Introduction

The Security+ certification was developed by the Computer Technology Industry Association (CompTIA) to provide an industry-wide means of certifying the competency of computer and network administrators in the basics of securing their systems and networks. The security professional’s job is to protect the confidentiality, integrity, and availability of the organization’s valuable information assets.

According to CompTIA, the Security+ certification

. . . validates knowledge of communication security, infrastructure security, cryptography, operational security, and general security concepts. It is an international, vendor-neutral certification that is taught at colleges, universities and commercial training centers around the world.

Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years on-the-job networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended.

Because human error is the number one cause for a network security breach, CompTIA Security+ is recognized by the technology community as a valuable credential that proves competency with information security.

Major corporations such as Sun, IBM/Tivoli Software Group, Symantec, Motorola, Hitachi Electronics Services, and VeriSign value the CompTIA Security+ certification and recommend or require it of their IT employees.

Although most books that target certification candidates present material for you to memorize before the exam, this book is different. It guides you through procedures and tasks that solidify related concepts, thus allowing you to devote your memorization efforts to more abstract theories because you’ve mastered the practical topics through doing. Even if you do not aspire to become a security professional, this book can be a valuable primer for your career.

What Is Security+ Certification?

The Security+ certification was created to offer a foundational step into the complex world of securing information technology systems. Security+ candidates must take the Security+ exam (Exam #SY0-301), which covers various security concepts. This exam was updated for 2011 to include a broader range of security-related IT issues, like forensics, cyber security, botnets, and emerging threats. In addition, the exam was updated to cover recent and newer technologies.


A detailed list of the Security+ SY0-301 exam objectives is presented in this introduction; see the section “The Security+ Exam Objectives.”

Obtaining the Security+ certification does not mean you can provide sufficient system and network security services to a company. In fact, this is just the first step toward true technical knowledge and experience. By obtaining Security+ certification, you will be able to obtain more computer and network security administration experience in order to pursue more complex and in-depth knowledge and certifications.

For the latest pricing on the exam and updates to the registration procedures, call either Prometric at (866) 776-6387 or (800) 776-4276 or Pearson VUE at (877) 551-7587. You can also go to either www.2test.com or www.prometric.com (for Prometric) or www.vue.com (for Pearson VUE) for additional information or to register online. If you have further questions about the scope of the exams or related CompTIA programs, refer to the CompTIA website at www.comptia.org.

Is This Book for You?

Security Administrator Street Smarts, Third Edition is designed to give you insight into the world of a typical system and network security technician by walking you through some of the daily tasks you can expect on the job. We recommend that you invest in certain equipment to get the full effect from this book. However, much value can be derived from simply reading through the tasks without performing the steps on live equipment. Organized classes and study groups are the ideal structures for obtaining and practicing with the recommended equipment.


The CompTIA Security+ Study Guide, Fifth Edition and CompTIA Security+ Deluxe Study Guide, Second Edition, both from Sybex (2011), are recommended companions to this book in your studies for the CompTIA Security+ certification.

How This Book Is Organized

This book is organized into an initial system-setup procedure followed by 10 phases. Each phase is separated into individual tasks. The phases represent broad categories under which related responsibilities are grouped. The tasks within each phase lead you step by step through the processes required for successful completion. When performed in order, the tasks in this book approximate those required by a system security administrator over an extended period of time. The phases and their descriptions are as follows:

  • Phase 1—The Grunt Work of Security presents the initial and essential objectives that a security professional needs to have in place to understand, establish the basis for, implement, and enforce security within an organization.
  • Phase 2—Hardening Systems shows you where the most common vulnerabilities exist within a system: the attack points, how to identify them, and how to minimize the attack surface of a system. This phase also addresses system virtualization.
  • Phase 3—Malicious Software shows you how to implement filters, scanners, and other tools to defend the system against inbound threats, such as viruses, worms, spyware, and rootkits.
  • Phase 4—Secure Storage provides real-world tools and techniques to ensure that data, while residing on a system, will remain secure. Discussed are the use of file, folder, and whole-disk encryption; the assignment of permissions following the principle of least privilege; and the implementation of fault tolerance.
  • Phase 5—Managing User Accounts presents procedures related to user accounts that every computer network should have implemented. These procedures include implementing a strong password policy and securing default user accounts, such as the Administrator and the Guest accounts.
  • Phase 6—Network Security shows you how to configure encryption for data while it’s in transit on the corporate network, and between the telecommuter and the corporate headquarters (via VPNs) using various VPN technologies, including the newer Advanced Encryption Standard (AES). Further, it shows how to configure basic firewall rules and how to configure a wireless network with acceptable security using 802.11i and WPA.
  • Phase 7—Securing Internet Activity shows you how to secure your Microsoft Internet Explorer, email, and IP settings, and how to use digital certificates in a Public Key Infrastructure (PKI) environment.
  • Phase 8—Security Testing presents the use of security assessment tools to evaluate the general strength of a system, and penetration-testing tools to view your systems as an attacker would see them.
  • Phase 9—Investigating Incidents shows you how to operate like a forensics investigator and how to track down and uncover hidden details of some earlier security-related event. You will learn how to configure auditing and review audit logs, how to perform a memory dump to record the contents of physical RAM, how to recover deleted files and folders, and how to use and understand a sniffer on the network to view the network traffic.
  • Phase 10—Security Troubleshooting examines multiple procedures to perform disaster recovery and focuses on Safe mode, Last Known Good Configuration, and System Recovery. It also looks at procedures and tools to sanitize media for secure destruction of confidential data to allow for reuse of magnetic media. Finally, this phase takes a look at implementing a host-based intrusion detection system (HIDS).

