Identity and Access Management (IAM)
Security process for identification, authentication, and authorization of users, computers, and entities.
Personnel
Employees with user accounts and access to the system.
Endpoints
Devices (desktops, laptops, tablets, cell phones) used to access the network.
Servers
Machines used for machine-to-machine communication, hosting mission-critical systems and encryption.
Software Roles
Applications requiring IAM, often using digital certificates.
Permissions
Define permissions based on the function an asset fulfills, applicable to personnel, endpoints, servers, and software.
IAM Systems and tools
Includes directory services and repositories, access management tools, and auditing and reporting systems.
Account Creation and Deprovisioning
Provisioning new accounts and disabling/deleting existing accounts.
Account Management
Involves resetting passwords and updating digital certificates.
Account Auditing
Reviewing account activity to ensure legitimacy.
Evaluating Identity-based Threats
Identifying and mitigating threats to IAM systems.
Maintaining Compliance
Ensuring the system meets security requirements and standards.
IAM Risks
The biggest risk in IAM is the risk posed by accounts themselves.
User Accounts
Standard accounts with basic permissions; least risky.
Privileged Accounts
Administrator, root, or superuser accounts with elevated permissions, requiring additional auditing.
Shared Accounts
Used in small office environments, posing a risk due to shared passwords and lack of individual accountability; not recommended.
Multifactor Authentication (MFA)
Means authenticating or proving identity using more than one method; at least two methods are required for MFA.
Two-factor Authentication (2FA)
A combination of two MFA categories; use 2FA to increase security.
Weaknesses of Passwords
Includes unchanged default credentials and common passwords.
Dictionary Attack
Guessing the password using every word or phrase in a dictionary, including variations like substituting symbols for letters.
Brute Force Attack
Trying every possible combination until the correct password is found.
Hybrid Attack
A combination of dictionary and brute force methods, using keywords related to the individual's life.
Prevention of password attacks
Password length and complexity; longer and more complex passwords are harder to crack.
Something You Have
A possession factor; examples include smart cards, RSA key fobs, and RFID tags.
Something You Are
An inherence factor; examples include fingerprints, retina scans, and voiceprints.
Something You Do
An action factor; the way a person signs his/her name, draws a pattern, or says a catchphrase.
Somewhere You Are
A location factor; geotagging is used to authenticate based on the current GPS location of a device.
Geofencing
Used to track devices and receive alerts if they enter or leave a predefined area; ensures that devices are in an authorized location for authentication.
Authentication
The process of determining whether someone or something is who/what they claim to be.
Local Authentication
Username/password verification stored locally; example includes personal laptop login.
LDAP (Lightweight Directory Access Protocol)
Centralized client/object database containing a hierarchical organization of the users, groups, servers, and systems in the network.
Kerberos
Validating user/password over the network; involves mutual authentication where the user verifies the server and the server verifies the user.
Key Distribution Center (KDC)
A component of the Kerberos protocol that manages the distribution of keys.
Ticket Granting Ticket (TGT)
A ticket used in authentication processes.
Service ticket/session key
A ticket used to access specific services after authentication.
Port 88
The network port used for Kerberos authentication.
SSO (Single Sign-On)
Single login for multiple resources.
Benefit of SSO
Simplifies access, reduces password management.
Drawback of SSO
Compromised credentials give access to all resources.
MFA
Multi-Factor Authentication can help keep access secure.
Example of SSO
Using Google account to log in to various services.
SAML (Security Assertion Markup Language)
XML-based authentication data exchange.
Roles in SSO or federated identity management
Service provider, User agent (e.g., web browser), Identity provider.
Example of SAML
Using Google as an identity provider to access a website.
RADIUS (Remote Authentication Dial-In User Service)
Centralized administration for authentication.
Usage of RADIUS
Dial-up, VPN, Wireless authentication.
Protocol for RADIUS
UDP.
Port 1812
The port used for RADIUS authentication.
Port 1813
The port used for RADIUS accounting.
