Professional Documents
Culture Documents
Comptia Security All in One Exam Guide Exam Sy0 501 5Th Edition WM Arthur Conklin Full Chapter
Comptia Security All in One Exam Guide Exam Sy0 501 5Th Edition WM Arthur Conklin Full Chapter
Comptia Security All in One Exam Guide Exam Sy0 501 5Th Edition WM Arthur Conklin Full Chapter
ALL IN ONE
CompTIA
Security+ ®
EXAM GUIDE
Fifth Edition (Exam SY0-501)
McGraw-Hill Education is an independent entity from CompTIA®. This publication and CD-ROM may be used in assisting
students to prepare for the CompTIA Security+® exam. Neither CompTIA nor McGraw-Hill Education warrant that use
of this publication and CD-ROM will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or
registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their
respective owners.
Chuck Cothren, CISSP, Security+, is a Field Engineer at Ionic Security applying over
20 years of information security experience in consulting, research, and enterprise envi-
ronments. He has assisted clients in a variety of industries including healthcare, banking,
information technology, retail, and manufacturing. He advises clients on topics such
as security architecture, penetration testing, training, consultant management, data loss
prevention, and encryption. He is coauthor of the books Voice and Data Security and
Principles of Computer Security.
Roger L. Davis, CISSP, CISM, CISA, is a Technical Account Manager for Microsoft
supporting enterprise-level companies. He has served as president of the Utah chapter
of the Information Systems Security Association (ISSA) and various board positions for
the Utah chapter of the Information Systems Audit and Control Association (ISACA).
He is a retired Air Force lieutenant colonel with 30 years of military and information
systems/security experience. Mr. Davis served on the faculty of Brigham Young University
and the Air Force Institute of Technology. He coauthored McGraw-Hill Education’s
Principles of Computer Security and Voice and Data Security. He holds a master’s degree in
computer science from George Washington University, a bachelor’s degree in computer
science from Brigham Young University, and performed post-graduate studies in electri-
cal engineering and computer science at the University of Colorado.
Dwayne Williams, CISSP, CASP, is Associate Director, Technology and Research,
for the Center for Infrastructure Assurance and Security at the University of Texas at
San Antonio and is the Director of the National Collegiate Cyber Defense Competi-
tion. Mr. Williams has over 24 years of experience in information systems and network
security. Mr. Williams’s experience includes six years of commissioned military service
as a Communications-Computer Information Systems Officer in the United States Air
Force, specializing in network security, corporate information protection, intrusion de-
tection systems, incident response, and VPN technology. Prior to joining the CIAS,
he served as Director of Consulting for SecureLogix Corporation, where he directed
and provided security assessment and integration services to Fortune 100, government,
public utility, oil and gas, financial, and technology clients. Mr. Williams graduated in
1993 from Baylor University with a bachelor of arts in computer science. Mr. Williams
is a coauthor of Voice and Data Security, Principles of Computer Security, and CompTIA
Security + All-in-One Exam Guide.
Higher Salaries
IT professionals with certifications on their resume command better jobs, earn higher
salaries, and have more doors open to new multi-industry opportunities.
Verified Strengths
91% of hiring managers indicate CompTIA certifications are valuable in validating
IT expertise, making certification the best way to demonstrate your competency and
knowledge to employers. (Source: CompTIA Employer Perceptions of IT Training and
Certification.)
Universal Skills
CompTIA certifications are vendor neutral—which means that certified professionals
can proficiently work with an extensive variety of hardware and software found in most
organizations.
CompTIA Disclaimer
© 2016 CompTIA Properties, LLC, used under license by CompTIA Certifications,
LLC. All rights reserved. All certification programs and education related to such pro-
grams are operated exclusively by CompTIA Certifications, LLC. CompTIA is a regis-
tered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other
brands and company names mentioned herein may be trademarks or service marks of
CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination
of this courseware sheet is prohibited without written consent of CompTIA Properties,
LLC. Printed in the U.S. 02544-Mar2016.
The logo of the CompTIA Approved Quality Curriculum Program and the status of
this or other training material as “Approved” under the CompTIA Approved Curriculum
Program signifies that, in CompTIA’s opinion, such training material covers the content
of CompTIA’s related certification exam. CompTIA has not reviewed or approved the
accuracy of the contents of this training material and specifically disclaims any warran-
ties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee
concerning the success of persons using any such “Approved” or other training material
in order to prepare for any CompTIA certification exam.