Each task in this book is organized into sections aimed at giving you what you need when you need it. The first section introduces you to the task and any key concepts that can assist you in understanding the underlying technology and the overall procedure. The following describes the remaining sections:

  • Scenario—This section places you in the shoes of the PC support technician, describing a situation in which you will likely find yourself. The scenario is closely related to and often solved by the task at hand.
  • Scope of Task—This section is all about preparing for the task. It gives you an idea of how much time is required to complete the task, what setup procedure is needed before beginning, and any concerns or issues to look out for.
  • Procedure—This is the meat of the task itself. This section lists the equipment required to perform the task in a lab environment. It also gives you the ordered steps to complete the task.
  • Criteria for Completion—This final section briefly explains the outcome you should expect after completing the task. Any deviation from the result described is an excellent reason to perform the task again and watch for sources of the variation.

How to Contact the Publisher

Sybex welcomes feedback on all of its titles. Visit the Sybex website at www.sybex.com for book updates and additional certification information. You’ll also find forms you can use to submit comments or suggestions regarding this or any other Sybex title.

The Security+ Exam Objectives

The following presents the detailed exam objectives for the Security+ (SY0-301) exam.


At the beginning of each of the phases of this book, we’ve included the supported domains of the Security+ exam objectives. Exam objectives are subject to change at any time without prior notice and at CompTIA’s sole discretion. Please visit the Security+ Certification page of CompTIA’s website (http://www.comptia.org/Libraries/Exam_Objectives/CompTIA_Security_SY0-301.sflb.ashx) for the most current listing of exam objectives.

The following table lists the domains measured by this examination and the extent to which they are represented on the exam. A more detailed breakdown of the exam objectives follows the table.

Domain                                        Percentage of examination
1.0 Network Security                          21%
2.0 Compliance and Operational Security       18%
3.0 Threats and Vulnerabilities               21%
4.0 Application, Data and Host Security       16%
5.0 Access Control and Identity Management    13%
6.0 Cryptography                              11%

Domain 1.0: Network Security

1.1 Explain the security function and purpose of network devices and technologies

  • Firewalls
  • Routers
  • Switches
  • Load balancers
  • Proxies
  • Web security gateways
  • VPN concentrators
  • NIDS and NIPS (behavior based, signature based, anomaly based, heuristic)
  • Protocol analyzers
  • Sniffers
  • Spam filter, all-in-one security appliances
  • Web application firewall vs. network firewall
  • URL filtering, content inspection, malware inspection

1.2 Apply and implement secure network administration principles

  • Rule-based management
  • Firewall rules
  • VLAN management
  • Secure router configuration
  • Access control lists
  • Port security
  • 802.1x
  • Flood guards
  • Loop protection
  • Implicit deny
  • Prevent network bridging by network separation
  • Log analysis

1.3 Distinguish and differentiate network design elements and compounds

  • DMZ
  • Subnetting
  • VLAN
  • NAT
  • Remote Access
  • Telephony
  • NAC
  • Virtualization
  • Cloud computing
    • Platform as a service
    • Software as a service
    • Infrastructure as a service

1.4 Implement and use common protocols

  • IPSec
  • SNMP
  • SSH
  • DNS
  • TLS
  • SSL
  • TCP/IP
  • FTPS
  • HTTPS
  • SFTP
  • SCP
  • ICMP
  • IPv4 vs. IPv6

1.5 Identify commonly used default network ports

  • FTP
  • SFTP
  • FTPS
  • TFTP
  • TELNET
  • HTTP
  • HTTPS
  • SCP
  • SSH
  • NetBIOS

1.6 Implement wireless network in a secure manner

  • WPA
  • WPA2
  • WEP
  • EAP
  • PEAP
  • LEAP
  • MAC filter
  • SSID broadcast
  • TKIP
  • CCMP
  • Antenna placement
  • Power level controls

