Security: CompTIA Security+ and Beyond, Second Edition
Wm. Arthur Conklin, Gregory White, Dwayne Williams, Roger Davis, Chuck Cothren
CONTENTS AT A GLANCE
Chapter 1   Introduction and Security Trends   1
Chapter 2   General Security Concepts   20
Chapter 3   Operational and Organizational Security   50
Chapter 4   The Role of People in Security   66
Chapter 5   Cryptography   82
Chapter 6   Public Key Infrastructure   114
Chapter 7   Standards and Protocols   152
Chapter 8   Physical Security   178
Chapter 9   Network Fundamentals   204
Chapter 10   Infrastructure Security   228
Chapter 11   Authentication and Remote Access   260
Chapter 12   Wireless Security   294
Chapter 13   Intrusion Detection Systems and Network Security   318
Chapter 14   Baselines   358
Chapter 15   Types of Attacks and Malicious Software   388
Chapter 16   E-Mail and Instant Messaging   420
Chapter 17   Web Components   444
Chapter 18   Secure Software Development   474
Chapter 19
Chapter 20   Risk Management   524
Chapter 21   Change Management   544
Chapter 22   Privilege Management   560
Chapter 23   Computer Forensics   580
Chapter 24   Legal Issues and Ethics   596
Chapter 25   Privacy   618
Appendix A   Objectives Map: CompTIA Security+   640
Appendix B   About the CD   648
Glossary   650
Index   664
CONTENTS
Preface   xxi
Introduction   xxiii
CompTIA Authorized Quality Curriculum   xxvi
Instructor and Student Web Site   xxvii
Chapter 1   Introduction and Security Trends   1
  The Security Problem   1
  Security Incidents   1
  Threats to Security   7
  Security Trends   10
  Avenues of Attack   11
  The Steps in an Attack   12
  Minimizing Possible Avenues of Attack   13
  Types of Attacks   14
  Chapter 1 Review   15
Chapter 2   General Security Concepts   20
  Basic Security Terminology   21
  Security Basics   21
  Access Control   31
  Authentication   31
  Authentication and Access Control Policies   32
  Social Engineering   33
  Security Policies   34
  Change Management Policy   35
  Classification of Information   36
  Acceptable Use Policy   36
  Due Care and Due Diligence   38
  Due Process   38
  Need to Know   39
  Disposal and Destruction Policy   39
  Service Level Agreements   40
  Human Resources Policies   40
  Security Models   42
  Confidentiality Models   42
  Integrity Models   43
  Chapter 2 Review   46
Chapter 3   Operational and Organizational Security   50
Chapter 4   The Role of People in Security   66
Chapter 5   Cryptography   82
  Algorithms   84
  Hashing Functions   87
  SHA   88
  Message Digest   90
  Hashing Summary   91
  Symmetric Encryption   91
  DES   92
  3DES   93
  AES   94
  CAST   95
  RC   95
  Blowfish   97
  IDEA   97
  Symmetric Encryption Summary   97
  Asymmetric Encryption   98
  RSA   98
  Diffie-Hellman   99
  ElGamal   100
  ECC   100
  Asymmetric Encryption Summary   101
  Steganography   101
  Cryptography Algorithm Use   103
  Confidentiality   104
  Integrity   104
  Nonrepudiation   104
  Authentication   105
  Key Escrow   105
  Digital Signatures   106
  Digital Rights Management   107
  Cryptographic Applications   108
  Chapter 5 Review   110
Chapter 6   Public Key Infrastructure   114
  The Basics of Public Key Infrastructures   115
  Certificate Authorities   117
  Registration Authorities   118
  Local Registration Authorities   120
  Certificate Repositories   120
  Trust and Certificate Verification   121
  Digital Certificates   124
  Certificate Attributes   125
  Certificate Extensions   126
  Certificate Lifecycles   127
  Centralized and Decentralized Infrastructures   132
  Hardware Storage Devices   133
  Private Key Protection   134
  Key Recovery   135
  Key Escrow   136
  Public Certificate Authorities   137
  In-House Certificate Authorities   138
  Choosing Between a Public CA and an In-House CA   138
  Outsourced Certificate Authorities   139
  Tying Different PKIs Together   140
  Trust Models   140
  Certificate-Based Threats   145
  Chapter 6 Review   147
Chapter 7   Standards and Protocols   152
  PKIX and PKCS   154
  PKIX Standards   155
  PKCS   156
  Why You Need to Know the PKIX and PKCS Standards   158
  X.509   160
  SSL/TLS   161
  ISAKMP   162
  CMP   163
  XKMS   164
  S/MIME   166
  IETF S/MIME History   166
  IETF S/MIME v3 Specifications   167
  PGP   168
  How PGP Works   168
  HTTPS   169
  IPsec   170
  CEP   170
  FIPS   170
  Common Criteria for Information Technology Security (Common Criteria or CC)   171
  WTLS   171
  PPTP   172
  WEP   172
  WEP Security Issues   172
  ISO/IEC 27002 (Formerly ISO 17799)   173
  Chapter 7 Review   174
Chapter 8   Physical Security   178
