CompTIA Security+ Exam Cram

Paperback
from $0.00

Author: Diane Barrett

ISBN-10: 078973804X

ISBN-13: 9780789738042

Category: Other Computer Certification



CompTIA® Security+ Exam Cram
Second Edition
Exam SY0-201
Diane Barrett, Kirk Hausman, Martin Weiss
The Smart Way to Study™

Covers the critical information you need to know to score higher on your Security+ exam!

- Master and implement general security best practices
- Systematically identify threats and risks to your systems
- Harden systems by eliminating nonessential services
- Secure your communications, networks, and infrastructure
- Systematically identify and protect against online vulnerabilities
- Implement effective access control and authentication
- Create security baselines and audit your security infrastructure
- Understand cryptographic principles, and effectively deploy cryptographic solutions
- Organize security from both a technical and organizational standpoint
- Manage every facet of security, including education and documentation
- Understand the laws related to IT security, and the basics of forensic investigations

WRITTEN BY LEADING EXPERTS:

Diane Barrett (MCSE, A+, Security+) is a professor in the Network Security and Computer Forensics programs at the University of Advancing Technology. She belongs to several security user groups, including HTCIA and InfraGard.

Kirk Hausman (MCSE, Security+) has worked for more than 20 years as a consultant, trainer, IT manager, and network and security administrator. He works for Texas A&M University as assistant commandant for IT.

Martin Weiss (CISSP, Security+, MCSE) is a manager of information security gurus at RSA, the security division of EMC.

CD Features
Test Engine Powered by MeasureUp!
- Detailed explanations of correct and incorrect answers
- Multiple test modes
- Random questions and order of answers
- Coverage of each Security+ exam objective

informit.com/examcram
ISBN-13: 978-0-7897-3804-2
ISBN-10: 0-7897-3804-X

Introduction

Welcome to CompTIA Security+ Exam Cram, Second Edition. Whether this book is your first or your fifteenth Exam Cram series book, you’ll find information here that will help ensure your success as you pursue knowledge, experience, and certification. This book aims to help you get ready to take and pass the CompTIA Security+ exam, number SY0-201.

This introduction explains CompTIA’s certification programs in general and talks about how the Exam Cram series can help you prepare for CompTIA’s latest certification exams. Chapters 1 through 12 are designed to remind you of everything you need to know to pass the SY0-201 certification exam. The two practice exams at the end of this book should give you a reasonably accurate assessment of your knowledge; and, yes, we’ve provided the answers and their explanations for these practice exams. Read this book, understand the material, and you’ll stand a very good chance of passing the real test.

Exam Cram books help you understand and appreciate the subjects and materials you need to know to pass CompTIA certification exams. Exam Cram books are aimed strictly at test preparation and review. They do not teach you everything you need to know about a subject. Instead, the authors streamline and highlight the pertinent information by presenting and dissecting the questions and problems they’ve discovered that you’re likely to encounter on a CompTIA test.

Nevertheless, to completely prepare yourself for any CompTIA test, we recommend that you begin by taking the “Self-Assessment” that immediately follows this introduction. The self-assessment tool will help you evaluate your knowledge base against the requirements for the CompTIA Security+ exam under both ideal and real circumstances. This can also be the first step in earning more advanced security certifications.

Based on what you learn from the self-assessment, you might decide to begin your studies with classroom training or some background reading. On the other hand, you might decide to pick up and read one of the many study guides available from Que or a third-party vendor.

We also strongly recommend that you spend some time installing, configuring, and working with both Windows and UNIX or Linux operating systems to patch and maintain them for the best and most current security possible, because the Security+ exam focuses on such activities and the knowledge and skills they can provide for you. Nothing beats hands-on experience and familiarity when it comes to understanding the questions you’re likely to encounter on a certification test. Book learning is essential, but without doubt, hands-on experience is the best teacher of all!

The CompTIA Certification Program

The Computing Technology Industry Association (http://www.comptia.org) offers numerous IT certifications, primarily aimed at entry- and intermediate-level IT professionals. Here is a list of some other relevant CompTIA certifications, briefly annotated to document their possible relevance to Security+:

- A+: An exam that tests basic PC hardware and software installation, configuration, diagnosing, preventive maintenance, and basic networking. This two-part exam also covers security, safety, environmental issues, communication, and professionalism. This exam is an excellent prequalifier for those interested in Security+ who might have little or no PC or computing skills or knowledge. For more information about this exam, see http://certification.comptia.org/a/default.aspx.

