Security Fundamentals
Levels: Grades 10-12
Units of Credit: 0.5
CIP Code: 11.0450
Core Code: 35-01-00-00-036
Skill Tests: Industry Test 98-367 – MTA Security Fundamentals
Industry Test SYO - 401 CompTIA Security+
Course Description
This exam is designed to assess candidates’ knowledge of fundamental security concepts. MTA is a new
certification under the Microsoft Certification Program that validates the foundational knowledge
needed to begin building a career in Microsoft technologies. It can also serve as a stepping stone to the
Microsoft Certified Solutions Associate exams. Successful candidates for this exam will earn an MTA
certification as well as access to benefits of the Microsoft Certification Program. The primary target
audience for the MTA certification is students attending high schools and two-year colleges. Candidates
for this exam are seeking to prove fundamental security knowledge and skills. Before taking this exam,
candidates should have a solid foundational knowledge of the topics outlined in this document. It is
recommended that candidates become familiar with the concepts and the technologies described in this
document. Candidates are expected to have hands-on experience with Windows Server,
Windows-based networking, Active Directory, Anti-Malware products, firewalls, network topologies and devices,
and network ports.
This will also serve as an introduction to the CompTIA Security+ exam whose objectives are included.
Optional: The CompTIA Security+ exam will certify that the successful candidate has the knowledge and
skills required to identify risk, to participate in risk mitigation activities, and to provide infrastructure,
application, information, and operational security. In addition, the successful candidate will apply
security controls to maintain confidentiality, integrity, and availability, identify appropriate technologies
and products, troubleshoot security events and incidents, and operate with an awareness of applicable
policies, laws, and regulations.
The table below lists the domain areas measured by this examination and the approximate extent
to which they are represented in the examination:
Domain                                          % of Examination
1.0 Network Security                            20%
2.0 Compliance and Operational Security         18%
3.0 Threats and Vulnerabilities                 20%
4.0 Application, Data and Host Security         15%
5.0 Access Control and Identity Management      15%
6.0 Cryptography                                12%
Total                                           100%
Objective 1.5 Given a scenario, troubleshoot security issues related to wireless networking.
• WPA
• WPA2
• WEP
• EAP
• PEAP
• LEAP
• MAC filter
• Disable SSID broadcast
• TKIP
• CCMP
• Antenna Placement
• Power level controls
• Captive portals
• Antenna types
• Site surveys
• VPN (over open wireless)
Objective 2.2 Summarize the security implications of integrating systems and data with third parties.
• On-boarding/off-boarding business partners
• Social media networks and/or applications
• Interoperability agreements
  o SLA
  o BPA
  o MOU
  o ISA
• Privacy considerations
• Risk awareness
• Unauthorized data sharing
• Data ownership
• Data backups
• Follow security policy and procedures
• Review agreement requirements to verify compliance and performance standards
Objective 2.6 Explain the importance of security related awareness and training.
• Security policy training and procedures
• Role-based training
• Personally identifiable information
• Information classification
  o High
  o Medium
  o Low
  o Confidential
  o Private
  o Public
• Data labeling, handling and disposal
• Compliance with laws, best practices and standards
• User habits
Objective 2.7 Compare and contrast physical security and environmental controls.
• Environmental controls
  o HVAC
  o Fire suppression
  o EMI shielding
  o Hot and cold aisles
  o Environmental monitoring
  o Temperature and humidity controls
• Physical security
  o Hardware locks
  o Mantraps
  o Video Surveillance
  o Fencing
  o Proximity readers
  o Access list
  o Proper lighting
  o Signs
  o Guards
  o Barricades
  o Biometrics
  o Protected distribution (cabling)
  o Alarms
  o Motion detection
• Control types
  o Deterrent
  o Preventive
  o Detective
  o Compensating
  o Technical
  o Administrative
Objective 2.9 Given a scenario, select the appropriate control to meet the goals of security.
• Confidentiality
  o Encryption
  o Access controls
  o Steganography
• Integrity
  o Hashing
  o Digital signatures
  o Certificates
  o Non-repudiation
• Availability
  o Redundancy
  o Fault tolerance
  o Patching
• Safety
  o Fencing
  o Lighting
  o Locks
  o CCTV
  o Escape plans
  o Drills
  o Escape routes
  o Testing controls
Objective 3.3 Summarize social engineering attacks and the associated effectiveness with each attack.
• Shoulder surfing
• Dumpster diving
• Tailgating
• Impersonation
• Hoaxes
• Whaling
Objective 3.6 Analyze a scenario and select the appropriate type of mitigation and deterrent techniques.
• Monitoring system logs
  o Event logs
  o Audit logs
  o Security logs
Objective 3.7 Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities.
• Interpret results of security assessment tools
• Tools
  o Protocol analyzer
  o Vulnerability scanner
  o Honeypots
  o Honeynets
  o Port scanner
  o Passive vs. active tools
  o Banner grabbing
• Risk calculations
  o Threat vs. likelihood
• Assessment types
  o Risk
  o Threat
  o Vulnerability
• Assessment technique
  o Baseline reporting
  o Code review
  o Determine attack surface
  o Review architecture
  o Review designs
Objective 3.8 Explain the proper use of penetration testing versus vulnerability scanning.
Objective 4.3 Given a scenario, select the appropriate solution to establish host security.
• Operating system security and settings
• OS hardening
• Anti-malware
  o Antivirus
  o Anti-spam
  o Anti-spyware
  o Pop-up blockers
• Patch management
• White listing vs. black listing applications
• Trusted OS
• Host-based firewalls
• Host-based intrusion detection
• Hardware security
  o Cable locks
  o Safe
  o Locking cabinets
• Host software baselining
• Virtualization
  o Snapshots
  o Patch compatibility
  o Host availability/elasticity
  o Security control testing
  o Sandboxing
Objective 4.5 Compare and contrast alternative methods to mitigate security risks in static environments.
• Environments
  o SCADA
  o Embedded (Printer, Smart TV, HVAC control)
  o Android
  o iOS
  o Mainframe
  o Game consoles
  o In-vehicle computing systems
• Methods
  o Network segmentation
  o Security layers
  o Application firewalls
  o Manual updates
  o Firmware version control
  o Wrappers
  o Control redundancy and diversity
Objective 5.3 Install and configure security controls when performing account management, based on best practices.
• Mitigate issues associated with users with multiple account/roles and/or shared accounts
• Account policy enforcement
  o Credential management
  o Group policy
Objective 6.3 Given a scenario, use appropriate PKI, certificate management and associated components.
• Certificate authorities and digital certificates
  o CA
  o CRLs
  o OCSP
  o CSR
• PKI
• Recovery agent
• Public key
• Private key
• Registration
• Key escrow
• Trust models