Security+ Study Guide

Table Of Contents

Welcome to the free Security+ Study Guide. It is our expectation that this guide will have all the
materials necessary to excel in the Security+ exam. We have here a free study guide, cram sheet, and
other materials that should help you conquer this pesky little exam.

The Security+ exam is a traditional, timed, and scored exam; the question bank for the exam is
surprisingly small and therefore many of the questions that appear in one administration of the exam
will reappear in another. What this means to you as a potential test taker is that you can prepare for the
exam by studying past questions and concepts thoroughly. This guide makes good use of previous test
questions and known tested concepts to help you pass.

This Security+ Study Guide consists of 16 lessons designed to take about one hour or less to thoroughly
read and re-read. As a general rule, you might want to complete one lesson per day, so this guide
should take roughly 16 days to complete. Of course, you can work at a faster or slower pace. Each
lesson covers only the material that you need to know to excel on the exam and is filled with previously
tested materials. At the end of each guide are questions for review that cover the information in the
lesson that should help you better prepare for the actual Security+ exam.

The best way to utilize this study guide is to read each and every lesson thoroughly. Some lessons will
inevitably be very dry and probably uninteresting; as it would turn out, the Security+ exam is full of
questions on these dry and boring topics. It is imperative, therefore, that you read every lesson at least
twice in order to understand the concepts rather than just the words presented.

Because the exam does feature some “exhibits” or pictures, the lessons in this guide will also have
pictures that are there for more than just aesthetics. The pictures in the lessons will be decidedly exam-
related and are thus important for you to understand and grasp as well.

After you read the guide and complete the review lessons, your next step will be to look at our
Security+ Cram Guide, which contains some previously covered and some new material that is
definitely going to show up on the exam. It is very brief but it is also very important that you understand
the points covered in the Cram Guide before you take the exam.
Enjoy the lessons and read carefully. You should have no trouble excelling on the CompTIA Security+
examination!

Table Of Contents

ProProfs Security+ Study Guide

Day 1: Security Concepts

Day 2: Access Control

Day 3: Methods of Authentication

Day 4: Attacks

Day 5: Remote Access

Day 6: Tunneling

Day 7: Introduction to Cryptography

Day 8: Malicious Software

Day 9: Firewalls

Day 10: Networking Overview

Day 11: Symmetric Key Cryptography

Day 12: Public-Key Cryptography

Day 13: Organizational Security

Day 14: Email and Application Security

Day 15: Security Topologies

Day 16: Security+ Study Guide Review

Extras: Security+ Cram Sheet

Definitions

Security+ Acronym List

Security+ Concepts
The Security+ exam is well-known to test heavily on concepts rather than on purely technical
knowledge. Security+ concepts relate to the ideas that govern good information security practices.
You can think of these core concepts as a sort of “constitution” or even a “charter” of information
security. Any organization or practice will inevitably have some sort of governing ideology; for the
Security+ exam (for information security), this ideology is always related to the acronym: CIA.

What’s CIA?

CIA (in this context, of course) stands for Confidentiality, Integrity, and Availability. These are the
three tenets or cornerstones of information security objectives. Virtually all practices within the umbrella
called “Information Security” are designed to provide these objectives. They are relatively simple to
understand and common-sense notions, yet the Security+ exam writers love to test on
CIA concepts. So, you should understand CIA very well in order to understand the reasoning
behind later practices as well as to ace this portion of the exam.

Confidentiality

Confidentiality refers to the idea that information should only be accessible to its intended
recipients and those authorized to receive the information. All other parties should not be able to
access the information. This is a pretty common and straight-forward idea; the US government for
example marks certain items “Top Secret,” which means that only those who are cleared to
see that information can actually view it. In this way, the government is achieving information
confidentiality. Another common example is the sharing of a secret between two friends. When the
friends tell each other the secret, they usually whisper so that nobody else can hear what they are
saying. The friends are also achieving confidentiality.

Integrity
Integrity is the idea that information should arrive at a destination as it was sent. In other words,
the information should not be tampered with or otherwise altered. Sometimes, secret information may
be sent in a locked box. This is to ensure both confidentiality and integrity: it ensures confidentiality by
assuring that only those with a key can open it; it ensures integrity by assuring that the information is
not able to be altered during delivery. Similarly, government documents are often sealed with some sort
of special stamp that is unique to an office or branch of government. In this way, the government
ensures that the people reading the documents know that the document is in fact a government
document and not a phony.

Availability

Imagine that a terrorist blocks the entrance to the Library of Congress. Though he did not necessarily
destroy the integrity of the books inside nor did he breach confidentiality, he did do something to
negatively affect the security of the Library. We deem his actions a “denial of service,” or more
appropriately, a denial of availability. Availability refers to the idea that information should be
available to those authorized to use it. When a hacker floods a web server with erroneous requests
and the web server goes down as a result of it, he denied availability to the users of the server, and
thus, one of the major tenets of information security have been compromised.

Wrap Up

Well, you’ve completed your first Security+ lesson! That wasn’t so bad, now was it? As you can see, a
lot of what is covered on the Security+ exam is actually commonsense. However, don’t take CIA lightly –
it is heavily tested! Below are a few questions that should help you review what you’ve learned today:

Quick Review

1. Which of the following are components of CIA? (Choose all that apply)

a. Confidentiality

b. Authentication

c. Integration

d. Integrity

e. Availability

f. Character

2. A user encrypts an email before sending it. The only person that can decrypt the email is
the recipient. By encrypting the email in this way, the user is attempting to preserve the:

a. Confidentiality of the recipient

b. Accessibility of the email server

c. Confidentiality of the information

d. Integrity of the information

3. A hooligan unplugs the power from the central data server at a large bank. Which of the
following describe the effect on information security?

a. Confidentiality has been breached

b. Loss of availability

c. The information has lost integrity

d. None of the above

Answers

1. The components of CIA are Confidentiality, Integrity, and Availability. The answer is (A,D,E)

2. This is a tough question that is sure to manifest itself on the exam. Don’t be confused between
confidentiality and integrity. Remember that confidentiality refers to the fact that only the recipient can
receive the information, whereas integrity means that the information is basically in the same state that
it was sent. Although the encryption may prevent others “in the middle of the communication” from
understanding the email, it does nothing to prevent them from manipulating the email being sent. So,
the answer is that it only ensures the confidentiality of the information and NOT the integrity of the
information. ( C )

3. By unplugging the power, the punk is basically denying availability to the users of the server. He is
not however actually changing the information stored on the server nor is he trying to read any sort of
confidential information. The answer is therefore that his actions produce a loss of availability (B)

Access Control
One of the most crucial areas of information security that dates back to its origins is the idea of access
control. Access control is the ability of a system to limit access to only certain users. When you
think access control, think “password.” Of course, there are many ways to authenticate users than just
passwords, but passwords are probably the most well-known way of controlling access to resources,
especially to information security laymen. We’ll now look into the specifics of access control.

Types of Access Control Factors

One of the key questions associated with access control is: How do you ensure that a user is in fact who
he claims to be? There are many ways to do so, and so they have been categorized into three types of
factors.

 Type I: What you know – Access control methods related to “what you know” include
passwords, numeric keys, PIN numbers, secret questions and answers, and so forth.
Basically, Type I access control depends on the user knowing something in order to access the
information.

 Type II: What you have – You probably use this access control method every day without
realizing it. A physical key is used to open a door to your house through a lock – a form of Type II
access control. In information security terms, Type II access control methods may include physical
keys or cards, smart cards, and other physical devices that might be used to gain access to
something.

 Type III: What you are – This form of access control is closely related to biometrics or
authentication by biological factors. Some high-tech systems may use fingerprints, retinal
scans, or even DNA to ensure that a user is who he claims to be. This type of access control is
considered the most secure because it requires that a user be physically present whereas the other
two can be compromised by theft of a password or a keycard.

The best authentication systems use more than one factor (Type) to ensure a user’s
identity; this is known as “multi-factor authentication.”
The Workings Behind Access Control

There are essentially three steps to any access control process.

1. Identification: Who is the user?

2. Authentication: Is the user who he says he is?

3. Authorization: What does the user have permission to do?

Authentication is achieved through the factors discussed above, but Authorization is actually
achieved between the reference model and the Kernel of the operating system. The reference
model is the system that directs the Kernel what it can and cannot access. A request to access
information would be sent through the reference model to verify that the user requesting access should
actually have access to what he is requesting. The kernel then acts only if the reference model directs it
to do so.

Methods of Access Control

Another very important question that should be raised when considering access control is: “Who
determines which users have access to information?” The Security+ exam suggests three different
methods of determining this:

 MAC: Mandatory Access Control is the system in which a central administrator or

administration dictates all of the access to information in a network or system. This might be used in
high-security applications, such as with the label "top-secret government information". Under MAC,
subjects (the user or process requesting access) and objects (the item being requested) are each
associated with a set of labels. When a subject requests access to an object, access is granted if
labels match, and denied if the labels do not match.
 DAC: Discretionary Access Control is the system in which the owners of files actually
determine who gets access to the information. In this system, a user who creates a sensitive file
determines (through his own discretion) who can access that sensitive file. This is considered far less
secure than MAC.
 RBAC: Role-Based Access Control is related to a system in which the roles of users determine
their access to files. For example, if Bob is a member of accounting, he should not be able to access
the engineering files.

A Last Word

Access Control is a very important and highly-tested subject! It is, like CIA, highly conceptual but
crucial to understanding information security. It is used to ensure both the confidentiality and the
integrity of information and therefore plays a large role in the CIA picture. You should spend time
understanding the Types and Methods of access control so that you can ace this portion of the exam.

Quick Review

1. On an Active Directory network the group(s) that a user is in determines his access to
files. This is a form of:

a. MAC

b. DAC

c. Type II Authentication factor

d. RBAC

e. Type I Authentication factor

2. Which of the following is not a possible description of Type III authentication?

a. Something you are

b. Fingerprints

c. Passwords

d. Retinal scans

3. Which of the following is the correct order of the access control process?

a. Identification, Authorization, Authentication

b. Authorization, Identification, Confidentiality

c. Identification, Authentication, Authorization

d. Confidentiality, Integrity, Availability

Answers

1. Because the group that the user is in determines his access to files, it is not a far step to say that his
role really determines his access to those files. The answer is RBAC. (D)

2. Passwords are Type I (something you know) rather than Type III (something you are), so the answer is
C

3. The correct order of the process is C.

Special Authentication Methods

There are some authentication methods that merit their own coverage because they are specifically tested on the
exam. Below is the information about each of them that you need to know in order to answer these kinds of questions
correctly.

Kerberos

Kerberos is an open-source and widely-accepted method of authentication that works on a shared secret key
system with a trusted third party. Before you begin to understand how Kerberos actually works, you should consider
this analogy: two people are in love and want to deliver messages of their affection to each other. The problem is that
they cannot express their love for each other openly because of a family feud. So, they entrust a mutual friend to
deliver their secrets to each other.

In essence, Kerberos does much of the same. If two users wish to communicate with each other, they must first
contact a trusted Kerberos server to obtain a shared secret key. Only the users that have this key can communicate
with each other because the key encrypts and decrypts messages. The logical part of the Kerberos server that governs
key distribution is aptly called the Key Distribution Center, or KDC. Once keys have been distributed to the two
parties wishing to communicate, Kerberos then issues what are known as “tickets” through the TGS or Ticket
Granting Server. These tickets allow for the actual communication between the clients by storing authentication
information.

Kerberos has a wide variety of applications, especially in open source software, but is not without vulnerabilities. One
is that Kerberos makes extensive use of that trusted third party. If the third party is compromised, information
confidentiality and integrity may be breached. If the third party simply fails, availability is lost. Kerberos also
uses time stamps in order to “time out” communications. Time stamps mitigate the threat of replay attacks and provide
a small measure of integrity. If two hosts are on different times, communication will be impossible.

