Security + Outline

CompTIA Security+ study guide


Exam domains and weights: Systems Security (21% of exam), Network Infrastructure (20%), Access Control (17%), Assessments and Audits (15%), Cryptography (15%), Organizational Security (12%)

This is just a brief overview of the most important concepts. I still recommend reading a book and watching the classes on VTE or Mindleaders or a program you have procured.

This is a list of the well-known ports. KNOW THIS!!!
FTP 20, 21
SSH 22
Telnet 23
SMTP 25
TACACS 49
DNS 53
Kerberos 88
HTTP 80
HTTPS 443
SSL 443
Network News Transfer Protocol (NNTP) 119
IMAP4 143
LDAP 389
LDAP/TLS 636
LDAP/SSL 636
POP3 110
L2TP 1701
PPTP 1723
Terminal Services 3389

1) Systems Security
  a) Differentiate among various systems security threats
    i) Privilege escalation: This is when a vulnerability inside the system allows a user or process access to elevated permissions (going higher up in the system without permission, i.e. a user becomes an administrator, etc.).
    ii) Virus: A set of malicious code that attaches itself to a system. The characteristics of a virus are: a replication mechanism (able to replicate itself onto other hosts), an activation mechanism (when the objective is executed), and an objective mechanism (the damage or action that the virus wants to commit). Viruses are restrained in that they have to be executed by the user, and they are found in emails, USB flash drives, floppies, and downloads. Some viruses are even circulated as a virus hoax (an email or message that tells of a virus that doesn't exist and then causes the user to delete a much-needed file). Protect yourself by researching antivirus vendor sites, urban legend sites, and programchecker.com.
    iii) Worm: Worms travel through a network without the assistance of a host application or user interaction. These types of malicious code do NOT need to be executed.
    iv) Trojan: This is a type of virus that looks like something benign while actually being a virus.
    v) Spyware: Software that is downloaded to a system without the user's knowledge and takes a certain level of control over the user's system. It may change the home page, redirect browsers, install other software, or even install a keylogger that records the computer's keystrokes.
    vi) Spam: Used to deliver malware and to consume the computer's resources (bandwidth, etc.).
    vii) Adware: These are the pop-up ads you see when you are on the Internet. When they are malicious they are called spyware. The best protection against these is a pop-up blocker.
    viii) Rootkits: A group of programs (maybe only one program) that hides the fact that the system is under attack from a virus. A user may suspect something is wrong, but a rootkit hides the virus.
    ix) Botnets: Usually used when attacking with a Distributed Denial of Service attack (DDoS). A botnet is a group of computers that act as robots under the control of a central command. The computers inside the botnet are called zombies. The master is the controlling computer, and the slaves follow what the master commands.
    x) Logic bomb: A string of code that will activate after a certain event. The event could be anything from a time and date to a certain change inside the system.
  b) Explain the security risks pertaining to system hardware and peripherals
    i) BIOS: This is the system's firmware (Basic Input/Output System) and is used to configure basic settings such as which device the system will try to boot from. It poses a great vulnerability to the system if it is not password protected or, better yet, locked down.
    ii) USB devices: Small, and they can hold large amounts of data. This is obviously a risk, not only for loss of data but also for spreading viruses. Usage can be restricted by disabling the USB root hub, disabling USB in the BIOS, disabling the USB driver via Group Policy, or by using third-party tools.
    iii) Cell phones: Risks in that they have built-in cameras and their audio can be turned on remotely. Attackers can also eavesdrop on cell phone calls or steal the phone to access your sensitive information.
    iv) Removable storage: The information in question is usually information on a network. Any computer on the network can have access to that information, and this makes removable storage (CDs, DVDs, USB drives, etc.) a risk.
    v) Network attached storage: These are hard drives or hard drive systems attached directly to the network with an IP address.
  c) Implement OS hardening practices and procedures to achieve workstation and server security
    i) Hotfixes: A small update similar to a patch. They are patches that can be applied without a reboot, intended to address an immediate threat or a specific issue for a narrow market. To harden your system, it is best to keep these up to date.
    ii) Service packs: A collection of patches, hotfixes, and maybe some additional features.
    iii) Patches: A string of code used to correct a single bug or vulnerability in the operating system or an application.
    iv) Patch management: A group of methodologies implemented to assure that all the systems in the network have the appropriate patches. This also includes testing the patches, applying the changes, and auditing the changes (to make sure the patch was properly applied). Be sure to properly audit systems to find out which patches are (or are not) on each system. There are tools that help manage patches: MBSA is used to query one or multiple computers in an enterprise and can check for current updates and basic vulnerabilities; WSUS is used by administrators to download and approve updates; SMS can be used to schedule the deployment of patches.
    v) Group Policies: Used to manage multiple users and computers in a domain. It allows an administrator to configure a setting once in a Group Policy Object (GPO). This is usually used for a password policy, which includes the following: maximum password age, minimum password age, enforce password history, minimum password length, complexity requirements, and storing passwords with reversible encryption. A GPO can also apply a device policy that restricts the use of portable devices. These restrictions are: disable autorun, prevent the installation of small devices, and detect the use of small devices.
    vi) Security templates: These are the starting point for security settings. They can be used as part of Group Policy to ensure that systems start with a common configuration. These configurations are: account policies (password and lockout settings), local policies (many detailed user rights settings), restricted groups (automate the control of group membership such as Administrators and Domain Admins), system services (used to enable and disable specific services), and software restrictions (only specific software is allowed to run on a system).
    vii) Configuration baselines: The starting point for a system's configuration. It is very similar to a security baseline, but it does not focus strictly on security aspects; it is focused on system consistency (every computer has the same configuration: printers, background, screensaver, applications, etc.).
  d) Carry out the appropriate procedures to establish application security
    i) ActiveX: A mini-program that gives a site pizzazz. These pose a threat when they do not have the proper Certificate Authority (CA). The CA shows that the mini-program was written by an acceptable source and does not contain malicious code.
    ii) Java: Java applets are similar to ActiveX controls. They too need proper certification to be considered safe to run on your computer. Java applets will only run inside a confined area (for added protection) called a Java Virtual Machine (JVM).
    iii) Scripting: JavaScript is different from both of the above. It is a scripting language used on the Internet. It is an interpreted language: simple text that is read and interpreted when executed. There is also Cross-Site Scripting (XSS), where attackers are able to gather data from a user without the user's knowledge. The data is obtained by passing a hyperlink that contains malicious content. The best way to protect against this is to only follow links within a site and turn off JavaScript except when absolutely needed.
    iv) Browser: Used to accept the HTML code from the web server and display it.
    v) Buffer overflows: This is when an attacker sends more input, or different input, to an application than expected. This causes erratic behavior and opens an opportunity for the attacker to access the internal buffer and insert malware. To prevent this, perform significant testing and code review, and perform input validation. Keeping servers up to date is the best defense against this attack.
    vi) Cookies: A text file stored on a user's computer that can be used for multiple purposes, but it is often used to track activity. XSS opens the door for attackers to read cookies that
    vii) SMTP open relays: Simple Mail Transfer Protocol is a mail server. An anonymous open relay (SMTP open relay) is an
    viii) Instant messaging: Sends all your information in plain text. Thus, it is highly vulnerable to sniffing attacks.
    ix) P2P: Peer-to-Peer is file sharing over a network and the Internet. An issue with this (not counting that it is now illegal) is data leakage. Data leakage is when a user is not aware that they are signed onto a P2P network and their files are now shared with whoever is on the network.
    x) Input validation: This checks that the data is within the scope of what is expected (amount, type, etc.). If this is not done, an attacker can enter other data and thus perform an SQL injection attack. This allows the attacker to execute commands directly against the database through the web server.
    xi) Cross-site scripting (XSS): This is where attackers are able to gather data from a user without the user's knowledge. The data is obtained by passing a hyperlink that contains malicious content. The best way to protect against this is to only follow links within a site and turn off JavaScript except when absolutely needed.
  e) Implement security applications
    i) HIDS: A Host-based Intrusion Detection System (IDS). It monitors traffic that moves through the network interface card (NIC). The strengths are: encrypted traffic can be interpreted by the host, and dial-up traffic can be monitored. Weaknesses are: it consumes resources (because it is another piece of installed software), it cannot monitor network traffic, it is expensive, and data is stored locally (if corrupted, then all is lost).
    ii) Personal software firewalls: Software that monitors the traffic that passes through the NIC. In making it personal you implement it on your machine and it monitors the traffic on your machine.
    iii) Antivirus: Helps protect you from viruses. This software also usually protects you from other malware (worms, Trojan horses).
    iv) Anti-spam: Spam has become one of the main ways to send viruses, and it is important to have anti-spam software on your computer.
    v) Pop-up blockers: The best defense against adware!
  f) Explain the purpose and application of virtualization technology: Virtualization is technology that allows a user to have multiple virtual servers on only one actual server. This is very helpful in that you can conduct testing in an isolated environment. You can also test malware and applications. Another benefit is that you can isolate network services and roles (like DNS, WINS, and DHCP). A weakness of virtualization is that the host becomes a single point of failure.

2) Network Infrastructure
  a) Differentiate between the different ports and protocols, their respective threats and mitigation techniques
    i) Antiquated protocols: Protocols that are no longer in common use. Some of these are NetBEUI (used to quickly set up a virtual network), IPX/SPX (was used instead of TCP/IP), and AppleTalk (Apple's proprietary networking protocol).
    ii) TCP/IP hijacking: Where a third party takes over a session and logically disconnects a client that was originally involved in the session. CHAP has helped make this attack much more difficult by periodically re-authenticating the client. This type of attack is very difficult to pull off.
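The input validation item under 1d above says that unvalidated input lets an attacker run commands against the database. The example below is added here and is not from the outline: it puts a lookup that pastes user text into SQL beside one that validates the input against an allow-list and passes it as a query parameter, using a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Constructed sample user table (not from any real system).
SAMPLE_USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(username: str) -> list:
    """No input validation: the user-supplied text becomes part of the SQL
    statement, so a single quote in it changes what the statement means."""
    conn = _connect()
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


# Allow-list: the scope a username is expected to fall within (assumed rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def lookup_safe(username: str, validate: bool = True) -> list:
    """Input validation (character allow-list and length) plus a parameterized
    query: the driver hands the value to SQLite as data, never as SQL text."""
    if validate and not USERNAME_RE.fullmatch(username):
        raise ValueError("username outside the expected scope")
    conn = _connect()
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    crafted = "x' OR 'a'='a"  # constructed input, not a real username
    print("unsafe, normal input:", lookup_unsafe("alice"))
    print("unsafe, crafted input:", lookup_unsafe(crafted))  # every row
    try:
        lookup_safe(crafted)
    except ValueError as err:
        print("validation rejected crafted input:", err)
    # Even with validation switched off, the parameterized query only
    # looks for a user literally named "x' OR 'a'='a", and finds none.
    print("parameterized, crafted input:", lookup_safe(crafted, validate=False))
```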
    iii) Null sessions: A logon session that represents anonymous users in Windows environments. Thus unauthenticated clients can access resources such as files, folders, and printers. The best practice to prevent this is to replace the Everyone group with Authenticated Users.
    iv) Spoofing: Where a person or entity disguises itself as something else. IP spoofing is where the source IP address is modified; thus the attacker can act like a trusted individual and can even attack multiple computers (a whole network). Email spoofing is another type of spoofing where someone changes the From address to make it look like the message is from some credible source.
    v) Man-in-the-middle: Another advanced attack. This is active interception and eavesdropping. The attacker uses a separate computer that accepts traffic from each party in a conversation and then forwards the traffic without modification.
    vi) Replay: Another advanced attack, one where an attacker replays data that was already part of a communication session. This is usually done to impersonate another individual. This attack can be prevented with Kerberos because it requires that the internal clocks of all computers be within five minutes of each other. This narrows the time the attacker has to implement the attack to less than 5 minutes.
    vii) DoS: A denial of service attack is used to make certain services unavailable to users. There are two types of DoS attacks. The first is the SYN flood attack, which disrupts the TCP initiation process by withholding the third packet of the TCP three-way handshake. The next type is the Smurf attack. It sends out a ping as a broadcast (a ping is usually one-to-one) and spoofs the source IP. Thus the victim gets flooded with ICMP (used in diagnostics, and uses IP addresses) replies.
    viii) DDoS: Where the attack is done with a botnet.
    ix) Domain name kiting: An underhanded way to not pay for a domain name. Each domain has a 5-day free period, and this is just dropping the name before the 5 days are up and then reinstating it again.
    x) DNS poisoning: The Domain Name System is what allows us to simply type google.com instead of the IP address. It also locates the following: mail servers, domain controllers in a network using Service (SRV) records, and domain controllers holding specific roles or running specific services using SRV records. The name resolution results are cached on the server and on the client. DNS poisoning occurs when the cache holding the names redirects the client to bogus web sites.
    xi) ARP poisoning: This can be used in a DDoS to mislead computers about the actual MAC address of a system. Address Resolution Protocol is used to resolve IP addresses to MAC addresses on a subnet. The poisoning stops the computer from communicating with other hosts. Thus entire subnets become isolated for attack.
  b) Distinguish between network design elements and components
    i) DMZ: The demilitarized zone (DMZ) is a buffer zone between the private network (intranet) and the Internet. This adds another layer of security for Internet-facing servers. The DMZ has firewalls as bookends around it (one on the Internet side and another on the intranet side). Internet-facing servers like web servers, mail servers, or FTP servers accessible from the Internet would be placed in the DMZ, with very specific rules on both firewalls about what is allowed into the DMZ and into the intranet.
    ii) VLAN: A virtual local area network uses a switch to group several different computers into a virtual network. This allows computers to be grouped on the same network by logical need instead of physical location (no need for a physical router connecting the machines). The traffic is isolated between the computers and thus adds a level of security.
    iii) NAT: Network address translation is a protocol that translates the public IP address into a private IP and the private back into public. Private IPs are internal to a network, and public IPs are accessible on the Internet. NAT translates and allows internal clients access to the Internet while still hiding them from attackers on the Internet. Static NAT uses one-to-one mapping. Dynamic NAT uses multiple public IPs, and NAT can decide which public ones to use based on load (many people can use the same public IP). NAT is NOT compatible with IPSec.
    iv) Network interconnections: Inside the Open Systems Interconnection reference model there are 7 distinct layers (this is how networks are interconnected). Layer 1, Physical, contains hubs, NICs, Ethernet, Token Ring. Layer 2, Data Link, contains switches, MAC, PPP. Layer 3, Network, contains routers, layer 3 switches, IP, IPSec, ICMP, ARP. Layer 4, Transport, contains TLS, TCP, UDP. Layer 5, Session, contains SSL, NetBIOS. Layer 6, Presentation, contains ASCII, EBCDIC, TIFF, JPG. Layer 7, Application: an application-proxy firewall operates on all layers up to the application layer; this layer also contains HTTP, HTTPS, FTP, DNS, SMTP, SNMP, and more. KNOW THE LAYERS IN ORDER AND HAVE A CONCEPT OF WHAT THEY CONTAIN!
    v) NAC: Network access control adds a layer of restricted access to your private network. It includes three primary components: authentication (clients provide credentials before access), remote access policies (this controls, after they are authenticated, what and when different elements in the network are accessible to them), and inspection and control (this makes sure they are running up-to-date anti-malware software; if they are not, they are given only restricted access to the network).
    vi) Subnetting: Used to divide a single range of IPs into multiple smaller ranges of IPs. This increases efficiency and isolation.
    vii) Telephony: This covers dial-up remote access. It uses telephone technology to connect computers.
  c) Determine the appropriate use of network security tools to facilitate network security
    i) NIDS: A Network-based Intrusion Detection System monitors activity on the network. It is installed on network devices (firewalls and routers) as sensors and taps. All the information gathered is sent back to a central server hosting a console to monitor activity. It does not read anomalies on individual systems unless they have a significant influence on network traffic. The sensors can be put on either side of the network's firewall and read the traffic that occurs at that position (what makes it through, or all of the traffic).
    ii) NIPS: A Network Intrusion Prevention System is an extension of NIDS and is made to catch an attack in real time (at the actual occurrence). It defends the network from attackers actively attacking it. NIPS will actually sit at the firewalls (in-line), while NIDS will simply have sensors.
    iii) Firewalls: Designed to filter traffic. A firewall can be hardware-based (will have 2 or more NICs) or software-based (monitors traffic through a single NIC). A stateful firewall has the ability to examine multiple packets that are involved in a network connection. The application firewall was discussed above. A firewall has the ability to filter content such as spam, attachments, URLs, and certificates. There are also firewall logs that record any activity of interest. This is the first place an administrator will look to see if an intrusion has taken place.
    iv) Proxy servers: Found in many networks. They can perform caching (short-term storage of content to make access quicker and easier for others on the network) and can use content filters to restrict access. The proxy server will also contain the NAT to transform the IPs from private to public. These can be either static or dynamic.
    v) Honeypot: A server that looks like an easy target for an attacker. These are used to divert attackers from the live network and to allow observation of the attacker.
    vi) Internet content filters: A firewall that contains the ability to filter content.
    vii) Protocol analyzers: Captures and analyzes packets on a network. That means that ANY data sent in plain text can be observed and analyzed by the protocol analyzer. Wireshark is a popular one. These analyzers can be used to analyze traffic, capture and display clear text, analyze TCP/IP sessions (SYN flood attack), monitor specific traffic or network traffic, and detect internal computers being used as zombies in a botnet. Protocol analyzers can be used for good or bad; they are used in sniffer attacks. There are two main modes of protocol analyzers: non-promiscuous (only traffic passing through the NIC) and promiscuous (all traffic that reaches the NIC).
  d) Apply the appropriate network tools to facilitate network security (these are handled above)
    i) NIDS
    ii) Firewalls
    iii) Proxy servers
    iv) Internet content filters
    v) Protocol analyzers
  e) Explain the vulnerabilities and mitigations associated with network devices
    i) Privilege escalation
    ii) Weak passwords
    iii) Back doors: Some developers keep back doors for ease of access, but since they bypass all the regular security measures, they are a danger to keep open.
    iv) Default accounts, DoS: Rename the administrator account and give it a complex password to protect from attacks. Also, disable the default user accounts.
  f) Explain the vulnerabilities and mitigations associated with various transmission media
    i) Vampire taps: Any tap that tries to gain access by tapping into the physical wire. Fiber optic cable is the most difficult to tap, but coaxial and twisted pair are easy.
  g) Explain the vulnerabilities and implement mitigations associated with wireless networking
    i) Data emanation: Data transmissions that can be captured outside the source (physical cable or wireless). Fiber optic is not susceptible to emanations. These emanations are NOT taps; they are electronic losses of data. They can jump from cables that are close to each other. Coaxial cables are highly susceptible to this. Wireless data transfer is also highly susceptible to data emanation because anyone on the correct channel can get the information. You should secure your wireless network with WPA2 (WEP and WPA are considered compromised).
    ii) War driving: The act of going around trying to find an open wireless connection.
    iii) SSID broadcast: The broadcast of the wireless network name (SSID) so that anybody can see it. This should be disabled and changed from its default.
    iv) Bluejacking: Using someone's Bluetooth signal without the person's knowledge. The bluejacker can send information and packets with your signal (so it gets traced to you). Turn off discovery mode to prevent this.
    v) Bluesnarfing: The unauthorized observation of data that is sent over the Bluetooth signal. Turn off discovery mode to protect yourself.
    vi) Rogue access points: A wireless access point (WAP) placed in a network with some sort of attack in mind. It is used as a sniffer to broadcast all the information that passes through the wired network. The first step if one is found is to disable it, contain it, or isolate the threat.
    vii) Weak encryption: WEP has weak encryption and is almost no help against an intrusion. WPA2 has the best encryption for a wireless network.

3) Access Control
  a) Identify and apply industry best practices for access control methods
    i) Implicit deny: Those who are not specifically allowed into the network are not allowed access.
    ii) Least privilege: The user is only allowed the specified privileges and nothing more (if you need to print, you can use the printer and nothing more).
    iii) Separation of duties: A principle that prevents any one person from being able to complete all the functions of a critical or sensitive process. This is to prevent fraud, theft, and errors.
    iv) Job rotation: Rotates each person through the different jobs to learn the processes and procedures of each. This keeps any one person from having the only knowledge about a job. It also prevents collusion (two or more people engaged in a secret activity for the purpose of fraud). Because of the rotation, one person is not working at the same activity long enough to effectively commit fraud.
  b) Explain common access control models and the differences between each
    i) MAC: Mandatory access control uses labels (assigned to users and objects) to determine access. Once matching labels are found, the appropriate access is granted. These labels are called Top Secret, Secret, and Confidential (the lattice model). Those who are Top Secret get access to Top Secret objects, and so on and so forth. This access method is broken down by labels.
    ii) DAC: Discretionary access control gives every object an owner, and the owner establishes access to his/her object. The owner has full and explicit control of the object. The owner can easily change the permissions, which makes this a dynamic access control. The only downside is that these dynamic changes in access make it susceptible to Trojan horse attacks (the owner unwittingly giving access to a disguised virus).
    iii) Role- and rule-based access control: Each user has a role and has access to the objects associated with that role. So a change in role is a change in access (phone answerer, head of department, RA guys, event managers, etc. all have different roles and thus different access).
  c) Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges
  d) Apply appropriate security controls to file and print resources
  e) Compare and implement logical access control methods
    i) ACL: Access control lists are used to specifically identify what traffic is allowed and what traffic is not allowed. Most ACLs run off of an implicit deny (if you don't have specific permission you are denied). Routers use ACLs as a list of rules that define what traffic is allowed.
    ii) Group policies: Allows an administrator to configure a setting once in the Group Policy Object (GPO) and apply the setting to many users and every computer in the domain. This can also be done for specific users and computers in the network (Organizational Units, OUs).
    iii) Password policy: Used to make sure that users have a secure enough password. The administrator can control password length, complexity, maximum age, minimum age, password history (prevent the use of previously used passwords), and storing passwords using reversible encryption (this is a very weak encryption).
    iv) Domain password policy: This just makes all the users in a domain follow the password policy.
    v) User names and passwords:
    vi) Time of day restrictions: Specifies when certain users can log onto the network.
    vii) Account expiration: Account expiration can be set to happen automatically and will not let the user log on after the set expiration.
    viii) Logical tokens: Used in a single sign-on environment to identify a user and a user's group memberships. Every user and group is identified with a security identifier (SID), and a logical token contains all the SIDs associated with a user.
  f) Summarize the various authentication models and identify the components of each
    i) One-, two- and three-factor authentication: There are three different factors of identification: something you know (password, username), something you have (CAC card, token, etc.), and something you are (biometrics, retina scanners, fingerprints, etc.). Three-factor authentication uses all three.
    ii) Single sign-on (SSO): The ability of a user to use a single set of credentials to sign on for an entire session. This increases security in that it reduces the temptation to write down passwords and other credentials.
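The password policy settings listed under 1c (Group Policies) and again under 3e (iii) above are easier to reason about when you see them enforced. The example below is added here and is not from the outline: it applies minimum length, complexity, minimum age, maximum age and password history to one account, and stores only salted one-way hashes (the opposite of the weak "reversible encryption" option). The numeric values and the "3 of 4 character classes" complexity rule are assumptions for illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    # Assumed values for the GPO settings the outline lists (illustrative only).
    min_length: int = 8
    max_age: timedelta = timedelta(days=90)
    min_age: timedelta = timedelta(days=1)
    history_size: int = 5
    complexity: bool = True  # assumed rule: 3 of 4 character classes


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # (salt, hash), newest last
    last_change: Optional[datetime] = None


def _hash(salt: bytes, password: str) -> bytes:
    # Salted, iterated one-way hash: the stored value cannot be turned back
    # into the password, unlike storage with reversible encryption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _meets_complexity(pw: str) -> bool:
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def check_new_password(acct: Account, candidate: str,
                       policy: PasswordPolicy, now: datetime) -> Optional[str]:
    """Return None if the candidate is acceptable, else the setting it violates."""
    if len(candidate) < policy.min_length:
        return "minimum password length"
    if policy.complexity and not _meets_complexity(candidate):
        return "complexity requirements"
    if acct.last_change is not None and now - acct.last_change < policy.min_age:
        return "minimum password age"
    # Enforce password history: reject any of the last N passwords.
    for salt, digest in acct.history[-policy.history_size:]:
        if _hash(salt, candidate) == digest:
            return "enforce password history"
    return None


def set_password(acct: Account, candidate: str,
                 policy: PasswordPolicy, now: datetime) -> None:
    reason = check_new_password(acct, candidate, policy, now)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(16)
    acct.history.append((salt, _hash(salt, candidate)))
    acct.last_change = now


def password_expired(acct: Account, policy: PasswordPolicy, now: datetime) -> bool:
    """Maximum password age: a never-set or too-old password must be changed."""
    return acct.last_change is None or now - acct.last_change > policy.max_age


def run_demo() -> list:
    """Walk one account through the policy; returns the outcome of each step."""
    policy = PasswordPolicy()
    acct = Account("alice")
    t0 = datetime(2024, 1, 1)
    out = [
        check_new_password(acct, "short", policy, t0),
        check_new_password(acct, "alllowercase", policy, t0),
        check_new_password(acct, "Winter-2024", policy, t0),
    ]
    set_password(acct, "Winter-2024", policy, t0)
    out.append(check_new_password(acct, "Spring-2024", policy, t0 + timedelta(hours=2)))
    out.append(check_new_password(acct, "Winter-2024", policy, t0 + timedelta(days=2)))
    out.append(password_expired(acct, policy, t0 + timedelta(days=30)))
    out.append(password_expired(acct, policy, t0 + timedelta(days=91)))
    return out


if __name__ == "__main__":
    print(run_demo())
```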
g) Deploy various authentication models and identify the components of eachi) Biometric reader: There are three types of biometric readers: retina scanners, fingerprint scanners, and hand written signature. There are four possible results from the scanning process: False acceptance (accepts and unauthorized user), false rejection (incorrectly rejects an authorized user), True acceptance (correctly accepts an authorized user), and True rejection (accurately determines an unauthorized user). ii) RADIUS: Remote authentication Dial-in user service is a centralized authentication service. Instead of each RAS server needing separate databases to know who to authenticate, they send the info to the RADIUS and they are authenticated there. iii) RAS: Remote access service is used to provide access to an internal network from an outside source. RADIUS and TACACS/TACACS+ provide a centralized method of authentication of multiple RAS servers. This uses multiple authentication mechanism: PAP, CHAP, MS-CHAP, MS-CHAPv2.iv) LDAP: Lightweight Directory access protocol specifies formats and methods to query directories. Active Directory uses this protocol format. It is also an extension of the X.500 standard.v) Remote access policies: These are used after the authentication to control access to a network. This can allow or deny access to the connection. One or more of the conditions stated in the policy must be met before access is allowed. These can be used to control ho and when users connect to the server(from home or from work etc.).vi) Remote authentication: This is what allows a user to access a network from outside the network (like connecting to Area52 from home). vii) VPN: Virtual private network allows a connection to a private network over a public one (i.e. the Internet). The VPN server has a public IP that allows it to connect to any other host on the internet. Tunneling is what connects the network together. 
These tunnels are: L2F not used, PPTP has known vulnerabilities, and L2TP is the most common and secured with IPSec (not compatible with NAT, so the VPN has to communicate with a public IP). SSTP is a already secured tunnel that is compatible with NAT, VPN can have private and public IPs (this is brand new and not implemented much yet).viii) Kerberos: this is a commonly used authentication protocol used in Windows. This uses time-stamped tickets to insure time synchronization between computers. It is symmetric and the most common method for distributing its tickets is the Key Distribution Center (KDC). The PKI is for asymmetric key distribution. ix) CHAP: Challenge Hand-shake authentication protocol is a much used authentication method. It is where a client tries to log in, the server sends back a nonce(number used once), the client sends back a common secret (PIN number etc., and it is encrypted), the server then compares the response and the nonce with what it knows. If it matches, we have authentication. x) PAP: Password authentication policy sends passwords over for authentication in clear text. This is rarely used today. xi) Mutual: This is where the user authenticates himself to the server and the server authenticates himself to the user. xii) 802.1x: the IEEE 802.1x protocol is designed to provide authentication when a user connects to a specific access point, a logical port. This is used to secure the authentication process before the client is accepted into the server. WEP is the worst type of security, WPA is the second best, and WPA2 is the best and newest. xiii) TACACS and TACACS+: This is the same as RADUIS but it encrypts both the username and password. h) Explain the difference between identification and authentication (indentify proofing): Authentication is simple giving the authenticator previously known credentials. 
Identity proofing is something that is used to identify before those credentials are issued, as an extra measure of identification, or to grant access if the user forgets their credentials. Identity proofing can be seen in drivers licenses, safety questions (mothers maiden name, etc.), and birth certificates etc. i) Explain and apply physical access security methodsi) Physical access logs/lists: We are given building access cards and a unique PIN number for when the building goes into security lock down. Access logs/lists contain the information of who entered/exited the building and when. This can be used to show when piggybacking (following somebody closely to gain access) and tailgating (same thing but with a car) has occurred (when there is no record of entrance of there is a record of exiting). ii) Hardware locks: Everyday locks you have in your house (deadbolts, etc.).iii) Physical access control ID badgesiv) Door access systems: Door only opens with the use of some sort of access method (access car, PIN, etc). v) Man-trap: These are used as protection against piggybacking/tailgating. Mantraps are buffer areas that are placed between the unsecure sector and the secure one. They usually capture the attacker thus preventing them from going forward or backwards. An example of this is a turnstile that can be locked before turning completely to the other side. vi) Physical tokens: These are one time passwords that are physical and in your hand. It may be a key fob (a little LED display that has a password that changes every 60 sec or so and is synchronized with the server). vii) Video surveillance camera types and positioning: Place them in public areas, alert employees of their existence, and do not record audio. Place them around and in the secured areas. The different types of cameras are: wireless, wired, low-light (can record in low-light conditions), color, and black-and-white (usually low-light cameras are black/white). 
Camera positioning is very important (entrances, exits and overall activity). There are also fixed cameras and PTZ (pan, tilt, zoom) cameras.
4) Assessment and Audits
a) Conduct risk assessments and implement risk mitigation: Risk assessment is the first step in risk management. It can be done in two ways, quantitative and qualitative. Quantitative assessment measures in monetary terms. Its two inputs are asset value (the revenue value or replacement value of an asset) and impact (the negative result of the attack, expressed as the exposure factor, the fraction of the asset's value lost in one incident). From these you derive: single loss expectancy (SLE = asset value x exposure factor), annualized rate of occurrence (ARO, how many times per year the event is expected) and annualized loss expectancy (ALE = SLE x ARO, the two earlier values multiplied). A control is worth buying when its annual cost is less than the ALE it removes. Qualitative assessment is based on probability and impact rated low/medium/high or on a 1-10 scale: probability is the likelihood the event will occur and impact is the negative result; multiply the two to get the risk score and rank risks by it.
b) Carry out vulnerability assessments using common tools
i) Port scanners: determine which ports are open on a system. Administrators use them to find ports that do not need to be open; attackers use them to find gaps in the defenses.
ii) Vulnerability scanners: the most effective way to identify security holes. They look for weak passwords, open ports, missing patches and much more. Nessus is a popular one.
iii) Protocol analyzers: capture and display packets on a network. Anything sent in clear text can be read by a protocol analyzer. Wireshark is a popular one. It can be used to discover passwords sent in clear text, analyze TCP/IP traffic to understand SYN flood attacks or malformed packets, and study traffic of a specific protocol.
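The quantitative and qualitative calculations above, carried through as an added worked example (not from the study guide). The asset values, exposure factor, occurrence rates and control costs are constructed figures chosen to show the cost/benefit decision, not real data.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost in one incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected occurrences per year)."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Positive means the control saves more loss per year than it costs."""
    return (ale_before - ale_after) - annual_control_cost


def qualitative_score(probability: int, impact: int) -> int:
    """Probability and impact on a 1-10 scale; the product is the risk score."""
    for value in (probability, impact):
        if not 1 <= value <= 10:
            raise ValueError("ratings are integers from 1 to 10")
    return probability * impact


def rank_qualitative(risks: dict) -> list:
    """risks: name -> (probability, impact). Returns (name, score) highest risk first."""
    scored = [(name, qualitative_score(p, i)) for name, (p, i) in risks.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def quantitative_example() -> dict:
    # Constructed scenario: a customer-facing web server worth 50,000; a compromise
    # costs 60% of that value and currently happens about twice a year.
    sle = single_loss_expectancy(50_000.0, 0.6)               # 30,000 per incident
    ale_before = annualized_loss_expectancy(sle, 2.0)         # 60,000 per year
    ale_after = annualized_loss_expectancy(sle, 0.25)         # with a control: once in 4 years
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        # A 15,000/year control that cuts ARO from 2 to 0.25 is worth it...
        "waf_net_benefit": control_net_benefit(ale_before, ale_after, 15_000.0),
        # ...a 70,000/year control giving the same reduction is not.
        "gold_plated_net_benefit": control_net_benefit(ale_before, ale_after, 70_000.0),
    }


def qualitative_example() -> list:
    # Constructed ratings on the 1-10 scale.
    return rank_qualitative({
        "unpatched VPN appliance": (8, 9),
        "lost laptop": (6, 7),
        "river flood": (1, 10),
    })


if __name__ == "__main__":
    print(quantitative_example())
    print(qualitative_example())
```

Note how the flood, despite the maximum impact rating, ranks last once probability is taken into account; that is why the score is the product and not the impact alone.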
A protocol analyzer runs in one of two modes: promiscuous (captures all traffic that reaches the NIC, including frames addressed to other hosts) and non-promiscuous (only traffic addressed to the NIC).
iv) OVAL: Open Vulnerability and Assessment Language is an international standard that vulnerability scanners follow. The three standard steps are: collecting system characteristics and configuration information, analyzing the system to determine its current state, and reporting the results.
v) Password crackers: The attack types are dictionary (tries common words and known passwords), brute force (tries every possible combination) and precomputed or rainbow-table attacks (looks a captured hash up in a table of hashes computed in advance; a per-user random salt defeats this because the table would have to be rebuilt for every salt). Tools: John the Ripper (multi-platform, often used to find weak passwords), Cain and Abel (Windows; can sniff, and run dictionary, brute-force and cryptanalysis attacks), Ophcrack (Windows, uses rainbow tables), AirSnort (recovers WEP keys on wireless), Aircrack (WEP and WPA cracking), L0phtCrack (older Windows systems).
c) Network mappers: Nmap is a popular network mapping tool that combines the features of a ping scanner and a port scanner to learn which systems are up and which services are running on them.
d) Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning: Vulnerability scanning only finds the vulnerable places and is safe to run routinely. Penetration testing actively tries to exploit those vulnerabilities to show what an attacker could achieve, so it can disrupt systems and needs written authorization and an agreed scope before it starts.
e) Use monitoring tools on systems and networks and detect security related anomalies
i) Performance monitor: shows the system's performance. It is used to create a performance baseline by taking readings every 30 minutes for 7 days.
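The three password-cracking attack types above, side by side, as an added worked example (not from the study guide). It shows why a salt breaks a precomputed table but does not save a weak password from a per-hash dictionary attack, and where a deliberately slow hash fits. The wordlist, the stolen hashes and the fixed salt are constructed for a repeatable run.

```python
import hashlib

# Constructed wordlist; real ones run to millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024", "dragon"]


def unsalted_sha1(password: str) -> str:
    """The way weak systems store passwords: same password, same hash, everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Salted: the same password hashes differently for every user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and deliberately slow: every guess costs the attacker 100,000 hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(wordlist) -> dict:
    """Precomputed attack. A rainbow table is a space-compressed form of this same idea."""
    return {unsalted_sha1(word): word for word in wordlist}


def table_attack(table: dict, stolen_hash: str):
    """One dictionary lookup per stolen hash, no hashing at crack time."""
    return table.get(stolen_hash)


def dictionary_attack(stolen_hash: str, salt: bytes, wordlist, hasher=salted_sha256):
    """Must hash every candidate with this user's salt; no sharing of work between users."""
    for candidate in wordlist:
        if hasher(candidate, salt) == stolen_hash:
            return candidate
    return None


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    salt = bytes.fromhex("a1b2c3d4e5f60718")   # per-user random salt; fixed here for repeatability
    stolen_unsalted = unsalted_sha1("letmein")
    stolen_salted = salted_sha256("letmein", salt)
    stolen_slow = slow_hash("letmein", salt)
    return {
        "table_hit_unsalted": table_attack(table, stolen_unsalted),          # found instantly
        "table_hit_salted": table_attack(table, stolen_salted),              # table is useless
        "dictionary_hit_salted": dictionary_attack(stolen_salted, salt, WORDLIST),
        "dictionary_hit_slow": dictionary_attack(stolen_slow, salt, WORDLIST, slow_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The salt forces the attacker back to per-hash guessing; the slow hash makes each of those guesses expensive; neither helps a password that sits in the first few hundred lines of every wordlist, which is what password-complexity policy is for.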
An attack shows up as a large change in performance with no apparent cause (CPU, memory, disk or network use well above the baseline for that time of day).
ii) Systems monitor
iii) Performance: a computer's performance changes when it is under attack.
iv) Baseline: needed to show what performance is normal under working and non-working (idle, off-hours) conditions.
v) Protocol analyzers
f) Compare and contrast various types of monitoring methodologies
i) Behavior-based: watches what a program or host does (mass file writes, unexpected outbound connections) rather than what it looks like; in practice this is the same idea as anomaly-based detection.
ii) Signature-based: uses a database of predetermined traffic patterns, so it recognizes the type of attack by name. Simplest and easiest to implement, but it cannot detect an attack that has no signature yet.
iii) Anomaly-based: the system creates a baseline of normal behavior and flags anything that deviates from it. It can catch unknown attacks, but it produces false positives whenever legitimate behavior changes, and the baseline must be built while the system is known to be clean.
g) Execute proper logging procedures and evaluate the results
i) Security application
ii) DNS
iii) System
iv) Performance
v) Access
vi) Firewall
vii) Antivirus
h) Conduct periodic audits of system security settings
i) User access and rights review
ii) Storage and retention policies
iii) Group policies
5) Cryptography
a) Explain general cryptography concepts
i) Key management (for the exam it is easiest to think of keys and certificates together): The main questions are where keys are generated and where they are stored. Centralized generation (all keys for a group are made in one location, e.g. one domain; generally considered best because it can be controlled and audited), decentralized generation (keys are made on individual computers) and the hybrid model (some keys made each way). Key escrow is storing a copy of a key with a trusted third party so it can be recovered later; a recovery agent is the person authorized to retrieve keys from escrow.
ii) Steganography: hiding one file inside another, e.g. a piece of code (malicious or not) hidden inside a picture. The usual method is least-significant-bit (LSB) embedding: each color value of a pixel (red, green, blue, each 0-255) has its lowest bit replaced with one bit of the hidden message, which changes the color so little that the eye cannot see the difference.
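The baseline-then-detect approach from the performance-monitor and anomaly-based items above, as an added worked example (not from the study guide). It builds a per-time-slot baseline from 7 days of readings taken every 30 minutes, then flags readings that fall well outside it. The CPU series is synthetic and deterministic so the run is repeatable; a real baseline would come from the monitoring tool's export.

```python
import statistics
from collections import defaultdict

SLOTS_PER_DAY = 48                # one reading every 30 minutes
WORK_START, WORK_END = 18, 36     # 09:00 to 18:00 expressed as half-hour slots


def synthetic_reading(day: int, slot: int) -> float:
    """Constructed CPU% series: ~20% idle, ~60% in working hours, small deterministic jitter."""
    base = 60.0 if WORK_START <= slot < WORK_END else 20.0
    return base + (day * 7 + slot * 3) % 5


def build_baseline(days: int = 7) -> dict:
    """Per-slot mean and standard deviation over the baseline period."""
    by_slot = defaultdict(list)
    for day in range(days):
        for slot in range(SLOTS_PER_DAY):
            by_slot[slot].append(synthetic_reading(day, slot))
    return {slot: (statistics.mean(v), statistics.pstdev(v)) for slot, v in by_slot.items()}


def slot_to_clock(slot: int) -> str:
    return f"{slot // 2:02d}:{'30' if slot % 2 else '00'}"


def detect_anomalies(baseline: dict, readings, sigma: float = 3.0, floor: float = 1.0) -> list:
    """Flag a reading more than `sigma` standard deviations above its slot's mean.

    `floor` stops a slot whose baseline never varied from flagging trivial noise."""
    flagged = []
    for slot, value in readings:
        mean, sd = baseline[slot]
        if value > mean + sigma * max(sd, floor):
            flagged.append((slot_to_clock(slot), slot, value, round(mean, 1)))
    return flagged


def demo() -> list:
    baseline = build_baseline()
    today = {slot: synthetic_reading(7, slot) for slot in range(SLOTS_PER_DAY)}
    today[6] = 95.0    # 03:00: heavy load where the baseline says the box is idle
    today[20] = 80.0   # 10:00: high even for working hours; only the per-slot baseline shows it
    return detect_anomalies(baseline, sorted(today.items()))


if __name__ == "__main__":
    for clock, _, value, mean in demo():
        print(f"{clock}: {value}% vs baseline {mean}%")
```

A signature-based tool would say nothing about either spike because there is no signature for "too busy"; the anomaly detector catches both, and would equally flag a legitimate month-end batch job, which is the false-positive trade-off the guide mentions.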
This can be done in any media type file (image, audio, video).
iii) Symmetric key: a shared secret key, where the data is encrypted and decrypted with the same key. Used for LARGE and FAST encryption. The problem is getting the secret key to the other party securely (key distribution).
iv) Asymmetric key: public key encryption, where a message is encrypted with the recipient's public key and decrypted with their private key. The keys are mathematically related, but the private key cannot feasibly be derived from the public one. Everyone may know your public key; only you hold your private key. A digital signature runs the other way: the sender signs with their private key (with RSA, by encrypting a hash of the message) and anyone can verify with the public key, which shows the message came from the holder of that private key. If you do not know what keys are, LEARN QUICKLY!!!
v) Confidentiality: only the people you intend can read the data.
vi) Integrity and availability: integrity means the data has not been changed; availability means it is accessible to the people who are supposed to reach it.
vii) Non-repudiation: the sender really is who sent it and cannot deny having done so. This needs an asymmetric signature: a shared symmetric key could have been used by either party.
viii) Comparative strength of algorithms: these are mathematical in nature. AES is the standard choice; it uses a 128-bit block and 128-, 192- or 256-bit keys. DES is weak (56-bit key) and 3DES applies DES three times to the data.
ix) Digital signatures: use an asymmetric key pair for integrity and non-repudiation (signed with the private key, verified with the public key).
x) Whole disk encryption: encrypts every sector of the disk, so data at rest is protected even if the drive is removed from the machine. Strong and transparent once set up, but the initial encryption of an existing disk takes a long time.
xi) Trusted Platform Module (TPM): a hardware chip on the motherboard that generates and stores cryptographic keys so they never leave the chip in the clear. It can seal a key to the measured state of the platform (firmware and boot loader), so whole-disk encryption such as BitLocker only unlocks when the machine boots untampered; a PIN or password can be required as a further factor. It is hardware plus firmware, not just software, which is what makes it resistant to extraction of the key from the disk.
xii) Single- vs. dual-sided certificates: Single-sided means only one direction is validated (usually the server proving its identity to the clients); the clients do not prove theirs back.
In mutual authentication, two single-sided certificates can be used (one for the client, one for the server), or one dual-sided certificate deployment: two certificates are issued, one to the server and a matching one to the client, and each side validates the other. Dual-sided (mutual) certificate authentication is practical only with a small number of clients because every client needs its own certificate.
xiii) Use of proven technologies: use standard, publicly reviewed algorithms and libraries rather than home-grown ones.
b) Explain basic hashing concepts and map various algorithms to appropriate applications (KNOW what HASHING IS!!!)
i) Hashing: gives the data a fingerprint of a fixed length. It does NOT encrypt; it is used for integrity (and, combined with a key, for authentication as an HMAC). Hashes are ONE-WAY: you cannot un-hash a digest to get the original message, and a good hash makes it infeasible to find two inputs with the same digest (a collision).
ii) SHA: the Secure Hash Algorithm family, with several output lengths. SHA-0 (withdrawn), SHA-1 (160 bits; was the most popular, but practical collisions have since been demonstrated and it should not be used for signatures) and SHA-2 (SHA-224/256/384/512); SHA-3 was still being worked on at the time and has since been standardized. The names run from shortest to longest.
iii) MD5: Message Digest 5 produces a 128-bit hash. Collisions are cheap to find, so it is unsuitable wherever collision resistance matters.
iv) LANMAN: the oldest Windows password hash; trivially crackable (it uppercases the password and splits it into two 7-character halves hashed separately) and not used any more.
v) NTLM: introduced as an improvement over LANMAN. Still weaker than a SHA-family hash (it is an unsalted MD4 of the password, so identical passwords give identical hashes).
c) Explain basic encryption concepts and map various algorithms to appropriate applications
i) DES: symmetric block cipher. Very weak: its key is only 56 bits and can be brute-forced.
ii) 3DES: Triple DES runs DES three times with two or three different 56-bit keys. Processor intensive and slow.
iii) RSA: an asymmetric algorithm whose security rests on the difficulty of factoring the product of two large primes. Key lengths are 1024 and, increasingly, 2048 bits (2048 is now the minimum recommended). THOSE ARE HUGE PRIME NUMBERS!!!
iv) PGP: Pretty Good Privacy is used for email. It uses certificates for authentication, but where certificates are usually validated by a certificate authority (CA), PGP uses a web of trust: users sign each other's keys, and you accept a key based on who has vouched for it rather than on a central third party. It is decentralized and peer-to-peer.
v) Elliptic curve: uses elliptic-curve mathematics to get the same security as RSA with much shorter keys, so it is usually used on small, handheld and embedded devices.
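An added worked example (not from the study guide) tying together the hashing item above and the asymmetric-key and digital-signature items from the previous section: hash the message, sign the hash with the private key, verify with the public key, and watch verification fail on a tampered message or the wrong key. The RSA here is a deliberately tiny toy built from two fixed Mersenne primes (a ~92-bit modulus, against 2048 bits for a real key) and it reduces the hash modulo n, which a real scheme never does; it is here to make the private-key/public-key relationship visible, not for use.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fixed-length fingerprint; any change to the input changes it."""
    return hashlib.sha256(data).hexdigest()


# Toy parameters (assumed for the example): real keys use random primes of ~1024 bits each.
P = 2**61 - 1
Q = 2**31 - 1


def toy_keygen(p: int = P, q: int = Q, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    # Sign the hash, not the message: it has a fixed size whatever the message length.
    # Reducing mod n is a toy-only shortcut so the value fits the tiny modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)          # "encrypt with the private key"


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)   # "decrypt with the public key"


def demo() -> dict:
    public_key, private_key = toy_keygen()
    message = b"Transfer 100 to account 42"
    signature = sign(private_key, message)
    other_public, _ = toy_keygen(p=2**89 - 1, q=2**31 - 1)   # somebody else's key pair
    return {
        "verifies": verify(public_key, message, signature),
        "tampered": verify(public_key, b"Transfer 900 to account 42", signature),
        "wrong_key": verify(other_public, message, signature),
        "digest_changes": sha256_hex(message) != sha256_hex(message + b" "),
    }


if __name__ == "__main__":
    print(demo())
```

The "tampered" case is the integrity property of the hash and the "wrong_key" case is the non-repudiation property of the signature: only the holder of the matching private key could have produced a value that the public key turns back into this message's digest.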
vi) AES: Advanced Encryption Standard supports 128-, 192- and 256-bit keys and is considered the strongest of the common ciphers and the fastest of the strong ones (modern CPUs accelerate it in hardware).
vii) AES256: AES with a 256-bit key.
viii) One-time pad: a key as long as the message that is used only once; used correctly it is unbreakable, because the ciphertext carries no information about the plaintext. The guide compares it to a physical key fob (a display showing a code, synchronized with the server, that changes every 60 seconds or some other interval); strictly that is a one-time password, not a one-time pad, but both rest on never using a value twice.
ix) Transmission encryption (WEP, TKIP, etc.): WEP uses the RC4 stream cipher, which was not the problem; WEP's key management was horrible (a 24-bit IV prepended to a static shared key, so keystreams repeat after a few thousand frames and the key itself can be recovered), making WEP the worst option. TKIP (Temporal Key Integrity Protocol) shipped with WPA (Wi-Fi Protected Access) as a replacement for WEP. It still uses RC4 but derives a fresh per-packet key through TKIP. Older users and hardware still use it; newer hardware uses WPA2, which replaces RC4 with AES (CCMP).
d) Explain and implement protocols
i) SSL/TLS: SSL (Secure Sockets Layer) is commonly used on the internet to encrypt data; the exam places it at the session layer of the OSI model. It uses both symmetric encryption (for the bulk data) and asymmetric encryption (to establish the secret session key the symmetric cipher then uses). Transport Layer Security (TLS) was created as the standardized replacement for SSL (the name SSL is still widely used for it) and the exam places it at the transport layer. TLS does essentially the same thing the same way; both can use RSA key transport or the Diffie-Hellman key exchange to agree the session key privately, and modern TLS prefers ephemeral Diffie-Hellman because a later compromise of the server's private key then cannot decrypt recorded sessions.
ii) S/MIME: Secure/Multipurpose Internet Mail Extensions is an email security standard used in messaging applications. It provides confidentiality, integrity, authentication and non-repudiation. It runs on a Public Key Infrastructure and uses digital signatures.
iii) PPTP: Point-to-Point Tunneling Protocol is a tunneling protocol used to build VPNs. It has known vulnerabilities (its MS-CHAPv2 authentication can be cracked) and is being phased out.
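The WEP point above, that RC4 itself was fine but reusing the IV with a static key is fatal, shown as an added worked example (not from the study guide): a from-scratch RC4, two frames encrypted under the same IV, and an attacker who recovers one plaintext from the other and then forges a frame, all without the key. The 40-bit key, IV and frame contents are constructed; the real WEP frame also carries a CRC-32 ICV, omitted here.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP body: 3-byte IV in the clear, then RC4(IV || key) XOR plaintext."""
    return iv + xor_bytes(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def wep_decrypt(frame: bytes, shared_key: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(rc4_keystream(iv + shared_key, len(body)), body)


def frames_until_iv_collision(probability: float = 0.5, iv_space: int = 2**24) -> int:
    """Birthday bound: frames sent before two share an IV with the given probability."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - probability))))


def demo() -> dict:
    shared_key = bytes.fromhex("0badc0de42")   # constructed 40-bit WEP key
    iv = bytes.fromhex("010203")               # the same IV used for two frames
    p1 = b"GET /admin/config HTTP/1.1"
    p2 = b"GET /images/a.gif HTTP/1.1"         # same length; a frame the attacker can guess
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    # Attacker has c1, c2 and a guess for p2, but no key: the keystream cancels in c1 XOR c2.
    recovered_p1 = xor_bytes(xor_bytes(c1[3:], c2[3:]), p2)
    keystream = xor_bytes(c2[3:], p2)          # known plaintext gives the keystream for this IV...
    forged = iv + xor_bytes(keystream, b"GET /admin/delete HTTP/1.1")   # ...which forges a frame
    return {
        "recovered_p1": recovered_p1,
        "forged_decrypts_to": wep_decrypt(forged, shared_key),
        "frames_for_50pct_collision": frames_until_iv_collision(),
    }


if __name__ == "__main__":
    print(demo())
```

With a 24-bit IV, roughly 4,800 frames are enough for a 50% chance that some IV has already repeated, and a busy access point sends that many in seconds. TKIP's per-packet keys and WPA2's CCMP remove the repetition; the cipher was never the weak link.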
It is encrypted with Microsoft Point-to-Point Encryption (MPPE, which uses RC4).
iv) HTTP vs. HTTPS vs. S-HTTP: all deliver HTML (HyperText Markup Language) pages. HTTP (port 80) is not secure. HTTPS (port 443) runs HTTP inside an SSL/TLS session, so the whole exchange is encrypted. S-HTTP is an alternative that encrypts individual messages rather than the connection; it is rarely used.
v) L2TP: Layer 2 Tunneling Protocol is more commonly used than PPTP. It combines Layer 2 Forwarding (L2F) and PPTP. It does not encrypt the tunnel itself, so it is normally paired with IPsec (L2TP/IPsec).
vi) IPsec: a protocol suite that secures IP traffic, commonly used to protect L2TP tunnels. It has two protocols: Authentication Header (AH), which provides integrity and authentication only, with no encryption; and Encapsulating Security Payload (ESP), which encrypts the data for confidentiality (and can also provide integrity). Because ESP encrypts ALL data passing through the tunnel, network IDS and antivirus on the path cannot inspect it; malware inside the tunnel can only be detected at the endpoints after decryption.
vii) SSH: Secure Shell creates an encrypted channel between two computers, so sniffing attacks and protocol analyzers on the wire see only ciphertext. Common uses: securely log in to a remote host, remotely execute a command, and transfer files securely (SFTP/SCP). It replaces Telnet (port 23) and plain FTP, using port 22.
e) Explain core concepts of public key cryptography
i) Public Key Infrastructure (PKI): the set of technologies and procedures used to request, create, manage, store, distribute and revoke digital certificates. It is based on asymmetric cryptography. Know about CAs, certificates and key management.
ii) Recovery agent: a person or group authorized to recover or restore cryptographic keys. One person may hold the whole key, or several people may each hold a piece and must combine them to recover it (M-of-N control), so no single person can recover keys alone.
iii) Public key: the key that everyone may know and that is unique to you.
iv) Private key: the key that only you know.
v) Certificate Authority (CA): the entity that issues certificates.
A certificate is only useful if the party you present it to trusts the CA that issued it: if a website trusts the CA and you hold a certificate from that CA, your certificate will get you access. CAs are public or private. Public CAs are accessible to everyone and trusted by default in browsers (this is the majority). Private CAs are run inside an organization, commonly to support Outlook Web Access (OWA) and similar internal services; they are used when a more tightly controlled connection is wanted and only certain groups should be able to obtain certificates from the CA.
vi) Registration: the registration authority (RA) verifies the requester's identity before the CA issues the certificate.
vii) Key escrow: a place where copies of keys are stored so they can be recovered.
viii) Certificate Revocation List (CRL): (pronounced "crill") the list of certificates the CA has revoked before their expiry date. Common reasons for revocation: the private key was compromised, the CA discovered the certificate was improperly used or issued, or the certificate has been superseded. A relying party should check the CRL (or OCSP) before trusting a certificate; an unexpired certificate is not necessarily a valid one.
ix) Trust models: two main ways to decide whether a CA is trusted. In the hierarchical model there is a root CA; if the root is trusted, every subordinate CA beneath it, and every certificate that chains up to it, is trusted. In the web of trust, trust is peer-to-peer (as in PGP).
f) Implement PKI and certificate management
i) Public Key Infrastructure (PKI)
ii) Recovery agent
iii) Public key
iv) Private keys
v) Certificate Authority (CA)
vi) Registration
vii) Key escrow
viii) Certificate revocation list (CRL)
6) Organizational security
a) Explain redundancy planning and its components
i) Hot site: the most expensive backup site option. It includes software, equipment and communications, is essentially a duplicate of the original site kept ready but not in production, and can take over operations in minutes.
ii) Cold site: basic utilities and space only; the cheapest, but the slowest to get running.
iii) Warm site: somewhere between the two options above.
iv) Backup generator: takes over when the primary power source fails. Usually an uninterruptible power supply (UPS) carries the load while the generator starts up.
v) Single point of failure: a component whose failure makes the whole system inoperable.
vi) RAID: Redundant Array of Independent (or Inexpensive) Disks covers several disk redundancy models. The main ones are RAID 0, RAID 1, RAID 5 and RAID 10. RAID 0 is not redundant at all: it only stripes (different pieces of data are stored on different disks) so reads and writes are faster, and every disk must be present to have all the data; losing one disk loses everything. RAID 1 is mirroring: one disk is written and a second disk records exactly the same thing, so either can fail. RAID 5 stripes the data across at least three disks and adds parity: for each stripe, one disk's block holds the XOR of the other disks' blocks (the parity block rotates between the disks), so if any one disk fails its contents can be rebuilt from the remaining disks; it is not a copy of the data, which is why RAID 5 only survives a single failure. RAID 10 combines RAID 1 and RAID 0 (mirrored pairs that are striped).
vii) Spare parts: spare parts kept on hand for the machines.
viii) Redundant servers: used in failover clusters, where two or more servers form a cluster. At least one server is active and at least one is passive; when the active server goes down, the passive one is activated and takes over the load.
ix) Redundant ISP: a company that needs constant internet access should contract with more than one Internet Service Provider in case the main link goes down.
x) UPS: an uninterruptible power supply holds enough battery power to keep the system up for 5-10 minutes (sometimes longer or shorter), which lets the secondary power supply (backup generator) start and take the load, or lets systems shut down cleanly.
xi) Redundant connections
b) Implement disaster recovery procedures
i) Planning
ii) Disaster recovery exercises
iii) Backup techniques and practices storage: There are three types of backups: full, incremental and differential. A full backup copies everything and usually takes a very long time. An incremental backup copies only the information that has changed since the previous backup of any type (full or incremental), so it is fast and small.
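The RAID 5 parity idea above, as an added worked example (not from the study guide): lay data out across three simulated disks with rotating XOR parity, "fail" any one disk, and rebuild its blocks from the survivors. The disks are in-memory lists of blocks and the data string is constructed; a real controller does the same arithmetic per sector.

```python
from functools import reduce


def xor_blocks(blocks) -> bytes:
    """XOR equal-length blocks together; the parity block is the XOR of the data blocks."""
    return reduce(lambda acc, blk: bytes(x ^ y for x, y in zip(acc, blk)), blocks)


def raid5_write(data: bytes, n_disks: int = 3, block_size: int = 4) -> list:
    """Return n_disks lists of blocks. Each stripe holds n_disks-1 data blocks plus one parity block."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    stripe_bytes = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)    # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - s) % n_disks              # parity rotates one disk left per stripe
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(blocks) if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks: list, failed=frozenset(), length=None) -> bytes:
    """Read the data back, rebuilding one failed disk's blocks from the others."""
    failed = set(failed)
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates one failed disk; a second failure loses the array")
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n - 1 - s) % n
        stripe = [None if d in failed else disks[d][s] for d in range(n)]
        for f in failed:
            # XOR of every surviving block (data and parity) is exactly the missing block
            stripe[f] = xor_blocks([blk for blk in stripe if blk is not None])
        for d in range(n):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out[:length]) if length is not None else bytes(out)


DATA = b"The quick brown fox jumps over the lazy dog"   # constructed payload


def demo() -> dict:
    disks = raid5_write(DATA)
    results = {f"disk{f}_failed_ok": raid5_read(disks, {f}, len(DATA)) == DATA for f in range(3)}
    results["no_failure_ok"] = raid5_read(disks, length=len(DATA)) == DATA
    return results


if __name__ == "__main__":
    print(demo())
```

Rebuilding works because XOR is its own inverse: parity = d0 XOR d1, so d1 = parity XOR d0. It also shows the limit: with two blocks of a stripe missing there is one equation and two unknowns.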
To restore, the last full backup and every incremental backup taken since it must be restored in order. A differential backup copies all the information that has changed since the last full backup, so each differential grows and supersedes the previous one (it contains everything the earlier differential had plus the newer changes). To restore you need only the last full backup and the latest differential.
iv) Schemes
v) Restoration
c) Differentiate between and execute appropriate incident-response procedures
i) Forensics: analyzing the computer to investigate a crime, working from a verified copy of the evidence (hash the image before and after analysis) rather than the original.
ii) Chain of custody: documents who handled the evidence, when and why, from collection onward, proving that the evidence presented is the evidence that was found.
iii) First responders
iv) Damage and loss control
v) Reporting and disclosure
d) Identify and explain applicable legislation and organizational policies
i) Secure disposal of computers
ii) Acceptable use policies
iii) Password complexity
iv) Change management
v) Classification of information
vi) Mandatory vacations
vii) Personally identifiable information (PII)
viii) Due care: the steps a company has actually taken to protect against the risks.
ix) Due diligence: the company's obligation to spend appropriate time and effort to identify the risks to the data and systems it manages.
x) Due process
xi) SLA: a service level agreement is the level of service a vendor commits to (example: Alabama Power guarantees power 99.9% of the time; falling below that percentage is a breach of the SLA).
xii) Security-related HR policy
xiii) User education and awareness training
e) Explain the importance of environmental controls
i) Fire suppression: don't use water on electronics, and don't use CO2 where people are present.
ii) HVAC: heating, ventilation and air conditioning.
iii) Shielding
f) Explain the concept of and how to reduce the risks of social engineering (you should already know what these are and how to prevent them; it is just logical)
i) Phishing
ii) Hoaxes
iii) Shoulder surfing
iv) Dumpster diving
v) User education and awareness training
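The full/incremental/differential trade-off from the backup item above, simulated as an added worked example (not from the study guide): a week of constructed file changes, the backup sets each scheme would produce, which sets a restore needs, and how much each scheme stores. File names and contents are placeholders.

```python
# Constructed change history: day 0 is the Sunday full backup; values stand in for file contents.
CHANGES = {
    0: {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},
    1: {"a.txt": "a1"},
    2: {"b.txt": "b2"},
    3: {"a.txt": "a3", "d.txt": "d3"},
    4: {"c.txt": "c4"},
}


def take_backups(changes: dict, scheme: str) -> list:
    """Return [(day, kind, files)] as the nightly job would produce them under `scheme`."""
    if scheme not in ("incremental", "differential"):
        raise ValueError("scheme must be 'incremental' or 'differential'")
    state, since_full, since_any = {}, {}, {}
    backups = []
    for day in sorted(changes):
        for tracker in (state, since_full, since_any):
            tracker.update(changes[day])
        if day == 0:
            backups.append((day, "full", dict(state)))
            since_full, since_any = {}, {}
        elif scheme == "incremental":
            backups.append((day, "incremental", dict(since_any)))    # changes since the previous backup
            since_any = {}
        else:
            backups.append((day, "differential", dict(since_full)))  # changes since the full, cumulative
    return backups


def restore_set(backups: list, day: int) -> list:
    """Which backup sets must be loaded, in order, to restore to the end of `day`."""
    history = [b for b in backups if b[0] <= day]
    last_full = max(i for i, b in enumerate(history) if b[1] == "full")
    full, later = history[last_full], history[last_full + 1:]
    if not later:
        return [full]
    if later[-1][1] == "incremental":
        return [full] + later            # the full plus every incremental since it
    return [full, later[-1]]             # the full plus only the newest differential


def restore(backups: list, day: int) -> dict:
    files = {}
    for _, _, payload in restore_set(backups, day):
        files.update(payload)            # later sets overwrite earlier versions
    return files


def expected_state(changes: dict, day: int) -> dict:
    state = {}
    for d in sorted(changes):
        if d <= day:
            state.update(changes[d])
    return state


def stored_files(backups: list) -> int:
    """Total file copies written across the week: the storage cost of the scheme."""
    return sum(len(payload) for _, _, payload in backups)


def demo() -> dict:
    inc = take_backups(CHANGES, "incremental")
    diff = take_backups(CHANGES, "differential")
    return {
        "incremental_restores_correctly": restore(inc, 4) == expected_state(CHANGES, 4),
        "differential_restores_correctly": restore(diff, 4) == expected_state(CHANGES, 4),
        "sets_needed_incremental": len(restore_set(inc, 4)),
        "sets_needed_differential": len(restore_set(diff, 4)),
        "stored_incremental": stored_files(inc),
        "stored_differential": stored_files(diff),
    }


if __name__ == "__main__":
    print(demo())
```

Both schemes restore the same state, but the incremental chain needs five sets (and any missing one breaks the restore) while the differential needs two; the price is that the differential scheme wrote 13 file copies over the week against 8 for the incremental one.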