
Document information: 607 pages, 20.53 MB

All-In-One / CompTIA Security+™ All-in-One Exam Guide / Conklin, White, Davis / 124-5 / FM


ALL IN ONE

CompTIA

EXAM GUIDE Fourth Edition (Exam SY0-401)

Dr. Wm. Arthur Conklin

Dr. Gregory White, Chuck Cothren, Roger L. Davis, Dwayne Williams

New York, Chicago, San Francisco, Athens, London, Madrid, Mexico City, Milan, New Delhi, Singapore, Sydney, Toronto

McGraw-Hill Education is an independent entity from CompTIA®. This publication and digital content may be used in assisting students to prepare for the CompTIA Security+™ exam. Neither CompTIA nor McGraw-Hill Education warrant that use of this publication and digital content will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.


Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-183735-4

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.


ABOUT THE AUTHORS

Dr. Wm. Arthur Conklin, CompTIA Security+, CISSP, CSSLP, GISCP, CRISC, is an Associate Professor and Director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees, a Ph.D. in business administration (specializing in information security) from The University of Texas at San Antonio (UTSA), and the degree Electrical Engineer (specializing in space systems engineering) from the Naval Postgraduate School in Monterey, CA. He is a fellow of ISSA, a senior member of ASQ, and a member of IEEE and ACM. His research interests include the use of systems theory to explore information security, specifically in cyber-physical systems. He has coauthored six security books and numerous academic articles associated with information security. He is active in the DHS-sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cyber-security aspects of industrial control systems. He has an extensive background in secure coding and is a co-chair of the DHS/DoD Software Assurance Forum working group for workforce education, training, and development.

Dr. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the United States Air Force and 11 years in the Air Force Reserves in a variety of computer and security positions. He obtained his Ph.D. in computer science from Texas A&M University in 1995. His dissertation topic was in the area of computer network intrusion detection, and he continues to conduct research in this area today. He is currently the Director for the Center for Infrastructure Assurance and Security (CIAS) and is a professor of computer science at the University of Texas at San Antonio (UTSA). Dr. White has written and presented numerous articles and conference papers on security. He is also the coauthor of five textbooks on computer and network security and has written chapters for two other security books. Dr. White continues to be active in security research. His current research initiatives include efforts in community incident response, intrusion detection, and secure information sharing.

Chuck Cothren, CISSP, is a Principal Solutions Specialist at Symantec Corporation applying a wide array of network security experience, including performing controlled penetration testing, incident response, and security management to assist a wide variety of clients in the protection of their critical data. He has also analyzed security methodologies for Voice over Internet Protocol (VoIP) systems and supervisory control and data acquisition (SCADA) systems. He is coauthor of the books Voice and Data Security and Principles of Computer Security.

Roger L. Davis, CISSP, CISM, CISA, is an Operations Manager at the Church of Jesus Christ of Latter-day Saints, managing several of the Church’s information systems in over 140 countries. He has served as president of the Utah chapter of the Information Systems Security Association (ISSA) and various board positions for the Utah chapter of the Information Systems Audit and Control Association (ISACA). He is a retired Air Force lieutenant colonel with 30 years of military and information systems/security experience. Mr. Davis served on the faculty of Brigham Young University and the Air Force Institute of Technology. He coauthored McGraw-Hill’s Principles of Computer Security and Voice and Data Security. He holds a master’s degree in computer science from George Washington University, a bachelor’s degree in computer science from Brigham Young University, and performed post-graduate studies in electrical engineering and computer science at the University of Colorado.

Dwayne Williams, CISSP, is Associate Director, Technology and Research, for the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio and is the Director of the National Collegiate Cyber Defense Competition. Mr. Williams has over 18 years of experience in information systems and network security. Mr. Williams’s experience includes six years of commissioned military service as a Communications-Computer Information Systems Officer in the United States Air Force, specializing in network security, corporate information protection, intrusion detection systems, incident response, and VPN technology. Prior to joining the CIAS, he served as Director of Consulting for SecureLogix Corporation, where he directed and provided security assessment and integration services to Fortune 100, government, public utility, oil and gas, financial, and technology clients. Mr. Williams graduated in 1993 from Baylor University with a bachelor of arts in computer science. Mr. Williams is a coauthor of Voice and Data Security and Principles of Computer Security.

About the Technical Editor

Chris Crayton is an author, technical consultant, and trainer. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, Microsoft Windows, CompTIA A+, and CompTIA Security+. He has also served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies, including the CompTIA A+ Certification All-in-One Exam Guide and the CompTIA A+ Certification Study Guide. He holds multiple industry certifications, has been recognized with many professional teaching awards, and serves as a state-level SkillsUSA competition judge.

CompTIA Approved Quality Content

It Pays to Get Certified

In a digital world, digital literacy is an essential survival skill. Certification demonstrates that you have the knowledge and skill to solve technical or business problems in virtually any business environment. CompTIA certifications are highly valued credentials that qualify you for jobs, increased compensation, and promotion.


