
Security+401 Course Introduction

Table of Contents

CompTIA Security+ (SY0-401) Introduction .................................................................................... 2

Notices ............................................................................................................................................ 3

Security+ SY0-401 Course Objectives ............................................................................................. 4

Gap Area ......................................................................................................................................... 7

A Security+ Certified Professional................................................................................................... 8

About the Security+ SY0-401 Exam -1 .......................................................................................... 10

About the Security+ SY0-401 Exam -2 .......................................................................................... 12

Get the most from this course ...................................................................................................... 13

Page 1 of 15

CompTIA Security+ (SY0-401) Introduction

© 2014 Carnegie Mellon University

**001 Instructor: Hi, I'm Dean Bushmiller, and we're going to talk about Security+ version 4. This


Notices

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.

**002 is an introduction to the course.


Security+ SY0-401 Course Objectives

Intent
• Provide a review of the Security+ “Domains”.
• Supplement preparation for the Security+ certification exam.

Security+ Domains (and percentage of questions on exam)
• Network Security 20%
• Compliance and Operational Security 18%
• Threats and Vulnerabilities 20%
• Application, Data, and Host Security 15%
• Access Control and Identity Management 15%
• Cryptography 12%

**004 What you want to be able to do is to understand these six major sections of the technology and security in a way that you're not confused when you get to the exam. Now, one of the nice things is you may have taken a Network+ course, so you have some of that basic background information. If you don't have the Network+, a lot of times you're going to come upon topics where I'm going to assume that knowledge is there. The nice thing is, you can pause, take a minute, and say, "Okay, I need to look up this. I need to understand this protocol. I need to know how this service works."

I'm going to focus in primarily on the security aspects of each one of these protocols when we talk about network security. When we talk about compliance and operations security, I'm going to talk about how to actually achieve compliance, maybe even audit and be prepared for auditing concepts and be prepared in your job for that. I really like to play the game that I call Threats and Controls, which here we're going to talk about threats and vulnerabilities. Those threats and vulnerabilities to your organization-- how do you deal with them? How do you put controls in place that make the organization secure, or how do you recognize that these particular threats and vulnerabilities are present within your organization? And then we'll dig into the application data and the host security-- how do we actually protect and defend the host-- whether that's locally on the box with antivirus, or whether that's through a network standpoint when we do intrusion detection or intrusion prevention. Then we'll talk about one of my favorite topics. If I had to pick one thing that I could clearly say that I'm an expert in, it would be access control and identity management. And then finally, something near and dear to my heart is cryptography, and we're going to talk about cryptography and we're going to talk about the code talkers and the Enigma machine, and then how do you apply cryptography in your environment.

Now, notice the percentages here. One of the things that I worry about for people who are coming into this class is that they focus on network security, they focus on threats and vulnerabilities, and they ignore cryptography, and then when they get to the cryptography section, they totally bomb that section. And you probably could bomb one section and still pass the exam, but you need to have a balanced understanding of security in order to get past the test and actually make it out there in the real world.


Gap Area

You should consider and use other sources in preparation for the Security+ exam!

Scope of the Security+ Domains

Scope of this review course

Scope of the exam

The knowledge gap other sources can fill

**005 Now, when we look at the scope of this course and we look at the scope of the exam, there is going to be a gap there, and you've got to fill that gap up with your knowledge. If you're new to this, if you've never been in security before and you say, "Well, I've got plenty of years of networking experience, but I don't have any security experience," then what I'm going to say to you is: Go out and practice and play. But remember, you don't have to know everything in the exam, but you have to know enough of the concepts and have them very ingrained in what you do. Because as soon as you've finished the test, well then, the test is over with; you've got the Security+ certification. That may have fulfilled some sort of requirement in order for you to keep your job, but now it's time for you to be opened up to all of the security that's out there.