TACACS+ (Terminal Access Controller Access-Control System Plus)
Cisco proprietary authentication/authorization.
Usage of TACACS+
802.1X network authenticator.
Protocol for TACACS+
TCP (slower than RADIUS).
Benefits of TACACS+
Can provide some additional security features.
Time-Based Authentication
A security mechanism that generates temporary dynamic passwords or tokens.
TOTP (Time-Based One-Time Passwords)
Most often implemented as part of MFA.
Benefit of Time-Based Authentication
Enhances security, resistant to replay attacks.
Implementation of Time-Based Authentication
Software (Google Authenticator), Hardware (RSA Key fob).
Least Privilege
Users should use the lowest level of permissions necessary to complete job functions.
Role-based Access
Methods of Access Control.
Discretionary Access Control (DAC)
Access control method where owners of resources determine access permissions.
Mandatory Access Control (MAC)
Access control policy where the computer system determines access.
Need-to-Know Principle
Users must have both the necessary clearance level and a need to know to access information.
Role-Based Access Control (RBAC)
Access control model based on defining roles for job functions.
Data Encryption
A fundamental method for securing data.
Unencrypted Data (Cleartext/Plaintext)
Easily accessible and viewable format.
Encrypted Data (Ciphertext)
Scrambled up and unreadable without the proper decryption key.
Benefits of Encryption
Mitigates risks associated with access control failures.
Data State
Location of data within a processing system.
Data at Rest
Data stored in memory, on hard drives, or on storage devices.
Data in Transit/Motion
Data moving between systems or within a system.
Data in Use/Processing
Data being read into memory or processed by the CPU.
Internet Protocol Security (IPSec)
A secure network protocol suite that provides authentication and encryption of data packets, creating a secure encrypted communication path between two computers over an internet protocol network.
Confidentiality
Achieved through data encryption.
Integrity
Ensured by hashing data before transmission and verifying the hash upon receipt.
Anti-replay
Prevents duplicate packet transmission and attacks involving captured and resent packets.
Key Exchange Request
Initiates the VPN connection.
IKE Phase 1
Authenticates the parties and establishes a secure channel for negotiation.
Diffie-Hellman key exchange
Used to create a shared secret key between the peers for establishing secure tunnels.
IKE Phase 2
Conducts three two-way exchanges between the peers, from the initiator to the receiver.
Aggressive Mode
Fewer exchanges for a faster initial connection; less secure.
Quick Mode
Only occurs after IKE has already established the secure tunnel in Phase 1.
Data Transfer
Allows data transfer over the secure tunnel using the negotiated parameters.
IPSec Tunnel Termination
Occurs when security associations are terminated through mutual agreement or due to timeout.
Transport Mode
Uses the original IP header; suitable for client-to-site VPNs.
Tunneling Mode
Encapsulates the entire packet; suitable for site-to-site VPNs.
Authentication Header (AH)
Provides data integrity and origin authentication, but not confidentiality.
Encapsulating Security Payload (ESP)
Provides authentication, integrity, replay protection, and confidentiality of the data.
Public Key Infrastructure (PKI)
A system of hardware, software, policies, procedures, and people that is based on asymmetric encryption.
Asymmetric Encryption
Uses public and private keys for encryption and decryption.
Public Key
Used to encrypt data.
Private Key
Used to decrypt data.
Authenticity
Verifies the identity of the data sender.
Certificate Authority (CA)
A trusted third party that issues digital certificates and maintains trust between CAs worldwide.
Key Escrow
Secure storage of cryptographic keys, allowing retrieval in cases of key loss or legal investigations.
Public Key Cryptography
Encryption and decryption process that is just one small part of the overall PKI.
PKI
Encompasses the entire system of managing digital keys and certificates.
AES
Used to create a secure tunnel for data transfer.
Digital Certificate
A digitally signed electronic document that binds a public key with a user's identity.
X.509 Protocol
Standard for digital certificates within PKI, containing owner/user information and certificate authority details.
Wildcard Certificate
Allows multiple subdomains to use the same public key certificate.