Remember that Kerberos is associated with SSO (single sign-on) technology.

Biometrics

As discussed before, biometric factors are factors of authentication that utilize the biological factors of a user. Biometric
authentication and identification is considered the most secure. Typical biometric factors include fingerprint and retinal
scans as well as photo-comparison technology.

Username / Password

The most common form of authentication system is a username and password system. This is a Type I system
and therefore relies on the difficulty of guessing the password for effectiveness. There may be questions on the
Security+ exam about what constitutes a good password. Use common sense here! A good password would
obviously consist of numbers and letters, lower and upper case, and symbols. In other words, the general rule of thumb
is that a good password is complex. Another rule of thumb is that a good password should be at least six characters
and probably eight. In fact, eight or more is the standard at the moment. Systems that allow for lost password retrieval
should not allow a malicious user to learn information about the users of a system; in addition, systems should not
elaborate as to whether a username or password is incorrect as this would aid potential attackers.

Multifactor

Multifactor authentication refers to using more than one factor to authenticate a user. Multifactor authentication
is more secure than single factor authentication in most cases. An example of multifactor authentication would be an
authentication system that required a user to have both a password and a fingerprint.

CHAP

Challenge-Handshake Authentication Protocol, or CHAP, is an authentication protocol that uses username and
password combinations that authenticate users. It is used in PPP, so its most common application is dial-up
internet access user authentication. All you really need to know about it is that it uses a three-way handshake to
prevent replay attacks. Microsoft has a version of CHAP known as MS-CHAP.

SSO

Single sign-on, or SSO, refers to the ability for a user to only be authenticated once to be provided
authorization to multiple services.

Summing it up

You will see a question on the Security+ exam on almost every one of these items. Kerberos will be tested with more
than two questions. It would be to your benefit to carefully study each of these items individually to understand what
each is all about.
Quick Review

1. Which of the following would not be a form of multifactor authentication?

a. Requiring an ATM card and a pin number

b. Requiring a secret answer to a given question

c. Requiring a fingerprint and a Kerberos ticket

d. Requiring a USB key and a password

2. Which of the following is a true statement about Kerberos?

a. It requires two distinct physical servers, one to give keys and the other to give tickets.

b. It is only used in UNIX environments.

c. Communication can only take place when both parties can utilize a trusted third party Kerberos server.

d. It is a form of biometric identification and authorization.

3. A user complains that he has to use a separate login and password for his email, his domain account, his
specialized software, and even for his computer. What would be a solution to his problems?

a. Smart card

b. SSO technology

c. Biometrics

d. CHAP

Answers:

1. All of the choices use two factors for authentication with the exception of B, which requires only one factor (an
answer to a question). (B)

2. Be careful! Kerberos is often used in UNIX environments, but it is not exclusively used in UNIX environments. Also,
the TGS and KDC servers are logically but not necessarily physically separate. Finally, choice D is totally without merit.
The answer is ( C ).
3. Because SSO provides a single sign on for multiple services, the user would desire that as a solution as it could
create fewer login screens. The answer is ( B )

Attacks and Malicious Users

(An example of a buffer-overflow attack)

A key aspect to any war is to know your enemy. If you consider the battle against malicious
users a war, then understanding the attacks that they use is crucial. Below is a listing
with descriptions of the most common kinds of attacks used by malicious hackers and other
bad people.

Social Engineering

This kind of attack is probably the most commonly successful and damaging of all attacks, yet
it requires no technical ability. Social engineering is an attack by which the attacker
manipulates people who work in a capacity of some authority so that the attacker can
get those people to do something that he desires. For example, if an attacker calls into a
business posing as a bank representative who is reporting foul activity on an account and then
proceeds to ask for a routing number, that attacker is engaged in a social engineering attack.
Remember, social engineering means manipulating people.

Dumpster Diving

This is another low-tech attack. All you have to remember about this attack is that the name is
very indicative of the nature of this attack – a dumpster diver would look through trash
and other unsecured materials to find pertinent information to either launch an attack or
carry out some other maliciously intended action.

Password Cracking
This is an attack by which the attacker wishes to gain authentication (and
authorization) to network resources by guessing the correct password. There
are three basic kinds of password cracking attacks:

 Brute Force – Every single possible combination of characters (aaa,aaA,aAA,AAA,aab…)

 Dictionary – Enter passwords from a text file (a dictionary)
 Hybrid - A variation of the Dictionary approach, but accounting for common user practices such
as alternating character cases, substituting characters ("@" in place of "A", etc), using keyboard
patterns ("1QAZ", etc), doubling passwords to make them longer, or adding incremental prefix/suffix
numbers to a basic password ("2swordfish" instead of "swordfish, etc).
Attackers know that many users use the same or similar passwords for different systems. Using a
sniffer to obtain a user's password on an unsecure platform will provide a good starting point for a
quick hybrid attack on a different, more secure platform. For example, Yahoo Messenger transmits
passwords in clear text. An attacker can easily obtain a user's Yahoo password, and then attempt to
access their bank account, or other sensitive information, using that same password or a variant of that
same password.

Most of the time when password cracking is attempted, the cracker has some means of
entering username and password combinations quickly. Usually this is through a cracking
program such as Brutus. One way to defend against cracking attacks is to put a mandatory
wait time before login attempts. Another way is to lock out the login system after a certain
number of attempts. Finally, limiting the number of concurrent connections to a login
system can slow down a cracking attack.

Flooding

Just like a flood can overwhelm the infrastructure of a locale, a flooding attack can
overwhelm the processing and memory capabilities of a network system or server.
In a flooding attack, the attacker sends an inordinate amount of packets to a server or a group
of hosts in order to overwhelm the network or server. This would, of course, cause a denial of
service to the hosts who demand whatever network resource has been overwhelmed. Some
special kinds of flooding attacks:

 SYN Flood – A flood of specially crafted SYN packets

 ICMP Ping Flood – A flood of ICMP pings

Spoofing

Spoofing is not always a form of attack but can be used in conjunction with an attack.
Spoofing is any attempt to hide the true address information of a node and is
usually associated with IP spoofing, or the practice of hiding the IP address of a node and
replacing it with another (false) IP address. One implication of a successful spoof is that
investigators cannot trace the attack easily because the IP address is false. Spoofing can be
achieved through proxy servers, anonymous Internet services, or TCP/IP vulnerabilities.

Birthday Attack

Any attack based on favorable probability is known as a birthday attack. This comes
from the statistical truth that it is far more likely in a room of 100 people to find two people
who have the same birthday than it is to find a person with a specific birthday. For the exam,
just associate birthday attack with probability.

Buffer Overflow

A buffer overflow attack is a very specific kind of attack that is very common when attacking
Application level servers and services. Basically, a buffer is a memory stack that has a certain
holding size. Through a specifically and maliciously crafted packet, information can
overflow in that stack, causing a number of problems. Some buffer overflow attacks
result in a simple denial of service while others can allow for system compromise and remote
takeover of a system. Patches are usually issued to defend against specific buffer overflow
issues.

Sniffing

A sniffing attack is one in which an attacker “sniffs” information, either off the media
directly or from regular network traffic, in order to compromise the confidentiality or
integrity of information. Un-switched Ethernet traffic can easily be sniffed when the NIC
operates in “promiscuous” mode, the mode in which the NIC reads all traffic regardless of the
destination IP address. Sniffing can be thwarted by careful attention to media security and
switched networks.

Overview

While there is certainly a dearth of space here to list all of the wonderful tricks that hackers
have up their collective sleeves, it is safe to say that the attacks that you will see on
the Security+ have been covered above. Study each one carefully and try to associate
one word with the attack that will help you remember what it’s all about; after a while, the
distinction between attacks will become more obvious and clear to you.

Quick Review

1. An attacker sends a series of malformed packets to a server causing him to gain

access to the server as the “root” user. Which attack is this most likely to be?

a. Ping

b. Birthday

c. Spoofing

d. Sniffing

e. Buffer Overflow

2. You notice a dramatic increase in the traffic going through your network. After a
close examination of the traffic, you realize that the majority of the new traffic is in
the form of empty broadcast packets sent from a single host. What is most likely
happening?

a. You are experiencing normal network activity

b. The network is revamping from under-utilization

c. The network is being flooded

d. The network is being spoofed

3. Which of the following courses of action would not prevent a social engineering
attack?

a. Mandatory security training for new computer users

b. Administrative approval for any major system changes

c. Hiring a dedicated operator to handle undirected phone calls and emails

d. Installing a firewall with NAT technology

4. You notice that there have been over a thousand login attempts in the last
minute. What might you correct in order to prevent a similar attack in the future?

a. Install Apache Web Server

b. Limit the timeout value

c. Mandate and configure a lockout time period

d. Change the access control method

Answers:

1. In a buffer overflow attack, a malformed packet is sent to overflow the heap of memory that
a server application uses. Some attacks can actually gain access to the root account. So, the
answer is (E)

2. Since the network is experiencing a dramatic increase in basically meaningless traffic from
a single host, it is likely to be an attempt at a flood attack. ( C )

3. All of the choices would inhibit the ability of an attacker to use a social engineering attack
except for (D), which would not affect the ability of an attacker to manipulate people in any
way.

4. By configuring a lockout time period ( C ) you can ensure that after a certain number of
unsuccessful attempts, further logins are disabled.

Remote Access

One of the most ever-present and ancient uses of the Internet and networking has been to provide
remote access to networks or network resources. Since the early 1980’s, different remote access
protocols have existed to allow users to remotely “dial in” to a network of choice; while some of
these protocols have come and gone, many of them remain widely in use even today in dial-
up WAN access and business VPN networks. The Security+ examination will test you on your
ability to identify the security features, benefits, and costs of several types of remote access protocols
and services.

RAS

RAS, or Remote Access Service, is a rarely-used, unsecure, and outdated Microsoft offering in the
area of remote access technology. You should know for the exam that RAS provides dial-up access
and once was the protocol of choice for connecting to the Internet.

PPP

RAS was eventually replaced by PPP, the most common dial-up networking protocol today. PPP, or
point-to-point protocol, utilizes a direct connection from a client to WAN over TCP/IP. This is
advantageous for dial-up networking services as most people today wish to be able to use
the Internet, which of course requires TCP/IP networking. When you think dial-up access, think PPP.

Secure Connections
The next group of technologies is considered “secure” in that the technologies set up an encrypted,
sometimes “tunneled,” and difficult-to-intercept connection. These are the technologies typically
employed in VPN (Virtual Private Network) applications and corporate remote networks.

PPTP

Point-to-point tunneling protocol, or PPTP, is a tunneling protocol that can encapsulate

connection-oriented PPP packets (which are simple remote access packets) into
connectionless IP packets. In doing so, the data remains within the “IP capsule,” which prevents
sniffing and other outside manipulation. PPTP is a client-server system that requires a PPTP client, a
PPTP server, and a special network access server to provide normal PPP service. PPTP is commonly used
to set up “Virtual Private Networks,” which are like LAN’s that are spread across the Internet so that
multiple remote clients can connect to one logical network.

L2TP

Like PPTP, L2TP (Layer 2 Tunneling Protocol) utilizes a tunneling protocol, but unlike PPTP, L2TP
utilizes IPSec (IP Security) to encrypt data all the way from the client to the server. Because
of this, L2TP data is difficult to intercept. L2TP can accommodate protocols other than IP to send
datagrams and is therefore more versatile; it is also common in VPN applications.