- Network+: An exam that tests basic and intermediate networking skills and knowledge, including hardware, drivers, protocols, and troubleshooting topics. This exam is an excellent prequalifier for those interested in Security+ who have little or no networking skills or knowledge. For more information about this exam, go to http://certification.comptia.org/network/default.aspx.

- Server+: An exam that tests server knowledge and capabilities, including RAID, SCSI, multiple CPUs, and disaster recovery. This exam is an excellent prequalifier for those interested in Security+ who have little or no server environment skills or knowledge. For more information about this exam, go to http://certification.comptia.org/server/default.aspx.

- Linux+: An exam that tests knowledge and management of Linux systems via command line, user administration, file permissions, software configurations, Linux-based clients, server systems, and security. For more information about this exam, go to http://certification.comptia.org/linux/default.aspx.

The CompTIA exams are all vendor- and platform-neutral, which means they primarily test general skills and knowledge, instead of focusing on vendor or product specifics. Therefore, they offer certification candidates a chance to demonstrate necessary general abilities relevant in most workplaces. (This explains why employers generally look at CompTIA certifications favorably.)

Because CompTIA changes its website often, the URLs listed above might not work in the future. You should use the Search tool on CompTIA’s site to find more information about a particular certification.

Taking a Certification Exam

After you prepare for your exam, you need to register with a testing center. At the time of this writing, the cost to take the Security+ exam is $258 for individuals. CompTIA Corporate Members receive discounts on nonmember pricing. For more information about these discounts, a local CompTIA sales representative can provide answers to any questions you might have. If you don’t pass, you can take the exam again for the same cost as the first attempt, for each attempt until you pass. In the United States and Canada, tests are administered by Prometric or VUE. Here’s how you can contact them:

- Prometric—You can sign up for a test through the company’s website, http://securereg3.prometric.com/. Within the United States and Canada, you can register by phone at 800-755-3926. If you live outside this region, check the Prometric website for the appropriate phone number.

- Pearson VUE—You can contact Virtual University Enterprises (VUE) to locate a nearby testing center that administers the test and to make an appointment. You can find the sign-up web page for the exam itself at http://www.vue.com/comptia/. You can also use this web page (click the Contact button, click the View Telephone Directory by Sponsor link, and then click CompTIA) to obtain a telephone number for the company (in case you can’t or don’t want to sign up for the exam on the web page).

To sign up for a test, you must possess a valid credit card or contact either Prometric or VUE for mailing instructions to send a check (in the United States). Only after payment has been verified, or a check has cleared, can you actually register for a test.

To schedule an exam, you need to call the appropriate phone number or visit the Prometric or VUE website at least one day in advance. To cancel or reschedule an exam in the United States or Canada, you must call before 3 p.m. Eastern time the day before the scheduled test time (or you might be charged, even if you don’t show up to take the test). When you want to schedule a test, you should have the following information ready:

- Your name, organization, and mailing address.
- Your CompTIA test ID. (In the United States, this means your Social Security number; citizens of other countries should call ahead to find out what type of identification number is required to register for a test.)
- The name and number of the exam you want to take.
- A payment method. (As mentioned previously, a credit card is the most convenient method; alternative means can be arranged in advance, if necessary.)

After you sign up for a test, you are told when and where the test is scheduled. You should arrive at least 15 minutes early. To be admitted into the testing room, you must supply two forms of identification, one of which must be a photo ID.

Tracking Certification Status

After you pass the exam, you are certified. Official certification is normally granted after six to eight weeks, so you shouldn’t expect to get your credentials overnight. The package for official certification that arrives includes a Welcome Kit that contains a number of elements. (See CompTIA’s website for other benefits of specific certifications.)

- A certificate suitable for framing, along with a wallet card.
- A license to use the related certification logo, which means you can use the logo in advertisements, promotions, and documents, and on letterhead, business cards, and so on. Along with the license comes a logo sheet, which includes camera-ready artwork. (Note that before you use any of the artwork, you must sign and return a licensing agreement that indicates you’ll abide by its terms and conditions.)

Many people believe that the benefits of certification go well beyond the perks that CompTIA provides to new members of this elite group. We’re starting to see more job listings that request or require applicants to have CompTIA and other related certifications, and many individuals who complete CompTIA certification programs can qualify for increases in pay and responsibility. As an official recognition of hard work and broad knowledge, a certification credential is a badge of honor in many IT organizations.

