What's New In CompTIA Security+ - Course Technology Computing Conference
Presenter: Mark Ciampa, Western Kentucky University
The new CompTIA Security+ exam (SY0-401) is projected to be rolled out in the late spring of 2014. This exam will have several significant changes from the previous exam. These include an expanded emphasis on topics such as securing mobile devices, cloud computing, cryptography, and threats and vulnerabilities. In addition, CompTIA is continuing to use performance-based questions on Security+ exams, requiring test-takers to configure firewall access control lists, match ports with services, and analyze log files. What exactly will the new Security+ exam cover? How will the updated Cengage Security+ Guide to Network Security Fundamentals 5th Edition address these changes? And what are the best ways to help students be prepared for the new Security+ exam with its performance-based questions? This session will look at what's new in CompTIA Security+ and how we can teach security to our students.
2. 431 Million
• A – The current population of the U.S.
• B – How many steps are needed to reach
your room here in the Opryland Hotel
• C – The number of adults worldwide who
experienced cybercrime last year
2
3. 14 Each Second
• A – The number of infants born
worldwide every day
• B – The number of emails you receive
from your most needy student
• C – The frequency of a cybercrime
incident worldwide
3
4. 79%
• A – Average pay raise of college
presidents over the last 5 years
• B – The number of Cengage employees
who use cengage as a password
• C – Percentage of Internet users spending
49+ hours per week online who are a
victim of cybercrime
4
5. Illicit Drugs
• A – The biggest threat on your
campus
• B – What you will need after
enduring this presentation
• C – The only activity that nets
more revenue than cybercrime
5
6. More Bad News
• Web pages that infect by simply looking at them
(6,000 new infected pages daily, or 1 every 14
seconds)
• More attacks originate in U.S. than any other country
(33%)
• Home users were the most highly targeted sector (93%
all targeted attacks)
• An infected U.S. computer has an average of 8
instances of malware
• U.S. has highest number of infected computers
6
7. Users Are Still Confused
• Massive data breach from computers belonging to
South Carolina's Department of Revenue (DOR)
• Exposed Social Security numbers of 3.8 million
taxpayers plus credit card & bank account data for
total of 74.7 GB
• Started with employee's computer infected with
malware after user opened phishing e-mail
• Attacker captured the person's username and
password
• Installed tools that captured user account
passwords on 6 servers
• Eventually gained access to 36 other systems
7
8. Users Are Still Confused
• 2012 survey of American, British and German adult
computer users
• 40% not always update software on computers when
they initially prompted
• 25% said do not clearly understand what software
updates do
• 25% said do not understand the benefits of updating
regularly
• 75% said saw update notifications but over half said
needed to see notification between 2-5 times before
decided
• 25% said do not know how to check if their software
needs updating
8
9. Uses Are Still Confused
• 88% use their home computer for online banking, stock
trading, reviewing personal medical information, and storing
financial information, health records, and resumes
• 98% agree important to be able to know risk level of a web
site before visiting it (But 64% admit don’t know how to)
• 92% think that their anti-virus software is up to date (But
only 51% have current anti-virus software that been updated
within last 7 days)
9
10. Users Are Still Confused
• 44% don’t understand firewalls
• 25% have not even heard of the term “phishing”
and only 13% can accurately define it
• 22% have anti-spyware software installed, an
enabled firewall, and anti-virus protection that
has been updated within last 7 days
10
11. Why Increase In Attacks
• Speed of attacks
• More sophisticated attacks
• Simplicity of attack tools
• Faster detection weaknesses
• Delays in user patching
• Distributed attacks
• Exploit user ignorance & confusion
11
12. User Confusion
• Confusion over different attacks: Worm or
virus? Adware or spyware? Rootkit or
Trojan?
• Confusion over different defenses:
Antivirus? Firewall? Patches?
• Users asked to make security decisions and
perform technical procedures
12
13. Think Of a User
• Will you grant permission to open this
port?
• Is it safe to un-quarantine this
attachment?
• May I install this add-in?
13
14. User Misconceptions
• I don’t have anything on my computer
they want
• I have antivirus software so I’m protected
• The IT Department takes care of security
here at school or work
• My Apple computer is safe.