CompTIA Security+ Certification Helps Your Career

• Security is one of the highest demand job categories, growing in importance as the frequency and severity of security threats continue to be a major concern for organizations around the world.

• Jobs for security administrators are expected to increase by 18%—the skill set required for these types of jobs maps to the CompTIA Security+ certification.

• Network Security Administrators can earn as much as $106,000 per year.

• CompTIA Security+ is the first step in starting your career as a Network Security Administrator or Systems Security Administrator.

• More than 250,000 individuals worldwide are CompTIA Security+ certified.

• CompTIA Security+ is regularly used in organizations such as Hitachi Systems, Fuji Xerox, HP, Dell, and a variety of major U.S. government contractors.

• Approved by the U.S. Department of Defense (DoD) as one of the required certification options in the DoD 8570.01-M directive, for Information Assurance Technical Level II and Management Level I job roles.

Steps to Getting Certified and Staying Certified

1. Review the exam objectives. Review the certification objectives to make sure you know what is covered in the exam: http://certification.comptia.org/examobjectives.aspx

2. Practice for the exam. After you have studied for the certification exam, review and answer sample questions to get an idea of what type of questions might be on the exam: http://certification.comptia.org/samplequestions.aspx

3. Purchase an exam voucher. You can purchase exam vouchers on the CompTIA Marketplace, www.comptiastore.com.

4. Take the test! Go to the Pearson VUE website, www.pearsonvue.com/comptia/, and schedule a time to take your exam.

5. Stay certified! Effective January 1, 2011, new CompTIA Security+ certifications are valid for three years from the date of certification. There are a number of ways the certification can be renewed. For more information go to http://certification.comptia.org/ce


For More Information

• Visit CompTIA online. Go to http://certification.comptia.org/home.aspx to learn more about getting CompTIA certified.

• Contact CompTIA. Please call 866-835-8020 and choose Option 2, or e-mail questions@comptia.org.

• Connect with CompTIA. Find CompTIA on Facebook, LinkedIn, Twitter, and YouTube.

Content Seal of Quality

This courseware bears the seal of CompTIA Approved Quality Content. This seal signifies this content covers 100 percent of the exam objectives and implements important instructional design principles. CompTIA recommends multiple learning tools to help increase coverage of the learning objectives.

CAQC Disclaimer

The logo of the CompTIA Approved Quality Content (CAQC) program and the status of this or other training material as “Approved” under the CompTIA Approved Quality Content program signifies that, in CompTIA’s opinion, such training material covers the content of CompTIA’s related certification exam.

The contents of this training material were created for the CompTIA Security+ exam covering CompTIA certification objectives that were current as of the date of publication.

CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such “Approved” or other training material in order to prepare for any CompTIA certification exam.


This book is dedicated to the many information security professionals who quietly work to ensure the safety of our nation’s critical infrastructures.

We want to recognize the thousands of dedicated individuals who strive to protect our national assets but who seldom receive praise and often are only noticed when an incident occurs.

To you, we say thank you for a job well done!


