Security+ SY0 301 chapter 1

PART I
Security Concepts

Chapter 1  General Security Concepts
Chapter 2  Operational Organizational Security
Chapter 3  Legal Issues, Privacy, and Ethics


CHAPTER 1

General Security Concepts

• Learn about the Security+ exam
• Learn basic terminology associated with computer and information security
• Discover the basic approaches to computer and information security
• Discover various methods of implementing access controls
• Determine methods used to verify the identity and authenticity of an individual

Why should you be concerned with taking the Security+ exam? The goal of taking the
Computing Technology Industry Association (CompTIA) Security+ exam is to prove
that you’ve mastered the worldwide standards for foundation-level security practitioners.
With a growing need for trained security professionals, the CompTIA Security+ exam
gives you a perfect opportunity to validate your knowledge and understanding of the
computer security field. The exam is an appropriate mechanism for many different
individuals, including network and system administrators, analysts, programmers, web
designers, application developers, and database specialists, to show proof of professional
achievement in security. According to CompTIA, the exam is aimed at individuals who have
• A minimum of two years of experience in IT administration with a focus on security
• Day-to-day technical information security experience
• Broad knowledge of security concerns and implementation, including the topics that
  are found in the specific domains
The exam’s objectives were developed with input and assistance from industry and
government agencies, including such notable examples as the Federal Bureau of
Investigation (FBI), the National Institute of Standards and Technology (NIST), the U.S.
Secret Service, the Information Systems Security Association (ISSA), the Information
Systems Audit and Control Association (ISACA), Microsoft Corporation, RSA Security,
Motorola, Novell, Sun Microsystems, VeriSign, and Entrust.


CompTIA Security+ All-in-One Exam Guide, Third Edition

The Security+ Exam
The Security+ exam is designed to cover a wide range of security topics—subjects about
which a security practitioner would be expected to know. The test includes information
from six knowledge domains:

Knowledge Domain                              Percent of Exam
Network Security                              21%
Compliance and Operational Security           18%
Threats and Vulnerabilities                   21%
Application, Data, and Host Security          16%
Access Control and Identity Management        13%
Cryptography                                  11%

The Network Security knowledge domain covers basic networking principles and
devices. The domain is concerned with both wired and wireless networks and the security
issues introduced when computers are connected to local networks as well as the
Internet. The Compliance and Operational Security domain examines a number of
operational security issues such as risk assessment and mitigation, incident response,
disaster recovery and business continuity, training and awareness, and environmental
controls. Since it is important to know what threats you are protecting your systems and
networks from, the third domain examines the many different types of attacks that can
occur and the vulnerabilities that these attacks may exploit. The fourth domain,
Application, Data, and Host Security, covers those things that individuals can do to protect
individual hosts. This may include items such as encryption, patching, antivirus measures,
and hardware security. In the Access Control and Identity Management domain,
fundamental concepts and best practices related to authentication, authorization, and
access control are addressed. Account management and authentication services are also
addressed in this domain. The last domain, Cryptography, has long been part of the basic
security foundation of any organization, and an entire domain is devoted to details
on its various aspects.
The exam consists of a series of questions, each designed to have a single best answer or
response. The other available choices are designed to provide options that an
individual might choose if he or she had an incomplete knowledge or understanding
of the security topic represented by the question. The exam questions are chosen from
the more detailed objectives listed in the outline shown in Figure 1-1, an excerpt from
the 2011 objectives document obtainable from the CompTIA web site at
http://www.comptia.org/certifications/listed/security.aspx.
CompTIA recommends that individuals who want to take the Security+ exam have
the CompTIA Network+ certification and two years of technical networking experience,
with an emphasis on security. Originally administered only in English, the exam is now
offered in testing centers around the world in the English, Spanish, Japanese, Chinese,
and German languages. Consult the CompTIA web site at www.comptia.org to determine
a location near you.



Chapter 1: General Security Concepts


1.0 Network Security
    1.1 Explain the security function and purpose of network devices and technologies
    1.2 Apply and implement secure network administration principles
    1.3 Distinguish and differentiate network design elements and compounds
    1.4 Implement and use common protocols
    1.5 Identify commonly used default network ports
    1.6 Implement wireless network in a secure manner

2.0 Compliance and Operational Security
    2.1 Explain risk related concepts
    2.2 Carry out appropriate risk mitigation strategies
    2.3 Execute appropriate incident response procedures
    2.4 Explain the importance of security related awareness and training
    2.5 Compare and contrast aspects of business continuity
    2.6 Explain the impact and proper use of environmental controls
    2.7 Execute disaster recovery plans and procedures
    2.8 Exemplify the concepts of confidentiality, integrity and availability (CIA)

3.0 Threats and Vulnerabilities
    3.1 Analyze and differentiate among types of malware
    3.2 Analyze and differentiate among types of attacks
    3.3 Analyze and differentiate among types of social engineering attacks
    3.4 Analyze and differentiate among types of wireless attacks
    3.5 Analyze and differentiate among types of application attacks
    3.6 Analyze and differentiate among types of mitigation and deterrent techniques
    3.7 Implement assessment tools and techniques to discover security threats and
        vulnerabilities
    3.8 Within the realm of vulnerability assessments, explain the proper use of penetration
        testing versus vulnerability scanning

4.0 Application, Data and Host Security
    4.1 Explain the importance of application security
    4.2 Carry out appropriate procedures to establish host security
    4.3 Explain the importance of data security

5.0 Access Control and Identity Management
    5.1 Explain the function and purpose of authentication services
    5.2 Explain the fundamental concepts and best practices related to authentication,
        authorization and access control
    5.3 Implement appropriate security controls when performing account management

6.0 Cryptography
    6.1 Summarize general cryptography concepts
    6.2 Use and apply appropriate cryptographic tools and products
    6.3 Explain the core concepts of public key infrastructure
    6.4 Implement PKI, certificate management and associated components

Figure 1-1  CompTIA Security+ Exam Objectives (www.comptia.org/certifications/listed/security.aspx)

The exam consists of 100 questions to be completed in 90 minutes. A minimum
passing score is considered 750 out of a possible 900 points. Results are available
immediately after you complete the exam. An individual who fails to pass the exam the
first time will be required to pay the exam fee again to retake the exam, but no mandatory
waiting period is required before retaking it the second time. If the individual
again fails the exam, a minimum waiting period of 30 days is required for each subsequent
retake. For more information on retaking exams, consult CompTIA’s retake policy, which
can be found on its web site.
This All-in-One Security + Certification Exam Guide is designed to assist you in preparing
for the Security+ exam. It is organized around the same objectives as the exam and
attempts to cover the major areas the exam includes. Using this guide in no way guarantees
that you will pass the exam, but it will greatly assist you in preparing to meet the
challenges posed by the Security+ exam.

Basic Security Terminology
The term hacking is used frequently in the media. A hacker was once considered an
individual who understood the technical aspects of computer operating systems and
networks. Hackers were individuals you turned to when you had a problem and needed
extreme technical expertise. Today, as a result of media use, the term is used more
often to refer to individuals who attempt to gain unauthorized access to computer systems
or networks. While some would prefer to use the terms cracker and cracking when
referring to this nefarious type of activity, the terminology generally accepted by the
public is that of hacker and hacking. A related term that is sometimes used is phreaking,
which refers to the “hacking” of computers and systems used by the telephone company.

Security Basics
Computer security is a term that has many meanings and related terms. Computer security entails the methods used to ensure that a system is secure. The ability to control
who has access to a computer system and data and what they can do with those resources must be addressed in broad terms of computer security.
Seldom in today’s world are computers not connected to other computers in networks. This then introduces the term network security to refer to the protection of the
multiple computers and other devices that are connected together in a network. Related
to these two terms are two others, information security and information assurance, which
place the focus of the security process not on the hardware and software being used but
on the data that is processed by them. Assurance also introduces another concept, that
of the availability of the systems and information when users want them.
Since the late 1990s, much has been published about specific lapses in security that
have resulted in the penetration of a computer network or in denying access to or the
use of the network. Over the last few years, the general public has become increasingly
aware of its dependence on computers and networks and consequently has also become interested in their security.


As a result of this increased attention by the public, several new terms have become
commonplace in conversations and print. Terms such as hacking, virus, TCP/IP, encryption,
and firewalls now frequently appear in mainstream news publications and have
found their way into casual conversations. What was once the purview of scientists and
engineers is now part of our everyday life.
With our increased daily dependence on computers and networks to conduct everything
from making purchases at our local grocery store to driving our children to school
(any new car these days probably uses a small computer to obtain peak engine
performance), ensuring that computers and networks are secure has become of paramount
importance. Medical information about each of us is probably stored in a computer
somewhere. So is financial information and data relating to the types of purchases we
make and store preferences (assuming we have and use a credit card to make purchases).
Making sure that this information remains private is a growing concern to the
general public, and it is one of the jobs of security to help with the protection of our
privacy. Simply stated, computer and network security is essential for us to function
effectively and safely in today’s highly automated environment.

The “CIA” of Security
Almost from its inception, the goals of computer security have been threefold:
confidentiality, integrity, and availability—the “CIA” of security. Confidentiality ensures
that only those individuals who have the authority to view a piece of information may do
so. No unauthorized individual should ever be able to view data to which they are not
entitled. Integrity is a related concept but deals with the modification of data. Only
authorized individuals should be able to change or delete information. The goal of
availability is to ensure that the data, or the system itself, is available for use when the
authorized user wants it.
As a result of the increased use of networks for commerce, two additional security
goals have been added to the original three in the CIA of security. Authentication deals
with ensuring that an individual is who he claims to be. The need for authentication in
an online banking transaction, for example, is obvious. Related to this is nonrepudiation,
which deals with the ability to verify that a message has been sent and received so that
the sender (or receiver) cannot refute sending (or receiving) the information.
EXAM TIP Expect questions on these concepts as they are basic to the
understanding of what we hope to guarantee in securing our computer
systems and networks.

The Operational Model of Security
For many years, the focus of security was on prevention. If you could prevent somebody
from gaining access to your computer systems and networks, you assumed that they
were secure. Protection was thus equated with prevention. While this basic premise was
true, it failed to acknowledge the realities of the networked environment of which our
systems are a part. No matter how well you think you can provide prevention, somebody


always seems to find a way around the safeguards. When this happens, the system is left
unprotected. What is needed is multiple prevention techniques and also technology to
alert you when prevention has failed and to provide ways to address the problem. This
results in a modification to the original security equation with the addition of two new
elements—detection and response. The security equation thus becomes

Protection = Prevention + Detection + Response

This is known as the operational model of computer security. Every security technique
and technology falls into at least one of the three elements of the equation. Examples of
the types of technology and techniques that represent each are depicted in Figure 1-2.
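The three elements of the operational model map directly onto code. The following Python is an added illustration written for this edition of the text; it is not code from the exam guide or from CompTIA. It models a toy login gate in which the credential check is prevention, a threshold on failed attempts per source address within a sliding time window is detection, and blocking that source is response. The account table, the addresses, and the attempt sequence are all constructed sample data, and the Gate class and its thresholds are assumptions chosen for the example.

```python
"""Operational model of security: Protection = Prevention + Detection + Response.

Added illustration (not the exam guide's code). A toy login gate where:
  - prevention  = the credential check that refuses unknown or wrong logins,
  - detection   = counting failed attempts per source inside a time window,
  - response    = blocking a source once the threshold is crossed.
Accounts, addresses and the attempt sequence below are constructed sample data.
"""
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample accounts. A real system stores salted password hashes,
# never plaintext; plaintext is used here only to keep the example short.
KNOWN_ACCOUNTS = {"alice": "correct horse battery staple", "bob": "hunter2"}


@dataclass
class Gate:
    threshold: int = 5          # failures per source that trigger a response ...
    window: float = 60.0        # ... when they fall within this many seconds
    blocked: set = field(default_factory=set)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)

    def attempt(self, ts: float, source: str, user: str, password: str) -> str:
        """Return 'allowed', 'denied' or 'blocked' for one login attempt."""
        # Response already in effect: a blocked source is refused before any check.
        if source in self.blocked:
            return "blocked"
        # Prevention: constant-time comparison against the stored credential.
        stored = KNOWN_ACCOUNTS.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if not ok:
            self._detect(ts, source)
        return "allowed" if ok else "denied"

    def _detect(self, ts: float, source: str) -> None:
        """Detection: keep a sliding window of failure timestamps per source."""
        q = self.failures[source]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append(f"{source}: {len(q)} failures in {self.window:.0f}s")
            self._respond(source)

    def _respond(self, source: str) -> None:
        """Response: block the source so prevention no longer has to hold alone."""
        self.blocked.add(source)
        self.failures.pop(source, None)


# Constructed attempt log: (timestamp, source address, user, password supplied).
SAMPLE_ATTEMPTS = [
    (0.0, "10.0.0.5", "alice", "correct horse battery staple"),   # legitimate login
    (1.0, "203.0.113.9", "alice", "password"),                    # guessing begins
    (2.0, "203.0.113.9", "alice", "123456"),
    (3.0, "203.0.113.9", "bob", "letmein"),
    (4.0, "203.0.113.9", "bob", "qwerty"),
    (5.0, "203.0.113.9", "bob", "admin"),                         # 5th failure: alert + block
    (6.0, "203.0.113.9", "bob", "hunter2"),                       # right password, but blocked
    (7.0, "10.0.0.5", "alice", "correct horse battery staple"),   # other sources unaffected
    (10.0, "198.51.100.7", "carol", "x"),                         # slow guesser: 5 failures
    (80.0, "198.51.100.7", "carol", "x"),                         # spread over ~5 minutes,
    (150.0, "198.51.100.7", "carol", "x"),                        # so a 60 s window never trips
    (220.0, "198.51.100.7", "carol", "x"),
    (290.0, "198.51.100.7", "carol", "x"),
]


def replay(attempts, threshold: int = 5, window: float = 60.0):
    """Feed attempts through a fresh Gate in timestamp order; return (outcomes, gate)."""
    gate = Gate(threshold=threshold, window=window)
    outcomes = [gate.attempt(*a) for a in sorted(attempts, key=lambda a: a[0])]
    return outcomes, gate


if __name__ == "__main__":
    outcomes, gate = replay(SAMPLE_ATTEMPTS)
    for (ts, src, user, _), result in zip(sorted(SAMPLE_ATTEMPTS), outcomes):
        print(f"t={ts:5.1f} {src:14} {user:6} -> {result}")
    print("alerts:", gate.alerts)
    print("blocked:", sorted(gate.blocked))
```

Two points the run makes that the equation alone does not. First, the slow source from 198.51.100.7 shows that detection is only as good as its tuning: with a 60-second window its five failures never coincide, while `replay(SAMPLE_ATTEMPTS, window=600.0)` catches it. Second, the response is itself a security decision with a cost: once 203.0.113.9 is blocked, even the correct password is refused from there, which trades some availability for confidentiality, exactly the kind of balance the CIA goals describe.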

Security Principles
An organization can choose to address the protection of its networks in three ways: ignore
security issues, provide host security, and approach security at a network level. The
last two, host and network security, have prevention as well as detection and response
components.
If an organization decides to ignore security, it has chosen to utilize the minimal
amount of security that is provided with its workstations, servers, and devices. No
additional security measures will be implemented. Each “out-of-the-box” system has
certain security settings that can be configured, and they should be. To protect an entire
network, however, requires work in addition to the few protection mechanisms that
come with systems by default.
Host Security  Host security takes a granular view of security by focusing on protecting
each computer and device individually instead of addressing protection of the network as
a whole. When host security is implemented, each computer is expected to
protect itself. If an organization decides to implement only host security and does not
include network security, it will likely introduce or overlook vulnerabilities. Many
environments involve different operating systems (Windows,
