CompTIA Security+ All-in-One Exam Guide (Exam SY0-501), 5th Edition, Wm. Arthur Conklin


ALL IN ONE

CompTIA Security+® EXAM GUIDE

Fifth Edition (Exam SY0-501)

Dr. Wm. Arthur Conklin

Dr. Gregory White

Chuck Cothren

Roger L. Davis

Dwayne Williams

New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto

McGraw-Hill Education is an independent entity from CompTIA®. This publication and CD-ROM may be used in assisting students to prepare for the CompTIA Security+® exam. Neither CompTIA nor McGraw-Hill Education warrant that use of this publication and CD-ROM will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.

Cataloging-in-Publication Data is on file with the Library of Congress

Names: Conklin, Wm. Arthur (William Arthur), author.

Title: CompTIA security+ all-in-one exam guide, (Exam SY0-501) / Dr. Wm. Arthur Conklin, Dr. Gregory White, Chuck Cothren, Roger L. Davis, Dwayne Williams.

Description: Fifth edition. | New York : McGraw-Hill Education, [2018]

Identifiers: LCCN 2017052997| ISBN 9781260019322 (set : alk. paper) | ISBN 9781260019315 (book : alk. paper) | ISBN 9781260019308 (CD) | ISBN 1260019322 (set : alk. paper) | ISBN 1260019314 (book : alk. paper) | ISBN 1260019306 (CD)

Subjects: LCSH: Computer security—Examinations—Study guides. | Computer networks—Security measures—Examinations—Study guides. | Computer technicians—Certification—Study guides. | Electronic data processing personnel—Certification—Study guides.

Classification: LCC QA76.9.A25 .C667565 2018 | DDC 005.8—dc23 LC record available at https://lccn.loc.gov/2017052997

McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

CompTIA Security+® All-in-One Exam Guide, Fifth Edition (Exam SY0-501)

Copyright © 2018 by McGraw-Hill Education. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.

1 2 3 4 5 6 7 8 9 LCR 21 20 19 18 17

ISBN: Book p/n 978-1-260-01931-5 and CD p/n 978-1-260-01930-8 of set 978-1-260-01932-2

MHID: Book p/n 1-260-01931-4 and CD p/n 1-260-01930-6 of set 1-260-01932-2

Sponsoring Editor: Amy Stonebraker

Editorial Supervisor: Janet Walden

Project Editor: Patty Mon

Acquisitions Coordinator: Claire Yee

Technical Editor: Chris Crayton

Copy Editor: William McManus

Proofreader: Claire Splan

Indexer: Ted Laux

Production Supervisor: James Kussow

Composition: Cenveo® Publisher Services

Illustration: Cenveo Publisher Services

Art Director, Cover: Jeff Weeks

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

This book is dedicated to the many information security professionals who quietly work to ensure the safety of our nation’s critical infrastructures. We want to recognize the thousands of dedicated individuals who strive to protect our national assets but who seldom receive praise and often are only noticed when an incident occurs. To you, we say thank you for a job well done!

ABOUT THE AUTHORS

Dr. Wm. Arthur Conklin, CompTIA Security+, CISSP, CSSLP, GISCP, GCFA, GRID, CRISC, CASP, is an Associate Professor and Director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees, a Ph.D. in business administration (specializing in information security), from The University of Texas at San Antonio (UTSA), and the degree Electrical Engineer (specializing in space systems engineering) from the Naval Postgraduate School in Monterey, CA. He is a fellow of ISSA and a senior member of ASQ, IEEE, and ACM. His research interests include the use of systems theory to explore information security, specifically in cyber-physical systems. He has a strong interest in cybersecurity education, and is involved with the NSA/DHS Centers of Academic Excellence in Cyber Defense (CAE CD) and the NIST National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework). He has coauthored six security books and numerous academic articles associated with information security. He is active in the DHS-sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cybersecurity aspects of industrial control systems. He has an extensive background in secure coding and has been co-chair of the DHS/DoD Software Assurance Forum Working Group for workforce education, training, and development.

Dr. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the United States Air Force and 11 years in the Air Force Reserves in a variety of computer and security positions. He obtained his Ph.D. in computer science from Texas A&M University in 1995. His dissertation topic was in the area of computer network intrusion detection, and he continues to conduct research in this area today. He is currently the Director for the Center for Infrastructure Assurance and Security (CIAS) and is a professor of computer science at the University of Texas at San Antonio (UTSA). Dr. White has written and presented numerous articles and conference papers on security. He is also the coauthor of five textbooks on computer and network security and has written chapters for two other security books. Dr. White continues to be active in security research. His current research initiatives include efforts in community incident response, intrusion detection, and secure information sharing.