CONTENTS AT A GLANCE

Part I Network Security

Chapter 1 Network Device Configuration 3

Chapter 2 Secure Network Administration 25

Chapter 3 Secure Network Design 35

Chapter 4 Secure Wireless Networking 63

Part II Compliance and Operational Security

Chapter 5 Risk Concepts 79

Chapter 6 System Integration Processes 101

Chapter 7 Risk Management 111

Chapter 8 Digital Forensics and Incident Response 131

Chapter 9 Security Awareness and Training 153

Chapter 10 Physical Security and Environmental Controls 169

Chapter 11 Security Controls 193

Part III Threats and Vulnerabilities

Chapter 12 Attacks and Malware 205

Chapter 13 Social Engineering 235

Chapter 14 Application and Wireless Attacks 247

Chapter 15 Mitigation Techniques 267

Chapter 16 Threat and Vulnerability Discovery 289

Part IV Application, Data, and Host Security

Chapter 17 Application Security Controls 317

Chapter 18 Mobile Device Security 327

Chapter 19 Host-based Security 341

Chapter 20 Securing Alternative Environments 375


CompTIA Security+ All-in-One Exam Guide

xiv


Part V Access Control and Identity Management

Chapter 21 Access Control and Authentication 387

Chapter 22 Account Management 417

Part VI Cryptography

Chapter 23 Cryptographic Concepts 431

Chapter 24 Cryptographic Methods 447

Part VII Appendixes and Glossary

Appendix A OSI Model and Internet Protocols 493

Appendix B About the Download 503

Glossary 507

Index 535


CONTENTS

Preface xxxi

Acknowledgments xxxiii

Introduction xxxv

Part I Network Security

Chapter 1 Network Device Configuration 3

Network Devices 3

Firewalls 3

Routers 7

Switches 8

Load Balancers 9

Proxies 10

Web Security Gateways 11

VPN Concentrators 11

Intrusion Detection Systems 12

Intrusion Prevention Systems 14

Protocol Analyzers 14

Spam Filter 15

UTM Security Appliances 18

Web Application Firewall vs Network Firewall 18

Application-aware Devices 19

Chapter Review 19

Questions 20

Answers 22

Chapter 2 Secure Network Administration 25

Secure Network Administration Principles 25

Rule-based Management 25

Firewall Rules 25

VLAN Management 26

Secure Router Configuration 27

Access Control Lists 27

Port Security 28

802.1x 28

Flood Guards 29

Loop Protection 29

Implicit Deny 29

Network Separation 29


Log Analysis 30

Unified Threat Management 30

Chapter Review 30

Questions 30

Answers 33

Chapter 3 Secure Network Design 35

Network Design Elements and Components 35

DMZ Security Zones 35

Subnetting 37

VLAN 38

NAT 40

Remote Access 41

Telephony 41

Network Access Control (NAC) 42

Virtualization 43

Cloud Computing 43

Layered Security/Defense in Depth 45

Protocols 45

IPsec 45

SNMP 52

SSH 52

DNS 52

TLS 53

SSL 53

TCP/IP 53

FTP 53

FTPS 53

SFTP 53

TFTP 54

HTTP 54

HTTPS 54

SCP 54

ICMP 54

IPv4 54

IPv6 54

iSCSI 55

Fibre Channel 55

FCoE 55

Telnet 55

NetBIOS 55

Ports 55

OSI Relevance 56

Chapter Review 57

Questions 57

Answers 60


Chapter 4 Secure Wireless Networking 63

Wireless Networking 63

SSID 64

WEP 64

WPA 65

TKIP 66

WPA2 66

EAP 68

PEAP 68

LEAP 68

CCMP 68

Wireless Operations 68

MAC Filter 68

Antenna Placement 69

Power Level Controls 69

Antenna Types 69

Captive Portals 70

Site Surveys 70

VPN (Over Open Wireless) 71

Chapter Review 72

Questions 72

Answers 75

Part II Compliance and Operational Security

Chapter 5 Risk Concepts 79

An Overview of Risk Management 79

Key Terms for Understanding Risk Management 80

Control Types 80

False Positives 81

False Negatives 81

Importance of Policies in Reducing Risk 82

Qualitative Risk Assessment 86

Quantitative Risk Assessment 87

Risk Calculation 90

Quantitative vs Qualitative 91

Vulnerabilities 92

Threat Vectors 93

Probability/Threat Likelihood 93

Risk Avoidance, Transference, Acceptance, Mitigation, Deterrence 94


The Cloud 94

Risks Associated with Cloud Computing and Virtualization 95

Virtualization 95

Recovery Time Objective and Recovery Point Objective 96

Chapter Review 96

Questions 97

Answers 100

Chapter 6 System Integration Processes 101

System-Level Processes 101

On-boarding/Off-boarding Business Partners 101

Social Media Networks 102

Interoperability Agreements 102

Privacy Considerations 103

Risk Awareness 104

Data Issues 104

Policies and Procedures 104

Agreements 105

Chapter Review 105

Questions 105

Answers 108

Chapter 7 Risk Management 111

Risk Mitigation Strategies 111

Change Management 111

Incident Management 112

User Rights and Permissions Reviews 112

Perform Routine Audits 113

Data Loss or Theft 113

Technology Controls 114

Risk Management Best Practices 114

Business Continuity Concepts 115

Fault Tolerance 119

Disaster Recovery Concepts 121

Chapter Review 126

Questions 126

Answers 129

Chapter 8 Digital Forensics and Incident Response 131

Forensic Procedures 132

Collection 132

Examination 137

Analysis 138

Reporting 139


Incident Response Procedures 141

Preparation 142

Incident Identification 143

Escalation and Notification 143

Mitigation Steps 144

Lessons Learned 145

Reporting 145

Recovery/Reconstitution Procedures 146