Implementation of L2TP, a popular tunnelling protocol

SSL
SSL, or Secure Sockets Layer, is a technology employed to allow for transport-layer security via public-
key encryption. What you should know about this for the exam is that SSL is typically employed over
HTTP, FTP, and other Application-layer protocols to provide security. HTTPS (HTTP over SSL)
is particularly used by web merchants, credit card validation companies, and banks to ensure data
security (think: lock icon)

Kerberos

Kerberos is a *Nix (Unix-like) technology that is also being implemented in Microsoft

technology to allow for client-server authentication over a network based on a shared key
system. Kerberos is a public-key encryption technology and therefore is considered quite modern.

Quick Review

1. You wish to implement VPN access so that an attorney can connect to the firm’s network
remotely. Which remote access protocol might you use?

a. LDAP

b. PPTP

c. PPP

d. SSL

e. IPSec

2. A user complains that he cannot access a website because he does not have “some
protocol” enabled. What is this protocol most likely to be?

a. FTP

b. HTTP over SSL

c. FTP over SSL

d. PPTP

e. VPN

3. Your manager wants to make sure that when he dials in to a faraway corporate network,
his connection is very secure and reliable. Which of the following is the most secure and
reliable RAS?

a. RAS

b. PPP
c. PPTP

d. L2TP

e. HTTP

Answers

1. Of the choices, only PPTP can be used to implement VPN. Note that IPSec is a feature of IP and not a
remote access protocol in its own right, though it is used by L2TP. The answer is B.

2. Websites are typically accessed through the HTTP protocol, so it is likely that the website is SSL-
enabled and that he does not have that technology enabled on his client PC. The answer is B.

3. L2TP is most secure as it features both tunneling and encryption, which none of the other protocols
listed can provide. The answer is D.

Tunneling, VPN, and IPSec

In the last lesson we learned about some of the more common remote access protocols in use today.
You should recall that a remote access protocol allows remote access to a network or host and
is usually employed in dial-up networking. Alternatively, some remote access technologies are
involved in remote control of a host, such as through secure shell or Telnet.

However, another class of remote access technologies does exist. This class is related to two of the
fundamental aspects of information security: confidentiality and availability. This type of
remote access technology allows a user to securely dial in or otherwise access a remote network over
an encrypted and difficult-to-intercept connection known as a “tunnel.” These protocols are therefore
usually referred to as tunneling or secure remote access protocols.

VPN

A virtual private network is a pseudo-LAN that is defined as a private network that operates over a
public network. It allows remote hosts to dial into a network and join the network basically as if it
were a local host, gaining access to network resources and information as well as other VPN hosts. The
exam will test you on your ability to recognize different applications of VPN networks. Use common
sense here! Obviously, VPN networks would likely be employed in settings in which information security
is essential and local access to the network is not available. For example, a VPN might be utilized by
a telecommuting employee who dials into the office network.
PPTP

PPTP, or Point-to-point tunneling protocol, is a commonly implemented remote access

protocol that allows for secure dial-up access to a remote network. In other words, PPTP is a
VPN protocol. PPTP utilizes a similar framework as PPP (point-to-point protocol) for the remote access
component but encapsulates data into undecipherable packets during transmission. It is as its name
implies: an implementation of PPP that utilizes tunneling by encapsulating data.

IPSec

IPSec is a heavily tested area of the Security+ exam. You will inevitably see at least one question on
IPSec and probably around three, so it will be to your benefit to understand IPSec well. IPSec allows for
the encryption of data being transmitted from host-to-host (or router-to-router, or router-to-host… you
get the idea) and is basically standardized within the TCP/IP suite. IPSec is utilized in several
protocols such as TLS and SSL. You should know that IPSec operates in two basic modes. We will
now study these modes in greater detail.

 Transport Mode – Provides host-to-host security in a LAN network but cannot be employed over
any kind of gateway or NAT device. Note that in transport mode, only the packet’s information, and
not the headers, are encrypted.
 Tunneling Mode – Alternatively, in tunneling mode, IPSec provides encapsulation of the entire
packet, including the header information. The packet is encrypted and then allowed to be routed
over networks, allowing for remote access. Because of this, we are usually most interested (at least
for exam purposes) in the Tunneling mode.

IPSec is comprised of two basic components that provide different functionality:

 AH – Authentication Header (AH) can provide authentication of the user who sent the
information as well as the information itself
 ESP – Encapsulating Security Protocol (ESP) can provide actual encryption services which
can ensure the confidentiality of the information being sent.

 IPSec implementation

L2TP

L2TP, or Layer 2 Tunneling Protocol, is an alternative protocol to PPTP that offers the capability
for VPN functionality in a more secure and efficient manner. Rather than actually replacing PPP as a
remote access protocol or IPSec as a security protocol, L2TP simply acts as an encapsulation protocol on
a very low level of the OSI model – the Data Link layer. L2TP, therefore, commonly utilizes PPP for the
actual remote access service and IPSec for security. Note that L2TP operates on a client/server model
with the LAC (L2TP Access Concentrator) being the client and the LNS (L2TP Network Server)
acting as the server.

Quick Review

1. Your boss asks you to recommend a solution that meets the following requirements: 1) He
wishes to access the company network remotely, and 2) The access must be as secure as
possible. Which would you implement?

a. A VPN using L2TP and IPSec

b. A PPP dial-in network

c. Telnet

d. SSH

2. Which of the following components of IPSec would allow a message to be traced back to a
specific user?

a. L2TP

b. TLS

c. AH
d. ESP

3. Which of the following is a true statement regarding the difference between tunneling
and transport modes of IPSec?

a. Transport only works with remote hosts

b. Tunneling only works between remote hosts

c. Transport is more secure than tunneling

d. Transport only works between local hosts

Answers

1. Your boss is essentially asking for a solution that allows for secure remote access to the network (as
opposed to a network host, which you might recommend SSH for). The answer is A, because the VPN
satisfies his basic requirements.

2. AH provides the essential service of authentication of users sending messages. This allows a message
to be traced back to a specific host. The answer is C.

3. Transport mode is exclusive to local host traffic because only the payload is encrypted. Transport
mode will not work between remote hosts; for this, you must employ tunnelling. The answer is D.

Introduction to Cryptography

In this Security+ study guide you will notice that we like to jump around from topic to topic. This is
intentional! We want you to keep different topics fresh in your mind as some topics in the exam are
particularly boring. In this lesson, we will learn about the basics of cryptography, including
common terminology, function, and applications. In later lessons, we will take a look at the more
technical aspects of cryptography.

What is Cryptography?

Cryptography is the science of hiding the meaning of a message. Even children are familiar with the
concept of cryptography as they learn to speak to each other in “code languages” that adults cannot
understand. Rap stars employ lyrics that have alternate and more explicit meanings. The British in
World War II were able to crack the Enigma Machine, Nazi Germany’s method of ciphering critical data.

For the purposes of the Security+ exam, however, we will usually speak of cryptography in terms of IT
information security. Computers are often employed in conjunction with cryptographic services and
protocols as many of these require complex calculations that only computers can provide in a timely
manner.

AES, one of many cryptographic algorithms

How Cryptography Works

The basic concept of cryptography is very simple. In a typical cryptographic exchange, information that
is meant to be hidden for whatever reason is encrypted, or ciphered into a difficult-to-interpret form. We
call this conversion encryption because it involves the change of clear text, or understandable data,
into cipher text, or difficult-to-interpret data. The encryption process is one-half of the
entire cryptographic exchange.

At the other end of the process is decryption, or the conversion of cipher text into clear text.
Decryption is not always a part of encryption, however – some algorithms are called “hashes” as they
only apply encryption (that is, from clear to cipher text) and have no means of deciphering the
information. We will cover more on this later.

Public Key and Private Key Systems

A key is the password of sorts used to encrypt and decrypt data.

When an encryption key is made available to any host, it's known as a public key. In contrast, a
private key is confidentially shared between two hosts or entities.

A symmetric encryption algorithm uses the same key for encryption and decryption. When a
different key is used for encryption and decryption this is known as asymmetric encryption.

More complex systems require both a public key and a private key to operate. We will go into greater
detail regarding these public key systems in later lessons but you should know of their existence.

Cryptanalysis and Cracking

Cryptanalysis is the act of breaking the cipher or attempting to understand the cipher text.
Cracking is often associated with cryptanalysis as cracking a shared key is often essential to
cryptanalysis attempts. Not every cipher is decipherable – for example, some encryption algorithms are
mathematically unbreakable (they operate on randomness) and other encryption algorithms are hashes
that do not provide one-to-one functionality (that is, more than one input can result in the same output,
making reverse-encryption or cryptanalysis impossible). However, most cryptographic algorithms can
theoretically be cracked but require extraordinary amounts of computational power to do so. For
example, RSA can take millennia to crack, hardly the amount of time that a potential attacker
or cryptanalyst has available.

Applications and Functions of Cryptography

The Security+ exam will test you on your ability to recognize situations in which cryptography might be
employed. The general rule here is that cryptography is employed in settings in which data
confidentiality and integrity are desirable. For example, you would not use cryptography when
transferring MP3 files (unless those files were highly sensitive for some reason) but you would certainly
employ cryptographic methods when transferring health information. In addition to data confidentiality
and integrity, cryptography can provide non-repudiation, which is the idea that a sender of
information would not be able to refute the fact that he or she did send that information or
data. Here is a sample laundry list of some well-known functions of cryptography:

 Tunneling protocols and VPN

 Email security (PGP et al.)
 Secure file transfer (S-FTP)
 Secure access to web pages (SSL)
 Kerberos Authentication
 Certificates
 Document security

Final Thoughts

We will continue to explore more on cryptography in the lessons to come. Cryptography is a heavily-
tested portion of the Security+ exam; we will cover the subject accordingly. It is important that as you
learn the specifics of cryptography protocols you understand the basic terminology that is employed in
any discussion of them.

Quick Review

1. Your manger asks you to employ a system in which the sender of a message would not be
able to deny that he sent that message. Your manager is asking for:

a. Certificate of authenticity
b. Non-repudiation

c. Authorization

d. SSL over HTTP

2. What is the primary difference between asymmetric and symmetric encryption

algorithms?

a. The use of a public key

b. Symmetric algorithms are one-way functions

c. The relative strength of the algorithm

d. The ability to perform man-in-the-middle attacks

3. Which of the following protocols does not employ cryptography?

a. HTTPS

b. SSH

c. Telnet

d. SFTP

e. IPSec

Answers

1. The idea that a sender would not be able to deny that he sent the information is called non-
repudiation. The answer is B.

2. The primary difference between asymmetric (public key) and symmetric (private key) algorithms is
that asymmetric algorithms use both a public and a private key. The answer is A.

3. All of the listed protocols with the exception of Telnet provide some encryption functionality. Telnet
transfers all information in clear text. The answer is C.

Malicious Software: Viruses, Trojan Horses, Worms

Despite all the hype about viruses and worms, the Security+ exam actually does not heavily test on
viruses and the like. However, you will probably see at least a few questions on these topics and we will
therefore go into some detail on the differences between different types of malicious programs and how
they can be avoided or prevented from propagating.

Viruses

A computer virus is malicious software that propagates itself upon the action of a user. For
example, some viruses send emails promising great information on how to get rich quickly or pleasant
images. The user then opens some sort of executable attachment (that is almost certainly not what is
promised) and the virus either immediately acts or waits as a dormant drone to act, either upon the
request of a master host or some sort of time period. Viruses typically inflict damage by either
destroying files categorically or installing new files that drastically affect the performance
of the computer. Most viruses also act to “insert” themselves into various executable files, increasing
the likelihood that a user will re-run the malicious executable file.

One of the core tendencies of any computer virus is propagation. Most viruses include some
mechanism for both local and network propagation, including the sending of instant
messages, the setting up of web servers, and of course, emails. However, viruses are not truly
“self-propagating” in the sense that the virus is actually incapable of “forcing” itself on another host
machine in most cases. A virus typically needs user interaction to act (such as opening an attachment).
This need for user interaction is usually seen as what separates a virus from a worm.

