Errata – Security+ Cert Guide, 3rd Edition

4321

Updated 4/20/2017

(Errors are in red. Modifications are in blue. Additions are not color-coded. Page numbers refer to the print book. for e-books, refer to the Chapter and Section.)

Note about the disc and test engine: In 2016 Pearson released practice tests on the Internet. You can access them by going to Pearson Test Prep. Just activate the practice exams using the code that came with your book. (Mac users rejoice! It is platform-independent because it is browser-based.)

If you are trying to install from a disc: the latest version of the practice test engine is available from this link.

Contact Pearson at this link to obtain further assistance.

Error: Ch 5, Page 207, third paragraph: There is a mistake in the third sentence. It refers to port 21. That should be port 20, which is the default data port. This concept is explained correctly on page 233.

Addition: Ch 6, Table 6-2: I did not include the Diameter protocol’s port number – which is 3868. It’s doubtful you will be asked this on the Security+ exam, but you never know. So, Diameter, a protocol that evolved from RADIUS, is an AAA protocol that uses TCP or SCTP as the transport mechanism (not UDP), and uses port 3868.

Addition: Ch 12, Page 486: This section fails to mention the path and log file for Windows Server 2008 and higher which is the following:

%SystemRoot%\System32\Winevt\Logs\Security.evtx

Error: Ch 12, Page 504, last line under the Case Study 12-2 Solution: This shoud say S=207.50.135.54:23, not :53.

Error: Ch 13, Page 518, Blowfish and Twofish, 3rd sentence: There is a typo. The variable key size should say 32 to 448 bits, not 1 to 448 bits.

Modification: Ch 13, Page 540, Question 26: This question can be omitted as it is a duplicate of question 4.

Modification: Ch 14, Page 569, Question 15 Explanation: The explanation doesn’t state the correct answer, which is “Session layer”.

Addition: Ch 16, Page 634: One acronym I didn’t address is ISA. An ISA is an interconnection security agreement. It is an agreement that is established between two (or more) organizations that own and operate connected IT systems and data sets. Its purpose is to specifically document the technical and security requirements of the interconnection between the organizations. This is the type of agreement you need in this scenario because the data is sensitive and the CIO requires that there is a clear understanding of security controls to be implemented and agreed upon. As far as governing the security of data and systems, it is a more precise agreement than an SLA.

It differs from the SLA, BPA, and MoU in the following ways:

An SLA (service level agreement) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. It can be a very basic agreement, or it could also state the technical and performance parameters, but it will probably not include any specific security controls. A BPA (blanket purchase agreement) is a contract that allows an organization or government agency to order and pay for supplies and services that are purchased several times per year. An MoU (memorandum of understanding) is not an agreement at all, but an understanding between two organizations or government agencies. It does not specify any security controls either.

* BPA can also stand for business partner agreement. A business partner agreement is a type of contract that can establish the profits each partner will get, what responsibilities each partner will have, and exit strategies for partners. It does not have any inherent security planning in the way an ISA does.

Modification: Practice Exam 1, Page 679, Question 33: This question has been reworded.

Which of the following can allow the owner to restrict access to resources according to the identity of the user?

Error: Practice Exam 1, Page 709, Explanation for Question 54: The second sentence has a typo. It should say: “A system such as PKI creates an asymmetric key pair…” The rest of the explanation is correct, and the answer to the question is correct.

Clarification: Glossary, Page 731: The definitions for false positive and false negative have led to some confusion. They are correct, however, the concepts of IDS/IPS and authentication perhaps should not have been combined. The following clarifies how false positives and false negatives function within IDS/IPS, and within authentication:

IDS/IPS:
(This concept is covered in Chapter 7.) You have a system that evaluates data. The system tests for conditions such as corrupt or malicious data. If it finds actual bad data and blocks or quarantines it, then we have a positive (also known as a true positive). This means that it positively found and blocked the bad data. The system did its job correctly.
But, if the system classifies a piece of data as corrupt when it is actually a perfectly good piece of data, and it blocks and/or quarantines that data, then it is known as a false positive. That is because the system did its job (as far as it was concerned), and it positively found what it thought to be bad data, even though the data wasn’t bad at all.
So:
– Detecting and blocking an intrusion is a positive.
• False positive example – Sending an innocuous e-mail to a spam folder.
• False negative example – Not rejecting actual spam; and allowing that spam into an e-mail inbox.

User Authentication System:
(This concept is covered in Chapter 9.) Here you have a system that is evaluating users that are trying to identify themselves to a system. This happens in systems that use username/password logins, and systems that use biometrics for example.
If the system correctly identifies a legitimate user, and allows that user access to the network, than it is known as a positive – the system did its job.
If the system correctly identifies an illegitimate user, and does not allow that user access to the network, than it is known as a negative – again, the system did its job.
But, if the system authenticates a user that is not legitimate, and allows that user access to the network, then it is known as a false positive. The system failed.
Finally, if the system fails to authenticate a user that is legitimate, then it is known as a false negative. The system again has failed.
So:
– Authenticating a legitimate user is positive.
• False positive – illegitimate user Bob (User A) uses his fingerprint to successfully gain access to Alice’s (User B) tablet computer.
• False negative – Alice (User B) is unable to gain access to her own tablet computer using her fingerprint.

