Acknowledgments | p. xxiii |
Preface | p. xxv |
Introduction | p. xxvii |
Authentication | p. 1 |
General Security Concepts | p. 3 |
The Security+ Exam | p. 3 |
Basic Security Terminology | p. 4 |
Security Basics | p. 4 |
Access Control | p. 15 |
Authentication | p. 18 |
Malware and Attacks | p. 27 |
Types of Attacks and Malicious Software | p. 29 |
Avenues of Attack | p. 29 |
The Steps in an Attack | p. 30 |
Minimizing Possible Avenues of Attack | p. 31 |
Attacking Computer Systems and Networks | p. 31 |
Denial of Service Attacks | p. 32 |
Backdoors and Trapdoors | p. 35 |
Sniffing | p. 35 |
Spoofing | p. 36 |
Man-in-the-Middle Attacks | p. 40 |
Replay Attacks | p. 41 |
TCP/IP Hijacking | p. 41 |
Attacks on Encryption | p. 41 |
Password Guessing | p. 43 |
Software Exploitation | p. 44 |
Malicious Code | p. 45 |
War-Dialing and War-Driving | p. 49 |
Social Engineering | p. 50 |
Auditing | p. 51 |
Security in Transmissions | p. 59 |
Remote Access | p. 61 |
The Remote Access Process | p. 61 |
Identification | p. 62 |
Authentication | p. 63 |
Authorization | p. 63 |
Telnet | p. 64 |
SSH | p. 64 |
L2TP and PPTP | p. 65 |
PPTP | p. 66 |
L2TP | p. 68 |
IEEE 802.11 | p. 68 |
VPN | p. 70 |
IPsec | p. 71 |
IPsec Configurations | p. 72 |
IPsec Security | p. 72 |
IEEE 802.1x | p. 77 |
RADIUS | p. 77 |
RADIUS Authentication | p. 78 |
RADIUS Authorization | p. 78 |
RADIUS Accounting | p. 78 |
DIAMETER | p. 80 |
TACACS+ | p. 80 |
TACACS+ Authentication | p. 81 |
TACACS+ Authorization | p. 81 |
TACACS+ Accounting | p. 82 |
Vulnerabilities | p. 83 |
E-Mail | p. 89 |
Security of E-Mail Transmissions | p. 89 |
Malicious Code | p. 90 |
Hoax E-Mails | p. 92 |
Unsolicited Commercial E-Mail (Spam) | p. 92 |
Mail Encryption | p. 94 |
Web Components | p. 103 |
Current Web Components and Concerns | p. 104 |
Protocols | p. 104 |
Encryption (SSL and TLS) | p. 105 |
The Web (HTTP and HTTPS) | p. 110 |
Directory Services (DAP and LDAP) | p. 112 |
File Transfer (FTP and SFTP) | p. 113 |
Vulnerabilities | p. 114 |
Code-Based Vulnerabilities | p. 114 |
Buffer Overflows | p. 115 |
Java and JavaScript | p. 115 |
ActiveX | p. 119 |
CGI | p. 120 |
Server-Side Scripts | p. 121 |
Cookies | p. 121 |
Signed Applets | p. 125 |
Browser Plug-Ins | p. 126 |
Wireless and Instant Messaging | p. 133 |
Wireless | p. 133 |
WAP and WTLS | p. 134 |
802.11 | p. 137 |
Instant Messaging | p. 145 |
Security for the Infrastructure | p. 153 |
Infrastructure Security | p. 155 |
Devices | p. 155 |
Workstations | p. 156 |
Servers | p. 157 |
Network Interface Cards (NICs) | p. 158 |
Hubs | p. 159 |
Bridges | p. 159 |
Switches | p. 159 |
Routers | p. 161 |
Firewalls | p. 162 |
Wireless | p. 164 |
Modems | p. 166 |
RAS | p. 167 |
Telecom/PBX | p. 167 |
VPN | p. 168 |
IDS | p. 168 |
Network Monitoring/Diagnostic | p. 170 |
Mobile Devices | p. 171 |
Media | p. 172 |
Coax | p. 172 |
UTP/STP | p. 173 |
Fiber | p. 174 |
Unguided Media | p. 176 |
Security Concerns for Transmission Media | p. 177 |
Physical Security | p. 177 |
Removable Media | p. 178 |
Magnetic Media | p. 179 |
Optical Media | p. 181 |
Electronic Media | p. 182 |
Security Topologies | p. 183 |
Security Zones | p. 183 |
VLANs | p. 186 |
NAT | p. 188 |
Tunneling | p. 189 |
Intrusion Detection Systems | p. 195 |
History of Intrusion Detection Systems | p. 196 |
IDS Overview | p. 197 |
Host-Based Intrusion Detection Systems | p. 198 |
Advantages of Host-Based IDSs | p. 203 |
Disadvantages of Host-Based IDSs | p. 203 |
Active vs. Passive Host-Based IDSs | p. 204 |
Network-Based Intrusion Detection Systems | p. 205 |
Advantages of a Network-Based IDS | p. 209 |
Disadvantages of a Network-Based IDS | p. 209 |