Chuck Cothren, CISSP, Security+, is a Field Engineer at Ionic Security applying over 20 years of information security experience in consulting, research, and enterprise environments. He has assisted clients in a variety of industries including healthcare, banking, information technology, retail, and manufacturing. He advises clients on topics such as security architecture, penetration testing, training, consultant management, data loss prevention, and encryption. He is coauthor of the books Voice and Data Security and Principles of Computer Security.

Roger L. Davis, CISSP, CISM, CISA, is a Technical Account Manager for Microsoft supporting enterprise-level companies. He has served as president of the Utah chapter of the Information Systems Security Association (ISSA) and various board positions for the Utah chapter of the Information Systems Audit and Control Association (ISACA). He is a retired Air Force lieutenant colonel with 30 years of military and information systems/security experience. Mr. Davis served on the faculty of Brigham Young University and the Air Force Institute of Technology. He coauthored McGraw-Hill Education’s Principles of Computer Security and Voice and Data Security. He holds a master’s degree in computer science from George Washington University, a bachelor’s degree in computer science from Brigham Young University, and performed post-graduate studies in electrical engineering and computer science at the University of Colorado.

Dwayne Williams, CISSP, CASP, is Associate Director, Technology and Research, for the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio and is the Director of the National Collegiate Cyber Defense Competition. Mr. Williams has over 24 years of experience in information systems and network security. Mr. Williams’s experience includes six years of commissioned military service as a Communications-Computer Information Systems Officer in the United States Air Force, specializing in network security, corporate information protection, intrusion detection systems, incident response, and VPN technology. Prior to joining the CIAS, he served as Director of Consulting for SecureLogix Corporation, where he directed and provided security assessment and integration services to Fortune 100, government, public utility, oil and gas, financial, and technology clients. Mr. Williams graduated in 1993 from Baylor University with a bachelor of arts in computer science. Mr. Williams is a coauthor of Voice and Data Security, Principles of Computer Security, and CompTIA Security+ All-in-One Exam Guide.

About the Technical Editor

Chris Crayton (MCSE) is an author, technical consultant, and trainer. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as technical editor and content contributor on numerous technical titles for several leading publishing companies. He holds numerous industry certifications, has been recognized with many professional teaching awards, and has served as a state-level SkillsUSA competition judge.

Becoming a CompTIA Certified IT Professional Is Easy

It’s also the best way to reach greater professional opportunities and rewards.

Why Get CompTIA Certified?

Growing Demand

Labor estimates predict some technology fields will experience growth of more than 20% by the year 2020. (Source: CompTIA 9th Annual Information Security Trends study: 500 U.S. IT and Business Executives Responsible for Security.) CompTIA certification qualifies the skills required to join this workforce.

Higher Salaries

IT professionals with certifications on their resume command better jobs, earn higher salaries, and have more doors open to new multi-industry opportunities.

Verified Strengths

91% of hiring managers indicate CompTIA certifications are valuable in validating IT expertise, making certification the best way to demonstrate your competency and knowledge to employers. (Source: CompTIA Employer Perceptions of IT Training and Certification.)

Universal Skills

CompTIA certifications are vendor neutral—which means that certified professionals can proficiently work with an extensive variety of hardware and software found in most organizations.

Learn more about what the exam covers by reviewing the following:

• Exam objectives for key study points.

• Sample questions for a general overview of what to expect on the exam and examples of question format

• Visit online forums, like LinkedIn, to see what other IT professionals say about CompTIA exams.

Purchase a voucher at a Pearson VUE testing center or at CompTIAstore.com.

• Register for your exam at a Pearson VUE testing center

• Visit pearsonvue.com/CompTIA to find the closest testing center to you.

• Schedule the exam online. You will be required to enter your voucher number or provide payment information at registration.

• Take your certification exam

Congratulations on your CompTIA certification!

• Make sure to add your certification to your resume

• Check out the CompTIA Certification Roadmap to plan your next career move.

Learn More: Certification.CompTIA.org/securityplus

CompTIA Disclaimer

© 2016 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination of this courseware sheet is prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 02544-Mar2016.