  The Security Problem   179
  Physical Security Safeguards   183
  Walls and Guards   183
  Policies and Procedures   184
  Access Controls and Monitoring   188
  Environmental Controls   191
  Fire Suppression   191
  Authentication   195
  Chapter 8 Review   200
Chapter 9   Network Fundamentals   204
  Network Architectures   205
  Network Topology   206
  Network Protocols   207
  Packets   209
  TCP vs. UDP   210
  ICMP   211
  Packet Delivery   213
  Local Packet Delivery   213
  Remote Packet Delivery   214
  IP Addresses and Subnetting   215
  Network Address Translation   217
  Security Zones   218
  VLANs   222
  Tunneling   223
  Chapter 9 Review   224
Chapter 10   Infrastructure Security   228
  Devices   229
  Workstations   229
  Servers   231
  Virtualization   232
  Network Interface Cards   232
  Hubs   233
  Bridges   233
  Switches   234
  Routers   235
  Firewalls   236
  Wireless   238
  Modems   239
  Telecom/PBX   240
  VPN   241
  Intrusion Detection Systems   241
  Network Access Control   242
  Network Monitoring/Diagnostic   242
  Mobile Devices   244
  Device Security, Common Concerns   244
  Media   245
  Coaxial Cable   245
  UTP/STP   245
  Fiber   247
  Unguided Media   248
  Security Concerns for Transmission Media   249
  Physical Security Concerns   249
  Removable Media   250
  Magnetic Media   251
  Optical Media   253
  Electronic Media   254
  Network Attached Storage   255
  Chapter 10 Review   256
Chapter 11   Authentication and Remote Access   260
  The Remote Access Process   261
  Identification   262
  Authentication   262
  Authorization   267
  Access Control   268
  IEEE 802.1X   270
  Wireless Protocols   271
  RADIUS   271
  RADIUS Authentication   272
  RADIUS Authorization   273
  RADIUS Accounting   273
  Diameter   274
  TACACS+   274
  TACACS+ Authentication   275
  TACACS+ Authorization   276
  TACACS+ Accounting   276
  Authentication Protocols   277
  L2TP and PPTP   277
  PPP   277
  PPTP   278
  EAP   279
  CHAP   279
  NTLM   280
  PAP   280
  L2TP   280
  Telnet   281
  SSH   281
  VPNs   283
  IPsec   284
  Security Associations   284
  IPsec Configurations   285
  IPsec Security   286
  Vulnerabilities of Remote Access Methods   288
  Connection Summary   289
  Chapter 11 Review   290
Chapter 12   Wireless Security   294
  Introduction to Wireless Networking   295
  Mobile Phones   296
  WAP   298
  3G Mobile Networks   300
  Bluetooth   300
  802.11   302
  802.11: Individual Standards   304
  Attacking 802.11   306
  New Security Protocols   310
  Implementing 802.1X   311
  Chapter 12 Review   314
Chapter 13   Intrusion Detection Systems and Network Security   318
  History of Intrusion Detection Systems   319
  IDS Overview   320
  Network-Based IDSs   322
  Advantages of a NIDS   326
  Disadvantages of a NIDS   326
  Active vs. Passive NIDSs   326
  Signatures   327
  False Positives and False Negatives   328
  IDS Models   329
  Firewalls   329
  How Do Firewalls Work?   331
  Intrusion Prevention Systems   333
  Proxy Servers   334
  Internet Content Filters   336
  Protocol Analyzers   336
  Honeypots and Honeynets   338
  Host-Based IDSs   340
  Advantages of HIDSs   343
  Disadvantages of HIDSs   344
  Active vs. Passive HIDSs   345
  Resurgence and Advancement of HIDSs   345
  PC-Based Malware Protection   346
  Antivirus Products   346
  Personal Software Firewalls   349
  Pop-up Blockers   350
  Windows Defender   351
  Antispam   353
  Chapter 13 Review   354
Chapter 14   Baselines   358
  Overview of Baselines   359
  Password Selection   359
  Patch Management   378
  Group Policies   380
  Security Templates   382
  Chapter 14 Review   384
Chapter 15   Types of Attacks and Malicious Software   388
  Avenues of Attack   389
  The Steps in an Attack   389
  Minimizing Possible Avenues of Attack   391
  Attacking Computer Systems and Networks   392
  Denial-of-Service Attacks   392
  Backdoors and Trapdoors   395
  Null Sessions   395
  Sniffing   396
  Spoofing   397
  Man-in-the-Middle Attacks   400
  Replay Attacks   400
  TCP/IP Hijacking   401
  Drive-by Download Attacks   401
  Phishing and Pharming Attacks   401
  Attacks on Encryption   402
  Address System Attacks   403
  Password Guessing   404
  Software Exploitation   405
  Malicious Code   406
  Malware Defenses   412
  War-Dialing and War-Driving   413
  Social Engineering   414
  Auditing   414
  Chapter 15 Review   416
Chapter 16   E-Mail and Instant Messaging   420
  Security of E-Mail   421
  Malicious Code   423
  Hoax E-Mails   427
  Unsolicited Commercial E-Mail (Spam)   428
