CompTIA Security+ SY0-501 Exam Objectives

| Security+ Exam Domain/Objectives | Chapter | Bloom’s Taxonomy |
|---|---|---|
| 1.0: Threats, Attacks, and Vulnerabilities | | |
| 1.1 Given a scenario, analyze indicators of compromise and determine the type of malware. | 2 | Analyze |
| 1.2 Compare and contrast types of attacks. | 2 | Understand |
| | 3 | Analyze |
| | 5 | Understand |
| | 8 | Apply/Understand |
| | 11 | Create |
| | 15 | Apply |
| 1.3 Explain threat actor types and attributes. | 1 | Analyze/Apply |
| 1.4 Explain penetration testing concepts. | 13 | Apply |
| 1.5 Explain vulnerability scanning concepts. | 13 | Apply |
| 1.6 Explain the impact associated with types of vulnerabilities. | 1 | Understand |
| | 3 | Understand |
| | 4 | Understand |
| | 5 | Understand |
| | 9 | Understand |
| | 10 | Understand |
| 2.0: Technologies and Tools | | |
| 2.1 Install and configure network components, both hardware- and software-based, to support organizational security. | 4 | Apply |
| | 6 | Analyze |
| | 7 | Apply |
| | 8 | Analyze/Evaluate |
| 2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization. | 8 | Evaluate |
| | 13 | Analyze/Evaluate |
| | 14 | Evaluate |
| 2.3 Given a scenario, troubleshoot common security issues. | 15 | Analyze |
| 2.4 Given a scenario, analyze and interpret output from security technologies. | 6 | Analyze |
| | 7 | Analyze |
| | 9 | Analyze |
| 2.5 Given a scenario, deploy mobile devices securely. | 8 | Apply/Evaluate |
| | 10 | Analyze/Create |
| | 11 | Analyze |
| 2.6 Given a scenario, implement secure protocols. | 4 | Apply |
| | 5 | Analyze |
| 3.0: Architecture and Design | | |
| 3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides. | 1 | Analyze |
| | 15 | Understand |
| 3.2 Given a scenario, implement secure network architecture concepts. | 6 | Analyze |
| | 7 | Apply |
| | 8 | Apply/Evaluate |
| | 13 | Apply |
Copyright 2018 Cengage Learning. All Rights Reserved. May
not be copied, scanned, or duplicated, in whole or in part.
WCN 02-200-203
CompTIA® SECURITY+ GUIDE TO NETWORK SECURITY
Sixth Edition
Mark Ciampa, Ph.D.
INFORMATION SECURITY
Australia • Brazil • Mexico • Singapore • United Kingdom • United States
Product Assistant: Jake Toth
Marketing Director: Michelle McTighe
Production Director: Patty Stephan
Senior Content Project Manager: Brooke Greenhouse
Art Director: Diana Graham
Cover image(s): iStockPhoto.com/supernitram
Printed in the United States of America
Print Number: 01 Print Year: 2017
ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission of the copyright owner.
Library of Congress Control Number: 2017950178
ISBN: 978-1-337-28878-1
LLF ISBN: 978-1-337-68585-6
Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.
Cengage
20 Channel Center Street
Boston, MA 02210
USA
Cengage is a leading provider of customized learning solutions with employees residing in nearly 40 different countries and sales in more than 125 countries around the world. Find your local representative at www.cengage.com.
Cengage products are represented in Canada by Nelson Education, Ltd.
To learn more about Cengage platforms and services, visit www.cengage.com
Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com
For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706.
For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions.
Further permissions questions can be e-mailed to [email protected]
Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Windows® is a registered trademark of Microsoft Corporation. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. Cengage is an independent entity from Microsoft Corporation and not affiliated with Microsoft in any manner.
Brief Contents
INTRODUCTION
PART 1: SECURITY AND ITS THREATS
CHAPTER 1: Introduction to Security
CHAPTER 2: Malware and Social Engineering Attacks
PART 2: CRYPTOGRAPHY
CHAPTER 3: Basic Cryptography
CHAPTER 4: Advanced Cryptography and PKI
PART 3: NETWORK ATTACKS AND DEFENSES
CHAPTER 5: Networking and Server Attacks
CHAPTER 6: Network Security Devices, Design, and Technology
CHAPTER 7: Administering a Secure Network
CHAPTER 8: Wireless Network Security
PART 4: DEVICE SECURITY
CHAPTER 9: Client and Application Security
CHAPTER 10: Mobile and Embedded Device Security
PART 5: IDENTITY AND ACCESS MANAGEMENT
CHAPTER 11: Authentication and Account Management
CHAPTER 12: Access Management
PART 6: RISK MANAGEMENT
CHAPTER 13: Vulnerability Assessment and Data Security
CHAPTER 14: Business Continuity
CHAPTER 15: Risk Mitigation
APPENDIX A: CompTIA SY0-501 Certification Exam Objectives
GLOSSARY
INDEX
Table of Contents
INTRODUCTION
PART 1: SECURITY AND ITS THREATS
CHAPTER 1: Introduction to Security
Challenges of Securing Information
Today’s Security Attacks
Reasons for Successful Attacks
Difficulties in Defending Against Attacks
What Is Information Security?