The logo of the CompTIA Approved Quality Curriculum Program and the status of this or other training material as “Approved” under the CompTIA Approved Curriculum Program signifies that, in CompTIA’s opinion, such training material covers the content of CompTIA’s related certification exam. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such “Approved” or other training material in order to prepare for any CompTIA certification exam.

CONTENTS AT A GLANCE

Part II

and

Part III Architecture and Design

Part IV Identity and Access Management

Part VII Appendixes and Glossary

PREFACE

Information and computer security has moved from the confines of academia to mainstream America in the last decade. From the ransomware attacks to data disclosures such as Equifax and U.S. Office of Personnel Management that were heavily covered in the media and broadcast into the average American’s home, information security has become a common topic. In boardrooms, the topic has arrived with the technical attacks against intellectual property and the risk exposure from cybersecurity incidents. It has become increasingly obvious to everybody that something needs to be done in order to secure not only our nation’s critical infrastructure, but also the businesses we deal with on a daily basis. The question is, “Where do we begin?” What can the average information technology professional do to secure the systems that he or she is hired to maintain?

The answer to these questions is complex, but certain aspects can guide our actions. First, no one knows what the next big threat will be. The APT, ransomware, data disclosures … these were all known threats long before they became the major threat du jour. What is next? No one knows, so we can’t buy a magic box to fix it. Yet. But we do know that we will do it with the people we have, at their current level of training, when it arrives. The one investment that we know will be good is in our people, through education and training. For that will be what we bring to the next incident, problem, challenge, or, collectively, our national defense in the realm of cybersecurity. One could say security today begins and ends with our people. And trained people will result in better outcomes.

So, where do you, the IT professional seeking more knowledge on security, start your studies? The IT world is overflowing with certifications that can be obtained by those attempting to learn more about their chosen profession. The security sector is no different, and the CompTIA Security+ exam offers a basic level of certification for security. CompTIA Security+ is an ideal starting point for one interested in a career in security. In the pages of this exam guide, you will find not only material that can help you prepare for taking the CompTIA Security+ examination, but also the basic information that you will need in order to understand the issues involved in securing your computer systems and networks today. In no way is this exam guide the final source for learning all about protecting your organization’s systems, but it serves as a point from which to launch your security studies and career.

One thing is certainly true about this field of study—it never gets boring. It constantly changes as technology itself advances. Something else you will find as you progress in your security studies is that no matter how much technology advances and no matter how many new security devices are developed, at its most basic level, the human is still the weak link in the security chain. If you are looking for an exciting area to delve into, then you have certainly chosen wisely. Security offers a challenging blend of technology and people issues. We, the authors of this exam guide, wish you luck as you embark on an exciting and challenging career path.

ACKNOWLEDGMENTS

We, the authors of CompTIA Security+ All-in-One Exam Guide, Fifth Edition, have many individuals who we need to acknowledge—individuals without whom this effort would not have been successful.

The list needs to start with those folks at McGraw-Hill Education who worked tirelessly with the project’s multiple authors and led us successfully through the minefield that is a book schedule and who took our rough chapters and drawings and turned them into a final, professional product we can be proud of. We thank the good people from the Acquisitions team, Amy Stonebraker and Claire Yee; from the Editorial Services team, Janet Walden; and from the Production team, James Kussow. We also thank the technical editor, Chris Crayton; the project editor, Patty Mon; the copyeditor, William McManus; the proofreader, Claire Splan; and the indexer, Jack Lewis, for all their attention to detail that made this a finer work after they finished with it. And to Tim Green, who made these journeys possible.

We also need to acknowledge our current employers who, to our great delight, have seen fit to pay us to work in a career field that we all find exciting and rewarding. There is never a dull moment in security because it is constantly changing.

We would like to thank Art Conklin for again herding the cats on this one.

Finally, we would each like to individually thank those people who—on a personal basis—have provided the core support for us individually. Without these special people in our lives, none of us could have put this work together.

—The Author Team

To Bill McManus, we have worked on several books together and your skill never ceases to amaze me—may I someday learn to express complex ideas with the grace and simplicity you deliver. Thank you again for making this a better book.

—Art Conklin

I would like to thank my wife, Charlan, for the tremendous support she has always given me.

—Gregory B. White

Josie, Macon, and Jet, thank you for the love, support, and laughs.

—Chuck Cothren

Geena, all I am is because of you. Thanks for being my greatest support. As always, love to my powerful children and wonderful grandkids!