About This Book

We’ve structured the topics in this book to build on one another. Therefore, some topics in later chapters make the most sense after you’ve read earlier chapters. That’s why we suggest that you read this book from front to back for your initial test preparation. If you need to brush up on a topic or if you have to bone up for a second try, you can use the index or table of contents to go straight to the topics and questions that you need to study. Beyond helping you prepare for the test, we think you’ll find this book useful as a tightly focused reference to some of the most important aspects of the Security+ certification.

Chapter Format and Conventions

Each topical Exam Cram chapter follows a regular structure and contains graphical cues about important or useful information. Here’s the structure of a typical chapter:

- Opening hotlists—Each chapter begins with a list of the terms, tools, and techniques that you must learn and understand before you can be fully conversant with that chapter’s subject matter. The hotlists are followed with one or two introductory paragraphs to set the stage for the rest of the chapter.

- Topical coverage—After the opening hotlists and introductory text, each chapter covers a series of topics related to the chapter’s subject. Throughout that section, we highlight topics or concepts that are likely to appear on a test, using a special element called an Exam Alert:

  Exam Alert: This is what an alert looks like. Normally, an alert stresses concepts, terms, software, or activities that are likely to relate to one or more certification test questions. For that reason, we think any information in an alert is worthy of extra attentiveness on your part.

  Pay close attention to material flagged in Exam Alerts; although all the information in this book pertains to what you need to know to pass the exam, Exam Alerts contain information that is really important. Of course, you need to understand the “meat” of each chapter, too, when preparing for the test. Because this book’s material is condensed, we recommend that you use this book along with other resources to achieve the maximum benefit.

  In addition to the alerts, we provide tips and notes to help you build a better foundation for security knowledge. Although the tip information might not be on the exam, it is certainly related and will help you become a better-informed test taker.

  Tip: This is how tips are formatted. Keep your eyes open for these, and you’ll become a Security+ guru in no time!

  Note: This is how notes are formatted. Notes direct your attention to important pieces of information that relate to the CompTIA Security+ certification.

- Exam prep questions—Although we talk about test questions and topics throughout this book, the section at the end of each chapter presents a series of mock test questions and explanations of both correct and incorrect answers.

- Details and resources—Every chapter ends with a section that provides direct pointers to CompTIA and third-party resources that offer more information about the chapter’s subject. That section also tries to rank or at least rate the quality and thoroughness of the topic’s coverage by each resource. If you find a resource you like in that collection, you should use it; don’t feel compelled to use all the resources. On the other hand, we recommend only resources that we use on a regular basis, so none of our recommendations will be a waste of your time or money. (However, purchasing them all at once probably represents an expense that many network administrators and CompTIA certification candidates might find hard to justify.)

Although the bulk of this book follows the chapter structure just described, we want to point out a few other elements:

- “Practice Exam 1” and “Practice Exam 2” and the answer explanations provide good reviews of the material presented throughout the book to ensure that you’re ready for the exam.

- The Glossary defines important terms used in this book.

- The tear-out Cram Sheet attached next to the inside front cover of this book represents a condensed collection of facts and tips that we think are essential for you to memorize before taking the test. Because you can dump this information out of your head onto a sheet of paper just before taking the exam, you can master this information by brute force; you need to remember it only long enough to write it down when you walk into the testing room. You might even want to look at it in the car or in the lobby of the testing center just before you walk in to take the exam.

- The MeasureUp Practice Tests CD-ROM that comes with each Exam Cram and Exam Prep book features a powerful, state-of-the-art test engine that prepares you for the actual exam. MeasureUp Practice Tests are developed by certified IT professionals and are trusted by certification students around the world. For more information, visit http://www.measureup.com.

Exam Topics

Table I-1 lists the skills measured by the SY0-201 exam and the chapter in which the topic is discussed.
Some topics are covered in other chapters, too.

Table I-1  CompTIA SY0-201 Exam Topics

Chapter  Exam Topic

Domain 1.0: Systems Security
   1     Differentiate among various systems security threats.
   1     Explain the security risks pertaining to system hardware and peripherals.
   7     Implement OS hardening practices and procedures to achieve workstation and server security.
   2     Carry out the appropriate procedures to establish application security.
   4     Implement security applications.
   4     Explain the purpose and application of virtualization technology.

