
Security+

SY0-301 Study Guide

PORTS

20 and 21 - FTP
22 - SSH, SCP, and SFTP
23 - Telnet
25 - SMTP
49 - TACACS
53 - DNS (Domain Name System)
80 - HTTP (Hypertext Transfer Protocol)
88 - Kerberos
110 - POP3 (incoming email)
143 - IMAP (email)
161 - SNMP
443 - SSL, HTTPS
636 - Secure LDAP
1443 - MS-SQL database
1701 - L2TP
1723 - PPTP
3389 - RDP (Remote Desktop)
6881-6889 - BitTorrent

Confidentiality - Encryption and permissions
Integrity - Hashing
Availability - RAID-1, RAID-5, load balancing, and clustering

Network Security

1. IPv6 uses a long string of both numbers and alphanumeric characters to create addressing options and avoid duplicate addresses.
2. ICMP is being blocked if you cannot ping a router.
3. Implement loop protection on your switch to prevent users from causing network disruptions by connecting both ends of a patch cable into different ports of a switch.
4. It is best practice to disable any unused ports to secure the switch from physical access.
5. Port security can be implemented by applying a security control which ties specific ports to a device's MAC address and prevents other devices from being able to connect to your network.
6. Use a VLAN if there is a need for departmental separation on the network.
7. VLAN segregation can be used to prevent ARP poisoning attacks across the network.
8. A firewall and VPN server can allow remote access to your corporate network.
9. The default rule in a firewall's ACLs is a Deny All, or implicit deny.
10. The last rule on a firewall should be an implicit deny; in firewall ACL statements this is called Drop All.

11. The implicit deny firewall rule set will stop network traffic that is not identifiable.
12. Stateful packet inspection will block incoming traffic that does not match an internal request.
13. Flood guards can protect against SYN attacks.
14. An IDS identifies malicious activity after it has occurred.
15. To identify a malicious attacker's computer from the IDS, look for unknown MAC addresses.
16. Your users are unable to download content from certain websites. Also, the IDS keeps alerting you about suspicious traffic on the network. The most likely cause is that the NIPS on the network is blocking activities from those websites.
17. A NIDS is used to detect suspicious behavior but not react to it.
18. A NIDS can be implemented to help identify smurf attacks.
19. An IPS will stop an attack that is in progress.
20. SNMP is used to monitor network devices.
21. SNMP allows an administrator to set device traps.
22. Content filtering can be performed by a web security gateway.
23. A proxy is used to cache and filter content.
24. A load balancer can be used to optimize and distribute network traffic loads across multiple computers and networks.
25. If one server in your DMZ is unable to communicate on the Internet or the internal network, make sure the server has the correct default gateway IP address configured.
26. A VPN concentrator is used to provide secure remote access into the network.
27. A provider cloud facilitates computing for heavily utilized systems and networks.
28. A security control that is lost with cloud computing is physical control of the data.
29. Software as a Service (SaaS) is a good solution if budget requirements do not allow for additional servers or hiring new personnel.
30. Webmail would be classified as a Software as a Service (SaaS) technology.
31. The Platform as a Service (PaaS) cloud concept is described as providing an easy-to-configure operating system and on-demand computing for customers.
32. A DMZ allows access to services within it while segmenting access to the internal network.
33. EMI shielding is used to prevent someone from capturing network traffic via the network wire.
34. WEP is an insecure protocol because of its improper use of the RC4 stream cipher.
35. Isolation mode on an access point will segment each wireless user from the other wireless users.
36. To allow only certain wireless clients on your network you should enable and configure MAC filtering.

37. AES is one of the best choices for encryption on a wireless network.
38. WPA2 provides the highest level of security on a wireless network.
39. If your wireless device keeps connecting to and disconnecting from the wireless network, make sure there is not a nearby wireless network that might be interfering with yours.
40. The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point.
41. Decrease the power levels on your WAP to limit the wireless signal range.
42. Two wireless security controls that can be easily and quickly circumvented using only a network sniffer are MAC filtering and disabling the SSID broadcast.

