
Security Fundamentals

Security Fundamentals
Levels: Grades 10-12
Units of Credit: 0.5
CIP Code: 11.0450
Core Code: 35-01-00-00-036
Skill Tests: Industry Test 98-367 – MTA Security Fundamentals
Industry Test SYO - 401 CompTIA Security+

Course Description
This exam is designed to assess candidates’ knowledge of fundamental security concepts. MTA is a new
certification under the Microsoft Certification Program that validates the foundational knowledge
needed to begin building a career in Microsoft technologies. It can also serve as a stepping stone to the
Microsoft Certified Solutions Associate exams. Successful candidates for this exam will earn an MTA
certification as well as access to benefits of the Microsoft Certification Program. The primary target
audience for the MTA certification is students attending high schools and two-year colleges. Candidates
for this exam are seeking to prove fundamental security knowledge and skills. Before taking this exam,
candidates should have a solid foundation knowledge of the topics outlined in this document. It is
recommended that candidates become familiar with the concepts and the technologies described in this
document. Candidates are expected to have hands-on experience with Windows Server, Windows-
based networking, Active Directory, Anti-Malware products, firewalls, network topologies and devices,
and network ports.

This will also serve as an introduction to the CompTIA Security+ exam whose objectives are included.

Optional: The CompTIA Security+ exam will certify that the successful candidate has the knowledge and
skills required to identify risk, to participate in risk mitigation activities, and to provide infrastructure,
application, information, and operational security. In addition, the successful candidate will apply
security controls to maintain confidentiality, integrity, and availability, identify appropriate technologies
and products, troubleshoot security events and incidents, and operate with an awareness of applicable
policies, laws, and regulations.

Core Standards, Objectives, and Indicators


MTA Security Objective Domain

Standard 1 Understanding Security Layers


Objective 1.1 Understand core security principles.
• Understand the concepts of confidentiality, integrity, availability.
• Understand how threat and risk impact principles; principle of least privilege; social
engineering; and attack surface.

Objective 1.2 Understand physical security.


• Understand site security, computer security, removable devices and drives, access
control, mobile device security, disable Log On Locally, and keyloggers.

Updated March 2015 Page 1


Objective 1.3 Understand Internet security.
• Understand browser settings, zones, and secure Web sites.

Objective 1.4 Understand wireless security.


• Understand advantages and disadvantages of specific security types; keys, SSID, and
MAC filters.

Standard 2 Understanding Operating System Security


Objective 2.1 Understand user authentication.
• Understand multifactor, smart cards, RADIUS, and Public Key Infrastructure (PKI).
• Understand the certificate chain, biometrics, Kerberos, and time skew; using Run As
to perform administrative tasks; and password reset procedures.

Objective 2.2 Understand permissions.


• Understand the following: file; share; registry; Active Directory; NTFS vs. FAT;
enabling or disabling inheritance; behavior when moving or copying files within the
same disk or onto another disk; multiple groups with different permissions; basic
permissions and advanced permissions; take ownership; and delegation.

Objective 2.3 Understand password policies.


• Understand the following: password complexity; account lockout; password length;
password history; time between password changes; enforce by using group policies;
and common attack methods.
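The settings listed for this objective are the ones an account system actually enforces at password change and at logon. The following is an added example, not part of the course document, that models them in Python: minimum length, Windows-style complexity (no account name in the password, at least three of four character classes), password history, minimum password age, and account lockout. The threshold values and the sample account used in the checks are constructed for illustration.

```python
"""Password-policy enforcement modelled on the Group Policy settings listed above.

Added example; not part of the course document. The threshold values below
are constructed for illustration. The complexity rule follows the Windows
"Password must meet complexity requirements" setting: the password may not
contain the account name and must use at least three of four character classes.
"""
import hashlib
import hmac
import re

# Constructed policy values (typical Group Policy settings, chosen for illustration).
POLICY = {
    "min_length": 12,            # Minimum password length
    "history": 5,                # Enforce password history: last N passwords may not be reused
    "min_age_seconds": 86400,    # Minimum password age: time between password changes
    "lockout_threshold": 5,      # Account lockout threshold: failed attempts before lockout
    "lockout_seconds": 900,      # Account lockout duration
}


def meets_complexity(password: str, account_name: str) -> bool:
    """Windows-style complexity: not containing the account name, and at least
    three of upper-case, lower-case, digit and non-alphanumeric characters."""
    if account_name and account_name.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def _fingerprint(password: str) -> str:
    # Simplification for the history check: real systems keep salted, stretched
    # hashes (see key stretching under the Security+ cryptography objectives).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Account:
    """Tracks the state the policy needs: password history, last change, failures."""

    def __init__(self, name: str, password: str, now: float) -> None:
        self.name = name
        self.history = [_fingerprint(password)]  # newest first; [0] is the current password
        self.last_change = now
        self.failed_attempts = 0
        self.locked_until = 0.0

    def change_password(self, new_password: str, now: float) -> str:
        """Return "ok", or the name of the policy rule that rejected the change."""
        if now - self.last_change < POLICY["min_age_seconds"]:
            return "minimum-age"
        if len(new_password) < POLICY["min_length"]:
            return "length"
        if not meets_complexity(new_password, self.name):
            return "complexity"
        if _fingerprint(new_password) in self.history[:POLICY["history"]]:
            return "history"
        self.history.insert(0, _fingerprint(new_password))
        self.last_change = now
        return "ok"

    def authenticate(self, attempt: str, now: float) -> str:
        """Return "ok", "bad-password" or "locked"; enforces the lockout policy."""
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(_fingerprint(attempt), self.history[0]):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= POLICY["lockout_threshold"]:
            self.failed_attempts = 0
            self.locked_until = now + POLICY["lockout_seconds"]
            return "locked"
        return "bad-password"
```

Length and history defeat the common attack methods directly (a short or reused password is what dictionary and brute-force guessing rely on), while lockout limits online guessing; note that lockout also gives an attacker a way to lock legitimate users out by guessing deliberately, which is why Windows pairs it with a "reset lockout counter after" setting that this simplified model leaves out.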

Objective 2.4 Understand audit policies


• Understand the following: types of auditing; what can be audited; enabling auditing;
what to audit for specific purposes; where to save audit information; and how to
secure audit information.

Objective 2.5 Understand encryption


• Understand the following: EFS; how EFS-encrypted folders impact moving and
copying files; BitLocker (ToGo); Trusted Platform Module (TPM); software-based
encryption; mail encryption and signing and other uses; VPN; public key and private
key; encryption algorithms; certificate properties; certificate services; PKI/certificate
services infrastructure; and token devices.

Objective 2.6 Understand malware.


• Understand the following: buffer overflow; worms; Trojans; and spyware.

Standard 3 Understanding Network Security


Objective 3.1 Understand dedicated firewalls.
• Understand the types of hardware firewalls and their characteristics.

• Understand when to use a hardware firewall instead of a software firewall and
stateful vs. stateless inspection.

Objective 3.2 Understand Network Access Protection (NAP).


• Understand the purpose of NAP and the requirements for NAP.

Objective 3.3 Understand network isolation.


• Understand the following: VLANs; routing; honeypot; DMZ; NAT; VPN; IPsec;
and Server and Domain Isolation.

Objective 3.4 Understand protocol security.


• Understand the following: protocol spoofing; IPsec; tunneling; DNSSEC; network
sniffing; and common attack methods.

Standard 4 Understand Security Software


Objective 4.1 Understand client protection.
• Understand the following: anti-virus; User Account Control (UAC); keeping client
operating system and software updated; encrypting offline folders; software
restriction policies.

Objective 4.2 Understand e-mail protection.


• Understand the following: anti-spam; anti-virus; spoofing; phishing and pharming;
client vs. server protection; SPF records; and PTR records.

Objective 4.3 Understand server protection.


• Understand the following: separation of services; hardening; keeping server
updated; secure dynamic DNS updates; disabling insecure authentication protocols;
Read-Only Domain Controllers; separate management VLAN; Microsoft Baseline
Security Analyzer (MBSA).

Standard 5 Understand Security Careers and Ethics


Objective 5.1 Understand client protection.
• Understand the following: anti-virus; User Account Control (UAC); keeping client
operating system and software updated; encrypting offline folders; software
restriction policies.

Objective 5.2 Understand e-mail protection.


• Understand the following: anti-spam; anti-virus; spoofing; phishing and pharming;
client vs. server protection; SPF records; and PTR records.
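Objective 4.2 and its repeat under Objective 5.2 list SPF and PTR records. SPF lets a receiving mail server check whether the IP address that connected to it is authorized to send mail for the domain in the envelope sender, which is the server-side defence against the spoofing behind phishing; a PTR (reverse DNS) record is the complementary check that the connecting IP resolves back to a plausible host name. The following is an added example, not part of the course document, that evaluates a sending IP against SPF records. DNS is replaced by a constructed in-memory table of invented records so the code runs offline, and only the ip4, ip6, include and all mechanisms with their qualifiers are implemented.

```python
"""Evaluating a sending IP address against SPF records (Objectives 4.2 and 5.2).

Added example; not part of the course document. Real SPF evaluation queries DNS
TXT records; here a constructed in-memory table with invented records stands in
so the code runs offline. Only the ip4, ip6, include and all mechanisms are
handled (a, mx, exists and redirect are left out), with the +, -, ~ and ?
qualifiers from RFC 7208.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (invented domains and records).
DNS_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:mail.example.test -all",
    "mail.example.test": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "loop.test": "v=spf1 include:loop.test -all",  # deliberately self-referential
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limits the include/redirect chain to 10 DNS lookups


def lookup_spf(domain: str):
    """Return the SPF mechanisms for domain, or None when it publishes no record."""
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return None
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def check_spf(sender_ip: str, domain: str, depth: int = 0) -> str:
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip
    claiming to send mail for domain."""
    if depth > MAX_LOOKUPS:
        return "permerror"
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(sender_ip)

    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == network.version and addr in network
        elif mechanism == "include":
            # include matches only when the referenced domain's record yields pass;
            # an error or a missing record there is an error here too.
            sub_result = check_spf(sender_ip, argument, depth + 1)
            if sub_result in ("permerror", "none"):
                return "permerror"
            matched = sub_result == "pass"
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term
```

The qualifier on the final "all" term is what decides policy: "-all" tells receivers to reject unauthorized senders outright, "~all" only marks them, and a record with no "all" term leaves every unlisted sender neutral, which is the misconfiguration to look for when a domain's mail is still being spoofed despite "having SPF".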

Optional
CompTIA Security+
Certification Exam Objectives: SY0-401

The CompTIA Security+ Certification is aimed at an IT security professional who has:


• A minimum of 2 years' experience in IT administration with a focus on security
• Day-to-day technical information security experience
• Broad knowledge of security concerns and implementation, including the topics in the
domain list below

The table below lists the domain areas measured by this examination and the approximate extent
to which they are represented in the examination:

Domain                                       % of Examination
1.0 Network Security                         20%
2.0 Compliance and Operational Security      18%
3.0 Threats and Vulnerabilities              20%
4.0 Application, Data and Host Security      15%
5.0 Access Control and Identity Management   15%
6.0 Cryptography                             12%
Total                                        100%

Standard 1.0 Network Security


Objective 1.1 Implement security configuration parameters on network devices and other
technologies.
• Firewalls
• Routers
• Switches
• Load Balancers
• Proxies
• Web security gateways
• VPN concentrators
• NIDS and NIPS
o Behavior based
o Signature based
o Anomaly based
o Heuristic
• Protocol analyzers
• Spam filter
• UTM security appliances
o URL filter
o Content inspection
o Malware inspection
• Web application firewall vs. network firewall
• Application aware devices
o Firewalls
o IPS
o IDS
o Proxies

Objective 1.2 Given a scenario, use secure network administration principles.


" Rule-based management
" Firewall rules
" VLAN management
" Secure router configuration
" Access control lists
" Port Security
" 802.1x
" Flood guards
" Loop protection
" Implicit deny
" Network separation
" Log analysis
" Unified Threat Management

Objective 1.3 Explain network design elements and components.


" DMZ
" Subnetting
" VLAN
" NAT
" Remote Access
" Telephony
" NAC
" Virtualization
" Cloud Computing
o Platform as a Service
o Software as a Service
o Infrastructure as a Service
o Private
o Public
o Hybrid
o Community
" Layered security / Defense in depth

Objective 1.4 Given a scenario, implement common protocols and services.


" Protocols
o IPSec
o SNMP
o SSH
o DNS
o TLS
o SSL
o TCP/IP
o FTPS
o HTTPS
o SCP

o ICMP
o IPv4
o IPv6
o iSCSI
o Fibre Channel
o FCoE
o FTP
o SFTP
o TFTP
o TELNET
o HTTP
o NetBIOS
" Ports
o 21
o 22
o 25
o 53
o 80
o 110
o 139
o 143
o 443
o 3389
" OSI relevance

Objective 1.5 Given a scenario, troubleshoot security issues related to wireless networking.
" WPA
" WPA2
" WEP
" EAP
" PEAP
" LEAP
" MAC filter
" Disable SSID broadcast
" TKIP
" CCMP
" Antenna Placement
" Power level controls
" Captive portals
" Antenna types
" Site surveys
" VPN (over open wireless)

Standard 2.0 Compliance and Operational Security


Objective 2.1 Explain the importance of risk related concepts.
" Control types
o Technical
o Management

o Operational
• False positives
• False negatives
• Importance of policies in reducing risk
o Privacy policy
o Acceptable use
o Security policy
o Mandatory vacations
o Job rotation
o Separation of duties
o Least privilege
• Risk calculation
o Likelihood
o ALE
o Impact
o SLE
o ARO
o MTTR
o MTTF
o MTBF
• Quantitative vs. qualitative
• Vulnerabilities
• Threat vectors
• Probability / threat likelihood
• Risk-avoidance, transference, acceptance, mitigation, deterrence
• Risks associated with Cloud Computing and Virtualization
• Recovery time objective and recovery point objective

Objective 2.2 Summarize the security implications of integrating systems and data with third parties.
" On-boarding/off-boarding business partners
" Social media networks and/or applications
" Interoperability agreements
o SLA
o BPA
o MOU
o ISA
" Privacy considerations
" Risk awareness
" Unauthorized data sharing
" Data ownership
" Data backups
" Follow security policy and procedures
" Review agreement requirements to verify compliance and performance
standards

Objective 2.3 Given a scenario, implement appropriate risk mitigation strategies.


" Change management
" Incident management

" User rights and permissions reviews
" Perform routine audits
" Enforce policies and procedures to prevent data loss or theft
" Enforce technology controls
o Data Loss Prevention (DLP)

Objective 2.4 Given a scenario, implement basic forensic procedures.


" Order of volatility
" Capture system image
" Network traffic and logs
" Capture video
" Record time offset
" Take hashes
" Screenshots
" Witnesses
" Track man hours and expense
" Chain of custody
" Big Data analysis

Objective 2.5 Summarize common incident response procedures.


" Preparation
" Incident identification
" Escalation and notification
" Mitigation steps
" Lessons learned
" Reporting
" Recovery/reconstitution procedures
" First responder
" Incident isolation
o Quarantine
o Device removal
" Data breach
" Damage and loss control

Objective 2.6 Explain the importance of security related awareness and training.
" Security policy training and procedures
" Role-based training
" Personally identifiable information
" Information classification
o High
o Medium
o Low
o Confidential
o Private
o Public
" Data labeling, handling and disposal
" Compliance with laws, best practices and standards
" User habits

o Password behaviors
o Data handling
o Clean desk policies
o Prevent tailgating
o Personally owned devices
• New threats and new security trends/alerts
o New viruses
o Phishing attacks
o Zero-day exploits
• Use of social networking and P2P
• Follow up and gather training metrics to validate compliance and security
posture

Objective 2.7 Compare and contrast physical security and environmental controls.
" Environmental controls
o HVAC
o Fire suppression
o EMI shielding
o Hot and cold aisles
o Environmental monitoring
o Temperature and humidity controls
" Physical security
o Hardware locks
o Mantraps
o Video Surveillance
o Fencing
o Proximity readers
o Access list
o Proper lighting
o Signs
o Guards
o Barricades
o Biometrics
o Protected distribution (cabling)
o Alarms
o Motion detection
" Control types
o Deterrent
o Preventive
o Detective
o Compensating
o Technical
o Administrative

Objective 2.8 Summarize risk management best practices.


" Business continuity concepts
o Business impact analysis
o Identification of critical systems and components

o Removing single points of failure
o Business continuity planning and testing
o Risk assessment
o Continuity of operations
o Disaster recovery
o IT contingency planning
o Succession planning
o High availability
o Redundancy
o Tabletop exercises
• Fault tolerance
o Hardware
o RAID
o Clustering
o Load balancing
o Servers
• Disaster recovery concepts
o Backup plans/policies
o Backup execution/frequency
o Cold site
o Hot site
o Warm site

Objective 2.9 Given a scenario, select the appropriate control to meet the goals of security.
" Confidentiality
o Encryption
o Access controls
o Steganography
" Integrity
o Hashing
o Digital signatures
o Certificates
o Non-repudiation
" Availability
o Redundancy
o Fault tolerance
o Patching
" Safety
o Fencing
o Lighting
o Locks
o CCTV
o Escape plans
o Drills
o Escape routes
o Testing controls

Standard 3.0 Threats and Vulnerabilities

Objective 3.1 Explain types of malware.
" Adware
" Virus
" Spyware
" Trojan
" Rootkits
" Backdoors
" Logic bomb
" Botnets
" Ransomware
" Polymorphic malware
" Armored virus

Objective 3.2 Summarize various types of attacks.


" Man-in-the-middle
" DDoS
" DoS
" Replay
" Smurf attack
" Spoofing
" Spam
" Phishing
" Spim
" Vishing
" Spear phishing
" Xmas attack
" Pharming
" Privilege escalation
" Malicious insider threat
" DNS poisoning and ARP poisoning
" Transitive access
" Client-side attacks
" Password attacks
o Brute force
o Dictionary attacks
o Hybrid
o Birthday attacks
o Rainbow tables
" Typo squatting/URL hijacking
" Watering hole attack

Objective 3.3 Summarize social engineering attacks and the associated effectiveness with each attack.
" Shoulder surfing
" Dumpster diving
" Tailgating
" Impersonation
" Hoaxes
" Whaling

" Vishing
" Principles (reasons for effectiveness)
o Authority
o Intimidation
o Consensus/Social proof
o Scarcity
o Urgency
o Familiarity/liking
o Trust

Objective 3.4 Explain types of wireless attacks.


" Rogue access points
" Jamming/Interference
" Evil twin
" War driving
" Bluejacking
" Bluesnarfing
" War chalking
" IV attack
" Packet sniffing
" Near field communication
" Replay attacks
" WEP/WPA attacks
" WPS attacks

Objective 3.5 Explain types of application attacks.


" Cross-site scripting
" SQL injection
" LDAP injection
" XML injection
" Directory traversal/command injection
" Buffer overflow
" Integer overflow
" Zero-day
" Cookies and attachments
" LSO (Locally Shared Objects)
" Flash Cookies
" Malicious add-ons
" Session hijacking
" Header manipulation
" Arbitrary code execution / remote code execution

Objective 3.6 Analyze a scenario and select the appropriate type of mitigation and deterrent
techniques.
" Monitoring system logs
o Event logs
o Audit logs
o Security logs

o Access logs
• Hardening
o Disabling unnecessary services
o Protecting management interfaces and applications
o Password protection
o Disabling unnecessary accounts
• Network security
o MAC limiting and filtering
o 802.1X
o Disabling unused interfaces and unused application service ports
o Rogue machine detection
• Security posture
o Initial baseline configuration
o Continuous security monitoring
o Remediation
• Reporting
o Alarms
o Alerts
o Trends
• Detection controls vs. prevention controls
o IDS vs. IPS
o Camera vs. guard

Objective 3.7 Given a scenario, use appropriate tools and techniques to discover security threats and
vulnerabilities.
" Interpret results of security assessment tools
" Tools
o Protocol analyzer
o Vulnerability scanner
o Honeypots
o Honeynets
o Port scanner
o Passive vs. active tools
o Banner grabbing
" Risk calculations
o Threat vs. likelihood
" Assessment types
o Risk
o Threat
o Vulnerability
" Assessment technique
o Baseline reporting
o Code review
o Determine attack surface
o Review architecture
o Review designs

Objective 3.8 Explain the proper use of penetration testing versus vulnerability scanning.

" Penetration testing
o Verify a threat exists
o Bypass security controls
o Actively test security controls
o Exploiting vulnerabilities
" Vulnerability scanning
o Passively testing security controls
o Identify vulnerability
o Identify lack of security controls
o Identify common misconfigurations
o Intrusive vs. non-intrusive
o Credentialed vs. non-credentialed
o False positive
" Black box
" White box
" Gray box

Standard 4.0 Application, Data and Host Security


Objective 4.1 Explain the importance of application security controls and techniques.
" Fuzzing
" Secure coding concepts
o Error and exception handling
o Input validation
" Cross-site scripting prevention
" Cross-site Request Forgery (XSRF) prevention
" Application configuration baseline (proper settings)
" Application hardening
" Application patch management
" NoSQL databases vs. SQL databases
" Server-side vs. Client-side validation

Objective 4.2 Summarize mobile security concepts and technologies.


" Device security
o Full device encryption
o Remote wiping
o Lockout
o Screen-locks
o GPS
o Application control
o Storage segmentation
o Asset tracking
o Inventory control
o Mobile device management
o Device access control
o Removable storage
o Disabling unused features
" Application security
o Key management

o Credential management
o Authentication
o Geo-tagging
o Encryption
o Application whitelisting
o Transitive trust/authentication
• BYOD concerns
o Data ownership
o Support ownership
o Patch management
o Antivirus management
o Forensics
o Privacy
o On-boarding/off-boarding
o Adherence to corporate policies
o User acceptance
o Architecture/infrastructure considerations
o Legal concerns
o Acceptable use policy
o On-board camera/video

Objective 4.3 Given a scenario, select the appropriate solution to establish host security.
" Operating system security and settings
" OS hardening
" Anti-malware
o Antivirus
o Anti-spam
o Anti-spyware
o Pop-up blockers
" Patch management
" White listing vs. black listing applications
" Trusted OS
" Host-based firewalls
" Host-based intrusion detection
" Hardware security
o Cable locks
o Safe
o Locking cabinets
" Host software baselining
" Virtualization
o Snapshots
o Patch compatibility
o Host availability/elasticity
o Security control testing
o Sandboxing

Objective 4.4 Implement the appropriate controls to ensure data security.


" Cloud storage

" SAN
" Handling Big Data
" Data encryption
o Full disk
o Database
o Individual files
o Removable media
o Mobile devices
" Hardware based encryption devices
o TPM
o HSM
o USB encryption
o Hard drive
" Data in-transit, Data at-rest, Data in-use
" Permissions/ACL
" Data policies
o Wiping
o Disposing
o Retention
o Storage

Objective 4.5 Compare and contrast alternative methods to mitigate security risks in static
environments.
" Environments
o SCADA
o Embedded (Printer, Smart TV, HVAC control)
o Android
o iOS
o Mainframe
o Game consoles
o In-vehicle computing systems
" Methods
o Network segmentation
o Security layers
o Application firewalls
o Manual updates
o Firmware version control
o Wrappers
o Control redundancy and diversity

Standard 5.0 Access Control and Identity Management


Objective 5.1 Compare and contrast the function and purpose of authentication services.
" RADIUS
" TACACS+
" Kerberos
" LDAP
" XTACACS

" SAML
" Secure LDAP

Objective 5.2 Given a scenario, select the appropriate authentication, authorization or
access control.
" Identification vs. authentication vs. authorization
" Authorization
o Least privilege
o Separation of duties
o ACLs
o Mandatory access
o Discretionary access
o Rule-based access control
o Role-based access control
o Time of day restrictions
" Authentication
o Tokens
o Common access card
o Smart card
o Multifactor authentication
o TOTP
o HOTP
o CHAP
o PAP
o Single sign-on
o Access control
o Implicit deny
o Trusted OS
" Authentication factors
o Something you are
o Something you have
o Something you know
o Somewhere you are
o Something you do
" Identification
o Biometrics
o Personal identification verification card
o Username
" Federation
" Transitive trust/authentication

Objective 5.3 Install and configure security controls when performing account management, based on
best practices.
" Mitigate issues associated with users with multiple account/roles and/or
shared accounts
" Account policy enforcement
o Credential management
o Group policy

o Password complexity
o Expiration
o Recovery
o Disablement
o Lockout
o Password history
o Password reuse
o Password length
o Generic account prohibition
• Group based privileges
• User assigned privileges
• User access reviews
• Continuous monitoring

Standard 6.0 Cryptography


Objective 6.1 Given a scenario, utilize general cryptography concepts.
" Symmetric vs. asymmetric
" Session keys
" In-band vs. out-of-band key exchange
" Fundamental differences and encryption methods
o Block vs. stream
" Transport encryption
" Non-repudiation
" Hashing
" Key escrow
" Steganography
" Digital signatures
" Use of proven technologies
" Elliptic curve and quantum cryptography
" Ephemeral key
" Perfect forward secrecy

Objective 6.2 Given a scenario, use appropriate cryptographic methods.


" WEP vs. WPA/WPA2 and preshared key
" MD5
" SHA
" RIPEMD
" AES
" DES
" 3DES
" HMAC
" RSA
" Diffie-Hellman
" RC4
" One-time pads
" NTLM
" NTLMv2
" Blowfish

" PGP/GPG
" TwoFish
" DHE
" ECDHE
" CHAP
" PAP
" Comparative strengths and performance of algorithms
" Use of algorithms/protocols with transport encryption
o SSL
o TLS
o IPSec
o SSH
o HTTPS
" Cipher suites
o Strong vs. weak ciphers
" Key stretching
o PBKDF2
o Bcrypt
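Key stretching is the answer to the password attacks listed under Objective 3.2: a fast, unsalted hash such as MD5 lets an attacker test millions of candidates per second and reuse a precomputed rainbow table, while a salted, iterated construction such as PBKDF2 makes every guess cost as much as the legitimate verification and makes every stored hash unique. The following is an added example, not part of the course document, that stores and verifies a password with PBKDF2-HMAC-SHA256 beside the unsalted MD5 it replaces, using HMAC's constant-time comparison for the check and measuring how much slower one guess becomes. The iteration count is a constructed choice for illustration; take the figure from a current password-storage guideline when deploying.

```python
"""Password hashing with key stretching (PBKDF2-HMAC-SHA256) beside an unsalted
fast hash, for Objective 6.2 and the password attacks in Objective 3.2.

Added example; not part of the course document. The iteration count is a
constructed choice for illustration; take the figure from a current password
storage guideline when deploying.
"""
import base64
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000   # illustrative work factor; tune so a verification takes ~100 ms


def unsalted_md5(password: str) -> str:
    """The weak way: fast and unsalted, so identical passwords produce identical
    hashes and one precomputed (rainbow) table cracks them all at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2 with a random 16-byte salt. The stored string carries the algorithm,
    iteration count and salt so the verifier can recompute the same derivation."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False   # malformed record: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def guess_cost_ratio(password: str = "correct horse", samples: int = 2000) -> float:
    """How many times slower one PBKDF2 guess is than one MD5 guess, i.e. the
    factor by which stretching slows a dictionary or brute-force attack."""
    start = time.perf_counter()
    for _ in range(samples):
        unsalted_md5(password)
    md5_per_guess = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hash_password(password)
    pbkdf2_per_guess = time.perf_counter() - start
    return pbkdf2_per_guess / md5_per_guess
```

Hashing the same password twice with `hash_password` gives two different strings because of the salt, so a table built against one leaked database is useless against another, and the iteration count stored with each record lets it be raised later without invalidating existing entries. Bcrypt follows the same pattern with a different underlying primitive and a cost parameter in place of the iteration count.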

Objective 6.3 Given a scenario, use appropriate PKI, certificate management and associated
components.
" Certificate authorities and digital certificates
o CA
o CRLs
o OCSP
o CSR
" PKI
" Recovery agent
" Public key
" Private key
" Registration
" Key escrow
" Trust models