Domain 2.0: Network Infrastructure
   3     Differentiate between the different ports and protocols and their respective threats and mitigation techniques.
   3     Distinguish between network design elements and components.
   3     Determine the appropriate use of network security tools to facilitate network security.
   4     Apply the appropriate network tools to facilitate network security.
   4     Evaluate user systems and recommend appropriate settings to optimize performance.
   2     Explain the vulnerabilities and mitigations associated with network devices.
   2     Explain the vulnerabilities and mitigations associated with various transmission media.
   6     Explain the vulnerabilities and implement mitigations associated with wireless networking.

Domain 3.0: Access Control
   5     Identify and apply industry best practices for access control methods.
   5     Explain common access control models and the differences between each.
   4     Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.
   4     Apply appropriate security controls to file and print resources.
   4     Compare and implement logical access control methods.
   5     Summarize the various authentication models and identify the components of each.
   6     Deploy various authentication models and identify the components of each.
   5     Explain the difference between identification and authentication (identity proofing).
   5     Explain and apply physical access security methods.

Domain 4.0: Assessments and Audits
   7     Conduct risk assessments and implement risk mitigation.
   7     Carry out vulnerability assessments using common tools.
   7     Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.
   8     Use monitoring tools on systems and networks and detect security-related anomalies.
   8     Compare and contrast various types of monitoring methodologies.
   8     Execute proper logging procedures and evaluate the results.
   8     Conduct periodic audits of system security settings.

Domain 5.0: Cryptography
   9     Explain general cryptography concepts.
   9     Explain basic hashing concepts and map various algorithms to appropriate applications.
   9     Explain basic encryption concepts and map various algorithms to appropriate applications.
  10     Explain and implement protocols.
  10     Explain core concepts of public key cryptography.
  10     Implement PKI and certificate management.

Domain 6.0: Organizational Security
  11     Explain redundancy planning and its components.
  11     Implement disaster recovery procedures.
  12     Differentiate between and execute appropriate incident response procedures.
  12     Identify and explain applicable legislation and organizational policies.
  12     Explain the importance of environmental controls.
  12     Explain the concept of and how to reduce the risks of social engineering.

Given all the book’s elements and its specialized focus, we’ve tried to create a tool that will help you prepare for and pass CompTIA Security+ Exam SY0-201. Please share with us your feedback on this book, especially if you have ideas about how we can improve it for future test takers. Send your questions or comments about this book via email to feedback@quepublishing.com. We’ll consider everything you say carefully, and we’ll respond to all suggestions. For more information about this book and other Exam Cram titles, visit our website at http://www.informit.com/examcram.

Thanks for making this Exam Cram book a pivotal part of your certification study plan. Best of luck on becoming certified!

© Copyright Pearson Education. All rights reserved.

Table of Contents

Page  Title

   1  Introduction
   2     The CompTIA Certification Program
   3     Taking a Certification Exam
   4     Tracking Certification Status
   5     About This Book
   5        Chapter Format and Conventions
   7        Exam Topics
  11  Self-Assessment
  11     CompTIA Certification in the Real World
  12        The Ideal CompTIA Certification Candidate
  14        Put Yourself to the Test
  19     How to Prepare for an Exam
  19        Studying for the Exam
  21        Testing Your Exam Readiness
  22     Dealing with Test Anxiety
  23     Day of the Exam

Part I: System Security

  27  Chapter 1: System Threats and Risks
  28     Systems Security Threats
  28        Privilege Escalation
  30        Viruses
  31        Worms
  32        Trojans
  32        Spyware
  33        Spam
  34        Adware
  35        Rootkits
  36        Botnets
  37        Logic Bombs
  38        Protecting Against Malicious Code
  38     Security Threats to System Hardware and Peripherals
  38        BIOS
  40        USB Devices
  41        Handheld Devices
  42        Removable Storage
  42        Network-Attached Storage
  44     Exam Prep Questions
  46     Answers to Exam Prep Questions
  48     Suggested Reading and Resources
  48     References

  49  Chapter 2: Online Vulnerabilities
  50     Web Vulnerabilities
  50        Java and JavaScript
  52        ActiveX Controls
  52        Cookies
  54        Common Gateway Interface Vulnerabilities
  55        Browser Threats
  56        Peer-to-Peer Networking
  56        Instant Messaging
  57        Simple Mail Transport Protocol Relay
  57     Protocol Vulnerabilities
  57        SSL/TLS
  58        LDAP
  59     File Transfer Protocol Vulnerabilities
  59        Anonymous Access
  59        Unencrypted Authentication
  60     Wireless Network Vulnerabilities
  60        WAP and i-Mode
  61        WLANs
  61        Wired Equivalent Privacy
  62        Wi-Fi Protected Access
  62        802.11i
  62        Site Surveys
  63     Network Device and Transmission Media Vulnerabilities
  66     Exam Prep Questions
  68     Answers to Exam Prep Questions
  70     Additional Reading and Resources