Worms

Unlike the friendly creatures that crawl beneath the crust, computer worms can be extremely
destructive and costly malicious programs that self-propagate to cause unbelievable
damage to computer networks across the world. Alternatively, worms can help provide us the
wonders of Google and Yahoo search engines. How can a worm be so good and yet so bad?

Actually, worms are not inherently evil. Worms are simply pieces of software that are able to (through
various means) self-propagate about the Internet. In many cases, computer worms provide various
services that we all love and utilize. One such worm is the World Wide Web Worm, which “crawls” the
Internet to pick up data from web pages for categorization and indexing that we later utilize through
popular search engines. Other “friendly” worms work to quickly patch software that is
vulnerable to attacks by – you guessed it – other worms!

However, some worms also do irreparable damage to computers. Many of these worms,
which carry malicious payloads, install self-destructive software or a backdoor into the PC.
Remote control of infected hosts is often a primary goal of worm writers who seek to crash high-profile
websites and services through “Denial of Service” attacks.

Trojan Horses and Backdoors

A Trojan horse or backdoor is any software that attempts to give a remote user unauthorized access to a
host machine or user account. Some backdoors actually serve a legitimate purpose (SSH, for example,
might be classified as a “backdoor”) but in general, the terms “backdoor” and especially “Trojan
horse” are associated with malicious intent.

Some popular Trojan horses include:

 BackOrfice
 NetBus
 SubSeven
 VNC (can be used legitimately but also used for unauthorized access in conjunction
with a worm)

Quick Review

1. What is a fundamental difference between a worm and a virus?

a. Worms are less destructive

b. Worms only act on the lower layers of the OSI model

c. Worms do not require user intervention

d. Worms are more destructive

2. You notice unusual network traffic on a port number whose function you cannot identify.
This is probably the mark of a (an):

a. NetBIOS session

b. Trojan horse
c. Exploit

d. Telnet session

3. Which of the following is not true of viruses?

a. They tend to carry malicious payloads

b. They can be timed to attack

c. They destroy hardware and software components of a PC

d. They can overwhelm a network

Answers:

1. Worms are truly self-propagating as they utilize exploits and other tricks to propagate without the use
of user intervention. The answer is C.

2. Trojan horses usually employ unusual port numbers and traffic. The answer is B.

3. All of the choices are true except C, because a virus cannot actually destroy hardware. The answer is
C.

Firewalls

As we continue to skip about in our lesson plans, we have now arrived at the subject of
firewalls. Firewalls are one of the most thoroughly misunderstood concepts around in
networking and security today. It is your duty to dispel some of the most common
misconceptions about firewalls not just for the purpose of passing the Security+ exam but also
for the sake of the information security community!

What is a Firewall?

A firewall is any hardware or software designed to prevent unwanted network

traffic. Some firewalls are simplistic in nature; in fact, many people use NAT devices as
firewalls as they do effectively prevent direct incoming connections to hosts behind the NAT.
Other firewalls are intricate operations, based on whitelists and blacklists, rules, and alerts.
What all firewalls have in common, however, is an ability to block incoming traffic that may be
deemed harmful.

Simple diagram of a firewall

Types of Firewalls

Because the definition of a firewall (at least as given above) is somewhat generalized, it is
hard to define the general actions and methods of firewalls. Instead, we look at the ways
different types of firewalls work. Each type of firewall has abilities, advantages, and
drawbacks; to do well on the Security+ exam, you should understand these.

Packet Filtering Firewall

A packet filtering firewall polices traffic on the basis of packet headers. IP, UDP, TCP,
and even ICMP have enough header information for a packet filtering firewall to make an
informed decision as to whether to accept or reject that packet. You can think of a packet
filtering firewall as a bouncer at a party. The bouncer may have a list of people that are
allowed to come in (a whitelist) or a list of people to specifically exclude (a blacklist). The
bouncer may even check a guest’s identification to assure that the guest is above 18.
Similarly, a packet filtering firewall simply inspects the source and destination of traffic in
making a decision on whether to allow the packet to pass through. For example, some traffic
may be addressed to a sensitive recipient and would therefore be blocked.

A packet filtering firewall can also filter traffic on the basis of port numbers. For example,
many companies now block traffic on port 27374 because it is well-known to be a
port used by the Trojan horse “SubSeven.”

Note that a packet filtering firewall basically operates through a special ACL (access
control list) in which both the white and black list of IP addresses and port numbers
are listed. In essence, this firewall operates at the Network and Transport layers of the OSI
Model. This model is notable for its simplicity, speed, and transparency – however, traffic is not
inspected for malicious content. In addition, IP addresses and DNS addresses can be hidden or
“spoofed,” as discussed in the Attacks lesson.

Circuit-Level Gateway

A circuit-level gateway is a type of firewall that operates on the Session layer of the OSI
model. Instead of inspecting packets by header/source or port information, it
instead maintains a connection between two hosts that is approved to be safe. This
is something akin to a parent who approves the people that their children can speak with on
the phone once they trust those people. In this scenario, the parent does not have to listen
into the conversation because they know they can trust the two communicating children.
Similarly, a circuit-level gateway establishes a secure connection between two hosts that have
been authenticated and trust each other.

Application-Level Gateway

As the name suggests, an application-level gateway operates in the Application layer of the
OSI model and actively inspects the contents of packets that are passed through to the
gateway. It is for this reason that application-level gateways are considered the most secure
as they can actively scan for malformed packets or malicious content. Think of an application-
level gateway as the eavesdropping parent. An eavesdropping parent has the most complete
knowledge of his or her child’s activities because he or she can listen into all of the child’s
conversations. An application-level gateway does have drawbacks, however, including speed
and routing problems. Application-level gateways are notorious for the amount of time it can
take to inspect packets.
A special kind of application-level gateway is a proxy server, which is a server that
serves as the “middle man” between two hosts that wish to communicate. In the
proxy server model, the host wishing to communicate sends a packet to the application-level
gateway (proxy server), which then makes the decision whether to forward the packet to the
intended recipient or to deny the request to send the packet.

Quick Review

1. Your manager wishes to implement some kind of device that would reject traffic
from online gambling sites and other distractions. Which of the following devices
would be most effective in achieving this solution?

a. Packet Filtering Firewall with NAT

b. Circuit-Level Gateway with ESP

c. Application-Level Gateway in the form of a Proxy Server

d. Circuit-Level Gateway with TLS

2. Which of the following is not a reason to implement a firewall?

a. To limit the number of malicious packets sent to the network

b. To reduce extraneous traffic that is deemed undesirable

c. To limit a particular host’s access to the Internet

d. To improve network throughput

3. Which of the following is true of a packet filtering firewall?

a. It implements an ACL

b. It inspects the contents of packets being filtered

c. It does not read the headers

d. None of the above

Answers

1. Only an application-level gateway can actually inspect the contents of individual packets, so
the answer must be C.

2. Although network throughput could ostensibly improve as a result of implementing a

firewall, it would not typically be reason to implement one and in most cases, a firewall acts as
a bottleneck to network traffic. The answer is D.

3. In order for a packet filtering firewall to operate, it must have a list of all of the allowable or
disallowable hosts to evaluate based on header information. The answer is A.
Networking Overview

In subsequent chapters of this study guide, we will take a look at different security topologies or ways
that networks can be set up with security in mind. Before we can do this, however, we must have a clear
understanding of different networking devices and concepts. We will now very briefly describe different
key networking components to help you understand how they are related to information security and
the exam.

A cartoon-ish network

IP Address

An IP address is a unique numeric identifier of a host machine within the scope of a TCP/IP
network. Public IP addresses are unique and individual to each host in the world, while private IP
addresses are often duplicated among different private networks. You can think of a public IP address as
a sort of telephone number and the private IP address as a sort of extension system that operates “in-
house.” All IP addresses are formed as four octets separated by a dot: for example, 192.168.1.1 is a
commonly-used private IP address.

NAT

NAT, or Network Address Translation, is a service in which a gateway can allow multiple private
hosts to operate under the guise of a single public IP address. One of the implications of NAT is
that hosts “behind” the NAT are effectively “hidden” from the rest of the Internet, with the NAT acting
as a sort of packet filtering firewall.

Router

A router can forward packets of information based on the IP address of the header of the packet.
Think of the header of the packet as a sort of shipping label for the packet in which the contents (the
package) are contained. A router can quickly examine the shipping label and send it off to the
appropriate destination.
Gateway

A gateway serves as a sort of middle-man between two networks, usually the Internet and a private
network. Many routers also serve as gateways, and many gateways have NAT functionality
built into them.

Media

The term “media” in networking refers to the physical medium of communication that the network
utilizes. In many Ethernet networks CAT-5 cabling is employed. In high-speed applications, fiber optic
media is used.

Applications and Ports

Applications, in the networking sense, refer to specific Application-layer services that hosts
provide over specific ports, or gateways into the system. For example, a web server is an
application server that provides web pages over the port TCP 80. Other Application servers include
FTP, Telnet, SSH, and Media servers.

Firewall

A firewall is a device that can selectively filter communications between two hosts. Although we
have an entire article dedicated to firewalls, it never hurts to reinforce the concept of what a firewall is
for your own extended understanding.

Switch/Hub

Hosts are connected to each other via a switch or a hub. The difference between a switch and a
hub is that a hub forwards all packets to all connected hosts whereas a switch forwards
packets only to selected recipients, increasing information confidentiality.

DMZ Host

A DMZ host is basically a “catch-all” host for requests on non-configured ports. Through a DMZ host,
undesirable network traffic can be sent to single safe host rather than any host that would be in danger
from malicious traffic.
Quick Review

1. Which of the following can be used as a sort of packet filtering firewall?

a. Proxy Server

b. Switch

c. NAT Device

d. None of the above

2. Why can’t a packet sniffer intercept switched network traffic?

a. The packet sniffer can only work in promiscuous mode

b. Switched networks direct traffic by MAC address

c. The packet sniffer can only work in latent mode

d. The port configuration is incorrect

3. Which of the following are not application services or servers? (Choose all that apply)

a. Proxy Server

b. Email Server

c. Web Server

d. DMZ Server

e. ARP Server

f. DHCP Server

Answers:

1. Only an NAT device would actually block packets based on headers (the definition of a packet filtering
firewall) because an NAT device would categorically block incoming traffic that has not established a
session. The answer is C.

2. A switch only forwards traffic to the intended recipient via MAC address (just like a router only
forwards traffic to the recipient via IP address), so the answer must be B.

3. D, E, and F are all non-application servers. DMZ servers are non-existent, and DMZ hosts would
nominally operate in the network layer of the OSI model. ARP servers would operate in the Data-Link
layer of the OSI model, and DHCP servers would operate in the Network layer of the OSI model.
Symmetric (Private) Key Cryptography

In this lesson we will learn about different symmetric key algorithms and their key features. More
importantly, we will learn about some more key concepts related to cryptography as it applies to both
symmetric and asymmetric algorithms. Finally, we will learn the advantages and disadvantages of
symmetric and asymmetric algorithms. First, let’s learn a bit about the differences between block and
stream ciphers.

Block v. Stream Ciphers

The difference between a block and a stream cipher is rather simple. A block cipher would break up a
clear text into fixed-length blocks and then proceed to encrypt those blocks into fixed-
length ciphers. Because the blocks are of a fixed length, keys can be re-used, making key
management a breeze. Typically, computer software uses block ciphers.

Stream ciphers operate on continuous (read: non-discrete) portions of data that arrives“in real time.”
In other words, stream ciphers work on information “bit-by-bit” rather than “block-by-
block.” Because the data does not need to broken down, stream ciphers are generally faster than block
ciphers, but keys are not re-usable in stream ciphers, making key management a real pain. For this
reason, stream ciphers are usually employed at the hardware level.