Incident Isolation 146

Data Breach 147

Damage and Loss Control 147

Chapter Review 147

Questions 148

Answers 150

Chapter 9 Security Awareness and Training 153

Security Awareness and Training 153

Security Policy Training and Procedures 154

Role-based Training 154

Personally Identifiable Information 154

Information Classification 156

Data Labeling, Handling, and Disposal 157

Compliance with Laws, Best Practices, and Standards 157

User Habits 158

New Threats and Security Trends/Alerts 161

New Viruses 161

Phishing Attacks 162

Zero-day Exploits 162

Social Networking and P2P 163

Training Metrics and Compliance 163

Chapter Review 164

Questions 164

Answers 166

Chapter 10 Physical Security and Environmental Controls 169

Environmental Controls 169

HVAC 170

Fire Suppression 170

EMI Shielding 174

Hot and Cold Aisles 175

Environmental Monitoring 175

Temperature and Humidity Controls 175

Physical Security 175

Hardware Locks 176

Mantraps 177


Video Surveillance 177

Fencing 179

Proximity Readers 179

Access List 180

Proper Lighting 180

Signs 180

Guards 181

Barricades 181

Biometrics 182

Protected Distribution (Cabling) 185

Alarms 185

Motion Detection 186

Control Types 186

Chapter Review 187

Questions 187

Answers 190

Chapter 11 Security Controls 193

Confidentiality 193

Integrity 194

Availability 194

Safety 195

Fencing 195

Lighting 195

Locks 196

CCTV 196

Escape Routes 196

Escape Plans 196

Drills 196

Testing Controls 196

Chapter Review 197

Questions 197

Answers 200

Part III Threats and Vulnerabilities

Chapter 12 Attacks and Malware 205

Malware 205

Adware 205

Virus 206

Worms 206

Spyware 206

Trojan 207

Rootkits 207

Backdoors 208

Logic Bomb 209


Botnets 209

Ransomware 210

Polymorphic Malware 210

Armored Virus 210

Attack Methods 210

Man-in-the-Middle 211

Denial-of-Service 212

Distributed Denial-of-Service 213

Replay 215

Spoofing 216

Spam 219

Spim 220

Phishing 220

Spear Phishing 220

Vishing 220

Xmas Attack 221

Pharming 221

Privilege Escalation 221

Malicious Insider Threat 222

Cache Poisoning 222

TCP/IP Hijacking 225

Transitive Access 226

Client-side Attacks 226

Password Attacks 226

Typo Squatting/URL Hijacking 228

Watering Hole Attack 229

Chapter Review 229

Questions 229

Answers 233

Chapter 13 Social Engineering 235

Social Engineering Methods 235

Shoulder Surfing 236

Dumpster Diving 237

Tailgating 237

Impersonation 238

Hoaxes 239

Whaling 239

Vishing 239

Social Engineering Principles 240

Tools 240

Chapter Review 241

Questions 241

Answers 245


Chapter 14 Application and Wireless Attacks 247

Wireless Attacks 247

Rogue Access Points 247

Jamming/Interference 248

Evil Twin 248

War Dialing and War Driving 248

Bluetooth Attacks 249

Packet Sniffing 251

Near Field Communication 251

Replay Attacks 252

IV Attack 252

WEP/WPA Attacks 252

WPS Attacks 253

Application Attacks 253

Cross-site Scripting 253

Injections 254

Directory Traversal/Command Injection 255

Buffer Overflow 255

Integer Overflow 256

Zero-day 257

Cookies and Attachments 257

Locally Shared Objects 260

Malicious Add-ons 261

Session Hijacking 261

Client-Side Attacks 261

Arbitrary/Remote Code Execution 262

Chapter Review 262

Questions 263

Answers 265

Chapter 15 Mitigation Techniques 267

Monitoring System Logs 267

Common Logs 267

Periodic Audits of Security Settings 269

System Hardening 269

Disabling Unused Interfaces and Unused Application Service Ports 270

Protecting Management Interfaces and Applications 271

Password Protection 271

Disabling Unused Accounts 274

Network Security 275

Network Software Updates 275

Network Device Configuration 276

802.1x 277

MAC Limiting and Filtering 278


Disabling Unused Interfaces and Unused Application Service Ports 278

Rogue Machine Detection 278

Security Posture 279

Initial Baseline Configuration 279

Updates (aka Hotfixes, Service Packs, and Patches) 279

Continuous Security Monitoring 280

Remediation 281

Reporting 281

Detection Controls vs Prevention Controls 282

Chapter Review 282

Questions 283

Answers 286

Chapter 16 Threat and Vulnerability Discovery 289

Interpret Results of Security Assessment Tools 289

Tools 289

Risk Calculations 299

Threat vs Likelihood 299

Assessment Types 299

Risk 300

Threat 300

Vulnerability 300

Assessment Technique 300

Baseline Reporting 301

Code Review 301

Determine Attack Surface 302

Review Architecture 304

Review Designs 304

Penetration Testing 304

Verify a Threat Exists 305

Bypass Security Controls 305

Actively Test Security Controls 305

Exploiting Vulnerabilities 305

Vulnerability Scanning 305

Passively Testing Security Controls 306

Identify Vulnerability 306

Identify Lack of Security Controls 306

Identify Common Misconfigurations 306

Intrusive vs Non-intrusive 306

Credentialed vs Non-credentialed 307

False Positive 307

Testing 307

Black Box 307

White Box 308

Gray Box 308


Chapter Review 308

Questions 309

Answers 312

Part IV Application, Data, and Host Security

Chapter 17 Application Security Controls 317

Secure Coding Concepts 317

