
Chapter 2

Networking Basics and Terminology


The Security+ certification exam does not expect you to know
the commands to configure port security or to disable a port on a
Cisco switch, but it does expect you to understand features of the
switch that offer security.

Hub → sends every frame out all ports.

Switch → filters traffic by port and MAC address, forwarding each frame only to the port where the destination MAC address resides.

Port mirroring allows the administrator to copy traffic from other ports to a single destination port (known as a monitoring port).

Port security: Port security is a feature of a network switch that lets you configure a port for a specific MAC address.

Capability to disable ports: If you have ports on the switch that are not being used, it is a security best practice to disable them so that they cannot be used.

For the exam, remember that a switch offers great security because it filters traffic by sending the traffic only to the port that the destination system resides on. You should also be able to describe features such as port security, port mirroring, and the capability to disable unused ports.

For the exam, remember that VLANs are a way to create communication boundaries on the network. By default, systems in one VLAN cannot communicate with systems in another VLAN.

For the Security+ exam, remember that a proxy server makes the request for the Internet resource on behalf of the user, and commonly the company filters and logs which web sites users have visited.

Remember for the exam that fiber-optic is a more secure cable type to use because it does not carry an electrical signal, but instead carries data as pulses of light.
INSIDE THE EXAM
Remember Address Classes?
Although the Network+ certification exam tests you on IP addressing and
configuration concepts, you still need to know the concept of address
classes to answer related questions on the Security+ certification exam.
The following paragraphs review the key information about address
classes.

Class A addresses have an IP address in which the first octet is between 1 and 126. Class A addresses also have a default subnet mask of 255.0.0.0. Also note that this subnet mask can be displayed as a /8 at the end of the address; for example, 12.0.0.10/8 means that the first 8 bits of the address are the network portion covered by the subnet mask.

Class B addresses have an IP address in which the value of the first octet
is between 128 and 191. Class B addresses have a default subnet mask of
255.255.0.0 or can be displayed as /16 at the end of the address.

Class C addresses have an IP address in which the value of the first octet
is between 192 and 223. In addition, class C addresses have a default
subnet mask of 255.255.255.0, which can be displayed as /24 at the end
of the address.
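As an added example (not from the book), the following Python applies the classful rules above to any IPv4 address: it determines the class from the first octet, returns the default prefix length and dotted-decimal mask, and derives the classful network the way the 12.0.0.10/8 example does. It also covers ranges the text does not list, which are this example's own assumptions: 0.x.x.x and the 127.x.x.x loopback range belong to no class, and class D (224–239, multicast) and class E (240–255, reserved) have no default mask.

```python
import ipaddress

# Classful ranges by first octet. Classes A-C follow the text; class D
# (multicast) and E (reserved) are added here and carry no default mask.
CLASS_RANGES = (
    (1, 126, "A", 8),
    (128, 191, "B", 16),
    (192, 223, "C", 24),
    (224, 239, "D", None),
    (240, 255, "E", None),
)


def address_class(ip: str) -> tuple:
    """Return (class_letter, default_prefix_length) for a dotted-quad IPv4 address.

    Raises ValueError for 0.x.x.x and the 127.x.x.x loopback range, which lie
    outside every class (the class A range stops at 126 for this reason).
    """
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for low, high, letter, prefix in CLASS_RANGES:
        if low <= first_octet <= high:
            return letter, prefix
    raise ValueError(f"{ip}: first octet {first_octet} is reserved and has no class")


def default_mask(ip: str) -> str:
    """Dotted-decimal default subnet mask, e.g. 255.255.0.0 for a class B address."""
    letter, prefix = address_class(ip)
    if prefix is None:
        raise ValueError(f"{ip}: class {letter} has no default subnet mask")
    # The netmask of a /prefix network has exactly its first `prefix` bits set.
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def classful_network(ip: str) -> str:
    """The classful network in CIDR form, e.g. '12.0.0.10' -> '12.0.0.0/8'.

    strict=False lets ipaddress zero the host bits instead of raising.
    """
    letter, prefix = address_class(ip)
    if prefix is None:
        raise ValueError(f"{ip}: class {letter} has no default subnet mask")
    return str(ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False))


if __name__ == "__main__":
    for sample in ("12.0.0.10", "172.16.5.4", "192.168.1.77", "224.0.0.5"):
        letter, prefix = address_class(sample)
        print(sample, "class", letter, "default prefix", prefix)
```

The sample addresses are constructed; 172.16.5.4 and 192.168.1.77 happen to fall in private ranges, but classful rules look only at the first octet.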

As a security professional and someone taking the Security+ exam, you should be familiar with the different TCP flags because they will help you understand the different types of port scans covered in Chapter 4.

TCP and UDP are considered layer-4 (transport) protocols.

IP is a layer-3 protocol of the OSI model and is responsible for logical addressing and routing.

Although the OSI model is more of a Network+ topic, it is important to remember it for the
Security+ exam because it serves as background that can help you understand networking
technologies such as network devices and access control lists. For example, if you
understand the OSI model and you read an exam question that refers to a firewall
technology that can filter based on layer-3 or layer-4 information, then you know the
technology can filter based on source and destination IP addresses (layer 3) and TCP or
UDP port information (layer 4).

ICMP is the protocol in the TCP/IP protocol suite that is responsible for error and status reporting. Programs such as ping and tracert use ICMP.

To be good at monitoring networks and identifying suspicious traffic, you need to understand each of the protocol headers discussed in this chapter. For the exam, know that ICMP type 8 is used by the echo request message, and ICMP type 0 is used by echo reply.
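The header knowledge called for above (layer-3 addressing, TCP flags, ICMP types 8 and 0) is what a monitoring tool decodes for every packet. The following Python is an added example, not code from the book: it parses the IPv4, TCP and ICMP headers with the standard library and labels each packet. The sample packets are constructed in the block itself (checksum fields left at zero), and the TCP flag names come from RFC 793.

```python
import struct

PROTO_ICMP, PROTO_TCP = 1, 6

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

# ICMP message types named here; anything else is reported as "other".
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}


def parse_ipv4(packet: bytes) -> dict:
    """Decode the layer-3 fields a packet filter cares about and return the payload."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20:
        raise ValueError("not an IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ttl": ttl, "payload": packet[header_len:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Decode the layer-4 fields: ports plus the names of the flags that are set."""
    sport, dport, seq, ack, off_flags, _win = struct.unpack("!HHIIHH", segment[:16])
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def parse_icmp(message: bytes) -> dict:
    icmp_type, code = struct.unpack("!BB", message[:2])
    return {"type": icmp_type, "code": code,
            "name": ICMP_TYPE_NAMES.get(icmp_type, "other")}


def describe(packet: bytes) -> str:
    """One-line summary in the style a monitoring tool would log."""
    ip = parse_ipv4(packet)
    if ip["proto"] == PROTO_ICMP:
        icmp = parse_icmp(ip["payload"])
        return f"ICMP type {icmp['type']} ({icmp['name']}) {ip['src']} -> {ip['dst']}"
    if ip["proto"] == PROTO_TCP:
        tcp = parse_tcp(ip["payload"])
        return (f"TCP {ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} "
                f"[{','.join(tcp['flags'])}]")
    return f"proto {ip['proto']} {ip['src']} -> {ip['dst']}"


# --- constructed sample packets (not captures; checksum fields left at zero) ---
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                         proto, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    # data offset 5 (20-byte header) in the high nibble, flag bits in the low byte
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)


ECHO_REQUEST = build_ipv4(PROTO_ICMP, "10.0.0.5", "10.0.0.1",
                          struct.pack("!BBHHH", 8, 0, 0, 1, 1))   # type 8, code 0
ECHO_REPLY = build_ipv4(PROTO_ICMP, "10.0.0.1", "10.0.0.5",
                        struct.pack("!BBHHH", 0, 0, 0, 1, 1))     # type 0
SYN = build_ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.1", build_tcp(40000, 443, 0x02))
SYN_ACK = build_ipv4(PROTO_TCP, "10.0.0.1", "10.0.0.5", build_tcp(443, 40000, 0x12))

if __name__ == "__main__":
    for pkt in (ECHO_REQUEST, ECHO_REPLY, SYN, SYN_ACK):
        print(describe(pkt))
```

A firewall that "filters on layer 3 and layer 4" is using exactly the fields parse_ipv4 and parse_tcp return: source and destination address, protocol, ports and flags.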
ARP is responsible for converting an IP address (layer-3
address) to the physical MAC address (layer-2 address).

For the exam, remember that HTTP uses TCP port 80, while
HTTPS uses TCP port 443.

POP3 and IMAP4 are the Internet protocols for reading e-mail,
whereas SMTP is the Internet protocol for sending e-mail.

For the exam, remember that FTP is a protocol that uses two
ports. TCP port 21 carries the FTP commands from one system to
another, while TCP port 20 is responsible for transferring the data
between two hosts in an FTP session.

The Network Time Protocol (NTP) is used to synchronize the clocks of PCs on a network or the Internet.

Newer Microsoft networks, such as Active Directory networks, have the PDC (Primary Domain Controller) emulator provide the time to all servers.

LDAP is the industry-standard protocol for accessing a directory service and is supported
by directory services such as Microsoft’s Active Directory. LDAP uses TCP port 389 by
default.

IPv4 uses a 32-bit addressing scheme, while IPv6 is a 128-bit address scheme that uses a hexadecimal address format. For the Security+ exam, you will need to know the basics about the IPv6 address scheme.

For the Security+ exam, you need to know that IPv6 uses a 128-bit address space. You may also be asked to identify the IPv6 loopback address, 0:0:0:0:0:0:0:1 (written ::1 in compressed notation).

For the Security+ exam, remember that MAC flooding is when the hacker confuses the switch into flooding all frames to all ports. This allows the hacker to connect to any port on the switch and be able to receive all traffic on the network.
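The following Python models both the MAC flooding described here and the port security feature described earlier in the chapter. It is an added example, not the book's own material: a toy switch with a small MAC address (CAM) table of four entries learns source addresses per port and forwards by destination address; when the table is full, unknown destinations are flooded like a hub. The optional port_max parameter models port security's per-port limit with a "shutdown" violation action. The MAC addresses, port numbers and table size are all constructed for the scenario.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy layer-2 switch: learns source MACs per port and forwards by destination MAC.

    cam_capacity models the finite MAC address (CAM) table; port_max, when set,
    models port security's limit on MACs learned per port, with the violation
    action "shutdown" (the port is disabled and passes no further frames).
    """

    def __init__(self, ports, cam_capacity=4, port_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.port_max = port_max
        self.cam = {}                      # mac -> port
        self.macs_on_port = defaultdict(set)
        self.shutdown = set()              # ports disabled by a security violation

    def _learn(self, mac, port):
        if mac in self.cam:
            return
        if self.port_max is not None and len(self.macs_on_port[port]) >= self.port_max:
            self.shutdown.add(port)        # port security violation
            return
        if len(self.cam) >= self.cam_capacity:
            return                         # table full: this address is not learned
        self.cam[mac] = port
        self.macs_on_port[port].add(mac)

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame is delivered to."""
        if in_port in self.shutdown:
            return []
        self._learn(src_mac, in_port)
        if in_port in self.shutdown:       # this very frame triggered the violation
            return []
        out_port = self.cam.get(dst_mac)
        if out_port is None:               # unknown or broadcast: flood like a hub
            return [p for p in self.ports if p != in_port and p not in self.shutdown]
        return [out_port] if out_port != in_port else []


MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed hosts


def flood_scenario(port_max=None):
    """Attacker on port 1 sends frames from many bogus source MACs, then host A
    (port 2) and host B (port 3) exchange one frame each. Returns who received what."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=4, port_max=port_max)
    for i in range(10):
        sw.forward(f"02:00:00:00:00:{i:02x}", BROADCAST, 1)
    a_to_b = sw.forward(MAC_A, MAC_B, 2)
    b_to_a = sw.forward(MAC_B, MAC_A, 3)
    return {"attacker_port_shutdown": 1 in sw.shutdown,
            "a_to_b_delivered_to": a_to_b, "b_to_a_delivered_to": b_to_a,
            "attacker_sees_reply": 1 in b_to_a}


if __name__ == "__main__":
    print("no port security:   ", flood_scenario())
    print("port security max 1:", flood_scenario(port_max=1))
```

Without port security the bogus addresses fill the table, A and B can no longer be learned, and both of their frames are flooded to every port, including the attacker's. With a one-address limit the second bogus frame shuts the attacker's port down, the table stays free for A and B, and B's reply reaches only port 2.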

For the Security+ exam, remember the most secure cable type to
use is fiber-optic cabling.
Chapter 2
Introduction to Security Terminology
One of the main goals of information security is to keep
information confidential. You can accomplish this by implementing
encryption of data and communications, and by implementing
access control concepts such as permissions.

Integrity involves ensuring the data that you send is what is received on the other end of the communication. Hashing is a popular technology used to ensure data integrity.

An often-overlooked function of information security is ensuring availability of either data or services. Popular techniques to ensure availability are data backups and high-availability solutions such as RAID (Redundant Array of Independent Disks) and clustering.

The Security+ exam expects you to understand CIA and different methods of implementing confidentiality, integrity, and availability.

For the exam, know that before you can be given access to
resources (authorization), you must first identify yourself to the
system. Your identification information is then verified against an
authentication database to verify that you can gain access to the
system or facility (this is known as authentication).

Differentiating Authentication and Authorization
The Security+ certification exam is sure to test your knowledge on the difference between identification, authentication, and authorization. You will learn more about these concepts as you progress through the chapters, but you should already know the basics at this point. Remember that identification is how you identify yourself to the system, such as providing a username. The verification of that identity is done by the specification of a password, which is the authentication process. Once authenticated, you can then access the system.

After you have been authenticated, the systems administrator can then control what you can access on the system by authorization. An example of authorization is configuring the Modify permission on a folder so that you are authorized to make changes to files in the folder.

For the exam, know that the term collusion means multiple
persons involved in a task get together and take part in fraudulent
activity.
For the exam, be sure to know the difference between separation
of duties and rotation of duties.

The Security+ exam is sure to test your knowledge of some of the different types of vulnerabilities, or sources of vulnerabilities.

For the exam, know the different types of actors that can
potentially be a security risk to your organization.

Security Policies and Standards

Before implementing a security policy within the organization, you need to ensure that you have buy-in from management, or else there will be no enforcement of the policy, which results in no one following the policy.

For the Security+ certification exam, know the different types of policies. For example, be familiar with the difference between a standard, a guideline, and a procedural policy.

The following is a listing of some of the categories of information security you should be
focused on to follow this standard:

Risk Assessment
Security Policies
Security Organization
Asset Protection
Personnel Security
Physical and Environmental Security
Communication and Operation Management
Access Control
System Maintenance
Business Continuity

For the Security+ certification exam, be familiar with what personally identifiable information (PII) is, and be able to identify examples of PII. PII should be protected at all times and kept confidential.

For the Security+ certification exam, and the real world, know that the term security control is used to identify any mechanism that is used to protect an asset within the organization. Examples of security controls are firewalls, antivirus software, and access control lists.

For the Security+ certification exam, be sure to know what the acceptable use policy (AUP) is, and be able to identify the types of actions that would typically violate the acceptable use policy.

INSIDE THE EXAM
Security Clearance and Data Labels
Many people confuse the concepts of data classification labels and
security clearance levels; you need to understand the distinction for the
Security+ certification exam!
The classification labels (such as secret, top secret, or even
unclassified) are assigned to the information, or assets. Once all of the
assets have their classification labels assigned, you can then assign
employees their security clearance levels that determine which assets
they can access. For example, an employee with the security clearance
of top secret can access information with a top secret label assigned to
it.

For the Security+ certification exam, remember that mandatory vacations should be enforced so that fraudulent activities performed by employees can be more easily detected.

Be aware that security policies are designed to reduce the risk of a security incident by defining security best practices that fit your organization. Defining policies that control mandatory vacations, privacy, job rotation, and separation of duties decreases the company’s risk of a security incident occurring.

Types of Attacks

For the Security+ certification exam, know that social engineering attacks involve the hacker trying to trick someone into compromising security through social contact such as a phone call or e-mail message.

For the exam, know that tailgating is when someone tries to slip
through the door behind you after you unlock it. Also know that
mantraps are popular security controls to help protect against
tailgating.
E-mail hoaxes are e-mail messages that users receive giving a false
story and asking the user to take some type of action. For example, the hoax
could say a certain file is causing a serious flaw in the operating system.
The e-mail could tell the reader they should delete the file, but in reality
there is nothing wrong with the file, and it may be needed for information
on important features of the operating system.

Security training and awareness are the only ways to prevent social engineering attacks.

Spoofing is the altering of the source address to make the information look like it came from someone else. IP spoofing and MAC spoofing are popular methods used by hackers to bypass filters placed on firewalls and wireless networks.

INSIDE THE EXAM
Nothing of Value on Your System?
When discussing security with students in the classroom, I normally have discussions about the importance of securing your home network and home computers. I typically get a response from a student saying, “I don’t have anything of value on my system, so if the hacker wants to waste their time with my system—so be it!”
The problem here is that even if you have nothing of value on your system (such as credit card numbers), the hacker can still make changes to your system that lead you to divulge private information. For example, the hacker could modify the hosts file on your system so that when you type the address of your banking site, you are led to the hacker’s fake version of the banking site. When you type your account number and password, the hacker logs the information to a database and the rest is history!
For the Security+ exam, remember that the hacker could lead you to the wrong web site by poisoning the DNS cache or by modifying the hosts file after compromising a system. This is known as pharming!

You should know the different types of password attacks.

For the Security+ certification exam, know that password complexity is the countermeasure to a dictionary attack, while an account lockout policy is a countermeasure to a brute-force attack. An offline password attack is when the hacker copies the user account database from your system to a flash drive and takes it away with them in order to do the password cracking. In this example, the password attack will not be stopped because there is no password policy or account lockout policy at the hacker’s location.
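The following Python is an added example (not from the book) that ties together the identification, authentication and authorization sequence from earlier in this chapter with the two countermeasures named here. A small authentication service enforces a complexity policy when passwords are set and an account lockout policy on failed logins; the online guessing demo shows the lockout refusing further attempts, including the correct password once the account is locked. The policy values (12-character minimum, three character classes, five failures) and the users, permissions and guess list are constructed for the example. Because the lockout counts only online attempts, the hash work factor (PBKDF2 iterations) is the part that still matters when a copy of the account database is cracked offline.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                 # assumed complexity policy: minimum length
LOCKOUT_THRESHOLD = 5           # assumed lockout policy: failures before lockout
PBKDF2_ITERATIONS = 100_000     # work factor that slows offline cracking of a stolen hash


def password_complex_enough(password: str) -> bool:
    """Complexity policy: minimum length and at least three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_LENGTH and present >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Identification (username) -> authentication (password) -> authorization (permissions)."""

    def __init__(self):
        self.users = {}

    def add_user(self, username: str, password: str, permissions: dict) -> None:
        if not password_complex_enough(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failures": 0, "locked": False, "perms": permissions}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'bad-password', 'locked' or 'unknown-user'."""
        user = self.users.get(username)
        if user is None:
            return "unknown-user"          # a production login would not reveal this
        if user["locked"]:
            return "locked"                # even the right password is refused now
        if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked"] = True
            return "locked"
        return "bad-password"

    def authorize(self, username: str, resource: str, action: str) -> bool:
        """Authorization comes after authentication: check the permissions granted."""
        return action in self.users[username]["perms"].get(resource, set())


def online_guessing_demo(guesses) -> list:
    """Feed a list of guesses to the login; the lockout policy stops the attempt."""
    svc = AuthService()
    svc.add_user("alice", "Correct-Horse-7!", {"/reports": {"read", "modify"}})
    return [svc.authenticate("alice", guess) for guess in guesses]


def login_and_access_demo() -> dict:
    """Successful authentication followed by authorization checks on a folder."""
    svc = AuthService()
    svc.add_user("alice", "Correct-Horse-7!", {"/reports": {"read", "modify"}})
    if svc.authenticate("alice", "Correct-Horse-7!") != "ok":
        return {}
    return {"modify": svc.authorize("alice", "/reports", "modify"),
            "delete": svc.authorize("alice", "/reports", "delete")}


if __name__ == "__main__":
    guesses = ["password", "123456", "letmein", "qwerty", "abc123", "Correct-Horse-7!"]
    print(online_guessing_demo(guesses))
    print(login_and_access_demo())
```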

For the exam, know that to protect against an SQL injection attack, the developers of the application must validate the input before processing it.

Remember for the exam that in order to protect against injection attacks, the developers of the application need to validate the input. Network administrators can help secure against application attacks by keeping the systems and applications patched.
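To make the input validation advice concrete, here is an added example (not from the book) in Python with an in-memory SQLite table of constructed rows. The first lookup pastes the username into the SQL text, so a quote in the input turns data into SQL and the classic tautology returns every row; the parameterized lookup passes the same input as data and returns nothing, and the validated lookup additionally rejects it at the input boundary with an allow-list check. The table, rows and the allow-list pattern are this example's assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # DELIBERATELY VULNERABLE: the input is pasted straight into the SQL text,
    # so a quote in the input ends the string literal and the rest becomes SQL.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the input travels as a bound value and is never
    # interpreted as SQL, whatever characters it contains.
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def username_is_valid(username: str) -> bool:
    # Input validation at the boundary: an allow-list of characters and a
    # length cap (assumed policy for this example).
    return re.fullmatch(r"[a-z][a-z0-9_]{0,31}", username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then query with parameters: two independent defences."""
    if not username_is_valid(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, hostile))
    print("parameterized: ", lookup_parameterized(db, hostile))
    print("valid input?   ", username_is_valid(hostile))
```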

System Security Threats

You should know that all documents should be shredded before being disposed of in order to protect from snooping or dumpster diving.

For the exam, know that the logic bomb virus waits for a specific event, such as a certain date to occur, before activating the virus.

You should know that a Trojan virus typically opens a TCP/IP port on the system to act as a back door for the hacker, and that a worm virus is a self-replicating virus.

Spamming is when someone sends unsolicited e-mail messages to a large number of recipients. You can protect your company from spam messages by implementing filters on the e-mail server and by not posting e-mail addresses on the Internet.

INSIDE THE EXAM
Keyloggers as Hardware or Software
Remember for the Security+ exam, and for the real world, that a keylogger can be either software installed on the system by a hacker or a hardware device that the hacker connects to the system between the system and the keyboard.
The software keylogger typically captures keystrokes to a file on the local system, or it can send the data to a file on a remote system. The hardware keylogger typically records the keystrokes to the device so that the hacker can collect the device at a later time.

Because worm viruses are known to replicate from a thumb drive to a system, you should consider disabling the USB ports on systems in the office.

For the exam, know that bluesnarfing is the unauthorized retrieval of data from a Bluetooth device, and bluejacking is the sending of unsolicited messages from one Bluetooth device to another.

Do not confuse war dialing with war driving. War dialing is when
the hacker calls various numbers in hopes of locating a modem
connected to a phone line, while war driving is when the hacker uses
a wireless scanner to locate a wireless network.

Mitigating Security Threats

For the Security+ certification exam, know the concept of system hardening and what is involved in system hardening—it is the process of uninstalling unnecessary software and disabling unneeded services from a system. Hardening also involves patching the system and disabling unused accounts.

INSIDE THE EXAM
Understanding System Hardening
The Security+ certification exam will test your knowledge of the concept of system hardening and system hardening procedures. Remember that system hardening is the removal of unnecessary software and the disabling of unnecessary services on the system. These services could be susceptible to buffer overflow attacks, so the fewer of them that are running, the better!
When hardening the system, be sure to spend some time investigating the services that are running and then determine what each service does. After discovering the purpose of a service, you then need to decide if it is a service you need running or not. Make sure you have a test system so that you can determine the results of disabling the service and ensure it does not negatively impact the system.

For the Security+ exam, remember that part of system hardening is to ensure that unnecessary user accounts are disabled or removed.
It is critical for the security of the system that you keep the system patched. Keeping a system patched will help remove vulnerabilities in software that typically allow hackers into the system.

Remember for the Security+ exam that port security is an important feature of the network switch that allows you to control which systems can connect to a specific port by MAC address.

For the Security+ exam, remember that any unused ports on the switch should be disabled as part of the process of hardening the network.

Remember for the Security+ exam that 802.1X is a common authentication protocol to control who gains access to the physical network resources such as connecting to a switch or wireless access point.

For the exam, remember that continuous monitoring involves constant monitoring of vulnerabilities and misconfiguration, antimalware protection, patch deployment, and monitoring of device configuration and statistics with SNMP.

For the Security+ certification exam, know that applications need to be tested by purposely inputting invalid data into any data entry screens. This type of software testing is known as fuzzing.

For the Security+ exam, remember that secure in-house applications must start with the developer validating input. You are sure to see a question regarding input validation on the Security+ exam!

Implementing System Security

For the Security+ exam, remember that a system connected to an untrusted network such as a hotel network or any wireless network should be protected by a host-based firewall.

INSIDE THE EXAM
Monitoring Encrypted Traffic
For the certification exam, remember that one of the limitations of a network-based IDS is that if you are encrypting network traffic, the NIDS is unable to analyze that traffic against what it considers suspicious because the NIDS cannot decipher the information.
A HIDS is software installed on the system, and as a result, it can monitor activity that involves encrypted communication to or from that system. The system running the HIDS software decrypts the encrypted communication and then logs the activity; the HIDS simply looks at the unencrypted logs on the system in order to identify suspicious activity.

For the Security+ exam, be aware of the mobile device management features listed previously. Be sure to know the purpose of features such as lockout, screen lock, storage segmentation, full device encryption, and remote wiping.

For the Security+ exam, know the different deployment models for mobile devices, such as BYOD, COPE, and CYOD.

When NTFS permissions conflict with shared folder permissions, the most restrictive permissions will win.

For the Security+ exam, remember that data on any type of removable drive or mobile device should be encrypted in order to maintain confidentiality.
For the Security+ exam, be familiar with TPM. Also note that if you are using TPM to encrypt drive contents, you should have a copy of keys so that disk contents can be decrypted if the TPM chip or motherboard fails.

For the Security+ exam, know the different techniques to ensure data confidentiality after a device is no longer needed. In highly secure environments, old drives are physically destroyed to ensure no one can recover the data on the drives.

For the exam, remember that a benefit of virtualization is that you have fewer systems whose physical security you need to worry about. Ensure that you follow physical security best practices with the host system, but it is nice to worry about less hardware!

Securing the Network Infrastructure

For the Security+ exam, know that firewalls are examples of protective controls, as they have rules configured to control what type of traffic can enter the network. This chapter also discusses intrusion detection systems, which in general are considered detective controls (unless it is an active IDS, or IPS—but more on that later!).

A packet-filtering firewall filters traffic based on fields in the header of the packet, such as the source and destination IP address and the source and destination port number.

A stateful packet inspection firewall filters traffic by the layer-3 and layer-4 header (like a packet-filtering firewall, also known as stateless), but in addition can filter traffic by knowing what packets are expected during certain phases of the conversation.
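The difference between the stateless and stateful firewalls just described shows up on the same three packets, so here is an added Python example (not from the book) with both filters side by side. Each policy allows inside hosts to open HTTPS connections outward. The stateless filter, which judges every packet on its own header fields, has to admit any inbound packet with source port 443 so that replies can get back in; the stateful filter instead records connections the inside started and admits inbound packets only when they match one. The internal prefix, addresses, ports and traffic are constructed for the example.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."      # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Packet-filtering firewall: each packet is judged alone by header fields.

    To let HTTPS replies back in it must allow any inbound packet whose source
    port is 443, which also admits unsolicited packets that merely use that port.
    """

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst) and p.dport == 443:
            return True                                  # outbound HTTPS
        if not is_internal(p.src) and is_internal(p.dst) and p.sport == 443:
            return True                                  # looks like a reply, by port only
        return False


class StatefulFilter:
    """Stateful packet inspection: remembers connections the inside started and
    admits inbound packets only when they belong to one of them."""

    def __init__(self):
        self.connections = set()     # (inside ip, inside port, outside ip, outside port)

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst) and p.dport == 443:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.connections.add(key)                # new outbound connection
            return key in self.connections
        if not is_internal(p.src) and is_internal(p.dst):
            return (p.dst, p.dport, p.src, p.sport) in self.connections
        return False


# Constructed traffic: the start of a real HTTPS handshake, then an unsolicited
# packet from a different outside host that uses source port 443 to resemble a reply.
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, syn=True, ack=True),
    Packet("198.51.100.9", 443, "10.0.0.5", 3389, syn=True),
]


def run(firewall) -> list:
    """Decision per packet, in order."""
    return [firewall.allow(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter()))
    print("stateful: ", run(StatefulFilter()))
```

Both filters pass the handshake; only the stateful one rejects the third packet, because no inside host ever opened a connection to 198.51.100.9.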

An application-layer firewall can filter traffic based on the data portion of the packet, known as the payload data. This allows the firewall to control what types of actions, or commands, can be passed through the firewall in the payload of the packet.

For the Security+ certification exam, know the different types of firewall topologies such as dual-homed, screened-host, and screened-subnet.
For the Security+ exam, know the purpose of segmenting your network into different zones is so that you can control communication between the zones. For example, you wouldn’t want a system in the Internet zone or the guest zone to access resources in the intranet zone.

INSIDE THE EXAM
Understanding DMZs
For the Security+ certification exam, know that the DMZ is an area between two firewalls, an external firewall and an internal firewall. The DMZ is an area on the network that you allow selected traffic from the Internet to reach. You normally place DNS servers, web servers, FTP servers, and SMTP servers in the DMZ.
The following ports are opened on the external firewall to allow communication to the appropriate service inside the DMZ:
DNS: UDP port 53
HTTP: TCP port 80
FTP: TCP port 21 (control port) and port 20 (data port)
SMTP: TCP port 25
SSH: TCP port 22

For the Security+ certification exam, know the purpose of a proxy server and that it offers caching and filtering capabilities.

For the Security+ exam, remember that a signature-based system determines suspicious activity based on the signatures in a file that you would need to program or keep up to date. An anomaly-based system determines malicious activity based on the activity being abnormal. Heuristic analysis monitors the activity and knows what is suspicious based on past events.
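The three detection approaches can be run side by side over the same log, so here is an added Python example (not from the book) that does so on a constructed web server access log. The signature detector matches hand-written patterns; the anomaly detector compares each client's request count against a baseline of request counts from earlier, known-good windows; the heuristic encodes a rule learned from past events, here "many 404s from one client followed by a successful request". The log lines, the baseline numbers, the signature patterns and the thresholds are all assumptions of the example.

```python
import re
import statistics
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signature-based: patterns that someone must write and keep up to date.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "known-scanner-ua": re.compile(r"constructed-scanner"),
}

# Constructed access-log lines in combined log format (not a real capture).
SAMPLE_LOG = '''\
10.0.0.8 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /backup HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
10.0.0.8 - - [10/Oct/2023:13:55:42 +0000] "GET /about.html HTTP/1.1" 200 730 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /old HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /test HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /../../config HTTP/1.1" 400 150 "-" "constructed-scanner/1.0"
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:45 +0000] "GET /robots.txt HTTP/1.1" 200 90 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:45 +0000] "GET /sitemap.xml HTTP/1.1" 200 640 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:46 +0000] "GET /contact HTTP/1.1" 200 410 "-" "constructed-scanner/1.0"
10.0.0.8 - - [10/Oct/2023:13:55:47 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# Requests per client seen in earlier, known-good windows (constructed baseline).
BASELINE_REQUESTS_PER_CLIENT = [3, 4, 5, 4, 3, 5, 4, 4]


def parse_log(text: str) -> list:
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def signature_alerts(entries) -> set:
    """Signature-based: alert when the path or user agent matches a known pattern."""
    alerts = set()
    for e in entries:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["path"]) or pattern.search(e["ua"]):
                alerts.add((e["ip"], name))
    return alerts


def anomaly_alerts(entries, baseline=BASELINE_REQUESTS_PER_CLIENT, sigmas=3.0) -> list:
    """Anomaly-based: alert on clients whose request count is far above the baseline."""
    threshold = statistics.mean(baseline) + sigmas * statistics.stdev(baseline)
    counts = Counter(e["ip"] for e in entries)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def heuristic_alerts(entries, max_not_found=3) -> list:
    """Heuristic: a rule distilled from past incidents, 'many 404s then a 200'."""
    not_found = Counter(e["ip"] for e in entries if e["status"] == "404")
    succeeded = {e["ip"] for e in entries if e["status"] == "200"}
    return sorted(ip for ip, n in not_found.items()
                  if n > max_not_found and ip in succeeded)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("signature:", signature_alerts(entries))
    print("anomaly:  ", anomaly_alerts(entries))
    print("heuristic:", heuristic_alerts(entries))
```

Each detector flags the scanning client for a different reason: the signature detector because two patterns matched, the anomaly detector because nine requests in the window is more than three standard deviations above the baseline mean of four, and the heuristic because four 404s preceded a 200.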

For the Security+ certification exam, know that a network-based IDS monitors network traffic to identify suspicious activity. Also note that if the traffic is encrypted, the network-based IDS will be unable to monitor the traffic.

For the Security+ exam, know that the intrusion prevention system can be a host-based intrusion prevention system (HIPS) or a network-based intrusion prevention system (NIPS). The HIPS detects and helps prevent intrusion attempts against a single system, while the NIPS detects and prevents intrusions against the network.

For the Security+ exam, be familiar with the fact that you should
secure areas of your network by segmenting networks into
communication boundaries. You can do that by breaking the
network into multiple networks and using access lists, or you can
create communication boundaries with VLANs on a switch.

For the Security+ exam, remember that NAT is used to hide the
internal IP address scheme by having all systems send traffic out
the NAT device, which replaces the source IP address in the packet
with the public IP address of the NAT device.

For the Security+ exam, be sure to be familiar with network access control (NAC) and be able to identify scenarios where NAC is being used.

Wireless Networking and Security

For the Security+ certification exam, ensure you are familiar with the basics of the IEEE standards for wireless networking such as 802.11a/b/g/n.

Wireless networks today are part of the Wi-Fi standard. The 802.11b, 802.11g, and 802.11n standards are all part of the Wi-Fi standard and are compatible with one another.

To avoid interference on the wireless network from other wireless devices, you have a number of solutions. First, try to purchase items like cordless phones that run on a frequency other than 2.4 GHz. If you are experiencing problems on the wireless network, you could try changing the channel on the wireless equipment and see if a different channel is more reliable. If your cordless phones are running at the 2.4-GHz frequency, you could also look at running your wireless network at the 5.0-GHz frequency if your wireless access point and clients support it.

WEP can use 64-bit or 128-bit encryption keys that are made up
of a 24-bit initialization vector (IV) and then a 40-bit key (for 64-bit
encryption) or a 104-bit key (for 128-bit encryption)

For the exam, remember that WEP uses RC4 and a static key for
encryption, while WPA uses a 128-bit key that is dynamically
generated by TKIP.

For the exam, remember that WPA2 uses CCMP with AES as
the symmetric encryption algorithm for data privacy, while WPA
uses TKIP.

Remember that the SSID should be changed from the default and SSID broadcasting should be disabled. Also note that you can use a tool such as Acrylic WiFi or Kismet to do a wireless survey and get a list of wireless networks that are nearby. Tools like Kismet are able to detect hidden SSIDs because although the access points are not broadcasting, there are still packets in the air that contain the SSID name. If Kismet can collect enough traffic, it can identify hidden, or cloaked, SSIDs.

For the Security+ exam, remember that the wireless access point
(antennas) should be placed in the center of the building, not close
to the outer walls of the building, in order to limit connections from
outsiders.

INSIDE THE EXAM
Securing Wireless Networks
The Security+ certification exam expects you to understand wireless networking and security best practices. Securing wireless networks is critical because an unauthorized individual does not have to physically be in your building to gain access to the network. The unauthorized person could be sitting in a car outside your building or even in the next office building.
The following are the key points to remember when securing a wireless network:
Set a password for the admin account.
Change the SSID.
Disable SSID broadcasting.
Use MAC filtering.
Configure encryption with WPA2.
Place the access point in the center of the building.
Lower the power levels to control how far a wireless signal can travel.
Use a VPN solution for high-security environments.

For the Security+ exam, remember that war driving is driving around with a laptop to locate wireless networks. War chalking is drawing symbols on buildings or sidewalks to note that a wireless network is near.

For the exam, remember that a rogue access point is a huge vulnerability to the network. You should perform regular wireless scans with software such as Acrylic WiFi, Cain & Abel, or Kismet to locate any rogue wireless access points.

For the certification exam, know that WEP, WPA, and WPA2
encryption have been cracked. Understand that WPA2 should be
used because it is considered the most secure of the three, but
because it has also been cracked, you should treat wireless clients as
remote clients and use a VPN solution to secure the communication.

Authentication

For the Security+ exam, be sure to know the different factors of authentication and that biometrics offers the strongest form of authentication.

INSIDE THE EXAM
Multifactor Authentication Schemes
The Security+ certification exam is sure to test your knowledge on multifactor authentication schemes, so be sure that you are comfortable with identifying two-factor authentication and three-factor authentication schemes.
The following are common examples of two-factor authentication schemes:
Physical token and password: This is an example of authenticating with something you have and something you know.
Smartcard and PIN: Again, this is an example of authenticating with something you have and something you know.
Biometrics and password: This example is using an authentication scheme that uses something you are combined with something you know.
The exam will try to trick you by giving you examples that may look like multifactor authentication but are not because the examples use the same authentication scheme. For example, using a retina scan and fingerprint for authentication is still only single-factor authentication because they are both examples of something you are. Another example of single-factor authentication would be a username and password because they are both examples of something you know.

For the Security+ certification exam, be sure to know the different authentication factors and how to identify multifactor authentication such as two-factor authentication or three-factor authentication.

The Security+ exam expects you to know that single sign-on (SSO) allows a user to authenticate to the network once and access multiple systems without needing to provide additional credentials.

The Security+ exam expects you to know the different authentication methods just listed. Be sure to know that the KDC is used in Kerberos as the system that sends tickets to clients who need to access services on the network.

The Security+ certification exam expects you to know the common authentication protocols used in networking environments.

The Security+ exam expects you to know the protocols that offer
authentication, authorization, and accounting (AAA) services to the
network. Remember that RADIUS, DIAMETER, and TACACS+
offer AAA services.

For the exam, remember the difference between identification and authentication. Identification is presenting identifying information such as a username, while authentication is proving you are that person—in this example, by knowing the password.

Other Authentication Protocols


There are a number of other authentication protocols or methods used by
systems and applications to authenticate users to an environment. The
following identify some other authentication technologies you should be
familiar with for the Security+ exam:

LDAP The Lightweight Directory Access Protocol is an Internet


protocol designed for access to a directory service over TCP port 389
and allows LDAP-enabled applications to authenticate to a directory
and then retrieve information about objects stored in the directory.

Secure LDAP Secure LDAP is the LDAP protocol using Secure


Sockets Layer (SSL) over TCP port 636 to encrypt the
communication between the client and LDAP system.

SAML Security Assertion Markup Language is an XML standard


that is designed to allow systems to exchange authentication and
authorization information. This is often used with identity federation
and claims-based authentication.

TOTP Time-based One-Time Password is an algorithm used by


authentication systems that involves passwords being generated
based on the current time.

HOTP HMAC-based One-Time Password (RFC 4226) generates each password by computing a Hash-based Message Authentication Code (HMAC) over a shared secret and a counter that increments with every use; the HMAC output is truncated to a short numeric code. TOTP is HOTP with the counter derived from the clock instead of a use count.

Implicit deny Implicit deny is the security principle that anything not explicitly permitted is denied. A subject that matches no rule granting access is refused, and a packet that matches no permit entry in an access list is dropped. It is the safe default for any access control decision.

Trusted OS A term used to identify a system that implements multiple layers of security, such as authentication and authorization, to determine who can access a system and what they can do.

Federation A term used to describe authenticating and authorizing users across organizational and application boundaries.

Transitive trust The term associated with allowing access based on a trust model. For example, if ComputerA trusts ComputerB, and ComputerB trusts ComputerC, then ComputerA will trust ComputerC in a transitive system via the trust to ComputerB.

OAuth OAuth (currently OAuth 2.0) is an industry-standard authorization protocol that lets a user grant an application limited access to their data held by another service without the application ever seeing the user's password. OAuth issues access tokens; by itself it does not tell the application who the user is.

OpenID Connect OpenID Connect is the authentication layer built on top of the OAuth 2.0 authorization protocol. It adds an ID token, a signed JSON Web Token, that the application verifies to learn who authenticated, through which provider, and when.

Shibboleth Shibboleth is a software implementation that uses SAML tokens and federation services for single sign-on (SSO) applications.

Secure token A secure token is a hardware token that a user uses to gain access to network resources. The secure token could come in the form of a smartcard or key fob.

NTLM NT LAN Manager is a challenge/response authentication protocol found on older Microsoft networks. In Active Directory domains it has been superseded by Kerberos as the default, although NTLM remains available as a fallback (for example, when a client connects by IP address rather than by host name), so it is still worth auditing and restricting where possible.

Access Control

For the exam, remember that authorization is implemented by using access control methods.

Administrative (management) control An administrative control, also known as a management control, is a written policy, procedure, or guideline. You create administrative controls first when designing your security policy because they will dictate the other types of controls that need to be used. Examples of administrative controls are the password policy, hiring policy, employee screening, mandatory vacations, and security awareness training.

Logical (technical) control A logical control, also known as a technical control, is responsible for controlling access to a particular resource. Examples of logical controls are firewalls, encryption, passwords, intrusion detection systems (IDSs), or any other mechanism that controls access to a resource. Another example is group policies, which are technical controls that you use to implement the password policy (administrative control) defined by your organization.
User training is imperative for the administrative team that will be
implementing the logical controls, such as firewalls and IDSs,
because they need to thoroughly understand both the environment in
which the controls will be implemented and the actual technical
controls. The training should cover not only the organization’s
policies, but also how to properly configure each of these devices.

Physical control Physical controls are used to control access to the property, building(s), or campus of the organization. Examples of physical controls are doors, locks, fences, security guards, lockdown cables (cable locks), and video surveillance equipment.

Operational control Operational controls are controls that are part of the day-to-day activities needed to keep operations going. A good example of an operational control is backups.

For the Security+ exam, remember that administrative controls are the security policies being defined, while a logical (technical) control is the implementation of a protection mechanism such as a firewall or antivirus software.
The Security+ certification exam will test your knowledge of
these security principles, so be sure to be familiar with them for the
exam.
For the Security+ certification exam, remember that
discretionary access control (DAC) involves configuring
permissions on a resource.

For the exam, remember that mandatory access control involves employees gaining access to resources based on their clearance level and the data classification label assigned to the resource.
For the Security+ certification exam, you are expected to know
the term trusted operating system, which refers to an OS that has
been evaluated and determined to follow strict security practices
such as mandatory access control. The most widely accepted
international standard for security evaluation is the Common
Criteria for Information Technology Security Evaluation, usually
referred to as Common Criteria.

For the Security+ certification exam, remember that role-based access control involves placing users into containers (known as roles), and those roles are assigned privileges to perform certain tasks. When a user is placed in the role, they inherit any capabilities that the role has been assigned.
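The three models described above (DAC, MAC, and RBAC) each reduce to a short decision function. The following added example is mine, not the book's: the users, roles, privilege names, and classification levels are invented, and the MAC check assumes the Bell-LaPadula rules (no read up, no write down), which the book does not name.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# ---------- DAC: the owner of a resource decides who gets which permissions ----------
@dataclass
class DacResource:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # principal -> permissions

    def grant(self, actor: str, principal: str, perms: Set[str]) -> bool:
        """Only the owner may edit the ACL; that discretion is what makes it DAC.
        Returns False and changes nothing when anyone else tries."""
        if actor != self.owner:
            return False
        self.acl.setdefault(principal, set()).update(perms)
        return True

    def allows(self, principal: str, perm: str) -> bool:
        # Simplification: the owner is treated as having every permission on their own object.
        return principal == self.owner or perm in self.acl.get(principal, set())


# ---------- MAC: a central policy compares clearance with the data's label ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_can_read(clearance: str, label: str) -> bool:
    """Bell-LaPadula simple security property (assumed model): no read up."""
    return LEVELS[clearance] >= LEVELS[label]

def mac_can_write(clearance: str, label: str) -> bool:
    """Bell-LaPadula *-property: no write down, so a secret-cleared user cannot
    copy secret data into a confidential file."""
    return LEVELS[clearance] <= LEVELS[label]


# ---------- RBAC: users are placed in roles; roles carry the privileges ----------
ROLE_PRIVS: Dict[str, Set[str]] = {           # invented roles and privilege names
    "helpdesk": {"reset_password", "view_tickets"},
    "dba": {"backup_db", "restore_db"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"helpdesk"}, "bob": {"helpdesk", "dba"}, "eve": set()}

def assign_role(user: str, role: str) -> None:
    if role not in ROLE_PRIVS:
        raise KeyError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)

def rbac_allows(user: str, priv: str) -> bool:
    """A user inherits every privilege of every role they hold; no role, no access."""
    return any(priv in ROLE_PRIVS[role] for role in USER_ROLES.get(user, set()))
```

Note where the decision lives in each model: in DAC it is the owner's ACL on the object, in MAC it is the fixed comparison between the subject's clearance and the object's label, and in RBAC a user never holds privileges directly, so removing the user from a role revokes everything that role carried.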

For the exam, be sure to know these different types of accounts. Also remember that a shared account used by multiple employees makes it difficult to audit who performs the actions. From an auditing point of view, you want to ensure every employee has their own account.

The Security+ exam expects you to understand proper usage of groups and permissions. Remember that the user is assigned to the group, and the group is assigned the permissions.
For the Security+ exam, remember that a permission is a
person’s level of access to a resource, while a right is their privilege
to perform a specific task.

The Security+ exam does not expect you to know how to configure access lists on a Cisco router, but for the exam, remember that most access control lists have an implicit deny. This means that unless an entry in the list allows access, access is denied.
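The following added example (not from the book, and not Cisco syntax) models how a first-match access list with an implicit deny is evaluated, which is the behaviour both the implicit deny entry earlier in this chapter and the note above describe. The simplified entry format, permit|deny proto src/len dst/len [dport], and the sample entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp", "icmp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None         # None means any destination port

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def parse_entry(line: str) -> AclEntry:
    """Parse the simplified form used here: 'permit|deny proto src/len dst/len [dport]'."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad entry: {line!r}")
    action, proto, src, dst = parts[:4]
    dport = int(parts[4]) if len(parts) == 5 else None
    return AclEntry(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching entry wins. A packet that matches no entry hits the
    implicit deny that sits, unwritten, at the end of every list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, entry in enumerate(acl):
        if entry.matches(proto, s, d, dport):
            return entry.action, f"entry {index}"
    return "deny", "implicit deny"


# Constructed sample list: a web server, a blocked subnet, and a DNS server.
SAMPLE_ACL = [parse_entry(line) for line in """
permit tcp 10.0.0.0/8    192.168.1.10/32 443
deny   ip  10.0.5.0/24   192.168.1.0/24
permit udp 10.0.0.0/8    192.168.1.53/32 53
""".splitlines() if line.strip()]


if __name__ == "__main__":
    for pkt in [("tcp", "10.1.2.3", "192.168.1.10", 443),
                ("tcp", "10.1.2.3", "192.168.1.10", 22),
                ("tcp", "10.0.5.7", "192.168.1.10", 443),
                ("icmp", "10.9.9.9", "192.168.1.53", None)]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```

Two practical points fall out of the sample list. Order matters: a host in 10.0.5.0/24 still reaches the web server on 443 because entry 0 matches before the deny in entry 1 is consulted, so the deny must be moved above the permit to actually block that subnet. And because everything unmatched is dropped, a list that omits a permit for management traffic or for return traffic will lock out exactly the access you forgot to write down.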
