This thread contains errata concerning incorrect or incomplete information in the Security+ SY0-401 Cert Guide 3rd Edition, 1st printing, and the CompTIA SY0-401 objectives. If you have any questions, please Contact Me.
Security+ Cert Guide 3rd edition, 1st printing
(Errors are in red. Modifications are in blue. Additions are not color-coded. Page numbers refer to the print book. for e-books, refer to the Chapter and Section.)
Note about the disc and test engine: In 2016 Pearson released practice tests on the Internet. You can access them by going to Pearson Test Prep. Just activate the practice exams using the code that came with your book. (Mac users rejoice! It is platform-independent because it is browser-based.)
If you are trying to install from a disc: the latest version of the practice test engine is available from this link.
Contact Pearson at this link to obtain further assistance.
Error: Ch 5, Page 207, third paragraph: There is a mistake in the third sentence. It refers to port 21. That should be port 20, which is the default data port. This concept is explained correctly on page 233.
Addition: Ch 6, Table 6-2: I did not include the Diameter protocol's port number - which is 3868. It's doubtful you will be asked this on the Security+ exam, but you never know. So, Diameter, a protocol that evolved from RADIUS, is an AAA protocol that uses TCP or SCTP as the transport mechanism (not UDP), and uses port 3868.
Addition: Ch 12, Page 486: This section fails to mention the path and log file for Windows Server 2008 and higher which is the following:
Error: Ch 12, Page 504, last line under the Case Study 12-2 Solution: This shoud say S=184.108.40.206:23, not :53.
Error: Ch 13, Page 518, Blowfish and Twofish, 3rd sentence: There is a typo. The variable key size should say 32 to 448 bits, not 1 to 448 bits.
Modification: Ch 13, Page 540, Question 26: This question can be omitted as it is a duplicate of question 4.
Modification: Ch 14, Page 569, Question 15 Explanation: The explanation doesn't state the correct answer, which is "Session layer".
Addition: Ch 16, Page 634: One acronym I didn't address is ISA. An ISA is an interconnection security agreement. It is an agreement that is established between two (or more) organizations that own and operate connected IT systems and data sets. Its purpose is to specifically document the technical and security requirements of the interconnection between the organizations. This is the type of agreement you need in this scenario because the data is sensitive and the CIO requires that there is a clear understanding of security controls to be implemented and agreed upon. As far as governing the security of data and systems, it is a more precise agreement than an SLA.
It differs from the SLA, BPA, and MoU in the following ways:
An SLA (service level agreement) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. It can be a very basic agreement, or it could also state the technical and performance parameters, but it will probably not include any specific security controls. A BPA (blanket purchase agreement) is a contract that allows an organization or government agency to order and pay for supplies and services that are purchased several times per year. An MoU (memorandum of understanding) is not an agreement at all, but an understanding between two organizations or government agencies. It does not specify any security controls either.
* BPA can also stand for business partner agreement. A business partner agreement is a type of contract that can establish the profits each partner will get, what responsibilities each partner will have, and exit strategies for partners. It does not have any inherent security planning in the way an ISA does.
Modification: Practice Exam 1, Page 679, Question 33: This question has been reworded.
Which of the following can allow the owner to restrict access to resources according to the identity of the user?
Error: Practice Exam 1, Page 709, Explanation for Question 54: The second sentence has a typo. It should say: "A system such as PKI creates an asymmetric key pair..." The rest of the explanation is correct, and the answer to the question is correct.
Clarification: Glossary, Page 731: The definitions for false positive and false negative have led to some confusion. They are correct, however, the concepts of IDS/IPS and authentication perhaps should not have been combined. The following clarifies how false positives and false negatives function within IDS/IPS, and within authentication:
User Authentication System:
I understand that there are arguments based on Type I and Type II errors, but for authentication, these are commonly used definitions (see citings below). However, it is better to use the terms false acceptance and false rejection for authentication systems (such as biometric systems) as shown below. This eliminates most confusion on the topic.
• False acceptance - illegitimate user Bob (User A) uses his
fingerprint to successfully gain access to Alice's (User B) tablet computer.
When thinking about false positives and false negatives, try to categorize them and think of them in terms of either IDS/IPS or authentication.
Error: Disc - Simulation 7-1: The four computers at the bottom left of the simulation (HR, Accounting, etc...) have the same IP address but with different subnet masks; for example /23, /24, and so on. This is incorrect and it would cause a failure on the network due to IP conflicts. However, the simulation still functions properly as is, and you can match the current IPs to the options in the list.
In future printings of the book the IP addresses will be changed the following:
Other Department: 10.18.255.13
For simplicity, references to CIDR (/23, /24, and so on) will be removed.
General terminology additions:
To be added to Chapter 2:
Chapter 5: Network Access Control section: Security posture remediation in network access control systems such as 802.1X include: checks of message text, URL links, and file distribution, as well as AV updates, OS updates, and verifying the proper sequence for launching programs. It also includes reporting on trends that are found when using performance analysis tools and packet capture programs which we will discuss in later chapters.
Chapter 9: Physical Security section: Some additional physical security methods include: fencing, as a barrier at the edge of an organization's property; barricades and bollards, to block access to work areas and act as perimeter guarding devices in parking areas; and actual written access lists, which security guards will use to visually find out on paper who is allowed to enter a building. Fencing and barricades also act as safety precautions to protect employees.
Chapter 11: Risk deterrence involves implementing systems and policies that mitigate risk.
When it comes to determining risk, both qualitative and quantitative risk assessments can be used to identify threats versus the likelihood of those threats.
Penetration Testing is a method of evaluating the security of a system by simulating one or more attacks on that system and by attempting to bypass security controls that are put into place.
Chapter 13: From the Diffie-Hellman section: "When used in this manner, it works in ephemeral mode, meaning that keys are generated during each portion of the key establishment process, and are used for shorter periods of time than with static keys." (You will sometimes see this referred to as an ephemeral key.)
Chapter 14: A PKI is used to govern the use of a cipher suite, which is a group of encryption, authentication, and hashing protocols used together; for example as part of a TLS connection made when connecting to a website.
Chapter 16: Lessons learned is the documented reasons for failures, errors and user issues that have been realized by an organization.
CompTIA objectives errata. This is from version 6, also known as v.6
The DES acronym is spelled out incorrectly. It should be Data Encryption Standard.
The SCADA acronym is spelled out incorrectly. It should be supervisory control and data acquisition.
|About Dave||Testimonials||FAQ||Site Map||Contact|
Copyright © David L. Prowse – Official Website - All Rights Reserved