Error and Exception Handling 318

Input Validation 318

Fuzzing 319

Cross-site Scripting Prevention 319

Cross-site Request Forgery 320

Application Hardening 320

Application Configuration Baseline 321

Application Patch Management 321

NoSQL Databases vs SQL Databases 321

Server-side vs Client-side Validation 322

Chapter Review 322

Questions 322

Answers 324

Chapter 18 Mobile Device Security 327

Device Security 327

Full Device Encryption 327

Remote Wiping 328

Lockout 328

Screen-locks 328

GPS 329

Application Control 329

Storage Segmentation 330

Asset Control 330

Mobile Device Management 330

Device Access Control 331

Removable Storage 331

Disabling Unused Features 331

Mobile Application Security 332

Key and Credential Management 332

Authentication 332

Geo-tagging 332

Application Whitelisting 333

Encryption 333

Transitive Trust/Authentication 333


BYOD Concerns 333

Data Ownership 334

Support Ownership 334

Patch Management 334

Antivirus Management 335

Forensics 335

Privacy 335

On-boarding/Off-boarding 335

Adherence to Corporate Policies 336

User Acceptance 336

Architecture/Infrastructure Considerations 336

Legal Concerns 336

Acceptable Use Policy 337

On-board Camera/Video 337

Chapter Review 337

Questions 337

Answers 339

Chapter 19 Host-based Security 341

Host Security 341

Operating System Security and Settings 341

OS Hardening 342

Anti-malware 343

Patch Management 349

Whitelisting vs Blacklisting Applications 353

Trusted OS 354

Host-based Firewalls 354

Host-based Intrusion Detection 355

Hardware Security 362

Host Software Baselining 362

Virtualization 363

Host-based Security Controls 364

Cloud Storage 364

SAN 364

Handling Big Data 365

Data Encryption 365

Hardware-based Encryption Devices 366

Data Security 367

Permissions/ACL 368

Data Policies 368

Chapter Review 369

Questions 369

Answers 373


Chapter 20 Securing Alternative Environments 375

Alternative Environments 375

SCADA 376

Embedded Systems 376

Phones and Mobile Devices 377

Mainframe 378

Game Consoles 379

In-vehicle Computing Systems 379

Methods 379

Network Segmentation 379

Security Layers 380

Application Firewalls 380

Manual Updates 380

Firmware Version Control 380

Wrappers 380

Control Redundancy and Diversity 381

Chapter Review 381

Questions 381

Answers 383

Part V Access Control and Identity Management

Chapter 21 Access Control and Authentication 387

Authentication Services 387

RADIUS 388

TACACS+ 391

Common Remote Access Ports 394

Kerberos 394

LDAP 396

Secure LDAP 396

SAML 397

Authorization 397

Least Privilege 397

Separation of Duties 399

Access Control 399

Job Rotation 402

Time of Day Restrictions 403

Authentication 403

Biometrics 403

Username 403

Smart Card 403

Common Access Card 403

Personal Identity Verification Card 404

Multifactor Authentication 404

HOTP 404

TOTP 405


CHAP 405

PAP 406

EAP 406

Implicit Deny 406

Trusted OS 407

Authentication Factors 407

Identification 408

Vulnerabilities 411

Federation 412

Transitive Trust/Authentication 412

Chapter Review 412

Questions 412

Answers 415

Chapter 22 Account Management 417

User, Group, and Role Management 417

User 417

Groups 418

Multiple Roles 420

Account Policy Enforcement 420

Credential Management 420

Group Policy 420

Password Policies 420

Domain Password Policy 421

Password Attacks 422

Account Auditing 423

Chapter Review 424

Questions 424

Answers 426

Part VI Cryptography

Chapter 23 Cryptographic Concepts 431

General Cryptographic Concepts 431

Symmetric 432

Public Key or Asymmetric 433

Symmetric vs Asymmetric 434

Session Keys 434

Key Exchange 435

Fundamental Methods 435

Block vs Stream 435

Elliptic Curve 436

Quantum Cryptography 437

Hashing 437

Ephemeral Keys 438


Cryptographic Objectives 439

Perfect Forward Secrecy 439

Transport Encryption 439

Non-repudiation 439

Key Escrow 439

Steganography 440

Digital Signatures 441

Use of Proven Technologies 442

Chapter Review 442

Questions 442

Answers 445

Chapter 24 Cryptographic Methods 447

Hashing 447

MD5 447

SHA 448

RIPEMD 449

Symmetric Encryption 449

DES 449

3DES 449

AES 450

RC4 451

Blowfish 451

Twofish 451

Asymmetric Encryption 451

RSA 452

Diffie-Hellman 452

ECC 452

Cryptographic Applications 453

PGP 453

GnuPG/GPG 453

PAP/CHAP 454

NT LAN Manager 454

Wireless 454

One-time Pads 455

Comparative Strengths and Performance of Algorithms 455

Use of Algorithms/Protocols with Transport Encryption 455

Cipher Suites 456

Key Stretching 457

The Basics of Public Key Infrastructures 457

Certificate Authorities 460

Registration Authorities 461

Trust and Certificate Verification 463

Digital Certificates 467

Certificate Attributes 468


Certificate Lifecycles 470
Registration and Generation 470
CSR 471
Renewal 471
Revocation 471
Suspension 474
Key Destruction 474
Private Key Protection 475
Key Recovery 476
Key Escrow 478
Public Certificate Authorities 478
Trust Models 479
Hierarchical Trust Model 481
Walking the Certificate Path 482
Peer-to-Peer Model 483
Hybrid Trust Model 484
Chapter Review 485
Questions 485
Answers 488