Compliance and Operational Security

1. Confidentiality ensures that only authorized users can view data. Installing a mantrap and HVAC in order to protect company data is an example of confidentiality and availability.
2. Hot and cold aisles should be used to regulate cooling within a datacenter.
3. A hot site is a duplicate of the original site.
4. A cold site is the least expensive type of backup site. Just make sure the cold site meets power and connectivity requirements in case of a disaster.
5. RAID is a form of availability, specifically RAID-1 and RAID-5.
6. Clustered servers could eliminate having a single point of failure.
7. An off-site backup is the best way to secure data.
8. A Disaster Recovery Plan (DRP) should contain a hierarchical list of critical systems.
9. Change management is a way to manage updates for operating systems and firmware.
10. If security policy states that all flash drives are banned, also make sure that this includes personal music devices.
11. A clean desk policy is implemented to reduce the risk of possible data theft and to force users to organize their work area.
12. Performing routine security audits is a detective control.
13. Asset value (cost) is used when performing a quantitative risk analysis.
14. Good judgment is used when performing a qualitative risk analysis.
15. Risk cannot be eliminated.
16. Risk transference is when a company purchases insurance to reduce risk.
17. If your company is looking into a new enterprise solution, make sure a risk assessment is performed before implementation.
18. Bank account information is considered Personally Identifiable Information (PII), so make sure users are educated on how to handle malicious attempts to obtain this type of information.
19. Personally Identifiable Information (PII) requires special handling and explicit policies for data retention and data distribution.

20. Using your name and birthday together is considered Personally Identifiable Information (PII).
21. After taking a forensic image of a computer's memory chip you should run that image through SHA-256 to ensure image integrity.
22. Forensic hashing on a drive should be done before and after the imaging process, and then hash the forensic image.
23. Hooked processes can be found in RAM.
24. To reduce the data leakage threat if your mobile devices get stolen, make sure you have the ability to remotely sanitize the devices.
25. Job rotation would be when you have to change roles with another administrator every few months.
26. User awareness and training should be performed to minimize the organizational risk posed by users.
27. Security awareness training should be coupled with employees signing a user agreement.
28. Reviewing user rights and permissions is a common routine while reviewing system audits.
29. Chain of custody provides documentation as to who, what, when, where, and maybe why, for everyone who has handled evidence.
30. Chain of custody can assist in identifying that a system was handled properly during transportation.
31. Information disclosure is a security risk when using P2P software.
32. Detecting fraud is a security benefit of mandatory vacations.
33. CCTV is a detective security control type.
34. A video surveillance system will contain reliable proof that a building was accessed at a certain time of day.
35. A change management strategy is used to prevent ad-hoc configuration mistakes.
36. Humidity can reduce the potential for static discharge.
37. When getting rid of old hard drives you should make sure you perform a bit-level erasure or overwrite all data.
38. Recovery Point Objectives and Recovery Time Objectives relate to the Business Impact Analysis of the BCP.
39. Required data labeling is used to ensure that users know what data they are handling and processing.
40. Least privilege is giving the user only the rights they need to complete their job.
41. To be able to identify hard drive evidence tampering you should implement hard drive hashing.
42. The privacy policy should be referenced if you need to know what type of user information should be collected by your website.
43. Fluorescent lighting causes EMI on Ethernet cables, so do not place Ethernet cables over lighting when running cable.
44. A COOP (Continuity of Operations Plan) is described as restoring mission essential functions at an alternate site and performing those functions for up to 30 days.

45. Mean time to restore is a metric for determining the effectiveness of a Continuity of Operations Plan or a Disaster Recovery Plan.