CONTENTS AT A GLANCE
vii
Index.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
CONTENTS
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Objective Map: Exam SY0-501 . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix
ix
Contents
xi
Collision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Downgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Weak Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Chapter 3 Threat Actors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Types of Actors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Script Kiddies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Hacktivists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Organized Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Nation States/APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Insiders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Competitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Attributes of Actors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Internal/External . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Level of Sophistication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Resources/Funding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Intent/Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Use of Open Source Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 4 Vulnerability Scanning and Penetration Testing . . . . . . . . . . . . . . . . 71
Penetration Testing Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Active Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Passive Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Pivot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Initial Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Escalation of Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Black Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
White Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Gray Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Pen Testing vs. Vulnerability Scanning . . . . . . . . . . . . . . . . . . 76
Vulnerability Scanning Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Passively Test Security Controls . . . . . . . . . . . . . . . . . . . . . . . 76
Identify Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Identify Lack of Security Controls . . . . . . . . . . . . . . . . . . . . . 77
Identify Common Misconfigurations . . . . . . . . . . . . . . . . . . . 77
Intrusive vs. Non-intrusive . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Credentialed vs. Non-credentialed . . . . . . . . . . . . . . . . . . . . . 77
False Positive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Contents
xiii
VPN Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Remote Access vs. Site-to-Site . . . . . . . . . . . . . . . . . . . . . . . . 108
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Split Tunnel vs. Full Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . 115
TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Always-on VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
NIPS/NIDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Signature-Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Heuristic/Behavioral . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Inline vs. Passive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
In-Band vs. Out-of-Band . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Antispoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Layer 2 vs. Layer 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Loop Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Flood Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Forward and Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Transparent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Application/Multipurpose . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Active-Passive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Active-Active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Virtual IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
MAC Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Signal Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Band Selection/Width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Antenna Types and Placement . . . . . . . . . . . . . . . . . . . . . . . . 129
Fat vs. Thin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Controller-Based vs. Standalone . . . . . . . . . . . . . . . . . . . . . . 130
SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Automated Alerting and Triggers . . . . . . . . . . . . . . . . . . . . . . 131
Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Event Deduplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Logs/WORM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Contents
xv
tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
nmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
netcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Security Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
HIDS/HIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
File Integrity Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Host-Based Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Application Whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Removable Media Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Advanced Malware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Patch Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
UTM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
DLP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Data Execution Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Web Application Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Chapter 8 Troubleshooting Common Security Issues . . . . . . . . . . . . . . . . . . . . . 169
Unencrypted Credentials/Clear Text . . . . . . . . . . . . . . . . . . . . . . . . 169
Logs and Events Anomalies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Permission Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Access Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Certificate Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Data Exfiltration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Misconfigured Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Content Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Weak Security Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Personnel Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Policy Violation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Insider Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Social Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Personal E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Unauthorized Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Baseline Deviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
License Compliance Violation (Availability/Integrity) . . . . . . . . . . . 176
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Contents
xvii
Corporate-Owned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
VDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Chapter 10 Implementing Secure Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Secure Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
S/MIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
SRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
LDAPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
FTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
SFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Secure POP/IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Voice and Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
E-mail and Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Domain Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Routing and Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Network Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . . 208
Subscription Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Contents
xix
Supply Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Hardware Root of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
EMI/EMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Disabling Unnecessary Ports and Services . . . . . . . . . . . . . . . 247
Least Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Secure Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Trusted Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Application Whitelisting/Blacklisting . . . . . . . . . . . . . . . . . . 249
Disable Default Accounts/Passwords . . . . . . . . . . . . . . . . . . . 250
Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Wireless Keyboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Wireless Mice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Wi-Fi-Enabled MicroSD Cards . . . . . . . . . . . . . . . . . . . . . . . 251
Printers/MFDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
External Storage Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Digital Cameras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Staging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Production . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Secure Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Integrity Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Chapter 13 Embedded Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
SCADA/ICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Smart Devices/IoT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Wearable Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Home Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
HVAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
SoC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
RTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Printers/MFDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Camera Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Special Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Vehicles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Aircraft/UAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Contents
xxi
Cloud Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
PaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
IaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Private . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Public . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Hybrid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