Part VII Appendixes and Glossary

Appendix A OSI Model and Internet Protocols 493

Networking Frameworks and Protocols 493
OSI Model 494
Application Layer 496
Presentation Layer 497
Session Layer 497
Transport Layer 497
Network Layer 497
Data Link Layer 498
Physical Layer 498
Internet Protocols 498
TCP 498
UDP 499
IP 499
Message Encapsulation 500
Review 501

Appendix B About the Download 503


Glossary 507
Index 535


PREFACE

Information and computer security has moved from the confines of academia to mainstream America in the last decade. From the CodeRed, Nimda, and Slammer attacks to data disclosures to today’s Advanced Persistent Threat (APT) that were heavily covered in the media and broadcast into the average American’s home, information security has become a common topic. It has become increasingly obvious to everybody that something needs to be done in order to secure not only our nation’s critical infrastructure, but also the businesses we deal with on a daily basis. The question is, “Where do we begin?” What can the average information technology professional do to secure the systems that he or she is hired to maintain? One immediate answer is education and training. If we want to secure our computer systems and networks, we need to know how to do this and what security entails.

Complacency is not an option in today’s hostile network environment. While we once considered the insider to be the major threat to corporate networks, and the “script kiddie” to be the standard external threat (often thought of as only a nuisance), the highly interconnected networked world of today is a much different place. The U.S. government identified eight critical infrastructures a few years ago that were thought to be so crucial to the nation’s daily operation that if one were to be lost, it would have a catastrophic impact on the nation. To this original set of eight sectors, more have been added, and they now total 17. Furthermore, analysis shows that in the United States, over 85 percent of this infrastructure is owned and operated by companies, not the government. A common thread throughout all of these critical infrastructures, however, is technology—especially technology related to computers and communication. Thus, if an individual, organization, or nation wanted to cause damage to this nation, it could attack not just with traditional weapons, but also with computers through the Internet. It is not surprising to hear that among the other information seized in raids on terrorist organizations, computers and Internet information are usually seized as well. While the insider can certainly still do tremendous damage to an organization, the external threat is again becoming the chief concern among many.

So, where do you, the IT professional seeking more knowledge on security, start your studies? The IT world is overflowing with certifications that can be obtained by those attempting to learn more about their chosen profession. The security sector is no different, and the CompTIA Security+ exam offers a basic level of certification for security. CompTIA Security+ is an ideal starting point for one interested in a career in security. In the pages of this exam guide, you will find not only material that can help you prepare for taking the CompTIA Security+ examination, but also the basic information that you will need in order to understand the issues involved in securing your computer systems and networks today. In no way is this exam guide the final source for learning all about protecting your organization’s systems, but it serves as a point from which to launch your security studies and career.


One thing is certainly true about this field of study—it never gets boring. It constantly changes as technology itself advances. Something else you will find as you progress in your security studies is that no matter how much technology advances and no matter how many new security devices are developed, at its most basic level, the human is still the weak link in the security chain. If you are looking for an exciting area to delve into, then you have certainly chosen wisely. Security offers a challenging blend of technology and people issues. We, the authors of this exam guide, wish you luck as you embark on an exciting and challenging career path.

—Wm. Arthur Conklin, Ph.D.

—Gregory B. White, Ph.D.


ACKNOWLEDGMENTS

We, the authors of CompTIA Security+ All-in-One Exam Guide, Fourth Edition, have many individuals who we need to acknowledge—individuals without whom this effort would not have been successful.

The list needs to start with those folks at McGraw-Hill Education who worked tirelessly with the project’s multiple authors and led us successfully through the minefield that is a book schedule and who took our rough chapters and drawings and turned them into a final, professional product we can be proud of. We thank the good people from the Acquisitions team, Meghan Manfre and Mary Demery; from the Editorial Services team, Janet Walden; and from the Production team, George Anderson. We also thank the technical editor, Chris Crayton; the project editor, Anupriya Tyagi of Cenveo Publisher Services; the copyeditor, William McManus; the proofreader, Lisa McCoy; and the indexer, Jack Lewis, for all their attention to detail that made this a finer work after they finished with it.

We also need to acknowledge our current employers who, to our great delight, have seen fit to pay us to work in a career field that we all find exciting and rewarding. There is never a dull moment in security because it is constantly changing.

We would like to thank Art Conklin for again herding the cats on this one.

Finally, we would each like to individually thank those people who—on a personal basis—have provided the core support for us individually. Without these special people in our lives, none of us could have put this work together.

To my loving wife Susan: You are my muse, my love, and my inspiration. And I apologize for all the time you suffered, waiting, as I work on books.


INTRODUCTION

Computer security has become paramount as the number of security incidents steadily climbs. Many corporations now spend significant portions of their budget on security hardware, software, services, and personnel. They are spending this money not because it increases sales or enhances the product they provide, but because of the possible consequences should they not take protective actions.

Why Focus on Security?

