a foundation for your career in technology and allow you to pursue specific areas of concentration. Depending on the path you choose to take, CompTIA certifications help you build on your skills and knowledge, supporting learning throughout your entire career.


Four Steps to Getting Certified

1. Review Exam Objectives Review the certification objectives to make sure you know what is covered in the exam: http://www.comptia.org/certifications/testprep/examobjectives.aspx.

2. Practice for the Exam After you have studied for the certification, take a free assessment and sample test to get an idea of what type of questions might be on the exam: http://www.comptia.org/certifications/testprep/practicetests.aspx.

3. Purchase an Exam Voucher Purchase exam vouchers on the CompTIA Marketplace, which is located at: www.comptiastore.com.

4. Take the Test! Select a certification exam provider and schedule a time to take your exam. You can find exam providers at the following link: http://www.comptia.org/certifications/testprep/testingcenters.aspx.

Join the Professional Community

The free IT Pro online community provides valuable content to students and professionals.

Career IT job resources include

• Where to start in IT

• Career assessments

• Salary trends

• U.S. Job Board

Join the IT Pro Community and get access to:

• Forums on networking, security, computing, and cutting edge technologies

• Access to blogs written by industry experts

• Current information on cutting edge technologies

• Access to various industry resource links and articles related to IT and IT careers

Content Seal of Quality

This text bears the seal of CompTIA Approved Quality Content. This seal signifies that this content covers 100 percent of the exam objectives and implements important instructional design principles. CompTIA recommends multiple learning tools to help increase coverage of the learning objectives. Look for this seal on other materials you use to prepare for your certification exam.


How to Obtain More Information

Visit Us Online Visit www.comptia.org to learn more about getting a CompTIA certification. And while you’re at it, take a moment to learn a little more about CompTIA. We’re the voice of the world’s IT industry. Our membership includes companies on the cutting edge of innovation.

To Contact CompTIA with Any Questions or Comments Please call 866-835-8020, extension 5, or e-mail [email protected].

Social Media Find us on Facebook, LinkedIn, Twitter, and YouTube.


This book is dedicated to the many security professionals who daily work to ensure the safety of our nation’s critical infrastructures.

We want to recognize the thousands of dedicated individuals who strive to protect our national assets but who seldom receive praise and often are only noticed when an incident occurs.

To you, we say thank you for a job well done!


CONTENTS AT A GLANCE

Part I Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 1 General Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Operational Organizational Security . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 3 Legal Issues, Privacy, and Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Part II Cryptography and Applications . . . . . . . . . . . . . . . . . . . . . . . 75

Chapter 4 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 5 Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Chapter 6 Standards and Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Part III Security in the Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . 185

Chapter 7 Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Chapter 8 Infrastructure Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Chapter 9 Authentication and Remote Access . . . . . . . . . . . . . . . . . . . . . . . . 251

Chapter 10 Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Part IV Security in Transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Chapter 11 Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Chapter 12 Security Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Chapter 13 Types of Attacks and Malicious Software . . . . . . . . . . . . . . . . . . . . 409

Chapter 14 E-Mail and Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

Chapter 15 Web Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463


Part V Operational Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Chapter 16 Disaster Recovery and Business Continuity . . . . . . . . . . . . . . . . . . 495

Chapter 17 Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Chapter 18 Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

Chapter 19 Privilege Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555

Chapter 20 Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

Part VI Appendixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Appendix A OSI Model and Internet Protocols . . . . . . . . . . . . . . . . . . . . . . . . . 601

Appendix B About the CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637


CONTENTS

Preface . . . . xxvii
Acknowledgments . . . . xxix
Introduction . . . . xxxi

Part I Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 1 General Security Concepts . . . . 3
    The Security+ Exam . . . . 4
    Basic Security Terminology . . . . 6
        Security Basics . . . . 6
        Access Control . . . . 16
        Authentication . . . . 19
    Chapter Review . . . . 20
        Quick Tips . . . . 20
        Questions . . . . 21
        Answers . . . . 24

Chapter 2 Operational Organizational Security . . . . 27
    Policies, Standards, Guidelines, and Procedures . . . . 27
    The Security Perimeter . . . . 28
    Logical Access Controls . . . . 30
        Access Control Policies . . . . 30
        Social Engineering . . . . 34
    Organizational Policies and Procedures . . . . 38
        Code of Ethics . . . . 47
    Chapter Review . . . . 48
        Questions . . . . 48
        Answers . . . . 51