On-Premise vs. Hosted vs. Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . 300
VDI/VDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Cloud Access Security Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Security as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Chapter 16 Resiliency and Automation Strategies . . . . . . . . . . . . . . . . . . . . . . . . . 307
Automation/Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Automated Courses of Action . . . . . . . . . . . . . . . . . . . . . . . . 308
Continuous Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Configuration Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Master Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Non-persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Revert to Known State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Rollback to Known Configuration . . . . . . . . . . . . . . . . . . . . 311
Live Boot Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Elasticity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Distributive Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Chapter 17 Physical Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Lighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Signs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Fencing/Gate/Cage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Security Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Contents
xxiii
General Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Least Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Onboarding/Offboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Permission Auditing and Review . . . . . . . . . . . . . . . . . . . . . . 350
Usage Auditing and Review . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Time-of-Day Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Recertification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Standard Naming Convention . . . . . . . . . . . . . . . . . . . . . . . . 351
Account Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Group-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 352
Location-Based Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Account Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Credential Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Password Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Disablement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Password History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Password Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Password Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Chapter 19 Identity and Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
TACACS+ Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
TACACS+ Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
CHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
PAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
MSCHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
OpenID Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
OAUTH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Shibboleth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Secure Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Contents
xxv
Personnel Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Mandatory Vacations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Job Rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Separation of Duties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Clean Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Background Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Exit Interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Role-Based Awareness Training . . . . . . . . . . . . . . . . . . . . . . . 407
NDA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Continuing Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Acceptable Use Policy/Rules of Behavior . . . . . . . . . . . . . . . . 410
Adverse Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
General Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Social Media Networks/Applications . . . . . . . . . . . . . . . . . . . 412
Personal E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Chapter 22 Risk Management and Business Impact Analysis . . . . . . . . . . . . . . . 419
Business Impact Analysis Concepts . . . . . . . . . . . . . . . . . . . . . . . . . 419
RTO/RPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
MTBF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
MTTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Mission-Essential Functions . . . . . . . . . . . . . . . . . . . . . . . . . 421
Identification of Critical Systems . . . . . . . . . . . . . . . . . . . . . . 421
Single Point of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Privacy Impact Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Privacy Threshold Assessment . . . . . . . . . . . . . . . . . . . . . . . . 423
Risk Management Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Deterrent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Preventive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Detective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Corrective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Compensating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Technical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Physical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Contents
xxvii
Chapter 24 Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Order of Volatility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chain of Custody . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Legal Hold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Data Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Standards for Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Types of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Three Rules Regarding Evidence . . . . . . . . . . . . . . . . . . . . . . 465
Capture System Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Network Traffic and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Capture Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Record Time Offset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Take Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Screenshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Witness Interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Strategic Intelligence/Counterintelligence Gathering . . . . . . . . . . . . 470
Active Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Track Man-Hours . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Chapter 25 Data Security and Privacy Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Data Destruction and Media Sanitization . . . . . . . . . . . . . . . . . . . . 477
Burning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Shredding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Pulping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Pulverizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Degaussing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Purging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Wiping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Data Sensitivity Labeling and Handling . . . . . . . . . . . . . . . . . . . . . 479
Confidential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Private . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Public . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Proprietary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
PII . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
PHI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Data Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Steward/Custodian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Privacy Officer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Contents
xxix
Chapter 27 Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Symmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
3DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Blowfish/Twofish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Cipher Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
CBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
GCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
ECB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
CTM/CTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Stream vs. Block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Asymmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Elliptic Curve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
PGP/GPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
SHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
RIPEMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Key Stretching Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
BCRYPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
PBKDF2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
XOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
ROT13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Chapter 28 Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Cryptographic Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
WPA2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
CCMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
PEAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Contents
xxxi
CER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
KEY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
PFX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
P12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
P7B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
PREFACE
Information and computer security has moved from the confines of academia to main-
stream America in the last decade. From the ransomware attacks to data disclosures such
as Equifax and U.S. Office of Personnel Management that were heavily covered in the
media and broadcast into the average American’s home, information security has become
a common topic. In boardrooms, the topic has arrived with the technical attacks against
intellectual property and the risk exposure from cybersecurity incidents. It has become
increasingly obvious to everybody that something needs to be done in order to secure
not only our nation’s critical infrastructure, but also the businesses we deal with on a
daily basis. The question is, “Where do we begin?” What can the average information
technology professional do to secure the systems that he or she is hired to maintain?