Security is not something that we want to have to pay for; it would be nice if we didn’t have to worry about protecting our data from disclosure, modification, or destruction from unauthorized individuals, but that is not the environment we find ourselves in today. Instead, we have seen the cost of recovering from security incidents steadily rise along with the number of incidents themselves. Cyber-attacks and information disclosures are occurring so often that one almost ignores them on the news. But the theft of over 40 million credit and debit card numbers from Target, with the subsequent resignation of the CIO and CEO, may indicate a new sense of urgency, a new sense of purpose with regard to securing data. The days of paper reports and corporate “lip-service” may be waning, and the time to meet the new challenges of even more sophisticated attackers has arrived. Then months later, Home Depot reports an even larger security breach. The battle will be long, with defenders adapting and protecting and attackers searching for weaknesses and vulnerabilities. Who will win? It depends on the vigilance of the defenders, for the attackers are here to stay.

A Growing Need for Security Specialists

In order to protect our computer systems and networks, we need a significant number of new security professionals trained in the many aspects of computer and network security. This is not an easy task as the systems connected to the Internet become increasingly complex with software whose lines of code number in the millions. Understanding why this is such a difficult problem to solve is not hard if you consider just how many errors might be present in a piece of software that is several million lines long. When you add the factor of how fast software is being developed—from necessity as the market is constantly changing—understanding how errors occur is easy.

Not every “bug” in the software will result in a security hole, but it doesn’t take many to have a drastic effect on the Internet community. We can’t just blame the vendors for this situation, because they are reacting to the demands of government and industry. Most vendors are fairly adept at developing patches for flaws found in their software, and patches are constantly being issued to protect systems from bugs that may introduce security problems. This introduces a whole new problem for managers and administrators—patch management. How important this has become is easily illustrated by how many of the most recent security events have occurred as a result of a security bug that was discovered months prior to the security incident, and for which a patch has been available, but for which the community has not correctly installed the patch, thus making the incident possible. One of the reasons this happens is that many of the individuals responsible for installing the patches are not trained to understand the security implications surrounding the hole or the ramifications of not installing the patch. Many of these individuals simply lack the necessary training.

Because of the need for an increasing number of security professionals who are trained to some minimum level of understanding, certifications such as the CompTIA Security+ have been developed. Prospective employers want to know that the individual they are considering hiring knows what to do in terms of security. The prospective employee, in turn, wants to have a way to demonstrate his or her level of understanding, which can enhance the candidate’s chances of being hired. The community as a whole simply wants more trained security professionals.

The goal of taking the CompTIA Security+ exam is to prove that you’ve mastered the worldwide standards for foundation-level security practitioners. The exam gives you a perfect opportunity to validate your knowledge and understanding of the computer security field, and it is an appropriate mechanism for many different individuals, including network and system administrators, analysts, programmers, web designers, application developers, and database specialists, to show proof of professional achievement in security. According to CompTIA, the exam is aimed at individuals who have:

• A minimum of two years of experience in IT administration with a focus on security

• Day-to-day technical information security experience

• Broad knowledge of security concerns and implementation, including the topics that are found in the specific CompTIA Security+ domains

The exam objectives were developed with input and assistance from industry and government agencies, including such notable examples as the Federal Bureau of Investigation (FBI), the National Institute of Standards and Technology (NIST), the U.S. Secret Service, the Information Systems Security Association (ISSA), the Information Systems Audit and Control Association (ISACA), Microsoft Corporation, RSA Security, Motorola, Novell, Sun Microsystems, VeriSign, and Entrust.

The CompTIA Security+ exam is designed to cover a wide range of security topics—subjects about which a security practitioner would be expected to know. The test includes information from six knowledge domains:

2.0 Compliance and Operational Security 18%

3.0 Threats and Vulnerabilities 20%

4.0 Application, Data and Host Security 15%

5.0 Access Control and Identity Management 15%


The Network Security knowledge domain covers basic networking principles and devices. The domain is concerned with both wired and wireless networks and the security issues introduced when computers are connected to local networks as well as the Internet. The Compliance and Operational Security domain examines a number of operational security issues such as risk assessment and mitigation, incident response, disaster recovery and business continuity, training and awareness, and environmental controls. Since it is important to know what threats you are protecting your systems and networks from, the third domain, Threats and Vulnerabilities, examines the many different types of attacks that can occur and the vulnerabilities that these attacks may exploit. The fourth domain, Application, Data and Host Security, covers those things that individuals can do to protect individual hosts. This may include items such as encryption, patching, antivirus measures, and hardware security. In the Access Control and Identity Management domain, fundamental concepts and best practices related to authentication, authorization, and access control are addressed. Account management and authentication services are also addressed in this domain. The last domain, Cryptography, has long been part of the basic security foundation of any organization, and an entire domain is devoted to details on its various aspects.

The exam consists of a series of questions, each designed to have a single best answer or response. The other available choices are designed to provide options that an individual might choose if he or she had an incomplete knowledge or understanding of the security topic represented by the question. The exam will have both multiple-choice and performance-based questions. Performance-based questions present the candidate with a task or a problem in a simulated IT environment. The candidate is given an opportunity to demonstrate his or her ability in performing skills. The exam questions are chosen from the more detailed objectives listed in the outline shown in Figure 1, an excerpt from the 2014 objectives document obtainable from the CompTIA website at http://certification.comptia.org/getCertified/certifications/security.aspx.