  Mail Encryption   431
  S/MIME   432
  PGP   433
  Instant Messaging   435
  Chapter 16 Review   440
Chapter 17   Web Components   444
  Current Web Components and Concerns   445
  Web Protocols   445
  Encryption (SSL and TLS)   446
  The Web (HTTP and HTTPS)   452
  Directory Services (DAP and LDAP)   453
  File Transfer (FTP and SFTP)   454
  Vulnerabilities   455
  Code-Based Vulnerabilities   455
  Buffer Overflows   456
  Java and JavaScript   457
  ActiveX   459
  Securing the Browser   460
  CGI   461
  Server-Side Scripts   461
  Cookies   462
  Signed Applets   464
  Browser Plug-ins   465
  Application-Based Weaknesses   467
  Open Vulnerability and Assessment Language (OVAL)   468
  Web 2.0 and Security   468
  Chapter 17 Review   470
Chapter 18   Secure Software Development   474
  The Software Engineering Process
  Process Models
  Secure Development Lifecycle
  Threat Modeling Steps
  Chapter 18 Review
Chapter 19
Chapter 20   Risk Management   524
  An Overview of Risk Management   525
  Example of Risk Management at the International Banking Level   525
  Risk Management Vocabulary   526
  What Is Risk Management?   527
  Business Risks   528
  Examples of Business Risks   528
  Examples of Technology Risks   529
  Risk Management Models   529
  General Risk Management Model   529
  Software Engineering Institute Model   532
  Model Application   533
  Qualitatively Assessing Risk   533
  Quantitatively Assessing Risk   535
  Adding Objectivity to a Qualitative Assessment   535
  A Common Objective Approach   536
  Qualitative vs. Quantitative Risk Assessment   537
  Tools   538
  Chapter 20 Review   539
Chapter 21   Change Management   544
  Why Change Management?   545
  The Key Concept: Separation of Duties   547
  Elements of Change Management   548
  Implementing Change Management   550
  The Purpose of a Change Control Board   551
  Code Integrity   553
  The Capability Maturity Model Integration   553
  Chapter 21 Review   555
Chapter 22   Privilege Management   560
  User, Group, and Role Management   561
  User   561
  Group   563
  Role   564
  Password Policies   564
  Domain Password Policy   565
  Single Sign-On   567
  Time of Day Restrictions   568
  Tokens   568
  Account and Password Expiration   569
  Security Controls and Permissions   570
  Access Control Lists   571
  Handling Access Control (MAC, DAC, and RBAC)   573
  Mandatory Access Control (MAC)   573
  Discretionary Access Control (DAC)   574
  Role-Based Access Control (RBAC)   575
  Rule-Based Access Control (RBAC)   575
  Chapter 22 Review   576
Chapter 23   Computer Forensics   580
  Evidence   582
  Standards for Evidence   582
  Types of Evidence   582
  Three Rules Regarding Evidence   583
  Collecting Evidence   583
  Acquiring Evidence   583
  Identifying Evidence   585
  Protecting Evidence   585
  Transporting Evidence   586
  Storing Evidence   586
  Conducting the Investigation   586
  Chain of Custody   587
  Free Space vs. Slack Space   588
  Free Space   588
  Slack Space   588
Chapter 24   Legal Issues and Ethics   596
  Cybercrime   597
  Common Internet Crime Schemes   599
  Sources of Laws   600
  Computer Trespass   600
  Significant U.S. Laws   601
  Payment Card Industry Data Security Standard (PCI DSS)   604
  Import/Export Encryption Restrictions   605
  Non-U.S. Laws   607
  Digital Signature Laws   607
  Digital Rights Management   609
  Ethics   611
  SANS Institute IT Code of Ethics   612
  Chapter 24 Review   614
  Essay Quiz   617
Chapter 25   Privacy   618
  Personally Identifiable Information (PII)
  Sensitive PII
  Notice, Choice, and Consent
  U.S. Privacy Laws
  Privacy Act of 1974
  Freedom of Information Act (FOIA)
  Family Education Records and Privacy Act (FERPA)
  U.S. Computer Fraud and Abuse Act (CFAA)
  U.S. Children's Online Privacy Protection Act (COPPA)
  Video Privacy Protection Act (VPPA)
  Health Insurance Portability & Accountability Act (HIPAA)
  Gramm-Leach-Bliley Act (GLBA)
  California Senate Bill 1386 (SB 1386)
  U.S. Banking Rules and Regulations
  Payment Card Industry Data Security Standard (PCI DSS)
  Fair Credit Reporting Act (FCRA)
  Fair and Accurate Credit Transactions Act (FACTA)
  Non-Federal Privacy Concerns in the United States
Appendix A   Objectives Map: CompTIA Security+   640
Appendix B   About the CD   648
  System Requirements   648
  LearnKey Online Training   648
  Installing and Running MasterExam   648
  MasterExam   648
  Electronic Book   649
  Help   649
  Removing Installation(s)   649
  Technical Support   649
  LearnKey Technical Support   649
Glossary   650
Index   664