Security+ SY0-401 Study Guide

PORTS
20 and 21 FTP (TCP) (20 is for data, 21 is for connection/command/control)
22 (TCP) SSH, SCP, and SFTP (all of these are secure/encrypted)
23 Telnet
25 SMTP (TCP) - Outgoing E-mail
49 TACACS/TACACS+ (TCP)
53 DNS (UDP for queries, TCP for zone transfers)
69 TFTP (UDP)
80 HTTP (TCP)
88 Kerberos
110 POP3 - Incoming E-mail
123 NTP (Network Time Protocol, UDP)
137, 138, 139 NetBIOS (file, folder, and printer sharing)
143 IMAP - also for incoming E-mail
161 SNMP (version 3 is the most secure, so use this version if at all possible.)
389 LDAP (non-secure)
443 SSL and HTTPS (TCP) (SSL is used for a secure connection via a web browser.)
636 Secure LDAP, secured with SSL or TLS
1433 MS-SQL Database
1812, 1813 RADIUS (UDP)
3389 RDP (TCP) Remote Desktop
6667 IRC (Internet Relay Chat)

Confidentiality includes:
Encryption
Access Controls
Steganography
Integrity includes:
Hashing
Digital Signatures
Certificates
Non-repudiation
Availability includes:
Redundancy, Load Balancing, Clustering
Fault-tolerance, RAID-1, RAID-5, RAID-6
Patching
Safety includes:
Fencing & Lighting
Locks & CCTV
Escape Plans & Drills
Escape Routes
K-rated fencing (crash-resistant)

Testing these controls

1 - Network Security
1. Port Security and 802.1x (port authentication) will only allow authorized devices to connect to the network. 802.1x can also be configured to only allow authorized USERS.
2. Port Security only grants access to the network if your MAC address (Physical/Hardware address) is on the allowed list.
3. A MAC address can be in the format: 24-0A-64-0E-01-21 or 24:0A:64:0E:01:21.
4. PAT allows many internal devices to share one public IP address.
5. WEP and WPA both use RC4 for encryption. WPA is stronger, however, because it uses TKIP to keep rotating the encryption key.
6. WEP uses IVs (Initialization Vectors) that are too short to be secure. An attacker simply needs to replay the same IVs enough times and then he can deduce the WEP key to connect to the wireless network.
7. WPA2-CCMP is the best security choice for wireless (even better than WPA-TKIP). Remember that CCMP = AES.
8. Disable your SSID broadcast if you don't want your wireless network name to be easily discovered.
9. To ensure your wireless signal does not extend all the way out to the parking lot, lower the power level of the WAP.
10. Isolation mode on an access point will segment each wireless user from the other wireless users.
11. Use open authentication for public wireless.
12. Wireless (or wired) MAC filtering can be circumvented by spoofing your MAC address to clone a valid MAC.
13. Perform a wireless site survey if your wireless network is dropping packets during certain times of day.
14. A Yagi is a high-gain directional antenna that uses a narrow beam to connect WiFi over long distances.
15. WPS (Wi-Fi Protected Setup) is a feature found on wireless access points that makes configuring and connecting to a wireless network quick and easy. You press the WPS button on the WAP, then connect to it with your wireless device, input the PIN, and connect.
16. The WPS PIN feature has been shown to be weak, as it is vulnerable to WPS PIN brute-force attacks that would allow an attacker to connect to your network, and even decipher your wireless traffic. It is recommended to disable WPS on your WAP if possible.
17. If you want to have control over exactly who can have access to your servers, put them on their own VLAN. Next, create an ACL to explicitly identify who is allowed to access that VLAN.
18. VoIP phone calls use the SIP and RTP sub-protocols. It is a best practice to put this traffic on its own VLAN to protect it.
19. BYOD = Bring Your Own Device. It's a good idea to put employees' devices on their own VLAN to protect the corporate network.
20. The term Unified Threat Management describes devices that combine several security controls into one all-inclusive product.
21. Subnetting allows you to divide one large network into several ranges of IP addresses.
22. BIND is the most popular DNS software on the internet. DNS converts human-readable FQDNs (like www.yahoo.com) into the IP address your computer needs.
23. A DNS zone transfer is when two DNS servers synchronize their databases, which uses TCP port 53.
24. EMI shielding can prevent interference on CAT cabling. It can also minimize the risk of data theft.
25. If you incorrectly cable several switches together it can cause a DoS (Denial of Service). The same could happen if you plug both ends of a patch cable into the same switch. Use Spanning Tree to prevent this from causing outages.
26. In Spanning Tree, the switch with the lowest MAC address becomes the Root Bridge.
27. Signature-based IDS and IPS systems rely on downloading attack signature/definition files from the vendor on a regular basis. These files contain attacks or vulnerabilities that are known to the vendor.
28. Behavior/Anomaly/Heuristics-based IDS systems need to be told what type of traffic is normal for your network. Then they will only give you an alarm when abnormal traffic is detected.
29. IDS detects intrusions. IPS stops intrusions. Network-based versions monitor network traffic, whereas Host-based versions monitor one specific machine only.
30. IDPS systems cannot read encrypted traffic. For example, if you are using SSL to secure a website, then your IPS cannot inspect traffic to that site.
31. If you wish to use a packet sniffer, your NIC must be placed in promiscuous mode. Also, if you are connected to a switch, you need to configure port mirroring/spanning to receive a copy of all network traffic.
32. To remotely manage routers and switches, use the TELNET or SSH protocol to access their VTY lines. This gets you access to a command prompt or console.
33. SSH was designed as a secure replacement for TELNET.
34. If your company mandates that at least one (of your 5) virtual terminal lines (VTY) have a different password than the others, configure the lines in two groups (each group also needs the login command for the password to be checked):
line vty 0 3
 password banana123
line vty 4
 password orangexyz
35. A Network-based firewall controls traffic coming into your network. A Host-based firewall controls traffic entering your PC. These most often control traffic based on IP addresses or port numbers.
36. Firewall rules should always implement an implicit DENY. This means that any traffic that does not match the allowed list is denied.
37. An implicit deny in your firewall means that if traffic has not been explicitly allowed, then it is denied.
38. A Proxy Server is a type of reverse-firewall/content-filter that can limit and monitor employee access to external websites. It can also cache web pages for faster viewing.
39. A DMZ is a single interface on your firewall that allows inbound public web traffic. Put your public-facing servers here, such as web, mail, DVR, etc.
40. A DMZ is most likely found in a firewall. It could be in a router also, but it's really the firewall portion of the router that is creating the DMZ.
41. Use a DMZ if you want to allow outsiders to connect to some of your servers, but still protect the rest of your company from those outsiders.
42. A VPN will encrypt traffic between two remote offices. It can also allow home users to access the corporate network securely.
43. NAC (Network Access Control) is a concept that only allows access to the network if certain conditions are met (like checking credentials or running a virus scan first). You should use some type of NAC on your inbound VPN traffic to only allow authorized users to connect.
44. Always change the default passwords on all equipment! If you do not, an attacker will be able to access the administrator account.
45. Cloud computing can store multi-tenant data with different security requirements.
46. CSP = Cloud Service Provider
47. Platform as a Service can be described as an external entity that provides a physical or virtual instance of an installed operating system.
48. 127.0.0.1 is known as the home address or localhost.
49. Some forms of NAC can scan a computer before it is allowed access to the network, and can check for the presence of antivirus software.
50. Load balancing vs clustering: With clustering, the servers all talk to each other. If one goes down, another picks up the slack and the user doesn't even notice. With load balancing, the servers are independent from each other. If a user is directed to one particular server, and it goes down, the user loses his session. Thus, clustering would be better for fault tolerance & high availability.
51. Session affinity is a feature of load balancers that remembers individual users and which server they were previously connected to.
52. Air-gapping: a security measure that makes one or more computers physically isolated from other, unsecured networks. For example, having a closed network of secure servers that have no outside access at all (in or out).
53. A Captive Portal is a company website where you have to sign in or agree to usage terms before you can get internet access. This may cause problems with some internet-connected devices.
54. The term Defense-In-Depth is where you use multiple layers of security devices to make it harder for an attacker to penetrate your network.

2 - Compliance and Operational Security

1. MTBF = Mean Time Between Failures. Operational time divided by the number of failures. Ex: The router has been operating for 1 year (12 months) and has failed twice. 12 / 2 = 6 months MTBF.
2. SLE = Single Loss Expectancy. How much money is expected to be lost during one incident. SLE = AV (asset value) x EF (exposure factor)
3. ARO = Annualized Rate of Occurrence. How many times per year a loss is expected due to a risk.
4. ALE = Annualized Loss Expectancy. The expected monetary loss due to system failures/incidents over a one-year period. ALE = SLE x ARO.
5. RTO = Recovery Time Objective. This is the desired time-frame to restore a system after an outage.
6. RPO = Recovery Point Objective. This is the maximum desired data loss from an outage. The closer to zero your objective gets, the more often you need to perform backups.
7. MOU = Memorandum Of Understanding. This is a loose agreement between two parties to work together towards some goal. It includes wording that defines the responsibilities of each party involved. It could be a security risk if sharing data between them because there may not be strict rules on how to protect the data. A MOU usually lacks detailed security guidelines and procedures.
8. ISA = Interconnection Security Agreement. An agreement between two companies whose networks are connected together, that documents the technical and security requirements of the connection.
9. SLA = Service Level Agreement. Expected performance levels. Includes penalties for failure to perform up to the specified level.
10. NDA = Non-Disclosure Agreement. It is a legally enforceable contract that creates a confidential relationship between a person who holds some kind of trade secret and a person to whom the secret will be disclosed.
11. The two key factors in a vulnerability assessment are impact and likelihood. Assign a number to each, then multiply them together. The risks with the highest risk score should be addressed first.
12. Risks that have a high impact, but are very unlikely, should be transferred (to an insurance company perhaps).
13. Risk transference is when you pay someone else to address a risk for you.
14. When you accept a risk, you are choosing to do nothing about it.
15. The three main security control types are: Operational, Technical, Management.
16. Examples of technical (logical) controls: 1) Least-privilege implementation. 2) Screen savers that lock the PCs after a brief period of inactivity.
17. A written security policy is a management control.
18. Social media / social networking is a new security threat where an employee could potentially disclose confidential or harmful information about the company to the public at large.
19. Information Security Awareness training can help prevent social engineering attacks.
20. After you have established a security awareness program, you should devise a way to take some metrics to determine how successful the program is.
21. Tagging corporate assets with RFID tags could help track when items are removed from the facility.
22. If you have a digital locking system on the door to a room, it is a wise idea for safety reasons to configure the lock to fail-open. If the lock fails, the door will unlock. If it were the other way around, employees could get trapped.
23. It is a good idea to have multiple layers of security controls for defense-in-depth. Also, wherever possible, it is good to have diversity in your defense layers. For example, having two firewalls by different vendors could help mitigate a flaw with one of the firewalls.
24. One problem with auditing is having the manpower to review the logs. Security incidents often go unnoticed in your logs because of this. Establish routine auditing procedures to review the logs regularly.
25. Separation of duties ensures that abuse by one person cannot go unchecked. For example, one person can develop new code, while another must test the code and deploy it. Another example: One person can write checks, but another must sign and distribute the checks.
26. Mandatory vacations reduce the risk of employees working in collusion towards some malicious goal.
27. When employees sign a document stating how their activities may be monitored, this is an example of an Acceptable Use Policy and/or a Privacy Policy.
28. A Clean Desk policy reduces the risk of data loss.
29. Fencing, lighting, locks, and CCTVs are mostly for safety.
30. An important security risk that is commonly overlooked by users is minimal account security procedures.
31. Perform routine user permission reviews to mitigate the risk of users having more access than they should.
32. To make sure employees only have the access they need to do their jobs, first implement Access Control Lists, then conduct regular User Access Reviews.
33. Examples of implementing policies to prevent data loss include: backing up your important files, and making users attend this class!
34. A proper change management plan would include system rollback procedures in case a change to a server causes problems.
35. For legal reasons, be sure to configure warning banners in all of your IT systems. For example: "Warning! Authorized personnel only!"
36. When you first start to analyze a hard disk for a forensic investigation, you should attach a read-only drive connector, hash the drive, capture a system image (copy onto a new drive), then hash the new image to be sure it matches the original hash.
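The hash, image, re-hash, compare sequence from item 36, as an added Python example that is not part of the study guide. It assumes an ordinary file stands in for the suspect drive and that the read-only connector (hardware write blocker) is already in place, since that step cannot be shown in software.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read one megabyte at a time so large drives do not exhaust RAM


def sha256_file(path: str) -> str:
    """Hash a file (or block device) in chunks; returns the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source: str, image: str) -> dict:
    """Order from the guide: hash the original, copy it bit-for-bit to a new
    image, hash the image, and confirm both digests match before any analysis
    touches the copy. The source is only ever opened read-only."""
    original_hash = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_file(image)
    return {
        "original_hash": original_hash,
        "image_hash": image_hash,
        "verified": original_hash == image_hash,
    }


def demo() -> dict:
    """Run the procedure against a constructed 'drive' (a temp file of random
    bytes) so it can be exercised without real hardware."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # constructed data, not a real drive
    result = image_and_verify(source, image)
    # Independently computed digest of the source so the chunked hashing
    # above can be cross-checked; a real case would record this in the chain-of-custody log.
    with open(source, "rb") as f:
        result["expected"] = hashlib.sha256(f.read()).hexdigest()
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    r = demo()
    print("original:", r["original_hash"])
    print("image:   ", r["image_hash"])
    print("verified:", r["verified"])
```

A mismatch between the two digests means the copy is not usable as evidence and the imaging step must be repeated.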
37. In a forensics investigation you should preserve evidence in the Order Of Volatility: 1) CPU cache, 2) RAM, 3) Swap file, 4) Hard drive. Remember CRSH!
38. After a security incident, it is a best practice to have a lessons-learned meeting. This is where you meet with everyone involved and discuss what happened, how it happened, and what changes need to be made to prevent it from happening again.
39. Conducting table-top exercises is a great way to begin developing an Incident Response Plan.
40. When a system gets compromised with malware, the most effective measure would be to wipe the hard disk, reinstall the OS from the original installation media, then restore the company data from backup. Restoring the OS from backup could potentially just restore the malware as well.
41. Clustering is when you have a group of servers working together to increase processing power for an application. It also creates fault tolerance and load balancing.
42. RAID systems are an inexpensive way to increase data availability.
43. Redundancy could prevent data loss due to servers crashing during a power outage.
44. A Hot Site is an active location that can be used immediately during a disaster at your main site.
45. To test your Continuity Of Operations Plan, try doing a live test like powering off a critical server for a day or so.
46. Succession planning is creating a staff hierarchy map, and planning out who will take which duties should a member of the management team become unavailable due to an incident or disaster.
47. Datacenter hot and cold aisles use racks of servers, one behind the other, facing in opposite directions. Hot air goes out the backs into the hot aisle.
48. The HVAC system in your datacenter is to ensure the availability of the data.
49. If you use an FM-200 (CO2) fire-suppression system, be sure to connect it to your HVAC system so the air shuts off when the CO2 is activated.
50. K-rated fencing is crash-test certified.
51. When working with PII, you must abide by the principles of data handling.
52. RAID levels:
a. RAID 0: Two striped disks minimum, no parity. For performance.
b. RAID 1: Exactly two mirrored disks. No stripes. No parity. For fault tolerance.
c. RAID 5: At least three striped disks. One parity stripe. For fault tolerance AND performance.
d. RAID 6: At least four striped disks. Two parity stripes. For fault tolerance AND performance.
53. Logical Security: Software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information.

3 - Threats and Vulnerabilities

1. A vulnerability scan causes very little impact on the system being tested.
2. If a vulnerability scan detects an unpatched application on your server, and that application does not even exist on the server, this is a false positive.
3. Penetration testing, however, actively tests security controls and can cause system instability.
4. A Honeypot or a Honeynet could help you research current attack methods being launched against your company, while at the same time protecting your company. This is because the attacker is targeting a fake system.
5. A Buffer Overflow is an attempt to write too much data into an application's memory. If successful, this can crash the application and cause a DoS.
6. If your application frequently crashes due to memory errors, and you suspect malware, it is probably a buffer overflow attack.
7. You open an e-mail attachment, and your application crashes. This could be due to a buffer overflow attack in the attachment.
8. XSRF = Cross-Site Request Forgery. To mitigate this threat: 1) Use input validation. 2) Restrict and sanitize the use of special characters in input.
9. A Web Application Firewall (WAF) is software or a hardware device that can protect a web server from web-based attacks like cross-site scripting, buffer overflows, directory traversal, etc.
10. A Zero-Day exploit is one that has just been announced, or is so new that there isn't even a fix for it yet.
11. A Logic Bomb is a type of attack that can be executed when a certain date or condition is met.
12. If some employees are getting the same phishing e-mail, add the sender's domain to your block list to prevent the e-mail from being received by other employees.
13. Use baseline reporting to monitor the security posture of your systems. Another good idea is continuous security monitoring.
14. The term Advanced Persistent Threat describes a group of well-organized attackers, possibly from an enemy country, who use very sophisticated and targeted attacks.
15. White Box testing is when you have intimate knowledge of the system being tested. With Black Box you have no knowledge. Gray Box is the middle ground and you have limited knowledge of the system being tested.
16. Typo Squatting is when a competitor registers frequently misspelled versions of your company URL, and directs that traffic to their own site.
17. Ransomware holds your data hostage, and if you don't pay the attacker, your data will be deleted (or will remain unreadable).
18. An armored virus is difficult to reverse-engineer in a lab.
19. Key-generators are well known for containing trojans. Be sure to only run software from reputable sources.
20. When anti-virus software identifies a benign application as malware, it is known as a false positive.
21. False positives result in significant overhead from incorrect reporting.
22. Tracking cookies sometimes appear as spyware to your anti-spyware software.
23. If a heuristic/behavior/anomaly-based system detects an attack, even though your signature-based systems missed it, then this is a zero-day attack.
24. The term Scarcity describes a social-engineering trick where the attacker gets the user to click on a link for a limited time or limited quantity offer.
25. An IV attack intercepts wireless authentication traffic in an attempt to gain access to the wireless network.
26. A DDoS attack originates from numerous IP addresses.
27. A DDoS (Distributed Denial of Service) is where multiple computers attack a single target to deplete its resources and make it unavailable to others.
28. If you want to prevent someone from attaching a rogue access point to your switch, simply use port security and define authorized MAC addresses.
29. If you have five wireless networks, and suddenly you see a sixth SSID show up on your scan, someone has set up a rogue access point.
30. If your wireless network is supposed to have only one SSID and four WAPs, but your scan shows one SSID and five BSSIDs (5 WAPs), then you likely have an evil twin. (BSSID is the MAC address of the WAP and serves to identify individual WAPs on the wireless network.)
31. Defense against Evil Twin: Many wireless NIC apps will allow you to specify the MAC address (BSSID) of a trusted WAP. Now if someone tries to impersonate an SSID, your NIC won't connect to it because it has the wrong MAC address.
32. Disabling SSID broadcast stops someone who is passively sniffing the network from seeing the SSID name. To further hide your wireless network, you also need to disable broadcast probe-request responses. A probe request is where a client actively broadcasts a request for SSIDs, and all the WAPs in the area respond back with their SSID.
33. Vishing is calling people on the phone attempting to trick them, either into giving out information, or for some other malicious reason.
34. When an attacker maps out a company's staff hierarchy in order to send targeted e-mails, this is known as Whaling (going after the big fish).
35. Social Engineering could take advantage of principles of urgency, intimidation, familiarity, authority, etc.
36. War dialing is a step used in verifying the strength of the security controls on a modem pool.
37. DNS poisoning and host-file tampering can cause you to be directed to spoofed/fake websites.
38. Bluejacking is sending unwanted advertisements to a mobile device.
39. Changing the key-punch locks on your doors to proximity readers instead can mitigate shoulder surfing.
40. It is recommended to not give too much personal information on social-media sites so as to prevent cognitive password attacks.
41. If a user has forgotten his/her password on a password-protected file, you could try using a brute-force attack to guess the password.
42. Use a password cracker to check the complexity of users' passwords.
43. If you wish to view successful and failed log-in attempts for your systems, check the security log.
44. An ARP poisoning attack can be used to later launch a man-in-the-middle attack.
45. The fastest way to find out which version of SSH is running on a remote server is by banner grabbing. Try connecting and look at the banner information displayed. It will contain the version number.
46. DEP (Data Execution Prevention) is a security feature in modern OSs that protects the PC's memory from malware.
47. You would use a Protocol Analyzer (sniffer) to identify a problem between two systems that aren't communicating properly.
48. Active vs passive scanning: passive sends no traffic to the target; it only listens. Active sends traffic and then watches the replies.
49. You find a rogue switch hidden in the ceiling above the CEO's office, with various cables connected to his office. This was likely placed there by an attacker to do packet sniffing on the CEO's traffic.
50. The BEST way to prevent tailgating is the use of security guards. If you have a limited budget though, you could just use a camera and DVR to monitor access. That would let you detect tailgating, but not necessarily prevent it.
51. An attack against an application using a malicious file on your workstation would be considered a client-side attack.
52. In Linux, you can lock a user in his home directory by using what is known as rootjail. You could try to use a directory-traversal attack to attempt to break out of rootjail (../../../).
53. Referrer URL is a field in the HEADER of web traffic that lists the website that referred, or redirected, the user to the new site. It shows where the web request originated.
54. CVEs = Common Vulnerabilities and Exposures. There are lists of these on a few popular websites.
55. Exploit kits are tools that can take advantage of CVEs.
56. Many botnets, Trojans, and other malware can be remote-controlled using IRC, which uses port 6667.
57. Syslog is a service that collects events from your network and stores them in log files with time & date stamps. For added security, set up a remote Syslog server and only give several authorized admins access to it.

4 - Application, Data, and Host Security

1. Patch Management is a formalized, structured process for keeping your operating systems, applications, hardware, etc. updated with the most recent fixes and security patches.
2. Patch Management involves acquiring, testing, deploying, and then auditing patches.
3. If you have a group of servers that for some reason you cannot update or patch regularly, segment them into their own network/VLAN to protect them.
4. Virtual machines are a great platform to test new patches/applications/security controls before deployment.
5. Virtual machines contain a snapshot feature that lets you quickly make a clone/copy. It's a good idea to do this before installing new patches, applications, etc. to a VM. If something goes wrong, just roll it back to the snapshot you made.
6. Virtual Machine Bridged Mode vs NAT: With Bridged mode, the host NIC acts like a switch, so the VM appears on the network just like any other computer, has its own MAC, and gets its own IP address from the DHCP server. With NAT mode, the host NIC acts like a router, so the VM then is on its "own" network and is hidden from other networks.
7. Hardening is the process of reducing a system's attack surface, and strengthening a system's security posture. For example, to harden an OS you would disable/remove unnecessary services and programs.
8. A good way to implement OS hardening is the use of GPOs (Group Policy Objects).
9. Input Validation should always be done on the server side/back-end. It's OK to do it on the front-end also, but always assume data going to your database server is potentially hostile and must be sanitized.
10. Input Validation helps protect against buffer overflows, SQL/command injection, cross-site scripting (XSS), and cross-site request forgery (XSRF) attacks.
11. Using a WAF (Web Application Firewall) in front of your web & database servers will provide input validation services and sanitize the incoming data.
12. Fuzzing is an application testing technique that sends the app unusual or unexpected input. Basically it blasts the program with random characters.
13. One very common risk that affects businesses day-to-day is the lack of antivirus software or old/outdated virus signatures.
14. Encrypted TCP wrappers can protect your data while in transit.
15. If you use application whitelisting, then only approved applications (with digital signatures) can be run (for example, Microsoft's AppLocker).
16. Application blacklisting is the reverse of whitelisting. Where whitelisting creates a list of known-good programs that are allowed to run, blacklisting creates a list of known programs that are NOT allowed to run.
17. Your applications should be robust enough to handle errors/exceptions without being disabled. Craft your application in such a way that if a program module crashes, the module will automatically restart.
18. Error and exception handling is a common problem that developers need to consider. When an exception happens, don't let it disable the app. Also, the error message should not give away vital information about the application's inner programming code. Example: "Error 12: Contact the Administrator"
19. Error and exception handling, along with input validation, helps prevent buffer overflow attacks.
20. Code Review/Peer Review is having a developer inspect another developer's code for errors or anything malicious. It's part of change management.
21. DLP = Data Loss Prevention. This is whatever hardware/software/policies you have in place to prevent confidential data from leaving your company.
22. Full-disk encryption prevents clear-text access and is strong protection for data at rest.
23. File-level encryption will ensure that a file remains encrypted, even when copied to a USB drive or across the network. With full-disk encryption, once the file is read into memory, it is no longer encrypted.
24. TPM and HSM are hardware devices that can generate and store private keys.
25. Some tablets these days have TPM chips inside.
26. Hardware encryption is always faster than software encryption. On a server, you can use an HSM (Hardware Security Module) for this.
27. If you are going to encrypt USB drives, you must implement the encryption correctly, or else the security controls on the drives could be bypassed.
28. If you issue bootable USB drives to employees, create two partitions. On the first partition put your bootable OS. The second partition can be used for your company data, and should be encrypted.
29. Database field encryption can secure the data in case an attacker somehow gets a copy of the whole database.
30. Encrypted files are generally larger than unencrypted files.
31. Deploying mobile devices on your network could be a large security risk due to the potential of your data leaking to the outside world.
32. One way to reduce the risk of company-issued mobile devices is to disable the use of removable media.
33. Before sending hard drives off to be destroyed, it is recommended to first encrypt the disk, then wipe/sanitize it.
34. If you want to delete sensitive data, be sure to implement some type of Data Sanitization routine.
35. Degaussing is the act of magnetically erasing all data on a disk.
36. Mobile Device Management (MDM) is an industry term for the administration of mobile devices when connected to a corporate network.
37. BYOD = Bring Your Own Device. If you are allowing employee devices to connect to the corporate network, be sure to require screen locks and device encryption in case the device gets lost or stolen.
38. A good practice to prevent the leaking of sensitive documents is to put all of your printers on a separate printer network/VLAN.
39. If a security flaw has been announced, Asset Tracking will let you know if your company has any of the affected systems.
40. Be careful about using geo-tagging on pictures you take! For example, if you post to Facebook geo-tagged pictures of your house, then everyone will know your address.
41. You can disable geo-tagging in a phone's camera app so it won't include GPS coordinates in the photos. If you want to completely stop geo-tagging for all your apps, turn off Location Services in your phone's settings.
42. If temporary employees need access to a folder, a good idea would be to create a new security group, maybe "tempworkers", assign the group the read permission to the folder, and add the employees to the group.
43. Design reviews can help ensure that your systems and software are being developed properly.
44. Controls that could be used to secure a smart phone:
a. Screen lock
b. Device Encryption
c. Remote Wipe
d. GPS Tracking
e. Strong Password
45. Controls that could be used to secure a server:
a. Strong password
b. Pop-up blocker
c. Cable locks
d. Antivirus
e. Host-Based Firewall
46. SAN = Storage Area Network. It's a whole network of disks used for data storage. A VSAN is a type of VLAN but specifically for your SAN. It isolates groups of disks/storage servers just like a VLAN isolates groups of users.
47. SAN: Fibre Channel vs iSCSI: if you're using an Ethernet network and VLANs, use iSCSI as the protocol to access the SAN. If you're using fiber networks and creating VSANs, you could use Fibre Channel instead, which is theoretically faster.

5 - Access Control and Identity Management

1. USB token and PIN, when used together, offer two-factor authentication.
2. Username, password, and PIN, when used together, are single-factor. (They're all something you know.)
3. Thumb-readers = something you are. Smart cards = something you have.
4. SomeWHERE you are: an authentication factor that helps prove your identity by the location your traffic is coming from.
5. The more authentication factors you have (know, have, are, etc.), the stronger/more secure the system is.
6. Account lockout settings could foil brute-force attacks against passwords, PIN numbers, or any other "something you know" authentication factors.
7. To prevent users from re-using existing passwords, you need to use both password history and minimum password age controls.
8. Use some form of SSO (Single Sign-On) to access data from multiple applications across the company.
9. Kerberos and LDAP are used for SSO (Single Sign-On) functionality.
10. An LDAP query for john@example.com would contain verbiage such as dn: cn=John, dc=example, dc=com.
11. With Kerberos, the TGT (Ticket Granting Ticket) is used for authentication.
12. Kerberos packages user credentials in a ticket.
13. Kerberos utilizes a KDC (Key Distribution Center) to issue tickets.
14. Kerberos is an authentication protocol that can communicate with an Active Directory infrastructure.
15. Two drawbacks of Kerberos are that it is a central point of failure, and it is prone to time restrictions. Make sure all your clocks are synchronized!
16. Kerberos includes time-stamping, so all clocks MUST be synchronized, usually with NTP.
17. Kerberos mutually authenticates clients and servers, and allows an admin to centrally revoke a client certificate to deny access.
18. Security guards can provide access based on facial recognition.
19. If you wish to change the admin password across many computers at once, use a group policy.
20. The two best ways to secure passwords are length and complexity. Length is most important, followed closely by complexity.
21. The best password complexity uses upper-case, lower-case, special characters, and numbers. The more of these types of characters you use, the more complex the password.
22. SAML = Security Assertion Markup Language. It's an XML-based open standard for exchanging authentication and authorization information between different parties.
23. SAML is an open SSO standard that allows for the exchange of authentication and authorization information across many applications.
24. SAML uses terms such as Identity Provider, Service Provider, and User/Principal.
25. TOTP = Time-based One Time Password. This uses a password that is only valid for a short period of time. An RSA token is an example of this.
26. If you need to create a temporary user account for a temp worker, a contractor, or a consultant, be sure to use account expiration when creating the account. (In case you forget to delete the account later.)
27. Account expiration disables accounts when the time limit is up.
28. Disable unnecessary user/system accounts to prevent unauthorized log-ins.
29. To better protect your customer data, utilize encryption and stronger access control.
30. In a Unix environment, the Root account is the Admin account. Be sure this has a strong password!
31. RADIUS, TACACS, TACACS+, and Diameter are all AAA services (Authentication, Authorization, Accounting/Auditing).
32. Diameter is a new AAA system designed to replace RADIUS and is even more secure.
33. Some of Diameter's advances over RADIUS include the use of SCTP (Stream Control Transmission Protocol) and TLS (Transport Layer Security) for reliable packet transmission. RADIUS only uses UDP, which is unreliable.
34. Both 802.1x (port authentication) and WPA2-Enterprise would require a RADIUS server (or some type of AAA server).
35. RADIUS is better than TACACS+ in a mixed-vendor environment since RADIUS is more compatible with different operating systems and apps.
36. When using an AAA server (like RADIUS, for example) together with EAP, client computers will need certificates installed or users need their own certificates. Either way, the user or device must present a valid certificate to be allowed access to the network.
37. It is a wise idea to prohibit the use of shared accounts! Shared accounts make it impossible to track individual user activities.
38. A great way to manage folder security on a server is to create security groups for each folder and assign the appropriate users to each group.
39. If you have an employee who needs to view documents belonging to several different departments, create a new security group, add that employee, then give that group permissions to view all the required documents.
40. Time of Day access control will limit what times/days users can access the network.
41. Rule-Based Access Control (RBAC) is used by firewalls and ACLs.
42. Use group-based privileges and RBAC (Role-Based Access Control) if your department has high employee turnover. (Yes, another RBAC!)
43. Separation of Duties helps prevent abuse by employees who handle too many job functions. (Use Role-Based Access Control and create separate roles.)
44. MAC (Mandatory Access Control) is used more by governments. DAC (Discretionary Access Control) is used more by corporations.
45. DAC allows you to set file and folder permissions on objects you create/own.
46. The MAC access control model is used in Trusted OS implementations.
47. Mandatory Access Control (MAC) is based on security classifications, sensitivity labeling, and need-to-know.
48. The MAC access control model uses file sensitivity labels such as Secret, Confidential, Restricted, and Unclassified.
49. A Trusted-OS implementation will separate data according to their sensitivity labels, and forces the services to operate within a strict rule set. For example, it won't let secret and confidential data co-mingle.
50. Continuous monitoring and review of user access can help detect the unauthorized use of valid employee accounts.
51. CHAP and PAP are used to authenticate point-to-point connections (a connection between two routers, for example).
6 - Cryptography
1. SSL was a huge achievement in providing worldwide internet security with the signing of certificates.
2. TLS is a competitor to SSL. It is actually better than SSL.
3. Using a wildcard certificate reduces the certificate management burden.
4. A single wildcard certificate can be used for many different devices/computers/web-pages within the same domain.
5. Subject Alternative Name (SAN) certificates can be used with multiple different domains. For example, one cert can be used to protect www.mycompany.com and www.mycompany.net. This is different from a wildcard certificate. A wildcard cert can protect all first-level subdomains of one particular domain, for example *.example.com. That's <anything> at example.com.
6. Hashing converts data into a string of characters that cannot be reversed.
7. A birthday-attack is an attempt to crack hashed passwords by using a list of the most commonly used passwords.
8. Salting makes password hashes harder to decrypt by adding additional text to each password before it is hashed.
9. Hashing is used to verify data integrity and to detect changes. Some hashing algorithms include MD5, SHA-0, SHA-1, SHA-2, SHA-3, HMAC, and RIPEMD.
10. You could take hashes of all your system files to create a baseline. Later, if you suspect someone has tampered with a file, take new hashes and compare to the baseline.
11. Both MD5 and SHA are well known for having collisions. MD5 is worse.
12. Digital signatures provide a method to ensure data is authentic and originated from the claimed source. They also provide an integrity check by hashing the message first.
13. Encryption can secure data in-transit as well as data at-rest. Encryption ensures the confidentiality of the data.
14. A stream cipher encrypts data one bit at a time as it's being transmitted.
15. A block-cipher encrypts one block of data at a time, sends it, then works on the next block.
16. Steganography attempts to hide data in other files, usually in image or sound files.
17. For confidentiality, use the recipient's public key to encrypt, and the recipient's private key to decrypt.
18. For signing, use the sender's private key to encrypt the message digest, then use the sender's public key to decrypt the message digest.
19. Signing is also used for non-repudiation. The sender cannot deny having sent an e-mail. Signing proves where the message/data came from.
20. Use a dual-key-pair to both sign and encrypt an e-mail: the sender's keys for signing, and the recipient's keys for the encryption/confidentiality part.
21. SSH (Secure Shell) can encrypt data in-transit. PGP/GPG can encrypt data in-transit or data at-rest.
22. RC4 can be used for wireless encryption and can use keys anywhere from 40 to 128 bits long.
23. The CRL (Certificate Revocation List) is a database of revoked certificates and contains the public keys of the revoked certs.
24. In case the company's primary CA is unavailable, be sure that a copy of the CRL is available to each of your company locations to ensure that users with bad certificates cannot gain access to the network.
25. When an employee is terminated, update the CRL immediately so he/she cannot use his/her smart card to access the building or network.
26. A smart card is an employee badge that is encoded with encryption keys and specific personal information. They can be used to provide access to the network, to sign e-mails, or to encrypt/decrypt the employee's data.
27. Certificates can be used for many things, including client authentication, signing, and encrypting data at-rest or data in-transit.
28. If your CA has been compromised, be sure to publish the CA's public key to the CRL to warn users not to trust anything signed with the CA's stolen keys.
29. OCSP = Online Certificate Status Protocol. This is a competitor to the CRL protocol and can remotely check the status of a certificate. OCSP query responses are either good, unknown, or revoked.
30. If you receive a new smart-card, be sure the admin publishes the new certificate to your company's Global Address List (GAL) so you can send signed e-mails or receive encrypted e-mails from others.
31. If a website needs a new certificate, generate a CSR (Certificate Signing Request) for the site, and submit it to the CA (Certificate Authority).
32. When you generate a CSR, the first step that is done is that a private key is created using RSA. Next, a public key is derived from that private key. The public key is then sent to the CA (in the CSR) to be signed.
33. In PKI (Public Key Infrastructure), a CA issues and signs all root certificates.
34. In a large PKI deployment, the Root CA can certify intermediate CAs.
35. In PKI, all parties involved must trust the CA.
36. If you create a new CA for your company, be sure to deploy the new CA certificates to all clients. Otherwise, they'll get certificate warnings when visiting sites that have certs issued by the CA.
37. If your e-mail client states that a digital signature is invalid and the sender cannot be verified, you are most concerned with the integrity of the digital signature. The authenticity is questionable.
38. When securing data in-transit using IPSec, you have to choose the mode, encryption method, and security associations.
39. RC4 encryption is commonly used by WEP, TKIP (WPA), and SSL.
40. If company A trusts company B, and B trusts C, then A trusts C also. This describes a transitive trust.
41. When you need to read an ex-employee's encrypted data, have the Recovery Agent retrieve the employee's key from Key Escrow.
42. ECC (Elliptic Curve Cryptography) is an asymmetric cipher that creates stronger encryption with shorter-length keys.
43. ECC is recommended for mobile devices that need minimal overhead.
44. ECDSA = Elliptic Curve Digital Signature Algorithm. Based on ECC and used for digital signatures.
45. ECDHE = Elliptic Curve Diffie-Hellman Exchange. Key exchange using ECC instead of RSA.
46. AES comes in 3 bit-strengths: AES-128, AES-192, and AES-256.
47. PGP can be used to protect e-mail, and uses asymmetric cryptography for the key exchange.
48. To digitally sign an e-mail with PGP, you first need to create a public and private key. Remember that PGP is asymmetric!
49. One-time pads are considered unbreakable when properly used, and require both parties to exchange the encryption key before communicating.
50. Be wary if your application developer wants to create and use his own encryption protocol. New protocols often introduce unexpected vulnerabilities, even if developed with secure and tested libraries.
51. To protect VPN traffic, you can use IPSec or SSL.
52. Diffie-Hellman can be used for key exchange in a VPN tunnel.
53. Digitally signing data does two things: first, it proves the data is authentic, and second, it provides an integrity check and can prove the data has not been changed or tampered with.
54. TLS is similar to SSL and can be used, for example, to secure the connection between two mail servers.
55. HTTPS uses an asymmetric key to open a session, then exchanges a symmetric key for the remainder of the session.
56. Secure LDAP can use SSL or TLS for encryption.
57. SFTP (port 22) is the encrypted version of FTP. Used to secure the transferring of large files over a network.
58. SNMP can be used to monitor network devices and gather performance data.
59. Fuzzy hashing can detect similarities in malware. It's not just black-and-white like regular hashing. Now the items being compared can be similar and don't need to be an exact match.
60. RDP sessions are encrypted by default (as long as you're using a current version of RDP).
61. While RDP is generally secure, you can further secure it by forcing it to use a TLS/SSL certificate and travel over port 443 instead of the default 3389.
62. NetBIOS is a communication protocol often used for file and printer sharing, and uses ports 137, 138, and 139.
63. Resetting an employee's password will break the link to his encrypted files and he won't be able to access them any longer.
64. Key stretching is making a weak key more secure by using one of several methods to make it longer.
65. Perfect Forward Secrecy (PFS), when enabled in IPSec, protects the session keys should a private key be discovered. Basically, it forces a brand-new session key to be used every time the IPSec tunnel is established.
66. PFS creates ephemeral keys, that is, short-lived encryption keys that never get used again.
67. PBKDF2 = Password-Based Key Derivation Function 2. This takes a user's password and creates an encryption key from it.
68. A Recovery Agent is a "master" encryption key for your network. If an employee encrypts a file, then either loses his key, leaves the company, or refuses to decrypt it, you can use the DRA (Data Recovery Agent) to decrypt the file.
69. Hardware security modules (HSMs) can provide a hardened, tamper-resistant environment for secure cryptographic processing, key protection, and key management. (Can be used to protect your key escrow!)
70. SFTP and FTPS are both secure replacements for FTP (along with SCP).
71. HTTP can use SSL or TLS for security. Both create an HTTPS session. TLS is the new name for SSL and is much more secure, especially since SSLv3 had some major vulnerabilities.
72. With Secure LDAP (LDAPS), the LDAP queries are protected with SSL certificates, just like HTTPS is.
73. Be sure your client computers trust the CA that signed the LDAP server's certificate!
Acronyms
3DES - Triple Digital Encryption Standard
AAA - Authentication, Authorization, Accounting/Auditing
ACL - Access Control List
AES - Advanced Encryption Standard
AH - Authentication Header
ALE - Annualized Loss Expectancy
AP - Access Point
ARO - Annualized Rate of Occurrence
ARP - Address Resolution Protocol
AUP - Acceptable Use Policy
BCP - Business Continuity Plan
BIOS - Basic Input / Output System
BOTS - Network Robots
BSSID - Basic Service Set Identifier
BYOD - Bring Your Own Device
CA - Certificate Authority
CAC - Common Access Card
CAN - Controller Area Network
CCMP - Counter-Mode / CBC-Mac Protocol
CCTV - Closed Circuit Television
CERT - Computer Emergency Response Team
CHAP - Challenge Handshake Authentication Protocol
CIRT - Computer Incident Response Team
COOP - Continuity Of Operations Plan
CRC - Cyclical Redundancy Check
CRL - Certificate Revocation List
CSR - Certificate Signing Request
DAC - Discretionary Access Control
DCFLDD - Defense Computer Forensics Labs Data-Dump
DDOS - Distributed Denial Of Service
DEP - Data Execution Prevention
DES - Digital Encryption Standard
DH - Diffie-Hellman
DHCP - Dynamic Host Configuration Protocol
DLL - Dynamic Link Library
DLP - Data Loss Prevention
DMZ - Demilitarized Zone
DNS - Domain Name Service / Server
DOS - Denial Of Service
DRP - Disaster Recovery Plan
DSA - Digital Signature Algorithm
DTP - Dynamic Trunking Protocol
EAP - Extensible Authentication Protocol
ECC - Elliptic Curve Cryptography
EF - Exposure Factor
EFS - Encrypting File System
EMI - Electromagnetic Interference
ESP - Encapsulating Security Payload
FTP - File Transfer Protocol
GPG - GNU Privacy Guard
GPO - Group Policy Object
GPS - Global Positioning System
GPU - Graphics Processing Unit
GRE - Generic Routing Encapsulation
HDD - Hard Disk Drive
HIDS - Host-based Intrusion Detection System
HIPS - Host-based Intrusion Prevention System
HMAC - Hashed Message Authentication Code
HSM - Hardware Security Module
HTML - Hypertext Markup Language
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol over SSL
HVAC - Heating, Ventilation, Air Conditioning
IaaS - Infrastructure as a Service
ICMP - Internet Control Message Protocol
ID - Identification
IKE - Internet Key Exchange
IM - Instant Messaging
IMAP4 - Internet Message Access Protocol v4
IP - Internet Protocol
IPSEC - Internet Protocol Security
IRC - Internet Relay Chat
ISA - Interconnection Security Agreement
ISP - Internet Service Provider
IV - Initialization Vector
KDC - Key Distribution Center
L2TP - Layer-2 Tunneling Protocol
LANMAN - Local Area Network Manager
LDAP - Lightweight Directory Access Protocol
LEAP - Lightweight Extensible Access Protocol
MAC - Mandatory Access Control / Media Access Control
MAC - Message Authentication Code
MAN - Metropolitan Area Network
MBR - Master Boot Record
MD5 - Message Digest 5
MDM - Mobile Device Management
MOU - Memorandum Of Understanding
MSCHAP - Microsoft Challenge Handshake Protocol
MTBF - Mean Time Between Failures
MTU - Maximum Transmission Unit
NAC - Network Access Control
NAT - Network Address Translation
NIDS - Network-based Intrusion Detection System
NIPS - Network-based Intrusion Prevention System
NIST - National Institute of Standards and Technology
NOS - Network Operating System
NTFS - New Technology File System
NTLM - New Technology Local Area Network Manager
NTP - Network Time Protocol
OCSP - Online Certificate Status Protocol
OOV - Order Of Volatility
OS - Operating System
OSI - Open Standards Interconnect
OTP - One Time Pad
OVAL - Open Vulnerability Assessment Language
PAP - Password Authentication Protocol
PAT - Port Address Translation
PBX - Private Branch Exchange
PEAP - Protected Extensible Authentication Protocol
PED - Personal Electronic Device
PGP - Pretty Good Privacy
PII - Personally Identifiable Information
PIV - Personal Identity Verification
PKI - Public Key Infrastructure
POTS - Plain Old Telephone Service
PPP - Point to Point Protocol
PPTP - Point to Point Tunneling Protocol
PSK - Pre-Shared Key
PTZ - Pan, Tilt, Zoom
RA - Recovery Agent
RAD - Rapid Application Development
RADIUS - Remote Authentication Dial-In User Service
RAID - Redundant Array of Inexpensive/Independent Disks
RAS - Remote Access Server
RBAC - Role-Based Access Control
RBAC - Rule-Based Access Control
RDP - Remote Desktop Protocol
RPO - Recovery Point Objective
RSA - Rivest, Shamir, & Adleman
RTO - Recovery Time Objective
RTP - Real-time Transport Protocol
S/MIME - Secure / Multi-purpose Internet Mail Extensions
SaaS - Software as a Service
SAML - Security Assertion Markup Language
SCADA - Supervisory Control And Data Acquisition
SCAP - Security Content Automation Protocol
SCP - Secure Copy Protocol
SCSI - Small Computer System Interface
SDLC - Software / System Development Life Cycle
SDLM - Software Development Life-cycle Methodology
SEH - Structured Exception Handling
SFTP - Secure File Transfer Protocol
SHA - Secure Hashing Algorithm
SHTTP - Secure Hypertext Transfer Protocol
SIM - Subscriber Identity Module
SIP - Session Initiation Protocol
SLA - Service Level Agreement
SLE - Single Loss Expectancy
SMTP - Simple Mail Transfer Protocol
SNMP - Simple Network Management Protocol
SONET - Synchronous Optical Network Technologies
SPIM - Spam over IM
SSH - Secure Shell
SSID - Service Set Identifier
SSL - Secure Socket Layer
SSO - Single Sign-On
STP - Shielded Twisted Pair
TACACS - Terminal Access Controller Access Control System
TCP/IP - Transmission Control Protocol / Internet Protocol
TGT - Ticket Granting Ticket
TKIP - Temporal Key Integrity Protocol
TLS - Transport Layer Security
TOTP - Time-based One Time Password
TPM - Trusted Platform Module
UAT - User Acceptance Testing
UPS - Uninterruptable Power Supply
URL - Universal Resource Locator
USB - Universal Serial Bus
UTM - Unified Threat Management
UTP - Unshielded Twisted Pair
VLAN - Virtual Local Area Network
VM - Virtual Machine
VoIP - Voice over Internet Protocol
VPN - Virtual Private Network
VTC - Video Teleconferencing
VTY - Virtual Teletype Terminal
WAF - Web Application Firewall
WAP - Wireless Access Point
WEP - Wired Equivalent Privacy / Wireless Encryption Protocol
WIDS - Wireless Intrusion Detection System
WIPS - Wireless Intrusion Prevention System
WPA - Wi-Fi Protected Access
XSRF - Cross-Site Request Forgery
XSS - Cross-Site Scripting