Tuesday, January 25, 2011

Security+ Exam Objectives 3.9

3.9 Physical Access Security Methods

The idea behind physical access security methods is to keep an unauthorized user from physically touching or gaining access to a computer system or network. Though we often spend a lot of time and focus on internally securing networked systems, many times there isn’t much thought put into externally protecting them. Just how secure is a system that is physically accessible to each and every employee? Internal attacks, misuse, and sabotage are all too common in the workplace, making physical security a must-have.

· Physical access logs/lists – Physical access logs and lists record who had access to a particular piece of hardware and at what time. They come in handy at audit time as well as when a security breach occurs, since it is helpful to know who could have been involved.
· Hardware locks – Hardware locks can be used to secure highly classified servers or computer systems as well as everyday systems that may hold confidential data. These pieces of hardware are locked and secured and can only be accessed if the proper key is used to open the lock.
· Physical access control (ID badges) – ID badges can be used in various ways: to enter a secure room, to exit one, and so on.
· Man-trap – Often used only in highly secure locations. These traps require visual identification along with authentication before access is granted. Man-traps allow only one or two users at a time to enter the secured location and can contain someone who is hostile or cannot be authenticated, keeping them from reaching any sort of information.
· Physical tokens – Simply put, physical tokens are something a user must have in order to access certain resources on the network. These tokens generate a one-time-use password to authenticate the user’s identity. SecurID is a prime example.
It is also important to be aware of door access systems. Note the different types (stand-alone and centrally managed) and be able to tell the difference between the two. Be aware of how these systems provide security. Video surveillance is also important for this section; the types of cameras used and how they are positioned are extremely important for quality physical security.
GetCertify4Less and GetCertified4Less

Thursday, January 20, 2011

CompTIA Security+ Objectives 3.8

3.8 Explain the difference between identification and authentication (identity proofing).

While they are two similar words, it’s important to note that identification and authentication are not the same. When examining the two, identification is a broader word that covers a general topic, while authentication is specific and often refers to identity authentication. When it comes to authentication, there is a need for 100% proof that cannot be proven wrong. Identification, on the other hand, is simply a match between data sets, which may or may not be refuted.

In dictionary terms, identification is “the act of recognizing specific objects as a result of remembering.” On the other hand, authentication is “the proof that something is genuine.” Think of it this way. When something is identified you are only placing a label on it. Yes, a computer can identify a user trying to access a resource, but the important part is authenticating the user. Authentication means not only identifying the user, but ensuring that the user’s identity has been verified to be accurate.

Identification on its own can be false. Think of a birth certificate. People can forge them, make fake ones, and so on. Though it is an obvious way of identifying someone, there isn’t any proof that the identity they are using is true.


Tuesday, January 18, 2011

CompTIA Security+ Exam Objectives 3.7


3.7 Authentication Models

When it comes to authentication, there are various models that can be used in order to prove a user’s true identity. All of these models can be used, though some are more commonly used than others. Keep all of them in mind and know the differences and what type of system each is used on most often.

· Biometric reader – Biometric readers are devices that scan or view a user’s fingerprint, iris, or other features in order to authenticate. The hardware is made to scan a certain body part, which is used as a piece of identification. Biometric readers have downfalls when it comes to false rejection rates.

· RADIUS – Remote Authentication Dial-In User Service, better known as RADIUS, is a networking protocol that provides centralized authentication, authorization, and accounting management so that computers can connect to and utilize a network service. RADIUS is often used by ISPs to manage internal networks, wireless networks, email services, DSL, web servers, VPNs, and more.

· RAS – Remote Access Services can be a combination of software and hardware that enables remote access to tools hosted on a network. A RAS server combines multiple channels of communication into a single one: you’ll have multiple machines connecting to a single resource or a single machine connecting to various resources. RAS servers can provide virtual and physical resources.

· LDAP – Lightweight Directory Access Protocol. The current LDAP version is version 3, and it is used to query and modify data held in directory services running over IP networks.

· Remote access policies – Remote access policies are a set of rules that define how connections are authorized or rejected. Each rule is accompanied by conditions, remote access permission settings, and profile settings. When a connection is authorized, the remote access policy applies a certain set of connection restrictions.

· Kerberos – Kerberos is an authentication protocol that allows users to use single sign-on to a network. It uses a key distribution center (KDC) that manages and completes the process. The KDC authenticates the user or program and then provides a ticket which can be used to authenticate to other users, programs, and so on. Note how widely used Kerberos is.

· CHAP – Challenge Handshake Authentication Protocol works by challenging a system in order to verify a user’s or program’s identity. CHAP is an upgrade to PAP because it utilizes a one-way hashing technique, unlike PAP. However, the three-part handshake agreement is still in place.

· PAP – Password Authentication Protocol does not provide a true sense of security, but it is used to authenticate. It is known for its simplicity and is used to validate a user, through a password, before any access is granted.
Mutual authentication, 802.1X, remote authentication, and TACACS are also important in this section. Be aware of them and make note of how they provide authentication.
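To make the CHAP and PAP contrast above concrete, here is an added example (not from the original post) that simulates both sides of a CHAP three-way exchange in Python, using the MD5 response formula from RFC 1994, next to a PAP request that carries the password itself. The user name, shared secret and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed shared secret held by both peer and authenticator (demo value, not a real credential).
SHARED_SECRETS = {"alice": b"correct horse battery staple"}


def chap_challenge(size: int = 16) -> bytes:
    """Step 1 (authenticator -> peer): a fresh, unpredictable Challenge value."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2 (peer -> authenticator): MD5(Identifier || secret || Challenge) per RFC 1994.
    Only this one-way hash crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, name: str, challenge: bytes, response: bytes) -> bool:
    """Step 3 (authenticator): recompute the hash from its own copy of the secret
    and answer Success or Failure."""
    secret = SHARED_SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_request(name: str, password: bytes) -> bytes:
    """PAP by contrast: the Authenticate-Request carries the password in clear text."""
    return name.encode() + b":" + password


def run_chap(name: str, secret: bytes, identifier: int = 1) -> bool:
    """Full three-way exchange between a peer holding `secret` and the authenticator."""
    challenge = chap_challenge()
    response = chap_response(identifier, secret, challenge)
    return chap_verify(identifier, name, challenge, response)


def replay_rejected(name: str, secret: bytes) -> bool:
    """A response captured from one exchange does not satisfy a later, fresh challenge."""
    old_response = chap_response(1, secret, chap_challenge())
    return not chap_verify(1, name, chap_challenge(), old_response)
```

Because every challenge is new, the authenticator can re-challenge at any time during the session, which is the property PAP’s single clear-text request cannot offer.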

Thursday, January 13, 2011

CompTIA Security+ Exam Objectives 3.6

3.6 Authentication Models

Without proper authentication, security can go right out the window. What is the point of a security system if there is no process set up to authenticate users and processes on a computer system or a server? Authentication is a must-have, as it is necessary in order for a person to prove their identity to a system such as a website, a computer system, or a server. Authentication can be a complex process but can also be simple; a username and a password are both ways to authenticate a user. However, more complex systems use certain credentials aside from a password and/or username. Authentication calls for a user to have an identity and then prove that identity is true.

Keep in mind the three parts of authentication:

1. Something you have (e.g. an access card/smart card)
2. Something you know (password/username)
3. Something you are (iris scan, fingerprint, etc.)

· One-, two- and three-factor authentication
Multi-factor authentication requires that a user provide two or more means of authentication in order to prove their identity. The security purpose is obvious: the more ways a user can authenticate, the greater the chance the user is presenting a true identity. When only one authentication factor is required it is known as single-factor authentication. Think of a username and password.

Next is two-factor authentication, which is sometimes known as strong authentication. When two or more factors are used there is more security, because two or more attacks have to take place in order to take or steal the authentication. It can be helpful to use a password along with biometric authentication.

· Single sign-on – Often referred to as SSO, single sign-on is the relationship between the network and the client in which the client is allowed to log on once and all of the available resources are granted based on that sign-on. This is the opposite of a user having to sign on multiple times to multiple servers to access information or resources on them.

Today, the “something you are” part of authentication has become extremely popular. Consider biometrics and how widely this type of authentication has come to be used. Fingerprint and iris scanners have become a very common means of proving identity.
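As an added example (not from the original post), the following Python puts two of the factors above together the way a server would: "something you know" checked against a stored salted password hash, and "something you have" checked as a one-time code from a token, the same idea as the SecurID physical tokens mentioned under objective 3.9. The token code is generated with the HOTP algorithm of RFC 4226 (SecurID’s own algorithm is different); the user record, password and seed are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo user record; a real system keeps this in a directory or database.
_SALT = b"constructed-demo-salt"
USER_DB = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"S3cret!pass", _SALT, 100_000),
        "token_seed": b"12345678901234567890",  # the RFC 4226 test-vector seed
        "counter": 0,                            # next expected token counter
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def check_password(user: dict, password: str) -> bool:
    """Factor 1, something you know: compare against the stored salted hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_token(user: dict, code: str, window: int = 3) -> bool:
    """Factor 2, something you have: accept any of the next `window` counter values,
    then move the counter past it so the same code cannot be replayed."""
    for c in range(user["counter"], user["counter"] + window):
        if hmac.compare_digest(hotp(user["token_seed"], c), code):
            user["counter"] = c + 1
            return True
    return False


def authenticate(username: str, password: str, code: str) -> bool:
    """Looking the name up is identification; passing BOTH factors is authentication."""
    user = USER_DB.get(username)
    if user is None:
        return False
    return check_password(user, password) and check_token(user, code)
```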

Thursday, January 06, 2011

CompTIA Security+ Exam Objectives 3.5

3.5 Logical Access Control Methods

Logical access control methods are extremely important to computer and network security. The purpose of these methods is to implement a new level of security so that users have proper privileges and so that accounts and passwords meet necessary security requirements.

· ACL – An ACL is an access control list, which holds information specifying whether or not a user or group has certain access rights and privileges. These lists are set up by the system administrator and control what users can see and access on a network as well as on a computer system. When you’re on a work computer, ACLs are often used to keep users from downloading programs, changing system settings, and so on.
· Group policies – Group policies have become the easiest way to restrict or grant access to certain operating system components and resources. The settings put in place by these group policies are applied automatically and updated as necessary.
· Password policy – A password policy is simply the set of written rules, part of a security policy, that dictate specific password requirements for both device and user passwords. This usually involves a minimum length, special characters, a maximum password age, and so on. Think of a Windows system which requires a password of at least 8 characters. Some websites require passwords with upper- and lowercase letters along with a special character.

· Domain password policy – This is the password policy set within a GPO, which is then distributed throughout a Microsoft Active Directory domain to all of the domain users.
· User names and passwords – User names and passwords should have to meet certain requirements in order to be used. This makes hacking and cracking much harder. Passwords should expire after a certain number of days.
· Time of day restrictions – Time of day restrictions are often used by companies and employers whose workforce uses computers for most of the work day. The idea behind these restrictions is that users really only need access during scheduled working hours. After normal working hours, restrictions are put in place to increase security and decrease the chance of an internal or external attack.
· Account expiration – Each and every account on a network needs to have an expiration date. Accounts that are not in use for a certain number of days should expire; those in use do not have a set expiration date.
· Logical tokens – Logical tokens can be compared to certificates in that they hold a user’s access privileges and rights.
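The password policy, time of day restriction, account expiration and ACL bullets above are all decisions a logon or file server makes mechanically. This added Python example (not from the original post) shows those checks as code; the policy values, share name, groups and account records are constructed for the demonstration, and timestamps are passed as ISO strings so the checks are reproducible.

```python
import string
from datetime import datetime, timedelta

# Constructed settings of the kind a domain GPO or local security policy carries
# (illustrative values, not any organization's real policy).
PASSWORD_POLICY = {"min_length": 8, "complexity": True, "max_age_days": 90}
LOGON_HOURS = {"days": range(0, 5), "start": 7, "end": 19}   # Mon-Fri, 07:00-19:00
INACTIVE_EXPIRY_DAYS = 45
# Constructed ACL: resource -> group -> rights granted on that resource.
ACL = {r"\\fileserver\payroll": {"finance": {"read", "write"}, "staff": {"read"}}}


def password_violations(password: str, set_on: str, now: str) -> list:
    """Return the password-policy rules broken (an empty list means compliant)."""
    p = PASSWORD_POLICY
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    age = datetime.fromisoformat(now) - datetime.fromisoformat(set_on)
    checks = [("min_length", len(password) >= p["min_length"]),
              ("complexity", not p["complexity"] or all(classes)),
              ("max_age", age <= timedelta(days=p["max_age_days"]))]
    return [name for name, ok in checks if not ok]


def logon_allowed(account: dict, now: str) -> tuple:
    """Apply account expiration (inactivity) first, then the time of day restriction."""
    t = datetime.fromisoformat(now)
    if t - datetime.fromisoformat(account["last_logon"]) > timedelta(days=INACTIVE_EXPIRY_DAYS):
        return False, "account expired after inactivity"
    in_hours = LOGON_HOURS["start"] <= t.hour < LOGON_HOURS["end"]
    if t.weekday() not in LOGON_HOURS["days"] or not in_hours:
        return False, "outside permitted logon hours"
    return True, "ok"


def acl_permits(account: dict, resource: str, right: str) -> bool:
    """A right is granted only when one of the user's groups holds it on that resource."""
    entries = ACL.get(resource, {})
    return any(right in entries.get(group, set()) for group in account["groups"])
```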

Wednesday, January 05, 2011

CompTIA Announces a Price Increase

As of January 1, 2011, CompTIA A+, Security+ and Network+ certifications are only valid for 3 years. Not only has the CompTIA Certification policy changed, so have the prices.

Per the CompTIA site:
"While CompTIA is reluctant to adjust pricing, our operating costs have increased each year while pricing has remained unchanged since 2008.

CompTIA is committed to making investments to enhance the content and global recognition of its programs. Plans for 2011 include the launch of several new certifications and many current certifications receiving relevant updates."

Click here for the 2011 CompTIA Retail Price List

Tuesday, January 04, 2011

CompTIA Security+ Exam Objectives 3.4

3.4 Apply appropriate security controls to file and print resources.

The idea behind this section is to make note of the appropriate security controls that are necessary to control what type of information is filed and printed on a computer system as well as on a network. It’s vital that these controls are implemented and maintained as required. A flaw in, or lack of, these security controls can lead to a high security risk.

When it comes to applying the appropriate security controls to file and print resources, the controls that are put in place depend heavily on the goal and mission of the organization or company. Before any type of security control can be put in place, the company must have a clear goal as well as an understanding of the type of information it will be working with. For example, a company that works with private and classified information will need much stronger security controls than an organization whose project involves only public information with no important classification. When it comes to security controls for file and print, separation of duties and least privilege are often implemented.

Imagine if a U.S. agency had no security controls for the documents that were filed and printed within its resources. Think about the highly classified information that could be leaked to the media and to public eyes that should not see it. Wikileaks is an obvious example of a lack of proper security controls. There wasn’t enough control on documents, which allowed them to somehow be leaked despite their security classification.