End-to-End Encryption

End-to-End encryption refers to a situation in which data is encrypted when it is sent and decrypted only
by the recipient. Of course, in order for the packets to be routed, the relevant TCP/IP headers must be
present and unencrypted on the packet.

Link Encryption

In Link encryption, every packet is encrypted at every point between two communicating hosts. In
this formulation, information sent to one router is encrypted by the host and decrypted by the router,
which then re-encrypts the information with a different key and sends it to the next point. Of course, in
this formulation, the headers are also encrypted. The obvious drawbacks include speed and vulnerability
to “man-in-the-middle” attacks.

Key Strength

A cryptovariable, or key, is the value applied to encrypted or clear text in order to decrypt or
encrypt the text. The length of the key, in bits, is usually a good indicator of the strength of the key. A
128-bit key is, for example, much stronger than a 32-bit key.
Symmetric Key Cryptography

In a symmetric key cryptosystem, a single key is used to encrypt and decrypt data between two
communicating hosts. In order to break the system, an attacker must either: A) discover the key
through trial-and-error, or discover the key during the initial “key agreement.”

(From Navy) Symmetric Key Encryption Schema

Symmetric key protocols are known to be faster and stronger than their asymmetric counterparts but do
possess unique disadvantages that we will discuss later. We will now look at some common symmetric
algorithms.

DES

DES is an outdated 64-bit block cipher that uses a 56-bit key. It is a symmetric algorithm that splits the
64-bit block into two separate blocks under the control of the same key. It is considered highly insecure
and unreliable and has been replaced by 3DES.

3DES

Triple DES or 3DES is the partial successor to DES but is still considered outdated and slow. It uses three
separate 56-bit keys for an effective key length of 168 bits. However, a vulnerability exists that would
allow a hacker to reduce the length of the key, reducing the time it would take to crack the key. In
addition, 3DES is very slow by today’s standards and would not be practical to use in encrypting large
files.

AES

AES is the true successor to DES and uses a strong algorithm with a strong key. It is based on the
Rijndael Block Cipher. The Rijndael Block Cipher can utilize different block and key lengths (including
128, 192, and 256 bit keys) to produce a fast and secure symmetric block cipher. The Twofish algorithm,
an alternative to Rijndael, utilizes 128-bit blocks for keys up to 256 bits.
IDEA

All you have to remember about IDEA is that:

 PGP uses IDEA to ensure email security, and

 It operates using 64-bit blocks and a 128-bit key

RC5

RSA Security developed RC5, a fast, variable-length, variable-block symmetric cipher. It can
accommodate a block size of up to 128 bits and a key up to 2048 bits.

Symmetric v. Asymmetric

Here is a quick run-down of the advantages of symmetric and asymmetric algorithms:

Symmetric

 Faster and easier to implement

 Lower overhead on system resources

Asymmetric

 Scalable and does not require much administration

 Easier for users to use

Quick Review

1. Which of the following symmetric ciphers is used in PGP for email security?

a. IDEA

b. PGP Security

c. RC5

d. Blockfish

2. Which of the following is not an advantage of asymmetric algorithms?

a. Scalability

b. Multiple functionality
c. Speed

d. Provides confidentiality and authentication

3. Why is DES considered “insecure?”

a. Buffer overflow exploit

b. Man-in-the-middle attack potential

c. Weak key length

d. All of the above

Answers

1. PGP (Pretty Good Privacy) uses IDEA for encryption. The answer is A.

2. Although asymmetric algorithms can be fast, they are generally slower than their symmetric
counterparts, making Speed an issue for these algorithms. The answer is C.

3. DES is insecure because its key length is so short (56 bits). The answer is C.

Public Key Cryptography

Public Key Cryptography is a widely-applied form of cryptography commonly utilized in many

network transactions. The Security+ exam will test you on your both your understanding of how
public key systems work as well as your ability to discern between different types of public key
algorithms. The exam will also cover PKI, or public-key infrastructure.

The workings of Public Key Cryptography

Unlike private key systems, in which two communicating users share a secret key for encryption and
decryption, public key systems utilize widely-available and unique “public keys,” as well as
“private keys,” to securely transmit confidential data.

Here’s how a public key transaction works: Assume we have two users, Pat and Jill, and that Pat wishes
to send Jill a secret love note. Pat encrypts the love note using Jill’s public key. The message is sent via
email to Jill. Jill then can read the message by decrypting the message with her private key. Note that in
order for this transaction to take place, only Jill has to know her private key. This is the beauty of a
public key (or asymmetric) system. Through this transaction, known as secure message format, the
confidentiality of the message is assured: only Jill can read it!

Public-key cryptography can also be applied to validate the authenticity of a message. In this
formulation, Pat would send Jill a message using his private key (therefore encrypting the message). To
read the message, Jill would use Pat’s public key. In doing so, Jill has affirmed that the message was in
fact sent by Pat. This is known as open message format.

In order to ensure both information authenticity and confidentiality, signed and secure message
format may be employed. Extending the love note example, Pat would first encrypt the message with
Jill’s public key and then encrypt that encrypted message with his own private key. When the message
is sent to Jill, she can use Pat’s public key to verify the message was indeed from Pat. But the message
is still encrypted! To overcome this, she can use her own private key to decrypt the message.

(From Navy) Public Key Schema

Public Key Protocols

 RSA is an asymmetric key transport protocol that can be used to transmit private keys
between hosts. The algorithm utilizes large prime numbers for effectiveness. The process can be
explained very simply – Pat encrypts the private key with Jill’s public key, and Jill decrypts the
message with her private key to reveal the private key.
 Diffie-Hellman is a key agreement protocol that can be used to exchange keys. It uses
logarithms to ensure security in the algorithm. In the Diffie-Hellman operation, Pat and Jill each use
their own private keys with the public key of the other person to create a shared secret key. Note
that Diffie-Hellman is vulnerable to man-in-the-middle attacks.
 El Gamal is an extension of Diffie-Hellman that includes encryption and digital signatures.
Message Digesting

A message digest is something of an unreadable, condensed version of a message. More

specifically, a message digest utilizes a one-way hash function to calculate a set-length version of a
message that cannot be deciphered into clear text. Message digests are usually employed in situations
in which it would be undesirable to be able to decrypt the message. One such application is in modern
username/password systems, in which the password is stored using a hash function or digest. After the
password has been hashed, it cannot be un-hashed. When a user attempts to login with a password,
the password he types is also hashed so that the two hashes (rather than the two passwords) are
compared against each other. Note that the hash assumes that a hashed value cannot be deciphered
and that no two messages will produce the same hash.

Hashing Protocols

 MD5 is the most commonly-used hash protocol and uses a 128-bit digest. It is very fast in
hashing a message and is also open-source.
 SHA-1 is a more secure implementation of a hashing protocol that uses a 160-bit digest and
“pads” a message to create a more difficult-to-decipher hash.

Quick Review

1. Which of the following ensures message confidentiality, but not authenticity?

a. Secure message format

b. Open message format

c. Signed and secure message format

d. Symmetric cryptography

2. Which of the following is not an asymmetric protocol?

a. Diffie-Hellman

b. El Gamal

c. 3DES

d. RSA
3. Why is a hash more difficult to decipher than a standard encryption protocol?

a. It is a one-way function

b. It uses strong encryption techniques

c. It uses large prime numbers

d. It uses discrete logarithms

Answers

1. Secure message format works by encrypting a message with the public key of the intended recipient,
ensuring confidentiality but not integrity. The answer is A.

2. 3DES is the only listed protocol that does not utilize a public key system. The answer is C.

3. Because a hash is a one-way function, the only way to decipher it is to try a large number of hashes
of cleartext until one matches the original hash. The answer is A.
Organizational Security

Thus far, we have learned the tough stuff – the technically-oriented portions of the exam. We haven’t
finished learning all of the technical items yet, either! However, we will take a short break from the
technical aspects of the exam to take a look at organizational security, a relatively simple and
common-sense portion of the exam you should do quite well on.

Physical Security

Physical security refers to the aspects of information security that are related to physical
threats, such as fire or natural disasters. We will cover some basic physical security threats below:

Fire

Remember that fire needs heat, oxygen, and fuel to burn. Also remember that there are four classes of
fires:

 A, which includes common combustibles

 B, which includes burnable fuels
 C, which includes electronics
 D, which includes chemical and other fires

There are also three common methods of fire detection:

 Heat-sensing, which detects fires by temperature

  Flame-sensing, which detects fires by the flicker of a flame or infrared detection
 Smoke-sensing, which detects fires by variations in light intensity or presence of CO2

There are also a number of different systems to suppress fire:

 Water: Traditional method and effective against Class A fires

 CO2: Suppresses by removing O2 element. Useful against Class B and C fires
 Soda acid: Combination of chemicals used to eliminate Class A, B fires
 Halon: Useful against A,B, and C fires but illegal by Montreal Protocol (ozone depleting)

HVAC

You should note that HVAC (heating, ventilation, and air conditioning) simply refers to the typical
environmental controls that we would call “air conditioning.” For the purposes of the exam, you should
use common sense and note that:

 High temperatures can cause computer equipment, especially processors, to over-heat and
perform poorly
 High humidity can cause corrosion in equipment due to water damage
 Low humidity creates an environment suited for too much static electricity (ESD)

Electricity and Power

Remember that electrical power originates from a utility substation or a power grid and that it
would be to your best interest to have access to electric distribution panels (circuit breakers and so
forth). Also note some of the following information on electric power:

 EPO (Emergency power-off) switches are used to shut down power immediately
 Backup power sources can be used to ensure continuity in the case of a disaster
 Backup sources should be used in critical applications, such as servers and physical access
equipment

ESD is also covered on the exam, so you should know that:

 ESD is electrostatic discharge, a convoluted term for static electricity build-up and release
 ESD can be prevented by 40 to 60 percent humidity levels, grounding, and antistatic floor
mats (and other antistatic material)

Electric noise is the crossover or interference that occurs in electrical wires due to high-energy
electrons “crossing over” into another wire or signal. To avoid this, you should:
  Use power line conditioners and surge protectors
 Grounding and shielded cabling

Business Continuity and Disaster Recovery Planning

The idea of business continuity revolves around the premise that your business should continue to
operate in the face of a disaster. Disaster recovery planning, in contrast, is related to the effort to
recover infrastructure that fails as the result of a disaster.

Quick Review

1. Which of the following fires can be put out easily with water?

a. Class A

b. Class B

c. Class C

d. Class D

2. Which of the following conditions would have little effect on the ability for systems to
continue functioning?

a. 80% humidity

b. 15% humidity

c. -10 degrees Celsius temperature

d. 100 degrees Celsius temperature

e. 0% humidity

3. Which of the following should be included in a BCP (business continuity plan)?

a. How information on servers that come down will later be retrieved

b. How to salvage existing equipment

c. How to shift the load of processing to backup emergency servers

d. How to mitigate the risk of a network attack.

Answers

1. Only Class A fires can be effectively extinguished with water. The answer is A.
2. While mild humidity, dryness, or high temperatures can result in equipment failure, slightly
uncomfortable low temperatures will rarely result in equipment failure. The answer is C.
3. Answers A and B are concerned with how to recover assets that had been lost after the disaster.
Answer D is not concerned with continuity planning, but rather, risk mitigation. The answer is C.

Email and Application Security

Some of the Security+ exam will test you on your knowledge of some basic email, Internet, and
application security issues. Although the amount of detail of knowledge that is required is quite minimal,
you must still have a working knowledge of some simple email and application security concepts.

