Associate Publisher: Neil Edde
Acquisitions Editor: Elizabeth Hurley
Developmental Editor: Jeff Kellum
Production Editor: Lori Newman
Technical Editors: Warren Wyrostek, David Groth
Copyeditor: Kathy Grider-Carlyle
Compositor: Rozi Harris, Interactive Composition Corporation
Graphic Illustrator: Tony Jonick
CD Coordinator: Dan Mummert
CD Technician: Kevin Ly
Proofreaders: Emily Hsuan, David Nash, Laurie O’Connell, Yariv Rabinovitch, Nancy Riddiough, Sarah Tannehill
Indexer: Rebecca Plunkett
Book Designer: Bill Gibson
Cover Designer: Archer Design
Cover Photographer: R.H. Smith, Natural Selection
Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.
Library of Congress Card Number: 2002113843
ISBN: 0-7821-4098-X
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated.
The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com.
The logo of the CompTIA Authorized Curriculum Program and the status of this or other training material as “Authorized” under the CompTIA Authorized Curriculum Program signifies that, in CompTIA’s opinion, such training material covers the content of the CompTIA’s related certification exam. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose.
CompTIA makes no guarantee concerning the success of persons using any such “Authorized” or other training material in order to prepare for any CompTIA certification exam. The contents of this training material were created for the CompTIA Security+ exam covering CompTIA certification exam objectives that were current as of September 2002.
Security+™
Study Guide
Michael Pastore
How to Become CompTIA Certified:
This training material can help you prepare for and pass a related CompTIA certification exam or exams. In order to achieve CompTIA certification, you must register for and pass a CompTIA certification exam or exams.
In order to become CompTIA certified, you must:
(1) Select a certification exam provider. For more information please visit http://www.comptia.org/certification/general_information/test_locations.asp
(2) Register for and schedule a time to take the CompTIA certification exam(s) at a convenient location.
(3) Read and sign the Candidate Agreement, which will be presented at the time of the exam(s). The text of the Candidate Agreement can be found at http://www.comptia.org/certification/general_information/candidate_agreement.asp
(4) Take and pass the CompTIA certification exam(s).
For more information about CompTIA’s certifications, such as their industry acceptance, benefits, or program news, please visit http://www.comptia.org/certification/default.asp
CompTIA is a non-profit information technology (IT) trade association. CompTIA’s certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry.
To contact CompTIA with any questions or comments:
Please call + 1 630 268 1818
questions@comptia.org
Sybex is an independent entity from CompTIA and is not affiliated with CompTIA in any manner. Neither CompTIA nor Sybex warrants that use of this publication will ensure passing the relevant exam. Security+ is either a registered trademark or trademark of CompTIA in the United States and/or other countries.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Trang 4and/or text files (the “Software”) to be used in connection
with the book SYBEX hereby grants to you a license to use
the Software, subject to the terms that follow Your
pur-chase, acceptance, or use of the Software will constitute
your acceptance of such terms.
The Software compilation is the property of SYBEX unless
otherwise indicated and is protected by copyright to SYBEX
or other copyright owner(s) as indicated in the media files
(the “Owner(s)”) You are hereby granted a single-user
license to use the Software for your personal, noncommercial
use only You may not reproduce, sell, distribute, publish,
circulate, or commercially exploit the Software, or any
portion thereof, without the written consent of SYBEX and
the specific copyright owner(s) of any component software
included on this media.
In the event that the Software or components include specific
license requirements or end-user agreements, statements of
condition, disclaimers, limitations or warranties (“End-User
License”), those End-User Licenses supersede the terms and
conditions herein as to that particular Software component
Your purchase, acceptance, or use of the Software will
constitute your acceptance of such End-User Licenses.
By purchase, use or acceptance of the Software you further
agree to comply with all export laws and regulations of the
United States as such laws and regulations may exist from
time to time.
Software Support
Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.
Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).
Warranty
SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com.
no charge by sending the defective media, postage prepaid, with proof of purchase to:
SYBEX Inc.
Product Support Department
1151 Marina Village Parkway, Alameda, CA 94501
Web: http://www.sybex.com
After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.
Disclaimer
SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting.
The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.
Shareware Distribution
This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.
Copy Protection
The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
To Our Valued Readers:
Sybex is proud to have served as a cornerstone member of CompTIA’s Security+ Advisory Committee. Just as CompTIA is committed to establishing measurable standards for certifying IT security professionals, Sybex is committed to providing those individuals with the skills needed to meet those standards.
By working alongside CompTIA, and in conjunction with other esteemed members of the Security+ committee, it is our desire to help bridge the knowledge and skills gap that currently confronts the IT industry.
Our authors, editors, and technical reviewers have worked hard to ensure that this Security+ Study Guide is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will meet and exceed the demanding standards of the certification marketplace and help you, the Security+ exam candidate, succeed in your endeavors.
Good luck in pursuit of your Security+ certification!
Neil Edde
Associate Publisher—Certification
Sybex, Inc.
If you are preparing to take the Security+ exam, you will undoubtedly want to find as much information as you can concerning computer and physical security. The more information you have at your disposal and the more hands-on experience you gain, the better off you will be when attempting the exam. This study guide was written with that in mind. We have attempted to dispense as much information as we can about computer security. The key was to provide enough information so that you will be prepared for the test but not too much so that you will be overloaded. Using the CompTIA Security+ Exam Guide found on the CompTIA website, we have arranged this book into chapters that represent the exam objectives. If you need to concentrate on a particular objective, you will find everything you need within the chapter on which the objective is based.
This book presents the material at an intermediate technical level. Experience with, and understanding of, security concepts, operating systems, and application systems will help you get a full understanding of the challenges facing you as a security professional.
We’ve included review questions at the end of each chapter to give you a taste of what it’s like to take the exam. If you’re already working in the security field, we recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. You may find, as many administrators have, that working on a daily basis with security issues may not allow you to actually obtain a deep knowledge of the field. Using this study guide will help you round out your knowledge base before tackling the exam.
If you can answer 80 percent or more of the review questions correctly for a given chapter, you can probably feel safe moving on to the next chapter. If you’re unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.
Don’t just study the questions and answers! The questions on the actual exam will be different from the practice ones included in this book and on the CD. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objective behind the question.
What Is the Security+ Certification?
Computer security is a field that is just now starting to come into its own. This field includes such a wide area of concern that it is difficult to get a handle on all of the aspects associated with security. The spread of viruses, malicious code, intentional sabotage, and even terrorism are a part of the areas that a security professional must be concerned about. Your challenges are both to provide assistance in security efforts and to consult your organization about how to improve security.
The Security+ exam is primarily targeted at individuals with limited exposure to security concepts. The exam tests your understanding of the common technologies used in computers today, as well as your knowledge of how security impacts an organization. You can expect to see questions that affect both policy issues and technical issues. From the perspective of the exam, these two areas are so intertwined that they must both be covered. The exam does not delve deeply into the various technical standards, but it focuses on understanding how these technologies can be implemented to improve security. The exam is multiple choice, and the questions are relatively straightforward.
Why Become Security+ Certified?
There are a number of reasons for becoming Security+ certified:
It demonstrates proof of professional achievement
It increases your marketability
It provides greater opportunity for advancement in your field
It is increasingly found as a requirement for some types of advanced training
It raises customer confidence in you and your company’s services.
Let’s explore each reason in detail.
Provides Proof of Professional Achievement
Specialized certifications are the best way to stand out from the crowd In this age of technology certifications, you will find hundreds of thousands of
administrators who have successfully completed the Microsoft and Novell certification tracks. To set yourself apart from the crowd, you need a little bit more. The Security+ exam is part of the CompTIA certification track that includes A+, Net+, and Server+. This exam will help you prepare for more advanced certifications as it provides a good solid grounding in security concepts, and it will give you the recognition you deserve.
Increases Your Marketability
Almost anyone can bluff their way through an interview. Once you are security certified, you will have the credentials to prove your competency. And certifications are something that cannot be taken from you when you change jobs. Once certified, you can take that certification with you to any of the positions you accept.
Provides Opportunity for Advancement
Individuals who prove themselves to be competent and dedicated are the ones who will most likely be promoted. Becoming certified is a great way to prove your skill level and show your employer that you are committed to improving your skill set. Look around you at those who are certified. They are probably the ones who receive good pay raises and promotions.
Fulfills Training Requirements
Many companies have set training requirements for their staff so that they stay up-to-date on the latest technologies. Having a certification program in security provides administrators with another certification path to follow when they have exhausted some of the other industry-standard certifications.
Raises Customer Confidence
As companies discover the CompTIA advantage, they will undoubtedly require qualified staff to achieve these certifications. Many companies outsource their work to consulting firms with experience working with security. Those firms that have certified staff have a definite advantage over other firms that do not.
Security+ Testing Providers
Exam pricing may vary by country or by CompTIA membership.
When you schedule the exam, you will receive instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter. Exams can be scheduled up to six weeks out or as early as the next day.
Exam prices and codes may vary based on the country in which they are administered. For detailed pricing and exam registration procedures, please refer to CompTIA’s website, www.comptia.com.
What to Expect on the Exam
The Security+ exam consists of 100 questions, and you are allotted 90 minutes to complete it, so use your time wisely. The minimum passing score is 764, which is graded on a scale from 100 to 900. Your exam results will be displayed as soon as you complete the exam. Unfortunately, candidates are not able to review their incorrect test questions or answers. This procedure is in place to ensure that the integrity of the certification exam remains secure at all times. Which makes sense; it is a security exam, right?
After you’ve successfully passed your Security+ exam with flying colors, CompTIA will award you with your certification, which is good for life. Within four to six weeks of passing your exam, you will receive your official CompTIA Security+ certificate and ID card. (If you do not receive these within eight weeks of taking the test, go ahead and contact CompTIA directly using the information found in your registration packet.)
Who Should Buy This Book?
If you want to acquire a solid foundation in computer security, and your goal is to prepare for the exam by learning how to develop and improve security, this book is for you. You’ll find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.
If you want to become certified as a Security+ holder, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding security, this study guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of computer security.
In addition to reading the book, you might consider downloading and reading the white papers on security.
How to Use This Book and the CD
We’ve included several testing features in both the book and on the CD-ROM bound at the front of the book. These tools will help you retain vital exam content, as well as prepare to sit for the actual exam. Using our custom test engine, you can identify weak areas up front and then develop a solid studying strategy using each of these robust testing features. Our thorough readme will walk you through the quick and easy installation process.
Before You Begin
At the beginning of the book (right after this introduction, in fact) is an assessment test that you can use to check your readiness for the actual exam. Take this test before you start reading the book. It will help you determine the areas you may need to brush up on. The answers to each assessment test appear on a separate page after the last question of the test. Each answer also includes an explanation and a note telling you in which chapter this material appears.
Chapter Review Questions
To test your knowledge as you progress through the book, there are review questions at the end of each chapter. As you finish each chapter, answer the review questions and then check to see if your answers are right—the correct answers appear on the page following the last review question. You can go back to reread the section that deals with each question you got wrong to ensure that you get the answer correctly the next time you are tested on the material.
Electronic “Flashcards”
You’ll also find 150 flashcard questions for on-the-go review. Download them right onto your Palm device for quick and convenient reviewing.
Test Engine
In addition to the assessment test and the chapter review tests, you’ll find two sample exams. Take these practice exams just as if you were taking the actual exam (i.e., without any reference material). When you have finished the first exam, move onto the next one to solidify your test-taking skills. If you get more than 90 percent of the answers correct, you’re ready to go ahead and take the certification exam.
Full Text of the Book in PDF
Also, if you have to travel but still need to study for the Citrix MetaFrame exam and you have a laptop with a CD-ROM drive, you can carry this entire book with you just by taking along the CD-ROM. The CD-ROM contains this book in PDF (Adobe Acrobat) format so it can be easily read on any computer.
Exam Objectives
CompTIA goes to great lengths to ensure that their certification programs accurately reflect the IT industry’s best practices. They do this by establishing Cornerstone committees for each of their exam programs. Each committee is comprised of a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam’s baseline competency level and who determine the appropriate target audience level. Once these factors are determined, CompTIA shares this information with a group of hand-selected Subject Matter Experts, more commonly called SMEs. These folks are the true brainpower behind the certification program. In the case of this exam, they are IT-seasoned pros from the likes of Microsoft, Sun Microsystems, Verisign, and RSA Security, just to name a few. They review the committee’s findings, refine them, and shape them into the objectives you see before you. CompTIA calls this process a Job Task Analysis (JTA). Finally, CompTIA conducts a survey to ensure that the objectives and weightings are indeed truly reflective of the job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. And, in many cases, they have to go back to the drawing board for further refinements before the exam is ready to go live in its final state. So, rest assured the content you are about to learn will serve you long after you take the exam.
Exam objectives are subject to change at any time without prior notice and at CompTIA’s sole discretion. Please visit the certification page of CompTIA’s website at www.comptia.org for the most current listing of exam objectives.
CompTIA also publishes relative weightings for each of the exam’s objectives. The following table lists the five Security+ objective domains and the extent to which they are represented on the actual exam. For example, expect to spend more time answering a few more questions that pertain to authentication from the first domain, General Security Concepts, rather than questions on algorithms from the fourth domain, Basics of Cryptography. As you use this study guide, you will find that we have tried to administer just the right dosage of objective knowledge to you by tailoring our coverage to mirror the percentages that CompTIA uses.
1 General Security Concepts
1.1 Access Control
1.1.1 MAC/DAC/RBAC
1.2 Authentication
1.2.1 Kerberos
1.2.2 CHAP
1.2.3 Certificates
1.2.4 Username/Password
1.2.5 Tokens
1.2.6 Multi-Factor
1.2.7 Mutual Authentication
1.2.8 Biometrics
1.3 Non-essential Services and Protocols – Disabling unnecessary systems/process/programs
1.4 Attacks
1.4.1 DOS/DDOS
1.4.2 Back Door
1.4.3 Spoofing
1.4.4 Man in the Middle
1.4.5 Replay
1.4.6 TCP/IP Hijacking
1.4.7 Weak Keys
1.4.8 Mathematical
1.4.9 Social Engineering
1.4.10 Birthday
1.4.11 Password Guessing
1.4.11.1 Brute Force
1.4.11.2 Dictionary
1.5 Malicious Code
1.5.1 Viruses
1.5.2 Trojan Horses
1.5.3 Logic Bombs
1.5.4 Worms
1.6 Social Engineering
1.7 Auditing – Logging, system scanning
2 Communication Security
2.1 Remote Access
2.1.1 802.1x
2.1.2 VPN
2.1.3 RADIUS
2.1.4 TACACS/+
2.1.5 L2TP/PPTP
2.1.6 SSH
2.1.7 IPSEC
2.1.8 Vulnerabilities
2.2 Email
2.2.1 S/MIME
2.2.2 PGP
2.2.3 Vulnerabilities
2.2.3.1 Spam
2.2.3.2 Hoaxes
2.3 Web
2.3.1 SSL/TLS
2.3.2 HTTP/S
2.3.3 Instant Messaging
2.3.3.1 Vulnerabilities
2.3.3.2 8.3 Naming Conventions
2.3.3.3 Packet Sniffing
2.3.3.4 Privacy
2.3.4 Vulnerabilities
2.3.4.1 Java Script
2.3.4.2 ActiveX
2.3.4.3 Buffer Overflows
2.3.4.4 Cookies
2.3.4.5 Signed Applets
2.3.4.6 CGI
2.3.4.7 SMTP Relay
2.4 Directory – Recognition not administration
2.4.1 SSL/TLS
2.4.2 LDAP
2.5 File Transfer
2.5.1 S/FTP
2.5.2 Blind FTP/Anonymous
2.5.3 File sharing
2.5.4 Vulnerabilities
2.5.4.1 Packet Sniffing
2.6 Wireless
2.6.1 WTLS
2.6.2 802.11x
2.6.3 WEP/WAP
2.6.4 Vulnerabilities
2.6.4.1 Site Surveys
3 Infrastructure Security
3.3.2 VLANs
3.3.3 NAT
3.3.4 Tunneling
3.4 Intrusion Detection
3.4.1 Network Based
3.4.1.1 Active Detection
3.4.1.2 Passive Detection
3.4.2 Host Based
3.4.2.1 Active Detection
3.4.2.2 Passive Detection
3.4.3 Honey Pots
3.4.4 Incident Response
3.5 Security Baselines
3.5.1 OS/NOS Hardening (Concepts and processes)
3.5.1.1 File System
3.5.1.2 Updates (Hotfixes, Service Packs, Patches)
3.5.2 Network Hardening
3.5.2.1 Updates (Firmware)
3.5.2.2 Configuration
3.5.2.2.1 Enabling and Disabling Services and Protocols
3.5.2.2.2 Access control lists
3.5.3 Application Hardening
3.5.3.1 Updates (Hotfixes, Service Packs, Patches)
3.5.3.2 Web Servers
3.5.3.3 Email Servers
3.5.3.4 FTP Servers
3.5.3.5 DNS Servers
3.5.3.7 File/Print Servers
3.5.3.8 DHCP Servers
3.5.3.9 Data Repositories
3.5.3.9.1 Directory Services
3.5.3.9.2 Databases
4 Basics of Cryptography
4.1 Algorithms
4.1.1 Hashing
4.1.2 Symmetric
4.1.3 Asymmetric
4.2 Concepts of using cryptography
4.2.1 Confidentiality
4.2.2 Integrity
4.2.2.1 Digital Signatures
4.2.3 Authentication
4.2.4 Non-Repudiation
4.2.4.1 Digital Signatures
4.2.5 Access Control
4.3 PKI
4.3.1 Certificates – Make a distinction between what certificates are used for what purpose. Basics only.
4.3.1.1 Certificate Policies
4.3.1.2 Certificate Practice Statements
4.3.2 Revocation
4.3.3 Trust Models
4.4 Standards and Protocols
4.5 Key Management/Certificate Lifecycle
4.5.1 Centralized vs Decentralized
4.5.2 Storage
4.5.2.1 Hardware vs Software
4.5.2.2 Private Key Protection
4.5.3 Escrow
4.5.4 Expiration
4.5.5 Revocation
4.5.5.1 Status Checking
4.5.6 Suspension
4.5.6.1 Status Checking
4.5.7 Recovery
4.5.7.1 M of N Control
4.5.8 Renewal
4.5.9 Destruction
4.5.10 Key Usage
4.5.10.1 Multiple Key Pairs (Single, Dual)
5 Operational/Organizational Security
5.1 Physical Security
5.1.1 Access Control
5.1.1.1 Physical Barriers
5.1.1.2 Biometrics
5.1.2 Social Engineering
5.1.3 Environment
5.1.3.1 Wireless Cells
5.1.3.2 Location
5.1.3.3 Shielding
5.1.3.4 Fire Suppression
5.2 Disaster Recovery
5.5 Privilege Management
5.5.1 User/Group/Role Management
5.5.2 Single Sign-on
5.5.3 Centralized vs Decentralized
5.5.4 Auditing (Privilege, Usage, Escalation)
5.5.5 MAC/DAC/RBAC
5.6 Forensics (Awareness, conceptual knowledge and understanding — know what your role is.)
5.6.1 Chain of Custody
5.6.2 Preservation of Evidence
5.6.3 Collection of Evidence
5.7 Risk Identification
5.7.1 Asset Identification
5.7.2 Risk Assessment
5.7.3 Threat Identification
5.7.4 Vulnerabilities
5.8 Education – Training of end users, executives and HR
5.8.1 Communication
5.8.2 User Awareness
5.8.3 Education
5.8.4 Online Resources
5.9 Documentation
5.9.1 Standards and Guidelines
5.9.2 Systems Architecture
5.9.3 Change Documentation
5.9.4 Logs and Inventories
5.9.5 Classification
5.9.5.1 Notification
5.9.6 Retention/Storage
5.9.7 Destruction
Tips for Taking the Security+ Exam
Here are some general tips for taking your exam successfully:
Bring two forms of ID with you. One must be a photo ID, such as a driver’s license. The other can be a major credit card or a passport. Both forms must contain a signature.
Arrive early at the exam center so you can relax and review your study materials, particularly tables and lists of exam-related information.
Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
Don’t leave any unanswered questions. Unanswered questions are scored against you.
There will be questions with multiple correct responses. When there is more than one correct answer, a message at the bottom of the screen will prompt you to “Choose all that apply.” Be sure to read the messages displayed.
When answering multiple-choice questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This will improve your odds if you need to make an educated guess.
On form-based tests, because the hard questions will eat up the most time, save them for last. You can move forward and backward through the exam.
For the latest pricing on the exams and updates to the registration procedures, visit CompTIA’s website at www.comptia.org.
About the Author
Mike Pastore is an MCP, A+, Net+, Security+ certified professional. He has over 25 years of experience in IT, including management, administration, and development. He has consulted with a number of organizations on computer and computer security issues. Michael has been involved in CompTIA certifications for several years, and he has worked with CompTIA on several exams. Michael also teaches computer and management topics at several colleges. You can e-mail him at mikepast@aol.com.
5. An Internet server interfaces with TCP/IP at which layer of the DoD model?
9. An attack that is designed to overload a particular protocol or service is referred to as which kind of attack?
A. Verification that information is accurate
B. Verification that ethics are properly maintained
C. Establishment of clear access control of data
D. Verification that data is kept private and secure
13. Which mechanism is used by PKI to allow immediate verification of a certificate's validity?
A. Your user inadvertently downloaded a virus using IM
B. Your user has a potentially defective hard drive
C. Your user is hallucinating and should increase his medication
D. The system is suffering from power surges
16. The mechanism used to enable or disable access to a network resource based on an IP address is referred to as what?
A. NDS
B. ACL
C. Hardening
D. Port blocking
17. Which of the following would provide additional security to an Internet WWW server?
A. Changing the port address to 80
B. Changing the port address to 1019
C. Adding a firewall to block Port 80
D. WWW servers cannot be secured
18. What is a program that exists primarily to propagate and spread to other systems called?
A. Social engineering
B. Access control
C. Perimeter screening
D. Behavioral engineering
20. Which of the following is a major security problem with FTP servers?
A. Password files are stored in an insecure area on disk
B. Memory traces can corrupt file access
C. User IDs and passwords are unencrypted
D. FTP sites are unregistered
21. Which system would you install to provide active protection and notification of security problems in a network connected to the Internet?
25. Which algorithm is used to create a temporary secure session for the exchange of key information?
A. KDC
B. KEA
C. SSL
D. RSA
26. You are being asked to consult on security for hand-held devices, such as a PDA. You are told you must use an asymmetric system. Which security standard would you recommend?
29. Which access control method is primarily concerned with the role that individuals have in the organization?
Answers to Assessment Test
1. A. A privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of an organization. For more information, see Chapter 9.
2. D. A mantrap is a device, such as a small room, that limits access to a small number of individuals. Mantraps typically use electronic locks and other methods to control access.
3. B. Public-Key Cryptography Standards (PKCS) are a set of voluntary standards for public key cryptography. This set of standards is coordinated by RSA Incorporated.
4. B. Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP is known to have vulnerabilities and is not considered highly secure. For additional information, see Chapter 4.
5. C. The Process layer interfaces with applications and encapsulates traffic through the Host-to-Host (Transport) layer, the Internet layer, and the Network Access layer. For more information, see Chapter 2.
6. B. L2TP is a tunneling protocol that can be used between LANs. L2TP provides no encryption of its own, so you would pair it with IPSec to protect the data. For more information, see Chapter 3.
7. A. A DMZ is an area of a network that allows restricted access to untrusted users while isolating the internal network from access by external users and systems. This is accomplished using routers and firewalls to limit access to sensitive network resources. For more information, see Chapter 1.
8. C. A key recovery process must be able to recover a previous key. If the previous key can't be recovered, all of the information encrypted with that key will be irrecoverably lost.
9. D. A flood attack is designed to overload a protocol or service by repeatedly initiating requests for service. This type of attack usually results in a DoS situation, caused either by the protocol freezing or by excessive bandwidth consumption in the network as a result of the requests. For more information, see Chapter 2.
10. B. A sensor collects data from the data source and passes it on to the analyzer. If the analyzer determines that unusual activity has occurred, an alert may be generated. For additional information, see Chapter 4.
11. A. Hardening is the term used to describe the process of securing a system. This is accomplished in many ways, including disabling unneeded protocols and services. For additional information on hardening, see Chapter 5.
12. A. The goal of integrity is to verify that the information being used is accurate and has not been tampered with. Integrity is coupled with accountability to ensure that data is accurate and that a final authority exists to verify this, if needed. For more information, see Chapter 1.
13. D. Online Certificate Status Protocol (OCSP) is the mechanism used to immediately verify whether a certificate is valid. A CRL is published on a regular basis, but it begins to go stale as soon as it is published. For additional information, see Chapter 7.
14. B. Partitioning is the process of breaking a network into smaller components that can each be individually protected. The concept is the same as building walls in an office building. For additional information, see Chapter 6.
15. A. IM and other systems allow unsuspecting users to download files that may contain viruses. Because many applications and file managers hide a known final extension, a file can appear to have one extension while actually having another. An example is mydocument.doc.vbs: this file would appear in many applications as mydocument.doc, but it is actually a Visual Basic script and could contain malicious code. For additional information, see Chapter 4.
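The double-extension trick in answer 15 can be screened for mechanically before a file ever reaches a user. The following Python is an added example, not code from the book: the extension lists and the sample file names are assumptions constructed for the example, and displayed_name only imitates a file manager that hides a known final extension. It also covers a related trick the answer does not mention, the Unicode right-to-left override character, which makes a name such as invoice<RLO>fdp.exe render as invoiceexe.pdf.

```python
import os

# Extensions Windows will execute or hand to a script interpreter. The list is
# an assumption for this example and is deliberately not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk",
}

# Extensions a user expects to open as passive data (also an assumed list).
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf",
    ".jpg", ".jpeg", ".png", ".gif", ".zip", ".mp3",
}

KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS

# Unicode RIGHT-TO-LEFT OVERRIDE: the tail of the name renders reversed, so
# "invoice<RLO>fdp.exe" is displayed as "invoiceexe.pdf".
RLO = "\u202e"


def normalize(filename: str) -> str:
    """Strip the tricks that only affect how a name is displayed."""
    return filename.replace(RLO, "").rstrip()


def displayed_name(filename: str) -> str:
    """Imitate a file manager that hides the last extension when it is 'known'.

    mydocument.doc.vbs is shown as mydocument.doc, and setup.exe as setup.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTENSIONS else filename


def true_extension(filename: str) -> str:
    """The extension the shell actually uses to decide how to open the file."""
    return os.path.splitext(normalize(filename))[1].lower()


def is_deceptive(filename: str) -> bool:
    """True when what the user sees suggests a document but the file executes."""
    if true_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return False                      # not executable, nothing to disguise
    if RLO in filename:
        return True                       # visual reversal is always a lie
    visible = displayed_name(normalize(filename))
    return os.path.splitext(visible)[1].lower() in DOCUMENT_EXTENSIONS


def flag_suspicious(filenames):
    """Return the subset of names that should be quarantined for review."""
    return [name for name in filenames if is_deceptive(name)]


# Constructed sample of names as they might arrive over IM or e-mail.
SAMPLE_DOWNLOADS = [
    "mydocument.doc.vbs",          # the example from the answer above
    "mydocument.doc",              # genuine Word document
    "setup.exe",                   # executable, but not posing as a document
    "photo.jpg.scr",               # screensaver binary disguised as an image
    "invoice" + RLO + "fdp.exe",   # shown as invoiceexe.pdf
    "README.TXT.exe ",             # upper case and a trailing space, still .exe
]

if __name__ == "__main__":
    for name in SAMPLE_DOWNLOADS:
        print(f"{displayed_name(name)!r:<26} real={true_extension(name):<5} "
              f"deceptive={is_deceptive(name)}")
```

A mail gateway or download filter would call flag_suspicious on the attachment names and quarantine the hits; the point of normalize is that the check has to run on the bytes the operating system will act on, not on the string the user will see.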
16. B. Access Control Lists (ACLs) are used to permit or deny an IP address access to a network resource. ACL mechanisms are implemented in many routers, firewalls, and other network devices. For additional information, see Chapter 5.
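Two properties of ACLs that answer 16 leaves implicit, first-match evaluation and the implicit deny at the end of the list, are easiest to see in a small evaluator. The following Python is an added example, not code from the book or from any vendor: the one-rule-per-line syntax, the sample ACL and the addresses tested against it are all assumptions made for the example. shadowed_entries is the check a practitioner runs before pushing an ACL, because an entry placed below a broader one never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # source addresses this entry matches


def parse_acl(text: str) -> List[AclEntry]:
    """Parse one '<permit|deny> <CIDR|any>' rule per line, in evaluation order.

    The syntax is a simplification invented for this example; it is not any
    vendor's configuration language. IPv4 only, to keep the example short.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        action, target = line.split(None, 1)
        action = action.lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACL line: {raw!r}")
        target = "0.0.0.0/0" if target.strip() == "any" else target.strip()
        entries.append(AclEntry(action, ipaddress.IPv4Network(target, strict=False)))
    return entries


def evaluate(acl: List[AclEntry], source: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    addr = ipaddress.IPv4Address(source)
    for entry in acl:
        if addr in entry.network:
            return entry.action
    return "deny"                                    # implicit deny at the end


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already
    covers every address they would match. A common mistake when editing ACLs."""
    shadowed = []
    for i, entry in enumerate(acl):
        if any(entry.network.subnet_of(earlier.network) for earlier in acl[:i]):
            shadowed.append(i)
    return shadowed


# Constructed sample ACL protecting a single internal resource.
SAMPLE_ACL = parse_acl("""
deny   10.1.1.99/32        # a compromised host inside the admin subnet
permit 10.1.1.0/24         # the rest of the admin subnet
permit 192.168.50.0/25     # lower half of the partner network only
deny   any                 # explicit catch-all
permit 192.168.50.0/24     # never reached: shadowed by 'deny any' above
""")

if __name__ == "__main__":
    for src in ("10.1.1.99", "10.1.1.5", "192.168.50.7", "192.168.50.200", "8.8.8.8"):
        print(f"{src:<16} {evaluate(SAMPLE_ACL, src)}")
    print("shadowed entries:", shadowed_entries(SAMPLE_ACL))
```

The specific deny for 10.1.1.99 has to sit above the subnet permit or it is never consulted, and the last permit in the sample is dead because the catch-all above it already matches every address.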
17. B. The default port for a WWW server is port 80. By changing the port to 1019, you force users to specify this port in their browsers, which provides a little additional security for your website (obscurity only; the server itself must still be hardened). Adding a firewall to block port 80 would secure your website so thoroughly that no one would be able to access it. For more information, see Chapter 3.
18. D. A worm is designed to multiply and propagate. Worms may carry viruses or other payloads that cause system destruction, but that is not their primary mission. For more information, see Chapter 2.
19. A. Social engineering is the method of using human intelligence techniques, such as persuasion and impersonation, to gain access to or information about your organization. For additional information, see Chapter 6.
20. C. FTP in most environments sends account and password information unencrypted. This leaves these accounts vulnerable to network sniffing. For additional information, see Chapter 5.
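To make the sniffing risk in answer 20 concrete, the following Python reads a captured FTP control channel and pulls the credentials out of it. This is an added example, not code from the book or from any sniffer: the two captures are constructed for the example (the host, user and password do not exist), and the "C:"/"S:" prefixes stand in for the direction field a packet capture tool would record. The second capture shows why explicit FTPS (AUTH TLS) defeats the same parser: once the server accepts with reply 234, the channel is encrypted and USER/PASS are no longer readable.

```python
from typing import List, Optional, Tuple

# Constructed cleartext session: "C:" is client to server, "S:" is the server's
# numeric reply. Includes one failed and one successful login attempt.
CAPTURE_PLAIN = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS wrong-guess
S: 530 Login incorrect
C: USER alice
S: 331 Password required for alice
C: PASS s3cret-Passw0rd
S: 230 User alice logged in
C: CWD /reports
S: 250 CWD command successful
C: QUIT
S: 221 Goodbye
"""

# The same login over explicit FTPS. After reply 234 the control channel is
# TLS-protected; a sniffer sees only ciphertext (shown here as hex fragments).
CAPTURE_TLS = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: 16 03 01 00 a5 01 00 00 a1 03 03 ...
S: 16 03 03 00 4a 02 00 00 46 03 03 ...
C: 17 03 03 00 2c ...
"""

Credential = Tuple[str, str, bool]          # (user, password, login succeeded)


def extract_credentials(capture: str) -> List[Credential]:
    """Pull every USER/PASS pair off a cleartext FTP control channel.

    A pair is recorded when the server answers the PASS with 230 (logged in)
    or 530 (rejected), so failed guesses are captured too.
    """
    found: List[Credential] = []
    user: Optional[str] = None
    password: Optional[str] = None
    encrypted = False
    for line in capture.splitlines():
        direction, _, payload = line.partition(": ")
        if encrypted or direction not in ("C", "S"):
            continue                                  # ciphertext or noise
        if direction == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user, password = arg, None            # new attempt starts
            elif verb == "PASS":
                password = arg
        else:
            code = payload[:3]
            if code == "234":
                encrypted = True                      # AUTH TLS accepted
            elif code in ("230", "530") and user is not None and password is not None:
                found.append((user, password, code == "230"))
                user = password = None
    return found


def successful_logins(capture: str) -> List[Tuple[str, str]]:
    """Only the credentials that actually worked, for a detection alert."""
    return [(u, p) for u, p, ok in extract_credentials(capture) if ok]


if __name__ == "__main__":
    print("cleartext:", extract_credentials(CAPTURE_PLAIN))
    print("ftps     :", extract_credentials(CAPTURE_TLS))
```

Running the same parser over real traffic (for example on a span port) is a quick way to prove to a reluctant application owner that their FTP accounts are exposed; the fix the book implies is to move the service to SFTP or FTPS rather than to rename the accounts.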
21. A. An Intrusion Detection System provides active monitoring and rules-based responses to unusual activity on a network. A firewall provides passive security by blocking unauthorized traffic. If the firewall were compromised or bypassed, the IDS would notify you based on the rules it is designed to implement. For more information, see Chapter 3.
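The flood attack in answer 9, the sensor-to-analyzer-to-alert flow in answer 10 and the rules-based response in answer 21 fit together in one small rate-based detector. The following Python is an added example, not code from the book or from any IDS product: the log line format, the traffic built by build_sample_log, and the threshold and window values are assumptions made for the example. The slow host at the end is included to show the edge case a rate rule must get right: many requests over a long time are not a flood.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: datetime
    src: str
    port: int
    kind: str          # "SYN" is a connection request in this log format


def parse_line(line: str) -> Event:
    """Sensor: turn one raw log line into an event.

    Assumed line format: "<ISO time> <source IP> <destination port> <kind>".
    """
    ts, src, port, kind = line.split()
    return Event(datetime.fromisoformat(ts), src, int(port), kind)


class FloodAnalyzer:
    """Analyzer: a sliding-window rate rule per (source, port).

    Fires once when a source sends `threshold` or more SYNs to one port within
    `window_seconds`. Later SYNs from that source do not re-alert, so a flood
    cannot also flood the alert queue.
    """

    def __init__(self, threshold: int = 20, window_seconds: int = 5):
        self.threshold = threshold
        self.window = window_seconds
        self.windows: Dict[Tuple[str, int], Deque[datetime]] = defaultdict(deque)
        self.alerted: Set[Tuple[str, int]] = set()

    def feed(self, ev: Event) -> Optional[dict]:
        if ev.kind != "SYN":
            return None
        key = (ev.src, ev.port)
        q = self.windows[key]
        q.append(ev.ts)
        while q and (ev.ts - q[0]).total_seconds() > self.window:
            q.popleft()                               # expired from the window
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"rule": "syn-flood", "src": ev.src, "port": ev.port,
                    "count": len(q), "at": ev.ts.isoformat()}
        return None


def run_detection(lines: List[str], threshold: int = 20,
                  window_seconds: int = 5) -> List[dict]:
    """Sensor -> analyzer -> list of alerts, over an iterable of log lines."""
    analyzer = FloodAnalyzer(threshold, window_seconds)
    alerts = []
    for line in lines:
        alert = analyzer.feed(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed traffic: normal activity, one burst, and one slow host."""
    lines = [
        "2003-01-15T10:00:00 192.168.1.20 80 SYN",
        "2003-01-15T10:00:00 192.168.1.20 80 ACK",
        "2003-01-15T10:00:01 192.168.1.21 80 SYN",
        "2003-01-15T10:00:01 192.168.1.22 443 SYN",
    ]
    # Flood: 40 SYNs from one host in two seconds (20 per second).
    lines += [f"2003-01-15T10:00:{2 + i // 20:02d} 10.0.0.5 80 SYN" for i in range(40)]
    # Slow host: 25 SYNs at one per second; never 20 inside any 5-second window.
    lines += [f"2003-01-15T10:01:{i:02d} 192.168.1.30 80 SYN" for i in range(25)]
    return lines


if __name__ == "__main__":
    for alert in run_detection(build_sample_log()):
        print(alert)
```

With the default rule only the burst from 10.0.0.5 produces an alert; lowering the threshold to 3 also catches the slow host, which is the usual tuning trade-off between catching a scan and paging someone for ordinary traffic.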
22. B. The chain of custody ensures that each step taken with evidence is documented and accounted for from the point of collection. Chain of custody is the who, what, when, where, and why of evidence handling and storage. For additional information, see Chapter 10.
23. A. Steganography is the process of hiding one message inside another. Digital watermarking is a common application of steganography. For additional information, see Chapter 7.
24. C. The use policy is also referred to as the usage policy. It should state the acceptable uses of computer and organizational resources by employees, and it should outline the consequences of noncompliance. For additional information, see Chapter 10.
25. B. The Key Exchange Algorithm (KEA) is used to create a temporary session in which key information is exchanged. That session produces a secret key; once the key has been exchanged, the regular session begins.
26. A. Elliptic Curve Cryptography (ECC) would probably be your best choice for a PDA. ECC provides strong security with smaller keys and less computation, so it is designed to work with smaller processors. The other systems may be options, but they require more computing power than ECC. For additional information, see Chapter 7.
27. B. An incremental backup will generally be the fastest of the backup methods because it backs up only the files that have changed since the last incremental or full backup. See Chapter 9 for more information.
28. C. Biometrics is the authentication process that uses physical characteristics, such as a palm print or retinal pattern, to establish identification. For more information, see Chapter 1.
29. C. Role-Based Access Control (RBAC) is primarily concerned with providing access to the systems a user needs based on the role they have in the organization. For more information, see Chapter 9.
30. A. Computer forensics is the process of investigating a computer system to determine the cause of an incident. Part of this process is gathering evidence. For additional information, see Chapter 10.
Chapter 1
General Security Concepts
THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
for people to help monitor and secure the data and information that people use to accomplish their work. These advances also put technologies into the hands of people who frequently do not have the experience and knowledge to protect them. As a computer security professional, you have a primary responsibility to protect and safeguard the information that your organization uses. Security is a high-growth area in the computer industry, and the need for qualified people is increasing very rapidly. Your pursuit of the Security+ certificate is a good first step in this process.
In this chapter, we will discuss the various aspects of computer security as they relate to your job. This chapter introduces the basics of computer security and provides several models that you can use to understand the risks your organization faces and the steps you must take in order to minimize those risks.
Information Security
The term information security covers a wide array of activities in an organization. It includes both products and processes to prevent unauthorized access, modification, and deletion of information, knowledge, data, and facts. This area also involves the protection of resources by preventing them from being disrupted by situations or attacks that may be largely beyond the control of the person responsible for information security.
From the perspective of a computer professional, you are dealing with issues that are much bigger than merely protecting computer systems from viruses. You are protecting many of the most valuable assets of an organization
from people who are highly motivated to misuse those assets. Some of these people may already be inside your organization. Fortunately, most of them will be outsiders.
Unfortunately, this job is not getting any easier. Information about weaknesses and vulnerabilities in most commercial systems is well known and documented. Your adversaries can use search engines to find vulnerabilities in virtually any product or operating system and learn how to exploit the most likely weaknesses in it. You can buy books on computer hacking, join newsgroups on the Internet, and access websites that detail how to exploit system weaknesses.
In many situations, you will find yourself dealing with inherent weaknesses in the products you use. In short, you must assume that you are under attack right now, even as you read this book. The next section discusses in more detail the considerations you must make in order to have a reasonable chance of securing your information, networks, and computers. Make sure you understand that we are talking about reasonable: there is no such thing as a completely secure network. One of the first things you must develop is a bit of paranoia. It is important to remember that you are dealing with both systems' vulnerabilities and human vulnerabilities. While they are not the same, they both affect the organization significantly.
Information security includes three areas of primary focus, each addressing a different part of computer security. An effective computer security plan and process must evaluate the risks and create strategies and methods to address them. This section focuses on three areas:
Physical Security
Operational Security
Management and Policies
Each of these areas is vital to assuring security in an organization. You can think of this as a three-legged stool: if any one leg breaks, you fall down and hurt yourself. You must look at the overall business and address all the issues the business faces concerning computer security. Figure 1.1 shows how these three components of computer security interact to provide a reasonably secure environment.
Part of your job is to make recommendations to management about needs and deficiencies, take action to minimize the risks and exposure of your information and systems, and establish, enforce, and maintain the security of the systems with which you work. This is no small task, and you must do each element well in order to have a reasonable chance of maintaining security in your organization.
FIGURE 1.1 The security triad
Physical Security
Physical security involves the protection of your assets and information from physical access by unauthorized personnel. These threats often present themselves as service technicians, janitors, customers, vendors, or even employees. They can steal your equipment, damage it, or take documents from offices, garbage cans, or filing cabinets. Their motivations may be as simple as greed or as complicated as a desire to steal your trade secrets to sell to a competitor or as an act of vengeance.
Physical security is relatively easy to accomplish. You secure facilities by controlling access to the office, shredding unneeded documents, installing security systems, and limiting access to sensitive areas in the business. Most office buildings provide perimeter and corridor security during unoccupied hours. Many office complexes also offer roving security patrols, multiple-lock access control methods, and electronic or password access. Typically, the facility managers handle these arrangements. They will not generally deal with internal security as it relates to your records, computer systems, and papers. That is clearly your responsibility in most situations.