Security+: implementing secure protocols [updated 2021]
CompTIA updates the Security+ exam syllabus every three years. A sequence of letters and numbers denotes each exam version; for example, SY0-501 and SY0-601 are the current versions. Each update brings several changes and sometimes retires the previous exam. The current exam — SY0-501 — was introduced on Oct. 4, 2017, and will expire in the spring of 2021. After that, you’ll have to sit for the Security+ SY0-601 exam. With that in mind, this article highlights the changes associated with the implementation of secure protocols: how the new exam covers them and how that differs from the soon-to-be-outdated exam.
Exam changes overview
SY0-601’s content focuses on cybersecurity threats, risk management techniques and hands-on skills using tools and technologies. As such, the domains have been reordered and renamed to reflect the newer technologies as determined in the Security+ SY0-601 JTA (Job Task Analysis).
Under SY0-501, the implementation of secure protocols was found under the Technologies and Tools domain, which covered 22% of the exam; it is now found within the Implementation domain, which covers 25% of the exam. CompTIA has also structured the most recent changes to the exam so that candidates must be able to apply the concepts they learn to real-life scenarios.
Exam change comparison
The SY0-501 exam emphasizes, within the Technologies and Tools domain, the protocols whose insecure use poses the greatest security threat. Here’s a detailed overview of each:
Network Time Protocol (NTP) — Candidates need to demonstrate how NTP can be abused to conduct denial of service attacks inside the network, turning a service intended to synchronize time across hosts against them. Attempts have been made to improve this protocol’s security, such as the release of NTPsec, which comes with a reduced code base and multiple vulnerabilities patched.
Secure Real-Time Transport Protocol (SRTP) — Here, candidates must demonstrate the ability to implement the encrypted VoIP protocol over the network for voice and video. They also need to understand the protocol’s replay protection and its authentication and integrity mechanism, which uses the keyed hash function HMAC-SHA1.
Secure/Multipurpose Internet Mail Extensions (S/MIME) — This topic tests candidates on how public and private keys can be used to secure email communication. The email content is digitally signed and encrypted, and candidates need to understand this process.
Secure POP and Secure IMAP — The exam also tests the candidate’s ability to secure email retrieval across the network. They must demonstrate how POP3 and IMAP can be wrapped in SSL encryption.
File Transfer Protocol Secure (FTPS) — This involves how an administrator can layer SSL onto FTP to allow for encrypted communication. This is important because transferring files in the clear is generally discouraged.
SSH File Transfer Protocol (SFTP) — SFTP is different from FTPS and enables the resumption of file transfers that were previously interrupted, and it’s done over SSH entirely. Here, candidates need to show a good understanding of the various aspects of the protocol.
Lightweight Directory Access Protocol (LDAP) — Candidates have to secure directories of hosts and network devices across large enterprise networks. This protocol follows the X.500 specification, which facilitates communication between various operating systems. Other topics discussed in detail include the techniques that make LDAP secure: implementing LDAP Secure (LDAPS), using Simple Authentication and Security Layer (SASL) or adding an SSL layer.
Domain Name System Security Extensions (DNSSEC) — Candidates must know how to use public-key cryptography to validate the responses from DNS servers. This is necessary because the DNS protocol itself wasn’t designed with security in mind.
SSH, SNMPv3 and HTTPS — These common protocols are analyzed, and candidates are given scenarios in which they must select the most appropriate one. For example, SNMPv3 (the encrypted version of SNMP) significantly enhances security compared to the first and second versions of SNMP; candidates are evaluated on the authentication, integrity and confidentiality features of SNMPv3. Likewise, SSH offers a secure terminal for communication with switches and routers. Finally, some firewalls and switches, along with other devices managed through a web browser, require candidates to know the importance of communicating over HTTPS.
DHCP — Candidates need to show an understanding of DHCP and the security challenges it presents to an enterprise. The protocol wasn’t developed with security in mind, and to date no secure version has been introduced. Therefore, candidates should know how to configure DHCP servers for proper authorization inside Active Directory. Some switches allow “trusted” interfaces to be configured so that only those interfaces are permitted to distribute DHCP responses. Cybercriminals may conduct DHCP snooping attacks inside networks with the aim of exhausting DHCP servers of Internet Protocol (IP) addresses, and candidates must know how to properly configure switches to address this problem.
SY0-501 also includes use cases in which particular scenarios and devices call for additional technologies. For instance, an enterprise environment may contain infrastructure that is updated automatically through subscriptions, such as IPS updates, firewall updates and malicious IP address databases, and anti-malware/anti-virus signature updates.
The newer SY0-601 exam includes a few additional protocols within the Implementation domain. Here, the focus is placed on cryptography, identity and access management, wireless, PKI and end-to-end security. IT professionals must be able to implement these security protocols and measures in cloud designs and in mobile and wireless solutions. Here are some of the additional protocols covered:
IPSec — Candidates are examined on their ability to create secure tunnels using IPSec and form an encrypted link between devices. An effective demonstration requires an in-depth understanding of this protocol, as any configuration mistake could open an attack vector into the enterprise.
Authentication Header/Encapsulating Security Payload (AH and ESP) — Candidates must be familiar with the keyed hash functions (MACs, or message authentication codes) that are used to authenticate IPSec packets. They should also know the use cases of AH, i.e., that it can form a security chain between multiple gateways and multiple hosts implementing AH. For Encapsulating Security Payload, the exam taker should demonstrate how an IT professional can use a symmetric key to ensure data confidentiality. In addition, they should be able to explain that ESP can also provide an anti-replay function, connectionless data integrity and limited traffic-flow confidentiality.
Tunnel/transport mode — Candidates must demonstrate how the two distinct modes of IPSec operation differ in how policy is applied. For example, in transport mode, the IP addresses present in the outer header determine which IPSec policy will be applied to the packet. In contrast, two IP headers are sent in tunnel mode, and the inner packet determines the choice of IPSec policy that will secure its contents. Exam takers should be aware of these differences.
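The SRTP authentication tag and the anti-replay window that both SRTP and ESP rely on, as an added example that is not part of the original article or any CompTIA material. The authentication key, SSRC, payloads and the fixed rollover counter are constructed values, and the RTP payload is left unencrypted so that only the authentication and replay checks are shown.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10  # SRTP default auth tag: HMAC-SHA1 truncated to 80 bits (RFC 3711)


def srtp_auth_tag(auth_key: bytes, rtp_packet: bytes, roc: int) -> bytes:
    """HMAC-SHA1 over RTP header+payload followed by the 32-bit rollover counter (ROC)."""
    return hmac.new(auth_key, rtp_packet + struct.pack("!I", roc), hashlib.sha1).digest()[:TAG_LEN]


def build_packet(auth_key: bytes, seq: int, payload: bytes, roc: int = 0) -> bytes:
    """Constructed RTP packet (V=2, PT=96, seq, timestamp, sample SSRC) + payload + tag; payload left unencrypted."""
    body = struct.pack("!BBHII", 0x80, 96, seq, 1000 + seq * 160, 0x1234ABCD) + payload
    return body + srtp_auth_tag(auth_key, body, roc)


class ReplayWindow:
    """Sliding anti-replay window as used by ESP and SRTP receivers: bit i of the bitmap
    records whether index (highest - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, None, 0

    def check_and_update(self, index: int) -> bool:
        if self.highest is None:                 # first packet of the session
            self.highest, self.bitmap = index, 1
            return True
        if index > self.highest:                 # newer than anything seen: slide the window
            shift = index - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = index
            return True
        behind = self.highest - index
        if behind >= self.size or self.bitmap & (1 << behind):
            return False                         # too old to judge, or an exact replay
        self.bitmap |= 1 << behind               # late but genuinely new: record it
        return True


class SrtpReceiver:
    def __init__(self, auth_key: bytes, roc: int = 0):
        self.auth_key, self.roc, self.window = auth_key, roc, ReplayWindow()

    def accept(self, packet: bytes) -> str:
        """'ok', 'bad-tag' (forged or corrupted) or 'replay' (valid tag but index already seen)."""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, srtp_auth_tag(self.auth_key, body, self.roc)):
            return "bad-tag"                     # replay list is only updated for authenticated packets
        seq = struct.unpack("!H", body[2:4])[0]  # ROC held constant: no 16-bit sequence wraparound here
        return "ok" if self.window.check_and_update(seq) else "replay"
```

A packet with a bad tag never advances the window, so a forged packet cannot push genuine late packets out of it; a packet older than the window is rejected even if its tag verifies, which is the trade-off both protocols accept for bounded receiver state.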
SY0-601 also contains many of the protocols present in SY0-501, including:
- Domain Name System Security Extensions (DNSSEC)
- Secure Real-Time Transport Protocol (SRTP)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- File Transfer Protocol Secure (FTPS)
- Simple Network Management Protocol version 3 (SNMPv3)
- Lightweight Directory Access Protocol over SSL (LDAPS)
- SSH File Transfer Protocol (SFTP)
- Hypertext Transfer Protocol over SSL/TLS (HTTPS)
- Post Office Protocol/Internet Message Access Protocol (Secure POP and Secure IMAP)
As is evident, the latest Security+ exam revises the Technologies and Tools domain, renames it Implementation and gives it 3% more of the exam content. The SY0-601 exam highlights the protocols that are most applicable in today’s complex security environment.