N10-009 Network Security Study Guide for the CompTIA Network+
General Information
This is study material for the CompTIA Network+ N10-009 exam, which replaced the old Network+ N10-008 exam as of December 20, 2024. Be sure you are studying for the right test.
Security questions occupy the least proportion of the CompTIA Network+ N10-009 exam at about 14%, but there are many important concepts in this category. Fully one-third of these questions begin with a scenario, so you’ll also need to be able to apply what you know.
Basic Network Security
Network security refers to the tools, methods, practices, and techniques used to protect a network from unauthorized access, cyberattacks, or data breaches. For the Network+ N10-009 exam, you should be familiar with and be able to explain the importance of basic network security.
Logical Security
Logical security is the protection of data in all states at the software level. Logical security involves using numerous software-based techniques such as encryption, access control lists (ACLs), certificates, authorization, and authentication.
Encryption
Encryption is the process of applying a mathematical algorithm to plaintext data to create scrambled data, which is only decipherable by applying the appropriate key for decryption. For security, data should have encryption applied to all states: in transit, at rest, and in use.
- Data in transit describes data as it actively moves through a network or system.
- Data at rest describes data written to disk or otherwise held in storage.
- Data in use describes data that is in active memory or otherwise being processed, where it may be in an inconsistent state.
Certificates
A certificate is a digital credential granted to an entity as proof that the entity is who it claims to be and meets a set of predefined cybersecurity rules for data protection. Certificates are commonly used to verify secure websites.
Public Key Infrastructure (PKI)
The PKI is the system that is used to create, manage, distribute, and revoke digital certificates. While the PKI is a highly complex system, the basics are as follows: A registration authority (RA) receives a request for a certificate and verifies the identity of the requesting entity. After verification, the certificate authority (CA) issues a digital certificate containing the entity’s public key, signed with the CA’s private key. Another entity, the validation authority (VA), checks the validity of the issued digital certificate by verifying the digital signature that the CA made with its private key.
Self-Signed
A self-signed certificate is one that is issued and verified by the same entity. A self-signed certificate does not use a trusted third-party entity for issuance or verification. In general, a self-signed certificate is not secure, but it may be useful within a network or intranet.
Identity and Access Management (IAM)
IAM is a framework for authenticating and authorizing users to a network. An IAM system ensures users are authenticated to their assigned roles, groups, and access levels and may employ the use of the single sign-on method or multi-factor authentication.
Authentication
Authentication is a process for verifying that a user is who they claim to be, which typically involves a user name, as well as a password or verification code. Authentication methods can verify the identity of individuals, devices, or systems requesting access to a network or resource.
multi-factor authentication (MFA)—MFA is a technique that requires two or more methods of identity verification to access a resource. Identity verification can be validated using five different characteristics: something you know (e.g., a password), something you are (e.g., biometrics such as fingerprint scans, facial recognition, or iris scans), something you have (e.g., a smartcard), somewhere you are (e.g., GPS location), and something you do (e.g., patterns of behavior).
single sign-on (SSO)—SSO is an authentication method that uses one set of credentials to log in to multiple applications and resources. With SSO, when a user logs in to the primary domain, a token is created that is then used to verify the user to other connected resources automatically, without requiring reauthentication by the SSO user.
Remote Authentication Dial-In User Service (RADIUS)—RADIUS is a remote authentication protocol that stores user authentication data in a centralized database, which is then used to verify the user to the network using the User Datagram Protocol (UDP). Both RADIUS and TACACS+ are protocols based on the authentication, authorization, and accounting (AAA) framework. AAA is a security model used for centralizing authentication and simplifying administration.
Lightweight Directory Access Protocol (LDAP)—LDAP is a directory service for database management. It provides authentication similar to SSO for network data and resource access, as well as maintenance capabilities for the database. LDAP is an open-source protocol that uses TCP port 389. LDAP also has a secure version that uses SSL over TCP port 636.
Security Assertion Markup Language (SAML)—SAML is used to exchange user authentication and authorization data between secure web domains and is commonly used in SSO. For example, using SAML, a user can log in to a website, which is the service provider (SP), using their Google credentials, with Google acting as the identity provider (IdP). The SP sends the credentials to the IdP, which verifies them along with the associated authorizations, and then returns the verified identity data to the SP.
Terminal Access Controller Access Control System Plus (TACACS+)—The TACACS+ protocol is used for remote authentication between a remote access point (RAP) and users. TACACS+ uses a Transmission Control Protocol (TCP) connection to transmit authentication requests from the remote user, through the authentication server, and to the remote network access server.
time-based authentication—Time-based authentication is a method of authentication that places a specific time parameter on the validity of the authentication method. Time-based authentication commonly employs the use of hardware or software tokens that generate a one-time password (OTP) for identity authentication. For example, when logging in to a website, an OTP might be generated and sent via SMS message to a registered device, with the OTP being valid for five minutes.
Authorization
Authorization refers to the access an authenticated user has to network resources and functions. Authorization security is based on the principle of least privilege and can be assigned based on various factors such as user roles or physical location.
least privilege—Least privilege, or the principle of least privilege, is a security concept that states that any user’s access or permissions should be limited to only the resources required to perform their specific duties. For example, a user working in human resources should not require access to company financial data to perform their duties. Limiting access is a fundamental way to reduce exposure to cybersecurity threats.
role-based access control (RBAC)—RBAC is a security practice in which users are assigned access and permissions based on their roles or groups within an organization. Using RBAC streamlines the process of assigning permissions to users by placing a user in a group with previously defined permissions instead of assigning those permissions individually. For example, if a new hire is assigned to the sales force, that new hire can be added to the sales user group.
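The least-privilege and RBAC points above translate directly into code. The following is an added example, not code from the study guide: a small deny-by-default role model for a hypothetical company with constructed roles (hr, sales, finance, auditor) and permission names. It shows the new-hire-joins-the-sales-group pattern, the HR user being refused financial data, and a review helper that flags granted-but-unused permissions as candidates for removal.

```python
from dataclasses import dataclass, field

# Constructed role definitions for a hypothetical company. Each role carries
# only the permissions its duties require (least privilege). Anything not
# listed here is never granted, so the default answer is "deny".
ROLE_PERMISSIONS = {
    "hr": {"employee_records:read", "employee_records:write"},
    "sales": {"crm:read", "crm:write"},
    "finance": {"ledger:read", "ledger:write"},
    "auditor": {"ledger:read", "employee_records:read"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Add a user to a group. Unknown roles are rejected so that a typo cannot
    create an undefined (and therefore unreviewed) permission set."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    user.roles.add(role)


def permissions_for(user: User) -> set:
    """Effective permissions are the union of the user's roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: only an explicitly granted permission passes."""
    return permission in permissions_for(user)


def excess_permissions(user: User, used: set) -> set:
    """Least-privilege review: permissions granted but never exercised (for
    example, according to an access log) are candidates for removal."""
    return permissions_for(user) - used


if __name__ == "__main__":
    new_hire = User("new hire")
    assign_role(new_hire, "sales")          # one group membership, not individual grants
    print("sales can write CRM:", is_authorized(new_hire, "crm:write"))
    print("sales can read ledger:", is_authorized(new_hire, "ledger:read"))

    hr_user = User("pat")
    assign_role(hr_user, "hr")
    print("HR can read ledger:", is_authorized(hr_user, "ledger:read"))
    # Constructed access-log summary: pat only ever read records this quarter.
    print("unused HR permissions:", excess_permissions(hr_user, {"employee_records:read"}))
```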
Geofencing
Geofencing defines a geographical boundary using the Global Positioning System (GPS) and then triggers an operation when that boundary is crossed. Geofencing is commonly used in applications with location-based services that can be configured to notify the administrator when a geofence has been crossed. For example, a parent is using geofencing when they have a tracking application to alert them when their child with a location-aware device leaves the boundaries of their house.
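To make the boundary-crossing trigger concrete, here is an added example that is not part of the study guide: a circular geofence evaluated against a sequence of GPS fixes, using the haversine formula for distance on the Earth's surface. The fence centre, radius and track coordinates are constructed values standing in for the house in the paragraph above; the object reports an event only when a fix changes the inside/outside state, so a device sitting still does not generate repeated alerts.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two GPS fixes given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """Circular boundary. update() reports 'enter' or 'exit' only on a state change."""

    def __init__(self, lat: float, lon: float, radius_m: float):
        self.lat, self.lon, self.radius_m = lat, lon, radius_m
        self.inside = None  # unknown until the first fix arrives

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m

    def update(self, lat: float, lon: float):
        """Feed one GPS fix; returns 'enter', 'exit', or None when nothing changed."""
        now_inside = self.contains(lat, lon)
        event = None
        if self.inside is not None and now_inside != self.inside:
            event = "enter" if now_inside else "exit"
        self.inside = now_inside
        return event


def events_for_track(fence: Geofence, track) -> list:
    """Run a whole list of (lat, lon) fixes through the fence and keep the events."""
    return [e for e in (fence.update(lat, lon) for lat, lon in track) if e]


# Constructed data: a 200 m fence around a hypothetical house and four fixes.
HOUSE = (51.5007, -0.1246)
TRACK = [
    (51.5007, -0.1246),  # at home
    (51.5010, -0.1250),  # a few dozen metres away, still inside
    (51.5050, -0.1246),  # roughly 480 m north: leaves the fence
    (51.5008, -0.1246),  # back home
]

if __name__ == "__main__":
    fence = Geofence(*HOUSE, radius_m=200)
    for ev in events_for_track(fence, TRACK):
        print("alert:", ev)   # where a real app would notify the parent or administrator
```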
Physical Security
The physical security of a network is just as crucial as technological security practices. Physical security includes techniques and tactics for the detection and prevention of network intrusions. For the Network+ N10-009 exam, you should be able to explain the importance of physical security and be able to identify different physical security techniques.
Camera
A camera is a device that provides a video feed of the physical space within the device’s line of sight. Multiple cameras are commonly used simultaneously in closed-circuit television (CCTV) and Internet Protocol (IP) video surveillance systems. With CCTV, the camera feed is only stored locally, whereas with IP systems, the feed is transmitted to other locations via the internet.
Locks
A lock is a physical mechanism used to secure an entity or area. Locks come in numerous varieties and can be accessed through physical means, such as with a physical key, or through logical means, such as biometrics.
A locking rack is a method for securing a networking rack from physical access, usually through the use of a secure door or similar structure on the front of the rack. Locking racks can use unique keys, common keys, number locks, electronic locks, or biometric locks.
Locking cabinets are any type of storage device protected via a locking mechanism, such as file cabinets or storage cabinets. Locking cabinets can be used to secure sensitive documents or small, portable devices such as tablets.
A smart locker is a storage locker that uses an electromechanical locking mechanism and is connected to a software interface that can be used to lock, unlock, reset, or reassign locker access remotely. Smart lockers use various authentication methods, such as radio-frequency identification (RFID), near-field communication (NFC), or electronic keypads.
Deception Technology
Deception technology refers to tools used to trick a threat actor into attempting to access a fake asset. Such technology is deployed so that an organization can detect and analyze intrusions without the risk of an actual intrusion. Deception technologies range from single files to entire networks.
Honeypot
A honeypot is a security tactic that uses a segmented portion of a network to create an attractive fake target, such as a data file, for potential threat actors to attack. This simultaneously protects the network while providing information on the attack method or attacker.
Honeynet
A honeynet is an expanded version of a honeypot that creates an entire fake network for a threat actor to attack.
Common Security Terminology
To understand network security, you should be familiar with commonly used network and cybersecurity terminology.
Risk
A risk is the potential for harm to a network due to the exploitation of vulnerabilities by threats. A risk is commonly identified and assessed based on the likelihood of occurrence and the potential impact on the network or organization if the threat is realized.
Vulnerability
A vulnerability is any weak point in a network, including points that do not have security or countermeasures in place or that may have less secure countermeasures. A vulnerability may be related to hardware, software, or human error.
Exploit
An exploit is the means or tool by which a threat actor uses a vulnerability to further an attack. For example, if a threat actor uses malicious software to attack a vulnerability in a program, thereby infiltrating a company’s network and exporting their data, the malicious software would be the exploit.
Threat
In cybersecurity, a threat is anything that may compromise a system or network. Understanding threats and where they come from is integral to network security. An internal threat comes from within the network and is, therefore, behind the security controls that are designed to protect the network from outside intrusion, such as firewalls. An external threat comes from outside of the network.
Confidentiality, Integrity, and Availability (CIA) Triad
The CIA triad contains the three fundamentals of security. Confidentiality means that data contained in a network remains secure and protected against disclosure to unauthorized users or entities. Integrity means that the data contained in a network is not corrupted or altered by unauthorized users. Availability means that data contained in a network is accessible when needed by authorized users.
Audits and Regulatory Compliance
A regulation is a rule that applies to an organization and originates from an outside entity. Compliance is adherence to applicable rules, regulations, or industry standards. An audit is a thorough examination and evaluation of an organization. Audits, either internal or external, are used to evaluate a network for regulatory compliance.
Data Locality
Data locality or localization laws protect personal data by requiring that it be collected, processed, and stored in its country of origin, thereby requiring compliance with the data privacy laws of that country before the data can be exported to other countries.
Payment Card Industry Data Security Standards (PCI DSS)
The PCI DSS are regulatory standards enforced by banking and credit providers that specify required data security measures for any entity that handles data related to payment cards, including credit cards and debit cards. If compliance is not met, the payment card services of the non-compliant entity can be revoked.
General Data Protection Regulation (GDPR)
The GDPR is a law applicable to member states of the European Union that governs how consumer data is protected and used.
Network Segmentation Enforcement
Network segmentation enforcement is the practice of separating a network’s components (logical or hardware) and controlling access to the segments. Layer 1 segmentation is the physical separation of hardware components. Layer 2 segmentation on switches can be achieved logically by creating separate virtual local area networks (VLANs) for specific segments. Layer 3 segmentation on routers or through firewalls can be achieved using access control lists (ACLs).
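The Layer 3 control named above, an ACL, is easiest to understand by evaluating one. The block below is an added example and not part of the study guide: a small first-match ACL evaluator for a hypothetical three-segment network (user, web and database subnets with constructed 10.x addresses) that applies the implicit deny at the end of the list, plus a check for rules that an earlier, broader rule makes unreachable. Rule ordering and the implicit deny are the two places where segmentation policies most often turn out to permit more than intended.

```python
import ipaddress

# Constructed Layer 3 ACL for a hypothetical network with three segments.
# Rules are evaluated top to bottom; the first match wins; a packet that
# matches no rule is dropped by the implicit deny at the end of every ACL.
ACL = [
    # (action,  source network,  destination network, protocol, destination port)
    ("permit", "10.10.0.0/24", "10.20.0.0/24", "tcp",  443),   # users  -> web tier (HTTPS)
    ("deny",   "10.10.0.0/24", "10.30.0.0/24", "any",  None),  # users never reach the DB tier
    ("permit", "10.20.0.0/24", "10.30.0.0/24", "tcp",  5432),  # web tier -> database
    ("permit", "10.0.0.0/8",   "10.0.0.0/8",   "icmp", None),  # ping for troubleshooting
]


def _matches(rule, src_ip, dst_ip, proto, dport) -> bool:
    _, src_net, dst_net, rule_proto, rule_port = rule
    return (src_ip in ipaddress.ip_network(src_net)
            and dst_ip in ipaddress.ip_network(dst_net)
            and rule_proto in ("any", proto)
            and rule_port in (None, dport))


def evaluate(acl, src: str, dst: str, proto: str, dport=None) -> str:
    """Return 'permit' or 'deny' for one packet, first match wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if _matches(rule, src_ip, dst_ip, proto, dport):
            return rule[0]
    return "deny"  # implicit deny: nothing matched


def shadowed_rules(acl) -> list:
    """Indexes of rules that can never match because an earlier rule covers
    every packet they would match. A shadowed permit after a deny (or the
    reverse) usually means the policy does not do what its author intended."""
    shadowed = []
    for j, (_, j_src, j_dst, j_proto, j_port) in enumerate(acl):
        for i in range(j):
            _, i_src, i_dst, i_proto, i_port = acl[i]
            covers = (ipaddress.ip_network(j_src).subnet_of(ipaddress.ip_network(i_src))
                      and ipaddress.ip_network(j_dst).subnet_of(ipaddress.ip_network(i_dst))
                      and i_proto in ("any", j_proto)
                      and i_port in (None, j_port))
            if covers:
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample traffic between the segments.
    samples = [
        ("10.10.0.5", "10.20.0.7", "tcp", 443),    # user browsing the web tier
        ("10.10.0.5", "10.30.0.9", "tcp", 5432),   # user going straight for the database
        ("10.20.0.7", "10.30.0.9", "tcp", 5432),   # web tier querying the database
        ("10.20.0.7", "10.30.0.9", "tcp", 22),     # SSH from web tier: no rule, implicit deny
        ("192.168.1.1", "10.20.0.7", "tcp", 443),  # source outside every rule
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL, *pkt))
    print("shadowed rule indexes:", shadowed_rules(ACL))
```

Running the shadow check after every change is a cheap way to catch the classic mistake of appending a narrower permit below a broader deny (or vice versa) and assuming it takes effect.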
Internet of Things (IoT) and Industrial Internet of Things (IIoT)
IoT is a generalized term for devices that have internet or network connection capabilities. IoT devices have the ability to transmit data to and receive data from a centralized network interface via multiple connection methods, such as Bluetooth, wireless, or cellular. IoT devices use numerous wireless connection methods to communicate with other IoT devices and their centralized interface. These devices are, in general, insecure due to the limited amount of computing resources they contain. Methods for securing IoT communications include ensuring that all default passwords and settings are changed if possible, employing segmentation techniques or VLANs for communications, and staying current on updates and patches for the devices.
IIoT is a term used to describe IoT devices in the industrial setting, such as heat monitoring systems in a manufacturing facility.
Supervisory Control and Data Acquisition (SCADA), Industrial Control System (ICS), and Operational Technology (OT)
SCADA, ICS, and OT are industrial networked systems that employ the use of network-connected sensors to monitor all aspects of an industrial environment, as well as proactively detect, alert, and respond to potential problems or issues. OT is the broad term used for large networked systems used in industrial environments, with ICS being a subset of OT that is used primarily in manufacturing environments to control industrial processes, and SCADA working within ICS to provide real-time data in a centralized interface. SCADA is primarily used for monitoring and system status observation.
Guest
Guest network isolation is a wireless configuration that creates a separate network for guest connections, keeping the guest network completely separate from the primary network. Guest network isolation only provides internet access and uses client isolation to separate connected devices.
Bring Your Own Device (BYOD)
BYOD refers to the practice of using a personally owned device for business use and network access. A BYOD policy is used to define how a personal device can connect to a network and be used for work functions. BYOD policies often outline requirements addressing device security, such as requiring a personal identification number (PIN) for device unlock, disabling GPS tracking, or enabling remote wipe capabilities.