Part II: Infrastructure Security

  73  Chapter 3: Infrastructure Basics
  74     Port and Protocol Threats and Mitigation Techniques
  76        Antiquated and Older Protocols
  77        TCP/IP Hijacking
  78        Null Sessions
  79        Spoofing
  80        Man in the Middle
  81        Replay
  81        Denial of Service
  83        Distributed DoS
  85        DNS Kiting
  85        DNS Poisoning
  87        ARP Poisoning
  88     Network Design Elements and Components
  88        Demilitarized Zone
  90        Intranet
  90        Extranet
  90        Virtual Local Area Network
  91        Network Address Translation
  92        Subnetting
  94        Network Interconnections
  95        Network Access Control
  96        Telephony
  98     Network Security Tools
  98        NIDS and HIDS
  99        Network Intrusion Prevention System
  99        Firewalls
 101        Proxy Servers
 102        Internet Content Filters
 103        Protocol Analyzers
 104     Exam Prep Questions
 106     Answers to Exam Prep Questions
 108     Additional Reading and Resources

 109  Chapter 4: Infrastructure Security and Controls
 110     Implementing Security Applications
 110        Personal Software Firewalls
 111        Antivirus
 112        Antispam
 113        Pop-Up Blockers
 114     Virtualization Technology
 116     Applying Network Tools to Facilitate Security
 116        Firewalls
 117        Proxy Servers
 118        Internet Content Filters
 118        Protocol Analyzers
 118     Logical Access Control Methods
 119        Security Groups and Roles with Appropriate Rights and Privileges
 121        Security Controls for File and Print Resources
 122        Access Control Lists
 123        Group Policies
 124        Password Policy
 127        Logical Tokens
 128        Physical Control
 128     Risk and Return on Investment
 128        Identifying Risk
 129        Asset Identification
 130        Risk and Threat Assessment
 131        Vulnerabilities
 131        Calculating Risk
 132        Calculating ROI
 134     Exam Prep Questions
 136     Answers to Exam Prep Questions
 137     Additional Reading and Resources

Part III: Access Control

 141  Chapter 5: Access Control and Authentication Basics
 142     Access Control
 143        Mandatory Access Control
 143        Discretionary Access Control
 144        Role-Based Access Control
 144        Access Control Best Practices
 146     Authentication
 147        Kerberos Authentication
 150        Mutual Authentication
 150        Challenge-Handshake Authentication Protocol
 151        Terminal Access Controller Access Control System Plus
 151        Remote Authentication Dial-In User Service
 151        IEEE 802.1x
 152        Certificates
 152        Username and Password
 153        Tokens
 153        Biometrics
 154        Multifactor Authentication
 155        Single Sign-On
 155        Identity Proofing
 156     Operating System Hardening
 156        Nonessential Services and Protocols
 156        Patch Management
 157        Security Settings
 158     Physical Access Security Methods
 160        Physical Barriers
 160        Facilities
 161        Other Deterrents
 164     Exam Prep Questions
 166     Answers to Exam Prep Questions
 168     Additional Reading and Resources