Understanding Security
Defining Information Security
Information Security Terminology
Understanding the Importance of Information Security
Who Are the Threat Actors?
Script Kiddies
Hactivists
Nation State Actors
Insiders
Other Threat Actors
Defending Against Attacks
Fundamental Security Principles
Frameworks and Reference Architectures
Chapter Summary
Key Terms
Review Questions
Case Projects
CHAPTER 2: Malware and Social Engineering Attacks
Attacks Using Malware
Circulation
Infection
Concealment
Payload Capabilities
Social Engineering Attacks
Psychological Approaches
Physical Procedures
Chapter Summary
Key Terms
Review Questions
Case Projects
PART 2: CRYPTOGRAPHY
CHAPTER 3: Basic Cryptography
Defining Cryptography
What Is Cryptography?
Cryptography and Security
Cryptography Constraints
Cryptographic Algorithms
Hash Algorithms
CHAPTER 4: Advanced Cryptography and PKI
Implementing Cryptography
Key Strength
Secret Algorithms
Block Cipher Modes of Operation
Crypto Service Providers
Algorithm Input Values
Digital Certificates
Defining Digital Certificates
Managing Digital Certificates
Types of Digital Certificates
Public Key Infrastructure (PKI)
What Is Public Key Infrastructure (PKI)?
Trust Models
Managing PKI
Key Management
Cryptographic Transport Protocols
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
Secure Shell (SSH)
Hypertext Transport Protocol Secure (HTTPS)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Real-time Transport Protocol (SRTP)
IP Security (IPsec)
Chapter Summary
Key Terms
Review Questions
Case Projects
PART 3: NETWORK ATTACKS AND DEFENSES
CHAPTER 5: Networking and Server Attacks
Networking-Based Attacks
Interception
Poisoning
Server Attacks
Denial of Service (DoS)
Web Server Application Attacks
Hijacking
Overflow Attacks
Advertising Attacks
Browser Vulnerabilities
Chapter Summary
Key Terms
Review Questions
Case Projects
CHAPTER 6: Network Security Devices, Design, and Technology
Security Through Network Devices
Standard Network Devices
Network Security Hardware
Security Through Network Architecture
Security Zones
Network Segregation
Security Through Network Technologies
Network Access Control (NAC)
Data Loss Prevention (DLP)
Chapter Summary
Key Terms
Review Questions
Case Projects
CHAPTER 7: Administering a Secure Network
Secure Network Protocols
Simple Network Management Protocol (SNMP)
Domain Name System (DNS)
File Transfer Protocol (FTP)
Secure Email Protocols
Using Secure Network Protocols
Placement of Security Devices and Technologies
Analyzing Security Data
Data from Security Devices
Data from Security Software
Data from Security Tools
Issues in Analyzing Security Data
Managing and Securing Network Platforms
Virtualization
Cloud Computing
Software Defined Network (SDN)
Chapter Summary
Key Terms
Review Questions
Case Projects
CHAPTER 8: Wireless Network Security
Wireless Attacks
Bluetooth Attacks
Near Field Communication (NFC) Attacks
Radio Frequency Identification (RFID) Attacks
Wireless Local Area Network Attacks
Vulnerabilities of IEEE Wireless Security
Wired Equivalent Privacy
Wi-Fi Protected Setup
CHAPTER 10: Mobile and Embedded Device Security
Mobile Device Types and Deployment
Types of Mobile Devices
Mobile Device Risks
Mobile Device Vulnerabilities
Connection Vulnerabilities
Accessing Untrusted Content
Deployment Model Risks
Securing Mobile Devices
Device Configuration
Mobile Management Tools
Mobile Device App Security
Embedded Systems and the Internet of Things
Embedded Systems
Internet of Things
Security Implications
Chapter Summary
Key Terms
What You Do: Behavioral Biometrics
Where You Are: Geolocation
Single Sign-on
Account Management
Chapter Summary
PART 6: RISK MANAGEMENT
CHAPTER 13: Vulnerability Assessment and Data Security
Assessing the Security Posture
What Is Vulnerability Assessment?
Vulnerability Assessment Tools
Vulnerability Scanning
Penetration Testing
Practicing Data Privacy and Security
What Is Privacy?
Risks Associated with Private Data
Maintaining Data Privacy and Security
Chapter Summary
Key Terms
Review Questions
Case Projects
CHAPTER 14: Business Continuity
What Is Business Continuity?
