Network Security Study Guide for the CompTIA Network+

General Information

Approximately 19% of the questions on the CompTIA Network+ exam will assess your knowledge of security concepts and procedures. A fluid knowledge of security issues is vital for anyone working on network-related projects. About one-fifth of these questions will begin with a scenario and could require expertise in types of attacks, remote access methods, and physical security.

Basic Security Concepts

The proper implementation of security concepts, protocols, and practices is vital to the security of any network. While cybersecurity is a highly complex subject, you should be able to identify and explain common security concepts.

Confidentiality, Integrity, Availability (CIA)

The CIA triad are the three fundamentals of security. Confidentiality means that data contained in a network remains secure and protected against disclosure to unauthorized users or entities. Integrity means that the data contained in a network is uncorrupted or altered by unauthorized users. Availability means that data contained in a network is accessible when needed by authorized users.

Threats

In cybersecurity, a threat is anything that may compromise a system or network. Understanding threats and where they come from is integral to network security.

Internal

An internal threat is one that comes from within the network and is, therefore, behind the security controls that are designed to protect the network from outside intrusion, such as firewalls. The most prominent internal threat to a network is authorized users.

External

An external threat is one that comes from outside of the network. External threats are greatly varied and can include individuals, such as script kiddies (inexperienced hackers), and groups, such as advanced persistent threats (APTs), which are threats that remain hidden within a system.

Vulnerabilities

A vulnerability is any weak point in a network, including points that do not have security or countermeasures in place or that may have less secure countermeasures. A vulnerability may be hardware based, software based, or human based.

Common Vulnerabilities and Exposures (CVE)

The CVE system is a database of known vulnerabilities with information pertaining to that vulnerability, including what the threat is, what is vulnerable to the threat, and any known mitigation techniques for the vulnerability. The MITRE Corporation maintains the CVE system and uses the Common Vulnerability Scoring System (CVSS) to rank and classify vulnerabilities.

Zero-Day

A zero-day threat is one that has not been identified yet and does not yet have a signature (the identifying markers of a threat) or a defined mitigation technique. A zero-day threat can be as simple as a bug in an operating system (OS) or extremely complex, such as a new form of malware.

Exploit

An exploit is a means, such as a tool, by which a threat actor uses a vulnerability to further an attack. For example, if a threat actor uses malicious software to attack a vulnerability in a program, thereby infiltrating a company’s network and exporting their data, the malicious software would be the exploit.

Least Privilege

Least privilege, or the principle of least privilege, is a security concept that states that any user’s access or permissions should be limited to only the resources required to perform their specific duties. For example, a user working in human resources should not require access to company financial data to perform their duties. Limiting access is a fundamental way to avoid cybersecurity threats.

Role-Based Access Control (RBAC)

RBAC is a security practice in which users are assigned access and permissions based on their roles or groups within an organization. Using RBAC streamlines the process of assigning permissions to users by placing a user in a group with previously defined permissions instead of assigning those permissions individually. For example, if a new hire is assigned to the sales force, that new hire can be added to the sales user group.

Zero Trust

Zero trust refers to the strategy of restricting access to every resource in a network by default. In other words, verification must occur before users access any of those resources. Zero trust supports the principle of least privilege.

Defense in Depth

Defense in depth, also known as a layered security approach, is a security method that involves using security techniques at multiple points throughout a network. For example, a network could use access control lists, firewalls, data encryption, network segmentation, and physical security measures to create defense in depth.

Network Segmentation Enforcement

Network segmentation enforcement is the practice of separating a network’s components (logical or hardware) and controlling access to the segments. Layer 1 segmentation is the physical separation of hardware components. Layer 2 segmentation on switches can be achieved logically by creating separate virtual local area networks (VLANs) for specific segments. Layer 3 segmentation on routers or through firewalls can be achieved using access control lists (ACLs).

Perimeter Network

A perimeter network, also known as a demilitarized zone (DMZ), is a portion of a network created using a screened subnet that places publicly accessible resources, such as web servers, between two firewalls to isolate the perimeter network from the rest of the network.

Separation of Duty (SOD)

SOD is a security concept that states that operations vulnerable to misuse, fraud, or abuse by internal entities should be split into separate tasks, with a different entity responsible for each task. For example, large transfers of funds in an organization may require one person to request the transfer and a second person to execute the transfer.

Network Access Control (NAC)

NAC is a security technique that requires the host requesting access to have its security posture evaluated prior to access. For example, an NAC system may look to ensure that all OS or antimalware updates have been installed prior to access.

Honeypot

A honeypot is a security tactic that uses a segmented portion of a network to create an attractive fake target, such as a data file, for potential threats to attack. This simultaneously protects the network while providing information on the attack or attacker. A honeynet is an expanded version of a honeypot that creates an entire fake network for a threat actor to attack.

Authentication Methods

An authentication method is a process for verifying that a user is who they claim to be, which typically involves a user name of some type as well as a password or verification code. Authentication methods can be used to verify the identity of individuals, devices, or systems that request access to a network or resource.

Multi-Factor Authentication (MFA)

MFA is a technique that requires two or more methods of identity verification to access a resource. Identity verification can be validated using five different characteristics: something you know (password), something you are (biometrics), something you have (smartcards), somewhere you are (GPS location), and something you do (behavior).

