Do You Use Wikipedia

Do you use Wikipedia?  I do and I love it.  So much so that I’ve donated to them to help them keep providing the service that I value so much.  I really like the style of the articles and the way that authors police themselves to prevent problems. It’s a great resource and awesome that it’s free.

Jimmy Wales (Wikipedia Founder) sent me the following email and asked me to send it out to others.  Here it is:


Dear Darril,

Here’s how the Wikipedia fundraiser works: Every year we raise just the funds that we need, and then we stop.

Because you and so many other Wikipedia readers donated over the past weeks, we are very close to raising our goal for this year by December 31 — but we’re not quite there yet.

You’ve already done your part this year. Thank you so much. But you can help us again by forwarding this email to a friend who you know relies on Wikipedia and asking that person to help us reach our goal today by clicking here and making a donation.

If everyone reading this email forwarded it to just one friend, we think that would be enough to let us end the fundraiser today.

Of course, we wouldn’t turn you down if you wanted to make a second donation or a monthly gift.

Google might have close to a million servers. Yahoo has something like 13,000 staff. We have 679 servers and 95 staff.

Wikipedia is the #5 site on the web and serves 470 million different people every month – with billions of page views.

Commerce is fine. Advertising is not evil. But it doesn’t belong here. Not in Wikipedia. Wikipedia is something special. It is like a library or a public park. It is like a temple for the mind. It is a place we can all go to think, to learn, to share our knowledge with others.

When I founded Wikipedia, I could have made it into a for-profit company with advertising, but I decided to do something different. We’ve worked hard over the years to keep it lean and tight. We fulfill our mission, and leave waste to others.

Thanks again for your support this year. Please help spread the word by forwarding this email to someone you know.

Thanks,

Jimmy Wales

Wikipedia Founder


If you can afford to share some of your wealth, I encourage you to consider sharing some of it with the people at Wikipedia.  We all benefit.

Security+ Practice Test Questions for Your Mobile Phone

Study Security+ From Your Mobile Device

CompTIA Security+ (SY0-301) practice test questions and flash cards are now available for your mobile devices.  The content was written by Darril Gibson and includes:
  • Over 170 Flashcards
  • Over 275 Interactive Study questions with detailed explanations
  • Organized in seven practice tests based on Security+ objectives

This CompTIA Security+ SY0-301 mobile app includes relevant flashcards, interactive study questions and timed mock exams. Versions are available for your iPhone, iPad, Android phones, and Android tablets.  Check it out here:

If you’ve been studying for this exam and want to test your readiness, this app is for you. This is the only app currently on the market for the SY0-301 exam where every question includes the explanation for the correct choice, and also explains why the other choices are incorrect. Use it to ensure you pass the exam the first time you take it.


If you’re looking for a full study guide on the SY0-301 Security+ exam that will help you pass it the first time you take it, check out this book.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Sample Reviewer Comment

“I took the exam today and passed with an 874/900. This book gave me all I needed to pass and there wasn’t anything that wasn’t familiar.”


Mobile App Features

Practice test questions and flashcards are organized in six topics, with a topic dedicated to each of the Security+ domains:

1) Network Security
2) Compliance and Operational Security
3) Threats and Vulnerabilities
4) Application, Data and Host Security
5) Access Control and Identity Management
6) Cryptography

Comments from reviewers on mobile app:

“The app does go through the most current CompTIA objectives. I recommend this app to all CompTIA Security+ candidates.”

by ramzsmith

“The flash cards and practice test were very useful.  This is a good investment for anyone looking to get certified.  Thanks……”

by AARON IRVING

Identification, Authentication, and Authorization

If you’re studying for one of the security certifications like CISSP, SSCP, or Security+, it’s important to understand the difference between identification, authentication, and authorization. These concepts are intertwined but have specific differences. When looking at these topics, especially for the SSCP and CISSP exams, it’s important to understand the differences between subjects and objects.

  • Subject. A subject is the active entity that accesses an object. For example, when a user accesses a file, the user is the subject. Other subjects include programs, processes, and any entity that can access a resource.
  • Object. An object is a passive entity that is being accessed by a subject. For example, when a user accesses a file, the file is the object. Other objects include databases, computers, printers, or any other resource that can be accessed by a subject.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Identification

Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.


Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions


Authentication

Authentication is the process of proving an identity and it occurs when subjects provide appropriate credentials to prove their identity. For example, when a user provides the correct password with a username, the password proves that the user is the owner of the username. In short, the authentication provides proof of a claimed identity.

There are several methods of authentication that I’ll cover in another post, but in short they are:

  • Something you know, such as a password or PIN
  • Something you have, such as a smart card, CAC, PIV, or RSA token
  • Something you are, using biometrics

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Authorization

Once a user is identified and authenticated, they can be granted authorization based on their proven identity. It’s important to point out that you can’t have separate authorization without identification and authentication. In other words, if everyone logs on with the same account you can grant access to resources for everyone, or block access to resources for everyone. If everyone uses the same account, you can’t differentiate between users. However, when users have been authenticated with different user accounts, they can be granted access to different resources based on their identity.

In summary, it’s important to understand the differences between identification, authentication, and authorization when studying for security exams such as the Security+, SSCP, or CISSP exams. Identification occurs when a subject claims an identity (such as with a username) and authentication occurs when a subject proves that identity (such as with a password). Once the subject has a proven identity, authorization techniques can grant or block access to objects based on that proven identity.
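The three steps as a small access-control system, written as an added example (not code from the original post): identification is a username lookup, authentication is a salted PBKDF2 password check, and authorization is an ACL on the object. The second function shows the shared-account problem described above; the account names, passwords and the payroll.xlsx object are constructed.

```python
import hashlib
import hmac
import os

# Constructed example: a minimal system that keeps identification,
# authentication and authorization as separate decisions.


class AccessControl:
    def __init__(self):
        self.accounts = {}   # username -> (salt, password hash): the identity store
        self.acl = {}        # object name -> set of usernames allowed to access it

    @staticmethod
    def _hash(password, salt):
        # Salted, iterated hash so the store never holds the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = (salt, self._hash(password, salt))

    def identify(self, username):
        """Identification: the subject claims an identity (here, a username)."""
        return username in self.accounts

    def authenticate(self, username, password):
        """Authentication: the subject proves the claimed identity with a password."""
        if not self.identify(username):
            return False
        salt, stored = self.accounts[username]
        return hmac.compare_digest(self._hash(password, salt), stored)

    def grant(self, obj, username):
        self.acl.setdefault(obj, set()).add(username)

    def authorize(self, username, obj):
        """Authorization: what the proven identity may do with the object."""
        return username in self.acl.get(obj, set())

    def access(self, username, password, obj):
        """Subject requests an object; each step can fail on its own."""
        if not self.identify(username):
            return "unknown identity"
        if not self.authenticate(username, password):
            return "authentication failed"
        if not self.authorize(username, obj):
            return "access denied"
        return "access granted"


def shared_vs_separate_accounts():
    """Why per-user authorization needs per-user identities."""
    ac = AccessControl()
    # Constructed accounts: one shared team login plus two individual logins.
    ac.create_account("shared", "team-pw")
    ac.create_account("alice", "alice-pw")
    ac.create_account("bob", "bob-pw")
    ac.grant("payroll.xlsx", "alice")       # only Alice should read payroll
    ac.grant("payroll.xlsx", "shared")      # but if the team shares one account...
    return {
        # ...Bob gets exactly the same answer as Alice through the shared login
        "alice_via_shared": ac.access("shared", "team-pw", "payroll.xlsx"),
        "bob_via_shared": ac.access("shared", "team-pw", "payroll.xlsx"),
        # with separate identities the system can tell them apart
        "alice": ac.access("alice", "alice-pw", "payroll.xlsx"),
        "bob": ac.access("bob", "bob-pw", "payroll.xlsx"),
        "bob_bad_pw": ac.access("bob", "wrong", "payroll.xlsx"),
        "nobody": ac.access("carol", "x", "payroll.xlsx"),
    }
```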

Single Sign-On (SSO) and Federated Identity Management

If you’re studying for one of the security certifications such as CISSP, SSCP, or Security+ it’s important to understand single sign-on (SSO) concepts and federated access.

SSO refers to the ability of a user to log on or access multiple systems by providing credentials only once. It enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user’s entire session.


Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Kerberos

Kerberos is an authentication protocol commonly used to help support SSO in many networks. When users authenticate, a Key Distribution Center (KDC) issues the user an encrypted time-stamped ticket-granting ticket (TGT). The TGT is cached on the user’s system and normally has a lifetime of 10 hours but can be renewed. Kerberos uses symmetric cryptography to encrypt tickets and in most current implementations it uses Advanced Encryption Standard (AES). The KDC is also referred to as an authentication server (AS) or sometimes as a Kerberos authentication server (KAS).

When the user later wants to access a resource such as a file on a server, the user’s system submits the TGT with a request to access the resource. The KDC validates the TGT and sends the user a ticket (sometimes called a service ticket) for the resource.  The user’s system then submits this ticket to the host of the resource (in this case the file server) with a request to access the resource. The host checks with the KDC to ensure that the ticket is valid and if so, allows access as long as the user is authorized.

Kerberos requires all systems to be time synchronized and the default in version 5 is for all systems to be within five minutes of each other. If a system is more than five minutes off, the KDC won’t issue a TGT or any other tickets, effectively blocking all non-anonymous access on a network. It uses a database of credentials to authenticate users and uses port 88 by default.

A drawback with Kerberos is that it represents a single point of failure. If the KDC fails, all authentication stops. Additionally, if the KDC is compromised, all credentials are compromised.
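The exchange described above as a constructed simulation (example code added here, not part of the original post or any Kerberos implementation): the KDC’s credential database, time-stamped pre-authentication with the five-minute skew check, a TGT with the 10-hour lifetime, and a service ticket. A SHA-256/HMAC toy construction stands in for the AES encryption real Kerberos uses, the file server is assumed to open its ticket with its own long-term key shared with the KDC, and the principal names and passwords are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed simulation of the Kerberos v5 ticket flow; not a real KDC.
TGT_LIFETIME = 10 * 60 * 60   # a TGT normally lives 10 hours
MAX_CLOCK_SKEW = 5 * 60       # all systems must be within five minutes

def key_from_password(password):
    # Assumption: stands in for Kerberos' password-to-key derivation.
    return hashlib.sha256(b"toy-string2key:" + password.encode()).digest()

def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))

def seal(key, plaintext):
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in
    for the AES encryption real Kerberos applies to tickets and pre-auth data."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("ticket forged, tampered with, or sealed under another key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def make_ticket(client, service, session_key, expires):
    return json.dumps({"client": client, "service": service,
                       "key": session_key.hex(), "expires": expires}).encode()

class KDC:
    """Holds the credential database and issues TGTs and service tickets."""

    def __init__(self, passwords):
        self.keys = {name: key_from_password(pw) for name, pw in passwords.items()}
        self.tgt_key = os.urandom(32)   # the KDC's own key; every TGT is sealed with it

    def as_exchange(self, client, preauth, now):
        """AS exchange: the client proves it holds its key by sealing a timestamp;
        a timestamp outside the skew window means no TGT (and so no other tickets)."""
        ts = int.from_bytes(unseal(self.keys[client], preauth), "big")
        if abs(ts - now) > MAX_CLOCK_SKEW:
            raise PermissionError("clock skew too great; no TGT issued")
        session = os.urandom(32)
        tgt = seal(self.tgt_key, make_ticket(client, "krbtgt", session, now + TGT_LIFETIME))
        return tgt, seal(self.keys[client], session)   # only the client can read the key

    def tgs_exchange(self, tgt, service, now):
        """TGS exchange: validate the cached TGT, then issue a service ticket
        sealed with the service's long-term key (the client cannot alter it)."""
        t = json.loads(unseal(self.tgt_key, tgt))
        if now > t["expires"]:
            raise PermissionError("TGT expired; the client must authenticate again")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service],
                      make_ticket(t["client"], service, svc_session, t["expires"]))
        return ticket, seal(bytes.fromhex(t["key"]), svc_session)

def service_accept(service_key, ticket, now, acl):
    """The file server opens the ticket with its own key (assumption: shared with
    the KDC) and only then applies authorization, which the ticket does not decide."""
    t = json.loads(unseal(service_key, ticket))
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    return t["client"] in acl

def run(client_clock_offset=0, now=1_700_000_000):
    """One logon and one file access; returns the file server's access decision."""
    kdc = KDC({"alice": "alice-pw", "fileserver": "svc-pw"})   # constructed principals
    alice_key = key_from_password("alice-pw")
    preauth = seal(alice_key, (now + client_clock_offset).to_bytes(8, "big"))
    tgt, enc_session = kdc.as_exchange("alice", preauth, now)
    session = unseal(alice_key, enc_session)              # client caches TGT + session key
    ticket, enc_svc = kdc.tgs_exchange(tgt, "fileserver", now + 60)
    svc_session = unseal(session, enc_svc)                # key for talking to the server
    return service_accept(kdc.keys["fileserver"], ticket, now + 61, {"alice"})
```

Running `run(client_clock_offset=600)` reproduces the skew failure: the KDC refuses the TGT, so no service ticket can ever be requested.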


Studying SSCP?  This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Federated Identity Management

Identity management refers to the management of user identities and their credentials. For example, usernames and passwords are stored in a database that can be accessed by Kerberos to authenticate users.  Users claim an identity and prove their identity by authenticating, such as with a password. In federated identity management, organizations join a group of organizations called a federation. All the organizations within the federation agree on a method to share identities between the organizations.

Once the federation is configured, users are able to log on one time within their organization and then access resources in other organizations without logging on again.  This is usually transparent to the user.

As an example, I have worked in an organization where we logged on with smart cards.  We had access to training sites hosted by other organizations that were part of a federated identity management system.  All we had to do was access the web site using a web browser, and our credentials were automatically recognized without requiring us to take any additional steps.

In summary, SSO methods can increase security by reducing the number of passwords users must remember. Federated access allows an organization to share identities between different organizations in a common group, or federation of organizations.

Free Security+ Books from Amazon Prime

Two Security+ books are now available through the Kindle lending library, a new feature of Amazon Prime.  If you have any version of a Kindle and Amazon Prime, you can check out any available book for free for a month.  Books for both the SY0-201 and SY0-301 Security+ exams are available to check out.

Two Security+ Books Available

The following two Security+ books are a part of this program so you can checkout either one without charge.

While Amazon has created Kindle applications to run on just about any platform, the lending library doesn’t currently work with these applications. I really don’t know if they plan to add it later or not.  However, if you don’t have a Kindle, you can still get these two books for only $9.99 using one of these free applications.

These Security+ books are also available in paperback versions.

Amazon Prime Benefits

I’ve had Amazon Prime for quite a while and have been very happy with it.  It costs $79 annually but you can try it out for a free one month trial.  It has the following benefits:

  • Free two-day shipping on products shipped from Amazon
  • Instant streaming of movies and TV shows
  • Instant access to thousands of books

Kindle Versions

There are several versions of Kindles available and for reading books, I’ve been very happy with it.  I have an iPad but don’t find it as easy to read books from the iPad as the Kindle. 

Also, I recently purchased the new Kindle Fire and have been impressed with it too.  It works very similar to the iPad.  I don’t think it’ll be an iPad killer but it has a lot of similar functionality and has great potential.

If you’re studying for the Security+ exam and you have a Kindle and Amazon Prime, be sure to check out the new lending library. If you don’t have these though, you can still get some good quality Security+ study materials. Best of luck in your studies.

CAC, PIV, and Smart Card

When preparing for security exams such as Security+ or SSCP, you should know the differences between a common access card (CAC), a personal identity verification (PIV) card, and a smart card.  All three are used for authentication. More specifically, each of them falls in the something you have factor of authentication.

Users prove their identity with authentication and there are three factors of authentication. They are commonly known as:

  • Something you know, such as a password or PIN
  • Something you have, such as a smart card, CAC, PIV, or RSA token
  • Something you are, using biometrics

Now Available
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Smart Card

A smart card is a credit-card-sized card that has an embedded microchip and one or more certificates.  The information on the card identifies the user, and the certificate also includes the user’s private key used for asymmetric cryptography.

Users are often required to enter a personal identification number (PIN) along with the smart card.  Using a smart card (something you have) and a PIN (something you know) provides multifactor authentication. Combining two or more factors of authentication is more secure than using only a single factor.

Both a CAC and a PIV provide the same benefits as a smart card, but also include photo identification.

CAC

A common access card (CAC) is a smart card used by employees and other personnel in the United States Department of Defense (DoD).  A CAC includes a picture of the user along with other information such as their name.  DoD employees wear the CAC as a badge and can show it to guards to prove their identity.  They can also use it as a smart card to log onto systems.

PIV

A personal identity verification (PIV) card is also a specialized type of smart card used by personnel in United States federal agencies.  Just as a CAC does, the PIV card includes a picture of the user along with their name. A PIV can be used for visual verification of users, and then as a smart card when users log onto their computer.

Benefits of Smart Card, CAC, and PIV

Each of these provides some specific benefits worth emphasizing.  They are:

  • Authentication. A basic purpose is to allow users to prove their identity.
  • Confidentiality. The certificate can be used with asymmetric cryptography to ensure confidentiality of data.
  • Integrity. The certificate can also be used with digital signatures to provide integrity for the message.
  • Non-repudiation. In addition to providing integrity, a digital signature also provides non-repudiation.

Security+ Practice Test Question

Q. Which of the following includes a photo and can be used for identification?

A. MAC

B. DAC

C. RBAC

D. CAC

Answer below


Security+ Practice Question Answer: D

A common access card (CAC) includes a picture used for identification and can also be used as a smart card. While not included in the answers, a personal identity verification (PIV) card also includes a picture and can be used as a smart card. A media access control (MAC) address is assigned to a network interface card or wireless network adapter. Discretionary access control (DAC) is an access control model; Microsoft’s NTFS uses DAC.  Role based access control (RBAC) is an access control model; RBAC uses roles or groups and users are placed into a role or group based on their assigned jobs.

Security+ CE Requirements

After you pass the Security+, you’ll find that CompTIA has a requirement to earn continuing education (CE) credits to retain the certification. If you don’t meet the CE requirements, your certification will expire.  CompTIA’s page provides an overview and other links for in-depth details, but this blog breaks down the basics for anyone earning the Security+ certification.

The requirements set by CompTIA for their program are very similar to the requirements for the SSCP and CISSP certifications.


If you don’t have your Security+ yet, check out this book
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Fees

You’re required to pay $49 annually or a total fee of $147 for a three year period. In many cases, your employer will pay this fee, but if your employer doesn’t provide the benefit, you’ll have to pay yourself. You won’t be able to log any CE credits until you enroll, agree to the Code of Ethics policy, and pay the required fees.

Interestingly, the Code of Ethics policy disappears after you agree to it.

Multiple Certifications

If you have multiple certifications, you only have to pay for the highest level certification. For example, if you earned the A+, Network+, and Security+ certifications, you only need to meet the CE requirements for Security+ and your A+ and Network+ certifications will automatically be renewed.

Credits Required

You’re required to earn 50 Continuing Education Units (CEUs) for the Security+ certification during the three year period after passing the exam. CompTIA provides a full listing of activities that will earn you credits.  Here is a short listing to give you an idea of approved activities and how many credits you can get for them.

  • Attend approved training: 1 CEU per hour
  • Work experience: 3 CEUs per year
  • College course: 3 CEUs per credit hour
  • Writing a blog article (500+ words): 1 CEU
  • Writing a book (150+ pages): 20 CEUs
  • Teaching or instructing: 1 CEU per hour
  • Creating teaching or instructor materials: 2 CEUs per hour

There is a maximum number of CEUs you can earn in many of the categories. For example, you’re limited to a maximum of 9 CEUs for work experience and a maximum of 40 CEUs for a college course.


After earning your Security+, go for the SSCP
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Submitting Credits

You are required to submit your continuing education credits online, and this can help you track your progress. You use your CompTIA credentials to log on and then have access to enroll in the program.  When you select an activity, it often enters the number of units for the item.

When you submit your CEUs you’re required to also provide documentation to support the activity. For example, if you attend training, you’d need to provide the completion certificate.

Expired Certifications

You aren’t required to enroll in the CE program or pay the annual fees. If you don’t, your certification will expire after three years.  If you’ve moved on to higher level certifications such as the CISSP, this may not be important to you.

If you later decide you want to renew your certification, you’ll have to take the exam again to recertify. If the certification has expired, you won’t be able to pay the fees and submit past CEUs.

Stay Certified

In summary, if you want to keep your certification, you’ll need to meet the Security+ CE requirements by doing the following:

  • Enroll in the CE program
  • Agree to the Code of Ethics
  • Pay your annual fees
  • Submit a total of 50 CEUs

HTH,

Darril Gibson

November Newsletter (Security+ and SSCP)

In case you missed it, the recent edition of the Get Certified Get Ahead newsletter went out on November 29th. It includes several useful links to relevant topics on the Security+ and SSCP exams.

Even though it’s too late to sign up for the past edition, you can still view it here. And of course, it’s not too late to sign up for the December edition.

Security+ and SSCP

This edition is focused on security topics for people studying for the Security+ and SSCP exams. It also includes an offer for free review copies of my newly released SSCP Systems Security Certified Practitioner All-in-One Exam Guide book. (Sorry though, it’s too late to get one of the five free SSCP review books offered in the newsletter. Maybe next month’s newsletter will have another freebie available you can get for yourself.)

This edition also includes a few links to some interesting articles on the Internet such as the Top 5 Information Security Certifications written by Ed Tittel. Another article lists Security+ as the most common security certification.

If you’d like to see anything in the next edition, feel free to enter a comment on this page or send me a message from here.

Security+ Tips

I also talked a little about Twitter. In case you don’t know it, I tweet daily Security+ tips and you can view them here.  Here are a few recent tweets related to fault tolerance on the SY0-301 exam:

  • Failover clusters provide high availability for servers. They can remove a server as a single point of failure.
  • RAID-1 uses two disks as a mirror. RAID-5 uses three or more disks using striping with parity.
  • RAID subsystems, such as RAID-1 and RAID-5, provide increased availability for systems.
  • Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.
  • A single point of failure is any component whose failure results in the failure of an entire system.
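The RAID-5 tweet above, worked through as an added example (not from the original post): data is striped across three or more byte-string "disks" with a rotating XOR parity chunk, and any single lost disk is rebuilt from the survivors, which is why the array stays available. The 4-byte chunk size and the sample data are constructed.

```python
# Constructed example: RAID-5 striping with rotating XOR parity over
# byte-string "disks", and rebuilding the array after one disk fails.

CHUNK = 4   # bytes per chunk; real arrays stripe in KiB-sized chunks (assumption)


def xor_chunks(chunks):
    out = bytes(CHUNK)
    for c in chunks:
        out = bytes(a ^ b for a, b in zip(out, c))
    return out


def raid5_write(data, disks=3):
    """Split data into chunks; each stripe holds disks-1 data chunks plus one
    parity chunk, and the parity position rotates so no single disk holds it all."""
    if disks < 3:
        raise ValueError("RAID-5 needs three or more disks")
    chunks = [data[i:i + CHUNK].ljust(CHUNK, b"\0") for i in range(0, len(data), CHUNK)]
    per_stripe = disks - 1
    array = [[] for _ in range(disks)]
    for n, s in enumerate(range(0, len(chunks), per_stripe)):
        stripe = chunks[s:s + per_stripe]
        stripe += [bytes(CHUNK)] * (per_stripe - len(stripe))   # pad the last stripe
        parity_disk = n % disks
        data_iter = iter(stripe)
        for d in range(disks):
            array[d].append(xor_chunks(stripe) if d == parity_disk else next(data_iter))
    return array


def raid5_read(array, length):
    """Reassemble the data by skipping each stripe's parity chunk."""
    disks = len(array)
    out = b"".join(array[d][n] for n in range(len(array[0]))
                   for d in range(disks) if d != n % disks)
    return out[:length]


def raid5_rebuild(array, failed):
    """Any one lost disk is the XOR of the surviving disks, stripe by stripe."""
    survivors = [disk for i, disk in enumerate(array) if i != failed]
    rebuilt = [xor_chunks(stripe) for stripe in zip(*survivors)]
    return [rebuilt if i == failed else disk for i, disk in enumerate(array)]


def survives_single_failure(data, disks=3):
    """Fail each disk in turn, rebuild from the rest, and check the data is intact."""
    array = raid5_write(data, disks)
    return all(raid5_read(raid5_rebuild(array, f), len(data)) == data
               for f in range(disks))
```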

Best of luck in your studies,

Darril Gibson

Security+ Practice Test Question Hardware Device

Here’s a practice test question for anyone planning on taking the SY0-301 Security+ exam.

Security+ Practice Test Question

Your organization has an existing server and you want to add a hardware device to provide encryption capabilities. What is the easiest way to accomplish this?

A. TPM

B. HSM

C. DLP

D. IaaS

Answer below:

If you’re looking for a Study Guide on the SY0-301 exam that can help you take and pass the Security+ exam the first time you take it, check out the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide. It covers 100 percent of the CompTIA Security+ SY0-301 objectives using real-world examples of security principles in action to help you master the important concepts. It also includes over 450 realistic practice questions with in-depth explanations. You’ll know why the correct answer is correct, why the incorrect answers are incorrect, and be able to pass this exam the first time you take it.

If you think you’re ready for the exam, but just want some realistic practice questions to test your readiness, check out this book instead: CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions. It includes 275 practice test questions with in-depth explanations and is available for only $9.99 on the Kindle.

Answer

Your organization has an existing server and you want to add a hardware device to provide encryption capabilities. What is the easiest way to accomplish this?

A. TPM

B. HSM

C. DLP

D. IaaS

The correct answer is B.

A hardware security module (HSM) is a hardware device you can add to a server to provide encryption capabilities.

A Trusted Platform Module (TPM) is a chip embedded into a motherboard that also provides hardware encryption, but you can’t easily add a TPM to an existing server.

A Data Loss Prevention (DLP) device can reduce the risk of employees e-mailing confidential information outside the organization.

Organizations use Infrastructure as a Service (IaaS) to rent access to hardware such as servers via the cloud to limit their hardware footprint and personnel costs.

TPM, HSM, and DLP are covered in depth in Chapter 5 of CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide. IaaS and other cloud computing topics are covered in Chapter 4.

Systems Security Certified Practitioner (SSCP)

The Systems Security Certified Practitioner (SSCP) is a logical next step for many people who have earned the CompTIA Security+ and is often used as a stepping stone to the much more difficult CISSP certification. The SSCP certification is more technical than the CISSP, which has a much broader focus. Objectives for the SSCP are contained in the Candidate Information Bulletin (CIB) which you can get from this page.

Here are some overall details on the certification:

SSCP Seven Domains

The SSCP has objectives listed in the following seven domains:

  • Access Controls
  • Cryptography
  • Malicious Code and Activity
  • Monitoring and Analysis
  • Networks and Communications
  • Risk, Response and Recovery
  • Security Operations and Administration

Candidates must have at least one year of direct full-time security work experience in one or more of these seven domains.  After passing the exam, you’ll be required to submit a resume documenting this experience. Additionally, your application must be endorsed by someone who holds a certification with (ISC)2 and can attest to the accuracy of your resume.  If you don’t know someone with a certification, you can still turn in your application, but it will take longer to complete the endorsement process.

If you don’t have the required experience, you can still take the exam and earn the Associate of (ISC)2 designation for the SSCP. You’ll then have two years to get the required experience and change this over to a fully certified SSCP.


Released ahead of schedule and now available:
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


About the SSCP Exam

The exam includes 125 multiple choice questions with each question having four choices. Only 100 questions are graded and the additional 25 questions are used for research purposes, but you won’t know which questions are graded and which are research questions. In other words, answer them all as if they are graded questions. The questions are weighted with some questions more difficult than others. A passing score of 700 out of a possible 1000 points is required to pass.

It is a paper-based exam. You’ll be given a test booklet and a bubble sheet to fill in your answers. For each question, you use the old-fashioned number 2 pencil to fill in the correct bubble.  When you’re done, you turn in your answer sheet. You’ll get the results via email within 4 to 6 weeks after taking the exam.

Expect to take it in a large ballroom in a hotel or some similar setting with other people taking exams such as the CISSP, or CSSLP exams. Several proctors will be walking around the room during the exam.

You’ll have three hours to take the exam and this is strictly timed. If you need to take a break, you can usually walk to the back of the room and have a drink or snack if you brought it with you. Sign-out sheets are commonly used for people who need to use the restroom.  However, all of this time still counts towards your three hours. Other exams are longer. For example, other people in the room will probably be taking the CISSP exam which is six hours long.

Registering for the SSCP Exam

The exam costs $300 if you’re taking it in the United States. If you register and pay for the exam at least 16 days earlier, you get a break and it only costs $250. You can view the full price list here which includes prices for all the exams and the cost in other countries and currencies.

When you’re ready to register for the exam, you can start the process here. During this process, you’ll be required to commit to abiding by the Code of Ethics. This is also included in the objectives for the exam so you should look this over before starting the registration process.

Good luck!