Chapter 3 Legal Issues, Privacy, and Ethics . . . . 53
    Cybercrime . . . . 54
        Common Internet Crime Schemes . . . . 55
        Sources of Laws . . . . 56
        Computer Trespass . . . . 56
        Significant U.S. Laws . . . . 57
        Payment Card Industry Data Security Standards (PCI DSS) . . . . 59
        Import/Export Encryption Restrictions . . . . 60
        Digital Signature Laws . . . . 63
        Digital Rights Management . . . . 65
    Privacy . . . . 66
        U.S. Privacy Laws . . . . 66
        European Laws . . . . 67


    Ethics . . . . 68
        SANS Institute IT Code of Ethics . . . . 69
    Chapter Review . . . . 71
        Questions . . . . 71
        Answers . . . . 73

Part II Cryptography and Applications . . . . 75

Chapter 4 Cryptography . . . . 77
    Algorithms . . . . 78
    Hashing . . . . 82
        SHA . . . . 83
        RIPEMD . . . . 85
        Message Digest . . . . 85
        Hashing Summary . . . . 87
    Symmetric Encryption . . . . 87
        DES . . . . 88
        3DES . . . . 90
        AES . . . . 90
        CAST . . . . 92
        RC . . . . 92
        Blowfish . . . . 94
        Twofish . . . . 95
        IDEA . . . . 95
        Symmetric Encryption Summary . . . . 96
    Asymmetric Encryption . . . . 96
        RSA . . . . 97
        Diffie-Hellman . . . . 98
        ElGamal . . . . 98
        ECC . . . . 99
        Asymmetric Encryption Summary . . . . 100
    Quantum Cryptography . . . . 100
    Steganography . . . . 100
    Cryptography Algorithm Use . . . . 101
        Confidentiality . . . . 101
        Integrity . . . . 102
        Nonrepudiation . . . . 102
        Authentication . . . . 102
        Digital Signatures . . . . 103
        Key Escrow . . . . 104
        Transport Encryption . . . . 104
        Cryptographic Applications . . . . 104
    Chapter Review . . . . 106
        Questions . . . . 106
        Answers . . . . 108


Chapter 5 Public Key Infrastructure . . . . 111
    The Basics of Public Key Infrastructures . . . . 111
    Certificate Authorities . . . . 114
    Registration Authorities . . . . 115
        Local Registration Authorities . . . . 118
    Certificate Repositories . . . . 118
    Trust and Certificate Verification . . . . 118
    Digital Certificates . . . . 122
        Certificate Attributes . . . . 123
        Certificate Extensions . . . . 125
        Certificate Lifecycles . . . . 126
    Centralized or Decentralized Infrastructures . . . . 132
        Hardware Storage Devices . . . . 133
    Private Key Protection . . . . 134
        Key Recovery . . . . 135
        Key Escrow . . . . 137
    Public Certificate Authorities . . . . 138
    In-house Certificate Authorities . . . . 139
    Outsourced Certificate Authorities . . . . 140
    Tying Different PKIs Together . . . . 141
        Trust Models . . . . 142
    Chapter Review . . . . 148
        Questions . . . . 149
        Answers . . . . 154

Chapter 6 Standards and Protocols . . . . 157
    PKIX/PKCS . . . . 159
        PKIX Standards . . . . 160
        PKCS . . . . 165
        Why You Need to Know the PKIX and PKCS Standards . . . . 166
    X.509 . . . . 167
    SSL/TLS . . . . 168
    ISAKMP . . . . 170
    CMP . . . . 171
    XKMS . . . . 172
    S/MIME . . . . 174
        IETF S/MIME v3 Specifications . . . . 175
    PGP . . . . 176
        How PGP Works . . . . 176
    HTTPS . . . . 178
    IPsec . . . . 178
    CEP . . . . 178
    FIPS . . . . 179
    Common Criteria (CC) . . . . 179
    WTLS . . . . 179
    PPTP . . . . 180