The answer to these questions is complex, but certain aspects can guide our actions.
First, no one knows what the next big threat will be. The APT, ransomware, data
disclosures … these were all known threats long before they became the major threat
du jour. What is next? No one knows, so we can’t buy a magic box to fix it. Yet. But we
do know that we will do it with the people we have, at their current level of training,
when it arrives. The one investment that we know will be good is in our people, through
education and training. For that will be what we bring to the next incident, problem,
challenge, or, collectively, our national defense in the realm of cybersecurity. One could
say security today begins and ends with our people. And trained people will result in
better outcomes.
So, where do you, the IT professional seeking more knowledge on security, start your
studies? The IT world is overflowing with certifications that can be obtained by those
attempting to learn more about their chosen profession. The security sector is no differ-
ent, and the CompTIA Security+ exam offers a basic level of certification for security.
CompTIA Security+ is an ideal starting point for one interested in a career in security. In
the pages of this exam guide, you will find not only material that can help you prepare
for taking the CompTIA Security+ examination, but also the basic information that you
will need in order to understand the issues involved in securing your computer systems
and networks today. In no way is this exam guide the final source for learning all about
protecting your organization’s systems, but it serves as a point from which to launch your
security studies and career.
One thing is certainly true about this field of study—it never gets boring. It constantly
changes as technology itself advances. Something else you will find as you progress in
your security studies is that no matter how much technology advances and no matter
how many new security devices are developed, at its most basic level, the human is still
the weak link in the security chain. If you are looking for an exciting area to delve into,
then you have certainly chosen wisely. Security offers a challenging blend of technology
and people issues. We, the authors of this exam guide, wish you luck as you embark on
an exciting and challenging career path.
ACKNOWLEDGMENTS
We, the authors of CompTIA Security+ All-in-One Exam Guide, Fifth Edition, have many
individuals who we need to acknowledge—individuals without whom this effort would
not have been successful.
The list needs to start with those folks at McGraw-Hill Education who worked tire-
lessly with the project’s multiple authors and led us successfully through the minefield
that is a book schedule and who took our rough chapters and drawings and turned them
into a final, professional product we can be proud of. We thank the good people from the
Acquisitions team, Amy Stonebraker and Claire Yee; from the Editorial Services team,
Janet Walden; and from the Production team, James Kussow. We also thank the technical
editor, Chris Crayton; the project editor, Patty Mon; the copyeditor, William McManus;
the proofreader, Claire Splan; and the indexer, Jack Lewis, for all their attention to detail
that made this a finer work after they finished with it. And to Tim Green, who made
these journeys possible.
We also need to acknowledge our current employers who, to our great delight, have
seen fit to pay us to work in a career field that we all find exciting and rewarding. There
is never a dull moment in security because it is constantly changing.
We would like to thank Art Conklin for again herding the cats on this one.
Finally, we would each like to individually thank those people who—on a personal
basis—have provided the core support for us individually. Without these special people
in our lives, none of us could have put this work together.
—The Author Team
To Bill McManus, we have worked on several books together and your skill never
ceases to amaze me—may I someday learn to express complex ideas with the grace and
simplicity you deliver. Thank you again for making this a better book.
—Art Conklin
I would like to thank my wife, Charlan, for the tremendous support she has always
given me.
—Gregory B. White
Josie, Macon, and Jet, thank you for the love, support, and laughs.
—Chuck Cothren
Geena, all I am is because of you. Thanks for being my greatest support. As always,
love to my powerful children and wonderful grandkids!
—Roger L. Davis
To my wife and best friend Leah for your love, energy, and support—thank you for
always being there. To my kids—this is what Daddy was typing on the computer!