Threats and Vulnerabilities


1. A malicious attacker is also known as a black hat.
2. The primary difference between a virus and a worm is that a worm is self-replicating, whereas a virus is not.
3. Keygens (key generators) are well known to contain Trojans. Beware!!!
4. Trojans are commonly installed via a thumb drive.
5. A rootkit is a system-level kernel module that is used to modify file system operations.
6. A botnet can be installed on a PC by the user visiting a malicious/compromised website and the software being installed on the PC. After this has occurred the user will notice slow performance and a lot of outbound connections to various websites.
7. If your computer is part of a botnet and you turn the computer off, you will not be able to retrieve data from memory, system processes, and network processes.
8. Botnets will typically use IRC for command and control activities.
9. A man-in-the-middle attack is when there is interruption of network traffic accompanied by the insertion of malicious code.
10. DoS attacks commonly happen to web servers and more often by a single external user.
11. An example of a DoS attack is if you notice your web server logs show that the online store crashes after a single external user has executed a particular search string.
12. DDoS and smurf attacks create additional network traffic in order to congest the network.
13. Spear phishing targets specific employees/persons of a company.
14. ARP poisoning allows traffic to be redirected through a malicious machine by sending false hardware address updates to a switch.
15. To prevent host enumeration by a sweeping device the ICMP protocol should be blocked.
16. Hiring a secure shredding and disposal service would mitigate dumpster diving.
17. Whaling is a social engineering attack that targets executives and high-profile targets.
18. An example of a vishing attack is receiving a call that is an automated recording stating it is from your credit card company. The recording asks you to state your credit card information to verify your identity. Don't do this!
19. Using password protected screen savers, password masking, and privacy screens would be used to mitigate shoulder surfing.
20. Mantraps are good at stopping tailgating.

21. Tailgating is when you allow another person access through a physical access system without them verifying their credentials.
22. War driving attacks can be reduced by proper wireless antenna placement and reducing radio power settings.
23. An evil twin is a wireless attack where a rogue, or counterfeit, access point uses the same SSID as a legitimate access point.
24. A rogue access point is an unauthorized wireless router that allows access to a secure network.
25. Data can still be stolen by a bluesnarfing attack on a smartphone even if the screen lock is enabled and the disk is encrypted.
26. To prevent cross-site scripting you must implement input validation to remove hypertext.
27. Preventing the use of HTML tags can mitigate cross-site scripting.
28. Cross-site scripting can be manifested as a JavaScript image tag or embedded HTML image object in an email.
29. An example of a command injection is when a command has been entered into an HTML form.
30. JavaScript that is being used to send random data to another service on the same system is most likely attempting a buffer overflow.
31. An initialization vector can be compromised by a buffer overflow.
32. You are creating a new program and allocate 32 bytes for a string variable. However, you do not adequately ensure that more than 32 bytes cannot be copied into the variable. Your program might be vulnerable to a buffer overflow.
33. A NOOP sled, or NOOP instructions, indicates a buffer overflow attack occurred.
34. If you need to keep unauthorized people out of your office building you could use proximity readers and security guards.
35. A protocol analyzer can determine if an application is transmitting passwords in clear text.
36. A protocol analyzer lets you view the IP headers on a data packet.
37. Content inspection is actively monitoring data traffic in order to find malicious code or malicious behavior.
38. When conducting a corporate vulnerability assessment you should organize data based on severity and asset value.
39. A vulnerability scan is a passive attempt to identify weaknesses, but it does not exploit them.
40. A vulnerability scan is a management control type.
41. A good reason to perform a penetration test is to determine the impact of a threat.
42. Penetration testing should be done with the consent of the owner and with preset conditions because the testing actively tests security controls and can cause system instability.
43. White box penetration testing is a software testing technique whereby explicit knowledge of the internal workings of the item being tested is used to select the test data.

