Security+ Guide to Network Security Fundamentals, Second Edition

Chapter 1: Information Security Fundamentals

Objectives
• Identify the challenges for information security
• Define information security
• Explain the importance of information security

Objectives (continued)
• List and define information security terminology
• Describe the CompTIA Security+ certification exam
• Describe information security careers

Identifying the Challenges for Information Security
• The challenge of keeping networks and computers secure has never been greater
• A number of trends illustrate why security is becoming increasingly difficult
• Many trends have resulted in security attacks growing at an alarming rate
Identifying the Challenges for Information Security (continued)
• The Computer Emergency Response Team (CERT) security organization compiles statistics on the number of reported attacks; the trends that make defense harder include:
– Speed of attacks
– Sophistication of attacks
– Faster detection of weaknesses
– Distributed attacks
– Difficulties of patching

Defining Information Security
• Information security:
– The tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network
Defining Information Security (continued)
• Ensures that protective measures are properly implemented
• Is intended to protect information
• Involves more than protecting the information itself

Defining Information Security (continued)
• Three characteristics of information must be protected by information security:
– Confidentiality
– Integrity
– Availability
• Center of diagram shows what needs to be protected (information)
• Information security is achieved through a combination of three entities: products, people, and procedures

Understanding the Importance of Information Security
• Information security is important to businesses:
– Prevents data theft
– Avoids legal consequences of not securing information
– Maintains productivity
– Foils cyberterrorism
– Thwarts identity theft
Preventing Data Theft
• Security is often associated with theft prevention
• Drivers install security systems on their cars to prevent the cars from being stolen
• The same is true with information security: businesses cite preventing data theft as the primary goal of information security

Preventing Data Theft (continued)
• Theft of data is the single largest cause of financial loss due to a security breach
• One of the most important objectives of information security is to protect important business and personal data from theft

Avoiding Legal Consequences
• Businesses that fail to protect data may face serious penalties
• Laws include:
– The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– The Sarbanes-Oxley Act of 2002 (Sarbox)
– The Gramm-Leach-Bliley Act (GLBA)
– USA PATRIOT Act of 2001

Maintaining Productivity
• After an attack on information security, clean-up efforts divert resources, such as time and money, away from normal activities
• A Corporate IT Forum survey of major corporations showed:
– Each attack costs a company an average of $213,000 in lost man-hours and related costs
– One-third of corporations reported an average of more than 3,000 man-hours lost
Foiling Cyberterrorism
• An area of growing concern among defense experts is surprise attacks by terrorist groups using computer technology and the Internet (cyberterrorism)
• These attacks could cripple a nation's electronic and commercial infrastructure
• The challenge in combating cyberterrorism is that many prime targets are not owned and managed by the federal government

Thwarting Identity Theft
• Identity theft involves using someone's personal information, such as a social security number, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating
• National, state, and local legislation continues to be enacted to deal with this growing problem
– The Fair and Accurate Credit Transactions Act of 2003 is a federal law that addresses identity theft

Understanding Information Security Terminology
Exploring the CompTIA Security+ Certification Exam
• Since 1982, the Computing Technology Industry Association (CompTIA) has been working to advance the growth of the IT industry
• CompTIA is the world's largest developer of vendor-neutral IT certification exams
• The CompTIA Security+ certification tests for mastery in security concepts and practices

Exploring the CompTIA Security+ Certification Exam (continued)
• The exam was designed with input from security industry leaders, such as VeriSign, Symantec, RSA Security, Microsoft, Sun, IBM, Novell, and Motorola
• The Security+ exam is designed to cover a broad range of security topics categorized into five areas or domains

Surveying Information Security Careers
• Information security is one of the fastest growing career fields
• As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities

Surveying Information Security Careers (continued)
• Sometimes divided into three general roles:
– Security manager: develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues
– Security engineer: designs, builds, and tests security solutions to meet policies and address business needs
– Security administrator: configures and maintains security solutions to ensure proper service levels and availability
Summary
• The challenge of keeping computers secure is becoming increasingly difficult
• Attacks can be launched without human intervention and infect millions of computers in a few hours
• Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures

Summary (continued)
• Information security has its own set of terminology
• A threat is an event or an action that can defeat security measures and result in a loss
• CompTIA has been working to advance the growth of the IT industry and those individuals working within it
• CompTIA is the world's largest developer of vendor-neutral IT certification exams

Chapter 2: Attackers and Their Attacks

Objectives
• Develop attacker profiles
• Describe basic attacks
• Describe identity attacks
• Identify denial of service attacks
• Define malicious code (malware)
Developing Attacker Profiles
• Six categories:
– Hackers
– Crackers
– Script kiddies
– Spies
– Employees
– Cyberterrorists

Hackers
• A person who uses advanced computer skills to attack computers, but not with malicious intent
• Use their skills to expose security flaws

Crackers
• A person who violates system security with malicious intent
• Have advanced knowledge of computers and networks and the skills to exploit them
• Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks
Script Kiddies
• Break into computers to create damage
• Are unskilled users
• Download automated hacking software from Web sites and use it to break into computers
• Tend to be young computer users with almost unlimited amounts of leisure time, which they can use to attack systems

Spies
• A person hired to break into a computer and steal information
• Do not randomly search for unsecured computers to attack
• Hired to attack a specific computer that contains sensitive information

Employees
• One of the largest information security threats to business
• Employees break into their company's computers for these reasons:
– To show the company a weakness in its security
– To say, "I'm smarter than all of you"
– For money

Cyberterrorists
• Experts fear terrorists will attack the network and computer infrastructure to cause panic
• Cyberterrorists' motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
• One of the targets highest on the list of cyberterrorists is the Internet itself
Cyberterrorists (continued)
• Three goals of a cyberattack:
– Deface electronic information to spread disinformation and propaganda
– Deny service to legitimate computer users
– Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data

Understanding Basic Attacks
• Today, the global computing infrastructure is the most likely target of attacks
• Attackers are becoming more sophisticated, moving away from searching for bugs in specific software applications toward probing the underlying software and hardware infrastructure itself

Social Engineering
• The easiest way to attack a computer system requires almost no technical ability and is usually highly successful
• Social engineering relies on tricking and deceiving someone to gain access to a system
• Social engineering is not limited to telephone calls or dated credentials

Social Engineering (continued)
• Dumpster diving: digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
• Phishing: sending people electronic requests for information that appear to come from a valid source
Social Engineering (continued)
• Develop strong instructions or company policies regarding:
– When passwords are given out
– Who can enter the premises
– What to do when asked questions by another employee that may reveal protected information
• Educate all employees about the policies and ensure that these policies are followed

Password Guessing
• Password: a secret combination of letters and numbers that validates or authenticates a user
• Passwords are used with usernames to log on to a system using a dialog box
• Attackers attempt to exploit weak passwords by password guessing

Password Guessing (continued)
• Characteristics of weak passwords:
– Using a short password (XYZ)
– Using a common word (blue)
– Using personal information (name of a pet)
– Using the same password for all accounts
– Writing the password down and leaving it under the mouse pad or keyboard
– Not changing passwords unless forced to do so
Password Guessing (continued)
• Brute force: the attacker attempts to create every possible password combination by changing one character at a time, using each newly generated password to access the system
• Dictionary attack: takes each word from a dictionary and encodes it (hashing) in the same way the computer encodes a user's password, then compares the result with the stored value

Password Guessing (continued)
• Software exploitation: takes advantage of any weakness in software to bypass security requiring a password
– Buffer overflow: occurs when a computer program attempts to stuff more data into a temporary storage area than it can hold
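The two guessing attacks above, worked through in code. This is an added example and not part of the original slides: the wordlist, the user accounts and their passwords are constructed, and the "store" is a dictionary standing in for a password file. The first store keeps a plain SHA-256 of each password, which is exactly what a dictionary attack needs; the second salts each password with random bytes and uses PBKDF2 (an iterated, deliberately slow hash), which is the standard hardening against both attacks.

```python
import hashlib
import itertools
import os
from typing import Optional

# Constructed sample data (not from the original page): a small wordlist and
# a password store that keeps a plain, unsalted SHA-256 of each password,
# i.e. it "encodes a user's password" with nothing but a hash.
WORDLIST = ["password", "letmein", "blue", "dragon", "summer2004", "qwerty"]


def plain_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


UNSALTED_STORE = {
    "alice": plain_hash("blue"),  # a common word
    "bob": plain_hash("xyz"),     # a short password
    "carol": plain_hash("blue"),  # the same password as alice
}


def dictionary_attack(target_hash: str, wordlist) -> Optional[str]:
    """Hash each candidate exactly as the system does and compare."""
    for word in wordlist:
        if plain_hash(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Try every combination up to max_len characters, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if plain_hash(candidate) == target_hash:
                return candidate
    return None


def duplicates_visible(store: dict) -> bool:
    """With unsalted hashes, users who share a password share a hash, so one
    crack (or one precomputed table) covers every such account at once."""
    hashes = list(store.values())
    return len(hashes) != len(set(hashes))


# Hardened store: per-user random salt and a deliberately slow, iterated hash.
def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_store(passwords: dict, iterations: int = 100_000) -> dict:
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, iterations, pbkdf2_hash(pw, salt, iterations))
    return store


def dictionary_attack_salted(entry, wordlist) -> Optional[str]:
    """The attack still works against a weak password, but every guess now
    costs `iterations` hash computations and must be redone for each user,
    because each user's salt is different."""
    salt, iterations, target = entry
    for word in wordlist:
        if pbkdf2_hash(word, salt, iterations) == target:
            return word
    return None


if __name__ == "__main__":
    print(dictionary_attack(UNSALTED_STORE["alice"], WORDLIST))
    print(brute_force(UNSALTED_STORE["bob"], "abcdefghijklmnopqrstuvwxyz", 3))
    salted = make_salted_store({"alice": "blue", "carol": "blue"}, iterations=1_000)
    print(duplicates_visible(UNSALTED_STORE), duplicates_visible(salted))
```

The point of the salted store is not that "blue" becomes uncrackable (it does not), but that the attacker can no longer hash the wordlist once and compare it against every account, and that each guess costs as much work as the defender chooses.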

Password Guessing (continued)
• Policies to minimize password-guessing attacks:
– Passwords must have at least eight characters
– Passwords must contain a combination of letters, numbers, and special characters
– Passwords should expire at least every 30 days
– Passwords cannot be reused for 12 months
– The same password should not be duplicated and used on two or more systems
– Note: current guidance (NIST SP 800-63B) no longer recommends forced periodic expiration; it favors screening new passwords against lists of breached passwords and changing a password when there is evidence it has been compromised

Weak Keys
• Cryptography:
– The science of transforming information so it is secure while being transmitted or stored
– Does not attempt to hide the existence of data; it "scrambles" data so it cannot be viewed by unauthorized users
Weak Keys (continued)
• Encryption: changing the original text to a secret message using cryptography
• The success of cryptography depends on the process used to encrypt and decrypt messages
• The process is based on algorithms

Weak Keys (continued)
• The algorithm is given a key that it uses to encrypt the message
• Any mathematical key that creates a detectable pattern or structure (a weak key) provides an attacker with valuable information to break the encryption
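A concrete weak key, as an added example that is not from the original slides: a short key reused across a long message under XOR leaves a periodic structure in the ciphertext, and the cryptanalysis below exploits exactly that structure to recover the key from ciphertext alone. The message and the key `WEAK` are constructed for the example; the letter-frequency table, the 0.6 ratio used to shortlist key lengths and the 12-byte maximum key length are assumptions chosen for this message, not values from the page.

```python
from typing import Dict, List

# Approximate English letter frequencies (percent), with space included,
# used to judge whether a candidate decryption "looks like" English.
ENGLISH_FREQ: Dict[str, float] = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074, " ": 13.0,
}

# Constructed sample message (not from the original page).
PLAINTEXT = (
    b"Any mathematical key that creates a detectable pattern or structure gives "
    b"an attacker a foothold. A short key that repeats across a long message is "
    b"the classic case: every fourth byte of the ciphertext was combined with the "
    b"same key byte, so each of those positions is just a single byte substitution "
    b"of English text, and English text is far from random. The attacker first "
    b"measures how regular the ciphertext is to find the period, then treats each "
    b"position independently and picks the key byte that turns that column back "
    b"into something that looks like English."
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def index_of_coincidence(column: bytes) -> float:
    """Probability that two bytes drawn from the column are equal. English is
    roughly 0.065 or higher; a column mixing several key bytes is much lower."""
    n = len(column)
    if n < 2:
        return 0.0
    counts: Dict[int, int] = {}
    for b in column:
        counts[b] = counts.get(b, 0) + 1
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def candidate_key_lengths(ct: bytes, max_len: int = 12) -> List[int]:
    """Split the ciphertext into k columns for each candidate k. At the true
    period (and its multiples) every column is English shifted by one byte,
    so its index of coincidence stays high: that is the detectable pattern."""
    ics = {k: sum(index_of_coincidence(ct[i::k]) for i in range(k)) / k
           for k in range(1, max_len + 1)}
    top = max(ics.values())
    return [k for k, v in ics.items() if v >= 0.6 * top]


def english_score(text: bytes) -> float:
    score = 0.0
    for b in text:
        c = chr(b).lower()
        if c in ENGLISH_FREQ:
            score += ENGLISH_FREQ[c]
        elif not (32 <= b < 127 or b in (9, 10, 13)):
            score -= 20.0  # control or high bytes almost never occur in English
    return score


def shortest_period(key: bytes) -> bytes:
    """Collapse WEAKWEAK to WEAK if a multiple of the period was chosen."""
    for p in range(1, len(key) + 1):
        if len(key) % p == 0 and key == key[:p] * (len(key) // p):
            return key[:p]
    return key


def recover_key(ct: bytes, key_len: int) -> bytes:
    """Each column is a single-byte XOR: try all 256 bytes and keep the one
    whose decryption scores most like English."""
    key = bytearray()
    for pos in range(key_len):
        column = ct[pos::key_len]
        best = max(range(256),
                   key=lambda kb: english_score(bytes(c ^ kb for c in column)))
        key.append(best)
    return shortest_period(bytes(key))


def break_repeating_xor(ct: bytes) -> bytes:
    """Try each shortlisted length; keep the key whose full decryption reads
    best. Ties go to the shortest key, which is tried first."""
    best_key, best_score = b"", float("-inf")
    for k in candidate_key_lengths(ct):
        key = recover_key(ct, k)
        score = english_score(xor_with_key(ct, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


if __name__ == "__main__":
    ct = xor_with_key(PLAINTEXT, b"WEAK")
    print(candidate_key_lengths(ct), break_repeating_xor(ct))
```

The degenerate case is also worth noting: an all-zero key leaves the ciphertext identical to the plaintext, the most "detectable pattern" possible.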

Mathematical Attacks
• Cryptanalysis: the process of attempting to break an encrypted message
• Mathematical attack: analyzes characters in an encrypted text to discover the keys and decrypt the data

Birthday Attacks
• Birthday paradox:
– When you meet someone for the first time, you have a 1 in 365 chance (about 0.27%) that he has the same birthday as you
– In a group of 60 people, the probability that some two of them share a birthday is over 99% (the chance that one of them shares your birthday is only about 15%; the paradox is about any pair, not a fixed person)
• Birthday attack: an attack on a cryptographic system that exploits the mathematics underlying the birthday paradox
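The birthday paradox computed, and the attack it implies, as an added example that is not from the original slides. The first two functions give the two probabilities that are easy to confuse: any pair sharing a birthday versus someone sharing yours. The collision search then applies the same mathematics to a hash: with an output truncated to `bits` bits, two inputs with the same output appear after about the square root of 2^bits attempts, not 2^bits. The 24-bit truncation of SHA-256 and the `msg-N` message prefix are constructed for the example.

```python
import hashlib
import math
from typing import Tuple


def prob_any_two_share(n: int, days: int = 365) -> float:
    """P(at least two of n people share a birthday) = 1 - prod(1 - i/days)."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct


def prob_someone_shares_yours(n: int, days: int = 365) -> float:
    """P(at least one of n other people has your birthday)."""
    return 1.0 - (1 - 1 / days) ** n


def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a stand-in for a short hash."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Expected number of hashes before the first collision, sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages and remember every output until
    one repeats. Returns (first_message, second_message, attempts)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    print(f"23 people, any pair: {prob_any_two_share(23):.3f}")
    print(f"60 people, any pair: {prob_any_two_share(60):.4f}")
    print(f"60 people, yours:    {prob_someone_shares_yours(60):.3f}")
    m1, m2, n = find_collision(24)
    print(f"24-bit collision after {n} hashes (expected ~{expected_attempts(24):.0f}):",
          m1, m2)
```

This is why a digital signature or certificate scheme needs a hash whose output is twice as long as the security level it claims: a 64-bit hash falls to a birthday search of roughly 2^32 evaluations.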
Examining Identity Attacks
• A category of attacks in which the attacker attempts to assume the identity of a valid user

Man-in-the-Middle Attacks
• Make it seem that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them
• Can be active or passive:
– Passive attack: the attacker captures sensitive data being transmitted and sends it to the original recipient without his presence being detected
– Active attack: the contents of the message are intercepted and altered before being sent on

Replay
• Similar to an active man-in-the-middle attack
• Whereas an active man-in-the-middle attack changes the contents of a message before sending it on, a replay attack only captures the message and then sends it again later
• Takes advantage of communications between a network device and a file server

TCP/IP Hijacking
• With wired networks, TCP/IP hijacking uses spoofing, which is the act of pretending to be the legitimate owner
• One particular type of spoofing is Address Resolution Protocol (ARP) spoofing
• ARP spoofing exploits the way addresses are resolved: each computer using TCP/IP must have a unique IP address
TCP/IP Hijacking (continued)
• Certain types of local area networks (LANs), such as Ethernet, must also have another address, called the media access control (MAC) address, to move information around the network
• Computers on a network keep a table (the ARP cache) that links an IP address with the corresponding MAC address
• In ARP spoofing, an attacker changes the table so packets are redirected to his computer

Identifying Denial of Service Attacks
• A denial of service (DoS) attack attempts to make a server or other network device unavailable by flooding it with requests
• After a short time, the server runs out of resources and can no longer function
• One common form is known as a SYN attack (SYN flood) because it exploits the TCP SYN/ACK "handshake": the server reserves resources for each half-open connection that the attacker never completes
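Detecting the ARP cache manipulation described above from traffic, as an added example that is not from the original slides. The log lines are constructed in the format tcpdump prints for ARP replies (not a real capture): a legitimate gateway reply, a normal host, and then a third machine answering for both of their IP addresses with its own MAC. The pinned gateway entry in `KNOWN_STATIC` is an assumption; on a real host the same pin is made with `arp -s`.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed tcpdump-style ARP reply lines (not captured from a real network).
SAMPLE_LOG = """\
12:00:01.000101 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000112 ARP, Reply 10.0.0.23 is-at 00:11:22:33:44:23, length 28
12:00:05.000223 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.000301 ARP, Reply 10.0.0.23 is-at de:ad:be:ef:00:99, length 28
12:00:06.000330 ARP, Reply 10.0.0.40 is-at 00:11:22:33:44:40, length 28
"""

# Assumed static table for hosts that must never change, e.g. the gateway.
KNOWN_STATIC: Dict[str, str] = {"10.0.0.1": "00:11:22:33:44:01"}

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(log: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) from every ARP reply line; other lines are ignored."""
    replies = []
    for line in log.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            replies.append((m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_spoofing(log: str, known: Dict[str, str] = KNOWN_STATIC,
                        max_ips_per_mac: int = 1) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) pairs from three independent signals:
    a reply that contradicts a pinned entry, one IP announced by more than
    one MAC, and one MAC announcing more IPs than a host normally owns."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts: List[Tuple[str, str]] = []
    for ip, mac in parse_arp_replies(log):
        if ip in known and known[ip] != mac:
            alerts.append(("static-mismatch",
                           f"{ip} claimed by {mac}, pinned to {known[ip]}"))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(("ip-conflict", f"{ip} -> {sorted(macs)}"))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("multi-ip", f"{mac} claims {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_spoofing(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

The static-mismatch check is the strongest signal because it does not depend on having seen the legitimate reply first; the other two catch an attacker poisoning hosts the monitor has no pins for.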

Identifying Denial of Service Attacks (continued)
• Another DoS attack tricks computers into responding to a false request
• An attacker can send a request to all computers on the network making it appear a server is asking for a response
• Each computer then responds to the server, overwhelming it, and causing the server to crash or be unavailable to legitimate users
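Why a SYN flood exhausts a server, and the stateless defense (SYN cookies) that removes the resource being exhausted, as an added example that is not from the original slides. The server secret, the MSS table, the addresses and the spoofed sources are constructed; the cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC in the initial sequence number) follows the general SYN-cookie idea but is a simplified encoding for illustration, not any particular operating system's.

```python
import hashlib
import hmac
from typing import Optional, Set, Tuple

# Assumed values for the example (not from the page): a server secret that a
# real listener would generate at boot, and the short table of MSS values the
# cookie can encode in 3 bits.
SERVER_SECRET = b"constructed-syn-cookie-secret"
MSS_TABLE = [536, 1220, 1440, 1460]
SERVER = ("10.0.0.5", 80)


def _mac24(peer: Tuple[str, int], counter: int) -> int:
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = f"{peer[0]}:{peer[1]}>{SERVER[0]}:{SERVER[1]}|{counter}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")


def make_syn_cookie(peer: Tuple[str, int], mss_index: int, counter: int) -> int:
    """SYN-ACK initial sequence number: 5-bit counter | 3-bit MSS index |
    24-bit MAC. The server keeps no record of the half-open connection."""
    return ((counter & 0x1F) << 27) | ((mss_index & 0x7) << 24) | _mac24(peer, counter)


def check_syn_cookie(peer: Tuple[str, int], ack_number: int, now_counter: int,
                     max_age: int = 2) -> Optional[int]:
    """Validate the handshake's final ACK (it carries our ISN + 1) with no
    stored state. Returns the MSS to use, or None if the cookie is stale,
    tampered with, or was minted for a different peer."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter, mss_index = cookie >> 27, (cookie >> 24) & 0x7
    if ((now_counter - counter) & 0x1F) > max_age:
        return None
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(_mac24(peer, counter).to_bytes(3, "big"), got):
        return None
    return MSS_TABLE[mss_index] if mss_index < len(MSS_TABLE) else None


class BacklogListener:
    """Conventional listener: every SYN reserves a half-open slot until the
    ACK arrives or a timeout expires, so spoofed SYNs fill the backlog."""
    def __init__(self, capacity: int):
        self.capacity = capacity
        self.half_open: Set[Tuple[str, int]] = set()

    def on_syn(self, peer: Tuple[str, int]) -> bool:
        if len(self.half_open) >= self.capacity:
            return False  # backlog full: legitimate SYNs are dropped too
        self.half_open.add(peer)
        return True


class CookieListener:
    """Stateless listener: nothing is stored per SYN; the cookie is the state."""
    def __init__(self):
        self.counter = 0  # would advance every minute or so on a real host

    def on_syn(self, peer: Tuple[str, int]) -> int:
        return make_syn_cookie(peer, 3, self.counter)

    def on_ack(self, peer: Tuple[str, int], ack_number: int) -> Optional[int]:
        return check_syn_cookie(peer, ack_number, self.counter)


def flood_then_connect(n_spoofed: int, capacity: int) -> Tuple[bool, bool]:
    """Send n_spoofed SYNs that never complete, then one legitimate handshake.
    Returns whether the backlog listener and the cookie listener accept it."""
    backlog, cookie = BacklogListener(capacity), CookieListener()
    for i in range(n_spoofed):
        peer = (f"198.51.100.{i % 250 + 1}", 40000 + i)  # constructed spoofed sources
        backlog.on_syn(peer)
        cookie.on_syn(peer)
    legit = ("203.0.113.7", 51515)
    backlog_ok = backlog.on_syn(legit)
    isn = cookie.on_syn(legit)
    cookie_ok = cookie.on_ack(legit, (isn + 1) & 0xFFFFFFFF) is not None
    return backlog_ok, cookie_ok


if __name__ == "__main__":
    print(flood_then_connect(1000, 128))  # backlog listener fails, cookie listener survives
```

The trade-off a practitioner should know: because the cookie only has 32 bits to work with, the server forgets any TCP options the client sent other than the encoded MSS, which is why most stacks enable cookies only once the backlog is actually under pressure.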
Identifying Denial of Service Attacks (continued)
• Distributed denial-of-service (DDoS) attack:
– Instead of using one computer, a DDoS may use hundreds or thousands of computers
– DDoS works in stages

Understanding Malicious Code (Malware)
• Consists of computer programs designed to break into computers or to create havoc on computers
• Most common types:
– Viruses
– Worms
– Logic bombs
– Trojan horses
– Back doors

Viruses
• Programs that secretly attach to another document or program and execute when that document or program is opened
• Might contain instructions that cause problems ranging from displaying an annoying message to erasing files from a hard drive or causing a computer to crash repeatedly

Viruses (continued)
• Antivirus software defends against viruses
• The drawback of antivirus software is that it must be updated to recognize new viruses
• Updates (definition files or signature files) can be downloaded automatically from the Internet to a user's computer
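What a signature file actually contains and why it goes stale, as an added example that is not from the original slides. The signature database, the sample files and the "EVIL" marker are all constructed; nothing here comes from a real antivirus product. Each signature is a byte pattern with `??` wildcards, compiled to a regular expression over bytes; a hash blocklist is included for comparison because it is an even narrower kind of signature.

```python
import hashlib
import re
from typing import Dict, List

# Constructed signature database (not a real AV database): a name and a hex
# byte pattern; "??" is a wildcard for exactly one byte.
SIGNATURES: Dict[str, str] = {
    "Demo.Dropper.A": "4d 5a 90 00 ?? ?? 45 56 49 4c",  # MZ header ... "EVIL"
    "Demo.Macro.B": "41 75 74 6f 4f 70 65 6e",          # "AutoOpen"
}

# A hash blocklist identifies one exact file and nothing else.
BAD_SHA256 = set()


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn '4d 5a ?? 45' into a bytes regex; re.escape keeps bytes such as
    0x2e ('.') or 0x5b ('[') from being read as regex syntax."""
    parts = hex_pattern.split()
    regex = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                     for p in parts)
    return re.compile(regex, re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan_bytes(data: bytes) -> List[str]:
    """Names of every signature that matches anywhere in the data."""
    hits = [name for name, rx in COMPILED.items() if rx.search(data)]
    if hashlib.sha256(data).hexdigest() in BAD_SHA256:
        hits.append("Blocklist.Hash")
    return sorted(hits)


def scan_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: scan_bytes(data) for name, data in samples.items()}


# Constructed sample "files" (not real malware): a clean executable, the
# sample the signature was written from, a variant with one byte changed,
# and a document containing an auto-run macro name.
SAMPLES: Dict[str, bytes] = {
    "clean.bin": b"MZ\x90\x00hello world, nothing to see",
    "dropper.exe": b"MZ\x90\x00\x03\x00EVIL payload...",
    "dropper-variant.exe": b"MZ\x90\x00\x03\x00EV1L payload...",
    "doc.macro": b"Sub AutoOpen()\n  Shell \"...\"\nEnd Sub\n",
}
BAD_SHA256.add(hashlib.sha256(SAMPLES["dropper.exe"]).hexdigest())


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name:22} {hits or 'clean'}")
```

The variant with a single changed byte is missed by both the pattern and the hash: that is the "must be updated to recognize new viruses" drawback in its smallest form, and the reason a scanner's signature file is useless without a feed of updates.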
Worms
• Although similar in nature, worms are different from viruses in two regards:
– A virus attaches itself to a computer document, such as an e-mail message, and is spread by traveling along with the document; a worm is a separate program that spreads on its own, typically across a network
– A virus needs the user to perform some type of action, such as starting a program or reading an e-mail message, to start the infection; a worm can run without any such action

Worms (continued)
• Worms are usually distributed via e-mail attachments as separate executable programs
• In many instances, reading the e-mail message starts the worm
• If the worm does not start automatically, attackers can trick the user into starting the program and launching the worm

Logic Bombs
• A computer program that lies dormant until triggered by a specific event, for example:
– A certain date being reached on the system calendar
– A person's rank in an organization dropping below a specified level

Trojan Horses
• Programs that hide their true intent and then reveal themselves when activated
• Might disguise themselves as free calendar programs or other interesting software
• Common strategies:
– Giving a malicious program the name of a file associated with a benign program
– Combining two or more executable programs into a single filename
Trojan Horses (continued)
• Defend against Trojan horses with the following products:
– Antivirus tools, which are one of the best defenses against combination programs
– Special software that alerts you to the existence of a Trojan horse program
– Anti-Trojan horse software that disinfects a computer containing a Trojan horse

Back Doors
• Secret entrances into a computer of which the user is unaware
• Many viruses and worms install a back door allowing a remote user to access a computer without the legitimate user's knowledge or permission

Summary
• Six categories of attackers: hackers, crackers, script kiddies, spies, employees, and cyberterrorists
• Password guessing is a basic attack that attempts to learn a user's password by a variety of means
• Cryptography uses an algorithm and keys to encrypt and decrypt messages

Summary (continued)
• Identity attacks attempt to assume the identity of a valid user
• Denial of service (DoS) attacks flood a server or device with requests, making it unable to respond to valid requests
• Malicious code (malware) consists of computer programs intentionally created to break into computers or to create havoc on computers
Chapter 3: Security Basics

Objectives
• Identify who is responsible for information security
• Describe security principles
• Use effective authentication methods
• Control access to computer systems
• Audit information security schemes

Identifying Who Is Responsible for Information Security
• When an organization secures its information, it completes a few basic tasks:
– It must analyze its assets and the threats these assets face from threat agents
– It identifies its vulnerabilities and how they might be exploited
– It regularly assesses and reviews the security policy to ensure it is adequately protecting its information

Identifying Who Is Responsible for Information Security (continued)
• Bottom-up approach: the major tasks of securing information are accomplished from the lower levels of the organization upwards
• This approach has one key advantage: the bottom-level employees have the technical expertise to understand how to secure information
Identifying Who Is Responsible for Information Security (continued)
• The top-down approach starts at the highest levels of the organization and works its way down
• A security plan initiated by top-level managers has the backing to make the plan work

Identifying Who Is Responsible for Information Security (continued)
• Chief information security officer (CISO): helps develop the security plan and ensures it is carried out
• Human firewall: describes the security-enforcing role of each employee

Understanding Security Principles
• Ways information can be attacked:
– Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet
– Spies can use social engineering
– Employees can guess other users' passwords
– Hackers can create back doors
• Protecting against the wide range of attacks calls for a wide range of defense mechanisms
Layering
• A layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks
• Information security likewise must be created in layers
• All the security layers must be properly coordinated to be effective

Limiting
• Limiting access to information reduces the threat against it
• Only those who must use data should have access to it
• Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
• The amount of access granted to someone should be limited to what that person needs to know or do
Diversity
• Diversity is closely related to layering
• You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
• Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Diversity (continued)
• You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
• Using firewalls produced by different vendors creates even greater diversity

Obscurity
• Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside more difficult
• Obscurity is a supplement, not a substitute: a design should remain secure even when its details are known (Kerckhoffs's principle), so it belongs on top of the other principles rather than in place of them

Simplicity
• Complex security systems can be difficult to understand, troubleshoot, and feel secure about
• The challenge is to make the system simple from the inside but complex from the outside
Using Effective Authentication Methods
• Information security rests on three key pillars:
– Authentication
– Access control
– Auditing

Using Effective Authentication Methods (continued)
• Authentication:
– The process of proving identity
– Can be classified into three main categories: what you know, what you have, what you are
– Most common method: providing a user with a unique username and a secret password

Username and Password (continued)
• ID management:
– A user's single authenticated ID is shared across multiple networks or online businesses
– Attempts to address the problem of users having individual usernames and passwords for each account (and thus resorting to simple passwords that are easy to remember)
– Can be for users and for computers that share data

Tokens
• Token: a security device that authenticates the user by having the appropriate permission embedded into the token itself
• Passwords are based on what you know; tokens are based on what you have
• Proximity card: a plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal
Biometrics
• Uses a person's unique characteristics to authenticate them
• Is an example of authentication based on what you are
• Human characteristics that can be used for identification include:
– Fingerprint
– Hand
– Retina
– Face
– Iris
– Voice

Certificates
• The key system does not prove that the senders are actually who they claim to be
• Certificates let the receiver verify who sent the message
• Certificates link or bind a specific person to a key
• Digital certificates are issued by a certification authority (CA), an independent third-party organization

Kerberos
• An authentication system developed by the Massachusetts Institute of Technology (MIT)
• Used to verify the identity of networked users, like using a driver's license to cash a check
• Typically used when someone on a network attempts to use a network service and the service wants assurance that the user is who he says he is
Kerberos (continued)
• A state agency, such as the DMV, issues a driver's license that has these characteristics:
– It is difficult to copy
– It contains specific information (name, address, height, etc.)
– It lists restrictions (must wear corrective lenses, etc.)
– It expires on a specified date
• The user is provided a ticket that is issued by the Kerberos authentication server (AS), much as a driver's license is issued by the DMV

Challenge Handshake Authentication Protocol (CHAP)
• Considered a more secure procedure for connecting to a system than sending a password
• The user enters a password and connects to a server; the server sends a challenge message to the user's computer
• The user's computer receives the message and uses a specific algorithm to create a response, which is sent back to the server
• The server checks the response by comparing it to its own calculation of the expected value; if the values match, authentication is acknowledged; otherwise, the connection is terminated

Mutual Authentication
• Two-way authentication (mutual authentication) can be used to combat identity attacks, such as man-in-the-middle and replay attacks
• The server authenticates the user through a password, tokens, or other means, and the user in turn authenticates the server before trusting it
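The CHAP exchange from the previous slides, the replay attack from Chapter 2 failing against it, and the mutual variant described here, all in one added example that is not from the original slides. The "specific algorithm" is the one RFC 1994 specifies, MD5 over the identifier, the shared secret and the challenge; MD5 is kept here because that is what CHAP uses, not because it is a current recommendation. The user, the secret and the impostor server are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed credential store (not from the page). Note that CHAP obliges the
# server to hold the shared secret itself, not a hash of it.
SECRETS: Dict[str, bytes] = {"alice": b"correct horse battery staple"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, user: str) -> Tuple[int, bytes]:
        """Fresh random challenge per attempt; the identifier ties the
        response to this exact exchange."""
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        pend = self.pending.pop(user, None)  # one response per challenge
        if pend is None or pend[0] != ident or user not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[user], pend[1])
        return hmac.compare_digest(expected, response)

    def prove(self, user: str, ident: int, challenge: bytes) -> bytes:
        """Mutual authentication: the server answers the client's challenge."""
        return chap_response(ident, self.secrets.get(user, b""), challenge)


class ImpostorServer(ChapServer):
    """Does not know the secret; accepts any response to keep the client talking."""
    def verify(self, user: str, ident: int, response: bytes) -> bool:
        return True


class ChapClient:
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.secret, challenge)

    def verify_server(self, ident: int, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(chap_response(ident, self.secret, challenge), response)


def one_way_chap(server: ChapServer, client: ChapClient) -> Tuple[bool, Tuple[int, bytes]]:
    """Run the exchange; also return what a passive eavesdropper would see."""
    ident, chal = server.challenge(client.user)
    resp = client.respond(ident, chal)
    return server.verify(client.user, ident, resp), (ident, resp)


def replay(server: ChapServer, user: str, captured: Tuple[int, bytes]) -> bool:
    """Attacker reuses a sniffed (identifier, response) in a new session."""
    server.challenge(user)  # the server issues a new challenge, so the old response is worthless
    ident, resp = captured
    return server.verify(user, ident, resp)


def mutual_chap(server: ChapServer, client: ChapClient) -> bool:
    ok, _ = one_way_chap(server, client)
    if not ok:
        return False
    ident, chal = os.urandom(1)[0], os.urandom(16)
    return client.verify_server(ident, chal, server.prove(client.user, ident, chal))


if __name__ == "__main__":
    server, alice = ChapServer(SECRETS), ChapClient("alice", SECRETS["alice"])
    ok, captured = one_way_chap(server, alice)
    print("login:", ok, "replay:", replay(server, "alice", captured))
    print("mutual vs impostor:", mutual_chap(ImpostorServer({}), alice))
```

One-way CHAP cannot tell the client it is talking to an impostor (the impostor simply claims success), which is the gap mutual authentication closes; the replay fails because the challenge, and therefore the expected response, is different every time.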
Multifactor Authentication
• Multifactor authentication: implementing two or more types of authentication
• Being strongly proposed to verify the authentication of cell phone users who use their phones to purchase goods and services

Controlling Access to Computer Systems
• Restrictions to user access are stored in an access control list (ACL)
• An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)

Controlling Access to Computer Systems (continued)
• In Microsoft Windows, an ACL has one or more access control entries (ACEs), each consisting of the name of a subject or group of subjects and the rights allowed or denied to it
• Inherited rights: user rights based on membership in a group
• Review pages 85 and 86 for basic folder and file permissions in a Windows Server 2003 system
Mandatory Access Control (MAC)
• A more restrictive model
• The subject is not allowed to give access to another subject to use an object

Role Based Access Control (RBAC)
• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
• Users and objects inherit all of the permissions for the role
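As an added example (not from the slides or the book), the ACL, ACE and inherited-rights terms of the Controlling Access slides and the MAC, RBAC and DAC models above in one small Python model. Group membership, roles, users and the payroll file are constructed; the simplification that a role's permissions apply to every object is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed sample directory; user names and groups are invented for the example.
GROUPS: Dict[str, Set[str]] = {"Finance": {"alice", "bob"}, "IT": {"carol"}}
# RBAC: permissions are attached to a role, and users are assigned to roles.
ROLE_PERMS: Dict[str, Set[str]] = {"Auditor": {"read"},
                                   "Administrator": {"read", "write", "delete"}}
USER_ROLES: Dict[str, Set[str]] = {"bob": {"Auditor"}, "carol": {"Administrator"}}


@dataclass(frozen=True)
class ACE:
    """Access control entry: the name of a subject or group and the rights it holds."""
    trustee: str
    rights: FrozenSet[str]


@dataclass
class SecuredObject:
    """A folder or file: an owner plus an ACL made of ACEs."""
    name: str
    owner: str
    acl: List[ACE] = field(default_factory=list)


def groups_of(user: str) -> Set[str]:
    return {g for g, members in GROUPS.items() if user in members}


def effective_rights(user: str, obj: SecuredObject) -> Set[str]:
    """Union of every ACE naming the user or one of its groups (inherited
    rights) plus the permissions of every role the user is assigned to.
    Assumption for the example: role permissions apply to all objects."""
    subjects = {user} | groups_of(user)
    rights: Set[str] = set()
    for ace in obj.acl:
        if ace.trustee in subjects:
            rights |= ace.rights
    for role in USER_ROLES.get(user, set()):
        rights |= ROLE_PERMS.get(role, set())
    return rights


def can_access(user: str, obj: SecuredObject, right: str) -> bool:
    return right in effective_rights(user, obj)


def grant(model: str, granter: str, obj: SecuredObject,
          trustee: str, rights: Set[str]) -> bool:
    """Who may change an ACL depends on the model:
    MAC: no subject may give another subject access, so every grant is refused;
    DAC: the object's owner may adjust other subjects' permissions.
    Returns True when the ACE was added."""
    if model not in ("MAC", "DAC"):
        raise ValueError("unknown model: " + model)
    if model == "MAC":
        return False
    if granter != obj.owner:
        return False
    obj.acl.append(ACE(trustee, frozenset(rights)))
    return True


def sample_payroll() -> SecuredObject:
    """Constructed object: alice owns it, Finance members may read it."""
    return SecuredObject("payroll.xlsx", owner="alice",
                         acl=[ACE("alice", frozenset({"read", "write"})),
                              ACE("Finance", frozenset({"read"}))])


if __name__ == "__main__":
    payroll = sample_payroll()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_rights(user, payroll)))
    print("bob grants himself write (DAC):", grant("DAC", "bob", payroll, "bob", {"write"}))
    print("alice grants bob write (DAC):  ", grant("DAC", "alice", payroll, "bob", {"write"}))
    print("alice grants bob delete (MAC): ", grant("MAC", "alice", payroll, "bob", {"delete"}))
```

Bob reads the file twice over: once through the Finance group ACE (an inherited right) and once through the Auditor role. Under DAC only alice, the owner, can widen the ACL; under MAC nobody can, which is exactly what makes the model more restrictive.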

Discretionary Access Control (DAC)
• Least restrictive model
• One subject can adjust the permissions for other subjects over objects
• Type of access most users associate with their personal computers

Auditing Information Security Schemes
• Two ways to audit a security system:
– Logging records which user performed a specific activity and when
– System scanning to check permissions assigned to a user or role; these results are compared to what is expected to detect any differences
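An added Python example (not the book's) of the two audit methods on the slide above: a permission scan diffed against an expected baseline, and log records used to find out who made each change and when. The baseline, the scan result and the log format are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed baseline: what the permissions on each object are expected to be.
EXPECTED: Dict[str, Dict[str, Set[str]]] = {
    "/srv/payroll": {"alice": {"read", "write"}, "Finance": {"read"}},
    "/srv/public": {"Everyone": {"read"}},
}

# Constructed result of a permission scan of the same system.
SCANNED: Dict[str, Dict[str, Set[str]]] = {
    "/srv/payroll": {"alice": {"read", "write"}, "Finance": {"read", "write"},
                     "guest": {"read"}},
    "/srv/public": {"Everyone": {"read"}},
    "/srv/tmp": {"Everyone": {"read", "write"}},
}

# Constructed audit log lines: who did what, to which object, and when.
LOG_LINES = [
    "2024-05-01T09:12:03Z user=alice action=logon object=- result=ok",
    "2024-05-01T09:40:21Z user=bob action=chmod object=/srv/payroll subject=Finance rights=+write result=ok",
    "2024-05-02T07:05:44Z user=bob action=chmod object=/srv/payroll subject=guest rights=+read result=ok",
    "2024-05-02T07:06:10Z user=bob action=mkdir object=/srv/tmp result=ok",
]

Finding = Tuple[str, str, str, str]   # (kind, object, subject, right)


def compare_permissions(expected, scanned) -> List[Finding]:
    """System scanning: diff the scanned permissions against the baseline."""
    findings: List[Finding] = []
    for obj in sorted(set(expected) | set(scanned)):
        exp = expected.get(obj)
        got = scanned.get(obj)
        if exp is None:
            findings.append(("unexpected_object", obj, "", ""))
            continue
        if got is None:
            findings.append(("missing_object", obj, "", ""))
            continue
        for subject in sorted(set(exp) | set(got)):
            for right in sorted(got.get(subject, set()) - exp.get(subject, set())):
                kind = "extra_right" if subject in exp else "unexpected_subject"
                findings.append((kind, obj, subject, right))
            for right in sorted(exp.get(subject, set()) - got.get(subject, set())):
                findings.append(("missing_right", obj, subject, right))
    return findings


def parse_log_line(line: str) -> Dict[str, str]:
    """Timestamp followed by key=value fields (the constructed log format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    fields["ts"] = ts
    return fields


def attribute_findings(findings, log_lines) -> Dict[Tuple[str, str, str], Tuple[str, str]]:
    """Logging answers 'who and when': match each added right to the chmod
    entry that introduced it. Returns (object, subject, right) -> (user, ts)."""
    entries = [parse_log_line(line) for line in log_lines]
    who: Dict[Tuple[str, str, str], Tuple[str, str]] = {}
    for kind, obj, subject, right in findings:
        if kind not in ("extra_right", "unexpected_subject"):
            continue
        for e in entries:
            if (e.get("action") == "chmod" and e.get("object") == obj
                    and e.get("subject") == subject and e.get("rights") == "+" + right):
                who[(obj, subject, right)] = (e["user"], e["ts"])
    return who


if __name__ == "__main__":
    found = compare_permissions(EXPECTED, SCANNED)
    blame = attribute_findings(found, LOG_LINES)
    for f in found:
        print(f, blame.get(f[1:], "no matching log entry"))
```

The scan alone says that Finance gained write on the payroll share and that a guest entry and a /srv/tmp share appeared; the log is what turns that into "bob, on 1 May at 09:40", which is the part of an audit an investigator actually needs.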
Summary
• Creating and maintaining a secure environment cannot be delegated to one or two employees in an organization
• Major tasks of securing information can be accomplished using a bottom-up approach, where security effort originates with low-level employees and moves up the organization chart to the CEO
• In a top-down approach, the effort starts at the highest levels of the organization and works its way down

Summary (continued)
• Basic principles for creating a secure environment: layering, limiting, diversity, obscurity, and simplicity
• Basic pillars of security:
– Authentication: verifying that a person requesting access to a system is who he claims to be
– Access control: regulating what a subject can do with an object
– Auditing: review of the security settings

Chapter 4: Security Baselines
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Disable nonessential systems
• Harden operating systems
• Harden applications
• Harden networks

Disabling Nonessential Systems
• First step in establishing a defense against computer attacks is to turn off all nonessential systems
• The background program waits in the computer’s random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P
• Then, the idling program springs to life

Disabling Nonessential Systems (continued)
• Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book
• In Microsoft Windows, a background program, such as Svchost.exe, is called a process
• The process provides a service to the operating system indicated by the service name, such as AppMgmt

Disabling Nonessential Systems (continued)
• Users can view the display name of a service, which gives a detailed description, such as Application Management
• A single process can provide multiple services

Disabling Nonessential Systems (continued)
• A service can be set to one of the following modes:
– Automatic
– Manual
– Disabled
• Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system

Disabling Nonessential Systems (continued)
• The User Datagram Protocol (UDP) provides for a connectionless TCP/IP transfer
• TCP and UDP are based on port numbers
• Socket: combination of an IP address and a port number
– The IP address is separated from the port number by a colon, as in 198.146.118.20:80

Hardening Operating Systems
• Hardening: process of reducing vulnerabilities
• A hardened system is configured and updated to protect against attacks
• Three broad categories of items should be hardened:
– Operating systems
– Applications that the operating system runs
– Networks

Hardening Operating Systems (continued)
• You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare

Applying Updates
• Operating systems are intended to be dynamic
• As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis
• However, vendors release a new version of an operating system every two to four years
• Vendors use certain terms to refer to the different types of updates (listed in Table 4-3 on page 109)

Applying Updates (continued)
• A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update
• A hotfix does not typically address security issues; instead, it corrects a specific software problem

Applying Updates (continued)
• A patch or a software update fixes a security flaw or other problem
– May be released on a regular or irregular basis, depending on the vendor or support team
– A good patch management system includes the features listed on pages 111 and 112 of the text

Securing the File System
• Another means of hardening an operating system is to restrict user access
• Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

Securing the File System (continued)
• Microsoft Windows provides a centralized method of defining security on the Microsoft Management Console (MMC)
– A Windows utility that accepts additional components (snap-ins)
– After you apply a security template to organize security settings, you can import the settings to a group of computers (Group Policy object)

Securing the File System (continued)
• Group Policy settings: components of a user’s desktop environment that a network system administrator needs to manage
• Group Policy settings cannot override a global setting for all computers (domain-based setting)
• Windows stores settings for the computer’s hardware and software in a database (the registry)

Hardening Applications
• Just as you must harden operating systems, you must also harden the applications that run on those systems
• Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system

Hardening Servers
• Harden servers to prevent attackers from breaking through the software
• Web server delivers text, graphics, animation, audio, and video to Internet users around the world
• Refer to the steps on page 115 to harden a Web server

Hardening Servers (continued)
• Mail server is used to send and receive electronic messages
• In a normal setting, a mail server serves an organization or set of users
• All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user

Hardening Servers (continued)
• In an open mail relay, a mail server processes e-mail messages not sent by or intended for a local user
• File Transfer Protocol (FTP) server is used to store and access files through the Internet
– Typically used to accommodate users who want to download or upload files
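An added example, not from the slides or the book, of the relay decision a hardened mail server makes for each RCPT TO command, following the rule on the slide above (mail from a trusted user, or mail intended for a local user), with the open-relay behaviour beside it for comparison. The local domain, internal network and addresses are constructed; the reply texts follow the usual SMTP enhanced status codes.

```python
import ipaddress
from typing import Tuple

# Constructed configuration, not from the text: the domains this server is
# responsible for and the internal network whose hosts are trusted to send.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rcpt_decision(mail_from: str, rcpt_to: str, client_ip: str,
                  authenticated: bool, open_relay: bool = False) -> Tuple[int, str]:
    """Reply to RCPT TO. The server relays a message that is either
    - sent by a trusted user (SMTP AUTH succeeded, or the client sits on the
      internal network), or
    - addressed to a local user.
    Anything else is third-party relaying and is refused. The MAIL FROM
    domain is deliberately not used as evidence of trust: it is supplied by
    the client and can say anything, so accepting it would reopen the relay."""
    if open_relay:                                  # the weak setting: relay for anyone
        return 250, "2.1.5 Recipient OK"
    trusted_sender = authenticated or ipaddress.ip_address(client_ip) in INTERNAL_NETWORK
    if trusted_sender or domain_of(rcpt_to) in LOCAL_DOMAINS:
        return 250, "2.1.5 Recipient OK"
    return 550, "5.7.1 Relaying denied"


def is_open_relay(decide) -> bool:
    """Self-test of a policy: an unauthenticated outside client addressing an
    outside recip must be refused; if it is accepted the server is an open relay."""
    code, _ = decide("someone@outside.example", "other@elsewhere.example",
                     client_ip="203.0.113.99", authenticated=False)
    return code == 250


if __name__ == "__main__":
    cases = [
        ("someone@outside.example", "alice@example.com", "203.0.113.5", False),   # inbound to local user
        ("ceo@example.com", "victim@elsewhere.example", "203.0.113.5", False),    # forged local sender
        ("alice@example.com", "victim@elsewhere.example", "10.1.2.3", False),     # internal network
        ("alice@example.com", "victim@elsewhere.example", "203.0.113.5", True),   # authenticated
    ]
    for c in cases:
        print(c, "->", rcpt_decision(*c))
    print("open relay?", is_open_relay(rcpt_decision))
```

The second case is the one an open relay gets wrong: the envelope sender claims to be local, but the client is neither authenticated nor on the internal network, so the hardened policy refuses to carry the message to a third party.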

Hardening Servers (continued)
• FTP servers can be set to accept anonymous logons using a window similar to that shown in Figure 4-8
• A Domain Name Service (DNS) server makes the Internet available to ordinary users
– DNS servers frequently update each other by transmitting all domains and IP addresses of which they are aware (zone transfer)

Hardening Servers (continued)
• IP addresses and other information can be used in an attack
• USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services
• The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers

Hardening Servers (continued)
• Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers
• Hardening a print/file server involves the tasks listed on page 119 of the text
• A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)
• DHCP servers “lease” IP addresses to clients

Hardening Data Repositories
• Data repository: container that holds electronic information
• Two major data repositories: directory services and company databases
• Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources

Hardening Data Repositories (continued)
• Active Directory is the directory service for Windows
• Active Directory is stored in the Security Accounts Manager (SAM) database
• The primary domain controller (PDC) houses the SAM database

Hardening Networks
• Two-fold process for keeping a network secure:
– Secure the network with necessary updates
– Properly configure it

Firmware Updates
• RAM is volatile: interrupting the power source causes RAM to lose its entire contents
• Read-only memory (ROM) is different from RAM in two ways:
– Contents of ROM are fixed
– ROM is nonvolatile: disabling the power source does not erase its contents

Firmware Updates (continued)
• ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware
• To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window
• The contents of EEPROM chips can also be erased using electrical signals applied to specific pins

Network Configuration
• You must properly configure network equipment to resist attacks
• The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network

Network Configuration (continued)
• Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)
• Rules are composed of several settings (listed on pages 122 and 123 of the text)
• Observe the basic guidelines on page 124 of the text when creating rules

Summary
• Establishing a security baseline creates a basis for information security
• Hardening the operating system involves applying the necessary updates to the software
• Securing the file system is another step in hardening a system

Summary (continued)
• Applications and operating systems must be hardened by installing the latest patches and updates
• Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks

Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Work with the network cable plant
• Secure removable media
• Harden network devices
• Design network topologies

Working with the Network Cable Plant
• Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
• Three types of transmission media:
– Coaxial cables
– Twisted-pair cables
– Fiber-optic cables

Coaxial Cables
• Coaxial cable was the main type of copper cabling used in computer networks for many years
• Has a single copper wire at its center surrounded by insulation and shielding
• Called “coaxial” because it houses two (co) axes or shafts: the copper wire and the shielding
• Thick coaxial cable has a copper wire in the center surrounded by a thick layer of insulation that is covered with braided metal shielding

Coaxial Cables (continued)
• Thin coaxial cable looks similar to the cable that carries a cable TV signal
• A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself
• The copper mesh channel protects the core from interference
• BNC connectors: connectors used on the ends of a thin coaxial cable

Twisted-Pair Cables
• Standard for copper cabling used in computer networks today, replacing thin coaxial cable
• Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

Twisted-Pair Cables (continued)
• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
• Unshielded twisted-pair (UTP) cables do not have any shielding
• Twisted-pair cables have RJ-45 connectors

Fiber-Optic Cables
• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper that transmits light impulses
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket

Fiber-Optic Cables (continued)
• Classified by the diameter of the core and the diameter of the cladding
– Diameters are measured in microns; each is about 1/25,000 of an inch or one-millionth of a meter
• Two types:
– Single-mode fiber cables: used when data must be transmitted over long distances
– Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes

Securing the Cable Plant
• Securing cabling outside the protected network is not the primary security issue for most organizations
• Focus is on protecting access to the cable plant in the internal network
• An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will

Securing the Cable Plant (continued)
• The attacker can capture packets as they travel through the network by sniffing
– The hardware or software that performs such functions is called a sniffer
• Physical security
– First line of defense
– Protects the equipment and infrastructure itself
– Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

Securing Removable Media
• Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
• An employee copying data to a floppy disk or CD and carrying it home poses two risks:
– Storage media could be lost or stolen, compromising the information
– A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

Magnetic Media
• Record information by changing the magnetic direction of particles on a platter
• Floppy disks were some of the first magnetic media developed
• The capacity of today’s 3 1/2-inch disks is 1.4 MB
• Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
• Magnetic tape drives record information in a serial fashion

Optical Media
• Optical media use a principle for recording information different from magnetic media
• A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
• Capacity of optical discs varies by type
• A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
• Data cannot be changed once recorded

Optical Media (continued)
• A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again
• A Digital Versatile Disc (DVD) can store much larger amounts of data
– DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc

Electronic Media
• Electronic media use flash memory for storage
– Flash memory is a solid state storage device: everything is electronic, with no moving or mechanical parts
• SmartMedia cards range in capacity from 2 MB to 128 MB
• The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

Electronic Media (continued)
• CompactFlash card
– Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
– Comes in 3.3 mm and 5.5 mm thicknesses and stores between 8 MB and 192 MB of data
• USB memory stick is becoming very popular
– Can hold between 8 MB and 1 GB of memory

Keeping Removable Media Secure
• Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

Hardening Network Devices
• Each device that is connected to a network is a potential target of an attack and must be properly protected
• Network devices to be hardened are categorized as:
– Standard network devices
– Communication devices
– Network security devices

Hardening Standard Network Devices
• A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
• This equipment has basic security features that you can use to harden the devices

Workstations and Servers
• Workstation: personal computer attached to a network (also called a client)
– Connected to a LAN and shares resources with other workstations and network equipment
– Can be used independently of the network and can have its own applications installed
• Server: computer on a network dedicated to managing and controlling the network
• Basic steps to harden these systems are outlined on page 152

Switches and Routers
• Switch
– Most commonly used in Ethernet LANs
– Receives a packet from one network device and sends it to the destination device only
– Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)
• A switch is used within a single network
• Routers connect two or more single networks to form a larger network

Switches and Routers (continued)
• Switches and routers must also be protected against attacks
• Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
• Software agents are loaded onto each network device to be managed

Switches and Routers (continued)
• Each agent monitors network traffic and stores that information in its management information base (MIB)
• A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
• Page 154 lists defensive controls that can be set for switches and routers

Hardening Communication Devices
• A second category of network devices consists of those that communicate over longer distances
• Include:
– Modems
– Remote access servers
– Telecom/PBX systems
– Mobile devices

Modems
• Most common communication device
• Broadband is increasing in popularity and can create network connection speeds of 1.5 Mbps and higher
• Two popular broadband technologies:
– Digital Subscriber Line (DSL) transmits data at 1.5 Mbps over regular telephone lines
– Another broadband technology uses the local cable television system

Modems (continued)
• A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
• Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
• Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time

Remote Access Servers
• Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
• Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

Remote Access Servers (continued)
• Remote access clients can run almost all network-based applications without modification
– Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
• Minimum security features are listed on page 158

Telecom/PBX Systems
• Term used to describe a Private Branch eXchange
• The definition of a PBX comes from the words that make up its name:
– Private
– Branch
– eXchange

Mobile Devices
• As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
• Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection

Hardening Network Security Devices
• The final category of network devices includes those designed and used strictly to protect the network
• Include:
– Firewalls
– Intrusion-detection systems
– Network monitoring and diagnostic devices

Firewalls
• Typically used to filter packets
• Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
• Typically located outside the network security perimeter as the first line of defense
• Can be software or hardware configurations

Firewalls (continued)
• Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
– Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
– One disadvantage is that it is only as strong as the operating system of the computer

Firewalls (continued)
• Filter packets in one of two ways:
– Stateless packet filtering: permits or denies each packet based strictly on the rule base
– Stateful packet filtering: records the state of a connection between an internal computer and an external server; makes decisions based on the connection and the rule base
• Can perform content filtering to block access to undesirable Web sites
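An added Python example (not from the slides or the book) that ties the rule base of the Network Configuration slides in Chapter 4 to the stateless and stateful filtering on the slide above: the same rule base is applied once strictly per packet, and then with a connection table in front of it. The rule settings modelled (action, protocol, source, destination, destination port) are an assumed typical set, since the slides refer to the book for the actual list; all addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags, used to recognise a new connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One rule of the rule base (assumed settings; the book's list is not on the slides)."""
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # CIDR
    dst: str                # CIDR
    dport: Optional[int]    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule base: anyone may reach the DMZ web server on port 80, inside
# hosts (10/8) may start any outbound TCP connection, and the final rule denies
# everything else.
RULE_BASE: List[Rule] = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]


def stateless_filter(p: Packet, rules: List[Rule] = RULE_BASE) -> str:
    """Each packet is judged strictly against the rule base: first match wins,
    and a packet that matches nothing is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Remembers connections the rule base allowed, so the replies belonging to
    them are permitted without a rule that would also open the inside network
    to unsolicited traffic."""

    def __init__(self, rules: List[Rule] = RULE_BASE):
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int]] = set()   # (src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.table or reverse in self.table:
            return "permit"                      # part of an established connection
        verdict = stateless_filter(p, self.rules)
        if verdict == "permit" and p.proto == "tcp" and p.syn and not p.ack:
            self.table.add(forward)              # a permitted new connection is recorded
        return verdict


if __name__ == "__main__":
    outbound = Packet("10.1.2.3", "203.0.113.20", "tcp", 51000, 443, syn=True)
    reply = Packet("203.0.113.20", "10.1.2.3", "tcp", 443, 51000, syn=True, ack=True)
    stray = Packet("203.0.113.77", "10.1.2.3", "tcp", 443, 51000, syn=True)
    print("stateless: reply", stateless_filter(reply), "stray", stateless_filter(stray))
    fw = StatefulFilter()
    print("stateful:", fw.filter(outbound), fw.filter(reply), fw.filter(stray))
```

The stateless filter drops the web server's reply to the inside host, because no rule permits traffic into 10/8; the only stateless fix is a rule permitting inbound packets from port 443 to all inside hosts, which also admits the stray packet. The stateful filter permits the reply because it matches a recorded connection, and still denies the stray packet, which matches none.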

Firewalls (continued)
• An application layer firewall can defend against worms better than other kinds of firewalls
– Reassembles and analyzes packet streams instead of examining individual packets
– Installed on the server or, in some instances, on all computers on the network

Intrusion-Detection Systems (IDSs)
• Devices that establish and maintain network security
• Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
• Passive IDS sends information about what happened, but does not take action

Intrusion-Detection Systems (IDSs) (continued)
• Host-based IDS monitors critical operating system files and the computer’s processor activity and memory; scans event logs for signs of suspicious activity
• Network-based IDS monitors all network traffic instead of only the activity on a computer
– Typically located just behind the firewall
• Other IDS systems are based on behavior:
– Watch network activity and report abnormal behavior
– Result in many false alarms

Network Monitoring and Diagnostic Devices
• SNMP enables network administrators to:
– Monitor network performance
– Find and solve network problems
– Plan for network growth
• Managed device:
– Network device that contains an SNMP agent
– Collects and stores management information and makes it available to SNMP
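An added example (not the book's) of the host-based IDS behaviour described on the two IDS slides above: event log lines are scanned for a sign of suspicious activity, and the passive and active variants differ only in whether an action is taken. The log format, the threshold and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed event log lines (logon events from a file server); not from the text.
EVENT_LOG = [
    "2024-05-03T02:00:01Z host=fs01 event=logon_failed user=administrator src=198.51.100.9",
    "2024-05-03T02:00:05Z host=fs01 event=logon_failed user=administrator src=198.51.100.9",
    "2024-05-03T02:00:09Z host=fs01 event=logon_failed user=administrator src=198.51.100.9",
    "2024-05-03T02:00:14Z host=fs01 event=logon_failed user=administrator src=198.51.100.9",
    "2024-05-03T02:00:20Z host=fs01 event=logon_failed user=administrator src=198.51.100.9",
    "2024-05-03T02:00:31Z host=fs01 event=logon_ok user=administrator src=198.51.100.9",
    "2024-05-03T08:15:00Z host=fs01 event=logon_failed user=alice src=10.1.2.3",
    "2024-05-03T08:15:40Z host=fs01 event=logon_ok user=alice src=10.1.2.3",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>logon_failed|logon_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

Alert = Dict[str, str]


def parse_event(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    return m.groupdict()


def scan_events(lines: List[str], threshold: int = 5,
                window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Signs of suspicious activity in the event log: a burst of failed logons
    from one source inside the window, and a successful logon from a source
    that was just in such a burst (the sign that the guessing may have worked)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    alerts: List[Alert] = []
    for line in lines:
        e = parse_event(line)
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = e["src"]
        if e["event"] == "logon_failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()                    # keep only failures inside the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "brute_force_suspected", "src": src,
                               "user": e["user"], "ts": e["ts"]})
        else:
            if src in flagged:
                alerts.append({"kind": "success_after_failures", "src": src,
                               "user": e["user"], "ts": e["ts"]})
                flagged.discard(src)
            failures.pop(src, None)            # a normal logon resets the count
    return alerts


class HostIDS:
    """Passive: only reports. Active (reactive): also takes a specific action,
    here recording the offending source as blocked."""

    def __init__(self, mode: str = "passive"):
        if mode not in ("passive", "active"):
            raise ValueError(mode)
        self.mode = mode
        self.blocked: Set[str] = set()

    def run(self, lines: List[str]) -> Tuple[List[Alert], Set[str]]:
        alerts = scan_events(lines)
        if self.mode == "active":
            for a in alerts:
                if a["kind"] == "brute_force_suspected":
                    self.blocked.add(a["src"])
        return alerts, set(self.blocked)


if __name__ == "__main__":
    for mode in ("passive", "active"):
        alerts, blocked = HostIDS(mode).run(EVENT_LOG)
        print(mode, [(a["kind"], a["src"], a["ts"]) for a in alerts], "blocked:", blocked)
```

Alice's single failed attempt followed by a normal logon produces nothing, which is the false-alarm trade-off the slides mention: the threshold and window decide how much ordinary mistyping is tolerated before the IDS speaks up.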

Designing Network Topologies
• Topology: physical layout of the network devices, how they are interconnected, and how they communicate
• Essential to establishing its security
• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

Security Zones
• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
– Demilitarized Zones (DMZs)
– Intranets
– Extranets

Demilitarized Zones (DMZs)
• Separate networks that sit outside the secure network perimeter
• Outside users can access the DMZ, but cannot enter the secure network
• For extra security, some networks use a DMZ with two firewalls
• The types of servers that should be located in the DMZ include:
– Web servers
– E-mail servers
– Remote access servers
– FTP servers

Intranets
• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
• Disadvantage is that it does not allow remote trusted users access to information

Extranets
• Sometimes called a cross between the Internet and an intranet
• Accessible to users that are not trusted internal users, but trusted external users
• Not accessible to the general public, but allows vendors and business partners to access a company Web site

Network Address Translation (NAT)
• “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
• Hides the IP addresses of network devices from attackers
• Computers are assigned special IP addresses (known as private addresses)

Network Address Translation (NAT) (continued)
• These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
• Port address translation (PAT) is a variation of NAT
• Each packet is given the same IP address, but a different TCP port number
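An added Python example, not from the slides or the book, of the PAT variant of NAT on the two slides above: inside hosts with private addresses leave through one public address and are told apart by port, replies are mapped back, and anything unsolicited is dropped because no inside address is visible to it. The public address, port range and packets are constructed; the private ranges are the RFC 1918 ones.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# RFC 1918 private address ranges: usable by anyone on an internal network,
# never routed on the public Internet.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortAddressTranslator:
    """PAT: every outbound packet leaves with the one public address, and the
    source port is what distinguishes the inside hosts from each other."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out: Dict[Tuple[str, int], int] = {}     # (inside ip, inside port) -> public port
        self._in: Dict[int, Tuple[str, int]] = {}      # public port -> (inside ip, inside port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside host's packet; the mapping is created on first use
        and reused for the rest of that host's conversation."""
        if not is_private_address(p.src):
            raise ValueError("only private (inside) addresses are translated: " + p.src)
        key = (p.src, p.sport)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a packet arriving at the public address back to the inside host.
        Without a mapping there is no inside host to deliver to, so the packet
        is dropped (None): inside addresses are never reachable from outside."""
        if p.dst != self.public_ip:
            return None
        key = self._in.get(p.dport)
        if key is None:
            return None
        return replace(p, dst=key[0], dport=key[1])


if __name__ == "__main__":
    nat = PortAddressTranslator("192.0.2.1")
    a = nat.outbound(Packet("10.0.0.5", 1025, "203.0.113.20", 80))
    b = nat.outbound(Packet("10.0.0.6", 1025, "203.0.113.20", 80))   # same inside port, other host
    print(a, b)
    print(nat.inbound(Packet("203.0.113.20", 80, "192.0.2.1", b.sport)))
    print(nat.inbound(Packet("203.0.113.20", 80, "192.0.2.1", 40005)))   # unsolicited -> None
```

Two inside hosts using the same source port 1025 collide on the outside only in name: PAT gives them public ports 40000 and 40001, so the server's replies are demultiplexed correctly, while a packet aimed at an unused public port, or at an inside address directly, has no mapping and is dropped.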

Honeypots Honeypots (continued)

• Computers located in a DMZ loaded with software


and data files that appear to be authentic
• Intended to trap or trick attackers
• Two-fold purpose:
– To direct attacker’s attention away from real servers on
the network
– To examine techniques used by attackers

Security+ Guide to Network Security 50 Security+ Guide to Network Security 51


Fundamentals, 2e Fundamentals, 2e
Virtual LANs (VLANs)
Virtual LANs (VLANs)
(continued)
• Segment a network with switches to divide the
network into a hierarchy
• Core switches reside at the top of the hierarchy and
carry traffic between switches
• Workgroup switches are connected directly to the
devices on the network
• Core switches must work faster than workgroup
switches because core switches must handle the
traffic of several workgroup switches

Security+ Guide to Network Security 52 Security+ Guide to Network Security 53


Fundamentals, 2e Fundamentals, 2e

Virtual LANs (VLANs) (continued)

• Segment a network by grouping similar users together
• Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
• Devices in different VLANs cannot exchange frames directly even when they share a switch; traffic between VLANs must pass through a router or layer-3 switch, which is where access control lists can be applied

Summary

• Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
• Removable media used to store information include:
– Magnetic storage (removable disks, hard drives)
– Optical storage (CD and DVD)
– Electronic storage (USB memory sticks, FlashCards)
Summary (continued)

• Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
• A network's topology plays a critical role in resisting attackers
• Hiding the IP address of a network device can help disguise it so that an attacker cannot find it

Chapter 6: Web Security

Security+ Guide to Network Security Fundamentals
Second Edition

Objectives

• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging

Protecting E-Mail Systems

• E-mail has replaced the fax machine as the primary communication tool for businesses
• Has also become a prime target of attackers and must be protected
How E-Mail Works

• Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
– Simple Mail Transfer Protocol (SMTP, TCP port 25) handles outgoing mail and server-to-server relaying
– Post Office Protocol (POP3 for the current version, TCP port 110) handles incoming mail, that is, retrieval by the client
• On many UNIX machines the SMTP server is sendmail, which does the actual sending; messages waiting to be delivered are held in a queue called the sendmail queue
• Both protocols are plaintext unless wrapped in SSL/TLS, so credentials and message bodies are visible to anyone on the path

How E-Mail Works (continued)

How E-Mail Works (continued)

• Sendmail tries to resend queued messages periodically (about every 15 minutes)
• By default, downloaded messages are erased from the POP3 server
• Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
• Internet Message Access Protocol (current version is IMAP4) is a more advanced protocol that solves many of these problems
– E-mail remains on the e-mail server

How E-Mail Works (continued)

• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
• Non-text documents must be converted into text format before being transmitted, because SMTP was designed for 7-bit text
• The standard encoding is MIME's Base64: three bytes from the binary file are extracted and converted to four text characters, so an attachment grows by about one third in transit
• A filter that inspects attachments must therefore decode them first; a blocked file type is not visible in the encoded form
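The three-bytes-to-four-characters step written out, as an added example (not the textbook's code). It implements the Base64 encoder and decoder by hand, checks the result against Python's `base64` module, and adds the 76-column line wrapping that MIME (RFC 2045) requires; `SAMPLE_ATTACHMENT` is a constructed byte string standing in for a real file.

```python
"""Base64 (MIME content-transfer-encoding) written out by hand.

Added example, not from the textbook.  Shows the 3-byte -> 4-character
mapping the slide describes plus MIME's 76-column line wrapping.
SAMPLE_ATTACHMENT is constructed test data.
"""
import base64

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")

# Constructed binary "attachment": every byte value, twice.
SAMPLE_ATTACHMENT = bytes(range(256)) * 2


def b64encode_manual(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                      # 0, 1 or 2 bytes missing at the end
        n = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        # split into four 6-bit indexes, most significant first
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        chars = [ALPHABET[s] for s in sextets]
        if pad:
            chars[4 - pad:] = ["="] * pad         # '=' marks the missing input bytes
        out.extend(chars)
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    lookup = {c: i for i, c in enumerate(ALPHABET)}
    text = "".join(text.split())                  # tolerate MIME line breaks
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        if len(quad) != 4:
            raise ValueError("Base64 input length is not a multiple of 4")
        pad = quad.count("=")
        n = 0
        for c in quad:
            n = (n << 6) | (0 if c == "=" else lookup[c])
        out += n.to_bytes(3, "big")[:3 - pad]     # drop the bytes that were padding
    return bytes(out)


def mime_wrap(encoded: str, width: int = 76) -> str:
    """RFC 2045 limits Base64 body lines to 76 characters, CRLF-terminated."""
    return "\r\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))


def size_overhead(n_bytes: int) -> int:
    """Encoded length without line breaks: 4 characters per 3 bytes, rounded up."""
    return 4 * ((n_bytes + 2) // 3)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written codec against the standard library."""
    encoded = b64encode_manual(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode_manual(encoded) == data)
```

The decoder accepts the wrapped form, which is what a gateway sees on the wire; decoding before inspection is what lets a filter see the real file type rather than a wall of ASCII.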
E-Mail Vulnerabilities

• Several e-mail vulnerabilities can be exploited by attackers:
– Malware
– Spam
– Hoaxes

Malware

• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice for two reasons:
– Because almost all Internet users have e-mail, it has the broadest base for attacks
– Malware can use e-mail to propagate itself

Malware (continued)

• A worm can enter a user's computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages
• E-mail clients can be particularly susceptible to macro viruses
– A macro is a stored sequence of commands or a small script (for example VBA in an Office document) that replays steps a user performs
– A macro virus uses macros to carry out malicious functions; it runs as soon as the document is opened with macros enabled

Malware (continued)

• Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
– E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
– Windows hides known extensions by default, so "invoice.pdf.exe" is displayed as "invoice.pdf"; the mail gateway, not the user, has to enforce the list
• Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
• Procedures including turning off unneeded ports and eliminating open mail relay servers must be developed and enforced
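A gateway-side attachment check for the extension policy above, as an added example (not the textbook's code). The blocked set starts from the slide's five extensions and adds common script and macro-enabled Office extensions; it looks at every dotted suffix, strips trailing dots and spaces that Windows discards, and rejects names carrying the Unicode right-to-left override used to disguise extensions. All filenames in the test are constructed.

```python
"""Attachment name policy check for a mail gateway.

Added example, not the textbook's code.  The blocked list is the slide's
list plus common script and macro-enabled Office extensions; the sample
filenames used in the tests are constructed.
"""

BLOCKED_EXTENSIONS = {
    ".bat", ".ade", ".usf", ".exe", ".pif",            # the slide's list
    ".com", ".scr", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk",
    ".docm", ".xlsm", ".pptm",                         # macro-enabled Office files
}

RLO = "\u202e"   # Unicode right-to-left override, used to make 'x[RLO]fdp.exe' render as 'xexe.pdf'


def normalize(name: str) -> str:
    """Strip any path, surrounding whitespace, and the trailing dots and
    spaces that Windows silently removes ('evil.exe .' is saved as 'evil.exe')."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    return name.rstrip(". ").lower()


def attachment_is_blocked(name: str) -> tuple:
    """Return (blocked, reason).  Every dotted suffix is checked, not just the
    last one, because Windows hides the final extension by default and shows
    'invoice.pdf.exe' to the user as 'invoice.pdf'."""
    if RLO in name:
        return True, "right-to-left override character in name"
    clean = normalize(name)
    if not clean:
        return True, "empty or path-only name"
    parts = clean.split(".")
    for ext in parts[1:]:
        if "." + ext in BLOCKED_EXTENSIONS:
            return True, f"blocked extension .{ext} in {clean!r}"
    return False, "allowed"


def filter_message(attachment_names: list) -> dict:
    """Split one message's attachments into kept names and quarantined names with reasons."""
    result = {"kept": [], "quarantined": {}}
    for n in attachment_names:
        blocked, reason = attachment_is_blocked(n)
        if blocked:
            result["quarantined"][n] = reason
        else:
            result["kept"].append(n)
    return result
```

Name checks are only the first layer: the gateway must also decode the MIME body and identify the real file type from its contents, since an executable renamed to `.txt` passes this check and a `.zip` can contain anything.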
Spam

• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)

• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
– 52% of users indicate spam has made them less trusting of e-mail in general
– 70% of users say spam has made being online unpleasant or annoying

Spam (continued)

• Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
• Use a blocklist of known spammers to reject their e-mail; because the From: address is trivially forged, practical blocklists are keyed on the sending server's IP address or domain rather than on the sender's address
• Sophisticated e-mail filters can use Bayesian filtering
– The user divides received e-mail messages into two piles, spam and not-spam
– The filter counts how often each word appears in each pile and, for a new message, combines the per-word probabilities into a single spam score; it keeps learning as the user corrects its mistakes

Hoaxes

• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, are almost impossible to filter
• Defense against hoaxes is to ignore them
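The two-pile Bayesian filter described above, reduced to its core, as an added example (not the textbook's code). It trains a naive Bayes classifier on a constructed corpus of eight one-line messages in `build_demo_filter()`, scores new text in log-odds space, and uses a deliberately high spam threshold because a false positive (a lost legitimate mail) costs more than a missed spam.

```python
"""A minimal Bayesian spam filter of the kind the slide describes.

Added example, not the textbook's code.  The training messages are a
constructed toy corpus; real filters learn from thousands of messages.
"""
import math
import re
from collections import Counter


def tokens(text: str) -> set:
    """Lower-case word set.  Counting a word once per message is the usual
    choice so that a repeated word cannot dominate the score."""
    return set(re.findall(r"[a-z$]+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam = Counter()   # word -> number of spam messages containing it
        self.ham = Counter()    # word -> number of legitimate messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text: str, is_spam: bool) -> None:
        if is_spam:
            self.spam.update(tokens(text))
            self.n_spam += 1
        else:
            self.ham.update(tokens(text))
            self.n_ham += 1

    def word_likelihood_ratio(self, word: str) -> float:
        """P(word | spam) / P(word | ham) with add-one smoothing, so a word never
        seen in training has ratio 1 and contributes nothing."""
        p_spam = (self.spam[word] + 1) / (self.n_spam + 2)
        p_ham = (self.ham[word] + 1) / (self.n_ham + 2)
        return p_spam / p_ham

    def score(self, text: str) -> float:
        """P(spam | message) under the naive independence assumption, computed
        as a sum of log-odds to avoid floating-point underflow on long messages."""
        log_odds = math.log(self.n_spam + 1) - math.log(self.n_ham + 1)   # class prior
        for word in tokens(text):
            log_odds += math.log(self.word_likelihood_ratio(word))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        # A high threshold trades a little missed spam for far fewer false
        # positives, the costlier mistake for a mail filter.
        return self.score(text) >= threshold


def build_demo_filter() -> BayesFilter:
    """Train on a constructed corpus: four spam and four legitimate messages."""
    f = BayesFilter()
    for msg in ["win a free prize now", "free money click here now",
                "cheap meds buy now", "claim your free prize today"]:
        f.train(msg, True)
    for msg in ["meeting agenda for tomorrow", "please review the attached report",
                "lunch tomorrow at noon", "project status report attached"]:
        f.train(msg, False)
    return f
```

Spammers respond to this kind of filter by padding messages with ordinary words ("Bayesian poisoning") and by moving the pitch into images, which is why production filters combine word statistics with blocklists, header checks and URL reputation.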
Hoaxes (continued)

• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as someone else is sent to unsuspecting recipients; this works because SMTP itself does not authenticate the From: address

E-Mail Encryption

• Two technologies used to protect e-mail messages as they are being transported:
– Secure/Multipurpose Internet Mail Extensions (S/MIME)
– Pretty Good Privacy (PGP)

Secure/Multipurpose Internet Mail Extensions (S/MIME)

• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
• Provides these features:
– Digital signatures
– Message privacy
– Tamper detection
– Interoperability
– Seamless integration
• Keys are bound to identities with X.509 certificates issued by a certification authority, which is the main difference from PGP's web of trust

Pretty Good Privacy (PGP)

• Functions much like S/MIME: messages can be digitally signed, encrypted, or both
• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
• First compresses the message
– Reduces patterns and enhances resistance to cryptanalysis
• Creates a session key (a one-time-only secret key) and encrypts the message with it using a symmetric cipher; the session key itself is then encrypted with the recipient's public key and sent along with the message
– Early versions generated this key from random movements of the mouse and keystrokes typed; current implementations draw on the operating system's random number generator
Pretty Good Privacy (PGP) (continued)

• Uses a passphrase to encrypt the private key on the local computer
• Passphrase:
– A longer and more secure version of a password
– Typically composed of multiple words
– More secure against dictionary attacks
• The passphrase protects the key only at rest: an attacker who copies the keyring file can guess offline at full speed, so the passphrase must be long and the key file must be protected like any other secret

Pretty Good Privacy (PGP) (continued)

Examining World Wide Web Vulnerabilities

• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• SMTP relay attacks allow spammers to send thousands of e-mail messages to users
• Web programming tools provide another foothold for Web attacks
• Dynamic content can also be used by attackers
– Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)

JavaScript

• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user's computer
• The Web browser then executes that code with its built-in JavaScript interpreter (engine); despite the name, JavaScript is unrelated to Java and does not run in the Java Virtual Machine
JavaScript (continued)

• Several defense mechanisms prevent JavaScript programs from causing serious harm:
– JavaScript does not support certain capabilities: no direct access to the local file system, to other processes, or to raw network sockets
– Its network access is limited to requests the browser itself makes (such as fetching images or, later, XMLHttpRequest), and the same-origin policy stops a script from reading responses from other sites
• Other security concerns remain:
– JavaScript programs can capture and send user information (keystrokes, form contents, cookies) without the user's knowledge or authorization
– JavaScript security is handled entirely by restrictions within the Web browser, so a browser bug is a JavaScript security hole

JavaScript (continued)

Java Applet

• A separate program stored on a Web server and downloaded onto a user's computer along with HTML code
• Can also be made into hostile programs
• Sandbox is a defense against a hostile Java applet
– Surrounds the program and keeps it away from private data and other resources on a local computer
• Java applet programs should run within a sandbox
• Applets are historical: they were deprecated in Java 9 and removed in Java 11, and current browsers no longer load them

Java Applet (continued)
Java Applet (continued)

• Two types of Java applets:
– Unsigned Java applet: program that does not come from a trusted source
– Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
– A signature proves origin and integrity, not safety: a signed applet could ask for permission to leave the sandbox, so accepting a signature meant trusting the signer with the whole machine
• The primary defense against Java applets is using the appropriate settings of the Web browser

Java Applet (continued)

ActiveX

• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies:
– Object Linking and Embedding (OLE)
– Component Object Model (COM)
• Not a programming language but a set of rules for how applications should share information

ActiveX (continued)

• ActiveX controls represent a specific way of implementing ActiveX
– Can perform many of the same functions of a Java applet, but do not run in a sandbox
– Have full access to the Windows operating system, with the privileges of the logged-on user
• ActiveX controls are managed through Internet Explorer; an Authenticode signature identifies the publisher but places no limit on what the control may do once it runs
• ActiveX controls should be set to the most restricted levels
ActiveX (continued)

Cookies

• Computer files that contain user-specific information
• Need for cookies is based on Hypertext Transfer Protocol (HTTP), which is stateless: each request stands alone and the server has no built-in way to tell that two requests come from the same user
• Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer, and the browser sends it back with every request to that site
• Attackers often target cookies because they can contain sensitive information (usernames, session identifiers and other private information); a stolen session cookie lets the attacker act as the logged-in user

Cookies (continued)

• Can be used to determine which Web sites you view
• First-party cookie is created by the Web site you are currently viewing
• Some Web sites attempt to access cookies they did not create
– Browsers only send a cookie back to the domain that set it, so if you visit www.b.org, that site cannot simply read a cookie set by a.org from your hard drive
– Instead, www.b.org embeds content (an image, a script, an advertisement) served from a.org; a.org then receives its own cookie with that request, together with the referring page, and learns that you were on www.b.org
– Such a cookie is known as a third-party cookie because it was not created by the Web site the user is visiting

Common Gateway Interface (CGI)

• Set of rules that describes how a Web server communicates with other software on the server and vice versa
• Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database
Common Gateway Interface (CGI) (continued)

• CGI scripts create security risks
– Do not filter user input properly
– Can issue commands via Web URLs: a parameter that is pasted into a shell command string lets the requester run arbitrary commands on the server
• CGI security can be enhanced by:
– Properly configuring CGI (run scripts as an unprivileged user, only from the designated cgi-bin directory)
– Disabling unnecessary CGI scripts or programs, including vendor sample scripts
– Checking program code that uses CGI for any vulnerabilities

8.3 Naming Conventions

• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames of up to 255 characters
• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 "alias" filename for every long filename (for example, PROGRA~1 for Program Files)
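The "commands via Web URLs" problem and its fix, as an added example (not the textbook's code). The `finger` lookup is a constructed scenario: `vulnerable_command()` builds the string a naive CGI script would pass to `os.system()`, `hardened_argv()` allow-lists the parameter and builds an argument list so no shell is involved, and `run_argv()` shows the argument-list form actually executing, using the Python interpreter itself so it runs on any system.

```python
"""CGI command injection: the naive script and a hardened one.

Added example, not the textbook's code.  The 'finger' lookup is a
constructed scenario; run_argv() executes the current Python interpreter
so the demonstration works on any system.
"""
import re
import shlex
import subprocess
import sys
from urllib.parse import parse_qs

# Allow-list for the one parameter we accept: a conventional UNIX user name.
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def param(query_string: str, name: str) -> str:
    """First value of a query-string parameter, URL-decoded ('' if absent)."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def vulnerable_command(query_string: str) -> str:
    """What a naive script hands to os.system(): the raw parameter is spliced
    into a shell string, so ';', '|', backticks and $() become extra commands
    that run as the Web server's user."""
    return "finger " + param(query_string, "user")


def hardened_argv(query_string: str) -> list:
    """Allow-list the value, then build an argv list.  With a list there is no
    shell, so metacharacters are plain bytes inside one argument."""
    user = param(query_string, "user")
    if not USERNAME.match(user):
        raise ValueError("invalid username")
    return ["finger", user]


def quoted_command(query_string: str) -> str:
    """If a shell truly cannot be avoided, shlex.quote() turns the value into a
    single shell word; use it in addition to the allow-list, not instead of it."""
    return "finger " + shlex.quote(param(query_string, "user"))


def run_argv(arg: str) -> str:
    """Execute with an argv list and return the child's output: the argument
    arrives untouched, so 'bob; id' is printed back, not run."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")
```

The same pattern applies to every CGI parameter that reaches another interpreter (a database, LDAP, a mail command): validate against what a legitimate value looks like, then pass it through an interface that cannot re-interpret it.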

8.3 Naming Conventions (continued)

• The 8.3 naming convention introduces a security vulnerability with some Web servers
– Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if a directory with a long filename is requested by its 8.3 alias
• Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database: set the DWORD value NtfsDisable8dot3NameCreation under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem to 1 (the same setting is exposed through fsutil behavior set disable8dot3)
– Disabling creation does not remove aliases that already exist; those remain until the files are recreated
– In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories

Securing Web Communications

• Most common secure connection uses the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol
• One implementation is the Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

• SSL protocol developed by Netscape to securely transmit documents over the Internet
– Uses a symmetric session key, negotiated during the handshake, to encrypt data transferred over the SSL connection; the server's public key (from its certificate) is used only to set up that session key
– Version 2.0 was once the most widely supported version; both SSL 2.0 and SSL 3.0 are now prohibited (RFC 6176 and RFC 7568) because of protocol weaknesses, and servers should offer TLS 1.2 or later only
– Personal Communications Technology (PCT), developed by Microsoft, was a similar protocol that has since disappeared

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

• TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
– An extension of SSL; they are often referred to as SSL/TLS
• SSL/TLS protocol is made up of two layers: the Record Protocol, which fragments, authenticates and encrypts application data, and the Handshake Protocol that runs on top of it to agree the keys

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

• TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
– In the common case only the server is authenticated, via its certificate; the client must check that the certificate chains to a trusted root and that its name matches the host it meant to reach, and skipping either check lets a man in the middle impersonate the server
• FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
– Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Hypertext Transport Protocol over SSL (HTTPS)

• One common use of SSL is to secure Web HTTP communication between a browser and a Web server
– This is "plain" HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL, normally on TCP port 443
• Designated HTTPS, which is also the URL scheme (https://) that tells the browser to use it
• The whole HTTP exchange, headers, URLs and bodies alike, travels inside the secure connection; only the destination address and port, and the server name presented in the handshake, are visible to an observer
• Not to be confused with Secure HTTP (S-HTTP, RFC 2660), a separate and now obsolete protocol that was designed to protect individual messages rather than the whole connection; the two names are often mixed up
Securing Instant Messaging

• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
• Instant messaging (IM) is a complement to e-mail that overcomes this delay
– Allows the sender to enter short messages that the recipient sees and can respond to immediately

Securing Instant Messaging (continued)

• Some tasks that you can perform with IM:
– Chat
– Images
– Sounds
– Files
– Talk
– Streaming content

Securing Instant Messaging (continued)

• Steps to secure IM include:
– Keep the IM server within the organization's firewall and only permit users to send and receive messages with trusted internal workers
– Enable IM virus scanning
– Block all IM file transfers
– Encrypt messages

Summary

• Protecting basic communication systems is a key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a variety of attacks
• A Java applet is a separate program stored on the Web server and downloaded onto the user's computer along with the HTML code
Summary (continued)

• ActiveX controls present serious security concerns because of the functions that a control can execute
• A cookie is a computer file that contains user-specific information
• CGI is a set of rules that describes how a Web server communicates with other software on the server
• The popularity of IM has made this a tool that many organizations are now using with e-mail

Chapter 7: Protecting Advanced Communications

Security+ Guide to Network Security Fundamentals
Second Edition

Objectives

• Harden File Transfer Protocol (FTP)
• Secure remote access
• Protect directory services
• Secure digital cellular telephony
• Harden wireless local area networks (WLAN)

Hardening File Transfer Protocol (FTP)

• Three ways to work with FTP:
– Web browser
– FTP client
– Command line
• FTP servers can be configured to allow unauthenticated users to transfer files (called anonymous FTP or blind FTP)
– Anonymous FTP accepts any visitor (conventionally with the user name "anonymous" or "ftp") and lets them list and download files; a blind FTP drop lets visitors upload without being able to list what is already there
– Either way the server must not allow anonymous upload and anonymous download in the same directory, or it becomes a free file-exchange point for strangers
Hardening File Transfer Protocol (FTP) (continued)

• Vulnerabilities associated with using FTP
– FTP does not use encryption: user names, passwords and file contents cross the network in plaintext
– Files being transferred by FTP are vulnerable to man-in-the-middle attacks
• Use secure FTP to reduce the risk of attack
– Secure FTP is a term used by vendors to describe encrypting FTP transmissions
• Most secure FTP products use Secure Sockets Layer (SSL) to perform the encryption; this is FTPS (FTP over TLS, RFC 4217), a different protocol from SFTP, the file-transfer subsystem of SSH, even though both are marketed as "secure FTP"

Hardening File Transfer Protocol (FTP) (continued)

• FTP uses two connections: a control connection on port 21 for commands, and a separate data connection for each listing or file transfer; the two modes differ in who opens the data connection
• FTP active mode
– Client connects from a random port >1,024 (port N) to the FTP server's command port, port 21 (Step 1)
– Client starts listening on port N+1 and sends the FTP command PORT, carrying its address and N+1, to the FTP server
– The server then opens the data connection from its port 20 to the client's port N+1, which a client-side firewall or NAT device will normally block as an unsolicited inbound connection
• FTP passive mode
– Client initiates both connections to the server
– When opening an FTP connection, the client opens two local random unprivileged ports >1,024, sends PASV on the control connection, and the server replies with the address and port on which it is listening for the data connection
– Passive mode works through client-side NAT, but the server must accept inbound connections on a range of high ports, which the server's firewall must allow
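The address encoding behind the PORT command and the PASV reply, as an added example (not the textbook's code). RFC 959 sends the port as two decimal bytes, `p1 * 256 + p2`; the sample exchange (`192.168.1.2`, port `5001`, and the `227` reply) is constructed. `parse_pasv_reply()` also takes an optional `expected_ip`: a client should refuse a data connection to an address other than the server it is talking to, since a tampered reply could otherwise redirect the transfer to a third host.

```python
"""Parsing and building the FTP PORT and PASV address encodings (RFC 959).

Added example, not from the textbook.  The sample exchange is constructed;
ports are encoded as two decimal octets, port = p1 * 256 + p2.
"""
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def build_port_command(ip: str, port: int) -> str:
    """Active mode: the client tells the server which port (N+1) it is
    listening on; the server then connects back to it from its port 20."""
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("bad IPv4 address")
    return "PORT {},{},{},{},{},{}".format(*octets, port // 256, port % 256)


def parse_pasv_reply(line: str, expected_ip: str = None) -> tuple:
    """Passive mode: the server's 227 reply carries the IP and port the client
    should connect to.  If expected_ip is given, refuse an address that is not
    the server we are already talking to (bounce/redirect protection)."""
    if not line.startswith("227"):
        raise ValueError("not a PASV reply")
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("malformed 227 reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if expected_ip is not None and ip != expected_ip:
        raise ValueError(f"PASV reply points at {ip}, not the server {expected_ip}")
    return ip, port


def data_channel_plan(mode: str, client_ip: str, client_port: int,
                      pasv_reply: str = None, server_ip: str = None) -> dict:
    """Who connects to whom for the data transfer.  Firewalls care: active
    mode needs an inbound connection to the client, passive mode needs the
    client to reach an arbitrary high port on the server."""
    if mode == "active":
        return {"command": build_port_command(client_ip, client_port + 1),
                "data_connection": f"server:20 -> {client_ip}:{client_port + 1}"}
    if mode == "passive":
        ip, port = parse_pasv_reply(pasv_reply, expected_ip=server_ip)
        return {"command": "PASV",
                "data_connection": f"{client_ip}:ephemeral -> {ip}:{port}"}
    raise ValueError("mode must be 'active' or 'passive'")
```

Stateful firewalls and NAT devices that "support FTP" do exactly this parsing on the control channel so they can open the matching data port just in time; when the control channel is encrypted with FTPS they can no longer see it, which is why FTPS deployments fix a small passive port range and open it explicitly.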

Hardening File Transfer Protocol (FTP) (continued)

Secure Remote Access

• Windows NT includes User Manager to allow dial-in access, while Windows Server 2003 uses Computer Management for workgroup access and Active Directory for configuring access to the domain
• Windows Server 2003 Remote Access Policies can lock down a remote access system to ensure that only those intended to have access are actually granted it
Tunneling Protocols

• Tunneling: technique of encapsulating one packet of data within another type of packet to create a link of transportation across a network that could not otherwise carry it
• Encapsulation by itself hides nothing: the inner packet is protected only if the tunneling protocol also encrypts and authenticates it (as IPSec does), so "tunnel" and "secure" are not synonyms

Tunneling Protocols (continued)

Point-to-Point Tunneling Protocol (PPTP)

• Most widely deployed tunneling protocol at the time, largely because Windows ships with a client
• Connection is based on the Point-to-Point Protocol (PPP), a widely used protocol for establishing connections over a serial line or dial-up connection between two points
• Client connects to a network access server (NAS) to initiate the connection
• PPP's Link Control Protocol (LCP) establishes, configures, and tests the connection; PPTP then carries the PPP frames inside GRE packets
• PPTP's usual authentication (MS-CHAPv2) and encryption (MPPE) are broken in practice: a captured handshake can be cracked offline to recover the session keys, so PPTP should no longer be relied on for confidential traffic

Point-to-Point Tunneling Protocol (PPTP) (continued)
Layer 2 Tunneling Protocol (L2TP)

• Represents a merging of features of PPTP with Cisco's Layer 2 Forwarding Protocol (L2F), which itself was originally designed to address some of the weaknesses of PPTP
• Unlike PPTP, which is primarily implemented as software on a client computer, L2TP can also be found on devices such as routers
• L2TP provides the tunnel but no encryption of its own; in practice it is run over IPSec (L2TP/IPSec, RFC 3193), which supplies confidentiality and integrity

Authentication Technologies

• Authenticating a transmission to ensure that it comes from an approved sender can provide an increased level of security for remote access users

IEEE 802.1X

• Based on a standard established by the Institute of Electrical and Electronics Engineers (IEEE)
• Gaining wide-spread popularity
• Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs)
• Uses port-based authentication mechanisms
– The switch (or access point) keeps the port closed to all traffic except authentication frames until the user or device attached to that port has been authorized

IEEE 802.1X (continued)

• A network supporting the 802.1X protocol consists of three elements:
– Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access
– Authenticator: serves as an intermediary device between supplicant and authentication server
– Authentication server: receives the request from the supplicant through the authenticator and decides whether to admit it
• The supplicant and authenticator speak EAP over LAN (EAPOL); the authenticator relays the EAP exchange to the authentication server, usually inside RADIUS packets, so the authenticator never has to understand the credentials itself
IEEE 802.1X (continued)

• Several variations of the Extensible Authentication Protocol (EAP) can be used with 802.1X:
– EAP-Transport Layer Security (EAP-TLS): mutual authentication with client and server certificates
– Lightweight EAP (LEAP): Cisco's early method; its MS-CHAP-style exchange is exposed to offline dictionary attacks and it is deprecated
– EAP-Tunneled TLS (EAP-TTLS): a TLS tunnel to the server, inside which a simpler client credential (such as a password) is sent
– Protected EAP (PEAP): similar to EAP-TTLS, carrying another EAP method inside the TLS tunnel
– EAP Flexible Authentication via Secure Tunneling (EAP-FAST): Cisco's replacement for LEAP, tunnelling inside a TLS session established with a pre-provisioned credential
• For the tunnelled methods the supplicant must validate the server certificate; otherwise a rogue access point can present its own certificate and harvest the inner credentials

IEEE 802.1X (continued)

Remote Authentication Dial-In User Service (RADIUS)

• Originally defined to enable centralized authentication and access control for dial-in and PPP sessions
• Requests are forwarded to a single RADIUS server (UDP port 1812 for authentication, 1813 for accounting)
• Supports authentication, authorization, and accounting (AAA) functions
• After the connection is made, the RADIUS server adds an accounting record to its log and acknowledges the request
• Allows a company to maintain user profiles in a central database that all remote servers can share
• The NAS and the server share a secret; only the User-Password attribute is hidden with it, and the rest of the packet travels in the clear
• Each reply carries an MD5-based Response Authenticator computed over the packet and the secret, so the NAS can detect a forged Access-Accept; a weak shared secret can be brute-forced offline from a single captured exchange

Terminal Access Controller Access Control System (TACACS+)

• Industry standard protocol specification that forwards username and password information to a centralized server
• Originally a Cisco protocol; uses TCP port 49 and separates authentication, authorization, and accounting so each can be handled independently
• Whereas communication between a NAS and a TACACS+ server is encrypted (the entire packet body, not just the password), communication between a client and a NAS is not
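The two places RADIUS uses its shared secret, implemented from RFC 2865 as an added example (not the textbook's code): the User-Password hiding (pad to 16-byte blocks, XOR each block with `MD5(secret + previous block)`, the first "previous block" being the Request Authenticator) and the Response Authenticator `MD5(Code + ID + Length + RequestAuth + Attributes + Secret)` that a NAS recomputes to reject a forged Access-Accept. The secret, authenticator and packet bytes in the test are constructed.

```python
"""RADIUS User-Password hiding and Response Authenticator (RFC 2865).

Added example, not from the textbook.  Shared secret, Request Authenticator
and packet contents used here are constructed values.
"""
import hashlib
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block); for the first block the 'previous block'
    is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits passwords to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password.  Anyone holding the shared secret, or able
    to guess a weak one offline, recovers the password from a capture."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")          # strip the NUL padding


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret).  The NAS
    recomputes this over a reply to check it really came from its server."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))   # 20 = fixed header size
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: bytes = b"") -> bytes:
    code = 2                                                     # Access-Accept
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does with a reply: check the length field, then compare
    the received authenticator with the one it computes itself."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received, attrs = packet[4:20], packet[20:length]
    return received == response_authenticator(code, ident, attrs, request_auth, secret)
```

The attribute used in the test is Reply-Message (type 18, length 5, value `OK!`). Because everything except the password is sent in the clear and the protection rests on MD5 of a shared secret, RADIUS between a NAS and its server is normally confined to a management network or wrapped in IPSec or TLS (RadSec).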
Secure Transmission Protocols

• PPTP and L2TP are meant to provide a secure mechanism for preventing eavesdroppers from viewing transmissions; in practice PPTP's encryption is breakable and L2TP protects traffic only when combined with IPSec

Secure Shell (SSH)

• One of the primary goals of the ARPANET (which became today's Internet) was remote access
• SSH is a UNIX-based command interface and protocol for securely accessing a remote computer; it replaces the plaintext telnet, rlogin and rsh
• Suite of three utilities: slogin, ssh, and scp
• Can protect against:
– IP spoofing
– DNS spoofing
– Intercepting information
• This protection rests on the client checking the server's host key: the first connection records it, and a later mismatch (the "host key has changed" warning) is the signal that the session may be going to the wrong machine

Secure Shell (SSH) (continued)

IP Security (IPSec)

• Different security tools function at different layers of the Open Systems Interconnection (OSI) model
• Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) operate at the Application layer
• Kerberos functions at the Session layer
• IPSec operates at the Network layer, which is why it can protect any IP traffic regardless of the application
IP Security (IPSec) (continued)

• IPSec is a set of protocols developed to support the secure exchange of packets
• Considered to be a transparent security protocol
• Transparent to applications, users, and software
• Provides three areas of protection that correspond to three IPSec protocols:
– Authentication: Authentication Header (AH)
– Confidentiality: Encapsulating Security Payload (ESP), which also provides integrity and origin authentication
– Key management: Internet Key Exchange (IKE)

IP Security (IPSec) (continued)

IP Security (IPSec) (continued)

• Supports two modes:
– Transport mode encrypts only the data portion (payload) of each packet and leaves the original IP header unencrypted; used between two hosts that are the endpoints of the traffic
– Tunnel mode encrypts both the header and the data portion; used between gateways, or between a remote host and a gateway
• IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet
• In tunnel mode the entire original packet is treated as the data portion of a new packet with a new outer IP header, so an observer sees only the gateway addresses

IP Security (IPSec) (continued)
IP Security (IPSec) (continued)

• Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with transport or tunnel mode, creating four possible transport mechanisms:
– AH in transport mode
– AH in tunnel mode
– ESP in transport mode
– ESP in tunnel mode
• AH authenticates the IP header as well as the payload, so it fails when a NAT device rewrites addresses on the path; ESP (which can also authenticate) is what most deployments use, with NAT traversal (NAT-T) encapsulating it in UDP

Virtual Private Networks (VPNs)

• Takes advantage of using the public Internet as if it were a private network
• Allows the public Internet to be used privately
• Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization's network

Virtual Private Networks (VPNs) (continued)

• Two common types of VPNs include:
– Remote-access VPN or virtual private dial-up network (VPDN): user-to-LAN connection used by remote users
– Site-to-site VPN: multiple sites can connect to other sites over the Internet
• VPN transmissions are achieved through communicating with endpoints
– An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall

Virtual Private Networks (VPNs) (continued)
Protecting Directory Services

• A directory service is a database stored on the network itself and contains all information about users and network devices
• A directory service contains information such as the user's name, telephone extension, e-mail address, and logon name
• The International Organization for Standardization (ISO), jointly with the ITU-T, created a standard for directory services known as X.500

Protecting Directory Services (continued)

• Purpose of X.500 was to standardize how data was stored so any computer system could access these directories
• Information is held in a directory information base (DIB)
• Entries in the DIB are arranged in a directory information tree (DIT)

Protecting Directory Services (continued)

• The X.500 standard defines a protocol for a client application to access the X.500 directory called the Directory Access Protocol (DAP)
• The DAP is too large to run on a personal computer; it requires the full OSI protocol stack
• The Lightweight Directory Access Protocol (LDAP), or X.500 Lite, is a simpler subset of DAP that runs directly over TCP/IP (port 389)
• LDAP is plaintext by default; binds (logons) and query results should be protected with LDAPS (port 636) or StartTLS, and anonymous binds should be disabled unless they are needed, because a directory is an attacker's map of the organization

Securing Digital Cellular Telephony

• The early use of wireless cellular technology is known as First Generation (1G)
• 1G is characterized by analog radio frequency (RF) signals transmitting at a top speed of 9.6 Kbps
• 1G networks use circuit-switching technology
• Digital cellular technology, which started in the early 1990s, uses digital instead of analog transmissions
• Packet switching arrived with the data services added to digital networks (GPRS and later); the voice side of second-generation systems such as GSM remained circuit-switched
Wireless Application Protocol (WAP)

• Provides a standard way to transmit, format, and display Internet data for devices such as cell phones
• A WAP cell phone runs a microbrowser that uses Wireless Markup Language (WML) instead of HTML
– WML is designed to display text-based Web content on the small screen of a cell phone
– Because the Internet standard is HTML, a WAP Gateway (or WAP Proxy) must translate between WML and HTML

Wireless Application Protocol (WAP) (continued)

Wireless Transport Layer Security (WTLS)

• Security layer of the WAP
• Provides privacy, data integrity, and authentication for WAP services
• Designed specifically for wireless cellular telephony
• Based on the TLS security layer used on the Internet
• Because the WAP gateway must translate WML to HTML, it decrypts WTLS traffic and re-encrypts it as TLS toward the Web server; the data exists in plaintext on the gateway (the "WAP gap"), so the gateway operator has to be trusted
• Replaced by TLS in WAP 2.0, which removes the gap by letting the phone speak TLS end to end

Hardening Wireless Local Area Networks (WLAN)

• By 2007, >98% of all notebooks will be wireless-enabled
• Serious security vulnerabilities have also been created by wireless data technology:
– Unauthorized users can access the wireless signal from outside a building and connect to the network
– Attackers can capture and view transmitted data
– Employees in the office can install personal wireless equipment and defeat perimeter security measures
– Attackers can crack wireless security with freely available script-kiddie tools
IEEE 802.11 Standards

• A WLAN shares the same characteristics as a standard data-based LAN with the exception that network devices do not use cables to connect to the network
• RF is used to send and receive packets
• Sometimes called Wi-Fi (a Wi-Fi Alliance brand name rather than an abbreviation of "wireless fidelity"), network devices can transmit 11 to 108 Mbps at a range of 150 to 375 feet
• Because RF carries beyond the walls, every frame is in effect broadcast to anyone in range, which is why encryption matters far more here than on a wired LAN

IEEE 802.11 Standards (continued)

• In September 1999, a new 802.11b High Rate amendment was added to the 802.11 standard
• 802.11b added two higher speeds, 5.5 and 11 Mbps, in the 2.4 GHz band
• With faster data rates, 802.11b quickly became the standard for WLANs
• At the same time, the 802.11a standard was released
• 802.11a has a maximum rated speed of 54 Mbps and also supports 48, 36, 24, 18, 12, 9, and 6 Mbps transmissions at 5 GHz

WLAN Components

• Each network device must have a wireless network interface card installed
• Wireless NICs are available in a variety of formats:
– Type II PC card
– CompactFlash (CF) card
– USB stick
– Mini PCI
– USB device

WLAN Components (continued)

• An access point (AP) consists of three major parts:
– An antenna and a radio transmitter/receiver to send and receive signals
– An RJ-45 wired network interface that allows it to connect by cable to a standard wired network
– Special bridging software
Basic WLAN Security

• Two areas:
– Basic WLAN security
– Enterprise WLAN security
• Basic WLAN security uses two new wireless tools and one tool from the wired world:
– Service Set Identifier (SSID) beaconing
– MAC address filtering
– Wired Equivalent Privacy (WEP)

Service Set Identifier (SSID) Beaconing

• A service set is a technical term used to describe a WLAN network
• Three types of service sets:
– Independent Basic Service Set (IBSS)
– Basic Service Set (BSS)
– Extended Service Set (ESS)
• Each WLAN is given a unique SSID
• The AP normally advertises the SSID in its beacon frames; turning beaconing off hides the name from casual scans only, because clients still send it in the clear in probe and association frames, so "SSID hiding" is not an access control

MAC Address Filtering
• Another way to harden a WLAN is to filter MAC addresses
• The MAC addresses of approved wireless devices are entered on the AP
• A MAC address can be spoofed
• 802.11 frame headers, including the source and destination MAC addresses, are never encrypted, so an attacker with a sniffer can read the MAC address of an approved device from any frame it sends and then configure that address on their own card

Wired Equivalent Privacy (WEP)
• Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents
• Uses shared keys: the same key for encryption and decryption must be installed on the AP as well as on each wireless device
• A serious vulnerability in WEP is that the initialization vector (IV) is not properly implemented
• Every time a packet is encrypted it should be given a unique IV; WEP's IV is only 24 bits and is sent in cleartext, so IVs repeat quickly on a busy network (a few thousand frames give an even chance of a repeat), and two packets encrypted under the same IV share the same RC4 keystream
• Related-key weaknesses in how WEP feeds the IV and key into RC4 let an attacker who collects enough frames recover the shared key itself; WEP should be considered broken, not merely weak
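The keystream-reuse problem described above, as an added example that is not part of the original slides or the textbook: a from-scratch RC4 (the cipher WEP uses) and a simplified WEP frame with the 24-bit IV in the clear. The shared key, the IV and the packet contents are constructed for the demonstration, and the CRC-32 integrity value that real WEP appends is omitted because the weakness shown does not depend on it.

```python
"""RC4 and the WEP IV problem (constructed example, not from the text)."""
import secrets


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` bytes of RC4 keystream: key scheduling (KSA) then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: the 3-byte IV in the clear, followed by
    plaintext XOR RC4(IV || shared_key). The CRC-32 ICV is omitted."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(rc4_keystream(iv + shared_key, len(body)), body)


def recover_from_iv_reuse(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Two frames under the same IV share a keystream K. Then
    C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2, and knowing P1 yields P2."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("IVs differ, no keystream reuse to exploit")
    return xor(xor(frame1[3:], frame2[3:]), known_plaintext1)


def random_iv() -> bytes:
    """Even a random IV repeats after a few thousand frames (birthday bound on 24 bits)."""
    return secrets.token_bytes(3)


def known_answer_ok() -> bool:
    """Standard RC4 test vector: key "Key" gives keystream EB9F7781B734CA72A719..."""
    return rc4_keystream(b"Key", 10).hex() == "eb9f7781b734ca72a719"


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                      # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                           # an IV that gets reused
    f1 = wep_encrypt(key, iv, b"GET /index.html ")         # attacker can guess this payload
    f2 = wep_encrypt(key, iv, b"secret=hunter2!!")
    print(recover_from_iv_reuse(f1, f2, b"GET /index.html "))  # b'secret=hunter2!!'
```

With a 24-bit IV there are only 16,777,216 keystreams per key, so an observer needs only one guessed plaintext (an ARP request or HTTP header is enough) to read every other frame sent under a repeated IV. The separate related-key attacks that recover the WEP key itself are not shown here.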
Wired Equivalent Privacy (WEP) (continued)
• The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use

Untrusted Network
• One approach to securing a WLAN is to treat it as an untrusted and unsecured network
• Requires that the WLAN be placed outside the secure perimeter of the trusted network, for example on its own firewall segment, with wireless clients reaching internal resources only through a VPN

Trusted Network
• It is still possible to provide security for a WLAN and treat it as a trusted network
• Wi-Fi Protected Access (WPA) was crafted by the WECA (now the Wi-Fi Alliance) in 2002 as an interim solution until a permanent wireless security standard could be implemented
• Has two components:
– WPA encryption
– WPA access control
Trusted Network (continued)
• WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP)
• TKIP mixes keys on a per-packet basis to improve security and adds a message integrity check, but it still runs RC4 underneath and has since been deprecated
• Although WPA provides enhanced security, the IEEE 802.11i solution is even more secure: it replaces RC4/TKIP with AES-CCMP
• 802.11i was expected to be released sometime in 2004 (it was ratified in June 2004 and is certified as WPA2)

Summary
• The FTP protocol has several security vulnerabilities: it does not natively use encryption and is vulnerable to man-in-the-middle attacks
• FTP can be hardened by using secure FTP (FTPS, which encrypts using SSL/TLS; not to be confused with SFTP, which runs over SSH)
• Protecting remote access transmissions is particularly important in today's environment as more users turn to the Internet as the infrastructure for accessing protected information

Summary (continued)
• Authenticating a transmission to ensure it came from the sender can provide increased security for remote access users
• SSH is a UNIX-based command interface and protocol for securely accessing a remote computer
• A directory service is a database stored on the network itself that contains all the information about users and network devices
• Digital cellular telephony provides various features to operate on a wireless digital cellular device
• WLANs have a dramatic impact on user access to data

Chapter 8: Scrambling Through Cryptography
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
• Define cryptography
• Secure with cryptography hashing algorithms
• Protect with symmetric encryption algorithms
• Harden with asymmetric encryption algorithms
• Explain how to use cryptography

Cryptography Terminology
• Cryptography: science of transforming information so it is secure while being transmitted or stored
• Steganography: attempts to hide the existence of data, for example inside an image file; it offers no protection once the hiding method is known, so it is not a substitute for encryption
• Encryption: changing the original text to a secret message using cryptography

Cryptography Terminology (continued)
• Decryption: reverse process of encryption
• Algorithm: process of encrypting and decrypting information based on a mathematical procedure
• Key: value used by an algorithm to encrypt or decrypt a message
• Ciphertext: data that has been encrypted by an encryption algorithm

Cryptography Terminology (continued)
• Weak key: mathematical key that creates a detectable pattern or structure
• Plaintext: original unencrypted information (also known as clear text)
• Cipher: encryption or decryption algorithm used to create encrypted or decrypted text
How Cryptography Protects
• Intended to protect the confidentiality of information
• Second function of cryptography is authentication
• Should ensure the integrity of the information as well
• Should also be able to enforce nonrepudiation, the inability to deny that actions were performed
• Can be used for access control

Securing with Cryptography Hashing Algorithms
• One of the three categories of cryptographic algorithms is known as hashing

Defining Hashing
• Hashing, also called a one-way hash, takes plaintext of any length and produces a fixed-length digest; unlike ciphertext, a digest cannot be "decrypted" back into the input, because there is no key and the transformation discards information
• Cryptographic hashing follows this same basic approach
• Hash algorithms verify the accuracy of a value without transmitting the value itself and subjecting it to attacks
• A practical use of a hash algorithm is with automatic teller machine (ATM) cards
Defining Hashing (continued)
• Hashing is typically used in two ways:
– To determine whether a password a user enters is correct without transmitting or storing the password itself
– To determine the integrity of a message or contents of a file
• Hash algorithms are considered very secure if the hash that is produced has the characteristics listed on pages 276 and 277 of the text; in standard terms these are a fixed output length, preimage resistance (the input cannot be recovered from the digest), second-preimage resistance (no other input with the same digest can be found), collision resistance (no two inputs with the same digest can be found), and the avalanche effect (a one-bit change in the input changes about half the digest bits)
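The two uses listed above, as an added example (not from the text) using Python's standard library. The password, messages and expected digest are constructed inputs. It also shows the practitioner's caveats the slides leave out: a per-user salt and a deliberately slow key-derivation function (PBKDF2) so that a stolen password database cannot be attacked with precomputed tables, and a constant-time comparison of digests.

```python
"""Two everyday uses of a one-way hash (constructed example, not from the text)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000    # deliberately slow: raises the cost of each offline guess


def make_password_record(password: str) -> dict:
    """Store a per-user random salt and the PBKDF2-HMAC-SHA256 output, never the password.
    The salt defeats precomputed (rainbow) tables and makes equal passwords look different."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so that
    response timing does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def sha256_hex(data: bytes) -> str:
    """Digest to publish or store alongside a file for later integrity checks."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count bit positions in which two equal-length hex digests differ (avalanche check)."""
    return sum(bin(x ^ y).count("1")
               for x, y in zip(bytes.fromhex(hex_a), bytes.fromhex(hex_b)))


if __name__ == "__main__":
    rec = make_password_record("correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"))   # True
    print(verify_password(rec, "correct horse battery stapl"))    # False
    print(integrity_ok(b"abc", sha256_hex(b"abc")))               # True
    print(differing_bits(sha256_hex(b"pay Alice 100"), sha256_hex(b"pay Alice 900")))
```

Note that the integrity check only detects accidental or unauthorized modification if the expected digest was obtained over a channel the attacker cannot alter; a digest published next to the file it protects can be replaced along with the file, which is why signed digests (or a keyed MAC) are used in practice.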

Message Digest (MD)
• Message digest 2 (MD2) takes plaintext of any length and creates a hash 128 bits long
– MD2 processes the message in 128-bit (16-byte) sections
– The message is padded to a multiple of 128 bits before hashing
• Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time
– Takes plaintext and creates a hash of 128 bits
– The plaintext message is padded to a multiple of 512 bits
• MD4 and MD5 have practical collision attacks and MD2 is obsolete, so none of the MD family should be used where collision resistance matters (digital signatures, certificates, software integrity)
Message Digest (MD) (continued)
• Message digest 5 (MD5) is a revision of MD4 designed to address its weaknesses
– The message is padded to a multiple of 512 bits
– The hash algorithm then uses four variables of 32 bits each in a round-robin fashion to create a value that is compressed to generate the hash

Secure Hash Algorithm (SHA)
• SHA-1 is patterned after MD4 but creates a hash that is 160 bits in length instead of 128 bits
• The longer hash makes it more resistant to brute-force attacks; even so, a practical SHA-1 collision was demonstrated in 2017, and SHA-2 (SHA-256 or SHA-512) should be used for new designs
• SHA pads every message with a single 1 bit, then zeros, then a 64-bit integer that describes the original length of the message, so that the padded length is a multiple of 512 bits
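The padding and "length appended" step described for MD4, MD5 and SHA in the two slides above, as an added example (not from the text). It implements SHA-1 from the FIPS 180 specification, which is small enough to fit here, checks it against hashlib, and then shows why the padding matters for security: because the digest is simply the internal state after the last block, anyone who knows SHA-1(secret || message) and the length of the secret can continue hashing and forge SHA-1(secret || message || padding || extension) without the secret. The secret and messages are constructed; HMAC exists precisely to close this hole.

```python
"""SHA-1 from FIPS 180, with the padding step exposed, and a length-extension
forgery against a SHA-1(secret || message) tag (constructed example, not from the text)."""
import hashlib
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md_pad(message_len: int, block_size: int = 64) -> bytes:
    """Padding appended to a message of `message_len` bytes: a 0x80 byte (the single
    1 bit), zeros up to 8 bytes short of a block boundary, then the original length
    in bits as a big-endian 64-bit integer. MD4 and MD5 use the same layout but
    write the length little-endian."""
    zeros = (block_size - 9 - message_len) % block_size
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", message_len * 8)


def sha1_compress(state: tuple, block: bytes) -> tuple:
    """One compression of a 64-byte block into the five 32-bit state words."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e)))


def sha1(message: bytes, state: tuple = SHA1_IV, already_absorbed: int = 0) -> bytes:
    """SHA-1 digest. `state` and `already_absorbed` let hashing resume from a known
    digest as if `already_absorbed` bytes had been processed: the digest IS the
    final state, so nothing stops an outsider from continuing it."""
    data = message + md_pad(already_absorbed + len(message))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)


def length_extend(tag: bytes, original_len: int, extension: bytes) -> tuple:
    """Given tag = SHA-1(secret || msg) and len(secret || msg), return (glue, forged_tag)
    where forged_tag = SHA-1(secret || msg || glue || extension). No secret needed."""
    glue = md_pad(original_len)
    forged = sha1(extension, struct.unpack(">5I", tag), original_len + len(glue))
    return glue, forged


def matches_hashlib(data: bytes) -> bool:
    return sha1(data) == hashlib.sha1(data).digest()


def forgery_demo() -> bool:
    """Constructed scenario: a server authenticates requests with SHA-1(secret || request)."""
    secret, request, extra = b"s3cr3t-key", b"amount=10&to=alice", b"&amount=9999"
    tag = sha1(secret + request)                                  # observed by the attacker
    glue, forged = length_extend(tag, len(secret) + len(request), extra)  # only len(secret) guessed
    return forged == hashlib.sha1(secret + request + glue + extra).digest()
```

The attacker needs the secret's length, not its value, and can simply try plausible lengths. The fix is not a longer secret but a construction that does not expose the internal state, which is what HMAC (hashlib's hmac module) and SHA-3 provide.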

Protecting with Symmetric Encryption Algorithms
• Most common type of cryptographic algorithm (also called private key cryptography)
• Use a single key to encrypt and decrypt a message
• With symmetric encryption, algorithms are designed to decrypt the ciphertext
– It is essential that the key be kept confidential: if an attacker secured the key, she could decrypt any messages

Protecting with Symmetric Encryption Algorithms (continued)
• Can be classified into two distinct categories based on the amount of data processed at a time:
– Stream cipher (processes one character or bit at a time; a classical substitution cipher works this way)
– Block cipher
• Substitution ciphers substitute one letter or character for another
– Also known as a monoalphabetic substitution cipher
– Can be easy to break, because letter frequencies in the plaintext survive into the ciphertext
Protecting with Symmetric Encryption Algorithms (continued)
• A homophonic substitution cipher (called homoalphabetic in some texts) maps a single plaintext character to multiple ciphertext characters
• A transposition cipher rearranges letters without changing them
• With a stream cipher, the final step is to combine the keystream with the plaintext, normally by XOR, to create the ciphertext; the same keystream XORed with the ciphertext recovers the plaintext, which is why a keystream must never be reused

Protecting with Symmetric Encryption Algorithms (continued)
• A block cipher manipulates an entire block of plaintext at one time
• The plaintext message is divided into separate blocks of 8 to 16 bytes; in the simplest mode (electronic codebook, ECB) each block is encrypted independently
• Encrypting blocks independently means identical plaintext blocks produce identical ciphertext blocks, which leaks patterns; chaining modes such as cipher block chaining (CBC) mix each block with the previous ciphertext block (and a random IV for the first) so that repetition is hidden
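The independent-block (ECB) versus chained (CBC) behaviour described above, as an added example (not from the text). Because the standard library has no block cipher, the block uses a toy 16-round Feistel cipher with DES's 8-byte block; its round function is a keyed BLAKE2 hash, an assumption made for brevity rather than a real cipher design. The Feistel structure, the PKCS#7 padding and the two modes are the real constructions. The key and plaintext are constructed.

```python
"""Block-cipher modes on a toy Feistel cipher (constructed example, not from the text)."""
import hashlib
import os

BLOCK = 8          # bytes per block, as in DES
ROUNDS = 16        # as in DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> list:
    """Derive one 16-byte subkey per round from the cipher key (toy key schedule)."""
    return [hashlib.blake2b(key + bytes([r]), digest_size=16).digest() for r in range(ROUNDS)]


def _round_fn(half: bytes, subkey: bytes) -> bytes:
    """Toy round function F(R, k): keyed BLAKE2b truncated to half a block. An assumption
    for brevity; DES uses expansion, S-boxes and a permutation here."""
    return hashlib.blake2b(half, key=subkey, digest_size=BLOCK // 2).digest()


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Feistel network: each round swaps halves and XORs F(R, k) into the other half."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _round_fn(right, sk))
    return right + left                      # final swap, as in DES


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Same structure with the subkeys reversed: F never needs to be invertible."""
    right, left = block[:BLOCK // 2], block[BLOCK // 2:]
    for sk in reversed(_subkeys(key)):
        right, left = left, _xor(right, _round_fn(left, sk))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block encrypted independently; equal plaintext blocks give equal ciphertext."""
    return b"".join(encrypt_block(key, blk) for blk in _blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(decrypt_block(key, blk) for blk in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the random IV
    for the first) before encryption, hiding repetition. The IV is sent in the clear, prepended."""
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]
    for blk in _blocks(pkcs7_pad(plaintext)):
        prev = encrypt_block(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    chunks = _blocks(ciphertext)
    plain = [_xor(decrypt_block(key, cur), prev) for prev, cur in zip(chunks, chunks[1:])]
    return pkcs7_unpad(b"".join(plain))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one: nonzero means ECB-style leakage."""
    chunks = _blocks(ciphertext)
    return len(chunks) - len(set(chunks))
```

Run `repeated_blocks` on the ECB and CBC encryptions of a plaintext with repeated content (the test below uses a 16-byte phrase repeated four times): ECB reveals the repetition in the ciphertext, CBC does not. Neither mode authenticates the ciphertext; in practice CBC is paired with a MAC or replaced by an authenticated mode such as GCM.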
Data Encryption Standard (DES)
• One of the most popular symmetric cryptography algorithms
• DES is a block cipher and encrypts data in 64-bit blocks
• The key is 64 bits long, but 8 of those bits are parity bits that are ignored, so the effective key length is only 56 bits
• A 56-bit key can be brute-forced with modest hardware (demonstrated publicly in 1998), so single DES is no longer acceptable for protecting data
• DES encrypts a 64-bit plaintext block by executing the round function 16 times
• The four modes of DES encryption (ECB, CBC, CFB, and OFB) are summarized on pages 282 and 283

Triple Data Encryption Standard (3DES)
• Uses three rounds of DES instead of just one, usually in encrypt-decrypt-encrypt (EDE) order
• The ciphertext of one round becomes the entire input for the next iteration
• Employs a total of 48 iterations in its encryption (3 iterations times 16 rounds)
• The most secure versions of 3DES use different keys for each round; with three keys the nominal key length is 168 bits, but a meet-in-the-middle attack reduces the effective strength to about 112 bits
• 3DES is slow in software and keeps DES's 64-bit block size; NIST has deprecated it in favor of AES

Advanced Encryption Standard (AES)
• Approved by NIST in late 2000 as a replacement for DES
• Process began with NIST publishing requirements for a new symmetric algorithm and requesting proposals
• Requirements stated that the new algorithm had to be fast and function on older computers with 8-bit, 32-bit, and 64-bit processors

Advanced Encryption Standard (AES) (continued)
• Performs three steps on every block (128 bits) of plaintext: an initial key addition, a series of full rounds, and a final round
• Within step 2, multiple rounds are performed depending upon the key size:
– 128-bit key performs 9 full rounds (10 rounds in total, counting the final round)
– 192-bit key performs 11 full rounds (12 in total)
– 256-bit key performs 13 full rounds (14 in total)
Rivest Cipher (RC)
• Family of cipher algorithms designed by Ron Rivest
• He developed six ciphers, ranging from RC1 to RC6, but did not release RC1 and RC3
• RC2 is a block cipher that processes blocks of 64 bits
• RC4 is a stream cipher that accepts variable-length keys (commonly 40 to 128 bits in deployed protocols); statistical biases in its keystream are now well documented, and it is prohibited in TLS

International Data Encryption Algorithm (IDEA)
• IDEA algorithm dates back to the early 1990s and is used in European nations
• Block cipher that processes 64-bit blocks with a 128-bit key in 8 rounds

Blowfish
• Block cipher that operates on 64-bit blocks
• Can have a key length from 32 to 448 bits
• Because the block is only 64 bits, ciphertext blocks start to collide after roughly 2^32 blocks (a few tens of gigabytes) under one key, so Blowfish is unsuitable for large volumes of data; its designer recommends Twofish instead

Hardening with Asymmetric Encryption Algorithms
• The primary weakness of symmetric encryption algorithms is keeping the single key secure
• This weakness, known as key management, poses a number of significant challenges
• Asymmetric encryption (or public key cryptography) uses two keys instead of one
– To keep a message confidential, the sender encrypts it with the recipient's public key, and only the recipient's private key can decrypt it
– To authenticate a message, the sender signs it with their own private key, and anyone holding the public key can verify the signature
– The private key is never shared; the public key can be published freely
Rivest Shamir Adleman (RSA)
• Asymmetric algorithm published in 1977 and patented by MIT in 1983
• Most common asymmetric encryption and authentication algorithm
• Included as part of the Web browsers from Microsoft and Netscape as well as other commercial products
• Multiplies two large prime numbers to form the modulus; its security rests on the difficulty of factoring that product back into the primes, which is why moduli of 2048 bits or more are required today

Diffie-Hellman
• Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text
• Strength of Diffie-Hellman is that it allows two users to share a secret key securely over a public network
• Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography
• On its own, Diffie-Hellman does not authenticate the parties: an attacker who can intercept the exchange can run a separate agreement with each side (a man-in-the-middle), so protocols combine it with digital signatures or certificates

Elliptic Curve Cryptography
• First proposed in the mid-1980s
• Instead of relying on the difficulty of factoring, relies on the difficulty of the discrete logarithm problem on an elliptic curve over a finite field
• An elliptic curve is a function drawn on an X-Y axis as a gently curved line
• By adding the values of two points on the curve, you can arrive at a third point on the curve
• ECC achieves security comparable to RSA with much shorter keys (a 256-bit curve is roughly equivalent to a 3072-bit RSA modulus), which makes it attractive for constrained devices
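The exchange described above, as an added example (not from the text): both parties' computations, the single value each sends over the network, the derivation of a symmetric key from the result, and the man-in-the-middle failure of an unauthenticated exchange. The group parameters are a toy Mersenne prime chosen for readability, an assumption of this example; production code uses a standardized 2048-bit or larger group or elliptic-curve DH. The party names are constructed.

```python
"""Diffie-Hellman key agreement, both sides, plus the unauthenticated-exchange failure
(constructed example, not from the text)."""
import hashlib
import secrets

# Toy group, an assumption made for readability: p = 2**61 - 1 (a Mersenne prime), g = 2.
# Production code uses a standardized group (RFC 3526, 2048 bits or larger) or ECDH.
P = 2 ** 61 - 1
G = 2


class Party:
    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1    # random exponent, never transmitted
        self.public = pow(G, self.private, P)          # the only value sent over the network

    def shared_key(self, peer_public: int) -> bytes:
        if not 1 < peer_public < P - 1:                # reject 0, 1 and p-1 (tiny subgroups)
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, P)     # g^(ab) mod p, identical on both sides
        # never use the raw shared secret as a key; derive one with a hash or KDF
        return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def agree() -> tuple:
    """Alice and Bob each combine their own private value with the other's public value."""
    alice, bob = Party("Alice"), Party("Bob")
    return alice.shared_key(bob.public), bob.shared_key(alice.public)


def mitm_demo() -> bool:
    """Without authentication, Mallory substitutes her own public value in each direction
    and ends up holding one key with Alice and a different one with Bob, able to relay
    and read everything while both believe they share a key with each other."""
    alice, bob, mallory = Party("Alice"), Party("Bob"), Party("Mallory")
    key_alice = alice.shared_key(mallory.public)       # Alice thinks this came from Bob
    key_bob = bob.shared_key(mallory.public)           # Bob thinks this came from Alice
    return (key_alice == mallory.shared_key(alice.public)
            and key_bob == mallory.shared_key(bob.public)
            and key_alice != key_bob)
```

The defence against `mitm_demo` is to sign the public values (or the whole transcript) with a key the peer can verify through a certificate, which is what TLS and IKE do.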
Understanding How to Use Cryptography
• Cryptography can provide a major defense against attackers
• If an e-mail message or data stored on a file server is encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it

Digital Signature
• A hash of the message, encrypted (signed) with the sender's private key and transmitted along with the message
• Helps to prove that the person sending the message is whom he/she claims to be, because only the holder of the private key could have produced a signature that verifies with the matching public key
• Also proves that the message was not altered (the recipient recomputes the hash and compares it with the one recovered from the signature) and that it was sent in the first place

Benefits of Cryptography
• Five key elements:
– Confidentiality
– Authentication
– Integrity
– Nonrepudiation
– Access control
Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)
• PGP is perhaps the most widely used asymmetric cryptography system for encrypting e-mail messages on Windows systems
– Commercial product
• GPG is a free product

Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) (continued)
• GPG versions run on Windows, UNIX, and Linux operating systems
• PGP and GPG use both asymmetric and symmetric cryptography: a random session key encrypts the message body with a symmetric cipher, and that session key is encrypted with the recipient's public key (hybrid encryption)
• PGP can use either RSA or the Diffie-Hellman algorithm for the asymmetric encryption and IDEA for the symmetric encryption

Microsoft Windows Encrypting File System (EFS)
• Encryption scheme for Windows 2000, Windows XP Professional, and Windows 2003 Server operating systems that use the NTFS file system
• Uses asymmetric cryptography and a per-file encryption key to encrypt and decrypt data
• When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data

Microsoft Windows Encrypting File System (EFS) (continued)
• The FEK is encrypted with the user's public key and the encrypted FEK is then stored with the file
• EFS is enabled by default
• EFS protects data only while it stays on NTFS: copying a file to FAT media or attaching it to an e-mail writes it decrypted, and the user's private key is itself protected by the Windows logon credentials, so a weak password undermines EFS
• When using Microsoft EFS, the tasks recommended are listed on page 293 of the text
UNIX Pluggable Authentication Modules (PAM)
• When UNIX was originally developed, authenticating a user was accomplished by requesting a password from the user and checking whether the entered password corresponded to the hashed password stored in the user database /etc/passwd (modern systems keep the hashes in /etc/shadow, readable only by root)
• Each new authentication scheme requires all the necessary programs, such as login and ftp, to be rewritten to support it

UNIX Pluggable Authentication Modules (PAM) (continued)
• A solution is to use PAMs
• Provides a way to develop programs that are independent of the authentication scheme; the modules to use for each service are configured in /etc/pam.d, so administrators can add two-factor or centralized authentication without changing the applications

Linux Cryptographic File System (CFS)
• Linux users can add one of several cryptographic systems to encrypt files
• One of the most common is the CFS
• Other Linux cryptographic options are listed on pages 294 and 295 of the text

Summary
• Cryptography seeks to fulfill five key security functions: confidentiality, authentication, integrity, nonrepudiation, and access control
• Hashing, also called a one-way hash, creates a fixed-length digest from plaintext that cannot be reversed
• Symmetric encryption algorithms use a single key to encrypt and decrypt a message
Summary (continued)
• A digital signature, backed by a digital certificate that vouches for the public key, helps to prove that the person sending the message is actually whom they claim to be, that the message was not altered, and that it cannot be denied that the message was sent
• The most widely used asymmetric cryptography system for encrypting e-mail messages on Windows systems is PGP

Chapter 9: Using and Managing Keys
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Explain cryptography strengths and vulnerabilities
• Define public key infrastructure (PKI)
• Manage digital certificates
• Explore key management

Understanding Cryptography Strengths and Vulnerabilities
• Cryptography is the science of "scrambling" data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
• When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext
Symmetric Cryptography Strengths and Weaknesses
• Identical keys are used to both encrypt and decrypt the message
• Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish
• Disadvantages of symmetric encryption relate to the difficulties of managing the private key: it must be delivered secretly to every party, and each pair of communicating parties needs its own key

Asymmetric Cryptography Strengths and Vulnerabilities
• With asymmetric encryption, two keys are used instead of one
– The recipient's public key encrypts the message
– Only the recipient's private key decrypts it
– The sender's private key signs a message, and the sender's public key verifies the signature

Asymmetric Cryptography Strengths and Vulnerabilities (continued)
• Asymmetric encryption allows you to use either the public or private key to transform a message; the receiver uses the other key to reverse it (public key for confidentiality, private key for signatures)
• Public keys can be distributed freely
• Users cannot deny they have sent a message if they have previously signed the message with their private keys
• Primary disadvantage is that it is computing-intensive, which is why it is normally used only to protect a short symmetric session key or a hash

Digital Signatures
• Can greatly improve cryptography security, convenience, and flexibility
• A digital signature helps to prove that:
– The person sending the message with a public key is who they claim to be
– The message was not altered
– It cannot be denied the message was sent
Digital Certificates
• Digital documents that associate an individual (or a server or organization) with its specific public key
• Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party

Certification Authority (CA)
• The owner of the public key listed in the digital certificate can be identified to the CA in different ways
– By their e-mail address
– By additional information that describes the digital certificate and limits the scope of its use
• Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users; the Online Certificate Status Protocol (OCSP) answers the same question for a single certificate on demand
• A certificate that passes the signature and validity-date checks but is not checked against the CRL (or OCSP) will still be accepted after its key has been compromised

Certification Authority (CA) (continued)
• The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes
• Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)
• Some organizations set up a Registration Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users

Understanding Public Key Infrastructure (PKI)
• The central weakness of asymmetric cryptography on its own, that nothing binds a public key to the identity of its owner, led to the development of PKI
• A CA is an important trusted party who can sign and issue certificates for users
• Some of its tasks can also be performed by a subordinate function, the RA
• Updated certificates and CRLs are kept in a CR for users to refer to
Description of PKI
• Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs
• For a typical enterprise:
– Provides end-user enrollment software
– Integrates corporate certificate directories
– Manages, renews, and revokes certificates
– Provides related network services and security
• Typically consists of one or more CA servers and digital certificates that automate several tasks

PKI Standards and Protocols
• A number of standards have been proposed for PKI
– Public Key Cryptography Standards (PKCS)
– X.509 certificate standards

Public Key Cryptography Standards (PKCS)
• Numbered set of standards that have been defined by RSA Laboratories since 1991
• Composed of 15 standards detailed on pages 318 and 319 of the text; the ones practitioners meet most often are PKCS #1 (RSA encryption and signature formats), PKCS #7 (signed and enveloped messages, the basis of CMS), PKCS #10 (certificate signing requests), and PKCS #12 (password-protected bundles of a private key and its certificates)
X.509 Digital Certificates
• X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
• Most widely used certificate format for PKI
• X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Each certificate carries a version, serial number, signature algorithm, issuer name, validity period, subject name, subject public key, and (in version 3) extensions such as key usage and subject alternative names

Trust Models
• Refers to the type of relationship that can exist between people or organizations
• In direct trust, a personal relationship exists between two individuals
• Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party
• The three different PKI trust models are based on direct and third-party trust
Trust Models (continued)
• The web of trust model is based on direct trust
• Single-point trust model is based on third-party trust
– A CA directly issues and signs certificates
• In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it; a relying party verifies a certificate by walking the chain of signatures up to a root it already trusts

Managing Digital Certificates
• After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
• CA certificates are issued by a CA directly to individuals
• Typically used to secure e-mail transmissions through S/MIME and SSL/TLS
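A hierarchical trust model with CRL checking, as an added example (not from the text) that covers the CA and CRL slides and the trust-model slide above: a root CA signs an intermediate CA, the intermediate signs a server certificate, and the relying party validates the chain up to a root it already trusts, rejecting bad signatures, expired certificates, revoked serials and unknown roots. Certificate fields, names and dates are constructed, and the keys are hand-checked toy RSA numbers (moduli of four or five digits) chosen so the arithmetic is visible; real certificates are X.509 with 2048-bit or larger keys.

```python
"""Hierarchical trust: root CA -> intermediate CA -> server certificate, with CRL checking
(constructed example, not from the text). Toy RSA keys; not for real use."""
import hashlib
from dataclasses import dataclass

# Toy RSA keys (n, e, d), hand-checked so that e*d == 1 mod (p-1)(q-1).
ROOT_KEY = (3233, 17, 2753)      # p=61,  q=53
INTER_KEY = (11413, 3, 7467)     # p=101, q=113
LEAF_KEY = (8633, 5, 5069)       # p=89,  q=97


def _digest(data: bytes, n: int) -> int:
    """Hash the to-be-signed bytes and reduce into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass
class Certificate:
    subject: str
    issuer: str
    public_key: tuple            # (n, e)
    not_after: int               # validity end, as a day number (constructed)
    serial: int
    signature: int = 0

    def tbs(self) -> bytes:
        """The 'to be signed' fields, serialized the way the issuer signed them."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_after}|{self.serial}".encode()


def issue(subject: str, subject_key: tuple, issuer_cert, issuer_key: tuple,
          not_after: int, serial: int) -> Certificate:
    """The issuer signs the subject's name, public key, validity and serial number.
    issuer_cert=None produces a self-signed (root) certificate."""
    n, _, d = issuer_key
    cert = Certificate(subject=subject,
                       issuer=issuer_cert.subject if issuer_cert else subject,
                       public_key=subject_key[:2], not_after=not_after, serial=serial)
    cert.signature = pow(_digest(cert.tbs(), n), d, n)
    return cert


def signature_valid(cert: Certificate, issuer_public: tuple) -> bool:
    n, e = issuer_public
    return pow(cert.signature, e, n) == _digest(cert.tbs(), n)


def validate_chain(chain: list, trusted_roots: dict, crl: set, today: int) -> tuple:
    """chain = [leaf, intermediate, ..., root]; trusted_roots maps root name -> public key;
    crl is a set of (issuer, serial). Returns (ok, reason)."""
    if not chain or chain[-1].subject not in trusted_roots:
        return False, "root not trusted"
    if chain[-1].public_key != trusted_roots[chain[-1].subject]:
        return False, "root key mismatch"
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer_public = chain[i + 1].public_key
            if cert.issuer != chain[i + 1].subject:
                return False, f"issuer name mismatch on {cert.subject}"
        else:
            issuer_public = trusted_roots[cert.subject]          # self-signed root
        if not signature_valid(cert, issuer_public):
            return False, f"bad signature on {cert.subject}"
        if today > cert.not_after:
            return False, f"{cert.subject} expired"
        if (cert.issuer, cert.serial) in crl:
            return False, f"{cert.subject} revoked"
    return True, "ok"


def build_example() -> tuple:
    """Constructed PKI: one root, one issuing CA, one server certificate."""
    root = issue("Example Root CA", ROOT_KEY, None, ROOT_KEY, not_after=5000, serial=1)
    inter = issue("Example Issuing CA", INTER_KEY, root, ROOT_KEY, not_after=3000, serial=2)
    leaf = issue("www.example.test", LEAF_KEY, inter, INTER_KEY, not_after=1500, serial=3)
    trusted = {root.subject: root.public_key}
    return root, inter, leaf, trusted
```

The relying party never needs the private keys: it holds only the root's public key in its trust store, and everything else comes from the chain presented to it. Note the order of checks: a revoked certificate still has a valid signature, which is exactly why the CRL lookup is a separate step that clients must not skip.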

Managing Digital Certificates (continued)
• Server certificates are issued to a Web server, FTP server, or mail server so that clients can authenticate the server and establish an encrypted session
• Software publisher certificates are used by software publishers to sign their programs; a valid signature shows who published the code and that it has not been modified since signing, not that the program is free of vulnerabilities
Certificate Policy (CP)
• Published set of rules that govern the operation of a PKI
• Begins with an opening statement outlining its scope
• Should cover at a minimum the topics listed on page 325 of the text

Certificate Practice Statement (CPS)
• More technical document compared to a CP
• Describes in detail how the CA uses and manages certificates
• Covers topics such as those listed on pages 325 and 326 of the text (RFC 3647 defines the standard outline for both documents)

Certificate Life Cycle
• Typically divided into four parts:
– Creation
– Revocation
– Expiration
– Suspension

Exploring Key Management
• Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed
Centralized and Decentralized Management
• Key management can either be centralized or decentralized
• An example of a decentralized key management system is the PKI web of trust model
• Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA

Key Storage
• It is possible to store public keys by embedding them within digital certificates
• This is a form of software-based storage and doesn't involve any cryptography hardware
• Another form of software-based storage involves storing private keys on the user's local computer

Key Storage (continued)
• Storing keys in hardware (a smart card, USB token, TPM, or hardware security module) is an alternative to software-based keys; the private key is generated inside the device and cannot be exported, so malware on the host can use it only while the device is present
• Whether private keys are stored in hardware or software, it is important that they be adequately protected

Key Usage
• If you desire more security than a single pair of public and private keys can offer, you can choose to use multiple key pairs, one per purpose
• One pair of keys may be used to encrypt information, and its private key is backed up (escrowed) so that encrypted data can still be recovered if the user's copy is lost
• The second pair would be used only for digital signatures, and the private key in that pair would never be backed up, so that no one but the owner could ever have produced a signature
Key Handling Procedures
• Certain procedures can help ensure that keys are properly handled:
– Escrow
– Renewal
– Recovery
– Destruction
– Expiration
– Revocation
– Suspension

Summary
• One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement
• A digital signature solves the problem of authenticating the sender when using asymmetric cryptography
• With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications

Summary (continued)
• PKCS is a numbered set of standards that have been defined by RSA Laboratories since 1991
• The three PKI trust models are based on direct and third-party trust
• Digital certificates are managed through CPs and CPSs

Chapter 10: Operational Security
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
• Harden physical security with access controls
• Minimize social engineering
• Secure the physical environment
• Define business continuity
• Plan for disaster recovery

Hardening Physical Security with Access Controls
• Adequate physical security is one of the first lines of defense against attacks
• Protects equipment and the infrastructure itself
• Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize it

Hardening Physical Security with Access Controls (continued)
• Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file
• Access control also refers to restricting physical access to computers or network devices; an attacker with physical access can usually bypass operating-system controls by booting from removable media or removing the disk

Controlling Access with Physical Barriers
• Most servers are rack-mounted servers
• A rack-mounted server is 1.75 inches (4.45 cm) tall and can be stacked with up to 50 other servers in a closely confined area
• Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard

Controlling Access with Physical Barriers (continued)
• In addition to securing a device itself, you should also secure the room containing the device
• Two basic types of door locks require a key:
– A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside
– A deadbolt lock extends a solid metal bar into the door frame for extra security
• To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text

Controlling Access with Physical Barriers (continued)
• Cipher locks are combination locks that use buttons you push in the proper sequence to open the door
• Can be programmed to allow only the code of certain people to be valid on specific dates and times
• Basic models can cost several hundred dollars each while advanced models can run much higher
• Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing); worn or dirty buttons also reveal which digits are in use
Controlling Access with Physical Barriers (continued)
• Other physical vulnerabilities should be addressed, including:
– Suspended ceilings
– HVAC ducts
– Exposed door hinges
– Insufficient lighting
– Dead-end corridors

Controlling Access with Biometrics
• Biometrics uses a person's unique characteristics to authenticate that person
• Some human characteristics used for identification include fingerprint, face, hand, iris, retina, and voice
• Many high-end biometric scanners are expensive, can be difficult to use, and can produce false positives (accepting unauthorized users, the false acceptance rate) or false negatives (rejecting authorized users, the false rejection rate); tuning the sensitivity trades one for the other, and the point where the two rates are equal is the crossover error rate used to compare systems

Minimizing Social Engineering
• The best defenses against social engineering are a strong security policy along with adequate training
• An organization must establish clear and direct policies regarding what information can be given out and under what circumstances

Securing the Physical Environment
• Take steps to secure the environment itself to reduce the risk of attacks:
– Limiting the range of wireless data signals
– Shielding wired signals
– Controlling the environment
– Suppressing the risk of fires
Limiting Wireless Signal Range
• Use the following techniques to limit the wireless signal range:
– Relocate the access point
– Substitute 802.11a for 802.11b (5 GHz signals are attenuated more by walls than 2.4 GHz signals)
– Add a directional antenna
– Reduce power
– Cover the device
– Modify the building

Shielding a Wired Signal
• The insulation and shielding that covers a copper cable does not always prevent a signal from leaking out or having an even stronger signal affect the data transmission on the cable
• This interference (noise) can be of several types
• Radio frequency interference (RFI) refers to interference caused by broadcast signals from a radio frequency (RF) transmitter, such as a commercial radio or television transmitter

Shielding a Wired Signal (continued)
• Electromagnetic interference (EMI) may be caused by a variety of sources
– A motor or another source of intense electrical activity can create an electromagnetic signal that interferes with a data signal
– EMI can also be caused by cellular telephones, citizens’ band and police radios, small office or household appliances, fluorescent lights, or loose electrical connections

Shielding a Wired Signal (continued)
• The source of near end crosstalk (NEXT) interference is usually another data signal being transmitted
• Loss of signal strength is known as attenuation
• Two types of defenses are commonly referenced for shielding a signal:
– Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)
– Faraday cage

Shielding a Wired Signal (continued)
• TEMPEST
– Classified standard developed by the US government to prevent attackers from picking up stray RFI and EMI signals from government buildings
• Faraday cage
– Metallic enclosure that prevents the entry or escape of an electromagnetic field
– Consists of a fine-mesh copper screening directly connected to an earth ground

Reducing the Risk of Fires
• In order for a fire to occur, four entities must be present at the same time:
– Sufficient oxygen to sustain the combustion
– Enough heat to raise the material to its ignition temperature
– Some type of fuel or combustible material
– A chemical reaction that is the fire itself

Reducing the Risk of Fires (continued)
• Refer to page 355 for the types of fires, their fuel source, how they can be extinguished, and the types of handheld fire extinguishers that should be used
• Stationary fire suppression systems that integrate into the building’s infrastructure and release a suppressant in the entire room are used

Reducing the Risk of Fires (continued)
• Systems can be classified as:
– Water sprinkler systems that spray the room with pressurized water
– Dry chemical systems that disperse a fine, dry powder over the fire
– Clean agent systems that do not harm people, documents, or electrical equipment in the room

Understanding Business Continuity
• Process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize
• Business continuity management is concerned with developing a business continuity plan (BCP) addressing how the organization can continue in the event that risks materialize

Understanding Business Continuity (continued)
• The basic steps in creating a BCP:
– Understand the business
– Formulate continuity strategies
– Develop a response
– Test the plan

Maintaining Utilities
• Disruption of utilities should be of primary concern for all organizations
• The primary utility that a BCP should address is electrical service
• An uninterruptible power supply (UPS) is an external device located between an outlet for electrical power and another device
– Primary purpose is to continue to supply power if the electrical power fails

Maintaining Utilities (continued)
• A UPS can complete the following tasks:
– Send a special message to the network administrator’s computer, or page or telephone the network manager to indicate that the power has failed
– Notify all users that they must finish their work immediately and log off
– Prevent any new users from logging on
– Disconnect users and shut down the server

Establishing High Availability through Fault Tolerance
• The ability to endure failures (fault tolerance) can keep systems available to an organization
• Prevents a single problem from escalating into a total disaster
• Can best be achieved by maintaining redundancy
• Fault-tolerant server hard drives are based on a standard known as Redundant Array of Independent Drives (RAID)

Creating and Maintaining Backups
• Data backups are an essential element in any BCP
• Backup software can internally designate which files have already been backed up by setting an archive bit in the properties of the file
• Four basic types of backups:
– Full backup
– Differential backup
– Incremental backup
– Copy backup

Creating and Maintaining Backups (continued)
• Develop a strategy for performing backups to make sure you are storing the data your organization needs
• A grandfather-father-son backup system divides backups into three sets:
– A daily backup (son)
– A weekly backup (father)
– A monthly backup (grandfather)

Creating and Maintaining Backups (continued)

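The archive-bit behaviour of the four backup types and the grandfather-father-son rotation, as an added example that is not part of the Security+ slides. The archive-bit semantics are the standard ones (full and incremental clear the bit, differential and copy do not); the Friday-based rotation, the file names and the week of activity are constructed assumptions for this example.

```python
from datetime import date, timedelta

# Archive-bit semantics of the four backup types (standard behaviour, assumed here;
# the slide itself only names the types):
#   all_files  - back up every file, or only files whose archive bit is set
#   clears_bit - whether the backup clears the archive bit afterwards
BACKUP_TYPES = {
    "full":         {"all_files": True,  "clears_bit": True},
    "differential": {"all_files": False, "clears_bit": False},
    "incremental":  {"all_files": False, "clears_bit": True},
    "copy":         {"all_files": True,  "clears_bit": False},
}


class FileSystem:
    """Minimal constructed file system: only tracks each file's archive bit."""

    def __init__(self):
        self.archive_bit = {}  # path -> True when changed since the last clearing backup

    def write(self, path):
        # Any write sets the archive bit, marking the file as needing backup
        self.archive_bit[path] = True

    def backup(self, kind):
        """Run a backup of the given kind; return the sorted list of files it captured."""
        spec = BACKUP_TYPES[kind]
        captured = sorted(p for p, bit in self.archive_bit.items()
                          if spec["all_files"] or bit)
        if spec["clears_bit"]:
            for p in captured:
                self.archive_bit[p] = False
        return captured


def restore_set(history):
    """Return the indexes into history (a chronological list of backup kinds) that
    must be restored, in order, to rebuild the latest state: the last full backup,
    every incremental after it, and the last differential only if no incremental
    came after that differential (an incremental supersedes earlier differentials).
    Copy backups are ignored because they never clear the archive bit."""
    last_full = max(i for i, kind in enumerate(history) if kind == "full")
    needed = [last_full]
    pending_differential = None
    for i in range(last_full + 1, len(history)):
        if history[i] == "incremental":
            needed.append(i)
            pending_differential = None
        elif history[i] == "differential":
            pending_differential = i
    if pending_differential is not None:
        needed.append(pending_differential)
    return needed


def gfs_label(day):
    """Grandfather-father-son rotation as assumed here: the last Friday of the month is
    the monthly (grandfather) set, other Fridays the weekly (father) set, Monday to
    Thursday the daily (son) set, and no backup runs at the weekend (returns None)."""
    if day.weekday() > 4:           # Saturday or Sunday
        return None
    if day.weekday() == 4:          # Friday
        if (day + timedelta(days=7)).month != day.month:
            return "grandfather"    # last Friday of the month
        return "father"
    return "son"


def demo():
    """Constructed week of activity; returns (history, files captured, restore set)."""
    fs = FileSystem()
    for path in ("payroll.xlsx", "hr.db", "policy.docx"):
        fs.write(path)
    history, captured = [], []

    def run(kind):
        history.append(kind)
        captured.append(fs.backup(kind))

    run("full")                       # captures all three files, clears all bits
    fs.write("payroll.xlsx")
    run("incremental")                # captures payroll.xlsx only, clears it
    fs.write("hr.db")
    run("differential")               # captures hr.db, leaves its bit set
    fs.write("policy.docx")
    run("incremental")                # captures hr.db and policy.docx
    return history, captured, restore_set(history)


if __name__ == "__main__":
    hist, caps, needed = demo()
    for i, (kind, files) in enumerate(zip(hist, caps)):
        print(i, kind, files)
    print("restore in order:", [hist[i] for i in needed])
    print(date(2024, 5, 31), gfs_label(date(2024, 5, 31)))
```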
Creating and Maintaining Backups (continued)

Planning for Disaster Recovery
• Business continuity is concerned with addressing anything that could affect the continuation of service
• Disaster recovery is more narrowly focused on recovering from major disasters that could cease operations for an extended period of time
• Preparing for disaster recovery always involves having a plan in place

Creating a Disaster Recovery Plan (DRP)
• A DRP is different from a business continuity plan
• Typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning
• Should be a detailed document that is updated regularly
• All DRPs are different, but they should address the common features shown in the outline on pages 367 and 368 of the text

Identifying Secure Recovery
• Major disasters may require that the organization temporarily move to another location
• Three basic types of alternate sites are used during or directly after a disaster:
– Hot site
– Cold site
– Warm site

Identifying Secure Recovery (continued)
• A hot site is generally run by a commercial disaster recovery service that allows a business to continue computer and network operations to maintain business continuity
• A cold site provides office space, but the customer must provide and install all equipment needed to continue operations
• A warm site has all equipment installed but does not have active Internet or telecommunications facilities

Protecting Backups
• Data backups must be protected from theft and normal environmental elements
• Tape backups should be protected against strong magnetic fields, which can destroy a tape
• Be sure backup tapes are located in a secure environment that is adequately protected

Summary
• Adequate physical security is one of the first lines of defense against attacks
• Physical security involves restricting with access controls, minimizing social engineering attacks, and securing the environment and infrastructure
• Business continuity is the process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize

Summary (continued)
• Disaster recovery is focused on recovering from major disasters that could potentially cause the organization to cease operations for an extended period of time
• A DRP typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning

Chapter 11: Policies and Procedures
Security+ Guide to Network Security Fundamentals
Second Edition

Objectives
• Define the security policy cycle
• Explain risk identification
• Design a security policy
• Define types of security policies
• Define compliance monitoring and evaluation

Understanding the Security Policy Cycle
• First part of the cycle is risk identification
• Risk identification seeks to determine the risks that an organization faces against its information assets
• That information becomes the basis of developing a security policy
• A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure

Understanding the Security Policy Cycle (continued)

Reviewing Risk Identification
• First step in the security policy cycle is to identify risks
• Involves four steps:
– Inventory the assets
– Determine what threats exist against the assets and by which threat agents
– Investigate whether vulnerabilities exist that can be exploited
– Decide what to do about the risks

Reviewing Risk Identification (continued)

Asset Identification
• An asset is any item with a positive economic value
• Many types of assets, classified as follows:
– Physical assets
– Data
– Software
– Hardware
– Personnel
• Along with the assets, attributes of the assets need to be compiled

Asset Identification (continued)
• After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value
• Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text

Threat Identification
• A threat is not limited to those from attackers, but also includes acts of God, such as fire or severe weather
• Threat modeling constructs scenarios of the types of threats that assets can face
• The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur

Threat Identification (continued)
• A valuable tool used in threat modeling is the construction of an attack tree
• An attack tree provides a visual image of the attacks that may occur against an asset

Threat Identification (continued)

Vulnerability Appraisal
• After assets have been inventoried and prioritized and the threats have been explored, the next question becomes: what current security weaknesses may expose the assets to these threats?
• Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands

Vulnerability Appraisal (continued)
• To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners
• These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity

Risk Assessment
• Final step in identifying risks is to perform a risk assessment
• Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization
• Each vulnerability can be ranked by the scale
• Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability

Risk Assessment (continued)
• Formulas commonly used to calculate expected losses are:
– Single Loss Expectancy
– Annualized Loss Expectancy
• An organization has three options when confronted with a risk:
– Accept the risk
– Diminish the risk
– Transfer the risk

Risk Assessment (continued)

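The two loss-expectancy formulas carried through for one asset and then used to compare the three responses the slide lists, as an added example that is not part of the Security+ slides. It uses the standard definitions (SLE = asset value × exposure factor; ALE = SLE × annualized rate of occurrence); the dollar figures, control cost and insurance terms are constructed assumptions.

```python
# Loss-expectancy calculations for the two formulas the slide names, plus a comparison
# of accepting, diminishing or transferring a risk. All numbers are constructed.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: the cost of one occurrence. exposure_factor is the fraction (0..1) of the
    asset's value lost in a single incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, annual_rate_of_occurrence):
    """ALE: expected loss per year. ARO is the expected number of incidents per year
    (0.1 means once every ten years)."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("ARO cannot be negative")
    return sle * annual_rate_of_occurrence


def compare_responses(asset_value, exposure_factor, aro,
                      control_annual_cost, aro_with_control,
                      transfer_annual_premium, residual_ale_when_transferred):
    """Annual expected cost of each of the three options the slide lists:
    accept   - carry the full ALE and spend nothing
    diminish - pay for a control that lowers the ARO, plus the ALE that remains
    transfer - pay a premium (e.g. insurance) plus whatever loss stays with you
    Returns (costs dict, cheapest option). Ties go to the option listed first."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    costs = {
        "accept": annualized_loss_expectancy(sle, aro),
        "diminish": control_annual_cost + annualized_loss_expectancy(sle, aro_with_control),
        "transfer": transfer_annual_premium + residual_ale_when_transferred,
    }
    order = ["accept", "diminish", "transfer"]
    best = min(order, key=lambda k: (costs[k], order.index(k)))
    return costs, best


def example():
    """Constructed case: a $200,000 server whose compromise destroys 25% of its value,
    expected once every two years (ARO 0.5). A control costing $8,000 a year would
    cut the ARO to 0.1; insurance costs $15,000 a year and leaves $2,000 uncovered."""
    return compare_responses(
        asset_value=200_000, exposure_factor=0.25, aro=0.5,
        control_annual_cost=8_000, aro_with_control=0.1,
        transfer_annual_premium=15_000, residual_ale_when_transferred=2_000)


if __name__ == "__main__":
    costs, best = example()
    for option, cost in costs.items():
        print(f"{option:9s} ${cost:,.0f} per year")
    print("cheapest response:", best)
```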
Designing the Security Policy
• Designing a security policy is the logical next step in the security policy cycle
• After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks

What Is a Security Policy?
• A policy is a document that outlines specific requirements or rules that must be met
– Has the characteristics listed on page 393 of the text
– Correct vehicle for an organization to use when establishing information security
• A standard is a collection of requirements specific to the system or procedure that must be met by everyone
• A guideline is a collection of suggestions that should be implemented

Balancing Control and Trust
• To create an effective security policy, two elements must be carefully balanced: trust and control
• Three models of trust:
– Trust everyone all of the time
– Trust no one at any time
– Trust some people some of the time

Designing a Policy
• When designing a security policy, you can consider a standard set of principles
• These can be divided into what a policy must do and what a policy should do

Designing a Policy (continued)
• Security policy design should be the work of a team and not one or two technicians
• The team should have these representatives:
– Senior level administrator
– Member of management who can enforce the policy
– Member of the legal staff
– Representative from the user community

Designing a Policy (continued)

Elements of a Security Policy
• Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents
• The three most common elements:
– Due care
– Separation of duties
– Need to know

Elements of a Security Policy (continued)

Due Care
• Term used frequently in legal and business settings
• Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them

Separation of Duties
• Key element in internal controls
• Means that one person’s work serves as a complementary check on another person’s
• No one person should have complete control over any action from initialization to completion

Need to Know
• One of the best methods to keep information confidential is to restrict who has access to that information
• Only the employee whose job function depends on knowing the information is provided access

Types of Security Policies
• Umbrella term for all of the subpolicies included within it
• In this section, you examine some common security policies:
– Acceptable use policy
– Human resource policy
– Password management policy
– Privacy policy
– Disposal and destruction policy
– Service-level agreement

Types of Security Policies (continued)

Types of Security Policies (continued)

Types of Security Policies (continued)

Acceptable Use Policy (AUP)
• Defines what actions users of a system may perform while using computing and networking equipment
• Should have an overview regarding what is covered by this policy
• Unacceptable use should also be outlined

Human Resource Policy
• Policies of the organization that address human resources
• Should include statements regarding how an employee’s information technology resources will be addressed

Password Management Policy
• Although passwords often form the weakest link in information security, they are still the most widely used
• A password management policy should clearly address how passwords are managed
• In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords

Privacy Policy
• Privacy is of growing concern among today’s consumers
• Organizations should have a privacy policy that outlines how the organization uses information it collects

Disposal and Destruction Policy
• A disposal and destruction policy that addresses the disposing of resources is considered essential
• The policy should cover how long records and data will be retained
• It should also cover how to dispose of them

Service-Level Agreement (SLA) Policy
• Contract between a vendor and an organization for services
• Typically contains the items listed on page 403

Understanding Compliance Monitoring and Evaluation
• The final process in the security policy cycle is compliance monitoring and evaluation
• Some of the most valuable analysis occurs when an attack penetrates the security defenses
• A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its recurrence

Incidence Response Policy
• Outlines actions to be performed when a security breach occurs
• Most policies outline the composition of an incidence response team (IRT)
• Should be composed of individuals from:
– Senior management
– IT personnel
– Corporate counsel
– Human resources
– Public relations

Incidence Response Policy (continued)

Ethics Policy
• Codes of ethics by external agencies have encouraged their membership to adhere to strict ethical behavior within their profession
• Codes of ethics for IT professionals are available from the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), among others
• Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to

Summary
• The security policy cycle defines the overall process for developing a security policy
• There are four steps in risk identification:
– Inventory the assets and their attributes
– Determine what threats exist against the assets and by which threat agents
– Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure
– Make decisions regarding what to do about the risks

Summary (continued)
• A security policy development team should be formed to create the information security policy
• An incidence response policy outlines actions to be performed when a security breach occurs
• A policy addressing ethics can also be formulated by an organization

Chapter 12: Security Management
Security+ Guide to Network Security Fundamentals
Second Edition

Objectives
• Define identity management
• Harden systems through privilege management
• Plan for change management
• Define digital rights management
• Acquire effective training and education

Understanding Identity Management
• Identity management attempts to address problems and security vulnerabilities associated with users identifying and authenticating themselves across multiple accounts
• Solution may be found in identity management
– A user’s single authenticated ID is shared across multiple networks or online businesses

Understanding Identity Management (continued)
• Four key elements:
– Single sign-on (SSO)
– Password synchronization
– Password resets
– Access management

Understanding Identity Management (continued)

Understanding Identity Management (continued)
• SSO allows a user to log on one time to a network or system and access multiple applications and systems based on that single password
• Password synchronization also permits a user to use a single password to log on to multiple servers
– Instead of keeping a repository of user credentials, password synchronization ensures the password is the same for every application to which a user logs on

Understanding Identity Management (continued)
• Password resets reduce costs associated with password-related help desk calls
– Identity management systems let users reset their own passwords and unlock their accounts without relying on the help desk
• Access management software controls who can access the network while managing the content and business that users can perform while online

Hardening Systems Through Privilege Management
• Privilege management attempts to simplify assigning and revoking access control (privileges) to users

Responsibility
• Responsibility can be centralized or decentralized
• Consider a chain of fast-food restaurants
– Each location could have complete autonomy: it can decide whom to hire, when to open, how much to pay employees, and what brand of condiments to use
– This decentralized approach has several advantages, including flexibility
– A national headquarters tells each restaurant exactly what to sell, what time to close, and what uniforms to wear (centralized approach)

Responsibility (continued)
• Responsibility for privilege management can likewise be either centralized or decentralized
• In a centralized structure, one unit is responsible for all aspects of assigning or revoking privileges
• A decentralized organizational structure delegates authority for assigning or revoking privileges to smaller units, such as empowering each location to hire a network administrator to manage privileges

Assigning Privileges
• Privileges can be assigned by:
– The user
– The group to which the user belongs
– The role that the user assumes in the organization

User Privileges
• If privileges are assigned by user, the needs of each user should be closely examined to determine what privileges they need over which objects
• When assigning privileges on this basis, the best approach is to have a baseline security template that applies to all users and then modify it as necessary

Group Privileges
• Instead of assigning privileges to each user, a group can be created and privileges assigned to the group
• As users are added to the group, they inherit those privileges

Role Privileges
• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
• The users inherit all permissions for the role

Auditing Privileges
• You should regularly audit the privileges that have been assigned
• Without auditing, it is impossible to know if users have been given too many unnecessary privileges and are creating security vulnerabilities

Usage Audit
• Process of reviewing activities a user has performed on the system or network
• Provides a detailed history of every action, the date and time, the name of the user, and other information

Usage Audits (continued)

Privilege Audit
• Reviews privileges that have been assigned to a specific user, group, or role
• Begins by developing a list of the expected privileges of a user

Escalation Audits
• Reviews of usage audits to determine if privileges have unexpectedly escalated
• Privilege escalation attack: an attacker attempts to escalate her privileges without permission
• Certain programs on Mac OS X use a special area in memory called an environment variable to determine where to write certain information

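A privilege audit (assigned privileges compared with the expected list) and an escalation audit (usage-audit events outside those expectations), as an added example that is not part of the Security+ slides. The role names, privilege strings, user directory and log format are all constructed assumptions for this example.

```python
# Privilege audit and escalation audit over constructed data: expected privileges per
# role, the privileges actually assigned to each user, and a usage-audit log.
from collections import namedtuple

# Expected privileges per role (constructed for this example)
ROLE_PRIVILEGES = {
    "analyst": {"read:reports", "read:logs"},
    "dba":     {"read:db", "write:db", "backup:db"},
    "admin":   {"read:logs", "write:config", "manage:users"},
}


def expected_privileges(roles):
    """Union of the privileges every listed role is expected to have."""
    return set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in roles))


def privilege_audit(users):
    """Privilege audit: compare what each user has been assigned with what the user's
    roles say they should have. users maps name -> {"roles": [...], "assigned": {...}}.
    Returns name -> set of assigned privileges that exceed the expectation."""
    findings = {}
    for name, info in users.items():
        extra = set(info["assigned"]) - expected_privileges(info["roles"])
        if extra:
            findings[name] = extra
    return findings


AuditEvent = namedtuple("AuditEvent", "timestamp user action")


def parse_usage_log(lines):
    """Parse the constructed usage-audit format
    '<timestamp> user=<name> action=<verb:object>'. Malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if (len(parts) != 3 or not parts[1].startswith("user=")
                or not parts[2].startswith("action=")):
            continue
        events.append(AuditEvent(parts[0], parts[1][len("user="):],
                                 parts[2][len("action="):]))
    return events


def escalation_audit(users, events):
    """Escalation audit: review usage events and return those in which a user performed
    an action outside the privileges expected for their roles. Users missing from the
    directory have no expected privileges, so all of their actions are reported."""
    flagged = []
    for ev in events:
        roles = users.get(ev.user, {}).get("roles", [])
        if ev.action not in expected_privileges(roles):
            flagged.append(ev)
    return flagged


# Constructed directory and usage log for the demo
USERS = {
    "alice": {"roles": ["analyst"], "assigned": {"read:reports", "read:logs"}},
    "bob":   {"roles": ["dba"], "assigned": {"read:db", "write:db", "backup:db", "manage:users"}},
    "carol": {"roles": ["admin"], "assigned": {"read:logs", "write:config", "manage:users"}},
}

USAGE_LOG = [
    "2006-03-01T09:02:11 user=alice action=read:reports",
    "2006-03-01T09:15:40 user=bob action=backup:db",
    "2006-03-01T10:01:05 user=bob action=manage:users",   # outside the dba role
    "2006-03-01T10:30:00 user=carol action=write:config",
    "2006-03-01T11:47:19 user=mallory action=read:db",    # not in the directory
    "garbage line that does not parse",
]


def run_audits():
    """Return (privilege audit findings, escalation audit findings) for the demo data."""
    events = parse_usage_log(USAGE_LOG)
    return privilege_audit(USERS), escalation_audit(USERS, events)


if __name__ == "__main__":
    priv, esc = run_audits()
    for name, extra in priv.items():
        print(f"privilege audit: {name} holds unexpected {sorted(extra)}")
    for ev in esc:
        print(f"escalation audit: {ev.timestamp} {ev.user} performed {ev.action}")
```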

Planning for Change Management
• Change management refers to a methodology for making changes and keeping track of those changes
• Change management involves identifying changes that should be documented and then making that documentation

Change Management Procedures
• Because changes can affect all users, and uncoordinated changes can result in unscheduled service interruptions, many organizations create a Change Management Team (CMT) to supervise the changes
• Duties of the CMT include those listed on page 427

Change Management Procedures (continued)
• Process normally begins with a user or manager completing a Change Request form
• Although these forms vary widely, they usually include the information shown on pages 427 and 428 of the text

Changes That Should Be Documented
• Although change management involves all types of changes to information systems, two major types of security changes need to be properly documented
• First, any change in system architecture, such as new servers, routers, or other equipment being introduced into the network

Changes That Should Be Documented (continued)
• Other changes that affect the security of the organization should also be documented:
– Changes in user privileges
– Changes in the configuration of a network device
– Deactivation of network devices
– Changes in client computer configurations
– Changes in security personnel

Documenting Changes
• Decisions must be made regarding how long the documentation should be retained after it is updated
• Some security professionals recommend all documentation be kept for at least three years after any changes are made
• At the end of that time, documentation should be securely shredded or disposed of so that it cannot be reproduced

Understanding Digital Rights Management (DRM)
• Most organizations go to great lengths to establish a security perimeter around a network or system to prevent attackers from accessing information
• Information security can also be enhanced by building a security fence around the information itself
• Goal of DRM is to provide another layer of security: an attacker who can break into a network still faces another hurdle in trying to access the information itself

Content Providers
• Data theft is usually associated with stealing an electronic document from a company or credit card information from a consumer
• Another type of electronic thievery is illegal electronic duplication and distribution of intellectual property, which includes books, music, plays, paintings, and photographs
– Considered theft because it deprives the creator or owner of the property of compensation for their work (known as royalties)

Enterprise Document Protection
• Protecting documents through DRM can be accomplished at one of two levels
• First level is file-based DRM; focuses on protecting the content of a single file
– Most document-creation software now allows a user to determine the rights that the reader of the document may have
– Restrictions can be contained in metadata (information about a document)

Enterprise Document Protection (continued)
• Server-based DRM is a more comprehensive approach
– Server-based products can be integrated with Lightweight Directory Access Protocol (LDAP) for authentication and can provide access to groups of users based on their privileges

Enterprise Document Protection (continued)

Acquiring Effective Training and Education
• Organizations should provide education and training at set times and on an ad hoc basis
• Opportunities for security education and training:
– New employee is hired
– Employee is promoted or given new responsibilities
– New user software is installed
– User hardware is upgraded
– Aftermath of an infection by a worm or virus
– Annual department retreats

How Learners Learn
• Learning involves communication: a person or material developed by a person is communicated to a receiver
• In the United States, generation traits influence how people learn
• Also understand that the way you were taught may not be the best way to teach others

How Learners Learn (continued)

How Learners Learn (continued)
• Most individuals were taught using a pedagogical approach
• Adult learners prefer an andragogical approach

How Learners Learn (continued)

Available Resources
• Seminars and workshops are a good means of learning the latest technologies and networking with other security professionals in the area
• Print media is another resource for learning content
• The Internet contains a wealth of information that can be used on a daily basis to keep informed about new attacks and trends

Summary
• Identity management provides a framework in which a single authenticated ID is shared across multiple networks or online businesses
• Privilege management attempts to simplify assigning and revoking access control to users
• Change management refers to a methodology for making and keeping track of changes


Summary (continued)

• In addition to a security perimeter around a network or system, prevent attackers from accessing information by building a security fence around the information itself
• Education is an essential element of a security infrastructure

Chapter 13: Advanced Security and Beyond

Security+ Guide to Network Security Fundamentals
Second Edition

Objectives

• Define computer forensics
• Respond to a computer forensics incident
• Harden security through new solutions
• List information security jobs and skills

Understanding Computer Forensics

• Computer forensics can attempt to retrieve information—even if it has been altered or erased—that can be used in the pursuit of the criminal
• The interest in computer forensics is heightened:
  – High amount of digital evidence
  – Increased scrutiny by legal profession
  – Higher level of computer skills by criminals

Forensics Opportunities and Challenges

• Computer forensics creates opportunities to uncover evidence impossible to find using a manual process
• One reason that computer forensics specialists have this opportunity is the persistence of evidence
  – Electronic documents are more difficult to dispose of than paper documents

Forensics Opportunities and Challenges (continued)

• Ways computer forensics is different from standard investigations:
  – Volume of electronic evidence
  – Distribution of evidence
  – Dynamic content
  – False leads
  – Encrypted evidence
  – Hidden evidence

Responding to a Computer Forensics Incident

• Generally involves four basic steps similar to those of standard forensics:
  – Secure the crime scene
  – Collect the evidence
  – Establish a chain of custody
  – Examine and preserve the evidence

Securing the Crime Scene

• Physical surroundings of the computer should be clearly documented
• Photographs of the area should be taken before anything is touched
• Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected
• Team takes custody of the entire computer along with the keyboard and any peripherals

Preserving the Data

• Computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves the data to a secure location
• Includes any data not recorded in a file on the hard drive or an image backup:
  – Contents of RAM
  – Current network connections
  – Logon sessions
  – Network configurations
  – Open files

Preserving the Data (continued)

• After retrieving volatile data, the team focuses on the hard drive
• Mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards
• Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer contents at the crime scene
• Mirror image backups must meet the criteria shown on pages 452 and 453 of the text

Establishing the Chain of Custody

• As soon as the team begins its work, it must start and maintain a strict chain of custody
• Chain of custody documents that evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence

Examining Data for Evidence

• After a computer forensics expert creates a mirror image of the system, the original system should be secured and the mirror image examined to reveal evidence
• All exposed data should be examined for clues
• Hidden clues can be mined and exposed as well
• Microsoft Windows operating systems use the Windows page file as a “scratch pad” to write data when sufficient RAM is not available
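The slides above describe a bit-stream (mirror image) backup and a chain of custody in words; the Python below is an added example, not part of the textbook or its slides, showing how an image is hash-verified against its source media and how a custody log tied to that hash exposes any later change to the evidence. The media contents, handler names, timestamps and the EV-0001 item id are constructed.

```python
# Added example (not from the textbook): hash-verify a bit-stream image, then log chain of custody keyed to that hash.
import hashlib
import io
from dataclasses import dataclass, field


def sha256_stream(src, chunk_size: int = 1 << 16) -> str:
    """Hash a file-like object in chunks; evidence images rarely fit in RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def acquire_image(media, chunk_size: int = 1 << 16) -> tuple[bytes, str]:
    """Copy media byte-for-byte; the image is evidence grade only if both hashes agree."""
    image = io.BytesIO()
    for block in iter(lambda: media.read(chunk_size), b""):
        image.write(block)
    for stream in (media, image):   # rewind, then hash source and copy independently
        stream.seek(0)
    src_digest, img_digest = sha256_stream(media), sha256_stream(image)
    if src_digest != img_digest:
        raise RuntimeError("image does not match source media")
    return image.getvalue(), img_digest


@dataclass
class CustodyEntry:
    when: str      # timestamp of the hand-over (constructed ISO-8601 strings below)
    handler: str   # person taking possession
    action: str    # acquired / transferred / examined
    sha256: str    # digest of the image as received


@dataclass
class CustodyChain:
    item_id: str
    entries: list = field(default_factory=list)

    def record(self, when: str, handler: str, action: str, image: bytes) -> None:
        self.entries.append(CustodyEntry(when, handler, action, hashlib.sha256(image).hexdigest()))

    def verify(self, image: bytes) -> bool:
        """True only if every recorded hand-over saw exactly this image."""
        now = hashlib.sha256(image).hexdigest()
        return bool(self.entries) and all(e.sha256 == now for e in self.entries)


def demo() -> tuple[bool, bool]:
    image, _ = acquire_image(io.BytesIO(b"\x00" * 512 + b"deleted file remnant " * 40))  # constructed disk
    chain = CustodyChain("EV-0001")
    chain.record("2024-01-05T09:00Z", "A. Examiner", "acquired", image)
    chain.record("2024-01-05T13:30Z", "B. Custodian", "transferred", image)
    return chain.verify(image), chain.verify(image[:-1] + b"!")   # (True, False)
```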

Examining Data for Evidence (continued)

• Slack is another source of hidden data
• Windows computers use two types of slack
• RAM slack: pertains only to the last sector of a file
• If additional sectors are needed to round out the block size for the last cluster assigned to the file, a different type of slack is created
• File slack (sometimes called drive slack): the padding data that Windows uses comes from data already stored on the hard drive
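As an added example (not from the textbook or its slides), the Python below computes where RAM slack and file slack fall in a file's last cluster and carves both regions out of a constructed cluster that still holds a remnant of a deleted file; the 512-byte sector and 4096-byte cluster sizes are assumptions.

```python
# Added example, not from the textbook: locate RAM slack and file slack in the
# last cluster of a file. Geometry is assumed: 512-byte sectors, 8 per cluster.
from dataclasses import dataclass

SECTOR = 512            # assumed sector size in bytes
CLUSTER = 8 * SECTOR    # assumed cluster size (4096 bytes)


@dataclass(frozen=True)
class SlackLayout:
    data_end: int       # offset in the last cluster where file data ends
    ram_slack_end: int  # end of the last sector that holds file data
    cluster_end: int    # end of the cluster

    @property
    def ram_slack(self) -> int:   # bytes between end of data and end of its sector
        return self.ram_slack_end - self.data_end

    @property
    def file_slack(self) -> int:  # whole sectors left over in the cluster
        return self.cluster_end - self.ram_slack_end


def slack_layout(file_size: int) -> SlackLayout:
    """Slack in the last cluster of a file of file_size bytes."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    used = file_size % CLUSTER
    if used == 0:   # file ends exactly on a cluster boundary: no slack at all
        return SlackLayout(CLUSTER, CLUSTER, CLUSTER)
    ram_end = -(-used // SECTOR) * SECTOR   # round up to the next sector boundary
    return SlackLayout(used, ram_end, CLUSTER)


def carve_slack(last_cluster: bytes, file_size: int) -> tuple[bytes, bytes]:
    """Return (ram_slack_bytes, file_slack_bytes) carved from a raw cluster."""
    if len(last_cluster) != CLUSTER:
        raise ValueError("expected exactly one cluster")
    lay = slack_layout(file_size)
    return (last_cluster[lay.data_end:lay.ram_slack_end],
            last_cluster[lay.ram_slack_end:lay.cluster_end])


def sample_cluster() -> bytes:
    """Constructed cluster: 1000 bytes of live data, then a remnant of an
    earlier deleted file still sitting in the sectors the new file never used."""
    cluster = bytearray(CLUSTER)                      # zero-filled
    cluster[:1000] = b"A" * 1000
    cluster[1024:] = b"old deleted text ".ljust(CLUSTER - 1024, b".")
    return bytes(cluster)
```

For the 1000-byte sample, `carve_slack(sample_cluster(), 1000)` yields 24 bytes of RAM slack (offsets 1000 to 1024) and 3072 bytes of file slack beginning with the deleted-file remnant.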


Hardening Security Through New Solutions

• Number of attacks reported, sophistication of attacks, and speed at which they spread continue to grow
• Recent attacks include characteristics listed on pages 457 and 458 of the text
• Defenders are responding to the increase in the level and number of attacks
• New techniques and security devices are helping to defend networks and systems
• The most recent developments and announcements are listed on pages 458 and 459 of the text

Exploring Information Security Jobs and Skills

• Need for information security workers will continue to grow for the foreseeable future
• Information security personnel are in short supply; those in the field are being rewarded well
• Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001
• Companies recognize the high costs associated with weak security and have decided that prevention outweighs cleanup

Exploring Information Security Jobs and Skills (continued)

• Most industry experts agree security certifications continue to be important
• Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses

TCP/IP Protocol Suite

• One of the most important skills is a strong knowledge of the foundation upon which network communications rests, namely Transmission Control Protocol/Internet Protocol (TCP/IP)
• Understanding TCP/IP concepts helps effectively troubleshoot computer network problems and diagnose possible anomalous behavior on a network

Packets

• No matter how clever the attacker is, they still must send their attack to your computer with a packet
• To recognize the abnormal, you must first understand what is normal

Firewalls

• Firewalls are essential tools on all networks and often provide a first layer of defense
• Network security personnel should have a strong background in how firewalls work, how to create access control lists (ACLs) to mirror the organization’s security policy, and how to tweak ACLs to balance security with employee access

Routers

• Routers form the heart of a TCP/IP network
• Configuring routers for both packet transfer and packet filtering can become very involved

Intrusion-Detection Systems (IDS)

• Security professionals should know how to administer and maintain an IDS
• Capabilities of these systems have increased dramatically since they were first introduced, making them mandatory for today’s networks
• One problem is that an IDS can produce an enormous amount of data that requires checking

Other Skills

• A programming background is another helpful tool for security workers
• Security workers should also be familiar with penetration testing
  – Once known as “ethical hacking,” it probes vulnerabilities in systems, networks, and applications

Computer Forensic Skills

• Computer forensic specialists require an additional level of training and skills:
  – Basic forensic examinations
  – Advanced forensic examinations
  – Incident responder skills
  – Managing computer investigations

Summary

• Forensic science is the application of science to questions of interest to the legal profession
• Several unique opportunities give computer forensics the ability to uncover evidence that would be extremely difficult to find using a manual process
• Computer forensics also has a unique set of challenges that are not found in standard evidence gathering, including the volume of electronic evidence, how it is scattered in numerous locations, and its dynamic content

Summary (continued)

• Searching for digital evidence includes looking at “obvious” files and e-mail messages
• Need for information security workers will continue to grow, especially in computer forensics
• Skills needed in these areas include knowledge of TCP/IP, packets, firewalls, routers, IDS, and penetration testing