STUDY GUIDE · 2011-09-21

CompTIA Security+ SY0-201





About the Exam

There are six major topic areas (domains) that make up 100% of this exam:

1.0: Systems Security (21%)
2.0: Network Infrastructure (20%)
3.0: Access Control (17%)
4.0: Assessments & Audits (15%)
5.0: Cryptography (15%)
6.0: Organizational Security (12%)

This guide will walk you through all the skills measured by the exam, as published by CompTIA.

ExamForce.com CompTIA Security+ SY0-201 Study Guide 2


Objectives

Domain 1.0 Systems Security 21%

1.1 Differentiate among various systems security threats.

• Privilege escalation • Virus • Worm • Trojan • Spyware • Spam • Adware • Rootkits • Botnets • Logic bomb

1.2 Explain the security risks pertaining to system hardware and peripherals.

• BIOS • USB devices • Cell phones • Removable storage • Network attached storage

1.3 Implement OS hardening practices and procedures to achieve workstation and server security.

• Hotfixes • Service packs • Patches • Patch management • Group policies • Security templates • Configuration baselines

1.4 Carry out the appropriate procedures to establish application security.

• ActiveX • Java • Scripting • Browser • Buffer overflows • Cookies • SMTP open relays • Instant messaging • P2P • Input validation • Cross-site scripting (XSS)



1.5 Implement security applications.

• HIDS • Personal software firewalls • Antivirus • Anti-spam • Popup blockers

1.6 Explain the purpose and application of virtualization technology.

Domain 2.0 Network Infrastructure 20%

2.1 Differentiate between the different ports & protocols, their respective threats and mitigation techniques.

• Antiquated protocols • TCP/IP hijacking • Null sessions • Spoofing • Man-in-the-middle • Replay • DOS • DDOS • Domain Name Kiting • DNS poisoning • ARP poisoning

2.2 Distinguish between network design elements and components.

• DMZ • VLAN • NAT • Network interconnections • NAC • Subnetting • Telephony

2.3 Determine the appropriate use of network security tools to facilitate network security.

• NIDS • NIPS • Firewalls • Proxy servers • Honeypot • Internet content filters • Protocol analyzers

2.4 Apply the appropriate network tools to facilitate network security.

• NIDS



• Firewalls • Proxy servers • Internet content filters • Protocol analyzers

2.5 Explain the vulnerabilities and mitigations associated with network devices.

• Privilege escalation • Weak passwords • Back doors • Default accounts • DOS

2.6 Explain the vulnerabilities and mitigations associated with various transmission media.

• Vampire taps

2.7 Explain the vulnerabilities and implement mitigations associated with wireless networking.

• Data emanation • War driving • SSID broadcast • Blue jacking • Bluesnarfing • Rogue access points • Weak encryption

Domain 3.0 Access Control 17%

3.1 Identify and apply industry best practices for access control methods.

• Implicit deny • Least privilege • Separation of duties • Job rotation

3.2 Explain common access control models and the differences between each.

• MAC • DAC • Role & Rule based access control

3.3 Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.

3.4 Apply appropriate security controls to file and print resources.

3.5 Compare and implement logical access control methods.

• ACL • Group policies



• Password policy • Domain password policy • User names and passwords • Time of day restrictions • Account expiration • Logical tokens

3.6 Summarize the various authentication models and identify the components of each.

• One, two and three-factor authentication • Single sign-on

3.7 Deploy various authentication models and identify the components of each.

• Biometric reader • RADIUS • RAS • LDAP • Remote access policies • Remote authentication • VPN • Kerberos • CHAP • PAP • Mutual • 802.1x • TACACS

3.8 Explain the difference between identification and authentication (identity proofing).

3.9 Explain and apply physical access security methods.

• Physical access logs/lists • Hardware locks • Physical access control – ID badges • Door access systems • Man-trap • Physical tokens • Video surveillance – camera types and positioning

Domain 4.0 Assessments & Audits 15%

4.1 Conduct risk assessments and implement risk mitigation.

4.2 Carry out vulnerability assessments using common tools.

• Port scanners • Vulnerability scanners • Protocol analyzers



• OVAL • Password crackers • Network mappers

4.3 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.

4.4 Use monitoring tools on systems and networks and detect security-related anomalies.

• Performance monitor • Systems monitor • Performance baseline • Protocol analyzers

4.5 Compare and contrast various types of monitoring methodologies.

• Behavior-based • Signature-based • Anomaly-based

4.6 Execute proper logging procedures and evaluate the results.

• Security application • DNS • System • Performance • Access • Firewall • Antivirus

4.7 Conduct periodic audits of system security settings.

• User access and rights review • Storage and retention policies • Group policies

Domain 5.0 Cryptography 15%

5.1 Explain general cryptography concepts.

• Key management • Steganography • Symmetric key • Asymmetric key • Confidentiality • Integrity and availability • Non-repudiation • Comparative strength of algorithms • Digital signatures • Whole disk encryption



• Trusted Platform Module (TPM) • Single vs. Dual sided certificates • Use of proven technologies

5.2 Explain basic hashing concepts and map various algorithms to appropriate applications.

• SHA • MD5 • LANMAN • NTLM

5.3 Explain basic encryption concepts and map various algorithms to appropriate applications.

• DES • 3DES • RSA • PGP • Elliptic curve • AES • AES256 • One time pad • Transmission encryption (WEP TKIP, etc)

5.4 Explain and implement protocols.

• SSL/TLS • S/MIME • PPTP • HTTP vs. HTTPS vs. SHTTP • L2TP • IPSEC • SSH

5.5 Explain core concepts of public key cryptography.

• Public Key Infrastructure (PKI) • Recovery agent • Public key • Private keys • Certificate Authority (CA) • Registration • Key escrow • Certificate Revocation List (CRL) • Trust models

5.6 Implement PKI and certificate management.

• Public Key Infrastructure (PKI) • Recovery agent • Public key



• Private keys • Certificate Authority (CA) • Registration • Key escrow • Certificate Revocation List (CRL)

Domain 6.0 Organizational Security 12%

6.1 Explain redundancy planning and its components.

• Hot site • Cold site • Warm site • Backup generator • Single point of failure • RAID • Spare parts • Redundant servers • Redundant ISP • UPS • Redundant connections

6.2 Implement disaster recovery procedures.

• Planning • Disaster recovery exercises • Backup techniques and practices – storage • Schemes • Restoration

6.3 Differentiate between and execute appropriate incident response procedures.

• Forensics • Chain of custody • First responders • Damage and loss control • Reporting – disclosure of

6.4 Identify and explain applicable legislation and organizational policies.

• Secure disposal of computers • Acceptable use policies • Password complexity • Change management • Classification of information • Mandatory vacations • Personally Identifiable Information (PII) • Due care • Due diligence • Due process • SLA



• Security-related HR policy • User education and awareness training

6.5 Explain the importance of environmental controls.

• Fire suppression • HVAC • Shielding

6.6 Explain the concept of and how to reduce the risks of social engineering.

• Phishing • Hoaxes • Shoulder surfing • Dumpster diving • User education and awareness training



Chapter 1


Domain 1.0 – Systems Security

1.1 Differentiate among various systems security threats.

Privilege escalation
Privilege escalation refers to the act of exploiting a bug to gain access to system resources which are under the protection of an application or user. Such an act allows the application to perform actions with more privileges than intended.

Virus
Some university graduation projects involve the creation of harmless viruses. Nonresident viruses proactively and immediately search for victims to infect and then transfer control to the infected application program. Resident viruses do not do that; instead, they wait in memory and, upon execution, infect new victims that are invoked on the system.

Worm
A worm is a self-replicating program which can send copies of itself to other network nodes without any user intervention. Unlike a virus, it does not attach itself to any existing program. Worms exploit vulnerabilities in an operating system to do the job.

Trojan
With a common type of Trojan horse, a legitimate software program may have been corrupted with malicious code which runs when the program is used. The key is that the user has to invoke the program in order to trigger the malicious code. In other words, a Trojan horse cannot operate autonomously. Most, but not all, Trojan horse payloads are harmful; only a few of them are harmless.

Spyware
Spyware is usually installed surreptitiously on a computer to intercept or even take control of the victim's interaction with the computer, all without the victim's informed consent. This kind of software is capable of collecting different types of personal information as well as interfering with user control by installing additional programs or redirecting Web browser activity.

Spam
E-mail spam involves sending nearly identical messages to multiple recipients via e-mail. Spam e-mails are usually unsolicited and are sent in bulk. Victim addresses are usually collected from venues such as chatrooms, websites, newsgroups, and viruses.

Adware
Adware is a special kind of software that comes with advertising functions integrated into a software program. The reality is that much adware is also spyware or malware.



Rootkits
Rootkit originally described recompiled Unix tools that would hide any trace of the intruder. You can say that the only purpose of a rootkit is to hide evidence from system administrators so that there is no way to detect malicious privileged access attempts. Some earlier Trojan horse programs were bundled in rootkits. For example, the Linux Root Kit version 3 (lrk3), released in December 1996, had TCP wrapper trojans included and enhanced in the kit.

Botnets
Botnet refers to software robots which run autonomously and automatically on groups of zombie computers that are controlled remotely. Botnet servers tend to liaise with other botnet servers to form a group for purposes of redundancy. The botnet's originator (the "bot herder") controls the group remotely through IRC or other means.

Logic bomb
A logic bomb is code intentionally written and inserted into software to set off a malicious function when triggering conditions are met.

1.2 Explain the security risks pertaining to system hardware and peripherals.

BIOS
BIOS stands for Basic Input/Output System. It is a simple program that runs when you first boot your PC and starts the boot process. The BIOS is stored on an EEPROM (Electrically Erasable Programmable Read-Only Memory) chip. With special upgrade software it is possible to write code into the BIOS to change its functionality. This is the source of risk.

USB devices
Universal Serial Bus (USB) is an expansion bus that allows up to 127 devices to be simultaneously connected to a single port. USB comes in two implementations: 1.1 and 2.0. USB 2.0 offers a much higher data rate but is still compatible with USB 1.1 (they use identical cables and connectors). USB 1.1 has a throughput rate of 12 Mbps and version 2.0 has a throughput rate of up to 480 Mbps. They use the same style of connector: the "A" connector is flat and rectangular in shape and is usually plugged into the port on the PC; the "B" connector is shaped like a square with the top two corners cut off and is usually plugged into the USB device or USB hub. Many digital cameras now accept one of two types of "mini-USB" connectors. USB controllers are typically integrated into the motherboard, but can be installed on an expansion card as well. The problem with USB is that it is very easy to plug external USB devices into the system. Without sufficient physical security measures, malicious USB devices may be used to cause problems.

Cell phones
Cell phones often accept accessories such as SD cards and the like, which may all be used as hacking tools.



Removable storage
Removable storage may be easily stolen, as it is designed from the ground up to be removable. Again, physical security is an issue. Alternatively, you may encrypt all contents so that a stolen storage device is simply useless to the thief.

Network attached storage
Network attached storage (NAS) refers to file-level computer data storage that is connected to the network to provide data access to network clients. Since it is online, it is exposed to security risks originating from the network.

1.3 Implement OS hardening practices and procedures to achieve workstation and server security.

Hotfixes
Service packs
Vendors like Microsoft frequently release critical updates or hotfixes to address vulnerability issues. Make sure you apply these updates without delay. A service pack is a form of update for the OS. It typically includes all the previously released updates, including but not limited to security updates, hotfixes, and possibly other out-of-band releases.

NOTE:

Service packs typically include updates, system administration tools, drivers, and additional components bundled together for easy downloading. Each new service pack contains all the fixes that are included in previous service packs plus any new fixes, so you do not have to install a previous service pack before you install the latest one.

Patches
Patch management
A patch fixes a particular issue of a software product. Patch management is the discipline of acquiring, testing, and installing the appropriate patches on the administered systems. A centralized approach is preferred: you do not want your users to apply patches without seeking proper security clearance.

NOTE:

Patches must be applied in a consistent and repeatable manner, because failing to patch even a few computers means that the overall network is still vulnerable. Also, note that patches may not work perfectly in every environment. Therefore, you should thoroughly test any patches before installing in your environment.

Group policies
In Windows, Group Policy contains the security configuration under Computer Configuration - Windows Settings - Security Settings. You may import a pre-configured security template into the policy to configure these settings.

Security templates
On a Windows Server, Security Configuration and Analysis is a tool you can use to analyze and configure computer security. To open Security Configuration and Analysis, type mmc at the command prompt. On the File menu, click Open, click the console that you want to open, and then click Open again. Click Security Configuration and Analysis in the console tree. To add Security Templates to the MMC, type mmc at the command prompt. On the File menu, click Add/Remove Snap-in. In Add/Remove Snap-in, click Add. In Available Standalone Snap-ins, click Security Templates, click Add, click Close, and then click OK. Finally, click Save on the File menu.

NOTE:

In Windows, you may customize a predefined security template or import a security template. You may also apply a security template to local policy. However, before applying any of the security templates, you must first open a Security Configuration and Analysis database for your computer.

Configuration baselines
You establish a configuration baseline for configuration comparison purposes. It acts as a role model for server configuration.

1.4 Carry out the appropriate procedures to establish application security.

ActiveX
JavaScript and ActiveX may be used to carry malicious code, which could be easily downloaded through a Web browser and executed in a totally unnoticed way. Newer browsers allow you to configure and restrict such functionality.

Java
Java has its own security weakness. When a code block is marked as privileged, it can call services based on its permissions even if some of the callers do not have the relevant permissions. You should use privileged code sparingly. If you really need it, keep it as short as possible.

Scripting
Web-based systems that run CGI and SSI may also be vulnerable. The CGI protocol is not inherently insecure, but many CGI scripts are not carefully written. Server-side includes, snippets of server directives that are embedded in HTML documents, can be problematic, as some of them can instruct the server to execute arbitrary system commands and CGI scripts.

Browser
Some web browsers are more vulnerable than others. The key is to obtain the latest update to ensure all security holes are properly handled.

Buffer overflows
The majority of software vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection. Some common languages such as C and C++ are vulnerable to all of these defects. Languages such as Java are immune to some of these defects but are still prone to code/command injection and other software defects which lead to software vulnerabilities.

Cookies
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. Countermeasures include SYN cookies or limiting the number of new connections from a source per timeframe.



SMTP open relays
An open relay allows email messages to pass from server to server until they reach their final destination. This kind of pass-along method has become very unpopular because most ISPs have explicitly disallowed open relay.

Instant messaging
P2P
Certain IM software could be vulnerable, as it creates new vectors for distributing malware and SpIM (short for spam over IM). Blocking IM could be difficult since most IM clients rely on port crawling to work. On the other hand, as P2P systems lack the tools for centralized administration, it is far more difficult to implement security protections.

Input validation
Sufficient input validation on the part of the web application can mitigate security risk to a certain extent. Some server-side scripts can crash when processing invalid inputs. With sufficient validation, only valid inputs are delivered to the server side, so that server-side errors can be reduced.

Cross-site scripting (XSS)
Cross-site scripting is a common application-layer web attack. It mostly targets scripts embedded in a page that are executed on the client side. The concept is simple: it manipulates client-side scripts to execute as desired by the malicious user.

1.5 Implement security applications.

HIDS
HIDS is host-based IDS. With HIDS, all anti-threat applications are installed on every network computer that has been given two-way access to the Internet. Deployment-wise it is not as convenient as NIDS.

Personal software firewalls
A firewall prevents unauthorized access to or from a private network by examining each message that passes through it and blocking those that do not meet the specified security criteria. It may be implemented in hardware or software, or a combination of both. Home users should activate the firewall function on the broadband router, or install a software-based firewall on the desktop computer.

NOTE:

Personal firewall aims at protecting a single user on a single computer.
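The input validation and cross-site scripting items under 1.4 above describe the problem only in prose. The following Python handler is an added example (not from the ExamForce guide) showing the two controls together: an allowlist check on a form field before it reaches any back-end logic, and HTML entity encoding of anything echoed back to the browser, so that injected markup is rendered as text rather than executed. The function names, the allowlist pattern and the sample inputs are constructed for this illustration; the unsafe renderer is kept beside the hardened one only to make the difference visible.

```python
"""Input validation plus output encoding for a reflected form field.

Added example, not from the ExamForce guide. Function names, the
allowlist pattern and the sample inputs below are constructed.
"""
import html
import re
from typing import Dict, Tuple

# Allowlist for a username field: 3-32 characters drawn from letters,
# digits, dot, underscore and hyphen. Anything else is rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def validate_username(value: str) -> bool:
    """Return True only if the field matches the allowlist pattern."""
    return bool(USERNAME_RE.fullmatch(value))


def render_greeting_unsafe(name: str) -> str:
    """Reflects the input verbatim into HTML: the classic XSS sink."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting(name: str) -> str:
    """Hardened renderer: entity-encode before inserting into HTML.

    html.escape turns <, >, &, " and ' into entities, so even a string
    containing <script> arrives at the browser as inert text.
    """
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def handle_request(form: Dict[str, str]) -> Tuple[int, str]:
    """Validate first, then render; invalid input gets HTTP 400, not a page."""
    name = form.get("username", "")
    if not validate_username(name):
        return 400, "<p>Invalid username.</p>"
    return 200, render_greeting(name)


if __name__ == "__main__":
    # Constructed inputs: one legitimate, one carrying a script tag.
    good = {"username": "alice_01"}
    bad = {"username": "<script>alert(1)</script>"}
    print(handle_request(good))
    print(handle_request(bad))
    # Defence in depth: even if validation were bypassed, encoding holds.
    print(render_greeting_unsafe(bad["username"]))
    print(render_greeting(bad["username"]))
```

Validation stops bad input at the boundary; encoding protects every place the value is later written into a page, which matters because the same value often reaches templates the validator never saw. Both are needed, and neither replaces the other.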



Antivirus
When implementing anti-virus software, the key is to keep the virus signature file as up to date as possible. Also, do not run multiple different anti-virus software programs together on the same machine. An integrated anti-virus suite includes comprehensive functions against viruses and spyware, as well as email filtering.

Anti-spam
Spam is never desired and can produce a DoS effect if the mail system is badly configured. Spamming takes advantage of open relay, which allows email messages to pass from server to server until they reach their final destination. This kind of pass-along method has become very unpopular because most ISPs have explicitly disallowed open relay. There is also a lot of anti-spam software available on the client side, although type I and type II errors (false positives and false negatives) often occur.

Popup blockers
Pop-up blocker software can disable pop-up, pop-over or pop-under advertisement windows that would otherwise be seen while using a Web browser.



1.6 Explain the purpose and application of virtualization technology.

With virtualization technologies, a single physical device can act as though it were multiple physical versions of itself, for sharing across the network. This is usually done with the help of multiple processor cores in the same processor die. Platform virtualization is performed by the host software. As a control program, this host creates a simulated computer environment, forming a virtual machine to serve the guest software. With full virtualization, the virtual machine simulates sufficient hardware functionality to allow an unmodified OS to run in isolation. With paravirtualization, on the other hand, the virtual machine does not simulate hardware but simply offers a special API to serve modified guest OSes.



Chapter 2


Domain 2.0 – Network Infrastructure

2.1 Differentiate between the different ports & protocols, their respective threats and mitigation techniques.

Antiquated protocols
Antiquated protocols are those that are outdated and less technologically feasible for use in the network. They are often believed to make life more difficult.

TCP/IP hijacking
Connection hijacking exploits a "desynchronized state" in the TCP communication process. When the sequence number in a received packet is not the same as the expected sequence number, the connection is desynchronized and TCP may either discard or buffer the packet. When two communicating hosts are desynchronized enough, they will start to discard packets from each other. An attacker can then inject forged packets with the correct sequence numbers to trick the victims into accepting them.

Null sessions
A major vulnerability of Windows is the inter-process communication (IPC) mechanism. It is a mechanism that allows one process to communicate with another, and this can take place between different computers connected through a network. Null sessions are dangerous: they allow attackers to extract critical system information such as user account names. NT, 2000 and Windows Server 2003 domain controllers are believed to be susceptible to enumeration via null sessions. To set up a null session one connects to the IPC$ share on the remote target machine via a command that looks something like net use \\remotemachinename\ipc$ "" /user:"".

Spoofing
There are many different types of spoofing attacks. IP spoofing involves an untrusted host connecting to the network and pretending to be a trusted host. Access is then achieved by the hacker changing his IP address to that of a trusted host; that is, the intruding host fools the host on the local network into not challenging it for authentication. A new kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under the control of the attacker. The intent is to fool users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords.



Man-in-the-middle
In a man-in-the-middle attack, the attacker first intercepts electronic messages in a public key exchange, then retransmits them, substituting his own public key for the requested one.

Replay
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. By contrast, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

DOS
DDOS
Denial of service (DoS) attacks are not primarily a means to gain unauthorized access to or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, for example by deliberately guessing a wrong password 3 consecutive times and thus causing the victim's account to be locked (account lockout is a common tactic against password guessing), or they may overload the capabilities of a machine or network and block all users altogether. These types of attacks are, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only that of small pieces of code. Distributed denial of service (DDoS) is even worse: a large number of compromised hosts are used to flood a target system with network requests, attempting to render it unusable through resource exhaustion.

Domain Name Kiting
Domain kiting describes the method of exploiting loopholes in ICANN's registration procedures to earn money from temporary domain registration. Under the ICANN rules a registrant has a five-day grace period from initial registration to consider whether to hold on to the domain name or not. People can take advantage of this grace period to do things with the domain name without paying for it.

DNS poisoning
IP-based networks need name resolution to run. Attackers may, by corrupting the name resolution mechanism, launch attacks of different sorts. For example, DNS spoofing (also known as DNS cache poisoning) can transparently direct legitimate users to malicious web sites. The SOA record of the DNS system contains a TTL value which tells how long any DNS poisoning can last. You can check this yourself via the nslookup command or the dig utility.

ARP poisoning
Spoofing can also work at layer 2. ARP spoofing/poisoning is an attempt to corrupt the address resolution mechanism at layer 2.

2.2 Distinguish between network design elements and components.

DMZ
A DMZ (demilitarized zone) is a subnetwork that sits between a trusted internal network and the untrusted outside network.

VLAN
A virtual LAN (VLAN) is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on different LAN segments. As VLANs are based on logical connections, they are extremely flexible in terms of configuration and application.

NAT
Network Address Translation (NAT) allows a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. It helps secure a network by masking the internal configuration of a private network and makes it difficult for outsiders to monitor individual users.

Network interconnections
The Internet consists of a large number of interconnected autonomous systems, known as ASs. Each AS constitutes a distinct routing domain run by a single organization. Within an AS, all routers communicate with each other using interior gateway protocols. Outside of the organization, ASs are connected via gateways, and the gateway routers exchange information using exterior gateway protocols. Routers used for information exchange within an AS are called interior routers, and routers that move information between ASs are called exterior routers.

NAC
Network Access Control is a term that describes how access to network resources is kept under proper control. One example is RBAC. RBAC (Role-Based Access Control) is an access model for controlling which users have access to resources based on the role of the user. This is now the most popular access model. Under RBAC, access rights are grouped by role name. Access to resources is restricted to users who have been assigned the associated role. Each user may be assigned one or more roles, and each role may be assigned one or more privileges.

Subnetting
IP networks can be divided into smaller networks known as subnets. Subnetting refers to the process of dividing a larger network into several smaller subnets for the purposes of extra flexibility, more efficient use of network addresses, and broadcast traffic containment. You create a subnet address by borrowing bits from the host field and designating them as the subnet field.
The number of borrowed bits does vary, depending on the subnet mask you specified. Do keep in mind that: • Subnet masks always use the same format and representation technique as the regular IP addresses. • Subnet masks have binary 1s in all bits specifying the network and subnetwork fields, and binary 0s

in all bits specifying the host field. Subnet mask bits always come from the left-most bits of the host field.

NOTE:

For performance and security reasons you may need to segment the network by configuring subnet masks (which divide the total number of hosts available to one network into a smaller number available to more networks). Servers with multiple NICs can be set up as routers to perform segmentation. Note that errors mostly occur when subnet masks are not properly configured.
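The bit-borrowing described in this section, worked through as an added Python example (not from the study guide): it builds the new mask from the left-most host bits, enumerates the resulting subnets with their broadcast addresses and usable host counts, and checks that a mask is a contiguous run of 1s, the misconfiguration the note above warns about. The 192.168.10.0/24 network and the host address are constructed samples.

```python
import ipaddress
from typing import List, Tuple


def mask_from_prefix(prefix_len: int) -> int:
    """Build a 32-bit mask: `prefix_len` leading 1s (network + subnet fields)
    followed by 0s (the host field)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_is_valid(mask: str) -> bool:
    """A legal mask is a contiguous run of 1s followed by 0s; a gap such as
    255.255.0.255 is the kind of misconfiguration that breaks segmentation."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    # For 1s-then-0s the inverted mask is 2**k - 1, so adding 1 clears every bit.
    return ((inverted + 1) & inverted) == 0


def borrow_host_bits(network_cidr: str, borrowed_bits: int) -> List[Tuple[str, str, str, int]]:
    """Split `network_cidr` into 2**borrowed_bits subnets by taking the
    left-most `borrowed_bits` bits of the host field as the subnet field.

    Returns (network, broadcast, dotted mask, usable hosts) for each subnet.
    """
    net = ipaddress.IPv4Network(network_cidr, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    if borrowed_bits < 0 or new_prefix > 30:
        # A /31 or /32 leaves no room for network, broadcast and a host.
        raise ValueError("cannot borrow that many bits from the host field")
    new_mask = mask_from_prefix(new_prefix)
    host_bits = 32 - new_prefix
    block = 1 << host_bits                  # addresses per subnet
    base = int(net.network_address)
    subnets = []
    for i in range(1 << borrowed_bits):
        network = base + i * block          # subnet field = i, host field = 0
        broadcast = network | (~new_mask & 0xFFFFFFFF)   # host field all 1s
        subnets.append((
            str(ipaddress.IPv4Address(network)),
            str(ipaddress.IPv4Address(broadcast)),
            str(ipaddress.IPv4Address(new_mask)),
            block - 2,                      # minus network and broadcast
        ))
    return subnets


def which_subnet(host: str, network_cidr: str, borrowed_bits: int) -> str:
    """Return the subnet (as CIDR text) that a host address lands in."""
    new_prefix = ipaddress.IPv4Network(network_cidr).prefixlen + borrowed_bits
    mask = mask_from_prefix(new_prefix)
    network = int(ipaddress.IPv4Address(host)) & mask
    return f"{ipaddress.IPv4Address(network)}/{new_prefix}"


if __name__ == "__main__":
    # Constructed sample: borrow two host bits from a /24 to get four /26 subnets.
    for row in borrow_host_bits("192.168.10.0/24", 2):
        print(row)
    print(which_subnet("192.168.10.130", "192.168.10.0/24", 2))
```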

Telephony

This refers to the implementation of voice traffic over the network infrastructure. The ideal is to packetize voice traffic through VoIP.


Existing telephone systems (PSTNs) run on a quite reliable but less efficient method for call connections known as circuit switching. VoIP systems, on the other hand, run over the data network, which makes heavy use of packet switching.

2.3 Determine the appropriate use of network security tools to facilitate network security.

NIPS / NIDS

You rely on intrusion detection systems to detect direct unauthorized attempts and to determine whether a trend of unauthorized attempts is occurring. Intrusion detection systems (IDS) can be broadly classified as follows:

• In a network-based IDS, individual packets that flow through a network are analyzed.
• In a host-based IDS, activities on each individual computer are inspected.
• In a passive IDS, the IDS detects potential security breaches and raises alerts proactively.
• In a reactive IDS, the IDS responds to suspicious activity by logging off the involved user and blocking network traffic from the suspected source.

NOTE:

Cisco likes to refer to IDS as IPS (Intrusion Prevention System).

Firewalls

The Internet poses significant security problems for organizations protecting their information assets. The areas of control against Internet threats may include corporate Internet policies and procedures, firewalls, intrusion detection systems, and data security controls. The firewall is the most common, even for a small home office setup. Router packet filtering is a form of firewall which relies on the screening router to examine the header of every packet. Application firewall systems allow information to flow between systems but prohibit the direct exchange of packets. Stateful inspection firewalls keep track of communication sessions for more accurate identification of problematic connection attempts.

NOTE:

Basic traffic filters can do the trick if you have a simple and small network which is not a target of hacking. For enhanced protection, go for a full-blown firewall.


Proxy servers

The two major benefits of proxy service are address hiding and caching. Since the proxy service browses the Internet on behalf of the clients, the clients have no need to expose their own IP addresses to the outside world. And since the proxy service usually comes with a proxy cache for caching content, browsing performance can be enhanced even when you have a large group of web users to serve.

Honeypot

You may use a honeypot to detect and deflect unauthorized use of your information systems. A typical honeypot consists of a computer, some real-looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared for trapping hackers.

Internet content filters

You use these mostly for parental control. By filtering content you limit the kind of web content that may be reached by your users.

Protocol analyzers

A packet sniffer (another name for a protocol analyzer) can be deployed to intercept and log network traffic that passes through the network. It can capture unicast, multicast and broadcast traffic provided that you put your network adapter into promiscuous mode. You may sniff to analyze network problems, or to gain information for launching a network attack.

2.4 Apply the appropriate network tools to facilitate network security.

NIDS

Network sensing involves real-time packet capture and analysis (which is why it is resource consuming), as well as the monitoring of logged traffic. If a sensor detects an attack, it can generate alarms or IP session logs, and may even carry out shunning, that is, deny entry to a specific network host or network by dynamically reconfiguring and reloading a network device's ACL (if any).


IDS/IPS

Sensors detect network intrusions based on signatures. A signature determines the types of network intrusions to be detected by the sensor. You may modify the existing signatures or define new ones as you see fit.

Firewalls

The evaluation of network infrastructure security often involves the protection of network-accessible resources from unauthorized use. You start by authenticating your users. Once authenticated, you use packet filters and/or firewalls to enforce access policies. A basic traffic filter can do the trick if you have a simple and small network which is not a target of hacking. For enhanced protection, go for a full-blown firewall. Keep in mind that defending against unauthorized access through a firewall alone cannot stop potentially harmful content from being transmitted, unless you deploy specific technology to prevent this (for example, content filtering).

Proxy servers

A proxy server intercepts all messages entering and leaving the network. It acts as a middle man: it makes outgoing requests on behalf of the insiders so the insiders are never exposed to outside risks directly. Most proxy servers are software based. They usually provide caching facilities to speed up Internet access in the case of network congestion.

Internet content filters

Most proxy server software and personal software firewall products offer content filtering capability. In fact, even web browsers like IE allow you to specify web sites that are not allowed to be visited. Broadband routers also provide URL blocking and domain filtering capabilities.


Protocol analyzers

Wireshark (formerly Ethereal) is a free protocol analyzer you may use for network troubleshooting and sniffing. The functionality it offers is similar to tcpdump, but it provides a GUI for ease of use.

2.5 Explain the vulnerabilities and mitigations associated with network devices.

Privilege escalation

You should limit the ability to escalate privileges. For example, the Windows Run As function and the Linux su command should be limited in use.

Weak passwords

Weak passwords are easy to crack. They are short, simple, or made up of standard words that can be found in a dictionary. There are programs and OS facilities you may use to mandate the use of strong, complex passwords.

Back doors

A backdoor refers to a generally undocumented means of getting into a system, mostly for programming and maintenance/troubleshooting needs. Most real-world programs have backdoors. Creating backdoors is how a hacker can ensure his ability to return to the hacked system at will. During the development effort you should set guidelines to disallow backdoors whenever possible.

Default accounts

Example: some broadband routers come with the default account name admin and the default password admin. It is important to change this right away. You have to, at the least, change the default password in case the default account name cannot be changed.


DOS

Newer firewalls can handle DoS by dropping DoS packets proactively. The key is that you should do this at the border router (the one on the network edge).

2.6 Explain the vulnerabilities and mitigations associated with various transmission media.

Vampire taps

A vampire tap refers to a connection to your coaxial cable in which a hole has been drilled through the cable's outer shield for a clamp to be connected to the inner conductor. Without proper physical security, this allows new connections to be made even while the cable is in use.

2.7 Explain the vulnerabilities and implement mitigations associated with wireless networking.

Data emanation

Emanation is an act of eavesdropping. Tempest (Transient Electromagnetic Pulse Surveillance Technology) refers to the governmental program for evaluation and endorsement of electronic equipment that is almost totally safe from eavesdropping. Tempest certification requires that computer/communication equipment pass strict testing and comply with the emanation rules specified in the government document NACSIM 5100A (classified).

War driving

War driving refers to the unethical method of gaining free Internet access or access to private files using others' unsecured wireless LANs. It basically involves driving around with a portable computer set to promiscuous mode to intentionally receive packets that are within its range.

SSID broadcast

SSID broadcast is the act of broadcasting the name of the AP so that wireless clients searching for a network connection can discover and join it. It is no different from allowing the hacker's wireless client software to find the valid way in.


Blue jacking / Bluesnarfing

Bluejacking refers to the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices. Bluesnarfing, on the other hand, describes the unauthorized access of private information from a wireless device via a Bluetooth connection.

Rogue access points

A rogue access point is basically a Wi-Fi access point which has been installed on and is running in the network without authorization. A rogue peer, on the other hand, refers to an end-user computer that has both bridging and wireless functionality enabled.

Weak encryption

Key length is critical here. In the past, 64-bit encryption was considered pretty strong, but today 128-bit encryption would be the minimum acceptable standard. Do note that strong encryption would not necessarily make your data totally secure UNLESS the recipient of the data is positively identified.


Chapter 3


Domain 3.0 – Access Control

3.1 Identify and apply industry best practices for access control methods.

Implicit deny

This means any access is denied UNLESS it is explicitly allowed. In fact it is usually the last statement, by default, of an access list.

Least privilege / Separation of duties / Job rotation

The decision of which access control models to implement is based on organizational policy and on two generally accepted standards of practice: separation of duties and least privilege. 'Least privilege' refers to the concept of access whereby a user or program is given the minimum possible privileges for doing the job. Unnecessary privileges are totally eliminated. Job rotation allows staff to get well trained on every aspect of the company. The idea is that you should cross-train employees to avoid having a single point of reliance.

3.2 Explain common access control models and the differences between each.

MAC

Controls may be characterized as either mandatory or discretionary. With mandatory controls, only administrators may make decisions that bear on or derive from the predefined policy. Access controls that are not based on established policy may be characterized as discretionary controls (or need-to-know controls).

DAC

With the discretionary access control model, the creator of a file is the 'owner' and can grant ownership to others. Access control is at the discretion of the owner. The most common implementation is through access control lists. Discretionary access control is required for the Orange Book "C" level.

Role & Rule based access control

With the role-based model, access rights are assigned to roles, not directly to users. Roles are usually more tightly controlled than groups: a user can only have one role.


3.3 Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.

Mandatory controls are prohibitive and permissive. With the mandatory model, control is based on security labels and categories. Access decisions are based on the clearance level of the data, the clearance level of the user, and the classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book "B" level.

3.4 Apply appropriate security controls to file and print resources.

Resource protection safeguards all of the organization's computing resources (from loss or compromise), such as main storage, storage media, communications software and hardware, processing equipment, standalone computers, and printers. It helps to reduce the possibility of damage that might result from unauthorized disclosure and alteration of data by limiting opportunities for misuse. Controls for providing information security can be broadly classified as physical, technical, and administrative. They can be further classified as either preventive or detective. Preventive controls are used to avoid the occurrence of unwanted events, whereas detective controls are used to identify unwanted events after they have occurred. Since preventive controls inhibit the free use of computing resources, they can be applied only to the degree that the users are willing to accept.

3.5 Compare and implement logical access control methods.

ACL

Traffic filtering may be configured through ACLs. You should create access lists for each protocol you wish to filter, per router interface. For some protocols, you may need to create one access list to filter inbound traffic and another to filter outbound traffic.

NOTE:

Cisco gear makes extensive use of ACLs. Access control lists (ACLs) work by controlling whether routed packets are forwarded or blocked at the router's interfaces. You direct your router to examine each packet to determine whether to forward or drop it, on the basis of the criteria you specified within the ACLs. Valid criteria may include the source address of the traffic, the destination address of the traffic, the upper-layer protocol, and other information. You can have ACLs configured for all routed network protocols to filter the packets of those protocols as they pass through a router.

From a practical standpoint, you should use ACLs to provide a basic level of security for accessing your network. Without proper ACLs configured, all packets passing through the router could be allowed onto all parts of your network. You should at a minimum configure ACLs on the border routers to provide a basic buffer from the outside network, or from a less controlled area of your own network, into a more sensitive area of your private network. On these routers you should configure ACLs for each network protocol configured on the router interfaces. Ideally you should have both the inbound and the outbound traffic filtered on an interface if the performance tradeoff is justified.
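The first-match evaluation and the implicit deny described in 3.1 and in this note, as an added Python example that is not from the study guide: a small evaluator applies an ordered access list to packets the way a router interface would, and reports which entry decided. The entry syntax, the documentation-range addresses and the sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Ace:
    """One access control entry: an action plus match criteria ("any" = wildcard)."""
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "any"             # CIDR prefix or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Walk the list top-down; the first matching entry decides.

    A packet that matches nothing falls through to the implicit deny, the
    invisible last statement of every access list.
    """
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def explain(acl: List[Ace], pkt: Packet) -> str:
    """Report which entry (by position) decided, or that the implicit deny did."""
    for index, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return f"{ace.action} by entry {index}"
    return "deny by implicit deny"


# Constructed inbound list for an outside-facing interface: HTTPS to the web
# server and DNS to the resolver are allowed, pings only from a partner network.
# Everything else is not listed, so it is dropped by the implicit deny.
INBOUND_ACL = [
    Ace("permit", "tcp", dst="203.0.113.10/32", dport=443),
    Ace("permit", "udp", dst="203.0.113.53/32", dport=53),
    Ace("permit", "icmp", src="198.51.100.0/24"),
]


if __name__ == "__main__":
    for pkt in [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 3389),
        Packet("192.0.2.9", "203.0.113.10", "icmp"),
    ]:
        print(pkt, "->", explain(INBOUND_ACL, pkt))
```

Appending a `permit any` entry at the end of a list silently replaces the implicit deny with "allow everything", which is why a trailing catch-all permit should be treated as a finding during an ACL review.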


Group policies

You use Group Policy to restrict users and enforce limitations. The goal of group policy is to reduce Total Cost of Ownership (TCO) by easing network administration. In Windows, group policies are applied first by Site, then by Domain, and finally by OU.

Password policy / Domain password policy / User names and passwords / Time of day restrictions / Account expiration

Guessing passwords is almost the most effective way to break into operating systems, and password theft is always a major problem. Good password policies should force users to select good passwords and to change them often. Taking Windows as an example, the following options should be carefully configured:

• Maximum password age: Do not set it too long.
• Minimum password age: Never allow users to change their password and immediately change it back to the old password.
• Password uniqueness: Set the number of remembered passwords for each user to avoid password reuse.
• Account lockout: Lock out after some failed attempts, then reset the count after a specific time period.
• Lockout duration: You need this to discourage password guessing.

NOTE:

You want to use group policies (in Windows) to apply the same set of password policies across the domain, to ensure everyone follows the same rules. A domain is an administrative boundary that represents a namespace corresponding to a DNS domain. Windows Server requires that a domain be either a root domain or a child domain in a domain hierarchy.
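The Windows password-policy options listed above, as an added Python example that is not from the study guide: a small policy engine that enforces minimum and maximum password age, password history (uniqueness), an account lockout threshold with a reset window, and a lockout duration against a constructed account and timeline. The policy values, the user and the reference time are assumptions for the demo.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    # Domain-wide settings mirroring the Windows options listed above.
    max_age: timedelta = timedelta(days=90)              # maximum password age
    min_age: timedelta = timedelta(days=1)               # minimum password age
    history_size: int = 24                               # password uniqueness
    lockout_threshold: int = 5                           # failures before lockout
    lockout_reset: timedelta = timedelta(minutes=30)     # reset failure count after
    lockout_duration: timedelta = timedelta(minutes=30)  # how long a lockout lasts


def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes                 # one salt per account so history digests compare
    digest: bytes
    changed_at: datetime
    history: deque = field(default_factory=deque)   # previous digests, newest first
    failed: int = 0
    first_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class PolicyEngine:
    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def create(self, user: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(password, salt), now)

    def change_password(self, user: str, new_password: str, now: datetime) -> str:
        acct, p = self.accounts[user], self.policy
        if now - acct.changed_at < p.min_age:
            return "rejected: minimum password age not reached"
        new_digest = _digest(new_password, acct.salt)
        # Uniqueness: must differ from the current and all remembered passwords.
        if any(hmac.compare_digest(new_digest, d) for d in [acct.digest, *acct.history]):
            return "rejected: password was used recently"
        acct.history.appendleft(acct.digest)
        while len(acct.history) > p.history_size:
            acct.history.pop()
        acct.digest, acct.changed_at = new_digest, now
        return "changed"

    def authenticate(self, user: str, password: str, now: datetime) -> str:
        acct, p = self.accounts[user], self.policy
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"
            acct.locked_until, acct.failed, acct.first_failure = None, 0, None
        # Reset the failure counter once the reset window has elapsed.
        if acct.first_failure and now - acct.first_failure >= p.lockout_reset:
            acct.failed, acct.first_failure = 0, None
        if hmac.compare_digest(_digest(password, acct.salt), acct.digest):
            acct.failed, acct.first_failure = 0, None
            if now - acct.changed_at > p.max_age:
                return "expired: password change required"
            return "ok"
        acct.failed += 1
        acct.first_failure = acct.first_failure or now
        if acct.failed >= p.lockout_threshold:
            acct.locked_until = now + p.lockout_duration
            return "locked"
        return "failed"


T0 = datetime(2011, 9, 21, 9, 0)  # constructed reference time


def at(days: int = 0, minutes: int = 0) -> datetime:
    # Offset from the reference time, so runs are deterministic.
    return T0 + timedelta(days=days, minutes=minutes)


def demo() -> List[str]:
    eng = PolicyEngine(PasswordPolicy())
    eng.create("alice", "correct horse battery", at())
    out = [eng.change_password("alice", "another long passphrase", at(minutes=5))]  # min age
    out.append(eng.change_password("alice", "another long passphrase", at(days=2)))  # changed
    out.append(eng.change_password("alice", "correct horse battery", at(days=4)))    # history
    for _ in range(5):  # four failures, the fifth locks the account
        out.append(eng.authenticate("alice", "wrong guess", at(days=5)))
    out.append(eng.authenticate("alice", "another long passphrase", at(days=5, minutes=10)))  # locked
    out.append(eng.authenticate("alice", "another long passphrase", at(days=5, minutes=31)))  # ok
    out.append(eng.authenticate("alice", "another long passphrase", at(days=100)))  # expired
    return out
```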

Logical tokens

Some web applications may use custom tokens to render content with properties of server-side Java objects. Logical tokens are often used for including or excluding sections of a page, depending on whether the relevant conditions are met.


3.6 Summarize the various authentication models and identify the components of each.

One, two and three-factor authentication

Two-factor authentication describes the security process in which a user has to provide two means of identification in order to gain access. It is more secure than one-factor authentication. For example, some Internet banking facilities now require that you provide both a password and your birth date in order to log in.

Some of the latest security procedures require three-factor authentication, which involves the use of some kind of physical token, a password, plus certain biometric data.

Single sign-on

With single sign-on (SSO), a single act of authentication and authorization permits a valid user to access all computers and systems where permissions were granted, without the need to key in multiple passwords. It aims at reducing human error and improving the user experience. However, it is difficult to implement if you have different types of systems from different vendors in a mixed environment.

3.7 Deploy various authentication models and identify the components of each.

Biometric reader

A biometric reader recognizes human users based on their unique physical traits, including retinas, fingerprints, and facial patterns. Speech recognition is also a viable option. It is often considered one of the most reliable security devices.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) refers to an authentication and accounting system for remote access. When you dial in to the network you must enter your username and password, which are checked by the RADIUS server for access authorization.

RAS

On Windows-based client computers, Internet Connection Sharing (ICS) provides network address translation, IP addressing, and name resolution services for all the client computers on a small network. The ICS computer automatically assigns IP addresses, forwards DNS names to the Internet for name resolution and assigns itself as the default gateway for connecting to the Internet. That means with ICS there is no need to manually configure NAT.


LDAP

LDAP is a protocol standard for accessing directories. It is often perceived as a simpler implementation of the X.500 standard. LDAP directories follow the X.500 model in that a directory represents a tree of directory entries, each entry consists of a set of attributes, and each attribute has a name, one or more values, plus a unique identifier.

Remote access policies

On the server side, RAS allows remote connections from outside Windows clients. You typically use remote access policy to define the actions that can be undertaken for a user or group who connect remotely. The available types of remote access permissions for users are Allow access, Deny access and Control access through Remote Access Policy. In a Windows Server native-mode domain, you can use the following three remote access policies: Explicit allow, Explicit deny and Implicit deny.

Remote authentication

Types of authentication for secure remote access generally include PAP, CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5, EAP-TLS, and multifactor authentication that combines smart cards and EAP.

NOTE:

Modern remote authentication is typically implemented through RADIUS and TACACS+.

VPN

A VPN is a private network that uses the Internet to connect remote sites or users together. The two common types of VPNs are:

• Remote-Access - A Virtual Private Dial-up Network (VPDN) for user-to-LAN connection.
• Site-to-Site - For connecting multiple fixed sites through the use of dedicated equipment and large-scale encryption.

The major encryption protocols supported by Windows-based VPNs are MPPE + PPTP and IPSec + L2TP. Pre-W2K computers support PPTP. W2K and Windows 2003/08 computers can use L2TP. L2TP uses UDP port 1701. PPTP uses TCP port 1723.

Kerberos

Kerberos was designed by MIT for enabling two parties to exchange private information across the network. It works by assigning a ticket to each user. This ticket is embedded in messages to identify the sender of the message. Windows 2000/2003/2008 uses Kerberos for authentication within the domain.

CHAP

CHAP is an old standard no longer commonly in use. MS-CHAP is mainly for older MS-compatible clients.

PAP

PAP is purely text based and is never recommended, unless you are supporting very simple devices with no processing capability at all.


Mutual

This is about two-way authentication. It is like saying "I authenticate you and you authenticate me in return." Mutual authentication usually requires public key infrastructure (PKI) deployment to both the clients and the servers.

802.1x

The 802.11 WLAN standard makes use of shared-key authentication and static Wired Equivalent Privacy (WEP) keys, which can be easily compromised today. An alternative WLAN security approach focuses on providing centralized authentication and dynamic key distribution, based on the IEEE 802.11 Task Group "i" end-to-end framework using 802.1X and the Extensible Authentication Protocol (EAP). IEEE 802.1X is for port-based network access control. When an access point needs to run as a closed access point, authentication of the client is done through a third-party entity, most often a RADIUS server. Strong mutual authentication using EAP-TLS and other protocols can accordingly be performed.

NOTE:

Do note that 802.1X would authenticate only at the beginning of a connection. To be safe you should use encryption afterwards.

TACACS

Terminal Access Controller Access Control System (TACACS) refers to an authentication protocol that allows a remote access server to communicate with an authentication server to determine whether the user has access to the network. TACACS+ is a completely new protocol and is not compatible with TACACS.

3.8 Explain the difference between identification and authentication (identity proofing).

Authentication refers to the process of validating the claimed identity of an end user or a device; it authenticates not only human users but also devices. Authorization refers to the act of granting access rights. It gives you the ability to limit network services to different users via dynamically applied access lists. Accounting refers to the methods used to establish who (or what) performed a certain action. In fact, the accounting function may be used for connection-time billing. It may also be used to track suspicious connection attempts into the network. Identity proofing starts prior to giving someone an account and password. You give him/her an account only AFTER you have verified that he/she is really who he/she says he/she is.

3.9 Explain and apply physical access security methods.

Physical access logs/lists

A comprehensive security policy serves as the foundation of all your security efforts. To be sufficiently comprehensive, the policy must address both the physical and logical sides of the story. Physical security is often a critical part of security policy. Related access control includes practices such as restricting entrance to authorized personnel only. One may implement physical access control through a human guard, a mechanical lock or any other fancy means.


Physical security of the server room must be adequately maintained. Floppy-less workstations may be a good idea if guest access is frequent. Biometrics in the context of computer security refers to authentication techniques that involve checking users' measurable physical characteristics, such as fingerprints and retinas.

Hardware locks

A hardware lock is a dongle-type hardware module connected to your computer which communicates with the security software running on the computer. Once you start the software, it first searches for the hardware lock on the appropriate I/O port. If the hardware lock is not attached to the port, access to the protected software is not given.

NOTE:

Password entry lock is NOT of a detective nature.

Physical access control – ID badges / Door access systems

Modern ID badges or cards can act as a kind of access control card, an electronic or electromechanical device which can replace or supplement traditional mechanical key access to a building area. With door access systems, credit-card-style magnetic card keys are often used to unlock doors.

Man-trap

For very high security areas that require electronic security without human involvement, man-traps in the form of access control security booths are an excellent choice for access control authentication of persons requesting access, especially when combined with badge and PIN validation.

Physical tokens

Physical tokens are hardware devices for authenticating remote end users. A lot of Internet banking services now require bank customers to use such tokens to log on. However, mass distribution of such devices is HIGHLY EXPENSIVE.

Video surveillance – camera types and positioning

Detective physical controls are deployed to warn protective services personnel that physical security measures are being violated. Some of these controls are motion detectors, smoke and fire detectors, closed-circuit television monitors (CCTV), sensors and alarms. CCTV should be deployed at entrances and exits.


Chapter 4


Domain 4.0 – Assessments & Audits

4.1 Conduct risk assessments and implement risk mitigation.

Risk assessment refers to the decision process that weighs the cost of implementing preventive measures against the risk of loss from not implementing them. If it costs less to implement the measures, then go ahead. Typically, the two major cost factors that arise for the systems environment are the loss incurred from a cessation of business operations due to system downtime, and the replacement cost of equipment. An audit trail refers to a record of system activities for the reconstruction and examination of the sequence of events of a transaction from its inception to the output of the final results. Violations may indicate either actual or attempted policy transgressions. You should frequently and regularly review the audit trail to identify and investigate successful or unsuccessful unauthorized accesses. Intrusion detection systems are expert systems that track users on the basis of their personal profiles to determine whether their current activities are consistent with an established norm.

4.2 Carry out vulnerability assessments using common tools.

Port scanners

The first 1024 ports (0-1023) are the most popular attack targets and the subjects of port scanning. They are the well-known ports used by MOST applications for listening to requests. To port scan means to scan for multiple listening ports on a target host. To port sweep means to scan multiple hosts for a specific listening port.

NOTE:

You can deter scanners by limiting the number of access attempts. Failed login attempts are good indicators of scanning activities. Attempts to exceed the pre-defined limits may result in long delays that discourage the scanning process.
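The port scan and port sweep definitions above, turned into detection logic as an added Python example that is not from the study guide: it counts unanswered connection attempts per source within a time window and raises a scan alert for many ports on one host and a sweep alert for one port across many hosts. The log format, addresses and thresholds are constructed; the slow-scanner entry shows the caveat that a probe rate below the window threshold goes unnoticed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple, Union


class Conn(NamedTuple):
    ts: int        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    state: str     # "S0" = attempt never completed, "SF" = full session


def parse(log: str) -> List[Conn]:
    """Parse constructed log lines of the form '<ts> <src> <dst> <dport> <state>'."""
    conns = []
    for line in log.strip().splitlines():
        ts, src, dst, dport, state = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport), state))
    return conns


def constructed_log() -> str:
    """Build a small constructed log: a scanner, a sweeper, a slow scanner and a normal client."""
    lines = []
    # Port scan: one source probes 12 ports on one host within 12 seconds.
    lines += [f"{100 + i} 198.51.100.7 203.0.113.10 {20 + i} S0" for i in range(12)]
    # Port sweep: one source probes port 445 on 12 different hosts.
    lines += [f"{200 + i} 198.51.100.9 203.0.113.{1 + i} 445 S0" for i in range(12)]
    # Slow scan: the same 12 ports, but one probe every 15 seconds.
    lines += [f"{300 + 15 * i} 198.51.100.11 203.0.113.10 {20 + i} S0" for i in range(12)]
    # Normal client: a few completed sessions to a busy server.
    lines += ["400 192.0.2.5 203.0.113.10 80 SF",
              "401 192.0.2.5 203.0.113.10 443 SF",
              "402 192.0.2.5 203.0.113.10 22 SF"]
    return "\n".join(lines)


Alert = Tuple[str, str, Union[str, int]]   # ("scan", src, dst) or ("sweep", src, dport)


def detect(conns: List[Conn], window: int = 60, threshold: int = 10) -> List[Alert]:
    """Alert when one source has >= threshold unanswered attempts inside `window`
    seconds against distinct ports of one host (scan) or distinct hosts on one
    port (sweep). Only S0 attempts count, so completed sessions never trigger.
    """
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        if c.state == "S0":
            by_src[c.src].append(c)
    alerts: Set[Alert] = set()
    for src, events in by_src.items():
        for i, first in enumerate(events):
            ports_per_host: Dict[str, Set[int]] = defaultdict(set)
            hosts_per_port: Dict[int, Set[str]] = defaultdict(set)
            for e in events[i:]:               # window starting at this event
                if e.ts - first.ts >= window:
                    break
                ports_per_host[e.dst].add(e.dport)
                hosts_per_port[e.dport].add(e.dst)
            alerts.update(("scan", src, dst) for dst, ports in ports_per_host.items()
                          if len(ports) >= threshold)
            alerts.update(("sweep", src, port) for port, hosts in hosts_per_port.items()
                          if len(hosts) >= threshold)
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse(constructed_log())):
        print(alert)
```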

Vulnerability scanners
SAINT stands for Security Administrator's Integrated Network Tool, which is a network vulnerability scanning tool. On the other hand, IP-Watcher can create network traffic with spoofed source and destination addresses for the purpose of killing any user's connection. You can use it to stop hackers. You can also use it to attack regular users. MBSA can scan for common system misconfigurations and missing security updates in Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, Internet Explorer, and Office.

Protocol analyzers
You may use EtherPeek to evaluate your security setup. In particular, you can use it to check and ensure that your firewall is blocking your computers from replying with valuable information to a port scan from someone outside of your network. You can use it to easily identify the sender of stealth port scans. It can detect the true IP address of those who set up a spoofed IP connection.

OVAL
Open Vulnerability and Assessment Language (OVAL) refers to the international, information security, community standard that promotes open and publicly available security content, and standardizes the transfer of such information across the entire spectrum of security tools and services. It has a language for encoding system details and standardizes the major steps of the assessment process.

Password crackers
Password guessing is often made easy with specialized cracking software. In a dictionary attack the attacker exhausts all of the words in a dictionary in an attempt to discover the password.

Network mappers
Nmap supports a connect scan: if a port is open, the OS completes the TCP three-way handshake and the connection is then closed. This scan mode needs no special privileges, but low-level control is impossible. A SYN scan generates raw IP packets from the scanner itself and then monitors for responses. The scanner first sends a SYN packet. If the target port is open, a SYN-ACK packet is returned. The scanner then responds with a RST packet, so the handshake is never completed. You may also use an ACK scan to find packets that are allowed through a stateless packet filter; FIN scans to determine whether ports are open or closed even when SYN packets are subjected to filtering; a protocol scan to find out which IP-level protocols are enabled; a proxy scan to scan via a SOCKS / HTTP proxy; CatScan to find ports for erroneous packets; and an ICMP scan, which checks whether a host responds to ICMP requests.

4.3 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.

Through a penetration test you actively evaluate your information security measures. The National Institute of Standards and Technology (NIST) addresses penetration testing via its Special Publication 800-42, which is titled Guideline on Network Security Testing. Generally speaking, you should first conduct a risk assessment in order to gain awareness of the main threats, then use penetration testing to identify vulnerabilities that are related to these threats.

4.4 Use monitoring tools on systems and networks and detect security-related anomalies.

Performance monitor
Your Windows computer may not perform well if too many programs are started automatically when you start your computer, or if you are running a program that creates memory leaks. To determine which programs are running and which should be shut down, press CTRL+ALT+DELETE and start Task Manager. You may also use perfmon to monitor the performance of your computer. However, perfmon adds extra load to your processor and is therefore recommended only when your computer is not under peak usage.


Systems monitor
System Monitor is a Windows tool that can graphically display different aspects of a computer's performance. You identify problems by finding out whether performance is slowed down in particular area(s).

Performance baseline
In terms of performance measurement, you establish a baseline for comparison purposes. In terms of security, common sources for overall security baselines include ISO/IEC 17799 and BS 7799 and the President's Critical Infrastructure Protection Board's "National Strategy to Secure Cyberspace" report.

NOTE:

Baselining is a tactic of performance measurement. Your performance measurement plan should include baselines on processor utilization, page file utilization, disk utilization, memory utilization and network utilization. Most network operating systems (NOS) include performance monitoring features for measuring utilization of different sorts.

Protocol analyzers
They can be hardware or software. You use them to find out exactly what is happening regarding the traffic flow on your network. Once a problem is detected, isolated and recorded, you can act accordingly. Generally speaking, analyzers are capable of providing information on:
• Network Statistics
• Packet Capture and Decode
• Trending Report

4.5 Compare and contrast various types of monitoring methodologies.

Behavior-based
It addresses system threats by analyzing the behaviors of applications, such as system activities and file-system manipulation.

Signature-based
A signature-based system monitors electronic activities and compares them against a signature database.

Anomaly-based
A statistical anomaly detection mechanism discovers intrusions by looking for activities that differ from a user's or system's normal behavior.

4.6 Execute proper logging procedures and evaluate the results.

Security application
On Linux, the configuration set in the syslog.conf file determines what gets logged and what does not. A "#" sign at the beginning of a line represents a comment. On Windows, you go to Event Viewer to check out the logged events.

DNS
On Linux, BIND-based DNS uses syslogd for logging. On Windows, DNS-related security events go to the Security log.


System
Since Vista and Windows Server 2008, the traditional Event Viewer has been rewritten to support a well-defined, structured XML log format. It is now called Windows Event Log. Event logs are filtered by criteria or via standard XPath expressions.

Performance
A performance bottleneck indicates problems. For example, overall performance can slow down significantly when too high a proportion of system memory is locked. On the other hand, sustained high levels of processor usage could mean that your CPU needs to be upgraded.

Access
Access logs show resource access records. You should pay attention to failed access attempts. Too many failed access attempts usually mean there were hacking attempts.

Firewall
The firewall log reveals dropped / rejected packets, and from there you can tell whether an intrusion has taken place. Significant events on a firewall typically fall into the broad categories of critical system issues (such as hardware failures), significant authorized administrative events (such as ruleset changes and administrator account changes), and network connection logs. Do note that dropped connection logs typically require additional processing in order to derive useful information on activity that has taken place on your network.

Antivirus
Most antivirus suites allow the recording of scanning events, such as infection detection and removal events. Log files are typically listed in reverse order, mostly by date and time.

4.7 Conduct periodic audits of system security settings.

User access and rights review
User access rights must be periodically audited to ensure least privilege is being maintained. Users that no longer exist should be removed along with the privileges granted to their accounts. The Guest account should be highly restricted in use.

Storage and retention policies
Disk quotas may be used to restrict disk usage. You should also review the file storage retention policies that are in place. Files no longer in use should be properly archived. Junk files should be removed from the file systems as early as possible.

Group policies
You want to be sure the right people are being placed in the right group. Privileges granted to groups and their corresponding membership must be carefully reviewed.
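The "additional processing" of dropped-packet firewall logs mentioned under 4.6, applied to the port scan versus port sweep distinction from 4.2, as an added example that is not part of the study guide: the log lines are constructed in an iptables-style DROP format, and the thresholds of five ports or five hosts are assumptions.

```python
"""Summarise firewall DROP logs to separate port scans from port sweeps.

Added example, not code from the study guide. Log format, addresses and
thresholds are constructed assumptions for the demo.
"""
import re
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Sep 21 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 21 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 21 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Sep 21 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Sep 21 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Sep 21 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Sep 21 10:00:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 SYN
Sep 21 10:00:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=445 SYN
Sep 21 10:00:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=51002 DPT=445 SYN
Sep 21 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=51003 DPT=445 SYN
Sep 21 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=51004 DPT=445 SYN
Sep 21 10:00:09 fw kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Return (src, dst, proto, dport) for every DROP line; ignore the rest."""
    events = []
    for line in text.splitlines():
        if " DROP " not in line:
            continue
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def well_known_hits(events):
    """How many drops targeted the well-known range 0-1023 (the usual scan targets)."""
    return sum(1 for _, _, _, dport in events if dport < 1024)


def classify_sources(events, scan_ports=5, sweep_hosts=5):
    """Label each source address as 'scan', 'sweep', 'scan+sweep' or 'noise'.

    scan:  one source probing >= scan_ports distinct ports on a single host
    sweep: one source probing one port on >= sweep_hosts distinct hosts
    """
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dsts}
    for src, dst, _proto, dport in events:
        ports_per_host[src][dst].add(dport)
        hosts_per_port[src][dport].add(dst)

    labels = {(True, True): "scan+sweep", (True, False): "scan",
              (False, True): "sweep", (False, False): "noise"}
    verdicts = {}
    for src in ports_per_host:
        is_scan = any(len(p) >= scan_ports for p in ports_per_host[src].values())
        is_sweep = any(len(h) >= sweep_hosts for h in hosts_per_port[src].values())
        verdicts[src] = labels[(is_scan, is_sweep)]
    return verdicts


if __name__ == "__main__":
    evts = parse_drops(SAMPLE_LOG)
    print(f"{len(evts)} drops, {well_known_hits(evts)} against well-known ports")
    for src, verdict in classify_sources(evts).items():
        print(f"{src:15} {verdict}")
```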


Chapter 5


Domain 5.0 – Cryptography

5.1 Explain general cryptography concepts.

Key management
Most IPsec implementations use IKE (Internet Key Exchange) for key agreement and management. A key refers to a critical piece of information that controls the operation of a cryptographic algorithm.

Steganography
Steganography describes the writing of hidden messages in such a way that a third party could hardly realize there is a hidden message. This is not the same as cryptography, which obscures the meaning of the message.

Symmetric key
Symmetric key algorithms use trivially related (or even identical) cryptographic keys for both encryption and decryption. They use much less computational power, but require a shared secret key on each end. The storage and exchange of such a shared secret can be a source of security risk.

Asymmetric key
Asymmetric key algorithms use different keys, so they don't have to worry about the shared secret, but they consume far more CPU power.

Confidentiality
The most obvious application of a public key encryption system is confidentiality. In such a context, a message which a sender encrypts using the recipient's public key can only be decrypted by the recipient's paired private key.

Integrity and availability
A cryptographic hash function is a hash function with certain additional security properties that make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a string of any length as input and produces a fixed-length string as output, known as a message digest or digital fingerprint.

Non-repudiation
In addition to message encryption, you may want to enforce non-repudiation. You may use a public key certificate (one that incorporates a digital signature) to bind a public key with an identity. In a PKI, the signature is typically that of a Certificate Authority.

Comparative strength of algorithms
A block cipher is a symmetric key cipher. It always operates on fixed-length groups of bits that are termed blocks. DES has a block size of 64 bits and a key size of 56 bits. The truth is that the 56-bit key of DES is simply not enough to guard against brute force attacks, so 3DES was deployed to enlarge the key space by running DES three times, without the need to switch to a new algorithm. AES has a block size of 128 bits plus three possible key sizes, which are 128, 192 and 256 bits. AES is getting more and more popular relative to 3DES. Diffie-Hellman key exchange is a cryptographic protocol that lets two parties with no prior relationship jointly establish a shared secret key over an insecure communications channel.

Digital signatures
Public-key digital signature schemes rely on public-key cryptography. Generally, digital signature schemes include three algorithms:
• A key generation algorithm
• A signing algorithm
• A verification algorithm

Whole disk encryption
Whole Disk Encryption protects all data on an entire computer disk drive. The engine behind it operates at the system level, between the operating system and the disk drive, thus providing totally transparent sector-by-sector disk encryption in the background.

Trusted Platform Module (TPM)
Trusted Platform Module (TPM) describes the microcontroller affixed to the computing device at the motherboard level for storing keys, passwords and digital certificates.

Single vs. Dual sided certificates
Server-side certificates and client-side certificates may coexist on the same system. The idea is that a server may sometimes have to act as a client for certain applications.

Use of proven technologies
Proven technologies have been extensively used in the field, so they are known to be more solid and reliable, often with far fewer security problems. Using only proven technologies is one smart and effective way of preventing security problems.

5.2 Explain basic hashing concepts and map various algorithms to appropriate applications.

SHA, MD5
In a typical PKI a hash function is often used to turn data into a smaller number which serves as a sort of digital fingerprint. In cryptography, a good hash function allows only "one-way" operation, meaning that there is almost no way to calculate the input value from the output. SHA is one example. It has several variants, which are SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. They were designed by the NSA and published through NIST. MD5 is another example. It produces a 128-bit hash value, typically written as a 32-character hexadecimal number.

LANMAN, NTLM
NTLM (NT LAN Manager) is an old Microsoft proprietary authentication protocol that was to be used with the SMB protocol. It is in fact the successor of the even older LANMAN (LAN Manager) protocol. It works based on a challenge-response scheme. LANMAN was mostly used with DOS and Windows 3.1x.


5.3 Explain basic encryption concepts and map various algorithms to appropriate applications.

DES
DES is a popular symmetric-key encryption method that uses a 56-bit key and the block cipher method, breaking text into 64-bit blocks for encryption.

3DES
3DES is a mode of DES which encrypts the data three times to achieve an overall key length of 192 bits.

RSA
RSA is an example of an asymmetric algorithm. With both a public key and a private key, it is used primarily for public key encryption. It is, in fact, suitable for both signing and encryption. However, an adaptive chosen ciphertext attack can be used against RSA encrypted messages. Also, timing attacks can be used against RSA's signature scheme.

PGP
PGP (Pretty Good Privacy) was desktop software for providing cryptographic privacy and authentication services to email messages and attachments. Capable of using both asymmetric key encryption and symmetric key encryption algorithms, PGP has now been further developed to provide highly comprehensive security services for different types of applications.

Elliptic curve
Elliptic curve cryptography (ECC) is a special approach to public-key cryptography, based on the algebraic structure of elliptic curves over finite fields. Its key agreement scheme is usually based on the Diffie-Hellman scheme, while its digital signature algorithm is usually based on the Digital Signature Algorithm (DSA).

AES, AES256
Advanced Encryption Standard (AES) as a block cipher has a fixed block size of 128 bits. The key size can be 128, 192, or 256 bits. The only successful attacks against AES implementations so far have been side channel attacks. Side channel attacks do not target the cipher. Instead they target improper implementations that leak data.

One time pad
It's possible to protect messages in transit (the confidentiality aspect) by means of cryptography. One method of encryption, the one-time pad, has been proven to be unbreakable when correctly used. This method uses a matching pair of key-codes, securely distributed, which are used once and only once to encode and decode a single message.

Transmission encryption (WEP, TKIP, etc.)
WEP is a wireless security protocol that helps protect your information by using a WEP key to encode all network traffic before transmitting it over the airwaves. This helps prevent unauthorized users from accessing the data as it is being transmitted. WPA is a stronger form of wireless security. It is stronger because it uses Temporal Key Integrity Protocol (TKIP) to dynamically generate a new key for every packet and to generate different sets of keys for each computer.
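The one-time pad's "used once and only once" condition made concrete, as an added example that is not part of the study guide: the pad class burns key bytes as it spends them, and the last function shows the failure mode the condition prevents, namely that two ciphertexts under the same key XOR to the XOR of the plaintexts. The OneTimePad class and the reuse_leak helper are constructions of this example.

```python
"""One-time pad: provably secure only with a random key as long as the
message, used exactly once. Added example, not code from the study guide.
"""
import secrets


def otp_key(length):
    """Key generation: uniformly random bytes, one per message byte."""
    return secrets.token_bytes(length)


def otp_xor(data, key):
    """Encryption and decryption are the same XOR operation."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


class OneTimePad:
    """Both ends hold the same pad; key bytes are consumed and never reused."""

    def __init__(self, pad):
        self._pad = pad
        self._offset = 0          # first unspent key byte

    def encrypt(self, plaintext):
        """Returns (start offset, ciphertext); the receiver needs the offset
        to pick the same key bytes out of its copy of the pad."""
        start = self._offset
        key = self._pad[start:start + len(plaintext)]
        if len(key) < len(plaintext):
            raise ValueError("pad exhausted: never reuse key bytes")
        self._offset += len(plaintext)   # burn the key material
        return start, otp_xor(plaintext, key)

    def decrypt(self, start, ciphertext):
        return otp_xor(ciphertext, self._pad[start:start + len(ciphertext)])


def reuse_leak(c1, c2):
    """Why reuse breaks the pad: c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2.
    The key cancels out, so an observer learns the relationship between the
    two plaintexts without ever knowing the key."""
    return otp_xor(c1, c2)


if __name__ == "__main__":
    pad = OneTimePad(otp_key(64))
    start, ct = pad.encrypt(b"meet at the bridge")
    print("round trip:", pad.decrypt(start, ct))
    k = otp_key(16)
    c1, c2 = otp_xor(b"attack at dawn!!", k), otp_xor(b"retreat at noon.", k)
    print("key reuse leaks p1^p2:", reuse_leak(c1, c2) == otp_xor(b"attack at dawn!!", b"retreat at noon."))
```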


5.4 Explain and implement protocols.

SSL/TLS
Secure Sockets Layer is a protocol designed by Netscape Communications to enable encrypted, authenticated communications across the Internet. SSL is used mostly in communications between web browsers and web servers. URLs that begin with https indicate that an SSL connection will be used. SSL provides three important things: privacy, authentication, and message integrity.

NOTE:

Transport Layer Security (TLS) is the successor to SSL.

S/MIME
S/MIME is a secure version of the MIME protocol that supports encryption of messages via RSA public-key encryption technology.

PGP
PGP (Pretty Good Privacy) is a technique for encrypting email messages based on the public-key method. To encrypt a message using PGP, you need to have the PGP encryption package. The official repository of PGP is at MIT.

PPTP
PPTP is an encryption technology for ensuring that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet. Most earlier Windows operating systems support PPTP.

HTTP vs. HTTPS vs. SHTTP
HyperText Transport Protocol is the protocol for moving hypertext files across the Internet. It requires an HTTP client program on one end and an HTTP server program on the other end. HTTP is the most important protocol used in the World Wide Web (WWW). HTTPS (Hypertext Transfer Protocol Secure) is the secure and encrypted form of HTTP. HTTP sends data in cleartext, so HTTPS helps to secure it through SSL encryption.

NOTE:

S-HTTP is different from SSL in that it helps transmit messages securely on an individual basis rather than on a per-connection basis.

L2TP
L2TP is an encryption technology that merges the best features of PPTP from Microsoft and L2F from Cisco. Newer generations of Windows Server (such as 2000 and 2003) provide native L2TP support.


NOTE:

Microsoft Windows Servers support two types of VPN authentication: PPTP and L2TP. PPTP is mainly for compatibility with older Windows operating systems. L2TP is mainly for Windows 2000/2003 based networks. The Secure Socket Tunneling Protocol (SSTP) is the heart of the new remote access functionality. It allows network traffic to pass through firewalls that are configured to block PPTP and/or L2TP/IPsec traffic. It works by encapsulating PPP traffic over SSL. For the setup to work, the SSTP client will establish a TCP connection with the SSTP server through a dynamically assigned TCP port on the client side. TCP port 443 is used on the SSTP server, though.

IPSEC
IPsec is a framework for securing IP-based communication sessions. It works by encrypting and/or authenticating each IP packet in transit. There are two modes available: the fully routable transport mode and the more secure tunnel mode.

SSH
Secure Shell (SSH) allows data to be exchanged via a secure channel between two hosts. Encryption provides confidentiality and integrity of data over the insecure Internet. Public-key cryptography is used for authenticating the remote host and allows the remote host to authenticate the user as needed.

NOTE:

Note that an SSH server by default listens on the standard TCP port 22. SSH is very common on Unix-like systems such as Linux. In fact, it is recommended over tools such as rlogin. It is believed that the rsh, rlogin, and rexec servers should only be run on a system after carefully considering the security implications, as these services offer very little security. It is strongly recommended that sshd be used for better security. You may configure rsh/rlogin so that it does not prompt any user for a password. On the host machine, you can edit (or create) /etc/hosts.equiv and add entries for all hosts you would like to allow without password authentication.

5.5 Explain core concepts of public key cryptography.

Public Key Infrastructure (PKI)
Also known as a trust hierarchy, a public key infrastructure is a system of digital certificates, Certificate Authorities, and other registration authorities for verifying and authenticating the validity of the parties involved in an Internet transaction.

Recovery agent, Public key, Private keys
Refer to the next section for information on these three items.

Certificate Authority (CA)
A Certificate Authority (CA) is responsible for assigning the keys for encryption, decryption and authentication. In a typical Windows network, there are two types of CAs, which are Enterprise CA and Stand-Alone CA. Each CA type can have a root CA and multiple subordinate CAs. The general guideline is that you should work with an outside established commercial CA if your site is to be made public for e-commerce purposes.


Registration
To apply for a certificate one has to register with a CA and pay the cost. Identity information will have to be submitted for verification prior to the issuance of the certificate.

Key escrow
Refer to the next section for information on key escrow.

Certificate Revocation List (CRL)
The validity of certificates may be verified based on time and revocation status. Windows Server 2008 can make use of both CRL and OCSP for determining certificate status. In the context of Windows Server, OCSP specifies the Microsoft implementation of the Online Certificate Status Protocol addressed in RFC 2560. An OCSP responder serves as the authoritative source for certificate revocation status. The major drawback is scalability, as it has been designed to act on single certificate status requests.

Trust models
In the context of Windows, with NT 4.0 trust relationships have to be explicitly configured, which is time consuming. Windows 2008/03 (and Windows Server 2000) implement transitive trusts that flow up and down the domain tree structure, which greatly simplifies Windows network administration.

5.6 Implement PKI and certificate management.

Public Key Infrastructure (PKI)
IPsec is different from SSL in that it runs at layer 3, so it can protect both TCP and UDP traffic. SSL operates from the transport layer up, so less flexibility can be offered. The goal of SSL is to provide endpoint authentication as well as communications privacy via cryptography. Most IPsec implementations use IKE (Internet Key Exchange). In the world of IKE, an SA (Security Association) describes how entities will utilize security services for communicating data flow securely. If you are thinking about deploying IKE, keep in mind that IKE requires the use of SAs for identifying connection parameters, that an IKE SA can be used by IKE only, and that it is always bidirectional. The more SAs you establish, the more resources are consumed, which may overload your device.

Recovery agent
Key recovery describes a PKI's capability of recovering lost or unavailable private encryption keys. The recovery agent is responsible for the job.

Public key, Private keys
By using two different keys (one public and one private) one may provide the highest levels of security. HOWEVER, the operation can be VERY heavy on system resources, especially when working on large messages. Therefore, for performance reasons this should only be used to exchange keys. The lighter conventional secret-key cryptosystem (such as DES) should be retained for use on the bulk of the message.

Certificate Authority (CA)
A digital certificate is an attachment to an email message used for verifying the identity of the user who sent the message. To send an encrypted message with a digital certificate, one must first apply for it from a Certificate Authority. Note that some Certificate Authorities are commercial, while some are owned by governments.


Certificate Revocation List (CRL)
Trusted certificates MUST always be checked for validity. You can have this done through comparing the certificate to an updated certificate revocation list (CRL). A CRL may be published periodically following a clearly defined timeframe, but may also be published right after a certificate has been revoked. For the sake of security, a CRL usually comes with a digital signature associated with the CA by which it is published. Note that a Hold status means the temporary invalidity of a certificate.

Registration
You may obtain a certificate through applying with a certificate provider such as VeriSign. You need to have a certificate signing request, which contains information such as a web site name, contact email address, and corporate information. The certificate provider would sign the request and produce the certificate accordingly.

Key escrow
Key escrow describes the arrangement in which keys for decrypting encrypted data are held in escrow so that an authorized third person may access those keys only under certain circumstances. For this to work, technical mistrust of the security of the escrow arrangement must be overcome, which is not easy at all.
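The validity check described above (time window, revocation status, the temporary Hold state, and the CRL's own publication timeframe) as an added example that is not part of the study guide: the certificate and CRL are constructed dictionaries rather than parsed X.509 structures, and the status labels and the "stale CRL" rule are assumptions of this example.

```python
"""Certificate status from its validity period and a CRL, including the
temporary 'certificateHold' reason and a CRL that is past its nextUpdate.
Added example, not code from the study guide; records are constructed.
"""
from datetime import datetime

# Constructed CRL: revoked serials -> reason. 'certificateHold' is the
# temporary state the text calls a Hold status.
SAMPLE_CRL = {
    "issuer": "CN=Example Issuing CA",
    "this_update": datetime(2011, 9, 21),
    "next_update": datetime(2011, 9, 28),      # CRL is re-issued weekly (assumed)
    "revoked": {"1001": "keyCompromise", "1002": "certificateHold"},
}


def make_cert(serial, issuer="CN=Example Issuing CA",
              not_before="2011-01-01", not_after="2012-01-01"):
    """Build a constructed certificate record (stand-in for a parsed X.509)."""
    return {"serial": serial, "issuer": issuer,
            "not_before": datetime.fromisoformat(not_before),
            "not_after": datetime.fromisoformat(not_after)}


def crl_is_current(crl, now):
    """A CRL past its next_update must not be trusted: the CA may have
    revoked more certificates since it was published."""
    return crl["this_update"] <= now < crl["next_update"]


def certificate_status(cert, crl, now):
    """Return one of: valid, not-yet-valid, expired, wrong-issuer,
    crl-stale, on-hold, revoked. Checks run cheapest first."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now < cert["not_before"]:
        return "not-yet-valid"
    if now > cert["not_after"]:
        return "expired"
    if cert["issuer"] != crl["issuer"]:
        return "wrong-issuer"          # this CRL says nothing about this cert
    if not crl_is_current(crl, now):
        return "crl-stale"             # fail closed rather than trust old data
    reason = crl["revoked"].get(cert["serial"])
    if reason is None:
        return "valid"
    return "on-hold" if reason == "certificateHold" else "revoked"


if __name__ == "__main__":
    for serial in ("1000", "1001", "1002"):
        print(serial, certificate_status(make_cert(serial), SAMPLE_CRL, "2011-09-22T12:00"))
```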


Chapter 6


Domain 6.0 – Organizational Security

6.1 Explain redundancy planning and its components.

To survive a disaster, redundancy features for hard drives, power supplies, fans, NICs, processors, UPS and the like are critical. The ability to recover relies heavily on the types of backup hardware and media you use. Possible choices include DAT, SDAT, DLT, Super DLT and other optical backup devices.

NOTE:

You use recovery controls to restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation or an accident/disaster.

Hot site, Cold site, Warm site
A hot site is an offsite data processing facility that is fully operational. It is equipped with both hardware and software for emergency use in the event of a disaster. A cold site is an external disaster recovery facility that provides only the physical space for emergency operations. The organization has to have its own hardware and software ready. A warm site is somewhere between the two extremes: not completely "cold", and less expensive than a hot site.

Backup generator
A backup generator should be ready in case the main power generator in your building fails. It can generate power on its own (of course you need to feed it with fuel or another emergency source).

Single point of failure
Single point of failure is about redundancy. If there is a single point of failure, one problem can halt everything. With redundancy in mind, you want to design your infrastructure in such a way that single points of failure are minimized.

RAID
You may use RAID (redundant array of inexpensive disks) to increase disk subsystem performance and reliability. RAID 0 / Data Striping interleaves data across multiple drives, while RAID 5 / Data Striping additionally stores parity bits from two drives on a third drive for fault tolerance. They are both fast.

Spare parts
You want to have commonly used parts ready just in case replacement on the spot is necessary. For hard-to-find older parts you want to stock them, since they may have been discontinued in the market.
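How the parity bits of RAID 5 give fault tolerance, as an added example that is not part of the study guide: it generalises the three-drive case in the text to any number of drives with the parity block rotating across drives, and shows that any single failed drive (data or parity) is rebuilt by XORing the survivors. Block size and sample data are constructed.

```python
"""RAID 5 striping with rotating parity: parity = XOR of a stripe's data
blocks, so any one lost drive is recoverable from the others.
Added example, not code from the study guide; sizes are constructed.
"""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_drives, block_size):
    """Stripe data over n_drives. Each stripe holds n_drives-1 data blocks plus
    one parity block; the parity position rotates per stripe (RAID 5), unlike
    RAID 4 where a single drive holds all parity. Returns a list of drives,
    each a list of blocks."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = n_drives - 1
    blocks = [data[i:i + block_size].ljust(block_size, b"\0")
              for i in range(0, len(data), block_size)]
    while len(blocks) % per_stripe:          # pad the final stripe
        blocks.append(b"\0" * block_size)

    drives = [[] for _ in range(n_drives)]
    for stripe_no, start in enumerate(range(0, len(blocks), per_stripe)):
        parity_drive = stripe_no % n_drives
        chunk = iter(blocks[start:start + per_stripe])
        stripe = [None if d == parity_drive else next(chunk) for d in range(n_drives)]
        stripe[parity_drive] = xor_blocks([b for b in stripe if b is not None])
        for d in range(n_drives):
            drives[d].append(stripe[d])
    return drives


def raid5_rebuild(drives, failed):
    """Reconstruct drive `failed`: every block, data or parity, equals the
    XOR of the other blocks in its stripe."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(drives[0]))]
    return drives[:failed] + [rebuilt] + drives[failed + 1:]


def raid5_read(drives, n_bytes):
    """Read data back in order, skipping each stripe's parity block."""
    n_drives = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_drive = s % n_drives
        for d in range(n_drives):
            if d != parity_drive:
                out += drives[d][s]
    return bytes(out[:n_bytes])


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog" * 3
    array = raid5_write(payload, 4, 8)
    print("blocks per drive:", len(array[0]))
    for lost in range(4):
        repaired = raid5_rebuild(array, lost)
        print(f"drive {lost} lost, data intact:", raid5_read(repaired, len(payload)) == payload)
```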


Redundant servers
A hot spare (aka hot standby) is often implemented as a failover mechanism for providing reliability in system configurations. The hot spare is active and often stays connected as part of a working system, and would switch into operation when a key component fails. A cold spare would require that you do a lot of manual work for the switching. Clustering is the ideal but expensive high availability solution. There are two popular types of cluster servers: the fail-over cluster and the load-balancing cluster. The available types of fail-over clusters include the shared-everything cluster and the shared-nothing cluster. In a shared-nothing cluster model, all servers or cluster nodes in the cluster can own the shared cluster resources, but only one node may own and manage these resources at any one time.

Redundant ISP
With redundant ISPs you are protecting yourself from a totally disconnected situation. You would want to do this if you have a 24x7 requirement and your ISP is not guaranteeing 100% connectivity at all times.

NOTE:

In the service level management discipline we have the Service Level Agreement (SLA), which specifies that a particular level of service is agreed by the contracting parties. An SLA is therefore NOT a type of service contract, but a part of a service contract.

UPS
You use uninterruptible power supplies (UPSs) to protect your network devices against power surges, sags, brownouts, and blackouts. Surges refer to a steady and abrupt change in voltage. Spikes refer to a sudden and drastic change in voltage. Sags refer to a quick dip in available voltage. Brownouts are something of a cross between a sag and a complete blackout, but not a complete loss.

Redundant connections
Dial-on-Demand Routing (DDR) backup refers to the method of bringing up an alternate link should the primary WAN link fail. A router configured for DDR backup can recognize that the connection to the remote site has been lost and use another connection method automatically. ISDN is a good choice for commercial DDR.

6.2 Implement disaster recovery procedures.

Planning
Continuity planning is about creating a plan on how to resume certain interrupted critical functions after a severe disaster. From an IT professional's point of view, it aims at cutting down operational risk resulting from poor security implementations through elements of risk management. Sufficient planning is essential. In your planning effort it is highly recommended that you consider the option of off-site storage. With off-site storage you either replicate data to an outside location or manually take the backup medium to an outside site. This is needed if your site is located in an area where large-scale disasters such as earthquakes or floods are highly possible.

NOTE:

You should publish the backup plan so that everyone is aware of it.


Disaster recovery exercises This is about testing and practicing what you have planned for. In other words, you try out your proposed solutions. Exercises may take place several times a year, to test as many of the recovery processes as possible, in full scale. Backup techniques and practices – storage You may back up your data into removable magnetic media drives such as the Iomega zip drive and the Imation super disk. Connections for these removable magnetic media drives typically come in ATA, USB, PC card, parallel, and floppy cable formats. The most common external interface is USB. Parallel port is rarely in use due to poor performance. Tape media may be cheaper or have a higher capacity (when cost is taken into consideration) than disk media. Tape drives are more suited for complete backups of entire hard drives or servers. Because it is suited best for mass backup, tape can be difficult to use for copying single files. Flash memory media uses a special type of solid state memory chip that requires no power to maintain its contents. Flash memory can be easily moved from digital cameras to notebook or desktop computers and can even be connected directly to photo printers or self-contained display units. Flash memory card readers usually connect to the PC via USB. CD based medium comes in a standard size of 700MB capacity. DVD (digital versatile disk), on the other hand, is a high capacity CD. DVD uses the same optical technology as CD with the main difference being high density. The DVD standard dramatically increases the storage capacity of a CD-ROM sized disc, and is currently available in 2 capacities: 4.7GB and 8GB for the DVD-DL or dual layer standard. Recordable DVD standards include DVD-RAM, DVD-R/RW, and DVD+R/RW. The good thing about these removable media is that you can take the backup away. However, such flexibility can actually produce vulnerability in terms of security. Physical security measures must be in place or the media can be stolen. 
Schemes
You need to define a proper schedule for doing backups. Remember that backing up across the network, or even inside the LAN, consumes bandwidth and can slow things down, so avoid doing backups during peak hours. On the other hand, large-scale backups need time to complete, so you must budget for what to back up and how to get it done within the window. Differential and incremental backups take less time to back up but require more effort (and more sets of media) at restore time. You need to assess the trade-off carefully.

NOTE:

Timing is important: backing up large chunks of data is time and resource consuming, and bandwidth-hungry too. A normal/full backup includes all files: the slowest backup but the fastest restore. An incremental backup copies only what has changed since the last backup of any kind: the fastest backup but the slowest restore. A differential backup copies everything that has changed since the last full backup, so it sits between the two (it grows each day until the next full, but restoring needs only the full plus the newest differential). In any case you must start with a full backup the very first time you back up your data.

Restoration
With a full backup you restore from only one set of media. With differential backups you need two sets: the last full plus the most recent differential. With incremental backups you need the last full plus every incremental taken since it, applied in order, and a single missing or unreadable tape breaks the restore. While the restore is running the network is going to get extremely busy, so it may be a good idea to do it offline and put the restored system back online once it is done.
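The trade-off between full, incremental and differential schedules described above, simulated with the archive-bit behaviour that real backup software relies on. This is an added example, not material from the study guide; the file names and the day-by-day change pattern in CHANGES are constructed for illustration, and copy volume is counted in files rather than bytes.

```python
"""Full, incremental and differential backups, simulated with an archive bit.

Added example, not text from the study guide. The file names and the
day-by-day change pattern in CHANGES are constructed for illustration;
'cost' is measured in files written rather than bytes.
"""
from dataclasses import dataclass


@dataclass
class BackupSet:
    day: int
    kind: str    # "full", "incremental" or "differential"
    files: dict  # file name -> version captured (the day it was last modified)


# Constructed change history: day 0 is the initial state, every later day
# lists the files modified that day.
CHANGES = {
    0: {"payroll.db", "hr.docx", "web.conf", "logo.png"},
    1: {"payroll.db"},
    2: {"payroll.db", "hr.docx"},
    3: {"web.conf"},
    4: {"payroll.db"},
}


def simulate(changes, scheme, cycle_days=7):
    """Run a backup schedule and return the sets it produces, in order.

    A full backup is taken whenever day % cycle_days == 0, so day 0 is always
    a full, as the guide requires. Every modified file has its archive bit
    set; full and incremental backups clear the bit after copying the file,
    differential backups leave it set, which is why a differential keeps
    growing until the next full.
    """
    state = {}            # current version of every file
    archive_bit = set()   # files modified since the last backup that cleared it
    sets = []
    for day in sorted(changes):
        for name in changes[day]:
            state[name] = day
            archive_bit.add(name)
        if day % cycle_days == 0:
            sets.append(BackupSet(day, "full", dict(state)))
            archive_bit.clear()
        elif scheme in ("incremental", "differential"):
            sets.append(BackupSet(day, scheme,
                                  {name: state[name] for name in archive_bit}))
            if scheme == "incremental":
                archive_bit.clear()
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return sets


def files_written(sets):
    """Total copy volume of a schedule, in files (a proxy for time and bandwidth)."""
    return sum(len(s.files) for s in sets)


def restore_plan(sets, target_day):
    """Return the sets that must be applied, in order, to rebuild target_day.

    Nothing after the last full: that full alone. Differential: the last full
    plus only the newest differential. Incremental: the last full plus every
    incremental since it; losing any one of those tapes breaks the restore.
    """
    fulls = [s for s in sets if s.kind == "full" and s.day <= target_day]
    if not fulls:
        raise ValueError("no full backup before target day; cannot restore")
    last_full = fulls[-1]
    later = [s for s in sets if last_full.day < s.day <= target_day]
    if not later:
        return [last_full]
    if later[-1].kind == "differential":
        return [last_full, later[-1]]
    return [last_full] + later


def rebuild(plan):
    """Apply a restore plan and return the resulting file -> version map."""
    restored = {}
    for s in plan:
        restored.update(s.files)
    return restored


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        sets = simulate(CHANGES, scheme)
        plan = restore_plan(sets, 4)
        print(f"{scheme:13s} backup volume: {files_written(sets):2d} files; "
              f"restore of day 4 needs {len(plan)} sets: {[s.day for s in plan]}")
```

Running it shows the guide's point in numbers: over the five constructed days the incremental schedule writes 9 files but needs all five sets to restore day 4, while the differential schedule writes 13 files and restores from two.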


Page 48

6.3 Differentiate between and execute appropriate incident response procedures.

Forensics
Computer forensics is a branch of forensic science that focuses on collecting and processing legal evidence found on digital media. It must adhere to the standards of evidence in order to be admissible in a court of law. Special care has to be taken when handling evidence such as a suspect's files. Possible dangers to the evidence include viruses, electromagnetic damage and booby traps.

Chain of custody
Two roles are worth distinguishing here. An information custodian is usually an IT person whose primary responsibilities are the backup and recovery of business information. A user manager is the immediate manager or supervisor of an employee, with ultimate responsibility for the user IDs and information assets owned by the company's employees. The chain of custody itself is primarily important for criminal investigation and for presenting evidence in court: it records who held the evidence, when, and for what purpose, so that you can show it has not been manipulated. Every evidentiary copy made from the original data source must be validated (in practice by comparing cryptographic hashes of the source and the copy) before it can be claimed to be an exact mirror image of the original.

First responders
Care MUST be taken to protect the original source data. A formal chain-of-evidence record that follows the evidence from capture through to presentation in court must be established and maintained. First responders must keep this in mind: they must preserve the original data as far as possible and avoid tampering with it, working on a verified copy rather than the original wherever they can.

Damage and loss control
For damage control the best thing to do is to isolate the affected systems. Containment is the key at this stage. Once the problem is contained, you work on recovering from the losses.

Reporting – disclosure of
Your staff must be told whom to report an incident to when things go wrong. Every detail must be properly documented and later incorporated into an incident report prepared by the investigating staff.
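The two checks the forensics and chain-of-custody paragraphs ask for, validating that a copy is an exact mirror of the source and keeping a tamper-evident custody record, as an added example that is not part of the study guide. SOURCE_IMAGE is a constructed byte string standing in for an acquired disk image; on a real case the same digest() is run over the block device and over the image file. The log format, field names and the hash-chaining of entries are this example's own design, not a standard.

```python
"""Validate a forensic copy against its source and keep a chain-of-custody log.

Added example, not from the study guide. SOURCE_IMAGE is a constructed byte
string standing in for an acquired disk image; on a real case the same
digest() would be run over the block device and over the image file.
"""
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 16
GENESIS = "0" * 64   # 'prev' value of the first custody entry

# Constructed stand-in for the evidence media and the image taken from it.
SOURCE_IMAGE = b"constructed-evidence-block " * 4096


def digest(stream, algo="sha256"):
    """Hash a file-like object in chunks so images larger than RAM work."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_copy(source, copy):
    """Return (is_exact_mirror, source_hash, copy_hash) for two byte strings.

    A copy may only be called an exact mirror of the original if the two
    digests match; one flipped byte anywhere changes the digest completely.
    """
    src = digest(io.BytesIO(source))
    cp = digest(io.BytesIO(copy))
    return hmac.compare_digest(src, cp), src, cp


def _entry_hash(entry):
    # Canonical JSON so the hash does not depend on key order or whitespace.
    return hashlib.sha256(
        json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record (this example's own format).

    Every entry carries the hash of the previous entry, so editing or removing
    any earlier entry is detectable. The hash of the newest entry (the 'head')
    should be copied into the signed paper record or a separate store; a
    later verify() that yields a different head shows the log was altered.
    """

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, evidence_hash, action, handler, when=None):
        entry = {
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,  # re-hashed at each hand-over
            "action": action,
            "handler": handler,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "prev": _entry_hash(self.entries[-1]) if self.entries else GENESIS,
        }
        self.entries.append(entry)
        return _entry_hash(entry)   # new head hash

    def verify(self):
        """Return the head hash if the chain is intact, None if it is broken."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return None
            prev = _entry_hash(entry)
        return prev if self.entries else None


if __name__ == "__main__":
    ok, src_hash, copy_hash = verify_copy(SOURCE_IMAGE, bytes(SOURCE_IMAGE))
    print("image verified:", ok, src_hash[:16])
    log = CustodyLog()
    log.record("HDD-0001", src_hash, "acquired at scene", "first responder")
    head = log.record("HDD-0001", copy_hash, "handed to lab", "forensic examiner")
    print("custody head:", head[:16], "intact:", log.verify() == head)
```

The hash chain only makes alteration detectable; it does not say who altered the log. That is why the head hash belongs in the signed paper record as well, and why each hand-over re-hashes the evidence itself, not just the log.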
6.4 Identify and explain applicable legislation and organizational policies.

Secure disposal of computers
Most environmental concerns with computers lie with the traditional monitor (the cathode ray tube, CRT). Security-wise, disposal of equipment can be a problem because of dumpster diving. If you have old hard drives to dispose of, you should thoroughly "clean" them first. You may hire a company to degauss your drives, or buy the necessary equipment and do it yourself, but the equipment is very expensive, and a degaussed drive is unusable afterwards. You may also download and use DBAN, which overwrites all the data for a number of passes. Overwriting is reliable only on media that rewrite in place, such as conventional magnetic hard drives; flash media remap writes (wear levelling) and may keep copies of old data, and a drive that no longer spins cannot be overwritten at all, so physical destruction is the safe choice in those cases.

Acceptable use policies
State the acceptable use policy clearly up front to avoid later disputes. Make sure your staff are fully informed about the policy and the consequences of not following it.
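The multi-pass overwrite that the secure-disposal paragraph describes, with the read-back verification step a practitioner wants before signing off on a wipe. This is an added example; it is not DBAN's code and not from the study guide. It overwrites a file in place, the way a disk wiper overwrites a device, using a constructed temporary file as the target. The same caveat as above applies: overwriting through a filesystem does not reach old copies kept by journaling or copy-on-write filesystems, nor remapped blocks on flash, so for real disposal run such a tool against the whole device or destroy the media.

```python
"""Multi-pass overwrite with read-back verification.

Added example, not from the study guide and not DBAN's code. It overwrites a
file in place, the way a disk wiper overwrites a device, then reads it back
to confirm the final pass landed. The demo target is a constructed temporary
file. Caveat: overwriting through a filesystem does not reach old copies kept
by journaling or copy-on-write filesystems, and flash media remap writes
(wear levelling), so for real disposal run such a tool against the whole
device or destroy the media.
"""
import os
import secrets
import tempfile

# One all-zero, one all-one and one random pass, then a final zero pass so the
# read-back check has a known pattern to look for.
PASSES = (b"\x00", b"\xff", None, b"\x00")


def _write_all(fd, data):
    """os.write may write fewer bytes than asked; loop until it is all out."""
    view = memoryview(data)
    while len(view):
        n = os.write(fd, view)
        view = view[n:]


def overwrite(path, passes=PASSES, chunk=1 << 20):
    """Overwrite every byte of path once per pass, forcing each pass to disk."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                _write_all(fd, secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            os.fsync(fd)   # a pass that only reached the page cache wiped nothing
    finally:
        os.close(fd)
    return len(passes)


def verify_pattern(path, byte=b"\x00", chunk=1 << 20):
    """True if every byte of path equals the final pass pattern."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            if block.count(byte) != len(block):
                return False
    return True


def wipe_demo():
    """Create a constructed file with a recognisable secret, wipe it, verify."""
    secret = b"PAYROLL-ACCOUNT-1234 " * 50_000   # constructed sensitive content
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        overwrite(path)
        with open(path, "rb") as f:
            leftover = b"PAYROLL" in f.read()
        return (verify_pattern(path) and not leftover
                and os.path.getsize(path) == len(secret))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("wipe verified:", wipe_demo())
```

The fsync after each pass matters: without it the operating system may merge the passes in its cache and write the media only once, which defeats the purpose of multiple passes.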


Page 49

Password complexity
Fixed passwords are used for a defined period of time and are often easy for attackers to compromise. Dynamic or one-time passwords are different for each log-on and are preferred over fixed passwords. Generally speaking, dynamic passwords are produced by a token: the codes look random, but they are derived from a secret key shared with the authentication server combined with a counter or the current time, so the server can compute the same code, and a captured code is useless once it has been used.

Change management
Security controls tend to degrade over time because an organization is constantly changing, so change management must be thoroughly considered. You cannot afford to ignore change control. Change controls regulate changes to the configurations currently in place: you use them to maintain the integrity of the network gear in place through systematic control of configuration changes.

Classification of information
Classifying corporate information by business risk, data value or other criteria makes good business sense because not all information has the same value or use. Data classification is a good way to lower the cost of protecting data and to improve the overall quality of corporate decision making. It is always recommended, for all types of business. When establishing a data classification scheme, it is recommended that you have a corporate policy stating that data is an asset of the corporation and must be protected. That policy must state that information will be classified based on data value, sensitivity, risk of loss or compromise, and legal and retention requirements. Such a policy document gives the IS officer the authority needed to start and implement the project.

The Orange Book is the US Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Although originally written for military systems, its security classifications are now broadly used within the computer industry. The Orange Book categories range from D (Minimal Protection) to A (Verified Protection).
Mandatory vacations
Mandatory vacation for employees as a security measure is often debated. The argument for it is that while an employee is away the company has time to check and inspect their work; fraud that depends on the employee being present every day to cover it up tends to surface during the absence.

Personally Identifiable Information (PII)
Personally identifiable information identifies you as a specific person. It includes name, mailing address, e-mail address, phone number, birth date, and so on.

Due care / Due diligence / Due process
Due care describes the conduct that a reasonable person would exercise in a particular situation. Due diligence is the performance of an investigation with a certain standard of care. Due process is the principle that the government must respect all of an individual's legal rights.

SLA
Refer to the previous section on Redundant ISP for information on SLAs.


Page 50

Security-related HR policy
Thorough background checks may be required as part of recruitment. This is especially applicable when the company works with highly sensitive information all the time. Make sure you hire only trustworthy people, and realize that the majority of threats come from internal sources.

User education and awareness training
Awareness building and training are the keys to a successful security implementation. Unintentional user errors are a major source of weakness in any security implementation.

6.5 Explain the importance of environmental controls.

Fire suppression
The primary risk to people during a fire is smoke inhalation; combustion, on the other hand, damages your equipment. The elements that sustain combustion are fuel, oxygen, heat and a chemical chain reaction (the fire tetrahedron); every suppression agent works by removing one of them.

HVAC
HVAC stands for heating, ventilating and air conditioning; it is all about climate control. Computer equipment can be damaged by excessive heat and moisture. At the same time, even a highly secure computer room needs proper air circulation and climate control, or the people working in it will have difficulty staying there.

Shielding
Proper shielding of communication wires (such as network cables) is essential for protecting against wiretapping, and especially against emanation, the signals a cable radiates that can be picked up without a physical tap. Shielding against shoulder surfing refers to the use of some means to block the viewing of one's activities. See the section on shoulder surfing for further information.

6.6 Explain the concept of and how to reduce the risks of social engineering.
Technically speaking, all social engineering techniques are based on flaws in human judgement known as cognitive biases. These biases are used in various combinations to create attack techniques.

Phishing / Hoaxes
Phishing refers to e-mails that appear to come from a legitimate business, requesting "verification" of information and warning of some dire consequence if it is not done.
A hoax is a deliberate attempt to deceive or trick someone into believing that something is real when in fact it is not.

Shoulder surfing
Shoulder surfing is the use of direct observation to gain information without the victim's consent. To prevent it, shield paperwork, the screen display or the keypad from view by whatever means works comfortably for the user.


Page 51

Dumpster diving
As said previously, dumpster diving is the act of rummaging through trash to find useful items. It is sometimes called information diving, and it works because most people simply do not consider the sensitivity of what they throw away; shredding documents and wiping media before disposal removes the opportunity.

User education and awareness training
Social engineering attacks can only be effectively prevented by non-computer means, particularly education and awareness training.

NOTE:

Social engineering attacks exploit flaws in human logic, so proper training is the only effective defence against them.