Business Continuity Planning (BCP)
Business Impact Analysis (BIA)
Disaster Recovery Plan (DRP)
Fault Tolerance Through Redundancy
Servers
Storage
Networks
Power
Recovery Sites
Data
Environmental Controls
Fire Suppression
Electromagnetic Disruption Protection
HVAC
Incident Response
What Is Forensics?
Incident Response Plan
Forensics Procedures
Chapter Summary
Key Terms
The number one concern of computer professionals today
continues to
be information security, and with good reason. Consider the
evidence:
over 1.5 billion Yahoo user accounts were compromised in just
two
separate attacks.1 A ransom of $1 million dollars was paid to
unlock
48. files that had been encrypted by ransomware.2 A global
payment sys-
tem used to transfer money between countries was compromised
by
attackers who stole $81 billion from the central bank of
Bangladesh.3 It
is estimated that global spending on products and services to
prevent
these attacks will exceed $1 trillion cumulatively between 2017
and
2021. But despite the huge sum spent on protection, cybercrime
will
still cost businesses over $6 trillion by 2021.4
As attacks continue to escalate, the need for trained security personnel also increases. It is estimated that there are currently over 1.5 million unfilled security jobs worldwide and this will grow by 20 percent to 1.8 million by the year 2022.5 According to the U.S. Bureau of Labor Statistics (BLS) “Occupational Outlook Handbook,” the job outlook for information security analysts through 2024 is expected to grow by 18 percent, faster than the average growth rate.6
To verify security competency, most organizations use the Computing Technology Industry Association (CompTIA) Security+ certification, a vendor-neutral credential. Security+ is one of the most widely recognized security certifications and has become the security foundation for today’s IT professionals. It is internationally recognized as validating a foundation level of security skills and knowledge. A successful Security+ candidate has the knowledge and skills required to identify threats, attacks and vulnerabilities; use security technologies and tools; understand security architecture and design; perform identity and access management; know about risk management; and use cryptography.
Security+ Guide to Network Security Fundamentals, Sixth Edition is designed to equip learners with the knowledge and skills needed to be information security professionals. Yet it is more than an “exam prep” book. While teaching the fundamentals of information security by using the CompTIA Security+ exam objectives as its framework, it takes a comprehensive view of security by examining in depth the attacks against networks and computer systems and the necessary defense mechanisms. Security+ Guide to Network Security Fundamentals, Sixth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security. It also provides the foundation that will help prepare for the CompTIA Security+ certification exam.
INTRODUCTION
Intended Audience
This book is designed to meet the needs of students and professionals who want to master basic information security. A fundamental knowledge of computers and networks is all that is required to use this book. Those seeking to pass the CompTIA Security+ certification exam will find the text’s approach and content especially helpful; all Security+ SY0-501 exam objectives are covered in the text (see Appendix A). Security+ Guide to Network Security Fundamentals, Sixth Edition covers all aspects of network and computer security while satisfying the Security+ objectives.
The book’s pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the information presented in the text, each chapter includes Hands-On Projects that guide you through implementing practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case studies that place you in the role of problem solver, requiring you to apply concepts presented in the chapter to achieve successful solutions.
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, “Introduction to Security,” introduces the network security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why security is so difficult to achieve. It then defines information security in detail and explores why it is important. Finally, the chapter looks at the fundamental attacks, including who is responsible for them, and defenses.
Chapter 2, “Malware and Social Engineering Attacks,” examines attacks that use different types of malware, such as viruses, worms, Trojans, and botnets. It also looks at the different types of social engineering attacks.
Chapter 3, “Basic Cryptography,” explores how encryption can be used to protect data. It covers what cryptography is and how it can be used for protection, and then examines how to protect data using three common types of encryption algorithms: hashing, symmetric encryption, and asymmetric encryption. It also covers how to use cryptography on files and disks to keep data secure.
Chapter 4, “Advanced Cryptography and PKI,” examines how to implement cryptography and use digital certificates. It also looks at public key infrastructure and key management. This chapter covers different transport cryptographic algorithms to see how cryptography is used on data that is being transported.
Chapter 5, “Networking and Server Attacks,” explores the different attacks that are directed at enterprises. It includes networking-based attacks as well as server attacks.
Chapter 6, “Network Security Devices, Design, and Technology,” examines how to protect networks through standard network devices and network security hardware. It also covers implementing security through network architectures and network technologies.
Chapter 7, “Administering a Secure Network,” looks at the techniques for administering a network. This includes understanding common network protocols and the proper placement of security devices and technologies. It also looks at analyzing security data and securing network platforms such as virtualization, cloud computing, and software defined networks.