44. A gray box penetration test is performed with limited inside knowledge of the network.

Application, Data and Host Security


1. Fuzzing can allow an intruder to identify vulnerabilities in a closed source application.
2. Input validation should be implemented to avoid SQL injection attacks.
3. Input validation will ensure that certain characters and commands entered on a web server are not interpreted as legitimate data and are not passed on to backend servers.
4. Determining what ports are open on a system can let you know what services are running.
5. Integrity has been compromised if a bulk update process fails and writes incorrect data throughout your database.
6. If a user is crashing a program due to improper input, the programmer probably failed to configure some sort of error handling.
7. Secure coding concepts are a hardening step of an application during the SDLC.
8. Application hardening will ensure that your application is secure. Part of this process is to make sure unnecessary services are disabled.
9. If your database servers are being compromised by a database user account with the default password, then your operational procedures are missing application hardening.
10. When installing an application you should perform software updates to the application and make sure vendor-provided hardening documentation is reviewed and applied.
11. Patch management is a great way to combat operating system vulnerabilities.
12. A part of patch management is to verify new software changes on a test system.
13. A benefit of having a standardized server image is that mandated security configurations have been made to the operating system.
14. You can use baseline reporting to identify an application's security posture.
15. If you need to know if certain network behavior is normal or not, look at the baseline reporting.
16. Secure code review practices should happen from the start in software development.
17. An antivirus scanner is most unlikely to discover a logic bomb or pharming.
18. If you are receiving emails containing advertisements you should implement some sort of anti-spam filtering.
19. Enable the pop-up blocker to prevent unwanted windows from opening in a browser.
20. A host-based firewall is installed on a single computer to prevent intrusion.
21. To protect the operating system from malicious software you should disable any unused services and update the HIPS signatures.

22. A locking cabinet would be great to use to prevent theft of devices and unused assets.
23. ServerA requires high availability. ServerB requires high security. The configurations for the servers are as follows: ServerA fails open, and ServerB fails closed.
24. SELinux is a trusted operating system implementation that is used to prevent malicious code from executing on a UNIX/Linux system.
25. Device encryption can be used by a mobile device to ensure confidentiality of the data.
26. GPS tracking could be a security vulnerability for a mobile device and can be disabled. However, GPS can come in handy if you have mobile workers and need to recover a lost mobile device.
27. Most smartphones now have a remote wipe feature that allows the owner to remotely send a command to their stolen smartphone and tell it to erase all data.
28. Virtual machines should have the same security requirements as physical machines.
29. A network-based DLP (data loss prevention) system can help reduce the risk of users emailing confidential data to others outside of the company.
30. Using full disk encryption is a way to mitigate data loss if a mobile/portable device is compromised.
31. A Trusted Platform Module (TPM) is a hardware chip that is used to store encryption keys and is used for full disk encryption.
32. Trusted Platform Modules (TPM) and Hardware Security Modules (HSM) provide storage for RSA or asymmetric keys and can assist in user authentication.
33. A Hardware Security Module (HSM) is a removable device used to encrypt data.
34. A Hardware Security Module (HSM) can be added to an existing server to provide encryption capabilities.
35. Hardware Security Modules (HSM) are used to generate and store keys, even SSL session keys.

Access Control and Identity Management

1. The RADIUS protocol encrypts password packets from client to server.
2. Administrators that have both a regular user account and an administrator user account have the two accounts to prevent escalation of privileges.
3. RADIUS is used for 802.1x authentication, even for wireless networks.
4. Kerberos is an access, authentication, and authorization protocol that is more secure than TACACS, RADIUS, and LDAP.
5. TACACS+ uses multiple challenge-responses for authentication, authorization, and auditing.
6. TACACS+ is used to authenticate users accessing a network device.
7. Kerberos uses tickets to identify users to the network.