—Roger L. Davis

To my wife and best friend Leah for your love, energy, and support—thank you for always being there. To my kids—this is what Daddy was typing on the computer!

—Dwayne Williams

INTRODUCTION

Computer security has become paramount as the number of security incidents steadily climbs. Many corporations now spend significant portions of their budget on security hardware, software, services, and personnel. They are spending this money not because it increases sales or enhances the product they provide, but because of the possible consequences should they not take protective actions.

Why Focus on Security?

Security is not something that we want to have to pay for; it would be nice if we didn’t have to worry about protecting our data from disclosure, modification, or destruction from unauthorized individuals, but that is not the environment we find ourselves in today. Instead, we have seen the cost of recovering from security incidents steadily rise along with the number of incidents themselves. Cyber-attacks and information disclosures are occurring so often that one almost ignores them on the news. But with the theft of over 145 million consumers’ credit data from Equifax, with the subsequent resignation of the CSO and CEO, and hearings in Congress over the role of legislative oversight with respect to critical records, a new sense of purpose with regard to securing data may be at hand. The days of paper reports and corporate “lip-service” may be waning, and the time to meet the new challenges of even more sophisticated attackers has arrived. This will not be the last data breach, nor will attackers stop attacking our systems, so our only path forward is to have qualified professionals defending our systems.

A Growing Need for Security Specialists

In order to protect our computer systems and networks, we need a significant number of new security professionals trained in the many aspects of computer and network security. This is not an easy task as the systems connected to the Internet become increasingly complex with software whose lines of code number in the millions. Understanding why this is such a difficult problem to solve is not hard if you consider just how many errors might be present in a piece of software that is several million lines long. When you add the factor of how fast software is being developed—from necessity as the market is constantly changing—understanding how errors occur is easy. Not every “bug” in the software will result in a security hole, but it doesn’t take many to have a drastic effect on the Internet community. We can’t just blame the vendors for this situation, because they are reacting to the demands of government and industry. Many vendors are fairly adept at developing patches for flaws found in their software, and patches are constantly being issued to protect systems from bugs that may introduce security problems. This introduces a whole new problem for managers and administrators—patch management. How important this has become is easily illustrated by how many of the most recent security events have occurred as a result of a security bug that was discovered months prior to the security incident, and for which a patch has been available, but for which the community has not correctly installed the patch, thus making the incident possible. The reasons for these failures are many, but in the end the solution is a matter of trained professionals at multiple levels in an organization working together to resolve these problems.

But the issue of trained people does not stop with security professionals. Every user, from the board room to the mail room, plays a role in the cybersecurity posture of a firm. Training the non-security professional in the enterprise to use the proper level of care when interacting with systems will not make the problem go away either, but it will substantially strengthen the posture of the enterprise. Understanding the needed training and making it a reality is another task on the security professional’s to-do list.

Because of the need for an increasing number of security professionals who are trained to some minimum level of understanding, certifications such as the CompTIA Security+ have been developed. Prospective employers want to know that the individual they are considering hiring knows what to do in terms of security. The prospective employee, in turn, wants to have a way to demonstrate his or her level of understanding, which can enhance the candidate’s chances of being hired. The community as a whole simply wants more trained security professionals.

The goal of taking the CompTIA Security+ exam is to prove that you’ve mastered the worldwide standards for foundation-level security practitioners. The exam gives you a perfect opportunity to validate your knowledge and understanding of the computer security field, and it is an appropriate mechanism for many different individuals, including network and system administrators, analysts, programmers, web designers, application developers, and database specialists, to show proof of professional achievement in security. According to CompTIA, the exam is aimed at individuals who have

• A minimum of two years of experience in IT administration with a focus on security

• Day-to-day technical information security experience

• Broad knowledge of security concerns and implementation, including the topics that are found in the specific CompTIA Security+ domains

The exam objectives were developed with input and assistance from industry and government agencies. The CompTIA Security+ exam is designed to cover a wide range of security topics—subjects about which a security practitioner would be expected to know. The test includes information from six knowledge domains:


The Threats, Attacks and Vulnerabilities domain covers indicators of compromise and types of malware; types of attacks; threat actor types and attributes; penetration testing concepts; vulnerability scanning concepts; and the impact of types of vulnerabilities. The Technologies and Tools domain examines installing and configuring network components, both hardware and software-based, to support organizational security; using the appropriate software tools to assess the security posture of an organization; troubleshooting common security issues; analyzing and interpreting output from security technologies; deploying mobile devices securely; and implementing secure protocols.

