Domain 4.0 Application, Data and Host Security
1. Fuzzing (4.1)
Fuzzing is a testing method that uses a brute force technique to send data to software or hardware inputs and then notice the response or reaction. The purpose is to discover programming or design flaws that need fixing or which can be exploited. Both security professionals and hackers use fuzzing tools. These tools can operate autonomously to craft random or sequential input data sets in order to stress test a target.
2. Cross-site Request Forgery (XSRF) prevention (4.1)
Cross-site Request Forgery (XSRF) is an attack that takes advantage of a Web server’s trust in an authenticated client. Usually attacks of this type wait until a valid client authenticates to a server before launching and making command requests to the server as if it were the client. The flaw is the server assuming that an authenticated client will only make valid and reasonable requests. This is a bad assumption. Prevention of XSRF must take place at both the client and server. Clients should avoid risky behavior to prevent malware infection and run current anti-malware scanners. Servers should limit the abilities or functions clients can access and re-request authentication when a sensitive action is requested.
3. Cable locks (4.2)
Cable locks are an important part of portable device physical security. A cable lock is used to secure a notebook or other device to a less mobile object (preferable immovable) using a looping cable along with a lock that connects into a K-slot on the device. Cable locks are not insurmountable; a good set of wire cutters or an adept lock-pick may be able to bypass the protection. However, the presence of a cable lock mandates the additional effort in a theft attack, thus reducing the attack’s success rate.
4. Mobile Devices (4.2)
There are several mobile device specifics on the objectives list, including screen lock, strong password, device encryption, remote wipe/sanitation, voice encryption, and GPS tracking. Most of these are standard security issues on desktops and notebooks. Smartphones are somewhat more vulnerable to remote wiping and GPS tracking. Often, these services must be installed and configured prior to a loss or theft event.
5. Data Loss Prevention (DLP) (4.3)
Data Loss Prevention (DLP) is the focus plan and policy to prevent data from being disclosed to unauthorized entities, especially outsiders and hackers. Most of the efforts related to data access, encryption, tracking, and confidentiality protection are part of the DLP solution. Showing sufficient DLP is also an important part of regulation compliance.
Domain 5.0 Access Control and Identity Management
1. Common Access Card (5.2)
The Common Access Card (CAC) has been commonly used by the government and military of the USA since the early 2000s; however, CACs are found in many private companies as well. The CAC is a smart card commonly used to control physical and logical access into a secured environment. It often consists of a photo ID, smart card technologies, and proximity mechanisms (such as RFID).
2. Personal identification verification card (5.2)
A personal identification verification (PIV) card is a more generic form of a CAC. It is any form of ID card that can be used to confirm or check someone’s identity. A PIV could refer to a driver’s license, an access badge, a photo ID, or a visitor’s badge, etc.
Domain 6.0 Cryptography
1. Miscellaneous Cryptography Items (6.0)
This domain contains several new topics not included on the previous exam. The topics are not new to the IT security realm as they are standard elements of most cryptography discussions. They include: block vs. stream, transport encryption, WEP vs. WPA/WPA2 and preshared key, RIPEME, HMAC, RC4, Blowfish, whole disk encryption, TwoFish, SSL, TLS, IPSec, SSH, HTTPS, and PKI.
The descriptions and definitions of some of the new Security+ topics listed here are designed to pique your interest. This is not an exhaustive coverage of these issues, but they point to a larger discussion of security topics that require greater context.