 169  Chapter 6: Securing Communications
 170     Remote Access
 171        802.1x Wireless Networking
            VPN Connections
. . . . . . . . . . . . . . . . . . . . . . 173Dial-Up User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Secure Shell Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177Remote Desktop Protocol (RDP). . . . . . . . . . . . . . . . . . . . . . . . . . 178Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Electronic Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Secure Multipurpose Internet Mail Extension . . . . . . . . . . . . . . . 181Pretty Good Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Undesirable Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183Web Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184Hypertext Transport Protocol over Secure Sockets Layer . . . . . 184Secure Sockets Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185Transport Layer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Answers to Exam Prep Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188Suggested Reading and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190Part IV: Assessments and AuditsChapter 7: Intrusion Detection and Security Baselines . . . . . . 193Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Methods of Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Intrusion-Detection Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197Honeypots and Honeynets . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . 201Incident Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202Security Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Answers to Exam Prep Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213Additional Reading and Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215Chapter 8: Auditing. . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . 217Using Monitoring Tools to Detect Security-Related Anomalies . . . . . 218Performance Benchmarking and Baselining . . . . . . . . . . . . . . . . 220Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221System Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222Protocol Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225Monitoring Methodologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226Behavior-Based Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227Anomaly-Based Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228Signature-Based Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Logging Procedures and Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Application Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . 233Performance Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Access Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234Firewall Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235Antivirus Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Periodic Audits of System Security Settings . . . . . . . . . . . . . . . . . . . . . . 236User Access and Rights Review . . . . . . . . . . . . . . . . . . . . . . . . . . . 237Storage and Retention Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 240Group Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243Answers to Exam Prep Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245Additional Reading and Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247Part V: CryptographyChapter 9: Cryptography Basics. . . . . . . . . . . . . . . . . . . . 251Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252Symmetric Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253Asymmetric Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256CIA Triad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257Confidentiality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
258Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259Nonrepudiation and Digital Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . 259Whole Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261Trusted Platform Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262Hashing Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263Cryptographic Hash Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . 264Windows Authentication Hashing Algorithms. . . . . . . . . . . . . . . 264Symmetric Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265Asymmetric Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271Answers to Exam Prep Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273Suggested Readings and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274Chapter 10: Cryptography Deployment . . . . . . . . . . . . . . . . . . . . . . . 275PKI Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277PKIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277Public Key Cryptography Standards . . . . . . . . . . . . . . . . . . . . . . . 278X.509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279PKI Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281Registration Authorities. . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . 282Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282Certificate Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283Certificate Practice Statements. . . . . . . . . . . . . . . . . . . . . . . . . . . . 283Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284Trust Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284Key Management and the Certificate Life Cycle. . . . . . . . . . . . . . . . . . 286Centralized Versus Decentralized. . . . . . . . . . . . . . . . . . . . . . . . . . 287Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287Key Escrow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288Expiration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289Status Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290Suspension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290M of N Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291Destruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291Key Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291Multiple Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292Protocols and Applications . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . 292SSL and TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292Point-to-Point Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . . . . 293Layer 2 Tunneling Protocol and IP Security . . . . . . . . . . . . . . . . 294Secure/Multipurpose Internet Mail Extensions . . . . . . . . . . . . . 294Pretty Good Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295Secure Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297Answers to Exam Prep Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300Suggested Readings and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302Part VI: Organizational SecurityChapter 11: Organizational Security . . . . . . . . . . . . . . . . . 305Disaster Recovery and Redundancy Planning . . . . . . . . . . . . . . . . . . . . 306Redundant Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311Redundant Equipment and Connections . . . . . . . . . . . . . . . . . . . 313Service Level Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319Backup Techniques and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320Backup Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321System Restoration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325Answers to Exam Prep Questions . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . 327Suggested Readings and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329Chapter 12: Organizational Controls . . . . . . . . . . . . . . . . . . . . . . . . 331Incident Response Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332Chain of Custody . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333First Responders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334Damage and Loss Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335Reporting and Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335Applicable Legislation and Organizational Policies . . . . . . . . . . . . . . . 336Secure Disposal of Computers and Media . . . . . . . . . . . . . . . . . . 337Acceptable Use Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338Password Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340Classification of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341Separation of Duties and Mandatory Vacations . . . . . . . . . . . . . . 342Personally Identifiable Information . . . . . . . . . . . . . . . . . . . . . . . . 343Due Care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344Due Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345Service Level Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345Security-Related Human Resources Policy . . . . . . . . . . . . . . . . . 
346User Education and Awareness Training. . . . . . . . . . . . . . . . . . . . 346The Importance of Environmental Controls . . . . . . . . . . . . . . . . . . . . . 347Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348HVAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350The Risks of Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354Hoaxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355Shoulder Surfing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355Dumpster Diving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355User Education and Awareness Training. . . . . . . . . . . . . . . . . . . . 356Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358Answers to Exam Prep Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360Recommended Reading and Resources. . . . . . . . . . . . . . . . . . . . . . . . . . 361Part VII: Practice Exams and AnswersPractice Exam 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365Practice Exam 1 Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . 389Answers at a Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389Answers with Explanations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390Practice Exam 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Practice Exam 2 Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . 439Answers at a Glance . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . 439Answers with Explanations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440Appendix: What’s on the CD-ROM . . . . . . . . . . . . . . . . . . . . 467Multiple Test Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467Study Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467Certification Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467Custom Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468Attention to Exam Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468Installing the CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468Creating a Shortcut to the MeasureUp Practice Tests . . . . . . . . . . . . . 469Technical Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . 471Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493