CompTIA Security+

SY0-501 Section 6.3- Given a scenario, use appropriate PKI, certificate management and associated components.

Certificate authorities and digital certificates Certificate Authorities The CA is the trusted authority that certifies individuals’ identities and creates electronic documents indicating that individuals are who they say they are. The electronic document is referred to as a digital certificate, and it establishes an association between the subject’s identity and a public key. The private key that is paired with the public key in the certificate is stored separately. It is important to safeguard the private key, and it typically never leaves the machine or device where it was created….

SY0-501 Section 6.2- Given a scenario, use appropriate cryptographic methods.

WEP vs. WPA/WPA2 and pre-shared key Wired Equivalent Privacy (WEP) was intended to provide basic security for wireless networks. (Do not confuse WPA with the Wireless Application Protocol, WAP, an unrelated standard for delivering content to mobile handsets.) Over time, WPA and WPA2 have replaced WEP in most implementations. Wired Equivalent Privacy Wired Equivalent Privacy (WEP) is a wireless protocol designed to provide privacy equivalent to that of a wired network. WEP was implemented in a number of wireless devices, including smartphones and other mobile devices. WEP was vulnerable because of weaknesses in the…
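The two halves of this comparison, as an added example that is not code from the original page or from the book it excerpts: WEP builds each frame's RC4 key from a 24-bit IV (sent in the clear) and the shared key, so once an IV repeats the keystream repeats and one known frame reveals another; WPA/WPA2-Personal instead derives a 256-bit PMK from the passphrase with PBKDF2, salted by the SSID. The WEP key, IV and frame contents are constructed test data; the PBKDF2 parameters (HMAC-SHA1, 4096 iterations, 32 bytes) are the ones the 802.11i standard specifies.

```python
import hashlib

# Added example (not from the original page): RC4 as WEP uses it, the
# keystream-reuse problem created by WEP's 24-bit IV, and the WPA2-Personal
# passphrase-to-PMK derivation. All keys, IVs and frame contents are
# constructed test data.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA), then XOR data with the PRGA keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame RC4 key is the 3-byte IV (sent in the clear) || shared WEP key."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    return rc4(iv + wep_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_via_iv_reuse(wep_key: bytes, iv: bytes, known_frame: bytes, secret_frame: bytes) -> bytes:
    """Two frames sent under the same IV share one keystream, so
    C1 XOR C2 == P1 XOR P2. An eavesdropper who knows P1 recovers P2
    without ever learning the WEP key."""
    c1 = wep_encrypt(wep_key, iv, known_frame)
    c2 = wep_encrypt(wep_key, iv, secret_frame)
    return xor(xor(c1, c2), known_frame)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats after `frames`
    frames when IVs are drawn uniformly from a 2**iv_bits space."""
    n = 2 ** iv_bits
    p_no_repeat = 1.0
    for k in range(frames):
        p_no_repeat *= (n - k) / n
    return 1.0 - p_no_repeat


def wpa2_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 32 bytes).
    The SSID acts as the salt, so a precomputed table only works for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"
    known = b"GET /index.html "             # a predictable request (16 bytes)
    secret = b"pass=Tr0ub4dor&3"            # same length, unknown to the attacker
    print(recover_via_iv_reuse(key, iv, known, secret))
    print(f"P(IV repeat after 4823 frames) = {iv_collision_probability(4823):.2f}")
    print(wpa2_psk_to_pmk("password", "IEEE").hex())
```

With only 2^24 IVs, the birthday bound puts the chance of a repeat at about 50% after roughly 4,800 frames, which a busy access point sends in seconds; the PBKDF2 step in WPA2-Personal does not have this problem, though it still leaves a weak passphrase open to offline guessing once a 4-way handshake has been captured.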

SY0-501 Section 6.1- Given a scenario, utilize general cryptography concepts.

Cryptography is the science of encrypting, or hiding, information—something people have sought to do since they began using language. Although language allowed them to communicate with one another, people in power attempted to hide information by controlling who was taught to read and write. Eventually, more complicated methods of concealing information by shifting letters around to make the text unreadable were developed. The Romans typically used a different method known as a shift cipher. In this case, one letter of the alphabet is shifted a set number of places in…
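The shift cipher described above, implemented as an added example (not code from the original page), together with the attack that makes it useless today: the key is a single number between 1 and 25, so every key can be tried and the right one picked out with a short list of common English words. The sample message and the word list are constructed for the example.

```python
import string

# Added example (not from the original page): the Roman shift cipher and why
# a key space of 25 shifts makes brute force trivial. Sample text constructed.

ALPHABET = string.ascii_uppercase
COMMON_WORDS = {"THE", "AND", "AT", "OF", "TO", "IN", "IS", "ME"}  # small crib list


def shift_cipher(text: str, shift: int) -> str:
    """Shift every letter `shift` places forward in the alphabet (mod 26).
    Non-letters pass through unchanged; a negative shift decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int) -> str:
    return shift_cipher(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict:
    """Only 25 non-trivial keys exist, so simply try every one of them."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


def best_guess(ciphertext: str) -> tuple:
    """Rank the 25 candidates by how many common English words they contain
    and return (shift, plaintext) for the best one."""
    def score(candidate: str) -> int:
        words = candidate.replace(",", " ").replace(".", " ").split()
        return sum(1 for w in words if w in COMMON_WORDS)
    shift, plain = max(brute_force(ciphertext).items(), key=lambda kv: score(kv[1]))
    return shift, plain


if __name__ == "__main__":
    ct = shift_cipher("MEET ME AT THE OLD BRIDGE AT DAWN AND BRING THE MONEY", 3)
    print(ct)
    print(best_guess(ct))
```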

SY0-501 Section 5.3 Install and configure security controls when performing account management, based on best practices.

Mitigate issues associated with users with multiple accounts/roles and/or shared accounts Account policy enforcement Policy enforcement is the manner in which the server allows or disallows accounts that violate provisioning policies. When policy, person, or account data changes, an account that was originally compliant with a provisioning policy can become noncompliant. Policy enforcement can be configured globally or for a specific service. It occurs whenever the server's business process requires it, in order to ensure system integrity and take the appropriate actions. A provisioning policy governs the access rights…

SY0-501 Section 5.2 Given a scenario, select the appropriate authentication, authorization or access control.

Identification vs. authentication vs. authorization Identification is the process whereby a user presents an identity and a network element recognizes it as a valid one. Authentication is the process of verifying that claimed identity. A user may be a person, a process, or a system (e.g., an operations system or another network element) that accesses a network element to perform tasks or process a call. A user identification code is a non-confidential, auditable representation of a user. Information used to verify the claimed identity of a user can be based on a password, Personal Identification…
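The three steps kept separate in code, as an added example (not code from the original page): identification is a lookup of a non-secret identifier, authentication checks the claim against a salted PBKDF2 verifier in constant time, and authorization consults the roles attached to the now-proven identity. The user records, passwords, roles and permission table are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example (not from the original page): identification, authentication
# and authorization as three distinct checks. Users, passwords, roles and
# permissions below are constructed test data.

ITERATIONS = 100_000


def make_verifier(password: str, salt: bytes = b"") -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


USERS = {
    "alice": {"verifier": make_verifier("correct horse battery staple"), "roles": {"operator"}},
    "bob":   {"verifier": make_verifier("hunter2"), "roles": {"operator", "admin"}},
}
PERMISSIONS = {"view_logs": {"operator", "admin"}, "delete_user": {"admin"}}

# Used for unknown IDs so the password check costs the same time either way.
_DUMMY = make_verifier("", b"\x00" * 16)


def identify(user_id: str):
    """Identification: the claimant presents an identifier; we only look it up.
    The ID is not secret, which is why it is safe to write to audit logs."""
    return USERS.get(user_id)


def authenticate(user_id: str, password: str) -> bool:
    """Authentication: prove the claimed identity with something the user knows."""
    rec = identify(user_id)
    verifier = rec["verifier"] if rec else _DUMMY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), verifier["salt"], ITERATIONS)
    # compare_digest avoids leaking how many bytes matched through timing
    return rec is not None and hmac.compare_digest(candidate, verifier["hash"])


def authorize(user_id: str, action: str) -> bool:
    """Authorization: may this (already authenticated) identity perform the action?"""
    rec = identify(user_id)
    return rec is not None and bool(rec["roles"] & PERMISSIONS.get(action, set()))


def access(user_id: str, password: str, action: str) -> str:
    """Run the three steps in order and report which one stopped the request.
    Keep this detail for the audit log only: the user-facing error must not
    distinguish 'unidentified' from 'unauthenticated', or it reveals which
    identifiers exist."""
    if identify(user_id) is None:
        authenticate(user_id, password)   # still spend the hash time
        return "unidentified"
    if not authenticate(user_id, password):
        return "unauthenticated"
    if not authorize(user_id, action):
        return "unauthorized"
    return "granted"


if __name__ == "__main__":
    for uid, pw, act in [("alice", "correct horse battery staple", "view_logs"),
                         ("alice", "correct horse battery staple", "delete_user"),
                         ("alice", "wrong", "view_logs"),
                         ("mallory", "x", "view_logs")]:
        print(uid, act, "->", access(uid, pw, act))
```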

SY0-501 Section 5.1 Compare and contrast the function and purpose of authentication services.

RADIUS RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865 (with accounting in RFC 2866), is a protocol for remote user authentication and accounting. RADIUS enables centralized management of authentication data, such as usernames and passwords. When a user attempts to log in to a RADIUS client, such as a router, the router sends an authentication request (an Access-Request) to the RADIUS server. Communication between the RADIUS client and the RADIUS server is authenticated using a shared secret that is never transmitted over the network; note that only the User-Password attribute is obfuscated with that secret, while the rest of the packet travels in the clear. The RADIUS server may store…
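How the shared secret is used without ever being sent, shown as an added example (not code from the original page or any RADIUS implementation): both sides of the Access-Request / Access-Accept exchange from RFC 2865, with the User-Password hiding (MD5 chained over the secret and the Request Authenticator) and the Response Authenticator the client checks on the reply. The secret, user database and credentials are constructed test data; only the two attributes needed for the exchange are encoded.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the original page): RFC 2865 Access-Request /
# Access-Accept exchange showing how the shared secret is used without being
# sent. Secret, user database and credentials are constructed test data.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_{i-1})
    with c_0 = Request Authenticator. Obfuscation only, not an authenticated cipher."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor16(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # removes the padding


def attr(atype: int, value: bytes) -> bytes:
    """Attribute TLV: type, length (including these two bytes), value."""
    return bytes([atype, 2 + len(value)]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def client_access_request(secret: bytes, ident: int, username: bytes, password: bytes, request_auth: bytes = b""):
    """NAS side (the router): build the request; keep the RA to verify the reply."""
    ra = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra


def server_handle(secret: bytes, request: bytes, userdb: dict) -> bytes:
    """RADIUS server side: unhide the password, check it, sign the reply."""
    req_code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], request[20:length]
    parsed, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        parsed[atype] = attrs[i + 2:i + alen]
        i += alen
    supplied = reveal_password(secret, ra, parsed.get(ATTR_USER_PASSWORD, b""))
    ok = req_code == ACCESS_REQUEST and userdb.get(parsed.get(ATTR_USER_NAME)) == supplied
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, ra, b"", secret), b"")


def client_verify(secret: bytes, response: bytes, request_auth: bytes):
    """Returns (authentic, code). A forged reply, or one from a server holding a
    different secret, fails the MD5 check."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected), code


if __name__ == "__main__":
    secret, users = b"testing123", {b"alice": b"hunter2"}
    req, ra = client_access_request(secret, 7, b"alice", b"hunter2")
    print(client_verify(secret, server_handle(secret, req, users), ra))
```

Everything except the password travels in plaintext, and both the password hiding and the authenticator rest on MD5 with the secret as the only protection, which is why RADIUS should run over an IPsec or TLS-protected path (RadSec) rather than bare UDP on an untrusted network.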

SY0-501 Section 4.4- Implement the appropriate controls to ensure data security.

Cloud Storage The first couple of PCs that this author owned booted from media (tape with one and floppies with another) and did not include hard drives. After saving up for quite a while, I bought and installed my first hard drive—costing more than $600. It had a capacity of 20 MB, and I could not fathom what I would possibly do with all of that space. Today that number is so small, it’s laughable. The trend for both individuals and enterprises has been to collect and store as much…

SY0-501 Section 4.3 Given a scenario, select the appropriate solution to establish host security.

Operating system security and settings The ability to run the administrative interfaces within the operating system, and the applications associated with them, is often the difference between a standard user and an administrative user. The person running the administrative interfaces can make configuration changes to the system(s) and modify settings in ways that can have wide-ranging consequences. For example, a user who is able to gain access to the administrative tools could delete other users, set their own ID equal to the root user, change passwords, or delete key files. To…
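Two checks for the abuses the paragraph lists, as an added example (not code from the original page): parsing passwd(5) entries to find any account whose UID has been set to 0 (a second root) or that shares a UID with another, and a mode check for key files that a standard user could write. The passwd content is a constructed sample, not taken from a real host.

```python
import os
import stat

# Added example (not from the original page): audit checks for the
# consequences the paragraph lists. SAMPLE_PASSWD is constructed test data.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
# comment lines and blank lines are skipped
support:x:0:0:vendor support:/home/support:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue   # malformed line; a fuller audit would flag it too
        name, _, uid, gid, gecos, home, shell = fields
        rows.append({"name": name, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows


def rogue_uid0_accounts(text: str) -> list:
    """Any account other than root whose UID is 0 is root to the kernel."""
    return [r["name"] for r in parse_passwd(text) if r["uid"] == 0 and r["name"] != "root"]


def duplicate_uids(text: str) -> dict:
    """UID sharing in general, not only 0: two names mapping to one identity
    defeats accountability in logs."""
    by_uid = {}
    for r in parse_passwd(text):
        by_uid.setdefault(r["uid"], []).append(r["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def is_world_writable(mode: int) -> bool:
    """A key file (/etc/passwd, a service binary, a cron script) that 'other'
    can write lets a standard user make the changes described above."""
    return bool(mode & stat.S_IWOTH)


def audit_host(passwd_path: str = "/etc/passwd") -> dict:
    """Run the checks against a real file; not exercised by the constructed sample."""
    with open(passwd_path) as fh:
        text = fh.read()
    return {"rogue_uid0": rogue_uid0_accounts(text),
            "duplicate_uids": duplicate_uids(text),
            "passwd_world_writable": is_world_writable(os.stat(passwd_path).st_mode)}


if __name__ == "__main__":
    print("rogue UID 0:", rogue_uid0_accounts(SAMPLE_PASSWD))
    print("shared UIDs:", duplicate_uids(SAMPLE_PASSWD))
```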

SY0-501 Section 4.2- Summarize mobile security concepts and technologies.

Device Security Mobile devices, such as laptops, tablet computers, and smartphones, present security challenges beyond those of desktop workstations and servers: they leave the office, which increases the odds of their theft. In 2010, AvMed Health Plans, a Florida-based company, had two laptop computers stolen. Together, over one million personal customer records were on those computers, and this is but one of many similar stories that happen on a regular basis. At a bare minimum, the following security measures should be in place on mobile devices:…

SY0-501 Section 4.1-Explain the importance of application security controls and techniques.

Fuzzing Fuzz testing, or fuzzing, is a black-box software testing technique that consists of finding implementation bugs by injecting malformed or semi-malformed data in an automated fashion. Consider an integer in a program that stores the result of a user's choice among 3 options. When the user picks one, the choice will be 0, 1 or 2, which makes three practical cases. But what if we transmit 3, or 255? We can, because integers are stored in fixed-size variables that can hold far more than three values. If the default switch case hasn't been implemented securely, the…
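A minimal fuzz harness for exactly this integer-choice case, as an added example (not code from the original page): the target trusts the choice to be 0, 1 or 2 and has no safe default, so the harness feeds boundary values (3, 255, 2^31-1, negatives) plus random integers and records two kinds of finding, a crash and an out-of-range value that is silently accepted. The handler names and both dispatch functions are constructed to show the bug class; a hardened version with an explicit range check is run through the same harness for comparison.

```python
import random

# Added example (not from the original page): a tiny fuzz harness for the
# integer-choice case. The target functions are constructed to show the bug
# class; they are not code from any real program.

HANDLERS = ["renew", "suspend", "cancel"]      # the three legitimate answers: 0, 1, 2


def vulnerable_dispatch(choice: int) -> str:
    """Trusts `choice` to be 0..2 and has no safe default case. Out-of-range
    values crash; negative ones silently select a handler because Python
    indexes from the end (the analogue of a signed/unsigned mix-up in C)."""
    return HANDLERS[choice]


def hardened_dispatch(choice: int) -> str:
    """Explicit range check: anything outside 0..2 is rejected, never 'defaulted'."""
    if not isinstance(choice, int) or not 0 <= choice < len(HANDLERS):
        raise ValueError(f"invalid choice: {choice!r}")
    return HANDLERS[choice]


def boundary_values() -> list:
    """Values a fuzzer should always try: just around the valid range and at
    the edges of common integer widths."""
    return [-1, 0, 1, 2, 3, 4, 127, 128, 255, 256,
            2**15 - 1, 2**16, 2**31 - 1, -2**31, 2**32, 2**63 - 1]


def fuzz(target, seed: int = 0, random_cases: int = 500) -> list:
    """Feed boundary and random integers; record crashes and silent acceptance
    of out-of-range input. A ValueError from a deliberate check is not a finding."""
    rng = random.Random(seed)
    cases = boundary_values() + [rng.randint(-2**32, 2**32) for _ in range(random_cases)]
    findings = []
    for c in cases:
        try:
            result = target(c)
        except ValueError:
            continue                                   # rejected properly
        except Exception as exc:                       # crash: unhandled path
            findings.append((c, "crash", type(exc).__name__))
            continue
        if c not in (0, 1, 2):
            findings.append((c, "accepted", result))   # wrong branch taken silently
    return findings


if __name__ == "__main__":
    for name, target in [("vulnerable", vulnerable_dispatch), ("hardened", hardened_dispatch)]:
        found = fuzz(target)
        print(f"{name}: {len(found)} findings, first few: {found[:4]}")
```

The "accepted" findings are the more dangerous class: a crash is at least visible, whereas -1 quietly running the "cancel" handler is the kind of wrong-branch behaviour that a missing or lax default case produces.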
