Security+ (SY0-501) Study Guide Errata Page

CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide

We work hard to ensure that the books come out without any errors, but some always sneak in.

This page is dedicated to sharing errors identified in the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide. If you know of any errors in the book, please let me know.

Unfortunately, I repeated one error several times in the book.

I wrote incorrectly in the Certificate Formats section (Chapter 10) that Canonical Encoding Rules (CER) is a binary format and Distinguished Encoding Rules (DER) is an ASCII format. However, the following is accurate.

  • Canonical Encoding Rules (CER) is ASCII.
  • Distinguished Encoding Rules (DER) is binary.
  • Check out the DER and CER Certificates blog post for clarification.

The following errors have been corrected in the Kindle edition.

Location / Correction

Pg 82 In the Understanding Switches and Getting Help section. The following paragraph in this section isn’t technically accurate, but the difference is subtle.

——————————————-

Although Linux terminal commands use switches too, they don’t use the question mark for help. Instead, if you want basic help on a command, you can often just type the command without any switch, or use the pipe symbol (|) and the word help:

  • ping
  • ping | help

——————————————-

Entering ping or ping | help results in an error, and ping outputs an error message. While the error message can be helpful, it doesn’t give you the same amount of help as the man ping command. A Linux expert let me know that you can almost always get help from a command with one of the following two options:

ping --help

man ping

Check out the online Linux lab for different ways to query help on Linux systems.

Some details from a Linux Expert

You suggest:

ping | help

For getting help with ping on Linux.

Drop the pipe to help. It doesn’t help.

On most Linuxes/shells (including bash, the default shell on Kali, the distro you recommend), “help” is a shell built-in command that offers help on the shell itself, *not* executables that can be called from the shell (such as ping). And it ignores its stdin, so piping anything into it has absolutely no effect on its output.

Furthermore, when you invoke ping without any arguments, that’s an error, so the usage message that ping spits out goes to stderr, not stdout. When you make a pipeline, only stdout gets redirected to the next command in the pipeline, not stderr (unless you add extra syntax, which you did not). So, despite the pipe, “help” was not even seeing the output of “ping”.

So if, as a result of entering the above command, you saw info on how to use ping, “help” had nothing to do with it. What happened is that *both* the output of help came out (which is of absolutely no use in trying to figure out how ping works) *and* the (stderr) output of ping came out (which you would have got anyway, even if you hadn’t piped to help).

And I very much take issue with the last paragraph of that section, in which you complain about the inconsistency of help availability. On nearly every distribution of Unix/Linux I’ve used over the past thirty-something years (probably a dozen or more), nearly every command (not to mention library calls, system calls, config files) had a very well written man page. Indeed, especially in my early years, the vast majority of what I knew about Unix (later Linux), I learned from reading man pages. I have always considered the built-in documentation on Unix/Linux vastly superior to that of DOS/Windows. (Exception: PowerShell’s documentation is stellar. But that’s such a late addition, relatively speaking, that you’d hope MS would have started getting things right by then.)

As for getting help with command line switches, your complaint of lack of consistency has a bit more legitimacy. Still, it’s relatively few commands that don’t support at least one of -h, -?, --help. And even for those that don’t, I haven’t run into a command yet that doesn’t give usage if you give it an option it doesn’t support, so --help and/or -? should nearly always get you what you need, even if only accidentally. (I suppose -h might be a bit more risky, since there’s a better chance that it’s supported but means something other than “help”.)
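The expert’s two points (a pipe carries only stdout, and ping’s usage message goes to stderr) can be checked directly. This is an added example, not from the book or the expert: it drives /bin/sh from Python and uses a constructed stand-in command in place of ping so it runs without network tools, with wc -l standing in for whatever consumer is on the right of the pipe.

```python
import subprocess

# Constructed stand-in for "ping" typed with no arguments: like ping, it
# writes its usage message to stderr and exits with a non-zero status.
USAGE_CMD = "echo 'Usage: fake_ping [-c count] destination' >&2; exit 2"


def run_pipeline(merge_stderr: bool) -> subprocess.CompletedProcess:
    """Run `stand-in | wc -l` under /bin/sh, optionally adding 2>&1 first.

    wc -l plays the role of any pipeline consumer: it counts the lines
    that actually arrive on its stdin through the pipe.
    """
    redirect = " 2>&1" if merge_stderr else ""
    pipeline = f"({USAGE_CMD}){redirect} | wc -l"
    # The pipeline's exit status is wc's, so check=True does not trip on the
    # stand-in's "exit 2".
    return subprocess.run(["sh", "-c", pipeline],
                          capture_output=True, text=True, check=True)


def lines_reaching_consumer(merge_stderr: bool) -> int:
    """How many lines the consumer saw (wc prints the count on stdout)."""
    return int(run_pipeline(merge_stderr).stdout.strip())


def usage_still_shown(merge_stderr: bool) -> bool:
    """Did the usage text bypass the pipe and land on the shell's stderr?"""
    return "Usage:" in run_pipeline(merge_stderr).stderr


if __name__ == "__main__":
    # Plain pipe: the consumer receives 0 lines, yet the usage text still
    # appears on the terminal, which is what made "ping | help" look useful.
    print("plain pipe ->", lines_reaching_consumer(False), "line(s) piped;",
          "usage on terminal:", usage_still_shown(False))
    # With the extra 2>&1 syntax the usage line is sent into the pipe.
    print("with 2>&1  ->", lines_reaching_consumer(True), "line(s) piped;",
          "usage on terminal:", usage_still_shown(True))
```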

Pg 93 The third sentence incorrectly states, “Non-persistence is used in a virtual desktop infrastructure (VDI), where user changes to the desktop are not changed.”

The correct sentence should be:
“Non-persistence is used in a virtual desktop infrastructure (VDI), where user changes to the desktop are not saved.”

Pg 96 In the Comparing Identification and AAA section, the second sentence should have the phrase “proving the identity” instead of “providing the identity.”

The complete sentence should be:
If you understand identification (claiming an identity, such as with a username) and authentication (proving the identity, such as with a password), it’s easier to add in the other two elements of AAA—authorization and accounting.

Pg 103 In Chapter 2, Exploring Authentication Concepts, under the section title “Something You Have”, the second sentence in the Remember This block is:

HOTP creates a one-time use password that does not expire.

It should read as:

HOTP creates a one-time use password that does not expire until it is used.

Pg 111 In Chapter 2, under NTLM section.

The second sentence in the second bullet is:

When a user attempts to log on, NTMLv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user’s password, the current time, and more.

It should be:

When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user’s password, the current time, and more.

The last sentence is:

If not, it uses either NTLMv2 or NLTM2 Session depending on the capabilities of the systems involved in the session.

It should be:

If not, it uses either NTLMv2 or NTLM2 Session depending on the capabilities of the systems involved in the session.

Pg 140 In the Kindle version, Chapter 3, page 139, under section title “CompTIA Security+ objectives covered in this chapter”. The last objective is listed as:

1.3 Given a scenario, implement secure systems design.

It should be:
3.3 Given a scenario, implement secure systems design.

Pg 169 In Chapter 3, Transparent Proxy Versus Nontransparent Proxy Remember This section. The definitions for transparent proxy servers and nontransparent proxy servers are reversed.

It should read:

A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Transparent proxy servers accept and forward requests without modifying them. Nontransparent proxy servers use URL filters to restrict access to certain sites. Both types can log user activity.

Pgs 191, 199-202, 214-215  In the “IEEE 802.1x Security,” “PSK, Enterprise, and Open Modes,” and “RADIUS” sections.

802.1x should be 802.1X on these pages and throughout the book.

The Security+ SY0-501 objectives consistently use 802.1x (lower case).

4.3 Given a scenario, implement identity and access management controls.
Certificate-based authentication, IEEE 802.1x

6.3 Given a scenario, install and configure wireless security settings.
Authentication protocols, IEEE 802.1x

The 802.1 working group uses these guidelines:
– The ones with capital letters, e.g. 802.1Q or 802.1AX are independent standards
– Amendments to these standards are identified by lower case letters e.g. 802.1ah, 802.1Qbg or 802.1AEbn

There is an IEEE 802.1X independent standard but there isn’t an 802.1x standard, so 802.1X is technically accurate.

Pg 213

Pg 216

TACACS+ was created by Cisco, but is not proprietary to Cisco.

In the Identity and Access Services section, in the TACACS+ bullet, the first sentence in the first paragraph should be:

TACACS+ is an alternative to RADIUS.

In the TACACS section, the first sentence in the second paragraph should be:

Although CISCO created TACACS+, it can interact with Kerberos.

In the Remember this, the second sentence should be:

TACACS+ can be used with Kerberos.

Pg 433 XOR bullet. The explanation is swapped.

It should read as:

If the two inputs are the same, it outputs False (or a binary 0).
If the two inputs are different, it outputs True (or a binary 1).

Pg 459 In the Certificate Issues section, the third sentence incorrectly states that a cached CRL results in more traffic. Instead of “…generates a lot of traffic sent…” it should read as:

This reduces traffic sent between clients and the CA.

Pg 461 In the Certificate Formats section, CER and DER are incorrectly identified as binary and ASCII, respectively.
Canonical Encoding Rules (CER) is ASCII.
Distinguished Encoding Rules (DER) is binary.

The last sentence in the third paragraph should be:
“CER is an ASCII format and DER is a binary format.”

Pgs 461-462 In the Certificate Formats section, the first sentence in the fourth paragraph should be:

Some certificates include headers and footers to identify the contents.

The last sentence in the fifth paragraph should be:

DER-based certificates are binary encoded so they do not have headers and footers.

Pg 462 The following graphic shows a correction for Table 10-3.

In the paragraph right below Table 10-3 describing PEM, the fourth sentence should be:
“They can be formatted as CER (ASCII files) or DER (binary files).”

In the paragraph describing P7B certificates, the first sentence should be:
“P7B certificates use the PKCS version 7 (PKCS#7) format and they are CER-based (ASCII).”

In the paragraph describing P12 certificates, the first sentence should be:
“P12 certificates use the PKCS version 12 (PKCS#12) format and they are DER based (binary).”

Pg 463 Remember this block first sentence should be:
“CER is an ASCII format for certificates and DER is a binary format.”

Pg 466 The third to last bullet in Exploring PKI Components Exam Topic Review section should be:
“CER is an ASCII format and DER is a binary format.”

Pg 471 In Chapter 10, question 15, the second sentence in the explanation should be replaced with:
“A Distinguished Encoding Rules (DER)–based certificate is a binary encoded file, but not as specific as a P12 certificate file type.”

Pg 537 3DES definition in glossary. Change Digital to Data.

It should read as “Triple Data Encryption Standard”

Pg 540 CBC definition in glossary. The first sentence should be “A mode of operation used by some symmetric encryption ciphers.”

The full glossary definition should be:

CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It uses an IV for the first block and each subsequent block is combined with the previous block.
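To make the corrected definition concrete, here is an added example (not from the book) of CBC chaining in Python: the IV is XORed into the first block and every later block is XORed with the previous ciphertext block before encryption. The block cipher is a constructed toy permutation standing in for a real cipher such as AES; it is not secure and exists only so the chaining is visible, and ecb_encrypt is included for contrast.

```python
import random

BLOCK = 8  # toy block size in bytes


def _keyed_sbox(key: bytes):
    """Constructed toy block cipher: a keyed byte permutation and its inverse.
    Not secure; it only needs to be an invertible block transform."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return bytes(table), bytes(inverse)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    sbox, _ = _keyed_sbox(key)
    sub = bytes(sbox[b] for b in block)
    return sub[3:] + sub[:3]  # rotate so byte positions move as well


def block_decrypt(key: bytes, block: bytes) -> bytes:
    _, inv = _keyed_sbox(key)
    sub = block[-3:] + block[:-3]  # undo the rotation
    return bytes(inv[b] for b in sub)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """No chaining: identical plaintext blocks give identical ciphertext."""
    return b"".join(block_encrypt(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: XOR each block with the previous ciphertext block (the IV for
    the first block) before encrypting it."""
    assert len(iv) == BLOCK and len(pt) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor_bytes(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Undo the chaining: decrypt, then XOR with the previous ciphertext."""
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(xor_bytes(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)
```

Encrypting the same message twice under the same key and IV yields the same ciphertext, which is why the IV must be fresh for every message.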

Pg 541 The third sentence in the CER glossary definition should be:
“They are ASCII encoded files.”

Pg 544 The third sentence in the DER glossary definition should be:
“They are BASE64 binary encoded files.”

Pg 547 Firewall definition in glossary. The definitions for stateful and stateless firewalls were swapped. They are correct in the chapter. The definition should be:

firewall—A software or a network device used to filter traffic. Firewalls can be application-based (running on a host), or network-based. Stateless firewalls filter traffic using rules within an ACL. Stateful firewalls filter traffic based on its state within a session.

Pg 555 The second sentence in the P7B glossary definition should be:
They are CER-based (ASCII) and commonly used to share public keys.

The second sentence in the P12 glossary definition should be:
They are DER-based (binary) and often hold certificates with the private key.

Pg 567 XOR definition in glossary. The explanation is swapped. It should read as:

If the two inputs are the same, it outputs False (or a binary 0).
If the two inputs are different, it outputs True (or a binary 1).