14
15. What's New In CompTIA Security+
• The new CompTIA Security+ exam (SY0-401) is projected to be rolled out in
the late spring of 2014. This exam will have several significant changes
from the previous exam. These include an expanded emphasis on topics
such as securing mobile devices, cloud computing, cryptography, and
threats and vulnerabilities. In addition, CompTIA is continuing to use
performance-based questions on Security+ exams, requiring test-takers to
configure firewall access control lists, match ports with services, and
analyze log files. What exactly will the new Security+ exam cover? How
will the updated Cengage Security+ Guide to Network Security
Fundamentals 5th Edition address these changes? And what are the best
ways to help students be prepared for the new Security+ exam with its
performance-based questions? This session will look what's new in
CompTIA Security+ and how we can teach security to our students.
16. What's New In CompTIA Security+
• Current state of security
• New CompTIA Security+ exam (SY0-401)
• Teaching Security+
• Security+ Guide to Network Security
Fundamentals 5th Edition
17. What's New In CompTIA Security+
Current State of Security
24. Wireless Baby Monitor
• Marc G. was his kitchen when started hear strange sounds
coming from the nursery of his two-year-old daughter Allyson
• Marc and wife entered the nursery and heard a stranger's voice
calling out Allyson's name, cursing at her and calling her vile
names
• Voice was coming from the electronic baby monitor in Allyson's
room that contained a camera, microphone, and speaker
connected to their home Wi-Fi network
• Because they did not have any security set on their wireless
network, the attacker had been able to take control of the baby
monitor from an unknown remote location
• Parents surmised that the attacker knew their daughter's name
because he saw "Allyson" spelled out on the wall in her room
• Estimated that there are more than 100,000 wireless cameras
that can be easily be exploited because they have virtually no
security.
24
26. Twitter• Twitter account of Associated Press (AP) was broken into
and a fictitious tweet was posted claiming there were "two
explosions in the White House and [the U.S. President] is
injured“
• Even though the tweet was only visible for a matter of
minutes before it was removed, because of this fictitious
tweet the Dow Jones industrial average dropped
immediately (it recovered later in the day)
• CBS television websites 60 Minutes and 48 Hours, the New
York Times, the Wall Street Journal, the Washington Post,
Burger King, and Jeep have been victims of recent Twitter
break-ins
• U.S. Securities and Exchange Commission (SEC) recently
said that it would allow public companies to disclose
corporate information on social media sites like Twitter
26
28. Prepaid Debit Cards
• Attackers penetrated the network of a credit card processing company
that handles prepaid debit cards
• Manipulated the balances and limits on just 5 prepaid cards then used
withdraw cash from ATMs
• One month almost $5 million was fraudulently withdrawn from ATM
machines around the world in 5700 transactions
• Cell in New York City withdrew $400,000 in 750 fraudulent transactions
at 140 ATM locations in the city in only 2.5 hours
• A similar attack manipulated balances and withdrawal limits on 12 more
cards to withdraw an additional $40 million from ATM machines around
the world
• New York City cell withdrew $2.4 million in 3000 ATM transactions in just
10 hours.