—Dwayne Williams
xxxiii
INTRODUCTION
Computer security has become paramount as the number of security incidents steadily
climbs. Many corporations now spend significant portions of their budget on security
hardware, software, services, and personnel. They are spending this money not because
it increases sales or enhances the product they provide, but because of the possible con-
sequences should they not take protective actions.
xxxiv
Introduction
xxxv
by how many of the most recent security events have occurred as a result of a security
bug that was discovered months prior to the security incident, and for which a patch has
been available, but for which the community has not correctly installed the patch, thus
making the incident possible. The reasons for these failures are many, but in the end the
solution is a matter of trained professionals at multiple levels in an organization working
together to resolve these problems.
But the issue of trained people does not stop with security professionals. Every user,
from the board room to the mail room, plays a role in the cybersecurity posture of a
firm. Training the non-security professional in the enterprise to use the proper level of
care when interacting with systems will not make the problem go away either, but it will
substantially strengthen the posture of the enterprise. Understanding the needed training
and making it a reality is another task on the security professional’s to-do list.
Because of the need for an increasing number of security professionals who are trained
to some minimum level of understanding, certifications such as the CompTIA Security+
have been developed. Prospective employers want to know that the individual they are
considering hiring knows what to do in terms of security. The prospective employee, in
turn, wants to have a way to demonstrate his or her level of understanding, which can
enhance the candidate’s chances of being hired. The community as a whole simply wants
more trained security professionals.
The goal of taking the CompTIA Security+ exam is to prove that you’ve mastered the
worldwide standards for foundation-level security practitioners. The exam gives you a per-
fect opportunity to validate your knowledge and understanding of the computer security
field, and it is an appropriate mechanism for many different individuals, including network
and system administrators, analysts, programmers, web designers, application developers,
and database specialists, to show proof of professional achievement in security. According
to CompTIA, the exam is aimed at individuals who have
•• A minimum of two years of experience in IT administration with a focus on security
•• Day-to-day technical information security experience
•• Broad knowledge of security concerns and implementation, including the topics
that are found in the specific CompTIA Security+ domains
The exam objectives were developed with input and assistance from industry and
government agencies. The CompTIA Security+ exam is designed to cover a wide range of
security topics—subjects about which a security practitioner would be expected to know.
The test includes information from six knowledge domains:
Introduction
xxxvii
Preparing Yourself for the
CompTIA Security+ Exam
CompTIA Security+ All-in-One Exam Guide, Fifth Edition, is designed to help prepare
you to take the CompTIA Security+ certification exam SY0-501.
Objective Map
The objective map that follows this introduction has been constructed to allow you
to cross-reference the official exam objectives with the objectives as they are presented
and covered in this book. References have been provided for the objective exactly as
CompTIA presents it, the section of the exam guide that covers that objective and a
chapter reference.
TIP Tips provide suggestions and nuances to help you learn to finesse your
job. Take a tip from us and read the Tips carefully.
CAUTION When you see a Caution, pay special attention. Cautions appear
when you have to make a crucial choice or when you are about to undertake
something that may have ramifications you might not immediately anticipate.
Read them now so you don’t have regrets later.
EXAM TIP Exam Tips give you special advice or may provide information
specifically related to preparing for the exam itself.
Introduction
xxxix
Objective Map: Exam SY0-501
Official Exam Objective All-in-One Coverage Chapter No.
1.0 Threats, Attacks, and Vulnerabilities
1.1 Given a scenario, analyze indicators of Malware and Indicators 1
compromise and determine the type of malware. of Compromise
1.2 Compare and contrast types of attacks. Attacks 2
1.3 Explain threat actor types and attributes. Threat Actors 3
1.4 Explain penetration testing concepts. Vulnerability Scanning 4
and Penetration Testing
1.5 Explain vulnerability scanning concepts. Vulnerability Scanning 4
and Penetration Testing
1.6 Explain the impact associated with types Vulnerabilities and Impacts 5
of vulnerabilities.
2.0 Technologies and Tools
2.1 Install and configure network components, Network Components 6
both hardware- and software-based, to support
organizational security.
