CompTIA Security+ 601 Chapter 8 Summary

CompTIA Security+ Study Guide: Exam SY0-601 8th Edition, by Mike Chapple & David Seidl


Chapter 8 summary of my notes



  1. User Identification


Common ways to assert or claim an identity:



  1. Usernames

  2. Certificates, which can be stored on a system or paired with a storage device or security token.

  3. Tokens, a physical device that may generate a code, plug in via USB, or connect via Bluetooth or other means to present a certificate or other information.

  4. SSH keys, which are cryptographic representations of identity that replace a username and password.

  5. Smartcards use an embedded chip.


Extensible Authentication Protocol, EAP, = authentication framework commonly used for wireless networks.


Password Authentication Protocol, PAP, = password-centric authentication protocol commonly used with the Point-to-Point Protocol, PPP, to authenticate users. PAP sends unencrypted passwords, making it unsuitable for use in most modern networks.


Challenge Handshake Authentication Protocol, CHAP, = authentication protocol that replaces PAP. CHAP uses an encrypted challenge and three-way handshake to send credentials.  


802.1X = IEEE standard for network access control, NAC, and it is used for authentication for devices that want to connect to a network. Supplicants send authentication requests to authenticators such as network switches, access points, or wireless controllers. Those controllers connect to an authentication server, typically via RADIUS. The RADIUS servers may then rely on a backend directory using LDAP or Active Directory as a source of identity information.  


RADIUS, Remote Authentication Dial-in User Service, = a common authentication, authorization, and accounting, AAA, system for network devices, wireless networks, and other services.


RADIUS operates over TCP or UDP and uses a client-server model.


RADIUS sends passwords that are obfuscated by a shared secret and MD5 hash, meaning that its password security is not very strong.


RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using IPSec tunnels or other protections to protect the traffic.


AAA system = users must first authenticate, typically with a username and password. The system then allows them to perform actions they are authorized to by policies or permission settings. Accounting tracks resource utilization like time, bandwidth, or CPU utilization.         


Terminal Access Controller Access Control System Plus, TACACS+, is a Cisco-designed extension to TACACS.


TACACS+ uses TCP traffic to provide authentication, authorization, and accounting services. It provides full-packet encryption as well as granular command controls, allowing individual commands to be secured as needed.


Kerberos is designed to operate on untrusted networks and uses encryption to shield its authentication traffic.


Kerberos users are composed of three main elements: the primary, which is typically the username; the instance, which helps to differentiate similar primaries; and realms, which consist of groups of users.


Kerberos key distribution centers = KDCs.


When a client wants to use Kerberos to access a service, the client requests an authentication ticket, or ticket-granting ticket, TGT.


An authentication server checks the client's credentials and responds with the TGT, which is encrypted using the ticket-granting service's, TGS, secret key.


When the client wants to use a service, the client sends the TGT to the TGS (which is usually also the KDC) and includes the name of the resource it wants to use. The TGS sends back a valid session key for the service, and the client presents the key to the service to access it.
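The three exchanges described above (AS request for a TGT, TGS request for a service ticket, presentation to the service), simulated end to end. This is an added example and not code from the book or from any Kerberos implementation: the "seal"/"unseal" helper is a toy HMAC-based sealed box standing in for Kerberos's real encryption types, the principal name, password and service name are constructed, and the service ticket is modelled explicitly where the notes simply say the TGS "sends back a valid session key for the service".

```python
import hashlib
import hmac
import json
import os
import time

# Toy sealed box standing in for Kerberos's real encryption types (an assumption of
# this example): HMAC-SHA256 keystream for confidentiality plus an HMAC tag, so a
# ticket opened with the wrong key, or altered in transit, is rejected outright.
def seal(key, payload):
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket rejected: wrong key or tampered")
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

def user_key(password):
    # Simplified string-to-key: the client's long-term key is derived from its password.
    return hashlib.sha256(b"kerberos-example|" + password.encode()).digest()

class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) on one host, as is usual."""
    def __init__(self, users, services):
        self.users = {u: user_key(p) for u, p in users.items()}  # principal -> long-term key
        self.services = services                                  # service -> long-term key
        self.tgs_key = os.urandom(32)

    def as_exchange(self, principal):
        # AS request: the client names itself and gets a TGT sealed under the TGS key
        # (so it can carry but not read it) plus the TGS session key sealed under its own key.
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": principal, "key": session.hex(), "exp": time.time() + 600})
        return tgt, seal(self.users[principal], {"key": session.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS request: the TGT, an authenticator under the TGS session key, and the service name.
        ticket = unseal(self.tgs_key, tgt)
        if ticket["exp"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(ticket["key"])
        if unseal(session, authenticator)["client"] != ticket["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        svc_ticket = seal(self.services[service], {"client": ticket["client"], "key": svc_session.hex()})
        return svc_ticket, seal(session, {"key": svc_session.hex()})

def service_accepts(service_key, svc_ticket, authenticator):
    # AP request: the service opens the ticket with its own long-term key and checks that
    # whoever built the authenticator holds the session key named in that ticket.
    ticket = unseal(service_key, svc_ticket)
    return unseal(bytes.fromhex(ticket["key"]), authenticator)["client"] == ticket["client"]

def login_and_access(kdc, principal, password, service):
    """The whole flow from the client's side; True when the service admits the client."""
    tgt, enc_session = kdc.as_exchange(principal)
    session = bytes.fromhex(unseal(user_key(password), enc_session)["key"])  # wrong password fails here
    svc_ticket, enc_svc = kdc.tgs_exchange(tgt, seal(session, {"client": principal, "ts": time.time()}), service)
    svc_session = bytes.fromhex(unseal(session, enc_svc)["key"])
    authenticator = seal(svc_session, {"client": principal, "ts": time.time()})
    # The service's key is looked up here only to stand in for the service process itself.
    return service_accepts(kdc.services[service], svc_ticket, authenticator)

def attempt(kdc, principal, password, service):
    """Same flow, reporting the outcome as a string instead of raising."""
    try:
        return "ok" if login_and_access(kdc, principal, password, service) else "denied"
    except ValueError as err:
        return str(err)

# Constructed realm for the demonstration: one user principal and one service.
DEMO_KDC = KDC({"alice/admin@EXAMPLE.REALM": "correct horse battery"}, {"fileserver": os.urandom(32)})

if __name__ == "__main__":
    print(attempt(DEMO_KDC, "alice/admin@EXAMPLE.REALM", "correct horse battery", "fileserver"))
    print(attempt(DEMO_KDC, "alice/admin@EXAMPLE.REALM", "wrong password", "fileserver"))
```

The point to notice is which key opens which blob: the client never sees the TGS key or the service key, the KDC never sees the user's password after the AS step, and a wrong password or a modified TGT fails at the integrity check rather than producing a usable ticket.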


Internet-based systems often rely on a number of core technologies to accomplish authentication:



  1. Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information. SAML is often used between identity providers and service providers for web-based applications. Using SAML means that service providers can accept SAML assertions from a range of identity providers, making it a common solution for federated environments

  2. OpenID is an open standard for decentralized authentication. OpenID identity providers can be leveraged for third-party sites using established identities. A common example of this is the “Log in with Google” functionality that many websites provide, but Google is not the only example of a major OpenID identity provider. Microsoft, Amazon, and many other organizations are OpenID identity providers (IdPs). Relying parties (RPs) redirect authentication requests to the IdP, and then receive a response back with an assertion that the user is who they claim to be due to successful authentication, and the user is logged in using the OpenID for that user.

  3. OAuth is an open standard for authorization used by many websites. OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials. You may have experienced this with tools like Google Drive plug-ins that request access to your files or folders, or when you log in with a single identity and then use multiple systems or services without reauthenticating.


Single sign-on is commonly implemented using LDAP and Kerberos such as in Windows domains and Linux infrastructures, or via a SAML implementation for web applications and federated services.


Terms commonly used in federated environments:



  1. The principal, typically a user.

  2. Identity providers, IdPs, who provide identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.

  3. Service providers, SPs, who provide services to users whose identities have been attested to by an identity provider.

  4. Directory services are used in networks to provide information about systems, users, and other information about an organization. Lightweight Directory Access Protocol, LDAP, is commonly deployed as part of an identity management infrastructure and offers hierarchically organized information about the organization.

  5. LDAP directories are organized into organizational units, OUs; examples of OUs are security and human resources. Each of those units includes a number of entries labeled with a common name, CN.


Multifactor authentication, MFA:



  1. Something you know, including passwords, PINs, or the answer to a security question.

  2. Something you have, such as a Bluetooth token or another object or item that is in your possession.

  3. Something you are, which relies on a physical characteristic of the person who is authenticating themselves, such as fingerprints, retina scans, or voice prints.

  4. Somewhere you are, sometimes called a location factor, is based on your current location, determined via GPS or network location.

  5. Something you can do, which is used in Windows 10's Picture Password feature or gesture passwords on Android phones. This is a type of knowledge factor that

  6. Something you exhibit, which could be a behavior pattern or similar characteristic. These are typically a form of the “something you are” factors, like typing speed or similar patterns.

  7. Someone you know, which can include trust relationships from others.


One-time passwords are an important way to combat password theft and other password-based attacks.


Time-based one-time passwords, TOTPs, use an algorithm to derive a one-time password using the current time as part of the code-generation process.


Google Authenticator uses TOTP.


HMAC-based one-time password = HOTP.


HMAC = hash-based message authentication codes.


HOTP uses a seed value that both the token or HOTP code-generation application and the validation server use, as well as a moving factor.


Token = token key.


Biometric factors:


  1. Fingerprints

  2. Retina scanning

  3. Iris recognition systems use pattern recognition and infrared imaging

  4. Facial recognition

  5. Voice recognition systems

  6. Vein recognition, sometimes called vein matching

  7. Gait analysis measures how a person walks to identify them


Biometric technologies are assessed based on four major measures:



  1. Type I errors, or the false rejection rate, FRR. False rejection errors mean that a legitimate biometric measure was presented and the system rejected it.

  2. Type II errors, or false acceptance errors, are measured as the false acceptance rate, FAR. These occur when a biometric factor is presented and is accepted when it shouldn't be.

  3. Relative operating characteristic, ROC. The ROC compares the FRR against the FAR of a system, typically as a graph.

  4. The place on this chart where FAR and FRR cross over is called the crossover error rate.


When you assess biometrics systems, knowing their FAR and FRR will help you determine their efficacy rates.
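The four measures above worked through on numbers: FRR and FAR computed from match scores at each threshold, the ROC as the list of (threshold, FAR, FRR) points, and the crossover error rate as the threshold where the two curves meet. This is an added example, not material from the book; the match scores are constructed for a hypothetical matcher and the threshold grid is an assumption.

```python
# Constructed match scores from a hypothetical fingerprint matcher, on a 0..1 scale:
# higher means the presented sample looks more like the enrolled template.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.79, 0.90, 0.86, 0.64]   # enrolled user, own finger
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.67, 0.30, 0.55, 0.41, 0.18, 0.75]  # someone else's finger
THRESHOLDS = [i / 100 for i in range(0, 101, 5)]

def far_frr(genuine, impostor, threshold):
    """A sample is accepted when score >= threshold.
    FRR (Type I) = genuine samples rejected / genuine samples.
    FAR (Type II) = impostor samples accepted / impostor samples."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr

def roc_points(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) point per threshold; plotting FAR against FRR gives the ROC curve."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]

def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest, and the error rate there (the crossover error rate)."""
    t, far, frr = min(roc_points(genuine, impostor, thresholds), key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2

def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """Loosest threshold that keeps FAR at or below max_far, with the FRR users will then pay."""
    for t, far, frr in roc_points(genuine, impostor, thresholds):   # thresholds ascending
        if far <= max_far:
            return t, frr
    return None

if __name__ == "__main__":
    for t, far, frr in roc_points(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("crossover:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("FAR <= 0:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.0))
```

Raising the threshold lowers FAR and raises FRR, so the crossover point is a convenient single number for comparing systems, but the last function is the one that matters in deployment: a high-security door is tuned for the FAR you can accept and the FRR is the usability cost that follows.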


Knowledge-based authentication, KBA. KBA is frequently used for password resets in the form of security questions.


Security+ exam outline calls security keys like YubiKeys, Titan Keys, and other USB two-factor hardware tokens “password keys.”


Password vaults, or password managers, = common solution for authentication management. They are software solutions that store, manage, and secure passwords and other information, allowing users to use strong passwords without memorizing dozens of them.


TPM modules or chips have a built-in cryptoprocessor used to store RSA key pairs protected by a password set by the system owner.


TPM modules can help prevent unauthorized changes to firmware and software as part of a trusted or secure boot process, and they are supported by operating systems allowing drive encryption and other cryptographic-based security features.


Hardware security modules, HSMs, = either an independent physical device or a plug-in expansion card for a computer. They integrate cryptoprocessors to securely create, store, and manage encryption keys.


There are many types of accounts:



  1. Privileged or administrative accounts.

  2. Shared and generic accounts or credentials.

  3. Service accounts associated with applications and services.


Account policies are set to provide controls about how and when accounts can be used, to control password complexity, lifespan, and other details.


In addition to controls related to passwords, account controls can leverage other information from the login process:



  1. The time of day, which can prevent employees from accessing systems after their shift.

  2. The network location of the system that is being authenticated to.

  3. Geolocation data can be used to allow logins only from a geofenced area, a predetermined, GPS data–driven location.


Privileged access management, PAM, tools can be used to handle the administrative and privileged accounts. They focus on ensuring that the concept of least privilege is maintained by helping administrators specify only the minimum set of privileges needed for a role or task.


Attribute-based access control, ABAC, relies on policies that are driven by attributes of the users.


Role-based access control, RBAC, systems rely on roles that are then matched with privileges that are assigned to those roles. This makes RBAC a popular option for enterprises that can quickly categorize employees with roles like “cashier” or “database administrator” and provide users with the appropriate access to systems and data based on those roles.


An important detail for RBAC systems is that many support multiple roles for subjects. That means that you may have an active role, as well as other roles you could use. A familiar example of this might be the ability to use the sudo command on a Linux system. Users have a role as themselves (a user role), and they can also assume a superuser (root) role.
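The RBAC detail above in code: a subject holds several roles but only the active one decides access, and switching roles works like sudo in that the subject must already hold the role it assumes. A small ABAC evaluator is included for contrast with the preceding paragraph, where the decision is a predicate over the user's attributes rather than a role lookup. This is an added example, not code from the book or from any access control product; the role names, permission strings and attribute policies are constructed.

```python
from dataclasses import dataclass

# Constructed role definitions: role -> the permissions it grants.
ROLE_PERMISSIONS = {
    "user":    {"file:read", "file:write"},
    "cashier": {"register:open", "sale:record"},
    "dba":     {"db:query", "db:alter"},
    "root":    {"file:read", "file:write", "db:alter", "system:install"},
}

@dataclass
class Subject:
    name: str
    roles: frozenset     # every role the subject is allowed to hold
    active: str          # the one role currently in effect

    def __post_init__(self):
        if self.active not in self.roles:
            raise ValueError(f"{self.name} cannot start in role {self.active!r}")

    def assume(self, role):
        """Switch the active role, as sudo does: the subject must already hold it."""
        if role not in self.roles:
            raise PermissionError(f"{self.name} does not hold role {role!r}")
        self.active = role

def rbac_permitted(subject, permission):
    """RBAC decision: only the active role counts, not the union of every role the subject holds."""
    return permission in ROLE_PERMISSIONS.get(subject.active, set())

def try_assume(subject, role):
    """assume() reported as True/False instead of an exception, for callers that just want the outcome."""
    try:
        subject.assume(role)
        return True
    except PermissionError:
        return False

# ABAC for contrast: no roles, just predicates over attributes of the user and the request.
ABAC_POLICIES = {
    "db:alter":  lambda a: a["department"] == "engineering" and a["clearance"] >= 2 and a["on_corp_network"],
    "file:read": lambda a: a["clearance"] >= 1,
}

def abac_permitted(attributes, permission):
    """ABAC decision: a permission with no policy is denied; otherwise the policy predicate decides."""
    policy = ABAC_POLICIES.get(permission)
    return bool(policy and policy(attributes))

if __name__ == "__main__":
    alice = Subject("alice", frozenset({"user", "root"}), "user")
    print(rbac_permitted(alice, "system:install"))   # False: root is held but not active
    alice.assume("root")
    print(rbac_permitted(alice, "system:install"))   # True once the role is active
```

Keeping the privileged role inactive until it is needed is what makes the sudo model worth having: everyday work runs with the user role's permissions, and the elevated role is assumed only for the specific task.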


Access control lists, ACLs, apply to various objects or resources.


Mandatory access control, MAC, systems rely on the operating system to enforce control as set by a security policy administrator. 


Discretionary access control, DAC, is an access control scheme that many people are used to from their own home PCs. The most common type of discretionary access control assigns owners for objects like files and directories. The owner of a file (or directory) can set permissions that apply to the files or directory.


Privileged access management = set of controls, tools, and processes used to handle privileges for elevated accounts and rights -- accounts like administrator, root, or similar.


Conditional access describes the process of testing the security state of devices and users before allowing access to data, networks, or other resources, checking for certain conditions and allowing access based off those checks.


Filesystem controls determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files. Each operating system has its own set of filesystem permissions and capabilities for control.


Linux filesystem permissions are shown in file listings with the letters drwxrwxrwx, indicating whether a file is a directory, and then displaying user, group, and world (sometimes called other) permissions.


If you aren't familiar with Linux permissions and the chmod command, you should spend some time familiarizing yourself with both. You should know how to set and read permissions using both character and numeric representations; the order of user, group, and world rights; and what those rights mean for a given user based on their account's rights and group membership.
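The permission skills listed above as working code: converting between the character form in a file listing and the numeric mode, applying chmod-style symbolic changes, and working out which rights a given account actually gets from its ownership and group membership. This is an added example, not code from the book or from GNU chmod; it covers only the r/w/x bits the notes describe (no setuid, setgid or sticky bits), and the usernames, groups and modes are constructed.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}   # owner, group, world (other) octal digits

def parse_listing(perm_string):
    """'drwxr-xr-x' -> (is_directory, numeric mode such as 0o755)."""
    if len(perm_string) != 10 or perm_string[0] not in "-dl":
        raise ValueError(f"not a permission string: {perm_string!r}")
    mode = 0
    for triplet in (perm_string[1:4], perm_string[4:7], perm_string[7:10]):
        digit = 0
        for ch, expected in zip(triplet, "rwx"):
            if ch == expected:
                digit |= PERM_BITS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {perm_string!r}")
        mode = (mode << 3) | digit
    return perm_string[0] == "d", mode

def format_mode(mode, is_directory=False):
    """Numeric mode -> the ten-character form shown by ls -l."""
    out = "d" if is_directory else "-"
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 7
        out += "".join(ch if digit & PERM_BITS[ch] else "-" for ch in "rwx")
    return out

def chmod_symbolic(mode, expression):
    """Apply chmod's symbolic syntax, [ugoa]*[+-=][rwx]*, comma-separated, e.g. 'g-w,o=r'."""
    for clause in expression.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who, op, perms = clause[:i] or "a", clause[i], clause[i + 1:]
        if op not in "+-=" or any(p not in "rwx" for p in perms):
            raise ValueError(f"bad clause {clause!r}")
        bits = sum(PERM_BITS[p] for p in perms)
        for cls in ("ugo" if "a" in who else who):
            shift = CLASS_SHIFT[cls]
            if op == "=":
                mode &= ~(7 << shift)          # '=' replaces the class's bits entirely
            if op == "-":
                mode &= ~(bits << shift)
            else:
                mode |= bits << shift
    return mode

def effective_rights(mode, owner, group, user, user_groups):
    """Rights a user gets: the owner class if they own it, else the group class if they are a
    member, else world. Only one class applies, so an owner with 0o077 gets nothing even
    though group and world would have been allowed in."""
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    digit = (mode >> shift) & 7
    return {ch for ch in "rwx" if digit & PERM_BITS[ch]}

if __name__ == "__main__":
    is_dir, mode = parse_listing("drwxr-xr-x")
    print(is_dir, oct(mode))                                   # True 0o755
    print(format_mode(chmod_symbolic(mode, "g-w,o=r"), is_dir))  # drwxr-xr--
    print(effective_rights(0o640, "alice", "dev", "bob", {"dev"}))   # {'r'}
```

The last function is the one people get wrong on the exam and in practice: the classes are not cumulative, the system picks exactly one of owner, group or world for a given account and stops there.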


Windows file permissions can be set using the command line or the GUI.


The modify permission allows viewing as well as changing files or folders. Read and execute does not allow modification or changes but does allow the files to be run, while read and write work as you'd expect them to.