xvi Foreword
Prerequisites and Preparation
In comparison to other security certifications, such as the CISSP and SANS GIAC, the Security+ is an
entry-level certification, and there are no prerequisites (prior exams or certifications) required to take the
exam. However, CompTIA specifies that the target audience for the exam consists of professionals with
two years of networking experience. We recommend that test-takers have a good grasp of basic computer
networking concepts, as mastering many of the topics—especially in the domains of communications and
infrastructure security—requires a basic understanding of network topology, protocols, and services.
Passing the A+ and Network+ exams prior to pursuing the Security+ certification, although not
required, provides an excellent foundation for a better understanding when studying security topics and is
recommended by CompTIA. Because this is a vendor-neutral exam, it also helps to have some exposure to
the computer operating systems most commonly used in a business environment: Windows and
Linux/UNIX.
Hands-on experience in working with the security devices and software covered in the exam (for
example, firewalls, certificate services, virtual private networks [VPNs], wireless access, and so forth) is
invaluable, although it is possible to pass the exam without direct hands-on experience. The Exercises in
each chapter are designed to walk readers through the practical steps involved in implementing the
security measures discussed in the text.
Exam Overview
The structure of this book is designed to closely follow the exam objectives. It is organized to make it easy
to review exam topics according to the objective domain in which they fall. Under each learning domain,
we go into detail to provide a good overview of the concepts contained in each subsection of the
CompTIA objectives. Following is a brief overview of the specific topics covered:
■ General Security Concepts: Introduction This section introduces the “AAA” triad of
security concepts: access control, authentication, and auditing. Readers are also introduced to
the terminology used in the computer security field, and learn about the primary purposes of
computer/network security: providing confidentiality of data, preserving integrity of data, and
ensuring availability of data to authorized users.
■ General Security Concepts: Access Control This section focuses on ways that network
security specialists can control access to network resources, and discusses three important types
of access control: Mandatory Access Control (MAC), Discretionary Access Control (DAC), and
Role-Based Access Control (RBAC).
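To make the three models concrete, the following added example (not code from the book) evaluates the same access request under DAC, MAC, and RBAC side by side. All subjects, objects, labels, ACLs, and roles are constructed sample data, and the MAC rules follow the simple Bell-LaPadula "no read up, no write down" properties.

```python
"""Toy policy-decision functions for DAC, MAC and RBAC.
Added illustration; every subject, object, label and role is constructed."""

# --- Discretionary Access Control: the object's owner decides, via an ACL ---
# Constructed ACL: object -> {subject: set of permitted actions}
DAC_ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "notes.txt":    {"bob": {"read", "write"}},
}

def dac_allowed(subject: str, obj: str, action: str, acl=DAC_ACL) -> bool:
    """Grant only if the object's ACL lists the subject with that action."""
    return action in acl.get(obj, {}).get(subject, set())


# --- Mandatory Access Control: system-enforced labels, not owner choice ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# Constructed clearances (subjects) and classifications (objects)
CLEARANCE = {"alice": "secret", "bob": "internal"}
CLASSIFICATION = {"payroll.xlsx": "confidential", "notes.txt": "public"}

def mac_allowed(subject: str, obj: str, action: str) -> bool:
    """Bell-LaPadula style rules: no read up, no write down."""
    s = LEVELS[CLEARANCE[subject]]
    o = LEVELS[CLASSIFICATION[obj]]
    if action == "read":
        return s >= o          # may read at or below own clearance
    if action == "write":
        return s <= o          # may write at or above own clearance
    return False


# --- Role-Based Access Control: permissions attach to roles, users to roles ---
ROLE_PERMS = {
    "hr":    {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "staff": {("notes.txt", "read"), ("notes.txt", "write")},
}
USER_ROLES = {"alice": {"hr", "staff"}, "bob": {"staff"}}

def rbac_allowed(subject: str, obj: str, action: str) -> bool:
    """Grant if any role held by the subject carries (obj, action)."""
    return any((obj, action) in ROLE_PERMS.get(r, set())
               for r in USER_ROLES.get(subject, set()))


def decide_all(subject: str, obj: str, action: str) -> dict:
    """Side-by-side verdict from each model for the same request."""
    return {
        "DAC":  dac_allowed(subject, obj, action),
        "MAC":  mac_allowed(subject, obj, action),
        "RBAC": rbac_allowed(subject, obj, action),
    }

if __name__ == "__main__":
    for req in [("bob", "payroll.xlsx", "read"),
                ("bob", "payroll.xlsx", "write"),
                ("alice", "notes.txt", "write")]:
        print(req, decide_all(*req))
```

Note how the verdicts diverge: under MAC, bob may write to a confidential file he cannot read (writing up is permitted, reading up is not), whereas DAC and RBAC deny the same write because no ACL entry or role grants it. That divergence is the practical difference between the models.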
■ General Security Concepts: Authentication This section covers the many available
methods for authenticating users and computers on a network (that is, validating the identity of
a user or computer before establishing a communication session). Industry standard protocols are
covered, including Kerberos (used by both UNIX and newer Windows operating systems for
authenticating users requesting access to resources), and the Challenge Handshake
Authentication Protocol, or CHAP, used for authenticating remote access users. Use of digital
certificates, tokens, and user/password authentication is discussed. Multifactor authentication
(use of more than one authentication method for added security), mutual authentication (two-way
authentication between client and server), and biometric authentication (use of physiological
characteristics to validate identity) are all thoroughly covered.
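The CHAP exchange mentioned above, written out with both sides, as an added example rather than code from the book. It follows the RFC 1994 response computation, MD5 over the identifier, the shared secret, and the challenge; the peer name and secret are constructed values.

```python
"""CHAP (RFC 1994) challenge/response with an authenticator and a peer.
Added illustration; the peer name and shared secret are constructed."""
import hashlib
import hmac
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side: issues one-time challenges and verifies responses."""
    def __init__(self, secret_db: dict):
        self._secrets = secret_db   # name -> shared secret (CHAP needs it in clear)
        self._pending = {}          # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple:
        ident = self._next_id & 0xFF          # Identifier is a single octet
        self._next_id += 1
        chal = secrets.token_bytes(16)        # fresh, unpredictable challenge
        self._pending[ident] = chal
        return ident, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self._pending.pop(identifier, None)  # one use only: a replayed response fails
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare

class Peer:
    """Client side: answers a challenge with its name and response value."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)

def run_exchange(server: Authenticator, peer: Peer) -> bool:
    """The three CHAP messages: Challenge, Response, Success/Failure."""
    ident, chal = server.challenge()           # 1. Challenge
    name, resp = peer.respond(ident, chal)      # 2. Response
    return server.verify(ident, name, resp)     # 3. Success (True) / Failure (False)

if __name__ == "__main__":
    db = {"remote-user": b"constructed-secret"}
    srv = Authenticator(db)
    print(run_exchange(srv, Peer("remote-user", b"constructed-secret")))  # True
    print(run_exchange(srv, Peer("remote-user", b"wrong-secret")))        # False
```

The secret itself never crosses the link, only a hash bound to a fresh challenge, which is why a captured response cannot be replayed. The caveat a practitioner should keep in mind is that the authenticator must hold the shared secret in recoverable form, and a captured challenge/response pair can be tested offline against candidate secrets, so the secret's strength matters.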
■ General Security Concepts: Nonessential Services and Protocols This section discusses
those services and protocols that are often installed by default on network computers, which
can be disabled for added security when not specifically needed.
www.syngress.com