2.2 Given a scenario, use appropriate software tools Security Tools and 7
to assess the security posture of an organization. Technologies
2.3 Given a scenario, troubleshoot common Troubleshoot Common 8
security issues. Security Issues
2.4 Given a scenario, analyze and interpret output Security Tools and 7
from security technologies. Technologies
2.5 Given a scenario, deploy mobile devices securely. Mobile Devices 9
2.6 Given a scenario, implement secure protocols. Implementing 10
Secure Protocols
3.0 Architecture and Design
3.1 Explain use cases and purpose for frameworks, Architecture Frameworks 11
best practices and secure configuration guides. and Secure Network
Architectures
3.2 Given a scenario, implement secure network Architecture Frameworks 11
architecture concepts. and Secure Network
Architectures
3.3 Given a scenario, implement secure Secure Systems Design 12
systems design. and Deployment
3.4 Explain the importance of secure staging Secure Systems Design 12
deployment concepts. and Deployment
3.5 Explain the security implications of Embedded Systems 13
embedded systems.
3.6 Summarize secure application development and Application Development 14
deployment concepts. and Deployment
3.7 Summarize cloud and virtualization concepts. Cloud and Virtualization 15
PART I
Threats, Attacks,
and Vulnerabilities
Chapter 1 Malware and Indicators of Compromise
Chapter 2 Attacks
Chapter 3 Threat Actors
Chapter 4 Vulnerability Scanning and Penetration Testing
Chapter 5 Vulnerabilities and Impacts
1
In this chapter, you will
• Examine the types of malware
• Understand the different types of malicious software that exist, including viruses,
worms, Trojan horses, logic bombs, and rootkits
• Learn how artifacts called indicators of compromise can tell you if a system has
been attacked
There are various forms of malicious software, software that is designed to compromise
an end system, leaving it vulnerable to attack. In this chapter we examine the various
types of malware (malicious software) and indicators of compromise that demonstrate a
system has been attacked.
Certification Objective This chapter covers CompTIA Security+ exam objective 1.1,
Given a scenario, analyze indicators of compromise and determine the type of malware.
This is a performance-based question testable objective, which means expect a question
in which one must employ the knowledge based on a scenario. The best answer to a ques-
tion will depend upon details in the scenario, not just the question. The question may
also involve tasks other than just picking the best answer from a list. Instead, choices,
such as order things on a diagram, rank order answers, match two columns of items, may
be found.
Malware
Malware refers to software that has been designed for some nefarious purpose. Such soft-
ware can be designed to cause damage to a system, such as by deleting all files, or it can be
designed to create a backdoor in the system to grant access to unauthorized individuals.
Generally the installation of malware is done so that it is not obvious to the authorized
users. Several different types of malicious software can be used, such as viruses, Trojan
Polymorphic Malware
The detection of malware by anti-malware programs is primarily done through the use
of a signature. Files are scanned for sections of code in the executable that act as markers,
unique patterns of code that enable detection. Just as the human body creates antigens
that match marker proteins, anti-malware programs detect malware through unique
markers present in the code of the malware.
Malware writers are aware of this functionality and have adapted methods to defeat
it. One of the primary means of avoiding detection by sensors is the use of polymorphic
code, which is code that changes on a regular basis. These changes or mutations are
designed not to affect the functionality of the code, but rather to mask any signature
from detection. Polymorphic malware is malware that can change its code after each use,
making each replicant different from a detection point of view.
Viruses
The best-known type of malicious code is the virus. Much has been written about viruses
because several high-profile security events have involved them. A virus is a piece of mali-
cious code that replicates by attaching itself to another piece of executable code. When
the other executable code is run, the virus also executes and has the opportunity to infect
other files and perform any other nefarious actions it was designed to do. The specific way
that a virus infects other files, and the type of files it infects, depends on the type of virus.
The first viruses created were of two types—boot sector viruses and program viruses.
Armored Virus
When a new form of malware/virus is discovered, antivirus companies and security
researchers will decompile the program in an attempt to reverse engineer its functionality.