Email Security

Email is a wonderful tool, no doubt, but it is not without security issues. Typical email configurations
allow for senders of email to spoof their addresses and send email messages in plain text. Even worse, it
is difficult for a recipient of an email to verify that the sender is actually who sent the message!
Thankfully, we have a few security tools at our disposal to ensure confidentiality (through
encryption) and integrity (through encryption, digital signatures, and strong passwords).
Here are some of those tools:

 S/MIME, or Secure Multipurpose Internet Mail Extensions, provides basic cryptographic services
for email sent via the Internet. Most popular browsers and email clients support S/MIME,
making it among the more popular cryptographic email security services available.
 MOSS, or MIME Object Security Services, is a less-common, more extensive suite of security
services for email.
 PEM, or Privacy Enhanced Mail, provides 3DES encryption for email.
 PGP, or Pretty Good Privacy, is an open-source and extremely popular email security suite
that uses IDEA to encrypt email and validate signatures.

Email also has a few security vulnerabilities:

 Spam is one of the most commonly mentioned nuisances, but did you know it is actually
considered a security threat? By clogging the email server, widespread spam denies to the user
 availability, a key component of the CIA triangle. Some spam solutions include user education,
email filtering, and reporting of Spam to the proper authorities (where necessitated by law)
 Open relays are email servers that forward email without any kind of authentication. In other
words, open relays allow malicious users to send bulk email without logging into an email server. A
good email security setup always includes a non-open relay server (or authenticated
relay server).
 Malicious Software: Obviously, viruses and worms are a large problem. Many propagate via email
messages that are automatically sent by infected hosts. One of the more common solutions is to
virus scan and filter incoming email.

Internet Security

The Internet can be a dangerous place, and so, we are interested in protecting users from malicious web
sites (with browser scripts) as well as protecting the information that users send to web sites.

 SSL is a connection-oriented standard designed to allow for secure cryptographic

communication between two hosts via the Internet. TLS is the newest version of SSL.
 S-HTTP is a connectionless standard that provides for symmetric encryption, message
digests, and client-server authentication.
 Browser Scripts/Vulnerabilities are controls, scripts, programs, or other software that can
run from the browser and cause damage to a host. In particular, ActiveX controls are well-
known for their often malicious content. The best way to protect against browser buffer overflows is
to remain vigilant and updated on the latest patches.

Quick Review

1. Which of the following is not a program or tool used to ensure email security?

a. S/MIME

b. MOSS

c. SSH

d. PGP

2. You notice that many users are complaining that their emails are being rejected by the
servers that they send the emails to. You also notice that the reason that they are being
rejected is because those servers have supposedly received bulk email from your domain.
Assuming that your users are innocent of spamming others, the most likely cause of this is:

a. A man-in-the-middle attack is changing all of the users’ messages to spam

b. A spoof attack is falsely identifying the emails as originating from your domain name
c. A worm has spread to your network

d. Your email server is configured for open relay

3. Which of the following is least likely to be associated with browser security?

a. ActiveX controls

b. Javascripts

c. Birthday attacks

d. Buffer overflows

e. Malicious CGI code

Answers

1. SSH is used to maintain a secure remote access connection between two hosts. The answer is C.

2. Although choices A, B, and C are theoretically possible, they are unlikely. It would be cumbersome
and counter-intuitive to an attacker to change every email message sent; if he had the ability to do this,
he would just send his own messages. Similarly, although a spoof attack is possible, it would be difficult
for the attacker to spoof his IP address without the use of a proxy; unless your server is a proxy server,
he probably would not target your domain name. Finally, a worm might have spread to your network,
but most worms do not send out unsolicited bulk (junk) email. The answer is D, because in most cases,
open relays lead to spam and bulk email.

3. Birthday attacks are related to probability and therefore unlikely to be associated with browser
security. The answer is C.

Security Topologies

One of the most essential portions of information security is the design and topology of secure
networks. What exactly do we mean by “topology?” Usually, a geographic diagram of a network comes
to mind. However, in networking, topologies are not related to the physical arrangement of equipment,
but rather, to the logical connections that act between the different gateways, routers, and
servers. We will take a closer look at some common security topologies.

Screening Router

In a screening router setup, the router acts as the sole gateway and gatekeeper between the
un-trusted, outside network (i.e. the Internet) and the trusted network (i.e. LAN). The router
maintains sole discretion on which traffic to allow in by implementing an ACL, or access control list. The
router in this setup, which blocks traffic based on source, destination, and other header information, is
analogous to Saint Peter, who acts as the gatekeeper into Heaven. Some of the advantages of screening
routers include their transparency and simplicity. However, in the screening router setup, the router is
the sole point of failure and depends heavily on the administrator to maintain a favorable ACL. Also, a
screening router has difficulty in masking internal network structure.

Dual-Homed Gateway

The dual-home gateway is a screening router setup that implements a bastion host between the
screening (external) router and the trusted network. A bastion host is a host that is configured to
withstand most attacks and can additionally function as a proxy server. By adding the bastion host, no
direct communication exists between the external network and the trusted network, masking the
internal network structure and allowing for traffic to be screened twice. It is considered fail-safe in that if
one of the components (bastion host, router) fails, the security system remains available. However, it is
cumbersome and rather slow in comparison to other topologies.

Screened Host Gateway

A screen host gateway is essentially a dual-homed gateway in which outbound traffic (from
trusted to un-trusted) can move unrestricted. Incoming traffic must first be screened and then
sent to the bastion host, like in a dual-homed gateway. This is a less secure but more transparent
system than dual-homed gateway.

Screened-Subnet
A screened-subnet setup works to employ a bastion host between two screening routers. What this
provides is a special zone for publicly available services (around the bastion host) and transparent access for
users on the trusted network. The zone around the bastion host that operates publicly and whose traffic to the
trusted network is screened is known as a DMZ zone; for this reason, bastion hosts are sometimes referred to
as DMZ hosts. Remember for the exam that a DMZ host would always be well-secured, just like a bastion
host would be.

IDS

An intrusion detection system, or IDS, can track or detect a possible malicious attack on a
network. For the exam, you will have to know about some division of IDS classifications:

 Active v. Passive IDS: An active IDS will attempt to thwart any kind of detected
attacks without user intervention. A passive IDS simply monitors for malicious activity
and then alerts the operator to act, or in other words, requires their intervention. Passive IDS is less
susceptible to attacks on the IDS system as it does not automatically act.
 Network v. Host IDS: A network-based IDS is one that operates as its own node on a
network, while host-based IDS systems require agents to be installed on every protected
host.*
 Knowledge v. Behavior IDS: A knowledge-based IDS works by assessing network traffic
and comparing it with known malicious signatures, much like antivirus software. A behavior-
based IDS analyzes baselines or normal conditions of network traffic; it then compares them to
possibly malicious levels of traffic. Note that this type of IDS produces more false alarms.

Honeypot

A honeypot is designed to lure attackers or malicious users into attempting an attack on a

fictional or purposefully-weak host and then recording the patterns of their activity or the source of the
attack. A honeypot can also act as bait for the rest of the network by luring attackers to an “easy
target.”

Quick Review

1. Which of the following topologies features a demilitarized zone or DMZ?

a. Active IDS

b. Passive IDS

c. Dual-Homed Gateway

d. Screened-Subnet

2. Why would behavior-based IDS require less maintenance than knowledge-based IDS?
a. Behavior-based systems necessarily work without user intervention

b. Knowledge-based IDS can only work on a screened-subnet or screened host gateway topology.

c. No DMZ host is required in a behavior-based IDS

d. Behavior-based systems do not require signatures or libraries of attacks

3. Your company wishes to implement a web server, email server, and voice-over-IP server
that are accessible to the rest of the Internet. However, it wants to ensure that the
structure and hosts within the rest of the network are totally protected from outside access.
Which of the following setups would provide this functionality?

a. Dual-Homed Gateway

b. Screened Host Gateway

c. Screening Router

d. Screened-Subnet

Answers

1. The screened-subnet topology features a DMZ between two screening routers, effectively isolating
the publicly-accessible zone from the rest of the trusted network. The answer is D.

2. Because behavior-based systems compare baseline use levels to current or potentially malicious
levels, they do not require signatures of libraries, decreasing the amount of active administrator
maintenance that is required. The answer is D.

3. A screened-subnet gateway provides a protected zone for public services. The answer is D.

Security+ Study Guide Review

We would like to wrap up some of the points that we’ve covered previously and introduce you to the
kinds of questions that you will encounter on the real Security+ examination. Therefore, this review will
feature questions that are sure to have you thinking; it is hoped that, from reading the
guide, you will be fully prepared to do well.

Questions

1. Your manager asks you to implement a system that can filter out unwanted content, such
as viruses and unproductive Internet content. The best way to accomplish this would be
through a system that implements a:

a. Circuit-level gateway
b. Proxy server

c. Packet filtering firewall

d. DMZ host

e. Bastion host

2. Which of the following is the function of PGP?

a. Filter unwanted Internet traffic

b. Create a buffered security zone

c. Provide access control functionality

d. Boot a *Nix server that is not operational as the result of an attack

e. Provide message encryption services

3. How do mandatory access controls protect access to restricted resources?

a. Sensitivity labelling

b. User-level share permissions

c. Server-level share permissions

d. Role-oriented permissions

e. ACL lists

4. You notice a rapid increase in the number of ICMP requests coming from a single host.
The requests are continuous and have been occurring for minutes. What kind of attack are
you likely experiencing?

a. Ping flood

b. Smurf

c. Birthday

d. Buffer overflow

e. You are not experiencing an attack

5. Your company requires secure remote access through a terminal to a server. Which of the
following would provide such secure access?

a. Telnet

b. SSH
c. FTP

d. SSL

e. Ethernet

6. Which of the following is an advantage of symmetric-key cryptography in comparison to

asymmetric-key cryptography?

a. Symmetric keys are stronger than asymmetric keys

b. Symmetric key systems are more scalable than asymmetric systems

c. Symmetric key systems are faster than their asymmetric counterparts

d. Symmetric key systems can operate in more than layers of the OSI model than can asymmetric
systems

e. None of the above

7. Which of the following is not a way that IDS systems are commonly classified?

a. Active

b. Passive

c. Latent

d. Knowledge-based

e. Behaviour-based

8. Which of the following provides tunneling over the data-link layer?

a. IPSec

b. L2TP

c. PPP

d. PPTP

e. VPN

9. Which of the following authentication factors is considered the strongest?

a. Type 1

b. Type 2

c. Type 3

d. Type 4
e. Type 5

10. You setup a packet-filtering firewall that accepts or rejects traffic based on the IP
address of the source. What kind of attack is this firewall specifically vulnerable to?

a. Buffer overflow

b. Man-in-the-Middle attack

c. Smurfing

d. Spoofing

e. Distributed denial of service

11. Your manager complains that he cannot remember his password. You have also lost your
copy of the password, but the MD5 hash of the password is stored in the database. How can
you use the MD5 hash to recover the password?

a. Decrypt the hash using a shared secret key

b. Decrypt the hash using a public encryption system

c. Encrypt the hash using a shared secret key

d. Encrypt the hash of the hash using a shared secret key

e. You cannot recover the password from the hash

12. Which of the following parts of the CIA triangle are effectively ensured by cryptography?

a. Confidentiality Only

b. Integrity Only

c. Accessibility Only

d. Accessibility and Integrity Only

e. Confidentiality and Integrity Only

13. Which of the following is not a parameter of a security association in IPSec?

a. SPI

b. Source IP Address

c. Destination IP Address

d. Security Protocol ID
14. Which of the following is not considered a physical security threat?

a. Fire

b. Water

c. Severe Weather

d. Electricity

e. Buffer Overflow

15. Which of the following is a layer-3 device that connects two dissimilar network
segments?

a. Bridge

b. Switch

c. Hub

d. Router

e. Gateway

Answers

1. A proxy server is the best way to filter content because it prevents a direct connection between a
local and remote host and therefore can effectively filter incoming and outgoing traffic. Answer: B