The Architecture and Design domain examines the use cases and purposes for frameworks, best practices, and secure configuration guides; secure network architecture concepts; secure systems design; secure staging deployment concepts; the security implications of embedded systems; secure application development and deployment concepts; cloud and virtualization concepts; resiliency and automation strategies to reduce risk; and the importance of physical security controls. The fourth domain, Identity and Access Management, covers identity and access management concepts; identity and access services; identity and access management controls; and common account management practices.

The Risk Management domain covers the importance of policies, plans, and procedures related to organizational security; concepts of business impact analysis; concepts of risk management processes; incident response procedures; basic concepts of forensics; concepts of disaster recovery and continuity of operations; types of security controls; and data security and privacy practices. The last domain, Cryptography and PKI, covers the basic concepts of cryptography; cryptography algorithms and their basic characteristics; how to install and configure wireless security settings; and how to implement public key infrastructure.

The exam consists of a series of questions, each designed to have a single best answer or response. The other available choices are designed to provide options that an individual might choose if he or she had an incomplete knowledge or understanding of the security topic represented by the question. The exam will have both multiple-choice and performance-based questions. Performance-based questions present the candidate with a task or a problem in a simulated IT environment. The candidate is given an opportunity to demonstrate his or her ability in performing skills. The exam questions are based on the CompTIA Security+ Certification Exam Objectives: SY0-501 document obtainable from the CompTIA website at https://certification.comptia.org/certifications/security.

CompTIA recommends that individuals who want to take the CompTIA Security+ exam have the CompTIA Network+ certification and two years of IT administration experience with an emphasis on security. Originally administered only in English, the exam is now offered in testing centers around the world in English, Japanese, Portuguese, and Simplified Chinese. Consult the CompTIA website at www.comptia.org to determine a test center location near you.

The exam consists of a maximum of 90 questions to be completed in 90 minutes. A minimum passing score is considered 750 out of a possible 900 points. Results are available immediately after you complete the exam. An individual who fails to pass the exam the first time will be required to pay the exam fee again to retake the exam, but no mandatory waiting period is required before retaking it the second time. If the individual again fails the exam, a minimum waiting period of 30 days is required for each subsequent retake. For more information on retaking exams, consult CompTIA’s retake policy, which can be found on its website.

Preparing Yourself for the CompTIA Security+ Exam

CompTIA Security+ All-in-One Exam Guide, Fifth Edition, is designed to help prepare you to take the CompTIA Security+ certification exam SY0-501.

How This Book Is Organized

The book is divided into sections and chapters to correspond with the objectives of the exam itself. Some of the chapters are more technical than others—reflecting the nature of the security environment, where you will be forced to deal with not only technical details, but also other issues such as security policies and procedures as well as training and education. Although many individuals involved in computer and network security have advanced degrees in math, computer science, information systems, or computer or electrical engineering, you do not need this technical background to address security effectively in your organization. You do not need to develop your own cryptographic algorithm, for example; you simply need to be able to understand how cryptography is used, along with its strengths and weaknesses. As you progress in your studies, you will learn that many security problems are caused by the human element. The best technology in the world still ends up being placed in an environment where humans have the opportunity to foul things up—and all too often do.

As you can see from the table of contents, the overall structure of the book is designed to mirror the objectives of the CompTIA Security+ exam. The majority of the chapters are designed to match the objectives order as posted by CompTIA. There are occasions where the order differs slightly, mainly to group terms by contextual use.

In addition, there are two appendixes in this book. Appendix A provides an additional in-depth explanation of the OSI Model and Internet protocols, should this information be new to you, and Appendix B explains how best to use the CD-ROM included with the book.

Located just before the Index, you will find a useful Glossary of security terminology, including many related acronyms and their meaning. We hope that you use the Glossary frequently and find it to be a useful study aid as you work your way through the various topics in this exam guide.

Special Features of the All-in-One Series

To make these exam guides more useful and a pleasure to read, the All-in-One series has been designed to include several features.

Objective Map

The objective map that follows this introduction has been constructed to allow you to cross-reference the official exam objectives with the objectives as they are presented and covered in this book. References have been provided for the objective exactly as CompTIA presents it, the section of the exam guide that covers that objective and a chapter reference.