8. LDAP is a single point of user management.
9. MSCHAPv2 and PEAP can be used in conjunction with each other to provide mutual authentication.
10. LANMAN is susceptible to brute force attacks because it can only store seven uppercase characters of data.
11. LANMAN passwords can be discovered by brute force cracking the first seven characters and then the second part of the password.
12. NTLM is backwards compatible and replaces LANMAN.
13. PEAP-TLS requires a CA to authenticate. Remember that TLS = certificate = CA.
14. Single sign-on (SSO) centrally authenticates multiple clients and applications against a federated user database.
15. FTP servers use ACLs to determine what a user can or cannot do on the FTP server.
16. Role-based access control is a system of controlling which users have access to resources based on the role or job function of the user.
17. Password recovery is an example of allowing your users to perform a self-service password reset.
18. An example of a biometric device is a fingerprint scanner.
19. A biometric authentication system would help prevent intruders from entering an office building that currently has a PIN authentication system.
20. A thumbprint scanner tests the human authentication factor of something a user is.
21. A proximity card reader tests the human authentication factor of something a user has.
22. Tokens allow a user to have a one-time password.
23. RSA tokens provide a rolling password for one-time use.
24. Least privilege implementation is a technical control.
25. Account disablement will ensure that terminated users no longer have access to the network.
26. MAC filtering is a form of Network Access Control (NAC).
27. ACLs can be configured to allow remote access into a network.
28. An example of multifactor authentication is using a PIN and a smart card.
29. A Common Access Card (CAC) is a form of photo identification.
30. It is a good idea to periodically review the user rights on a server to maintain the security of the system.
31. If a user that is trying to authenticate through a NAC-enabled network is not prompted for their credentials, their computer is missing the authentication agent.
32. A representation of a complex password policy that enforces lowercase passwords using letters a through z, where n is the password length, is 26^n.
33. You should implement a time of day restriction and use access control lists if you need to keep a group of users from accessing the network after 5:00 pm and prevent them from accessing another group's network.

34. Password length requirements will require users to have a password of a specific length. If the password length is not exact, or longer, the password cannot be used.
35. Minimum age time must be implemented with password history in order to prevent users from re-using the same password.
36. Password expiration can ensure that a user has to change their password once it has been reset and emailed to them by an administrator.

Cryptography

1. Steganography is inserting, or hiding, data within other files. This data can be password protected and encrypted.
2. Symmetric key cryptography uses the same key on each end of the transmission medium: one key to encrypt and decrypt.
3. Symmetric key sharing is the sharing of one key with trusted parties.
4. AES encryption has a 128-bit block size, with key sizes of 128, 192 and 256 bits.
5. DES encryption has a key size of 56 bits.
6. 3DES encryption has a key size of 168 bits.
7. In asymmetric encryption, the public key is used to encrypt and the corresponding private key is used to decrypt. Also, the private key can encrypt and the corresponding public key can decrypt; this is true, but not secure, as anyone can use the public key.
8. Elliptic curve cryptography is an approach to public-key cryptography that uses smaller key sizes and less computational resources than algorithms that are calculated against a finite field.
9. RSA encrypts and authenticates data going from one computer to another computer.
10. Digital signatures provide integrity and non-repudiation.
11. IPSec can be used to create a site-to-site VPN tunnel between offices.
12. SFTP is an extension of SSH.
13. SFTP is a secure way to transfer files from a host computer.
14. FTPS is a secure method of utilizing FTP.
15. SSH is most commonly used to remotely administer a Unix/Linux system.
16. Hardware encryption is faster than software encryption and is available on computers using a TPM.
17. A user has been terminated from the company and their account has been deleted. You need to recover a file that was encrypted with the user's private key. Two outcomes are likely to happen. One, the data will not be recoverable because the account, along with the private key, was deleted. Two, you are able to use the recovery agent to decrypt the data.
18. A public key can be found in your Internet browser's trusted root CA store.
19. Revoked certificates are stored in the Certificate Revocation List (CRL).
20. If your web server's private key has been compromised you must submit, or publish, the public key to the CRL.

21. Your CRL should be available to the public.
22. Public keys are used to decrypt the hash of a digital signature.
23. A key escrow maintains a secure copy of a user's private key for the sole purpose of recovering the key if it has become lost.
24. A key escrow should be established in your PKI implementation if data loss is unacceptable.
25. A recovery agent is used to recover private keys.
26. One of the duties of a Certification Authority (CA) is to verify the authenticity of certificate contents.
27. In the realm of PKI, a trusted third party is also known as a certification authority.
28. A self-signed certificate is probably being used if your web browser does not recognize a certificate issuer.