2. PGP, which stands for “Pretty Good Privacy,” is used to provide message signing and encryption
services. Answer: E

3. Mandatory is the key word in mandatory access control, which means that the sensitivity of
information is determined at the top of the decision-making tree rather than up to the user’s discretion.
To accomplish such a task, sensitivity labeling is necessary. Answer: A

4. Unusually large numbers of ICMP packets are usually employed in a ping flood attack. In this attack,
the number of packets is supposed to be so great that the system is overwhelmed and succumbs to the
attack, denying availability. Answer: A

5. Only SSH provides secure access through the Internet to a terminal. Telnet provides remote access
over cleartext. Answer: B
6. While symmetric key systems can prove difficult to manage and are cumbersome for many users,
they offer a greater degree of speed as fewer and less complex calculations are involved in the process.
Answer: C

7. IDS systems are not classified by latency, as such a concept makes no sense in that context.
Answer: C

8. L2TP stands for “Layer 2 Tunneling Protocol.” This should help you remember that L2TP indeed
provides tunneling over Layer 2, or the Data Link layer of the OSI model. Answer: B

9. As Types 4 and 5 are fictitious types of authentication factors, we are left with a choice between
Types 1, 2, and 3. Although Types 1 and 2 can offer strong factors, biometric identification (“what you
are”) is usually considered the strongest, as it is difficult to impersonate a fingerprint. Answer: C

10. Because the firewall discerns traffic by IP address, the best way to circumvent this firewall would be
to make it appear that your IP address is different than it really is. To do this, you would have to “spoof”
your IP address. Answer: D

11. A hash, by definition, is a one-way function that encrypts a message for digesting. Therefore, it is
impossible to actually “decrypt” the hash. Answer: E

12. Cryptography can both protect the contents of a message and ensure that a message remains the
same as when it was sent. Therefore, cryptography can be used to ensure confidentiality and integrity.
Availability, or the idea that systems should be available, is not ensured by cryptography. Answer: E

13. Because the destination IP address is not a security interest in IPSec transmissions, it is not included
on the security association. Answer: C

14. A buffer overflow, while a serious threat to system stability, is a logical rather than a physical
vulnerability. Answer: E

15. A router operates in the Network layer of the OSI model and is typically used to adjoin two dislike
network segments together (and forward packets based on IP address). Answer: D

Your Progress and Final Thoughts

If you scored between 0 and 7 questions correct, you need to study the entire guide again. Obviously,
you are lacking in mulitple areas of the security+ examination and could therefore benefit from
reading all of the subject areas in depth.

If you scored between 8 and 11 questions correct, you should take a close look at the subject areas of
the questions that you missed and carefully re-read and review the lessons in the guide
concerning those specific areas. If you took the exam today, you would probably not pass with this
sort of score.

If you scored between 12 and 15 questions correct, great job! You should probably glance over some of
the questions that you missed and the corresponding guide article, but you are most likely ready to
move on to our cram sheet. If you took the exam today, you would likely pass it.

We wish you the best of luck in your pursuit of Security+ certification. Be sure to check out our
Security+ Cram Sheet and take plenty of practice exams! We hope you do well.

-----------------------------------------------------------------------------------------------------------------------------------
See the following page for the Cram Sheet
-----------------------------------------------------------------------------------------------------------------------------------
Security+ Certification Cram Guide & Study Notes

Hopefully, you did well on the review featured in our study guide. In this cram guide, we would like to
give you some short tips on what to study for the Security+ exam to ensure a great score. It is
organized by the same criteria that CompTIA organizes the actual exam and is therefore
comprehensive, covering many of the specialized points that you will encounter while taking the exam.

Topic 1: General Security Concepts

 Your ability to understand the CIA triangle (Confidentiality, Integrity, and Availability) will help
you in many questions that are indirectly related to the triangle on the exam. Remember that
confidentiality refers to the idea that information should remain only accessible to those who are
meant to access it; integrity is the concept that information should remain in the same form as it
was originally intended (i.e. not maliciously changed); availability refers to the idea that information
should be accessible (think Denial of Service)
 Remember that access control refers to the ability to protect the confidentiality of information
through controlling a user’s access to that information. Remember the three types of authentication
factors:
 Type 1: What you know: Information, like passwords
 Type 2: What you have: Items, like lock-and-key or cards
 Type 3: What you are (Most secure): Biometrics, like fingerprints
 Accountability refers to the idea that a user should be accountable to actions performed under
his/her name. Non-repudiation is the idea that a user should not be able to repudiate that he/she is
responsible for something (for example, a file may say to have been edited by John, but how do we
know John actually edited it?)
 Make sure you understand Kerberos. Look back in the Security+ Study Guide if you do not. Here
is a condensed sequence of events: Client sends login information to KDC (Key Distribution Center),
which verifies a client’s credentials and sends a request to TGS (Ticket Granting Server). The TGS
sends a TGT (Ticket Granting Ticket) to the client.
 SSO stands for Single Sign-On, or the idea that you can sign on to many services through a single
username and password system rather than having one per each
 Make sure you understand and can recognize each of these attacks, as you will be tested on at
least two of these on the exam:
 SYN Flood: Sending TCP packets to deny availability
  ICMP Flood: Sending ICMP (usually ping) packets to deny availability
 UDP Flood: Sending UDP packets to deny availability
 Smurf: A special ICMP Flood attack that broadcasts ICMP requests
 Buffer Overflow: Sending a malformed packet that overflows a memory address to deny
availability and possibly gain privileges (destroy confidentiality/integrity)
 Backdoor: Gain access through a secret program (Trojan horse)
 Sniffing: Read information off the network
 Spoofing: Hiding or disguising an address to make it appear that the requests come from
another source
 Man-in-the-Middle: Intercepting packets and changing the contents (denies confidentiality
and integrity)
 Replay: Session key sniffed and then used
 Birthday attack: Probability-based
 Social engineering: Low-tech attack on people who don’t understand security
 Virus: Propagates through user action (usually email)
 Worm: Self-propagating and uses exploits

Topic 2: Communication Security

 Remote Access Technologies include PPP (widely used for dial-up TCP/IP access), PPTP (tunneled
PPP), RADIUS (UDP-based), TACACS+ (similar to radius, but TCP-based and Cisco proprietary)
 VPN stands for Virtual Private Networking and allows for tunneled remote access
 L2TP operates on the Data-Link layer; IPSec operates over Network layer and has two protocols:
AH and ESP
 Telnet allows remote terminal access over clear text. SSH allows this access over an encrypted
connection
 S/MIME, MOSS, PEM, PGP all email security programs. PGP is popular and uses IDEA
 Applets are programs that run in a browser: Some include C#, VB.Net, Java, and ActiveX
 S-HTTP is connectionless while SSL is connection-oriented; SSL 3.0 is known as TLS
 Cookies simply store information for websites to use (they are not inherently malicious)
 S-FTP is FTP over SSL (Transport Layer); TFTP offers no authentication or encryption
 Active Directory is Microsoft’s implementation of LDAP
 DNS maps IP addresses to DNS names
 Disk spanning allows a file system to be spread over multiple physical drives
 WTLS is WAP’s built-in security system and operates off over TLS
 802.11 is the standard for wireless, and includes sub-standards a, b, g, and n
 SSID is the name of a network based in infrastructure mode
 WEP is weak security system for wireless LAN’s; WEP operates on Layers 1 and 2 (Physical and
Data link)
  802.1x is a key management protocol that uses EAP

Topic 3: Infrastructure Security

 Make sure you know some basic networking concepts and hardware:
 Routers connect dissimilar networks
 Hubs forward packets without regard to MAC address. Switches forward packets based on
MAC address. Switches are less susceptible to sniffing
 Firewalls control traffic between a trusted and un-trusted network
 Cladding is the glass insulator in fiber optic cabling
 STP cabling is said to be shielded against EMI, or electric interference
 Also, for the Security+ exam, an understanding of the types of firewalls is essential:
 Packet filtering: Works by examining headers
 Circuit-level gateway: Maintains state information (connection-based)
 Application-level gateway: Examines each packet coming in for content
 Proxy server: Special application-level gateway that ensures no direct connection
between an un-trusted and trusted network
 ACL is the list that defines the rules that a packet filtering firewall follows
 The exam tests heavily on the security zone designs or topologies:
 Screening router: One router between the trusted and un-trusted
 Dual-homed gateway: A bastion host and router between trusted and un-trusted
 Screened host gateway: A bastion host that can examine traffic between trusted and un-
trusted
 Screened-subnet: A bastion host (and DMZ zone) between two routers
 It’s important to understand the distinctions of IDS systems:
 Active: Finds and attempts to circumvent threats (more susceptible to attacks)
 Passive: Finds threats and alerts administrator
 Network-based: Operates as independent network node
 Host-based: Requires that special software be installed on each node
 Knowledge-based: Works using signatures and known attacks
 Behavior-based: Works by analyzing baseline v. real-time network traffic
 Relaying refers to the behavior of SMTP servers that will send a message from any source
(should be disabled)
 Patches fix security issues from vendors
 Anonymous services allow access without authentication

Topic 4: Basics of Cryptography

  The work factor of an algorithm refers to the amount of resources and time it takes for the
algorithm to operate
 Encryption is the process of converting clear text into cipher text
 Decryption is the process of converting cipher text into clear text
 A key is the value that can encrypt or decrypt text
 Cipher text is encrypted text. Clear text is plain or un-encrypted text
 Public-key or asymmetric algorithms are more scalable and easier to manage than symmetric or
secret key algorithms, but they require more overhead and are slower
 End-to-End encryption refers to the idea that packets are encrypted at the source and decrypted
at the destination
 AES is a symmetric algorithm based on Rijndael Block Cipher
 Block ciphers encrypt clear text “block-by-block” while stream ciphers encrypt text in “real time”
 Symmetric algorithms include: DES, 3DES, AES, IDEA
 Asymmetric algorithms include: Diffie-Hellman, RSA, El Gamal
 Hashes do not allow for the decryption of cipher text. Think of a hash as a special type of
cryptographic "one-way," one-to-one function
 Here is a brief overview of how asymmetric or public-key cryptography works:
 Billy wants to send Sue information. Billy encrypts the information with Sue's public key,
which everyone knows
 Sue receives the information Bill sent and decrypts it with her private key, which only Sue
knows
 Sue sends Bill information back, encrypting it with his public key
 Bill decrypts the information using his private key

Topic 5: Organizational Security

 Use common sense! We won’t go over all of the silly details regarding how CompTIA feels about
the use of attack dogs to monitor physical security. However, we will note some important ideas
about protection from fire:
 Fire requires fuel, heat, and oxygen to burn
 Combustion’s products are water, carbon dioxide, and heat
 Different classes of fires require different suppressants
 Business Continuity Planning refers to continuing normal day-to-day operations after a disaster
 Disaster Recovery Planning refers to fixing the problems a disaster causes
 PVC piping releases toxic chemicals when burned
 A power spike is a rush of power
 A UPS (Uninterrupted Power Supply) is a battery that stores power for temporary usage in the
case of a power outage. The point of the UPS is to prevent system failure and provide continuity
  Electrical noise refers to electrical interference from other electronic devices on the action of an
electronic device
 Clustering data systems increases reliability
 Fault tolerance refers to the ability of a system to withstand multiple points of failure
 Backup types that you should know for the exam:
 Full: The information is backed up in entirety
 Differential: Only the data changed since the last full backup is backed up
 Incremental: Only the data changed since the last full or incremental backup is backed up
 The greatest amount of time that a system can withstand being un-operational is called the MTD
or maximum tolerable downtime
 Risk analysis is the practice of assessing which threats are relevant and pressing
 Information should always be given on a "Need-to-know" basis, meaning that a user should only
know what he or she absolutely needs to know
 Separation of Duties refers to the idea that multiple individuals should be responsible for the
operation of a system