Active vs. Passive Network-Based IDSs | p. 210 |
Signatures | p. 210 |
False Positives and Negatives | p. 212 |
IDS Models | p. 212 |
Preventative Intrusion Detection Systems | p. 213 |
IDS Products and Vendors | p. 214 |
Honeypots | p. 214 |
Incident Response | p. 216 |
Security Baselines | p. 223 |
Overview | p. 223 |
Password Selection | p. 224 |
Password Policy Guidelines | p. 224 |
Selecting a Password | p. 225 |
Components of a Good Password | p. 226 |
Password Aging | p. 226 |
Operating System and Network Operating System Hardening | p. 227 |
Hardening Microsoft Operating Systems | p. 228 |
Hardening UNIX- or Linux-Based Operating Systems | p. 243 |
Network Hardening | p. 258 |
Software Updates | p. 259 |
Device Configuration | p. 259 |
Ports and Services | p. 261 |
Traffic Filtering | p. 263 |
Application Hardening | p. 265 |
Application Patches | p. 266 |
Web Servers | p. 266 |
Mail Servers | p. 269 |
FTP Servers | p. 271 |
DNS Servers | p. 271 |
File and Print Services | p. 272 |
Active Directory | p. 272 |
Cryptography and Applications | p. 277 |
Cryptography | p. 279 |
Algorithms | p. 280 |
Hashing | p. 283 |
SHA | p. 283 |
Message Digest (MD) | p. 284 |
Hashing Summary | p. 286 |
Symmetric Encryption | p. 286 |
DES | p. 287 |
3DES | p. 289 |
AES | p. 290 |
CAST | p. 291 |
RC | p. 291 |
Blowfish | p. 294 |
IDEA | p. 295 |
Symmetric Encryption Summary | p. 296 |
Asymmetric Encryption | p. 296 |
RSA | p. 297 |
Diffie-Hellman | p. 298 |
ElGamal | p. 298 |
ECC | p. 299 |
Asymmetric Encryption Summary | p. 300 |
Usage | p. 300 |
Confidentiality | p. 300 |
Integrity | p. 301 |
Nonrepudiation | p. 301 |
Authentication | p. 301 |
Digital Signatures | p. 302 |
Key Escrow | p. 302 |
Public Key Infrastructure | p. 307 |
The Basics of Public Key Infrastructures | p. 307 |
Certificate Authorities | p. 310 |
Registration Authorities | p. 311 |
Local Registration Authorities | p. 314 |
Certificate Repositories | p. 314 |
Trust and Certificate Verification | p. 315 |
Digital Certificates | p. 319 |
Certificate Attributes | p. 321 |
Certificate Extensions | p. 322 |
Certificate Lifecycles | p. 323 |
Centralized or Decentralized Infrastructures | p. 330 |
Hardware Storage Devices | p. 332 |
Private Key Protection | p. 332 |
Key Recovery | p. 334 |
Key Escrow | p. 335 |
Public Certificate Authorities | p. 336 |
In-House Certificate Authorities | p. 337 |
Outsourced Certificate Authorities | p. 338 |
Tying Different PKIs Together | p. 339 |
Trust Models | p. 340 |
Standards and Protocols | p. 357 |
PKIX/PKCS | p. 359 |
PKIX Standards | p. 360 |
PKCS | p. 362 |
Why You Need to Know | p. 364 |
X.509 | p. 364 |
SSL/TLS | p. 366 |
ISAKMP | p. 368 |
CMP | p. 369 |
XKMS | p. 370 |
S/MIME | p. 372 |
IETF S/MIME v3 Specifications | p. 373 |
PGP | p. 374 |
How It Works | p. 374 |
Where Can You Use PGP? | p. 375 |
HTTPS | p. 375 |
IPsec | p. 375 |
CEP | p. 376 |
FIPS | p. 376 |
Common Criteria (CC) | p. 377 |
WTLS | p. 377 |
WEP | p. 377 |
WEP Security Issues | p. 378 |
ISO 17799 | p. 378 |
Operational Security | p. 383 |
Operational/Organizational Security | p. 385 |
Security Operations in Your Organization | p. 385 |
Policies, Procedures, Standards, and Guidelines | p. 386 |
The Security Perimeter | p. 386 |
Physical Security | p. 388 |
Access Controls | p. 388 |
Physical Barriers | p. 390 |
Social Engineering | p. 390 |
Environment | p. 391 |
Fire Suppression | p. 392 |
Wireless | p. 396 |
Electromagnetic Eavesdropping | p. 397 |
Shielding | p. 398 |
Location | p. 398 |
Disaster Recovery, Business Continuity, and Organizational Policies | p. 405 |
Disaster Recovery | p. 405 |
Disaster Recovery Plans/Process | p. 406 |