28
30. Economic Development Administration
• Recently Department of Homeland Security (DHS)
warned Commerce Department that a "potential"
malware infection could be occurring within its
networks
• Security administrators at the Commerce Department
identified potentially infected computers as belonging
to Economic Development Administration (EDA)
• Email sent by Commerce Department security
administrators to the EDA said that they found 146
EDA systems that could potentially be infected
• In reality, only 2 actually were infected
30
31. Economic Development Administration
• Next day Commerce Department sent a follow-up email correcting the
numbers but second email was vague and did not point out the first
email was inaccurate
• EDA interpreted the second email as a confirmation of the first
warning
• Confirmed when EDA performed a forensic analysis on 2 computers
listed in the second email and found evidence of an infection
• Commerce Department told the EDA to reimage the computers
(meaning 2 computers) to clean them of malware
• But the EDA interpreted it as an instruction to clean at least 146
systems
• When EDA said that there were too many computers to reimage
(across a network 50 computers can easily be re-imaged in one day)
the Commerce Department incorrectly assumed that the EDA had
found more computers that were infected
• Chief Information Officer (CIO) of EDA instructed that their computers
should be isolated from the network
31
32. Economic Development Administration
• Later CIO decided that these computers should be
physically destroyed: not just the hard drives cleaned or
replaced, but the entire systems--along with mice and
keyboards--should be crushed
• In 8 months EDA had spent all of the money allocated for
this destruction--$170,000--and had to stop
• Had their sights set on destroying over $3 million worth of
computer systems
• The next month the EDA requested from the Commerce
Department's IT Review Board over $26 million over the
next three years to fund its recovery efforts (request was
denied)
• EDA spent 50% of its entire IT budget ($2.7 million) in
personnel and related costs to address a total of 2 infected
computers
32
33. Economic Development Administration
• Department of Commerce launched a "comprehensive
incident response improvement project“
• Project has already used a third party to review its
incident response capabilities, hired three experienced
incident handlers, and put a new security incident
tracking system in place
• It is unknown how much this new project will finally
cost.
33
34. Emily Williams
• U.S. federal government agency that specialized in "offensive
cybersecurity" had been resistant to technology-based penetration
testing in the past
• Pen testers turned to social engineering
• Created a fake online profile of "Emily Williams," an attractive 28-year-
old who graduated from MIT and had several years of security
experience
• Profiles of Emily were posted Facebook and LinkedIn, along with a
photo (that of a server from a local restaurant that many of the
employees of this same government agency frequented)
• Testers also posted on several of MIT's university forums using the
name Emily Williams
• After only 15 hours Emily had 60 Facebook and 55 LinkedIn
connections with employees from the targeted government agency
and its contractors
• After 24 hours she already had 3 job offers from other companies
34
35. Emily Williams
• Emily then started receiving LinkedIn endorsements
for her skills, and males who worked at the
government agency offered to help her get a jump-
start on a new job within the agency
• These males said they would help her by-pass normal
procedures for receiving a laptop computer and
network access, giving her higher levels of access than
a new hire would normally have
• During Christmas holiday testers created web site with
a Christmas card and posted a link to it on Emily's
social media profiles
35
36. Emily Williams
• Anyone who visited the site was prompted to execute a
Java applet, which was actually a Trojan that exploited a
vulnerability
• Pen testers were able to gain administrative rights over
these agency computers and capture user
passwords, install applications, and steal sensitive
documents, which, in more irony, contained information
about state-sponsored attacks on foreign governments
• One of the contractors for this agency who fell for this ploy
actually worked as a developer for an antivirus vendor and
had access to the antivirus source code, which the testers
were able to see
36
37. Emily Williams
• Pen team saw that two of the agency's employees had
exchanged information on Facebook about the
upcoming birthday of the agency's head of
information security
• Head did not have a Facebook or LinkedIn account
(perhaps for security reasons), so testers directly sent
to him an email with a birthday card that pretended to
come from one of these agency's employees
• The head of security fell victim by opening the card
and infecting his computer, thus exposing the crown
jewels of the entire system
37
38. Emily Williams
• Pen testers accomplished all of their goals using Emily
Williams in 7 days
• Test validated what is widely known: because
attractive females often receive special treatment in
the male-dominated IT industry, social engineering
attacks frequently take advantage of this
• Pen team also tried a similar test by planting a fake
male social media profile to see if any of the females
at the agency would fall for it
• They did not.
38
40. Craigslist & EBay• Federal Bureau of Investigation (FBI) is warning buyers to
beware
• Attackers masquerading as legitimate sellers frequently
advertise items at "too-good-to-be-true" prices to entice a
large number of victims
• Attackers do not post photos of the item for sale but
instead offer to send a photo as an email attachment or as
a link upon request
• Photo attachments contain malware: when the recipients
open the attachment their computers become infected
• Potential buyers are encouraged request original posting
be modified so that it includes a photo
40
42. Apple• Apple's Secure Transport library found in all versions of its
operating systems since iOS 6 and OS X 10.9
• Handles establishing encrypted connection for Apple
applications (Apple
Mail, iBooks, FaceTime, Calendar, Keynote, Safari
browser, and Software Update applications)
• Library is used for the most common cryptographic transport
algorithms of Secure Sockets Layer (SSL) and Transport Layer
Security (TLS)
• A coding error in the Apple library is responsible for a
security vulnerability
42
43. Apple
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final . . .
43
44. Apple• 2 "goto fail" lines in a row
• First line would be executed if there is an error
triggered by the "if ((err = SSLHashSHA1.update" line
• Second line is not based on a condition (even though it
is indented) and "goto fail" will always be
executed, even if there was not an error
• Code leaps over another call and result is that a
verification will always succeed and never fail
• Attackers could perform man-in-the-middle attack and
return false data that appears that it came from a valid
web server and has been cryptographically verified
44
46. Deadliest Attack• Insulin pump worn by diabetics that administers insulin as
an alternative to multiple daily injections
• Diabetic security researcher demonstrated wireless attack
on an insulin pump that could secretly change the delivery
dosage of insulin to the patient up to 300 feet away
• Another security researcher broke into defibrillator used to
stabilize heartbeats and reprogrammed it, then disabled
power-save mode so the battery ran down in hours instead
of years
• Threat was so real that a former vice president of the U.S.
had his defibrillator removed and replaced with one that
lacked capabilities that an attacker might exploit
46
47. Deadliest Attack• Department of Homeland Security (DHS) report entitled
"Attack Surface: Healthcare and Public Health Sector" says
“now becoming a major concern. . . . pose a significant
threat to the public and private sector"
• Food and Drug Administration (FDA), which regulates the
design and manufacture of medical devices issued an "FDA
Safety Communication" document recommending that
medical device manufacturers and health care facilities
should "take steps to assure that appropriate safeguards
are in place to reduce the risk of failure due to
cyberattack”
• FDA has stated that for any medical devices that do not
"appropriately address" security risks "might consider"
withholding its approval of the device
47
48. Director of National Intelligence
• What is our greatest global threat?
• A – Terrorism
• B – Weapons of mass destruction
• C – Cybersecurity
48
49. What's New In CompTIA Security+
• Current state of security
• New CompTIA Security+ exam (SY0-401)
• Teaching Security+
• Security+ Guide to Network Security
Fundamentals 5th Edition
50. What's New In CompTIA Security+
New CompTIA exam (SY0-401)
54. 5
Security+ SY0-401 contains primarily updates and expansion of existing SY0-301
objectives to include current technologies and security concerns.
There are more scenario based objectives, which are often used for performance based
questions in CompTIA exams.
Notable updates
Expansion of common protocols and services
More content devoted to risk, including risks due to systems integration with third
parties and how to plan for them
New emphasis on mobile security and BYOD
Risk mitigation in static environments including SCADA and Android/iOS.
Expanded and elevated (scenario based) authentication, authorization and access
control, including federation.
Changes in SY0-401 (Spring 2014)
55. .
July
2013
August
2013
September
2013
October
2013
November
2013
December
2013
January
2014
February
2014
March
2014
Remaining
2014
2013-2014
Translation
Schedule
Exam
Retirements
CompTIA 2013 Product Calendar Effective October 1, 2013
dates subject to change
A+ (701/702)
8/31/13-English 12/31/13-
All Languages
Green IT
IT for Sales
12/31/13
PDI+
1/31/2014
CDIA+ (225-030)
3/31/14-All Languages
Healthcare IT
A+ (800 Series)
Japanese-June 2013
German- September 2013
LAM Spanish- Q4 2013
Thai- Q4 2013
Arabic- Q1 2014
French- Q4 2013
Chinese- Q4 2013
Security+ (SYO-004)
Item Writing
September 16-20,2013
Mobility+ (MBO-001) Cut
Score Workshop
Aug 19-23
Network+ (N10-005) Item
Refresh
Aug 26-30
CASP Refresh JTA
Oct 7-11, 2013
October 1, 2013
Launch
CVO-001
iOS: IOS-001
Android : ADR-001
October 15, 2013
Launch
Security+ (SY0-401)
May 2014
CASP (CAS-002)
August 2014
Network+ (NI0-006)
Q4 2014
Strata IT Fundamentals
(FC0-U51)
Security+ (SY0-004)
JTA
July 8-12, 2013
Security+ (SY0-401)
Objectives Release
Security+ Refresh Cut Score
Nov 11-15, 2013
MB0-001
November 1, 2013
Launch
56. What's New In CompTIA Security+
• SY0-401 exam objectives released to general
public December 2013
• SY0-401 exam goes live May 2014
• SY0-301 exam objectives 11 pages
• SY0-401 exam objectives 15 pages
63. Personal Observations
• Somewhat deceptive about how much new
material has been added
• New material is more an expansion of
existing topics than entirely new topics
(going deeper instead of wider)
• Watch for Given a scenario as trigger for
performance-based questions
65. What's New In CompTIA Security+
• Current state of security
• New CompTIA Security+ exam (SY0-401)
• Teaching Security+
• Security+ Guide to Network Security
Fundamentals 5th Edition
69. We Can’t Win
• Information security should not be viewed as a
war to be won or lost
• Just as crime like burglary can never be
completely eradicated neither can attacks against
technology
• The goal is not a complete victory but instead
maintaining equilibrium
69
70. We Can’t Win
• As attackers take advantage of a weakness in a
defense, defenders must respond with an
improved defense
• Information security is an endless cycle between
attacker and defender
70
74. Which Is Better?
• thisisaverylongpassword
• Xp4!e%
• Length always trumps complexity
75. Length Over Complexity
• Keyboard had only 3 keys: A, B, and C
• Had to create a 2-character password
• How many different passwords could we
create?
• What’s the relationship between those
numbers?
78. Tennessee Password Policy
• Have 3 of the following 4 characteristics:
• Upper case characters (A-Z)
• Lower case characters (a-z)
• Digits (0-9)
• Non alphanumeric characters (~ ! # % * _ -)
• Is not a word in any language, slang, dialect, or jargon, etc.
• Is not based on personal information.
• Minimum of eight (8) characters
79. Password Paradox
• Password paradox – For password to remain secure it should never be
written down but must be committed to memory.
• Password should also be of a sufficient length and complexity that an
attacker cannot easily determine
• Paradox: although lengthy and complex passwords should be used and
never written down, it is very difficult to memorize these types of
passwords.
• Users have multiple accounts for computers at work, school, and
home, e-mail accounts, banks, online Internet stores, and each account
has its own password
80. Weak Passwords
• Common word (Eagles)
• Short passwords (ABCDEF)
• Personal information (name of a child or pet)
• Write password down
• Predictable use of characters
• Not change password
• Reuse same password
82. Password Principles
1. Any password that can be
memorized is a weak password
2. Any password that is repeated on
multiple accounts is a weak
password
83. Password Management Application
• Use technology instead of our memory for password management
• Password management application – Allow user to store username
and password, along with other account details
• Application is itself protected by a single strong password, and can
even require the presence of a file on a USB flash drive before the
program will open
• Allows user to retrieve usernames and passwords without the need to
remember or even type them
• Allows for very strong passwords:
85. Password Management Application
• In-memory protection - Passwords are encrypted while the application is running
to conceal passwords
• Key files - In order to open the password database key file must also be present
• Lock to user account - The database can be locked so that it can only be opened by
the same person who created it
• Password groupings - User passwords can be arranged as a tree, so that a group
can have subgroups
• Random password generator - A built-in random password generator can create
strong random passwords based on different settings
87. If You Rely On Memory Only
• Length is more important than complexity
• Do not use passwords that consist of dictionary words or phonetic words
• Do not use birthdays, family member names, pet names, addresses, or any
personal information
• Do not repeat characters (xxx) or use sequences (abc, 123, qwerty)
• Minimum of 12 characters in length or for accounts that require higher security a
minimum of 18 characters is recommended
• Consider using a longer passphrase but not in normal English sequence: not
theraininspainfallsmainlyontheplain but instead use in sequence
mainlyinonthethespainrainfalls
• Use nonkeyboard characters
88. 88
Use Nonkeyboard Characters
• Make passwords stronger with special characters not on
keyboard
• Created by holding down ALT key while simultaneously typing
a number on numeric keypad (but not the numbers across the
top of the keyboard); ALT + 0163 produces £.
• To see a list of all the available non-keyboard characters click
Start and Run and enter charmap.exe; click on character and
the code ALT + 0xxx will appear in lower-right corner if can be
reproduced in Windows
91. What's New In CompTIA Security+
• Current state of security
• New CompTIA Security+ exam (SY0-401)
• Teaching Security+
• Security+ Guide to Network Security
Fundamentals 5th Edition
92. What's New In CompTIA Security+
Security+ Textbook 5th Edition
93. Security+ 5e
• Security+ Guide to Network Security Fundaments, 5e
(9781305093911)
• Available August 1, 2014
• Maps completely to new SY0-401 exam objectives
• Retains popular format
• Increased from 14 to 15 chapters (new chapter on Mobile
Device Security)
• Increased chapter length by 2-3 pages
94. Security+ 5e
• Cryptography moved up to Chapters 5-6
• New “Today’s Attacks & Defenses” openers
• New sectional units
• New and updated Review Questions, Hands-On
Projects, Case Projects
• New lecture videos
• New material on companion web site to be updated
regularly
95. Security+ 5e
• Chapter 1: Introduction to Security
– Challenges of Securing Information
– What Is Information Security?
– Who Are the Attackers?
– Attacks and Defenses
96. Security+ 5e
THREATS
• Chapter 2: Malware and Social Engineering Attacks
– Attacks Using Malware
– Social Engineering Attacks
• Chapter 3: Application and Networking-Based Attacks
– Application Attacks
– Networking-Based Attacks
97. Security+ 5e
BASIC SECURITY
• Host, Application, and Data Security
– Securing the Host
– Securing static environments
– Application Security
– Securing Data
98. Security+ 5e
CRYPTOGRAPHY
• Chapter 5: Basic Cryptography
– Defining Cryptography
– Cryptographic Algorithms
– Using Cryptography
• Chapter 6: Advanced Cryptography
– Digital Certificates
– Public Key Infrastructure (PKI)
– Key Management
– Transport Encryption Algorithms
99. Security+ 5e
NETWORK SECURITY
• Chapter 7: Network Security
– Security through network devices
– Security through network technologies
– Security through network design elements
• Chapter 8: Administering a Secure Network
– Common Network Protocols
– Network Administration Principles
– Securing Network Applications
100. Security+ 5e
MOBILE SECURITY
• Chapter 9: Wireless Network Security
– Wireless Attacks
– Vulnerabilities of IEEE 802.11 Security
– Wireless Security Solutions
• Chapter 10: Mobile Device Security
– Types Mobile Devices
– Mobile Device Risks
– Securing Mobile Devices
101. Security+ 5e
ACCESS CONTROL AND IDENTITY MANAGEMENT
• Chapter 11: Access Control Fundamentals
– What is access control?
– Implementing access control
– Authentication Services
• Chapter 12: Authentication and Account Management
– Authentication Credentials
– Single sign-on
– Account Management
102. Security+ 5e
COMPLIANCE & OPERATIONAL SECURITY
• Chapter 13: Business Continuity
– What is business continuity?
– Disaster recovery
– Environmental Controls
– Incident Response Procedures
– Forensics
• Chapter 14: Risk Mitigation
– Controlling Risk
– Reducing Risk through Policies
– Awareness and Training
103. Security+ 5e
COMPLIANCE & OPERATIONAL SECURITY
• Chapter 15: Vulnerability Assessment and
Third Party Integration
–Vulnerability Assessment
–Vulnerability Scanning vs. Penetration Testing
–Third Party Integration
–Summary
104. What's New In CompTIA Security+
• Current state of security
• New CompTIA Security+ exam (SY0-401)
• Teaching Security+
• Security+ Guide to Network Security
Fundamentals 5th Edition
105. What's New In CompTIA Security+
mark.ciampa@wku.edu