Terminal Access Controller Access-Control System Plus (TACACS+)

The TACACS+ protocol is used for remote authentication between a remote access point (RAP) and users. TACACS+ uses a Transmission Control Protocol (TCP) connection to transmit authentication requests from the remote user, through the authentication server, and to the remote network access server.

Single Sign-On (SSO)

SSO is an authentication method that uses one set of credentials to log in to multiple applications and resources. With SSO, when a user logs in to the primary domain, a token is created that is then used to verify the user to other connected resources automatically, without requiring re-authentication by the SSO user.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a remote authentication protocol that stores user authentication data in a centralized database, which is then used to verify the user to the network using the User Datagram Protocol (UDP). Both RADIUS and TACACS+ are protocols based on the authentication, authorization, and accounting (AAA) framework. AAA is a security model used for centralizing authentication and simplifying administration.

Lightweight Directory Access Protocol (LDAP)

LDAP is a directory service for database management. It provides authentication, similar to SSO, for network data and resource access, as well as maintenance capabilities for the database. LDAP is an open-source protocol that uses TCP port 389. LDAP also has a secure version that uses SSL over TCP port 636.

Kerberos

Originally developed at the Massachusetts Institute of Technology (MIT), Kerberos is a security system used for authentication between trusted systems , such as an internal network, over an unsecure system, such as the internet. Kerberos is an open-source system that uses secret-key cryptography and a ticketing system for all communications.

Local Authentication

Local authentication is an authentication method that authorizes a user through a local machine rather than a domain. The user authentication data is stored directly on the machine. For example, facial recognition on a smartphone uses local authentication.

802.1X

802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard for access control on port-based networks that can be applied to wired or wireless networks. The 802.1x standard specifies the use of three components: the supplicant is the entity requesting access to the network, the authenticator is the device that receives the request from the supplicant, and the authentication server actually performs the centralized authentication.

Extensible Authentication Protocol (EAP)

EAP is a framework that defines which actions occur during the authentication process. It was designed to bolster the original 802.1x standard. The Protected EAP (PEAP), EAP Flexible Authentication via Secure Tunneling (EAP-FAST), and EAP Transport Layer Security (EAP-TLS) are different versions of the EAP protocol, with each defining how communication will occur.

Risk Management

Risk management is a method of protecting network data and resources that involves identifying, assessing, and controlling threats to the network. The goal of risk management is to prevent and minimize the impact of threats to the network, its resources, and its data.

Security Risk Assessments

A security risk assessment is designed to identify threats, vulnerabilities, and security weak points in a network. The assessment is then used to mitigate potential threats and improve the security of the network. Security risk assessments use multiple techniques to create a comprehensive view of the network and its associated risks.

Threat Assessment

A threat assessment is a security assessment that identifies perceived or potential threats to the network, their possible impact, the current security practices related to the threats, and their likelihood of occurrence. This data is combined, evaluated, and analyzed to create a risk rating, which is then used to make informed decisions for action related to the risk.

Vulnerability Assessment

A vulnerability assessment is a methodical approach to identifying potential weaknesses in the security of a network. A vulnerability scanner is a software tool that probes a network for weaknesses, identifies found weaknesses, and quantifies the severity of the weakness.

Penetration Testing

Penetration testing is a simulated attack on a program, system, or network that is designed to not only identify vulnerabilities, as a vulnerability scan does, but to also attempt to exploit the vulnerabilities that are found.

There are three primary strategies for penetration testing. In a blind test the testing team is provided very limited information, while the security team is alerted that an attack is to be expected. In a double-blind test the testing team is again provided with very limited information, but the security team is not alerted that an attack is to be expected. A target test is one in which both the testing team and the security team are provided with extensive information about the network and what kind of test will be done.

Posture Assessment

A posture assessment is an evaluation of an organization’s current security environment. A posture assessment looks at all aspects of an organization and its network, including hardware security, software security, logical security, and physical security, as well as its policies, procedures, and protocols, including current employee awareness and training.

Business Risk Assessments

A business risk assessment uses risk management techniques to evaluate potential threats to a business and the possible ramifications of these threats, which allows for proper mitigation based on the business’s specific requirements. During a business risk assessment, business assets are identified, the potential risks for each asset are defined, and the impact of the realized risks are identified through a process called threat modeling. With this information, the business can decide which mitigation technique should be employed in response.

Process Assessment

A process assessment is a risk assessment that evaluates the processes, policies, and procedures used within the business. A process assessment focuses on what steps are taken to achieve a goal and should be continually evaluated for optimal performance and security.

Vendor Assessment

A vendor is an entity that is not a part of a business but works for or with a business, requiring a link of shared data or information between the vendor and the business. A vendor assessment includes assessing a vendor’s security measures and access to the primary network. It also involves an evaluation of the service level agreements (SLAs) and contracts associated with that vendor.

Security Information and Event Management (SIEM)

A SIEM system is software, hardware, or services that provide integration of multiple security technologies into a single interface. Data aggregation and correlation, event alerting, compliance data, forensic analysis, data retention, and centralized dashboards are common services available in a SIEM system.