Backups | p. 408 |
Utilities | p. 413 |
Secure Recovery | p. 414 |
High Availability and Fault Tolerance | p. 414 |
Policies and Procedures | p. 415 |
Security Policies | p. 415 |
Privacy | p. 419 |
Service Level Agreements | p. 420 |
Human Resources Policies | p. 420 |
Code of Ethics | p. 422 |
Incident Response Policies | p. 422 |
Administrative Controls | p. 431 |
Security and Law | p. 433 |
Import/Export Encryption Restrictions | p. 433 |
United States Law | p. 434 |
Non-U.S. Laws | p. 436 |
Digital Signature Laws | p. 436 |
Non-U.S. Laws | p. 437 |
Digital Rights Management | p. 438 |
Privacy Laws | p. 440 |
United States Laws | p. 440 |
European Laws | p. 441 |
Computer Trespass | p. 442 |
Convention on Cybercrime | p. 442 |
Privilege Management | p. 447 |
User, Group, and Role Management | p. 448 |
User | p. 448 |
Groups | p. 449 |
Role | p. 450 |
Single Sign-On | p. 451 |
Centralized vs. Decentralized Management | p. 452 |
Centralized Management | p. 452 |
Decentralized Management | p. 453 |
The Decentralized, Centralized Model | p. 454 |
Auditing (Privilege, Usage, and Escalation) | p. 454 |
Privilege Auditing | p. 454 |
Usage Auditing | p. 455 |
Escalation Auditing | p. 456 |
Handling Access Control (MAC, DAC, and RBAC) | p. 457 |
Mandatory Access Control (MAC) | p. 457 |
Discretionary Access Control (DAC) | p. 458 |
Role-Based Access Control (RBAC) | p. 459 |
Computer Forensics | p. 463 |
Evidence | p. 464 |
Standards for Evidence | p. 464 |
Types of Evidence | p. 464 |
Three Rules Regarding Evidence | p. 465 |
Collecting Evidence | p. 465 |
Acquiring Evidence | p. 466 |
Identifying Evidence | p. 467 |
Protecting Evidence | p. 468 |
Transporting Evidence | p. 468 |
Storing Evidence | p. 468 |
Conducting the Investigation | p. 468 |
Chain of Custody | p. 470 |
Free Space vs. Slack Space | p. 470 |
Free Space | p. 470 |
Slack Space | p. 471 |
What's This Message Digest and Hash? | p. 471 |
Analysis | p. 472 |
Risk Management | p. 477 |
An Overview of Risk Management | p. 477 |
Example of Risk Management at the International Banking Level | p. 478 |
Key Terms Essential to Understanding Risk Management | p. 478 |
What Is Risk Management? | p. 479 |
Business Risks | p. 480 |
Examples of Business Risks | p. 480 |
Examples of Technology Risks | p. 481 |
Risk Management Models | p. 481 |
General Risk Management Model | p. 482 |
Software Engineering Institute Model | p. 484 |
Qualitatively Assessing Risk | p. 485 |
Quantitatively Assessing Risk | p. 487 |
Qualitative vs. Quantitative Risk Assessment | p. 489 |
Tools | p. 490 |
Change Management | p. 495 |
Why Change Management? | p. 495 |
The Key Concept: Segregation of Duties | p. 497 |
Elements of Change Management | p. 498 |
Implementing Change Management | p. 500 |
The Purpose of a Change Control Board | p. 501 |
Code Integrity | p. 503 |
The Capability Maturity Model | p. 503 |
Appendixes | p. 509 |
About the CD-ROM | p. 511 |
System Requirements | p. 511 |
LearnKey Online Training | p. 511 |
Installing and Running MasterExam | p. 511 |
MasterExam | p. 512 |
Electronic Book | p. 512 |
Help | p. 512 |
Removing Installation(s) | p. 512 |
Technical Support | p. 512 |
LearnKey Technical Support | p. 512 |
OSI Model and Internet Protocols | p. 513 |
Networking Frameworks and Protocols | p. 513 |
OSI Model | p. 514 |
Application Layer | p. 516 |
Presentation Layer | p. 517 |
Session Layer | p. 517 |
Transport Layer | p. 517 |
Network Layer | p. 517 |
Data-Link Layer | p. 518 |
Physical Layer | p. 518 |
Internet Protocols | p. 518 |
TCP | p. 518 |
UDP | p. 519 |
IP | p. 519 |
Message Encapsulation | p. 520 |
Review | p. 521 |
Glossary | p. 523 |
Index | p. 537 |