CompTIA recommends that individuals who want to take the CompTIA Security+ exam have the CompTIA Network+ certification and two years of technical networking experience, with an emphasis on security. Originally administered only in English, the exam is now offered in testing centers around the world in the English, Spanish, Japanese, Chinese, German, and other languages. Consult the CompTIA website at www.comptia.org to determine a location near you.

The exam consists of a maximum of 100 questions to be completed in 90 minutes. A minimum passing score is considered 750 out of a possible 900 points. Results are available immediately after you complete the exam. An individual who fails to pass the exam the first time will be required to pay the exam fee again to retake the exam, but no mandatory waiting period is required before retaking it the second time. If the individual again fails the exam, a minimum waiting period of 30 days is required for each subsequent retake. For more information on retaking exams, consult CompTIA’s retake policy, which can be found on its website.


Figure 1 The CompTIA Security+ (SY0-401) exam objectives

1.0 Network Security

1.1 Implement security configuration parameters on network devices and other technologies.

1.2 Given a scenario, use secure network administration principles.

1.3 Explain network design elements and components.

1.4 Given a scenario, implement common protocols and services.

1.5 Given a scenario, troubleshoot security issues related to wireless networking.

2.0 Compliance and Operational Security

2.1 Explain the importance of risk related concepts.

2.2 Summarize the security implications of integrating systems and data with third parties.

2.3 Given a scenario, implement appropriate risk mitigation strategies.

2.4 Given a scenario, implement basic forensic procedures.

2.5 Summarize common incident response procedures.

2.6 Explain the importance of security related awareness and training.

2.7 Compare and contrast physical security and environmental controls.

2.8 Summarize risk management best practices.

2.9 Given a scenario, select the appropriate control to meet the goals of security.

3.0 Threats and Vulnerabilities

3.1 Explain types of malware.

3.2 Summarize various types of attacks.

3.3 Summarize social engineering attacks and the associated effectiveness with each attack.

3.4 Explain types of wireless attacks.

3.5 Explain types of application attacks.

3.6 Analyze a scenario and select the appropriate type of mitigation and deterrent techniques.

3.7 Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities.

3.8 Explain the proper use of penetration testing versus vulnerability scanning.

4.0 Application, Data and Host Security

4.1 Explain the importance of application security controls and techniques.

4.2 Summarize mobile security concepts and technologies.

4.3 Given a scenario, select the appropriate solution to establish host security.

4.4 Implement the appropriate controls to ensure data security.

4.5 Compare and contrast alternative methods to mitigate security risks in static environments.

5.0 Access Control and Identity Management

5.1 Compare and contrast the function and purpose of authentication services.

5.2 Given a scenario, select the appropriate authentication, authorization or access control.

5.3 Install and configure security controls when performing account management, based on best practices.

6.0 Cryptography

6.1 Given a scenario, utilize general cryptography concepts.

6.2 Given a scenario, use appropriate cryptographic methods.

6.3 Given a scenario, use appropriate PKI, certificate management and associated components.


Preparing Yourself for the CompTIA Security+ Exam

CompTIA Security+ All-in-One Exam Guide, Fourth Edition, is designed to help prepare you to take the CompTIA Security+ certification exam SY0-401.

How This Book Is Organized

The book is divided into sections and chapters to correspond with the objectives of the exam itself. Some of the chapters are more technical than others—reflecting the nature of the security environment, where you will be forced to deal with not only technical details, but also other issues such as security policies and procedures as well as training and education. Although many individuals involved in computer and network security have advanced degrees in math, computer science, information systems, or computer or electrical engineering, you do not need this technical background to address security effectively in your organization. You do not need to develop your own cryptographic algorithm, for example; you simply need to be able to understand how cryptography is used, along with its strengths and weaknesses. As you progress in your studies, you will learn that many security problems are caused by the human element. The best technology in the world still ends up being placed in an environment where humans have the opportunity to foul things up—and all too often do.

As you can see from the table of contents, the overall structure of the book is designed to mirror the objectives of the CompTIA Security+ exam. The majority of the chapters are designed to match the objectives order as posted by CompTIA. There are occasions where the order differs slightly, mainly to group terms by contextual use.

In addition, there are two appendixes in this book. Appendix A provides an additional in-depth explanation of the OSI Model and Internet protocols, should this information be new to you, and Appendix B explains how best to use the digital resources that are available for download with this book.

Located just before the Index, you will find a useful Glossary of security terminology, including many related acronyms and their meaning. We hope that you use the Glossary frequently and find it to be a useful study aid as you work your way through the various topics in this exam guide.

Special Features of the All-in-One Series

To make these exam guides more useful and a pleasure to read, the All-in-One series has been designed to include several features.

Objective Map

The objective map that follows this introduction has been constructed to allow you to cross-reference the official exam objectives with the objectives as they are presented and covered in this book. References have been provided for the objective exactly as CompTIA presents it, the section of the exam guide that covers that objective, and a chapter and page reference.

Posted: 09/11/2018, 16:30