    WEP . . . . . . . . 180
        WEP Security Issues . . . . . . . . 180
    ISO/IEC 27002 (Formerly ISO 17799) . . . . . . . . 180
    Chapter Review . . . . . . . . 181
        Questions . . . . . . . . 182
        Answers . . . . . . . . 184
Part III Security in the Infrastructure . . . . . . . . 185
Chapter 7 Physical Security . . . . . . . . 187
    The Security Problem . . . . . . . . 187
    Physical Security Safeguards . . . . . . . . 190
        Walls and Guards . . . . . . . . 190
        Policies and Procedures . . . . . . . . 191
        Access Controls and Monitoring . . . . . . . . 194
        Environmental Controls . . . . . . . . 197
        Fire Suppression . . . . . . . . 198
        Authentication . . . . . . . . 201
    Chapter Review . . . . . . . . 205
        Questions . . . . . . . . 205
        Answers . . . . . . . . 208
Chapter 8 Infrastructure Security . . . . . . . . 209
    Devices . . . . . . . . 209
        Workstations . . . . . . . . 210
        Servers . . . . . . . . 212
        Network Interface Cards . . . . . . . . 213
        Hubs . . . . . . . . 214
        Bridges . . . . . . . . 214
        Switches . . . . . . . . 214
        Routers . . . . . . . . 216
        Firewalls . . . . . . . . 217
        Wireless . . . . . . . . 220
        Modems . . . . . . . . 222
        Telecom/PBX . . . . . . . . 223
        RAS . . . . . . . . 223
        VPN . . . . . . . . 224
        Intrusion Detection Systems . . . . . . . . 224
        Network Access Control . . . . . . . . 224
        Network Monitoring/Diagnostic . . . . . . . . 225
        Virtualization . . . . . . . . 226
        Mobile Devices . . . . . . . . 226
    Media . . . . . . . . 227
        Coaxial Cable . . . . . . . . 227
        UTP/STP . . . . . . . . 228
        Fiber . . . . . . . . 229


        Unguided Media . . . . . . . . 230
    Security Concerns for Transmission Media . . . . . . . . 232
        Physical Security . . . . . . . . 232
    Removable Media . . . . . . . . 233
        Magnetic Media . . . . . . . . 233
        Optical Media . . . . . . . . 235
        Electronic Media . . . . . . . . 236
    The Cloud . . . . . . . . 237
        Software as a Service . . . . . . . . 238
        Platform as a Service . . . . . . . . 238
        Infrastructure as a Service . . . . . . . . 238
    Security Topologies . . . . . . . . 238
        Security Zones . . . . . . . . 239
        Telephony . . . . . . . . 242
        VLANs . . . . . . . . 242
        NAT . . . . . . . . 244
    Tunneling . . . . . . . . 245
    Chapter Review . . . . . . . . 246
        Questions . . . . . . . . 246
        Answers . . . . . . . . 248
Chapter 9 Authentication and Remote Access . . . . . . . . 251
    The Remote Access Process . . . . . . . . 251
        Identification . . . . . . . . 252
        Authentication . . . . . . . . 253
        Authorization . . . . . . . . 257
    IEEE 802.1X . . . . . . . . 257
    RADIUS . . . . . . . . 258
        RADIUS Authentication . . . . . . . . 258
        RADIUS Authorization . . . . . . . . 260
        RADIUS Accounting . . . . . . . . 260
        DIAMETER . . . . . . . . 260
    TACACS+ . . . . . . . . 261
        TACACS+ Authentication . . . . . . . . 261
        TACACS+ Authorization . . . . . . . . 263
        TACACS+ Accounting . . . . . . . . 263
    L2TP and PPTP . . . . . . . . 264
        PPTP . . . . . . . . 264
        PPP . . . . . . . . 266
        CHAP . . . . . . . . 266
        PAP . . . . . . . . 267
        EAP . . . . . . . . 267
        L2TP . . . . . . . . 267
    NT LAN Manager . . . . . . . . 267
    Telnet . . . . . . . . 268
    FTP/FTPS/SFTP . . . . . . . . 268


    SSH . . . . . . . . 269
    IEEE 802.11 . . . . . . . . 270
    VPNs . . . . . . . . 271
    IPsec . . . . . . . . 272
        Security Associations . . . . . . . . 273
        IPsec Configurations . . . . . . . . 273
        IPsec Security . . . . . . . . 275
    Vulnerabilities . . . . . . . . 279
    Chapter Review . . . . . . . . 279
        Questions . . . . . . . . 281
        Answers . . . . . . . . 283
Chapter 10 Wireless Security . . . . . . . . 285
    Wireless Networking . . . . . . . . 285
        Mobile Phones . . . . . . . . 286
        Bluetooth . . . . . . . . 290
        802.11 . . . . . . . . 291
    Chapter Review . . . . . . . . 300
        Questions . . . . . . . . 300
        Answers . . . . . . . . 302
Part IV Security in Transmissions . . . . . . . . 305
Chapter 11 Intrusion Detection Systems . . . . . . . . 307
    History of Intrusion Detection Systems . . . . . . . . 308
    IDS Overview . . . . . . . . 309
    Host-based IDSs . . . . . . . . 310
        Advantages of HIDSs . . . . . . . . 314
        Disadvantages of HIDSs . . . . . . . . 315
        Active vs. Passive HIDSs . . . . . . . . 316
        Resurgence and Advancement of HIDSs . . . . . . . . 316
    PC-based Malware Protection . . . . . . . . 317
        Antivirus Products . . . . . . . . 317
        Personal Software Firewalls . . . . . . . . 319
        Pop-up Blocker . . . . . . . . 322
        Windows Defender . . . . . . . . 323
    Network-based IDSs . . . . . . . . 324
        Advantages of a NIDS . . . . . . . . 329
        Disadvantages of a NIDS . . . . . . . . 329
        Active vs. Passive NIDSs . . . . . . . . 329
    Signatures . . . . . . . . 330
    False Positives and Negatives . . . . . . . . 332
    IDS Models . . . . . . . . 332
    Intrusion Prevention Systems . . . . . . . . 334
        Detection Controls vs. Prevention Controls . . . . . . . . 335
    Honeypots and Honeynets . . . . . . . . 336
    Firewalls . . . . . . . . 338


    Web Application Firewalls vs. Network Firewalls . . . . . . . . 338
    Proxy Servers . . . . . . . . 338
    Internet Content Filters . . . . . . . . 340
    Web Security Gateway . . . . . . . . 340
    Protocol Analyzers . . . . . . . . 341
    Network Mappers . . . . . . . . 343
    Anti-spam . . . . . . . . 343
    All-in-one Security Appliances . . . . . . . . 345
    Chapter Review . . . . . . . . 346
        Questions . . . . . . . . 346
        Answers . . . . . . . . 350
Chapter 12 Security Baselines . . . . . . . . 353
    Overview Baselines . . . . . . . . 354
    Password Selection . . . . . . . . 354
        Password Policy Guidelines . . . . . . . . 354
        Selecting a Password . . . . . . . . 357
        Components of a Good Password . . . . . . . . 357
        Password Aging . . . . . . . . 358
    Operating System and Network Operating System Hardening . . . . . . . . 358
        Hardening Microsoft Operating Systems . . . . . . . . 360
        Hardening UNIX- or Linux-Based Operating Systems . . . . . . . . 362
    Network Hardening . . . . . . . . 378
        Software Updates . . . . . . . . 378
        Device Configuration . . . . . . . . 379
        Ports and Services . . . . . . . . 380
        Traffic Filtering . . . . . . . . 383
        Securing Management Interfaces . . . . . . . . 386
        VLAN Management . . . . . . . . 386
        IPv4 vs. IPv6 . . . . . . . . 386
    Application Hardening . . . . . . . . 387
        Application Configuration Baseline . . . . . . . . 387
        Application Patches . . . . . . . . 387
        Patch Management . . . . . . . . 388
        Web Servers . . . . . . . . 390
        Mail Servers . . . . . . . . 393
        FTP Servers . . . . . . . . 395
        DNS Servers . . . . . . . . 396
        File and Print Services . . . . . . . . 397
        Active Directory . . . . . . . . 397
        Host Software Baselining . . . . . . . . 398
    Group Policies . . . . . . . . 398
        Security Templates . . . . . . . . 400
    Chapter Review . . . . . . . . 402
        Questions . . . . . . . . 402
        Answers . . . . . . . . 406


Chapter 13 Types of Attacks and Malicious Software . . . . . . . . 409
    Avenues of Attack . . . . . . . . 409
        The Steps in an Attack . . . . . . . . 410
        Minimizing Possible Avenues of Attack . . . . . . . . 412
    Attacking Computer Systems and Networks . . . . . . . . 412
        Denial-of-Service Attacks . . . . . . . . 412
        Backdoors and Trapdoors . . . . . . . . 416
        Null Sessions . . . . . . . . 416
        Sniffing . . . . . . . . 417
        Spoofing . . . . . . . . 418
        Man-in-the-Middle Attacks . . . . . . . . 422
        Replay Attacks . . . . . . . . 423
        TCP/IP Hijacking . . . . . . . . 423
        Attacks on Encryption . . . . . . . . 423
        Address System Attacks . . . . . . . . 425
        Password Guessing . . . . . . . . 425
        Software Exploitation . . . . . . . . 427
        Client-Side Attacks . . . . . . . . 428
        Malicious Code . . . . . . . . 429
        Secure Software Development Lifecycle . . . . . . . . 435
        War-Dialing and War-Driving . . . . . . . . 436
        Social Engineering . . . . . . . . 437
    Auditing . . . . . . . . 438
    Chapter Review . . . . . . . . 439
        Questions . . . . . . . . 439
        Answers . . . . . . . . 442
Chapter 14 E-Mail and Instant Messaging . . . . . . . . 445
    Security of E-Mail . . . . . . . . 445
    Malicious Code . . . . . . . . 446
    Hoax E-Mails . . . . . . . . 448
    Unsolicited Commercial E-Mail (Spam) . . . . . . . . 449
    Mail Encryption . . . . . . . . 452
    Instant Messaging . . . . . . . . 456
    Chapter Review . . . . . . . . 458
        Questions . . . . . . . . 459
        Answers . . . . . . . . 461
Chapter 15 Web Components . . . . . . . . 463
    Current Web Components and Concerns . . . . . . . . 464
    Protocols . . . . . . . . 464
        Encryption (SSL and TLS) . . . . . . . . 464
        The Web (HTTP and HTTPS) . . . . . . . . 471
        Directory Services (DAP and LDAP) . . . . . . . . 472
        File Transfer (FTP and SFTP) . . . . . . . . 474
        Vulnerabilities . . . . . . . . 475


    Code-Based Vulnerabilities . . . . . . . . 475
        Buffer Overflows . . . . . . . . 476
        Java and JavaScript . . . . . . . . 477
        ActiveX . . . . . . . . 479
        Securing the Browser . . . . . . . . 481
        CGI . . . . . . . . 481
        Server-Side Scripts . . . . . . . . 482
        Cookies . . . . . . . . 482
        Signed Applets . . . . . . . . 485
        Browser Plug-ins . . . . . . . . 486
    Application-Based Weaknesses . . . . . . . . 487
        Open Vulnerability and Assessment Language (OVAL) . . . . . . . . 488
    Chapter Review . . . . . . . . 489
        Questions . . . . . . . . 489
        Answers . . . . . . . . 492
Part V Operational Security . . . . . . . . 493
Chapter 16 Disaster Recovery and Business Continuity . . . . . . . . 495
    Disaster Recovery . . . . . . . . 495
        Disaster Recovery Plans/Process . . . . . . . . 496
        Backups . . . . . . . . 499
        Utilities . . . . . . . . 507
        Secure Recovery . . . . . . . . 508
        High Availability and Fault Tolerance . . . . . . . . 508
        Failure and Recovery Timing . . . . . . . . 509
    Chapter Review . . . . . . . . 510
        Questions . . . . . . . . 510
        Answers . . . . . . . . 513
Chapter 17 Risk Management . . . . . . . . 515
    An Overview of Risk Management . . . . . . . . 515
        Example of Risk Management at the International Banking Level . . . . . . . . 516
        Key Terms for Understanding Risk Management . . . . . . . . 516
    What Is Risk Management? . . . . . . . . 518
    Business Risks . . . . . . . . 519
        Examples of Business Risks . . . . . . . . 519
        Examples of Technology Risks . . . . . . . . 520
    Risk Management Models . . . . . . . . 521
        General Risk Management Model . . . . . . . . 522
        Software Engineering Institute Model . . . . . . . . 525
        Model Application . . . . . . . . 525
    Qualitatively Assessing Risk . . . . . . . . 526
    Quantitatively Assessing Risk . . . . . . . . 528
    Qualitative vs. Quantitative Risk Assessment . . . . . . . . 531


    Tools . . . . . . . . 532
    Chapter Review . . . . . . . . 533
        Questions . . . . . . . . 533
        Answers . . . . . . . . 535
Chapter 18 Change Management . . . . . . . . 537
    Why Change Management? . . . . . . . . 538
    The Key Concept: Separation (Segregation) of Duties . . . . . . . . 540
    Elements of Change Management . . . . . . . . 542
    Implementing Change Management . . . . . . . . 544
        The Purpose of a Change Control Board . . . . . . . . 546
        Code Integrity . . . . . . . . 548
    The Capability Maturity Model Integration . . . . . . . . 548
    Chapter Review . . . . . . . . 550
        Questions . . . . . . . . 550
        Answers . . . . . . . . 552
Chapter 19 Privilege Management . . . . . . . . 555
    User, Group, and Role Management . . . . . . . . 556
        User . . . . . . . . 556
        Groups . . . . . . . . 558
        Role . . . . . . . . 558
    Password Policies . . . . . . . . 559
        Domain Password Policy . . . . . . . . 560
    Single Sign-On . . . . . . . . 561
    Centralized vs. Decentralized Management . . . . . . . . 562
        Centralized Management . . . . . . . . 562
        Decentralized Management . . . . . . . . 563
        The Decentralized, Centralized Model . . . . . . . . 564
    Auditing (Privilege, Usage, and Escalation) . . . . . . . . 564
        Privilege Auditing . . . . . . . . 564
        Usage Auditing . . . . . . . . 565
        Escalation Auditing . . . . . . . . 566
    Logging and Auditing of Log Files . . . . . . . . 567
        Common Logs . . . . . . . . 567
        Periodic Audits of Security Settings . . . . . . . . 568
    Handling Access Control (MAC, DAC, and RBAC) . . . . . . . . 569
        Mandatory Access Control (MAC) . . . . . . . . 569
        Discretionary Access Control (DAC) . . . . . . . . 571
        Role-based Access Control (RBAC) . . . . . . . . 572
        Rule-based Access Control (RBAC) . . . . . . . . 572
        Account Expiration . . . . . . . . 573
    Permissions and Rights in Windows Operating Systems . . . . . . . . 573
    Chapter Review . . . . . . . . 575
        Questions . . . . . . . . 576
        Answers . . . . . . . . 578


Chapter 20 Computer Forensics  581
  Evidence  583
    Standards for Evidence  583
    Types of Evidence  584
    Three Rules Regarding Evidence  584
  Collecting Evidence  585
    Acquiring Evidence  585
    Identifying Evidence  587
    Protecting Evidence  588
    Transporting Evidence  588
    Storing Evidence  588
    Conducting the Investigation  589
  Chain of Custody  591
  Free Space vs. Slack Space  592
    Free Space  592
    Slack Space  592
  Message Digest and Hash  592
  Analysis  593
  Chapter Review  595
    Questions  595
    Answers  597

Part VI Appendixes  599

Appendix A OSI Model and Internet Protocols  601
  Networking Frameworks and Protocols  601
  OSI Model  602
    Application Layer  604
    Presentation Layer  605
    Session Layer  605
    Transport Layer  605
    Network Layer  606
    Data-Link Layer  606
    Physical Layer  606
  Internet Protocols  606
    TCP  607
    UDP  607
    IP  607
    Message Encapsulation  608
  Review  609

Appendix B About the CD  611
  System Requirements  611
  LearnKey Online Training  611
  Installing and Running MasterExam  611
    MasterExam  612


  Electronic Book  612
  Help  612
  Removing Installation(s)  612
  Technical Support  612
    LearnKey Technical Support  612

Glossary  613

Index  637


PREFACE

Information and computer security has moved from the confines of academia to mainstream America in the last decade. From the CodeRed, Nimda, and Slammer attacks, to data disclosures, to today's Advanced Persistent Threat (APT), incidents that were heavily covered in the media and broadcast into the average American's home, information security has become a common topic. It has become increasingly obvious to everybody that something needs to be done in order to secure not only our nation's critical infrastructure but also the businesses we deal with on a daily basis. The question is, "Where do we begin?" What can the average information technology professional do to secure the systems that he or she is hired to maintain? One immediate answer is education and training. If we want to secure our computer systems and networks, we need to know how to do this and what security entails.

Complacency is not an option in today's hostile network environment. While we once considered the insider to be the major threat to corporate networks, and the "script kiddie" to be the standard external threat (often thought of as only a nuisance), the highly interconnected networked world of today is a much different place. The U.S. government identified eight critical infrastructures a few years ago that were thought to be so crucial to the nation's daily operation that if one were to be lost, it would have a catastrophic impact on the nation. To this original set of eight sectors, more have recently been added, and they now total 17. A common thread throughout all of these, however, is technology, especially technology related to computers and communication. Thus, if an individual, organization, or nation wanted to cause damage to this nation, it could attack not just with traditional weapons but also with computers through the Internet. It is not surprising to hear that among the other information seized in raids on terrorist organizations, computers and Internet information are usually seized as well. While the insider can certainly still do tremendous damage to an organization, the external threat is again becoming the chief concern among many.

So, where do you, the IT professional seeking more knowledge on security, start your studies? The IT world is overflowing with certifications that can be obtained by those attempting to learn more about their chosen profession. The security sector is no different, and the CompTIA Security+ exam offers a basic level of certification for security. In the pages of this exam guide, you will find not only material that can help you prepare for taking the CompTIA Security+ examination, but also the basic information that you will need in order to understand the issues involved in securing your computer systems and networks today. In no way is this exam guide the final source for learning all about protecting your organization's systems, but it serves as a point from which to launch your security studies and career.


One thing is certainly true about this field of study: it never gets boring. It constantly changes as technology itself advances. Something else you will find as you progress in your security studies is that no matter how much technology advances and no matter how many new security devices are developed, at its most basic level, the human is still the weak link in the security chain. If you are looking for an exciting area to delve into, then you have certainly chosen wisely. Security offers a challenging blend of technology and people issues. We, the authors of this exam guide, wish you luck as you embark on an exciting and challenging career path.

—Wm. Arthur Conklin
—Gregory B. White, Ph.D.


ACKNOWLEDGMENTS

We, the authors of CompTIA Security+ Certification All-in-One Exam Guide, have many individuals whom we need to acknowledge, individuals without whom this effort would not have been successful.

The list needs to start with those folks at McGraw-Hill who worked tirelessly with the project's multiple authors and contributors and led us successfully through the minefield that is a book schedule, and who took our rough chapters and drawings and turned them into a final, professional product we can be proud of. We thank all the good people from the Acquisitions team, Tim Green and Stephanie Evans; from the Editorial Services team, Patty Mon; and from the Illustration and Production team, George Anderson. We also thank the technical editor, Bobby Rogers; the project editor, Rachel Gunn; the copyeditor, Margaret Berson; the proofreaders; and the indexer, Jack Lewis, for all their attention to detail that made this a finer work after they finished with it.

We also need to acknowledge our current employers, who, to our great delight, have seen fit to pay us to work in a career field that we all find exciting and rewarding. There is never a dull moment in security because it is constantly changing.

We would like to thank Art Conklin for herding the cats on this one.

Finally, we would each like to thank those people who—on a personal basis—have provided the core support for us individually. Without these special people in our lives, none of us could have put this work together.

I would like to thank my wife, Charlan, for the tremendous support she has always given me. Through numerous moves, assignments, and jobs, you have always been supportive and willing to put up with yet one more crazy project that I always seem to get involved in. I would also like to publicly thank the United States Air Force, which provided me numerous opportunities since 1986 to learn more about security than I ever knew existed.

—Gregory B. White, Ph.D.

To Susan, my muse and love, for all the time you suffered as I work on books.

—Art Conklin, Ph.D.

Special thanks to Josie for all her support.

—Chuck Cothren

Geena, thanks for being my best friend and my greatest support. Anything I am is because of you. Love to my kids and grandkids!

—Roger L. Davis

To my wife and best friend, Leah, for your love, energy, and support—thank you for always being there. To my kids—this is what Daddy was typing on the computer!

—Dwayne Williams


INTRODUCTION

Computer security is becoming increasingly important today as the number of security incidents steadily climbs. Many corporations now spend significant portions of their budgets on security hardware, software, services, and personnel. They are spending this money not because it increases sales or enhances the product they provide, but because of the possible consequences should they not take protective actions.

Why Focus on Security?

Security is not something that we want to have to pay for; it would be nice if we didn't have to worry about protecting our data from disclosure, modification, or destruction by unauthorized individuals, but that is not the environment we find ourselves in today. Instead, we have seen the cost of recovering from security incidents steadily rise along with the number of incidents themselves. Since September 11, 2001, this has taken on an even greater sense of urgency, as we now face securing our systems not just from attack by disgruntled employees, juvenile hackers, organized crime, or competitors; we now also have to consider the possibility of attacks on our systems from terrorist organizations. If nothing else, the events of September 11, 2001, showed that anybody is a potential target. You do not have to be part of the government or a government contractor; being an American is sufficient reason to make you a target to some, and with the global nature of the Internet, collateral damage from cyber attacks on one organization could have a worldwide impact.

A Growing Need for Security Specialists

In order to protect our computer systems and networks, we will need a significant number of new security professionals trained in the many aspects of computer and network security. This is not an easy task, as the systems connected to the Internet become increasingly complex, with software whose lines of code number in the millions. Understanding why this is such a difficult problem to solve is not hard if you consider just how many errors might be present in a piece of software that is several million lines long. When you add the additional factor of how fast software is being developed—from necessity, as the market is constantly changing—understanding how errors occur is easy.

Not every "bug" in the software will result in a security hole, but it doesn't take many to have a drastic effect on the Internet community. We can't just blame the vendors for this situation because they are reacting to the demands of government and industry. Most vendors are fairly adept at developing patches for flaws found in their software, and patches are constantly being issued to protect systems from bugs that may introduce security problems. This introduces a whole new problem for managers and administrators—patch management. How important this has become is easily illustrated by how many recent security incidents have resulted from a security bug that was discovered months before the incident, and for which a patch had been available all along but had not been correctly installed. One of the reasons this happens is that many of the individuals responsible for installing patches are not trained to understand the security implications of the hole or the ramifications of leaving it unpatched; they simply lack the necessary training.

Because of the need for an increasing number of security professionals who are trained to some minimum level of understanding, certifications such as the Security+ have been developed. Prospective employers want to know that the individual they are considering hiring knows what to do in terms of security. The prospective employee, in turn, wants to have a way to demonstrate his or her level of understanding, which can enhance the candidate’s chances of being hired. The community as a whole simply wants more trained security professionals.

Preparing Yourself for the Security+ Exam

CompTIA Security+ Certification All-in-One Exam Guide is designed to help prepare you to take the CompTIA Security+ certification exam SY0-301. When you pass it, you will demonstrate that you have that basic understanding of security that employers are looking for. Passing this certification exam will not be an easy task, for you will need to learn many things to acquire that basic understanding of computer and network security.

How This Book Is Organized

The book is divided into sections and chapters to correspond with the objectives of the exam itself. Some of the chapters are more technical than others, reflecting the nature of the security environment, where you will be forced to deal with not only technical details but also other issues, such as security policies and procedures as well as training and education. Although many individuals involved in computer and network security have advanced degrees in math, computer science, information systems, or computer or electrical engineering, you do not need this technical background to address security effectively in your organization. You do not need to develop your own cryptographic algorithm, for example; you simply need to be able to understand how cryptography is used along with its strengths and weaknesses. As you progress in your studies, you will learn that many security problems are caused by the human element. The best technology in the world still ends up being placed in an environment where humans have the opportunity to foul things up, and all too often do.

Part I: Security Concepts The book begins with an introduction to some of the basic elements of security.

Part II: Cryptography and Applications Cryptography is an important part of security, and this part covers this topic in detail. The purpose is not to make cryptographers out of readers but to instead provide a basic understanding of how cryptography works and what goes into a basic cryptographic scheme. An important subject in cryptography, and one that is essential for the reader to understand, is the creation of public key infrastructures, and this topic is covered as well.


Part III: Security in the Infrastructure The next part concerns infrastructure issues. In this case, we are not referring to the critical infrastructures identified by the White House several years ago (identifying sectors such as telecommunications, banking and finance, oil and gas, and so forth) but instead the various components that form the backbone of an organization's security structure.

Part IV: Security in Transmissions This part discusses communications security. This is an important aspect of security because, for years now, we have connected our computers together into a vast array of networks. Various protocols in use today that the security practitioner needs to be aware of are discussed in this part.

Part V: Operational Security This part addresses operational and organizational issues. This is where we depart from a discussion of technology again and will instead discuss how security is accomplished in an organization. Because we know that we will not be absolutely successful in our security efforts (attackers are always finding new holes and ways around our security defenses), one of the most important topics we will address is the subject of security incident response and recovery. Also included is a discussion of change management (addressing the subject we alluded to earlier when addressing the problems with patch management), security awareness and training, incident response, and forensics.

Part VI: Appendixes There are two appendixes in CompTIA Security+ All-in-One Exam Guide. Appendix A provides an additional in-depth explanation of the OSI model and Internet protocols, should this information be new to you, and Appendix B explains how best to use the CD-ROM included with this book.

Glossary Located just before the index, you will find a useful glossary of security terminology, including many related acronyms and their meanings. We hope that you use the glossary frequently and find it to be a useful study aid as you work your way through the various topics in this exam guide.

Special Features of the All-in-One Certification Series

To make our exam guides more useful and a pleasure to read, we have designed the All-in-One Certification series to include several conventions.

Icons

To alert you to an important bit of advice, a shortcut, or a pitfall, you'll occasionally see Notes, Tips, Cautions, and Exam Tips peppered throughout the text.

NOTE  Notes offer nuggets of especially helpful stuff, background explanations, and information; terms are occasionally defined in them as well.


TIP  Tips provide suggestions and nuances to help you learn to finesse your job. Take a tip from us and read the Tips carefully.

CAUTION  When you see a Caution, pay special attention. Cautions appear when you have to make a crucial choice or when you are about to undertake something that may have ramifications you might not immediately anticipate. Read them now so you don't have regrets later.

EXAM TIP  Exam Tips give you special advice or may provide information specifically related to preparing for the exam itself.

End-of-Chapter Reviews and Chapter Tests

An important part of this book comes at the end of each chapter, where you will find a brief review of the high points along with a series of questions followed by the answers to those questions. Each question is in multiple-choice format. The answers provided also include a small discussion explaining why the correct answer actually is the correct answer.

The questions are provided as a study aid to you, the reader and prospective Security+ exam taker. We obviously can't guarantee that if you answer all of our questions correctly you will absolutely pass the certification exam. Instead, what we can guarantee is that the questions will provide you with an idea about how ready you are for the exam.

The CD-ROM

CompTIA Security+ Certification All-in-One Exam Guide also provides you with a CD-ROM of even more test questions and their answers to help you prepare for the certification exam. Read more about the companion CD-ROM in Appendix B.

Onward and Upward

At this point, we hope that you are now excited about the topic of security, even if you weren't in the first place. We wish you luck in your endeavors and welcome you to the exciting field of computer and network security.