I understand that there are arguments based on Type I and Type II errors, but for authentication, these are commonly used definitions (see citings below). However, it is better to use the terms false acceptance and false rejection for authentication systems (such as biometric systems) as shown below. This eliminates most confusion on the topic.

• False acceptance – illegitimate user Bob (User A) uses his fingerprint to successfully gain access to Alice’s (User B) tablet computer.
• False rejection – Alice (User B) is unable to gain access to her own tablet computer using her fingerprint.

When thinking about false positives and false negatives, try to categorize them and think of them in terms of either IDS/IPS or authentication.

https://www.ieee.org/publications_standards/publications/authors/sample_biometrics_pdf.pdf

http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8173.pdf

https://security.stackexchange.com/questions/23218/false-negative-in-biometrics

http://aircconline.com/avc/V3N3/3316avc02.pdf

http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS3/handout/

https://www.researchgate.net/post/Is_there_any_tool_can_calculate_FN_False_negative_and_FP_False_positive_for_authentication_method

Error: Disc – Simulation 7-1: The four computers at the bottom left of the simulation (HR, Accounting, etc…) have the same IP address but with different subnet masks; for example /23, /24, and so on. This is incorrect and it would cause a failure on the network due to IP conflicts. However, the simulation still functions properly as is, and you can match the current IPs to the options in the list.

In future printings of the book the IP addresses will be changed the following:

HR: 10.18.255.10

Accounting: 10.18.255.11

IT: 10.18.255.12

Other Department: 10.18.255.13

For simplicity, references to CIDR (/23, /24, and so on) will be removed.

General terminology additions:

To be added to Chapter 2:
There are other computer environments that need to be considered when mitigating the risk of your network. They include: embedded systems (meaning systems with a computer built-in to the device), often a basic computer, and usually with no moving parts such as magnetic disks; mainframe computers; gaming consoles; and vehicle computing systems.
Embedded computing systems include printers, all-in-one SOHO router devices, smart televisions, and HVAC and SCADA controls. These types of systems usually cannot have antivirus software or firewall software installed to them, and so they rely on external protection such as hardware-based firewalls, IDS, and IPS solutions.
Mainframes are larger and more powerful computers. Historically they were associated with centralized computing, where one computer served all of the needs of a group of dumb terminals. But today they are more powerful computers along the lines of servers which may incorporate virtualization, extreme hardware utilization and redundancy. They control bulk data for the largest corporations and for government agencies. These systems are much more complex and as such can be more difficult to secure. Hardware modules have firmware that needs to be updated periodically, and software requires protection from malware, even though these computers utilize less known operating systems. Plus, a security administrator needs to be aware of TCP/IP updates that might be required on a mainframe, which if not installed could leave the system open to compromise. Because mainframes are often mission-critical, these TCP/IP concerns and other issues need to be addressed quickly.
Gaming consoles pose the same type of risks as desktop computers. They are susceptible to malware and as such should be updated often. However, a much more prominent threat is the compromise of credit cards. When applications are written for gaming consoles, they should be carefully validated to make sure that credit card fraud does not occur. We talk more about this later in the book.
In-vehicle systems include consumer-based vehicle systems such as Microsoft Sync, MyLink, and so on, but also include industrial systems used for shipping and transportation, which might be portable, or built-into the dash of the vehicle. Generally, these systems require periodic firmware updates, but this can only be done by an authorized repair center or at the vehicle dealer shop.

Chapter 5: Network Access Control section: Security posture remediation in network access control systems such as 802.1X include: checks of message text, URL links, and file distribution, as well as AV updates, OS updates, and verifying the proper sequence for launching programs. It also includes reporting on trends that are found when using performance analysis tools and packet capture programs which we will discuss in later chapters.

Chapter 9: Physical Security section: Some additional physical security methods include: fencing, as a barrier at the edge of an organization’s property; barricades and bollards, to block access to work areas and act as perimeter guarding devices in parking areas; and actual written access lists, which security guards will use to visually find out on paper who is allowed to enter a building. Fencing and barricades also act as safety precautions to protect employees.

Chapter 11: Risk deterrence involves implementing systems and policies that mitigate risk.

When it comes to determining risk, both qualitative and quantitative risk assessments can be used to identify threats versus the likelihood of those threats.

Penetration Testing is a method of evaluating the security of a system by simulating one or more attacks on that system and by attempting to bypass security controls that are put into place.

Chapter 13: From the Diffie-Hellman section: “When used in this manner, it works in ephemeral mode, meaning that keys are generated during each portion of the key establishment process, and are used for shorter periods of time than with static keys.” (You will sometimes see this referred to as an ephemeral key.)

Chapter 14: A PKI is used to govern the use of a cipher suite, which is a group of encryption, authentication, and hashing protocols used together; for example as part of a TLS connection made when connecting to a website.

Chapter 16: Lessons learned is the documented reasons for failures, errors and user issues that have been realized by an organization.

—————————–

CompTIA objectives errata. This is from version 6, also known as v.6

Updated 6/30/2014.

The DES acronym is spelled out incorrectly. It should be Data Encryption Standard.

The SCADA acronym is spelled out incorrectly. It should be supervisory control and data acquisition.