By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
1. You can make LDAP traffic confidential and secure by using TLS technology operating over port 636.
2. Web traffic is unencrypted over HTTP and occurs by default over port 80.
3. Encrypted web traffic over HTTPS occurs by default over port 443.
4. SFTP (FTP over SSH) uses TCP port 22 by default.
5. Port security is a Layer 2 traffic control feature that enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.
6. Loop protection makes additional checks in Layer 2 switched networks.
7. A flood guard is a firewall feature to control network activity associated with DoS attacks.
8. Static code analysis is a white-box software testing process for detecting bugs early in program development.
9. Dynamic code analysis is based on observing how the code behaves during execution.
10. Fuzzing is a black-box software testing process by which semi-random data is injected into a program or protocol stack to detect bugs.
11. Sandboxing provides a safe execution environment for untrusted programs.
12. Test environments should be isolated from development environments.
13. Staging environments reduce the risk of introducing issues before solutions are deployed in production.
14. Baselines can establish patterns of use that later help identify variations indicating unauthorized access attempts.
15. Smart cards use embedded systems with an operating system on the included chip.
16. The Waterfall SDLC model starts with a defined set of requirements and a well-developed plan, and adjustments are confined to the current development stage.
17. The Agile SDLC model starts with less rigorous guidelines and allows for adjustments during the process.
18. Secure DevOps includes security in the SDLC, ensuring that security is built in during the development process.
19. A CI server continually compiles, builds, and tests each new version of code committed to the central repository without user interaction.
20. Immutability means that a valuable program, configuration, or server will never be modified in place.
21. System hardening involves disabling unnecessary ports and services.
22. To keep an attacker from exploiting software bugs, an organization must continually apply manufacturers' patches and updates. Commonly used services and associated ports include the following:
    15: Netstat
    20 and 21: FTP
    22: SSH/SFTP/SCP
    23: Telnet
    25: SMTP
    53: DNS
    80: HTTP
    123: NTP
    389: LDAP
    443: HTTPS
    636: LDAPS
    989 and 990: FTPS
    1812: RADIUS
    3389: RDP
23. TPM chips are secure cryptoprocessors used to authenticate hardware devices.
24. A file integrity checker tool computes a cryptographic hash and compares the result to known good values to ensure that the file has not been modified.
25. Signature-based methods detect known signatures or patterns.
26. A VPN concentrator is used to allow multiple external users to access internal network resources using secure features that are built in to the device. Concentrators are deployed when a single device needs to handle a very large number of VPN tunnels.
27. NAC offers a method of enforcement that helps ensure that computers are properly configured.
28. Zero trust is a model that provides granular and dynamic access control, regardless of where the user or application resides, and does not place trust in the entire network.
29. A screened subnet is a small network between the internal network and the Internet that provides a layer of security and privacy.
30. NAT acts as a liaison between an internal network and the Internet across a routing device. It allows multiple computers to connect to the Internet using one IP address.
31. Network segregation, isolation, and segmentation are effective controls an organization can implement to mitigate the effect of a network intrusion.
32. Air gaps are physically isolated machines or networks.
33. Network taps, SPAN, and mirror ports are the primary methods used to get network traffic to network monitoring tools.
34. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network.
35. Intrusion detection is managed by two basic methods: knowledge-based and behavior-based detection.
36. An IDS monitors packet data by using behavior-based (to identify anomalies) or knowledge-based methods, operating in network-based or host-based configurations.
37. NIDSs and NIPSs are designed to catch attacks in progress within a network, not just on individual machines or at the boundary between private and public networks.
38. Proxy servers can be placed between the private network and the Internet for Internet connectivity or can be placed internally for web content caching.
39. Firewalls separate external and internal networks and include the following types:
    Packet-filtering firewalls (network layer, Layer 3)
    Proxy-service firewalls, including circuit-level (session layer, Layer 5) and application-level (application layer, Layer 7) gateways
    Stateful inspection firewalls (application layer, Layer 7)
40. A stateless firewall works as a basic access control list filter.
41. Stateful firewalls are a deeper-inspection firewall type that analyzes traffic patterns and data flows, often combining layered security, and are known as next-gen firewalls.
42. Wireless access methods, from the least secure to the most secure, are open authentication, shared authentication, and EAP.
43. WPA-Personal requires a password shared by all devices on the network.
44. WPA-Enterprise requires certificates and uses an authentication server from which keys are distributed.
45. WPA2 and WPA3 favor CCMP over the TKIP common to WPA. TKIP should still be used for systems that are unable to support 802.11i.
46. EAP authentication protocols include EAP-TLS, PEAP, EAP-TTLS, and EAP-FAST. Only EAP-TLS requires a client certificate, and only EAP-FAST does not require a server certificate.
47. EAP is an authentication framework and is used by WPA, WPA2, and WPA3 for authentication.
48. PEAP encapsulates EAP in a TLS tunnel and requires a certificate only on the server.
49. Jailbreaking and rooting mobile devices removes restrictions imposed by the manufacturer and can introduce risk.
50. Employees who leave an organization should have their accounts disabled but not deleted.
51. Generic accounts used by multiple users must be prohibited.
52. When working with logical controls, two models exist for the assignment of permissions and rights: user-based and role- or group-based.
53. Too many failed authentication attempts should incur a penalty, such as account lockout.
54. Enforcing password history prevents users from reusing old passwords.
55. Auditing user permissions is a common method for identifying access violations and issues.
56. A federation system allows accessibility from each domain: accounts in one area can be granted access rights to any other resource, whether local or remote, within the domains.
57. Remote access authentication includes RADIUS or TACACS+.
58. RADIUS provides authentication and authorization functions in addition to network access accounting functions, but it does not provide further access control.
59. Kerberos supports mutual authentication, protecting against on-path attacks.
60. Using PAP is strongly discouraged because user passwords are easily readable.
61. OAuth provides authorization services; it does not provide authentication, unlike OpenID and SAML.
62. SAML offers single sign-on capabilities.
63. The IdP is the source of a username and password and authenticates the user. The SP provides service to the user.
64. Access controls include MAC, DAC, ABAC, and RBAC.
65. CACs and PIV cards provide smart card functions for identity and authentication.
66. Implicit deny is an access control practice in which resource availability is restricted to only logins that are explicitly granted access.
67. PKI relies on asymmetric key cryptography using certificates, which are digitally signed blocks of data issued by a CA.
68. A CSR is generated and submitted before a CA signs a certificate.
69. A root CA should be taken offline to reduce the risk of key compromise, because compromise of the root would compromise the entire chain or system.
70. The three types of validated certificates are DV, OV, and EV certificates.
71. EV certificates provide the highest level of trust and require the most effort for a CA to validate.
72. DER and PFX certificates are binary encoded; PEM and P7B certificates are ASCII encoded, and their contents can easily be cut and pasted.
73. Ensuring a certificate's validity is accomplished through a CRL or OCSP.
74. OCSP stapling puts the responsibility for OCSP requests on the web server instead of on the issuing CA.
75. Key escrow stores the private key with a trusted third party.