Dissecting the Security+ Exam
In this exam analysis, we tackle the CompTIA Security+ certification. (See www.comptia.org/certification/Security.) Released in early December 2002, this entry-level information security certification promises to become a popular choice for IT professionals seeking to demonstrate basic knowledge and skills in the subject matter. It’s still too early to rule on the market acceptance of this certification, but CompTIA’s global scope and strong reputation give this credential a good chance of becoming the leading entry-level information security certification.
As certification exams go, Security+ does not depart from the subject matter typical for most entry-level information security credentials. It consists of 100 multiple-choice questions across a broad array of topics—more on that soon—that must be completed in a 90-minute period. A passing score is 764 on a scale from 100 to 900, or about 85 percent. The Security+ exam costs $175 (for CompTIA members) or $225 (for non-members) and is available at both Prometric and VUE testing centers worldwide (but only in English at present). The exam code for Security+ is #SY0-101.
As an entry-level certification, Security+ seeks to identify individuals with two years of networking experience, with a strong working knowledge of TCP/IP, who also possess basic knowledge and skills in information security. To ensure the right underlying knowledge base, CompTIA recommends that candidates obtain A+ and Network+ certifications (or possess equivalent skills and knowledge). The Security+ exam objectives are broken into five information domains, weighted as shown in Table 1.
General Security Concepts
Because the overall focus of the Security+ exam is general information security concepts, skills and techniques, it’s no wonder that this domain receives the heaviest weight. This is something of a soup-to-nuts category and includes coverage of access-control methods and mechanisms, along with coverage of virtually all important or well-known authentication techniques (including Kerberos, CHAP, public key certifications, username/password logins, token-based authentication and so forth). Best security practices (including elimination of all non-essential services and protocols) are also stressed.
Likewise, this domain puts a strong emphasis on understanding various types of security threats and potential sources of attack or compromise. All well-known types of attacks, from denial of service to “man in the middle” to spoofing, session hijacking, password attacks and so forth, must be understood in principle and in historical context. Various types of malicious code—viruses, Trojan horses, logic bombs and worms—must also be understood, along with various well-known exemplars of each type. Candidates must also understand how social engineering attacks may be perpetrated against the unsuspecting and how such attacks may be foiled by implementing proper security policy and training efforts.
Finally, the role of system auditing and scanning for anomalies and attack signatures must also be understood. Throughout, Security+ coverage emphasizes that security is an ongoing process, where active vigilance and monitoring are necessary.
This domain concentrates its coverage on those aspects of client-server or peer-to-peer interaction that involve communications across private or public networks (like the Internet). Topics covered include remote-access tools and techniques and related vulnerabilities, such as wireless communications (802.1x), virtual private networks and related tunneling protocols (L2TP and PPTP), various remote-access authentication services such as RADIUS (remote authentication dial-in user service), TACACS and TACACS+ (terminal access controller access control system), plus various secure protocols such as SSH and IP Security (IPSec) designed to improve remote-access security.
Various types of remote network services are covered in detail, including e-mail, Web services, directory services, file transfer and wireless networking. All follow a general pattern of understanding related threats or vulnerabilities and how various tools and technologies can counter them. For e-mail, this means understanding basic e-mail protocols (SMTP, POP3 and IMAP4), spam, hoaxes and virus propagation and how various tools and technologies such as spam filters, the secure multipurpose Internet mail extensions protocol and pretty good privacy (PGP) software can help avert or foil threats and exposures. For Web, it means understanding vulnerabilities and exposures related to instant messaging, active content and buffer overflows, and how secure session and packet protocols like SSL or TLS and HTTP/S can help reduce threats of attack or exposure. Directory services covers potential threats or exposures and related protocols and services, but does not require in-depth knowledge on how to configure or protect such services. File transfer covers various vulnerabilities based on anonymous access, file sharing and packet sniffing, along with methods based on secure implementations and port and address filtering to avoid potential threats or exposures. In the area of wireless networking, vulnerabilities related to the transport layer, 802.11 protocols and encryption and application protocols (WEP and WAP) are covered, along with tools and techniques to mitigate or prevent unwanted access and network penetration.
This topic covers the various aspects of networking infrastructure that are relevant security concerns. It covers infrastructure devices such as firewalls, routers, switches, hubs, servers and workstations. It also includes coverage of various types of networking and removable media, such as coax, UTP/STP and fiber-optic media, as well as removable media such as tape, CDR, hard drives, diskettes and so on. Security topologies, including various security zone types such as intranets, extranets and demilitarized zones (DMZs), as well as use of virtual LANS, network address translation (NAT) and protocol tunneling to enhance privacy, security and manageability, are also covered.
Intrusion detection is another major subject, where network- and host-based detection systems receive coverage. Likewise, concepts related to honeypots and honeynets are included, as well as basic incident response concepts and techniques. Security baselines and hardening techniques for operating systems, networks, applications and services close out this topic area.
Basics of Cryptography
Cryptography deserves its own category in the collection of Security+ information domains. Basic encryption algorithms and techniques are covered, including hashing as well as symmetric (shared private key) and asymmetric (public/private key pairs). Likewise, it’s essential to understand key concepts that motivate use of cryptography—such as confidentiality, integrity, authentication, non-repudiation and access controls, including how digital signatures fit into this overall environment.
The public key infrastructure (PKI) also comes in for significant discussion and coverage, including uses for digital certificates and related policies and practices, plus certificate management, revocation, storage, trust models and key escrow and recovery. Secure standards and protocols related to PKI (Kerberos, ISAKMP and so forth) are also covered, as is the key and certificate management lifecycle.
The final domain for Security+ deals with hands-on, operational issues, best practices and security implementation concerns. The topic of physical security is covered from numerous perspectives, including access controls, forestalling social engineering and preventing eavesdropping. Other key topics include disaster recovery and bu