Higher Salaries
IT professionals with certifications on their resume command better jobs, earn higher salaries, and have
more doors open to new multi-industry opportunities.
Verified Strengths
91% of hiring managers indicate CompTIA certifications are valuable in validating IT expertise, making
certification the best way to demonstrate your competency and knowledge to employers. (Source:
CompTIA Employer Perceptions of IT Training and Certification.)
Universal Skills
CompTIA certifications are vendor neutral—which means that certified professionals can proficiently
work with an extensive variety of hardware and software found in most organizations.
Learn More: Certification.CompTIA.org/securityplus
CompTIA Disclaimer
© 2016 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights
reserved. All certification programs and education related to such programs are operated exclusively by
CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the
U.S. and internationally. Other brands and company names mentioned herein may be trademarks or
service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or
dissemination of this courseware sheet is prohibited without written consent of CompTIA Properties,
LLC. Printed in the U.S. 02544-Mar2016.
The logo of the CompTIA Approved Quality Curriculum Program and the status of this or other
training material as “Approved” under the CompTIA Approved Curriculum Program signifies that, in
CompTIA’s opinion, such training material covers the content of CompTIA’s related certification exam.
CompTIA has not reviewed or approved the accuracy of the contents of this training material and
specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA
makes no guarantee concerning the success of persons using any such “Approved” or other training
material in order to prepare for any CompTIA certification exam.
Contents at a Glance
I Mission Assurance
1 Organizational Security and Compliance
IV Network Security
8 Securing Networks
14 Vulnerability Assessments
VII Appendixes
A Career Flight Path
B About the Download
Index
Contents
Acknowledgments
Check-In
I Mission Assurance
1 Organizational Security and Compliance
Objective 1.01 Explain Risk Management Processes and Concepts
Risk Control Types
Administrative
Technical
Physical
Risk Assessment
Asset Identification
Risk Analysis
Risk Likelihood and Impact
Solutions and Countermeasures
Risk Register
Risk Management Options
False Positives and Negatives
Using Organizational Policies to Reduce Risk
Security Policies
Network Security Policies
Human Resources Policies
Objective 1.02 Implement Appropriate Risk Mitigation Strategies
Change Management Policy
Incident Management and Response Policy
Perform Routine Audits
Develop Standard Operating Procedures
User Rights and Permissions Reviews
Data Loss Prevention and Regulatory Compliance
Objective 1.03 Integrate with Third Parties
Interoperability Agreements
Service Level Agreements
Business Partnership Agreements
Memorandums of Agreement/Understanding
Interconnection Security Agreement
Privacy Considerations
Risk Awareness
Unauthorized Data Sharing
Data Ownerships
Data Backup
Verification of Adherence
CHECKPOINT
REVIEW QUESTIONS
REVIEW ANSWERS
IV Network Security
8 Securing Networks
Objective 8.01 Implement Security Functionality on Network Devices and Other Technologies
Firewalls
Routers
Switches
Load Balancers
Proxy Servers
All-in-One Security Appliances
Data Loss Prevention
Malware Inspection
Anti-spam Filter
Content Filtering
URL Filtering
Security Information and Event Management
Web Security Gateway
Intrusion Detection and Prevention
Active Detection
Passive Detection
Monitoring Methodologies
Application-Aware Devices
Protocol Analyzers
Objective 8.02 Explain Network Design Elements and Compounds
Security Zones
DMZ
Intranet
Extranet
Network Security Techniques
NAC
NAT
Internal Network Addressing
Subnetting
VLAN
Remote Access
Modems
VPN
Telephony
VoIP
Media Gateway
Virtualization
Cloud Computing
Everything as a Service
Cloud Deployment
CHECKPOINT
REVIEW QUESTIONS
REVIEW ANSWERS
9 Secure Network Administration
Objective 9.01 Implement and Use Common Protocols
TCP/IP
IPv4
IPv6
ICMP
HTTP and HTTPS
Telnet
SSH
FTP
TFTP
FTPS and SFTP
SCP
DNS
SNMP
IPSec
NetBIOS
iSCSI
Fibre Channel
RTP
Objective 9.02 Identify Commonly Used Default Network Ports
TCP/IP Network Ports
Objective 9.03 Analyze and Differentiate Among Types of Network Attacks
Denial of Service
Distributed Denial of Service
Ping Attack
SYN Flood
DNS Amplification
Flood Protection
Back Door
NULL Sessions
Spoofing
Smurf Attack
TCP/IP Hijacking
Man-in-the-Middle
Replay
Xmas Attack
DNS Poisoning
ARP Poisoning
Domain Kiting
Typosquatting
Client-side Attacks
Watering Hole Attack
Zero-Day Attack
Malicious Insider Threats
Objective 9.04 Apply and Implement Secure Network Administration Principles
Networking Device Configuration
Firewall Administration
Router Administration
ACL Rules
Network Separation
Unified Threat Management
Network Device Threats and Risks
Weak Passwords
Default Accounts
Transitive Access and Privilege Escalation
Network Loops
Network Device Hardening
Secure Remote Access
Device Placement
Disable Unused Services
Employ DDoS Mitigation
Firmware/OS Updates
Log Files
CHECKPOINT
REVIEW QUESTIONS
REVIEW ANSWERS
14 Vulnerability Assessments
Objective 14.01 Implement Assessment Tools and Techniques to Discover Security Threats and Vulnerabilities
Vulnerability Assessment Tools
Banner Grabbing
Network Mappers
Port Scanners
Vulnerability Scanners
Protocol Analyzers
Password Crackers
Honeypots and Honeynets
Other Command-Line Tools
OVAL
Application Code Assessments
Objective 14.02 Implement Penetration Tests When Appropriate
White, Black, and Gray Box Testing
White Box Testing
Black Box Testing
Gray Box Testing
CHECKPOINT
REVIEW QUESTIONS
REVIEW ANSWERS
VII Appendixes
A Career Flight Path
CompTIA Security+ Exam Format
CompTIA Security+ and Beyond
Getting the Latest Information on the CompTIA Security+ Exam
Exam Tip
Points out critical topics you’re likely to see on the actual exam.
Local Lingo
Describes special terms, in detail and in a way you can easily understand.
Travel Advisory
Warns you of common pitfalls, misconceptions, and downright physical peril!
Travel Assistance
Directs you to additional sources, such as books and websites, to give you more information.
The end of the chapter gives you two handy tools. The Checkpoint reviews each objective covered in
the chapter with a handy synopsis—a great way to review quickly. The end-of-chapter Review
Questions test your newly acquired skills.
But the fun doesn’t stop there! After you’ve read the book, take advantage of the free practice exams!
Use the full practice exams to hone your skills, and keep the book handy to check answers. Appendix B
explains how to access the electronic content.
When you reach the point that you’re acing the practice questions, you’re ready to take the exam. Go
get certified!
Mike Meyers
Series Editor
Mike Meyers’ Certification Passport
Mission Assurance
Chapter 1 Organizational Security and Compliance
Chapter 2 Security Training and Incident Response
Chapter 3 Business Continuity and Disaster Recovery
Organizational Security and Compliance
ITINERARY
As part of an overall company strategy, security should be officially recognized as a critical business
objective just like any other important business objective. In the past, the IT department had to define
security and access controls for the company network and data. In today’s Internet world, corporate
management adapts the legalities of the business world to computer networks by ensuring that
electronic transfer of information is secure to protect both the company and its customers.
Organizations attempt to classify risk for various reasons. In order to provide a point of reference to
base decisions on, risk is classified by the effect it has on the organization. The organization may
classify risk, and its contributing factors, using qualitative or quantitative means, and then determine
how much risk it is willing to accept.
Risk can be classified as internal or external risk. Internal risk comes from elements within the
organization’s control, such as organization structure, resources (personnel, time, money, equipment,
and so on), and business goals and strategy. These elements are shifted by the organization at its own
discretion, often in reaction to external factors. External risk, on the other hand, is usually the type of
risk that the organization has limited control over. Examples of external risk factors include the stock
market, government regulation, currency valuation, international and world events, and natural
disasters. Although the organization can’t control these factors, it must plan for them and develop
strategies to mitigate risk.
To protect their assets, employees, and customers from security risks, organizations must analyze
their security practices to identify the threats to their operations and protect themselves in the most cost-
efficient way. Risks to your organization must be assessed based on their probability and impact (both
quantitative and qualitative), and then security measures or metrics should be implemented based on
this risk analysis.
To ensure security across the organization, and to assure customers that the company can be trusted,
overall security policies must be implemented to include several component policies and procedures
that govern how the organization uses computer networks, protects and distributes data, and offers
services to customers. Each component of the security policy defines specific security best practices for
a topic, such as a password policy. These policies and procedures include rules on company Internet
use, customer data privacy, company structure, and human resources hiring and termination practices.
Many companies, such as those in the financial and healthcare sector, are now required to comply with
government regulations for the protection and privacy of customer data respective to their industry.
Organizations must be diligent in crafting their policies to adhere to these regulations, and they must
employ risk mitigation techniques to avoid violating these strict standards.
For a company’s security policies to be effective, they must be communicated properly to the
employees to ensure company-wide knowledge and compliance. Rules won’t be followed if nobody
knows they exist. Many companies make use of consultants to create and draft security policies and
procedures, but these policies often aren’t communicated to the user community and aren’t used.
Employees need to be aware of security issues and procedures to protect not only themselves, but also
the company’s services and data.
This chapter describes general risk assessment and mitigation strategies, as well as organizational
policies that should be in place to protect an organization, its networks and data, its employees, and its
customers.
Objective 1.01 Explain Risk Management Processes and Concepts
CompTIA Security+ Objective 5.3
Risk control types Risk control types can be separated into three logical divisions:
administrative, technical, and physical. Each risk control type is a separate but cooperative layer in
your overall risk management strategy.
Risk assessment Use risk assessments to understand your current risks, their probability and
impact, and the solutions to prevent them.
Risk management options You have several options based on the nature and probability of the
risk and the cost of the solution: avoidance, transference, acceptance, and mitigation.
Using organizational policies to reduce risk Your organizational security is critical for ensuring
that your company’s risk management plan is properly detailed, communicated, and adhered to by
your employees in all its activities through policies.
Risk register A living document used to track different types of data elements, most commonly
risk factors and risk scenarios.
False positives and negatives Legitimate actions that are perceived as a risk or threat, or security
issues that have passed your security controls as a legitimate action.
Administrative
Risk management is an ongoing high-level function within your organization. It begins with risk
assessment and analysis to identify the risk of security breaches against company assets, assess the
probability of a risk and estimate its impact, and define the steps to reduce the level of that risk. The
solutions to these risks must be properly analyzed and budgeted to ensure that the probability and
impact of the risks are properly factored into a cost-effective solution. Many risk management best
practices include controls encompassing administrative, technical, and physical aspects of the
organization, including implementation of an overall risk management framework and efforts to
improve documentation.
Technical
Technical risk control describes the actual technical measures used to prevent security risks in your
organization, which include deep-level network and system security (firewalls, antivirus scanning,
content filters, and other network security devices) and improvements in secure coding practices. These
controls perform the bulk of the risk mitigation and deterrence defined in your organizational risk
analysis.
Physical
Finally, physical risk controls must be created and implemented throughout your company. Best
practices include physical access controls (perimeter fencing, security passes, and surveillance) and
environmental controls (fire suppression and temperature controls), as well as operational
considerations. Physical controls often include operational controls, which are concerned with how you
conduct your daily organizational business so as to minimize the security risk to your organization and its
business activities. These could include company-wide policies that are created, distributed, and used
to educate your employees on how to conduct their day-to-day activities while remaining vigilant about
organizational security, and improvement initiatives that make organizational processes more efficient and
effective. Managing risk operationally also includes user education and vigilant monitoring and testing to
make sure your plans are being adhered to across the organization and that its activities are constantly
analyzed to protect against new threats.
As noted previously, controls serve different functions in an organization and are generally either
compensating, corrective, detective, deterrent, directive, or preventative in nature. Compensating
controls compensate for weaknesses or inherent flaws within other controls or a lack of controls, such as
regularly scheduled third-party review of logs based on an inability to enable proper separation of duties
across system administrators. Corrective controls correct back to a trusted or “known-good” state; an
example is regularly tested backups limiting the time a critical database is offline. Detective controls
detect and characterize events or irregularities as or after they occur, such as internal or external audits
conducted on a no-notice basis. Deterrent controls deter and discourage an event from taking place (for
example, roaming security guards and cameras placed around the facilities that are continuously
monitored by personnel). Directive controls give official direction for how security measures will be
conducted within the organization; an example is an organizational policy requiring two people to
unlock and open sensitive facilities, such as those containing classified materials. Finally, preventative
controls are implemented to prevent negative events from ever occurring, such as locks that prevent
portable systems from being removed from their desktops.
Exam Tip
Administrative risk controls are the high-level risk management, assessment, and mitigations plans
that define your overall organization security. Technical risk controls are those technical measures
deployed to mitigate security risks. Physical risk controls deal with your day-to-day physical security
and the security of your organizational business activities. Understand that the controls are not
applied for one group at a time only; in fact, most of the time, a combination of controls is used. For
example, an administrative control might be a password policy, the technical control might be the
enforcement of the use of complex passwords on the system through technical means, and the
physical part might be guards walking through your building making sure written passwords are not
left on desks unsupervised.
Risk Assessment
Risk assessment and mitigation deal with identifying, assessing, and reducing the risk of security
breaches against company assets. By assessing the probability of a risk and estimating the amount of
damage that could be caused as a result, you can take steps to reduce the level of that risk.
Suppose, for example, that your company file server contains confidential company data. The file
server asset is considered extremely valuable to the company, its clients, and its competitors. In this
case, a considerable amount of financial damage may be incurred by the company in the event of server
loss, damage, or intrusion. The risks and threats posed to the server could be physical (such as damage
caused by a natural disaster or a hardware malfunction) or nonphysical (such as viruses, network hacker
attacks, and data theft if the server is easily accessible through a network). The costs of reducing
these risks are offset by the potential cost of losing the data on the file server.
To help reduce these risks, you can take several actions:
Use multiple hard drives and power supplies for fault tolerance.
Implement a good backup scheme.
Protect the server through physical security, such as door access controls.
Install antivirus software.
Disable unused network services and ports to prevent network attacks.
To identify the risks that pose a security threat to your company, you can perform a risk analysis on
all parts of the company’s resources and activities. By identifying risks and the amount of damage that
could be caused by exploiting a system vulnerability, you can choose the most efficient methods for
securing the system from those risks. Risk analysis and assessment can identify where too little or even
too much security exists and where the cost of security is more than the cost of the loss due to
compromise. Ultimately, risk analysis and assessment are both a cost/benefit analysis of your security
infrastructure.
Risk analysis and assessment involve four main phases:
Asset identification Identify and quantify the company’s assets.
Risk analysis Identify and assess the possible security vulnerabilities and threats.
Risk likelihood and impact Rate your various risks according to how likely they are to occur
and their impact.
Cost of solutions Identify a cost-effective solution to protect assets.
Asset Identification
Company assets can include physical items, such as computer and networking equipment, and
nonphysical items, such as valuable data. Asset identification involves identifying both types of assets
and evaluating their worth. Asset values must be established beyond the mere capital costs; a true asset
valuation should consider a number of factors. For example, a consideration should be the cost to repair
the asset versus simply replacing the asset outright. Often, repairing the asset may be less expensive in
the short run, but the cost of the different components required to conduct a repair should be considered.
Also, it’s important to remember that this might only be a temporary solution—one that could come
back to haunt you (and your pockets) in the long run.
Another consideration is the depreciation value of the asset over time. This might reduce the amount
of capital available to make a repair-or-replace decision. It is important to consider the amount of
revenue that is generated by the asset, which might also shape your decision. Think about it this way: if
it costs $10,000 to replace an asset, and that asset generates $2000 worth of revenue daily based on its
function, the loss of that asset ($10,000) has to be considered along with the loss of its revenue ($2000
daily), and that contributes to the total asset valuation and quite quickly begins adding up.
A harder-to-quantify aspect is the value that the asset might be to a competitor. For example, a list of
a company’s clients can be easily re-created from backup if the original is lost or destroyed, but if the
list finds its way into the hands of a competitor, the resulting financial damage could be devastating.
Finally, you should consider the exposure factor, or the percentage of the asset that could be lost
during an event. In many cases, negative events do not render the asset completely unusable. For
example, a server could experience degradation in its ability to effectively host a web application, but
not be completely offline and unavailable. This is important to understand, because calculating the
exposure factor allows you to better determine how much loss your organization can bear during an
event, which in turn allows for you to better understand how much money, time, or other supporting
resources should be devoted to repairing or replacing an asset. Generally, exposure factors are expressed
in decimal format and relate to the percentage loss associated with the exposure. For example, a 50
percent loss would be 0.5, with a total loss being expressed as 1. As you can see, understanding the
asset value is much more complicated than the list price of the asset itself, and ultimately the value and
the criticality of the assets you’re trying to protect drive the costs involved in securing that asset.
Exam Tip
The single loss expectancy (SLE) is calculated by multiplying the asset value (AV) and the exposure
factor (EF).
Risk Analysis
Risk analysis deals with identifying, assessing, and reducing the risk of security breaches against
company assets. By assessing the probability of a risk and estimating the amount of damage that could
be caused as a result, you can take steps to reduce the level of that risk. To identify the risks that pose a
security threat to your company, you can perform a risk analysis on all parts of the company’s resources
and activities. There are two generally accepted ways to perform a risk analysis: qualitative and
quantitative.
Quantitative risk analysis is a strict dollar-amount calculation of the exact cost of the loss of a specific
company asset because of a disaster. This is a straightforward method that can be applied for simple
situations. For example, if a hard drive in a RAID (redundant array of inexpensive disks) system fails, it
is simply replaced with a new hard drive. There is no loss of data because the information is rebuilt
from the rest of the array.
Qualitative risk analysis must consider tangible factors as well as several intangible ones in determining
costs. Consider a denial-of-service network attack on your company’s web store server that causes four
hours of downtime and corrupted data on a back-end transactional database. You are not only faced with
the monetary loss from your website being down and customers not being able to order products for
many hours, but also the time it takes to perform countermeasures against the attack, get your web
server back into operation, recover any lost data from your database, and consider data that cannot be
recovered. The costs in this scenario include the manpower hours in recovering from the attack, the loss
of orders from the web store during the downtime, monetary loss from corrupted data that cannot be
restored, and even potential loss of future business from disgruntled customers.
Exam Tip
Quantitative risk analysis is a dollar-amount calculation of the exact cost of a loss due to disaster.
Qualitative risk analysis includes intangible factors, such as loss of potential business, in determining
costs.
Risks arising from virtualization technology and cloud computing are often left out of a risk analysis.
Using virtualization technology, a computer can host multiple instances of an operating
system environment, all running from the same computer on the same hardware. The consolidation of
many different types of services on the same hardware creates a security risk because if that system is
compromised or fails, it will take down every virtualized server that runs on it.
Travel Assistance
Considering risk and incorporating risk analysis are covered in more depth in Chapter 3.
The risk of a single point of failure for cloud computing is very similar. Cloud computing aggregates
services in a virtual environment where all aspects of the cloud—from the platform, to the software, to
the entire infrastructure—are based on a distributed web service. If the cloud service fails, you may lose
all access to your services and data until the cloud service is restored.
Travel Assistance
See Chapter 8 for more detailed information on virtualization and cloud computing.
Overall, your risk assessment must be wide in scope to use both quantitative and qualitative analysis
to determine your risk factors from all aspects of your company’s operations.
Exam Tip
The annual loss expectancy (ALE) is calculated by multiplying the annual rate of occurrence (ARO)
and the single loss expectancy (SLE).
Exam Tip
The cost of the risk management solution shouldn’t exceed the value of the asset if it’s lost. For
example, if a file server and its data are valued at $35,000 and the proposed security solution to
protect it costs $150,000, then it doesn’t make sense to implement the proposed solution.
Risk Register
A risk register is a living document used to track different types of data elements, most commonly risk
factors and risk scenarios. It might also include data that describes different technical or management
findings contributing to the risk. Additionally, threats, vulnerabilities, assets, likelihood, and impact data
can be included in the risk register. For example, a risk register might include the following items:
Risk factors
Threat agents, threats, and vulnerabilities
Risk scenarios
Criticality, severity, or priority of risk
Asset information
Impact of the risk on an asset
Likelihood of the threat exercising the vulnerability
Status of risk response actions
Resources that may be committed to respond to risk
Risk ownership information
Planned milestones toward the risk response
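The exposure factor, SLE, ALE, and the cost-of-solution rule from the Exam Tips above all come together in a risk register. The following is an added example, not code from the book: a small Python risk register whose rows carry the items listed above, compute SLE = AV × EF and ALE = ARO × SLE, and evaluate a proposed countermeasure. The rejection of any solution that costs more than the asset is the book's rule; the further comparison of the ALE a control removes against its own annual cost is the standard extension of the same cost/benefit reasoning and goes slightly beyond the text. All asset values, rates and control names are constructed, except the $35,000 file server versus $150,000 solution, which is the book's own figure.

```python
from dataclasses import dataclass, replace


@dataclass
class RiskEntry:
    """One row of a risk register; the fields mirror the items listed above."""
    scenario: str
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of the asset lost per event (0.5 = 50%, 1.0 = total loss)
    aro: float              # ARO: expected number of events per year
    owner: str
    status: str = "open"

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


@dataclass
class Countermeasure:
    """A proposed control and the EF/ARO expected once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def evaluate(risk: RiskEntry, control: Countermeasure) -> dict:
    """Cost/benefit of applying one control to one register entry.

    First test (the Exam Tip rule): a solution that costs more than the asset is
    worth is rejected outright.  Second test (standard ALE comparison): a control
    pays for itself only if the annual loss it removes exceeds its own annual cost.
    """
    after = replace(risk, exposure_factor=control.residual_ef, aro=control.residual_aro)
    ale_reduction = risk.ale() - after.ale()
    net_benefit = ale_reduction - control.annual_cost
    if control.annual_cost > risk.asset_value:
        decision = "reject: control costs more than the asset is worth"
    elif net_benefit > 0:
        decision = "mitigate"
    else:
        decision = "accept or transfer: control costs more than the loss it prevents"
    return {
        "scenario": risk.scenario,
        "sle_before": risk.sle(),
        "ale_before": risk.ale(),
        "ale_after": after.ale(),
        "net_benefit": net_benefit,
        "decision": decision,
    }


def prioritize(register: list) -> list:
    """Order register entries by ALE, highest first, so the costliest risks are handled first."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


# Constructed sample register (illustrative values; only the $35,000 asset versus
# $150,000 solution comes from the Exam Tip above).
FILE_SERVER = RiskEntry("file server destroyed", "file server", "fire", "single site, no offsite copy",
                        35_000, 1.0, 0.1, "IT manager")
WEB_STORE = RiskEntry("web store DoS outage", "web store", "DoS attack", "no flood protection",
                      80_000, 0.25, 2.0, "e-commerce lead")
LAPTOP = RiskEntry("laptop stolen", "sales laptop", "theft", "unsecured desk",
                   2_000, 1.0, 0.5, "sales manager")
REGISTER = [FILE_SERVER, WEB_STORE, LAPTOP]

# Constructed controls keyed by scenario (names and costs are assumptions).
CONTROLS = {
    "file server destroyed": Countermeasure("hardened second data centre", 150_000, 0.1, 0.1),
    "web store DoS outage": Countermeasure("upstream DDoS scrubbing service", 12_000, 0.05, 2.0),
    "laptop stolen": Countermeasure("guarded desk area", 1_500, 1.0, 0.1),
}


if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        result = evaluate(risk, CONTROLS[risk.scenario])
        print(f"{result['scenario']:<24} SLE=${result['sle_before']:>9,.0f} "
              f"ALE=${result['ale_before']:>9,.0f} -> {result['decision']}")
```

Run as a script, the three rows land on the three different outcomes: the web store control is adopted because it removes far more annual loss than it costs, the file server proposal is rejected under the book's rule, and the laptop control is not worth buying even though it is cheaper than the laptop, because the loss it prevents is smaller still.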
Exam Tip
A false positive is a legitimate action that is perceived as a risk or threat. A false negative is a security
issue that has passed your security controls as a legitimate action. Although neither is particularly
desirable, the false negative is a much worse scenario because it could allow unauthorized access to
systems or data.
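To make the false positive / false negative distinction concrete, here is an added example (not from the book) that scores a simple logon-alert rule against a constructed, hand-labelled set of logon events. The corporate address range, the rules, and every event are assumptions made up for the illustration; the ground-truth label is used only to score the rule, never by the rule itself.

```python
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range

# Constructed sample of logon events: (source_ip, user, hour_of_day, outcome, truth).
# "truth" is the analyst's label used to score the rule; a real rule never sees it.
EVENTS = [
    ("10.0.1.15", "alice", 9, "success", "benign"),
    ("10.0.1.15", "alice", 22, "success", "benign"),     # admin working late
    ("203.0.113.7", "bob", 3, "failure", "malicious"),
    ("203.0.113.7", "bob", 3, "failure", "malicious"),
    ("203.0.113.7", "bob", 3, "success", "malicious"),   # external guessing eventually succeeds
    ("10.0.2.40", "carol", 14, "success", "malicious"),  # stolen credentials used internally, in hours
    ("10.0.1.99", "dave", 8, "failure", "benign"),       # mistyped password
]


def broad_rule(event) -> bool:
    """Alert on logons from outside the corporate range or outside 07:00-19:00."""
    ip, _user, hour, _outcome, _truth = event
    return ipaddress.ip_address(ip) not in INTERNAL or hour < 7 or hour > 19


def narrow_rule(event) -> bool:
    """Alert only on logons from outside the corporate range."""
    ip, *_ = event
    return ipaddress.ip_address(ip) not in INTERNAL


def _rate(numerator: int, denominator: int) -> float:
    return numerator / denominator if denominator else 0.0


def score(events, rule) -> dict:
    """Count TP/FP/FN/TN for a rule over labelled events and derive the two error rates."""
    counts = Counter({"TP": 0, "FP": 0, "FN": 0, "TN": 0})
    for event in events:
        flagged = rule(event)
        malicious = event[4] == "malicious"
        if flagged and malicious:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1      # legitimate action perceived as a threat
        elif malicious:
            counts["FN"] += 1      # real threat that passed the control as legitimate
        else:
            counts["TN"] += 1
    result = dict(counts)
    result["false_positive_rate"] = _rate(counts["FP"], counts["FP"] + counts["TN"])
    result["false_negative_rate"] = _rate(counts["FN"], counts["FN"] + counts["TP"])
    return result


if __name__ == "__main__":
    for name, rule in (("broad", broad_rule), ("narrow", narrow_rule)):
        print(name, score(EVENTS, rule))
```

Narrowing the rule removes the false positive (alice's late-night logon) but leaves the false negative untouched: carol's misuse of valid credentials from an internal address during business hours is invisible to either rule, which is exactly why the false negative is the worse outcome and why it calls for a different control rather than more tuning of this one.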
Security Policies
The following policies concern general organizational security, including physical access, access control
to data, and security through proper organizational structures and data security principles.
Physical Access Security Policy As part of your organization’s overall access control policy, you
must have a strong physical access policy and ensure that all employees are educated on its use.
Depending on the security level of the company, physical security may include guarded or unguarded
entrances. Even on guarded premises, the use of security access cards makes sure that only identified
and authenticated employees can enter a facility. Security access cards are coded with the authorization
level of the user, who will be able to access only areas of the facility that are required by his job
function. For example, only network and systems administrators would be able to access a server and
network communications room with their access card.
Employees must be trained to always close automatically locking doors behind them and not allow
other unidentified people to follow them through. Most security access cards have photographs on them
to further identify users in the event they are challenged for their identity. Employees must be
encouraged to report suspicious individuals within the premises who are unfamiliar and do not have
proper identification.
A published organizational security policy for physical access allows your employees to have proper
knowledge of security procedures and be equally active in the responsibility for physical security.
Access Control Policies The following access control policies help provide a consistent organizational
structure and procedures to prevent internal fraud and corruption in your organization:
Least privilege The least privilege principle grants users only the access rights they need to
perform their job functions. This requires giving users the least amount of access possible to
prevent them from abusing more powerful access rights.
Separation of duties The separation of duties ensures that one single individual isn’t tasked with
high-security and high-risk responsibilities. Certain critical responsibilities are separated between
several users to prevent corruption.
Job rotation Job rotation provides improved security because no employee retains the same
amount of access control for a position indefinitely. This prevents internal corruption from
employees who take advantage of their long-term position and security access.
Mandatory vacations Mandatory vacation policies require employees to use their vacations at
specific times of the year or use all their vacation days allotted for a single year. This policy helps
detect security issues with employees, such as fraud or other internal hacking activities, because the
anomalies might surface while the user is away.
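The four access control policies above are easiest to enforce when they are checked mechanically against the access a person actually holds. The following is an added example, not the book's code: a Python policy review that flags separation-of-duties conflicts, direct permission grants that no role justifies (a least-privilege smell), time in the same role beyond a rotation threshold, and time since last leave beyond a mandatory-vacation threshold. The role model, the conflicting pairs, the 365-day thresholds, the review date, and the three users are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed role model (constructed for this example).
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_invoice"},
    "ap_approver": {"approve_payment"},
    "sysadmin": {"admin_shell"},
    "auditor": {"review_admin_logs"},
}

# Separation of duties: permission pairs that must never rest with one person.
CONFLICTING_PAIRS = [
    ("create_invoice", "approve_payment"),   # one person could pay their own invoices
    ("admin_shell", "review_admin_logs"),    # an administrator auditing their own actions
]

MAX_DAYS_IN_ROLE = 365        # job rotation threshold (assumed policy value)
MAX_DAYS_WITHOUT_LEAVE = 365  # mandatory vacation threshold (assumed policy value)


@dataclass
class User:
    name: str
    roles: set
    direct_grants: set   # permissions granted outside any role
    in_role_since: date
    last_vacation: date

    def effective_permissions(self) -> set:
        perms = set(self.direct_grants)
        for role in self.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms


def review_user(user: User, today: date) -> list:
    """Return policy findings for one user; an empty list means the user is compliant."""
    findings = []
    perms = user.effective_permissions()
    for a, b in CONFLICTING_PAIRS:
        if a in perms and b in perms:
            findings.append(f"separation-of-duties: holds both {a} and {b}")
    role_perms = set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))
    for perm in sorted(user.direct_grants - role_perms):
        findings.append(f"least-privilege: direct grant {perm} not justified by any role")
    days_in_role = (today - user.in_role_since).days
    if days_in_role > MAX_DAYS_IN_ROLE:
        findings.append(f"job-rotation: {days_in_role} days in the same role")
    days_since_leave = (today - user.last_vacation).days
    if days_since_leave > MAX_DAYS_WITHOUT_LEAVE:
        findings.append(f"mandatory-vacation: {days_since_leave} days since last leave")
    return findings


def review_all(users, today: date) -> dict:
    """Map each user name to that user's list of findings."""
    return {u.name: review_user(u, today) for u in users}


# Constructed sample users, reviewed as of a fixed date so the result is reproducible.
REVIEW_DATE = date(2016, 3, 31)
USERS = [
    User("erin", {"ap_clerk"}, {"approve_payment"}, date(2015, 1, 10), date(2015, 12, 20)),
    User("frank", {"sysadmin", "auditor"}, set(), date(2016, 1, 4), date(2014, 8, 1)),
    User("grace", {"auditor"}, set(), date(2015, 11, 2), date(2016, 2, 15)),
]


if __name__ == "__main__":
    for name, findings in review_all(USERS, REVIEW_DATE).items():
        print(name, findings or "compliant")
```

Erin's direct grant of approve_payment shows how a least-privilege violation and a separation-of-duties violation usually arrive together: the extra permission was never part of her role, and combined with her role it creates the conflicting pair. Frank holds no surplus permission, yet his two legitimate roles still conflict, which is the case the text describes of administrators reviewing their own logs.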
Travel Assistance
These access control concepts and best practices are discussed in more detail in Chapter 6.