WGU C845 SSCP EXAM STUDY GUIDE
INFORMATION SYSTEM SECURITY
This guide covers essential SSCP topics organized into logical sections. Each section includes core
concepts, best practices, and comparisons where needed.
I. Security Fundamentals & Access Control
1. Configuration Management & Access Control Models
● Configuration Management Practice
○ Purpose: Maintain system integrity via version control, audits, and baseline settings.
○ Key Focus: Change management processes and accurate configuration documentation.
● Access Control Models
○ Decentralized (Discretionary Access Control – DAC): Local decisions at the resource
level; users manage their own permissions.
○ Mandatory Access Control (MAC): Centralized, strict policies defined by the
organization.
○ Role-Based Access Control (RBAC): Access based on a user’s role within the
organization.
○ Additional Methods:
■ Capability Tables: Map subjects (users/processes) to permitted operations on
objects.
■ Access Control Lists (ACLs): Collections of Access Control Entries (ACEs)
that specify allowed or denied permissions.
● Device Authentication & Administrative Shares
○ Device Authentication: Uses certificates, tokens, or cryptographic keys to verify a device’s
identity.
○ Administrative Shares: Hidden network shares (e.g., C$, ADMIN$) used for remote
management (note: these pose security risks if not managed properly).
2. Account Management
● Steps in Account Management:
○ Provisioning: Create accounts with appropriate roles and permissions.
○ Modification: Update accounts as roles or job functions change.
○ Deactivation/Deletion: Disable or remove accounts that are no longer needed.
○ Periodic Review: Regularly audit account permissions and activity.
○ Password/Authentication Management: Enforce strong credentials and consider using
shadow password systems (storing hashed passwords in secure files like /etc/shadow
on UNIX/Linux).
II. Network Security
1. VPNs and WiFi Security
● VPN Protocols:
○ ESP (Encapsulating Security Payload): Provides encryption (with optional
authentication).
○ AH (Authentication Header): Provides authentication and integrity without encryption.
○ MBSA: A Microsoft tool that scans for security misconfigurations and missing updates.
● WiFi Security:
○ WEP: Insecure due to weak encryption and predictable initialization vectors.
○ WPA (with TKIP): Improved over WEP but has known vulnerabilities.
○ WPA2/WPA3: Use AES encryption and robust key management (with WPA3 offering
enhanced security).
2. Firewalls, NAT, and Network Protocols
● Types of Firewalls:
○ Traditional Architectures:
■ Single-tier: One firewall (e.g., typical home router).
■ Two-tier: Perimeter firewall with a Demilitarized Zone (DMZ).
■ Three-tier: Adds an internal firewall for extra protection.
○ Other Types:
■ Packet Filtering Firewalls
■ Stateful Inspection Firewalls
■ Proxy-Based Firewalls
■ Next-Generation Firewalls (NGFW)
● Network Address Translation (SNAT):
○ SNAT (Source NAT): Translates private IP addresses to a public IP address for outbound
traffic.
● Additional Network Technologies:
○ MPLS (Multi-Protocol Label Switching): Improves routing efficiency and traffic
management.
○ FCoE (Fibre Channel over Ethernet): Converges storage and data networks, carrying
Fibre Channel traffic over Ethernet.