This page lists many relevant documents you can use to supplement your studies if desired.
The National Institute of Standards and Technology (NIST) has created many Special Publications in the 800 series that are very useful for people studying for the Security+ SY0-501 exam, and for many other cybersecurity certifications. I mentioned many of these documents in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide, so I’m listing them here for easy access. You should be able to find them all here too.
Other links are related to other topics that I’ve discussed in the study guide. You can use them to dig into any of the topics a little deeper if desired.
Chapter 1
NIST SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”
SP 800-53 includes a wealth of information on security controls. It includes three relatively short chapters introducing security controls followed by multiple appendixes. Appendix F is a security control catalog that provides details on hundreds of individual security controls, divided into 21 different families.
This search should help you find it, even if it has moved.
Chapter 2
NIST SP 800-162, “Guide to Attribute Based Access Control (ABAC) Definition and Considerations”
SP 800-162 covers attribute-based access control (ABAC) topics. It starts with a working definition of ABAC and continues with detailed discussions of various uses of ABAC.
This search should help you find it, even if it has moved.
Chapter 3
NIST SP 800-81, “Secure Domain Name System (DNS) Deployment Guide”
SP 800-81 provides a solid overview of DNS, queries and zone transfers. It also covers some threats and methods to protect against those threats. Section 6 covers Domain Name System Security Extensions (DNSSEC).
This search should help you find it, even if it has moved.
RFC 1918, Address Allocation for Private Networks
https://tools.ietf.org/html/rfc1918
RFC 4193, Unique Local IPv6 Unicast Addresses
https://tools.ietf.org/html/rfc4193
List of Well-Known Ports Assigned by IANA
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
List of Protocol Numbers Assigned by IANA
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
or
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.txt
Chapter 4
4 Wi-Fi Tips from Former Apple Wi-Fi Engineer
Chapter 6
Avoiding Social Engineering and Phishing Attacks
Security Tip (ST04-014) published by US-CERT defines social engineering and phishing and includes several simple steps anyone can use to avoid these types of attacks. This information can also be reformatted and used for training within your organization.
GRIZZLY STEPPE – Russian Malicious Cyber Activity
Joint Analysis Report (JAR-16-20296A) outlines the findings by the Department of Homeland Security and the Federal Bureau of Investigation. Other relevant documents are:
- Initial joint statement stating “The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.”
- Enhanced Analysis of GRIZZLY STEPPE Activity. This 119-page document goes into great detail on the findings of the DHS and FBI and includes appendixes on APT 28 and APT 29.
Chapter 7
Pointer Basics
This page within the Stanford CS Education Library describes the use of pointers and pointer dereferencing. It also includes a link to the Pointer Fun with Binky video that explains pointers and memory.
Cross Site Scripting (XSS) Prevention
OWASP has created the XSS (Cross Site Scripting) Prevention Cheat Sheet, which provides detailed guidance on how to prevent XSS attacks.
Cross-Site Request Forgery (CSRF) Prevention
OWASP has created the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, which provides detailed guidance on how to prevent CSRF attacks.
Chapter 8
There is a lot more depth to SYN flood attacks and methods used to mitigate them. Additionally, attacks and mitigation techniques continue to evolve. If you’re interested in digging deeper, check out RFC 4987, “TCP SYN Flooding Attacks and Common Mitigations,” at http://tools.ietf.org/html/rfc4987.
Chapter 9
NIST SP 800-84 “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities”
This document provides in-depth information on performing exercises for both business continuity and incident response.
This search should help you find it, even if it has moved.
Chapter 10
NIST SP 800-52 Revision 1, “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations”
SP 800-52 provides an overview of TLS, along with minimum requirements for TLS servers and TLS clients, and it is a deep dive into TLS. One of the valuable components is a listing of government-approved suites in Appendix C.
This search should help you find it, even if it has moved.
Cipher Suite Terminology
If you want to dig deeper into cipher suite terminology, this page should help. It also includes a comprehensive listing of cipher suites.
AES Encryption Page
You can use this page to encrypt plaintext and see the resulting ciphertext. Try typing in “I will pass the Security+ exam”, enter a key of 123, and click Encrypt to view the ciphertext.
Hash Generator Page
You can use this page to create SHA hashes from passwords. You can type in various words or phrases and select the hash type. Try typing in “I will pass the Security+ exam”, select SHA-1 and click hash.
It should look like this:
765591c4611be5e03bea41882ffdaa159352cf49
Select SHA512 and click hash with the same phrase. It should look like this:
606f6c96a4b5b8b50ffb4cda069057ea7349e5cf8eab8497b1541adbdcedce2827a37551488554b73381e4890fb70e4d66e09e81dfab59d19ab17866a93c0214
Certificate Structures
RFC 7468 “Textual Encodings of PKIX, PKCS, and CMS Structures” covers many of the different types of certificate formats including PKCS #7, PKCS #10, and BER encoding standards.
Chapter 11
NIST SP 800-61 Revision 2, “Computer Security Incident Handling Guide”
SP 800-61 R2 provides comprehensive guidance on how to respond to incidents. It is 79 pages, so it is much more in-depth than the coverage in chapter 11, but if you want to dig deeper into any of these topics, it’s an excellent resource.
This search should help you find it, even if it has moved.
NIST SP 800-84 “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities”
This document provides in-depth information on performing exercises for both business continuity and incident response.
This search should help you find it, even if it has moved.
NIST SP 800-47, “Security Guide for Interconnecting Information Technology Systems”
This document includes information on interconnecting IT systems and using an Interconnection Security Agreement (ISA), and a Memorandum of Understanding (MOU) or a Memorandum of Agreement (MOA). An ISA is often used to support a MOU or a MOA between organizations.