- Security+ SY0-601 Certification
- Security+ SY0-601: Passing the Security+ Exam
- Security+ SY0-601: Definitions and Catchwords
- Security+ SY0-601: 1.0 Threats, Attacks, and Vulnerabilities
- Security+ SY0-601: 1.1 Social Engineering Techniques
- Security+ SY0-601: 1.2 Indicators of Attack
- Security+ SY0-601: 1.3 Application Attacks
- Security+ SY0-601: 1.4: Network Attack Indicators
- Security+ SY0-601: 1.5: Threat Actors, Vectors, and Intelligence Sources
- Security+ SY0-601: 1.6: Vulnerabilities
- Security+ SY0-601: 1.7: Security Assessment
- Security+ SY0-601: 1.8: Penetration Testing
- Security+ SY0-601: 2.0 Architecture and Design
- Security+ SY0-601: 2.1 Enterprise Security Architecture
- Security+ SY0-601: 2.2: Virtualization and Cloud Security
- Security+ SY0-601: 2.3: Secure Application Development, Deployment and Automation
- Security+ SY0-601: 2.4: Authentication and Authorization
- Security+ SY0-601: 2.5: Implementing Cybersecurity Resilience
- Security+ SY0-601: 2.6: Embedded and Specialized Systems
- Security+ SY0-601: 2.7: Physical Security Controls
- Security+ SY0-601: 2.8: Cryptography
- Security+ SY0-601: 3.0: Implementation
- Security+ SY0-601: 3.1 Secure Protocols
- Security+ SY0-601: 3.2: Host and Application Security
- Security+ SY0-601: 3.3: Secure Network Design
- Security+ SY0-601: 3.4: Wi-Fi Security
- Security+ SY0-601: 3.5: Secure Mobile Solutions
- Security+ SY0-601: 3.6: Cybersecurity Solutions in the Cloud
- Security+ SY0-601: 3.7: Identity and Account Management Controls
- Security+ SY0-601: 3.8: Implement Authentication and Authorization Solutions
- Security+ SY0-601: 3.9: Public Key Infrastructure
- Security+ SY0-601: 4.0: Operations and Incident Response
- Security+ SY0-601: 4.1: Tools to Assess Organizational Security
- Security+ SY0-601: 4.2: Policies, Processes, and Procedures for Incident Response
- Security+ SY0-601: 4.3: Appropriate Data Sources for Investigation
- Security+ SY0-601: 4.4: Mitigation Techniques
- Security+ SY0-601: 4.5: Digital Forensics
- Security+ SY0-601: 5.0: Governance, Risk, and Compliance
- Security+ SY0-601: 5.1: Types of Controls
- Security+ SY0-601: 5.2 Regulations, Standards, and Frameworks
- Security+ SY0-601: 5.3: Policies and Organizational Security
- Security+ SY0-601: 5.4: Risk Management Processes and Concepts
- Security+ SY0-601: 5.5: Privacy and Sensitive Data
- Security+: My Favorite Free Tools
- Security+ : Sample Questions
- Passing the CompTIA Exams
- Understanding CompTIA Objectives Using Bloom’s Taxonomy
Chapter 24: Implement Authentication and Authorization Solutions
A lot of this material should look familiar from Chapter 12. The emphasis here is on actual implementation.
Authentication management
Password keys
Password vaults
TPM: Trusted platform module
HSM: Hardware security module
Knowledge-based authentication
Authentication / Authorization
EAP
CHAP: Challenge-Handshake Authentication Protocol
Shibboleth
MS-CHAPv2: The industry-standard contemporary CHAP, used even by Cisco.
PAP: Password Authentication Protocol
802.1x
RADIUS
SSO: Single sign-on
SAML: Security Assertion Markup Language
TACACS+: Terminal Access Controller Access Control System Plus
Remote Access
PAP
CHAP
MSCHAPv2
RADIUS and TACACS+
Open Authorization Standard
SAML
OpenID Connect
OAUTH
Access Control
Access control comprises mechanisms for limiting access to information or resources, based on
-
-
- user identity
- membership in groups
-
Routers and operating systems store this information in an Access Control List (ACL).
An ACL consists of access control entries (ACEs).
A guide to understanding Cisco Access Control Lists:
Cisco Access Control Lists (ACL) at
https://web.archive.org/web/20120803051759/http://www.networkclue.com/routing/Cisco/access-lists/index.aspx
Another example courtesy of JLSNet:
https://web.archive.org/web/20120229184518/http://www.jlsnet.co.uk/index.php?page=cc_access
What these rules look like as Linux kernel firewall rules (thanks to the JustLinux Forums):
https://web.archive.org/web/20120229184518/http://www.jlsnet.co.uk/index.php?page=cc_access
Access Control Models
ABAC: Attribute-based access control
RBAC: Role-based access control
All access is defined by a user’s specific role, for instance:
-
-
-
-
- Manager
- Accountant
- HR
-
-
-
One user may have many roles.
RBAC (601) or RB-RBAC (501): Rule-based (role-based) access control (a concept almost entirely unique to CompTIA).
Yes, this is a thing. The Security+ test may ask about Rule-Based Access Control, or Rule-Based Role-Based Access Control (RB-RBAC). Think of this as a protocol where a rule-based mechanism like a router assigns a role to a user based on those rules.
MAC: Mandatory access control
This type of access control is used in government and military environments where objects are labelled as “Top Secret” or “Secret,” for example.
No subject can alter another subject’s access level.
All access is strictly defined at the object level:
-only members of a specific group have access.
and at the group level:
-access to an object requires membership in a certain group.
You cannot read up (above your security grade), and
You cannot save down (to below your security grade).
DAC: Discretionary access control (MS DOS and Windows for Workgroups)
This is the least restrictive model. Think of Windows workgroup permissions: the user of a PC shares a folder, assigns a password, and sets permission (for instance, read-only).
The user decides everything.
Conditional access
Privileged access management
Filesystem permissions
Securing File Systems
This is all about restricting user access, primary through Access Control Lists (ACLs).
In Windows
NTFS allows file and folder access permissions (though older versions only controlled folder permissions).
FAT32 provides no access control.
Active Directory provides domain-based management (and replaces the older NT Domain model).
The Microsoft Management Console (MMC) is a utility that can control almost every aspect of a system.
MMC accepts “snap-ins” for expanded functionality.
The Security Template snap-in organizes security attributes in one screen.
Groups of computers sharing a security configuration are Group Policy Objects.
Group Policy Settings define these configurations.
Domain-based settings, however, cannot be overridden by group policy settings.
Windows rights based on group membership are inherited rights. These may include:
-
-
-
- Full Control
- Modify
- Read
- List Contents
- Execute
- Write
-
-
In Linux
Basic file and folder permissions can be controlled at the operating system level.
Larger networks use domain services and directories:
-
-
- Network Information Service (NIS)
- Novell Directory Services
- OpenLDAP: Sun, Netscape and other directory services
-
Cloud Authentication
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html