Chapter 8, “Wireless Network Security,” investigates the attacks on wireless devices that are common today and explores different wireless security mechanisms that have proven to be vulnerable. It also covers several secure wireless protections.
Chapter 9, “Client and Application Security,” examines securing the client through hardware and peripherals and through the operating system. It also looks at physical security to create external perimeter defenses and internal physical access security. This chapter also covers application security vulnerabilities and the development of secure apps.
Chapter 10, “Mobile and Embedded Device Security,” looks at the different types of mobile devices and the risks associated with these devices. It also explores how to secure these devices and the applications running on them. Finally, it examines how embedded systems and the Internet of Things devices can be secured.
Chapter 11, “Authentication and Account Management,” looks at authentication and the secure management of user accounts to enforce authentication. It covers the different types of authentication credentials that can be used to verify a user’s identity and how a single sign-on might be used. It also examines the techniques and technology used to manage user accounts in a secure fashion.
Chapter 12, “Access Management,” introduces the principles and practices of access control by examining access control terminology, the standard control models, and managing access through account management. It also covers best practices, implementing access control, and identity and access services.
Chapter 13, “Vulnerability Assessment and Data Security,” explains what vulnerability assessment is and examines the tools and techniques associated with it. It also explores the differences between vulnerability scanning and penetration testing. The chapter concludes with an examination of data privacy.
Chapter 14, “Business Continuity,” covers the importance of keeping business processes and communications operating normally in the face of threats and disruptions. It explores business continuity, fault tolerance, environmental controls, and incident response.
Chapter 15, “Risk Mitigation,” looks at how organizations can establish and maintain security in the face of risk. It defines risk and the strategies to control it. This chapter also covers practices for reducing risk and troubleshooting common security issues.
Appendix A, “CompTIA SY0-501 Certification Examination Objectives,” provides a complete listing of the latest CompTIA Security+ certification exam objectives and shows the chapters and headings in the book that cover material associated with each objective, as well as the Bloom’s Taxonomy level of that coverage.
Features
To aid you in fully understanding computer and network security, this book includes many features designed to enhance your learning experience.
• Maps to CompTIA Objectives. The material in this text covers all the CompTIA Security+ SY0-501 exam objectives.
• Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list provides you with both a quick reference to the chapter’s contents and a useful study aid.
• Today’s Attacks and Defenses. Each chapter opens with a vignette of an actual security attack or defense mechanism that helps to introduce the material covered in that chapter.
• Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.
• Chapter Summaries. Each chapter’s text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.
• Key Terms. All the terms in each chapter that were introduced with bold text are gathered in a Key Terms list, providing additional review and highlighting key concepts. Key Term definitions are included in the Glossary at the end of the text.
• Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking CompTIA’s Security+ exam.
• Hands-On Projects. Although it is important to understand the theory behind network security, nothing can improve on real-world experience. To this end, each chapter provides several Hands-On Projects aimed at providing you with practical security software and hardware implementation experience. These projects use the Windows 10 operating system, as well as software downloaded from the Internet.
• Case Projects. Located at the end of each chapter are several Case Projects. In these extensive exercises, you implement the skills and knowledge gained in the chapter through real design and implementation scenarios.
New to This Edition
• Maps fully to the latest CompTIA Security+ exam SY0-501
• Completely revised and updated with expanded coverage on attacks and defenses
• New chapter units: Security and Its Threats, Cryptography, Network Attacks and Defenses, Device Security, Identity and Access Management, and Risk Management
• Earlier coverage of cryptography and advanced cryptography
• All new “Today’s Attacks and Defenses” opener in each chapter
• New and updated Hands-On Projects in each chapter covering some of the latest security software
• More Case Projects in each chapter
• Expanded Information Security Community Site activity in each chapter allows learners to interact with other learners and security professionals from around the world
• All SY0-501 exam topics fully defined
• Linking of each exam sub-domain to Bloom’s Taxonomy (see Appendix A)
Text and Graphic Conventions
Wherever appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. Icons throughout the text alert you to additional materials. The following icons are used in this textbook:
The Note icon draws your attention to additional helpful material related to the subject being described.
Tips based on the author’s experience provide extra information about how to attack a problem or what to do in real-world situations.
The Caution icons warn you about potential mistakes or problems, and explain how to avoid them.
Hands-On Projects help you understand the theory behind network security with activities using the latest security software and hardware.
The Case Projects icon marks Case Projects, which are scenario-based assignments. In these extensive case examples, you are asked to implement independently what you have learned.
Certification icons indicate CompTIA Security+ objectives covered under major chapter headings.
Instructor’s Materials
Everything you need for your course in one place. This collection of book-specific lecture and class tools is available online. Please visit login.cengage.com and log in to access instructor-specific resources on the Instructor Companion Site, which includes the Instructor’s Manual,