A Security+ Certified Professional

Security+ certification…
• This is an introductory security certification.
• A first (or second) step in your security certification path
  — After Network+

Security+ Certified Professionals
• Participate in risk identification and mitigation
• Provide security in infrastructure, application, information, and operational contexts
• Apply security controls to maintain confidentiality, integrity, and availability
• Informed of policies, laws, and regulations

This is a technical certification
• 2 years of day-to-day technical security experience

**006 As a Security+ certified professional, remember, this is an introduction to security. So this should spark your interest in a whole bunch of different areas. You should-- when you're a professional, after this-- you should participate in risk identification and risk mitigation. Maybe you do risk assessments for your organization. Even in your little tiny scope that you have, I think that you can become more as far as security is concerned. You're going to apply security controls that protect the confidentiality, the integrity, the availability and the nonrepudiation of your organization. And you need to know about the regulations and the laws. I don't think you have to know about all the regulations and the laws; I think you have to look at the ones that are relevant to your organization and to the jurisdiction that you're in. Now, when you go to take this test, either you know it or you don't know it. Now the answers may be long and complex and require you to go through a line of logic to actually get the answer, but there's always one right answer, and it's the technical answer.


About the Security+ SY0-401 Exam -1

90 Minutes

90 Questions
• Multiple choice
• Performance-based
  — Near the beginning of the test
  — Simulated environment
  — Perform a task or solve a problem
  — Watch your time, part of the 90 minutes
  — Can be saved and returned to later

Some questions are being “tested”, and not graded.

Must score 750 out of 900

**007 Now let's talk about the exam. It's 90 minutes long and it's 90 questions. It's multiple choice. Now, what's really nice is you can go online and you can do practice tests that show you how all of the buttons work within the interface before you go there. I strongly urge you to take the time to go to CompTIA, let them do the practice demo test-- they actually have a practice demo test that you can work through-- so that you know how each one of the quizzing interfaces actually works when you go to sit down and plunk down your money.

Now, 90 minutes, 90 questions. Multi-part questions count the same. Ninety minutes, 90 questions-- the potential is there to run out of time. So you really have to focus on watching your time as you're going along. The nice thing is, it's a computer-based test. You can look at exactly how much time you have. That means that you have to have all this knowledge at your fingertips. Now, there are some seed questions that are dropped into the exam that don't count, but you don't know which ones those are, so you have to act as if every single one of these is the last question that could make the difference between passing and failing. Your score has to be 750 out of 900. That's a little bit more than 80 percent; that's about the number that you have to come down to. So one out of every five questions you can get wrong, but you don't know which ones, so shoot for the moon.


About the Security+ SY0-401 Exam -2

The Security+ Exam Objectives
• Key areas of knowledge
  — It will NOT help you pass the exam
  — BUT – it can help you focus
• Acronym List

http://certification.comptia.org/getCertified/certifications/security.aspx

**008 Now, when you talk about the exam objectives, you want to go to CompTIA and look on their site, and the URL is listed down at the bottom here. Take the time to go read those knowledge areas and understand what's going on, and be able to check off that list and say, "Yes, I can do these objectives. Yes, I can do these activities." Now, some of those are going to be really complex activities. Setting up a public key interface, actually installing the software for a Linux box or a Microsoft box-- and you can get both of those operating systems freely available-- and actually implementing PKI and actually running through the whole certificate process-- that could take hours.

Get the most from this course

Confidentiality, Integrity, Non-repudiation, Availability

How can you promote each?

What are the threats to each asset?

What are the vulnerabilities?

What are the controls?

**009 Now, I want you to get the most from this course, and here's my last piece of advice, and you need to get ready for this piece of advice, because this is not an easy thing to do. It's an easy thing to say, not an easy thing to do. For every single slide and every single thing that we talk about, every single slide that pops up, stop for a second and ask yourself, "Okay, based on the concepts of confidentiality and integrity"-- those are the two primaries-- "nonrepudiation and availability, in this situation, how would you promote those concepts?" And in this situation, what are the threats to your particular assets that are out there? How could this be attacked by an evildoer on the outside? You may even go and look up the vulnerability for this particular thing that we're talking about. You could go into the National Vulnerability Database or you could go into a tool like Open Source Vulnerability Database-- OSVDB.org-- and you could type in-- if we're talking about PKI-- you could type in PKI and see how many vulnerabilities there are to that. Now, in the case where you're using OSVDB, you're talking about software vulnerabilities, so most of the time the vulnerability control is going to be to patch. When we start talking about operational controls, how will you deal with somebody that's trying to, in a physical sense-- let's say somebody's trying to crash a car into your building. You can't use software to protect yourself against that. If you want to stop people from coming into a room, you can't use software to protect you against that, but you might use a badging system. So figure out what the threats, vulnerabilities and controls are for each and every one of the topics that we talk about. Really dig into that. Maybe load some software. Maybe do some learning there.


Notices 2015

© 2015 Carnegie Mellon University