Much can be determined from reverse engineering, such as where the malware came
from, how it works, how it communicates, how it spreads, and so forth. Armoring mal-
ware can make the process of determining this information much more difficult, if not
impossible. Some malware, such as the Zeus Trojan, employs encryption in ways to pre-
vent criminals from stealing the intellectual property of the very malware that they use.
Crypto-malware
Crypto-malware is an early name given to malware that encrypts files on a system and
then leaves them unusable either permanently, acting as a denial of service, or temporar-
ily until a ransom is paid, making it ransomware, which is discussed in the next section.
Crypto-malware is typically completely automated, and when targeted as a means of
denial of service, the only repair mechanism is to rebuild the system. This can be time
consuming and/or impractical in some cases, making this attack mechanism equivalent
to physical destruction of assets.
PART I
including medical devices in England’s National Health Service (NHS). This ransom-
ware created havoc by exploiting a vulnerability in Microsoft Windows systems that was
exposed by the group known as Shadow Brokers.
Ransomware
Ransomware is a form of malware that performs some action and extracts ransom from
a user. A current ransomware threat, first appearing in 2013, is CryptoLocker. Cryp-
toLocker is a Trojan horse that will encrypt certain files using RSA public key encryption.
When the user attempts to get the files, they are provided with a message instructing
them how to purchase the decryption key. Because the system is using 2048-bit RSA
encryption, brute force decryption is out of the realm of recovery options. RSA encryp-
tion is covered in more detail in Chapter 27. The system is highly automated and users
have a short time window to get the private key. Failure to get the key will result in the
loss of the data.
EXAM TIP Cryto-malware and ransomware are both new to the Security+
objectives. Adding these attack vectors and how to differentiate them from
other attacks to your knowledgebase will be useful for the exam.
Worm
It was once easy to distinguish between a worm and a virus. Recently, with the introduc-
tion of new breeds of sophisticated malicious code, the distinction has blurred. Worms
are pieces of code that attempt to penetrate networks and computer systems. Once a
penetration occurs, the worm will create a new copy of itself on the penetrated system.
Reproduction of a worm thus does not rely on the attachment of the virus to another
piece of code or to a file, which is the definition of a virus.
Viruses were generally thought of as a system-based problem, and worms were
network-based. If the malicious code is sent throughout a network, it may subsequently
be called a worm. The important distinction, however, is whether the code has to attach
itself to something else (a virus) or if it can “survive” on its own (a worm).
Some examples of worms that have had high profiles include the Sobig worm of 2003,
the SQL Slammer worm of 2003, the 2001 attacks of Code Red and Nimba, and the
2005 Zotob worm that took down CNN Live. Nimba was particularly impressive in
that it used five different methods to spread: via e-mail, via open network shares, from
browsing infected websites, using the directory traversal vulnerability of Microsoft IIS
4.0/5.0, and most impressively through the use of backdoors left by Code Red II and
sadmind worms.
EXAM TIP Worms act like a virus but also have the ability to travel without
human action.
[Kirjoitettu v. 1822.]
B. LAURIN TUOMISET.
Evästetty emoltansa
Hemmuilla, heluilla
Vyötetty suosin-vyöllä
Tuli poika pohjan maille.
Tahto siellä talvellakin,
Vilullakin viekastella,
Mutkaelen muotoansa.
Kyttä kyyrymöisissänsä
Puikkiipi puistossa:
Juristi kuret-lanka,
Siirsi surma silmukkansa
Pienen herjän hengen päälle;
Että luuli lumiseksi
Jänikseksi jähmettyvän.
Kaapajaapi kainaloonsa,
Laukasi lankaansa,
Sieppasi silmukasta
Helma-lapsen hermottoman.
Suukosteli surmattua.
Polvillansa porkan päällä,
Sadatellen sallimusta:
Evästetty Emoltansa
Hemmuilla, heluilla,
Vyötetty suosin-vyöllä.
Tuli poika pohjan maille.
Tahto siellä talvellakin,
Vilullakin viekastella,
Mutkaelen muotoansa.
Kaappajaapi kainaloonsa,
Laukasi lankansa,
Sieppasi silmukasta
Helma-lapsen hermottoman.
Suukosteli surmattua
Polvillansa porkan päällä
Sadatellen sallimusta: