Wednesday, December 28, 2011

Do You Use Wikipedia

Do you use Wikipedia? I do and I love it. So much so that I've donated to them to help them keep providing the service that I value so much. I really like the style of the articles and the way that authors police themselves to prevent problems. It's a great resource and awesome that it's free.

Jimmy Wales (Wikipedia Founder) sent me the following email and asked me to send it out to others. Here it is:

Dear Darril,

Here's how the Wikipedia fundraiser works: Every year we raise just the funds that we need, and then we stop.

Because you and so many other Wikipedia readers donated over the past weeks, we are very close to raising our goal for this year by December 31 -- but we're not quite there yet.

You've already done your part this year. Thank you so much. But you can help us again by forwarding this email to a friend who you know relies on Wikipedia and asking that person to help us reach our goal today by clicking here and making a donation.

If everyone reading this email forwarded it to just one friend, we think that would be enough to let us end the fundraiser today.

Of course, we wouldn't turn you down if you wanted to make a second donation or a monthly gift.

Google might have close to a million servers. Yahoo has something like 13,000 staff. We have 679 servers and 95 staff.

Wikipedia is the #5 site on the web and serves 470 million different people every month – with billions of page views.

Commerce is fine. Advertising is not evil. But it doesn't belong here. Not in Wikipedia. Wikipedia is something special. It is like a library or a public park. It is like a temple for the mind. It is a place we can all go to think, to learn, to share our knowledge with others.

When I founded Wikipedia, I could have made it into a for-profit company with advertising, but I decided to do something different. We’ve worked hard over the years to keep it lean and tight. We fulfill our mission, and leave waste to others.

Thanks again for your support this year. Please help spread the word by forwarding this email to someone you know.


Jimmy Wales

Wikipedia Founder

If you can afford to share some of your wealth, I encourage you to consider sharing some of it with the people at Wikipedia. We all benefit.

Tuesday, December 27, 2011

Security+ Practice Test Questions for Your Mobile Phone

Study Security+ From Your Mobile Device

CompTIA Security+ (SY0-301) practice test questions and flash cards are now available for your mobile devices. The content was written by Darril Gibson and includes:
  • Over 170 Flashcards
  • Over 275 Interactive Study questions with detailed explanations
  • Organized in seven practice tests based on Security+ objectives
This CompTIA Security+ SY0-301 mobile app includes relevant flashcards, interactive study questions and timed mock exams. Versions are available for your iPhone, iPad, Android phones, and Android tablets. Check it out here:
If you've been studying for this exam and want to test your readiness, this app is for you. This is the only app currently on the market for the SY0-301 exam where every question includes the explanation for the correct choice, and also explains why the other choices are incorrect. Use it to ensure you pass the exam the first time you take it.

If you're looking for a full study guide on the SY0-301 Security+ exam that will help you pass it the first time you take it, check out this book.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide
Sample Reviewer Comment
"I took the exam today and passed with an 874/900. This book gave me all I needed to pass and there wasn't anything that wasn't familiar."

Mobile App Features

Practice test questions and flashcards are organized in six topics, with a topic dedicated to each of the Security+ domains:

1) Network Security
2) Compliance and Operational Security
3) Threats and Vulnerabilities
4) Application, Data and Host Security
5) Access Control and Identity Management
6) Cryptography

Comments from reviewers on mobile app:

"The app does go through the most current CompTIA objectives. I recommend this app to all CompTIA Security+ candidates."
by ramzsmith
"The flash cards and practice test were very useful. This is a good investment for anyone looking to get certified. Thanks......"

Monday, December 26, 2011

Identification, Authentication, and Authorization

If you're studying for one of the security certifications like CISSP, SSCP, or Security+, it's important to understand the difference between identification, authentication, and authorization. These concepts are intertwined, but they have specific differences. When looking at these topics, especially for the SSCP and CISSP exams, it's also important to understand the difference between subjects and objects.
  • Subject. A subject is the active entity that accesses an object. For example, when a user accesses a file, the user is the subject. Other subjects include programs, processes, and any entity that can access a resource.
  • Object. An object is a passive entity that is being accessed by a subject. For example, when a user accesses a file, the file is the object. Other objects include databases, computers, printers, or any other resource that can be accessed by a subject.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.

Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions


Authentication is the process of proving an identity, and it occurs when a subject provides appropriate credentials to prove the identity it claimed. For example, when a user provides the correct password with a username, the password proves that the user is the owner of the username. In short, authentication provides proof of a claimed identity.

There are several methods of authentication that I'll cover in another post, but in short they are:
  • Something you know, such as a password or PIN
  • Something you have, such as a smart card, CAC, PIV, or RSA token
  • Something you are, using biometrics

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Once a user is identified and authenticated, they can be granted authorization based on their proven identity. It's important to point out that you can't have separate authorization without identification and authentication. In other words, if everyone logs on with the same account you can grant access to resources for everyone, or block access to resources for everyone. If everyone uses the same account, you can't differentiate between users. However, when users have been authenticated with different user accounts, they can be granted access to different resources based on their identity.

In summary, it's important to understand the differences between identification, authentication, and authorization when studying for security exams such as the Security+, SSCP, or CISSP exams. Identification occurs when a subject claims an identity (such as with a username), and authentication occurs when a subject proves that identity (such as with a password). Once the subject has a proven identity, authorization techniques can grant or block access to objects based on that proven identity.
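As an added example (not code from the original post), here is a small Python model of the three steps using the subject and object terms above. The credential store, the ACL, and the usernames and passwords are constructed sample data; the password check uses a salted PBKDF2 hash, which is an assumption about how the verifier stores credentials.

```python
import hashlib
import hmac
import os

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash of the password).
CREDENTIALS = {}

# Constructed access control list: (object, action) -> set of subjects allowed.
ACL = {
    ("payroll.xlsx", "read"): {"alice", "bob"},
    ("payroll.xlsx", "write"): {"alice"},
}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(username, password):
    """Store a salted hash so the verifier never keeps the password itself."""
    salt = os.urandom(16)
    CREDENTIALS[username] = (salt, _hash_password(password, salt))

def identify(claimed_username):
    """Identification: the subject claims an identity. Nothing is proven yet."""
    return claimed_username if claimed_username in CREDENTIALS else None

def authenticate(username, password):
    """Authentication: prove the claim with something you know (the password)."""
    salt, expected = CREDENTIALS[username]
    return hmac.compare_digest(_hash_password(password, salt), expected)

def authorize(subject, obj, action):
    """Authorization: grant or block the authenticated subject's access to the object."""
    return subject in ACL.get((obj, action), set())

def access(claimed_username, password, obj, action):
    """Full flow: identify -> authenticate -> authorize. Returns the decision and reason."""
    subject = identify(claimed_username)
    if subject is None:
        return "denied: unknown identity"
    if not authenticate(subject, password):
        return "denied: authentication failed"
    if not authorize(subject, obj, action):
        return "denied: not authorized"
    return "granted"

enroll("alice", "correct horse battery staple")   # constructed sample credentials
enroll("bob", "hunter2-but-longer")
```

Because alice and bob authenticate with separate accounts, the ACL can grant alice write access while blocking bob; with a single shared account that distinction would be impossible.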

Wednesday, December 21, 2011

Single Sign-On (SSO) and Federated Identity Management

If you're studying for one of the security certifications such as CISSP, SSCP, or Security+ it's important to understand single sign-on (SSO) concepts and federated access.

SSO refers to the ability of a user to log on or access multiple systems by providing credentials only once. It enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user’s entire session.

Kerberos is an authentication protocol commonly used to help support SSO in many networks. When users authenticate, a Key Distribution Center (KDC) issues the user an encrypted time-stamped ticket-granting ticket (TGT). The TGT is cached on the user's system and normally has a lifetime of 10 hours but can be renewed. Kerberos uses symmetric cryptography to encrypt tickets and in most current implementations it uses Advanced Encryption Standard (AES). The KDC is also referred to as an authentication server (AS) or sometimes as a Kerberos authentication server (KAS).

When the user later wants to access a resource such as a file on a server, the user's system submits the TGT with a request to access the resource. The KDC validates the TGT and sends the user a ticket (sometimes called a service ticket) for the resource. The user's system then submits this ticket to the host of the resource (in this case the file server) with a request to access the resource. The host checks with the KDC to ensure that the ticket is valid and if so, allows access as long as the user is authorized.

Kerberos requires all systems to be time synchronized and the default in version 5 is for all systems to be within five minutes of each other. If a system is more than five minutes off, the KDC won't issue a TGT or any other tickets, effectively blocking all non-anonymous access on a network. It uses a database of credentials to authenticate users and uses port 88 by default.

A drawback with Kerberos is that it represents a single point of failure. If the KDC fails, all authentication stops. Additionally, if the KDC is compromised, all credentials are compromised.
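The following is an added example, not code from the original post, that simulates the TGT and service-ticket exchange described above with the five-minute clock-skew limit and the ten-hour TGT lifetime. The keys, the service name, and the one-hour service-ticket lifetime are assumptions, and tickets are sealed with an HMAC tag as a stand-in for the AES encryption a real KDC applies.

```python
import hashlib
import hmac
import json

MAX_CLOCK_SKEW = 5 * 60            # Kerberos v5 default: clocks within five minutes
TGT_LIFETIME = 10 * 60 * 60        # typical TGT lifetime of 10 hours
SERVICE_TICKET_LIFETIME = 60 * 60  # assumption for this model

# Constructed long-term keys. The KDC key seals TGTs; each service key is shared
# between the KDC and that service only, so the service can validate its own tickets.
KDC_KEY = b"constructed-kdc-key"
SERVICE_KEYS = {"fileserver": b"constructed-fileserver-key"}

def seal(key, fields):
    """Simplification: real Kerberos encrypts tickets (AES); here a ticket is a JSON
    body plus an HMAC tag, so only a holder of `key` can validate or produce one."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def unseal(key, ticket):
    body, tag = ticket.rsplit(b".", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ticket rejected: bad tag")
    return json.loads(body)

def kdc_issue_tgt(user, client_time, now):
    """AS exchange: issue a time-stamped TGT, refusing clients whose clock is off."""
    if abs(client_time - now) > MAX_CLOCK_SKEW:
        raise ValueError("clock skew too great")
    return seal(KDC_KEY, {"user": user, "issued": now, "expires": now + TGT_LIFETIME})

def kdc_issue_service_ticket(tgt, service, now):
    """TGS exchange: validate the presented TGT, then issue a ticket for the service."""
    t = unseal(KDC_KEY, tgt)
    if now > t["expires"]:
        raise ValueError("TGT expired")
    fields = {"user": t["user"], "service": service, "expires": now + SERVICE_TICKET_LIFETIME}
    return seal(SERVICE_KEYS[service], fields)

def service_accept(service, ticket, now):
    """The resource host validates the ticket with its own key and checks expiry."""
    t = unseal(SERVICE_KEYS[service], ticket)
    return t["service"] == service and now <= t["expires"]
```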

Federated Identity Management

Identity management refers to the management of user identities and their credentials. For example, usernames and passwords are stored in a database that can be accessed by Kerberos to authenticate users. Users claim an identity and prove their identity by authenticating, such as with a password. In federated identity management, organizations join a group of organizations called a federation. All the organizations within the federation agree on a method to share identities between the organizations.

Once the federation is configured, users are able to log on one time within their organization and then access resources in other organizations without logging on again. This is usually transparent to the user.

As an example, I have worked in an organization where we logged on with smart cards. We had access to training sites hosted by other organizations but part of a federated identity management system. All we had to do was access the web site using a web browser, and our credentials were automatically recognized without requiring us to take any additional steps.

In summary, SSO methods can increase security by reducing the number of passwords users must remember. Federated access allows an organization to share identities between different organizations in a common group, or federation of organizations.

Friday, December 9, 2011

Free Security+ Books from Amazon Prime

Two Security+ books are now available through the Kindle lending library, a new feature of Amazon Prime. If you have any version of a Kindle and Amazon Prime, you can check out any available book for free for a month. Books for both the SY0-201 and SY0-301 Security+ exams are available to check out.

Two Security+ Books Available

The following two Security+ books are a part of this program, so you can check out either one without charge.
While Amazon has created Kindle applications to run on just about any platform, the lending library doesn't currently work with these applications. I really don't know if they plan to add it later or not. However, if you don't have a Kindle, you can still get these two books for only $9.99 using one of these free applications.

These Security+ books are also available in paperback versions.

Amazon Prime Benefits

I've had Amazon Prime for quite a while and have been very happy with it. It costs $79 annually but you can try it out for a free one month trial. It has the following benefits:
  • Free two-day shipping on products shipped from Amazon
  • Instant streaming of movies and TV shows
  • Instant access to thousands of books

Kindle Versions

There are several versions of the Kindle available, and for reading books I've been very happy with mine. I have an iPad but don't find it as easy to read books on the iPad as on the Kindle.

Also, I recently purchased the new Kindle Fire and have been impressed with it too. It works very similarly to the iPad. I don't think it'll be an iPad killer, but it has a lot of similar functionality and great potential.

If you're studying for the Security+ exam and you have a Kindle and Amazon Prime, be sure to check out the new lending library. If you don't have these though, you can still get some good quality Security+ study materials. Best of luck in your studies.