ASM Educational Center, Inc.
11200 Rockville Pike, Suite 220 - Rockville, MD 20852
Phone: (301) 984-7400 - E-mail: info@asmed.com - Website: www.asmed.com

Course Outline
CompTIA Security+ Certification
Boot Camp Training

Note for regular training students: please disregard the day-based schedule.


Day 1

Domain 1: Systems Security

  • Overview of Systems Security Threats
    • Privilege escalation
    • Virus
    • Worm
    • Trojan
    • Spyware
    • Spam
    • Adware
    • Rootkits
    • Botnets
    • Logic bomb
  • Security risks pertaining to system hardware and peripherals
    • BIOS
    • USB devices
    • Cell phones
    • Removable storage
    • Network attached storage
  • Implementing OS hardening practices and procedures to achieve workstation and server security
    • Hotfixes
    • Service packs
    • Patches
    • Patch management
    • Group policies
    • Security templates
    • Configuration baselines
  • Procedures to establish Application Security
    • ActiveX
    • Java
    • Scripting
    • Browser
    • Buffer overflows
    • Cookies
    • SMTP open relays
    • Instant messaging
    • P2P
    • Input validation
    • Cross-site scripting (XSS)
  • Implementing security applications
    • HIDS
    • Personal software firewalls
    • Antivirus
    • Anti-spam
    • Popup blockers
  • Virtualization Technology: purpose and application

Domain 2: Network Infrastructure

  • Ports & Protocols: Threats and Mitigation Techniques
    • Antiquated protocols
    • TCP/IP hijacking
    • Null sessions
    • Spoofing
    • Man-in-the-middle
    • Replay
    • DoS
    • DDoS
    • Domain Name Kiting
    • DNS poisoning
    • ARP poisoning
  • Network design elements and components
    • DMZ
    • VLAN
    • NAT
    • Network interconnections
    • NAC
    • Subnetting
    • Telephony
  • Network Security Tools
    • NIDS
    • NIPS
    • Firewalls
    • Proxy servers
    • Honeypot
    • Internet content filters
    • Protocol analyzers
  • Using Network Security Tools
    • NIDS
    • Firewalls
    • Proxy servers
    • Internet content filters
    • Protocol analyzers
  • Vulnerabilities and Mitigations of Network Devices
    • Privilege escalation
    • Weak passwords
    • Back doors
    • Default accounts
    • DoS
  • Vulnerabilities and Mitigations of Transmission Media
    • Vampire taps
  • Vulnerabilities and Mitigations of Wireless Networking
    • Data emanation
    • War driving
    • SSID broadcast
    • Bluejacking
    • Bluesnarfing
    • Rogue access points
    • Weak encryption


Day 2

Domain 3: Access Control

  • Industry Best Practices for access control methods
    • Implicit deny
    • Least privilege
    • Separation of duties
    • Job rotation
  • Common Access Control Models
    • MAC
    • DAC
    • Role & Rule based access control
  • Organizing Users and Computers: Security Groups, Rights & Privileges.
  • Security controls to file and print resources
  • Logical Access Control Methods: Defining and Implementing
    • ACL
    • Group policies
    • Password policy
    • Domain password policy
    • User names and passwords
    • Time of day restrictions
    • Account expiration
    • Logical tokens
  • Authentication models and components
    • One, two and three-factor authentication
    • Single sign-on
  • Deploying Authentication Models and components
    • Biometric reader
    • RADIUS
    • RAS
    • LDAP
    • Remote access policies
    • Remote authentication
    • VPN
    • Kerberos
    • CHAP
    • PAP
    • Mutual
    • 802.1x
    • TACACS
  • Difference between Identification and Authentication (Identity Proofing)
  • Physical Access Security Methods
    • Physical access logs/lists
    • Hardware locks
    • Physical access control – ID badges
    • Door access systems
    • Man-trap
    • Physical tokens
    • Video surveillance – camera types and positioning

Domain 4: Assessments & Audits

  • Conducting Risk Assessments and Implementing Risk Mitigation
  • Vulnerability Assessments through common tools
    • Port scanners
    • Vulnerability scanners
    • Protocol analyzers
    • OVAL
    • Password crackers
    • Network mappers
  • Penetration Testing versus Vulnerability Scanning
  • Using Monitoring Tools to detect security-related anomalies
    • Performance monitor
    • Systems monitor
    • Performance baseline
    • Protocol analyzers
  • Monitoring Methodologies
    • Behavior-based
    • Signature-based
    • Anomaly-based
  • Logging procedures and results evaluation
    • Security application
    • DNS
    • System
    • Performance
    • Access
    • Firewall
    • Antivirus
  • Periodic Audits of system security settings
    • User access and rights review
    • Storage and retention policies
    • Group policies


Day 3

Domain 5: Cryptography

  • Cryptography Concepts
    • Key management
    • Steganography
    • Symmetric key
    • Asymmetric key
    • Confidentiality
    • Integrity and availability
    • Non-repudiation
    • Comparative strength of algorithms
    • Digital signatures
    • Whole disk encryption
    • Trusted Platform Module (TPM)
    • Single vs. Dual sided certificates
    • Use of proven technologies
  • Hashing Concepts and Algorithms
    • SHA
    • MD5
    • LANMAN
    • NTLM
  • Encryption Concepts and Algorithms
    • DES
    • 3DES
    • RSA
    • PGP
    • Elliptic curve
    • AES
    • AES256
    • One time pad
    • Transmission encryption (WEP, TKIP, etc.)
  • Protocols: Definition and Implementation
    • SSL/TLS
    • S/MIME
    • PPTP
    • HTTP vs. HTTPS vs. SHTTP
    • L2TP
    • IPsec
    • SSH
  • Public Key Cryptography
    • Public Key Infrastructure (PKI)
    • Recovery agent
    • Public key
    • Private keys
    • Certificate Authority (CA)
    • Registration
    • Key escrow
    • Certificate Revocation List (CRL)
    • Trust models
  • Implementing PKI and Certificate Management
    • Public Key Infrastructure (PKI)
    • Recovery agent
    • Public key
    • Private keys
    • Certificate Authority (CA)
    • Registration
    • Key escrow
    • Certificate Revocation List (CRL)

Domain 6: Organizational Security

  • Redundancy Planning and its components
    • Hot site
    • Cold site
    • Warm site
    • Backup generator
    • Single point of failure
    • RAID
    • Spare parts
    • Redundant servers
    • Redundant ISP
    • UPS
    • Redundant connections
  • Implementing Disaster Recovery Procedures
    • Planning
    • Disaster recovery exercises
    • Backup techniques and practices – storage
    • Schemes
    • Restoration
  • Incident Response Procedures: Types and Implementation
    • Forensics
    • Chain of custody
    • First responders
    • Damage and loss control
    • Reporting – disclosure of
  • Applicable legislation and organizational policies
    • Secure disposal of computers
    • Acceptable use policies
    • Password complexity
    • Change management
    • Classification of information
    • Mandatory vacations
    • Personally Identifiable Information (PII)
    • Due care
    • Due diligence
    • Due process
    • SLA
    • Security-related HR policy
    • User education and awareness training
  • Environmental Controls
    • Fire suppression
    • HVAC
    • Shielding
  • Social Engineering: Concept of and how to reduce the risks
    • Phishing
    • Hoaxes
    • Shoulder surfing
    • Dumpster diving
    • User education and awareness training

Day 4

Review of topics, practice test, Q and A session, testing day

Note: The student is not obligated to take the exam at the end of training. He/she can take the exam whenever he/she feels comfortable doing so, after the training period.


URL: www.asmed.com/programs/outlines/security+_outline.htm