All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio i Mike Meyers’ Security+™ CompTIA Certification Guide 00-FM.indd 1 20/03/21 7:04 PM All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio ii ABOUT THE AUTHORS Mike Meyers, CompTIA A+, CompTIA Network+, CompTIA Security+, is the indus- try’s leading authority on CompTIA certifications and the best-selling author of ten editions of CompTIA A+ Certification All-in-One Exam Guide (McGraw Hill). He is the president and founder of Total Seminars, LLC, a major provider of PC and network repair seminars for thousands of organizations throughout the world, and a member of CompTIA. Scott Jernigan, CompTIA ITF+, CompTIA A+, CompTIA Network+, CompTIA Security+, MCP, is the author or co-author (with Mike Meyers) of over two dozen IT certification books, including CompTIA IT Fundamentals (ITF+) Certification All-in- One Exam Guide (McGraw Hill). He has taught seminars on building, fixing, and se- curing computers and networks all over the United States, including stints at the FBI Academy in Quantico, Virginia, and the UN Headquarters in New York City, New York. About the Technical Editor Matt Walker is currently a member of the Cyber Security Infrastructure team at Kennedy Space Center with DB Consulting. An IT security and education professional for more than 20 years, he has served in multiple positions ranging from director of the Network Training Center and a curriculum lead/senior instructor for Cisco Networking Academy on Ramstein AB, Germany, to instructor supervisor and senior instructor at Dynetics, Inc., in Huntsville, Alabama, providing onsite certification-awarding classes for (ISC)2, Cisco, and CompTIA. Matt has written and contributed to numerous technical training books for NASA, Air Education and Training Command, and the US Air Force, as well as commercially (CEH Certified Ethical Hacker All-in-One Exam Guide, now in its fourth edition), and continues to train and write certification and college-level IT and IA security courses. 00-FM.indd 2 20/03/21 7:04 PM All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio iii Mike Meyers’ Security+™ CompTIA Certification Guide Third Edition (Exam SY0-601) Mike Meyers Scott Jernigan New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto McGraw Hill is an independent entity from CompTIA® and is not affiliated with CompTIA in any manner. This publication and accompanying media may be used in assisting students to prepare for the CompTIA Security+ exam. Neither CompTIA nor McGraw Hill warrants that use of this publication and accompanying media will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners. The CompTIA Marks are the proprietary trademarks and/or service marks of CompTIA and its affiliates used under license from CompTIA. 00-FM.indd 3 20/03/21 7:04 PM Copyright © 2021 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. ISBN: 978-1-26-047370-4 MHID: 1-26-047370-8 The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-047369-8, MHID: 1-26-047369-4. eBook conversion by codeMantra Version 1.0 All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trade- marked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringe- ment of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com. Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. TERMS OF USE This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, IN- CLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICU- LAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio v For the great friends from around the world who shared this crazy lockdown with us: Andre de Gooyert, Tullowit, Alice Pozzi, Zak Morrill, Patricia Grace, Jose Braden, and so many others. Cheers! —Mike and Scott 00-FM.indd 5 20/03/21 7:04 PM All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio vi This page intentionally left blank 00-FM.indd 6 20/03/21 7:04 PM All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM CONTENTS AT A GLANCE Chapter 1 Risk Management ......................................................... 1 Chapter 2 Cryptography .............................................................77 Chapter 3 Identity and Account Management .................................. 153 Chapter 4 Tools of the Trade ...................................................... 217 Chapter 5 Securing Individual Systems .......................................... 267 Chapter 6 The Basic LAN .......................................................... 327 Chapter 7 Securing Wireless LANs ................................................ 371 Chapter 8 Securing Public Servers ................................................ 401 Chapter 9 Securing Dedicated Systems .......................................... 435 Chapter 10 Physical Security ....................................................... 479 Chapter 11 Protocols and Applications ............................................ 503 Chapter 12 Testing Infrastructure .................................................. 557 Chapter 13 Dealing with Incidents ................................................. 601 Appendix A Exam Objective Map ................................................... 661 Appendix B About the Online Content ............................................. 699 Glossary ................................................................. 703 Index .................................................................... 769 vii 00-FM.indd 7 20/03/21 7:04 PM All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio viii This page intentionally left blank 00-FM.indd 8 20/03/21 7:04 PM All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM CONTENTS Acknowledgments ...................................... xix Introduction .......................................... xxi Chapter 1 Risk Management ........................................... 1 Module 1-1: Defining Risk ............................... 2 Asset ........................................... 2 Likelihood ....................................... 3 Threat Actor ..................................... 3 Vulnerability and Threat ............................ 5 Circling Back to the Risk Definition ................... 6 Vectors ......................................... 6 Threat Intelligence ................................ 7 Module 1-2: Risk Management Concepts .................... 16 Infrastructure ..................................... 16 Security Controls .................................. 18 Risk Management Frameworks ....................... 18 Module 1-3: Security Controls ............................ 25 Control Categories ................................ 25 Control Types .................................... 25 Module 1-4: Risk Assessment ............................. 27 Risk Assessment Processes and Concepts ................ 28 Quantitative Risk Assessment ........................ 33 Qualitative Risk Assessment ......................... 36 Putting It All Together: Risk Analysis .................. 37 Risk Response .................................... 38 Module 1-5: Business Impact Analysis ...................... 40 BIA Basics ....................................... 41 Types of Impact ................................... 43 Locating Critical Resources .......................... 45 Calculating Impact ................................ 45 Calculating Downtime ............................. 46 Module 1-6: Data Security and Data Protection ............... 47 Organizing Data .................................. 48 Legal and Compliance .............................. 51 Data Destruction .................................. 56 Privacy Breaches .................................. 58 ix 00-FM.indd 9 20/03/21 7:04 PM