Topic 6: Tables & Charts

Cryptographic Algorithms and Protocols

Replaced
Name Type Algorithm Size Strength
By

DES Symmetric Block cipher 64 bit (56 + 8 parity) Very weak 3DES

3DES Symmetric Block cipher 192 bit (168 bit + 24 parity) Moderate AES

AES Symmetric Rijndael Block cipher Variable (128, 192, 256) Strong N/A

RSA Block mode Very

RC5 Symmetric Variable (up to 2048) N/A
cipher Strong

RSA Asymmetric Key transport 512 Strong N/A

Diffie-
Asymmetric Key exchange N/A Moderate El Gamal
Hellman

Very
El Gamal Asymmetric Key exchange N/A N/A
Strong

Hash Rivest MD5 Block 512 bit block processing/ 128 bit
MD5 Strong MD6, et. Al.
(Digest) Hash digest

Very
SHA-1 Hash Rivest SHA Hash 512-bit processing/160 bit digest N/A
Strong

Very
HMAC Hash Keyed Digest Variable N/A
Strong

Fire Suppression Technology

Fire Fuel Suppression Tech

Class

Common organic
A Water
combustibles

Carbon dioxide, soda acid,

B Fuels
Halon

C Electrical fires Carbon dioxide, Halon

D Chemical Halon, specialized agents

Remote Access Technologies

Typ Protoc Replaced

Name Features
e ol By

PPP RAS PAP, CHAP, EAP TCP/IP N/A

RADIUS RAS PAP, CHAP UDP N/A

TACACS RAS PAP, CHAP UDP TACACS+

TACACS+ RAS Many TCP N/A

PPP tunneling, PAP, CHAP,

PPTP VPN Layer 2 L2F, L2TP
EAP

L2F VPN Cisco Based Layer 2 N/A

L2TP VPN Combines PPTP and Cisco Layer 2 N/A

IPSec VPN Transport / Tunnel mode Layer 3 N/A

CompTIA SECURITY+ DEFINITIONS

SECURITY+ DEFINITIONS

Privilege Creep If you forget to revoke the old privileges, the user may have access to more
information than they need. Over time, this can result in a situation know as privilege creep. The user
may acquire administrative privileges to the system by accident.

Computer Viruses Computer viruses are applications that carry out malicious actions.

CIA Of Security Topology Confidentiality, Integrity and Availability.

Spoofing Tricks something or someone into thinking something legitimate is occurring.

Phishing It is a form of social engineering where you simply ask someone for a piece of information
that you are missing by making it look as if it is a legitimate request.

War Driving Is when you drive around town with a laptop looking for wireless access points that can be
communicated with.

Phreaker Someone who abuses phone systems, as opposed to data systems.

Platform Hardening Is the process of making a workstation and server more secure.

Thin Clients Systems that don’t provide any disk storage or removable media on their workstations.
Thin clients download applications, data and any other information they need in order to run from
dedicated servers.

Honey Pot Is a computer that has been designated as a target for computer attacks, it is designed to
be broken and gather information.

Gap In The WAP If the interconnection between the WAP server and the Internet isn’t encrypted,
packets between the devices may be intercepted.

Site Survey Involves listening in on an existing wireless network using commercially available
technologies. It’s the primary method used to gather data about wireless networks.

Footprinting The process of systematically identifying the network and its security posture.

View Ports For Well Known Network Operations This file contains port numbers for well-known
services defined by IANA. All you have to do to access it is navigate to the following file and open it with
notepad. %WinDir%\system32\drivers\etc\services

TCP Wrappers They are low-level logging packages designed for Unix systems which provide
additional detailed logging on activity using a specific protocol.

Tailgating A method of gaining entry to electronically locked systems by following someone through
the door they just unlocked.

Chip Creep Unsoldered chips over time work their way out of the sockets that they are in.

PASS Method The recommended method to use a fire extinguisher is Pull, Aim, Squeeze, and Sweep.

Collusion It’s an agreement between two or more parties established for the purpose of committing
deception or fraud.

Three A’s Of Forensics Acquire the evidence, Authenticate the evidence, and Analyze the evidence.

SECURITY+ ACRONYM LIST

0–9

3DES Triple Data Encryption Standard

ACL Access Control List

AD Active Directory

AD-IDS Anomaly Detection Intrusion Detection System

AES Advanced Encryption Standard

AFS Apple File Sharing

AH Authentication Header

ALE Annual Loss Expectancy

APIs Application Program Interfaces

APIPA Automatic Private Internet Protocol Addressing

ARO Annualized Rate of Occurrence

ARP Address Resolution Protocol

ASR Automated System Recovery

BCP Business Continuity Plan

BGP Border Gateway Protocol

BIA Business Impact Analysis

CA Certificate Authority

CAST Carlisle Adams Stafford Tavares

CBF Critical Business Functions

CC Common Criteria

CD-R Compact Disk Recordable

CEI Computer Ethics Institute

CESA Cyberspace Electronic Security Act

CFO Chief Financial Officer

CGI Common Gateway Interface

CHAP Challenge Handshake Authentication Protocol

CMP Certificate Management Protocols

CN Canonical Name

CO Central Office

CPS Certificate Practice Statement

CPSR Computer Professionals of Social Responsibility

CRL Certificate Revocation List

CSIRT Computer Security Incident Response Team

CSS Central Security Service

D

DAC Discretionary Access Control

DDoS Distributed Denial of Service

DES Data Encryption Standard

DFS Distributed File System

DHCP Dynamic Host Configuration Protocol

DMZ Demilitarized Zone

DN Distinguished Name

DNS Domain Name Service

DoS Denial of Service

DRP Disaster Recovery Plan

DSA Digital Signature Algorithm

DSL Digital Subscriber Line

DSSS Direct Sequence Spread Spectrum

EAL Evaluation Assurance Level

ECC Elliptic Curve Cryptography

EIGRP Enhanced Interior Gateway Routing Protocol

EM Emergency Management

EMI Electromagnetic Interference

ESP Encapsulating Security Payload

EULA End User License Agreement

FAT File Allocation Table

FERPA Family Educational Rights and Privacy Act

FHSS Frequency Hopping Spread Spectrum

FIPS Federal Information Processing Standard

FTP File Transfer Protocol

GFS Grandfather Father Son

GSM Global System for Mobile Communications

GUID Globally Unique Identifier

H-IDS Host-based Intrusion Detection System

HIPAA Health Insurance Portability and Accountability

HR Human Resources

HTML Hyper Text Markup Language

HTTP Hyper Text Transfer Protocol

HTTPS Hyper Text Transfer Protocol Secure

I&A Identification and Authentication

IANA Internet Assigned Numbers Authority

ICMP Internet Control Message Protocol

ID Intrusion Detection

IDEA International Data Encryption Algorithm

IDS Intrusion Detection System

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

IGMP Internet Group Management Protocol

IGRP Interior Gateway Routing Protocol

IIS Internet Information Server

IM Instant Messaging

IMAP Internet Message Access Protocol

IP Internet Protocol

IPSec Internet Protocol Security

IPX/SPX Internetwork Packet Exchange / Sequenced Packet Exchange

IR Infrared

IRP Incident Response Plan

IS Information Systems

ISDN Integrated Systems Digital Network

ISN Initial Sequence Number

ISO International Organization for Standardization

ISP Internet Service Provider

ITU International Telecommunications Union

JFS Journaled File System

KDC Key Distribution Center

KEA Key Exchange Algorithm

L2F Layer Two Forwarding

L2TP Layer Two Tunneling Protocol

LCP Link Control Protocol

LDAP Lightweight Data Access Protocol

LRA Local Registration Authority

MAC Mandatory Access Control

MAC Media Access Control

MAC Message Authentication Code

MDA Message Digest Algorithm

MD-IDS Misuse Detection Intrusion Detection System

MIME Multipurpose Internet Mail Extensions

MOV Metal Oxide Varistor

MS-CHAP Microsoft Challenge Handshake Authentication Protocol

MSSP Managed Security Service Provider

MTBF Mean Time Before Failure

MTTR Mean Time To Repair

NAT Network Address Translation

NCP Network Control Protocol

NDA Nondisclosure Agreement

NDS Netware/Novell Directory Services

NetBEUI Network Basic Input Output System Extended User Interface

NetBIOS Network Basic Input Output System

NFS Network File System

NIC Network Interface Card

N-IDS Network-based Intrusion Detection System

NIST National Institute of Standards and Technology

NLM Netware Loadable Modules

NNTP Network News Transfer Protocol

NOC Network Operations Center

NOS Network Operating System

NSS Netware Storage Service

NTFS New Technology File System

OCSP Online Certificate Status Protocol

OES Open Enterprise Server

OFDM Orthogonal Frequency Division Multiplexing

OS Operating System

OSPF Open Shortest Path First

OU Organizational Unit

PAP Password Authentication Protocol

PBX Private Branch Exchange

PDA Personnel Digital Assistant

PGP Pretty Good Privacy

PKC Public Key Cryptography

PKCS Public Key Cryptography Standards

PKI Public Key Infrastructure

PKIX Public Key Infrastructure X.509

POP Post Office Protocol

POTS Plain Old Telephone Service

PPP Point to Point Protocol

PPTP Point to Point Tunneling Protocol

RA Registration Authority

RAS Remote Access Services

RADIUS Remote Authentication Dial-In User Service

RAID Redundant Array of Independent/Inexpensive Disks

RBAC Role-Based Access Control

RC Ron’s Code OR Rivest’s Cipher

RDN Relative Distinguished Name

RF Radio Frequency

RFC Request For Comments

RFI Radio Frequency Interference

RIP Routing Information Protocol

RPC Remote Procedure Call

RRAS Routing and Remote Access Services

RSA Rivest Shamir Adleman

RSH Remote Shell

SAINT Security Administrator’s Integrated Network Tool

SEI Software Engineering Institute

SET Secure Electronic Transfer

SHA Secure Hash Algorithm

S-HTTP Secure Hypertext Transport Protocol

SIM Subscriber Identification Model

SLA Service Level Agreement

SLE Single Loss Expectancy

SLIP Serial Line Internet Protocol

S/MIME Secure Multipurpose Internet Mail Extensions

SMS Systems Management Server

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SPX Sequenced Packet Exchange

SQL Structured Query Language

SSH Secure Shell

SSID Service Set Identifier

SSL Secure Socket Layer

SSO Single Sign On

STP Shielded Twisted Pair

TACACS Terminal Access Controller Access Controller System

TCP/IP Transmission Control Protocol / Internet Protocol

TCSEC Trusted Computer Systems Evaluation Criteria

TFTP Trivial File Transfer Protocol

TLS Transport Layer Security

UDP User Datagram Protocol

UPN User Principal Name

UPS Uninterruptible Power Supply

USA PATRIOT Uniting and Strengthening America by Providing Appropriate Tools Required and Obstruct
Terrorism

UTP Unshielded Twisted Pair

UV Ultraviolet

VLAN Virtual Local Area Network

VNC Virtual Network Computing

VoIP Voice over Internet Protocol

VPN Virtual Private Network

W3C World Wide Web Consortium

WAP Wireless Access Point

WAP Wireless Application Protocol

WAN Wide Area Networks

WDP Wireless Datagram Protocol

WEP Wired Equivalent Privacy

WINS Windows Internet Naming Service

WML Wireless Markup Language

WSP Wireless Session Protocol

WTLS Wireless Transport Layer Security

WTP Wireless Transaction Protocol

WWW World Wide Web

XKMS eXtensible Markup Language Key Management Specifications

XML eXtensible Markup Language

Resource URLs:

http://www.proprofs.com/mwiki/index.php/Category:Security-Plus

http://www.proprofs.com/mwiki/index.php?title=Comptia_Security%2B_Study_Guide

http://www.proprofs.com/mwiki/index.php?title=Comptia_Security%2B_Certification_Exam