Domain 2.0 Compliance and Operational Security

2.1 Explain risk-related concepts

  • Control types
    • Technical
    • Management
    • Operational
  • False positives
  • Importance of policies in reducing risk
    • Privacy policy
    • Acceptable use
    • Security policy
    • Mandatory vacations
    • Job rotation
    • Separation of duties
    • Least privilege
  • Risk calculation
    • Likelihood
    • ALE
    • Impact
  • Quantitative vs. qualitative
  • Risk avoidance, transference, acceptance, mitigation, deterrence
  • Risks associated to cloud computing and virtualization

2.2 Carry out appropriate risk mitigation strategies

  • Implement security controls based on risk
  • Change management
  • Incident management
  • User rights and permissions reviews
  • Perform routine audits
  • Implement policies and procedures to prevent data loss or theft

2.3 Execute appropriate incident response procedures

  • Basic forensic procedures
    • Order of volatility
    • Capture system image
    • Network traffic and logs
    • Capture video
    • Record time offset
    • Take hashes
    • Screenshots
    • Witnesses
    • Track man hours and expense
  • Damage and loss control
  • Chain of custody
  • Incident response: first responder

2.4 Explain the importance of security-related awareness and training

  • Security policy training and procedures
  • Personally identifiable information
  • Information classification: Sensitivity of data (hard or soft)
  • Data labeling, handling, and disposal
  • Compliance with laws, best practices, and standards
  • User habits
    • Password behaviors
    • Data handling
    • Clean desk policies
    • Prevent tailgating
    • Personally owned devices
  • Threat awareness
    • New viruses
    • Phishing attacks
    • Zero days exploits
  • Use of social networking and P2P

2.5 Compare and contrast aspects of business continuity

  • Business impact analysis
  • Removing single points of failure
  • Business continuity planning and testing
  • Continuity of operations
  • Disaster recovery
  • IT contingency planning
  • Succession planning

2.6 Explain the impact and proper use of environmental controls

  • HVAC
  • Fire suppression
  • EMI shielding
  • Hot and cold aisles
  • Environmental monitoring
  • Temperature and humidity controls
  • Video monitoring

2.7 Execute disaster recovery plans and procedures

  • Backup/backout contingency plans or policies
  • Backups, execution, and frequency
  • Redundancy and fault tolerance
    • Hardware
    • RAID
    • Clustering
    • Load balancing
    • Servers
  • High availability
  • Cold site, hot site, warm site
  • Mean time to restore, mean time between failures, recovery time objectives, and recovery point objectives

2.8 Exemplify the concepts of confidentiality, integrity, and availability (CIA)

Domain 3.0 Threats and Vulnerabilities

3.1 Analyze and differentiate among types of malware

  • Adware
  • Virus
  • Worms
  • Spyware
  • Trojan
  • Rootkits
  • Backdoors
  • Logic bomb
  • Botnets

3.2 Analyze and differentiate among types of attacks

  • Man-in-the-middle
  • DDoS
  • DoS
  • Replay
  • Smurf attack
  • Spoofing
  • Spam
  • Phishing
  • Spim
  • Vishing
  • Spear phishing
  • Xmas attack
  • Pharming
  • Privilege escalation
  • Malicious insider threat
  • DNS poisoning and ARP poisoning
  • Transitive access
  • Client-side attacks

3.3 Analyze and differentiate among types of social engineering attacks

  • Shoulder surfing
  • Dumpster diving
  • Tailgating
  • Impersonation
  • Hoaxes
  • Whaling
  • Vishing

3.4 Analyze and differentiate among types of wireless attacks

  • Rogue access points
  • Interference
  • Evil twin
  • War driving
  • Bluejacking
  • Bluesnarfing
  • War chalking
  • IV attack
  • Packet sniffing

3.5 Analyze and differentiate among types of application attacks

  • Cross-site scripting
  • SQL injection
  • LDAP injection
  • XML injection
  • Directory traversal/command injection
  • Buffer overflow
  • Zero day
  • Cookies and attachments
  • Malicious add-ons
  • Session hijacking
  • Header manipulation

3.6 Analyze and differentiate among types of mitigation and deterrent techniques

  • Manual bypassing of electronic controls
    • Failsafe/secure vs. failopen
  • Monitoring system logs
    • Event logs
    • Audit logs
    • Security logs
    • Access logs
  • Physical security
    • Hardware locks
    • Mantraps
    • Video surveillance
    • Fencing
    • Proximity readers
    • Access list
  • Hardening
    • Disabling unnecessary services
    • Protecting management interfaces and applications
    • Password protection
    • Disabling unnecessary accounts
  • Port security
    • MAC limiting and filtering
    • 802.1x
    • Disabling unused ports
  • Security posture
    • Initial baseline configuration
    • Continuous security monitoring
    • Remediation
  • Reporting
    • Alarms
    • Alerts
    • Trends
  • Detection controls vs. prevention controls
    • IDS vs. IPS
    • Camera vs. guard

3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities

  • Vulnerability scanning and interpret results
  • Tools
    • Protocol analyzer
    • Sniffer
    • Vulnerability scanner
    • Honeypots
    • Honeynets
    • Port scanner
  • Risk calculations
    • Threat vs. likelihood
  • Assessment types
    • Risk
    • Threat
    • Vulnerability
  • Assessment technique
    • Baseline reporting
    • Code review
    • Determine attack surface
    • Architecture
    • Design reviews

3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing vs. vulnerability scanning

  • Penetration testing
    • Verify a threat exists
    • Bypass security controls
    • Actively test security controls
    • Exploiting vulnerabilities
  • Vulnerability scanning
    • Passively testing security controls
    • Identify vulnerability
    • Identify lack of security controls
    • Identify common misconfiguration
  • Black box
  • White box
  • Gray box

Domain 4.0 Application, Data and Host Security

4.1 Explain the importance of application security

  • Fuzzing
  • Secure coding concepts
  • Error and exception handling
  • Input validation
  • Cross-site scripting prevention
  • Cross-site Request Forgery (XSRF) prevention
  • Application configuration baseline (proper settings)
  • Application hardening
  • Application patch management

4.2 Carry out appropriate procedures to establish host security

  • Operating system security and settings
  • Anti-malware
    • Anti-virus
    • Anti-spam
    • Anti-spyware
    • Pop-up blockers
    • Host-based firewalls
  • Patch management
  • Hardware security
    • Cable locks
    • Safe
    • Locking cabinets
  • Host software baselining
  • Mobile devices
    • Screen lock
    • Strong password
    • Device encryption
    • Remote wipe/sanitation
    • Voice encryption
    • GPS tracking
  • Virtualization

4.3 Explain the importance of data security

  • Data Loss Prevention (DLP)
  • Data encryption
    • Full disk
    • Database
    • Individual files
    • Removable media
    • Mobile devices
  • Hardware-based encryption devices
    • TPM
    • HSM
    • USB encryption
    • Hard drive
    • Cloud computing

Domain 5.0 Access Control and Identity Management

5.1 Explain the function and purpose of authentication services

  • RADIUS
  • TACACS
  • TACACS+
  • Kerberos
  • LDAP
  • XTACACS

5.2 Explain the fundamental concepts and best practices related to authentication, authorization, and access control

  • Identification vs. authentication
  • Authentication (single factor) and authorization
  • Multifactor authentication
  • Biometrics
  • Tokens
  • Common access card
  • Personal identification verification card
  • Smart card
  • Least privilege
  • Separation of duties
  • Single sign-on
  • ACLs
  • Access control
  • Mandatory access control
  • Discretionary access control
  • Role/rule-based access control
  • Implicit deny
  • Time of day restrictions
  • Trusted OS
  • Mandatory vacations
  • Job rotation

5.3 Implement appropriate security controls when performing account management

  • Mitigates issues associated with users with multiple account/roles
  • Account policy enforcement
    • Password complexity
    • Expiration
    • Recovery
    • Length
    • Disablement
    • Lockout
  • Group-based privileges
  • User-assigned privileges

Domain 6.0 Cryptography

6.1 Summarize general cryptography concepts

  • Symmetric vs. asymmetric
  • Fundamental differences and encryption methods
  • Block vs. stream
  • Transport encryption
  • Non-repudiation
  • Hashing
  • Key escrow
  • Steganography
  • Digital signatures
  • Use of proven technologies
  • Elliptic curve and quantum cryptography

6.2 Use and apply appropriate cryptographic tools and products

  • WEP vs. WPA/WPA2 and preshared key
  • MD5
  • SHA
  • RIPEMD
  • AES
  • DES
  • 3DES
  • HMAC
  • RSA
  • RC4
  • One-time pads
  • CHAP
  • PAP
  • NTLM
  • NTLMv2
  • Blowfish
  • PGP/GPG
  • Whole disk encryption
  • Twofish
  • Comparative strengths of algorithms
  • Use of algorithms with transport encryption
    • SSL
    • TLS
    • IPSec
    • SSH
    • HTTPS

6.3 Explain the core concepts of public key infrastructure

  • Certificate authorities and digital certificates
    • CA
    • CRLs
  • PKI
  • Recovery agent
  • Public key
  • Private key
  • Registration
  • Key escrow
  • Trust models

6.4 Implement PKI, certificate management, and associated components

  • Certificate authorities and digital certificates
    • CA
    • CRLs
  • PKI
  • Recovery agent
  • Public key
  • Private keys
  • Registration
  • Key escrow
  • Trust models