CompTIA Security+
Second Edition
Diane Barrett, Kalani K. Hausman, and Martin Weiss

CompTIA Security+ Exam Cram, Second Edition
Copyright © 2009 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-3804-2
ISBN-10: 0-7897-3804-x
Library of Congress Cataloging-in-Publication Data
Barrett, Diane.
CompTIA security+ exam cram / Diane Barrett, Kalani K. Hausman, and Martin Weiss. — 2nd ed.
p. cm.
ISBN 978-0-7897-3804-2 (pbk. w/cd)
1. Electronic data processing personnel—Certification. 2. Computer networks—Examinations—Study guides. 3. Computer technicians—Certification—Study guides. I. Hausman, Kalani Kirk. II. Weiss, Martin. III. Title.
QA76.3.B3644 2009
004.6—dc22
2008045337
Printed in the United States of America
Second Printing: February 2009

Associate Publisher: David Dusthimer
Executive Editor: Betsy Brown
Development Editor: Dayna Isley
Technical Editors: Pawan Bhardwaj, Christopher Crayton
Managing Editor: Patrick Kanouse
Project Editor: Seth Kerney
Copy Editor: Keith Cline
Indexer: Joy Dean Lee
Proofreader: Language Logistics, LLC
Publishing Coordinator: Vanessa Evans
Book Designer: Gary Adair
Page Layout: Bronkella Publishing

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Windows is a registered trademark of Microsoft Corporation.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:
U.S. Corporate and Government Sales
1-800-382-3419
corpsales@pearsontechgroup.com
For sales outside of the U.S., please contact:
International Sales
international@pearsoned.com

Contents at a Glance
Introduction
Self-Assessment
Part I: System Security
    Chapter 1: System Threats and Risks ... 27
    Chapter 2: Online Vulnerabilities ... 49
Part II: Infrastructure Security
    Chapter 3: Infrastructure Basics ... 73
    Chapter 4: Infrastructure Security and Controls ... 109
Part III: Access Control
    Chapter 5: Access Control and Authentication Basics ... 141
    Chapter 6: Securing Communications ... 169
Part IV: Assessments and Audits
    Chapter 7: Intrusion Detection and Security Baselines ... 193
    Chapter 8: Auditing ... 217
Part V: Cryptography
    Chapter 9: Cryptography Basics ... 251
    Chapter 10: Cryptography Deployment ... 275
Part VI: Organizational Security
    Chapter 11: Organizational Security ... 305
    Chapter 12: Organizational Controls ... 331
Part VII: Practice Exams and Answers
    Practice Exam 1 ... 365
    Practice Exam 1 Answer Key ... 389
    Practice Exam 2 ... 411
    Practice Exam 2 Answer Key ... 439
Part VIII: Appendix
    What’s on the CD-ROM ... 467
Glossary ... 471
Index ... 493

Table of Contents
Introduction ... 1
    The CompTIA Certification Program ... 2
    Taking a Certification Exam ... 3
    Tracking Certification Status ... 4
    About This Book ... 5
    Chapter Format and Conventions ... 5
    Exam Topics ... 7
Self-Assessment ... 11
    CompTIA Certification in the Real World ... 11
    The Ideal CompTIA Certification Candidate ... 12
    Put Yourself to the Test ... 14
    How to Prepare for an Exam ... 19
    Studying for the Exam ... 19
    Testing Your Exam Readiness ... 21
    Dealing with Test Anxiety ... 22
    Day of the Exam ... 23
Part I: System Security
Chapter 1: System Threats and Risks ... 27
    Systems Security Threats ... 28
    Privilege Escalation ... 28
    Viruses ... 30
    Worms ... 31
    Trojans ... 32
    Spyware ... 32
    Spam ... 33
    Adware ... 34
    Rootkits ... 35
    Botnets ... 36
    Logic Bombs ... 37
    Protecting Against Malicious Code ... 38
    Security Threats to System Hardware and Peripherals ... 38
    BIOS ... 38
    USB Devices ... 40
    Handheld Devices ... 41
    Removable Storage ... 42
    Network-Attached Storage ... 42
    Exam Prep Questions ... 44
    Answers to Exam Prep Questions ... 46
    Suggested Reading and Resources ... 48
    References ... 48
Chapter 2: Online Vulnerabilities ... 49
    Web Vulnerabilities ... 50
    Java and JavaScript ... 50
    ActiveX Controls ... 52
    Cookies ... 52
    Common Gateway Interface Vulnerabilities ... 54
    Browser Threats ... 55
    Peer-to-Peer Networking ... 56
    Instant Messaging ... 56
    Simple Mail Transport Protocol Relay ... 57
    Protocol Vulnerabilities ... 57
    SSL/TLS ... 57
    LDAP ... 58
    File Transfer Protocol Vulnerabilities ... 59
    Anonymous Access ... 59
    Unencrypted Authentication ... 59
    Wireless Network Vulnerabilities ... 60
    WAP and i-Mode ... 60
    WLANs ... 61
    Wired Equivalent Privacy ... 61
    Wi-Fi Protected Access ... 62


    802.11i ... 62
    Site Surveys ... 62
    Network Device and Transmission Media Vulnerabilities ... 63
    Exam Prep Questions ... 66
    Answers to Exam Prep Questions ... 68
    Additional Reading and Resources ... 70
Part II: Infrastructure Security
Chapter 3: Infrastructure Basics ... 73
    Port and Protocol Threats and Mitigation Techniques ... 74
    Antiquated and Older Protocols ... 76
    TCP/IP Hijacking ... 77
    Null Sessions ... 78
    Spoofing ... 79
    Man in the Middle ... 80
    Replay ... 81
    Denial of Service ... 81
    Distributed DoS ... 83
    DNS Kiting ... 85
    DNS Poisoning ... 85
    ARP Poisoning ... 87
    Network Design Elements and Components ... 88
    Demilitarized Zone ... 88
    Intranet ... 90
    Extranet ... 90
    Virtual Local Area Network ... 90
    Network Address Translation ... 91
    Subnetting ... 92
    Network Interconnections ... 94
    Network Access Control ... 95
    Telephony ... 96
    Network Security Tools ... 98
    NIDS and HIDS ... 98
    Network Intrusion Prevention System ... 99
    Firewalls ... 99


    Proxy Servers ... 101
    Internet Content Filters ... 102
    Protocol Analyzers ... 103
    Exam Prep Questions ... 104
    Answers to Exam Prep Questions ... 106
    Additional Reading and Resources ... 108
Chapter 4: Infrastructure Security and Controls ... 109
    Implementing Security Applications ... 110
    Personal Software Firewalls ... 110
    Antivirus ... 111
    Antispam ... 112
    Pop-Up Blockers ... 113
    Virtualization Technology ... 114
    Applying Network Tools to Facilitate Security ... 116
    Firewalls ... 116
    Proxy Servers ... 117
    Internet Content Filters ... 118
    Protocol Analyzers ... 118
    Logical Access Control Methods ... 118
    Security Groups and Roles with Appropriate Rights and Privileges ... 119
    Security Controls for File and Print Resources ... 121
    Access Control Lists ... 122
    Group Policies ... 123
    Password Policy ... 124
    Logical Tokens ... 127
    Physical Control ... 128
    Risk and Return on Investment ... 128
    Identifying Risk ... 128
    Asset Identification ... 129
    Risk and Threat Assessment ... 130
    Vulnerabilities ... 131
    Calculating Risk ... 131
    Calculating ROI ... 132


    Exam Prep Questions ... 134
    Answers to Exam Prep Questions ... 136
    Additional Reading and Resources ... 137
Part III: Access Control
Chapter 5: Access Control and Authentication Basics ... 141
    Access Control ... 142
    Mandatory Access Control ... 143
    Discretionary Access Control ... 143
    Role-Based Access Control ... 144
    Access Control Best Practices ... 144
    Authentication ... 146
    Kerberos Authentication ... 147
    Mutual Authentication ... 150
    Challenge-Handshake Authentication Protocol ... 150
    Terminal Access Controller Access Control System Plus ... 151
    Remote Authentication Dial-In User Service ... 151
    IEEE 802.1x ... 151
    Certificates ... 152
    Username and Password ... 152
    Tokens ... 153
    Biometrics ... 153
    Multifactor Authentication ... 154
    Single Sign-On ... 155
    Identity Proofing ... 155
    Operating System Hardening ... 156
    Nonessential Services and Protocols ... 156
    Patch Management ... 156
    Security Settings ... 157
    Physical Access Security Methods ... 158
    Physical Barriers ... 160
    Facilities ... 160
    Other Deterrents ... 161
    Exam Prep Questions ... 164


    Answers to Exam Prep Questions ... 166
    Additional Reading and Resources ... 168
Chapter 6: Securing Communications ... 169
    Remote Access ... 170
    802.1x Wireless Networking ... 171
    VPN Connections ... 173
    Dial-Up User Access ... 174
    Secure Shell Connections ... 177
    Remote Desktop Protocol (RDP) ... 178
    Internet Protocol Security ... 178
    Electronic Mail ... 181
    Secure Multipurpose Internet Mail Extension ... 181
    Pretty Good Privacy ... 182
    Undesirable Email ... 182
    Instant Messaging ... 183
    Web Connectivity ... 184
    Hypertext Transport Protocol over Secure Sockets Layer ... 184
    Secure Sockets Layer ... 185
    Transport Layer Security ... 185
    Exam Prep Questions ... 186
    Answers to Exam Prep Questions ... 188
    Suggested Reading and Resources ... 190
Part IV: Assessments and Audits
Chapter 7: Intrusion Detection and Security Baselines ... 193
    Intrusion Detection ... 194
    Methods of Intrusion Detection ... 195
    Intrusion-Detection Sources ... 197
    Honeypots and Honeynets ... 201
    Incident Handling ... 202
    Security Baselines ... 203
    Vulnerability Assessment ... 203
    Hardening ... 206


    Exam Prep Questions ... 211
    Answers to Exam Prep Questions ... 213
    Additional Reading and Resources ... 215
Chapter 8: Auditing ... 217
    Using Monitoring Tools to Detect Security-Related Anomalies ... 218
    Performance Benchmarking and Baselining ... 220
    Performance Monitoring ... 221
    System Monitoring ... 222
    Protocol Analyzers ... 225
    Monitoring Methodologies ... 226
    Behavior-Based Monitoring ... 227
    Anomaly-Based Monitoring ... 228
    Signature-Based Monitoring ... 229
    Logging Procedures and Evaluation ... 229
    Application Security ... 230
    DNS ... 231
    System Logging ... 233
    Performance Logging ... 233
    Access Logging ... 234
    Firewall Logging ... 235
    Antivirus Logging ... 236
    Periodic Audits of System Security Settings ... 236
    User Access and Rights Review ... 237
    Storage and Retention Policies ... 240
    Group Policies ... 241
    Exam Prep Questions ... 243
    Answers to Exam Prep Questions ... 245
    Additional Reading and Resources ... 247

Part V: Cryptography
Chapter 9: Cryptography Basics ... 251
    Encryption Algorithms ... 252
    Symmetric Keys ... 253
    Asymmetric Keys ... 254
    Key Management ... 256
    Steganography ... 256
    CIA Triad ... 257
    Confidentiality ... 257
    Integrity ... 258
    Availability ... 259
    Nonrepudiation and Digital Signatures ... 259
    Whole Disk Encryption ... 261
    Trusted Platform Module ... 262
    Hashing Concepts ... 263
    Cryptographic Hash Functions ... 264
    Symmetric Encryption Algorithms ... 264
    Windows Authentication Hashing Algorithms ... 265
    Asymmetric Encryption Algorithms ... 268
    Wireless ... 270
    Exam Prep Questions ... 271
    Answers to Exam Prep Questions ... 273
    Suggested Readings and Resources ... 274
Chapter 10: Cryptography Deployment ... 275
    PKI Standards ... 277
    PKIX ... 277
    Public Key Cryptography Standards ... 278
    X.509 ... 279
    PKI Components ... 281
    Certificate Authorities ... 281
    Registration Authorities ... 282
    Certificates ... 282
    Certificate Policies ... 283
    Certificate Practice Statements ... 283
    Revocation ... 284
    Trust Models ... 284
    Key Management and the Certificate Life Cycle ... 286
    Centralized Versus Decentralized ... 287
    Storage ... 287
    Key Escrow ... 288
    Expiration ... 289
    Revocation ... 289
    Status Checking ... 290
    Suspension ... 290
    Recovery ... 290
    M of N Control ... 290
    Renewal ... 291
    Destruction ... 291
    Key Usage ... 291
    Multiple Key Pairs ... 292
    Protocols and Applications ... 292
    SSL and TLS ... 292
    Point-to-Point Tunneling Protocol ... 293
    Layer 2 Tunneling Protocol and IP Security ... 294
    Secure/Multipurpose Internet Mail Extensions ... 294
    Pretty Good Privacy ... 295
    Secure Shell ... 295
    Exam Prep Questions ... 297
    Answers to Exam Prep Questions ... 300
    Suggested Readings and Resources ... 302
Part VI: Organizational Security
Chapter 11: Organizational Security ... 305
    Disaster Recovery and Redundancy Planning ... 306
    Redundant Sites ... 309
    Utilities ... 311
    Redundant Equipment and Connections ... 313
    Service Level Agreements ... 319
    Backup Techniques and Practices ... 320
    Backup Types ... 320
    Schemes ... 321
    System Restoration ... 322
    Exam Prep Questions ... 325
    Answers to Exam Prep Questions ... 327
    Suggested Readings and Resources ... 329
Chapter 12: Organizational Controls ... 331
    Incident Response Procedures ... 332
    Forensics ... 332
    Chain of Custody ... 333
    First Responders ... 334
    Damage and Loss Control ... 335
    Reporting and Disclosure ... 335
    Applicable Legislation and Organizational Policies ... 336
    Secure Disposal of Computers and Media ... 337
    Acceptable Use Policies ... 338
    Password Complexity ... 339
    Change Management ... 340
    Classification of Information ... 341
    Separation of Duties and Mandatory Vacations ... 342
    Personally Identifiable Information ... 343
    Due Care ... 344
    Due Diligence ... 344
    Due Process ... 345
    Service Level Agreements ... 345
    Security-Related Human Resources Policy ... 346
    User Education and Awareness Training ... 346
    The Importance of Environmental Controls ... 347
    Fire Suppression ... 348
    HVAC ... 350
    Shielding ... 350
    The Risks of Social Engineering ... 353
    Phishing ... 354
    Hoaxes ... 355

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Part VII: Practice Exams and Answers Practice Exam 1 . . . . . . . . . . . . . . . . 365 Practice Exam 1 Answer Key . . . . . . . . . . . . . . . 469 Technical Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 . 356 Exam Prep Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Answers to Exam Prep Questions . . . . . . . . . . . 470 Glossary . . . . . . . . . . . . . 471 Index . . . . 467 Custom Mode . . . . . . . . . . . . . . . . . . 390 Practice Exam 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Creating a Shortcut to the MeasureUp Practice Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 Recommended Reading and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Certification Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Dumpster Diving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Answers with Explanations . . 355 User Education and Awareness Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Multiple Test Modes . . . . . . . . . . . . . 
439 Answers at a Glance . . . . . . . . . . . . . . . 468 Installing the CD . . . . . . . . . . . . . . . 468 Attention to Exam Objectives . 467 Study Mode . . . . . . . .xiv CompTIA Security+ Exam Cram Shoulder Surfing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Appendix: What’s on the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Answers with Explanations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Practice Exam 2 Answer Key . . . . . . . . . 389 Answers at a Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

About the Authors

Diane Barrett is a professor in the Network Security and Computer Forensics programs at the University of Advancing Technology. She has authored several security and forensic books. Diane belongs to the local chapters of several security user groups, including HTCIA and InfraGard. She was also a volunteer for ISSA's (Information Systems Security Association) Generally Accepted Information Security Principles (GAISP) project in the Ethical Practices Working Group. Diane received her master's of science degree in computer technology, with a specialization in information security, from Capella University. She holds about 15 industry certifications, including Security+ and CISSP.

Kalani K. Hausman is an author, teacher, and information technology implementer with more than 20 years' experience specializing in IT governance, enterprise architecture, regulatory compliance, and enterprise security management. His experience includes medium to large-scale globally deployed networks in governmental, higher-education, health-care, and corporate settings. He is active within the FBI InfraGard, the Information Systems Audit and Control Association (ISACA), and ISSA, and is currently employed as the Assistant Commandant for IT at Texas A&M University. He holds several certifications, including CISSP, CISM, CISA, ISSMP, GHSC, and Security+.

Martin Weiss is a manager of information security gurus at RSA, The Security Division of EMC, helping organizations accelerate their business by solving their most complex and sensitive security challenges. He is also on the board of directors for the Connecticut chapter of ISSA and has authored several other books. Marty received his MBA from the Isenberg School of Management at the University of Massachusetts and currently lives in New England with his wife and three sons. He holds several certifications, including CISSP, MCSE: Security, Security+, and RSA CSE. Marty can be reached at marty.weiss@gmail.com.

Dedication

To my husband, for having the fortitude to deal with all my technology. —Diane Barrett

To my boys, Maxwell, Jonathan, and Oliver, who inspire me daily. —Martin Weiss

As always, my work is dedicated to Susan, my incredible wife, and, of course, to my boys, Kobe and Luke. —Kalani K. Hausman

Acknowledgments

Publishing a book takes the collaboration and teamwork of many individuals.

I would like to thank my agent, Carole McClendon, who coordinated the compilation of this work. Thanks to everyone involved in this process from Waterside Productions and Pearson Education (and thanks to those who purchase this book in their quest for certification). Special thanks to my coauthors, Marty and Kirk: You made this project interesting and enjoyable. —Diane Barrett

Special thanks go to my coauthors, Martin Weiss and especially Diane Barrett, in addition to Betsy Brown and the Pearson editorial staff. To our editorial and technical reviewers, thank you for making sure that our work was sound and on target. Kelly, you specifically were a tremendous help. —Kalani K. Hausman

First, thank you to the entire team that helped bring this book together. Betsy, thanks for keeping us all on track. Thanks as well to the many fine employees and customers I work with at RSA. I'm thankful for the inspiration provided to me by my three boys and, of course, Cassandra. Thank you, Cassandra, for the moral support provided on those late nights. Thank you Spike, Bill, and Moxie. —Martin Weiss

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

As the Associate Publisher for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn't like about this book, as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book's title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: feedback@quepublishing.com

Mail: Dave Dusthimer, Associate Publisher, Que Publishing, 800 East 96th Street, Indianapolis, IN 46240 USA

Reader Services

Visit our website and register this book at http://www.informit.com/register for convenient access to any updates, downloads, or errata that might be available for this book.


and. configuring. This introduction explains CompTIA’s certification programs in general and talks about how the Exam Cram series can help you prepare for CompTIA’s latest certification exams. and working with both Windows and UNIX or Linux operating systems to patch and maintain them for the best and most current security possible because the Security+ exam focuses on such activities and the knowledge and skills they can provide for you. The two practice exams at the end of this book should give you a reasonably accurate assessment of your knowledge. Nevertheless. Exam Cram books help you understand and appreciate the subjects and materials you need to know to pass CompTIA certification exams. Read this book. you might decide to begin your studies with classroom training or some background reading. Instead. number SY0-201. we recommend that you begin by taking the “Self-Assessment” that immediately follows this introduction. Chapters 1 through 12 are designed to remind you of everything you need to know to pass the SY0-201 certification exam. to completely prepare yourself for any CompTIA test.Introduction Welcome to CompTIA Security+ Exam Cram. and certification. understand the material. On the other hand. This can also be the first step in earning more advanced security certifications. experience. We also strongly recommend that you spend some time installing. Second Edition. and you’ll stand a very good chance of passing the real test. This book aims to help you get ready to take and pass the CompTIA Security+ exam. Exam Cram books are aimed strictly at test preparation and review. you’ll find information here that will help ensure your success as you pursue knowledge. the authors streamline and highlight the pertinent information by presenting and dissecting the questions and problems they’ve discovered that you’re likely to encounter on a CompTIA test. 
The self-assessment tool will help you evaluate your knowledge base against the requirements for the CompTIA Security+ exam under both ideal and real circumstances. yes. you might decide to pick up and read one of the many study guides available from Que or a third-party vendor. Nothing beats hands-on experience and familiarity when it . They do not teach you everything you need to know about a subject. we’ve provided the answers and their explanations for these practice exams. Based on what you learn from the self-assessment. Whether this book is your first or your fifteenth Exam Cram series book.

and security. but without doubt. including RAID. instead of focusing on vendor or product specifics. communication.aspx. For more information about this exam. This exam is an excellent prequalifier for those interested in Security+ who might have little or no PC or computing skills or knowledge.org/ linux/default. . they offer certification candidates a chance to . briefly annotated to document their possible relevance to Security+: . Therefore. This two-part exam also covers security. For more information about this exam. This exam is an excellent prequalifier for those interested in Security+ who have little or no networking skills or knowledge. Server+: An exam that tests server knowledge and capabilities. For more information about this exam.comptia. go to http://certification.and platform-neutral.comptia. Book learning is essential. which means they primarily test general skills and knowledge. safety.org/network/default.org/server/default. and basic networking.org) offers numerous IT certifications. primarily aimed at entry. Here is a list of some other relevant CompTIA certifications. . Linux-based clients. A+: An exam that tests basic PC hardware and software installation. protocols. including hardware.comptia. and professionalism.aspx. con- figuration. . hands-on experience is the best teacher of all! The CompTIA Certification Program The Computing Technology Industry Association (http://www. preventive maintenance. diagnosing.org/a/default.aspx. go to http://certification. Network+: An exam that tests basic and intermediate networking skills and knowledge.comptia.comptia. software configurations. see http://certification.and intermediatelevel IT professionals. file permissions. user administration.aspx. Linux+: An exam that tests knowledge and management of Linux systems via command line. The CompTIA exams are all vendor. SCSI. and disaster recovery. For more information about this exam. 
This exam is an excellent prequalifier for those interested in Security+ who have little or no server environment skills or knowledge. and troubleshooting topics.2 CompTIA Security+ Exam Cram comes to understanding the questions you’re likely to encounter on a certification test. multiple CPUs. environmental issues. server systems. go to http://certification. drivers.

you need to call the appropriate phone number or visit the Prometric or Vue website at least one day in advance. Within the United States and Canada.com/comptia/. If you live outside this region. even if you don’t show up to take the test). the cost to take the Security+ exam is $258 for individuals. . You can find the sign-up web page for the exam itself at http://www. for each attempt until you pass. check the Prometric website for the appropriate phone number. When you want to schedule a test. If you don’t pass. To schedule an exam. You can also use this web page (click the Contact button. To cancel or reschedule an exam in the United States or Canada.) Because CompTIA changes their website often. http://securereg3. or a check has cleared. At the time of this writing. you can register by phone at 800-755-3926. To sign up for a test.m. In the United States and Canada. Prometric—You can sign up for a test through the company’s website. you can take the exam again for the same cost as the first attempt. CompTIA Corporate Members receive discounts on nonmember pricing. click the View Telephone Directory by Sponsor link. tests are administered by Prometric or VUE.com/.prometric. Here’s how you can contact them: . and then click CompTIA) to obtain a telephone number for the company (in case you can’t or don’t want to sign up for the exam on the web page). a local CompTIA sales representative can provide answers to any questions you might have. you need to register with a testing center. you should have the following information ready: .vue. the URLs listed above might not work in the future.3 Introduction demonstrate necessary general abilities relevant in most workplaces. you must possess a valid credit card or contact either Prometric or Vue for mailing instructions to send a check (in the United States). Pearson VUE—You can contact Virtual University Enterprises (VUE) to locate a nearby testing center that administers the test and to make an appointment. 
can you actually register for a test. you must call before 3 p. For more information about these discounts. Taking a Certification Exam After you prepare for your exam. Only after payment has been verified. (This explains why employers generally look at CompTIA certifications favorably. Eastern time the day before the scheduled test time (or you might be charged. You should use the Search tool on CompTIA’s site to find more information about a particular certification.

organization. promotions. Along with the license comes a logo sheet. Official certification is normally granted after six to eight weeks. citizens of other countries should call ahead to find out what type of identification number is required to register for a test. As an official recognition of hard work and broad knowledge. . along with a wallet card. and so on. We’re starting to see more job listings that request or require applicants to have CompTIA and other related certifications.) After you sign up for a test. A payment method. so you shouldn’t expect to get your credentials overnight. (See CompTIA’s website for other benefits of specific certifications. A license to use the related certification logo. one of which must be a photo ID.4 CompTIA Security+ Exam Cram . and documents. business cards. which means you can use the logo in advertisements. this means your Social Security number. and mailing address. Tracking Certification Status After you pass the exam. . you are certified. A certificate suitable for framing. a credit card is the most convenient method.) . and on letterhead. The package for official certification that arrives includes a Welcome Kit that contains a number of elements. To be admitted into the testing room.) Many people believe that the benefits of certification go well beyond the perks that CompTIA provides to new members of this elite group. (As mentioned previously. The name and number of the exam you want to take. alternative means can be arranged in advance. (Note that before you use any of the artwork. you must sign and return a licensing agreement that indicates you’ll abide by its terms and conditions. if necessary. (In the United States. and many individuals who complete CompTIA certification programs can qualify for increases in pay and responsibility. . Your name. you are told when and where the test is scheduled.) . You should arrive at least 15 minutes early. you must supply two forms of identification. . 
a certification credential is a badge of honor in many IT organizations. Your CompTIA test ID. which includes camera-ready artwork.

About This Book

We've structured the topics in this book to build on one another. Therefore, some topics in later chapters make the most sense after you've read earlier chapters. That's why we suggest that you read this book from front to back for your initial test preparation. If you need to brush up on a topic or if you have to bone up for a second try, you can use the index or table of contents to go straight to the topics and questions that you need to study. Beyond helping you prepare for the test, we think you'll find this book useful as a tightly focused reference to some of the most important aspects of the Security+ certification.

Chapter Format and Conventions

Each topical Exam Cram chapter follows a regular structure and contains graphical cues about important or useful information. Here's the structure of a typical chapter:

• Opening hotlists: Each chapter begins with a list of the terms, tools, and techniques that you must learn and understand before you can be fully conversant with that chapter's subject matter. The hotlists are followed with one or two introductory paragraphs to set the stage for the rest of the chapter.

• Topical coverage: After the opening hotlists and introductory text, each chapter covers a series of topics related to the chapter's subject. Throughout that section, we highlight topics or concepts that are likely to appear on a test, using a special element called an Exam Alert:

EXAM ALERT
This is what an alert looks like. Normally, an alert stresses concepts, terms, software, or activities that are likely to relate to one or more certification test questions. For that reason, we think any information in an alert is worthy of extra attentiveness on your part.

Pay close attention to material flagged in Exam Alerts. Although all the information in this book pertains to what you need to know to pass the exam, Exam Alerts contain information that is really important. Of course, you need to understand the "meat" of each chapter, too, when preparing for the test.

In addition to the alerts, we provide tips and notes to help you build a better foundation for security knowledge. Although the tip information might not be on the exam, it is certainly related and will help you become a better-informed test taker. Keep your eyes open for these, and you'll become a Security+ guru in no time!

NOTE
This is how notes are formatted. Notes direct your attention to important pieces of information that relate to the CompTIA Security+ certification.

TIP
This is how tips are formatted.

• Exam prep questions: Although we talk about test questions and topics throughout this book, the section at the end of each chapter presents a series of mock test questions and explanations of both correct and incorrect answers.

• Details and resources: Every chapter ends with a section that provides direct pointers to CompTIA and third-party resources that offer more information about the chapter's subject. That section also tries to rank or at least rate the quality and thoroughness of the topic's coverage by each resource. If you find a resource you like in that collection, you should use it. On the other hand, don't feel compelled to use all the resources. We recommend only resources that we use on a regular basis, so none of our recommendations will be a waste of your time or money. (However, purchasing them all at once probably represents an expense that many network administrators and CompTIA certification candidates might find hard to justify.) Because this book's material is condensed, we recommend that you use this book along with other resources to achieve the maximum benefit.

Although the bulk of this book follows the chapter structure just described, we want to point out a few other elements:

• "Practice Exam 1" and "Practice Exam 2" and the answer explanations provide good reviews of the material presented throughout the book to ensure that you're ready for the exam.

• The Glossary defines important terms used in this book.

• The tear-out Cram Sheet attached next to the inside front cover of this book represents a condensed collection of facts and tips that we think are essential for you to memorize before taking the test. Because you can dump this information out of your head onto a sheet of paper just before taking the exam, you can master this information by brute force; you need to remember it only long enough to write it down when you walk into the testing room. You might even want to look at it in the car or in the lobby of the testing center just before you walk in to take the exam.

• The MeasureUp Practice Tests CD-ROM that comes with each Exam Cram and Exam Prep book features a powerful, state-of-the-art test engine that prepares you for the actual exam. MeasureUp Practice Tests are developed by certified IT professionals and are trusted by certification students around the world. For more information, visit http://www.measureup.com.

Exam Topics

Table I-1 lists the skills measured by the SY0-201 exam and the chapter in which each topic is discussed. Some topics are covered in other chapters, too.

TABLE I-1 CompTIA SY0-201 Exam Topics

Domain 1.0: Systems Security
• Differentiate among various systems security threats.
• Explain the security risks pertaining to system hardware and peripherals.
• Implement OS hardening practices and procedures to achieve workstation and server security.
• Carry out the appropriate procedures to establish application security.
• Implement security applications.
• Explain the purpose and application of virtualization technology.

Domain 2.0: Network Infrastructure
• Differentiate between the different ports and protocols and their respective threats and mitigation techniques.
• Distinguish between network design elements and components.
• Determine the appropriate use of network security tools to facilitate network security.
• Apply the appropriate network tools to facilitate network security.
• Explain the vulnerabilities and mitigations associated with network devices.
• Explain the vulnerabilities and mitigations associated with various transmission media.
• Explain the vulnerabilities and implement mitigations associated with wireless networking.

Domain 3.0: Access Control
• Identify and apply industry best practices for access control methods.
• Explain common access control models and the differences between each.
• Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges.
• Apply appropriate security controls to file and print resources.
• Compare and implement logical access control methods.
• Summarize the various authentication models and identify the components of each.
• Deploy various authentication models and identify the components of each.
• Explain the difference between identification and authentication (identity proofing).
• Explain and apply physical access security methods.

Domain 4.0: Assessments and Audits
• Conduct risk assessments and implement risk mitigation.
• Carry out vulnerability assessments using common tools.
• Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.
• Use monitoring tools on systems and networks and detect security-related anomalies.
• Compare and contrast various types of monitoring methodologies.
• Execute proper logging procedures and evaluate the results.
• Conduct periodic audits of system security settings.

Domain 5.0: Cryptography
• Explain general cryptography concepts.
• Explain basic hashing concepts and map various algorithms to appropriate applications.
• Explain basic encryption concepts and map various algorithms to appropriate applications.
• Explain and implement protocols.
• Explain core concepts of public key cryptography.
• Implement PKI and certificate management.

Domain 6.0: Organizational Security
• Explain redundancy planning and its components.
• Implement disaster recovery procedures.
• Differentiate between and execute appropriate incident response procedures.
• Identify and explain applicable legislation and organizational policies.
• Explain the importance of environmental controls.
• Explain the concept of and how to reduce the risks of social engineering.

Domains 1 through 3 are covered in Chapters 1 through 6, Domain 4 in Chapter 7, Domain 5 in Chapters 8 through 10, and Domain 6 in Chapters 11 and 12.

Given all the book's elements and its specialized focus, we've tried to create a tool that will help you prepare for and pass CompTIA Security+ Exam SY0-201. Please share with us your feedback on this book, especially if you have ideas about how we can improve it for future test takers. Send your questions or comments about this book via email to feedback@quepublishing.com. We'll consider everything you say carefully, and we'll respond to all suggestions. For more information about this book and other Exam Cram titles, visit our website at http://www.informit.com/examcram. Thanks for making this Exam Cram book a pivotal part of your certification study plan. Best of luck on becoming certified!


Increasing numbers of people are attaining CompTIA certifications. however. they are by no means impossible to meet.com/examcram for more certification resources. at Que Publishing. You can get all the real-world motivation you need from knowing that many others have gone before. on the CompTIA Website. especially with the changes that have been made to the CompTIA certifications to support Windows. involves some expense.informit. you can take and pass all the certification tests involved in obtaining the credentials. . CompTIA Certification in the Real World In the next section. we describe the ideal CompTIA certified candidate. In fact. Before you tackle this self-assessment. we’ve designed the Exam Cram series to make it as easy for you as possible to prepare for these exams. You might also want to check out the CompTIA Web page. http://www. Visit http://www. so you will be able to follow in their footsteps. and requires real effort. Exam SY0-201 Security+). you need to be keenly aware that getting through the process takes time. If you’re willing to tackle the process seriously and do what it takes to obtain the necessary experience and knowledge. However. knowing full well that only a few real candidates meet that ideal.com/. our description of those ideal candidates might seem downright scary. let’s talk about concerns you might face when pursuing a CompTIA certification credential on security and what an ideal CompTIA certification candidate might look like. In fact. But take heart: Although the requirements to obtain the advanced CompTIA certification might seem formidable. It should also help you to understand what you need to know to master the main topic of this book (namely.Self-Assessment We include a self-assessment in this Exam Cram book to help you evaluate your readiness to tackle CompTIA certifications.CompTIA.

The Ideal CompTIA Certification Candidate

To give you an idea of what an ideal CompTIA certification candidate is like, here are some relevant statistics about the background and experience such an individual might have:

• Academic or professional training in networking with a particular emphasis on TCP/IP, among others. This includes everything from networking media and transmission techniques through network operating systems, services, and applications.

• Two or more years of professional networking experience, including experience with various networking media. This must include installation, configuration, upgrade, and troubleshooting experience. The official CompTIA verbiage for this requirement reads “two years on-the-job networking experience, with an emphasis on security,” to quote straight from the CompTIA Web page on general Security+ exam information. The CompTIA Network+ certification is also recommended.

NOTE All certifications require some hands-on experience. Some of the more advanced exams require you to solve real-world case studies and security-related issues, so the more hands-on experience you have, the better.

NOTE Don’t worry if you don’t meet these qualifications or even come very close. Where you fall short is just where you have more work to do.

• Academic or professional training in information security theory, concepts, and operations. This includes everything from “systems security,” to “cryptography” and “organizational security,” and “assessments and audits,” to the details involved in installing, configuring, and using common TCP/IP-based networking services such as Web (HTTP) and wireless services.

• Understand systems security concepts, including differentiating among various systems security threats and explaining the security risks pertaining to system hardware and peripherals. You also need to understand concepts related to implementing OS hardening practices and procedures to achieve workstation and server security, along with carrying out the appropriate procedures to establish application security. Candidates must also understand how to properly implement security applications and explain the purpose and application of virtualization technology.

• Understand a broad range of topics related to network infrastructure, including differentiating between the different ports and protocols, their respective threats, and mitigation techniques. You also need to explain the vulnerabilities and mitigations associated with network devices and transmission media and be able to apply the appropriate network tools to facilitate security. Other relevant concepts include performance monitoring and establishing and maintaining security baselines for networks, servers, and applications.

• Understand access control topics, including access and authentication methods. You need to be able to identify common access control models and apply appropriate security controls to all resources, along with physical measures. Knowledge of authentication components such as biometrics, VPN, and remote access is required.

• Learn the roles that tools and security settings play in assessments and audits.

• Understand the basics of cryptography, including key algorithms, public key infrastructures, security standards and protocols, and what’s involved in managing keys and digital certificates.

• Know the concepts and best practices related to organizational security, including incident response, disaster recovery, legal considerations, and what’s involved in formulating and maintaining organizational policies and procedures. Recognize the concepts related to forensics investigations. You also need to understand environmental controls and social engineering concerns, and protecting the organization from damage (understanding malice may originate both externally and internally). In addition, you will be required to identify environmental controls and discuss user security-awareness training.

Fundamentally, this all boils down to a bachelor’s degree in computer science with a strong focus on security topics, plus two years of experience working in a position involving network design, installation, configuration, maintenance, and security matters. We believe that fewer than half of all certification candidates meet these requirements, and that, in fact, most meet fewer than half of these requirements—at least, when they begin the certification process. But because

so many other IT professionals who already have been certified in security topics have survived this ordeal, you can survive it, too, especially if you heed what this self-assessment can tell you about what you already know and what you need to learn.

Put Yourself to the Test

The following questions and observations are designed to help you figure out how much work you must do to pursue CompTIA certification and the types of resources you can consult on your quest. Be absolutely honest in your answers. Otherwise, you’ll end up wasting money on exams that you’re not yet ready to take. There are no right or wrong answers—only steps along the path to certification. Only you can decide where you really belong in the broad spectrum of aspiring candidates.

Two points should be clear from the outset, however:

• Even a modest background in computer science will be helpful.

• Hands-on experience with security products and technologies is an essential ingredient for certification success.

This self-assessment is designed to show you what you already know and to identify the topics that you need to review. Depending on your answers to these questions, you might need to review some additional resources to raise your knowledge for the types of questions that you will encounter on CompTIA certification exams.

Educational Background

The following questions concern your level of technical computer experience and training.

1. Have you ever taken any computer-related classes?

2. Have you taken any classes on computer operating systems? You will need to be able to handle various architecture and system component discussions that come up throughout the Security+ materials, especially virtual memory, buffer overflows, access controls, and general computer security topics. If you are rusty, brush up on basic operating system concepts. If not, consider some basic reading in this area. We strongly recommend a good general operating systems book, such as Operating System Concepts, 7th Edition, by Abraham Silberschatz, Peter Baer Galvin, and Greg Gagne (John Wiley & Sons, 2004). If this title doesn’t appeal to you, check out reviews for other, similar titles at your favorite online bookstore.

3. Have you taken any networking concepts or technologies classes? You will probably be able to handle the numerous mentions of networking terminology, concepts, and technologies that drive the Security+ exam. If you are rusty, brush up on basic networking concepts and terminology, especially networking media, transmission types, the OSI reference model, basic networking technologies, and TCP/IP. If you are not sure whether you are completely knowledgeable about these topics, you might want to read one or two books in this topic area. The two best general books that we know of are Computer Networking Illuminated, by Diane Barrett and Todd King (Jones and Bartlett, 2005) and Computer Networks and Internets, 5th Edition, by Douglas E. Comer (Prentice Hall, 2008). When it comes to TCP/IP, consider also TCP/IP Clearly Explained, 4th Edition, by Pete Loshin (Morgan Kaufmann, 2002), or Guide to TCP/IP, 3rd Edition, by Ed Tittel and Laura Chappell (Course Technology, 2006).

4. Have you done any reading on operating systems or networks? Review the requirements stated in the first paragraphs after questions 2 and 3. If you do not meet those requirements, consult the recommended reading for both topics. A strong networking background will help you prepare for the Security+ exam in too many important ways to recount them all here.

5. Have you taken any security concepts or information security classes? You will probably be able to handle the primary focus on information security terminology, concepts, and technologies that appear on the Security+ exam. If you are rusty, brush up on basic security concepts and terminology, especially the topics mentioned explicitly in the Security+ exam objectives (download them from http://certification.comptia.org/security/security_update.aspx), and read one of the general information security references mentioned in the following paragraph. You might want to read one or two books in this topic area. The two best general information security books that we know of are Computer Security Fundamentals by Chuck Easttom (Prentice Hall, 2005) and Computer Security, 2nd Edition by Dieter Gollmann (John Wiley & Sons, 2006).

6. Have you done any reading on general security concepts or information security? Review the requirements stated in the paragraphs after question 5. If you do not meet those requirements, consult the recommended reading for those topics. A strong information security background is essential when preparing for the Security+ exam.

Hands-On Experience

An important key to success on the Security+ exam lies in obtaining hands-on experience, especially with Windows 2003 Server and XP Professional, and with some relatively recent version of Linux or UNIX in both server and workstation configurations. There is simply no substitute for time spent installing, configuring, and using the various Microsoft and Linux or UNIX services, about which you will be asked repeatedly on the Security+ exam. That said, such coverage stresses concepts and principles much more than exact installation or configuration details; after all, it is a vendor-neutral exam.

Have you installed, configured, and worked with the following operating systems:

• Windows 2003 Server? Make sure you understand basic concepts as covered in Microsoft MCP Exam 70-290, and services for Microsoft MCP Exam 70-293, plus have implemented the security features for Microsoft Exam 70-298. Microsoft MCP Exam 70-291 can also shed light on the Microsoft slant on information security. You should also study the TCP/IP interfaces, utilities, protocols, and configuration settings, which will help you prepare for the Security+ exam. If you haven’t worked with Windows 2003 Server, TCP/IP, and the Internet Security and Accelerator (ISA) Server, obtain one or two machines and a copy of Windows 2003 Server. Then learn the operating system. Do the same for TCP/IP and any other software components on which you will also be tested.

TIP You can download objectives, practice exams, and other data about Microsoft exams from the Training and Certification page at http://www.microsoft.com/learning/default.mspx. Click the Find an Exam link to obtain specific exam info.

• Windows XP Professional? You might want to obtain a copy of Windows XP Professional and learn how to install, configure, and maintain it. Pick up a well-written book to guide your activities and studies (such as MCSE Windows XP Professional Exam Cram 2, by Derek Melber and Dan Balter), or you can work straight from CompTIA’s exam objectives if you prefer. You also should study the TCP/IP interfaces, utilities, and related services, specific security utilities, and related configuration tools to make sure you can put Security+ concepts and terms into an operational context.

• Windows Vista? Consider obtaining a copy of Windows Vista and learn how to install, configure, and maintain it. Carefully read each page of this book while working with your copy of Windows Vista, and review the CompTIA exam objectives.

TIP Microsoft offers resource kits for various topics. You can purchase soft cover resource kits from Microsoft Press (search at http://www.microsoft.com/learning/books/default.mspx), but they also appear on TechNet (http://technet.microsoft.com/en-us/default.aspx).

• Some version of Linux or UNIX configured as a server? Be sure you understand basic concepts behind Linux or UNIX installation, operation, configuration, and maintenance. In fact, we recommend that you obtain two computers, each with a network interface, and set up a two-node network on which to practice. With decent Windows 2003- and UNIX/Linux-capable computers selling for less than $500 these days, this shouldn’t be too great a financial hardship. You might have to scrounge to come up with the necessary software, but if you scour the Microsoft Website, you can usually find low-cost options to obtain evaluation copies of most of the software you will need. Linux is open source, which means you can get it for free (if you don’t mind building your own installations without software assistance) or for less than $100 (if you prefer to get a self-installing version of the software with documentation).

• Some version of Linux or UNIX configured as a workstation or desktop machine?

Make sure you understand the concepts involved in installing, configuring, and maintaining a Linux or UNIX desktop and the client-side security settings. Here again, pay special attention to installing, configuring, and managing Linux or UNIX desktop machines, tools, and utilities.

Use One Computer to Simulate Multiple Machines

If you own a powerful enough computer—one that has plenty of available disk space, a lot of RAM (at least 1GB), and a dual-core processor or better—check out the available VMware and Virtual PC virtual-machine software products. These software programs create an emulated computer environment within separate windows that are hosted by your computer’s main operating system—Windows Vista, Windows XP, Windows Server 2003, Linux, and so on. Within a virtual-machine environment, on a single computer you can have several different operating systems running simultaneously in different windows. You can run everything from DOS to Linux, from Windows 95, XP, or Vista to Windows Server 2003, including beta versions. With this tool, you can “play” with the latest operating systems, without worrying about “blowing up” your main production computer and without having to buy an additional PC. VMware software is published by VMware, Inc.; you can get more information from its website at http://www.vmware.com. Virtual PC is published by Microsoft; you can find out more information from the Virtual PC 2007 Website at http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx.

Before you even think about taking any CompTIA exam, make sure you’ve spent enough time studying security principles and practices. This time will help you in the exam—and in real life!

TIP Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for the Security+ certification exam is essential. If you have the funds, or if your employer will pay your way, consider taking a class. CompTIA maintains a list of pointers to Security+ training venues on its website. Visit http://www.comptia.org/trainingandeducation/default.aspx for more details.

NOTE You can download objectives, practice exams, and other data about CompTIA exams from the Training and Certification page at http://www.comptia.org/trainingandeducation/default.mspx. Click the CompTIA Certification Programs link to obtain specific exam information.

How to Prepare for an Exam

Preparing for any CompTIA certification test, including Exam SY0-201, requires that you obtain and study materials designed to provide comprehensive information about the product and its capabilities that will appear on the specific exam for which you are preparing. The following list of materials can help you study and prepare:

• The exam preparation materials, practice tests, and self-assessment exams on the CompTIA Training and Certification site, at http://certification.comptia.org/security/prepare.aspx. The Prepare for Exam link offers samples of the new question types on the CompTIA certification track series of exams.

• The exam preparation advice, practice tests, online partners, online references, and discussion groups on InformIT, at http://www.informit.com/examcram.

• Several publishers—including Que Publishing—offer Windows Server 2003, Windows Vista, Windows XP, and CompTIA titles. We anticipate that you’ll find this book belongs in this company. The “Suggested Readings and Resources” sections at the end of each chapter in this book identify sources for further discussion.

• CompTIA Learning Alliance (CLA), and third-party training companies (such as New Horizons and Global Knowledge) all offer classroom training on Windows Server 2003, Windows Vista, Windows XP, and Network+. These companies aim to help you prepare to pass Exam SY0-201 (and several others). Although this type of training tends to be pricey, most who are lucky enough to attend find this training worthwhile.

This required and recommended material represents a comprehensive collection of sources and resources for security and related topics. There’s no shortage of material available about security.

Studying for the Exam

Although many websites describe what to study for a particular exam, few sites cover how you should study for an exam. The study process can be broken down into various stages. However, critical to all of these stages is the ability to concentrate.

To be able to concentrate, you must remove all distractions. Before you begin to study, you first need to create an environment conducive to studying or seek out one that is (such as a library). Make sure that your study area is well lit. Natural light is best for fighting fatigue. And find a comfortable position and use ergonomically appropriate furniture. Opinions differ as to whether it is better to study with or without music playing. Some people need to have a little white noise in the background to study. If you do choose to have music, keep the volume low and listen to music without lyrics. Do not study with the TV on, and do not have other people in the room. It is easy for the TV or another person to attract your attention (and thus break your concentration). Although you should plan for study breaks, it is the unplanned breaks caused by distractions that do not allow you to concentrate on what you need to learn.

After you find a place to study, schedule the time to study. Make sure that you are well rested so that you don’t doze off. Keep a glass of water nearby to sip on. Do not study on an empty stomach. But do not study on a full stomach, either, because a full stomach tends to make people drowsy. Take a minute or two, close your eyes, clear your mind of distractions, and empty your mind. Of course, a peaceful study area without distractions will help you prepare.

When you prepare for an exam, the best place to start is to take the list of exam objectives and study each objective carefully for its scope. Then organize your study, keeping these objectives in mind. Doing so will help you narrow your focus to specific topics or subtopics. In addition, you need to understand and visualize the exam process as a whole. This process will help prepare you to deal with practical problems in the real testing environment and perhaps to even deal with questions that you might not have expected. As mentioned previously, with multiple-choice questions, you have to be exact and differentiate between similar answers. In a multiple-choice exam, you do have one advantage: The answer or answers are already there, and you just have to choose the correct ones. Because the answers are already there, you can use your knowledge and logic to eliminate incorrect answers. Therefore, you will more easily be able to focus on the questions and possible answers and not miss key points. One common mistake is to select the first obvious-looking answer without checking the other options. So always examine all the options and then think and choose the right answer.

Testing Your Exam Readiness

Whether you attend a formal class on a specific topic to prepare for an exam or use written material for self-study, some preparation for the Security+ certification exam is essential. At $250 a try (the price is lower if you or your employer belong to CompTIA), you want to do everything you can to pass on your first attempt. The opportunity to interact with an instructor and fellow students can make all the difference. So, if you can afford that privilege, consider taking a class if you have tackled self-study materials, taken the test, and failed anyway.

TIP CompTIA also maintains a list of pointers to Security+ training venues on its website. Visit http://www.comptia.org/certification/Security/get_training.asp for more information. For information about Security+ classes, use your favorite search engine with a string such as “Security+ class” or “Security+ training.”

Even if you can’t afford to spend much at all, you should still invest in some low-cost practice exams from commercial vendors. CompTIA certification exams have their own style and idiosyncrasies. The more acclimated you become to the CompTIA testing environment, the better your chances will be to score well on the exams. The next question deals with your personal test-taking experience:

Have you taken a Security+ practice exam? If you scored 90% or better, you are probably ready to tackle the real thing. If your score isn’t above that threshold, keep at it until you break that barrier.

We have included two practice exams in this book. If you don’t score well on the first test, you can study more and then tackle the second test. If you still don’t hit a score of at least 90% after these tests, investigate the following practice test resources. For any given subject, this list is by no means exhaustive. (Feel free to use your favorite search engine to look for more.)

• PrepLogic—http://www.preplogic.com

• Self Test Software—http://www.selftestsoftware.com/

• TestKing—http://www.testking.com

• Transcender—http://www.transcender.com

If you haven’t taken a Security+ practice exam, obtain all the free and low-price practice tests you can find and get to work. Keep at it until you can break the passing threshold comfortably. (The passing score on Security+ is 85% or higher; that is why we recommend shooting for 90%, to leave some margin for the impact of stress when taking the real thing.)

TIP When assessing your test readiness, there is no better way than to take a good-quality practice exam and pass with a score of 85% or better. When we are preparing ourselves, we shoot for better than 90%, just to leave room for the “weirdness factor” that sometimes depresses performance on exams when taking the real thing.

In addition to the general exam-readiness information in this section, you can do several things to prepare for the Security+ exam. As you’re getting ready for the Security+ exam, visit http://www.cramsession.com. You can sign up for “Question of the Day” services for this exam, join relevant ongoing discussion groups, and look for pointers to exam resources, study material, and related tips.

Dealing with Test Anxiety

A certification exam costs money and requires preparation time, and failing an exam can be a blow to your self-confidence. This is why most people feel a certain amount of anxiety before taking a certification exam. Certain levels of stress can actually help you to raise your level of performance when taking an exam. This anxiety can help you focus and think clearly through a problem. For some people, however, exam anxiety is more than just a nuisance. For these people, exam anxiety is a debilitating condition that negatively affects their performance on exams.

Anxiety reduction begins with the preparation process. The better prepared you are, the less stress you will experience. Ensure that you know the material; then you should not be nervous about any topic area. No hard-and-fast rule specifies how long it takes to prepare for an exam. The time required will vary from student to student and depends on a number of factors (reading speed, access to study material, personal commitments, and so on). Always give yourself plenty of time to prepare. In addition, make goals and make every effort to meet those goals. But again, don’t place yourself under unreasonable deadlines. Procrastination and making excuses can be just as bad. And don’t compare yourself to peers, especially if doing so has a negative effect on your confidence.

For many students, practice exams are a great way to avoid fear that might otherwise arise at the test center. Practice exams are best used near the end of the exam preparation. Be sure to use them as an assessment of your current knowledge, not as a way to try to memorize key concepts. When reviewing practice exam questions, be sure you understand the question and all answers (right and wrong). In addition, set time limits to complete the practice exams.

Of course, don’t plan on studying the day of your exam. Instead, study on a regular basis for at least a few weeks before the exam. If you know the material, you won’t need any last-minute cramming. So long as you do so, end your studying the evening before the exam. And finally, get a full good night’s rest before the exam.

Day of the Exam

Before you take an exam, eat something light, even if you have no appetite. If your stomach is upset, try mild foods (such as toast or crackers). Plain saltine crackers are great for settling a cranky stomach. Keep your caffeine and nicotine consumption to a minimum; excessive stimulants aren’t conducive to reducing stress. Take a bottle of water or some hard candy with you to combat dry mouth. Be sure to dress comfortably.

Arrive at the testing center early. If you have never been to the testing center before, confirm that you know where it is. You might even consider taking a test drive. Arrive between 15 and 30 minutes early for the certification exam so that you can:

• Scan glossary terms and quick access tables before taking the exam (to get the intellectual juices flowing and to build a little confidence)

• Practice physical relaxation techniques

• Pray, meditate, or breathe deeply

• Visit the washroom

But don’t arrive too early.

Typically, the testing room is furnished with anywhere from one to six computers, and each workstation is separated from the others by dividers designed to keep others from seeing what’s happening on someone else’s computer screen. Most testing rooms feature a wall with a large picture window. This layout permits the exam coordinator to monitor the room. The exam coordinator will have preloaded the appropriate CompTIA certification exam—for this book,

that’s Exam SY0-201 Security+—and you are permitted to start as soon as you’re seated in front of the computer.

All exams are completely closed-book. In fact, you are not permitted to take anything with you into the testing area. You usually receive a blank sheet of paper and a pen or, in some cases, an erasable plastic sheet and an erasable pen. We suggest that you immediately write down on that sheet of paper all the information you’ve memorized for the test. In Exam Cram books, this information appears on the tear-out sheet (Cram Sheet) inside the front cover of each book. You are given some time to compose yourself, record this information, and take a sample orientation exam before you begin the real thing. We suggest that you take the orientation test before taking your first exam. Because all the certification exams are more or less identical in layout, behavior, and controls, you probably don’t need to do so if you’ve taken an orientation test before.

TIP Always remember that the testing center’s test coordinator is there to assist you in case you encounter some unusual problems, such as a malfunctioning test computer. If you need some assistance not related to the content of the exam itself, notify one of the test coordinators—after all, they are there to make your exam-taking experience as pleasant as possible.

All CompTIA certification exams are computer-generated. All questions are multiple choice. Often, however, you are asked to select more than one answer to a question. Likewise, you might be asked to choose the best or most effective solution to a problem from a range of choices, all of which are technically correct. Although this format might sound quite simple, the questions are constructed not only to check your mastery of basic facts and figures about security concepts, but also to require you to evaluate myriad circumstances and requirements. Taking the exam is quite an adventure, and it involves real thinking and concentration. This book shows you what to expect and how to deal with the potential problems, puzzles, and predicaments.

All CompTIA certification exams are timed. (This time is indicated on the exam by an onscreen timer clock, so you can check the time remaining whenever you like.)

PART I
System Security

Chapter 1 System Threats and Risks
Chapter 2 Online Vulnerabilities


CHAPTER ONE
System Threats and Risks

Terms you need to understand:
✓ Privilege escalation
✓ Viruses
✓ Worm
✓ Trojan
✓ Spyware
✓ Spam
✓ Rootkits
✓ Botnets
✓ Logic bomb
✓ BIOS
✓ Removable storage

Techniques you need to master:
✓ Understanding and identifying common system security threats
✓ Recognizing when an attack is happening and taking proper steps to end it
✓ Learning to identify which types of attacks you might be subject to and how to implement proper security to protect your environment
✓ Recognizing malicious code and knowing how to respond appropriately
✓ Understanding security risks that threaten system hardware and peripherals
✓ Learning the concepts of network attached storage

however. and logic bombs. This section explores those threats and risks to help you understand everyday potential dangers. but also other resources and computers. spam. Software exploitation takes advantage of a program’s flawed code. Privilege Escalation Programming errors can result in system compromise. which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator. Perhaps the most popular method of privilege escalation is a buffer overflow attack. and peripherals. part of your responsibility is to recognize malicious code and know how to respond appropriately. In today’s network environment. hardware.28 Chapter 1: System Threats and Risks Securing your resources is a challenge in any working environment. or malware. Before you can begin to look at securing the environment. viruses. they have many points of entry. Trojans. rootkits. including privilege escalation. Poor application design might allow the input of 100 characters into a field . The Security+ exam requires that you understand that minimizing system threats and risks can thwart many would-be attackers and that you understand the different types of attacks that can happen. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storagespace allocation that has been reserved in memory for that application or service. It has become common for resources to be subject to myriad attacks through software. spyware. The target is not only the information stored on local computers. leaving an intruder many points of access. botnets. you must understand the threats and risks associated with the environment. the components must be divided into separate elements so that the security process becomes easier to manage. adware. worms. This section covers the various types of malicious code you might encounter. 
Systems Security Threats Because networks today have become so complex and mobile. With so many ways of getting into the network. malicious code. These various points can all be vulnerable. allowing someone to gain unauthorized privileges. As a security professional. has become a serious problem. This is known as privilege escalation.

Privilege Escalation

Services running on Internet-connected computers present an opportunity for compromise using privilege escalation. Some services require special privilege for their operation, and a programming error could allow an attacker to obtain that special privilege. In this situation, two possible types of privilege escalation exist: a programming error that allows a user to gain additional privilege after successful authentication, and a user gaining privilege with no authentication at all.

A common route to privilege escalation is the buffer overflow. For example, an input field might be linked to a variable only capable of holding 50 characters. The overflow portion of the input data must be discarded or somehow handled by the application; otherwise, it could create undesirable results. Because no check is in place to screen out bad requests, the application doesn't know how to handle the extra data and becomes unstable. As a result, the extra data overwrites some portions of memory used by other code and causes failures and crashes. A buffer overflow can result in the following:

- Overwriting of data or memory storage.
- A denial of service due to overloading the input buffer's ability to cope with the additional data.
- The originator can execute arbitrary code, often at a privileged level.

The following are examples of these types of buffer overflow issues:

- Flaws such as buffer overflows that cause execution stack overwriting in the Java Virtual Machine (JVM). The JVM is the client-side environment supporting Java applets. Improperly created applets can potentially generate a buffer overflow condition, crashing the client system.
- In the fall of 2002, the Linux Slapper worm infected about 7,000 servers. The worm exploited a flaw in the OpenSSL implementation of Secure Sockets Layer (SSL) used by Apache on Linux-based web servers. The premise behind this vulnerability is that the handshake process during an SSL server connection can be made to cause a buffer overflow when a client uses a malformed key.

In the case of buffer overflows, good quality assurance and secure programming practices could thwart this type of attack. Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer's latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities. Patching operating systems and applications is discussed in Chapter 2, "Online Vulnerabilities." Back doors and other types of privilege escalation that are not specifically buffer overflow-related are discussed in Chapter 5, "Access Control and Authentication Basics."
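To make the 50-character example concrete, the following C program (an added example, not code from the book) places the vulnerable copy beside a bounds-checked replacement. The record layout, the field size of 50 bytes, the is_admin field that follows the buffer, and the 100-character input are all constructed for the demonstration; nothing here is taken from a real product.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_SIZE 50   /* room for 49 characters plus the terminating NUL */

/* A record whose fixed-size name field is followed by data that matters. */
struct record {
    char name[FIELD_SIZE];
    int  is_admin;      /* laid out after the buffer; an overflow of name[] reaches it */
};

/* Vulnerable pattern: strcpy copies until it sees a NUL and never consults
 * FIELD_SIZE. Input longer than 49 characters runs past name[] and corrupts
 * whatever follows it in memory (here is_admin, then the rest of the stack or heap). */
void set_name_vulnerable(struct record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Hardened pattern: measure the input against the buffer before writing and
 * reject, rather than silently truncate, anything that does not fit.
 * Returns 0 on success, -1 when the input would overflow; the record is untouched on -1. */
int set_name_checked(struct record *r, const char *input)
{
    size_t len = 0;
    while (len < FIELD_SIZE && input[len] != '\0')
        len++;                          /* bounded scan: never reads past FIELD_SIZE */
    if (len >= FIELD_SIZE)
        return -1;                      /* 50 or more characters: no room for the NUL */
    memcpy(r->name, input, len + 1);    /* copy the characters and the terminator */
    return 0;
}

/* How many bytes the vulnerable strcpy would write past the end of name[]
 * for a given input (0 when it fits). Handy when triaging a crash report. */
size_t overflow_bytes(const char *input)
{
    size_t needed = strlen(input) + 1;
    return needed > FIELD_SIZE ? needed - FIELD_SIZE : 0;
}

int main(void)
{
    struct record r = { "", 0 };
    char oversized[101];
    memset(oversized, 'A', 100);        /* constructed 100-character input */
    oversized[100] = '\0';

    printf("\"Alice\": %s\n",
           set_name_checked(&r, "Alice") == 0 ? "accepted" : "rejected");
    printf("100 x 'A': %s; strcpy would write %zu bytes past name[]\n",
           set_name_checked(&r, oversized) == 0 ? "accepted" : "rejected",
           overflow_bytes(oversized));
    /* set_name_vulnerable(&r, oversized) is deliberately not called: it would
     * overwrite is_admin and beyond, which is undefined behaviour. */
    return 0;
}
```

The checked version rejects rather than truncates, because silent truncation can itself be a vulnerability (a shortened path or username may refer to a different object than the caller intended).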

Chapter 1: System Threats and Risks

Viruses

A virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. It then attaches to other files, adds its code to the application's code, and continues to spread. Even a simple virus is dangerous because it can use all available resources and bring the system to a halt. Many viruses can replicate themselves across networks and bypass security systems.

EXAM ALERT
Viruses have to be executed by some type of action, such as running a program. Viruses are malicious programs that spread copies of themselves throughout a single machine. They infect other machines only if an infected object is accessed and the code is launched by a user on that machine.

There are several types of viruses:

- Boot sector—This type of virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory.
- Polymorphic—This type of virus can change form each time it is executed. It was developed to avoid detection by antivirus software.
- Macro—This type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users.
- Program—This type of virus infects executable program files and becomes active in memory.
- Stealth—This type of virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file's size.
- Multipartite—This type of virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files, or vice versa.

Here are a few of the most popular viruses:

- Love Bug—The virus originated in an email titled "I love you." When the attachment was launched, the virus sent copies of the same email to everybody listed in the user's address book. The virus came as a Visual Basic Scripting Edition (VBScript) attachment and deleted files, including MP3s, MP2s, and JPGs. It also sent usernames and passwords to the virus author. It infected about 15 million computers and crashed servers around the world.
- Melissa—Melissa first appeared in March 1999. It is a macro virus, embedded in a Microsoft Word document. When the recipient receives the Word document as an attachment to an email message and opens the document, the virus sends email to the first 50 addresses in the victim's email address book and attaches itself to each message.
- Michelangelo—Michelangelo is a master boot record virus. It is based on an older virus called Stoned. The Michelangelo virus erases the contents of the infected drive on March 6 (its namesake's birthday) of the current year.

Worms

Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. After the worm is running on a system, it checks for Internet connectivity. If it finds connectivity, the worm then tries to replicate from one system to the next. This process repeats with no user intervention. Since 2000, the majority of viruses released are actually worms. Examples of worms include the following:

- Morris—This famous worm took advantage of a Sendmail vulnerability, among others, and disrupted a large part of the Internet in 1988.
- Badtrans—This mass-mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access Trojan horse; Trojans are discussed in the following section.
- Nimda—This worm infects using several methods, including mass mailing, network share propagation, and several Microsoft vulnerabilities. Its name is admin spelled backward.
- Code Red—A buffer overflow exploit is used to spread this worm. This threat affected web servers running Microsoft IIS, primarily on Windows 2000.

Worms propagate by using email, instant messaging, file sharing (P2P), and IRC channels. Packet worms spread as network packets and directly infiltrate the RAM of the victim machine, where the code is then executed, without any user interaction.

EXAM ALERT
A worm is similar to a virus or Trojan, except that it replicates by itself.

Trojans

Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code's originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user's willingness to download and install the software. Trojans can perform actions without the user's knowledge or consent, such as collecting and sending data or causing the computer to malfunction. Trojans can also download other Trojans, which is part of how botnets are controlled, as discussed later in this chapter. Examples of Trojan horses include the following:

- Acid Rain—This is an old DOS Trojan that, when run, deletes system files, renames folders, and creates many empty folders.
- Trojan.W32.Nuker—This Trojan was designed to function as a denial-of-service (DoS) attack against a workstation connected to the Internet.
- Mocmex—This Trojan is found in digital photo frames and collects online game passwords.

Spyware

Undesirable code sometimes arrives with commercial software distributions. Basically, spyware is software that communicates information from a user's system to another party without notifying the user. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent.

Like a Trojan, spyware sends information out across the Internet to some unknown entity. Spyware monitors user activity on the system, especially when browsing the Internet, and in some instances includes the keystrokes typed. The information is then sent to the originator. That information, including passwords, account numbers, and other private data, will no longer be private.

EXAM ALERT
Spyware monitors user activity on the system, and can include keystrokes typed. This logged information is then sent to the originator.

Here are some indications that a computer may contain spyware:

- The system is slow, especially when browsing the Internet.
- It takes a long time for the Windows desktop to come up.
- Clicking a link does nothing or goes to an unexpected website.
- The browser home page changes, and you might not be able to reset it.
- Web pages are automatically added to your favorites list.

Many spyware eliminator programs are available. These programs scan your machine, similarly to how antivirus software scans for viruses, and just as with antivirus software, you should keep spyware eliminator programs updated and regularly run scans.

Spam

Just like junk mail clogs our regular mailbox, spam clogs our email box. Spam is a term that refers to the sending of unsolicited commercial email. Most spam is commercial advertising, often for products such as "get rich quick" schemes, physical enhancements, and cheap medications. Spam costs the sender little to send because the actual costs are paid for by the carriers rather than by the sender. Email spam targets individual users with direct mail messages. Email spam lists are often created by scanning newsgroup postings, stealing Internet mailing lists, or searching the Web for addresses. Spammers use automated tools to subscribe to as many mailing lists as possible. From those lists, they capture addresses or use the mailing list as a direct target for their attacks. State, federal, and international laws regulate spam; however, approximately 75% of the email organizations receive is still spam. It is best to filter it before it gets to the users, so use software that filters spam. When dealing with spam, follow this advice:

- Do not respond to spam messages and do not click any links within the message (even to "unsubscribe").
- Never make a purchase from an unsolicited email.
- If you do not know the sender of an unsolicited email message, delete it. (Don't be curious and open it.)
- Do not use the preview function of your email software, because if you do the email message will automatically show as read.
- Use more than one email address, keeping your personal email address private.
- Be careful about giving out your email address on websites and newsgroups.
- When sending email messages to a number of people, use the blind carbon copy (BCC) field to hide their email addresses.

CAUTION
Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address.

Adware

Advertising-supported software, or adware, is another form of spyware. It is an online way for advertisers to make a sale. Companies offer to place banner ads in their products for other companies. In exchange for the ad, a portion of the revenue from banner sales goes to the company that places the ad. These companies also install tracking software on your system, which keeps in contact with the company through your Internet connection. It reports data to the company, such as your general surfing habits and which sites you have visited. However, this novel concept presents some issues for users. Although the company might state that it will not collect sensitive or identifying data from your system, the fact remains that you have software on your PC that is sending information about you and your surfing habits to a remote location. In addition, this technology can send more than just banner statistics.

Even though legitimate adware is not illegal, certain privacy issues arise. Adware is legitimate only when users are informed up front that they will receive ads. For instance, if the adware gathers information about users, it must inform them. U.S. federal law prohibits secretly installing software that forces consumers to receive pop-ups that disrupt their computer use. Remember, although legitimate adware discloses the nature of data collected and transmitted, users have little or no control over what data is being collected and dispersed.

Rootkits

Rootkits were first documented in the early 1990s. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. A rootkit is usually installed on a computer by first obtaining user-level access, either by way of an unpatched vulnerability or by the user downloading and installing it. After a rootkit has been installed, it allows the attacker to gain root or privileged access to the computer. Root or privileged access could also allow the compromise of other machines on the network. A rootkit may consist of programs that view traffic and keystrokes, alter existing files to escape detection, or create a back door on the system.

EXAM ALERT
Rootkits can be included as part of a software package, installed by way of an unpatched vulnerability, or installed by the user downloading and running them.

Today, rootkits are more widely used and are increasingly difficult to detect on networks. Many rootkits run in the background, and you can usually spot those by looking for memory processes, monitoring outbound communications, and checking for newly installed programs. However, attackers are creating more sophisticated programs that update themselves, which makes them that much harder to detect. Kernel rootkits modify the kernel component of an operating system. These newer rootkits can intercept system calls passed to the kernel and can filter out of the results any entries generated by the rootkit software. These "tricks" invalidate the usual detection methods because they make the rootkits invisible to administrators and to detection tools. Rootkits have also been known to use encryption to protect outbound communications and to piggyback on commonly used ports to communicate without interrupting other applications that use that port. Therefore, traditional antivirus software can't always detect the malicious programs.
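The filtering trick described above, and the way detectors answer it, can be shown in a few lines. The following C program is an added example, not code from the book or from any real rootkit or detection tool: it models a hooked query that strips every entry carrying a hypothetical `_rk_` prefix, then applies cross-view detection, which compares the hooked answer against an unhooked view of the same data and reports what is missing. Cross-view comparison as a detection technique is my addition here; the listing, the prefix and the names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ENTRIES 16
#define NAME_LEN    64

/* Constructed sample: what the kernel really holds (hypothetical names). */
static const char *const real_listing[] = {
    "bash", "sshd", "cron", "_rk_backdoor", "_rk_sniffer", "syslogd"
};
#define REAL_COUNT (sizeof real_listing / sizeof real_listing[0])

/* The prefix the simulated rootkit strips from every answer it intercepts. */
static const char HIDDEN_PREFIX[] = "_rk_";

/* Unhooked view: a copy of the true listing. Stands in for a read of the raw
 * on-disk or in-memory structures that the rootkit's hook does not cover.
 * Returns the number of entries written to 'out'. */
size_t list_raw(char out[][NAME_LEN], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < REAL_COUNT && n < max; i++) {
        strncpy(out[n], real_listing[i], NAME_LEN - 1);
        out[n][NAME_LEN - 1] = '\0';
        n++;
    }
    return n;
}

/* Hooked view: the same query routed through the rootkit's intercept, which
 * drops every entry it wants hidden before handing the list back to the caller. */
size_t list_hooked(char out[][NAME_LEN], size_t max)
{
    char raw[MAX_ENTRIES][NAME_LEN];
    size_t raw_n = list_raw(raw, MAX_ENTRIES), n = 0;
    for (size_t i = 0; i < raw_n && n < max; i++) {
        if (strncmp(raw[i], HIDDEN_PREFIX, sizeof HIDDEN_PREFIX - 1) == 0)
            continue;                   /* the filter: hide the rootkit's own artifacts */
        memcpy(out[n], raw[i], NAME_LEN);
        n++;
    }
    return n;
}

/* Cross-view detection: anything present in the raw view but absent from the
 * hooked (API) view is being concealed from the administrator. Writes the hidden
 * names into 'hidden' and returns how many there are. */
size_t cross_view_diff(char hidden[][NAME_LEN], size_t max)
{
    char raw[MAX_ENTRIES][NAME_LEN], api[MAX_ENTRIES][NAME_LEN];
    size_t raw_n = list_raw(raw, MAX_ENTRIES);
    size_t api_n = list_hooked(api, MAX_ENTRIES);
    size_t found = 0;
    for (size_t i = 0; i < raw_n && found < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < api_n; j++)
            if (strcmp(raw[i], api[j]) == 0) { seen = 1; break; }
        if (!seen) {
            memcpy(hidden[found], raw[i], NAME_LEN);
            found++;
        }
    }
    return found;
}

int main(void)
{
    char hidden[MAX_ENTRIES][NAME_LEN];
    size_t n = cross_view_diff(hidden, MAX_ENTRIES);
    printf("%zu entr%s hidden from the hooked view:\n", n, n == 1 ? "y" : "ies");
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", hidden[i]);
    return 0;
}
```

The detection only works while the rootkit leaves some path unhooked; a kernel rootkit that also intercepts the low-level read collapses both views into one, which is why the text says traditional tools cannot always see these programs.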

Many vendors offer applications that can detect rootkits, such as RootkitRevealer. If a rootkit has been installed, the only definitive way to get rid of it is to completely format the computer's hard drive and reinstall the operating system. Removing rootkits can be a bit complex because you have to remove the rootkit itself and the malware that the rootkit is using. Often, rootkits change the Windows operating system itself, and such a change might cause the system to function improperly. In addition, rootkit functionality requires full administrator rights. Therefore, running Windows from an account with lesser privileges greatly reduces the risk of rootkit infection. Most rootkits use global hooks for stealth activity, so if you use security tools that can prevent programs from installing global hooks and stop process injection, you can prevent rootkit functioning.

Botnets

A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although many computers in the corporate world are bots, as well). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You might also hear a botnet referred to as a zombie army. A computer can be part of a botnet even though it appears to be operating normally. This is because bots are hidden and usually go undetected unless you are specifically looking for certain activity. It is estimated that on a typical day 40% of the computers connected to the Internet are bots.

A bot can be created through a port that has been left open or an unpatched vulnerability. A system is usually compromised by a virus or other malicious code that gives the attacker access. When a system is infected, a small program is left on the machine for future activation. The bot master can then unleash the effects of the army by sending a single command to all the compromised machines. The computers that form a botnet can be programmed to conduct a distributed denial-of-service (DDoS) attack, distribute spam, or do other malicious acts. Botnets have flooded the Internet, and this problem shows no sign of easing.

For example, Storm started out as an email that began circulating on January 19, 2007. It contained a link to a news story about a deadly storm. Fourteen months later, Storm remained the largest, most active botnet on the Internet. Storm was the first to make wide use of peer-to-peer communications. Storm also has a self-defense mechanism: when the botnet is probed too much, it reacts automatically and starts a denial-of-service (DoS) attack against the probing entity.

Botnets can be particularly tricky and sophisticated, making use of social engineering. For example, a collection of botnets known as Zbot last year stole millions from banks in four nations. The scammers enticed bank customers to click a link to download an updated digital certificate. This was a ruse, and Zbot installed a program that allowed it to see the next time the user successfully accessed the account. Zbot then automatically completed cash transfers to other accounts while the victims did their online banking.

The main issue with botnets is that they are securely hidden. This allows the botnet masters to perform tasks, gather information, and commit crimes while remaining undetected. Attackers can increase the depth and impact of their crimes by using multiple computers because each computer in a botnet can be programmed to execute the same command.

Logic Bombs

A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. It is malicious in intent and usually planted by a disgruntled employee. For a virus to be considered a logic bomb, the user of the software must be unaware of the payload. A programmer might create a logic bomb to delete all his code from the server on a future date, most likely after he has left the company. In several recent cases, ex-employees have been prosecuted for their role in this type of destruction. For example, one of the most high-profile cases of a modern-day logic bomb was the case of Roger Duronio. Duronio was a disgruntled computer programmer who planted a logic bomb in the computer systems of UBS, an investment bank. The logic bomb that he planted on about 1,000 systems deleted critical files and prevented backups from occurring. The actions of the logic bomb coincided with stock transactions by Mr. Duronio, so securities and mail fraud charges were added to the computer crime charges. He was found guilty of leaving a logic bomb on the systems and of securities fraud. He was sentenced to more than eight years in jail and fined $3.1 million. UBS estimated the repair costs at $3.1 million, and that doesn't include the downtime, lost data, or lost business.

EXAM ALERT
A logic bomb is also referred to as slag code.

During software development, it is a good idea to evaluate the code to keep logic bombs from being inserted. Even though this is a preventive measure, code evaluation will not guarantee that a logic bomb won't be inserted after the programming has been completed.

Protecting Against Malicious Code

You can take several steps to protect your network from malicious code:

- Install antivirus software and update the signature files on a regular basis. Antivirus software doesn't do a company any good if it is not updated often.
- Only open attachments sent to you by people you know. Many viruses infect user address books, so even if you know who the attachment is from, be sure to scan it before you open it.
- Do not use any type of removable media from another user without first scanning the disk.
- Perform backups on a daily basis.
- Install firewalls or intrusion-prevention systems on client machines.
- Subscribe to newsgroups and check antivirus websites on a regular basis.

Security Threats to System Hardware and Peripherals

The preceding section discussed issues that arise from threats such as privilege escalation and malware. However, these are not the only threats that exist. System hardware and peripherals can pose just as many threats. Taking the time to evaluate the environment as a whole can save you many headaches down the road, especially when formulating security policies. This section examines the hardware risks you should be aware of.

BIOS

There are ample documented procedures for securing operating systems, but significantly less is available on how to secure some of the integrated components of a system, such as the Basic Input/Output System (BIOS). Because the BIOS performs a basic function, you might not realize that it can be compromised and allow an attacker full control over a machine. The BIOS can be compromised in several ways:

- Known vulnerabilities: A vulnerability in the BIOS can allow local users to cause a DoS and the system not to boot. This scenario results from an error in the BIOS code. Any computer using the affected version of the BIOS can be configured so that the bootable partition is defined below the first slot in the master boot record (MBR) partition table, and then it will not boot. An attack at any time during an operating session can leave the computer unable to reboot. The nature of the coding error means that it is difficult to identify and might leave the computer inoperable for an extended period of time.
- Bypassing access control: System access to the BIOS configuration utility is controlled by a password. After the password is set, the configuration of the computer cannot be changed without inputting the password. However, many BIOS manufacturers build in backdoor passwords. Often, they are simple, such as the name of the BIOS manufacturer. In addition, lists of known backdoor passwords are available on the Internet. Because this method of access has become so public, BIOS manufacturers have become more secretive about any backdoors they may now use. Another BIOS vulnerability is that the BIOS holds the boot order. Boot order determines whether the operating system will be loaded from CD-ROM, USB device, hard disk, or the network. If an attacker gains physical access to the machine and changes the boot order, the attacker could boot the system from a device that contains software to change the administrative password, extract password information for a later attack, directly access data on the hard disk, or install a backdoor or Trojan.
- BIOS password: On almost all systems, the BIOS password information is stored in the CMOS RAM. Although the passwords are stored as hashed values, the hashes used leave a bit to be desired. Therefore, programs created for this specific purpose can usually crack the password in a short period of time. BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. Information for bypassing the BIOS password is readily available on the Internet.

EXAM ALERT
The BIOS passwords of laptops are a bit different in that the passwords are usually flashed into firmware. Depending on the manufacturer, the laptop may have a hardware dongle or special loopback device to bypass the password. Again, there are Internet instructions and a helpful YouTube video showing how to create your own dongle.

Most organizations do not have a policy for BIOS passwords. In most companies, many computers share the same BIOS password, and that password is seldom changed. If an attacker manages to gain physical access, a large portion of the network could be compromised. Keep in mind that one compromised system can be used as a catalyst for further attacks on several other systems or the entire network.

USB Devices

When floppy disks were the only form of removable storage, policies regarding the use of removable media were unnecessary, other than scanning the floppy disks for viruses. Technological advances in virtualization and storage essentially make removable media a PC that can be carried in a pocket. Entire environments can now be carried on devices such as a USB drive or iPod. For example, the 8GB micro drives and 32GB thumb drives currently available can carry entire virtualized environments on them. Organizations are exploring the possibilities of running environments on smaller devices to eliminate the need for specialized systems. Mobile employees can leave hardware behind and take only software with them. Of course, running operating systems and applications this way leaves little trace on the host system. All these technological changes present new challenges to the traditional methods of securing systems.

These small, high-capacity, removable storage devices present a concern when it comes to corporate security and protecting proprietary information. It is quite simple for a disgruntled employee to misuse data (take data and sell it, for instance). In addition, even employees with good intentions might misplace a removable storage device or have one stolen. However, the real issue is access to the information: if the information is readily available, it can be copied to any of these devices. Organizations have the option of not allowing removable media. Such a policy can eliminate the issues that arise from the problems presented here.

Organizations must decide whether removable devices will be allowed. If they are allowed, strict policies must dictate who can use them and how. Although it might be difficult to guard against the use of removable storage devices or enforce a policy related to removable storage, it is not impossible. For many organizations, Group Policy can be used to disable the capacity for unauthorized users to use any USB storage devices. There are also enterprise-level product suites. Group Policy is discussed further in Chapter 4, "Infrastructure Security and Controls." Another layer of protection can be applied by encrypting and properly securing sensitive corporate information; encryption is explored in great depth in Chapter 9, "Cryptography Basics."

Handheld Devices

Just about everyone carries a cell phone, and most corporate workers have PDAs. These devices have associated risks. The first is, of course, theft or loss. It is estimated that at least eight million cell phones are lost or stolen every year in the United States. Losing a cell phone or a PDA loaded with contacts, email, and client data can be a severe detriment to business. To provide convenience and redundancy, USB cables and client software can be used to sync PDAs and cell phones to a user's desktop computer. Although this might prevent lost data, it also presents other risks.

New security threats targeting cell phones and other mobile devices could quickly become bigger than anything the industry has seen so far. Considering that there are more cell phones than computers in today's environment, the impact of a cell phone virus could prove devastating. The more capabilities a device has, the more vulnerable the device. The first cell phone virus appeared in 2004. The Cabir smart phone worm attempted to spread between Symbian-based mobile phones by jumping from one Bluetooth-enabled phone to another when both phones were left in "discoverable" mode. The Cabir virus has since been found in about 15 different variations. According to a report from an Ireland-based cell phone security company, in mid-2008 the company tracked 100,000 virus incidents per day. The use of operating systems and Bluetooth technology on handheld devices will enable viruses to spread either through short message service (SMS) or by sending Bluetooth requests when cell phones are physically close enough (as demonstrated by the Cabir worm). The difference in method of infection is that SMS viruses spread based on people's social connections, whereas Bluetooth viruses spread by people's mobility patterns and population distribution.

Other security threats are also surfacing as customers use cell phones to provide more and more of the functions that computers currently do. Cell phone hacking and spyware are becoming more common. Handheld devices are rarely password protected, even though they contain a remarkable amount of data. Vendors have begun introducing customer-side security features, such as a cellular firewall and software solutions with antivirus and antispam protection for wireless mobile devices. Intrusion-prevention technologies are also a key part of the defense against threats from mobile devices. Of course, one of the best defenses against these threats is a clearly defined security policy.

Removable Storage

Removable storage is today what floppy disks were 10 years ago. Removable hard drives, especially the small passport types, afford users the convenience of carrying files for both their work environment and their home environment on one device. This convenience provides an opportunity for viruses and other malware to spread between networks and physical locations as users share files in both environments and with other users. In addition to malware infections, these devices have a large amount of storage space, so they lend themselves to data theft and information leakage. Preventing unauthorized use of removable storage and portable devices is critical to running a secure environment and meeting compliance requirements. Although some organizations choose to implement measures such as placing a USB lock on ports and prohibiting the use of CDs, this approach is proving inadequate in organizations where data security is paramount. A better approach is to combine security policies with purchasing and issuing removable storage devices as necessary, and then allowing the approved devices while blocking all unauthorized devices. An organization should consider implementing controls that ensure all portable devices and removable media are encrypted and accounted for. The security policy should require encryption of all data on portable computers and removable storage. The loss of a storage device, such as a backup tape or CD, is often the fault of third parties. Security policies should also dictate that sensitive data be encrypted before it is released to any outside agencies, such as a contracting or outside insurance firm.

Network-Attached Storage

Data storage has become a vital part of the IT enterprise environment. Data management solutions include network-attached storage (NAS) and storage area network (SAN) technologies.

A NAS unit is a self-contained device connected to a network, used to supply data storage services to other devices on the network. A SAN is a centrally located virtual disk storage system separate from network traffic and shared by servers. An organization now needs to protect terabytes of data on NAS. Although many organizations protect data in motion using encryption, they fail to protect that same data when it reaches its final resting spot on storage subsystems. In addition, some security appliances sit on a SAN or are connected to NAS to protect data considered "at rest." A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management.

EXAM ALERT
You should know the difference between the various types of storage and the security issues they present.

Subscribing to newsgroups and checking security websites daily ensures that you keep up with the latest attacks and exploits. This information will help arm you to protect all the areas of the organization that may be vulnerable.

Exam Prep Questions

1. Which of the following is a program or piece of code that runs on your computer without your knowledge and is designed to attach itself to other code and replicate?
A. Buffer overflow
B. Trojan
C. Virus
D. Spyware

2. Which of the following is the most common method used to obtain privilege escalation?
A. Buffer overflow
B. Trojan
C. Virus
D. Spyware

3. Which of the following is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system?
A. Spyware
B. Rootkit
C. Botnet
D. Adware

4. Which of the following is a correct definition of a Trojan?
A. It sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
B. It needs no user intervention to replicate.
C. It collects personal information or changes your computer configuration without appropriately obtaining prior consent.
D. It buries itself in the operating system software and infects other systems only after a user executes the application that it is buried in.

5. BIOS access control can be bypassed by which of the following methods? (Select all correct answers.)
❍ A. Cracking the BIOS password
❍ B. Overloading the keyboard buffer
❍ C. Deleting the contents of the CMOS RAM
❍ D. Deleting the contents of the MBR

6. A vulnerability in the BIOS can allow local users to cause which of the following? (Choose two answers.)
❍ A. Hard drive failure
❍ B. System not to boot
❍ C. System to lock up
❍ D. Denial of service

7. You have created a utility for defragmenting hard drives. You have hidden code inside the utility that will install itself and cause the infected system to erase the hard drive's contents on April 1, 2008. Which of the following attacks has been used in your code?
❍ A. Virus
❍ B. Spoofing
❍ C. Logic bomb
❍ D. Trojan

8. Code Red is considered a _________.
❍ A. Virus
❍ B. Trojan horse
❍ C. Worm
❍ D. Logic bomb

9. Which of the following is a self-contained device connected to a network, used to supply data storage services to other devices on the network?
❍ A. USB device
❍ B. Cell phone
❍ C. Removable storage
❍ D. Network-attached storage

10. Which of the following is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent?
❍ A. Spyware
❍ B. Rootkit
❍ C. Botnet
❍ D. Trojan

Answers to Exam Prep Questions

1. C. A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user's system to another party without notifying the user. Answer B is incorrect because Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code's originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user's willingness to download and install the software. Answer D is incorrect because adware is a form of advertising that installs additional tracking software on your system, which keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.

2. D. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed. Answer A is incorrect because it describes a worm. Answer B is incorrect because it describes IP spoofing. Answer C is incorrect because it describes spyware.

3. B. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user's system to another party without notifying the user. Answer C is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. Many computers compromised in this way are unprotected home computers. You may also hear a botnet referred to as a zombie army. A bot provides the spam or virus originator with the venue to propagate. Answer D is incorrect. A buffer overflow is an attack technique, not a piece of installed software; buffer overflows cause disruption of service and lost data.

4. D. Perhaps the most popular method of privilege escalation is a buffer overflow attack. This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service. Buffer overflows cause disruption of service and lost data, and when the overflowing data is crafted by an attacker it can overwrite control information and run the attacker's code with the privileges of the affected process. Answer A is incorrect because spyware is software that communicates information from a user's system to another party without notifying the user. Answer B is incorrect because Trojans are programs disguised as useful applications; they do not replicate themselves like viruses, but they can be just as destructive. Answer C is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate.

5. A, B, C. BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. Answer D is incorrect because the MBR is part of the hard disk configuration and has nothing to do with the BIOS.

6. B, D. A vulnerability in the BIOS can allow local users to cause a denial of service and the system not to boot. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted and is associated more with attacks that happen after the machine is up and running.

7. C. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or after a certain period of time passes. Answers A and D are incorrect because the defining feature here is the specified time trigger, which a plain virus or Trojan does not have. Answer B is incorrect because spoofing involves modifying the source address of traffic or the source of information.

8. C. Code Red is considered a worm. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A buffer overflow exploit in the Microsoft IIS web server is used to spread this worm, so the threat affects only web servers running IIS, principally on Microsoft Windows 2000. Answers A, B, and D are incorrect because Code Red is not a virus, logic bomb, or Trojan.

9. D. A NAS unit is a self-contained device connected to a network, used to supply data storage services to other devices on the network. Answers A, B, and C are all incorrect because they are removable, small-capacity devices.

10. A. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Answer B is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. Answer C is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. Many computers compromised in this way are unprotected home computers (although many computers in the corporate world are bots, too, as we've recently learned). You might also hear a botnet referred to as a zombie army. A bot provides the spam or virus originator with the venue to propagate. Answer D is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed.

Suggested Reading and Resources
1. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed, 5th Edition. McGraw-Hill Osborne Media, 2005.
2. Tittel, Ed. PC Magazine Fighting Spyware, Viruses, and Malware. John Wiley & Sons, 2004.

References
1. Raby, Mark. "IT administrator gets 8 years for cyber sabotage." TG Daily, December 2006 (http://www.tgdaily.com/content/view/30487/118/).
2. The Pittsburgh Channel. "Call 4 Action: Cell Phone Virus Threat Grows." July 2008 (http://www.thepittsburghchannel.com/call4action/17016797/detail.html).
3. Virus Bulletin website: http://www.virusbtn.com
4. CERT Coordination Center (CERT/CC): http://www.cert.org
5. SANS Top 20 Security Risks: http://www.sans.org/top20/

CHAPTER TWO
Online Vulnerabilities

Terms you need to understand:
✓ Java
✓ JavaScript
✓ ActiveX
✓ Cookies
✓ Cross-site scripting
✓ SMTP relay
✓ Lightweight Directory Access Protocol (LDAP)
✓ Wireless Application Protocol (WAP)
✓ Wireless local area network (WLAN)
✓ Wi-Fi
✓ Wired Equivalent Privacy (WEP)
✓ Back doors

Techniques you need to master:
✓ Understanding the common vulnerabilities present in web-based technologies
✓ Knowing the common vulnerabilities of LDAP services
✓ Recognizing the more common considerations in performing a site survey

A common saying about the only truly secure computer is that it is one left in its box and connected to nothing. Although this might be an oversimplification, it is true that the moment a computer is connected to a network, the requirements for securing against unwanted intrusion multiply. In this chapter, you will examine vulnerabilities common to many standard technologies that may be exposed by connecting to the Internet.

Web Vulnerabilities
One primary area of network security involves the use of a public web server. Web security includes client-side vulnerabilities presented by ActiveX or JavaScript code running within the client's browser; server-side vulnerabilities such as Perl, Active Server Page (ASP), and common gateway interface (CGI) scripting exploits and buffer overflows used to run undesirable code on the server; and other forms of web-related security vulnerabilities such as those involving the transfer of cookies or unsigned applets.

Java and JavaScript
Many websites use a scripting language created originally by the Netscape Corporation and now known as JavaScript. Despite the name, JavaScript is unrelated to the Java language created by Sun Microsystems: JavaScript source code is transferred to the client's browser, where it is interpreted and used to control and manipulate many browser settings and the contents of the page.

Java Vulnerabilities
Unlike many languages, Java source code is compiled to an intermediate bytecode that is executed by a platform's Java Virtual Machine (JVM), allowing the same Java application to run properly on a Linux, Mac OS, or Windows platform. Java's capability to operate on many different computer platforms has made it a popular option for web delivery of application content. Because Java is a precompiled language, a Java-based mini-program, called an applet, may present many security risks to the client, including those identified in Table 2.1. Applets execute when the client machine's browser loads the hosting web page.

TIP
Although this section focuses on web-based vulnerabilities, note that many of these are also vulnerabilities affecting HTML-enabled clients of other types, including many modern email clients.

TABLE 2.1 Some Identified Vulnerabilities of the Java Language

Vulnerability: Buffer overflow in the JVM
Description: The client-side environment supporting Java applets is referred to as the Java Virtual Machine. Improperly created applets can potentially generate a buffer overflow condition, crashing the client system.

Vulnerability: Ability to execute instructions
Description: Early versions of the JVM could be used to issue commands to the client system, allowing manipulation of the file system and data files at will.

Vulnerability: Resource monopolization
Description: Improperly designed Java applets can easily consume all available system resources on the client system. It is possible to create applets that continue running within the JVM, even after the applet is closed.

Vulnerability: Unexpected redirection
Description: Early JVM versions allowed Java applets to redirect the browser and create connections to other hosts without user interaction.

JavaScript Vulnerabilities
Unlike precompiled Java applets, where browser configuration settings control the possible behavior of the applet, JavaScript is interpreted within the client's browser environment. Because it must be parsed and executed within the client's environment, JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client. Table 2.2 identifies the most common vulnerabilities; remember, however, that new vulnerabilities are regularly discovered.

TABLE 2.2 Some Identified Vulnerabilities of JavaScript

Vulnerability: File access
Description: JavaScript code may be used on unsecured systems to access any file on the client computer that the current user may access. These files may then be sent elsewhere, manipulated, or deleted. The name of the file must be known for this to occur.

Vulnerability: Cache access
Description: Properly designed JavaScript code can be used to read the URLs within a browser's cache, allowing the code to mine the user's browsing habits, preferences, site cookies, email settings, and information entered in web forms.

Vulnerability: File upload
Description: It is possible to create JavaScript coding that will cause access of a web page to upload files from the client's system without the user's knowledge or input.

Vulnerability: Email exposure
Description: Early browser versions allowed JavaScript to send email as if sent by the user.

EXAM ALERT
Remember that Java is a compiled language that can lead to the execution of arbitrary commands or direct manipulation of data, while JavaScript is a client-side interpreted language that mainly poses privacy-related vulnerability issues.

ActiveX Controls
Microsoft developed a precompiled application technology that can be embedded in a web page in the same way as Java applets. This technology is referred to as ActiveX, and its controls share many of the same vulnerabilities present in embedded Java applets. Unlike Java applets, which run inside the JVM's sandbox, ActiveX controls do not have restrictions on which forms of action they may enact; a control runs with the full privileges of the user's browser process. ActiveX controls are restricted only on the basis of whether they are signed. ActiveX controls may be digitally signed using an Authenticode signature, which is verified against its issuing certificate authority (CA). A valid signature establishes who published the control, not that the control is safe: a signed control with an exploitable flaw is as dangerous as an unsigned one. If a user configures his browser to allow execution of unsigned ActiveX controls, controls from any source performing any action may be enacted by visiting a website hosting the control embedded within the HTML page.

TIP
To avoid vulnerabilities exposed by earlier forms of Java and ActiveX development, all machines should be kept up-to-date with new version releases, and automatic code execution should be turned off or the client's browser security settings raised to prevent it. Scripting language vulnerabilities may be addressed in this manner.

Cookies
HTTP is a stateless protocol: each request stands alone, which becomes a limitation when a website deployment scales across many pages, servers, or sites. To overcome this limitation, the Netscape Corporation created a technology using small files stored by the client's browser to maintain settings across multiple pages, servers, or sites. These small files are known as cookies and may be used to maintain data such as user settings between visits to the same site on multiple days, or to track user browsing habits such as those used by sites hosting DoubleClick banner advertisements.

Privacy Issues
Many sites require that browsing clients be configured to accept cookies to store information such as configuration settings or shopping-cart data for electronic commerce sites. These cookies are also useful to provide custom user configuration settings on subsequent entries to web portals whose content is presented in a dynamic manner. Cookies may be used to track information such as the name and IP address of the client system and the operating system and browser client being used, along with any specific settings set within the cookie by the host website. Additional information includes the name of the target and previous URLs. If cookies are accessed across many sites, they may be used to track the user's browsing habits and present the user with targeted advertising or content. Many users believe this is a violation of their privacy.

EXAM ALERT
Although cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent (persistent) cookie that sticks around, whereas a session cookie stays around only for that particular visit to a website and is discarded when the browser closes. The difference is visible in the Set-Cookie header: a cookie carrying an Expires or Max-Age attribute is persistent; one without is a session cookie.

TIP
Clients should regularly clear their browser cookie cache to avoid exposing long-term browsing habits in this way. Where possible, client browsers may also be configured to block third-party cookies (cookies set by a domain other than the site being visited), which defeats most cross-site tracking without breaking the visited site's own session cookies. Blocking cookies altogether prevents the use of session variables to maintain details from one page to another, although many online commerce sites require this functionality for their operation.

Session Values
Cookies may also be used to store session settings across multiple actual connections to a web server. This proves helpful when connecting to a distributed server farm, where each page access might be handled by a separate physical server. This is useful in electronic commerce sites where a shopping cart application might add items from multiple pages to a total invoice before being transferred to a billing application. The danger to maintaining session information is that cookies stored in the browser's cache may contain details on the user's e-commerce shopping habits, along with many user details that could possibly include sensitive information identifying the user or allowing access to secured sites. A browser returns a cookie only to the site that set it, so the practical exposure comes from a cookie sent over an unencrypted connection (where it can be sniffed), from script injected into that site (cross-site scripting), or from malware reading the cookie store on the client. Marking a cookie Secure (sent only over HTTPS) and HttpOnly (not readable by script) limits the first two.
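The distinctions above (session versus persistent cookie, first-party versus third-party, and the Secure and HttpOnly flags) can be checked mechanically from the Set-Cookie headers a page load produces. The following is an added example, not code from the book: it classifies a constructed set of responses as a browser or a privacy audit would. The hosts, header values, and the fixed clock are all constructed sample data.

```python
"""Added example (not code from the book): classify Set-Cookie headers the
way a privacy audit or a browser does.  The headers, hosts and clock below
are constructed sample data, not a real capture."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed "current time" so the classification is reproducible.
SAMPLE_NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)

# Constructed responses seen while loading https://shop.example.com/:
# (host that sent the response, Set-Cookie header value)
SAMPLE_RESPONSES = [
    ("shop.example.com", "cart=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example.com", "prefs=theme%3Ddark; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "id=7f3a9c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("shop.example.com", "seen=1; Expires=Thu, 01 Jan 2009 00:00:00 GMT; Path=/"),
]


@dataclass
class CookieReport:
    name: str
    kind: str          # "session", "persistent" or "expired"
    third_party: bool  # set by a host outside the page's own site
    secure: bool       # only sent over HTTPS
    http_only: bool    # not readable by JavaScript (limits XSS theft)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the sample hosts."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_set_cookie(header: str, response_host: str,
                        page_host: str, now: datetime) -> CookieReport:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # A cookie is persistent (the kind a tracker wants) only if it carries a
    # lifetime: Max-Age wins over Expires.  No lifetime means a session
    # cookie, discarded when the browser closes.  A lifetime in the past
    # tells the browser to delete the cookie.
    kind = "session"
    if "max-age" in attrs:
        kind = "persistent" if int(attrs["max-age"]) > 0 else "expired"
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        kind = "persistent" if expires > now else "expired"

    # Third-party means the response came from a different site than the
    # page the user is visiting, regardless of any Domain attribute.
    third_party = registrable_domain(response_host) != registrable_domain(page_host)
    return CookieReport(name, kind, third_party,
                        "secure" in attrs, "httponly" in attrs)


def audit_cookies(responses, page_host: str, now: datetime):
    """Classify every Set-Cookie seen while loading a page on page_host."""
    return [classify_set_cookie(header, host, page_host, now)
            for host, header in responses]


def blocked_by_third_party_policy(reports):
    """Names a browser would refuse to store with third-party cookies off."""
    return [r.name for r in reports if r.third_party]


if __name__ == "__main__":
    for report in audit_cookies(SAMPLE_RESPONSES, "shop.example.com", SAMPLE_NOW):
        print(report)
```

Run against the sample, the shopping-cart cookie is a first-party session cookie with both protective flags, the preferences cookie is first-party but persistent for a year, the advertising network's cookie is the persistent third-party tracking cookie the EXAM ALERT describes (and the only one a third-party block would stop), and the last header is a deletion.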

Common Gateway Interface Vulnerabilities
A server-side interpretation option includes the use of common gateway interface (CGI) scripts, often written in the Perl language. Because these scripts are interpreted on the server system, generally utilizing user input values, they are highly subject to exploitation in many ways. Most exploits can be grouped into two general categories:

• CGI scripts may leak information about the server. Poorly written CGI scripts may leak information about the server, such as the directory structure and any running applications and daemons. These exploits may allow the identification of configuration details of the server that may be helpful to later unauthorized access attempts, a process often referred to as profiling.

• CGI scripts used to process user input data may be exploited to execute unwanted commands on the server. It is possible for poorly written CGI scripts to pass user input data directly to the shell environment, which could allow a properly formatted input value to execute arbitrary commands on the web server. Because any process that can execute functionality on the server has inherent access rights, improperly formed CGI scripts could be used to execute arbitrary commands on the server, change server configuration settings, and even create unauthorized user accounts on the server that could later be used to gain greater control over the server. The injected commands run with the privileges of the web server process, so running that process as an unprivileged account limits what an attacker gains.

CGI script creation requires many considerations for security, including the following:

• Many standard scripts are installed in default web server installations. These are in known folder locations and often contain sample code that is not designed for security and may include well-known exploits. Sample scripts that are not needed should be removed.

• Data input should always include a default value and character limitations to avoid buffer overflow exploitation. The checks must run on the server: a length or character limit enforced only in the browser is trivially bypassed.

• CGI wrapper scripts should be used when possible to perform pre-execution checks on input, change the ownership of the process, or restrict process access within the file system.
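The two defences listed above (default value plus character limits, and never handing raw input to the shell) and the output-encoding defence against the cross-site scripting (XSS) attack covered under Browser Threats later in this chapter are shown side by side below. This is an added example, not code from the book: one CGI-style request handler written the unsafe way and then hardened. The request values are constructed samples, and shell_commands() is a rough lexer that counts what a POSIX shell would execute, used here instead of running anything.

```python
"""Added example (not the book's code): one CGI request handler written twice.
The unsafe version reproduces the two failures the text describes (user input
handed to the shell and echoed into the page unescaped); the hardened version
applies the defences the text lists: a default value, a length limit, an
allowlist, argv instead of a shell, and output encoding.  Payloads are
constructed samples; shell_commands() is a rough lexer that counts what a
POSIX shell would execute, so nothing is actually run."""
import html
import re
import shlex

# ---------------------------------------------------------------- unsafe ---
def unsafe_command(user: str) -> str:
    # Equivalent of Perl's  system("finger $user") : the value is pasted into
    # a command line that /bin/sh will parse, operators and all.
    return f"finger {user}"


def unsafe_render(text: str) -> str:
    # Echoing a parameter back unchanged is a reflected-XSS sink.
    return f"<p>Results for {text}</p>"


# ------------------------------------------------------------- hardened ---
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # allowlist, 32 chars max


def validate_username(raw, default: str = "guest") -> str:
    """Default value plus character and length limits; reject everything else."""
    if raw is None or raw == "":
        return default
    if not USERNAME_RE.match(raw):
        raise ValueError(f"rejected username {raw!r}")
    return raw


def safe_argv(user) -> list:
    # argv form for subprocess.run(): no shell parses it, so ';', '|', '`'
    # and '$(' are ordinary bytes, and the allowlist excludes them anyway.
    return ["finger", validate_username(user)]


def safe_render(text: str) -> str:
    # Encode for the HTML context so '<', '>', '&' and quotes cannot start
    # markup; this protects free-text fields the allowlist does not cover.
    return f"<p>Results for {html.escape(text, quote=True)}</p>"


# ----------------------------------------------------------- assessment ---
_OPERATORS = {";", "|", "||", "&&", "&"}


def shell_commands(cmdline: str) -> int:
    """Count the commands a POSIX shell would run for cmdline (1 = no injection)."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    operators = sum(tok in _OPERATORS for tok in tokens)
    substitutions = cmdline.count("$(") + cmdline.count("`") // 2
    return 1 + operators + substitutions


if __name__ == "__main__":
    for payload in ("bob", "bob; cat /etc/passwd", "$(id)", "<script>alert(1)</script>"):
        print(f"{payload!r}: shell would run "
              f"{shell_commands(unsafe_command(payload))} command(s)")
        try:
            print("  hardened argv:", safe_argv(payload))
        except ValueError as err:
            print("  hardened argv:", err)
        print("  hardened html:", safe_render(payload))
```

The point of the argv form is that there is no shell to exploit; the allowlist is a second, independent check, and the HTML encoding is a third that applies whenever input is written into a page, whatever earlier validation accepted.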

Browser Threats
The evolution of web network applications, Web 2.0 interactive interfaces, and other browser-based secure and anonymous-access resources available via the HTTP and HTTPS protocols presents an "anytime/anywhere" approach to enterprise network resource availability. As more applications are migrated into the browser, attackers have an increasingly large attack surface area for interception and interaction with user input and for directed attacks against web-based resources. The global nature of the Internet allows attackers to place web-based traps in countries of convenience, where law enforcement efforts are complicated by international legal variance.

Browser-based vulnerabilities you should know for the exam include the following:

• Session hijacking—Because browsers access resources on a remote server using a predefined port (80 for HTTP or 443 for HTTPS), browser traffic is easily identifiable by an attacker who may elect to hijack legitimate user credentials and session data for unauthorized access to secured resources. On an unencrypted HTTP connection the session cookie or token travels in the clear, and whoever captures it can present it and be treated as the user. Although Secure Sockets Layer (SSL) traffic is encrypted between endpoints, an attacker who crafts a web proxy with SSL can allow a user to connect securely to this proxy system and then establish a secured link from the proxy to the user's intended resource, capturing plain-text data transport on the proxy system even though the user receives all appropriate responses for a secured connection. This man-in-the-middle arrangement works only if the browser accepts the proxy's certificate, which is why certificate warnings must not be clicked through.

• Cross-site scripting (XSS)—By placing malicious executable code on a website, an attacker can cause an unknowing browser user to conduct unauthorized access activities, expose confidential data, and provide logging of successful attacks back to the attacker without the user being aware of their participation. XSS vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. The injected script runs with the same access to the page and its cookies as the site's own script, which is why XSS so often leads directly to session theft.

• Add-in vulnerabilities—Active content within websites offers an attractive attack space for aggressors, who may craft special "drivers" required for content access that are in fact Trojans or other forms of malware. Other attackers craft malware to take advantage of unpatched add-ins to directly inject code or gain access to a user's system when a vulnerable browser is directed to an infected website.

• Buffer overflows—Like desktop and system-based applications, many web browser applications offer an attacker a mechanism for providing input in the form of a crafted uniform resource locator (URL) value. By extending the input values beyond the memory space limitations of the expected input values, an attacker can inject code into adjacent memory space to allow execution of arbitrary code: on the client when the flaw is in the browser, and on the web server when the flaw is in the server's handling of the URL. By restricting the data that can be input, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content.

TIP
As mentioned earlier in this chapter, restricting automatic code execution of JavaScript or ActiveX controls and cookie generation can also strengthen the client's browser security stance. When possible, maintaining operating system, application, and add-on updates will help to reduce the threat posed by many browser-based attack forms.

EXAM ALERT
When presented with a question that relates to mitigating the danger of buffer overflows or XSS attacks, look for answers that relate to input validation.

Peer-to-Peer Networking
Internet-based services often make use of the same client-server or n-tier (three or more layers including client, middle processing tiers, and server or source computers) architecture as their older enterprise-based applications. However, many services have evolved to a more decentralized architecture of resource availability better suited to the global Internet. These services negotiate connections directly between clients, without requiring access to a single central server. The common BitTorrent file-sharing application is an example of this type of resource-sharing peer-to-peer (P2P) solution, allowing users to transport files between remote clients without passing through a central server for access. This presents difficulties for access restriction because any two clients may negotiate connections using random ports and protocols, bypassing traffic analysis and access control restrictions.

Instant Messaging
Enterprise and personal instant messaging (IM) clients such as AOL, Yahoo! Messenger, and Windows Live Messenger enable users to rapidly check availability and communicate both synchronously and asynchronously with peers, family members, and co-workers. These applications have increased in sophistication to include video and audio teleconferencing, file-sharing, and

desktop/application-sharing capabilities in addition to the basic textual chat functions from early server operator communications clients. The file-transfer and desktop-sharing capabilities of many clients present challenges against unauthorized data sharing. Attackers develop viral malware capable of spreading through contacts listings within IM clients, while creative attackers make use of the audio and video capabilities to directly "tap" unwary IM users. Others focus on capturing IM traffic and cached logs of past conversations, in an attempt to obtain useful or harmful information.

Protocol Vulnerabilities
Many protocols contain common vulnerabilities that may be manipulated to allow unauthorized access, including SSL connections and Lightweight Directory Access Protocol (LDAP).

Simple Mail Transfer Protocol Relay
Although not specifically a web-related problem, the possible exploitation of Simple Mail Transfer Protocol (SMTP) relay agents to send out large numbers of spam email messages is included because many web servers include a local SMTP service used by server-side processes to perform Mailto functions needed within the website. Spammers search for unprotected SMTP relay services running on public servers, which may then be used to resend SMTP messages to obscure their true source. A relay is "open" if it accepts a message whose sender and recipient are both outside the domains it serves; the service should relay only for local addresses or authenticated clients, and a host that does not is quickly added to spam blocklists.

SSL/TLS
Transport Layer Security (TLS), including data transfer encapsulated by its predecessor SSL, may be exploited in many ways. The encapsulated data stream could potentially be compromised through cryptographic identification of the key, although a modern 128-bit symmetric key is beyond any reasonable brute-force effort; practical attacks instead target the handshake, the certificates, or flaws in the implementation.

EXAM ALERT
HTTPS (HTTP over SSL/TLS) uses X.509 digital certificates and operates over port 443. Do not confuse HTTPS with the less commonly used Secure Hypertext Transport Protocol (S-HTTP) that operates over port 80 along with regular HTTP traffic.

SSL connections are also particularly vulnerable during the handshake process, where client and server exchange details of the shared encryption keys to be used. Many forms of buffer overrun may also be used during the SSL handshake process, along with code execution and system compromise possibilities. Malformed certificates may be used to exploit the parsing libraries used by SSL agents, allowing the compromise of security details and possible code execution on the compromised system. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised, self-signed, or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates, to compromise the secured connection. Configuring client browsers to raise an alert when blocking content provided through self-signed certificates can help to reduce this threat.

LDAP
Lightweight Directory Access Protocol provides access to directory services, including that used by Microsoft Active Directory. LDAP was created as a "lightweight" alternative to earlier implementations of the X.500 Directory Access Protocol and communicates on TCP port 389 (LDAP over SSL/TLS, LDAPS, uses TCP port 636). Its widespread use influences many other directory systems, including the Directory Service Markup Language (DSML), Service Location Protocol (SLP), and commercial products such as Microsoft Active Directory. Variations of LDAP share many common vulnerabilities, including the following:

• Buffer overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server.

• Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation.

• Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the LDAP server, preventing it from responding to normal requests.

Applications that query the directory add a weakness of their own: if user input is pasted into a search filter without escaping, the user can alter the filter's logic (LDAP injection), much as unescaped input alters a CGI command line.

NOTE
LDAP uses an object-oriented access model defined by the Directory Enabled Networking (DEN) standard, which is based on the Common Information Model (CIM) standard.
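The LDAP injection point made above can be seen with a small amount of code. The following is an added example, not from the book: a login filter built from user input with and without the escaping that RFC 4515 requires, evaluated against a constructed toy directory. The filter parser understands only the &, | and equality forms used here; a real client library (and a real server) does the parsing, but the effect of an unescaped asterisk or parenthesis is the same.

```python
"""Added example (not from the book): LDAP search-filter injection, the
application-side counterpart of the malformed-request problems the text lists.
The escaping follows RFC 4515; the filter parser/evaluator is a toy that
understands only the &, | and equality forms used here, and the directory
entries are constructed sample data."""
import re

# --- filters built from user input ----------------------------------------
def build_filter_unsafe(username: str) -> str:
    return f"(&(objectClass=person)(uid={username}))"


_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(username: str) -> str:
    return f"(&(objectClass=person)(uid={ldap_escape(username)}))"


# --- toy directory and filter evaluator -----------------------------------
DIRECTORY = [  # constructed entries
    {"objectClass": "person", "uid": "alice"},
    {"objectClass": "person", "uid": "bob"},
    {"objectClass": "person", "uid": "admin"},
    {"objectClass": "device", "uid": "printer1"},
]


def parse_filter(text: str):
    """Parse (&(a=b)(c=d)), (|...) and (attr=value) into nested tuples."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def _unescape(segment: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), segment)


def value_matches(pattern: str, actual: str) -> bool:
    """An unescaped '*' is a wildcard; the escaped form '\\2a' is a literal."""
    segments = [_unescape(s) for s in pattern.split("*")]
    if len(segments) == 1:
        return actual == segments[0]
    if not (actual.startswith(segments[0]) and actual.endswith(segments[-1])):
        return False
    pos = len(segments[0])
    for middle in segments[1:-1]:
        index = actual.find(middle, pos)
        if index < 0:
            return False
        pos = index + len(middle)
    return pos <= len(actual) - len(segments[-1])


def matches(tree, entry) -> bool:
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    return attr in entry and value_matches(value, entry[attr])


def search(filter_text: str):
    """Return the uids of DIRECTORY entries matching filter_text."""
    tree = parse_filter(filter_text)
    return [entry["uid"] for entry in DIRECTORY if matches(tree, entry)]


if __name__ == "__main__":
    for supplied in ("alice", "*", "x))(|(uid=*"):
        for builder in (build_filter_unsafe, build_filter_safe):
            try:
                print(builder.__name__, repr(supplied), "->", search(builder(supplied)))
            except ValueError as err:
                print(builder.__name__, repr(supplied), "-> rejected:", err)
```

With the unsafe builder a username of "*" matches every person (an authentication check built this way passes for anyone), and a username containing unbalanced parentheses produces the kind of malformed request the server rejects, or worse, reinterprets. After escaping, both inputs are compared as literal strings and match nothing.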

File Transfer Protocol Vulnerabilities
Another common publicly exposed service involves the File Transfer Protocol (FTP) defined within the TCP/IP suite, which uses TCP port 21 for its control channel. FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication.

Anonymous Access
Many FTP servers include the ability for anonymous access in their default installation configuration. Here, it is unnecessary and even undesirable to require every possible user to first obtain an account and password to access the download area, and so an option is provided to allow anonymous access. Anonymous access (sometimes loosely called "blind" FTP, although that term more precisely describes a write-only drop directory whose contents cannot be listed) is a popular method to provide general access to publicly available downloads such as a mirror site that contains a new open-access license (OAL) software distribution, or the newest version of Linux. The problem with this form of access is that any user may download (and potentially upload) any file desired. If unauthorized file upload is allowed along with download, illegal file content could be placed on the server for download, without the knowledge of the system's administrator. This might result in a server's available file storage and network access bandwidth being rapidly consumed for purposes other than those intended by the server's administrator.

Unencrypted Authentication
Even when user authentication is required, FTP passes the username and password in an unencrypted (plain-text) form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server. The file contents on the data channel are unencrypted as well.

EXAM ALERT
A more secure alternative to FTP is SFTP (sometimes written S/FTP), the SSH File Transfer Protocol. It runs inside a Secure Shell (SSH) session on TCP port 22, is also referred to as FTP over SSH, and is a different protocol rather than FTP with encryption added. Do not confuse it with FTPS (FTP over SSL/TLS), which wraps the FTP protocol itself in an SSL/TLS session. Either may be used within a modern enterprise network.
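How little effort the sniffing described above takes is shown by the following added example, which is not code from the book. It walks a constructed list of captured control-channel segments, pairs each USER with the PASS that follows it on the same connection, and reads the outcome from the server's reply; the SSH session included at the end illustrates why the same approach yields nothing against SFTP.

```python
"""Added example (not from the book): recover FTP logins from captured
control-channel traffic.  The capture is a constructed list of
(src, sport, dst, dport, payload) tuples standing in for what a sniffer on
the same segment would see; the point is that USER and PASS cross the wire
as readable text on TCP port 21, while the SSH session at the end does not."""
FTP_PORT = 21
ANONYMOUS_USERS = {"anonymous", "ftp"}

CAPTURE = [  # constructed sample, one control-channel segment per tuple
    ("10.0.0.5", 51234, "203.0.113.10", 21, b"USER bob\r\n"),
    ("203.0.113.10", 21, "10.0.0.5", 51234, b"331 Please specify the password.\r\n"),
    ("10.0.0.5", 51234, "203.0.113.10", 21, b"PASS Hunter2!\r\n"),
    ("203.0.113.10", 21, "10.0.0.5", 51234, b"230 Login successful.\r\n"),
    ("10.0.0.7", 51800, "203.0.113.10", 21, b"USER anonymous\r\n"),
    ("203.0.113.10", 21, "10.0.0.7", 51800, b"331 Please specify the password.\r\n"),
    ("10.0.0.7", 51800, "203.0.113.10", 21, b"PASS guest@example.org\r\n"),
    ("203.0.113.10", 21, "10.0.0.7", 51800, b"530 Login incorrect.\r\n"),
    ("10.0.0.9", 52000, "203.0.113.10", 22, b"SSH-2.0-OpenSSH_5.1\r\n"),
]


def is_anonymous(user) -> bool:
    return (user or "").lower() in ANONYMOUS_USERS


def extract_ftp_logins(packets):
    """Return one dict per PASS command seen, with the outcome taken from the
    server's next 230 (success) or 530 (failure) reply on that connection."""
    pending_user = {}   # (client, client port) -> username from the last USER
    awaiting = {}       # (client, client port) -> login dict awaiting a reply
    logins = []
    for src, sport, dst, dport, payload in packets:
        line = payload.decode("ascii", "replace").rstrip("\r\n")
        if dport == FTP_PORT:                    # client -> server command
            verb, _, arg = line.partition(" ")
            key = (src, sport)
            if verb.upper() == "USER":
                pending_user[key] = arg
            elif verb.upper() == "PASS":
                user = pending_user.pop(key, None)
                login = {"client": src, "server": dst, "user": user,
                         "password": arg, "anonymous": is_anonymous(user),
                         "outcome": "unknown"}
                logins.append(login)
                awaiting[key] = login
        elif sport == FTP_PORT:                  # server -> client reply
            key = (dst, dport)
            login = awaiting.get(key)
            code = line[:3]
            if login is not None and code in ("230", "530"):
                login["outcome"] = "success" if code == "230" else "failure"
                del awaiting[key]
        # Anything else (for example the SSH session on port 22) carries no
        # readable credentials and is ignored.
    return logins


if __name__ == "__main__":
    for login in extract_ftp_logins(CAPTURE):
        print(login)
```

The same one-pass logic is what intrusion-detection sensors use to flag cleartext logins on a monitored segment; the defensive reading is that any credential usable over FTP must be treated as exposed to everyone on the path.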

Secure variations of the FTP protocol ensure that data cannot be intercepted during transfer and allow the use of more secure transfer of user access credentials during FTP logon.

Wireless Network Vulnerabilities
Many new technological solutions being embraced by the mobile workforce include mobile data connected equipment such as cell phones, text pagers, and personal digital assistants (PDAs). Mobile equipment may make use of many different communications standards, including long-range mobile communications using the Wireless Application Protocol (WAP) or i-Mode standards, wireless local area network (WLAN) communications using the 802.11 wireless fidelity (Wi-Fi) standards, and short-range personal area network links using Bluetooth.

WAP and i-Mode
Wireless technologies such as mobile data cell phones include the ability to present web content in textual format using Compact HTML (cHTML) over Japan's i-Mode standard, or the Wireless Markup Language (WML) supported by the WAP standard. Both standards also enable users to access email, newsgroups, IM, and other types of data. However, the same certificate vulnerabilities discussed earlier in this chapter apply here, too.

NOTE
The Wireless Application Protocol (WAP) Forum is working with many standards organizations, including the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), to develop the next official standard. The current version is WAP 2.0, which extended the original specification to include additional XHTML details supporting wireless devices.

The WAP standard includes several other standard specifications, such as the following:

• Wireless Application Environment (WAE)—Specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, and PDAs.

• Wireless Session Layer (WSL)—Equivalent to the session layer of the Open Systems Interconnection (OSI) model (the WAP specifications name this layer the Wireless Session Protocol, WSP).

- Wireless Transport Layer (WTL)—Equivalent to the transport layer of the OSI model (the Wireless Transaction Protocol, WTP, in the WAP specifications), optimized for low-bandwidth communications with possible lengthy delay between packet transmission and receipt, which is referred to as latency.
- Wireless Transport Layer Security (WTLS)—Specifies a WTL security standard based on the TLS standard.

WLANs

New technologies using radio frequency transmissions are beginning to replace wired office networks and provide network support for mobile Bluetooth and 802.11-enabled devices. Popular coffee chains, college campuses, apartment complexes, and home users are taking advantage of the rapid proliferation of 802.11b technology using the 2.4GHz unregulated range of frequencies made popular by many vendors producing Wi-Fi network equipment.

The 802.11 specifications adapt the carrier sense multiple access (CSMA) method of connectivity used by the Ethernet protocol to provide wireless network access; because a radio cannot detect a collision while it is transmitting, 802.11 uses collision avoidance (CSMA/CA) rather than Ethernet's collision detection (CSMA/CD). To avoid data collisions, CSMA/CA protocols require the device to sense whether the carrier is already busy and to wait a random amount of time to check again, only initiating a signal when there is no traffic. The 802.11 specifications are evolving through the extension of the original Institute of Electrical and Electronics Engineers (IEEE) 802.11 specifications to include additional capabilities such as multiple-input multiple-output (MIMO) and variations for specific regions such as the 802.11j variation developed for the Japanese market.

NOTE: The typical bandwidth of 802.11b (Wi-Fi) connections is 11Mbps, the 802.11a and 802.11g specifications extend connectivity up to 54Mbps, and the 802.11n specification, still in development at the time of writing, provides up to 248Mbps.

Wired Equivalent Privacy

Specifications for the Wired Equivalent Privacy (WEP) standard are detailed within the original 802.11 specification on which 802.11b (Wi-Fi) equipment is built. This specification details a method of data encryption and authentication (RC4 with a 24-bit per-packet initialization vector, and a shared-key challenge) that may be used to establish a more secured wireless connection.
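The weakness in WEP's use of RC4, shown as an added example that is not part of the book: WEP seeds RC4 with a 24-bit IV prepended to the shared key and sends the IV in the clear, so two frames that reuse an IV are encrypted under the same keystream. XORing the two ciphertexts cancels the keystream, and one predictable plaintext (an ARP or DHCP frame) decrypts the other frame without the WEP key ever being recovered. The WEP key, IV and frame bodies below are constructed for the demonstration, and the CRC-32 integrity value real WEP appends is omitted because it does not change the argument.

```python
"""WEP keystream reuse, as an added example (not the book's code)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA) then the pseudo-random generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-packet RC4 key = IV || shared key; the IV travels in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def recover_with_known_plaintext(frame_known: bytes, known_pt: bytes, frame_target: bytes) -> bytes:
    """Attacker's computation: C1 XOR P1 gives the keystream; keystream XOR C2 gives P2.
    Only valid when both frames carry the same IV (first three bytes)."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("different IVs: keystream not shared, this trick does not apply")
    keystream = xor(frame_known[3:], known_pt)
    return xor(keystream, frame_target[3:])


def demo() -> bytes:
    """Runs the attack on constructed frames and returns the recovered plaintext."""
    wep_key = b"\x0b\xad\xc0\xff\xee"                   # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                               # a busy AP cycles 2^24 IVs in hours
    known = b"ARP who-has 10.0.0.1 tell 10.0.0.99"     # constructed, predictable frame body
    secret = b"POST /login user=admin pw=hunter2"      # constructed target frame body
    frame_known = wep_encrypt(wep_key, iv, known)
    frame_secret = wep_encrypt(wep_key, iv, secret)
    return recover_with_known_plaintext(frame_known, known, frame_secret)


if __name__ == "__main__":
    print(demo())
```

The fix in WPA2 is not a longer IV but a different cipher mode (AES-CCMP) in which a per-session key and a 48-bit packet number make keystream reuse impossible for the life of the key; WPA's TKIP only papered over the problem by deriving a fresh RC4 key per packet.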

EXAM ALERT: Recent developments in the field of cryptography have revealed the WEP encryption method to be less secure than originally intended and vulnerable to cryptographic analysis of network traffic. More advanced protocols such as WPA and the 802.11i standard supersede WEP, but recommendations for a more secure wireless network may also include the use of IPsec and virtual private network (VPN) connectivity to tunnel data communications through a secured connection.

Wi-Fi Protected Access

The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. WPA includes many of the functions of the 802.11i protocol but still relies on the Rivest Cipher 4 (RC4) stream cipher (with per-packet keys under TKIP), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval.

802.11i

The 802.11i-2004 amendment to the 802.11 specification is a set of standards for securing wireless network communications, replacing the earlier vulnerable WEP standard with an Advanced Encryption Standard (AES) block cipher and allowing for origin authentication to help protect against rogue WAP man-in-the-middle attacks.

Site Surveys

To optimize network layout within each unique location, a site survey is necessary before implementing any WLAN solution. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas. A site survey should include a physical and electronic review of the desired physical and logical structure of the network, selection of possible technologies, Federal, state, and local laws and regulations related to the proposed network solution, and several other factors, including the following:

- Potential sources of radio frequency (RF) interference, including local broadcast systems, motors, fans, and other types of equipment that generate RF interference.

- Available locations for WAP hardware installation and physical network integration connectivity.
- Any special requirements of users, applications, and network equipment that must function over the proposed wireless network solution.
- Whether a point-to-point (ad hoc or wireless bridge) or multipoint wireless solution is required. In most solutions, point-to-multipoint connectivity will be required to support multiple wireless clients from each WAP connected to the physical network. This includes an analysis of potential channel overlap between wireless access point (WAP) hardware.

NOTE: When conducting a site survey, you can use a wireless-enabled device with a GPS location sensor to establish the boundaries of existing network connectivity. Commonly available packages used to conduct site surveys include AirSnort, NetStumbler, and Kismet. Legal and organizational mandates may preclude the use of promiscuous-mode network traffic analysis.

All wireless networks share several common security vulnerabilities related to their use of RF broadcasts, which may potentially be detected and compromised without the knowledge of the network administrator. Data transported over this medium is available to anyone with the proper equipment, and so must be secured through encryption and encapsulation mechanisms not subject to public compromise.

Network Device and Transmission Media Vulnerabilities

Wired and wireless networking relies on a system of underlying devices responsible for coordinating the transport and security of networked data. Switches and hubs allow distribution of data packets to individual endpoints, where routers then determine the proper network connections to transfer data packets to identified endpoint network segments, with myriad dedicated transport systems available for encryption, access control, and other functions necessary to internetwork communications. Namespace services facilitate translation from human-readable addresses to their numeric equivalents.

You should be familiar with vulnerabilities associated with these network devices, including the following:

- Default accounts—Many networking devices and services are initially installed with a default set of user credentials, such as Oracle's Scott/Tiger and IBM's qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack.
- Weak passwords—Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a "weak" password is selected. Automated and social engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
- Back doors—Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment.
- Privilege escalation—This vulnerability represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B's email without specific authorization.
- Default identification broadcast—Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP, but is not truly secure because the SSID is broadcast in plain text whenever a client connects to the network. Turning off SSID broadcast should be considered a "best practice," along with conducting the site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible.
- Denial of service (DoS)—Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. This type of attack is often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website. Many fringe service industries, such as online casinos, are regularly targeted with this type of attack. The business is contacted with an account to which an amount of money should be sent, whereupon the attack is ended and service is restored.
- Vampire taps—Data traffic over coaxial network cabling can be intercepted and inspected by an attacker through the use of a vampire tap, which pierces the cable at an arbitrary point and allows direct connection to the data transport wiring, allowing interception of data traffic without a detectable presence on the network. Similar technologies can be applied to modern fiber-optic media. Physical access control to areas where network media is exposed is critical to protecting against unauthorized taps.
- Hubs and supervisory ports—Certain types of networking equipment provide attackers with access to inspect network traffic for interception of user credentials, security encryption traffic, and other forms of sensitive transmitted data. Before the development of network switches, hubs were commonly used to distribute data packets to endpoint ports. Hubs do not provide data isolation between endpoint ports, allowing any node to observe data traffic to and from all other nodes on the same device. Switches provide this isolation in more updated networks, but an exposed supervisory port can be exploited by an attacker for the same purposes. Physical access control to the networking closet is critical to protect switched networks against this form of attack.
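The weak-password and default-account checks described above, as an added example that is not the book's code. The checks follow the weaknesses the text lists (short, low character-class mix, dictionary-derived after undoing common substitutions, built from easily guessed personal information) plus the vendor defaults it names. The word list, the extra default pair and the sample inputs are constructed for the example; a real deployment would load a full cracking word list and the vendor's own default-credential list.

```python
"""Weak-password and default-credential checks, as an added example (not the book's)."""
import re

# Constructed mini word list; substitute a real cracking word list in practice.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "dragon", "letmein", "qwerty", "tiger", "admin"}

# Vendor defaults named in the text (Oracle, IBM i) plus one constructed common pair.
DEFAULT_CREDENTIALS = {("scott", "tiger"), ("qsecofr", "qsecofr"), ("admin", "admin")}

# Character substitutions attackers undo before dictionary matching ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"})

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def dictionary_base(password: str) -> str:
    """Strip trailing digits/punctuation ('Summer2008!' -> 'Summer'), undo leet substitutions
    and lower-case, so the common 'word + year + symbol' pattern still matches the word list."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return stripped.translate(LEET).lower()


def password_weaknesses(password: str, personal_info=(), min_length: int = 12) -> list:
    """Return the reasons a password is weak; an empty list means no check fired."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < 3:
        reasons.append("uses fewer than three character classes (case, digits, symbols)")
    base = dictionary_base(password)
    if base in COMMON_WORDS:
        reasons.append(f"derived from a dictionary word ({base})")
    lowered = password.lower()
    for item in personal_info:                      # birthdays, family names, pet names ...
        item = str(item).lower()
        if len(item) >= 4 and item in lowered:
            reasons.append(f"contains personal information ({item})")
    return reasons


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is a vendor default that should have been removed at install time."""
    return (username.lower(), password.lower()) in DEFAULT_CREDENTIALS


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2008", "Fluffy1975!", "correct-horse-battery-staple-4"):
        print(pw, password_weaknesses(pw, personal_info=["Fluffy", "1975"]) or "ok")
```

Run this against exported password hashes only after cracking them offline, or, better, at password-change time before the hash is stored; the personal-information list is whatever the account record already holds (names, birth date, phone digits).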

Exam Prep Questions

1. Which of the following is a common bandwidth for 802.11b communications?
   A. 1.2Kbps
   B. 64Kbps
   C. 1.5Mbps
   D. 10Mbps
   E. 11Mbps
   F. 100Mbps

2. Which of the following are client-side web technologies? (Select all that apply.)
   A. ActiveX controls
   B. JavaScript
   C. CGI scripts
   D. Cookies
   E. Java applets

3. Which of the following are good uses for cookies? (Select two correct answers.)
   A. Maintaining user portal settings between sessions
   B. Storing credit card and user identification data
   C. Storing a listing of items within a shopping cart application
   D. Maintaining password and logon information for easy return to visited secured sites
   E. Providing details regarding the network settings in use by the client, such as its IP address

4. Why do spammers value unsecured SMTP relay servers?
   A. They provide faster network access.
   B. They can be used to hide the origin of a message.
   C. They can access internal mailing lists.
   D. They cannot be blacklisted.

5. Which of the following are potential exploits for CGI scripts? (Select all that apply.)
   A. Arbitrary commands may be executed on the server.
   B. Executing arbitrary commands on the client.
   C. Buffer overflows may occur.
   D. Providing information on processes running on the server.
   E. Samples may not include proper security.

6. Which of the following is a WLAN technology that uses the Ethernet protocols?
   A. Bluetooth
   B. IETF
   C. WAP
   D. i-Mode
   E. Wi-Fi

7. Which of the following are potential vulnerabilities of the FTP service? (Select two correct answers.)
   A. Buffer overflow
   B. Execution of arbitrary commands
   C. Anonymous access
   D. Unencrypted credentials
   E. Cache mining

8. An attacker places code within a web page that executes when a client's browser opens the web page, causing the client's browser to attempt to access a secured banking site in another city. This is an example of what type of attack?
   A. Cross-site scripting
   B. Man-in-the-middle
   C. Session hijacking
   D. Buffer overflow

9. Which encryption standard is currently considered the best for Wi-Fi connections?
   A. HTTPS
   B. WAP
   C. WEP
   D. WPA
   E. WPA2

10. Which of the following statements about Java and JavaScript is true?
   A. Java applets allow access to cache information.
   B. JavaScript code can continue running even after the applet is closed.
   C. JavaScript can provide access to files of known name and path.
   D. Java applets can be used to execute arbitrary instructions on the server.
   E. Java applets can be used to send email as the user.

Answers to Exam Prep Questions

1. E. The 802.11b W LAN specification allows up to 11Mbps wireless connectivity. Answers A and B are incorrect because they specify common modem bandwidth limits, and answer C is incorrect because 1.5Mbps is a common speed for cable modem and T1 connectivity. Answers D and F are incorrect because 10Mbps and 100Mbps are common wired LAN data transfer rates.

2. A, B, D, E. Client-side web technologies include ActiveX controls, JavaScript interpreted code, cookies, and Java applets. Answer C is incorrect because CGI scripts are stored and interpreted on the web server. Cookies might also be considered a server-side technology because the web server may access them and store information within cookies; however, they reside in the client system's browser cache.

3. A, C. Cookies are well-suited for maintaining user portal settings between sessions and storing a list of items within a shopping cart application. Answers B and D are incorrect because cookies that store user identification data, credit card information, or password and logon details could be exploited to allow others to use this information by mining the client's cache. Answer E is incorrect because cookies are used to store session information between pages or servers, rather than to store information that the server can obtain for itself, such as the IP address used by the client.

4. B. Spammers use SMTP relay agents that are not properly secured to relay their SMTP email messages, hiding the true origin of the mail messages. Answer A is incorrect because the targeted server might have a much more limited network connection than the spammer; the key is hiding the source of the messages. Answer C is incorrect because anonymous SMTP relay does not require access to an SMTP server beyond receipt and retransmission. Answer D is incorrect because an SMTP server used to relay spam can easily be blacklisted, requiring effort to reopen normal transfer with major providers after this situation has been identified.

5. A, C, D, E. CGI scripts may be exploited to leak information including details about running server processes and daemons, samples included in some default installations are not intended for security and include well-known exploits, and buffer overflows may allow arbitrary commands to be executed on the server. Answer B is incorrect because CGI scripts do not run on the client system.

6. E. The 802.11b (Wi-Fi) standard uses the CSMA/CA connectivity method, a variant of the carrier-sense multiple access commonly found in Ethernet connectivity. Answer A is incorrect because Bluetooth is based on a different transmission protocol. Answer B is incorrect because the Internet Engineering Task Force (IETF) is a standards organization and not a communications protocol. Answers C and D are incorrect because both WAP and i-Mode are standards used by mobile devices such as cell phones, pagers, and PDAs and are not used to specify WLAN standards.

7. C, D. FTP servers may be exposed to anonymous access and transfer logon credentials in clear form. Answers A and B are incorrect because the FTP service is not known for common vulnerabilities that may be exploited using buffer overflows to execute arbitrary commands on the server. Answer E is incorrect because the FTP service does not provide access to the browser's cache.

8. A. When a website redirects the client's browser to attack yet another site, this is referred to as cross-site scripting. Answer B is incorrect because a man-in-the-middle attack involves intercepting data transmission between two sites and examining, altering, or replacing valid data without alerting either endpoint. Answer C is incorrect because a session hijack occurs when an attacker causes the client's browser to establish a secure connection to a compromised web server acting as a proxy or redirecting traffic to a secure target site, exposing traffic as it passes through the compromised system. Answer D is incorrect because a buffer overflow occurs when data input exceeds the memory space allocated and injects unanticipated data or programmatic code into executable memory.

9. E. The WPA2 standard implements the 802.11i-2004 protocols and is currently the highest standard for Wi-Fi communication security. Answer A is incorrect because the HTTPS protocol allows for secure HTTP connectivity between the client's browser and a target web server, and is unrelated to the networking medium in use. Answer B is incorrect because a WAP refers to a wireless access point, which is the wireless network hardware that functions in the place of a wired switch. Answer C is incorrect because the WEP standard was proven to be unsecure and has been replaced by the newer WPA standards. Answer D is incorrect because the early WPA standard has been superseded by the WPA2 standard, implementing the full 802.11i-2004.

10. C. An early exploit of JavaScript allowed access to files located on the client's system if the name and path were known. Answers A, D, and E are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer B is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.

Additional Reading and Resources

1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley Professional, 2001.
2. The World Wide Web Security FAQ: http://www.w3.org/Security/Faq/
3. SANS Information Security Reading Room: http://www.sans.org/
4. IEEE Standards Association: http://standards.ieee.org/

PART II: Infrastructure Security

Chapter 3 Infrastructure Basics
Chapter 4 Infrastructure Security and Controls


CHAPTER THREE

Infrastructure Basics

Terms you need to understand:
✓ TCP/IP hijacking
✓ Spoofing
✓ Man-in-the-middle
✓ Replay
✓ DoS
✓ DNS kiting and DNS poisoning
✓ ARP poisoning
✓ DMZ
✓ VLAN
✓ NAT
✓ NAC
✓ NIDS
✓ HIDS
✓ NIPS
✓ Protocol analyzers

Techniques you need to master:
✓ Differentiate between the different ports and protocols, their respective threats, and mitigation techniques.
✓ Distinguish between network design elements and components.
✓ Determine the appropriate use of network security tools to facilitate network security.
✓ Apply the appropriate network tools to facilitate network security.
✓ Explain the strengths and vulnerabilities of various security zones and devices.

The network infrastructure is subject to myriad internal and external attacks through services, protocols, and open ports. In addition to being able to explain these concepts, you must understand the different types of attacks that can happen, along with how to implement a network design, components, and tools that can protect the infrastructure. This chapter discusses the concepts of identifying and mitigating network infrastructure threats and alerts you to the most common attacks. Some of these were discussed in Chapter 2, "Online Vulnerabilities," and some are discussed in this chapter. For those that are not discussed, you can find more detailed information in the "Suggested Reading and Resources" section at the end of this chapter. As you read, you will begin to understand how network design and components can be used as a tool to protect and mitigate all types of threats and to protect computers and network infrastructure.

Port and Protocol Threats and Mitigation Techniques

TCP and UDP each provide 65,536 port numbers (0 through 65,535) on which a computer can communicate. The port numbers are divided into three ranges:

- Well-known ports—The well-known ports are those from 0 through 1,023.
- Registered ports—The registered ports are those from 1,024 through 49,151.
- Dynamic/private ports—The dynamic/private ports are those from 49,152 through 65,535.

All of these ports and services have vulnerabilities associated with them. Often, many of these ports are not secured and as a result are used for exploitation, such as Echo, Systat, and Chargen. It is imperative that you understand how to eliminate nonessential services and protocols, especially if the network has been in existence for some period of time and some services are no longer needed or have been forgotten. To stop many would-be attackers, you first need to know which ports the common services listen on. Table 3.1 lists some of the most commonly used ports and the services and protocols that use them.

TABLE 3.1 Commonly Used Ports

Port             Service/Protocol
7                Echo
11               Systat
15               Netstat
19               Chargen
20               FTP-Data
21               FTP
22               SSH
23               Telnet
25               SMTP
49               TACACS
53               DNS
80               HTTP
110              POP3
111              Portmap
137, 138, 139    NetBIOS
161/162          SNMP
443              HTTPS
445              SMB
1,812            RADIUS

These protocols may be configured open by default when an operating system is installed or by the machine manufacturer. If ports are opened for manufacturer-installed tools, the manufacturer should have these services listed in the documentation. Every operating system requires different services for it to operate properly. Ideally, the configuration process should start with installing only the services necessary for the server to function. Table 3.1 includes a combination of protocols that currently are in use and antiquated protocols that might still be in use on a network. The next sections cover port and protocol threats and mitigation techniques.

EXAM ALERT: Know the difference between the various types of attacks and the ports they are executed on.
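A listening-port audit against Table 3.1, as an added example that is not the book's code. It parses netstat -an style output (Linux column layout assumed), classifies each listening port into the three ranges above, and flags anything not on an approved list, calling out the antiquated clear-text services in particular. The netstat text below is constructed; on a real host feed the function the actual command output.

```python
"""Listening-port audit against Table 3.1, as an added example (not the book's code)."""
import re

# Subset of Table 3.1 keyed by port number (Finger/79 added from the text that follows).
PORT_TABLE = {
    7: "Echo", 11: "Systat", 15: "Netstat", 19: "Chargen", 20: "FTP-Data", 21: "FTP",
    22: "SSH", 23: "Telnet", 25: "SMTP", 49: "TACACS", 53: "DNS", 79: "Finger",
    80: "HTTP", 110: "POP3", 111: "Portmap", 137: "NetBIOS", 138: "NetBIOS",
    139: "NetBIOS", 161: "SNMP", 162: "SNMP", 443: "HTTPS", 445: "SMB", 1812: "RADIUS",
}
# Antiquated or clear-text services that should rarely be listening at all.
LEGACY_PORTS = {7, 11, 15, 19, 21, 23, 79, 111, 161, 162}

# Linux "netstat -an" line: proto, recv-q, send-q, local addr:port, foreign addr, [state]
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>[A-Z_]+))?"
)

# Constructed sample output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:19            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:49212          10.0.0.9:22             ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""


def port_range(port: int) -> str:
    """Classify a port number into the three ranges described in the text."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a port number: {port}")


def listening_sockets(netstat_text: str) -> list:
    """Return (proto, port, local address) for each listener. UDP lines have no state column,
    so every UDP socket counts; TCP sockets count only in LISTEN state."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue
        if m["proto"].startswith("tcp") and m["state"] != "LISTEN":
            continue
        found.append((m["proto"], int(m["port"]), m["addr"]))
    return found


def audit(netstat_text: str, approved_ports: set) -> list:
    """Findings for listeners outside the approved set, legacy clear-text services first."""
    findings = []
    for proto, port, addr in listening_sockets(netstat_text):
        if port in approved_ports:
            continue
        findings.append({
            "proto": proto, "port": port, "bind": addr,
            "service": PORT_TABLE.get(port, "unknown"),
            "range": port_range(port),
            "severity": "legacy/clear-text" if port in LEGACY_PORTS else "unexpected",
        })
    findings.sort(key=lambda f: (f["severity"] != "legacy/clear-text", f["port"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT, approved_ports={22, 80, 443}):
        print(f"{f['severity']:18} {f['proto']}/{f['port']:<5} {f['service']:8} {f['range']} bound to {f['bind']}")
```

The approved set is the build document for the host, not whatever was listening last week; anything the audit reports is either removed or added to the document with a justification.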

Antiquated and Older Protocols

Notice in Table 3.1 that there are older protocols such as Chargen and Telnet. Although these may be older, you might find that these protocols and the ports they use are still accessible. Older protocols that are still in use may leave the network vulnerable. For example, you might still find some old implementations of Eudora mail that use the Finger protocol. Finger, which uses port 79, was widely used during the early days of the Internet, but today's sites no longer offer the service. The mail clients have long since been upgraded, but the port used 10 years ago was somehow left open. The quickest way to tell which ports are open and which services are running is to do a Netstat on the machine. You can also run local or online port scans.

Protocols such as Simple Network Management Protocol (SNMP) and domain name service (DNS) that were developed a long time ago and have been widely deployed can pose security risks, too. SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPSs). The SNMP management infrastructure consists of three components:

- SNMP managed node
- SNMP agent
- SNMP network management station

The device loads the agent, which in turn collects the information and forwards it to the management station. Network management stations collect a massive amount of critical network information and are likely targets of intruders because SNMPv1 is not secure. The only security measure it has in place is its community name, which is similar to a password. By default, this is "public" and many times is not changed, thus leaving the information wide open to intruders; worse, the community name is carried in clear text in every SNMPv1 packet. The party-based SNMPv2 design used Message Digest Version 5 (MD5) for authentication and could also encrypt transmissions, but the SNMPv2 that was actually deployed (SNMPv2c) kept the clear-text community name as its only protection. SNMPv3 is the current standard and adds per-user authentication (HMAC-MD5 or HMAC-SHA) and privacy (DES, later AES), but some devices are likely to still be using SNMPv1 or SNMPv2. Many of the vulnerabilities associated with SNMP stem from using SNMPv1. Although these vulnerabilities were discovered in 2002, vulnerabilities are still being reported with current SNMP components. A recent Gentoo Linux Security Advisory noted that multiple vulnerabilities in Net-SNMP allow for authentication bypass and execution of arbitrary code in Perl applications using Net-SNMP.
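What the "community name as the only security measure" looks like on the wire, as an added example that is not the book's code. The block builds a minimal BER-encoded SNMPv1 GetRequest for sysDescr.0 and then parses it the way a sniffer would, showing that the community string is recoverable from every packet. The community name and OID are the usual defaults; the send() helper is included only to show where the packet goes and needs a reachable agent to answer, so it is not called.

```python
"""SNMPv1 GetRequest on the wire, as an added example (not the book's code)."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # system description, the classic first query


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; width chosen so the sign bit stays clear."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])        # first two arcs share one octet
    for arc in arcs[2:]:                              # remaining arcs: base 128, high bit = more
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmpv1_get(community: bytes, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version INTEGER 0, community OCTET STRING, GetRequest-PDU [0] }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))                  # OID + NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, body, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(packet: bytes):
    """What anyone on the path sees in a v1/v2c message: (version, community string)."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(message, 0)
    ctag, community, _ = read_tlv(message, pos)
    if ctag != 0x04:
        raise ValueError("no community string here: probably SNMPv3 (USM), not v1/v2c")
    return int.from_bytes(version, "big"), community.decode("ascii", "replace")


def send(packet: bytes, host: str, timeout: float = 2.0) -> bytes:
    """Send to UDP/161 and return the raw response (needs a live agent; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 161))
        return s.recv(4096)


if __name__ == "__main__":
    pkt = snmpv1_get(b"public", SYS_DESCR)
    print(pkt.hex())
    print(sniff_community(pkt))
```

Because the message is UDP, the sniffer does not even need to be inline: any host that can see the management traffic learns the community name, and a read-write community name then gives it control of the device.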

SNMP can help malicious users learn a lot about your system, making password guessing attacks a bit easier. SNMP is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162. Unless this service is required, it should be turned off. Make sure network management stations are secure physically and secure on the network. You might even consider using a separate management subnet and protecting it using a router with an access list.

The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create access control lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited and minimize the threat of an attack.

TCP/IP Hijacking

Hijacking is the term used when an attacker takes control of a session between the server and a client. This starts as a man-in-the-middle attack and then adds a reset request to the client. The result is that the client gets kicked off the session, while the rogue machine still communicates with the server. Telnet type plain-text connections create the ideal situation for TCP hijacking. In this instance, an attacker watches the data being passed in the TCP session. At any point, the attacker can take control of the user's session. This is why TCP/IP hijacking is also called session hijacking. The attacker intercepts the source-side packets and replaces them with new packets that are sent to the destination.

Session hijacking can also occur when a session timeout is programmed to be a long period of time. This provides a chance for an attacker to hijack the session. During web sessions, cookies are commonly used to authenticate and track users. While the authenticated connection is in session, an attacker may be able to hijack the session by loading a modified cookie in the session page. Forcing a user to reauthenticate before allowing transactions to occur could help prevent this type of attack.

EXAM ALERT: TCP/IP hijacking commonly happens during Telnet and web sessions where security is lacking or when session timeouts aren't configured properly.

Protection mechanisms include the use of unpredictable (randomly generated) initial sequence numbers (ISNs) and unguessable web session cookies. The more random the cookie, the harder it is to guess and hijack. Additional preventative measures for this type of attack include use of encrypted session keys and Secure Sockets Layer (SSL) encryption.
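The web-session side of the mitigations above, as an added example that is not the book's code: unguessable session identifiers, an idle timeout, rotation of the identifier when the session changes state, and forced reauthentication before a transaction. The clock is injectable so the timeouts can be exercised without sleeping; user names and the timeouts used in the demo are constructed.

```python
"""Session-hijacking mitigations, as an added example (not the book's code)."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout: float = 900, reauth_window: float = 120, clock=time.time):
        self._sessions = {}          # session id -> {"user", "last_seen", "auth_at"}
        self.idle_timeout = idle_timeout
        self.reauth_window = reauth_window
        self.clock = clock

    def login(self, user: str) -> str:
        """Issue a fresh 256-bit random identifier: nothing sequential or derived from the user."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "last_seen": now, "auth_at": now}
        return sid

    def touch(self, sid: str):
        """Validate a presented cookie and expire it if idle too long. Returns the user or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]            # a stolen cookie stops working after the idle window
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid: str):
        """Swap the identifier (e.g. after login or privilege change) so an earlier capture is useless."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def authorize_transaction(self, sid: str, password_ok: bool) -> str:
        """Money-moving actions require a recent authentication, not just a live cookie."""
        user = self.touch(sid)
        if user is None:
            return "denied: no valid session"
        s = self._sessions[sid]
        if self.clock() - s["auth_at"] > self.reauth_window:
            if not password_ok:
                return "denied: reauthentication required"
            s["auth_at"] = self.clock()
        return f"approved for {user}"


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60, reauth_window=30)
    sid = store.login("alice")
    print(sid, store.touch(sid), store.authorize_transaction(sid, password_ok=False))
```

Send the identifier with the Secure and HttpOnly cookie attributes so it neither crosses a clear-text hop nor is readable by injected script; the store above only limits how much a captured identifier is worth.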

Null Sessions

A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. A program or service using the system user account logs on with null credentials. By default, the set of credentials used for authentication defaults to anonymous access when null credentials are given. The best example of this is file and print sharing services on Windows machines. The services communicate by using an interprocess communication share, or IPC$. You have likely seen this on Windows machines (see Figure 3.1). These null sessions were created to allow unauthenticated hosts to obtain browse lists from Windows NT servers and to use network file and print sharing services. A hacker or worm can exploit this vulnerability and potentially access sensitive data on the system. Windows XP and Windows Server 2003 standalone servers are not vulnerable to null session attacks. However, backward compatibility with Windows 2000 and NT opens up vulnerability to null session attacks.

FIGURE 3.1 A Windows IPC$ share.

On a vulnerable machine, a null session can be established by using the net use command to map a connection using a blank username and password:

net use \\ip_address\ipc$ "" /user:""

After a null session connection has been established, many possibilities exist. You can use commands such as net view to view a list of shared resources on the target machine, even if you have disabled the Guest account. You also can use application programming interfaces (APIs) and remote procedure calls (RPCs) to enumerate information, escalate privileges, and execute attacks.

You could also control null session access by editing the Registry on Windows-based computers to restrict anonymous access:

- Key—HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
- Value—RestrictAnonymous
- Type—DWORD
- Value—1

The key default value is 0. Changing this value to 1, which is more restrictive, keeps a null session from seeing user accounts and admin shares. Changing the value to 2 is the most restrictive; this disables null sessions without explicit permissions. However, this setting may conflict with some applications that rely on null sessions. (Windows XP and Windows Server 2003 no longer honor the value 2; on those systems the equivalent controls are the RestrictAnonymousSAM and EveryoneIncludesAnonymous values in the same key.) Keep in mind that even though you can change the Registry settings to try to prevent this type of attack, some tools sidestep this measure. If security is a major concern, you might have to consider not allowing any null sessions on your public and private networks. After you have done this, verify that ports 139 and 445 are closed.

EXAM ALERT: The most effective way to reduce null session vulnerability is by disabling NetBIOS over TCP/IP.

Spoofing

Spoofing is a method of providing false identity information to gain unauthorized access. This is accomplished by modifying the source address of traffic or source of information.

These forms of attacks are often used to get additional information from network users to complete a more aggressive attack. In blind spoofing, the attacker sends only data and only makes assumptions about the responses. In informed spoofing, the attacker can participate in a session and can monitor the bidirectional communications.

Services such as email, Web, and file transfer can also be spoofed. In email spoofing, a spammer or a computer virus can forge the email packet information in an email so that it appears the email is coming from a trusted host, from one of your friends, or even from your own email address. If you leave your email address at some Internet site or exchange email with other people, a spoofer may be able to use your email address as the sender address to send spam. Web spoofing happens when an attacker creates a convincing but false copy of an entire website. The false site looks just like the real one: It has all the same pages and links. However, the attacker controls the false site so that all network traffic between the victim's browser and the site goes through the attacker. File-transfer spoofing involves the FTP service. FTP data is sent in clear text. The data can be intercepted by an attacker, then viewed and altered before being sent on to the receiver.

EXAM ALERT: Spoofing seeks to bypass IP address filters by setting up a connection from a client and sourcing the packets with an IP address that is allowed through the filter.

You should set up a filter that denies traffic originating from the Internet that shows an internal network address. Using the signing capabilities of certificates on servers and clients allows web and email services to be more secure. The use of IPsec can secure transmissions between critical servers and clients. This will help prevent these types of attacks from taking place.

The attacker can also choose to alter the data or merely eavesdrop and pass it along. This attack is common in Telnet and wireless technologies. It is also generally difficult to implement because of physical routing issues, TCP sequence numbers, and speed. Because the hacker has to be able to sniff both sides of the connection simultaneously, programs such as Juggernaut, T-Sight, and Hunt have been developed to help make the man-in-the-middle attack easier. If the attack is attempted on an internal network, physical access to the network will be required. Be sure that access to wiring closets and switches is restricted; if possible, the area should be locked. After you have secured the physical environment, the services and resources that allow a system to be inserted into a session should be protected. DNS can be compromised and used to redirect the initial request for service, providing an opportunity to execute a man-in-the-middle attack. DNS access should be restricted to read-only for everyone except the administrator. The best way to prevent these types of attacks is to use encryption and secure protocols.

EXAM ALERT
A man-in-the-middle attack takes place when a computer intercepts traffic and either eavesdrops on the traffic or alters it.

Replay
In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. This type of attack can be used to replay bank transactions or other similar types of data transfer in the hopes of replicating or changing activities, such as deposits or transfers. Protecting yourself against replay attacks involves some type of time stamp associated with the packets or time-valued, nonrepeating serial numbers. Secure protocols such as IPsec prevent replays of data traffic in addition to providing authentication and data encryption.

Denial of Service
The purpose of a denial-of-service (DoS) attack is to disrupt the resources or services that a user would expect to have access to. These types of attacks are executed by manipulating protocols and can happen without the need to be validated by the network.
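The following Python program is an added example, not code from the book, showing the two replay protections named above working together: each message carries a time stamp and a nonrepeating nonce, and an HMAC binds both to the payload so that neither can be altered without detection. The shared key, the 30-second freshness window and the sample transfer message are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed shared secret for the demo; real systems provision keys out of band.
SHARED_KEY = b"demo-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 30.0  # how far a message time stamp may drift from the receiver's clock


def _canonical(payload: dict, nonce: str, timestamp: float) -> bytes:
    # A fixed serialization so sender and receiver compute the MAC over identical bytes.
    return json.dumps({"payload": payload, "nonce": nonce, "ts": timestamp},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, nonce: str, timestamp: float, key: bytes = SHARED_KEY) -> dict:
    """Sender side: bind the payload to a time stamp and a nonrepeating nonce with an HMAC."""
    mac = hmac.new(key, _canonical(payload, nonce, timestamp), hashlib.sha256).hexdigest()
    return {"payload": payload, "nonce": nonce, "ts": timestamp, "mac": mac}


class ReplayGuard:
    """Receiver side: a message is accepted once, only while fresh, and only if unmodified."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: float = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time stamp of the message it arrived in

    def verify(self, message: dict, now: float) -> Tuple[bool, str]:
        expected = hmac.new(self.key,
                            _canonical(message["payload"], message["nonce"], message["ts"]),
                            hashlib.sha256).hexdigest()
        # Check the MAC first so that forged messages never influence the nonce cache.
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False, "bad mac"
        if abs(now - message["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # Nonces older than the freshness window can be forgotten: the time stamp
        # check alone rejects them, so the cache stays bounded.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.max_skew:
                del self.seen[nonce]
        if message["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[message["nonce"]] = message["ts"]
        return True, "accepted"


def demo() -> list:
    """Walk one constructed transfer through the four outcomes a receiver can reach."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0  # constructed clock value
    transfer = {"from": "acct-1", "to": "acct-2", "amount": 250}
    msg = sign_message(transfer, nonce="n-0001", timestamp=t0)
    results = [guard.verify(msg, now=t0 + 1)[1]]           # fresh, first time: accepted
    results.append(guard.verify(msg, now=t0 + 2)[1])        # same packet again: replayed nonce
    tampered = dict(msg, payload=dict(transfer, amount=9999))
    results.append(guard.verify(tampered, now=t0 + 3)[1])   # altered amount: bad mac
    late = sign_message(transfer, nonce="n-0002", timestamp=t0)
    results.append(guard.verify(late, now=t0 + 120)[1])     # held back too long: stale timestamp
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce cache is what turns "time-valued serial numbers" into an actual check; without it, a captured message could be replayed any number of times inside the freshness window.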

An attack typically involves flooding a listening port on your machine with packets. The premise is to make your system so busy processing the new connections that it cannot process legitimate service requests. Many of the tools used to produce DoS attacks are readily available on the Internet. Administrators use them to test connectivity and troubleshoot problems on the network, whereas malicious users use them to cause connectivity issues. Here are some examples of DoS attacks:

- Smurf/smurfing—This attack is based on the Internet Control Message Protocol (ICMP) echo reply function. It is more commonly known as ping, which is the command-line tool used to invoke this function. In this attack, the attacker sends ping packets to the broadcast address of the network, replacing the original source address in the ping packets with the source address of the victim, thus causing a flood of traffic to be sent to the unsuspecting network device.
- Fraggle—This attack is similar to a Smurf attack. The difference is that it uses UDP rather than ICMP. The attacker sends spoofed UDP packets to broadcast addresses as in the Smurf attack. These UDP packets are directed to port 7 (Echo) or port 19 (Chargen). When connected to port 19, a character generator attack can be run. Table 3.1 lists the most commonly exploited ports.
- Ping flood—This attack attempts to block service or reduce activity on a host by sending ping requests directly to the victim. A variation of this type of attack is the ping of death, in which the packet size is too large and the system doesn't know how to handle the packets.
- SYN flood—This attack takes advantage of the TCP three-way handshake. The source system sends a flood of synchronization (SYN) requests and never sends the final acknowledgment (ACK), thus creating half-open TCP sessions. Because the TCP stack waits before resetting the port, the attack overflows the destination computer's connection buffer, making it impossible to service connection requests from valid users.
- Land—This attack exploits a behavior in the operating systems of several versions of Windows, UNIX, Macintosh OS, and Cisco IOS with respect to their TCP/IP stacks. The attacker spoofs a TCP/IP SYN packet to the victim system with the same source and destination IP address and the same source and destination ports. This confuses the system as it tries to respond to the packet.
- Teardrop—This form of attack targets a known behavior of UDP in the TCP/IP stack of some operating systems. The Teardrop attack sends fragmented UDP packets to the victim with odd offset values in subsequent packets. When the operating system attempts to rebuild the original packets from the fragments, the fragments overwrite each other, causing confusion. Because some operating systems cannot gracefully handle the error, the system will most likely crash or reboot.
- Bonk—This attack affects mostly Windows 95 and NT machines by sending corrupt UDP packets to DNS port 53. The attack modifies the fragment offset in the packet. The target machine then attempts to reassemble the packet. Because of the offset modification, the packet is too big to be reassembled, and the system crashes.
- Boink—This is a Bonk attack that targets multiple ports rather than just port 53.

DoS attacks come in many shapes and sizes. The first step to protecting yourself from an attack is to understand the nature of the different types of attacks in the preceding list.

Distributed DoS
Another form of attack is a simple expansion of a DoS attack, referred to as a distributed DoS (DDoS) attack. In simple terms, the attacker distributes zombie software that allows the attacker partial or full control of the infected computer system. Masters are computers that run the client software, and zombies run the software that carries out the attack. The attacker creates masters, which in turn create a large number of zombies or recruits. The software running on the zombies can launch multiple types of attacks, such as UDP or SYN floods on a particular target. The attacks come in the form of the standard DoS attacks, but the effects are multiplied by the total number of zombie machines under the control of the attacker. A typical DDoS is shown in Figure 3.2.

EXAM ALERT
When an attacker has enough systems compromised with the installed zombie software, he can initiate an attack against a victim from a wide variety of hosts.
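As an added illustration (not from the book) of what a SYN flood looks like from the defender's side, the Python below parses connection-table lines in the style of netstat -ant output and reports listening ports that have accumulated many half-open (SYN_RECV) sessions, distinguishing a single-source flood from a distributed one. The sample lines, the addresses in them and the alert threshold are constructed for the example.

```python
import re
from collections import defaultdict

# One netstat-style line: proto, recv-q, send-q, local addr:port, remote addr:port, state.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# Constructed sample: 12 half-open sessions to port 80 from 6 spoofed sources,
# one legitimate established session, one stray SYN_RECV on 443 and an SSH session.
SAMPLE_LINES = [
    f"tcp        0      0 10.0.0.5:80         203.0.113.{i % 6 + 1}:{41000 + i}   SYN_RECV"
    for i in range(12)
] + [
    "tcp        0      0 10.0.0.5:80         198.51.100.20:51234   ESTABLISHED",
    "tcp        0      0 10.0.0.5:443        198.51.100.21:51235   SYN_RECV",
    "tcp        0      0 10.0.0.5:22         10.0.0.9:55000        ESTABLISHED",
]


def parse_connections(lines):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples; skip unparsable lines."""
    conns = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            local_ip, local_port, remote_ip, remote_port, state = m.groups()
            conns.append((local_ip, int(local_port), remote_ip, int(remote_port), state))
    return conns


def half_open_report(conns, threshold=10):
    """Count half-open sessions per local port and alert when a port exceeds the threshold."""
    per_port = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for _local_ip, local_port, remote_ip, _remote_port, state in conns:
        if state == "SYN_RECV":
            per_port[local_port]["half_open"] += 1
            per_port[local_port]["sources"].add(remote_ip)
    alerts = []
    for port, info in sorted(per_port.items()):
        if info["half_open"] >= threshold:
            kind = "distributed" if len(info["sources"]) > 1 else "single-source"
            alerts.append(f"port {port}: {info['half_open']} half-open connections "
                          f"from {len(info['sources'])} sources ({kind})")
    summary = {port: (info["half_open"], len(info["sources"])) for port, info in per_port.items()}
    return summary, alerts


def demo():
    return half_open_report(parse_connections(SAMPLE_LINES), threshold=10)


if __name__ == "__main__":
    summary, alerts = demo()
    print(summary)
    for alert in alerts:
        print(alert)
```

A spread of sources with few connections each is the signature of spoofed or distributed SYN traffic, which is why the report counts distinct sources rather than only totals; the mitigations the text goes on to describe (shorter timeouts for unfinished connections, upstream filtering) are what an operator reaches for once this alert fires.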

Figure 3.2: A DDoS attack (Attacker -> Masters -> Zombies -> Victim).

Although DDoS attacks generally come from outside the network to deny services, the impact of DDoS attacks mounted from inside the network must also be considered. Internal DDoS attacks allow disgruntled or malicious users to disrupt services without any outside influence. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks. You should also set up another filter that denies traffic originating from the Internet that shows an internal network address. When you do this, the loss of ping and some services and utilities for testing network connectivity will be incurred, but this is a small price to pay for network protection. If the operating system allows it, reduce the amount of time before the reset of an unfinished TCP connection. Doing so makes it harder to keep resources unavailable for extended periods of time. Applying the manufacturer's latest operating system patches or fixes can also help prevent attacks. Subscribing to newsgroups and checking security websites daily ensures that you keep up with the latest attacks and exploits.

TIP
In the case of a DDoS attack, your best weapon is to get in touch quickly with your upstream Internet service provider (ISP) and see whether it can divert traffic or block the traffic at a higher level.

DNS Kiting
A newly registered domain name can be deleted or dropped with full refund of the registration fee during an initial five-day window called the add grace period (AGP). The AGP is used as a cost-benefit period to determine whether traffic generated by the domain name can offset the registration cost. This is called domain tasting. It is used to test the profitability of domain names. DNS kiting refers to the practice of taking advantage of this AGP to monopolize domain names without ever paying for them. How domain kiting works is that a domain name is deleted during the five-day AGP and immediately re-registered for another five-day period. This process is continued constantly, resulting in the domain being registered without actually paying for it. DNS kiting can be done on a large scale, and automation allows the registration of multiple domains. In this instance, hundreds or thousands of domain names are registered, populated with advertisements, and then canceled just before the end of the five-day grace period. Besides automatically registering domain names and placing advertising, domain kiters can track the amount of revenue generated. The amount of revenue generated by an individual kited domain is very small. However, there is no cost. The drawback for domain kiters is the chance that when the domain name is dropped at the end of the AGP, it will not be successfully re-registered.

EXAM ALERT
Kited domains present several issues. They force search engines to return less-relevant results, tie up domain names that legitimate businesses may want to use, and capitalize on slight variations of personal or business website addresses.

DNS kiting can be eliminated if registrars such as the Internet Corporation for Assigned Names and Numbers (ICANN) stop the AGP practice, limit how many domains a client can register per day, or refuse to issue repeated refunds to the same client. It has also been suggested that if the ICANN portion of the registration fee were nonrefundable, the practice would stop.

DNS Poisoning
DNS poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere he chooses. This not only sends a requestor to a different website but also caches this information for a short period, distributing the attack's effect to the server's users.

DNS poisoning may also be referred to as DNS cache poisoning because it affects the information that is cached. All Internet page requests start with a DNS query. If the IP address is not known locally, the request is sent to a DNS server. There are two types of DNS servers: authoritative and recursive. DNS servers share information, but recursive servers maintain information in cache. This means a caching or recursive server can answer queries for resource records even if it can't resolve the request directly. A flaw in the resolution algorithm allows the poisoning of DNS records on a server. All an attacker has to do is delegate a false name to the domain server along with providing a false address for the server. For example, an attacker creates a hostname hack.hacking.biz. It is now possible for me to set your DNS server as the authoritative server for my zone with the domain registrar. Therefore, the attacker queries your DNS server to resolve the host hacking.biz. The DNS server resolves the name and stores this information in its cache. After that, until the zone expiration, any further requests for hacking.biz do not result in lookups but are answered by the server from its cache.

DNS poisoning can result in many different implications. Domain name servers can be used for DDoS attacks. Malware can be downloaded to an unsuspecting user's computer from the rogue site, and all future requests by that computer will be redirected to the fake IP address. This could be used to build an effective botnet. This method of poisoning could also allow for cross-site scripting exploits, especially because Web 2.0 capabilities allow content to be pulled from multiple websites at the same time. From the user perspective, it is becoming more difficult to spot a problem by watching the address bar on the Internet browser. To minimize the effects of DNS poisoning, operating system vendors are adding more protection. Microsoft Vista's User Account Control (UAC) notifies the user that a program is attempting to change the system's DNS settings, thus preventing the DNS cache from being poisoned. However, education works best.

If the attacker conducts malicious activity, the attacker can make it appear that your DNS server is being used for these malicious activities. Therefore, check the DNS setup if you are hosting your own DNS. Be sure the DNS server is not open-recursive. An open-recursive DNS server responds to any lookup request, without checking where it originates. Disable recursive access for other networks to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups and require that caches discard information except from the com servers and the root servers.
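The following Python model is an added example, not code from the book, of two of the precautions just described: recursion is refused to clients outside the organization's own networks, so the server is not open-recursive, and a record is cached only if it lies within the zone the answering server is responsible for, so an answer for hacking.biz cannot carry an address for some other domain into the cache. The client networks, zone names, addresses and TTLs are constructed; real resolvers add further defenses beyond this model, such as source-port randomization and DNSSEC validation.

```python
import ipaddress

# Constructed: only these client networks may use this server recursively.
INTERNAL_CLIENTS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def recursion_allowed(client_ip: str) -> bool:
    """Not open-recursive: outside clients get answers for our own zones only, never recursion."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_CLIENTS)


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone itself or lies below it (www.example.com is inside example.com)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Cache of a recursive server that applies the bailiwick rule and honors TTLs."""

    def __init__(self):
        self.entries = {}   # (name, rtype) -> (value, expires_at)
        self.rejected = []  # records refused because they were outside the answering zone

    def ingest(self, response: dict, now: float) -> None:
        # response["authoritative_for"] is the zone the answering server was delegated.
        zone = response["authoritative_for"]
        for name, rtype, value, ttl in response["records"]:
            if not in_bailiwick(name, zone):
                self.rejected.append((name, rtype, value))
                continue
            self.entries[(name.lower(), rtype)] = (value, now + ttl)

    def lookup(self, name: str, rtype: str, now: float):
        key = (name.lower(), rtype)
        hit = self.entries.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if now >= expires_at:          # zone data has expired; force a fresh lookup
            del self.entries[key]
            return None
        return value


def demo() -> dict:
    cache = ResolverCache()
    now = 1000.0  # constructed clock
    # Constructed response from the server delegated for hacking.biz. It answers the
    # question asked but also includes a record for a domain it does not own.
    attacker_response = {
        "authoritative_for": "hacking.biz",
        "records": [
            ("hack.hacking.biz", "A", "203.0.113.66", 300),
            ("www.bank.example", "A", "203.0.113.66", 86400),  # outside the bailiwick
        ],
    }
    cache.ingest(attacker_response, now)
    return {
        "poisoned": cache.lookup("www.bank.example", "A", now),     # None: never cached
        "legit": cache.lookup("hack.hacking.biz", "A", now),        # cached normally
        "after_ttl": cache.lookup("hack.hacking.biz", "A", now + 301),  # expired
        "rejected": len(cache.rejected),
    }


if __name__ == "__main__":
    print(demo())
    print(recursion_allowed("192.168.4.4"), recursion_allowed("198.51.100.7"))
```

The bailiwick check is the piece that defeats the delegation trick in the text: the attacker's server is free to answer for its own zone, but anything it says about names outside that zone is discarded rather than cached.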

ARP Poisoning
All network cards have a unique 48-bit address that is hard-coded into the network card. For network communications to occur, this hardware address must be associated with an IP address. Address Resolution Protocol (ARP), which operates at Layer 2 (data link layer) of the Open Systems Interconnect (OSI) model, associates MAC addresses to IP addresses. ARP is a lower-layer protocol that is simple and consists of requests and replies without validation. However, this simplicity also leads to a lack of security. When you use a protocol analyzer to look at traffic, you see an ARP request and an ARP reply, which are the two basic parts of ARP communication. There are also Reverse ARP (RARP) requests and RARP replies. Devices maintain an ARP table that contains a cache of the IP addresses and MAC addresses the device has already correlated. The host device searches its ARP table to see whether there is a MAC address corresponding to the destination host IP address. When there is no matching entry, it broadcasts an ARP request to the entire network. The broadcast is seen by all systems, but only the device that has the corresponding information replies. However, devices can accept ARP replies before even requesting them. This type of entry is known as an unsolicited entry because the information was not explicitly requested. In addition, an attacker can broadcast a fake or spoofed ARP reply to an entire network and poison all computers. This is known as ARP poisoning. Put simply, the attacker deceives a device on your network, poisoning its table associations of other devices.

EXAM ALERT
Because ARP does not require any type of validation, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices. This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address.

ARP poisoning can lead to attacks such as DoS, man-in-the-middle attacks, and MAC flooding. DoS and man-in-the-middle attacks were discussed earlier in this chapter. MAC flooding is an attack directed at network switches. This type of attack is successful because of the nature of the way all switches and bridges work. The amount of space allocated to store source addresses of packets is very limited. When the table becomes full, the device can no longer learn new information and becomes flooded. As a result, the switch can be forced into a hublike state that will broadcast all network traffic to every device in the network.
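As an added example (not from the book) of the kind of monitoring the text recommends later for ARP, the Python class below watches a stream of observed ARP requests and replies and raises an alert for an unsolicited reply, for an IP address whose MAC binding changes, and for a switch port that suddenly shows an abnormal number of distinct source MACs. The event stream, MAC and IP addresses, port numbers and thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque


class ArpMonitor:
    """Passive watcher over observed ARP traffic (simplified arpwatch-style logic)."""

    def __init__(self, flood_threshold: int = 50, window: float = 5.0):
        self.bindings = {}                  # ip -> mac last seen claiming it
        self.pending = {}                   # ip asked about -> time of that request
        self.per_port = defaultdict(deque)  # switch port -> recent (time, source mac)
        self.flood_threshold = flood_threshold
        self.window = window
        self.alerts = []

    def observe(self, t: float, op: str, sender_ip: str, sender_mac: str, target_ip: str, port: int):
        # MAC flooding: an unusual number of distinct source MACs on one port in a short window.
        recent = self.per_port[port]
        recent.append((t, sender_mac))
        while recent and t - recent[0][0] > self.window:
            recent.popleft()
        distinct = {mac for _, mac in recent}
        if len(distinct) >= self.flood_threshold:
            self.alerts.append(f"t={t:.2f} port {port}: {len(distinct)} source MACs within "
                               f"{self.window}s (possible MAC flooding)")
            recent.clear()  # one flood produces one alert, not one per frame

        if op == "request":
            self.pending[target_ip] = t
            return

        # op == "reply": the sender asserts "sender_ip is-at sender_mac".
        asked_at = self.pending.pop(sender_ip, None)
        if asked_at is None or t - asked_at > self.window:
            self.alerts.append(f"t={t:.2f} unsolicited reply: {sender_ip} is-at {sender_mac} (port {port})")
        known = self.bindings.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(f"t={t:.2f} binding change: {sender_ip} moved {known} -> {sender_mac} "
                               f"(possible ARP poisoning)")
        self.bindings[sender_ip] = sender_mac


def demo() -> list:
    """Constructed event stream: a normal exchange, a bogus gateway reply, then a MAC flood."""
    mon = ArpMonitor()
    events = [
        (0.00, "request", "192.168.1.10", "aa:bb:cc:00:00:10", "192.168.1.1", 3),
        (0.05, "reply",   "192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.10", 1),  # real gateway
        (5.00, "reply",   "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.10", 7),  # nobody asked
    ]
    events += [
        (10.0 + i * 0.01, "request", "192.168.1.200",
         f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "192.168.1.1", 12)
        for i in range(60)  # 60 distinct source MACs on port 12 within a second
    ]
    for event in events:
        mon.observe(*event)
    return mon.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Static ARP entries and switch port security, which the text suggests next, stop these conditions from taking effect; a monitor like this one is how you learn that someone tried.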

An example of this is a tool called Macof. Macof floods the network with random MAC addresses. Switches may then get stuck in open-repeating mode, leaving the network traffic susceptible to sniffing. Nonintelligent switches do not check the sender's identity, thereby allowing this condition to happen. A lesser vulnerability of ARP is port stealing. Port stealing is a man-in-the-middle attack that exploits the binding between the port and the MAC address. The principle behind port stealing is that an attacker sends numerous packets with the source IP address of the victim and the destination MAC address of the attacker. This attack applies to broadcast networks built from switches.

ARP traffic operates at Layer 2 (data link layer) of the OSI model and is broadcast on local subnets. ARP poisoning is therefore limited to attacks that are local-based, so an intruder needs either physical access to your network or control of a device on your local network. To mitigate ARP poisoning on a small network, you can use static or script-based mapping for IP addresses and ARP tables. For large networks, use equipment that offers port security. By doing so, you can permit only one MAC address for each physical port on the switch. In addition, you can deploy monitoring tools or an intrusion detection system (IDS) to alert you when suspect activity occurs.

Network Design Elements and Components
As you create a network security policy, you must define procedures to defend your network and users against harm and loss. With this objective in mind, a network design and the included components play an important role in implementing the overall security of the organization. An overall security solution includes design elements and components such as firewalls, VLANs, and perimeter network boundaries that distinguish between private networks, intranets, and the Internet. This section discusses these elements and will help you tell them apart and understand their function in the security of the network.

Demilitarized Zone
A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy. Both internal and external users may have limited access to the servers in the DMZ. Figure 3.3 depicts a DMZ.

Figure 3.3: A DMZ (Internet, Router, DMZ containing the Email Server and Web Server, Firewall, Internal Server).

Often, web and mail servers are placed in the DMZ. Because these devices are exposed to the Internet, it is important that they are hardened and patches are kept current. Table 3.2 lists the most common services and ports that are run on servers inside the DMZ.

TABLE 3.2 Commonly Used Ports on Servers in the DMZ

Port   Service
21     FTP
22     SSH
25     SMTP
53     DNS
80     HTTP
110    POP3
443    HTTPS

The DMZ is an area that allows external users to access information that the organization deems necessary but will not compromise any internal organizational information. This configuration allows outside access, yet prevents external users from directly accessing a server that holds internal organizational data.
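The Python below is an added example, not the book's own material, that puts the filtering advice from this chapter into a single policy: it drops Internet-side packets whose source claims to be internal (the anti-spoofing filter mentioned under Spoofing and again under DDoS), drops directed broadcasts of the kind Smurf and Fraggle rely on, admits Internet traffic to DMZ hosts only on the ports they publish, and never lets the Internet or a DMZ host open a connection to the internal network. The address ranges, host roles and test packets are constructed for the example; the published ports are drawn from Table 3.2.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (documentation ranges, not a real site).
INSIDE = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("203.0.113.0/28")
BOGON = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Services the DMZ publishes to the Internet: host -> allowed TCP ports.
PUBLISHED = {
    "203.0.113.2": {80, 443},  # web server
    "203.0.113.3": {25},       # mail server
}


@dataclass
class Packet:
    in_zone: str   # interface the packet arrived on: "outside", "dmz" or "inside"
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in INSIDE:
        return "inside"
    if ip in DMZ:
        return "dmz"
    return "outside"


def decide(pkt: Packet):
    """Return ("accept" | "drop", reason) for one packet under the zone policy."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    dst_zone = zone_of(pkt.dst)

    if pkt.in_zone == "outside":
        # Anti-spoofing: traffic from the Internet may not carry an internal, DMZ,
        # private or loopback source address.
        if zone_of(pkt.src) != "outside" or any(src in net for net in BOGON):
            return "drop", "spoofed source address on outside interface"
        # Directed broadcasts are the amplifier behind Smurf and Fraggle.
        if dst in (INSIDE.broadcast_address, DMZ.broadcast_address):
            return "drop", "directed broadcast"
        if dst_zone == "inside":
            return "drop", "Internet may never reach the internal network directly"
        if dst_zone == "dmz":
            if pkt.proto == "tcp" and pkt.dport in PUBLISHED.get(pkt.dst, set()):
                return "accept", "published DMZ service"
            return "drop", "unpublished port on DMZ host"
        return "drop", "not addressed to this site"

    if pkt.in_zone == "dmz" and dst_zone == "inside":
        # A compromised DMZ host must not be able to reach servers holding internal data.
        return "drop", "DMZ may not initiate connections to the internal network"

    # Internal hosts outbound, and DMZ hosts to the Internet or each other, pass here;
    # a real firewall would also track state for the return traffic.
    return "accept", f"{pkt.in_zone} to {dst_zone}"


def run_cases() -> list:
    """Constructed packets covering each rule; returns the action taken for each."""
    cases = [
        Packet("outside", "192.168.1.50",  "203.0.113.2",   "tcp",  80),   # spoofed internal source
        Packet("outside", "198.51.100.9",  "192.168.1.255", "icmp", 0),    # directed broadcast
        Packet("outside", "198.51.100.9",  "203.0.113.2",   "tcp",  443),  # published web service
        Packet("outside", "198.51.100.9",  "203.0.113.2",   "tcp",  22),   # SSH not published
        Packet("outside", "198.51.100.9",  "192.168.1.10",  "tcp",  445),  # Internet to internal
        Packet("dmz",     "203.0.113.2",   "192.168.1.10",  "tcp",  1433), # DMZ to internal
        Packet("inside",  "192.168.1.10",  "198.51.100.9",  "tcp",  443),  # internal outbound
    ]
    return [decide(p)[0] for p in cases]


if __name__ == "__main__":
    print(run_cases())
```

The order of the checks matters: the spoofing test runs before any service rule, so a packet claiming an internal source can never be accepted as "published DMZ service" simply because it targets the right port.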

Intranet
An intranet is a portion of the internal network that uses web-based technologies. The information is stored on web servers and accessed using browsers. Although web servers are used, they don't necessarily have to be accessible to the outside world. This is possible because the IP addresses of the servers are reserved for private, internal use. You learn more about private IP addresses in the "NAT" section, later in this chapter. If the intranet can be accessed from public networks, it should be through a virtual private network (VPN) for security reasons. VPNs are described in greater detail in Chapter 6, "Securing Communications."

Extranet
An extranet is the public portion of the company's IT infrastructure that allows resources to be used by authorized partners and resellers that have proper authorization and authentication. This type of arrangement is commonly used for business-to-business relationships. Because an extranet can create liability for a company, care must be taken to ensure that VPNs and firewalls are configured properly and that security policies are strictly enforced.

Virtual Local Area Network
The purpose of a virtual local area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. Because switches operate on Layer 2 (data link layer) of the OSI model, a router is required if data is to be passed from one VLAN to another. Frame tagging is the technology used for VLANs. The 802.1Q standard defines a mechanism that encapsulates the frames with headers, which then tags them with a VLAN ID. VLAN-aware network devices look for these tags in frames and make appropriate forwarding decisions.

EXAM ALERT
The purpose of a VLAN is to logically group network nodes regardless of their physical location.

A VLAN is basically a software solution that allows unique tag identifiers to be assigned to different ports on the switch.
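To make frame tagging concrete, the following Python is an added example (not from the book) that parses the 802.1Q header described above, extracting the priority bits, the drop-eligible bit and the 12-bit VLAN ID, and that flags what an access port should never deliver: a frame carrying more than one tag, or a tag for a VLAN other than the port's own. The frame builder, the MAC addresses and the VLAN numbers are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (IEEE 802.1Q)
TPID_8021AD = 0x88A8  # service tag used by provider bridging (IEEE 802.1ad)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, peeling off every VLAN tag that precedes the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID.
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": format_mac(dst), "src": format_mac(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst: str, src: str, vids, ethertype: int = 0x0800,
                payload: bytes = b"", pcp: int = 0) -> bytes:
    """Constructed helper producing a frame with zero or more 802.1Q tags for the demo."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        out += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def check_access_port(frame: bytes, port_vlan: int) -> str:
    """An access port should carry untagged frames or a single tag for its own VLAN; anything else is suspect."""
    tags = parse_frame(frame)["tags"]
    if len(tags) > 1:
        return "suspect: nested tags arriving on an access port"
    if tags and tags[0]["vid"] != port_vlan:
        return f"suspect: tag for VLAN {tags[0]['vid']} on a VLAN {port_vlan} access port"
    return "ok"


if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [10], payload=b"\x45\x00", pcp=5)
    print(parse_frame(frame))
    print(check_access_port(frame, 10))
```

Nested tags are legitimate on provider trunks, which is why the parser accepts them; the check is scoped to access ports, where a second tag is the sign of a frame trying to cross into a VLAN the port does not belong to.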

Here are the benefits that VLANs provide:

- Users can be grouped by department rather than physical location.
- Moving and adding users is simplified. No matter where a user physically moves, changes are made to the software configuration in the switch.
- Because users on the same VLAN don't have to be associated by physical location, they can be grouped by department or function.

The most notable benefit of using a VLAN is that it can span multiple switches. Because VLANs allow users to be grouped, applying security policies becomes easier. Keep in mind that use of a VLAN is not an absolute safeguard against security infringements. It does not provide the same level of security as a router. A VLAN is a software solution and cannot take the place of a well subnetted or routed network. It is possible to make frames hop from one VLAN to another. This takes skill and knowledge on the part of an attacker, but it is possible. For more information about frame tagging and VLANs, see the "Suggested Reading and Resources" section at the end of the chapter.

Network Address Translation
Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. An important security aspect of NAT is that it hides the internal network from the outside world. In this situation, the internal network uses a private IP address. Special ranges in each IP address class are used specifically for private addressing. These addresses are considered nonroutable on the Internet. Here are the private address ranges:

- Class A—10.0.0.0 network. Valid host IDs are from 10.0.0.1 to 10.255.255.254.
- Class B—172.16.0.0 through 172.31.0.0 networks. Valid host IDs are from 172.16.0.1 through 172.31.255.254.
- Class C—192.168.0.0 network. Valid host IDs are from 192.168.0.1 to 192.168.255.254.

For smaller companies, NAT can be used in the form of Windows Internet Connection Sharing (ICS), where all machines share one Internet connection, such as a dial-up modem. NAT can also be used for address translation between multiple protocols, which improves security and provides for more interoperability in heterogeneous networks.

NOTE
Keep in mind that NAT and IPsec may not work well together. NAT has to replace the headers of the incoming packet with its own headers before sending the packet. This might not be possible because IPsec information is encrypted.

TIP
Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA). In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range.

Subnetting
Subnetting can be done for several reasons. If you have a Class C address and 1,000 clients, you will have to subnet the network or use a custom subnet mask to accommodate all the hosts. When your computers are on separate physical networks, you can divide your network into subnets that enable you to use one block of addresses on multiple physical networks. The most common reason networks are subnetted is to control network traffic. Splitting one network into two or more and using routers to connect each subnet together means that broadcasts can be limited to each subnet. However, often networks are subnetted to improve network security, not just performance. Subnetting allows you to arrange hosts into different logical groups that isolate each subnet into its own mini network. If an incident happens and you notice it quickly, you can usually contain the issue to that particular subnet. Subnet divisions can be based on business goals and security policy objectives. For example, perhaps you use contract workers and want to keep them separated from the organizational employees. Often, organizations with branches use subnets to keep each branch separate.

Should you need additional review on IP addressing and subnetting, a wide variety of information is available. One such website is Learntosubnet.com. In case you are unclear about IP classes, the following information will help you review or learn about the different classes.

IP Classes
IP address space is divided into five classes: A, B, C, D, and E. The first byte of the address determines which class an address belongs to:

- Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each.
- Network addresses with the first byte between 128 and 191 are Class B and can have about 65,000 hosts each.
- Network addresses with the first byte between 192 and 223 are Class C and can have about 250 hosts.
- Network addresses with the first byte between 224 and 239 are Class D and are used for multicasting.
- Network addresses with the first byte between 240 and 255 are Class E and are used as experimental addresses.

Notice that the 127 network address is missing. Although the 127.0.0.0 network is technically in the Class A area, using addresses in this range causes the protocol software to return data without sending traffic across a network. For example, the address 127.0.0.1 is used for TCP/IP loopback testing, and the address 127.0.0.2 is used by most DNS black lists for testing purposes.

IPv6 is designed to replace IPv4. Addresses are 128 bits rather than the 32 bits used in IPv4, and IPv6 addresses are represented in hexadecimal. Just as in IPv4, blocks of addresses are set aside in IPv6 for private addresses. In IPv6, internal addresses are called unique local addresses (ULA). Addresses starting with fe80: are called link-local addresses and are routable only in the local link area. For more information about IPv6, visit http://www.ipv6.org/.

Figure 3.4 shows an internal network with two different subnets. Notice the IP addresses, subnet masks, and default gateway addresses.

EXAM ALERT
Watch for scenarios or examples such as Figure 3.4 asking you to identify a correct/incorrect subnet mask, default gateway, or router.
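The following Python is an added example, not from the book, that applies the classful rules and address ranges from this section: it reports an address's class by first byte, tells private, APIPA and loopback addresses apart, works out the mask needed for a given number of hosts (the Class C network with 1,000 clients mentioned under Subnetting), and checks a host's configuration the way a Figure 3.4 exam question does, by confirming that the default gateway lies inside the host's own subnet. The sample addresses are constructed.

```python
import ipaddress

PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}
APIPA = ipaddress.ip_network("169.254.0.0/16")


def ip_class(addr: str) -> str:
    """Classful rule from the text: the first byte decides the class; 127 is set aside for loopback."""
    first = ipaddress.IPv4Address(addr).packed[0]
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if first >= 240:
        return "E"
    return "reserved"  # first byte 0 falls outside the classes listed in the text


def address_kind(addr: str) -> str:
    """Distinguish the special ranges this section describes from ordinary public addresses."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in PRIVATE_RANGES.values()):
        return "private"
    if ip.is_multicast:
        return "multicast"
    return "public"


def prefix_for_hosts(n_hosts: int) -> int:
    """Smallest prefix length whose block holds n_hosts usable addresses (network and broadcast excluded)."""
    host_bits = 1
    while (1 << host_bits) - 2 < n_hosts:
        host_bits += 1
    return 32 - host_bits


def check_host_config(ip: str, mask: str, gateway: str) -> list:
    """Return a list of problems with a host's IP/mask/gateway triple; empty means consistent."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"host {iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside subnet {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    print(ip_class("192.168.1.15"), address_kind("192.168.1.15"))
    print("1000 hosts need a /" + str(prefix_for_hosts(1000)))
    # Constructed: the second host points at the other subnet's gateway.
    print(check_host_config("192.168.1.15", "255.255.255.0", "192.168.1.1"))
    print(check_host_config("192.168.2.15", "255.255.255.0", "192.168.1.1"))
```

A host whose gateway sits in another subnet will never send its off-subnet traffic anywhere, which is exactly the misconfiguration the exam scenarios ask you to spot.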

255. These risks include compromise of all connected systems and any network connected to those systems.1 IP address: 192.255.4 A segmented network.168.x networks in routing tables. along with exposure of data the systems handle.0 and 192.0 Subnet 192.0 Default Gateway: 192.168.1.15 Subnet mask: 255.15 Subnet mask: 255.2.168.168.x and 192.168.255. This situation may come into play when an organization establishes network interconnections with partners.168.1 FIGURE 3.168.2. acquisition. These are not valid IP addresses for a network router and are used to identify the 192. Although this type of interconnection increases functionality and reduces costs. it can result in security risks. Organizational policies should require an interconnection agreement for any system or network that shares information with another external system or network. With interconnected networks.1. This might be in the form of an extranet or actual connection between the involved organizations as in a merger.25 Subnet mask: 255. connections between interconnecting networks should be secured.25 Subnet mask: 255.2. or joint project. The partnering organizations have little to no control over the management of the other party’s .168.1.255.168.168.0 identified next to the router. Network Interconnections Besides securing ports and protocols from outside attacks.2. Organizations need to carefully evaluate risk-management procedures and ensure that the interconnection is properly designed.168.1 Subnet 192.1.94 Chapter 3: Infrastructure Basics IP address: 192.2.168.255.2. Notice the subnets 192. Business partners can include government agencies and commercial organizations.0 Default Gateway: 192.1 IP address: 192.2.255.168.255.255.168.0 IP address: 192.0 Default Gateway: 192.1.1.1.0 Default Gateway: 192. the potential for damage greatly increases because one compromised system on one network can easily spread to other networks.

Network Design Elements and Components

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems, provides guidance for any organization that is considering interconnecting with a government agency or other organization. … system, so without careful planning and assessment, both parties can be harmed.

Network Access Control

One of the most effective ways to protect the network from malicious hosts is to use network access control (NAC). NAC offers a method of enforcement that helps ensure computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, granting (or not granting) access accordingly. It is based on assessment and enforcement. For example, if the user’s computer patches are not up-to-date and no desktop firewall software is installed, you can decide whether to limit access to network resources. Any host machine that doesn’t comply with your defined policy could be relegated to a remediation server or put on a guest VLAN.

The basic components of NAC products are
• Access requestor (AR)—This is the device that requests access. The assessment of the device can be self-performed or delegated to another system.
• Policy decision point (PDP)—This is the system that assigns a policy based on the assessment. The PDP determines what access should be granted and may be the NAC product’s management system.
• Policy enforcement point (PEP)—This is the device that enforces the policy. This device may be a switch, firewall, or router.

The four ways NAC systems can be integrated into the network are
• Inline—An appliance in the line, usually between the access and the distribution switches
• Out-of-band—Intervenes and performs an assessment as hosts come online and then grants appropriate access
• Switch based—Similar to inline NAC except enforcement occurs on the switch itself
• Host based—Relies on an installed host agent to assess and enforce access policy

In addition to providing the ability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers a number of business benefits.
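To make the AR, PDP and PEP roles concrete, here is an added Python sketch of the decision flow the text describes; it is not code from the book or from any NAC product, and the host names, VLAN numbers and the rule that a device sending no assessment is treated as a guest are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Posture:
    """Assessment the access requestor (AR) reports about itself."""
    host: str
    patches_current: bool
    desktop_firewall_running: bool

# Assumed VLAN plan used by the PEP (numbers are made up for the example)
VLAN_PRODUCTION = 10
VLAN_REMEDIATION = 90
VLAN_GUEST = 99

def pdp_decide(posture: Optional[Posture]) -> str:
    """Policy decision point: return 'allow', 'remediate' or 'guest'.

    A host that sends no assessment at all (no agent, unknown device) is
    treated as a guest (an assumption for this example); a host whose patches
    are behind or whose desktop firewall is off goes to remediation, which is
    the case the text uses; everything else gets normal access.
    """
    if posture is None:
        return "guest"
    if not posture.patches_current or not posture.desktop_firewall_running:
        return "remediate"
    return "allow"

def pep_enforce(decision: str) -> dict:
    """Policy enforcement point: translate the decision into switch-port state."""
    table = {
        "allow":     {"vlan": VLAN_PRODUCTION,  "acl": "permit any"},
        "remediate": {"vlan": VLAN_REMEDIATION, "acl": "permit remediation-server only"},
        "guest":     {"vlan": VLAN_GUEST,       "acl": "permit internet only"},
    }
    return table[decision]

def admit(posture: Optional[Posture]) -> dict:
    """Full AR -> PDP -> PEP flow for one host coming online."""
    decision = pdp_decide(posture)
    return {"decision": decision, **pep_enforce(decision)}

if __name__ == "__main__":
    # Constructed sample hosts: one compliant, one out of policy, one unknown
    for posture in (Posture("laptop-1", True, True),
                    Posture("laptop-2", False, False),
                    None):
        label = posture.host if posture else "unknown-device"
        print(label, admit(posture))
```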

The business benefits include compliance, a better security posture, and operational cost management.

Telephony

The transmission of data through equipment in a telecommunications environment is known as telephony. Telephony includes transmission of voice, fax, or other data. Many times, these components are neglected because they are not really network components. However, they use communications equipment that is susceptible to attack and therefore must be secured. This section describes the components that need to be considered when securing the environment.

Telecom/PBX

The telecommunications (telecom) system and Private Branch Exchange (PBX) are a vital part of an organization’s infrastructure. Besides the standard block, there are also PBX servers, where the PBX board plugs into the server and is configured through software on the computer. Many companies have moved to Voice over IP (VoIP) to integrate computer telephony, videoconferencing, and document sharing. For years PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy. Often, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port. To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done.

Voice over Internet Protocol

VoIP uses the Internet to transmit voice data. A VoIP system might be composed of many different components, including VoIP phones, desktop systems, PBX servers, and gateways. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent. In addition, there are voice-specific attacks and threats. H.323 and Inter Asterisk eXchange (IAX) are specifications and protocols for audio/video. They enable VoIP connections between servers and enable client/server communication. H.323 and IAX protocols can be vulnerable to sniffing during authentication. This allows an attacker to obtain passwords that may be used to compromise the voice network. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Man-in-the-middle attacks between the SIP phone and SIP proxy allow the audio to be manipulated, causing dropped, rerouted, or playback calls.

Many components comprise a VoIP network, and VoIP security is built upon many layers of traditional data security. Implementing the following solutions can help mitigate the risks and vulnerabilities associated with VoIP:
• Encryption
• Authentication
• Data validation
• Nonrepudiation

Modems

Modems are used via the phone line to dial in to a server or computer. They are gradually being replaced by high-speed cable and Digital Subscriber Line (DSL) solutions, which are faster than dial-up access. However, some companies still use modems for employees to dial into the network and work from home. The modems on network computers or servers are usually configured to take incoming calls. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. This attack can be set to target connected modems that are set to receive calls without any authentication, thus allowing attackers an easy path into the network. You can resolve this problem area in several ways:
• Set the callback features to have the modem call the user back at a preset number.
• Make sure authentication is required using strong passwords.
• Be sure employees have not set up modems at their workstations with remote-control software installed.

Cable and DSL modems are popular these days. They act more like routers than modems. Although these devices are not prone to war-dialing attacks, they do present a certain amount of danger by maintaining an always-on connection. If you leave the connection on all the time, a hacker has ample time to get into the machine and the network. Therefore, access can be gained in a lot of areas. The use of encryption and firewall solutions will help keep the environment safe from attacks.

Network Security Tools

The easiest way to keep a computer safe is by physically isolating it from outside contact. The way most companies do business today makes this virtually impossible. Our networks and environments are becoming increasingly more complex. Securing the devices on the network is imperative to protecting the environment. To secure devices, you must understand the basic security concepts of network security tools. This section introduces security concepts as they apply to the physical security devices used to form the protection found on most networks.

NIDS and HIDS

IDS stands for intrusion-detection system. Intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. They are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of IDSs are network-based and host-based. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines, and host-based IDSs (HIDSs) look at information that originates on the individual machines. Here are some basics:
• NIDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access. NIDSs tend to be more distributed.
• HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.

NIDSs and HIDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. They can be placed internally or between firewalls. Many different types of IDSs are available, all with different capabilities.

EXAM ALERT
NIDSs try to locate packets not allowed on the network that the firewall missed. HIDSs collect and analyze data that originates on the local machine or a computer hosting a service.

Chapter 7, “Intrusion Detection and Security Baselines,” covers IDSs in more detail.

Network Intrusion Prevention System

Network intrusion-prevention systems (NIPSs) are sometimes considered to be an extension of IDSs. NIPSs can be either hardware- or software-based. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of an attack. Intrusion-detection software is reactive, scanning for configuration weaknesses and detecting attacks after they occur. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop. NIPSs are designed to sit inline with traffic flows and prevent attacks in real time. An inline NIPS works like a Layer 2 bridge. It sits between the systems that need to be protected and the rest of the network. NIPSs proactively protect machines against damage from attacks that signature-based technologies cannot detect because most NIPS solutions can look at application layer protocols such as HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it doesn’t cause a complete network outage; instead, it acts like a patch cable. NIPSs are explained in greater detail in Chapter 7, “Intrusion Detection and Security Baselines.”

Firewalls

A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. A firewall is the first line of defense for the network. How firewalls are configured is important, especially for large companies where a compromised firewall may spell disaster in the form of bad publicity or a lawsuit, not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies don’t have a full-time technology staff, and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. Firewalls, like many other network-protection devices, differ in what they offer, so make sure they meet the needs of your company before committing to using them. Figure 3.5 shows a network with a firewall in place.

[Figure 3.5 diagram: Internet, Firewall, Server, Computers]
FIGURE 3.5 A network with a firewall.

There are three main types of firewalls:
• Packet-filtering firewall
• Proxy-service firewall, including two types of proxies:
  • Circuit-level gateway
  • Application-level gateway
• Stateful-inspection firewall

The following sections describe each type in detail.

Packet-Filtering Firewall

A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. This leaves the system open to DoS attacks. Their main advantage is speed, which is why they are sometimes used before other types of firewalls to perform the first filtering pass. Even though they are the simplest and least secure, they are a good first line of defense.

Proxy Service Firewall

Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don’t allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. It receives all packets and replaces the IP address on the packets going out with its own address and then changes the address of the packets coming in to the destination address. Here are the two basic types of proxies:
• Circuit-level gateway—Operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one. DoS attacks are detected and prevented in circuit-level architecture where a security device discards suspicious requests.
• Application-level gateway—All traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Because the filtering is application-specific, it adds overhead to the transmissions but is more secure than packet filtering.

Stateful-Inspection Firewall

A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Because it knows the connection status, it can protect against IP spoofing. It has better security controls than packet filtering, but because it has more security controls and features, it increases the attack surface and is more complicated to maintain.

Other Firewall Considerations

In addition to the core firewall components, administrators should consider other elements when designing a firewall solution. These include network, remote-access, and authentication policies. Firewalls can also provide access control, logging, and intrusion notification.

Proxy Servers

A proxy server operates on the same principle as a proxy-level firewall in that it is a go-between for the network and the Internet. Proxy servers are used for security, including filtering, logging, and caching.
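As an added illustration (not from the book), the following Python model contrasts a stateless packet filter with a stateful-inspection firewall on the same constructed packets: the packet filter must open a port-based hole for return traffic, so an unsolicited packet and a packet spoofing an internal source both get through, while the stateful firewall admits inbound packets only for sessions it saw the inside open. The addresses, ports and the published web server are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_PREFIX = "10.0.0."     # assumed internal network
WEB_SERVER = ("10.0.0.80", 80)  # assumed published service

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool = True    # True: arriving from the Internet side
    syn: bool = False       # True: first packet of a TCP connection

def packet_filter(pkt: Packet) -> bool:
    """Stateless Layer 3/4 rules: addresses and ports only, no session memory.

    To let replies to outbound web requests back in, the rule set has to
    permit every inbound packet from source port 80/443 to any inside host,
    regardless of whether a matching session exists.
    """
    if not pkt.inbound:
        return pkt.src.startswith(INTERNAL_PREFIX)   # anything leaving from inside
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return True                                 # published web server
    return pkt.sport in (80, 443)                   # the "return traffic" hole

class StatefulFirewall:
    """Remembers connections the inside opened; inbound packets are admitted
    only if they answer one of those (or hit the published service)."""

    def __init__(self) -> None:
        self.sessions = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if not pkt.src.startswith(INTERNAL_PREFIX):
                return False    # outbound packet that does not come from inside
            if pkt.syn:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport) == WEB_SERVER:
            return True
        # An inbound packet claiming an inside source address can never match a
        # session the inside opened, so a spoofed packet falls through to deny.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo() -> List[Tuple[bool, bool]]:
    """Run a constructed packet sequence through both firewalls and return
    (packet_filter verdict, stateful verdict) for each packet."""
    sf = StatefulFirewall()
    packets = [
        Packet("10.0.0.5", 40000, "93.184.216.34", 443, inbound=False, syn=True),  # inside client opens HTTPS
        Packet("93.184.216.34", 443, "10.0.0.5", 40000),                            # the server's reply
        Packet("203.0.113.7", 443, "10.0.0.9", 3389),                               # unsolicited, aimed at RDP
        Packet("10.0.0.1", 443, "10.0.0.9", 445),                                   # inbound, spoofed inside source
    ]
    return [(packet_filter(p), sf.check(p)) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print("packet filter: %s   stateful: %s" % verdict)
```

A stateless filter can also drop inbound packets carrying inside source addresses with an explicit anti-spoofing rule; the point here is that the stateful firewall gets that protection from session tracking without one.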

When the proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache for previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. It also provides better utilization of bandwidth because it stores all your results from requests for a period of time. The web cache can also be used to block content from websites that you don’t want employees to access, such as pornography, social, or peer-to-peer networks. This type of server can be used to rearrange web content to work for mobile devices.

TIP
An exposed server that provides public access to a critical service, such as a web or email server, may be configured to isolate it from an organization’s network and to report attack attempts to the network administrator. Such an isolated server is referred to as a bastion host, named for the isolated towers that were used to provide castles advanced notice of pending assault.

Internet Content Filters

Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. An example of such software is Vista’s Parental Controls. Content filtering requires an agent on each workstation to inspect the content being accessed. Internet content filtering works by analyzing data against a database contained in the software. If a match occurs, the data can be addressed in one of several ways, including capturing the content, or blocking it and closing the application. Content filtering will report only on violations identified in the specified applications listed for the filtering application. In other words, if the application will filter only Microsoft Office documents and a user chooses to use Open Office, the content will not be filtered. If the content data violates the preset policy, a capture of the violating screen is stored on the server with pertinent information relating to the violation. This might include a violation stamp with user, date, time, and application. This information can later be reviewed. Using a predetermined database of specific terminology can help the organization focus on content that violates policy. For example, a sexually explicit database may contain words that are used in the medical industry. Content-filtering applications allow those words that are used in medical context to pass through the filter without reporting a violation.

This same principle enables an organization to monitor for unauthorized transfer of confidential information. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Content filtering is integrated at the operating system level so that it can monitor events such as opening files via Windows Explorer. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes. Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” For example, to filter nonpornographic material, the terminology must be input and defined in the database.

Protocol Analyzers

Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Protocol analyzers can do more than just look at packets. They prove useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if the network is running slowly, a protocol analyzer can tell you whether unnecessary protocols are running on the network. You can also filter specific port numbers and types of traffic so that you can keep an eye on indicators that may cause you problems. Many protocol analyzers can be run on multiple platforms and do live traffic captures and offline analysis. Software USB protocol analyzers are also available for the development of USB devices and analysis of USB traffic.

Exam Prep Questions

1. You want to implement a proxy firewall technology that can distinguish between FTP commands. Which of the following types of firewall should you choose?
❍ A. Proxy gateway
❍ B. Circuit-level gateway
❍ C. Application-level gateway
❍ D. SOCKS proxy

2. Your company is in the process of setting up a management system on your network, and you want to use SNMP. You have to allow this traffic through the router. Which UDP ports do you have to open? (Choose two correct answers.)
❍ A. 161
❍ B. 139
❍ C. 138
❍ D. 162

3. Your company is in the process of setting up a DMZ segment. You have to allow email traffic in the DMZ segment. Which TCP ports do you have to open? (Choose two correct answers.)
❍ A. 110
❍ B. 139
❍ C. 25
❍ D. 443

4. You want to use NAT on your network, and you have received a Class C address from your ISP. What range of addresses should you use on the internal network?
❍ A. 10.x.x.x
❍ B. 172.16.x.x
❍ C. 172.31.x.x
❍ D. 192.168.x.x

5. You are setting up a switched network and want to group users by department. Which technology would you implement?
❍ A. DMZ
❍ B. VPN
❍ C. VLAN
❍ D. NAT

6. You are setting up a web server that needs to be accessed by both the employees and by external customers. What type of architecture should you implement?
❍ A. VLAN
❍ B. DMZ
❍ C. NAT
❍ D. VPN

7. You have recently had some security breaches in the network. You suspect it may be a small group of employees. You want to implement a solution that will monitor the internal network activity and incoming external traffic. Which of the following devices would you use? (Choose two correct answers.)
❍ A. A router
❍ B. A network-based IDS
❍ C. A firewall
❍ D. A host-based IDS

8. Services using an interprocess communication share such as network file and print sharing services leave the network susceptible to which of the following attacks?
❍ A. Spoofing
❍ B. Null sessions
❍ C. DNS kiting
❍ D. ARP poisoning

9. You’re the security administrator for a bank. The users are complaining about the network being slow. However, it is not a particularly busy time of the day. Traffic patterns indicate that an unauthorized service is relaying information to a source outside the network. What type of attack is likely being executed against your network?
❍ A. Spoofing
❍ B. Man-in-the-middle
❍ C. Replay
❍ D. Denial of service

10. Your network is under attack. You capture network packets and discover that hundreds of ICMP packets have been sent to the host. What type of attack is being executed against you?
❍ A. Spoofing
❍ B. Man-in-the-middle
❍ C. DNS kiting
❍ D. Denial of service

Answers to Exam Prep Questions

1. C. An application-level gateway understands services and protocols. Answer A is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway’s decisions are based on source and destination addresses. Answer D is incorrect because SOCKS proxy is an example of a circuit-level gateway.

2. A, D. UDP ports 161 and 162 are used by SNMP. Answer B is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution.

3. A, C. Port 110 is used for POP3 incoming mail, and port 25 is used for SMTP outgoing mail. POP3 delivers mail only, and SMTP transfers mail between servers. Answer B is incorrect because UDP uses port 139 for network sharing. Port 443 is used by HTTPS; therefore, answer D is incorrect.

4. D. In a Class C network, valid host IDs are from 192.168.0.1 to 192.168.255.254. Answer A is incorrect because it is a Class A address; valid host IDs are from 10.0.0.1 to 10.255.255.254. Answers B and C are incorrect because they are both Class B addresses; valid host IDs are from 172.16.0.1 through 172.31.255.254.

5. C. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

6. B. A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect; the purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer C is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer D is incorrect because a VPN is a network connection that allows you access via a secure tunnel created through an Internet connection.

7. B, D. Because you want to monitor both types of traffic, the IDSs should be used together. Network-based intrusion-detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and may have gotten through the firewall. Host-based intrusion-detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. Answer A is incorrect because a router forwards information to its destination on the network or the Internet. A firewall protects computers and networks from undesired access by the outside world; therefore, answer C is incorrect.

8. B. A null session is a connection without specifying a user name or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because domain kiting refers to the practice of taking advantage of the add grace period (AGP) to monopolize domain names without even paying for them. Answer D is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address.

9. B. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. In a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later; therefore, answer C is incorrect. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.

10. D. A ping flood is a DoS attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer C is incorrect because domain kiting refers to the practice of taking advantage of the add grace period (AGP) to monopolize domain names without even paying for them.

Additional Reading and Resources

1. Davis, David. “What is a VLAN? How to Setup a VLAN on a Cisco Switch”: http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm
2. Grance, Tim, Joan Hash, Steven Peck, Jonathan Smith, and Karen Korow-Diks. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-47/sp800-47.pdf
3. Harris, Shon. CISSP All-in-One Exam Guide, Fourth Edition. McGraw-Hill Osborne Media, 2007.
4. National Institute of Standards and Technology. Guidelines on Securing Public Web Servers, Special Publication 800-44 Version 2: http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
5. Odom, Wendell. CCNA Official Exam Certification Library (CCNA Exam 640-802), Third Edition. Cisco Press, 2007.
6. Shinder, Thomas W. The Best Damn Firewall Book Period, Second Edition. Elsevier, 2008.
7. Simpson, W. RFC 2853, IP in IP Tunneling: http://www.ietf.org/rfc/rfc1853

CHAPTER FOUR
4 Infrastructure Security and Controls

Terms you need to understand:
✓ Antivirus
✓ Antispam
✓ Pop-up blockers
✓ Virtualization technology
✓ Security groups
✓ Access control lists
✓ Group policies
✓ Logical tokens
✓ Probability
✓ Risk

Techniques you need to master:
✓ Differentiate between the different types of security applications that can be applied on the internal network.
✓ Apply the appropriate network tools to facilitate network security.
✓ Implement the appropriate security groups, rights and permissions, and roles.
✓ Define logical internal access control methods.
✓ Explain how to calculate risk and return on investment.

In the preceding chapter, you learned about the basic components of the network infrastructure, its vulnerabilities, and some methods to mitigate exploitation. Network security goes beyond just knowing the risks and vulnerabilities. To mitigate threats and risks, you must also know how to assess your environment and protect it. This chapter discusses how to implement security applications to help mitigate risk and how to use security groups, roles, rights and permissions in accordance with industry best practices. In addition, this chapter covers how you can use physical security as a tool to mitigate threats and protect computers and network infrastructure.

Implementing Security Applications

When dealing with security issues, two areas need to be covered. The first one addresses the physical components such as hardware, network components, and physical security designs. The second one deals with using protocols and software to protect data. The latter covers software that can help protect the internal network components, such as personal firewalls and antivirus software.

Personal Software Firewalls

Desktops and laptops need to have layered security just like servers. This is especially true for the telecommuter’s machine. Always-connected computers, typical with cable modems, give attackers plenty of time to discover and exploit system vulnerabilities. The potential for hackers to access data through a user’s machine has grown substantially as hacking tools have become more sophisticated and difficult to detect. However, many organizations stop this protection at antivirus software, which in today’s environment may not be enough to ward off malware. One of the most common ways to protect desktops and laptops is to use a personal firewall. Firewalls can consist of hardware, software, or a combination of both. This discussion focuses on software firewalls that you can implement into the user environment. Many software firewalls are available, and most operating systems now come with them readily available. You can choose to use the OS vendor firewall or to install a separate one. Like most other solutions, firewalls have strengths and weaknesses. Typically, firewalls close off systems to scanning and entry by blocking ports or nontrusted services and applications. However, they require proper configuration. By design, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. Some users might find this annoying and disable the firewall or not understand what the software is asking and allow all communications.

Another caveat is that some firewalls monitor only for incoming connections and not outgoing. No system is foolproof, but software firewalls installed on user systems can help make the computing environment safer. Remember that even a good firewall cannot protect you if you do not exercise a proper level of caution and think before you download.

EXAM ALERT
Monitoring outbound connections is important, so that you protect against malware that “phones home.” Without this type of protection, the environment is not properly protected.

Antivirus

Another necessary software program for protecting the user environment is antivirus software. Antivirus software is used to scan for malicious code in email and downloaded files. Antivirus software actually works backward. Virus writers release a virus, and then antivirus vendors reverse-engineer the code to find a solution. After the virus has been analyzed, the antivirus software can look for specific characteristics of the virus. Remember that for a virus to be successful, it must replicate its code. Chapter 7, “Intrusion Detection and Security Baselines,” explains this concept in more detail. The most common method used in an antivirus program is scanning. Scanning identifies virus code based on a unique string of characters known as a signature. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. When the virus software detects the signature, it isolates the file, and the detection is reported. Then, depending on the software settings, the antivirus software quarantines it or permanently deletes it. In the past, antivirus engines used a heuristic engine for detecting virus structures or integrity checking as a method of file comparison. Interception software detects viruslike behavior and then pops up a warning to the user. However, because the software looks only at file changes, it might also detect legitimate files. A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action.
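Added example, not from the book or any antivirus product: a minimal Python model of the two methods just described, signature scanning with quarantine-or-delete handling, and integrity checking, which reports a legitimately edited file as changed (the false-positive case). The signature strings and file contents are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database: name -> byte string found in the sample.
# Real signatures are longer and pattern-based; these are placeholders.
SIGNATURES: Dict[str, bytes] = {
    "Test.Sample.A": b"SAMPLE-MALWARE-MARKER-A",
    "Test.Sample.B": b"\xde\xad\xbe\xef\x13\x37",
}

def signature_scan(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Signature scanning: report each file that contains a known signature.

    A real engine scans memory, the boot sector and the disk; here the
    'files' dict stands in for the files on disk.
    """
    hits = []
    for name, data in files.items():
        for sig_name, pattern in SIGNATURES.items():
            if pattern in data:
                hits.append((name, sig_name))
                break          # one match is enough to isolate the file
    return hits

def handle_hits(files: Dict[str, bytes], hits: List[Tuple[str, str]],
                action: str = "quarantine"):
    """Isolate (quarantine) or permanently delete each detected file,
    depending on the product setting. Returns (remaining files, quarantine)."""
    if action not in ("quarantine", "delete"):
        raise ValueError("unknown action: %s" % action)
    remaining = dict(files)
    quarantine = {}
    for name, sig_name in hits:
        data = remaining.pop(name)
        if action == "quarantine":
            quarantine[name] = (sig_name, data)
    return remaining, quarantine

def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity checking, step 1: record a hash of every file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def integrity_check(files: Dict[str, bytes], base: Dict[str, str]) -> List[str]:
    """Integrity checking, step 2: list files whose hash changed since the baseline.

    This sees only that a file changed, not why, so a file the user legitimately
    edited is reported just like an infected one (a false positive).
    """
    return sorted(name for name, data in files.items()
                  if base.get(name) != hashlib.sha256(data).hexdigest())

def demo():
    """Constructed sample run; returns (hits, quarantined names, changed names)."""
    files = {
        "report.doc": b"quarterly numbers",
        "setup.exe": b"MZ..." + b"SAMPLE-MALWARE-MARKER-A" + b"...",
        "notes.txt": b"todo: patch laptops",
    }
    hits = signature_scan(files)
    remaining, quarantined = handle_hits(files, hits)
    base = baseline(remaining)
    remaining["notes.txt"] = b"todo: patch laptops (done)"   # legitimate edit
    changed = integrity_check(remaining, base)
    return hits, sorted(quarantined), changed

if __name__ == "__main__":
    print(demo())
```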

The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated.

EXAM ALERT
Heuristic scanning looks for instructions or commands that are not typically found in application programs.

Most antivirus software used today is fairly effective, but only if it’s kept updated and the user practices safe computing habits such as not opening unfamiliar documents or programs. Despite all this, antivirus software cannot protect against brand new viruses, and often users do not take the necessary precautions. Users sometimes disable antivirus software because it may interfere with programs that are currently installed on the machine. Be sure to guard against this type of incident. Antivirus software vendors update their virus signatures on a regular basis. Most antivirus software connects to the vendor website to check the software database for updates and then automatically downloads and installs them as they become available. When the software and updates are installed on a central server and pushed out to the client machines, this is called a centralized solution. When the updates are left up to the individual users, you have a decentralized environment. Besides setting your antivirus software for automatic updates, you should set the machine to automatically scan at least once a week. The best defense against virus infection is user education. In the event a machine does become infected, the first step is to remove it from the network so that it cannot damage other machines.

Antispam

Sophos Research reports that 92.3 percent of all email was spam during the first quarter of 2008. Spam is defined several ways, the most common being unwanted commercial email. Although spam may merely seem to be an annoyance, it uses bandwidth, takes up storage space, and reduces productivity. Antispam software can add another layer of defense to the infrastructure. You can install antispam software in various ways. The most common methods are at the email server or the email client. As with the previous discussions in this section, this discussion focuses on the client-side implementation. The main component of antispam software is heuristic filtering. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. The software reads the contents of each message and compares the words in that message against the words in typical spam messages. Each rule assigns a numeric score to the probability of the message being spam. This score is then used to determine whether the message meets the acceptable level set. If many of the same words from the rule set are in the message being examined, it’s marked as spam.

but it may also filter legitimate email as spam. many are an annoyance. the message may get filtered even if the address is on the approved list. An email address added to the blocked list is always considered spam. Additional settings can be used in the rule set. and the browsers included with some operating systems such as Windows XP can block pop-up blockers. Pop-Up Blockers A common method for Internet advertising is using a window that pops up in the middle of your screen to display a message when you click a link or button on a Website. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups. Other factors may affect the ability to receive email on white lists. It simply tracks and compares the words used. These types of ads often are not seen until the current window is closed. various downloadable pop-up blocking software is available. it’s marked as spam. For example. putting the addresses of your relatives or friends in your white list allows you to receive any type of content from them. Most online toolbars come with pop-up blockers. Keep in mind that you can adjust the settings on pop-up blockers to meet the organizational policy or to best protect the user environment. A pop-under ad opens a new browser window under the active window. . This is also known as a white list. NOTE It is important to understand that the software can’t assign meaning to the words examined. Although some pop-ups are helpful. There are several variations of pop-up windows. In general. thus causing false positives.113 Implementing Security Applications same words from the rule set are in the message being examined. if attachments are not allowed and the email has an attachment. more spam will be filtered. They are essentially “floating pop-ups” in a web page. and others can contain inappropriate content or entice the user to download malware. Specific spam filtering levels can be set on the user’s email account. For example. This is also known as a black list. 
If the setting is high. Using white lists allows more flexibility in the type of email you receive. an email address added to the approved list is never considered spam. have settings that you can adjust. Pop-up blockers. just like many of the other defensive software discussed so far. You might want to try setting the software to medium so that it will block most automatic pop-ups but still allow functionality.
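The heuristic scoring, filtering levels, and white/black list behavior described in the Antispam section, modeled as an added example in Python (this is illustrative code, not a product's filter or code from the book). The rule words, their scores, the three threshold levels, and the sample messages are all constructed for the example; the attachment rule shows how a rule-set setting still filters a white-listed sender.

```python
"""Heuristic spam scoring with white list, black list and rule-set
overrides. Added illustration, not code from the book; rule weights,
thresholds and sample messages are constructed."""
from dataclasses import dataclass, field
from typing import Set, Tuple

# Constructed rule set: a word typical of spam and the score it adds.
WORD_SCORES = {
    "free": 2.0, "winner": 3.0, "viagra": 5.0, "click": 1.5,
    "guaranteed": 2.0, "urgent": 1.5, "unsubscribe": 1.0, "$$$": 3.0,
}

# Filtering level presets: a message scoring at or above the threshold is spam.
# The higher the level, the lower the bar, and the more false positives.
THRESHOLDS = {"low": 8.0, "medium": 5.0, "high": 3.0}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    has_attachment: bool = False


@dataclass
class FilterConfig:
    level: str = "medium"
    white_list: Set[str] = field(default_factory=set)
    black_list: Set[str] = field(default_factory=set)
    allow_attachments: bool = True


def word_score(msg: Message) -> float:
    """Sum the scores of rule words found in subject and body.
    The filter attaches no meaning to the words; it only counts them."""
    words = (msg.subject + " " + msg.body).lower().split()
    return sum(WORD_SCORES.get(w.strip(".,!?"), 0.0) for w in words)


def classify(msg: Message, cfg: FilterConfig) -> Tuple[str, str]:
    """Return ("spam" | "ham", reason). The black list and the rule-set
    attachment setting are absolute; the white list only bypasses the
    word-score heuristic."""
    sender = msg.sender.lower()
    if sender in cfg.black_list:
        return "spam", "sender on black list"
    if msg.has_attachment and not cfg.allow_attachments:
        # A rule-set setting applies even to approved senders.
        return "spam", "attachment not allowed"
    if sender in cfg.white_list:
        return "ham", "sender on white list"
    score = word_score(msg)
    threshold = THRESHOLDS[cfg.level]
    if score >= threshold:
        return "spam", "score %.1f >= %.1f" % (score, threshold)
    return "ham", "score %.1f < %.1f" % (score, threshold)
```

Raising the level from medium to high changes the verdict on the same borderline message, which is exactly the false-positive trade-off described above; a white-list entry rescues it, unless another rule-set setting (here, disallowed attachments) fires first.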

Several caveats apply to using pop-up blockers. There are helpful pop-ups. Field help for fill-in forms is often in the form of a pop-up. Some pop-up blockers may delete the information already entered by reloading the page, causing users unnecessary grief. Some web-based application installers use a pop-up to install software. If all pop-ups are blocked, the user may not be able to install applications or programs. You can also circumvent pop-up blockers in various ways. On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass the pop-up filter. Most pop-up blockers block only windows opened by JavaScript; therefore, technologies such as Flash can bypass the pop-up blocker.

Virtualization Technology

With more emphasis being placed on going green and power becoming more expensive, virtualization offers cost benefits by decreasing the number of physical machines required within an environment. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. On the client side, the ability to run multiple operating environments allows a machine to support applications and services for an operating environment other than the primary environment. Virtual environments can also be used to improve security by allowing unstable applications to be used in an isolated environment and by providing better disaster recovery solutions. This applies to both servers and desktops. Forensic analysts often use virtual environments to examine environments that may contain malware, or as a method of viewing the environment the same way the criminal did while leaving the original system intact. Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Currently, many implementations of virtual environments are available to run on just about everything from servers and routers to USB thumb drives.

For virtualization to occur, a hypervisor is used. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that allows more than one operating system to run on a host computer at the same time. The hypervisor controls how access to a computer's processors and memory is shared. A Type 1, native, or bare-metal hypervisor is software that runs directly on a hardware platform. The guest operating system runs at the second level above the hardware. The guest OS is not aware it is being virtualized and requires no modification. This technique allows full guest systems to be run in a relatively efficient manner. A Type 2 or hosted hypervisor is software that runs within an operating system environment. The hypervisor runs as an application or shell on another already running operating system, and the guest operating system runs at the third level above the hardware.

The use of virtualization is growing in the individual-use market and in the corporate environment. Users can now load a virtualized environment using a portable USB storage device or network-attached storage. Preconfigured virtual appliances are available for operating systems, networking components, and applications. These advances give the organization more control over the environment because virtual machines can be pushed out to the desktops or given to mobile workers.

The security concerns of virtual environments begin with the guest operating system, but they do not end there. If the host machine or the hypervisor is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, the virtualization software that mediates that sharing runs with very high privileges; a flaw in it can allow an intruder who compromises a virtual machine to escape it and compromise the host machine. Vulnerabilities also come into play. For example, a few years ago, VMware's NAT service had a buffer-overflow vulnerability that allowed remote attackers to execute malicious code by exploiting the virtual machine itself. Virtual machine environments need to be patched just like host environments and are susceptible to the same issues as a host operating system. You should also be cognizant of files shared between guest and host operating systems, because a shared folder is a path from a compromised guest to the host. Security policy should address virtual environments, as must the investigative issues in using such environments. Any technology or software without a defined business need should not be allowed on systems. This applies to all systems, including virtual environments.

EXAM ALERT
Virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk.

To secure a virtualized environment, the security of the host machine and the virtual machine must both be considered. A policy should be in place that specifies that hardware is not shared between test environments and systems holding sensitive data; machines should be segmented by the sensitivity of the information they contain. Another way to secure a virtualized environment is to use standard locked-down images. Other areas that present issues for a virtualized environment and need special consideration are deploying financial applications on virtualized shared hosting and secure storage on storage-area network (SAN) technologies.

Applying Network Tools to Facilitate Security

Chapter 3, "Infrastructure Basics," described the design elements and components such as firewalls, VLANs, and perimeter network boundaries that distinguish between private networks, intranets, and the Internet. It is important to not only know how to use the proper elements in design but also how to position and apply these tools to facilitate security. This section discusses just that.

Firewalls

In any environment, threats to network integrity come from both external and internal sources. Network compromises now carry an increased threat with the spread of botnets, which were discussed in Chapter 1, "System Threats and Risks." This means an entire corporate network can be used for spam relay, phishing systems, and launching distributed denial-of-service (DDoS) attacks. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network. Although Chapter 3 discussed the types and uses of various firewall technologies, it did not discuss their placement. As you read through this section, you might need to review the descriptions of each firewall type in the preceding chapter.

As you learned in Chapter 3, there are three basic types of firewalls:

- Packet filtering—Best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network, judging each packet on its own by addresses, ports, and flags, without remembering which connections are open.
- Stateful inspection—Suited for main perimeter security. A stateful inspection firewall tracks the connections it has seen and admits an inbound packet only if it belongs to one of them or is explicitly permitted, so it can thwart port scanning by keeping ports effectively closed until a connection to the specific port is requested.
- Proxy service—Allows organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network.

Knowing the difference between these types of firewalls and the proper placement of each is important to securing the infrastructure. The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and to provide notification of suspicious behavior. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests destined for servers in the DMZ or to route requests to an authentication proxy. The second firewall is placed between the DMZ and the internal network to allow outbound requests. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet. Figure 4.1 shows an example.

[FIGURE 4.1 A network with two firewalls: Internet, router, first firewall, DMZ containing the web server, email server, and RADIUS server, second firewall, and the internal database server.]

EXAM ALERT
Watch for scenarios that ask you to select the proper firewall placement based on organizational need.

When deploying multiple firewalls, you might experience network latency. If you do, check the placement of the firewalls and possibly reconsider the topology to be sure you get the most out of the firewalls. Most organizations have many firewalls, with the level of protection strongest nearest to the outside edge of the environment. Another factor to think about is the use of a storage-area network (SAN) or network-attached storage (NAS) behind a firewall. Because most storage environments span multiple networks, this creates a virtual bridge that can bypass a firewall, providing a channel into the storage environment if a system is compromised in the DMZ.

Proxy Servers

Proxy servers are used for a variety of reasons, so the placement will depend on the usage. Proxy servers can be placed between the private network and the Internet for Internet connectivity or internally for Web content caching. If the organization is using the proxy server for both Internet connectivity and Web content caching, the proxy server should be placed between the internal network and the Internet, with its public addresses behind a packet-filtering router. Other configurations include being deployed behind a firewall or in a DMZ. In some proxy server designs, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Every proxy server in your network must have at least one network interface. Proxy servers with a single network interface can provide Web content caching and IP gateway services. To provide Internet connectivity, you must specify two or more network interfaces for the proxy server.

Internet Content Filters

Internet content filters can be hardware or software. Many network solutions combine both. Hardware appliances are usually connected to the same network segment as the users they will monitor. These appliances use access control filtering software on the dedicated filtering appliance, with access for users who are requesting the Web content.

Protocol Analyzers

Protocol analyzers can be placed in-line or in between the devices from which you want to capture the traffic. The analyzer is placed to capture traffic between the host and the monitored device. The device monitors every packet of tra
ffic that passes over a network. If you are analyzing SAN traffic, the analyzer can be placed outside the direct link with the use of an optical splitter.

Logical Access Control Methods

In this section, we focus on the logical methods of access control. Logical access controls are used in addition to physical security controls to limit access to data. This design helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. In addition, it helps the organization conform to laws, regulations, and standards. Logical controls are important to infrastructure security because these controls are part of assessing your environment and protecting it to mitigate threats and risks. Insider threats are very real, and the more access someone has, the bigger the threat he or she can become. This section covers the most common methods used for logical access control. Chapter 5, "Access Control and Authentication Basics," focuses on access control mechanisms and methods for secure network authentication.
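The difference between the packet-filtering and stateful-inspection firewalls described above, as an added example in Python (illustrative code, not from the book or any firewall product). The rule set, the addresses, and the packets are constructed; the example models the classic weakness of a stateless filter, which has to admit reply traffic by looking at the ACK flag alone and therefore also admits an attacker's ACK probes, whereas the stateful firewall drops anything that does not belong to a connection it saw opened.

```python
"""Packet-filtering versus stateful-inspection decisions, modeled in
Python. Added example, not from the book; rules, addresses and packets
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # TCP flags present, e.g. frozenset({"SYN"})
    inbound: bool        # True: from the Internet toward the protected network


# Constructed stateless rule set: (action, direction, destination port or None,
# required TCP flag or None). First match wins; anything unmatched is denied.
# A stateless filter cannot remember which connections the inside opened, so
# it admits replies with a rule accepting any inbound segment that has ACK set.
PACKET_FILTER_RULES = [
    ("allow", "inbound", 80, None),       # published web server
    ("allow", "inbound", 25, None),       # published mail server
    ("allow", "inbound", None, "ACK"),    # "established" traffic, judged by the flag only
    ("allow", "outbound", None, None),    # any outbound traffic
]


def packet_filter(pkt: Packet) -> str:
    """Evaluate one packet against the stateless rule set."""
    direction = "inbound" if pkt.inbound else "outbound"
    for action, rdir, port, flag in PACKET_FILTER_RULES:
        if rdir != direction:
            continue
        if port is not None and pkt.dport != port:
            continue
        if flag is not None and flag not in pkt.flags:
            continue
        return action
    return "deny"


class StatefulFirewall:
    """Keeps a connection table. An inbound packet is accepted only if it
    belongs to a connection already in the table or opens a connection to a
    published service; an unsolicited probe to any other port is dropped,
    so a scanner learns nothing about that port."""
    PUBLISHED_PORTS = {80, 25}

    def __init__(self):
        self.table = set()

    @staticmethod
    def _key(pkt: Packet) -> frozenset:
        # Same key for both directions of one connection.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def decide(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.table:
            return "allow"
        opening = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if opening and (not pkt.inbound or pkt.dport in self.PUBLISHED_PORTS):
            self.table.add(key)       # remember the connection for its replies
            return "allow"
        return "deny"
```

The outbound request and its reply pass both firewalls; an inbound ACK-only probe to an unpublished port (the kind a scanner sends to map a filter) passes the stateless rules but is dropped by the stateful firewall because no connection matches it.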

Security Groups and Roles with Appropriate Rights and Privileges

When dealing with user access, a fine line often exists between enough access and too much access. The access level that users are given directly affects the level of network protection you have. Even though it might sound strange that the network should be protected from its own users, the internal user has the greatest access to data and the opportunity to either deliberately sabotage it or accidentally delete it. In this section, we look at how to manage user access by using groups and group policies.

When working with logical controls, there are two models for assignment of permissions and rights: user-based and group-based. Within a user-based model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs. This type of policy is time-consuming and difficult for administrators to handle, plus it does not work well in large environments. User-based privilege management is usually used for specific parts of the network or specific resources. This access type is also found in government and military situations and in private companies where patented processes and trademark products require protection.

A user account holds information about the specific user. It can contain basic information such as name, password, and the level of permission the user has. It can also contain more specific information, such as the department the user works in, a home phone number, and the days and hours the user is allowed to log on to specific workstations. Even though the terms (rights, privileges, permissions) and their connotations may differ with each operating system, all of them still refer to the access that a user or group account is granted.

Groups are created to make the sharing of resources more manageable. A group contains users who share a common need for access to a particular resource. In this type of access, permissions are assigned to groups, and user accounts become members of the groups. This is called group-based access control. Each user account has access based on the combined permissions inherited from its group memberships. Access control over large numbers of user accounts can be more easily accomplished by managing the access permissions on each group, which are then inherited by the group's members. These groups often reflect divisions or departments of the company, such as human resources, sales, development, and management. You will find that making groups and assigning users to these groups will make the administration process much easier.

Active Directory Services provides flexibility by allowing two types of groups: security groups and distribution groups. Security groups are used to assign rights and permissions to groups for resource access. Distribution groups are assigned to a user list for applications or non-security-related functions. For example, a distribution group can be used by Microsoft Exchange to distribute mail. User rights are applied to security groups to determine what members of that group can do within the scope of a Windows domain or forest. The user rights assignment is twofold: It can grant specific privileges and it can grant log-on rights to users and groups in your computing environment. Log-on rights control who and how users log on to the computer, such as the right to log on to a system locally, whereas privileges allow users to perform system tasks, such as the right to back up files and directories. The assignment of user rights is through security options that apply to user accounts. Although user rights can apply to individual user accounts, they are best administered by using group accounts. In Windows 2003, users can be placed in universal, global, or local groups. The last item that warrants mentioning is that in enterprise networks, groups may be nested. Group nesting can simplify permission assignment if you know how to use it, or it can complicate troubleshooting when you don't know what was set up or why.

EXAM ALERT
By using groups, access control can be accomplished more efficiently and effectively by fewer administrators and with less overhead.

Certain groups and accounts are installed by default. As an administrator, you should know what these groups are and know which accounts are installed by default. You should also know which accounts, if any, are installed with blank passwords. The security settings in many of the newer operating systems do not allow blank passwords, thereby making the system more secure. However, there might still be accounts in older operating systems that have a blank password. By knowing which accounts are installed by default, you can determine which are really needed and which can be disabled. In dealing with individual accounts, the administrative account should be used only for the purpose of administering the server. An individual using the administrative account can put a company's entire business in jeopardy. Granting users this type of access is a disaster waiting to happen.

When working with groups, remember a few key items. No matter what OS you are working with, group permissions are cumulative, so if a user belongs to two groups and one has more liberal access, the user will have the more liberal access, except where the no access (deny) permission is involved. If you are giving a user full access in one group and no access in another group, the result will be no access. If a user has difficulty accessing information after he or she has been added to a new group, the first item you may want to check for is conflicting permissions.

EXAM ALERT
When assigning user permissions, if the groups the user is assigned to have liberal access and another group has no access, the result is no access. There are no exceptions.

Security Controls for File and Print Resources

Print and file sharing increases the risk of intruders being able to access any of the files on a computer's hard drive. Depending on the operating systems in use, there are two areas to look at: the Server Message Block (SMB) file-sharing protocol and the Common Internet File System (CIFS). CIFS is a newer implementation of SMB that allows file and print sharing. Locking down these shares is imperative because unprotected network shares are always easy targets and rank high in the list of top security exploits. Here are some recommendations for securing file and print sharing:

- Determine whether file and print sharing is really needed. If it isn't, unbind NetBIOS from TCP/IP. By doing so, you disable Windows SMB file and print sharing over NetBIOS (ports 137 through 139). Note that on Windows 2000 and later, SMB is also reachable directly over TCP port 445, so disable the File and Printer Sharing binding (or the Server service) as well if sharing is truly not needed.
- Filter traffic on UDP/TCP ports 137, 138, 139, and 445 at the perimeter and, where possible, on the hosts themselves.
- Install proper firewalls.
- Run intrusion testing tools.
- Use an antivirus product that searches for CIFS worms.

User education and mandatory settings can go a long way toward making sure that file sharing is not enabled unless needed. Finally, keep in mind that as Microsoft operating systems are installed, a number of hidden administrative shares (such as C$, ADMIN$, and IPC$) are created by default. Any intruder would be aware of this and can map to them if given the chance.

Access Control Lists

In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. ACLs can apply to routers and other devices; however, for purposes of this discussion, we limit the definition to operating system objects. Every operating system object created has a security attribute that matches it to an ACL. The ACL has an entry for each user or group that defines the access privileges to that object. The most common privileges are read, write to, delete, and execute a file. Generally, the object owner or the system administrator creates the ACL for an object.

In Microsoft operating systems, each ACL has one or more access control entries (ACEs). These are descriptors that contain the identity (security identifier) of a user, group, or role. The access privileges are stated in a string of bits called an access mask. ACLs can be broken down further into discretionary access control lists (DACLs) and system access control lists (SACLs). A DACL identifies who or what is allowed access to the object. If the object does not have a DACL at all, everyone is granted full access. If the object's DACL is present but has no ACEs, the system denies all access. An SACL enables administrators to log attempts to access the object; each ACE in the SACL specifies the types of access attempts that cause the system to generate a record in the security event log. DACL use and SACL use are specific to Microsoft operating systems and are based on ACEs.

Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. This database is usually maintained on a central server that is contacted by the server providing the resource when a user's access must be verified against the ACL. The drawback to the centralized model is scalability. As the company and network grow, it becomes more and more difficult to keep up with the tasks of assigning and managing network resource access and privileges. Decentralized security management is less secure but more scalable. Responsibilities are delegated, and employees at different locations are made responsible for managing privileges within their administrative areas. For example, in Microsoft Active Directory, this can be delegated by domain or organizational unit. Decentralized management is less secure because more people are involved in the process and there is a greater possibility for errors.
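How the DACL rules above (no DACL means everyone has full access, an empty DACL denies everyone, and a deny on one group overrides an allow on another) combine with cumulative group permissions, as an added example in Python. This is illustrative code, not the book's or Windows' own; the SIDs, the ACEs, and the access-mask bit values are constructed for the example (real Windows file-access masks use different bit positions), and the evaluation follows the Windows convention of placing explicit deny ACEs ahead of explicit allow ACEs.

```python
"""DACL evaluation with cumulative group permissions and deny-wins
semantics. Added example, not from the book; SIDs, ACEs and mask bits
are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-mask bits for this example.
READ, WRITE, DELETE, EXECUTE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | DELETE | EXECUTE
ALL_BITS = (READ, WRITE, DELETE, EXECUTE)


@dataclass
class ACE:
    kind: str        # "allow" or "deny"
    trustee: str     # SID of the user or group the entry applies to
    mask: int        # access bits this entry grants or denies


def canonical(dacl: List[ACE]) -> List[ACE]:
    """Windows stores explicit deny ACEs ahead of explicit allow ACEs, so a
    deny granted to one group is seen before an allow granted to another."""
    return [a for a in dacl if a.kind == "deny"] + [a for a in dacl if a.kind == "allow"]


def check_access(dacl: Optional[List[ACE]], token_sids: Set[str], requested: int) -> bool:
    """Decide whether a token carrying token_sids may open the object with
    the requested access bits."""
    if dacl is None:             # object has no DACL: everyone gets full access
        return True
    if not dacl:                 # DACL present but without ACEs: all access denied
        return False
    if requested == 0:
        return False
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in token_sids:
            continue             # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False         # a matching deny on any outstanding bit ends it
        if ace.kind == "allow":
            remaining &= ~ace.mask   # bits granted by different groups accumulate
            if remaining == 0:
                return True
    return False                 # some requested bit was never granted


def effective_rights(dacl: Optional[List[ACE]], token_sids: Set[str]) -> int:
    """The union of everything the token's memberships grant, as a mask."""
    return sum(bit for bit in ALL_BITS if check_access(dacl, token_sids, bit))
```

Alice, a member of both Sales and HR, gets the union of what the two groups are granted; Bob, a member of Sales and of a group with an explicit deny, gets nothing, which is the "no access" rule from the Exam Alert above and the first thing to check when a newly added group member cannot reach a resource.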

Group Policies

After you create groups, Group Policy can be used for ease of administration in managing the environment of users. This can include installing software and updates or controlling what appears on the desktop based on the user's job function and level of experience. For example, you can use Group Policy to restrict the use of USB devices in a group of computers. Group Policy enables you to set consistent common security standards for a certain group of computers and enforce common computer and user configurations. It also simplifies computer configuration by distributing applications and restricting the distribution of applications that may have limited licenses. Group Policy is versatile and can be used with Active Directory to define standards for the whole organization or for the members of a single workgroup.

How companies use Group Policy depends on the level of client management required. In a highly managed environment where users cannot configure their own computers or install software, there will be considerable control over users and computers with Group Policy. In a minimally managed environment where users have more control over the environment, Group Policy will be used minimally. Because Group Policy is so powerful, and to allow this wide range of administration, various levels of administrative roles can be appointed. These include creating, modifying, and linking policies.

The Group Policy object (GPO) is used to apply Group Policy to users and computers. A GPO is a virtual storage location for Group Policy settings, which are stored in the Group Policy container (in Active Directory) and the Group Policy template (in the SYSVOL share). Group Policy can be applied at multiple levels in Active Directory. GPOs can be associated with or linked to sites, domains, or organizational units. Group policies are applied in a specific order or hierarchy. By default, a group policy is inherited and cumulative. It is important that you understand policy application order and the effect that it can have on the resulting security policy of a computer.

EXAM ALERT
An excessive number of group policies can create longer logon times, and if conflicting policies are implemented, you might have a difficult time tracking down why one of them isn't working as it should.

GPOs are processed in the following order:

1. The local GPO
2. GPOs linked to sites
3. GPOs linked to domains
4. GPOs linked to organizational units (a parent OU before its child OUs)

The order of GPO processing is important because a policy applied later overwrites a policy applied earlier, so if there is a conflict, the policy applied last (the one closest to the user or computer in the hierarchy) prevails. Where several GPOs are linked to the same container, they are applied from the bottom of the link list up, so the GPO at the top of the list (link order 1) is applied last and prevails. If the computer is a workgroup member rather than a domain member, only the local policy is applied.

Now let's talk about the exceptions. The default order of processing has the following exceptions:

- Any policy except for the local one can be set to No Override (called Enforced in newer management tools), meaning none of its policy settings can be overridden by policies applied later.
- Block Inheritance can be set at the domain or organizational unit level so that policies linked at higher levels are not inherited. However, if a higher-level policy is marked No Override, it cannot be blocked.
- Loopback is an advanced setting that provides alternatives to the default method of obtaining the ordered list of GPOs, so that the computer's location in the directory, rather than the user's, determines the user settings applied.

As you can see, Group Policy can be tricky to configure after you put numerous policies in place. To troubleshoot Group Policy appropriately, know the order of application and the exceptions. Group Policy changes can be audited, and thus you can track any changes made and confirm their validity.
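The processing order and its exceptions, worked through as an added example in Python (illustrative code, not from the book or from Windows). The GPOs, containers, and setting names are constructed; the model applies the local GPO, then site, domain, and OU links from the bottom of each link list up, drops inherited non-enforced GPOs at a container that blocks inheritance, and applies No Override (Enforced) GPOs last so they win every conflict.

```python
"""Resultant Group Policy settings under local-site-domain-OU processing,
link order, No Override (Enforced) and Block Inheritance. Added example,
not from the book; GPOs, containers and settings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]    # setting name -> value
    enforced: bool = False         # "No Override" / Enforced


@dataclass
class Container:
    name: str
    gpos: List[GPO] = field(default_factory=list)   # link order: index 0 is the top of the list
    block_inheritance: bool = False


def resultant_settings(local: GPO, path: List[Container]) -> Tuple[Dict[str, object], List[str]]:
    """path lists the containers from the site down to the object's own OU,
    for example [site, domain, parent_ou, child_ou]. Returns the resulting
    settings and the GPO names in the order they were applied."""
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for container in path:
        if container.block_inheritance:
            normal = []            # drop everything inherited from above;
                                   # enforced GPOs survive the block
        # Within one container the bottom of the link list is applied first,
        # so link order 1 (top of the list) is applied last and prevails.
        for gpo in reversed(container.gpos):
            (enforced if gpo.enforced else normal).append(gpo)
    # Enforced GPOs are applied after all normal ones. Between enforced GPOs,
    # the one highest in the hierarchy is applied last, so it wins.
    order = [local] + normal + list(reversed(enforced))
    result: Dict[str, object] = {}
    for gpo in order:
        result.update(gpo.settings)    # a later application overwrites an earlier one
    return result, [g.name for g in order]
```

In the test below, the Sales OU's own GPO allows USB devices, but the enforced Default Domain policy is applied last and blocks them, even after the OU is set to block inheritance; blocking inheritance does remove the site and baseline settings, which is why the screensaver setting disappears.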

Password Policy

Because passwords are one of the best methods of acquiring access, proper planning and policies should be determined. Passwords are one of the first pieces of information entered by a user. When setting up user accounts, password length, duration, history, and complexity requirements are all important to the security of the network. Consider the following when setting password policies:

- Make the password length at least eight characters and require the use of uppercase and lowercase letters, numbers, and special characters.
- Lock user accounts out after three to five failed logon attempts. This stops password-guessing programs from continuing to try passwords against the account once it is locked. Keep in mind that a low threshold also lets an attacker who knows user names lock accounts on purpose, so pair it with a finite lockout duration rather than requiring an administrator to unlock every account.
- Require users to change passwords every 60 to 90 days, depending on how secure the environment needs to be. Remember that the more frequently users are required to change passwords, the greater the chance that they will write them down.
- Set the server to not allow users to use the same password over and over again. Certain operating systems have settings that do not allow users to reuse a password for a certain length of time or number of password changes. This reduces the likelihood of a successful password attack.
- Never store passwords in an unsecure location. Sometimes a company may want a list of server administrative passwords. This list might end up in the wrong hands if not properly secured.
- Upon logon, show a statement to the effect that network access is granted under certain conditions and that all activities may be monitored. You should have all users read and sign security policies as part of their employment process. This way you can be sure that any legal ramifications are covered.

Strong passwords can be derived from events or things the user knows and are discussed in Chapter 12, "Organizational Controls." Make users aware of these requirements and the reasons for them.

Domain Password Policy

Password policies help secure the network and define the responsibilities of users who have been given access to company resources. The effectiveness of these policies depends on how and where they are applied. If you are using Windows servers on your network, you will most likely have domains. Domains have their own password policy in addition to the local password policy. These are two different policies, and you need to understand the difference between them. Domain password policies affect all users in the domain. Domain password policies control the complexity and lifetime settings for passwords so that they become more complex and secure. The policy is applied at the root of the domain and becomes the policy for any system that is a member of the domain in Windows Server 2003 and earlier server versions. The three areas that can be configured are password, account lockout, and Kerberos policies. When configuring these settings, keep in mind that you can have only one domain account policy. Table 4.1 lists the default settings for Windows 2003 SP1.
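The password and account lockout guidance above, enforced as an added example in Python (illustrative code, not from the book and not how a domain controller implements it). The policy values follow the recommendations in this section (eight characters, complexity, a 24-password history, lockout after five failures for a fixed duration); the sample account, the observation window for failed attempts, and the choice to store passwords as salted PBKDF2 hashes are assumptions made for the example.

```python
"""Password policy and account lockout enforcement. Added example, not
from the book; policy values, the sample account and the salted-PBKDF2
password store are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Policy:
    min_length: int = 8
    complexity: bool = True                       # 3 of 4 character classes, no user name
    history: int = 24                             # passwords remembered
    min_age: timedelta = timedelta(days=1)
    max_age: timedelta = timedelta(days=42)
    lockout_threshold: int = 5                    # failed attempts before lockout
    lockout_duration: timedelta = timedelta(minutes=30)
    reset_window: timedelta = timedelta(minutes=30)   # failures older than this are forgotten


@dataclass
class Account:
    name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first: (salt, hash)
    last_set: datetime = datetime.min
    failed: int = 0
    first_failure: datetime = datetime.min
    locked_until: datetime = datetime.min


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def password_problem(acct: Account, password: str, policy: Policy, now: datetime) -> Optional[str]:
    """Return why a proposed new password is rejected, or None if acceptable."""
    if acct.history and now - acct.last_set < policy.min_age:
        return "minimum password age not reached"
    if len(password) < policy.min_length:
        return "too short"
    if policy.complexity:
        classes = sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                       any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
        if classes < 3 or acct.name.lower() in password.lower():
            return "does not meet complexity requirements"
    if any(_matches(password, e) for e in acct.history[:policy.history]):
        return "password was used recently"
    return None


def set_password(acct: Account, password: str, policy: Policy, now: datetime) -> Optional[str]:
    """Apply the policy; on success store the new hash and return None."""
    problem = password_problem(acct, password, policy, now)
    if problem is None:
        salt = os.urandom(16)
        acct.history.insert(0, (salt, _hash(password, salt)))
        del acct.history[policy.history:]       # remember only the configured number
        acct.last_set = now
    return problem


def logon(acct: Account, password: str, policy: Policy, now: datetime) -> str:
    """Return 'ok', 'expired' (password older than max age), 'locked' or 'bad password'."""
    if now < acct.locked_until:
        return "locked"
    if acct.history and _matches(password, acct.history[0]):
        acct.failed = 0
        return "expired" if now - acct.last_set > policy.max_age else "ok"
    if now - acct.first_failure > policy.reset_window:
        acct.failed, acct.first_failure = 0, now     # start a new observation window
    acct.failed += 1
    if acct.failed >= policy.lockout_threshold:
        acct.locked_until = now + policy.lockout_duration
        acct.failed = 0
        return "locked"
    return "bad password"
```

The fifth wrong guess locks the account for the configured duration even if the correct password is then supplied; once the lockout lapses the correct password is accepted, and after the maximum age it is accepted only as "expired", meaning the user must change it.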

Chapter 4: Infrastructure Security and Controls

TABLE 4.1 Default Password Policy Settings

Option | Default Setting | Possible Values | Recommended Value
Enforce Password History | 24 passwords remembered | 0 to 24 | Set to 24 to limit password reuse
Maximum Password Age | 42 days | 0 to 999 days | Set to either 30 or 60 days
Minimum Password Age | 1 day | 0 to 998 days | Set to 2 days, to disallow immediate changes
Minimum Password Length | 7 characters | 0 to 14 characters | Set to at least 8
Passwords Must Meet Complexity Requirements | Enabled | Enabled or Disabled | Set to Enabled
Store Password Using Reversible Encryption | Disabled | Enabled or Disabled | Set to Disabled

All the settings in Table 4.1 should be configured to conform to the organization's security policy. In most environments, the default settings should suffice. If you do need to change them, remember that they are applied at the domain level. Also, setting the change frequency and password complexity too strictly can cause user frustration, leading to passwords being written down. The account lockout policy can be used to secure the system against attacks by disabling the account for a certain period of time after a certain number of failed attempts. The Kerberos policy settings are used for authentication services.

TIP
In Windows Server 2008, you can specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

Time-of-Day Restrictions and Account Expiration

Besides password restrictions, logon hours can be restricted in many operating systems. By default, all domain users can log on at any time. Many times, it is necessary to restrict logon hours for maintenance purposes. For example, at 11:00 P.M. each evening, the backup is run, so you might want to be sure that everyone is off of the system. Or if databases get re-indexed on a nightly basis, you might have to confirm that no one is on them. You can also assign time-of-day restrictions to ensure that employees use computers only during specified hours. This setting is useful for organizations where users require supervision, where security certification requires it, or where employees are mainly temporary or shift workers. This is also a good way to be sure that a hacker isn't logging on with stolen passwords. Logon hours can be restricted by days of the week, hours of the day, or both. Each OS is different; therefore, the effect of the restrictions will differ if the user is currently logged on when the restriction time begins. In a Microsoft Windows environment, whether users are forced to log off when their logon hours expire is determined by the Automatically Log Off Users setting. In other environments, the user may be allowed to stay logged on, but once logged off, the user cannot log back on. The logon schedule is enforced by the Kerberos Group Policy setting Enforce User Logon Restrictions, which is enabled by default in Windows Server 2003.

Temporary or contract workers should have user accounts that are valid only for a certain amount of time. Limiting the time an account is active for such employees should be part of the policies and procedures. The account expires attribute specifies when an account expires. This way, when the account expires, it can no longer be used to log on to any service. This setting may be used under the same conditions as mentioned previously for the time-of-day restrictions. Statistics show that a large number of temporary accounts are never disabled. In addition, user accounts should be audited on a regular basis.

Logical Tokens

This section focuses on logical tokens. Physical tokens are discussed in Chapter 5. A security identifier (SID) is a unique value that identifies a security principal. In a Microsoft environment, a SID is issued to every security principal when it is created, such as users, groups, computers, or domain controllers. An access token is created whenever a user logs on to a computer, or an attempt is made to access a resource. An access token contains information about the identity and privileges associated with the security principal. When a user logs on and authentication succeeds, the logon process returns a SID for the user and a list of SIDs for the user's security groups. In a Microsoft environment, these comprise the access token, as part of the authentication process. A user's access token includes the SIDs of all groups to which the user is a member. Because of a system limitation, the field that contains the SIDs of the principal's group memberships in the access token can contain a maximum of 1,024 SIDs.
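The three controls in this section, as an added example that is not part of the original text: a small Python model of a logon-hours restriction, an account expiration date, and the construction of an access token from the user's SID and group SIDs with the 1,024-entry limit quoted above. The domain SID, RIDs, schedule and account names are constructed for illustration, and `logon`, `build_access_token` and `try_logon` are the example's own functions, not Windows APIs.

```python
"""Logon-hours restriction, account expiration and access-token construction.

Added example: a model of the controls in this section, not Windows code.
The domain SID, RIDs, schedule and account names are constructed, and the
1,024 figure is the group-SID limit quoted in the text.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

MAX_GROUP_SIDS = 1024


class LogonDenied(Exception):
    """Raised when the logon process refuses to issue a token."""


@dataclass
class LogonHours:
    """Permitted hours per weekday (0 = Monday); hours are 0-23.
    A weekday with no entry permits no logon at all."""
    allowed: Dict[int, Set[int]]

    def permits(self, when: datetime) -> bool:
        return when.hour in self.allowed.get(when.weekday(), set())


@dataclass
class Account:
    name: str
    sid: str
    group_sids: List[str]
    logon_hours: Optional[LogonHours] = None   # None: any time, the domain default
    expires: Optional[datetime] = None         # None: never expires


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: Tuple[str, ...]


def build_access_token(account: Account) -> AccessToken:
    """Combine the user's SID with its group SIDs, as the LSA does after
    authentication succeeds. Over the limit, no token can be created."""
    if len(account.group_sids) > MAX_GROUP_SIDS:
        raise LogonDenied(f"{account.name}: {len(account.group_sids)} group SIDs "
                          f"exceed the {MAX_GROUP_SIDS} limit; no token created")
    return AccessToken(account.sid, tuple(account.group_sids))


def logon(account: Account, when: datetime) -> AccessToken:
    """Account-level checks that run before a token is issued."""
    if account.expires is not None and when >= account.expires:
        raise LogonDenied(f"{account.name}: account expired {account.expires:%Y-%m-%d}")
    if account.logon_hours is not None and not account.logon_hours.permits(when):
        raise LogonDenied(f"{account.name}: logon not permitted at {when:%a %H:%M}")
    return build_access_token(account)


def try_logon(account: Account, when: datetime):
    """(True, token) on success, (False, reason) on refusal."""
    try:
        return True, logon(account, when)
    except LogonDenied as exc:
        return False, str(exc)


def demo() -> dict:
    domain = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
    business_hours = LogonHours({d: set(range(7, 19)) for d in range(5)})  # Mon-Fri 07:00-18:59
    contractor = Account("contractor1", f"{domain}-1105",
                         [f"{domain}-513", f"{domain}-1200"],
                         logon_hours=business_hours,
                         expires=datetime(2009, 3, 31))
    # A service account that has accumulated one group too many.
    overgrouped = Account("svc_reports", f"{domain}-1106",
                          [f"{domain}-{rid}" for rid in range(2000, 2000 + MAX_GROUP_SIDS + 1)])
    return {
        "office_hours": try_logon(contractor, datetime(2009, 2, 2, 9, 30)),    # Monday
        "late_night": try_logon(contractor, datetime(2009, 2, 2, 23, 0)),      # backup window
        "weekend": try_logon(contractor, datetime(2009, 2, 7, 10, 0)),         # Saturday
        "after_expiry": try_logon(contractor, datetime(2009, 4, 1, 9, 0)),
        "too_many_groups": try_logon(overgrouped, datetime(2009, 2, 2, 9, 0)),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case:16} {'allowed' if ok else 'denied'}: {detail}")
```

Note the order of the checks: expiration and logon hours are evaluated before any token is built, which mirrors why an expired account cannot log on to any service at all, and the group-SID overflow is a refusal rather than a truncated token.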

If there are more than 1,024 SIDs in the principal's access token, the local security authority (LSA) cannot create an access token for the principal during the logon attempt. If this happens, the principal cannot log on or access resources.

Physical Control

When evaluating the physical security of the infrastructure, the security team should coordinate the security setup of the facility and surrounding areas, identify which groups are allowed to enter different areas, and determine the method of authentication to be used. Chapter 5 discusses physical access in greater detail. To protect the infrastructure, physical security must be maintained. If maintenance is overlooked, the system will begin to fall apart. Broken locks, loose doorknobs, and cracked windows will let a potential intruder know that you are not maintaining your security systems. As with all facets of security, if security mechanisms are left in poor or nonfunctional condition, employees will bypass the security to get their jobs done. This will compromise the entire system and make the original investment of time and money worthless. This brings us to the next topic: the investment of time and money, the return on investment, and the calculation of risk.

Risk and Return on Investment

You have already learned about a variety of software and hardware solutions that will make the infrastructure safer, but to justify the cost, you must know how to calculate the return on investment. IT is a cost center. Items such as antivirus software, intrusion-detection systems, firewalls, and virtualized environments do not generate revenue. Before funding a project, a formal business case analysis should be performed. In addition, security vulnerabilities must be presented in terms of dollars and cents. As you deploy the new security systems, include training on how to use the systems. The timing of training should be coordinated so that training and physical deployment finish at about the same time.

Identifying Risk

Risk is the possibility of loss or danger. Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level. Risk analysis helps align security objectives with business objectives. By identifying assets, threats, and vulnerabilities, you can make informed decisions about a solution's cost-effectiveness. Risk analysis identifies risks, estimates the impact of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk. Risk comes in a variety of forms. For example, a virus is a threat, the vulnerability would be not having antivirus software, and the resulting risk would be the effects of a virus infection. All risks have loss potential. Chapter 7, "Intrusion Detection and Security Baselines," explains the options available when dealing with risk. Here, we deal with how to calculate risk and return on investment.

Asset Identification

Before you can determine which resources are most in need of protection, it is important to determine what resources are present that may need securing. A resource can refer to a physical item (such as a server or piece of networking equipment), a logical object (such as a website or financial report), or even a business procedure (such as a distribution strategy or marketing scheme). Sales demographics, customer data, trade secrets, and even payroll information could be considered sensitive resources within an organization. Because security resources will always be limited in some manner, you need to determine the level of threat exposure that each resource creates and plan your network defenses accordingly. To calculate costs and return on investment, you must first identify your assets. When evaluating assets, consider the following factors:

• The original cost
• The replacement cost
• Maintenance costs
• Its value to the organization
• Its worth to the competition
• The amount it generates in profit

After assets have been identified and valued, an appropriate dollar amount can be spent to help protect those assets from loss. The annual cost of prevention against threats is compared to the expected cost of loss, for a cost/benefit comparison. Then, it is important to properly document all available resources, the threats to your network, your vulnerabilities, and what risks result.

Risk and Threat Assessment

After assets have been identified, you must determine the assets' order of importance and which assets pose significant security risks. During the process of risk assessment, it is necessary to review many areas, such as the following:

• Methods of access
• Authentication schemes
• Audit policies
• Hiring and release procedures
• Isolated services that may provide a single point of failure or avenue of compromise
• Data or services requiring special backup or automatic failover support

NOTE
Risk assessment should include planning against both external and internal threats. An insider familiar with an organization's procedures can pose a very dangerous risk to network security.

During a risk assessment, it is important to identify potential threats and document standard response policies for each. Threats may include the following:

• Direct access attempts
• Automated cracking agents
• Viral agents, including worms and Trojan horses
• Released or dissatisfied employees
• Denial-of-service (DoS) attacks or overloaded capacity on critical services
• Hardware or software failure, including facility-related issues such as power or plumbing failures

When examining threat assessment, the likelihood that the threats you've identified might actually occur is considered. To gauge the probability of an event occurring as accurately as possible, you can use a combination of estimation and historical data. This information will help you calculate the single loss expectancy (SLE) and the annual loss expectancy (ALE). Most risk analyses use a fiscal year to set a time limit of probability and to confine proposed expenditures, budget, and depreciation.

Vulnerabilities

After you have identified all sensitive assets and performed a detailed risk assessment, it is necessary to review potential vulnerabilities and take actions to protect each asset based on its relative worth and level of exposure. Evaluations should include an assessment of the relative risk to an organization's operations, the ease of defense or recovery, and the relative popularity and complexity of the potential form of attack. Because of the constant discovery of new vulnerabilities, it is vital to include a review of newly discovered vulnerabilities as part of your standard operating procedures.

NOTE
Online resources such as those provided by the SANS Institute and the BUGTRAQ lists are good examples of the resources available to network administrators responsible for watching for new vulnerabilities.

Calculating Risk

To calculate risk, use this formula:

Risk = Threat × Vulnerability

To help you understand this, let's look at an example using DoS attacks. Firewall logs indicate that the organization was hit hard one time per month by a DoS attack in each of the past six months. We can use this historical data to estimate that it's likely we will be hit 12 times per year. SLE equals asset value multiplied by the threat exposure factor or probability. The formula looks like this:

Asset value × Exposure factor = SLE

The exposure factor or probability is the percentage of loss that a realized threat could have on a certain asset. In the DoS example, let's say that if a DoS were successful, 25 percent of business would be lost. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × 25 percent).

The possibility of certain threats is greater than that of others, such as natural disasters, malicious code outbreaks, sabotage, and backup failure. Historical data presents the best method of estimating these possibilities. After you calculate the SLE, you can calculate the ALE. This gives you the expected loss from an event over a single year's time. It is done by calculating the product of the SLE and the ARO (annualized rate of occurrence):

SLE × ARO = ALE

The ARO is the estimated number of times a specific threat is expected to take place in a one-year time frame. In the DoS example, the ARO is 12, so the ALE is $300,000 ($25,000 × 12). If instead a DoS attack were expected only once every two years, the probability of an attack in any given year would be 50% and the ARO would be 0.5; with the SLE estimated at $25,000, the ALE would be $12,500 ($25,000 × 0.5 = $12,500). The ALE is the most it makes sense to spend per year on protection against that threat. If we spent more than that, we would not be prudent because the cost would outweigh the risk.

Other risk models for calculating risk include the cumulative loss expectancy (CLE) and the Iowa risk model. The cumulative loss expectancy model calculates risk based on single systems. It takes into account all the threats that are likely to happen to a given system over the next year. The Iowa risk model determines risk based on criticality and vulnerability.

Calculating ROI

Return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Because there are so many vulnerabilities to consider and so many different technologies available, calculating the ROI for security spending can prove difficult. Many organizations don't know how many actual security incidents have occurred, nor have they tracked the cost associated with them. The formulas present too many unknowns. One method that may be helpful in this area is called reduced risk on investment (RROI). This method enables you to rank security investments based on the amount of risk they reduce. RROI is calculated by multiplying the potential loss by the reduction in probability that the investment buys, and dividing the result by the total expense:

RROI = Potential loss × (Probability without expense – Probability with expense) / Total expense

By using this formula, alternative security investments can be compared on their projected business value. Another approach is to look at security as loss prevention: attacks that are prevented are losses that are prevented. ROI is then calculated using the following formula:

ROI = Loss prevented – Cost of solution

If the result of this formula is a negative number, you spent more than the loss prevented.
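Added example (not from the book): the SLE, ARO, ALE, ROI and RROI calculations above, carried through in Python on the DoS figures from the text ($100,000 of daily web sales, a 25 percent exposure factor, six incidents in six months). The candidate controls, their annual costs and the residual ARO each is assumed to leave are constructed for illustration. In the RROI term the example substitutes the ARO before and after the control for the text's two probabilities, so the result is the ALE reduction bought per dollar spent, which is the ranking the text describes.

```python
"""SLE, ARO, ALE, ROI and RROI worked on the chapter's DoS example.

Added example. The asset value ($100,000 of daily web sales), the 25 percent
exposure factor and the six incidents in six months come from the text; the
candidate controls, their costs and residual AROs are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # value exposed per occurrence
    exposure_factor: float   # fraction of the asset lost per occurrence, 0..1
    aro: float               # annualized rate of occurrence

    @property
    def sle(self) -> float:
        """Single loss expectancy: asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_aro: float      # ARO expected once the control is in place


def aro_from_history(incidents: int, months_observed: int) -> float:
    """Project observed incidents to a yearly rate, as the text does
    with six months of firewall logs."""
    if months_observed <= 0:
        raise ValueError("need at least one month of observations")
    return incidents * 12 / months_observed


def roi(loss_prevented: float, cost_of_solution: float) -> float:
    """ROI = Loss prevented - Cost of solution. Negative: the control
    cost more than the loss it prevented."""
    return loss_prevented - cost_of_solution


def rroi(potential_loss: float, rate_without: float, rate_with: float,
         total_expense: float) -> float:
    """RROI = Potential loss x (rate without - rate with) / Total expense.
    With the SLE as the potential loss and AROs as the rates this is the
    ALE reduction bought per dollar spent, which is how the text uses it
    to rank investments."""
    if total_expense <= 0:
        raise ValueError("total expense must be positive")
    return potential_loss * (rate_without - rate_with) / total_expense


def evaluate(threat: Threat, control: Control) -> dict:
    """ALE before and after, loss prevented, ROI and RROI for one control."""
    after = replace(threat, aro=control.residual_aro)
    prevented = threat.ale - after.ale
    return {
        "ale_before": threat.ale,
        "ale_after": after.ale,
        "loss_prevented": prevented,
        "roi": roi(prevented, control.annual_cost),
        "rroi": rroi(threat.sle, threat.aro, control.residual_aro, control.annual_cost),
    }


def demo() -> dict:
    dos = Threat("DoS against the web site", asset_value=100_000, exposure_factor=0.25,
                 aro=aro_from_history(incidents=6, months_observed=6))
    controls = [   # constructed candidates
        Control("upstream DDoS mitigation service", annual_cost=120_000, residual_aro=1),
        Control("edge rate limiting", annual_cost=20_000, residual_aro=8),
        Control("fully redundant second site", annual_cost=350_000, residual_aro=0),
    ]
    return {
        "sle": dos.sle,
        "aro": dos.aro,
        "ale": dos.ale,
        "ale_if_once_in_two_years": replace(dos, aro=0.5).ale,
        "controls": {c.name: evaluate(dos, c) for c in controls},
    }


if __name__ == "__main__":
    r = demo()
    print(f"SLE ${r['sle']:,.0f}  ARO {r['aro']:g}  ALE ${r['ale']:,.0f}")
    for name, e in sorted(r["controls"].items(), key=lambda kv: -kv[1]["rroi"]):
        print(f"{name:34} ROI ${e['roi']:>10,.0f}  RROI {e['rroi']:.2f}")
```

The three constructed controls show why both figures are worth computing: the mitigation service prevents the most loss in absolute terms (highest ROI), the cheap rate limiter reduces the most risk per dollar (highest RROI), and the redundant site produces a negative ROI because its cost exceeds the entire ALE.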

Exam Prep Questions

1. Which of the following best describes the formula for calculating single loss expectancy?
   A. Potential loss × (Probability without expense – Probability with expense) / Total expense
   B. Calculates risk based on criticality and vulnerability
   C. Asset value multiplied by the threat exposure factor or probability
   D. The estimated possibility of a specific threat taking place in a one-year time frame

2. Which of the following is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level?
   A. Return on investment
   B. Risk
   C. Risk analysis
   D. Risk management

3. Which of the following are the best reasons for the use of virtualized environments? (Choose two correct answers.)
   A. Reduced need for equipment
   B. Reduced threat risk
   C. Capability to isolate applications
   D. Capability to store environments on USB devices

4. Your company is in the process of locking down CIFS and SMB file and print sharing. Which of the following ports do you have to secure? (Select all correct answers.)
   A. 161
   B. 139
   C. 138
   D. 162

5. Which of the following are recommended password account policies? (Select all correct answers.)
   A. Make the password length at least eight characters and require the use of uppercase and lowercase letters, numbers, and special characters
   B. Require users to change passwords every 60 to 90 days
   C. Lock user accounts out after one to two failed logon attempts
   D. Set the server to not allow users to use the same password over and over again

6. When evaluating assets, which of the following factors must be considered? (Choose three.)
   A. The replacement cost
   B. Its worth to the competition
   C. Its value to the organization
   D. Its salvage value

7. Which of the following are uses for proxy servers? (Choose all correct answers.)
   A. Intrusion detection
   B. Internet connectivity
   C. Web content caching
   D. Load balancing

8. Which of the following is the most common method used in an antivirus program?
   A. Integrity checking
   B. Scanning
   C. Heuristics
   D. Metrics

9. A peer-to-peer network or a workgroup where access is granted based on individual needs is an example of which type of access control?
   A. Group-based access control
   B. Mandatory access control
   C. Role-based access control
   D. User-based access control

10. Which of the following groups is the most appropriate for email distribution lists?
   A. Only distribution groups.
   B. Only security groups.
   C. Neither one; you must use a mail application group.
   D. Both security and distribution groups.

Answers to Exam Prep Questions
1. C. SLE equals asset value multiplied by the threat exposure factor or probability. Answer A is incorrect because it describes reduced risk on investment (RROI). Answer B is incorrect because it describes the Iowa risk model. Answer D is incorrect because it describes the annualized rate of occurrence (ARO).

2. D. Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level. Answer A is incorrect because return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Answer B is incorrect because risk is the possibility of loss or danger. Answer C is incorrect because risk analysis helps align security objectives with business objectives.

3. A, C. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and by providing better disaster recovery solutions. Virtual environments are used for cost-cutting measures as well. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. Forensic analysts often use virtual environments to examine environments that might contain malware, or as a method of viewing the environment in the same way as the criminal. Answer B is incorrect because virtualized environments, if compromised, can provide access not only to the network, but also to any virtualization infrastructure. This puts a lot of data at risk. Answer D is incorrect because the capability to store environments on USB devices puts data at risk.

4. B, C. SMB and CIFS use UDP/TCP ports 137, 138, 139, and 445. Answers A and D are incorrect because 161 and 162 are used by SNMP.

5. A, B, and D. Good password policies include making the password length at least 8 characters; requiring the use of uppercase and lowercase letters, numbers, and special characters; requiring users to change passwords every 60 to 90 days; and setting the server to not allow users to use the same password over and over again. Answer C is incorrect because locking user accounts out after one to two failed logon attempts will cause undue stress on the help desk.

6. A, B, and C. When evaluating assets, you must consider their replacement cost, their worth to the competition, and their value to the organization. Answer D is incorrect because an asset's salvage value is not factored in.


7. B, C, and D. Proxy servers can be placed between the private network and the Internet for Internet connectivity or internally for Web content caching. If the organization is using the proxy server for both Internet connectivity and Web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the Web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This allows for network load balancing by forwarding all HTTP and FTP traffic through the proxy server and all other I P traffic through the router. Answer A is incorrect because proxy servers are not used for intrusion detection.

8. B. The most common method used in an antivirus program is scanning for known virus signatures. Answers A and C are incorrect because heuristic engines, which look for virus-like code structures, and integrity checking, which compares files against known-good copies, are supplementary methods: heuristics are susceptible to false positives, and integrity checking can only report that a file changed. Scanning itself cannot identify new viruses until the signature database is updated. Answer D is incorrect because metrics are associated with network monitoring tools.

9. D. Within a user-based model, permissions are uniquely assigned to each account, which is how access is granted in a peer-to-peer network or workgroup. Answer A is incorrect because in group-based access control permissions are assigned to groups rather than to individual accounts. Answer B is incorrect because mandatory access control grants access by comparing labels on the account and the resource, not by individual need. Answer C is incorrect because role-based access control assigns rights to roles, and accounts then receive those roles.

10. A. Distribution groups are assigned to a user list for applications or non-security-related functions. For example, a distribution group can be used by Microsoft Exchange to distribute mail. Answers B and D are incorrect because the most appropriate use of security groups is to assign rights and permissions to groups for resource access. Answer C is incorrect because you do not need to use a mail application group.

Additional Reading and Resources

1. Bragg, Roberta. CISSP Training Guide. Que, 2002.
2. Firewall architectures: http://www.invir.com/int-sec-firearc.html
3. Microsoft Server 2003 Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en
4. National Institute of Standards and Technology (NIST) Firewall Guide and Policy Recommendations: http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
5. Odom, Wendell. CCENT/CCNA ICND1 Official Exam Certification Guide (CCENT Exam 640-822 and CCNA Exam 640-802), 2nd Edition. Cisco Press, 2007.
6. Odom, Wendell. CCNA ICND2 Official Exam Certification Guide (CCNA Exams 640-816 and 640-802), 2nd Edition. Cisco Press, 2007.
7. Security tools: http://www.securitymetrics.com/securitytools.adp
8. SANS InfoSec Reading Room - Physical Security: http://www.sans.org/reading_room/whitepapers/physcial/

PART III
Access Control

Chapter 5 Access Control and Authentication Basics
Chapter 6 Securing Communications

CHAPTER FIVE
Access Control and Authentication Basics

Terms you need to understand:
✓ Mandatory access control (MAC)
✓ Discretionary access control (DAC)
✓ Role-based access control (RBAC)
✓ Kerberos authentication
✓ Challenge-Handshake Authentication Protocol (CHAP)
✓ Certificates
✓ Tokens
✓ Biometrics
✓ Multifactor authentication
✓ Identity proofing
✓ Mantraps
✓ Video surveillance

Techniques you need to master:
✓ Be able to recognize the forms of access control (MAC/DAC/RBAC).
✓ Understand the process of authentication and the various forms of authentication available.
✓ Be able to recognize asymmetric and symmetric encryption methods.
✓ Explain the strengths and vulnerabilities of various physical security zones and devices.

The concept of security within the network environment includes aspects drawn from all operating systems, application software packages, hardware solutions, and networking configurations present within the network to be secured, and from within any network-sharing connectivity directly or indirectly with the network to be secured. For the Security+ exam, you need to develop the broadest set of skills possible, gaining experience from the most specific to the most general of security concepts. Awareness of emerging threats is essential to testing success. This chapter and Chapter 6, “Securing Communications,” provide an overview of general concepts you should familiarize yourself with. This chapter focuses on access control mechanisms and methods for secure network authentication and physical access. A general knowledge of network terminology will aid in understanding these concepts. As a prospective security professional, you should also take every opportunity you may find to expand your skill base beyond these. The practice of a security professional is never an end unto itself, but rather a never-ending path threaded through constant change and ever-evolving possibility.

Access Control
This section examines the methods for controlling access to network resources. Planning for access control may affect the methods used in the authentication process examined later in this chapter. For example, if there will be a need only for anonymous access to a public read-only HTML document, the simple access control mandates eliminate the need for a complex authentication process. Access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. The forms of access control you need to know include the following:
• Mandatory access control (MAC)
• Discretionary access control (DAC)
• Role-based access control (RBAC)

We discuss these types of access control and access control best practices in the following sections. These methods and best practices are based on security criteria set by various efforts. The Trusted Computer System Evaluation Criteria (TCSEC) and the Information Technology Security Evaluation Criteria (ITSEC) are major security criteria efforts. The Common Criteria is based on both TCSEC and ITSEC.

CAUTION
The Trusted Computer System Evaluation Criteria (TCSEC) specification used by many government networks explicitly specifies only the MAC and DAC forms of access control. Because of the color of the original printed manual's cover (DoD 5200.28-STD), the TCSEC may be referred to as the "orange book." The TCSEC is the first book in the DoD-published Rainbow Series of security criteria, released in 1983. The TCSEC specification identifies levels of security based on the minimum level of access control used in a network environment. The four divisions of access control are D (Minimal Protection), C (Discretionary Protection), B (Mandatory Protection), and A (Verified Protection). Division A is the highest level, essentially encompassing all elements of Division B, in addition to formal design and verification techniques. You should be aware that the individual divisions are subdivided into classes based on the complexity of implementation. Division C separates environments that provide basic separation of users and data with discretionary controls on access to resources (C1, Discretionary Security Protection) from environments that add individual accountability through authenticated logons, auditing of security-relevant events, and resource isolation (C2, Controlled Access Protection).

Mandatory Access Control
The most basic form of access control involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. This type of access control is called mandatory access control (MAC, also referred to as multilevel access control) and is often used within governmental systems where resources and access may be granted based on categorical assignment such as classified, secret, or top secret. Mandatory access control applies to all resources within the network and does not allow users to extend access rights by proxy.

NOTE
Note that in the Security+ exam the acronym MAC can refer both to mandatory access control and to the Media Access Control sublayer of the data link layer in the OSI model. When the question involves access control, MAC applies to mandatory controls over access rather than Layer 2 networking.

Discretionary Access Control
A slightly more complex system of access control involves the restriction of access for each resource in a discretionary manner. DAC scenarios allow individual resources to be made available or secured from access individually. Access rights are configured at the discretion of accounts with authority over each resource, including the ability to extend administrative rights through the same mechanism. In DAC a subject has complete control over the objects that it owns: the owner of an object decides which subjects may access it, and with what rights.

Role-Based Access Control
In an RBAC scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. This solution provides the greatest level of scalability within large enterprise scenarios, where the explicit granting of rights to each individual account could rapidly overwhelm administrative staff and where the potential for accidental grant of unauthorized permissions increases. RBAC combines the nondiscretionary character of MAC (an account cannot extend its own rights) with access rights that vary according to role membership. Delegation of administration over rights granted through RBAC is itself managed by specialized administration roles, rather than through ownership or direct control over the individual resources as in DAC solutions.

EXAM ALERT
The exam may include an alternative use for the RBAC acronym that refers to rule-based access control. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details the systems and accounts with access rights and the limits of their access to the resource. ACLs are used within operating systems such as Novell NetWare, Microsoft Windows, DEC OpenVMS, and most UNIX and Linux packages. Exam items dealing with conditional testing for access (for example, time-of-day controls) are examining rule-based access control. Items involving assignment of rights to groups for inheritance by group member accounts are focused on role-based access control.

Access Control Best Practices
Along with the previously mentioned "less-is-more" stance for access control, a number of other best practices exist. You should be familiar with the following:

• Implicit deny: An access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. This practice is used commonly in Cisco networks, where most ACLs have a default setting of "implicit deny." This ensures that when access is not explicitly granted, it is automatically denied by default.

• Least privilege: An access control practice wherein a logon is provided only the bare minimum access to resources required to perform its tasks. Whenever confronted by a solution involving the determination of proper levels of access, remember the phrase "less is more." This is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks.

• Separation of duties: An access control practice involving both the separation of logons, such as day-to-day and admin accounts both assigned to the same network admin, and the separation of roles, such as security assignment and compliance audit procedures. Separation of account functionality protects the network by ensuring that an inadvertent malware execution during normal daily operations cannot then attack the network with full administrative privileges. Separation of role duties ensures that validation is maintained apart from execution, protecting the network against fraudulent actions or incomplete execution of security mandates. The User Account Control (UAC) technology used by the Microsoft Windows Vista operating system ensures that software applications cannot perform privileged operations without additional authorization from the user. Within the Microsoft environment, lesser accounts may perform privileged processes using the "run as" option to specify the explicit use of a privileged account.

• Expiration: An access control practice to expire passwords on a regular basis, protecting against brute-force password guessing attacks, and to expire accounts not used after a certain period of time. Unused accounts often retain weak passwords used in initial assignment and may be more susceptible to password-guessing routines.

• Job rotation: As an extension of the separation of duties, rotating administrative users between roles both improves awareness of the mandates of each role and ensures that fraudulent activity cannot be sustained. This is also the reason that users with administrative access may be required to take vacations, allowing other administrators to review the standard operating practices in place.

Chapter 5: Access Control and Authentication Basics

Authentication
Before authorization may occur for anything other than anonymous access to wholly public resources, the identity of the account attempting to access a resource must first be determined. This process is known as authentication. The most well-known form of authentication is the use of a logon account identifier and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided.

CAUTION
The shortcoming of any authentication system is that if the keys used may be easily falsified, access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of the potential for this weakness.

The relative strength of an authentication system involves the difficulty involved in falsifying or circumventing its process. Anonymous or open access represents the weakest possible form of authentication, whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification. The highest levels of authentication may involve not only account logon, but also if the logon is occurring from specific network addresses or whether a security token such as an access smart card is present.

EXAM ALERT
The exam may contrast identification (the presentation of a unique identity) with authentication, which is the mechanism by which the unique identity is associated with a security principal (a specific user or service). Identification presents credentials, authentication associates those credentials with a security principal, and then access control provides a set of resources available to the authenticated identity.

In theory, the strongest security would be offered by identifying biometric keys unique to a particular user’s person or physical body, such as fingerprints and retinal or iris patterns, combined with other authentication methods involving access passwords or token-based security requiring the possession of a physical smart card key.

TIP
Authentication can be generally broken into four basic forms, depending on what is required to authorize access: something you know, something you have, something you are, or something you do.

Each mechanism for authentication provides different levels of identification, security over data during the authentication exchange, and suitability to different access methods such as wireless or dial-up network access. Obviously, the needs for authentication are going to be relative to the value assigned to a particular resource’s security. Consider, for example, the differences in authentication requirements for access to a high-security solution such as the Federal Reserve’s banking network as opposed to those needed to access an unprivileged local account in a public kiosk. In the first scenario, the use of a combination of biometric, token-based, and password-form access methods may be mandatory, to establish authentication for rightful access. You may also use these access methods with even more complex forms of authentication, such as the use of dedicated lines of communication, time-of-day restrictions on logon, synchronized shifting-key hardware encryption devices, and redundant-path comparison. Location-specific logons from a particular GPS coordinate, time-of-day restrictions, or console terminal may also factor in limiting access to authorized users. You would use these to ensure that each account attempting to make a transaction is properly identified. In the second scenario, authentication might be as simple as an automatic anonymous guest logon shared by all visitors. Additional authentication layers required for access increase both the administrative overhead necessary for management and the difficulty users will have trying to access needed resources. We will now examine several forms of authentication you should be familiar with for the exam.

Kerberos Authentication
The most basic aspects of authentication within a completely isolated network include only the need to determine the identity of an account. If a network is physically or logically accessible to external parties that might seek to sniff (capture and examine) data being transacted between systems, the problem arises as to how to keep the authentication keys themselves safe.

Here is an example: A basic File Transfer Protocol (FTP) access session involves the client sending a logon identifier and a password to the FTP server, which accepts or rejects this access. The logon identifier and password, by default, are sent in plain-text form, readable by any agent with access to the data as it is transmitted from the client to the server. An unauthorized party, pretending to be the authorized user, might use this information later to gain access to the server. To avoid sending the actual logon information across an unsecured network, one solution is the symmetric-key authentication protocol known as Kerberos (created by the Athena project at MIT). A symmetric key means that both the client and server must agree to use a single key in both the encryption and decryption processes (see Figure 5.1).

FIGURE 5.1 Example of a symmetric-key encrypted data transfer. (Figure: the source file combined with the encryption key produces the encrypted file; the encrypted file crosses the Internet and is decrypted with the same key back into the source file.)

Kerberos is primarily a UDP protocol, although it falls back to TCP for large Kerberos tickets. Kerberos clients send UDP and TCP packets on port 88 and receive replies from the Kerberos servers. Port 88 is the standard port for Kerberos 5. You may also find references to ports 749 and 750 used by earlier versions of Kerberos.

In Kerberos authentication, a client sends its authentication details not to the target server, but rather to a Key Distribution Center (KDC), as follows:

1. The client first contacts a certification authority (CA).
2. The CA creates a time-stamped session key with a limited duration (by default, eight hours) using the client’s key and a randomly generated key that includes the identification of the target service.
3. This information is sent back to the client in the form of a Ticket-Granting Ticket (TGT).
4. The client then submits the TGT to a Ticket-Granting Server (TGS).
5. This server then generates a time-stamped key encrypted with the service’s key and returns both to the client.
6. The client then decrypts the keyed ticket using its key, contacts the server, and offers the encrypted ticket to the service.
7. The service uses its key to decrypt the ticket and verify that the time stamps match and the ticket remains valid.
8. The service contacts the KDC and receives a time-stamped session keyed ticket that it returns to the client.
9. The client then uses its key to decrypt its ticket. When both agree that the other is the proper account and that the keys are within their valid lifetime, communication occurs.

The strengths of Kerberos authentication come from its time-synchronized connections and the use of registered client and service keys within the KDC. The handshaking between the client and the KDC and between the service and the KDC provides verification that the current session is valid, without requiring the transmission of logons or passwords between client and service. These also create some drawbacks, such as the need to use a standard time base for all systems involved, and difficulties that can result if the KDC is unavailable or the cached client and service credentials were accessed directly from the granting servers. An important advantage of time-stamped credentials is that they help prevent spoofing and replay attacks. The short lifespan of a ticket ensures that if someone attempts to intercept the encrypted data to try to break its keys, the key will have changed before he or she can reasonably be able to break the key using cryptographic algorithms.
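The ticket flow above, condensed into a runnable model (an added example, not code from the book or from any Kerberos implementation). It assumes a toy symmetric cipher (SHA-256 keystream plus an HMAC tag) standing in for Kerberos’ real one, uses the KDC’s authentication service for the role the text calls the CA, and shows why the password never crosses the wire, how ticket lifetimes and time stamps reject expired and replayed requests, and how the service proves itself back to the client (mutual authentication).

```python
"""Toy Kerberos-style ticket flow (added example; not code from the book).
Follows the nine steps above: the client's password never crosses the wire, the
TGT and service ticket carry expiry times, and the service echoes the client's
time stamp to prove itself (mutual authentication). seal()/unseal() are a
labelled stand-in cipher (SHA-256 keystream + HMAC), not Kerberos' real one."""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600  # the eight-hour default quoted in the text
MAX_SKEW = 300              # authenticator time stamps must be within 5 minutes


def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON record under a shared symmetric key."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Key Distribution Center; also the shared clock, since Kerberos needs one time base."""

    def __init__(self, now: int):
        self.now, self.keys, self.tgs_key = now, {}, os.urandom(32)

    def register(self, principal: str, password: str):
        self.keys[principal] = hashlib.sha256(password.encode()).digest()

    def as_exchange(self, client: str) -> bytes:
        """Steps 1-3: TGT plus TGS session key, sealed with the client's own key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session,
                                  "expires": self.now + TICKET_LIFETIME})
        return seal(self.keys[client], {"tgs_key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Steps 4-5: check TGT lifetime and authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if self.now > t["expires"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(auth["ts"] - self.now) > MAX_SKEW:
            raise ValueError("authenticator does not match TGT, or clock skew")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session,
                                           "expires": self.now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"svc_key": svc_session, "ticket": ticket.hex()})


class Service:
    """A registered service; its long-term key is known only to it and the KDC."""

    def __init__(self, name: str, kdc: KDC):
        self.name, self.kdc, self.key, self.seen = name, kdc, kdc.keys[name], set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """Steps 6-9: validate the ticket, reject replays, echo the time stamp back."""
        t = unseal(self.key, ticket)
        if self.kdc.now > t["expires"]:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(auth["ts"] - self.kdc.now) > MAX_SKEW:
            raise ValueError("bad authenticator")
        if (auth["client"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")  # time stamps defeat replay
        self.seen.add((auth["client"], auth["ts"]))
        return seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})  # only the real service can


def obtain_ticket(kdc: KDC, user: str, password: str, service: str):
    """Client side of steps 1-5: password -> TGT -> (service ticket, session key)."""
    ckey = hashlib.sha256(password.encode()).digest()
    as_rep = unseal(ckey, kdc.as_exchange(user))  # a wrong password fails right here
    tgs_key = bytes.fromhex(as_rep["tgs_key"])
    authenticator = seal(tgs_key, {"client": user, "ts": kdc.now})
    tgs_rep = unseal(tgs_key, kdc.tgs_exchange(bytes.fromhex(as_rep["tgt"]),
                                               authenticator, service))
    return bytes.fromhex(tgs_rep["ticket"]), bytes.fromhex(tgs_rep["svc_key"])


def use_ticket(service: Service, user: str, ticket: bytes, svc_key: bytes) -> bool:
    """Client side of steps 6-9; True only if the service echoed our time stamp."""
    ts = service.kdc.now
    reply = service.ap_exchange(ticket, seal(svc_key, {"client": user, "ts": ts}))
    return unseal(svc_key, reply)["ts"] == ts
```

Advancing `kdc.now` past `TICKET_LIFETIME` makes the same ticket fail, and presenting an authenticator a second time is refused as a replay.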

Mutual Authentication
Kerberos 5 includes support for a process known as mutual authentication, in which both client and server verify that the computer with which they are communicating is the proper system. This process helps to prevent man-in-the-middle attacks, where an unauthorized party intercepts communications between two systems and pretends to be each to the other, passing some data intact, modifying other data, or inserting entirely new sets of values to accomplish desired tasks. (Chapter 3, “Infrastructure Basics,” covers man-in-the-middle attacks in more detail.) In mutual authentication, one system creates a challenge code based on a random number and then sends this code to the other system. The receiving system generates a response code using the original challenge code and creates a challenge code of its own, sending both back to the originating system. The originating system verifies the response code as a value and returns its own response code to the second system, generated from the challenge code returned with the first response code. After the second system has verified its returned response code, it notifies the originating system, and both systems consider themselves mutually authenticated.

Challenge-Handshake Authentication Protocol
The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission. CHAP uses a one-way hashing function that first involves a service requesting a CHAP response from the client. The client creates a hashed value that is derived using the message digest (MD5) hashing algorithm and sends this value to the service, which also calculates the expected value itself. The server, referred to as the authenticator, compares these two values. If they match, the transmission continues. This process is repeated at random intervals during a session of data transaction. CHAP functions over Point-to-Point Protocol (PPP) connections. PPP is a protocol for communicating between two points using a serial interface, providing service at the second layer of the OSI model: the data-link layer. PPP can handle both synchronous and asynchronous connections. CHAP is an improvement over Password Authentication Protocol (PAP). PAP is a basic form of authentication during which the username and password are transmitted unencrypted. Occasionally, you might find Shiva Password Authentication Protocol (SPAP) implemented. SPAP was designed by Shiva and is an older, two-way reversible encryption protocol that encrypts the password data sent between client and server.
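The CHAP exchange just described, as an added example (not code from the book): the authenticator issues a challenge, the peer answers with the MD5 hash over identifier, shared secret and challenge in the RFC 1994 layout, and the authenticator compares it against its own computation. It also repeats the challenge as CHAP does during a session, shows that a captured response does not satisfy a later challenge, and contrasts a PAP request that carries the password itself. The peer name and shared secret are constructed sample values.

```python
"""CHAP challenge/response (added example; not code from the book).
The authenticator sends a Challenge (one-byte identifier plus random bytes),
the peer answers with MD5(identifier || shared secret || challenge), and the
authenticator recomputes that value from its own copy of the secret and
compares. Peer names and the shared secret are constructed sample values."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """The one-way hash the peer returns; the secret itself never leaves the host."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def pap_packet(username: bytes, password: bytes) -> bytes:
    """For contrast: a PAP Authenticate-Request carries the password in the clear."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


class ChapAuthenticator:
    """Server side (the 'authenticator'): knows each peer's secret, issues challenges."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}   # peer -> (identifier, challenge) still awaiting a response
        self.ident = 0

    def challenge(self, peer: str):
        """Emit a fresh identifier and 16 random challenge bytes for this peer."""
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[peer] = (self.ident, chal)
        return self.ident, chal

    def verify(self, peer: str, ident: int, response: bytes) -> bool:
        """Compare the peer's response with the locally computed expectation.
        A challenge is consumed on first use, so a captured response cannot be
        replayed against a later challenge."""
        if self.pending.get(peer, (None,))[0] != ident:
            return False
        _, chal = self.pending.pop(peer)
        expected = chap_response(ident, self.secrets[peer], chal)
        return hmac.compare_digest(expected, response)


def run_session(auth: ChapAuthenticator, peer: str, secret: bytes, rounds: int = 3):
    """Initial authentication followed by re-challenges, which CHAP repeats at
    random intervals during a session. Returns the per-round results and a log
    of every byte string that crossed the (simulated) link."""
    results, wire = [], []
    for _ in range(rounds):
        ident, chal = auth.challenge(peer)
        wire.append(("Challenge", ident, chal))
        resp = chap_response(ident, secret, chal)        # computed on the peer
        wire.append(("Response", ident, resp))
        results.append(auth.verify(peer, ident, resp))
    return results, wire


def secret_on_wire(secret: bytes, wire) -> bool:
    """True if the raw secret appears in any captured packet."""
    return any(secret in payload for _, _, payload in wire)
```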

A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.

EXAM ALERT
Remember that CHAP functions over Point-to-Point Protocol (PPP) connections. There are also two forms of CHAP that are Microsoft-specific (MS-CHAP and MS-CHAPv2) that you should be able to recognize.

Terminal Access Controller Access Control System Plus
The Terminal Access Controller Access Control System Plus (TACACS+) remote-access control system, which provides authentication, accounting, and access control, relies on a central server to provide access over network resources, including services, file storage, and network routing hardware. TACACS+ is similar to Remote Authentication Dial-In User Service (RADIUS), but relies on Transmission Control Protocol (TCP) rather than RADIUS’s User Datagram Protocol (UDP) transport developed originally for modem-based connectivity access control. TACACS+ is a replacement for the older TACACS and is not backward compatible with the legacy TACACS standard made popular over Telnet connectivity originally developed for UNIX systems.

Remote Authentication Dial-In User Service
The RADIUS remote-access control system provides authentication and access control within an enterprise network using UDP transport to a central network access server, which in turn provides credentials for access to resources within an extended enterprise. Developed originally for use in dial-up connectivity over telephonic modems, you might still find RADIUS servers in larger enterprises where logons must span resources located in multiple logon realms.

IEEE 802.1x
The IEEE 802.1x standard for wireless, port-based access control can be used to provide authentication and access control but is often paired with a RADIUS service to facilitate enterprisewide access management.

Because of the broadcast nature of wireless connectivity, additional transport security is often used in conjunction with 802.1x authentication to secure communications between the mobile device and the secured network. Internet Protocol Security (IPsec) is another common protocol used in conjunction with IEEE 802.1x to provide this functionality.

Certificates
One of the most rigorous forms of authentication involves the use of digital certificates within a public key infrastructure (PKI) to establish encrypted communication streams through unsecured networks. Public key systems use an asymmetric cryptographic process in which the encryption and decryption keys are not the same as in a symmetric cryptographic process like that used in Kerberos authentication. In public key encryption, a public and private key are generated by a CA, and these keys are returned to the client in the form of digital certificates. The public key is given to those who need to encrypt data and send it to the client. The client then decrypts the data using its private key that only the client has. A registration authority (RA) provides authentication to the CA of the validity of a client’s certificate request. One of the most commonly used certification and registration authorities is VeriSign, a vendor specializing in the issuance of X.509 compliant keys used to establish Secure Sockets Layer (SSL) connections (most often seen in secured website forms, HTTPS on port 443).

NOTE
Public key encryption is the basis for many commonly encountered data encryption solutions, including the use of the X.509 certificates for secure website connections. The public key is used to encrypt a message, and the private key is used to decrypt the results.

Username and Password
The most common form of authentication combines a username and a password or pass-phrase. If both match values are stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternative values. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password. Password policy is discussed in greater detail in Chapter 4, “Infrastructure Security and Controls.” Make sure that you are familiar with the details presented there.

Tokens
One of the best methods of authentication involves the use of a token, which may either be a physical device or a one-time password issued to the user. Tokens include solutions such as a chip-integrated smart card or a digital token such as RSA Security’s SecurID tokens. Digital tokens are typically used only one time so that they cannot be captured and reused later by an unauthorized party. Because the token is unique and granted only to the user, it is harder to pretend to be (spoof) the properly authorized user. Without the proper token, access is denied. Chapter 4 includes details on logical tokens that you should be familiar with.

Biometrics
The most unique quality of a user is his or her unique physical characteristics. New systems are becoming available to allow authentication of users by their body measurements (biometrics), such as fingerprints, retinal patterns, iris patterns, facial blood-vessel patterns, bone structure, and other forms of specific unique biophysical qualities, which are compared to values stored within a local table to provide authentication only if the biometric values match. Other values may be used, too, such as voice-pattern recognition or high-resolution cardiac patterns, but because these may change based on illness or exertion, they can be somewhat less dependable. Under this scenario, users must be authenticated within a widely distributed scheme where transactions against a central server storing large and complex biometric values might be difficult. Another alternative is to store biometric data on smart card tokens. Table 5.1 describes the most common biometrics methods.

TABLE 5.1 Biometric Technologies

| Method | Description |
| --- | --- |
| Fingerprint | Scans and matches a thumbprint or fingerprint to a reference file. |
| Hand/palm geometry | Uses a person’s palm or hand profile, which includes the length and width of the hand and fingers. |
| Voiceprint | Identifies a person by having her speak into a microphone to measure speech patterns. |
| Facial geometry | Identifies a user based on the profile and characteristics of his face. This includes bone structure, chin shape, and forehead size. |
| Iris profile | Identifies an individual by using the colored part of the eye that surrounds the pupil. |
| Retina scan | Identifies an individual by using the blood-vessel pattern at the back of the eyeball. |
| Signature | Matches an individual’s electronic signature to a database by comparing electronic signals created by the speed and manner in which a document is signed. |

EXAM ALERT
The exam may include questions on the various biometric technologies. Be sure you are familiar with the methods and descriptions in Table 5.1.

Biometric devices are susceptible to false acceptance and false rejection rates. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt—in other words, allow access to an unauthorized user. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs.

Multifactor Authentication
The best possible authentication solution combines multiple other methods. One example of a multifactor solution is the use of a smart card token that stores biometric values that are compared to those of the user, who might also be asked to enter a valid password. The difficulty involved in gaining unauthorized access increases as more types of authentication are used, although the difficulty for users wanting to authenticate themselves is also increased similarly. Administrative overhead and cost of support also increase with the complexity of the authentication scheme, so a solution should be reasonable based on the sensitivity of data being secured.
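The FAR and FRR definitions above worked through on sample data (an added example, not from the book): a matcher produces a similarity score per attempt and accepts any score at or above a threshold, so raising the threshold lowers FAR while raising FRR, and the sweep finds the threshold where the two rates meet. The score lists are constructed, not measurements from any real device.

```python
"""FAR / FRR for a biometric matcher (added example; not code from the book).
A matcher yields a similarity score per attempt and accepts when the score
reaches a threshold. FAR is the share of impostor attempts accepted; FRR is
the share of genuine attempts rejected. The score lists are constructed
sample data, not measurements from any real device."""

# Constructed sample match scores in [0, 1]; higher means "more alike".
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.81, 0.95, 0.60, 0.83, 0.90, 0.70, 0.86]
IMPOSTOR_SCORES = [0.20, 0.35, 0.50, 0.15, 0.62, 0.40, 0.30, 0.55, 0.25, 0.45]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when the system accepts any score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)   # unauthorized let in
    false_rejects = sum(1 for s in genuine if s < threshold)     # authorized turned away
    return false_accepts / len(impostor), false_rejects / len(genuine)


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows: a stricter threshold trades FAR for FRR."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def crossover(genuine, impostor):
    """Threshold at which FAR and FRR are closest (the equal-error-rate point),
    searched over every score that actually occurs in the sample."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES,
                                      [0.5, 0.6, 0.62, 0.7, 0.8]):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("crossover:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```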

EXAM ALERT
Remember that multifactor authentication involves the use of two or more different forms of authentication. What you know (logon, password, PIN), what you have (keycard, SecureID number generator), what you are (biometrics), or what you do (handwriting analysis, voice recognition) constitute different forms. Two of the same type (such as a password and logon ID) do not provide multifactor authentication. A username/passcode combination is only a single-factor authentication scheme, whereas a smart card/PIN combination is a two-factor solution.

Identity Proofing
Identity proofing is an organizational process that binds users to authentication methods. Identity proofing is the main component of authentication life cycle management. It must provide a firm assurance that persons are who they say they are. Identity proofing comes in a variety of forms. This technique can include integrated biometrics or online database validation. The first link in the chain of trust is established when a person is issued a credential establishing identity or privileges. Authenticators include smart cards, biometrics, and one-time password (OTP) devices. A poorly identity-proofed smart card provides less identity assurance than an effectively identity-proofed password. Identity proofing is especially important in emergency access (for example, when users forget their hardware token). Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user.

Single Sign-On
Distributed enterprise networks often include many different resources, each of which may require a different mechanism for authentication and access control. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access to all services is desirable. SSO solutions may use a central directory service, such as Microsoft Active Directory or Novell eDirectory service, or may sequester services behind a series of proxy applications as in the service-oriented architecture (SOA) approach. In the SOA network environment, the client-facing proxy application provides a standard mechanism for interacting with each service, handling specialized logon, authentication, and access control functions “behind the scenes” out of sight of the consuming user or service.

Operating System Hardening
In security terms, hardening a system refers to reducing its security exposure and strengthening its defenses against unauthorized access attempts and other forms of malicious attention. A “soft” system is one that is installed with default configurations or unnecessary services, or one that is not maintained to include emerging security updates. There is no such thing as a “completely safe” system, so the process of hardening reflects attention to security thresholds. Many services have known vulnerabilities that require specific action to make them more secure, or ones that might just impair system function by causing additional processing overhead. Regular maintenance is required to meet emerging security threats.

Nonessential Services and Protocols
Systems installed in default configurations often include many unnecessary services that are configured automatically. These provide many potential avenues for unauthorized access to a system or network. Default configurations also allow for unauthorized access and exploitation. Common default-configuration exploits include both services such as anonymous-access FTP servers and network protocols such as the Simple Network Management Protocol (SNMP). Others may exploit vendor-supplied default logon/password combinations, such as the Oracle Db default admin: scott/tiger.

EXAM ALERT
When presented with a scenario on the exam, you might be tempted to keep all services enabled to cover all requirements. Be wary of this option; it might cause the installation of unnecessary services or protocols.

CAUTION
A denial-of-service (DoS) attack against an unneeded Web service is one example of how a nonessential service could potentially cause problems for an otherwise functional system.

Patch Management
Many vendors provide regular updates for installed products, managed through automated deployment tools or by manual update procedures carried out by a system user, whether applying an updated RPM (Redhat Package Manager, a file format used to distribute Linux applications and update packages) by hand or through fully automated “call home for updates” options like those found in many commercial operating systems and applications. Because of the emergence of blended-threat malware, which targets multiple vulnerabilities within a single attack, all major operating systems and application solutions must be considered in system hardening plans. Automated reverse-engineering of newly released patches has significantly reduced the time from an update’s initial release until its first exploits are seen in the wild, down from months to hours before unpatched applications can be targeted. Types of updates you should be familiar with include the following:

- Hotfixes—Typically, small and specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update.
- Service packs—Major revisions of functionality or service operation in an installed application, including all prior service packs, hotfixes, and patches. Service packs are usually cumulative, often requiring extensive testing to ensure against service failure in integrated network environments before application. Service packs are the least common type of update.
- Patches—Like hotfixes, patches are usually focused updates that affect installed applications. Patches are generally used to add new functionality, update existing code operation, or to extend existing application capabilities.

Security Settings
To establish effective security baselines, enterprise network security management requires a measure of commonality between systems. Mandatory settings, standard application suites, and initial setup configuration details all factor into the security stance of an enterprise network. Types of configuration settings you should be familiar with include the following:

- Group policies—Collections of configuration settings applied to a system based on computer or user group membership, which may influence the level, type, and extent of access provided.
- Security templates—Sets of configurations that reflect a particular role or standard established through industry standards or within an organization, assigned to fulfill a particular purpose. Examples include a “minimum-access” configuration template assigned to limited-access kiosk systems, whereas a “high-security” template could be assigned to systems requiring more stringent logon and access control mechanisms.
- Configuration baselines—Many industries must meet specific criteria, established as a baseline measure of security. Security baselines are often established by governmental mandate, regulatory bodies, or industry representatives, such as the PCI requirements established by the credit card industry for businesses collecting and transacting credit information. An example of this is the health-care industry, which has a lengthy set of requirements for information technology specified in the Health Insurance Portability and Accountability Act (HIPAA) security standards. Unless the mandated security baseline is met, penalties and fines could be assessed.

Physical Access Security Methods
When planning security for network scenarios, many organizations overlook physical security. In many smaller organizations, the servers, routers, and patch panels are placed as a matter of convenience because of space restrictions. This can cause security issues. Speaking from experience, this equipment ends up in the oddest places, such as in the coat closet by the receptionist’s desk in the lobby, in the room with the copy machine, or in a storage room with a backdoor exit that’s unlocked most of the time. Securing physical access and ensuring that access requires proper authentication is necessary to avoid accidental exposure of sensitive data to attackers performing physical profiling of a target organization. When planning physical security, you must consider events such as natural and man-made disasters. Manmade disasters can be as simple as a clumsy technician spilling his soda into the most important piece of equipment you have. Many times, these types of scenarios are overlooked until it is too late. If you have space constraints and put the servers in a room with the water heater, how will you deal with the consequences when the water heater springs a leak? How soon will your network be back up and running? If your building is in a flood zone and the most important equipment is in the lowest spot in the building, you need to be prepared when heavy rains come.

EXAM ALERT
Be familiar with physical security descriptions indicating potential security flaws. Watch for descriptions that include physical details or organizational processes.

Physical security controls parallel the data controls. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. The security department coordinates the secure setup of the facility and surrounding areas, identifies the groups allowed to enter various areas, and allows them access based on their group membership. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Users in this model generally have some security training and are often allowed to grant access to others by serving as an escort or by issuing a guest badge. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card.

When planning for access control, the most obvious element to control is physical access to systems and resources. Your goal is to allow only trusted use of these resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model you have chosen. Physical access to a system creates many avenues for a breach in security, for several reasons. Many tools may be used to extract password and account information that can then be used to access secured network resources. Given the ability to reboot a system and load software from a floppy disk, attackers may be able to access data or implant Trojan horses and other applications intended to weaken or compromise network security. Unsecured equipment is also vulnerable to social engineering attacks. It is much easier for an attacker to walk into a reception area, say she is there to do some work on the server, and get access to that server in the closet in the front lobby than to get into a physically secured area with a guest sign-in and sign-out sheet. As mentioned earlier, weak physical controls can also amplify the effects of natural and man-made disasters.

When physical security is considered, you pay attention not only to direct physical contact with hosts and network hardware but also to line-of-sight access, which means you need to place systems in such a way that you don’t allow an attacker with a telescope or binoculars to spy on typed passwords. You also need to consider areas covered by wireless device transmissions, which may be detected at far greater distances than are useful for two-way network connectivity. Even the location of systems in low-traffic, public, or unmonitored areas may pose security risks.

a system left logged in when the administrator is away from her desk. This area is referred to as no-man’s land. In addition. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. limited-access zones. many modems and network hardware solutions use raw. You can have the most secure lock on the door with biometric devices for identification. Frosted or painted glass can be used to eliminate direct visual observation of user actions. but if the walls don’t go up all the way and ceiling tiles can be removed to access rooms with sensitive equipment in them. or a paper with sensitive data on it thrown in the garbage could undo many layers of protection. and many other considerations may be involved in access control planning. surveillance cameras. motion detectors. attaching the system to fixed. and raised floors do not provide unauthorized avenues for physical access. someone can easily walk off with equipment and sensitive data. and system operation. to prevent circumvention to improve ease of normal access. Facilities Because a physical security plan should start with examining the perimeter of the building. users must be educated about each measure taken. transmitted data to illuminate activity indicator lights. nonmovable furniture using locking cables or restraints. Intruders often piggyback their way into a building.160 Chapter 5: Access Control and Authentication Basics This section covers physical access control. this section discusses the various methods used to secure your facilities from the outside of the building. drop ceilings. network switching. A single propped-open door. and locking the case itself to prevent the removal of key components. Physical Barriers Access might be controlled by physically securing a system within a locked room or cabinet. Direct observation of these may enable an attacker to remotely eavesdrop on transmitted data using a telescope. In addition. 
including barriers. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. token-based and biometric access requirements for restricted areas. meaning they wait for someone with proper access to enter the building and then . facilities. Other secured-area considerations include ensuring that air ducts. and very high-security scenarios may mandate the use of electromagnetic shielding to prevent remote monitoring of emissions generated by video monitors. and environments. Social engineering and user education are also covered. Security guards. Nonstandard case screws are also available to add another layer of security for publicly accessible terminals.

Depending on the company policy, the time of day, or the employee, these intruders may never be questioned or escorted out. Having a clear area around the main facility can keep this from happening.

Another common deterrent is a fence or similar device that surrounds the entire building. A fence keeps out unwanted vehicles and people. One factor to consider in fencing is the height: the higher the fence, the harder it is to get over. Another factor to consider is the material the fence is made of. It is much easier to remove wooden slats or cut a chain-link fence with bolt cutters than it is to drill through concrete or block. One final note: if the fence isn't maintained or the area around it isn't well lit, the fence can easily be compromised.

Another physical barrier is a moat. Moats surround part or all of a facility and are excellent physical barriers because they have a low profile and are not as obtrusive as fencing. In this instance, the considerations are the depth and the width. As with all physical barriers, the moat must be well maintained.

Other Deterrents

You can implement the following additional security measures to help deter unauthorized access:

- Mantraps: A mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building.
- Security guards and dogs: Security guards and dogs can be great deterrents to intruders. They are often used in combination with other measures. It is imperative that they are trained properly.
- External lighting and cameras: If areas are brightly lit and have cameras, they are less likely to see unauthorized access attempts.
- External and internal motion detectors: Motion detectors can alert security personnel to intruders or suspicious activity on the company's premises. They can be based on light, sound, infrared, or ultrasonic technology. These devices must be properly configured because they are extremely sensitive and can issue false alarms if set too stringently.
- External doors and windows: Steel doors are the best deterrent, but steel-reinforced wooden doors work, too. Windows should have locking mechanisms, and building security alarms should monitor the open/closed position of all windows that could pose an entry risk.
- Locks: Locks must be easy to operate yet deter intruders. Besides the normal key locks, several different types can be considered. A cipher lock has a punch-code entry system. A wireless lock is opened by a receiver mechanism that reads a card when it is held close to the receiver. A swipe card lock requires a card to be inserted into the lock; many hotels use these. The factors to consider are strength, material, and cost.
- Door access systems: Door access systems include biometric access, proximity access, Disability Discrimination Act (DDA) door entry systems, coded access systems, and modular door entry systems. The type of access used will depend on the amount of security needed.
- Biometrics: Physical security can also integrate biometric methods into a door-lock mechanism. Biometrics can use a variety of methods; see Table 5.1 for a review of these technologies. When using biometrics, remember that each method has its own error ratios, and some methods may seem invasive to the users and may not be accepted gracefully.
- Video surveillance: Closed-circuit television (CCTV) is the most common method of surveillance. It was originally developed as a means of security for banks. The picture is viewed or recorded, but not broadcast. IP video surveillance uses TCP/IP for recording and monitoring.

EXAM ALERT
The exam may include questions about the various physical-barrier techniques. Be sure you are familiar with the methods previously listed.

Physical Security During Building Evacuations

A physical security plan should start with an examination of the perimeter of the building, but it is also wise to discuss what happens when an evacuation is necessary. You don't want intruders plundering the building while employees are running haphazardly all over the place. The evacuation process could be a part of the disaster recovery plan, described in Chapter 11, "Organizational Security," and should include some of the following items:

- A map of the internal building and all exit areas
- Which departments will exit through which doors
- What equipment will be shut down and by whom
- Who will do a final inspection of each area and make sure it is secure

- Where each department, once evacuated, will go and how far away from the building they will be located
- Who will notify the proper authorities or agencies of the incident

Make sure that all users understand how these plans function and practice orderly evacuation procedures so that an emergency situation does not leave critical systems unguarded or unsecured. Smoke from a cigarette or a purposefully set flame could create an opportunity for an attacker to gain access to highly secure areas if evacuation planning does not include security considerations.

Exam Prep Questions

1. Which of the following best describes identity proofing?
   A. Specifies the types of access attempts that cause the system to generate a record in the security event log
   B. Model in which permissions are uniquely assigned to each account
   C. Organizational process that binds users to authentication methods
   D. Controls how access to a computer's processors and memory is shared

2. When reviewing user access to a service or resource, what is the order of operation?
   A. Access must be granted first, and then authentication occurs.
   B. Authentication occurs first, and then access is determined.
   C. Authentication and access control occur separately at the same time.
   D. A user's access rights are determined by the method of authentication used.

3. Which of the following is not a common criterion used to authenticate a valid access request?
   A. Something you have
   B. Where you log on
   C. What you know
   D. Something you do
   E. Something you are

4. You are the network administrator responsible for selecting the access control method that will be used for a new kiosk system to be used in a local museum. The museum's donors want to have full access to information about all items, but visitors should have access only to those items on current display. Which forms of access control are most appropriate to this requirement? (Choose two correct answers.)
   A. Discretionary access control
   B. Mandatory access control
   C. Role-based access control
   D. Rule-based access control

5. You are the network administrator responsible for selecting the access control method that will be used for a new parking garage. Visitors should be allowed access only during normal business hours. Members of the board of directors must always be granted access, whereas other staff members should be granted access to the parking garage only when spaces are available. What form of access control is best for this scenario?
   A. Discretionary access control
   B. Mandatory access control
   C. Role-based access control
   D. Rule-based access control

6. Which of the following are biometric authentication types? (Choose all that apply.)
   A. One-use passcode
   B. Voice recognition
   C. Fingerprint
   D. Smart card
   E. Facial recognition
   F. Iris identification

7. Which type of authentication involves comparison of two values calculated using the message digest (MD5) hashing algorithm?
   A. Biometric authentication
   B. Challenge-Handshake Authentication Protocol (CHAP)
   C. Kerberos authentication
   D. Mutual authentication
   E. Public key infrastructure (PKI)

8. Many different keys may be used to perform user authentication. Which of the following is an example of the use of an asymmetric encryption method?
   A. Biometric authentication
   B. Challenge-Handshake Authentication Protocol (CHAP)
   C. Kerberos authentication
   D. Username and password
   E. Public key infrastructure (PKI)

9. You are presented with an authentication scheme in which Computer A calculates a code it sends to Computer B. Computer B returns a calculated code based on the one from Computer A and one of its own, and then Computer A returns a calculated code to Computer B based on its transmitted code. What type of authentication is this?
   A. Biometric authentication
   B. Challenge-Handshake Authentication Protocol (CHAP)
   C. Kerberos authentication
   D. Mutual authentication
   E. Public key infrastructure (PKI)

10. Which of the following might be used in multifactor authentication? (Choose all correct answers.)
   A. Biometric authentication
   B. Challenge-Handshake Authentication Protocol (CHAP)
   C. Kerberos authentication
   D. Username and password
   E. Public key infrastructure (PKI)

11. External motion detectors can use which of the following technologies? (Select all correct answers.)
   A. RFID
   B. Infrared
   C. Ultrasonic
   D. Sound

Answers to Exam Prep Questions

1. C. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Answer A is incorrect because access control entries specify the types of access attempts that cause the system to generate a record in the security event log. Answer B is incorrect because in a user-based model permissions are uniquely assigned to each account. Answer D is incorrect because a hypervisor controls how access to a computer's processors and memory is shared.

2. B. Before access rights can be determined, a user must first be authenticated. Answers A and C are incorrect because authentication must precede access rights determination to avoid granting an unauthorized account access rights. Answer D is incorrect because the processes of authentication and access rights determination are not explicitly dependent on one another.

3. B. Although rule-based access controls may restrict access to a particular address or terminal, the location does not provide authentication for the account requesting access. Answer A is incorrect because security tokens (something you have) are commonly used for authentication. Answer C is incorrect because logon/password combinations (something you know) represent the most common single-factor authentication mechanism. Answers D and E are also incorrect because both something you do (such as handwriting analysis) and something you are (biometrics) represent authentication mechanisms that interact directly with the requesting user's person.

4. B, C. A mandatory access control solution involving labels such as DONOR and DISPLAY would suffice for the user access assignment. A role-based access control solution involving the roles of User and Donor would also be appropriate. Answer A is incorrect because the complexity of assigning by-user access rights over each item's files would involve a large amount of administrative overhead. Answer D is incorrect because the complexity of the requirement is not great enough to involve detailed conditional testing.

5. D. A rule-based access control solution would allow detailed conditional testing of the user's account type and the time of day and day of the week to allow or deny access. Answers A and B are incorrect because neither solution allows for conditional testing. Answer C is also incorrect because role-based access control tests against role-assigned access rights rather than other qualities such as a test for normal working hours.

6. B, C, E, and F. These are all biometric authentication types. Answers A and D are incorrect because they are token authentication types.

7. B. The Challenge-Handshake Authentication Protocol compares two values created using the MD5 hashing algorithm. Answer A is incorrect because biometric identification relies on biological patterns and not hashed values. Answers C and D are incorrect because Kerberos and mutual authentication schemes involve time-stamped ticket-based key exchange or exchange of random codes rather than an MD5-calculated value. Answer E is incorrect because a PKI solution involves the use of digital certificates rather than a calculated hashed value.

8. E. A PKI solution involves an asymmetric encryption scheme in which a public key is used to encrypt data and a separate private key is used to decrypt the data. Answer A is incorrect because biometric authentication relies on biological patterns rather than calculated values. Answers B and C are incorrect because both CHAP and Kerberos rely on symmetric (shared-secret) schemes, in which the same key values are used by both client and service. Answer D is incorrect because the username and password are simply presented values and do not involve encryption.

9. D. In mutual authentication, both computers exchange calculated values and each verifies a returned code based on these. Answer A is incorrect because biometric authentication involves comparisons against stored biological values. Answer B is incorrect because CHAP is demanded by the service and does not provide verification back to the client that the service is also authentic. Answers C and E are incorrect because Kerberos and PKI authentication involve the exchange and comparison of keys or certificates issued by a third agent (the key distribution center or certificate authority) rather than direct negotiation between the two systems.

10. A, B, C, D, and E. Any combination of authentication methods may be used in a multifactor solution. Multifactor authentication just refers to solutions including more than a single type of authentication.

11. B, C, and D. External motion detectors can be based on light, sound, infrared, or ultrasonic technology. Answer A is incorrect because radio-frequency identification (RFID) is an automatic identification method, not a motion-sensing technology.

Additional Reading and Resources

1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley, 2001.
2. Tipton, Harold F., and Micki Krause. Information Security Management Handbook, Sixth Edition. Auerbach Publications, 2007.
3. SANS Top Twenty 2007 Security Risks: http://www.sans.org/top20/
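The two exchanges behind answers 7 and 9, as an added Python example that is not part of the book: CHAP's one-way challenge-response, where the server challenges and the client answers with MD5(Identifier || secret || Challenge) as RFC 1994 defines it, and the three-message mutual scheme of question 9, where each side proves knowledge of the secret to the other. The shared secret and the nonces are constructed values, and the keyed digest used for the mutual exchange (HMAC-SHA256) is an assumption chosen for the illustration, not a protocol named on the page.

```python
import hashlib
import hmac
import os

# Constructed secret shared by both parties (assumption, not from the book).
SHARED_SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the digest from its own copy of the secret and compares
    the two values in constant time; the secret itself never crosses the wire."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret_on_client: bytes, secret_on_server: bytes, identifier: int = 1) -> bool:
    """One-way CHAP: a fresh random challenge defeats replay of an old response, but nothing
    in the exchange proves to the client that the server knows the secret (answer 9, option B)."""
    challenge = os.urandom(16)                                          # server -> client: Challenge
    response = chap_response(identifier, secret_on_client, challenge)   # client -> server: Response
    return chap_server_verify(identifier, secret_on_server, challenge, response)  # Success/Failure


def keyed_code(secret: bytes, *parts: bytes) -> bytes:
    """Keyed digest for the mutual scheme (HMAC-SHA256; an assumption for this example)."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


def mutual_exchange(secret_a: bytes, secret_b: bytes):
    """Mutual authentication as in question 9:
      A -> B: nonce_a                               (A's calculated code)
      B -> A: nonce_b, code(nonce_a || nonce_b)     (B answers A's code with one of its own)
      A -> B: code(nonce_b || nonce_a)              (A answers B's code)
    Returns (a_trusts_b, b_trusts_a)."""
    nonce_a = os.urandom(16)                                   # message 1
    nonce_b = os.urandom(16)
    code_b = keyed_code(secret_b, nonce_a, nonce_b)            # message 2
    a_trusts_b = hmac.compare_digest(code_b, keyed_code(secret_a, nonce_a, nonce_b))
    # Message 3 swaps the nonce order so it can never be replayed back as a valid message 2.
    code_a = keyed_code(secret_a, nonce_b, nonce_a)
    b_trusts_a = hmac.compare_digest(code_a, keyed_code(secret_b, nonce_b, nonce_a))
    return a_trusts_b, b_trusts_a


if __name__ == "__main__":
    print("CHAP, matching secrets:", chap_exchange(SHARED_SECRET, SHARED_SECRET))
    print("CHAP, wrong secret:    ", chap_exchange(SHARED_SECRET, b"wrong"))
    print("mutual, matching:      ", mutual_exchange(SHARED_SECRET, SHARED_SECRET))
```

The CHAP digest is MD5 only because the protocol specifies it; the comparison itself should still be constant-time, which is why `hmac.compare_digest` is used on both sides.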

CHAPTER SIX
Securing Communications

Terms you need to understand:
✓ VPN
✓ L2TP
✓ PPTP
✓ RADIUS
✓ IPsec
✓ SSH
✓ OSI model
✓ PGP
✓ S/MIME
✓ HTTPS
✓ S-HTTP
✓ SSL
✓ TLS

Techniques you need to master:
✓ Understand the use of encapsulating protocols in the creation of a virtual private network (VPN) over a public network.
✓ Recognize the use of Internet Protocol Security (IPsec) to create a secured encapsulation of client and server data.
✓ Be able to identify the use of HTTP and HTTPS protocol connections over ports 80 and 443, respectively.

The hallmark of modern computer use involves network connectivity over many local area network (LAN) and wide area network (WAN) protocols, although the most universally available addressing scheme involves the TCP/IP-based global network commonly referred to as the Internet. This connectivity creates the need for many security considerations, including encapsulation and authentication mechanisms, internetworking communications such as email and web-based connectivity, and issues surrounding the transfer of data across distributed public networks. In this chapter, you learn about the security-related issues surrounding communications through modern network technologies.

Remote Access

The first area of focus within the arena of communications security involves enabling remote or mobile clients to connect to necessary resources. A wide variety of solutions for connectivity are available. Remote access might include a wireless fidelity (Wi-Fi) link supporting a small office/home office (SOHO) network using modern 802.1x-compliant wireless networking equipment, or perhaps allowing a mobile sales force to be authenticated as they dial in to a central office using telephony carriers. This section focuses on several specific areas of concern related to remote access, including the following:

- 802.1x wireless networking
- Virtual private network (VPN) connections using the Layer 2 Tunneling Protocol (L2TP) or the Point-to-Point Tunneling Protocol (PPTP)
- Dial-up authentication using the Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System (TACACS and TACACS+)
- Secure terminal connections using the Secure Shell (SSH) interface
- Packet-level authentication of VPN connections using the IPsec standard

EXAM ALERT
The exam will contain many acronyms specifying security terminology. Make sure that you are very comfortable with the common acronyms, with particular attention to similar acronyms such as PPP (the Point-to-Point Protocol carried by L2TP) and PPTP (the Point-to-Point Tunneling Protocol, which is an alternative to L2TP connectivity).

802.1x Wireless Networking

The IEEE 802.1x specification establishes standards for authenticating devices on wireless networks. Strictly speaking, the radio link itself is defined by the IEEE 802.11 family of standards; 802.1x is the port-based network access control framework applied on top of it, and this chapter follows the exam's usage of "802.1x" for the combination. When a client attempts to make an 802.1x-compliant connection, the client attempts to contact a wireless access point (AP). The AP authenticates the client through a basic challenge-response method and then provides passthrough to a wired network or serves as a bridge to a secondary wireless AP. The one-way initiating authentication process, broadcast using radio waves, is susceptible to several security concerns:

- Data emanation: 802.1x transmissions generate detectable radio-frequency signals in all directions. Persons wishing to "sniff" the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures. Although intervening material and walls may affect the functional distance at which these transmissions may be used for normal network connectivity, they remain detectable at extended range. Focused receipt of the omnidirectional wireless broadcasts can be accomplished at a much greater range than is used for two-way network connectivity.
- Weak encryption: Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as Wired Equivalent Privacy (WEP) and the Advanced Encryption Standard (AES), but transport encryption mechanisms suffer from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use; WEP in particular can be recovered from a few minutes of captured traffic and should be treated as no encryption at all. Newer standards that involve time-changing encryption keys, such as the Temporal Key Integrity Protocol (TKIP) and Wi-Fi Protected Access (WPA/WPA2), address this, with WPA2 using AES-CCMP as the baseline to require.
- Session hijacking: Because the authentication mechanism is one way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic pretending to be the original client.
- Man-in-the-middle attacks: Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device's standard roaming handoff mechanism. Unless a secondary authentication and access control mechanism is employed, mobile wireless connectivity may be subjected to this type of attack, particularly when a mobile client moves between locations and must negotiate successive AP connections in transit.
- War driving/chalking: Coordinated efforts are underway aimed at identification of existing wireless networks. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x APs announcing their SSID broadcasts, which is known as war driving. Many websites provide central repositories for identified networks to be collected, graphed, and even plotted against city maps for the convenience of others looking for open access links to the Internet. A modification of Depression-era hobo symbols is being used to mark buildings, curbs, and other landmarks indicating the presence of an available AP and its connection details. This so-called war chalking uses a set of symbols and shorthand details to provide the specifics needed to connect using the AP: the service set identifier (SSID) used to identify the wireless network, and any known WEP keys.
- Bluejacking/Bluesnarfing: Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as Bluejacking. Although typically benign, attackers can use this form of attack to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker's device. Once paired with the attacker's device, the user's data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as Bluesnarfing.

NOTE
A common means to detect wireless transmissions at an extended range involves the use of a metal-lined tube (often a Pringles potato chip can), serving as a waveguide for a standard wireless antenna.
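As an added example that is not part of the book, the following Python constructs a few 802.11 beacon frames, parses the SSID, channel and advertised security mode (open, WEP, WPA, WPA2) out of them, and flags the two conditions described in the weak-encryption and man-in-the-middle bullets above: a known SSID advertised from a BSSID that is not on an allow-list (a rogue or "evil twin" AP), and a known SSID advertised with anything weaker than WPA2. The BSSIDs and the KNOWN_APS allow-list are assumptions; the frame layout follows IEEE 802.11 (24-byte management header, 12 bytes of fixed parameters, then information elements).

```python
import struct
from typing import Dict, List, Set

# Constructed allow-list of legitimate access points, SSID -> BSSIDs (an assumption, not from the book).
KNOWN_APS: Dict[str, Set[str]] = {"corpnet": {"00:11:22:33:44:55"}}


def build_beacon(bssid: str, ssid: str, channel: int, security: str) -> bytes:
    """Construct a minimal 802.11 beacon frame (no FCS) so the parser can be exercised offline.
    security is one of "open", "wep", "wpa" or "wpa2"."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    capability = 0x0001                                    # ESS
    if security != "open":
        capability |= 0x0010                               # Privacy bit (WEP, or WPA/WPA2 with an RSN/WPA IE)
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, capability)        # timestamp, beacon interval, capability
    name = ssid.encode()
    body = bytes([0, len(name)]) + name + bytes([3, 1, channel])   # SSID IE, DS Parameter Set IE
    if security == "wpa2":                                 # RSN IE (48): CCMP pairwise, PSK AKM
        rsn = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04" + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
               + struct.pack("<H", 1) + b"\x00\x0f\xac\x02" + struct.pack("<H", 0))
        body += bytes([48, len(rsn)]) + rsn
    elif security == "wpa":                                # vendor IE (221), Microsoft OUI, type 1 = WPA
        wpa = (b"\x00\x50\xf2\x01" + struct.pack("<H", 1) + b"\x00\x50\xf2\x02" + struct.pack("<H", 1)
               + b"\x00\x50\xf2\x02" + struct.pack("<H", 1) + b"\x00\x50\xf2\x02")
        body += bytes([221, len(wpa)]) + wpa
    return header + fixed + body


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, channel and the advertised security mode from a beacon frame."""
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    if frame_control & 0x00FC != 0x0080:                  # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])     # Address 3 carries the BSSID
    _, _, capability = struct.unpack_from("<QHH", frame, 24)
    ies, vendor, off = {}, [], 36
    while off + 2 <= len(frame):                           # walk the (id, length, data) elements
        eid, length = frame[off], frame[off + 1]
        data = frame[off + 2:off + 2 + length]
        if eid == 221:
            vendor.append(data)
        else:
            ies[eid] = data
        off += 2 + length
    if 48 in ies:
        security = "wpa2"
    elif any(v.startswith(b"\x00\x50\xf2\x01") for v in vendor):
        security = "wpa"
    elif capability & 0x0010:
        security = "wep"                                    # Privacy bit set but no RSN/WPA element
    else:
        security = "open"
    return {"bssid": bssid, "ssid": ies.get(0, b"").decode("utf-8", "replace"),
            "channel": ies[3][0] if 3 in ies else None, "security": security}


def find_rogue_aps(frames: List[bytes], known: Dict[str, Set[str]] = KNOWN_APS) -> List[str]:
    """Flag a known SSID advertised from an unknown BSSID (rogue / evil-twin AP) and a known
    SSID advertised by a legitimate BSSID with anything weaker than WPA2 (downgrade)."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        if ap["ssid"] not in known:
            continue
        if ap["bssid"] not in known[ap["ssid"]]:
            findings.append(f"rogue AP {ap['bssid']} advertising {ap['ssid']!r} "
                            f"on channel {ap['channel']} ({ap['security']})")
        elif ap["security"] != "wpa2":
            findings.append(f"known AP {ap['bssid']} advertising {ap['ssid']!r} with {ap['security']}")
    return findings


if __name__ == "__main__":
    captured = [build_beacon("00:11:22:33:44:55", "corpnet", 6, "wpa2"),     # legitimate
                build_beacon("de:ad:be:ef:00:01", "corpnet", 1, "open"),     # constructed evil twin
                build_beacon("00:11:22:33:44:66", "guest", 11, "wep")]
    for line in find_rogue_aps(captured):
        print(line)
```

The same parser can be pointed at real captures (for example the management frames a monitor-mode interface delivers through a pcap library); the allow-list is what turns "a second AP is broadcasting our SSID" into an alert.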

VPN Connections

When data must pass across a public or unsecured network, one popular way to secure the data involves the use of a virtual private network (VPN) connection. VPN connections provide a mechanism for the creation of a secured tunnel through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. This technology allows a secure, authenticated connection between a remote user and the internal private network of an organization. Additional security may be gained through the use of encryption protocols and authentication methods, such as using the IP Security (IPsec) protocol over the VPN connection. VPN connections may also be used to create secured connections between remote offices to allow replication traffic and other forms of intersite communication to occur, without incurring the cost of expensive dedicated leased circuits.

Some VPN solutions can provide additional checks that ensure users connecting from home have antivirus software and patches properly installed. This is especially important because it is often difficult to be sure telecommuters and road warriors conform to security policies by keeping antivirus software and patches up to date and properly configuring firewalls. A VPN quarantine ensures that computers connecting to the network using the VPN are subject to preconnection and postconnection checks, and can be isolated until the computer meets the required security policy. These checks can examine service pack versions, security updates, and whether the antivirus program is running with the most recent virus definition files. Additionally, it is necessary to make sure that any USB devices these employees use are encrypted. Many solutions use AES encryption, such as IronKey and TrueCrypt (the latter since discontinued).

NOTE
VPN connections are also often used to connect remote-access service (RAS) servers located within an organization's demilitarized zone (DMZ) through a secure conduit to a RADIUS server located within the organization's private network. This provides a secured channel for the authentication of dial-in users connecting to RAS servers located within the semiprivate DMZ, without placing authentication servers directly in the DMZ.

The VPN tunneling process includes three protocols: the carrier protocol (IP), the encapsulating protocol (PPTP or L2TP), and the passenger protocol (the original data). We now examine the encapsulating protocol options PPTP and L2TP.

PPTP Connections

One common VPN encapsulation protocol, initially proposed in RFC 2637 by a group of companies including Microsoft, is the Point-to-Point Tunneling Protocol (PPTP). Connections made between remote users and sites may be made using this encapsulation protocol, which creates a secured "tunnel" through which other data can be transferred. Note that PPTP's own protections, MS-CHAP authentication and MPPE encryption, have since been broken; where confidentiality matters, prefer L2TP over IPsec or a TLS-based VPN.

Layer 2 Tunneling Protocol Connections

The Layer 2 Tunneling Protocol (L2TP) is an extension of the earlier PPTP and Layer 2 Forwarding (L2F) standards. Proposed by Cisco and its partners (RFC 2661), L2TP is rapidly replacing PPTP as the standard encapsulation protocol used for VPN connections. L2TP connections are created by first allowing a client to connect to an L2TP access concentrator, which then tunnels individual PPP frames through a public network to the network access server (NAS), where the frames may then be processed as if generated locally. L2TP itself provides tunneling but no encryption; in practice it is paired with IPsec (L2TP/IPsec) to protect the tunneled frames.

EXAM ALERT
Remember that the L2TP protocol is gaining widespread acknowledgment as the successor to the older PPTP-based VPN connection.

Dial-Up User Access

Although broadband solutions such as cable modems and Digital Subscriber Line (DSL) connections are becoming more available, the use of a modulator/demodulator (modem) over normal telephony lines remains a common means of remote connectivity. Client systems equipped with a modem can connect using normal dial-up connections to a properly equipped RAS server, which then functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Most Internet service providers (ISPs) offer this type of network connectivity for their users, although many organizations still maintain RAS servers to provide direct connectivity for remote users or administrators and to provide failover fault-tolerant communication in the event of WAN connectivity loss.

Demand-dial solutions involving the use of modem technology may even provide on-demand intersite connectivity for replication or communications, without requiring a continuous form of connection between the remote sites. This section reviews several options for authentication and access control within the dial-up network environment, including the TACACS, RADIUS, and LDAP protocols.

Terminal Access Controller Access Control System

An early authentication mechanism used by UNIX-based RAS servers to forward dial-up user logon and password values to an authentication server is the Terminal Access Controller Access Control System (TACACS) protocol. TACACS did not provide authentication itself; instead, it provided a protocol for forwarding the logon information to a separate authentication service.

Remote Authentication Dial-In User Service and TACACS+

Modern solutions provide for both user authentication and authorization, including the Remote Authentication Dial-In User Service (RADIUS) and TACACS+ protocols. A RADIUS server authenticates dial-in users using a symmetric-key (shared secret) method and provides authorization settings through a stored user profile. Authentication is managed through a client/server configuration in which the RAS server functions as a client of the RADIUS server, passing dial-in user access information to the RADIUS server, often through a VPN connection between the two systems.

NOTE
Remember that in RADIUS-based authentication, the RAS server is the RADIUS client, not the system initiating the dial-up connection to the RAS server.

The TACACS+ protocol is an extension of the earlier TACACS form, adding authentication and authorization capabilities similar to the RADIUS authentication method. One important difference between these two is that the TACACS+ protocol relies on TCP connectivity (port 49), whereas RADIUS uses the User Datagram Protocol (UDP), conventionally port 1812 for authentication and 1813 for accounting (older deployments used 1645 and 1646). The TACACS+ protocol is a Cisco proprietary enhancement to improve upon TACACS and extended TACACS (XTACACS).

TACACS+ does have weaknesses: its MD5-based body obfuscation is vulnerable to birthday attacks on the session ID and to packet sniffing, which is why the later published specification (RFC 8907) treats the obfuscation as not being encryption and calls for deploying TACACS+ only over a protected management network or transport. Other differences between RADIUS and TACACS+ include the following:

- RADIUS encrypts only the password in the access-request packet sent from the client to the server (the User-Password attribute is XORed with MD5 digests derived from the shared secret, which is obfuscation rather than strong encryption); the remainder of the packet is unencrypted. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header in the clear.
- RADIUS combines authentication and authorization. TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
- RADIUS does not support the AppleTalk Remote Access (ARA) protocol, the NetBIOS Frame Protocol Control protocol, the Novell Asynchronous Services Interface (NASI), or X.25 PAD connections. TACACS+ offers multiprotocol support.
- RADIUS does not allow administrators to control which commands a user can or cannot execute on a router. TACACS+ allows control of the authorization of router commands on a per-user or per-group basis.

EXAM ALERT
RADIUS encrypts only the password in the access-request packet that is sent to the RADIUS server. TACACS+ encrypts the entire packet body, but leaves the TACACS+ header intact.

Lightweight Directory Access Protocol

Often used within extended enterprise networks, the Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory, such as Microsoft Active Directory. LDAP connects by default to TCP port 389 (636 for LDAP over TLS) and queries a hierarchical tree-structured directory that includes directory entries for elements such as printers, servers, services, and user accounts. Each entry may have multiple attributes, which are defined in the directory's schema. The designation of an entry is its Distinguished Name (DN), assembled from a Relative Distinguished Name (RDN) that reflects specific attributes of the entity (for example, cn=Alice Smith) in combination with the entry's parent DN (for example, ou=People,dc=example,dc=com) to form the hierarchical directory tree. As of this writing, the Internet Engineering Task Force (IETF) has established the third official version of LDAP (LDAPv3, RFC 4510 and its companion documents), although additional LDAP variations exist in commercial directory services.
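To make the first bullet concrete, here is an added Python example (not from the book and not from any RADIUS or TACACS+ implementation) that builds a RADIUS Access-Request with the User-Password hidden exactly as RFC 2865 section 5.2 specifies, and a TACACS+ packet whose body is XORed with the MD5 pseudo-pad of RFC 8907 section 4.5 while its 12-byte header stays readable. A parser shows what a sniffer on the RAS-to-server path can read in each case. The shared secrets, Request Authenticator, session ID and packet body are constructed values.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS (RFC 2865): only the User-Password attribute value is hidden ----

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1}). Keyed obfuscation, not
    authenticated encryption; a sniffer who knows the shared secret reverses it."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                          request_authenticator: bytes) -> bytes:
    """Access-Request (Code 1): 20-byte header, then User-Name (1) and User-Password (2) attributes."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_authenticator + attrs


def radius_attributes(packet: bytes) -> dict:
    """What a sniffer reads without the secret: every attribute, User-Name included, is in
    the clear; only the User-Password value (type 2) is hidden."""
    attrs, off = {}, 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[off + 2:off + alen]
        off += alen
    return attrs


# ---- TACACS+ (RFC 8907): cleartext 12-byte header, body XORed with an MD5 pseudo-pad ----

def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 || MD5_2 || ... with MD5_1 = MD5(session_id || key || version || seq_no)
    and MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}), cut to the body length.
    Everything except the key is read from the cleartext header, hence the birthday-attack concern."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_packet(session_id: int, key: bytes, seq_no: int, body: bytes,
                       packet_type: int = 1, version: int = 0xC0) -> bytes:
    """Header = version, type (1 = authentication), seq_no, flags, session_id, length; never encrypted.
    flags = 0 means the body is obfuscated (TAC_PLUS_UNENCRYPTED_FLAG not set)."""
    header = struct.pack("!BBBBII", version, packet_type, seq_no, 0, session_id, len(body))
    return header + _xor(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


def tacacs_plus_header(packet: bytes) -> dict:
    """The fields a sniffer reads from any TACACS+ packet without the key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def tacacs_plus_decrypt(packet: bytes, key: bytes) -> bytes:
    h = tacacs_plus_header(packet)
    body = packet[12:12 + h["length"]]
    return _xor(body, tacacs_plus_pad(h["session_id"], key, h["version"], h["seq_no"], h["length"]))
```

Usage: `radius_attributes(radius_access_request(7, b"alice", b"hunter2", b"s3cret", ra))[1]` returns `b"alice"` from the wire, while attribute 2 is 16 opaque bytes until `radius_reveal_password` is given the secret; `tacacs_plus_header` reads the session ID and sequence number of a TACACS+ packet, but `tacacs_plus_decrypt` with the wrong key yields garbage.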
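An added Python example (not from the book) of assembling and splitting Distinguished Names as described above: an RDN is joined to its parent DN, and attribute values are escaped per RFC 4514 section 2.4 so that a user-supplied value containing a comma cannot inject an extra RDN into the DN a directory-backed login binds with. The attribute names and example DNs are constructed.

```python
from typing import List, Tuple

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an attribute value,
# plus '#' at the start and a space at either end of the value.
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape a value so it can be embedded in an RDN without changing the DN's structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                      # NUL must use the hex form
        elif ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse escape_rdn_value, accepting both '\\,' and '\\2c' style escapes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def make_dn(attr: str, value: str, parent_dn: str = "") -> str:
    """DN = RDN (attr=escaped value) joined to the parent entry's DN."""
    rdn = f"{attr}={escape_rdn_value(value)}"
    return f"{rdn},{parent_dn}" if parent_dn else rdn


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, breaking only on unescaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])               # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parent_dn(dn: str) -> str:
    """The DN of the entry one level up the tree."""
    return ",".join(split_dn(dn)[1:])


def rdn_parts(rdn: str) -> Tuple[str, str]:
    """(attribute type, unescaped value) of a single RDN."""
    attr, _, value = rdn.partition("=")
    return attr, unescape_rdn_value(value)


if __name__ == "__main__":
    dn = make_dn("cn", "Smith, Alice", "ou=People,dc=example,dc=com")
    print(dn)                 # cn=Smith\, Alice,ou=People,dc=example,dc=com
    print(split_dn(dn))       # four RDNs, the comma inside the name is not a separator
    print(parent_dn(dn))      # ou=People,dc=example,dc=com
```

Without the escaping step, `make_dn("cn", "x,ou=Admins", ...)` would produce a DN with an extra `ou=Admins` component; with it, the whole string stays inside the `cn` value and `split_dn` still reports four RDNs.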

Each entry may have multiple attributes, which are defined in the directory's schema. The designation of an entry is its Distinguished Name (DN), assembled from a Relative Distinguished Name (RDN) that reflects specific attributes of the entity (for example, cn=Alice Smith) in combination with the entry's parent DN (for example, ou=Users,dc=example,dc=com) to create the hierarchical directory tree.

EXAM ALERT Remember that LDAP is a TCP/IP-based protocol connecting by default to TCP port 389. Plain LDAP on port 389 carries simple binds (passwords) in clear text; use LDAP over TLS (LDAPS on TCP 636, or StartTLS on 389) for authentication traffic.

Secure Shell Connections
As a more secure replacement for the common command-line terminal utility Telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. Like Telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server, but SSH provides an authenticated and encrypted data stream, as opposed to the clear-text communications of a Telnet session. SSH provides a large number of available options that you should be at least somewhat familiar with.

SSH version 1 uses the asymmetric (public key) Rivest-Shamir-Adleman (RSA) cryptography method to provide both connection and authentication; SSH version 2, the version in use today, negotiates the session key with Diffie-Hellman and authenticates the server with an RSA, DSA, ECDSA, or Ed25519 host key. Data encryption in SSH version 1 is accomplished using one of the following algorithms:

- International Data Encryption Algorithm (IDEA)—The default encryption algorithm used by SSH version 1, a 128-bit symmetric key block cipher. At the time, most forms of this algorithm could not be used in products meant for export from the United States.
- Blowfish—A symmetric (private key) encryption algorithm using a variable 32- to 448-bit secret key.
- Data Encryption Standard (DES)—A symmetric key block cipher with a 56-bit key, now considered too short to be secure.

SSH version 1 has known protocol flaws and should be disabled wherever it is still offered; SSH version 2 implementations use AES and ChaCha20-Poly1305 for data encryption.

The SSH suite encapsulates three secure utilities: slogin, ssh, and scp, derived from the earlier non-secure UNIX utilities rlogin, rsh, and rcp. The three utilities within the SSH suite provide the following functionality:

- Secure Login (slogin)—A secure version of the UNIX Remote Login (rlogin) service, which allows a user to remotely connect to a remote server and interact with the system as if directly connected.

- Secure Shell (ssh)—A secure version of the UNIX Remote Shell (rsh) environment interface protocol.
- Secure Copy (scp)—A secure version of the UNIX Remote Copy (rcp) utility, which allows transfer of files in a manner similar to the File Transfer Protocol (FTP).

NOTE Some versions of SSH, including the Secure Shell for Windows Server, provide the SSH File Transfer Protocol (SFTP) along with the other common SSH utilities. SFTP is a file transfer subsystem running inside the SSH connection, not FTP with encryption added; FTP over SSL/TLS is a separate protocol called FTPS.

Remote Desktop Protocol (RDP)
The Microsoft Remote Desktop Protocol (RDP) evolved from Terminal Services. It provides remote display and input capabilities over network connections for Windows-based applications running on a server. This is similar to the environment provided by Citrix for remote access to applications. The server functionality is provided by the Terminal Server component, which handles Remote Assistance, Remote Desktop, and Remote Administration clients. Two client applications that use terminal services are Remote Assistance and Remote Desktop. RDP allows a user to log on to a remote system and access the desktop, applications, and data on the system, as well as control it remotely just as if it were on the local machine. RDP is an extension of the ITU T.120 family of protocols supporting various types of network topologies and LAN protocols. RDP allows for separate virtual channels to carry device communication and present data from the server, as well as encrypt client mouse and keyboard data. RDP uses RSA Security's RC4 cipher and uses TCP port 3389 by default. The native RC4 encryption is a legacy mode; current deployments should require TLS with Network Level Authentication (NLA) and should never expose port 3389 directly to the Internet.

Internet Protocol Security
The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. Unlike most security systems that function within the application layer of the Open Systems Interconnection (OSI) model, IPsec functions within the network layer.

IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.

EXAM ALERT The OSI model is a logically structured model that encompasses the translation of data entered at the application layer down through successively lower layers, resulting in the actual binary bits passed at the physical layer. At the other end of a data transfer, the individual packets of data are ordered and reassembled by passing back up through the layers of the OSI model until the original data is reproduced at the application layer on the receiving system.

The layers of the OSI model are as follows:
7. Application layer
6. Presentation layer
5. Session layer
4. Transport layer
3. Network layer
2. Data link layer (subdivided into the logical-link control [LLC] and Media Access Control [MAC] sublayers)
1. Physical layer

You should be very familiar with the OSI model, and with the common protocols and network hardware that function within each level. For example, you should know that hubs operate at the physical layer of the OSI model; intelligent hubs, bridges, and network switches operate at the data link layer; and Layer 3 switches and routers operate at the network layer. If you will be working extensively with network protocols and hardware, you should also look at the Network+ Exam Cram and Exam Prep books, which cover the OSI model in much greater detail.

IPsec Services
IPsec negotiates its keys with an asymmetric (Diffie-Hellman) exchange and then protects traffic with symmetric ciphers and keyed hashes. It provides two primary security services:

- Authentication Header (AH)—This provides authentication of the data's sender, along with integrity and anti-replay protection. Because AH uses a keyed hash (HMAC) under a key shared by both peers, it does not provide nonrepudiation. RFC 2402 (since superseded by RFC 4302) states that AH provides authentication for as much of the IP header as possible, as well as for upper-level protocol data. However, some IP header fields (such as the TTL) might change in transit, and when the packet arrives at the receiver, the value of these fields might not be predictable by the sender. The values of such fields cannot be protected by AH. Thus the protection provided to the IP header by AH is somewhat piecemeal.

- Encapsulating Security Payload (ESP)—This supports authentication of the data's sender and encryption of the data being transferred, along with confidentiality and integrity protection. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. The set of services provided depends on options selected at the time of security association establishment and on the placement of the implementation. Confidentiality may be selected independently of all other services. However, the use of confidentiality without integrity/authentication (either in ESP or separately in AH) might subject traffic to certain forms of active attacks that could undermine the confidentiality service, so ESP should always be configured with integrity protection (or an AEAD cipher such as AES-GCM).

IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram, immediately following the IP header. The protocol field of the IP header will be 50 for ESP, or 51 for AH. If IPsec is configured to do authentication rather than encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, an IP filter can be configured to let only protocol 51 (AH) traffic pass, because the outer header is AH.

EXAM ALERT Protocols 51 and 50 are the IP protocol numbers (not TCP or UDP port numbers) assigned to the Authentication Header and Encapsulating Security Payload components of the IPsec protocol. A firewall rule that opens only TCP or UDP ports will not let IPsec traffic through; the IKE negotiation itself uses UDP port 500, and UDP port 4500 carries ESP encapsulated in UDP when NAT traversal is in use.

Internet Key Exchange Protocol
IPsec supports the Internet Key Exchange (IKE) protocol, which is a key management standard used to allow specification of separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP) framework, which defines the message formats and payloads used to negotiate security associations and exchange key and authentication data; these IKE messages are a separate exchange, not data appended to each protected packet.

EXAM ALERT Make sure that you are familiar with common key exchange protocols and standard encryption algorithms, including asymmetric key solutions such as the Diffie-Hellman Key Agreement and Rivest-Shamir-Adleman (RSA) standards, symmetric key solutions such as the International Data Encryption Algorithm (IDEA) and Data Encryption Standard (DES), and hashing algorithms such as the Message Digest 5 (MD5) and Secure Hash Algorithm (SHA). Chapter 9, "Cryptography Basics," includes additional detail on encryption standards. Make sure to review these technologies when studying that chapter's content.
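The AH and ESP placement and the protocol-number filter described above can be seen directly in bytes. The following is an added example, not code from the book or from any IPsec implementation: it builds IPv4 packets carrying AH, ESP, and AH wrapped around ESP, walks the IPsec headers, and applies the "pass protocol 51 only" filter the text mentions. Addresses, SPIs, sequence numbers and the zeroed ICV are constructed sample values; the header layouts follow RFC 791, RFC 4302 and RFC 4303.

```python
"""Added example (not from the book): how IPsec headers sit behind the IPv4
header and why the IP protocol field (50 = ESP, 51 = AH), not a TCP/UDP port,
is what a packet filter must match. The packets, SPIs, addresses and ICV bytes
are constructed sample values; header layouts follow RFC 791, RFC 4302 (AH)
and RFC 4303 (ESP)."""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_UDP_PORT = 500          # IKE negotiation itself travels over UDP 500
IKE_NAT_T_UDP_PORT = 4500   # ESP-in-UDP when a NAT sits in the path (RFC 3948)


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(protocol: int, payload_len: int, src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since only the protocol field matters here."""
    ihl = 5
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                       0x1234, 0x4000, 64, protocol, 0, _ip(src), _ip(dst))


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * 12) -> bytes:
    """AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI,
    Sequence Number, then the Integrity Check Value (96 bits for HMAC-SHA1-96)."""
    total = 12 + len(icv)
    if total % 4:
        raise ValueError("AH must be a multiple of 32 bits")
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, spi, seq) + icv


def esp_header(spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """ESP: SPI and Sequence Number in clear; everything after them (payload,
    padding, Next Header, ICV) is encrypted, so a filter cannot look inside."""
    return struct.pack("!II", spi, seq) + encrypted_payload


def build_packet(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    return ipv4_header(protocol, len(payload), src, dst) + payload


def parse_ipsec(packet: bytes) -> dict:
    """Walk the IPsec headers after the IPv4 header. AH names what follows it via
    Next Header, so nested AH+ESP can be walked; ESP keeps its Next Header in the
    encrypted trailer, so parsing stops there."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    result = {"protocol": proto, "headers": [], "inner_protocol": None}
    off = ihl
    while True:
        if proto == IPPROTO_AH:
            nh, plen, _, spi, seq = struct.unpack("!BBHII", packet[off:off + 12])
            result["headers"].append(("AH", spi, seq))
            off += (plen + 2) * 4
            proto = nh
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", packet[off:off + 8])
            result["headers"].append(("ESP", spi, seq))
            proto = None            # next header is encrypted; unknown to a filter
            break
        else:
            break
    result["inner_protocol"] = proto
    return result


def ip_filter_allows(packet: bytes, allowed_protocols=frozenset({IPPROTO_AH})) -> bool:
    """The filter the text describes: match the IP protocol number, not a port.
    With an AH-only policy a plain ESP packet (protocol 50) is dropped, while
    AH-wrapped ESP (outer protocol 51) passes."""
    return packet[9] in allowed_protocols


if __name__ == "__main__":
    ah_only = build_packet("10.0.0.1", "10.0.0.2", IPPROTO_AH, ah_header(IPPROTO_TCP, 0x100, 1) + b"tcp-segment")
    esp_only = build_packet("10.0.0.1", "10.0.0.2", IPPROTO_ESP, esp_header(0x200, 1, b"ciphertext"))
    nested = build_packet("10.0.0.1", "10.0.0.2", IPPROTO_AH,
                          ah_header(IPPROTO_ESP, 0x300, 7) + esp_header(0x400, 7, b"ciphertext"))
    for name, pkt in [("AH only", ah_only), ("ESP only", esp_only), ("AH over ESP", nested)]:
        print(name, parse_ipsec(pkt), "passes AH-only filter:", ip_filter_allows(pkt))
```

The parser stops at ESP on purpose: a middlebox that tries to filter on the inner protocol of an ESP packet has nothing to read, which is exactly why IPsec policy has to be expressed in terms of protocols 50 and 51 (plus UDP 500 and 4500 for IKE and NAT traversal) rather than application ports.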

Electronic Mail
One of the most fundamental changes brought by the global interconnectivity of networked computers is electronic mail (email). Originally used to send messages between systems operators on the early Bitnet and other pre-Internet networks, email messages are becoming an increasingly pervasive method of communications between individuals and business partners, and a way to facilitate financial transactions and electronic commerce. Email has been used successfully as evidence in several court trials and forms the fundamental method of communication within many organizations. The global nature of email distribution and the speed of delivery (often only seconds separate transmission and receipt, even between users on separate continents) make email a valuable tool. However, the speed and accessibility of this technology also carry several security considerations. Public transfer of sensitive information could potentially expose this information to undesired recipients, and email messages may contain any number of hazardous programmatic file attachments directed at unsuspecting users. In addition, undesired and often unsolicited email messages can require a significant amount of time to review and discard. This section reviews mechanisms for securing email transmissions using the S/MIME protocol and the PGP third-party application, and touches on some of the undesirable elements of email, including spam and hoaxes.

NOTE We do not focus on potentially hazardous payloads here, beyond mentioning that many viruses, worms, Trojan horses, and other forms of viral programming agents transmit themselves using email as their carrier. A detailed discussion of viral programming agents was covered in Chapter 1, "System Threats and Risks."

Secure Multipurpose Internet Mail Extension
The Multipurpose Internet Mail Extension (MIME) standard extended the capability of the original Simple Mail Transfer Protocol (SMTP), which carries only 7-bit ASCII text, to allow the inclusion of nontextual data within an electronic mail message. Embedding data within an electronic mail message allows a simple method for the transmission and receipt of images, audio and video files, application programs, and many other types of non-ASCII data.

To provide a secure method of transmission, the Secure Multipurpose Internet Mail Extension (S/MIME) standard was developed. S/MIME uses the Rivest-Shamir-Adleman asymmetric encryption scheme, with X.509 certificates, to sign messages and to protect the symmetric key that actually encrypts the message body for transmission over public networks. Modern versions of Netscape Communicator and Outlook Express (the mail client shipped with Internet Explorer) include S/MIME support in their role as email clients.

Pretty Good Privacy
An alternative to the use of S/MIME is the PGP/MIME standard, derived from the Pretty Good Privacy (PGP) application program developed by Phillip R. Zimmermann in 1991. This program is used to encrypt and decrypt email messages using either the Rivest-Shamir-Adleman or the Diffie-Hellman (ElGamal) asymmetric encryption schemes to protect the symmetric session key. The commercial PGP application must be purchased and is available for individual and corporate use; the OpenPGP standard (RFC 4880) that grew from it is also implemented by free software such as GnuPG. One useful feature of the PGP program is the ability to include a digital signature and thus validate an email to its recipient: the sender's software hashes the message and signs the hash with the sender's private key, and the recipient recomputes the hash and checks the signature with the sender's public key to verify that the received email has not been tampered with and came from the holder of that key.

Undesirable Email
The strength of email involves its ability to be rapidly transmitted to one or many recipients, generally without per-item charges, as would be the case for surface mail, which requires a stamp for each item. Via email, small organizations can rapidly reach a tremendously large potential base of consumers, who rapidly receive the directed message, whether with a possible item for sale, notice of service, request for donation, or any other manner of information.

Spam
With the entire world only a single click of the Send button away, the volume of messages that a user may receive rapidly becomes too great to easily manage. Undesired or unsolicited email has gained the nickname spam, derived from the name of an amalgamated meat product by the same name. These electronic junk mail messages can rapidly overtax the capacity of email servers and require a large amount of user time to review each item and respond or discard each. Many solutions attempt to stem the rising tide of spam messages flowing into users' inboxes, such as blacklist subscriptions. These blacklists register known spam senders, and email messages that match a listed sender's address can be discarded before they are received by an organization's clients. Most email clients enable users to configure automatic rules,

discarding items from particular senders or items that contain certain words or phrases. The subjective nature of any type of email filtering can be problematic to implement, particularly when it is critical that messages be received from clients or vendors, who might inadvertently put the wrong words or phrases within the body of an important message. Chapter 1 discussed spam in greater detail.

Hoaxes
Another form of problematic email includes those messages that include incorrect or misleading information. These hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents. Hoaxes may warn of pending legislation, offer to send the user great sums of money if the user will just provide all their identity and financial information to the source, or may even tell of a $1,000 cookie recipe that the sender will be glad to make available for only a fraction of the price. These and many more hoax items circulate in a growing thread of tales and ideas, everything from urban myths to detailed instructions that may result in loss of functionality or later security vulnerability.

Instant Messaging
One alternative to the asynchronous communications of email is instant messaging (IM) software solutions, such as Windows Live Messenger, ICQ, and AOL Instant Messenger. These products link to a central server when they are opened and provide a continuously available means of communications with other users of the same system. Other file-sharing solutions using both client/server and peer-to-peer network connectivity are also included in this category, such as the Napster and Gnutella products, which have been the subject of much legislation recently. IM solutions pose many of the same vulnerabilities as email, in that they are readily accessible to a broad audience and may receive a high volume of spam, hoaxes, and unwanted viral programs. Because the IM client application may not integrate strongly with the operating system, file-transfer capabilities can be used to transmit viral agents that bypass some forms of antivirus protection. Because some file-sharing systems advertise only the platform-independent short name form of a file's name, which specifies only an eight-character filename and a three-character file extension (often written as 8.3 naming), it is

possible for improperly named executable files to be received and automatically processed by the IM software (and then perform unexpected and often undesirable actions). Open file shares inadvertently advertised by file-sharing systems can generate a tremendous load on the network bandwidth as others connect to the shared system and potentially expose many forms of sensitive information. In addition, because many IM clients transmit data in plain text, user conversations along with any sensitive information they may transfer can be sniffed and later used for nefarious purposes.

Web Connectivity
The Internet enables users to connect to many millions of sources of information, products, services, and other functionality through what has come to be known as the World Wide Web (or simply, the Web), which uses the Hypertext Transfer Protocol (HTTP) on TCP port 80. Business transactions, vendor/client communications, membership information, user conversations, and even distributed business logic transactions can all occur using the basic connectivity of the Web. Chapter 2, "Online Vulnerabilities," examined the vulnerabilities of many web-based technologies. Here, we focus only on the protocols used to secure basic communications with a web server.

Hypertext Transfer Protocol over Secure Sockets Layer
Basic Web connectivity using HTTP occurs over TCP port 80, providing no security against interception of transacted data sent in clear text. An alternative to this involves the use of Secure Sockets Layer (SSL) transport protocols operating on TCP port 443, which creates an encrypted pipe through which HTTP traffic can be conducted securely. To differentiate a call to port 80 (http://servername/), HTTP over SSL calls on port 443 using HTTPS as the URL scheme (https://servername/). HTTPS was originally created by the Netscape Corporation and used a 40-bit RC4 stream encryption algorithm to establish a secured connection encapsulating data transferred between the client and web server; it also supports X.509 digital certificates, which let the client authenticate the server (and, optionally, let the server authenticate the client). Now, 128-bit symmetric keys are standard and have become the accepted level of secure connectivity for online banking and electronic commerce transactions. The 40-bit export ciphers and RC4 itself are now considered broken; a current HTTPS deployment uses TLS 1.2 or 1.3 with AES-GCM or ChaCha20-Poly1305 cipher suites.

EXAM ALERT An alternative to HTTPS is the Secure Hypertext Transfer Protocol (S-HTTP), developed to support connectivity for banking transactions and other secure Web communications. It was not adopted by the early web browser developers (for example, Netscape and Microsoft) and so remains far less common than the HTTPS standard. S-HTTP supports DES, 3DES, RC2, and RSA2 encryption, along with CHAP authentication. Unlike HTTPS, which encrypts the whole connection, S-HTTP protects individual messages.

Secure Sockets Layer
Secure Sockets Layer (SSL) protocol communications occur between the HTTP (application) and TCP (transport) layers of Internet communications. SSL establishes a stateful connection negotiated by a handshaking procedure between client and server. During this handshake, the client and server exchange the specifications for the cipher that will be used for that session, and the server's public key (from its X.509 certificate) is typically used to agree on a symmetric session key. It is this symmetric key whose strength is quoted as 40 or 128 bits; the asymmetric (RSA) key is used only during the handshake.

Transport Layer Security
Another encapsulation protocol, currently considered the successor to SSL transport, is the Transport Layer Security (TLS) protocol, based on Netscape's Secure Sockets Layer 3.0 (SSL3) transport protocol, which provided encryption using stronger encryption methods, such as the Data Encryption Standard (DES). TLS also provides confidentiality and data integrity. TLS has two layers of operation:

- TLS Record Protocol—This protocol allows the client and server to communicate using some form of encryption algorithm (or without encryption if desired for authentication only).
- TLS Handshake Protocol—This protocol allows the client and server to authenticate one another and exchange encryption keys to be used during the session.

NOTE SSL and TLS transport are similar, but not entirely interoperable. SSL 2.0 and 3.0 have since been prohibited (RFC 6176, RFC 7568) and TLS 1.0 and 1.1 deprecated (RFC 8996); TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446) are the versions to deploy.
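The two layers described above can be seen in the first message of every TLS session. The following is an added example, not code from the book or from any TLS library: it builds a ClientHello handshake message (RFC 5246 section 7.4.1.2) inside a record-layer header (RFC 5246 section 6.2.1), parses the two layers apart, and performs the server-side cipher-suite selection that decides whether "128-bit" means a modern AEAD suite or 1990s RC4. The client random and the server preference list are constructed values.

```python
"""Added example (not from the book): the two layers of TLS in bytes. A ClientHello
handshake message (RFC 5246 section 7.4.1.2) is carried inside a record-layer
header (RFC 5246 section 6.2.1); parse_client_hello() splits the two layers and
select_cipher_suite() shows the server-side choice that decides whether '128-bit'
means a modern AEAD suite or 1990s RC4. The client random is a constructed value."""
import struct

# Cipher suite code points from the IANA TLS registry
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003        # the 40-bit RC4 suite of early HTTPS
TLS_RSA_WITH_RC4_128_MD5 = 0x0004
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030

RECORD_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
TLS_1_2 = (3, 3)


def build_client_hello(cipher_suites, client_random, version=TLS_1_2):
    """Record layer (type, version, length) wrapping a handshake layer
    (type, 24-bit length) wrapping the ClientHello fields."""
    if len(client_random) != 32:
        raise ValueError("client random is 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes(version) + client_random
            + b"\x00"                                   # empty session ID
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                               # one compression method: null
            + b"\x00\x00")                              # no extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([RECORD_TYPE_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake))
    return record + handshake


def parse_client_hello(data):
    """Peel the record layer, then the handshake layer, then the ClientHello fields."""
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[:5])
    if ctype != RECORD_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record: type {ctype}")
    record_body = data[5:5 + rlen]
    if len(record_body) != rlen:
        raise ValueError("truncated record")
    htype = record_body[0]
    hlen = int.from_bytes(record_body[1:4], "big")
    if htype != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello: handshake type {htype}")
    body = record_body[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake")
    off = 0
    client_version = (body[off], body[off + 1])
    off += 2
    client_random = body[off:off + 32]
    off += 32
    sid_len = body[off]
    off += 1
    session_id = body[off:off + sid_len]
    off += sid_len
    suites_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + suites_len, 2)]
    return {"record_version": (vmaj, vmin), "client_version": client_version,
            "random": client_random, "session_id": session_id, "cipher_suites": suites}


# Server preference list (assumed policy): forward-secret AEAD suites first. RC4 and
# export suites are simply absent, so a client offering only those gets no session.
SERVER_PREFERENCE = [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_RSA_WITH_AES_128_CBC_SHA]


def select_cipher_suite(client_suites, server_preference=SERVER_PREFERENCE):
    """Server-preference selection: the first suite in the server's list that the client offered."""
    for suite in server_preference:
        if suite in client_suites:
            return suite
    return None


if __name__ == "__main__":
    hello = build_client_hello([TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_RC4_128_MD5,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], bytes(range(32)))
    parsed = parse_client_hello(hello)
    print("offered:", [hex(s) for s in parsed["cipher_suites"]])
    print("selected:", hex(select_cipher_suite(parsed["cipher_suites"])))
```

Returning None for a client that offers only RC4 or export suites is the behaviour you want from a server: a handshake_failure alert is better than a "secure" session keyed by 40 bits.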

Exam Prep Questions

1. Between which two layers of the OSI model does the Secure Sockets Layer (SSL) protocol function?
❍ A. Application layer
❍ B. Presentation layer
❍ C. Session layer
❍ D. Transport layer
❍ E. Network layer
❍ F. Data link layer
❍ G. Physical layer

2. Which of the following encryption protocols are used in Secure Shell connections? (Select all that apply.)
❍ A. International Data Encryption Algorithm
❍ B. Blowfish
❍ C. Rivest Cipher 4
❍ D. Data Encryption Standard
❍ E. Message Digest 5

3. Which of the following encryption methods are available when using Pretty Good Privacy? (Select all that apply.)
❍ A. International Data Encryption Algorithm
❍ B. Blowfish
❍ C. Diffie-Hellman
❍ D. Data Encryption Standard
❍ E. Rivest-Shamir-Adleman

4. In a RADIUS authentication scenario, which of the following systems would be considered the RADIUS client?
❍ A. The RADIUS server
❍ B. The RAS server
❍ C. The authentication server
❍ D. The dial-up client

5. Which of the Secure Shell utilities is used to establish a secured command-line connection to a remote server?
❍ A. rlogin
❍ B. slogin
❍ C. rsh
❍ D. ssh
❍ E. rcp
❍ F. scp

6. Which standard port will be used to establish a web connection using the 40-bit RC4 encryption protocol?
❍ A. 21
❍ B. 80
❍ C. 443
❍ D. 8250

7. When using RADIUS to authenticate a dial-in user, which of the following is the RADIUS client?
❍ A. The dial-in user's computer
❍ B. The RAS server
❍ C. The RADIUS server
❍ D. The client's Internet service provider
❍ E. The virtual private network

8. You have decided to use the Terminal Access Controller Access Control System (TACACS) standard for dial-up authentication. Which of the following capabilities will be provided by this service?
❍ A. User authentication
❍ B. Authorization
❍ C. Encrypted forwarding
❍ D. All of the above

9. At which layer of the OSI model does the Internet Protocol Security protocol function?
❍ A. Application layer
❍ B. Presentation layer
❍ C. Session layer
❍ D. Transport layer
❍ E. Network layer
❍ F. Data link layer
❍ G. Physical layer

10. Which of the following are possible dangers of using instant messaging clients? (Select all that apply.)
❍ A. Spam
❍ B. Hoaxes
❍ C. Viruses
❍ D. File sharing
❍ E. File execution

11. Which of the following are asymmetric encryption standards? (Choose two correct answers.)
❍ A. IDEA
❍ B. MD5
❍ C. RSA
❍ D. SHA
❍ E. Diffie-Hellman
❍ F. DES

Answers to Exam Prep Questions

1. A, D. SSL connections occur between the application and transport layers. Answers B and C are incorrect because the Secure Sockets Layer transport effectively fills the same role as these OSI model layers. Answers E, F, and G are incorrect because the data has been abstracted beyond the level at which SSL operates.

2. A, B, D. SSH connections can make use of the IDEA, Blowfish, and DES encryption methods. Answer C is incorrect because the RC4 protocol is used by the SSL protocol. Answer E is incorrect because the MD5 hashing algorithm is not used by Secure Shell connectivity.

3. C, E. PGP can make use of either the Diffie-Hellman or RSA public key encryption methods. Answers A, B, and D are incorrect because these protocols are not available within PGP. (Strictly, PGP does use IDEA and other symmetric ciphers to encrypt the message body; the question and its answer concern the public key schemes that protect the session key.)

4. B. The RAS server is considered the RADIUS client, authenticating dial-up connection requests against the RADIUS server. Answer A is incorrect because the RADIUS server does not directly provide the remote dial-up functionality of the RAS server. Answer C is incorrect because the RADIUS server provides the authentication response to the RAS server as its client. Answer D is incorrect because the dial-up client is a client of the RAS server, rather than of the RADIUS server.

5. B. The slogin SSH utility provides secured command-line connections to a remote server. Answers A, C, and E are incorrect because rlogin, rsh, and rcp do not use secured connections. Answer D is incorrect because the ssh utility is used to establish a secured environment link to a remote server, and answer F is incorrect because the scp utility is used for secure file copying.

6. C. A connection using the HTTP protocol over SSL (HTTPS) will be made using the RC4 cipher and will be made using port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8250 is not designated to a particular TCP/IP protocol.

7. B. The RAS server functions as the RADIUS client, authenticating dial-in user attempts against the RADIUS server. Answer A is incorrect because the dial-in user does not directly contact the RADIUS server. Answer C is incorrect because the RADIUS server would not be its own client. Answer D is incorrect because a client dialing in to an RAS server would not be connecting through a separate ISP. Answer E is incorrect because a VPN connection establishes a secured tunnel between two systems and is not involved in RADIUS authentication.

8. C. TACACS forwards logon information to an authentication server through an encrypted connection. Answer A is incorrect because TACACS cannot provide authentication by itself. Answer B is incorrect because the original TACACS protocol does not provide authorization support. Answer D is incorrect because the question specifies the original TACACS protocol, rather than the extended TACACS+ protocol that adds authentication and authorization to the earlier protocol's functionality.

9. E. IPsec validation and encryption function at the network layer of the OSI model. Answers A, B, C, and D are incorrect because IPsec functions at a lower level of the OSI model than these layers. Answers F and G are incorrect because the data link and physical layers sit below the level at which the IPsec standard operates.

10. A, B, C, D, and E. IM solutions have many potential security problems, including the receipt of spam and hoax messages, possible execution of files and viruses bypassing operating system protections, and possible exposure of file shares to public access.

11. C, E. The Diffie-Hellman and Rivest-Shamir-Adleman encryption standards specify public key (asymmetric) encryption methods. Answers A and F are incorrect because the Data Encryption Standard and International Data Encryption Algorithm standards specify private key (symmetric) encryption methods. Answers B and D are incorrect because the Message Digest 5 and Secure Hash Algorithm standards are hashing algorithms.

Suggested Reading and Resources
1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley, 2001.
2. SANS Information Security Reading Room: http://www.sans.org/reading_room/

PART IV
Assessments and Audits
Chapter 7 Intrusion Detection and Security Baselines
Chapter 8 Auditing


CHAPTER SEVEN
Intrusion Detection and Security Baselines

Terms you need to understand:
✓ Intrusion
✓ Misuse
✓ Knowledge-based detection
✓ Behavior-based IDS
✓ Network-based IDS
✓ Host-based IDS
✓ Honeypot
✓ Deflection
✓ Attack signature
✓ Countermeasures
✓ Baseline
✓ Hardening

Techniques you need to master:
✓ Understand the use of host-based and network-based IDS solutions and how they may be used together to secure a network.
✓ Understand the purpose behind establishing security baselines.
✓ Recognize common considerations in planning for operating system, network, and application hardening.

To secure a network, it is important to identify the normal operating parameters and be able to identify atypical variations from this baseline operational level. Intrusion detection requires a detailed understanding of all operational aspects of the network, along with a means to identify variations and bring these changes to the attention of the proper responsible parties. In this chapter, you examine several forms of intrusion-detection solutions and review the requirements for establishing reasonable baseline standards.

Intrusion Detection
An intrusion includes any unauthorized resource access attempt within a secured network. The first step toward minimizing the potential damage that may result from unauthorized access attempts is the detection and identification of an unauthorized intrusion. Although it is possible for human monitoring to identify real-time intrusion events within small, tightly controlled networks, it is more likely that a human administrator will monitor alerts and notifications generated by intrusion-detection systems (IDSs). These software and hardware agents monitor network traffic for patterns that may indicate an attempt at intrusion, called an attack signature, or may monitor server-side logs for improper activity or unauthorized access. The sections that follow examine some common mechanisms for intrusion detection.

EXAM ALERT Intrusion generally refers to unauthorized access by outside parties, whereas misuse is typically used to refer to unauthorized access by internal parties.

Both passive and active forms of IDS exist:

- A passive IDS solution is intended to detect an intrusion, log the event, and potentially raise some form of alert.
- An active IDS solution acts to terminate or deny an intrusion attempt by changing firewall or IPsec policy settings automatically before logging the event and raising an alert for human operators. An active IDS is now more commonly called an intrusion prevention system (IPS); because it acts without a human in the loop, a false positive blocks legitimate traffic, so its rules need tuning and an allow-list for critical systems.

Both active and passive IDSs must first identify an intrusion before altering the network configuration (in an active system), logging the event, and raising an alert.

Methods of Intrusion Detection
Intrusion detection may be managed by two basic methods: knowledge-based and behavior-based detection. Knowledge-based detection relies on the identification of known attack signatures and events that should never occur within a network. Behavior-based detection involves the use of established patterns of use and baseline operation to identify variations that may indicate unauthorized access attempts.

Knowledge-Based IDS
The most common form of IDS detection involves knowledge-based (also termed signature-based) identification of improper, unauthorized, or incorrect access and use of network resources. Details of individual network transactions can be identified by examining the transacted data packets (also called "sniffing" the packets). Figure 7.1 illustrates data evaluation using a human-readable packet-sniffing application. Knowledge-based IDSs may also monitor for patterns of access that have been established as never being appropriate within the monitored network. An example of this might include communications directed at common ports used by services such as FTP or web servers running on workstation systems. Because the signature identifies a known method of attack, detailed planning may be made beforehand for countering and recovering from the attack. Identification of known attack signatures allows for few false alarms; a known attack pattern is almost always a good sign of a danger to the network.

Knowledge-based IDS has several limitations, including the following:

- Knowledge-based IDS is closely tied to the technologies in use within a particular network. As new technologies are integrated, or evolutionary changes are made to the network environment, knowledge-based systems may be unable to provide support for all potential avenues of attack created by the changes.
- As new exploits are identified, it will take some time before an identified signature for the attack can be prepared and distributed. During this time, knowledge-based IDSs cannot identify attacks of the new type.
- Maintenance of the knowledge library to include newly identified signatures can become a complex and time-consuming task.
- Knowledge-based detection of internal misuse is difficult because most misuse involves an improper use of a normal form of access or privilege.

FIGURE 7.1 An example of packet-level identification of port and protocol access using the Ethereal (now Wireshark) packet sniffer. (Screen image not reproduced.)

Behavior-Based IDS

One of the most common methods to detect a compromised workstation involves a user noticing an unusual pattern of behavior, such as a continually operating hard drive or a significantly slowed level of performance. Behavior-based IDSs apply the same idea systematically: established patterns of use and baseline operation are recorded so that variations can be identified. Because this method detects anomalies, it is also called statistical anomaly detection. Highly secure environments might use complex patterns of behavior analysis, in some cases learning individual patterns of use common to each user profile.

Behavior-based IDSs provide the following advantages over knowledge-based IDSs:

- Better able to identify new forms of vulnerability. Through the detection of anomalies from normal patterns of operation, it becomes possible to identify new threats that may bypass knowledge-based IDSs.
- More flexible as network evolution occurs.
- Can be used to identify internal misuse by recognizing actions outside of normal access patterns, or authorized events occurring outside of normal profile usage, such as the access of protected files during off-hours.

Although more flexible than knowledge-based intrusion detection, behavior-based detection has several limitations, including the following:

- High incidence of false alarms. Because anything falling outside of the established behavior profile is considered a potential sign of attack, any action that varies from the norm may generate an alert. In systems that maintain detailed user access profiles, even a simple promotion within the business structure might require administrative action to update the use profile of the user involved.
- Behavior profiles must be regularly updated to include changes in technology, network configuration, and changes to business practices that may affect the normal order of operations.
- Because behavior profiles must be periodically updated, behavior-based intrusion detection might not identify threats during the update cycle and might even identify an ongoing attack pattern as part of the normal pattern of use, creating a potential area for later exploitation.

Intrusion-Detection Sources

Whether knowledge-based or behavior-based, intrusion detection relies on the ability to monitor activity, identify potential risks, and alert the appropriate responsible parties based on the security requirements mandated by business requirements. Monitoring might be performed on the network itself or on a host system.

Network-Based IDS

Network-based IDS (NIDS) solutions monitor all network traffic to identify signatures within the network packets that may indicate an attack, including the following:

- Port signatures: Used to identify traffic directed to ports of common services not running on the identified host, or to ports used by well-known exploits such as the Blade Runner and SubSeven Trojan horse services.
- Header signatures: Used to detect the presence of conflicting or inappropriate packet headers, such as the SYN packets that might indicate a flood attack.
- String signatures: Used to identify text strings that are used in common attacks, such as the code transmitted by Code Red infected systems.
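The two detection methods described above, as an added example (this is not code from the book): a small Python script runs a knowledge-based engine that applies port, header and string signatures of the kinds listed for NIDS, and a behavior-based engine that learns the hours at which each user normally touches the file server and flags anything outside that baseline. The event format, the host inventory, the users and the thresholds are constructed for the demonstration; the SubSeven default port 27374 and the shape of the Code Red request are real. Note what each engine catches and misses: the signature engine has nothing for alice's off-hours access (internal misuse), and the anomaly engine raises a false alarm on bob, who was just promoted and now legitimately works late.

```python
"""Knowledge-based (signature) and behavior-based (anomaly) detection side by side.

Added example, not code from the book. The event format, hosts, users and
thresholds are constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    hour: int        # hour of day the event was seen (0-23)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination TCP port
    flags: str       # TCP flags, "S" = SYN only
    payload: str     # first bytes of application data, "" if none
    user: str = ""   # authenticated user for file-server events, "" if none


# Constructed inventory: these hosts should never serve FTP (21) or HTTP (80).
WORKSTATIONS = {"10.0.0.5", "10.0.0.6"}
# Port signature: default listener port of the SubSeven Trojan horse.
TROJAN_PORTS = {27374: "SubSeven"}
# String signature: the Code Red propagation request (default.ida plus a long N/X run).
CODE_RED = re.compile(r"GET /default\.ida\?[NX]{20,}")
# Header signature: this many SYN-only packets from one source is treated as a flood.
SYN_FLOOD_THRESHOLD = 5


def knowledge_based(events):
    """Return (kind, subject, detail) alerts for port, header and string signatures."""
    alerts = []
    syn_count = Counter()
    for e in events:
        if e.dport in TROJAN_PORTS:
            alerts.append(("port", e.src, f"{TROJAN_PORTS[e.dport]} port {e.dport} on {e.dst}"))
        elif e.dst in WORKSTATIONS and e.dport in (21, 80):
            alerts.append(("port", e.src, f"service port {e.dport} on workstation {e.dst}"))
        if e.flags == "S":
            syn_count[e.src] += 1
            if syn_count[e.src] == SYN_FLOOD_THRESHOLD:   # alert once, not once per packet
                alerts.append(("header", e.src, "SYN flood threshold reached"))
        if CODE_RED.search(e.payload):
            alerts.append(("string", e.src, "Code Red propagation request"))
    return alerts


def build_profile(training):
    """Baseline: the hours at which each user is normally active."""
    hours = defaultdict(set)
    for e in training:
        if e.user:
            hours[e.user].add(e.hour)
    return hours


def behavior_based(profile, events):
    """Flag authenticated activity outside the learned hours for that user."""
    alerts = []
    for e in events:
        if e.user and e.hour not in profile.get(e.user, set()):
            alerts.append(("anomaly", e.user, f"file access at hour {e.hour} is outside baseline"))
    return alerts


# Constructed baseline period: alice and bob both work 09:00-17:00.
SAMPLE_TRAINING = [Event(h, "10.0.0.5", "10.0.0.10", 445, "PA", "", "alice") for h in range(9, 18)]
SAMPLE_TRAINING += [Event(h, "10.0.0.6", "10.0.0.10", 445, "PA", "", "bob") for h in range(9, 18)]

# Constructed monitored traffic.
SAMPLE_EVENTS = [
    Event(3, "10.0.0.5", "10.0.0.10", 445, "PA", "", "alice"),    # protected files at 03:00
    Event(20, "10.0.0.6", "10.0.0.10", 445, "PA", "", "bob"),     # bob was promoted, now works late
    Event(10, "10.0.0.99", "10.0.0.6", 27374, "S", ""),           # probe for a SubSeven listener
    Event(10, "10.0.0.99", "10.0.0.5", 80, "S", ""),              # HTTP aimed at a workstation
    Event(11, "10.0.0.99", "10.0.0.20", 80, "PA",
          "GET /default.ida?" + "N" * 200 + "%u9090%u6858"),      # Code Red propagation
]
SAMPLE_EVENTS += [Event(12, "10.0.0.77", "10.0.0.20", 80, "S", "") for _ in range(6)]  # SYN flood


def run_demo():
    """Run both engines over the constructed traffic; returns (signature_alerts, anomaly_alerts)."""
    kb = knowledge_based(SAMPLE_EVENTS)
    bb = behavior_based(build_profile(SAMPLE_TRAINING), SAMPLE_EVENTS)
    return kb, bb


if __name__ == "__main__":
    signature_alerts, anomaly_alerts = run_demo()
    for alert in signature_alerts + anomaly_alerts:
        print(alert)
```

The SYN-flood rule alerts exactly once when the threshold is reached rather than on every packet, which is the same thresholding idea the book credits HIDS with for keeping false positives low. The anomaly engine's profile is learned from a baseline period; if an attack were under way during that period it would be learned as normal, which is why the book insists on monitoring during baselining.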

IDS systems placed outside of a firewall or within a demilitarized zone (DMZ) can also identify patterns of failed attempts and successful intrusions. NIDS solutions are designed to catch attacks in progress within the network, not just on individual machines or at the boundary between private and public networks. Table 7.1 details some of the strengths and weaknesses of NIDS solutions.

TIP
During normal operation, a network interface card (NIC) will register packets directed to its address only. To capture raw packets directed at any host within a network, it is necessary to have a NIC and network driver that support promiscuous mode. On a switched network, promiscuous mode alone is not enough, because the switch delivers each frame only to the port of its destination; the sensor must also be attached to a point that sees the traffic, such as a mirror (SPAN) port or a network tap.

TABLE 7.1 Strengths and Weaknesses of NIDS Solutions

Strengths:

- Low cost of ownership: Because a single NIDS system can be used to monitor traffic passing through the entire network, the number of systems required remains small, while providing network coverage.
- Pre-host detection: NIDS solutions can be used to detect attacks that cannot be easily identified by the host, such as denial-of-service (DoS) attacks that target the host's ability to connect to a network.
- Real-time detection: NIDS solutions analyze network traffic as it occurs, allowing alerts to be generated while the attack is underway. This also makes it harder for attackers to cover their tracks, because network monitoring can capture not only the packets detailing the access attempt, but also those that detail attackers' attempts to remove evidence of the attack.
- Environment independent: Because NIDS solutions analyze raw data packets, they are more adaptable to a wide variety of network and technology configurations.

Weaknesses:

- Encrypted transit: Because many forms of network connectivity occur over encrypted communications, NIDS solutions may not be able to identify intrusion attempts hidden by the encryption.
- Nonstandard endpoint use: Many applications can make use of commonly open ports to transfer alternative protocol traffic. Peer-to-peer networking clients commonly use this technique to bypass firewall restrictions. NIDS examination of packets based on port routing can produce false negatives in this case.

- Locally blind: Intrusion attempts initiated from another service on the same network host never pass through the network and so can remain undetected by NIDS solutions. Viral contagions spreading across multiple file shares on the same file server might be an example of this type of transaction.

TIP
A specialized form of network intrusion detection is identified as the application protocol-based intrusion-detection system (APIDS). The APIDS examines traffic between service endpoints to ensure protocol traffic occurs correctly, based on learned or established allowable use. This solution typically monitors middleware transactions, such as those between a database and a web user application.

When deploying a NIDS, you must decide how many sensors you need and where to place them. Evaluate the organization's business model and determine the importance of each server. Sensor placement should then be based on this determination. When planning, you should consider the priority of each sensor and deploy accordingly within your budgetary or bandwidth constraints. If a sensor is placed before the firewall, it tends to generate a lot of useless events that will have to be sorted through, because it sees every probe the firewall would have dropped anyway.

Host-Based IDS

Users often bring in outside devices that can easily affect the environment; many times, this is the port of entry for malware. In addition, one of the greatest threats to an organization is from trusted insiders. A host intrusion-detection system (HIDS) can help as a line of defense against this type of threat. HIDS solutions involve processes running on a host and monitoring event and application logs, port access, and other running processes to identify signatures or behaviors that indicate an attack or unauthorized access attempt. Some HIDS solutions involve the deployment of individual client applications on each host, which relay their findings to a central IDS server responsible for compiling the data to identify distributed trends. Table 7.2 details some of the strengths and weaknesses of HIDS solutions.

Within large switched networks, NIDS solutions may be inadvertently or purposefully bypassed by using a secondary access route; host-based monitoring sees the activity regardless of the path by which it arrived.

TABLE 7.2 Strengths and Weaknesses of HIDS

Strengths:

- Low number of false positives: Because HIDS solutions analyze logged events, both success and failure events may be monitored and alerts generated only after a proper threshold has been achieved.
- Auditing change monitoring: HIDS solutions can monitor individual processes on each host, including changes to the auditing process itself.
- Non-network attack detection: HIDS solutions are not limited to a particular communications path for detection, including access from the keyboard.
- Encrypted communication monitoring: Some attacks make use of encrypted or encapsulated data communications, bypassing the NIDS. Because host-based detection examines data after the host has received and processed it, such attacks can still be identified on the host.
- Cost savings by directed monitoring: Unlike NIDS systems, which must monitor all data traffic across the monitored network, host-based solutions require no additional hardware and may be deployed on just those systems that require intrusion detection.
- Single-point monitoring: HIDS solutions can be used to monitor events on standalone systems.

Weaknesses:

- Witness after the fact: Host-based intrusion detection occurs after data is received and processed by the target host. In the event of a buffer overflow or other type of injected attack, processing of the attack has already occurred before application processing of the input begins.
- Vulnerable logging: Successful compromise of a targeted system can allow attackers to remove intrusion logs stored on the same system, or to block alerting attempts by HIDS applications hosted on the compromised system.
- Resource impact: HIDS technologies rely on the same resources they are monitoring. During resource-intensive attacks such as a DoS attempt, HIDS solutions can amplify the attack's effects by generating additional resource consumption for each access attempt, in effect doubling the impact on system availability.
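Two rows of Table 7.2 in working form, as an added example (not code from the book): the "low number of false positives" strength, where a host agent raises one alert when failed logons for a user and source reach a threshold rather than one per failure, and the "vulnerable logging" weakness, countered by hash-chaining the host log and relaying the chain tail to the central IDS server the book describes. The audit records are constructed; they borrow the Windows logon event IDs 4624 (success) and 4625 (failure) only as familiar labels, and the chain seed and record format are assumptions for the demo.

```python
"""HIDS-style log review with threshold alerting, plus a tamper-evident log chain.

Added example, not code from the book. The audit records below are constructed;
they borrow the Windows logon event IDs 4624 (success) and 4625 (failure) only as
familiar labels.
"""
import hashlib
from collections import Counter

FAILURE_THRESHOLD = 3

# Constructed host audit records: "<event_id> <outcome> <user> <source_address>"
SAMPLE_LOG = [
    "4624 SUCCESS alice 192.168.1.50",
    "4625 FAILURE bob 10.0.0.99",
    "4625 FAILURE bob 10.0.0.99",
    "4625 FAILURE bob 10.0.0.99",
    "4624 SUCCESS bob 10.0.0.99",
    "4625 FAILURE carol 192.168.1.51",
]


def failed_logon_alerts(lines, threshold=FAILURE_THRESHOLD):
    """One alert per (user, source) when failures reach the threshold, not one per failure."""
    failures = Counter()
    alerts = []
    for line in lines:
        _event_id, outcome, user, source = line.split()
        if outcome == "FAILURE":
            failures[(user, source)] += 1
            if failures[(user, source)] == threshold:
                alerts.append(f"{threshold} failed logons for {user} from {source}")
    return alerts


def chain_log(lines, seed="constructed-seed"):
    """Hash-chain the records: each digest covers the previous digest and the record."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append((line, prev))
    return chained


def verify_chain(chained, seed="constructed-seed"):
    """Index of the first record whose digest does not fit the chain, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(chained):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if prev != digest:
            return i
    return -1


def tail_matches_forwarded(chained, forwarded_tail):
    """Compare the local chain tail with the digest the central IDS server received."""
    return bool(chained) and chained[-1][1] == forwarded_tail


def run_demo():
    """Returns (alerts, index_of_deleted_record, scrubbed_log_passes_both_checks)."""
    alerts = failed_logon_alerts(SAMPLE_LOG)
    chained = chain_log(SAMPLE_LOG)
    forwarded_tail = chained[-1][1]          # relayed to the central server as it was written
    # Attacker with local admin deletes one failure record in place: chain breaks there.
    deleted_one = chained[:1] + chained[2:]
    # Attacker scrubs every failure and rebuilds the chain so it verifies locally.
    rechained = chain_log([rec for rec in SAMPLE_LOG if "FAILURE" not in rec])
    locally_valid = verify_chain(rechained) == -1
    return alerts, verify_chain(deleted_one), locally_valid and tail_matches_forwarded(rechained, forwarded_tail)


if __name__ == "__main__":
    print(run_demo())
```

The second tampering case is the important one: an attacker who owns the host can recompute the whole chain, so local verification alone proves nothing. Only the copy of the tail digest that already left the host (the relay to the central IDS server) exposes the rewrite, which is why logs and alert state should be shipped off the monitored system as they are produced.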

EXAM ALERT
The exam may present two different acronyms in intrusion-detection questions: NIDS and NIPS. A network intrusion-detection system (NIDS) examines data traffic to identify unauthorized access attempts and generates alerts. A network intrusion-prevention system (NIPS) is intended to provide direct protection against identified attacks. A NIPS solution might be configured, for example, to automatically drop connections from a range of IP addresses during a DoS attack. False positives could create problems for legitimate users in such a scenario, however, because the system blocks rather than merely reports.

To plan the use of intrusion-detection systems for infrastructure protection, you need to be aware that the cost of implementation can depend on the size of your network and the number of individual computers to be monitored. In addition, the systems will require signature updates, and sometimes the system might incorrectly flag legitimate requests as security breaches or fail to detect something it should. These types of errors can be categorized as follows:

- False positive error: Occurs when the intrusion-detection system detects a legitimate action as a possible intrusion.
- False negative error: Occurs when the intrusion-detection system allows an intrusive action to pass as nonintrusive behavior.
- Subversion error: Occurs when the intrusion-detection system is modified by an intruder to cause false negatives, or when the system is fooled over time by an intruder executing small individual steps that by themselves don't mean much, but when combined amount to an attack.

In most network deployment scenarios, a layered approach is required to provide protection against all forms of attack. User training, HIDS and NIDS solutions, and the hardening of services and systems to exclude known vulnerabilities will together form a unified solution to many developing security requirements.

Honeypots and Honeynets

Honeypots are systems configured to simulate one or more services within an organization's network and left exposed to network access. Honeypots are often used to identify the level of aggressive attention directed at a network and to study and learn from an attacker's common methods of attack. When attackers access a honeypot system, their activities are logged and monitored by other processes, so that the attacker's actions and methods may be later reviewed in detail, while the honeypot distracts the attacker from valid network resources.

Honeypots might be simple targets exposed for identification of vulnerability exposure, or might interact with the attacker to extend access time and allow tracking and logging of an attacker's activities to build better attack profile data. Honeynets are collections of honeypot systems interconnected to create functional-appearing networks that may be used to study an attacker's behavior within the network. Honeynets make use of specialized software agents to create normal-seeming network traffic. Honeynets and honeypots may be used to distract attackers from valid network content, to study the attacker's methods, and to provide early warning of attack attempts that may later be waged against the more secured portions of the network.

Padded cells take a different approach. Instead of trying to attract attackers with tempting data, when an IDS detects an attacker, the attacker may be transparently transferred to a padded cell host. This is a seamless transfer to a simulated environment, where harm cannot be done, allowing attackers to assume they have been successful while preventing access to secured resources.

Incident Handling

When IDS solutions alert responsible parties to a successful or ongoing attack attempt, it is important to have previously established, documented plans for incident response. Several forms of response can be derived from analysis and identification of attack attempts, including the following:

- Deflection: Redirecting or misdirecting an attacker to secured, segmented areas. Honeypots, padded cells and honeynets are examples of deflection solutions.
- Countermeasures: Intrusion-countermeasure equipment (ICE) may be used in some scenarios to provide automatic response in the event of intrusion detection. ICE agents may automatically lock down a network or increase access security to critical resources in the event of an alert.
- Detection: After identification of an attack, forensic analysis of affected systems can yield information that identifies the attacker. This information may then be used to direct the attention of the proper authorities to the source of the attack.

- Analysis: Collection and analysis of log files allows the identification of the type and methods of attack used and may provide details useful in identifying the attacker for law enforcement. Later analysis of successful intrusions should be used to harden systems against later attempts that use the same methodology. Planning should include access restrictions and attempts to make the network appear less desirable to potential attackers.

Security Baselines

To identify atypical behavior, you must first identify what constitutes typical behavior of both network and application processes. The measure of normal activity is known as a baseline. Security monitoring during baselining is important because an ongoing attack during the baselining process could be registered as the normal level of activity. Baselines must be regularly updated as networks and deployed technology change.

Vulnerability Assessment

Metrics for security baselines and hardening efforts rely on identification of vulnerability and risk within the extended network enterprise. It is necessary to have some mechanism for measuring vulnerability to determine whether a baseline has been met or if a new security measure has been effective. The sections that follow examine mechanisms for identifying vulnerabilities and hardening vulnerable systems revealed during this process.

Dealing with Risk

An enterprise relies on the identification of key assets and resources, enumeration of the risk factors associated with each, and the requirements for each, beyond those developed by regulatory bodies outside of the business entity. Before any baseline can be established, a risk assessment must be conducted to identify existing risks and potential mitigation mechanisms. A risk, once identified, can be dealt with in several ways:

- Accepted: Some risks cannot be addressed within a reasonable time or cost constraint and may be accepted, along with proper documentation as to the reasons why the risk is acceptable.

- Transferred: A risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy.
- Mitigated: Most risks fall into this response area, where the application of additional effort may reduce the risk to a level documented as acceptable.
- Eliminated: Some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of "war dialing" attacks can be eliminated by removing legacy dial-up telephony modem devices.

Identifying Vulnerability

Many risks to enterprise networks relate to vulnerabilities present in system and service configurations and to network and user logon weaknesses. For the exam, you should be familiar with some of the more common tools used to conduct vulnerability assessments, including the following:

- Port scanners: This software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. A response on port 80, for example, may reveal the operation of an HTTP host. Port scanners are useful in creating an inventory of services hosted on networked systems. When applied to test ports on a single system, this is termed a port scan, whereas a scan across multiple hosts is referred to as a port sweep.
- Vulnerability scanners: This software utility will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability.
- Protocol analyzers: This software utility, often referred to as a packet sniffer, is used on a hub, on a switch supervisory (mirror) port, or in line with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility.
- Network mappers: Another software utility used to conduct network assessments over a range of IP addresses, the network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. This information can be used to identify simple points of failure, to conduct a network inventory, and to create graphical details suitable for reporting on network configurations.
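The difference between a port scan, a port sweep and a vulnerability scanner's version check, as an added example (not code from the book, and not the behaviour of any particular commercial scanner): the script starts two fake services on the loopback interface that announce themselves with a banner, scans one host for three ports (one of which is deliberately closed), sweeps the same probe across a host list, and then matches the banners it collected against a constructed table of known-vulnerable versions. The service names, banners and the vulnerable-version table are all made up for the demonstration.

```python
"""Port scan, port sweep and a banner-based version check against local fake services.

Added example, not code from the book. The two "services" are fake listeners started
on loopback by the script itself, and the vulnerable-version table is constructed.
"""
import socket
import threading

# Constructed stand-in for a vulnerability scanner's version database.
VULNERABLE_BANNERS = {
    b"220 exampleftpd 1.0": "exampleftpd 1.0 is flagged as vulnerable (constructed entry)",
}


def start_fake_service(banner):
    """Listen on 127.0.0.1 on a free port and send `banner` to each client; returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by run_demo()
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_closed_port():
    """Pick a port that is (almost certainly) closed: bind, read it back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def port_scan(host, ports, timeout=0.5):
    """Port scan of ONE host: {port: banner_bytes} for every port that accepted a connection."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))         # closed port: connection refused -> OSError
            try:
                banner = s.recv(128)        # many services announce themselves on connect
            except socket.timeout:
                banner = b""                # open, but silent until spoken to
            found[port] = banner
        except OSError:
            pass
        finally:
            s.close()
    return found


def port_sweep(hosts, ports):
    """The same probe across MANY hosts: {host: port_scan(host)}."""
    return {host: port_scan(host, ports) for host in hosts}


def vulnerability_check(scan_result):
    """Go beyond 'is it open': match service banners against known vulnerable versions."""
    return [(port, VULNERABLE_BANNERS[b.strip()]) for port, b in scan_result.items()
            if b.strip() in VULNERABLE_BANNERS]


def run_demo():
    """Returns (open_ports, closed_port, findings) from scanning the loopback host."""
    ftp_port, ftp = start_fake_service(b"220 exampleftpd 1.0\r\n")
    web_port, web = start_fake_service(b"HTTP/1.0 200 OK\r\nServer: examplehttpd/2.3\r\n\r\n")
    closed = free_closed_port()
    try:
        sweep = port_sweep(["127.0.0.1"], sorted([ftp_port, web_port, closed]))
        result = sweep["127.0.0.1"]
        return sorted(result), closed, vulnerability_check(result)
    finally:
        ftp.close()
        web.close()


if __name__ == "__main__":
    print(run_demo())
```

A full TCP connect to every port is noisy and is exactly what a NIDS port signature or a firewall log will record, which is the point the book's CAUTION on amateur pen tests makes: run this only against hosts you are authorised to scan. The version check also shows the limit of banner matching: a banner can be edited or removed, so a real vulnerability scanner combines it with authenticated checks of the installed patch level.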

- Password crackers: This software utility allows direct testing of user logon password strength by conducting a brute-force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Password crackers should provide only the relative strength of a password, rather than the password itself, to avoid weakening logon responsibility under evidentiary discovery actions.

NOTE
Within U.S. governmental agencies, vulnerability may be discussed using the Open Vulnerability and Assessment Language (OVAL), sponsored by the Department of Homeland Security's National Cyber Security Division (NCSD). OVAL is intended as an international language for representing vulnerability information using an XML schema for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository.

Penetration Testing

In some cases, vulnerability assessments may be complemented by directed efforts to exploit vulnerabilities in an attempt to gain access to networked resources. Such attacks are referred to as penetration tests, or simply pen tests. These are, in essence, "friendly" attacks against a network to test the security measures put into place. Some tools use passive OS fingerprinting. A passive attack attempts to passively monitor data being sent between two parties and does not insert data into the data stream.

CAUTION
Some systems administrators may perform amateur pen tests against networks in an attempt to prove a particular vulnerability exists or to evaluate the overall security exposure of a network. This is a bad practice because it generates false intrusion data, may weaken the network's security level, may be a violation of privacy laws, and may cause some disruption to network operations as a result of the actual penetration efforts conducted. Penetration tests can also mask legitimate attacks by generating false data in IDS systems, concealing aggression that is otherwise unrelated to the officially sanctioned penetration test.
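The password-cracker rule above, reporting relative strength and never the recovered password, as an added example (not code from the book or any real cracking tool): a dictionary attack with simple case and suffix mangling is run against stored hashes and reports only WEAK or NOT_FOUND together with the number of guesses needed, alongside the complexity check that would be applied when a password is set. The account table, wordlist and mangling rules are constructed, and the salted SHA-256 storage format is an assumption made for the demo; a real system should store passwords with a deliberately slow key-derivation function such as bcrypt or PBKDF2.

```python
"""Password-strength audit that reports relative strength, never the password.

Added example, not code from the book. The account table, wordlist and mangling
rules are constructed; the salted SHA-256 storage format is an assumption made for
the demo (a real system should use a deliberately slow KDF such as bcrypt or PBKDF2).
"""
import hashlib
import hmac
import os
import string

WORDLIST = ["password", "welcome", "summer", "letmein", "dragon"]   # constructed
SUFFIXES = ["", "1", "123", "!", "2009"]                            # common mangling rules


def candidates():
    """Dictionary terms with case and suffix mangling, in the order a cracker would try them."""
    for word in WORDLIST:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix


def store(password, salt=None):
    """Constructed storage format: (salt, hex SHA-256 of salt || password)."""
    salt = salt or os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def audit(salt, stored_hash, budget=10_000):
    """Try up to `budget` guesses; report only WEAK/NOT_FOUND and the guess count."""
    tried = 0
    for guess in candidates():
        if tried >= budget:
            break
        tried += 1
        digest = hashlib.sha256(salt + guess.encode()).hexdigest()
        if hmac.compare_digest(digest, stored_hash):
            return {"result": "WEAK", "guesses": tried}     # the guess itself is not returned
    return {"result": "NOT_FOUND", "guesses": tried}


def meets_policy(password, min_len=12):
    """Complexity guideline applied when a password is set: length plus three character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    return len(password) >= min_len and sum(classes) >= 3


# Constructed accounts; fixed salts keep the demo deterministic.
ACCOUNTS = {
    "bob": store("Welcome123", salt=b"\x00" * 8),
    "alice": store("kettle-orbit-grand-7!", salt=b"\x01" * 8),
}


def run_demo():
    """Audit every account; returns {user: audit result}."""
    return {user: audit(salt, h) for user, (salt, h) in ACCOUNTS.items()}


if __name__ == "__main__":
    for user, verdict in run_demo().items():
        print(user, verdict)
```

The guess count is the useful metric for an administrator: "found on guess 23" tells the user's manager the password fell to a trivial rule without anyone on the audit team learning what it was. The per-account budget bounds the run time and, on a real system, the load the audit places on the authentication service.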

Hardening

When establishing operational baselines, it is important to harden all technologies against as many possible avenues of attack as possible. Many automated attacks make use of common vulnerabilities, often ones for which patches and hotfixes are already available but not yet applied. Failure to update applications on a regular basis or to update auditing can result in an unsecure solution that provides an attacker access to additional resources throughout an organization's network. The three basic areas of hardening are as follows:

- Operating system: Security of the operating system, including domain architecture and user logon access planning.
- Network: Security of the network through hardware implementations such as firewall and NAT devices, and logical security involving access control over distributed resources.
- Application: Security of applications and services such as domain name system (DNS), Dynamic Host Configuration Protocol (DHCP), and web servers, and of user client-side applications and integration suites.

The following sections describe each area of hardening in greater detail.

Operating System Hardening

Hardening of the operating system includes planning against both accidental and directed attacks, such as the use of fault-tolerant hardware and software solutions. It is also imperative to include regular update reviews for all deployed operating systems, to address newly identified exploits and apply security patches, hotfixes, and service packs. IP Security (IPsec) and public key infrastructure (PKI) implementations must also be properly configured and updated to maintain key and ticket stores.

In addition, it is important to implement an effective system for file-level security, including encrypted file support and secured file system selection that allows the proper level of access control. For example, the Microsoft New Technology File System (NTFS) allows file-level access control, whereas most File Allocation Table (FAT)-based file systems allow only share-level access control. Some systems may be hardened to include specific levels of access, gaining the C2 security rating required by many government deployment scenarios. (As mentioned in Chapter 5, "Access Control and Authentication Basics," the Trusted Computer System Evaluation Criteria (TCSEC) rating of C2 indicates a discretionary access control environment with additional requirements such as individual logon accounts and access logging.)

Operating system hardening also includes configuring log files and auditing, changing default administrator account names and default passwords, and the institution of account lockout and password policies to guarantee strong passwords that can resist brute-force attacks. File-level security and access control mechanisms serve to isolate access attempts within the operating system environment. Make sure to understand the principle of least privilege addressed in Chapter 5.

Network Hardening

Network hardening involves access restrictions to network shares and services, updates to security hardware and software, and disabling unnecessary protocol support and services. In homogenous networks, it might be possible to terminate support for AppleTalk, IPX/SPX, or other forms of unused network communications protocols. Firewall and Network Address Translation (NAT) software and hardware solutions will provide the first layer of defense against unauthorized access attempts. As with operating system hardening, default configurations and passwords must be changed in network hardware such as routers and managed network devices. Routing hardware must also be maintained in a current state by regularly reviewing applied firmware updates and applying those that are required for the network configuration and hardware solutions in use. Ensuring updates to system firmware also helps to address emergent hardware-related vulnerabilities.

Mapping avenues of access is critical in hardening a network. This process is a part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection. Wireless networks also create significant avenues for unsecure access to a secured network. A user who configures a PC card on his workstation to allow synchronization of an 802.11-compliant wireless PDA may have inadvertently bypassed all security surrounding an organization's network.

NOTE
A popular pastime for potential attackers is war driving, which refers to driving around with a Wi-Fi device configured in promiscuous (monitor) mode to identify open wireless access points in public areas or target locations.

If a centralized access control system is used, such as those found in Windows and Novell networks, resource access and restrictions may be assigned to groups, and users granted membership to those groups. Access control may be accomplished at the operating system or application level. By properly configuring access control lists, resource access may be granted to authorized parties while also limiting potential avenues of unauthorized access. Network hardening practices also include configuring network devices and firewalls to exclude unsecure protocols, such as raw Telnet sessions that transfer logon and session details in plain-text format.

Application Hardening

Each application and service that may be installed within a network must also be considered when planning security for an organization. Applications must be maintained in an updated state through the regular review of hotfixes, patches, and service packs. Many applications, such as antivirus software, require regular updates to provide protection against newly emerging threats. Default application administration accounts, standard passwords, and common services installed by default should also be reviewed and changed or disabled as required.

Web Services

Access restrictions to Internet and intranet web services may be required to ensure proper authentication for nonpublic sites, while anonymous access may be required for other pages. User authentication is also of key importance, with many sites including a requirement for regular renewal of Secure Sockets Layer (SSL) certificates for secured communications. Regular log review is critical for web servers. Many web servers may also be integrated with security add-ins provided to restrict those URLs that may be meaningfully submitted, filtering out any that do not meet the defined criteria, to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Microsoft's URLScan for the Internet Information Services (IIS) web service is one such filtering add-in.

Email Services

Email servers require network access to transfer Simple Mail Transfer Protocol (SMTP) traffic. Email servers may require transport through firewall solutions to allow remote Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) access, or may require integration with VPN solutions to provide secure connections for remote users. Email is often used to transport executable agents, including Trojan horses and other forms of viral software, especially when email and calendaring solutions allow delegated review and manipulation. Inadequate hardware may be attacked through mail bombs and other types of attack meant to overwhelm the server's ability to transact mail messages.
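The URL-filtering idea described under Web Services, as an added example (not code from the book, and not URLScan's own rule set): a check run in front of the web application that rejects disallowed methods, double-encoded URLs, non-printable characters, over-long paths and query strings, directory traversal, and requests for extensions the server should never serve. The checks run on the percent-decoded URL, so encoded variants of a denied pattern do not slip past. The limits, the denied-extension list and the sample requests are constructed for the demonstration; the third sample has the shape of the Code Red request the book mentions, and it is rejected because of its ".ida" target rather than by a worm-specific signature.

```python
"""URL filtering in front of a web application, in the spirit of the URLScan add-in.

Added example, not code from the book and not URLScan's own rule set. The limits,
the denied extensions and the sample requests are constructed for the demonstration.
"""
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
DENY_EXTENSIONS = {".ida", ".idq", ".exe", ".dll", ".bat", ".cmd"}
MAX_PATH_LEN = 260        # limits chosen for the example
MAX_QUERY_LEN = 2048


def check_request(method, raw_url):
    """Return (allowed, reason). Checks run on the percent-decoded URL so that
    encoded variants of a denied pattern cannot slip past the filter."""
    if method.upper() not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    decoded = unquote(raw_url)
    if "%" in decoded and unquote(decoded) != decoded:      # decoding again changes it
        return False, "double-encoded URL"
    if any(ord(c) < 32 or ord(c) > 126 for c in decoded):
        return False, "non-printable or high-bit character"
    path, _, query = decoded.partition("?")
    if len(path) > MAX_PATH_LEN:
        return False, "path too long"
    if len(query) > MAX_QUERY_LEN:
        return False, "query string too long"
    if "\\" in path or ".." in path.split("/"):
        return False, "directory traversal"
    last = path.rsplit("/", 1)[-1]
    ext = "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext in DENY_EXTENSIONS:
        return False, f"extension {ext} is not served"
    return True, "ok"


# Constructed sample requests as a filter in front of the web server would see them.
SAMPLE_REQUESTS = [
    ("GET", "/index.html"),
    ("POST", "/app/login?user=alice"),
    ("GET", "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3"),           # Code Red shape
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),         # double-encoded traversal
    ("GET", "/scripts/../../winnt/system32/cmd.exe"),                    # plain traversal
    ("GET", "/images/logo.gif%00.exe"),                                  # embedded NUL byte
    ("TRACE", "/"),
]


def run_demo():
    """Returns {raw_url: (allowed, reason)} for the sample requests."""
    return {url: check_request(method, url) for method, url in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, verdict in run_demo().items():
        print(verdict, url)
```

Ordering matters: decode first, then test for a second layer of encoding, then inspect the decoded path. A filter that compares the raw URL against ".." or ".ida" is bypassed by "%2e%2e" or "%2eida", and a filter that decodes repeatedly until nothing changes will happily accept whatever the web server itself would never decode.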

Heavily loaded servers may be attacked to perform a DoS, while also consuming network bandwidth and server processing resources. Email service hardening also includes preventing SMTP relay from being used by spammers, and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments.

FTP Services

File Transfer Protocol (FTP) servers are used to provide file upload and download to users, whether through anonymous or authenticated connection. Because of limitations in the protocol, the logon and password details are passed in clear text and may be subject to interception by packet sniffing, unless an encapsulation scheme is used between the client and host systems. Unauthorized parties may also use FTP servers that allow anonymous access to share files of questionable or undesirable content. Access control through proper restriction of file and share permissions is necessary, coupled with access auditing and user authentication schemes to ensure proper access.

DNS Services

DNS servers responsible for name resolution may be subject to many forms of attack, including attempts at DoS attacks intended to prevent proper name resolution for key corporate holdings. Planning to harden DNS server solutions should include redundant hardware and software solutions and regular backups to protect against loss of name registrations. Unauthorized zone transfers should also be restricted: an attacker who can pull a full zone transfer obtains a complete map of the organization's named hosts. Technologies that allow dynamic updates must also include access control and authentication to ensure that registrations are valid, because unauthenticated updates allow an attacker to insert false records (DNS poisoning).

NNTP Services

Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations and risks as email servers. Access control for newsgroups may be somewhat more complex, with moderated groups allowing public anonymous submission (and authenticated access required for post approval), and detailed user account information in public newsgroup posting stores like those of the AOL and MSN communities may be exploited in many ways.

File and Print Services

User file-storage solutions often come under attack when unauthorized access attempts provide avenues for manipulation. Files may be corrupted, modified, deleted, or manipulated in many other ways. Network file shares are not secure until you remove default access permissions.

such as DNS servers. Hardening efforts must also address security of the storage and backup of storage area networks (SANs). and database stores. Data Repositories Data repositories of any type might require specialized security considerations. Role-based access control may be used to improve security. DHCP Services Dynamic Host Configuration Protocol (DHCP) servers share many of the same security problems associated with other network services. email. attackers may also configure their own DHCP servers within a subnet. taking control of the network settings of clients and obtaining leases from these rogue servers. Planning for DHCP security must include regular review of networks for unauthorized DHCP servers. based on the bandwidth and processing resources required to prevent DoS attacks. and the elimination of unneeded connection libraries and character sets may help to alleviate common exploits. including possible security breaches in the event that unauthorized parties access cached print jobs. removal of default password and administration accounts such as the SQL default sa account and security of replication traffic to prevent exposure of access credentials to packet sniffing. or any other manner of printed materials. Scope address pools may also be overcome if lease duration is insufficient. . Security planning for these solutions may also include placing user access authenticating servers close to the file servers to decrease delays created by authentication traffic. This can be worsened by the use of DHCP proxy systems relaying lease requests from widely deployed subnets. and directory services such as Microsoft Active Directory and Novell eDirectory. and network-connected printers require authentication of access to prevent attackers from generating printed memos. Take care to include data repositories beyond the obvious file. network access server (NAS) configurations. 
and data stores within secured and partially secured zones such as an organization’s DMZ may require the use of secured VPN connections or the establishment of highly secured bastion hosts. DoS attacks may be used to disrupt normal methods of business. Print servers also pose several risks. invoices. and short lease duration may increase request traffic. DHCP servers may be overwhelmed by lease requests if bandwidth and processing resources are insufficient.210 Chapter 7: Intrusion Detection and Security Baselines Distributed file system and encrypted file system solutions may require bandwidth planning and proper user authentication to allow even basic access. Placement of authentication. name resolution. If the operating system in use does not support DHCP server authentication.
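The regular review for unauthorized DHCP servers called for above can be automated by inspecting captured DHCP OFFER messages for the server identifier option (option 54) and comparing it with the servers that are supposed to exist on the network. The following Python script is an added example, not code from the book: the captured messages and the authorized server address are constructed here for illustration, and the `build_offer` helper exists only to produce that sample input.

```python
"""Flag DHCP OFFERs that come from servers not on the authorized list.

Added example (not from the book). Assumes raw DHCP messages are available
as bytes, e.g. from a packet capture; the authorized server list is a
hypothetical value for this network.
"""

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options area
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
MSG_OFFER = 2


def parse_dhcp_options(packet: bytes) -> dict:
    """Return the option TLVs that follow the 236-byte fixed header and cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                     # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def offered_server(packet: bytes):
    """Dotted server identifier of a DHCPOFFER, or None for other message types."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([MSG_OFFER]):
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return None
    return ".".join(str(b) for b in sid)


def find_rogue_servers(packets, authorized):
    """Server identifiers seen in OFFERs that are not in the authorized list."""
    seen = set()
    for pkt in packets:
        try:
            server = offered_server(pkt)
        except ValueError:                # malformed capture: skip, keep reviewing
            continue
        if server is not None:
            seen.add(server)
    return sorted(seen - set(authorized))


def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Build a minimal DHCPOFFER; constructed sample input only."""
    header = bytearray(236)
    header[0] = 2                                               # op = BOOTREPLY
    header[1] = 1                                               # htype = Ethernet
    header[2] = 6                                               # hlen
    header[16:20] = bytes(int(x) for x in yiaddr.split("."))    # yiaddr
    opts = bytes([OPT_MESSAGE_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(x) for x in server_ip.split("."))
    opts += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC_COOKIE + opts


AUTHORIZED_DHCP_SERVERS = ["10.0.0.1"]     # hypothetical authorized server

# Constructed capture: two offers from the real server, one from an unknown host.
SAMPLE_CAPTURE = [
    build_offer("10.0.0.1", "10.0.0.50"),
    build_offer("10.0.0.1", "10.0.0.51"),
    build_offer("10.0.0.99", "10.0.0.52"),
]

if __name__ == "__main__":
    for server in find_rogue_servers(SAMPLE_CAPTURE, AUTHORIZED_DHCP_SERVERS):
        print("unauthorized DHCP server:", server)
```

Malformed or truncated messages are skipped rather than aborting the review, and only OFFER messages are considered, so a client's own DISCOVER or REQUEST traffic never produces a false rogue entry.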

Exam Prep Questions

1. Which of the following IDS forms uses known attack signatures to identify unauthorized access attempts?
❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

2. Which of the following IDS forms is subject to common false-positive attack indications?
❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

3. Which of the following IDS forms are relatively platform independent? (Select two correct answers.)
❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

4. A denial-of-service attack is being waged against the company’s web server using a large external botnet. Which of the following IDS solutions could enhance the attack’s effect?
❍ A. Knowledge-based IDS
❍ B. Host-based IDS
❍ C. Behavior-based IDS
❍ D. Network-based IDS

5. You have installed a custom monitoring service on the web server that reviews web service logs to watch for the URLs used by the Code Red worm to propagate itself. When this custom service detects an attack, it raises an alert via email. Which of the following types of IDS is this solution? (Select two correct answers.)
❍ A. Knowledge-based IDS
❍ B. Application protocol-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

6. You have deployed a packet-monitoring system to sniff packets passing through an organization’s DMZ. Which of the following types of IDS is this solution?
❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

7. Which of the following describes a host configured to expose a specific service to a public network, while hardening all other resource access to restrict access within an organization’s secure network?
❍ A. Honeypot
❍ B. Honeynet
❍ C. Bastion
❍ D. War driving

8. Acquiring insurance to cover the costs of potential lost data is an example of which risk-management strategy?
❍ A. Accepting the risk
❍ B. Eliminating the risk
❍ C. Mitigating the risk
❍ D. Transferring the risk

9. Which of the following servers may be overcome by a denial-of-service type of attack? (Select all that apply.)
❍ A. Web servers
❍ B. FTP servers
❍ C. DNS servers
❍ D. NNTP servers
❍ E. DNS servers

10. You have configured your web server to use Windows partitions and the Microsoft System Update Service (SUS) to regularly apply new hotfixes and patches. Which of the following forms of hardening is specified in this solution?
❍ A. Application
❍ B. Baseline
❍ C. Operating system
❍ D. Network

Answers to Exam Prep Questions

1. A. Knowledge-based IDS solutions use known attack signatures to identify network attacks. Answer B is incorrect because behavior-based IDS solutions measure access patterns against known baselines to identify attacks. Answers C and D are incorrect because either might include knowledge-based or behavior-based IDS solutions, and so neither is the best answer here.

2. B. Behavior-based IDS solutions measure patterns of access against known security baselines. As a result, any variation from the previous baseline may be detected as a possible attack. Answer A is incorrect because knowledge-based IDS solutions use known attack signatures to identify attacks and so are not often subject to false positives. Answers C and D are incorrect because either might include knowledge-based or behavior-based IDS solutions, and so neither is the best answer here.

3. B, C. Behavior-based IDS solutions and network-based solutions operate on patterns of access and data packet transfer to identify attacks; both can evolve to meet changes in network technologies in use. Answers A and D are incorrect because knowledge-based IDS solutions must be able to identify known attack signatures directed at the protected technologies, and host-based IDS solutions involve client agents running on the monitored hosts, and so both are strongly affected by changes to the protected technologies.

4. B. Because host-based IDS solutions use the same resources that are being attacked, they can enhance denial-of-service attempts by consuming additional resources for each identified intrusion event. When multiple services are loaded onto a single system, this problem can be compounded. Answer C is incorrect because any of the solutions may be behavior-based, and it is likely that the successful identification of a DoS attack would be behavior-based. Answer D is incorrect because a NIDS solution would not impact the service or resource performance of the separate host under attack.

5. A, D. This solution describes a host-based solution identifying a known attack signature. Answer B is incorrect because an application protocol-based detection system would generally operate away from the web server itself, residing in the middleware layer to monitor protocol use between service elements. Answer C is incorrect because the agent does not attempt to capture packet data; it only reviews the web service logs on the local system.

6. C. This is a common NIDS solution, where packet data is monitored for unauthorized access patterns. Answers A and B are incorrect because the proposed solution might make use of either knowledge-based or behavior-based IDS. Answer D is incorrect because a HIDS solution would use client agents operating on the monitored hosts rather than sniffing the network traffic.

7. C. A bastion host exposes a service or port while protecting against other forms of exploit. Answers A and B are incorrect because honeypots and honeynets are used to distract attackers or to monitor their access methods. Answer D is incorrect because war driving refers to driving around with a wireless card in promiscuous mode, attempting to detect open wireless access points.

8. D. Obtaining insurance to cover the cost of a potential exposure is an example of transferring an identified risk without reduction. Answer A is incorrect because the risk has not simply been accepted; only the costs have been addressed by this solution. Answer B is incorrect because the risk remains. Answer C is incorrect because the level of risk remains the same.

9. A, B, C, D, and E. All of these services may be overcome by a DoS attack if the attacker can overload the available processing and bandwidth resources available to each.

10. C. Selecting a secure file system such as NTFS and regularly applying operating system updates are examples of operating system hardening. Answer A is incorrect because application hardening involves the security of user applications and services. Answer B is incorrect because a baseline establishes the normal operating levels of a network and is not itself hardened; no baselining is required for this solution. Answer D is incorrect because network hardening involves the security of network access.

Additional Reading and Resources

1. Jones, Andy, and Debi Ashenden. Risk Management for Computer Security: Protecting Your Network and Information Assets. Butterworth-Heinemann, 2005.
2. Stein, Lincoln D., and John N. Stewart. The World Wide Web Security FAQ: http://www.w3.org/Security/Faq/
3. SANS Information Security Reading Room: http://www.sans.org/reading_room/
4. CERT Incident Reporting Guidelines: http://www.cert.org/tech_tips/incident_reporting.html
5. US-CERT OVAL: http://www.us-cert.gov/oval.html


CHAPTER EIGHT
Auditing

Terms you need to understand:
✓ Performance monitoring
✓ System monitoring
✓ Performance baseline
✓ Behavior-based monitoring
✓ Signature-based monitoring
✓ Anomaly-based monitoring
✓ Application logging
✓ System logging
✓ Auditing
✓ Storage policy
✓ Retention policy
✓ Group policies

Techniques you need to master:
✓ Use monitoring tools on systems and networks and detect security-related anomalies.
✓ Execute proper logging procedures and evaluate the results.
✓ Compare and contrast various types of monitoring methodologies.
✓ Conduct periodic audits of system security settings.

Auditing is done to protect the validity and reliability of organizational information and systems. Auditing can create a large repository of information that has to be filtered through. As a security professional, you have the capability to audit a vast amount of data. How much you audit depends on how much information the organization wants to store or what retention policies are in place. Because every organization is different, with different policies and requirements, no “one size fits all” rules will ensure all security bases are covered. This chapter covers the use of monitoring tools on systems and networks to detect security-related anomalies, proper logging procedures, results evaluation, and the periodic audits of system security settings. The discussion examines various monitoring methodologies.

Using Monitoring Tools to Detect Security-Related Anomalies
Most organizations use monitoring and diagnostic tools to help manage their networks. Monitoring can be as simple or complex as you want to make it. Many organizations monitor an extensive amount of information, whereas others may monitor little or nothing. The most basic level of system monitoring tells whether connectivity, a process, or a service is available. Diagnostic tools can be actual tools, such as cable testers and loopback connectors, third-party software programs, or built-in operating system tools. This section focuses solely on software utilities. The more common network diagnostic tools used for this purpose include the following:

• Ping—Packet Internet Grouper (ping) is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host. It is a good troubleshooting tool to tell whether a route is available to a host.
• Tracert/traceroute—This utility traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. It also shows the Time To Live (TTL) value and the amount of time it takes for a packet to make the complete trip, in milliseconds (ms), also known as round-trip time (RTT).
• Nslookup—This is a command-line utility used to troubleshoot a domain name system (DNS) server database. It queries the DNS server to check whether the correct information is in the zone database.
• Netstat—Netstat displays all the ports on which the computer is listening. It can also be used to display the routing table and interface statistics.

Ping uses the ICMP echo function and is the lowest-level test of whether a remote host is alive. A small packet containing an ICMP echo message is sent through the network to a particular IP address. The computer that sent the packet then waits for a return packet. If the connections are good and the target computer is up, the echo message return packet will be received. It is one of the most useful network tools available because it tests the most basic function of an IP network. ICMP is a protocol meant to be used as an aid for other protocols and system administrators to test for connectivity and search for configuration errors in a network. One caveat with using ICMP: It can be manipulated by malicious users, as specified in Chapter 3, “Infrastructure Basics,” so some administrators block ICMP traffic. If that is the case, you will receive a request timeout even though the host is available.

Traceroute uses an ICMP echo request packet to find the path. It sends an echo reply with the TTL value set to 1. When the first router sees the packet with TTL 1, it decreases it by 1 to 0 and discards the packet. As a result, it sends an ICMP Time Exceeded message back to the source address. The source address of the ICMP error message is the first router address. Now the source knows the address of the first router. Generally, three packets are sent at each TTL, and the RTT is measured for each one. Most implementations of traceroute keep working until they have gone 30 hops, but this can be extended up to 254 routers.

• Ipconfig/Ifconfig—Ipconfig is used to display the TCP/IP settings on a Windows machine, whereas Ifconfig is used on UNIX/Linux machines, or it can be used to display and control TCP/IP information and interfaces. Depending on which command you are using, the command can display the IP address, subnet mask, default gateway, DNS, Windows Internet Naming Service (WINS), and MAC information. This is useful in verifying that the TCP/IP configuration is correct if connectivity issues arise.
• Telnet—Telnet is a terminal emulation program used to access remote routers and systems. This is an excellent tool to use to determine whether the port on a host computer is working properly.

EXAM ALERT
Know the different utilities that you can use to troubleshoot networks and what they are used for.

Pathping is a Windows route-tracing tool that combines features of the ping and tracert commands with additional information. The pathping command uses traceroute to identify which routers are on the path. When the traceroute is complete, pathping then sends pings periodically to all the routers over a given time period and computes statistics based on the number of packets returned from each hop. By default, pathping pings each router 100 times, with a single ping every 0.25 seconds. Consequently, a default query requires 25 seconds per router hop. This is especially helpful in identifying routers that cause delays or other latency problems on a connection between two IP hosts.

Port scanners, vulnerability scanners, and intrusion-detection systems are also used in network monitoring. These tools were discussed in Chapter 7, “Intrusion Detection and Security Baselines.” If these tools are used on the network, be sure the information they gather is protected, because they contain information of great value to an intruder.

Performance Benchmarking and Baselining
Benchmarking determines how much of a load the server can handle by comparing two or more systems or components of a system. The most common use of a benchmark is to measure performance. However, a benchmark also can be used to burn in a new piece of hardware or a new application. During burn-in, the server is placed under a heavy stress level for long periods of time to see whether any part of the system fails. When performing a burn-in, you will often catch problems that might arise only after extended use or that might not turn up unless the system is under a heavy load. When a server is set up, you should allow a burn-in period. An initial baseline should be done for both network and application processes so that you can tell whether you have a hardware or software issue. Sometimes applications have memory leaks, or a new version may cause performance issues. This measure of normal activity is known as a baseline. Baselines must be updated on a regular basis and certainly when the network has changed or new technology has been deployed. Without having a baseline on applications, you may spend a long time trying to figure out what the problem is.

EXAM ALERT
It is essential to identify typical behavior to identify abnormal behavior.

Be sure that you do the baseline during normal business hours under normal conditions. Taking a baseline on a day when there is little activity may later cause alarm when there is probably no reason; conversely, taking a baseline when there is a denial-of-service (DoS) attack going on will cause you not to pay attention when you should. Security monitoring during baselining is important because an ongoing attack during the baselining process could be registered as the normal level of activity. To be sure the network is secure when establishing baselines, it is important to harden all technologies against as many avenues of attack as possible. After the baseline has been created, you can then use tools to monitor the performance. The next few sections describe tools that you can use to monitor the performance of systems, applications, and the network to detect security-related anomalies.

Performance Monitoring
As your network changes, you must monitor and improve its performance. You will find that often it is necessary to make adjustments and possibly change the topology or structure of the network. You can use many tools to monitor the performance on the network. Performance console, Network Monitor, Event Viewer, and Task Manager are tools designed for Windows operating systems. Other operating systems have comparable programs that you can use, and you can purchase many third-party programs that will also do the job. On the open source side, Nagios, which is a popular Linux-based enterprise monitoring application, works with text configuration files that store information about hosts and services. The Microsoft Performance console is used for tracking and viewing the utilization of operating system resources. The console consists of two snap-ins: the System Monitor and the Performance Logs and Alerts. The Performance console keeps track of set counters for system objects. You can view information that you have tracked in charts, logs, alerts, and reports. It can also send alerts to an assigned administrator or user when the performance exceeds a predetermined threshold level, and it can monitor more than one server at a time. This tool is used to monitor the physical disks, memory, processor, network, applications, and other services. The major areas of concern should be the network itself, the machine operating system, applications, and services. Figure 8.1 shows a sample Performance console screen. Here are some of the parameters that should be monitored:

FIGURE 8.1 Performance console.

• Logical and physical disks—Monitor for excessive disk usage. Keep in mind that if memory is insufficient, excessive disk usage will occur as the system swaps information in and out of the pagefile.
• Random access memory (RAM)—Microsoft operating systems are memory intensive; therefore, it is important to monitor the memory. Also, sometimes applications have memory leaks that affect performance.
• CPU—Track the utilization rate to help determine which programs or processes have excessive time usage.
• Protocols—Some protocols tend to grab more processor power, causing other protocols to drop packets.

Keep in mind that performance monitoring is resource-intensive. Only monitor what you need and as necessary.

System Monitoring
System monitoring is the next method of monitoring. The methodology to perform system monitoring depends on the operating system on the desktop or server. In Microsoft operating systems, the Event Viewer records events in the system event log. Event Viewer enables you to view certain events that occur on the system. Event Viewer maintains three log files: one for system processes, one for security information, and one for applications. The system log shows events that occur on the individual system. You can use the application log to tell how well an application is running. Event logging is used for troubleshooting or for notifying administrators of unusual circumstances. For security events to be monitored, you must enable auditing. You can configure settings such as the size of the file and the filtering of events. It is important to be sure that you have the log file size set properly, that the size is monitored, and that the logs are periodically archived and cleared. Consider carefully where you store log files to make sure that intruders don’t have access to them. By doing so, you eliminate the ability for intruders to cover their tracks. Figure 8.2 shows the system event log for a system. Table 8.1 lists the fields and definitions of Windows events.

TABLE 8.1 Windows Events
Field Name       Field Description
Type             The type of the event, such as error, warning, or information
Time             The date and time of the local computer at which the event occurred
Computer         The computer on which the event occurred
Provider Type    The type of event that generated the event, such as a Windows event log
Provider Name    The name of the event, such as Application or Security
Source           The application that logged the event, such as MSSQL Server
Event ID         The Windows event number
Description      The description of the event

Of these fields, it is important to note the Event ID and the Description Text fields. The event ID is the easiest way to research the event in the Microsoft Knowledge Base, and the description text usually explains what happened in simple language.

EXAM ALERT
The security log records security events and is available for view only to administrators. Unlike the security log, the application and system logs are available to all users to view.

FIGURE 8.2 Event Viewer.

There are also built-in and downloadable tools in other operating systems, such as iStat nano for Macintosh systems. iStat nano is a system monitor widget that enables you to view statistics about the system, such as CPU usage, memory usage, hard drive space, bandwidth usage, battery usage, uptime, temperatures, fan speeds, and the top five processes. In addition, third-party programs are available that provide network health monitoring. These programs can monitor the entire network and include devices such as modems, printers, routers, switches, and hubs. To monitor the health of all systems, you install agents on the machines and then monitor the agents from a central location. For example, Simple Network Management Protocol (SNMP) is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. If you choose to use SNMP, be aware of the vulnerabilities this protocol has. The vulnerabilities of SNMP are discussed in Chapter 3, “Infrastructure Basics.”

Protocol Analyzers
Some operating systems have built-in protocol analyzers. Protocol analyzers were introduced in Chapter 3. The purpose of the discussion in this chapter is to show how you can use them to detect security-related anomalies. Windows Server operating systems come with a protocol analyzer called Network Monitor. Network Monitor is used in conjunction with Microsoft System Management Server (SMS) so that it can capture data across routers and resolve IP addresses from names. When the packets have been captured, you can view the information. Some of the basic information recorded is the source address, destination address, headers, and data. In addition, you can access the Performance console from within Network Monitor. Figure 8.3 shows the information output by the Microsoft Network Monitor. Network Monitor detects other installed instances of Network Monitor and identifies the machine name and user account that it is running under.

Network Monitor can be used to view IPsec communication. It includes parsers for the Internet Security Association and Key Management Protocol (ISAKMP) Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP) protocols. Network Monitor cannot parse encrypted portions of IPsec-secured ESP traffic when the encryption is provided by software. It can, however, process the packets if they are being encrypted and decrypted by IPsec-aware network adapters because the packets are already decrypted by the time they reach Network Monitor’s parsers. Novell’s comparable network-monitoring tool is called LANalyzer. In the UNIX environment, many administrators use the tools that come with the core operating system, such as ps and vmstat. Sun Solaris has a popular utility called iostat that provides good information about I/O performance. Other third-party programs such as Wireshark can also be used for network monitoring.

EXAM ALERT
A protocol analyzer is used to capture network traffic and generate statistics for creating reports.

FIGURE 8.3 Network Monitor.

Monitoring Methodologies
When implementing a monitoring methodology, you need to be able to distinguish the difference between the various methods and compare the effects of implementing each method. To do this, you should have some fundamental knowledge of what levels of the system are to be monitored. Monitoring for detection of abnormalities or intrusion should be established at five different levels:

• The kernel—The kernel level is the execution profile. It is here that malicious software such as rootkits operate. When changes to this profile occur, something possibly intrusive is occurring on the system.
• The network layer—The network-level profile consists of the assembly and transport of data packets. Potentially dangerous activity is denoted by an unusual increase or decrease in packets, when enormous packets are produced, or when the send or receive process takes unusual steps. Attacks at this level would include DoS and other malformed packet attacks.
• The end application—All applications generate a normal profile of behavior. Changes in the normal application behavior warrant further investigation for a compromise.
• The file system—At the file system level, each user creates certain patterns that can be represented in a profile. This is because each user accesses different files in different locations with different frequencies. Changes in these profiles may indicate something amiss, such as a compromised account or malfeasance.
• The shell—At the shell level, each user generates a standard profile representing the normal activities that are routine for that person. However, there is a lot of variation among users.

The following sections cover the most common ways to monitor the various levels and their activity, including behavior-based, signature-based, and anomaly-based monitoring.

Behavior-Based Monitoring
Behavior-based intrusion detection monitoring was discussed in Chapter 7. This section serves as a review and provides additional information about this type of monitoring. The premise of behavior-based monitoring is that an intrusion can be detected by variations from expected system or user behavior. This information is then used as a model of normal or valid behavior. This model is then compared with current activity. Based on this logic, all attacks can be detected, because this method is based solely on behavior. However, it can generate false positives. So, for example, if you install a program that doesn’t contain a known signature and causes your email program to begin sending out emails to everyone in your address book, the behavior-based scanning tool will detect this abnormal behavior and mark it as such. Table 8.2 shows the advantages and disadvantages of behavior-based monitoring.

EXAM ALERT
Behavior-based scanning works by looking at the way certain executable files make your computer behave.

TABLE 8.2 Advantages and Disadvantages of Behavior-Based Monitoring
Advantages:
• Can identify malware before it’s added to signature files
• Can monitor for malware activities
• Can learn about malware based on previous detection
• Not dependent on OS-specific mechanisms
Disadvantages:
• Tends to trigger false alarms
• Slow file checking
• Tends to be more costly
• Needs retraining (when behavior changes)

Anomaly-Based Monitoring
Anomaly detection, a subset of behavior-based monitoring, stores normal system behavior profiles and triggers an alarm when some type of unusual behavior occurs. This type of monitoring falls under behavior-based monitoring. Behavior-based intrusion detection is sometimes referred to as statistical-based intrusion detection. Anomaly-based monitoring uses different types of measures depending on what is being protected and what is being monitored. The classifications of anomaly detection techniques include statistical methods, distance-based methods, rule-based methods, profiling methods, and model-based approaches. For example, under the profiling method, normal behavior can be programmed based on offline research, or the system can learn behavior while processing network traffic. Detection of anomalies is used in many security domains, ranging from video surveillance and security systems to intrusion detection and fraudulent transactions. Anomalies are by definition events out of the ordinary. Although their occurrence should be minimal, properly detecting their presence is highly important compared to other events. Because it detects any traffic behavior that is new or unusual, the anomaly-based method provides early notification of potential intrusions. Anomaly-based monitoring is useful for detecting these types of attacks:

• Protocol and port exploitation
• New exploits or buffer overflow attacks
• DoS attacks based on payloads or volume
• Normal network failures
• Variants of existing attacks in new environments

Signature-Based Monitoring
Almost every program has some identifiable text inside its code. This identifiable text is its signature. A signature-based monitoring method is sometimes considered a part of the misuse-detection category. The signatures are identified through careful analysis of the byte sequence from captured attack traffic. In some products, such as Snort, these signatures are in the form of rules or rule sets. The rules are developed as new vulnerabilities are discovered and documented. Nearly all signature-based product vendors provide rules for their products with variable numbers of signatures. Signature-based systems have an advantage because of their simplicity and their ability to operate online in real time. The problem is that they can detect only known attacks with identified signatures. Table 8.3 lists the advantages and disadvantages of signature-based monitoring.

EXAM ALERT
A signature-based monitoring method looks for specific byte sequences or signatures known to appear in attack traffic.

TABLE 8.3 Advantages and Disadvantages of Signature-Based Monitoring
Advantages:
• Accurate detection because of prior detection
• Low number of false positives
• Detailed text logs
• Uses few system resources
Disadvantages:
• Polymorphic viruses make signature scanning nearly obsolete for critical systems.
• Based excessively on passive monitoring.
• Inability to detect new and previously unidentified attacks.
• Rule sets need constant updating.

Logging Procedures and Evaluation
Logging is the process of collecting data to be used for monitoring and auditing purposes. The log files themselves are documentation, but how do you set up a log properly? Standards should be developed for each platform, application, and server type to make this a checklist or monitoring function. Logs take up disk space and use system resources. They also have to be read. When choosing what to log, be sure you choose carefully; if you log too much, the system will bog down, and it will take a long time to weed through the log files to determine what is important.

before you can configure logging. If you don’t know what normal behavior is. technical. Application Security Application security and logging have become a major focus of security as we move to a more web-based world and exploits such as cross-site scripting and SQL injections are an everyday occurrence.230 Chapter 8: Auditing what is important. it is essential to identify what is typical behavior for your network. Regulatory compliance issues make it necessary to have sound procedures in place for logging and retention of secured data. Centralized logging solutions can be based on a variety of standards such as the UNIX syslog or Linux syslog-ng format. you may think someone is trying to attack your network. and documentation should state proper methods for archiving and reviewing logs. A common storage location for all logs should be mandated. Should you choose to use manual analysis. application servers store a wide variety of data from web pages to critical data and sensitive information. Standards should also be implemented for the types of events you want to log based on business. such as comma-separated value (CSV). consider creating the logs in a format that can readily be parsed. When you have a baseline of activity as described in prior sections. it is hard to identify what is abnormal behavior. Baselining gives you a point of reference when something on the network goes awry. Doing so will allow for more flexibility when importing the information into applications for analysis. you can configure logging. NOTE When implementing an application logging strategy. If you don’t know that this is a normal part of Microsoft operating system communication. and regulatory requirements and the threats the organization faces. UDP ports 137 and 138 and TCP port 139 are used for NetBIOS activity. For example. Web-based applications and application servers contain a wealth of valuable data. 
look for a solution that uses standard protocols and formats so that analysis is simpler. This next section covers some the main areas of logging and evaluation procedures. However. . Internally. Logging procedures and evaluation are an important part of keeping your network safe.
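The two monitoring methods above, together with the NetBIOS baseline point, as an added Python example that is not from the book: signature matching over constructed captured payloads, beside a statistical anomaly check that learns a per-port baseline (mean plus three standard deviations) from constructed per-minute traffic counts. The signatures, traffic records, counts and the three-sigma threshold are all constructed assumptions.

```python
"""Signature-based vs. anomaly-based detection over constructed traffic.

Added example (not from the book). Signatures, traffic records and the
per-minute port counts below are all constructed for illustration.
"""
from statistics import mean, pstdev

# --- Signature-based monitoring -------------------------------------------
# A signature is a byte sequence known to appear in attack traffic. Products
# such as Snort express these as rules; here they are plain (name, bytes) pairs.
SIGNATURES = [
    ("directory-traversal", b"../../"),
    ("sql-injection-probe", b"' OR '1'='1"),
]


def signature_scan(records, signatures=SIGNATURES):
    """Return (src_ip, dst_port, signature_name) for every payload containing
    a known signature. It can only find what is already in the list."""
    hits = []
    for src_ip, dst_port, payload in records:
        for name, pattern in signatures:
            if pattern in payload:
                hits.append((src_ip, dst_port, name))
    return hits


# --- Anomaly-based monitoring ---------------------------------------------
def build_baseline(windows, floor=1.0):
    """Learn the normal profile: mean and standard deviation of the per-window
    packet count for each destination port seen while training. `floor` keeps
    a zero-variance port from alarming on the smallest change."""
    ports = {port for window in windows for port in window}
    profile = {}
    for port in ports:
        counts = [window.get(port, 0) for window in windows]
        profile[port] = (mean(counts), max(pstdev(counts), floor))
    return profile


def anomaly_scan(window, profile, k=3.0):
    """Flag ports whose count exceeds mean + k*stdev, and ports never seen in
    the baseline at all. Returns a sorted list of (port, reason)."""
    alarms = []
    for port, count in window.items():
        if port not in profile:
            alarms.append((port, "port not in baseline"))
            continue
        mu, sigma = profile[port]
        if count > mu + k * sigma:
            alarms.append((port, f"volume {count} exceeds {mu + k * sigma:.1f}"))
    return sorted(alarms)


# Constructed per-minute packet counts per destination port over five normal
# minutes. NetBIOS (UDP 137/138, TCP 139) is busy because Windows hosts talk
# on those ports constantly; without a baseline that chatter looks hostile.
BASELINE_WINDOWS = [
    {80: 40, 443: 25, 137: 30, 138: 12, 139: 18, 53: 20},
    {80: 44, 443: 22, 137: 28, 138: 10, 139: 20, 53: 18},
    {80: 38, 443: 27, 137: 33, 138: 11, 139: 17, 53: 22},
    {80: 42, 443: 24, 137: 29, 138: 13, 139: 19, 53: 19},
    {80: 41, 443: 26, 137: 31, 138: 12, 139: 18, 53: 21},
]
# A later minute: NetBIOS unchanged, a never-seen port appears, and web
# traffic is twenty times normal (a volume-based DoS pattern).
OBSERVED_WINDOW = {80: 900, 443: 25, 137: 30, 138: 12, 139: 18, 53: 20, 1433: 250}

# Constructed captured packets: (src_ip, dst_port, payload).
CAPTURE = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", 137, b"\x80\x94\x00\x00\x00\x01"),  # ordinary NetBIOS name query
    ("203.0.113.7", 80, b"GET /../../etc/passwd HTTP/1.1"),
    ("203.0.113.8", 80, b"GET /login?user=a' OR '1'='1 HTTP/1.1"),
]


def demo():
    """Run both detectors over the constructed data."""
    sig_hits = signature_scan(CAPTURE)
    alarms = anomaly_scan(OBSERVED_WINDOW, build_baseline(BASELINE_WINDOWS))
    return sig_hits, alarms


if __name__ == "__main__":
    hits, alarms = demo()
    for hit in hits:
        print("signature:", hit)
    for alarm in alarms:
        print("anomaly:", alarm)
```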

Because SQL injections are a large concern for organizations, we will look at an example of the need for consistent logging in finding SQL injection attempts. If an attacker is trying to perform SQL injection and executes it on a variety of different fields, these fields will map to different objects. If these objects are written by different developers, there is a good chance that the syntax in the logs will also vary. So, not only do you need to read the logs, you may also have to know how to correlate events when examining output.

Most web servers offer the option to store log files in either the common log format or a proprietary format. The common log file format is supported by the majority of analysis tools. The extended log file format is designed to meet the following needs:
- Permit control over the data recorded
- Support needs of proxies, clients, and servers in a common format
- Provide robust handling of character escaping issues
- Allow exchange of demographic data
- Allow summary data to be expressed

Internet Information Services (IIS) logs information specific to the events and processes of the service. Besides logging the IIS service, you can enable logging for individual web and FTP sites. After you enable logging on a web or FTP site, all traffic to the site, including virtual directories, is written to the corresponding file for each site. The IIS logs may include information about site visitors and their viewing habits. They can be used to assess content, identify bottlenecks, or investigate attacks. Logging HTTP requests may expose attempts—successful or unsuccessful—to exploit a buffer overflow. Plan the selection of the fields that will be logged carefully to limit the size of the logs. To improve server performance, logs should be stored on a nonsystem striped or striped/mirrored disk volume.

DNS

Domain name system (DNS) is called the “heartbeat” of the Internet. DNS resolves IP addresses to domain names. Many organizations choose to host their own DNS server as opposed to paying for third-party hosting. There are a couple of options available for DNS: Microsoft DNS and Berkeley Internet Name Domain (BIND). Each has logging features, and this section discusses those options.
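The extended log file format and the SQL injection correlation problem above, as an added Python example that is not from the book: a parser driven by the #Fields: directive, then a review that decodes every query parameter and checks each value with the same indicators regardless of which field (and which developer's object) it arrived in. The log excerpt is constructed in the shape IIS writes; the indicator patterns and the 256-character field limit are assumptions.

```python
"""Parse W3C extended log format entries and review every request parameter
for SQL-injection indicators, whichever field carried it.

Added example (not from the book). The log excerpt is constructed in the
shape IIS writes; the indicator patterns are a small illustrative set.
"""
import re
from urllib.parse import parse_qsl

# Constructed W3C extended log excerpt. Directive lines start with '#', the
# #Fields: directive names the columns, fields are space-separated and '-'
# means "no value". IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Date: 2009-01-15 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2009-01-15 00:01:02 10.0.0.5 GET /default.aspx - 200 Mozilla/4.0
2009-01-15 00:01:09 10.0.0.5 GET /products.aspx id=42 200 Mozilla/4.0
2009-01-15 00:02:31 203.0.113.7 GET /products.aspx id=42'+OR+'1'='1 500 Mozilla/4.0
2009-01-15 00:02:40 203.0.113.7 GET /search.aspx q=shoes%27+UNION+SELECT+1,2,3-- 200 Mozilla/4.0
2009-01-15 00:03:05 10.0.0.8 GET /products.aspx id=43 200 Mozilla/4.0
"""

# Patterns that suggest a probe rather than a normal value. A real rule set
# is far larger; these three cover the two probes in the sample.
SQLI_INDICATORS = [
    re.compile(r"'\s*(or|and)\s*'", re.I),       # quote-balanced boolean condition
    re.compile(r"\bunion\b.*\bselect\b", re.I),  # UNION-based probe
    re.compile(r"--\s*$"),                       # trailing SQL comment
]


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields: directive.
    Directive lines are consumed, not yielded; '-' becomes None. A line whose
    field count disagrees with the directive is rejected rather than guessed."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields: directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def review_parameters(entries, indicators=SQLI_INDICATORS):
    """Decode cs-uri-query into (name, value) pairs and test every value
    against the indicators regardless of the parameter name, so a probe aimed
    at 'id' on one page and 'q' on another is caught by the same check.
    Returns (c-ip, cs-uri-stem, parameter, decoded value) per suspicious value."""
    findings = []
    for entry in entries:
        query = entry.get("cs-uri-query")
        if not query:
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            if any(rx.search(value) for rx in indicators):
                findings.append((entry["c-ip"], entry["cs-uri-stem"], name, value))
    return findings


def oversized_fields(entries, limit=256):
    """Flag any field longer than `limit` characters; unusually long request
    fields are the kind of trace a buffer-overflow attempt leaves in a log."""
    return [(entry["c-ip"], name, len(value))
            for entry in entries
            for name, value in entry.items()
            if value is not None and len(value) > limit]


if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE_LOG))
    for finding in review_parameters(entries):
        print("suspicious parameter:", finding)
    print("oversized fields:", oversized_fields(entries))
```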

BIND offers several logging options. The options include specifying which types of messages are logged, where each message type is sent, and the severity of each message type to log. In BIND 8 and 9, the DNS server logs messages to output channels. Channels are where logging data is sent. Channels enable you to filter by message severity. You can create your own file channels in addition to the default channels provided. Here are the channel types:
- File channels—Messages logged to file channels are sent to a file.
- Syslog channels—Messages logged to this channel are sent to the job log.
- Null channels—All messages logged to the null channel will be discarded.

Messages are grouped into categories. There are many categories, including config, db, lame-servers, queries, update, xfer-in, and xfer-out. You can specify what message categories should be logged to each channel. For each channel, you can specify the severity level for which messages are logged. All messages of the severity you select and any levels above it in the list are logged. The logging system is configured using the logging statement in the /etc/named.conf file. Additional logging information can be found in the BIND documentation.

Microsoft DNS provides a couple of options for identifying DNS events. The Event Viewer DNS server log file provides information about errors and other information relating to the DNS service. The DNS server log contains events logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. This should be the first place you look when troubleshooting DNS-related issues. By enabling DNS debug logging, you can log all DNS-related information. This includes zone transfers, DNS queries, and resource record updates. DNS logging logs selected DNS event information in a dns.log file in the %systemroot%\system32\dns folder on the server. All DNS server log file contents are cleared when the DNS server is stopped and started. Configuring DNS debug logging can be done from the command line using DNSCmd.exe or from the GUI. DNS logging may cause performance degradation on the server. It should be used only for troubleshooting purposes. Log files can become large, and they should be deleted on a regular basis.

For troubleshooting DNS without logging, use Nslookup. Nslookup has two modes: noninteractive and interactive. Noninteractive mode is used for looking up a single piece of data, such as one DNS record. Interactive mode is used when you are running multiple queries one after another.

System Logging

The types of log files found in Microsoft operating systems were discussed previously in the section “System Monitoring.” The Event Viewer records events in the system event log. In UNIX- or Linux-based systems, programs send log entries to the system logging daemon, syslogd. Syslogd compares each submission to the entries in /etc/syslog.conf. When it finds a matching entry, it processes the log entry. There are two columns in /etc/syslog.conf: one for providing the information to be logged, and one for the action to be taken when a log message matches. The standard method of specifying a logging source is by facility and level. As with other operating systems, when using UNIX/Linux you should centralize log files by copying them from the system to a log server. This way, if the logs on the system don’t match the logs on the syslog server, you know they have been altered. This also provides you with a backup of the logs, enabling you to trace when and where the intrusion occurred.

Best practices for system logging include the following:
- Use a host that is dedicated to logging.
- Log multiple systems to increase reliability.
- Store log files on a standalone computer.
- Encrypt the log files when allowed.
- Employ strict access controls on all logging servers.
- Monitor the capacity of log partitions and storage.

Remember that if you log everything, you end up with too much useless data consuming system resources.

Performance Logging

Earlier in the chapter, we discussed performance monitoring and the tools used for monitoring. All these tools create log files that need to be reviewed. This section explores some tools directly related to the performance of the system itself. Task Manager is a tool that you can use to end processes or applications that get hung up or cause the operating system to become unstable, without having to reboot the machine. Although Task Manager does not actually log performance, it gives you an instant history view of CPU and memory usage and can be extremely useful in determining where further investigation is warranted.
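The two-column /etc/syslog.conf matching and the "logs that don't match the log server have been altered" check above, as an added Python example that is not from the book: a model of how syslogd picks actions for a facility.level message (a selector matches its level and everything above it, and a later selector in the same rule overrides an earlier one), plus a comparison of the local file against the forwarded copy. The configuration lines, the log server name loghost.example.net, and both log copies are constructed.

```python
"""How syslogd routes a message using the two columns of /etc/syslog.conf, and
how a central copy of the log exposes tampering with the local file.

Added example (not from the book). The syslog.conf lines, the messages and
both log copies are constructed; selector matching follows the BSD rules.
"""

# Severity levels, lowest to highest. A selector "facility.level" matches
# that level and every level above it.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]

# Constructed /etc/syslog.conf. Column one: selectors (';' separates them,
# ',' joins facilities, '*' is any, 'none' excludes). Column two: the action
# (a file, '*' for all logged-in users, or @host to forward to a log server).
SYSLOG_CONF = """
# selector                        action
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            /var/log/maillog
*.emerg                           *
authpriv.*;kern.crit              @loghost.example.net
"""


def parse_conf(text):
    """Return [(thresholds, action)] where thresholds maps facility -> index
    into LEVELS (or None when the rule excludes that facility). Within one
    rule a later selector overrides an earlier one, which is how
    '*.info;mail.none' keeps mail out of /var/log/messages."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        thresholds = {}
        for selector in selectors.split(";"):
            facs, level = selector.rsplit(".", 1)
            if level == "none":
                threshold = None
            elif level == "*":
                threshold = 0
            else:
                threshold = LEVELS.index(level)
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                thresholds[fac] = threshold
        rules.append((thresholds, action.strip()))
    return rules


def route(facility, level, rules):
    """Return the actions that receive a message logged at facility.level."""
    severity = LEVELS.index(level)
    actions = []
    for thresholds, action in rules:
        threshold = thresholds.get(facility)
        if threshold is not None and severity >= threshold:
            actions.append(action)
    return actions


# Constructed authpriv lines as received by the log server (@loghost above)
# and as found in the local /var/log/secure afterwards. The local file has
# lost the two failed-password lines.
CENTRAL_COPY = [
    "Jan 15 00:01:02 host1 sshd[812]: Accepted password for alice from 10.0.0.5 port 51012 ssh2",
    "Jan 15 00:02:31 host1 sshd[815]: Failed password for root from 203.0.113.7 port 40233 ssh2",
    "Jan 15 00:02:33 host1 sshd[815]: Failed password for root from 203.0.113.7 port 40233 ssh2",
    "Jan 15 00:03:05 host1 sshd[820]: Accepted publickey for bob from 10.0.0.8 port 51020 ssh2",
]
LOCAL_COPY = [CENTRAL_COPY[0], CENTRAL_COPY[3]]


def tamper_report(local_lines, central_lines):
    """Compare the local log with the forwarded copy. Lines present centrally
    but missing locally were deleted or altered after forwarding; lines only
    present locally were added. The central copy is the one to trust."""
    local, central = set(local_lines), set(central_lines)
    return sorted(central - local), sorted(local - central)


if __name__ == "__main__":
    rules = parse_conf(SYSLOG_CONF)
    for fac, lvl in [("authpriv", "info"), ("kern", "crit"), ("mail", "debug")]:
        print(f"{fac}.{lvl} ->", route(fac, lvl, rules))
    missing, added = tamper_report(LOCAL_COPY, CENTRAL_COPY)
    print(f"{len(missing)} line(s) missing locally, {len(added)} added locally")
```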

As you learned earlier in the chapter, the Microsoft Performance console keeps track of set counters for system objects, but it also has a second component specifically related to performance logging called Performance Logs and Alerts. The Performance Logs and Alerts snap-in enables you to collect performance data automatically from local or remote computers. The counter data collected can be viewed during collection and after collection has stopped because logging runs as a service. This means data collection occurs regardless of whether any user is logged on to the computer being monitored. The logged data can be viewed using System Monitor, or it can be exported in a variety of formats for later analysis and report generation.

EXAM ALERT
Log what’s really essential. It is also important to set the proper size of the security log based on the number of events that you generate.

Access Logging

An important step in protecting the environment is logging remote, local, and network access. Countless examples of intruders being present in a system for a long period of time demonstrate the need to pay particular attention to logging network access. You can use several tools to track what is happening on the network. These tools include Windows events, log files, and audit files, which we discussed earlier in the chapter. Some of the activities that can be logged include reading, modifying, or deleting files; logging on or off the network; using services such as remote access or Terminal Services; using devices such as printers; and the creation, deletion, and modification of user accounts. In addition to the built-in methods to log access, other programs are available to log and monitor network access such as the Microsoft System Center Configuration Manager 2007 and third-party tools such as McAfee’s Network Access Control.

A VPN server running Windows Server 2003 with Windows accounting enabled supports the logging of information for remote-access and site-to-site VPN connections in local logging files. This logging is separate from the events recorded in the system event log. Authentication and accounting logging information is used to track remote-access usage and authentication attempts. Authentication and accounting logging is particularly useful for troubleshooting remote-access policy issues.

To configure authentication and accounting logging, you must first enable either Windows Authentication or Windows Accounting. You configure accounting or authentication logging and log file settings from the properties of the Local File method within the Remote Access Logging folder in the Routing and Remote Access (RRAS) snap-in. RRAS supports the following types of logging:
- Event logging
- Local authentication and accounting logging
- RADIUS-based authentication and accounting logging
- Netsh command-line utility

The log files are stored in the %SystemRoot%\WINDOWS\System32\LogFiles folder. The log files are saved in a format that any database program can read, so the log files can either be exported or accessed directly for analysis. If your RADIUS server is also running Internet Authentication Service (IAS), authentication and accounting information is logged in log files stored on the IAS server.

Firewall Logging

Firewall logs contain entries about the packets that had been handled by the packet filter. All firewall manufacturers have some type of logging capability. The following are some events you want to take a closer look at:
- Blocked attempts—A large number of blocked attempts can indicate an intrusion attempt.
- Repeated traffic to particular ports—This can indicate a DoS or distributed DoS (DDoS) attack.
- Suspicious signatures—These can indicate activity by worms or malicious code.

If you are simply using a router and depending on a Microsoft Internet Security and Acceleration (ISA) server for filtering activity, by default only dropped packets are logged. If you want to log all the packets that are dropped and enabled by the firewall, the option is available in the IP packet filters. However, if you enable this option, the packet filter logs can become quite large depending on the amount of traffic that the ISA server handles. In ISA server, when you configure firewall logging or web proxy logging to use the MSDE database format or the SQL database format, fields that you do not configure may appear in the log file, too. ISA server contains an HTTP filter, which is an application layer filter that examines HTTP commands and data. The HTTP filter screens all HTTP traffic that passes through the ISA server computer and only allows compliant requests to pass through. This significantly improves the security of your web servers, by helping ensure that they respond only to valid requests. It also enables you to control the specifics of ISA server client Internet access. You can define filter criteria to query log files to display specific data that may help troubleshoot common web connectivity issues.

In the event you are having issues with accounts being locked out, such as in a brute-force attack, account lockouts can be difficult to track. One reason for this is that the bad password attempts are recorded only on the domain controller that processed the logon attempt. If you are using older operating systems such as Windows NT with Windows 98 clients, a relatively easy way to track bad password attempts in a domain is to install the checked build of Netlogon.dll on the primary domain controller (PDC). You should install the Netlogon.dll and then examine the Netlogon.log files. This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts.

Antivirus Logging

Antivirus software, just like other software applications, usually contains a folder within the application for logging events such as updates, quarantined viruses, and update history. Third-party programs are also available for centralizing log files. For example, Sawmill, which is well suited to web server logs, can process almost any log. It can process log files in Symantec Antivirus Log Format, import them into a SQL database, generate dynamic statistics, and generate dynamically filtered reports. This can be done on any platform, including Windows, Mac OS, Linux, FreeBSD, OpenBSD, Solaris, other UNIX, and others.

Periodic Audits of System Security Settings

How much you should audit depends on how much information you want to store. Keep in mind that auditing should be a clear-cut plan built around goals and policies. Without proper planning and policies, you probably will quickly fill your log files and hard drives with useless or unused information.
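The account lockout tracking point above (each domain controller records only the bad password attempts it processed), as an added Python example that is not from the book: the logs of two controllers are merged in time order before counting, and a sliding window flags a client whose burst of failures is invisible in either log alone. The record layout, the two logs, and the five-failures-in-two-minutes threshold are constructed assumptions; this is not the real Netlogon.log format.

```python
"""Find which clients generate the bad password attempts, combining the logs of
every domain controller, since each one records only the attempts it handled.

Added example (not from the book). The record layout is constructed and is
not the real Netlogon.log format; the merging and counting are the point.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records from two domain controllers:
# "date time client account". The attempts from WS-ACCT-07 were spread
# across both controllers, so neither log alone shows the full burst.
DC1_LOG = """\
2009-01-15 08:00:01 WS-ACCT-07 alice
2009-01-15 08:00:03 WS-ACCT-07 alice
2009-01-15 08:00:05 WS-ACCT-07 alice
2009-01-15 09:40:00 WS-ENG-12 bob
"""
DC2_LOG = """\
2009-01-15 08:00:02 WS-ACCT-07 alice
2009-01-15 08:00:04 WS-ACCT-07 alice
2009-01-15 08:00:06 WS-ACCT-07 alice
2009-01-15 08:15:00 WS-ENG-12 bob
2009-01-15 11:02:00 WS-HR-03 carol
"""


def parse_records(text):
    """Yield (timestamp, client, account) from one controller's constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, account = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), client, account


def merge_logs(*texts):
    """Parse every controller's log and return all records in time order."""
    return sorted(rec for text in texts for rec in parse_records(text))


def failures_by_client(records):
    """Total bad password attempts per client, the first thing to look at."""
    return Counter(client for _, client, _ in records)


def find_brute_force(records, threshold=5, window=timedelta(minutes=2)):
    """Return {client: time} for clients reaching `threshold` failures inside
    any `window`, using a per-client sliding window over time-sorted records."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, client, _ in records:
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for name, recs in [("DC1 only", list(parse_records(DC1_LOG))),
                       ("merged", merge_logs(DC1_LOG, DC2_LOG))]:
        print(name, dict(failures_by_client(recs)), find_brute_force(recs))
```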

TIP
The more quickly you fill up your log files, the more frequently you need to check the logs.

Auditing can easily add an additional 25% load on a server. If the policy incorporates auditing large amounts of data, be sure that the hardware has the additional space needed and processing power and memory. Here are some items to consider when you are ready to implement an audit policy:
- Identify potential resources at risk within your networking environment. These resources might typically include sensitive files, financial applications, and personnel files.
- After the resources are identified, set up the audit policy through the operating system tools. Each operating system will have its own method for tracking and logging access.
- After enabling auditing, log files will be generated. Take time to view the logs; otherwise, important security events may get deleted unnoticed.

User Access and Rights Review

After you have established the proper access control scheme, it is important to monitor changes in access rights. Auditing of access use and rights changes should be implemented to prevent unauthorized or unintentional access or escalation of privileges, which might allow a guest or restricted user account access to sensitive or protected resources. Auditing should include both privilege and usage. Auditing user privileges is generally a two-step process that involves turning auditing on within the operating system and then specifying the resources to be audited. After you have auditing turned on, you also need to monitor the logs that are generated. Some of the user activities that can be audited include the following:
- Reading, modifying, or deleting files
- Logging on or off the network
- Using services such as remote access or terminal services
- Using devices such as printers

Figure 8.4 provides an example of an auditing policy configured to log privilege use and account management.

FIGURE 8.4 An example of a Windows audit policy configured for the monitoring of privilege use and account management.

TIP
When configuring an audit policy, it is important to monitor successful and failed access attempts. Failure events allow you to identify unauthorized access attempts; successful events can reveal an accidental or intentional escalation of access rights.

To audit objects on a member server or a workstation, turn on the audit object access. To audit objects on a domain controller, turn on the audit directory service access. The roles of the computers will also determine which events or processes you need to audit and log. For example, auditing a developer’s computer might include auditing process tracking, whereas auditing a desktop computer might include auditing directory services access. Table 8.4 lists some of the best practices for auditing events recommended by Microsoft, the reason why you would audit them, and additional information about the auditing of the event.

TABLE 8.4 Auditing Best Practices

Event to Audit: Audit success and failure events in the system events category.
Reason: Unusual activity may indicate that an intruder is attempting to gain access to the computer or network.
Additional Information: The number of audits that are generated when this setting is enabled is relatively low, and information gained tends to be relatively high.

Event to Audit: Audit success events in the policy change event category on domain controllers.
Reason: A logged event indicates someone has changed the Local Security Authority (LSA).
Additional Information: Auditing failed events increases resource use, which usually outweighs the benefits.

Event to Audit: Audit success events in the account management event category.
Reason: Used to verify changes that are made to account properties and group properties.
Additional Information: Auditing failed events increases resource use, which usually outweighs the benefits.

Event to Audit: Audit success events in the logon event category.
Reason: Records when each user logs on to or logs off from a computer.
Additional Information: The possibility of a DoS attack increases with the auditing of failure events in this category.

Event to Audit: Audit success events in the account logon event category on domain controllers.
Reason: Used to verify when users log on to or log off from the domain.
Additional Information: Auditing failed events increases resource use, which usually outweighs the benefits.

Do not audit the use of user rights unless it is strictly necessary for your environment. The following user rights are never audited, mainly because they are used by processes. However, the assignment of them is audited:
- Bypass traverse checking
- Debug programs
- Create a token object
- Replace a process-level token
- Generate security audits

If you must audit the use of user rights, it is advisable to purchase or write an event-analysis tool that can filter only the user rights of interest to you.

In addition to auditing events on domain controllers and user computers, servers that perform specific roles, such as a DNS, DHCP, SQL, or Exchange server, should have certain events audited. For example, you should enable audit logging for DHCP servers on your network and check the log files for an unusually high number of lease requests from clients. DHCP servers running Windows Server 2003 include several logging features and server parameters that provide enhanced auditing capabilities, such as specifying the following:
- The directory path in which the DHCP server stores audit log files. By default, the DHCP audit logs are located in the %windir%\System32\Dhcp directory.
- A minimum and maximum size for the total amount of disk space that is available for audit log files created by the DHCP service.
- A disk-checking interval that determines how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.

In SQL Server, audit failure produces an entry in the Microsoft Windows event log and the SQL Server error log. It is strongly recommended that during SQL Server setup you create a new directory to contain your audit files. The suggested path is \mssql\audit. If you are running SQL Server on a named instance, the suggested path is MSSQL$Instance\audit.

CAUTION
Turning on all audit counters for all objects could significantly impact server performance.

Storage and Retention Policies

Retention and storage documentation should outline the standards for storing each classification level of data. Take, for example, the military levels of data classification. Their documentation would include directions on handling and storing the following types of data:
- Unclassified
- Sensitive
- Confidential
- Secret
- Top secret

Documentation for data should include how to classify, handle, store, and destroy it. Data and information classification levels are discussed further in Chapter 12, “Organizational Controls.” The important point to remember here is to document your security objectives. Then, have a policy. There may be a reason to make new classifications as business goals change, but make sure this gets into your documentation. This is an ongoing, ever-changing process. Change and adjust that documentation when and as needed (with emphasis on when and as needed).

Log files, security evaluations, and other operational documentation should be managed within an organization’s retention and disposal policies. These should include specifications for access authorization, term of retention, and requirements for disposal. Depending on the relative level of data sensitivity, retention and disposal requirements may become extensive and detailed.

Laws may also affect the retention and storage of data. For example, in the United States, changes to the Federal Rules of Civil Procedure (FRCP) have implications for data retention policies. This governs the conduct and procedure of all civil actions in federal district courts. The FRCP changes establish that electronic data is now clearly subject to discovery. Over the past several years, there has been some level of debate over what a “document” is, given that most records now reside in electronic format. Organizations may face issues relating to the discovery, preservation, and production of “electronically stored information.” For example, if an organization is sued by a former employee for wrongful termination, the department may be compelled during the discovery phase of the suit to produce all documents related to that individual’s work performance. This used to mean the personnel records and copies of any written correspondence (memos, letters, and so on) concerning the performance of that employee. It goes further to say that all data is subject to discovery regardless of storage format or location: Email, instant messaging, voice mail, physical records, PDAs, laptops, log files, audit logs, and so on all fall under this. The organization should have a legal hold policy in place, have an understanding of statutory and regulatory document retention requirements, understand the varying statutes of limitations, and have a records-retention and destruction schedule.

Group Policies

To set auditing on a file or folder, use Group Policy to enable auditing and then use security settings in Windows Explorer to specify which files to audit and which type of file access events to audit. You specify which files and folders to audit, whose actions to audit, and which types of actions are audited. When you audit a file or folder, an entry is written to the Event Viewer security log whenever the file or folder is accessed in a certain way.

In Group Policy, the settings that will actually be applied to an object will be a combination of all the settings that can affect the object. All the settings that do not conflict will, in effect, “snowball,” and therefore settings might be applied to an object from many different policies. Settings that conflict will be applied in order of precedence. This being the case, you need a tool that will enable you to quickly determine which settings will apply to a user, a computer, a group of users, or a group of computers. You can use the Resultant Set of Policy (RSoP) tool to determine the effective settings on the computer that you are working from or any other computer in a Windows Server 2003 Active Directory domain. This means that the domain must contain at least one domain controller running Windows Server 2003. You cannot use RSoP for any computers other than the one from which you are currently working if you are not on a Windows Server 2003 domain. The RSoP tool has two main modes: Planning mode and Logging mode. If you need a refresher on how Group Policy is applied, refer to the resources at the end of the chapter.

If you want to be able to script Group Policy object (GPO) troubleshooting of multiple computers, you might want to use the gpresult command-line tool. The gpresult command is simple to use and provides many additional switches for specific functionality. You can determine significant information about group policies by just entering gpresult on a command line. You can use gpresult to perform almost all the actions that are available in RSoP Logging Mode, with one exception: you cannot determine policy precedence information with the gpresult tool.

Exam Prep Questions

1. You are having problems with your email server. No one seems to be receiving any mail. You’re not exactly sure where the problem lies. You go to a workstation, open a DOS prompt, and enter which of the following commands?
A. Netstat
B. Tracert
C. Ipconfig
D. Nslookup

2. You suspect that there are problems with your DNS server. No one seems to be able to contact intranet hosts using DNS names. However, the intranet can be contacted by IP address. You’re not exactly sure where the problem lies. You go to a workstation, open a DOS prompt, and enter which of the following commands?
A. Netstat
B. Tracert
C. Ipconfig
D. Nslookup

3. In which of the following models would you require a centralized database of user accounts? (Choose the two best answers.)
A. User-based
B. Group-based
C. Role-based
D. Risk-based

4. Why is it important to audit both failed events and successful events?
A. It’s not. You only need to audit failed events.
B. Because they will reveal unauthorized access attempts.
C. Because you can’t just audit one. Both have to be activated.
D. It’s not. You only need to audit successful events.

5. You are the network administrator responsible for overseeing the help desk. An employee calls to report that she cannot view the security events in Event Viewer. Which of the following is a reason why the security events cannot be viewed? (Choose the two best answers.)
A. Auditing must be enabled.
B. This is available for view only to administrators.
C. The user already cleared the events.
D. The log is set to overwrite events daily.

6. What is the name given to the activity that involves collecting information that will later be used for monitoring and review purposes?
A. Logging
B. Auditing
C. Inspecting
D. Vetting

7. To monitor the health of all systems, agents are installed on the machines, and then the agents are monitored from a central location. This is an implementation of which of the following?
A. Event Viewer
B. SMTP
C. SNMP
D. Task Manager

8. Which of the following are advantages of behavior-based monitoring? (Choose all correct answers.)
A. Can identify malware before it’s added to signature files
B. Tendency to trigger false alarms
C. Can monitor for malware activities
D. Can learn about malware based on previous detection

9. Anomaly-based monitoring is useful for detecting which types of attacks? (Choose all correct answers.)
A. Protocol and port exploitation
B. New exploits or buffer overflow attacks
C. Normal network failures
D. DoS attacks based on payloads or volume

10. Which of the following are performance parameters that should be monitored? (Choose all correct answers.)
A. RAM
B. CPU
C. Applications
D. Logical disks

Answers to Exam Prep Questions

1. B. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Netstat displays all the ports on which the computer is listening; therefore, answer A is incorrect. Answer C is incorrect because Ipconfig is used to display the TCP/IP settings on a Windows machine. Answer D is also incorrect because Nslookup is a command-line utility used to troubleshoot a domain name system (DNS) database.

2. D. Nslookup is a command-line utility used to troubleshoot a DNS database. Netstat displays all the ports on which the computer is listening; therefore, answer A is incorrect. Answer B is incorrect. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Answer C is incorrect because Ipconfig is used to display the TCP/IP settings on a Windows machine.

3. B, C. Both group-based and role-based access control models require a centralized database of user accounts and groups or roles through which permissions may be inherited. Answer A is incorrect because a user-based access control scenario is used within a peer-to-peer network. Answer D is not a valid model and is therefore incorrect.

4. B. It is equally important to audit both failed and successful events because both may reveal unauthorized access or an unexpected escalation of access rights. Answers A and D are incorrect because it is important to audit both types of events. Answer C is incorrect because you can audit either successful or failed events if you choose.

5. A. For security events to be monitored, auditing must be enabled. The security log records security events and is available for view only by administrators. Answer C is incorrect because this cannot be done by the user. Answer D is also incorrect because if this were the case, there would be some events available for view.

6. C. Simple Network Management Protocol (SNMP) is an application layer protocol whose purpose is to collect statistics from TCP/IP devices by installing agents on the machines, and then the agents are monitored from a central location. Answer A is incorrect because Event Viewer monitors individual systems. Answer B is incorrect because SMTP is a mail protocol. Answer D is also incorrect because Task Manager monitors individual systems.

7. A. Logging is the process of collecting data to be used for monitoring and reviewing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer B is incorrect. Vetting is the process of thorough examination or evaluation; therefore, answer C is incorrect. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer D is incorrect.

8. A, C, and D. Behavior-based monitoring advantages include: It can identify malware before it's added to signature files, monitor for malware activities, and learn about malware based on previous detection. Answer B is incorrect because it is a disadvantage.

9. A, B, and D. Performance parameters that should be monitored include the following: Random access memory (RAM)—Microsoft operating systems are memory intensive. Keep in mind that if memory is insufficient, excessive disk usage will occur as the system swaps memory into and out of disk; therefore, it is important to monitor the memory. Also, sometimes applications have memory leaks that affect performance. CPU—Track the utilization rate to help determine which programs or processes have excessive time usage. Logical and physical disks—Monitor for excessive disk usage. Answer C is incorrect because applications are not performance parameters. However, they do affect the performance of the other three parameters: CPU, memory, and logical disk.

10. A, B, and D. Anomaly-based monitoring is useful for detecting these types of attacks: protocol and port exploitation, new exploits or buffer overflow attacks, DoS attacks based on payloads or volume, and variants of existing attacks in new environments.



PART V
Cryptography

Chapter 9 Cryptography Basics
Chapter 10 Deploying Cryptography


CHAPTER NINE
Cryptography Basics

Terms you need to understand:
✓ Cryptography
✓ Algorithm
✓ Key management
✓ Steganography
✓ Symmetric key
✓ Asymmetric key
✓ Confidentiality
✓ Integrity
✓ Availability
✓ Digital signatures
✓ Hashing
✓ Private key
✓ Public key
✓ Whole disk encryption
✓ Trusted platform module (TPM)
✓ One-time pad (OTP)

Techniques you need to master:
✓ Identifying key terms and understanding general cryptography concepts
✓ Identifying and understanding encryption algorithms and how they can be used to help improve security
✓ Identifying and understanding hashing algorithms and how they can be used to help improve security
✓ Understanding the concepts of using cryptography in a secure environment

A cryptosystem or cipher system provides a method for protecting information by disguising (encrypting) it into a format that can be read only by authorized systems or individuals. The use and creation of such systems is called cryptography, which is often considered to be both an art and a science.

Cryptography dates back to the ancient Assyrians and Egyptians. In the beginning, the systems of cryptography were manually performed, but during the twentieth century, machine and mechanical cryptography was born. The cryptography that is the focus of this chapter and the exam is modern cryptography, which began with the advent of the computer. Recently, modern cryptography has become increasingly important and ubiquitous.

There has been increasing concern about the security of data, which continues to rapidly grow across information systems and traverse and reside in many different locations. This, combined with more sophisticated attacks and a growing economy around computer-related fraud and data theft, makes the need to protect the data itself even more important than in the past. One practical way to secure this data is to use cryptography in the form of encryption algorithms applied to data that is passed around networks and to data at rest.

Because of the sensitive nature behind the uses of cryptography, the use of well-known, proven technologies is crucial. Back-doors and flaws, for example, can undermine any encryption algorithm, which is why proven algorithms such as those discussed in this chapter should always be considered. While various vendors might have their own encryption solutions, most of these depend upon well-known, time-tested algorithms, and generally speaking one should be skeptical of any vendor using a proprietary, non-proven algorithm.

This chapter discusses the concepts of cryptography and many popular encryption methods and their applications. In addition to being able to explain these fundamental cryptography concepts, you will begin to understand how cryptography can be used as a tool to protect and authenticate all types of information and to protect the computers and networks in information security systems.

NOTE
As related to cryptography, an algorithm is the mathematical procedure or sequence of steps taken to perform the encryption and decryption. Practically speaking, an algorithm can be thought of as a cooking recipe, which provides the ingredients needed and step-by-step instructions.

Encryption Algorithms

Encryption takes plain text data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher), which can be converted back to the easily readable plain text only by those in possession of the appropriate keys (or password, for example). There are two fundamental types of encryption algorithms: symmetric key and asymmetric key. As you might have guessed, symmetric key cryptography systems use symmetric key algorithms. Asymmetric key cryptography systems use asymmetric key algorithms, which rely on a different, but mathematically related, key pair. This section describes symmetric keys, asymmetric keys, and the importance of key management.

NOTE
Discussions about cryptography use the term key. A cryptography key describes a string of bits used to encrypt and decrypt data, which is analogous to the traditional metal object used with a physical locking device. These keys can also be thought of as a password or table.

Symmetric Keys

Symmetric key cryptography is an encryption system that uses a common shared key between the sender and receiver. These systems use the same key to encrypt and decrypt a message. The primary advantage to such a system is that it is easier to implement than an asymmetric system and is typically fast. However, the two parties must first somehow exchange the key securely, which introduces additional challenges around logistics and ensuring that the key was not compromised in the process. If the key is compromised at any point, it is impossible to guarantee that a secure connection has commenced.

Assume, for example, you have a friend located thousands of miles away from you, and to exchange secured messages you send messages back and forth in a secured lockbox. In this scenario, you both have a copy of the key to the lockbox. Although this works, how did you securely deliver the key to your friend? Somehow the key must have been communicated or delivered to your friend. Now imagine a system in which more than two parties are involved. In this scenario, every party participating in communications must have the exact same key on the other end to compare the information. We address this issue later when we discuss asymmetric keys in the following section.
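The shared-key property described above, as an added example that is not code from the book: a toy stream cipher whose keystream is derived from the shared secret with SHA-256 in counter mode (an illustrative construction, not a vetted cipher such as AES-GCM, which is what a real deployment would use). Encryption and decryption are the same XOR, so whoever does not hold the exact same key gets garbage back, and shared_keys_needed shows how the number of keys to distribute grows when more than two parties are involved. The key, nonce size and message are constructed for the example.

```python
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated.
    Illustrative only; real systems use a standard cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext. A fresh nonce per message keeps the
    keystream from repeating under the same key."""
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """Same operation as encryption, which is why both ends need the SAME key."""
    nonce, ciphertext = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def shared_keys_needed(parties: int) -> int:
    """Distinct pairwise secret keys for n parties: n(n-1)/2.
    Two friends need 1 key; ten parties already need 45."""
    return parties * (parties - 1) // 2


def demo():
    """Round trip with the shared key, then an attempt with a different key."""
    key = secrets.token_bytes(32)            # constructed: the shared secret
    msg = b"meet at the lockbox at noon"     # constructed sample message
    blob = symmetric_encrypt(key, msg)
    ok = symmetric_decrypt(key, blob) == msg
    wrong = symmetric_decrypt(secrets.token_bytes(32), blob) == msg
    return ok, wrong                          # (True, False)


if __name__ == "__main__":
    print(demo(), shared_keys_needed(10))
```

The XOR construction has no integrity protection at all: flipping a ciphertext bit flips the same plaintext bit, which is one reason the MAC and digital signature material later in this chapter exists.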

NOTE
Symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms.

EXAM ALERT
A symmetric key is a single cryptographic key used with a secret key (symmetric) algorithm. The symmetric key algorithm uses the same private key for both operations of encryption and decryption.

Even given the possible risks involved with symmetric key encryption, the method is used often today mainly because of its simplicity and easy deployment. In addition, it is generally considered a strong encryption method as long as the source and destination that house the key information are kept secure.

Asymmetric Keys

The asymmetric encryption algorithm has two keys: a public one and a private one. The public key is made available to whoever is going to encrypt the data sent to the holder of the private key. The private key is maintained on the host system or application. Often, the public encryption key is made available in a number of fashions, such as email or centralized servers that host a pseudo address book of published public encryption keys. One of the challenges, however, is ensuring authenticity of the public key. To address this, a public key infrastructure (PKI) is often used. A PKI uses trusted third parties that certify or provide proof of key ownership. PKI is discussed in greater detail in Chapter 10, “Cryptography Deployment.” Figure 9.1 illustrates the asymmetric encryption process.

[Figure 9.1 An example of asymmetric encryption: Plaintext is encrypted with the Public Key into Ciphertext, which is decrypted with the Private Key back into Plaintext.]

NOTE
Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm.

As an example of asymmetric encryption, we’ll use the secure exchange of an email. When someone wants to send a secure email to another, he or she obtains the target user’s public encryption key and encrypts the message using this key. Because the message can be unencrypted only with the private key, just the target user can read the information held within. Ideally, for this system to work well, everyone should have access to everyone else’s public keys.

Imagine a postal mailbox that allows the letter carrier to insert your mail via an open slot, but only you have the key to get the mail out. This is analogous to an asymmetric system in which the open slot is the public key. If you are concerned about the security of your mail, this is much easier than ensuring every letter carrier has a copy of your mailbox key! The letter carrier is also thankful he or she isn’t required to carry hundreds of different keys to complete mail-delivery duties.

Public key encryption has proven useful on networks such as the Internet. This is primarily because the public key is all that needs to be distributed. Because nothing harmful can be done with the public key, it is useful over unsecured networks where data can pass through many hands and is vulnerable to interception and abuse. Symmetric encryption works fine over the Internet, too, but the limitations on providing the key securely to everyone that requires it can be difficult. In addition, asymmetric key systems are also used to verify digital signatures, which provide assurance that communications have not been altered and that the communication arrived from an authorized source.

NOTE
Some general rules for asymmetric algorithms include the following:
• The public key can never decrypt a message that it was used to encrypt with.
• Private keys should never be able to be determined through the public key (if it is designed properly).
• Each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it.

EXAM ALERT
In an asymmetric key system, each user has a pair of keys: a private key and a public key. Sending an encrypted message requires you to encrypt the message with the recipient’s public key, which in turn gets decrypted by the recipient with his or her private key.

Key Management

Even data encrypted with the most powerful encryption algorithm is still highly vulnerable if proper management of the keys is not addressed. Analogous to a door lock, keys provide the mechanism necessary to perform the lock and unlock. And just like your house door, even the best dead-bolt is no match for the burglar who finds the key in the flowerpot, under the doormat, or worse, left in the door lock itself. Proper management of the keys is vital to the effectiveness of cryptosystems. Over the past several years, while encryption of sensitive data has seen an increase in use, only recently has the importance key management plays in any encryption strategy been understood. The management of keys is really a life cycle and involves various tasks, including registration, generation, distribution, storage, use, rotation, revocation, and destruction.

Steganography

Steganography is a word of Greek origin meaning “hidden writing.” Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. For example, writing a letter using plain text but in invisible ink is an example of the use of steganography. The content is not scrambled in any way; it is just hidden. Another interesting example, albeit a bit cumbersome, is the historical use of writing a secret message on the scalp of one’s bald head, and then allowing the hair to grow back, ultimately to be shaved again upon arrival at the intended recipient. Compare this to cryptography, which does not seek to hide the fact a message exists, but rather to just make it unreadable by anyone other than the intended recipients. Steganography seeks to hide the presence of a message, whereas the purpose of cryptography is to transform a message from its readable plain text into an unreadable form known as ciphertext.

EXAM ALERT
Steganography is not cryptography, but the two are related and often used in conjunction with one another.
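The “hiding messages in digital media” use of steganography, as an added example rather than anything from the book: least-significant-bit (LSB) embedding, the textbook technique for hiding bytes inside 8-bit samples (pixels or audio samples). Each cover byte carries one bit of payload in its lowest bit, so no sample changes by more than 1, and a 4-byte length prefix tells the extractor where the payload ends. The cover “image” is a constructed byte array standing in for real media; the sample secret is constructed too.

```python
def hide_message(cover: bytes, secret: bytes) -> bytes:
    """Embed `secret` in the least-significant bit of each cover byte.
    A 32-bit big-endian length prefix lets the extractor find the end."""
    payload = len(secret).to_bytes(4, "big") + secret
    # Most-significant bit first for every payload byte.
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for this message")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear LSB, then set it
    return bytes(stego)


def extract_message(stego: bytes) -> bytes:
    """Read the LSBs back: first the length prefix, then that many bytes."""
    def read_bytes(bit_offset: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_lsb_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by
    more than 1, which is why it is visually/audibly unnoticeable."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed cover: a deterministic ramp standing in for 4096 pixel samples.
    cover = bytes((i * 37 + 11) % 256 for i in range(4096))
    stego = hide_message(cover, b"The lockbox key is under the mat")
    print(extract_message(stego), max_lsb_change(cover, stego))
```

As the chapter notes, the hidden payload is still plaintext: anyone who knows to read the low bits recovers it, so in practice the secret fed to hide_message should already be ciphertext from one of the encryption algorithms discussed above.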

Of course, steganography is useless if someone other than the intended recipient knows where to look. As a result, steganography is best used when combined with encryption. This adds an additional layer of security by not even allowing attackers to attempt to crack encryption into a readable form, if they don’t even know the message exists in the first place. In fact, steganography is not just the stuff of child’s play or far-fetched spy movies. Modern uses are various, including hiding messages in digital media and digital watermarking. In addition, steganography has been used by many printers, using tiny dots that reveal serial numbers and time stamps. In fact, steganography recently entered into mainstream media with various reports since the terrorist attacks of 9/11 that terrorists may have and are using this practice to secretly hide messages.

CIA Triad

For many years, information security has maintained three core principles: confidentiality, integrity, and availability (also known as the CIA triad). Confidentiality describes the act of limiting disclosure of private information. Integrity pertains to preventing unauthorized modifications of information or systems. Availability is about maintaining continuous operations and preventing service disruptions. Analysis of security risk exposure first considers the likelihood of a particular threat being realized against a vulnerability. Next, you must consider how grave the impact might be on confidentiality, integrity, and availability of data and information systems. This section discusses each of these in detail. In addition, this chapter touches upon some ideas that augment the CIA triad.

Confidentiality

A key benefit that derives from encryption is the promise of confidentiality. Like any open environment where sensitive information is shared, the most important thing to most people is keeping the information secret and not letting anyone know you are sending the data. It is not unheard of to have large corporations hire people to spy on and try to capture sensitive data being transmitted on competitors’ networks to try to gain an edge. Therefore, the ability of encryption to provide confidentiality is important to today’s companies and to individuals in countries that restrict free speech and monitor the messages and email sent and received over the Internet.

EXAM ALERT
Confidentiality is concerned with the unauthorized disclosure of sensitive information.

In some countries, access to the Internet is limited by the government. In addition to restricting the information an individual can access, the government might record and monitor the information the individual posts. Encryption enables people to take some control away from the government; therefore, strong encryption isn’t popular with these types of governments unless it’s for their own use.

Pretty Good Privacy (PGP)

In the early 1990s, the U.S. government tried to suppress the use of Pretty Good Privacy (PGP), which was gaining popularity and exposure in the media. (PGP is the email program that uses encryption and is available to anyone who wants to download it within North America.) Part of the government’s argument against PGP was that it could not control the information people were sending. On the one hand, criminals could use encryption and seemingly be able to hide their online activities and data from the prying eyes of the government. The government tried to force the software to be taken down and made unavailable to public consumption. Eventually, the public’s right to use encryption (and PGP in particular) won out.

Integrity

Ensuring that the data you send arrives at its intended destination unmodified is one of those things you take for granted in most cases. In many cases, corporations and organizations around the world require integrity when transferring data over unsecured networks. Integrity is the assurance that data and information can be modified only by those authorized to do so. Like confidentiality, integrity can be provided using encryption if you have a secure algorithm. When the data arrives at its destination, it can be decrypted. If the key has been changed or the data modified, the recipient may not be able to open or decrypt the data. The recipient can either discard the data or request another copy or confirmation directly from the sender. Integrity can take many forms, depending on the encryption algorithm used. If you have sensitive data or you need to assure the recipient that the data being delivered is actually from you, consider one of the other major benefits of encryption: integrity. In the case of digital signatures (which you will learn about shortly), you can also provide verification that the data is from you. If the digital signature on the data being sent cannot be unencrypted, the data might not be from whom it purports to be, or it might have been modified. In addition, for example, contractors that deal with the U.S. government (particularly with the military) have

to run a minimum level of encryption before they are even allowed to do any kind of work. This restriction exists because of the sensitive nature of the information transmitted. For some contractors, a minimum level of overall security compliance relates not only to encryption but also to specific security practices. By selecting the right encryption algorithm or the right combination of algorithms and digital signature schemes, you can increase both the confidentiality and integrity of your data.

Availability

Availability refers to the accessibility of information and information systems when they are needed. Organizations increasingly rely on information systems, and so the availability of these systems becomes increasingly important. The most sound security practices mean little if the systems aren’t available. In many cases, any denial of service can contribute to significant monetary losses and perhaps even endanger lives (hospital information systems, for instance). Keep in mind that availability not only refers to ensuring acceptable uptime; it also addresses guaranteed service and system performance levels.

Nonrepudiation and Digital Signatures

Nonrepudiation is intended to provide, through encryption, a method of accountability that makes it impossible to refute the origin of data. It guarantees that the sender cannot later deny being the sender and that the recipient cannot deny receiving the data. This definition, however, does not factor in the possible compromise of the workstation or system used to create the private key and the encrypted digital signature. The following list outlines four of the key elements that nonrepudiation services provide on a typical client/server connection:
• Proof of origin—The host gets proof that the client is the originator of particular data or an authentication request from a particular time and location.
• Proof of submission—The client gets proof that the data (or authentication in this case) has been sent.
• Proof of delivery—The client gets proof that the data (or authentication in this case) has been received.

• Proof of receipt—The client gets proof that the data (or authentication in this case) has been received correctly.

Nonrepudiation is unique to asymmetric systems because the private (secret) key is not shared. Remember that in a symmetric system, both parties involved share the secret key, and therefore any party can deny sending a message by claiming the other party originated the message. Although authentication and nonrepudiation may appear to be similar, the difference is that with nonrepudiation, proof can be demonstrated to a third party. Earlier in this chapter, you read that digital signatures provide integrity and authentication. In addition, digital signatures provide nonrepudiation with proof of origin. A sender of a message signs a message using his or her private key. This provides unforgeable proof that the sender did indeed generate the message. This ensures that something signed cannot be repudiated.

Digital signatures attempt to guarantee the identity of the person sending the data from one point to another. The digital signature acts as an electronic signature used to authenticate the identity of the sender and to ensure the integrity of the original content (that it hasn’t been changed). Digital signatures can easily be transported and are designed so that they cannot be copied by anyone else. The digital signature contains the digital signature of the certificate authority (CA) that issued the certificate for verification. Ideally, if a packet of data is digitally signed, it can only bear the original mark of the sender. If this mark differs, the receiver knows that the packet differs from what it is supposed to be, and either the packet is not unencrypted or is dropped altogether. The point of this verification is to prevent or alert the recipient to any data tampering. This works based on the encryption algorithm

Finally, do not confuse digital signatures with encryption. Although digital signatures and encryption use related concepts, their intentions and operations differ significantly. A digital signature does not have to accompany an encrypted message. It can simply be used to assure the receiver of the sender’s identity and that the message’s integrity was maintained. In addition, do not confuse a digital signature with the block of identification information, such as the sender’s name and telephone number or digitally created image, often appended to the end of an email.

CAUTION
Do not confuse a digital signature with a digital certificate (discussed in the next chapter).

principles discussed previously. If you cannot determine what the original data was in the encrypted data (in this case, the signature), it becomes much harder to fake the data and actually get it past the receiver as legitimate data.

For example, suppose you need to digitally sign a document sent to your stockbroker. You need to ensure the integrity of the message and assure the stockbroker that the message is really from you. The exchange looks like this:
1. You type the email.
2. Using software built in to your email client, you obtain a hash (which you can think of as a digital fingerprint) of the message.
3. You use your private key to encrypt the hash. This encrypted hash is your digital signature for the message.
4. You send the message to your stockbroker.
5. Your stockbroker receives the message. Using his software, he makes a hash of the received message.
6. The stockbroker uses your public key to decrypt the message hash.
7. A match of the hashes proves that the message is valid.

Whole Disk Encryption

Often called full disk encryption (FDE), whole disk encryption has gained popularity in recent years to help mitigate the risks associated with lost or stolen laptops and accompanying disclosure laws. Unlike selective file encryption, whole disk encryption is meant to encrypt the entire contents of the drive (even temporary files and memory). Whole disk encryption can either be hardware- or software-based. In addition, unlike file- or folder-level encryption, which might require the end user to take responsibility for encrypting files, encrypting the contents of the entire drive takes the onus off individual users. It is not unusual for end users to sacrifice security for convenience, especially when they do not fully understand the associated risks. Nevertheless, along with the benefits of whole disk encryption come certain tradeoffs. For example, although whole disk encryption might make it easier for an organization to deal with a stolen or otherwise lost laptop, the fact that the entire disk is encrypted could present management challenges, including not being able to effectively control who has unauthorized access to sensitive data. In addition, key management becomes increasingly important. For example, loss of the decryption keys could render the data unrecoverable.

To effectively use whole disk encryption products, you should also use a preboot authentication mechanism. That is, the user attempting to log on must provide authentication before the actual operating system boots. Therefore, the encryption key is decrypted only after another key is input into this preboot environment. Most vendors typically offer different options, such as the following:
• Username and password (typically the least secure)
• Smart card or smart card–enabled USB token along with a PIN (which provides two-factor functionality and can often be the same token or smart card currently used for access elsewhere)
• A Trusted Platform Module to store the decryption key (discussed more in the next section)

Trusted Platform Module

The Trusted Computing Group is responsible for the Trusted Platform Module (TPM) specification. TPM refers to a secure cryptoprocessor used to authenticate hardware devices such as a PC or laptop. The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. At the most basic level, TPM provides for the secure storage of keys, passwords, and digital certificates, and is hardware-based, typically attached to the circuit board of the system. TPM is composed of various components. You should be familiar with some key TPM concepts, including the following:
• Endorsement key (EK)—A 2048-bit asymmetric key pair created at the time of manufacturing and which cannot be changed.
• Storage root key (SRK)—A 2048-bit asymmetric key pair generated within a TPM and used to provide encrypted storage.
• Sealed storage—Protects information by binding it to the system, which means the information can be read only by the same system in a particular described state.
• Attestation—Vouching for the accuracy of the system.

TPM can be used to ensure that a system is authenticated and to ensure that the system has not been altered or breached. Thus, it has many possible applications, such as network access control (NAC), software license enforcement, digital rights management (DRM), secure remote access, secure transmission of data, whole disk encryption, and

credential protection. Interestingly, part of what makes TPM effective is that the TPM module is given a unique ID and master key that even the owner of the system neither controls nor has knowledge of. On the other hand, critics of TPM argue that this security architecture puts too much control into the hands of those who design the related systems and software. So, concerns arise about several issues, including DRM, loss of anonymity, loss of end-user control, and interoperability.

Hashing Concepts

A hash is a generated summary from a mathematical rule or algorithm and is used commonly as a “digital fingerprint” to verify the integrity of files and messages and to ensure message integrity and provide authentication verification. Hash functions work by taking a string (for example, a password or email) of any length and producing a fixed-length string for output. Keep in mind that hashing is one way. Although you can create a hash from a document, you cannot recreate the document from the hash. In other words, hashing algorithms are not encryption methods but offer additional system security via a “signature” for data confirming the original content.

If this all sounds confusing, the following example should help clear things up. Suppose you want to send an email to a friend, and you also want to ensure that during transit it cannot be read or altered. You would first use software that generates a hash value of the message to accompany the email, and then encrypt both the hash and the message. After receiving the email, the recipient’s software decrypts the message and the hash and then produces another hash from the received email. The two hashes are then compared, and a match indicates that the message was not tampered with. (Any change in the original message produces a change in the hash.)

A Message Authentication Code (MAC) is similar to a hash function, but is able to resist forgery and is not open to man-in-the-middle attacks. A MAC can be thought of as an encrypted hash—combining an encryption key and a hashing algorithm. The MAC is a small piece of data known as an authentication tag, which is derived by applying a message or file combined with a secret key to a cryptographic algorithm. The resulting MAC value can ensure the integrity of the data as well as its authenticity, as one in possession of the secret key can subsequently detect whether there are any changes from the original.

EXAM ALERT
A message authentication code (MAC) is a bit of a misnomer. Remember that in addition to providing authentication services, as the name suggests, a MAC also provides for data integrity.
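Returning to the TPM concepts listed in the previous section, here is an added simulation (not the book's code, and not a real TPM interface) of sealed storage and attestation: a measurement register that can only be extended, in the manner of a PCR, a storage root key that never leaves the "chip" object, and a seal/unseal pair that releases a disk encryption key only when the platform later measures the same boot state. The hash-chain layout, the HMAC-based sealing and the constructed boot components are all assumptions made for illustration; real TPMs use their own key hierarchy and sign attestation quotes with an attestation key.

```python
import hashlib
import hmac
import secrets


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)). Order matters and it cannot be undone,
    so the final value is a fingerprint of the whole boot sequence."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure each boot component in turn, starting from the all-zero reset value."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class SimulatedTPM:
    """Toy stand-in for the chip: the root key is created inside and never returned."""

    def __init__(self):
        self._srk = secrets.token_bytes(32)       # stands in for the storage root key

    def _kek(self, pcr: bytes) -> bytes:
        # Key-encrypting key bound to a platform state: different state, different key.
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> bytes:
        """Sealed storage: bind `secret` (<= 32 bytes) to the expected PCR value."""
        assert len(secret) <= 32
        kek = self._kek(expected_pcr)
        nonce = secrets.token_bytes(16)
        ks = hashlib.sha256(kek + nonce).digest()           # toy one-block keystream
        ct = bytes(s ^ k for s, k in zip(secret, ks))
        tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes, current_pcr: bytes):
        """Returns the secret only if the current PCR matches the sealing state."""
        kek = self._kek(current_pcr)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                     # state differs: refuse
        ks = hashlib.sha256(kek + nonce).digest()
        return bytes(c ^ k for c, k in zip(ct, ks))

    def quote(self, pcr: bytes, verifier_nonce: bytes) -> bytes:
        """Attestation: vouch for the measured state, freshened by the verifier's nonce."""
        return hmac.new(self._srk, pcr + verifier_nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    tpm = SimulatedTPM()
    # Constructed boot chains: a known-good one and one with an altered bootloader.
    good = measure_boot([b"firmware v1", b"bootloader v1", b"kernel v1"])
    bad = measure_boot([b"firmware v1", b"bootloader TAMPERED", b"kernel v1"])
    blob = tpm.seal(b"disk-encryption-key-0123456789ab", good)
    print(tpm.unseal(blob, good), tpm.unseal(blob, bad))
```

This is the mechanism behind the "TPM to store the decryption key" preboot option: the whole disk key is released to the boot loader only when the measured firmware, boot loader and kernel match the state it was sealed to, so a modified boot chain gets nothing to decrypt with.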

Chapter 9: Cryptography Basics

Cryptographic Hash Functions
Numerous hash functions exist, and many published algorithms are known to be insecure. You should be familiar with the following two common hash algorithms:

- Message Digest Series Algorithm (MD2, MD4, MD5)—A series of encryption algorithms created by Ronald Rivest (founder of RSA Data Security, Inc.) designed to be fast, simple, and secure. The MD series generates a hash of up to 128-bit strength out of any length of data. The Message Digest Algorithm has been refined over the years (and hence the version numbers). The most commonly used is MD5, which is faster than the others. Recently, however, the hash used in MD4 has been successfully broken. This security breach spurred the development of MD5, which features a redeveloped cipher that makes it stronger than the MD4 algorithm while still featuring a 128-bit hash. Both MD4 and MD5 produce a 128-bit hash.
- Secure Hash Algorithm (SHA, SHA-1)—Hash algorithms pioneered by the National Security Agency and widely used in the U.S. government. SHA-1 can generate a 160-bit hash from any variable-length string of data, making it very secure, but also resource-intensive. Although MD5 is the more common hashing algorithm, SHA-1 is quickly being embraced by those outside of the U.S. government. Both SHA and the MD series are similar in design; however, keep in mind that because of the higher bit strength of the SHA-1 algorithm, it will be in the range of 20% to 30% slower to process than the MD family of algorithms. Recently, a contest was announced to design a hash function (SHA-3) to replace the aging SHA-1.

EXAM ALERT Hashing within security systems is used to ensure the integrity of transmitted messages (that is, to be certain they have not been altered) and for password verification. Be able to identify both the SHA and MD series as hashing algorithms.

Windows Authentication Hashing Algorithms
In addition to the hashing algorithms just mentioned, you also should be aware of the LAN Manager hash (LM hash or LANMan hash) and the NT LAN Manager hash (NTLM hash, also called the Unicode hash).
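The email scenario from the Hashing Concepts section and the digest sizes just given, as an added example that is not code from the book: a plain hash over the message, an HMAC tag keyed with a shared secret, and the checks each one supports. The message and key are constructed sample values.

```python
"""Hash versus MAC over the email scenario (added example, not from the book).

A plain hash proves only that the bytes did not change by accident: anyone can
recompute it over altered text. An HMAC keyed with a shared secret also resists
forgery, because a valid tag cannot be produced without the key. The digest
sizes reported match the text: MD5 gives 128 bits, SHA-1 gives 160 bits.
"""
import hashlib
import hmac

# Constructed sample message and shared secret (not real data).
MESSAGE = b"Meet me at the clubhouse at 9. The password is open sesame."
SECRET_KEY = b"shared-secret-known-only-to-sender-and-recipient"


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def hash_message(message: bytes, algorithm: str = "sha1") -> bytes:
    """One-way hash of the message; carries no secret, so it only proves integrity."""
    return hashlib.new(algorithm, message).digest()


def hash_matches(message: bytes, expected: bytes, algorithm: str = "sha1") -> bool:
    """Recompute the hash of a received message and compare it with the one sent."""
    return hmac.compare_digest(hash_message(message, algorithm), expected)


def mac_message(message: bytes, key: bytes, algorithm: str = "sha256") -> bytes:
    """Keyed authentication tag (HMAC): only holders of the key can produce it."""
    return hmac.new(key, message, algorithm).digest()


def mac_verify(message: bytes, tag: bytes, key: bytes, algorithm: str = "sha256") -> bool:
    """Check a received tag; compare_digest avoids leaking where a comparison fails."""
    return hmac.compare_digest(mac_message(message, key, algorithm), tag)


def demo() -> dict:
    """Run the sender/recipient exchange once and report what each check detects."""
    sent_hash = hash_message(MESSAGE)
    sent_tag = mac_message(MESSAGE, SECRET_KEY)

    # The message is altered in transit.
    tampered = MESSAGE.replace(b"at 9", b"at 10")

    # Without a key, anyone can recompute a matching hash for the altered text,
    # so a hash alone cannot tell a deliberate change from the original.
    recomputed_hash = hash_message(tampered)
    # Lacking the secret, a forger can only guess a key for the new tag.
    forged_tag = mac_message(tampered, b"wrong-key-guess")

    return {
        "md5_bits": digest_bits("md5"),
        "sha1_bits": digest_bits("sha1"),
        "hash_detects_change": not hash_matches(tampered, sent_hash),
        "hash_can_be_recomputed": hash_matches(tampered, recomputed_hash),
        "mac_accepts_genuine": mac_verify(MESSAGE, sent_tag, SECRET_KEY),
        "mac_rejects_change": not mac_verify(tampered, sent_tag, SECRET_KEY),
        "mac_rejects_forged_tag": not mac_verify(tampered, forged_tag, SECRET_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```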

LM hash is based on DES encryption (discussed in the next section), but it is not considered effective (and is technically not truly a hashing algorithm) because of design implementation weaknesses. The two primary weaknesses of LM hash are as follows:

- All passwords longer than seven characters are broken down into two chunks, from which each piece is hashed separately. As a result, each half of the password can be cracked separately.
- Before the password is hashed, all lowercase characters are converted to uppercase characters. As a result, the scope of the character set is greatly reduced.

(It's quite easy to crack an LM hash using your average computer system and one of the many cracking tools available.) As a result of weaknesses within the LM hash, Microsoft later introduced the NTLM hashing method in early versions of Windows NT. However, the LM hash algorithm was still commonly used by Microsoft operating systems before Windows Vista. Although Windows Vista still includes support, it is disabled by default. NTLM hashing makes use of the MD4 hashing algorithm and is used on more recent versions of the Windows operating system. The NTLM hash is an improvement over the LM hash.

TIP Although the latest versions of Windows since NT 3.1 use the NTLM hash, Windows still makes use of the LM hash for compatibility with earlier systems (Windows Me and earlier operating systems). It is recommended that this be disabled if it is not required.

Symmetric Encryption Algorithms
Earlier in this chapter, you were introduced to the concept of symmetric key encryption, in which a common shared key or identical key is used between the sender and the receiver. Symmetric algorithms can be classified as either block ciphers or stream ciphers. A block cipher encrypts the message in chunks. A stream cipher, as the name implies, encrypts the message bit by bit, one at a time. Myriad symmetric key algorithms are in use today. The more commonly used algorithms include the following:

- Data Encryption Standard (DES)—DES was adopted for use by the National Institute of Standards and Technology (NIST) in 1977. DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Although it is considered a strong algorithm, it is limited in use because of its relatively short key-length limit.
- Triple Data Encryption Standard (3DES)—3DES, also known as Triple-DES, dramatically improves upon the DES by using the DES algorithm three times with three distinct keys. This provides a total bit strength of 168 bits. 3DES superseded DES in the late 1990s.
- Advanced Encryption Standard (AES)—Also called Rijndael, NIST chose this block cipher to be the successor to DES. AES is similar to DES in that it can create keys from 128 bits to 256 bits in length and can perform the encryption and decryption of up to 128-bit chunks of data (in comparison to the 64-bit chunks of the original DES). Similar to 3DES, the data is passed through three layers, each with a specific task, such as generating random keys based on the data and the bit strength being used. The data is then encrypted with the keys through multiple encryption rounds, and then the final key is applied to the data.
- International Data Encryption Algorithm (IDEA)—Originally created around 1990, IDEA went through several variations before arriving at its final acronym. Originally called the Proposed Encryption Standard (PES), it was later renamed and refined to the Improved Proposed Encryption Standard (IPES). After even more refinement, it was ultimately named IDEA in 1992. In its final form, IDEA is capable of encrypting 64-bit blocks of data at a time and uses a 128-bit-strength encryption key. The use of IDEA has been limited primarily because of software patents on the algorithm, which many believe hinder development, research, and education.
- Rivest Cipher (RC2, RC4, RC5, RC6)—As far as widely available commercial applications go, the Rivest Cipher (RC) encryption algorithms are the most commonly implemented ciphers for encryption security. The RC series (RC2, RC4, RC5, and RC6) are all similarly designed, yet each version has its own take on cipher design, as well as its own capabilities. RC2, RC5, and RC6 are block ciphers, whereas RC4 is a stream cipher.
- Blowfish Encryption Algorithm—Blowfish is a block cipher, like DES, that can encrypt using any size chunk of data. In addition, Blowfish can also perform encryption with any length encryption key up to 448 bits, making it a flexible and secure symmetric encryption algorithm.

Table 9.1 compares the algorithms just mentioned (and some lesser-known ones). As you review the table, notice the differences between the various types of RC algorithms.

TABLE 9.1 A Comparison of Symmetric Key Algorithms

Algorithm          Cipher Type   Key Length
DES                Block         56 bits
Triple-DES (3DES)  Block         168 bits
AES (Rijndael)     Block         128–256 bits
Blowfish           Block         1–448 bits
IDEA               Block         128 bits
RC2                Block         1–2048 bits
RC4                Stream        1–2048 bits
RC5                Block         128–256 bits
RC6                Block         128–256 bits
CAST               Block         128–256 bits
MARS               Block         128–256 bits
Serpent            Block         128–256 bits
Twofish            Block         128–256 bits

EXAM ALERT Be sure you understand the differences between various symmetric key algorithms. Note that these are symmetric, and not asymmetric, and be sure to differentiate between stream ciphers and block ciphers.

An Unbreakable Algorithm?
Throughout history, the common theme among "unbreakable" algorithms is that through practice or theory, they are all breakable. However, one type of cipher has perhaps earned the distinction of being completely unbreakable: one-time pad (OTP). Within an OTP, there are as many bits in the key as in the plain text to be encrypted, and this key is to be random and, as the name suggests, used only once, with no portion of the key ever being reused. Without the key, an attacker cannot crack the ciphertext, even via a brute-force attack in search of the entire key space. Unfortunately, the OTP currently has the tradeoff of requiring a key as long as the message, thus creating significant storage and transmission costs.
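The one-time pad properties stated above, as an added example that is not code from the book: the pad is as long as the message, every candidate plaintext of that length is explained by some key (so searching the key space is pointless), and reusing a pad cancels the key out of the two ciphertexts, which is why the text insists on single use. Messages are constructed sample values.

```python
"""One-time pad and why it must never be reused (added example, not from the book).

The pad is generated from the OS CSPRNG and is exactly as long as the message.
Without the pad, any same-length plaintext is equally possible, so a brute-force
search of the key space singles out nothing. If one pad protects two messages,
XOR of the ciphertexts equals XOR of the plaintexts: the key is gone.
"""
import secrets


def make_pad(length: int) -> bytes:
    """Fresh random key material, one byte per plaintext byte."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse); the pad must match the length."""
    if len(pad) != len(data):
        raise ValueError("one-time pad must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def key_that_yields(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """The pad under which this ciphertext would decrypt to the candidate.

    One such pad exists for every candidate of the right length, which is why
    trying every key cannot reveal which plaintext was actually sent.
    """
    return otp_xor(ciphertext, candidate_plaintext)


def pad_reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """For two messages under one pad, c_a XOR c_b equals p_a XOR p_b (no key needed)."""
    return otp_xor(ciphertext_a, ciphertext_b)


def demo() -> dict:
    """Exercise correct use, the key-space argument, and the reuse failure mode."""
    # Constructed sample messages of equal length (not real traffic).
    message = b"ATTACK AT DAWN"
    other_message = b"DEFEND AT NOON"

    pad = make_pad(len(message))
    ciphertext = otp_xor(message, pad)

    # A different plaintext of the same length is explained by a different pad.
    alternative_pad = key_that_yields(ciphertext, other_message)

    # Misuse: the same pad protects a second message.
    reused_ciphertext = otp_xor(other_message, pad)

    return {
        "key_is_message_length": len(pad) == len(message),
        "round_trip_ok": otp_xor(ciphertext, pad) == message,
        "other_plaintext_also_fits": otp_xor(ciphertext, alternative_pad) == other_message,
        "reuse_cancels_key": pad_reuse_leak(ciphertext, reused_ciphertext)
        == otp_xor(message, other_message),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```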

Asymmetric Encryption Algorithms
Various asymmetric algorithms have been designed, but few have gained the widespread acceptance of symmetric algorithms. Also, because of the additional overhead generated by using two keys for encryption/decryption, asymmetric algorithms require much more resources than symmetric algorithms. Some systems incorporate a mixed approach, using both asymmetric and symmetric encryption to take advantage of the benefits that each provides. PGP is an example of such a system. PGP was originally designed to provide for the encryption/decryption of email and for digitally signing emails. PGP and other similar hybrid encryption systems such as the GNU Privacy Guard (GnuPG or GPG) program follow the OpenPGP format and use a combination of public key and private key encryption. In fact, asymmetric algorithms are used at the beginning of a process to securely distribute symmetric keys. From that point on, after the private keys have been securely exchanged, they can be used for encryption and decryption (thus solving the issue of key distribution).

While reading this section about the asymmetric algorithms, keep in mind that some have unique features, including built-in digital signatures (which you will learn more about later). Popular asymmetric encryption algorithms include the following:

- Rivest, Shamir, and Adleman encryption algorithm (RSA)—RSA, named after the three men who developed it, is a well-known cryptography system used for encryption and digital signatures. The RSA key length may be of any length, and the algorithm works by multiplying two large prime numbers. In addition, through other operations in the algorithm, it derives a set of numbers: one for the public key and the other for the private key. In fact, the RSA algorithm is considered by many the standard for encryption and the core technology that secures most business conducted on the Internet.

NOTE In 2000, RSA Security Inc. (now known as RSA, The Security Division of EMC) released the RSA algorithm into the public domain. This release allows anyone to create products incorporating their own implementation of the algorithm without being subject to license and patent enforcement.

- Diffie-Hellman key exchange—The Diffie-Hellman key exchange (also called exponential key agreement) is an early key exchange design whereby two parties, without prior arrangement, can agree upon a secret key that is known only to them. The keys are passed in a way that they are not compromised, using encryption algorithms to verify that the data is arriving at its intended recipient.
- El Gamal encryption algorithm—As an extension to the Diffie-Hellman design, in 1985 Dr. El Gamal took to task the design requirements of using encryption to develop digital signatures. Instead of focusing just on the key design, El Gamal designed a complete public key encryption algorithm using some of the key exchange elements from Diffie-Hellman and incorporating encryption on those keys. The resultant encrypted keys reinforced the security and authenticity of public key encryption design and helped lead to later advances in asymmetric encryption technology.
- Elliptic curve cryptography (ECC)—Elliptic curve techniques use a method in which elliptic curves are used to calculate simple but very difficult to break encryption keys for use in general-purpose encryption. One of the key benefits of ECC encryption algorithms is that they have a compact design because of the advanced mathematics involved in ECC. For instance, an ECC encryption key of 160-bit strength is, in actuality, equal in strength to a 1024-bit RSA encryption key.

Throughout this section on different encryption algorithms, you have learned how each type of symmetric and asymmetric algorithm performs. One thing you haven't seen yet is how bit strengths compare to each other when looking at asymmetric and symmetric algorithms in general. The following list reveals why symmetric algorithms are favored for most applications and why asymmetric algorithms are widely considered very secure but often too complex and resource-intensive for every environment:

- 64-bit symmetric key strength = 512-bit asymmetric key strength
- 112-bit symmetric key strength = 1792-bit asymmetric key strength
- 128-bit symmetric key strength = 2304-bit asymmetric key strength

As you can see, a dramatic difference exists in the strength and consequently the overall size of asymmetric encryption keys. For most environments today, 128-bit strength is considered adequate; therefore, symmetric encryption may often suffice. If you want to simplify how you distribute keys, however, asymmetric encryption may be the better choice.

Wireless
In recent years, there has been the proliferation of wireless local area networks (WLANs), based on the standards defined in IEEE 802.11. One of the earlier algorithms used to secure 802.11 wireless networks is Wired Equivalent Privacy (WEP), which uses the RC4 cipher for confidentiality. However, the WEP algorithm, although still widely used, is no longer considered secure and has been replaced. Temporal Key Integrity Protocol (TKIP) is the security protocol designed to replace WEP and is also known by its later iterations of Wi-Fi Protected Access (WPA) or even WPA2. Similar to WEP, TKIP uses the RC4 algorithm and does not require an upgrade to existing hardware, whereas more recent protocols such as Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which use the AES algorithm, do require an upgrade.

Exam Prep Questions

1. In encryption, when data is broken into a single unit of varying sizes (depending on the algorithm) and the encryption is applied to those chunks of data, what type of algorithm is this?
A. Symmetric encryption algorithm
B. Digital signature
C. Block cipher
D. All of the above
E. None of the above

2. What type of algorithm does the MD series of encryption algorithms use?
A. Asymmetric encryption algorithm
B. Symmetric encryption algorithm
C. Hashing algorithm
D. All of the above
E. None of the above

3. The National Institute of Standards and Technology (NIST) put out a call to have a new algorithm replace the aging DES as the standard encryption algorithm. Which algorithm was eventually selected as the Advanced Encryption Standard?
A. Rijndael
B. 3DES
C. RC6
D. Twofish
E. CAST

4. Which type of algorithm generates a key pair (a public key and a private key) that is then used to encrypt and decrypt data and messages sent and received?
A. Elliptic curve
B. Symmetric encryption algorithm
C. Asymmetric encryption algorithm
D. Paired algorithm

5. Which of the following algorithms are examples of an asymmetric encryption algorithm? (Choose two answers.)
A. Elliptic curve
B. 3DES
C. CAST
D. RSA
E. AES

6. Which of the following algorithms are examples of a symmetric encryption algorithm? (Choose three answers.)
A. Rijndael
B. Diffie-Hellman
C. RC6
D. RSA
E. AES

7. When encrypting and decrypting an email using an asymmetric encryption algorithm, you __________.
A. Use the private key to encrypt and only the public key to decrypt
B. Use a secret key to perform both encrypt and decrypt operations
C. Can use the public key to either encrypt or decrypt
D. Use the private key to decrypt data encrypted with the public key

8. Which one of the following is true of Trusted Platform Module?
A. It is hardware-based.
B. It uses an AES key created at the time of manufacturing.
C. It is software-based.
D. Both A and B.

9. Which of the following are primary weaknesses of LM hash? (Choose two answers.)
A. Passwords longer than seven characters are broken down into two chunks.
B. LM hash is based on DES encryption, which can easily be broken.
C. LM hash uses the MD4 hashing algorithm.
D. Before being hashed, all lowercase characters in the password are converted to uppercase characters.

10. Which of the following is a type of cipher that has earned the distinction of being unbreakable?
A. RSA
B. OTP
C. 3DES
D. WPA

Answers to Exam Prep Questions

1. C. When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Although many symmetric algorithms use a block cipher, which is the method that the algorithm uses to encrypt data, answer A is incorrect because a block cipher is a more precise and accurate term for the given question. A digital signature is not an encryption algorithm, and so answer B is incorrect. Answers D and E are both incorrect choices.

2. C. Although the Message Digest algorithms are classified globally as a symmetric key encryption algorithm, the correct answer is hashing algorithm, and so answer B is incorrect. Answer A is incorrect because this is an algorithm that uses a public and private key pair and is not associated with MD encryption. Answers D and E are both incorrect.

3. A. Rijndael was the winner of the new AES standard. Although RC6 and Twofish competed for selection, they were not chosen, and so they are incorrect. 3DES and CAST did not participate. Answers B, C, D, and E are incorrect.

4. C. Although many different types of algorithms use public and private keys to apply their encryption algorithms in their own various ways, algorithms that perform this way are called asymmetric encryption algorithms (or public key encryption). Answer A is incorrect because this is only a type of asymmetric encryption algorithm. Answer B is incorrect because symmetric algorithms use a single key. Answer D is not a type of algorithm.

5. A, D. Although the elliptic curve algorithm is typically a type of algorithm incorporated into other algorithms, it falls into the asymmetric family of algorithms because of its use of public and private keys, just like the RSA algorithm. In this case, both elliptic curve and RSA are types of asymmetric encryption algorithms. Answers B, C, and E are incorrect because 3DES, CAST, and AES are symmetric encryption algorithms.

6. A, C, E. Because Rijndael and AES are now one and the same, they both can be called symmetric encryption algorithms. RC6 is symmetric, too. Answer B is incorrect because Diffie-Hellman uses public and private keys, and so it is considered an asymmetric encryption algorithm. Answer D is incorrect because this describes a public key encryption algorithm.

7. D. Answer D provides the only valid statement to complete the sentence. Answer A is incorrect because the public key would be used to encrypt and the private key to decrypt. Answer B is incorrect because this describes symmetric encryption. Answer C is incorrect because the public key cannot decrypt the same data it encrypted.

8. A. TPM is hardware-based and typically attached to the circuit board of a system. Answer B is incorrect because TPM uses an asymmetric RSA key pair created at the time of manufacturing. Answers C and D are both incorrect.

9. A, D. The two primary weaknesses of LM hash are that, first, all passwords longer than seven characters are broken down into two chunks, from which each piece is hashed separately, and second, before the password is hashed, all lowercase characters are converted to uppercase characters. Answer B is incorrect because it is the implementation that is weak, not the encryption method. Answer C is incorrect because NTLM hashing makes use of the MD4 hashing algorithm.

10. B. The one type of cipher that has earned the distinction of being completely unbreakable is the one-time pad (OTP). This assumes, however, that the key is truly random, is used only once, and is kept secret. Unfortunately, the OTP currently has the tradeoff of requiring a key as long as the message (and thus creates significant storage and transmission costs). Answers A, C, and D are all incorrect choices.

CHAPTER TEN
Cryptography Deployment

Terms you need to understand:
✓ Public key infrastructure (PKI)
✓ Certificate authority (CA)
✓ X.509
✓ Public key infrastructure based on X.509 certificates (PKIX)
✓ Public Key Cryptography Standards (PKCS)
✓ Secure Sockets Layer (SSL)
✓ Transport Layer Security (TLS)
✓ Internet Security Association and Key Management Protocol (ISAKMP)
✓ Certificate Management Protocol (CMP)
✓ XML Key Management Specification (XKMS)
✓ Secure/Multipurpose Internet Mail Extensions (S/MIME)
✓ Pretty Good Privacy (PGP)
✓ Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
✓ Internet Protocol Security (IPsec)
✓ Certificate Enrollment Protocol (CEP)
✓ Wired Equivalent Privacy (WEP)
✓ Key management
✓ Certificate life cycle

Techniques you need to master:
✓ Understanding the basic security features and operational concepts involved with digital certificates
✓ Recognizing and understanding the essential standards and protocols associated with a PKI
✓ Recognizing and understanding the applications and uses associated with a PKI
✓ Understanding the concepts involved in key management and the digital certificate life cycle

In Chapter 9, "Cryptography Basics," you learned the basic concepts of public and private keys. Recall that symmetric key cryptography requires a key to be shared. For example, suppose the password to get into the clubhouse is "open sesame." At some point in time, this key or password needs to be communicated to other participating parties before it can be implemented. With PKI, it is not necessary to exchange the password, key, or secret information in advance. This is useful where involved parties have no prior contact or where it is neither feasible nor secure to exchange a secure key. PKI provides confidentiality, integrity, and authentication by overcoming this challenge.

A public key infrastructure (PKI) makes use of both types of keys and provides the foundation for binding keys to an identity via a certificate authority (CA), thus providing the system for the secure exchange of data over a network through the use of an asymmetric key system. This system for the most part consists of digital certificates and the CAs that issue the certificates. These certificates identify individuals, systems, and organizations that have been verified as authentic and trustworthy. PKI is widely used to provide the secure infrastructure for applications and networks, including access control, resources from Web browsers, secure email, and much more. PKI protects information by providing the following:

- Identity authentication
- Integrity verification
- Privacy assurance
- Access authorization
- Transaction authorization
- Nonrepudiation support

EXAM ALERT A public key infrastructure is a vast collection of varying technologies and policies for the creation and use of digital certificates. PKI encompasses certificate authorities, digital certificates, and tools and systems used to bring it all together.

PKI Standards
PKI is composed of several standards and protocols. These standards and protocols are necessary to allow for interoperability among security products offered by different vendors. Keep in mind, for instance, that digital certificates may be issued by different trusted authorities; therefore, a common language or protocol must exist. Figure 10.1 illustrates this relationship between standards that apply to PKI at the foundation to the standards that rely on PKI and finally to the applications supported by those standards. Next, we look at some specific PKI standards. Standards that rely on a PKI that provide services, such as secure remote access and secure email, are discussed later in this chapter.

FIGURE 10.1 Standards that define PKI up to the applications supported by standards that may rely on PKI. (Figure layers, top to bottom: applications Email, Groupware, Online Banking, VPN, Online Shopping; standards that rely on PKI S/MIME, SSL, TLS, IPsec, PPTP; PKI foundation PKIX, PKCS, X.509.)

PKIX
The PKIX Working Group of the Internet Engineering Task Force (IETF) is developing Internet standards for PKI based on X.509 certificates with the following focus:

- Profiles of X.509 version 3 public key certificates and X.509 version 2 certificate revocation lists (CRLs)
- PKI management protocols
- Operational protocols
- Certificate policies and certificate practice statements (CPSs)
- Time-stamping, data-certification, and validation services

Public Key Cryptography Standards
Whereas PKIX describes the development of Internet standards for X.509-based PKI, the Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and published by RSA Laboratories, now part of RSA, The Security Division of EMC. PKCS provides a basic and widely accepted framework for the development of PKI solutions. There were recently 15 documents in the PKCS specification library; however, 2 of the documents have been incorporated into another. These documents are as follows:

- PKCS #1 RSA Cryptography Standard provides recommendations for the implementation of public key cryptography based on the RSA algorithm.
- PKCS #2 no longer exists and has been integrated into PKCS #1.
- PKCS #3 Diffie-Hellman Key Agreement Standard describes a method for using the Diffie-Hellman key agreement.
- PKCS #4 no longer exists and has been integrated into PKCS #1.
- PKCS #5 Password-Based Cryptography Standard provides recommendations for encrypting a data string, such as a private key, with a secret key that has been derived from a password.
- PKCS #6 Extended-Certificate Syntax Standard provides a method for certifying additional information about a given entity beyond just the public key by describing the syntax of a certificate's attributes.
- PKCS #7 Cryptographic Message Syntax Standard describes the syntax for data streams such as digital signatures that may have cryptography applied to them.
- PKCS #8 Private-Key Information Syntax Standard describes syntax for private key information. This includes the private key of a public key cryptographic algorithm, and an optional set of attributes.
- PKCS #9 Selected Attribute Types defines certain attribute types of use in PKCS #6, PKCS #7, PKCS #8, and PKCS #10.
- PKCS #10 Certification Request Syntax Standard describes the syntax for a certification request to include a distinguished name, a public key, and an optional set of attributes.
- PKCS #11 Cryptographic Token Interface Standard defines an application programming interface (API) named Cryptoki for devices holding cryptographic information.
- PKCS #12 Personal Information Exchange Syntax Standard specifies a format for storing and transporting a user's private key, digital certificate, and attribute information.
- PKCS #13 Elliptic Curve Cryptography Standard addresses elliptic curve cryptography as related to PKI. As of this writing, PKCS #13 is still under development.
- PKCS #14 Pseudo Random Number Generation addresses pseudo random number generation (PRNG), which produces a sequence of bits that has a random-looking distribution. As of this writing, PKCS #14 is still under development.
- PKCS #15 Cryptographic Token Information Format Standard establishes a standard for the format of cryptographic information on cryptographic tokens.

Each of the preceding standards documents may be revised and amended periodically, as changes in cryptography occur, and they are always accessible from RSA's Website (http://www.rsa.com/rsalabs/). In addition, some have started to move within the control of standards organizations (for example, IETF).

X.509
It was stated earlier that PKIX is an IETF working group established to create standards for X.509 PKI. X.509 is an International Telecommunications Union (ITU) recommendation and is implemented as a de facto standard. X.509 defines a framework for authentication services by a directory. X.509 was first published as part of the ITU's X.500 directory service standard. Although X.500 has not become an accepted standard, X.509 has become the Internet's PKI standard for digital certificates. The X.509 standard additionally defines the format of required data for digital certificates.

NOTE X.500 is similar to a telephone book in that it is a database of names, like its slimmer cousin, Lightweight Directory Access Protocol (LDAP). This directory may include people, computers, and printers, for example.

The preceding chapter briefly introduced you to the contents of a digital certificate; however, it is worth reiterating some of these fields in more detail, including those required to be compliant to the X.509 standard (see Figure 10.2). These include the following:

- Version—This identifies the version of the X.509 standard for which the certificate is compliant.
- Serial Number—The CA that creates the certificate is responsible for assigning a unique serial number.
- Signature Algorithm Identifier—This identifies the cryptographic algorithm used by the CA to sign the certificate.
- Issuer—This identifies the directory name of the entity signing the certificate, which is typically a CA.
- Validity Period—This identifies the time frame for which the private key is valid, if the private key has not been compromised. This period is indicated with both a start and an end time and may be of any duration, but it is often set to one year.
- Subject Name—This is the name of the entity that is identified in the public key associated with the certificate. This name uses the X.500 standard for globally unique naming and is often called the distinguished name (DN) (for example, CN=John MacNeil, OU=Sales Division, O=RSA, C=US).
- Subject Public Key Information—This includes the public key of the entity named in the certificate, as well as a cryptographic algorithm identifier and optional key parameters associated with the key.

FIGURE 10.2 Details of a digital certificate.
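The Subject Name field described above, as an added example that is not code from the book: the text's example distinguished name is encoded into the DER form it takes inside an X.509 certificate and decoded back. It assumes single-valued RDNs and only the four attribute types the example uses; the OIDs are the X.520 values for those attributes.

```python
"""DER encoding of an X.509 Subject Name (added example, not from the book).

A certificate stores the distinguished name as an ASN.1 Name: a SEQUENCE of
RelativeDistinguishedNames, each a SET holding an AttributeTypeAndValue
SEQUENCE of an OID and a string. Assumed here: single-valued RDNs and only the
four attribute types used in the text's example.
"""

# X.520 attribute type OIDs for the attributes in the example DN.
OID_BY_SHORT = {"CN": "2.5.4.3", "C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11"}
SHORT_BY_OID = {oid: short for short, oid in OID_BY_SHORT.items()}

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x0C, 0x13


def der_length(length: int) -> bytes:
    """Short form below 128, otherwise 0x80 | byte count followed by the bytes."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """First two arcs share one byte; later arcs use base 128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_name(dn: str) -> bytes:
    """'CN=..., OU=..., O=..., C=US' -> DER Name.

    The string form lists the most specific RDN first (RFC 2253); DER stores the
    most general first, so the order is reversed. Country is a PrintableString,
    the other values are written as UTF8String.
    """
    body = b""
    for rdn in reversed([part.strip() for part in dn.split(",")]):
        short, value = (s.strip() for s in rdn.split("=", 1))
        string_tag = TAG_PRINTABLESTRING if short == "C" else TAG_UTF8STRING
        atv = der_tlv(TAG_OID, encode_oid(OID_BY_SHORT[short]))
        atv += der_tlv(string_tag, value.encode("utf-8"))
        body += der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, atv))
    return der_tlv(TAG_SEQUENCE, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_name(der: bytes) -> str:
    """DER Name -> 'CN=..., OU=..., O=..., C=...' string."""
    tag, rdn_sequence, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_sequence):
        tag, rdn_set, pos = read_tlv(rdn_sequence, pos)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        _, atv, _ = read_tlv(rdn_set, 0)
        _, oid, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        parts.append(f"{SHORT_BY_OID[decode_oid(oid)]}={value.decode('utf-8')}")
    return ", ".join(reversed(parts))
```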

Currently, there are three versions of X.509. Version 1 has been around since 1988, and although it is the most generic it is also ubiquitous. Version 2, which is not widely used, introduced the idea of unique identifiers for the issuing entity and the subject. Version 3, introduced in 1996, supports an optional Extension field to provide for more informational fields, and thus an extension can be defined by an entity and included in the certificate.

PKI Components
To begin to understand the applications and deployment of PKI, you should understand the various pieces that make up a PKI, including the following:
- Certificate authority (CA)
- Registration authority (RA)
- Certificates
- Certificate policies
- Certificate practice statement (CPS)
- Revocation
- Trust model

Certificate Authorities
Certificate authorities are trusted entities and are an important concept within PKI. Aside from the third-party CAs, such as Entrust and VeriSign, an organization may establish its own CA, typically to be used only within the organization. The CA’s job is to issue certificates, to verify the holder of a digital certificate, and to ensure that holders of certificates are who they claim to be. A common analogy used is to compare a CA to a passport-issuing authority. To obtain a passport, you need the assistance of another (for example, a customs office) to verify your identity. Passports are trusted because the issuing authority is trusted. You have learned about various components and terms that make up PKI, such as digital signatures, public key encryption, confidentiality, integrity, authentication, access control, and nonrepudiation. In the following sections, you learn more about the digital certificates and trust hierarchies involved in PKI.


Registration Authorities
Registration authorities provide authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. A user, for example, contacts an RA, which in turn verifies the user’s identity before issuing the request to the CA to go ahead with issuance of a digital certificate.

Certificates
A digital certificate is a digitally signed block of data that allows public key cryptography to be used for identification purposes. CAs issue these certificates, which are signed using the CA’s private key. Most certificates are based on the X.509 standard and contain the following information:
- Name of the CA
- CA’s digital signature
- Serial number
- Issued date
- Period of validity
- Version
- Subject or owner
- Subject or owner’s public key

NOTE
Although most certificates follow the X.509 version 3 hierarchical PKI standard, the PGP key system uses its own certificate format.

The most common application of digital certificates that you have likely used involves websites. Websites that ask for personal information, especially credit card information, should use digital certificates (not all of them do, but they should). The traffic from your computer to the website is secured via a protocol called Secure Sockets Layer (SSL), and the Web server uses a digital certificate for the secure exchange of information. This is easily identified by a small padlock located in the bottom status bar of most browsers. By clicking this icon, you can view the digital certificate and its details.


Certificate Policies
A certificate policy indicates specific uses applied to a digital certificate and other technical details. Not all certificates are created equal. Digital certificates are issued often following different practices and procedures and are issued for different purposes. Therefore, the certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. For example, one certificate may have a policy indicating its use for electronic data interchange to conduct e-commerce, whereas another may be issued to only digitally sign documents. You need to remember that a certificate policy identifies the purpose for which the certificate can be used, but you should also be able to identify the other types of information that can be included within a certificate policy, including the following:
- Legal issues often used to protect the CA
- Mechanisms for how users will be authenticated by the CA
- Key management requirements
- Instructions for what to do if the private key is compromised
- Lifetime of the certificate
- Certificate enrollment and renewal
- Rules regarding exporting the private key
- Private and public key minimum lengths

Certificate Practice Statements
A certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. The information within a CPS provides for the general practices followed by the CA in issuing certificates and customer-related information about certificates, responsibilities, and problem management. It is important to understand that these statements are described in the context of operating procedures and systems architecture, as opposed to certificate policies, discussed previously, which indicate the rules that apply to an issued certificate. A CPS includes the following items:
- Identification of the CA
- Types of certificates issued and applicable certificate policies
- Operating procedures for issuing, renewing, and revoking certificates
- Technical and physical security controls used by the CA

EXAM ALERT
The focus of a certificate policy is on the certificate, whereas the focus of a CPS is on the CA and the way that the CA issues certificates.

Revocation
Just as digital certificates are issued, they can also be revoked. Revoking a certificate invalidates it before its expiration date. Revocation typically occurs because the certificate is considered no longer trustworthy. For example, if a certificate holder’s private key is compromised, the certificate is likely to be revoked. Other reasons for revocation include fraudulently obtained certificates or a change in the holder’s status, which may indicate less trustworthiness. One component of a PKI is a mechanism for distributing certificate revocation information, called certificate revocation lists (CRLs). A CRL is consulted when a digital certificate is verified, to ensure that the certificate is still valid.

NOTE
A newer mechanism for identifying revoked certificates is the Online Certificate Status Protocol (OCSP). A limitation of CRLs is that they must be constantly updated; otherwise, certificates might be accepted despite the fact that they were recently revoked. OCSP, however, checks certificate status in real time, instead of relying on the end user to have a current copy of the CRL.

You learn more about revocation as part of the certification life cycle later in this chapter.

Trust Models
Certificate authorities within a PKI follow several models or architectures. The simplest model consists of a single CA. In the single-CA architecture, only one CA exists to issue and maintain certificates. Although this model might benefit smaller organizations because of its administrative simplicity, it has the potential to present many problems. For example, if the CA fails, no other CA can quickly take its place. Another problem can arise if the private key of the CA becomes compromised; in this scenario, all the issued certificates from that CA would then be invalid. A new CA would have to be created, which, in turn, would need to reissue all the certificates. A more common model, and one that reduces the risks inherent with a single CA, is the hierarchical CA model. In this model, an initial root CA exists at the top of the hierarchy, and subordinate CAs reside beneath the root. The subordinate CAs provide redundancy and load balancing should any of the other CAs fail or be taken offline.

NOTE
You may hear PKI referred to as a trust hierarchy.

A root CA differs from subordinate CAs in that the root CA is usually offline. Remember, if the root CA is compromised, the entire architecture is compromised. If a subordinate CA is compromised, however, the root CA can revoke the subordinate CA. An alternative to this hierarchical model is the cross-certification model, often referred to as a web of trust. In this model, CAs are considered peers to each other. Such a configuration, for example, may exist at a small company that started with a single CA. Then, as the company grew, it continued to implement other single-CA models and then decided that each division of the company needed to communicate with the others and ensure secure exchange of information across the company. To enable this, each of the CAs established a peer-to-peer trust relationship with the others. As you might imagine, such a configuration could become difficult to manage over time.

EXAM ALERT
The root CA should be taken offline to reduce the risk of key compromise, and the root CA should be made available only to create and revoke certificates for subordinate CAs. A compromised root CA compromises the entire system.

A solution to the complexity of a large cross-certification model is to implement what is known as a bridge CA model. Remember that in the cross-certification model each CA must trust the others. By implementing bridging, however, you can have a single CA, known as the bridge CA, be the central point of trust.
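The hierarchical model described above (an offline root, an online subordinate CA, and the root’s ability to revoke that subordinate) is easiest to see in working code. The following is an added example, not code from the book: it models certificates as a simplified stand-in for X.509 (subject, issuer, serial, validity period, key usage extension, signature) and signs them with textbook RSA on tiny fixed Mersenne primes, a deliberately insecure toy that stands in for a real signature algorithm. The CA names, serial numbers and dates are constructed for the walk-through. The path validator also enforces the key usage extension discussed later in this chapter under Key Usage: a certificate whose key usage lacks keyCertSign cannot act as a CA.

```python
"""Hierarchical trust model walk-through: offline root, subordinate CA, end-entity
certificate, path validation, and revocation of the subordinate by the root.
Added example, not the book's code. Certificates are a simplified stand-in for X.509;
signatures are TEXTBOOK RSA ON FIXED MERSENNE PRIMES (unpadded, tiny, unsafe), used only
so that the signature checks are real modular arithmetic rather than string compares."""
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

E = 65537  # public exponent shared by every toy key

def toy_keypair(p, q):
    """((n, e), (n, d)) for primes p and q; gcd(E, phi) = 1 for the primes used here."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest_int(data):
    # 160-bit truncation keeps the value below every toy modulus used below
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int            # unique per issuing CA
    pub: tuple
    not_before: datetime
    not_after: datetime
    key_usage: frozenset   # names of X.509 keyUsage bits, e.g. keyCertSign
    signature: int = 0

    def tbs(self):  # the to-be-signed bytes: every field except the signature
        return "|".join([self.subject, self.issuer, str(self.serial), str(self.pub),
                         self.not_before.isoformat(), self.not_after.isoformat(),
                         ",".join(s for s in sorted(self.key_usage))]).encode()

def issue(issuer_name, issuer_priv, subject, pub, serial, not_before, not_after, key_usage):
    """Certification step: the issuer signs the subject's identity and public key.
    issuer_name == subject yields a self-signed (root) certificate."""
    unsigned = Cert(subject, issuer_name, serial, pub, not_before, not_after, frozenset(key_usage))
    return replace(unsigned, signature=sign(issuer_priv, unsigned.tbs()))

def validate_path(chain, trust_anchor, revoked, now):
    """chain runs from the end entity up to the CA issued by trust_anchor; revoked holds
    (issuer name, serial) pairs taken from the CAs' CRLs. Returns (ok, reason)."""
    if not verify(trust_anchor.pub, trust_anchor.tbs(), trust_anchor.signature):
        return False, "trust anchor is not a valid self-signed certificate"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_anchor
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name does not match {issuer.subject}"
        if "keyCertSign" not in issuer.key_usage:
            return False, f"{issuer.subject}: key usage does not permit signing certificates"
        if not verify(issuer.pub, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature does not verify under {issuer.subject}"
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside its validity period"
        if (issuer.subject, cert.serial) in revoked:
            return False, f"{cert.subject}: revoked by {issuer.subject}"
    return True, "path is valid"

NOW = datetime(2009, 2, 1, tzinfo=timezone.utc)   # constructed "current time"
YEAR = timedelta(days=365)
ROOT_PUB, ROOT_PRIV = toy_keypair(2**89 - 1, 2**107 - 1)
SUB_PUB, SUB_PRIV = toy_keypair(2**61 - 1, 2**127 - 1)
LEAF_PUB, _ = toy_keypair(2**19 - 1, 2**521 - 1)
ROGUE_PUB, ROGUE_PRIV = toy_keypair(2**31 - 1, 2**607 - 1)
# Offline root (20-year validity) signs only subordinate CAs; the online subordinate
# issues end-entity certificates with the one-year validity the chapter mentions.
ROOT = issue("CN=Example Root CA", ROOT_PRIV, "CN=Example Root CA", ROOT_PUB, 1,
             NOW - YEAR, NOW + 20 * YEAR, {"keyCertSign", "cRLSign"})
SUB = issue(ROOT.subject, ROOT_PRIV, "CN=Example Issuing CA", SUB_PUB, 2,
            NOW - YEAR, NOW + 5 * YEAR, {"keyCertSign", "cRLSign"})
LEAF = issue(SUB.subject, SUB_PRIV, "CN=John MacNeil,OU=Sales Division,O=RSA,C=US", LEAF_PUB,
             1001, NOW - timedelta(days=30), NOW + YEAR, {"digitalSignature", "keyEncipherment"})

def scenarios():
    """Run the validator through the cases the chapter describes; returns {case: (ok, reason)}."""
    out = {"good chain": validate_path([LEAF, SUB], ROOT, set(), NOW)}
    # Root revokes the subordinate (say its key leaked): everything below it fails.
    out["subordinate revoked"] = validate_path([LEAF, SUB], ROOT, {(ROOT.subject, SUB.serial)}, NOW)
    # Attacker names the real issuing CA as issuer but signs with a key of their own.
    forged = issue(SUB.subject, ROGUE_PRIV, LEAF.subject, ROGUE_PUB, 1001,
                   LEAF.not_before, LEAF.not_after, LEAF.key_usage)
    out["forged signature"] = validate_path([forged, SUB], ROOT, set(), NOW)
    out["expired leaf"] = validate_path([LEAF, SUB], ROOT, set(), NOW + 2 * YEAR)
    # An end entity tries to act as a CA: its key usage lacks keyCertSign.
    child = issue(LEAF.subject, ROGUE_PRIV, "CN=Bogus", ROGUE_PUB, 7,
                  NOW - YEAR, NOW + YEAR, {"digitalSignature"})
    out["leaf used as CA"] = validate_path([child, LEAF, SUB], ROOT, set(), NOW)
    return out

if __name__ == "__main__":
    for case, (ok, reason) in scenarios().items():
        print(f"{case:20s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Note that the revocation set is keyed by (issuer, serial), because the chapter’s rule that a serial is unique only within one CA means the same serial can legitimately appear under two issuers; the forged-signature case relies on exactly that.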


Key Management and the Certificate Life Cycle
We previously discussed the management structure for digital certificates and the standards and protocols available to use them. In this section, we discuss the management structure for the keys themselves. This review includes the critical elements that must be taken into account to properly protect and account for the private key material, which is the most important element of a PKI solution. Being able to manage digital certificates and key pairs used is critical to any PKI solution. One management method involves the use of a life cycle for digital certificates and their keys. The life cycle is typically based on two documents discussed earlier: the certificate policy and the CPS. The life cycle refers to those events required to create, use, and destroy public keys and the digital certificates with which they are associated. The certificate life cycle comprises the following events:
- Key generation—A generator creates a public key pair. Although the CA may generate the key pair, the requesting entity may also generate the pair and provide the public key upon the submission of identity.
- Identity submission—The requesting entity submits its identity information to the CA.
- Registration—The CA registers the request for a certificate and ensures the accuracy of the identity submission.
- Certification—If the identity is validated, the CA creates a certificate and then digitally signs the certificate with its own digital signature.
- Distribution—The CA distributes or publishes the digital certificate.
- Usage—The entity receiving the certificate is authorized to use the certificate only for its intended use.
- Revocation and expiration—The certificate will typically expire and must be withdrawn. Alternatively, the certificate might need to be revoked for various reasons before expiration (for example, if the owner’s private key becomes compromised).
- Renewal—A certificate can be renewed if requested, as long as a new key pair is generated.
- Recovery—Recovery might become necessary if a certifying key is compromised but the certificate holder is still considered valid and trusted.
- Archiving—This involves the recording and storing of certificates and their uses.

The preceding list offers a broad view of the certificate life cycle. The following sections delve into more detail about important topics you should understand about key management and the digital certificate life cycle.

Centralized Versus Decentralized
There are alternative methods for creating and managing cryptographic keys and digital certificates. These operations may either be centralized or decentralized depending on the organization’s security policy. Centralized key management allows the issuing authority to have complete control over the process. Although this provides for a high level of control, many do not like the idea of a centralized system having a copy of the private key. Whereas the benefit of central control may be seen as an advantage, a centralized system also has disadvantages (for instance, additional required infrastructure, a need to positively authenticate the end entity before transmitting the private key, and the need for a secure channel to transmit the private key). Decentralized key management allows the requesting entity to generate the key pair and only submit the public key to the CA. Although the CA can still take on the role of distributing and publishing the digital certificate, it can no longer store the private key. Therefore, the entity must maintain complete control over the private key, which is considered one of the most sensitive aspects of a PKI solution. In this scenario, the CA has the additional burden of ensuring that the keys were generated properly and that all key-pair generation policies were followed.

Storage
After the key pairs are generated and a digital certificate has been issued by the CA, both keys must be stored appropriately to ensure their integrity is maintained. However, key use must still be easy and efficient. The methods used to store the keys may be hardware- or software-based. Hardware storage is typically associated with higher levels of security and assurance than software because hardware can have specialized components and physical encasements to protect the integrity of the data stored within. In addition to being more secure, hardware devices are more efficient because they provide dedicated resources to PKI functions. Naturally, however, hardware solutions often have a higher cost than software solutions. Although software solutions do not have the same level of security as their hardware counterparts, the ability to easily distribute the storage solutions provides for easier administration, transportability, and lower costs. Because the private key is so sensitive, it requires a higher level of protection than the public key. As a result, special care needs to be taken to protect private keys, especially the root key for a CA. Remember that if the private key is compromised, the public key and associated certificate are also compromised and should no longer be valid. If the CA’s root key becomes compromised, every active certificate issued by that CA can no longer be trusted and should therefore be revoked and reissued. As a result of this need for increased security over the private keys, hardware solutions are often used to protect private keys. Even a private key in the possession of an end user should be carefully guarded. At a minimum, this key is protected via a password. An additional safeguard is to provide another layer of security by storing the private key on a portable device such as a smart card (thus requiring both possession of the card and knowledge of the password).

Key Escrow
Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA. This scenario allows the CA or escrow agent to have access to all information encrypted using the public key from a user’s certificate and to create digital signatures on behalf of the user. Therefore, key escrow is a sensitive topic within the PKI community because harmful results may occur if the private key is misused. Because of this issue, key escrow is not a favored PKI solution. Despite the concerns of the general public about escrow for private use, key escrow is often considered a good idea in corporate PKI environments. In most cases, an employee of an organization is bound by the information security policies of that organization (which usually mandate that the organization has a right to access all intellectual property generated by a user and to any data that an employee generates). In addition, key escrow enables an organization to overcome the large problem of forgotten passwords. Rather than revoke and reissue new keys, an organization can generate a new certificate using the private key stored in escrow.


Expiration
When digital certificates are issued, they receive an expiration date. This validity period is indicated in a specific field within the certificate. Many certificates are set to expire after one year; however, the time period may be shorter or longer depending on specific needs. Open a certificate from within your browser while visiting a secured site (in most web browsers, select the padlock icon from the browser’s status bar) and notice the “Valid to” and “Valid from” fields within the certificate (see Figure 10.3).

FIGURE 10.3 General information for a digital certificate, including validity period.

In the late 1990s, certificate expiration dates in older web browsers became an issue as the year 2000 approached. VeriSign’s root certificate, which is embedded into web browsers, had an expiration date of December 31, 1999. When the certificate expired, if the browsers weren’t updated, they were unable to correctly verify certificates issued or signed by VeriSign. As a result, many CA certificates are now given expiration dates much further out, up to over 20 years in many cases.

Revocation
As you learned earlier in this chapter, a certificate that should no longer be trusted is revoked. There are many reasons why this may occur—for example, a private key may become compromised, the private key is lost, or the identifying credentials are no longer valid. Revoking a certificate is just not enough, however. The community that trusts these certificates must be notified that the certificates are no longer valid. This is accomplished via a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP).

Status Checking
Both OCSP and CRLs are used to verify the status of a certificate. Three basic status levels exist in most PKI solutions: valid, suspended, and revoked. The status of a certificate can be checked by going to the CA that issued the certificate or to an agreed-upon directory server that maintains a database indicating the status level for the set of certificates. In most cases, however, the application (such as a web browser) will have a function available that initiates a check for certificates.

Suspension
Certificate suspension occurs when a certificate is under investigation to determine whether it should be revoked. This mechanism allows a certificate to stay in place, but it is not valid for any type of use. Like the status checking that occurs with revoked certificates, users and systems are notified of suspended certificates in the same way. The primary difference is that new credentials will not need to be retrieved; it is only necessary to be notified that current credentials have had a change in status and are temporarily not valid for use.
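The status checking described above, as an added illustration that is not from the book: the following Python models a CA’s revocation database, the CRL it periodically publishes, and an OCSP-style live query, so that the three status levels (valid, suspended, revoked) and the CRL freshness gap the NOTE warns about can be checked against constructed sample data. The reason codes are the CRLReason values from RFC 5280, where certificateHold is the code used for suspension; the CA name, serial numbers and dates are constructed, and the structures are simplified stand-ins for real CRLs and OCSP responses.

```python
"""Certificate status checking: CRL freshness, suspension versus revocation, and the
gap an OCSP-style live query closes. Added example, not the book's code; the structures
are simplified stand-ins for RFC 5280 CRLs and OCSP responses, and every serial, date
and name below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RFC 5280 CRLReason codes used here
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6     # suspension: the hold can later be released

@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: dict        # serial -> (revocation date, reason code)

    def is_fresh(self, now):
        return self.this_update <= now < self.next_update

def crl_status(serial, crl, now):
    """Status as a relying party derives it from the CRL copy it holds.
    A CRL past nextUpdate is not a basis for any decision, so say so."""
    if not crl.is_fresh(now):
        return "unknown: CRL is stale, fetch a current one before trusting this certificate"
    if serial not in crl.entries:
        return "valid"
    _, reason = crl.entries[serial]
    return "suspended" if reason == CERTIFICATE_HOLD else "revoked"

@dataclass
class CaDatabase:
    """What the CA knows right now: the source of both its CRLs and its OCSP answers."""
    issuer: str
    revoked: dict = field(default_factory=dict)   # serial -> (date, reason)

    def revoke(self, serial, reason, when):
        self.revoked[serial] = (when, reason)

    def release_hold(self, serial):
        # A held certificate returns to service by dropping out of the next CRL.
        if self.revoked.get(serial, (None, None))[1] == CERTIFICATE_HOLD:
            del self.revoked[serial]

    def publish_crl(self, now, lifetime):
        return Crl(self.issuer, now, now + lifetime, dict(self.revoked))

    def ocsp_status(self, serial):
        """OCSP-style answer computed from the live database at query time. (A real
        responder reports a held certificate as revoked with reason certificateHold;
        the chapter's 'suspended' label is used here for readability.)"""
        if serial not in self.revoked:
            return "good"
        return "suspended" if self.revoked[serial][1] == CERTIFICATE_HOLD else "revoked"

def walkthrough():
    """Drive the CA and a relying party through the cases the chapter describes."""
    t0 = datetime(2009, 2, 1, tzinfo=timezone.utc)
    ca = CaDatabase("CN=Example Issuing CA")
    ca.revoke(1001, KEY_COMPROMISE, t0 - timedelta(days=3))
    ca.revoke(1002, CERTIFICATE_HOLD, t0 - timedelta(days=1))   # under investigation
    crl = ca.publish_crl(t0, lifetime=timedelta(days=7))        # weekly CRL
    out = {
        "revoked serial": crl_status(1001, crl, t0),           # "revoked"
        "suspended serial": crl_status(1002, crl, t0),         # "suspended"
        "clean serial": crl_status(1003, crl, t0),             # "valid"
    }
    # Two days later serial 1003's key is compromised; the cached CRL does not know.
    ca.revoke(1003, KEY_COMPROMISE, t0 + timedelta(days=2))
    t1 = t0 + timedelta(days=3)
    out["cached CRL after revocation"] = crl_status(1003, crl, t1)   # still "valid": the gap
    out["OCSP at the same moment"] = ca.ocsp_status(1003)            # "revoked"
    # The investigation clears 1002; the next CRL simply omits it.
    ca.release_hold(1002)
    out["hold released"] = crl_status(1002, ca.publish_crl(t1, timedelta(days=7)), t1)
    # Day 9: the weekly CRL has passed nextUpdate; refuse to decide from it.
    out["expired CRL"] = crl_status(1003, crl, t0 + timedelta(days=9))
    return out

if __name__ == "__main__":
    for case, status in walkthrough().items():
        print(f"{case:28s} {status}")
```

The "cached CRL after revocation" case is the limitation the NOTE describes: the CRL is still inside its own validity window, so a relying party that checks only the CRL accepts a certificate the CA revoked a day earlier, while the live OCSP-style answer is already "revoked".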

Recovery
Key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Unlike in the case of a key compromise, this should be done only if the key pair becomes corrupted but the keys are still considered valid and trusted. Although it is beneficial to back up an individual user’s key pair, it is even more important to back up the CA’s keys in a secure location for business continuity and recovery purposes.

M of N Control
M of N control as it relates to PKI refers to the concept of backing up the public and private key across multiple systems: the key material is split into N pieces, and any M of them are required to reconstruct it. This multiple backup provides a protective measure to ensure that no one individual can re-create his or her key pair from the backup. The backup process involves a mathematical function to distribute that data across a number of systems. A typical setup includes multiple personnel with unique job functions, and from different parts of the organization, to discourage collusion for the purpose of recovering keys without proper authority.
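The text does not name the mathematical function used to distribute the key. The following added example (not the book’s code) uses Shamir’s secret sharing over a prime field, the standard choice for this control, to split a constructed integer standing in for a CA private key into five shares held by five custodians, of which any three recover it and any two yield only an unrelated field element. The custodian roles are constructed for the illustration.

```python
"""M of N control with Shamir's secret sharing over a prime field.
Added example, not the book's code; the 'CA private key' is a constructed integer."""
import secrets

# Field prime; any prime larger than the secret works. This one is larger than 2**255.
P = 2**256 - 2**32 - 977

def split_secret(secret, m, n):
    """Split `secret` into n shares (x, y) such that any m of them recover it.
    The shares are points on a random polynomial of degree m-1 whose constant term
    is the secret; m-1 points leave every possible constant term equally likely."""
    if not (1 <= m <= n < P) or not (0 <= secret < P):
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]

    def poly(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, poly(x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than m distinct shares the result
    is just another field element, not the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

# Five custodians from different parts of the organization; three must cooperate.
CUSTODIANS = ["security officer", "internal auditor", "operations lead",
              "backup administrator", "legal counsel"]

def demo(secret=0x5EC2E7C0FFEE, m=3):
    """Split a key among the custodians and try several combinations of shares;
    returns {case: recovered == secret}."""
    shares = dict(zip(CUSTODIANS, split_secret(secret, m, len(CUSTODIANS))))

    def attempt(*who):
        return recover_secret([shares[w] for w in who]) == secret

    return {
        "three custodians recover": attempt("security officer", "operations lead", "legal counsel"),
        "any other three recover": attempt("internal auditor", "backup administrator", "legal counsel"),
        "two custodians fail": attempt("security officer", "internal auditor"),
        "one custodian fails": attempt("backup administrator"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {ok}")
```

Because the shares are points on a polynomial rather than fragments of the key, a sub-quorum group gains no partial knowledge: with two shares of a degree-2 polynomial, every value of the constant term is still equally consistent with what they hold.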

Renewal
As mentioned previously, every certificate is issued with an expiration date. When the certificate expires, a new certificate needs to be reissued. So long as the certificate holder’s needs or identity information has not changed, the process is relatively simple. After the issuing CA validates the entity’s identity, a new certificate can be generated based on the current public key.

Destruction
Destruction of a key pair and certificate typically occurs when the materials are no longer valid. Care should be taken when destroying a key pair. If the key pair to be destroyed is used for digital signatures, the private key portion should be destroyed first to prevent future signing activities with the key. If the materials were used for privacy purposes only, however, it might be necessary to archive a copy of the private key. You might need it later to decrypt archived data that was encrypted using the key. In addition, a digital certificate associated with keys that are no longer valid should be added to the CRL regardless of whether the key is actually destroyed or archived.

Key Usage
Digital certificates and key pairs can be used for various purposes, including privacy and authentication. The security policy of the organization that is using the key or the CA will define the purposes and capabilities for the certificates issued. To achieve privacy, a user will require the public key of the individual or entity he or she wants to communicate with securely. This public key is used to encrypt the data that is transmitted, and the corresponding private key is used on the other end to decrypt the message. Authentication is achieved by digitally signing the message being transmitted. To digitally sign a message, the signing entity requires access to the private key. In short, the key usage extension of the certificate specifies how the private key can be used—either to enable the exchange of sensitive information or to create digital signatures. In addition, the key usage extension can specify that an entity can use the key for both the exchange of sensitive information and for signature purposes.

Multiple Key Pairs
In some circumstances, dual or multiple key pairs might be used to support distinct and separate services. For example, an individual in a corporate environment may require one key pair just for signing, and another just for encrypting messages. Another example is the reorder associate who has one key pair to be used for signing and sending encrypted messages, and might have another restricted to ordering equipment worth no more than a specific dollar amount. Multiple key pairs require multiple certificates because the X.509 certificate format does not support multiple keys.

Protocols and Applications
Thus far, you have learned a fair amount about the standards for PKI deployment. But we still need to cover many other protocols and associated applications. In this section, we explore these applications and specifically the protocols that facilitate the use of each application. Three common examples of where PKI is used are secure remote access or virtual private networks (VPNs), accessing secure websites, and securing email.

SSL and TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols for managing secure communication between a client and server over the Web. Both essentially serve the same purpose (with TLS being the successor to SSL). Both provide for client- and server-side authentication and for an encrypted connection between the two. TLS consists of two additional protocols: the TLS Record Protocol and the TLS Handshake Protocol. The Handshake Protocol allows the client and server to authenticate to one another, and the Record Protocol provides connection security. The three basic phases of SSL and TLS are as follows:
1. Peer negotiation to decide which public key algorithm and key exchange to use. Usually, the decision is based on the strongest cipher and hash function supported by both systems.
2. Key exchange and authentication occur. A digital certificate is exchanged, which includes the public encryption key, which is used to generate a session key.
3. Symmetric cipher encryption and message authentication occur. Both parties can generate keys for encryption and decryption during the session as a result of the asymmetric cryptography transaction that occurred in step 2.

SSL and TLS are best known for protecting HTTP (Hypertext Transfer Protocol) Web traffic and transactions. The default port for unencrypted HTTP traffic is port 80. The secure version, commonly known as Hypertext Transfer Protocol over SSL (HTTPS), runs by default over port 443. HTTPS, which is a secure HTTP connection, is used as part of the uniform resource identifier (URI) specified in the address bar of web browsers (https://). When we use HTTPS rather than just plain HTTP, an additional layer is provided for encryption and authentication. Web servers are generally ready to begin accepting HTTP traffic to serve up Web pages, but to deploy HTTPS the Web server must have a certificate signed by a CA. If the site will be used internally only (that is, an intranet), a certificate signed by an in-house CA generally suffices. When a Web server will be serving content outside of the organization (that is, public-facing sites), the certificate is usually signed by a trusted third-party CA. In most cases the use of SSL and TLS is single sided—that is, only the server is being authenticated as valid with a verifiable certificate, whereas the client is verified perhaps by only a username and password. For example, when conducting an online banking transaction one can be assured they are at the legitimate site by verifying the server side certificate. Certificates, however, can also be deployed in a dual sided scenario in which not only is the server authenticated using a certificate, but the client side is as well. While this certainly can provide for a more secure environment, additional overhead is created, which also includes the fact that a unique client side certificate now needs to be created and managed for every client rather than just a single server. Aside from its use with HTTP for Web servers, TLS can provide security to many other protocols. It can, for instance, provide the capability to tunnel the connection forming a VPN, providing for easier firewall traversal compared to traditional IPsec VPNs, which we discuss shortly.

EXAM ALERT
HTTPS simply combines HTTP with SSL or TLS. HTTPS traffic typically occurs over port 443, whereas HTTP traffic is usually over port 80.
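The single-sided versus dual-sided deployments described above, and the difference between a client that validates the server certificate and one that does not, can be expressed with Python’s standard ssl module. This is an added example, not from the book; it only builds and inspects SSLContext objects, without opening a socket or loading certificate files, so it runs offline. The certificate and key file paths taken by load_server_identity are placeholders for files an in-house or third-party CA would have issued.

```python
"""Single-sided versus dual-sided TLS with Python's standard ssl module.
Added example (not from the book): only SSLContext objects are built and inspected;
no sockets are opened and no certificate files are read."""
import ssl

def weak_client_context():
    """Anti-pattern seen in scripts that 'just want it to work': the server's certificate
    is never validated, so the connection is encrypted but the peer could be anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context():
    """Single-sided TLS as a browser does it: the server's chain must verify to a trusted
    CA in the system store and its name must match the host in the URL."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2                # no SSL 3.0 / TLS 1.0 / 1.1
    return ctx

def server_context(require_client_cert=False):
    """Server side. By default only the server proves its identity; with
    require_client_cert=True the handshake becomes dual-sided and the server rejects
    clients that cannot present a certificate issued by a CA it trusts."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def load_server_identity(ctx, cert_file, key_file, client_ca_file=None):
    """Attach the server's CA-signed certificate and private key (placeholder paths; an
    in-house CA suffices for an intranet, a third-party CA for a public-facing site).
    For dual-sided TLS also load the CA that issued the client certificates, otherwise
    CERT_REQUIRED has nothing to verify against."""
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        if client_ca_file is None:
            raise ValueError("dual-sided TLS needs the CA that issued the client certificates")
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx

def audit(ctx):
    """Summarise the settings that decide whether the peer's certificate is actually checked."""
    return {
        "validates_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }

if __name__ == "__main__":
    for name, ctx in [("weak client", weak_client_context()),
                      ("hardened client", hardened_client_context()),
                      ("single-sided server", server_context()),
                      ("dual-sided server", server_context(require_client_cert=True))]:
        print(f"{name:20s} {audit(ctx)}")
```

The weak client still negotiates a perfectly good cipher suite, which is why the padlock alone is not evidence of anything: without CERT_REQUIRED and a hostname check the server-side certificate the chapter describes is never actually verified. On the server, CERT_REQUIRED is what turns the handshake into the dual-sided scenario; the overhead the text mentions is the per-client certificate lifecycle behind it, not the setting itself.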

Point-to-Point Tunneling Protocol
The Point-to-Point Tunneling Protocol (PPTP) is an older method used for providing secured connections over public networks or VPNs. PPTP connections can be authenticated using certificate-based technology (for example, EAP-TLS), but PPTP does not require a PKI and in fact was developed before the existence of PKI standards. Therefore, PPTP is still widely supported across many systems and has the advantage of being easier and often a more viable option to deploy, but typically only in situations that don’t require the greater security provided by PKI environments.

Layer 2 Tunneling Protocol and IP Security
Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol often used to support the creation of VPNs. It is important to understand that L2TP typically provides support along with other protocols; L2TP by itself does not provide for authentication or strong authentication. To meet these needs, L2TP is often combined with IPsec (Internet Protocol Security). IPsec is a set of protocols widely implemented to support VPNs. It provides for the secure exchange of packets at the IP layer. Therefore, organizations have been able to leverage IPsec to exchange private information over public networks such as the Internet. IPsec can achieve this higher level of assurance for data transport through the use of multiple protocols, including Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). The AH protocol provides data integrity, authentication, and (optionally) antireplay capabilities for packets. ESP provides for confidentiality of the data being transmitted and also includes authentication capabilities. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet. IKE specifically provides authentication for IPsec peers and negotiates IPsec keys and security associations. IKE provides for additional features and ease of configuration. Combining these technologies with a PKI provides for a high level of security and access control whereby certificates can be distributed to individual systems to provide authentication.

Secure/Multipurpose Internet Mail Extensions
The global nature of email distribution and the speed of delivery make email a valuable tool. However, the speed and accessibility of the technology also carry several security considerations. Public transfer of sensitive information may potentially expose this information to undesired recipients, and S/MIME was subsequently developed to provide a secure method of transmission. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a specification that provides email privacy using encryption and authentication via digital signatures. It is a security extension of the popular Multipurpose Internet Mail Extensions (MIME). MIME extends the original Simple Mail Transfer Protocol (SMTP) to allow the inclusion of nontextual data within an email message, and S/MIME was originally derived as a result of specifically combining MIME with the PKCS #7: Cryptographic Message Syntax. As mentioned earlier, PKCS describes various public key standards. In addition, S/MIME supports various encryption algorithms and is integrated into many email products (thus allowing for easy interoperability among different clients). S/MIME requires the use of digital certificates signed by a CA.

Pretty Good Privacy
Chapter 9 briefly covered Pretty Good Privacy (PGP) and its history of providing for confidentiality. PGP/MIME derives from the Pretty Good Privacy application developed by Philip R. Zimmermann in 1991 and is an alternative to S/MIME. Basically, it encrypts and decrypts email messages using asymmetric encryption schemes such as RSA to protect a per-message session key; as mentioned earlier, the data encryption itself is accomplished using one of several available symmetric encryption algorithms. Another useful feature of the PGP program is that it can include a digital signature that validates that the email has not been tampered with (thus assuring the recipient of the email’s integrity).

Secure Shell
Secure Shell (SSH) provides an authenticated and encrypted session between the client and host computers using public key cryptography. SSH provides a more secure replacement for the common command-line terminal utility Telnet. Similar to SSL/TLS, SSH uses the asymmetric RSA cryptography algorithm to provide both connection and authentication. The SSH suite encapsulates three secure utilities—slogin, ssh, and scp—derived from the earlier nonsecure UNIX utilities rlogin, rsh, and rcp. Like Telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server. SSH provides an authenticated and encrypted data stream, as opposed to the clear-text communications of a Telnet session. The three utilities within the SSH suite provide the following functionalities:
- Secure Login (slogin)—A secure version of the UNIX Remote Login (rlogin) service, which allows a user to connect to a remote server and interact with the system as if directly connected.
- Secure Shell (ssh)—A secure version of the UNIX Remote Shell (rsh) environment interface protocol.
- Secure Copy (scp)—A secure version of the UNIX Remote Copy (rcp) utility, which allows for the transfer of files in a manner similar to FTP.

NOTE
Some versions of SSH, including the Secure Shell for Windows Server, include a secure version of FTP (SFTP), along with other common SSH utilities.

Exam Prep Questions

1. Which of the following are associated with the secure exchange of email? (Select two correct answers.)
   A. S/MIME
   B. Sans-Privacy Protocol
   C. PGP
   D. Virtual private network

2. What part of the IPsec protocol provides authentication and integrity but not privacy?
   A. Encapsulated Security Payload
   B. HTTPS
   C. Authentication Header
   D. M of N

3. To check the validity of a digital certificate, which one of the following would be used?
   A. Corporate security policy
   B. Certificate policy
   C. Certificate revocation list
   D. Expired domain names

4. In a decentralized key management system, the user is responsible for which one of the following functions?
   A. Creation of the private and public key
   B. Creation of the digital certificate
   C. Creation of the CRL
   D. Revocation of the digital certificate

5. Which of the following are included within a digital certificate? (Select three correct answers.)
   A. User's public key
   B. User's private key
   C. Information about the user
   D. Digital signature of the issuing CA

6. Which of the fields included within a digital certificate identifies the directory name of the entity signing the certificate?
   A. Signature Algorithm Identifier
   B. Issuer
   C. Subject Name
   D. Subject Public Key Information

7. What is the acronym for the de facto cryptographic message standards developed by RSA Laboratories?
   A. PKIX
   B. ISAKMP
   C. PKCS
   D. X.509

8. Which one of the following defines APIs for devices such as smart cards that will contain cryptographic information?
   A. PKCS #11
   B. PKCS #13
   C. PKCS #2
   D. PKCS #4

9. Which version of X.509 supports an optional Extension field?
   A. Version 1
   B. Version 2
   C. Version 3
   D. Both A and C

10. Which of the following protocols are used to manage secure communication between a client and a server over the Web? (Select two correct answers.)
   A. SSL
   B. TLS
   C. PGP
   D. Answers B and C

11. Which one of the following best identifies the system of digital certificates and certification authorities used in public key technology?
   A. Certificate practice system (CPS)
   B. Public key exchange (PKE)
   C. Certificate practice statement (CPS)
   D. Public key infrastructure (PKI)

12. Which of the following is not true regarding expiration dates of certificates?
   A. Certificates may be issued for 20 years.
   B. Certificates must always have an expiration date.
   C. Certificates are issued only at yearly intervals.
   D. Certificates may be issued for a week.

13. Which of the following are used to verify the status of a certificate? (Select two correct answers.)
   A. OCSP
   B. CRL
   C. OSPF
   D. ACL

14. Which of the following are typically associated with virtual private networks (VPNs)? (Select two correct answers.)
   A. IPsec
   B. ISAKMP
   C. S/MIME
   D. PGP

15. Which of the following is not a certificate trust model for the arranging of certificate authorities?
   A. Bridge CA architecture
   B. Sub-CA architecture
   C. Single-CA architecture
   D. Hierarchical CA architecture

16. When a certificate authority revokes a certificate, notice of the revocation is distributed via what?
   A. Certificate revocation list
   B. Certificate policy
   C. Digital signature
   D. Certificate practice statement

Answers to Exam Prep Questions

1. Both S/MIME and PGP are used for the secure transmission of email messages. Answer B does not exist, and so it is incorrect. A virtual private network makes use of the IPsec protocol and is used to secure communications over public networks; therefore, answer D is incorrect.

2. The Authentication Header (AH) provides authentication so that the receiver can be confident of the source of the data. It does not use encryption to scramble the data, so it cannot provide privacy. Encapsulating Security Payload (ESP) provides for confidentiality of the data being transmitted and also includes authentication capabilities; therefore, answer A is incorrect. HTTPS is used on the Web for HTTP over SSL; therefore, answer B is incorrect. M of N control provides assurance that no one individual acting alone can perform an entire operation; therefore, answer D is incorrect.

3. A certificate revocation list (CRL) provides a detailed list of certificates that are no longer valid. A corporate security policy would not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy does not provide information on invalid issued certificates, either; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.

4. In a decentralized key system, the end user generates his or her own key pair. The other functions, such as creation of the certificate, CRL, and the revocation of the certificate, are still handled by the certificate authority; therefore, answers B, C, and D are incorrect.

5. Information about the user, the user's public key, and the digital signature of the issuing CA are all included within a digital certificate. A user's private key should never be contained within the digital certificate and should remain under tight control; therefore, answer B is incorrect.

6. The Issuer field identifies the name of the entity signing the certificate, which is usually a certificate authority. The Signature Algorithm Identifier identifies the cryptographic algorithm used by the CA to sign the certificate. The Subject Name is the name of the end entity identified in the public key associated with the certificate. The Subject Public Key Information field includes the public key of the entity named in the certificate; therefore, answers A, C, and D are incorrect.

7. The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and maintained by RSA Laboratories, a division of the RSA Security Corporation. PKIX describes the development of Internet standards for X.509-based digital certificates; therefore, answer A is incorrect. Answer B is incorrect because ISAKMP is a protocol common to virtual private networks.

8. PKCS #11, the Cryptographic Token Interface Standard, defines an API named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography Standard. Both answers C and D are incorrect because PKCS #2 and PKCS #4 no longer exist and have been integrated into PKCS #1, the RSA Cryptography Standard.

9. Version 3 of X.509, which was introduced in 1996, supports an optional Extension field used to provide for more informational fields. Version 1 is the most generic and did not yet incorporate this feature; therefore, answer A is incorrect. Version 2 did introduce the idea of unique identifiers, but not the optional Extension field; therefore, answer B is incorrect. Because only Version 3 supports the field, answer D is incorrect.

10. Secure Sockets Layer is the most widely used protocol for managing secure communication between clients and servers on the Web. The Transport Layer Security protocol is similar, and it is considered the successor to SSL. Answer C is incorrect because Pretty Good Privacy is used for the encryption of email.

11. PKI represents the system of digital certificates and certificate authorities. Answers A and B are fictitious terms. A CPS is a document created and published by a CA that provides for the general practices followed by the CA; therefore, answer C is incorrect.

12. Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, B, and D are incorrect.

13. The Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL) are used to verify the status of digital certificates. OSPF is a routing protocol; therefore, answer C is incorrect. And an ACL is used to define access control; therefore, answer D is incorrect.

14. Both IPsec and ISAKMP are used in the creation of VPNs. IPsec provides for the secure exchange of packets at the IP layer, and ISAKMP defines a common framework for the creation, negotiation, modification, and deletion of security associations in VPNs. S/MIME and PGP are used for secure mail transfer; therefore, answers C and D are incorrect.

15. Sub-CA architecture does not represent a valid trust model. Answers A, C, and D all represent legitimate trust models. Another common model also exists, called cross-certification; however, it usually makes more sense to implement a bridge architecture over this type of model.

16. Certificate revocation lists are used to identify revoked certificates; however, they are being replaced by the Online Certificate Status Protocol (OCSP), which provides certificate status in real time. Answers B and D are both incorrect because these terms relate to the policies and practices of certificates and the issuing authorities. Answer C is incorrect because a digital signature is an electronic signature used for identity authentication.

Suggested Readings and Resources
1. Housley, Russ and Tim Polk. Planning for PKI. John Wiley & Sons, 2001.
2. Krutz, Ronald L. and Russell Dean Vines. The CISSP Prep Guide: Mastering the Ten Domains of Computer Security. John Wiley & Sons, 2001.
3. Levy, Steven. Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age. Penguin Books, 2001.
4. IETF PKI X.509 PKIX Working Group: http://www.ietf.org/html.charters/pkix-charter.html
5. RSA Public Key Cryptography Standards: http://www.rsa.com/rsalabs/node.asp?id=2124
6. International Telecommunications Union: http://www.itu.int/rec/recommendation.asp?type=products&lang=e&parent=T-REC-X

PART VI Organizational Security

Chapter 11 Organizational Security
Chapter 12 Organizational Controls


CHAPTER ELEVEN
11 Organizational Security

Terms you need to understand:
✓ Redundancy planning
✓ Single point of failure
✓ Redundant array of independent (or inexpensive) disks (RAID)
✓ Uninterruptible power supply (UPS)
✓ Disaster recovery
✓ Backup techniques
✓ Restoration

Techniques you need to master:
✓ Knowing the common areas of concern when planning for redundant site services
✓ Understanding how to plan and conduct disaster exercises
✓ Recognizing backup techniques and restoration processes

Network security and system hardening provide the strongest possible levels of security against directed attacks, but organizational security must also be considered when planning an organization's data security. Organizational security encompasses identifying the critical business needs and the resources associated with those needs. In addition, disaster recovery is an important part of overall organization security planning. This chapter examines the issues surrounding redundancy planning, disaster recovery, and restoration policies.

Disaster Recovery and Redundancy Planning
For many organizations, downtime is not an option. Critical systems such as servers and Internet availability will require redundant hardware, whether it's as simple as a redundant array of independent (or inexpensive) disks (RAID) storage system or as complex as a complete duplicate data center. Critical business functions must be designed to continue operating in the event of hardware or other component failure. Redundancy planning requires that you prioritize the data and systems that need to be recovered first. Then plan backup methods, data replication, and failover systems.

EXAM ALERT Be familiar with redundancy descriptions indicating potential flaws. Watch for descriptions that include physical details or organizational processes. Make sure you have redundancy for critical systems.

Too many organizations realize the criticality of disaster recovery planning only after a catastrophic event (such as a hurricane, flood, or terrorist attack). However, common hardware failures and even accidental deletions may require some form of recovery capability, for every organization! Natural disasters and terrorist activity can bypass even the most rigorous physical security measures. Failure to recover from a disaster may destroy an organization. Disaster recovery involves many aspects, including the following:

- Impact and risk assessment—To plan recovery appropriately, companies must determine the scope and criticality of their services and data; an order (a priority) of recovery must be established.
- Disaster recovery plan—A disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to

restore business with minimum delay. The document also explains how to evaluate risks, how data backup and restoration procedures work, and the training required for managers, administrators, and users.
- Disaster recovery policies—These policies detail responsibilities and procedures to follow during disaster recovery events, including how to contact key employees, vendors, customers, utilities, and the press. They should also include instructions for situations in which it may be necessary to bypass the normal chain of command to minimize damage or the effects of a disaster.
- Service level agreements (SLAs)—SLAs are contracts with Internet service providers (ISPs), utilities, facilities managers, and other types of suppliers that detail minimum levels of support that must be provided (including in the event of failure or disaster).

A detailed disaster recovery plan should address various processes, including backup, data security, and recovery. Detailed responsibilities and procedures to follow during disaster recovery events should be in place. The procedures must include contact methods, for instance. Plans must also be established in case it is necessary to bypass normal access for any reason (perhaps to avoid potential sources of failure). Disaster recovery and redundancy require organizations to consider how best to deal with the following issues:

- Alternative locations for business operations
- Data restoration
- Equipment that will be put in place for operations to continue
- Internet connectivity to continue business operations
- Physical security at current and alternative sites
- Power in the event of a complete loss of city power
- Replacement software
- Telecommunications restoration
- The contact method for employees and clients
- The estimated time to complete the steps in the disaster recovery plan and get the business back to normal
- The order in which the recovery process should proceed

After a "disaster" or other failure situation has been evaluated and the damage assessed, the company can begin the recovery process. Beyond backup and restoration of data, disaster recovery planning must include a detailed analysis of underlying business practices and support requirements. This is called business continuity planning. Business continuity planning is a more comprehensive approach to provide guidance so that the organization can continue making sales and collecting revenue. As with disaster recovery planning, it covers natural and man-made disasters. Business continuity planning should identify required services, such as network access and utility agreements, and arrange for automatic failover of critical services to redundant offsite systems. Hardware configuration details, network requirements, and utilities agreements for alternative sites (that is, warm and cold sites) should be included in this planning consideration. A hard copy of the plan must be available (and key elements of that plan should be removable, such as a vendors list or team member phone numbers). After all, a disaster recovery plan does not do you any good if it is locked in someone's desk drawer and that desk is in a building that has been evacuated.

Business continuity planning may address the following:

- Network connectivity—In the event that a disaster is widespread or targeted at an ISP or key routing hardware point, an organization's continuity plan should include options for alternative network access, including dedicated administrative connections that may be required for recovery.
- Facilities—Continuity planning should include considerations for recovery in the event that existing hardware and facilities are rendered inaccessible or unrecoverable.
- Clustering—To provide load balancing to avoid functionality loss because of directed attacks meant to prevent valid access, continuity planning may include clustering solutions that allow multiple nodes to perform support while transparently acting as a single host to the user. High-availability clustering may also be used to ensure that automatic failover will occur in the event that hardware failure renders the primary node unable to provide normal service.
- Fault tolerance—Cross-site replication may be included for high-availability solutions requiring high levels of fault tolerance. Individual servers may also be configured to allow for the continued function of key services even in the case of hardware failure. Common fault-tolerant solutions include RAID solutions, which maintain duplicated data across multiple disks so that the loss of one disk will not cause the loss of data. Many of

these solutions may also support the hot-swapping of failed drives and redundant power supplies so that replacement hardware may be installed without ever taking the server offline.

A business recovery plan, business resumption plan, and contingency plan are also considered part of business continuity planning. The following sections describe several critical aspects of organizational security and disaster and business continuity planning.

Redundant Sites
In the beginning stages of the organizational security plan, the organization must decide how it will operate and how it will recover from any unfortunate incidents that affect its ability to conduct business. Redundancy planning encompasses the effects of both natural and man-made catastrophes. Often, these catastrophes result from unforeseen circumstances. Hot, warm, and cold sites can provide a means for recovery should an event render the original building unusable. These are discussed individually in the sections that follow.

Hot Site
A hot site is a location that is already running and available 7 days a week, 24 hours a day. This type of site is similar to the original site in that it is equipped with all necessary hardware, software, network, and Internet connectivity fully installed, configured, and operational. In the event of a catastrophe, all people need to do is drive to the site, log on, and begin working. These sites allow the company to continue normal business operations, usually within a minimal period of time after the loss of a facility. Data is regularly backed up or replicated to the hot site so that it can be made fully operational in a minimal amount of time in the event of a disaster at the original site. The business can be resumed without significant delay. Hot sites are the most expensive to operate and are mostly found in businesses that operate in real time, for whom any downtime might mean financial ruin. The hot site should be located far enough from the original facility to avoid the disaster striking both facilities. A good example of this is a flood. A torrential flood can sink and wash away buildings and damage various other property, such as electrical facilities. The range of a flood depends on the category and other factors such as wind and the amount of rain that follows. If the hot site is within this range, the hot site is affected, too.

Warm Site
A warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. It is assumed that the organization itself will configure the devices, install applications, and activate resources or that it will contract with a third party for these services. In a warm site, the data is replicated elsewhere for easy retrieval. However, you still have to do something to be able to access the data. This "something" might include setting up systems so that you can access the data or taking special equipment over to the warm site for data retrieval. The time and cost for getting a warm site operational is somewhere between a hot and a cold site.

Cold Site
A cold site is the weakest of the recovery plan options but also the cheapest. These sites are merely a prearranged request to use facilities if needed. Electricity, bathrooms, and space are about the only facilities provided in a cold site contract. Because the site is generally office space or warehouse space, the organization is responsible for providing and installing all the necessary equipment. If the organization chooses this type of facility, it will require additional time to secure equipment, install operating systems and applications, and contract services such as Internet connectivity. In addition, equipment purchased after such an event may be more expensive or difficult to obtain. The same distance factors should be considered when planning a cold site as when planning a hot site.

Choosing a Recovery Site Solution
The type of recovery site an organization chooses will depend on the criticality of recovery and budget allocations. Hot sites are traditionally more expensive, but they can be used for operations and recovery testing before an actual catastrophic event occurs. Cold sites are less costly in the short term. As part of redundancy and recovery planning, an organization can contract annually with a company that offers redundancy services (for a monthly, or otherwise negotiated, service charge). Daily fees and other incidental fees might apply. When contracting services from a provider, the organization should carefully read the contract. However, the site can serve multiple clients simultaneously. Therefore, in a large-scale incident, the facility could very well become overextended.

EXAM ALERT Be familiar with the various types of site descriptions. Watch for scenarios that require you to choose a hot, warm, or cold site solution.

Utilities
When planning for redundancy, keep in mind that even though the physical building may be spared destruction in a catastrophic event, it can still suffer power loss. If power is out for several days or weeks, your business itself could be in jeopardy. The most common way to overcome this problem is to supply your own power when an emergency scenario calls for it.

Backup Power Generator
Backup power refers to a power supply that runs in the event of a primary power outage. One source of backup power is a gas-powered generator. The generator can be used for rolling blackouts, emergency blackouts, or electrical problems. Most generators can be tied in to the existing electrical grid so that if power is lost, the generator starts supplying power immediately. When selecting a generator, issues to consider include the following:

- Power output—Rated in watts or kilowatts
- Fuel source—Gasoline, diesel, propane, or natural gas
- Uptime—How long the unit will run on one tank of fuel
- How unit is started—Battery or manually with a pull-cord
- Transfer switch—Automatic or manual

Determine how big a generator you need by adding up the wattages required by devices you want turned on at one time. Gasoline-run generators are the least expensive. However, they are louder and have a shorter lifespan than diesel, propane, and natural gas generators.

Uninterruptible Power Supply
Power problems will occur in various ways. One of the most obvious is when power strips are daisy-chained. Often, daisy-chained devices do not get enough power. At the other end of the spectrum, daisy chaining of devices will occasionally trip the circuit breakers or start a fire. Be aware that power issues can quickly burn out equipment. If power is not properly conditioned, it can have devastating

effects on equipment. The following list describes some of the power variations that can occur:

- Blackouts—These are caused by faults on the utility provider's system and result in a complete loss of power. Rolling blackouts occur when the utility company turns off the power in a specific area.
- Brownouts—These are short-term decreases in voltage levels that most often occur when motors are started or are triggered by faults on the utility provider's system.
- Noise—Also referred to as electromagnetic interference (EMI) and radio frequency interference (RFI), noise can be caused by lightning, load switching, generators, radio transmitters, and industrial equipment.
- Spikes—These are instantaneous and dramatic increases in voltage that result from lightning strikes or when electrical loads are switched on or off. They can destroy electronic circuitry and corrupt stored data.
- Surges—These are short-term increases in voltage commonly caused by large electrical load changes and from utility power-line switching.

To protect your environment from such damaging fluctuations in power, always connect your sensitive electronic equipment to power conditioners, surge protectors, and a UPS (uninterruptible power supply, which provides the best protection of all). A UPS is a power supply that sits between the wall power and the computer. In the event of power failure at the wall, the UPS takes over and powers the computer so that you can take action to not lose data (such as saving your work or shutting down your servers). Three different types of devices are classified as UPSs:

- Standby power supply (SPS)—This is also referred to as an "offline" UPS. In this type of supply, power usually derives directly from the power line until power fails. After a power failure, a battery-powered inverter turns on to continue supplying power. Batteries are charged, as necessary, when line power is available.
- Hybrid or ferroresonant UPS systems—This device conditions power using a ferroresonant transformer. This transformer maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. The transformer also maintains output on its secondary briefly when a total outage occurs.
- Continuous UPS—This is also called an "online" UPS. In this type of system, the computer is always running off of battery power, and the battery

is continuously being recharged. There is no switchover time, and these supplies generally provide the best isolation from power-line problems.

Remember that the purpose of having a UPS is to have enough time to properly shut down equipment before damage is caused. You cannot eliminate all risk associated with power problems just by connecting your sensitive electronic equipment to power conditioners, surge protectors, or a UPS. However, you can certainly minimize (if not entirely prevent) the damage such problems may cause.

CAUTION Never plug a printer into a UPS. Printers use large amounts of power and will drain the battery quickly.

Redundant Equipment and Connections
The main goal of preventing and effectively dealing with any type of disruption is to ensure availability. A single point of failure is any piece of equipment that can bring your operation down if it stops working. To determine the number of single points of failure in the organization, start with a good map of everything the organization uses to operate. Pay special attention to items such as the Internet connection, routers, switches, UPS equipment, and proprietary business equipment. After identifying the single points of failure, perform a risk analysis. In other words, compare the consequences if the device fails to the cost of redundancy. For example, if all your business is web-based, it is a good idea to have some redundancy in the event the Internet connection goes down. However, if the majority of your business is telephone-based, you might look for redundancy in the phone system as opposed to the ISP. Of course, in some cases, the ISP may supply both the Internet and the phone services. The point here is to be aware of where your organization is vulnerable and understand what the risk is. But neglecting single points of failure can prove disastrous.

RAID
Perhaps the biggest asset an organization has is its data. The decision about how to store and protect data will be determined by how the organization uses its data. The planning of every server setup should consider how to salvage the data should a component fail, so that you can devise an appropriate backup plan. This section examines data-redundancy options. You can use RAID and clustering to accomplish this.

The most common approach to data availability and redundancy is called RAID. RAID organizes multiple disks into a large, high-performance logical disk. Disk arrays are created to stripe data across multiple disks and access them in parallel, which allows the following:

- Higher data transfer rates on large data accesses
- Higher I/O rates on small data accesses
- Uniform load balancing across all the disks

Large disk arrays are highly vulnerable to disk failures. To solve this problem, you can use redundancy in the form of error-correcting codes to tolerate disk failures. With multiple disks and a RAID scheme, a system can stay up and running when a disk fails and during the time the replacement disk is being installed and data restored. In other words, if you have three hard drives, you can configure them to look like one large drive. With this method, a redundant disk array can retain data for a much longer time than an unprotected single disk. The two major goals when implementing disk arrays are data striping for better performance and redundancy for better reliability. There are many types of RAID. Some of the more common ones are as follows:

- RAID Level 0—Striped disk array without fault tolerance. RAID 0 implements a striped disk array. With this method, the data is broken into blocks, and each block is written to a separate disk drive. This requires a minimum of two disks to implement. See Figure 11.1 for an illustration.
- RAID Level 1—Mirroring and duplexing. This solution, called mirroring or duplexing, requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. In RAID 1, disk usage is 50%, as the other 50% is for redundancy. The difference between mirroring and duplexing is the number of controllers. Mirroring uses one controller, whereas duplexing uses one controller for each disk. See Figure 11.2 for an illustration.
- RAID Level 2—Hamming Code Error Correcting Code (ECC). RAID 2 requires the use of extra disks to store an error-correcting code. A typical setup requires 10 data disks and 4 ECC disks. In RAID 2, each bit of a data word is written to a disk. Because all modern disk drives incorporate ECC, this offers little additional protection. The controller required is complex, specialized, and expensive, and the performance is not very good. No commercial implementations exist today.

FIGURE 11.1 RAID Level 0 (four disks; consecutive blocks are striped across the disks in turn):

    Disk 1     Disk 2     Disk 3     Disk 4
    Block 1    Block 2    Block 3    Block 4
    Block 5    Block 6    Block 7    Block 8
    Block 9    Block 10   Block 11   Block 12
    Block 13   Block 14   Block 15   Block 16

FIGURE 11.2 RAID Level 1 (two disks; every block is written to both):

    Disk 1     Disk 2
    Block 1    Block 1
    Block 2    Block 2
    Block 3    Block 3
    Block 4    Block 4

- RAID Level 3—Parallel transfer with parity. In a parallel transfer with parity, the data block is striped and written on the data disks. In RAID 3, data is interleaved bit-wise over the data disks, and a single parity disk is added to tolerate any single disk failure. This requires a minimum of three drives to implement.

. RAID Level 4—Independent data disks with shared parity disk. RAID 4 is similar to RAID 3 except that data is interleaved across disks in blocks of arbitrary size rather than in bits. Entire blocks are written onto a data disk. RAID 4 requires a minimum of three drives to implement.

. RAID Level 5—Independent data disks with distributed parity blocks. In RAID 5, each entire block of data is striped, and the parity is striped as well. Because it writes both the data and the parity over all the disks, it has the best small-read and large-write performance of any redundant disk array. RAID 5 requires a minimum of three disks. See Figure 11.3 for an illustration.

. RAID Level 6—Independent data disks with two independent parity schemes. This is an extension of RAID 5 and allows for additional fault tolerance by using two-dimensional parity. This method uses Reed-Solomon codes to protect against up to two disk failures using the bare minimum of two disks' worth of redundancy.

. RAID Level 10—High reliability combined with high performance. This solution is a striped array whose segments are RAID 1 arrays. Disks are mirrored in pairs for redundancy and improved performance, and then data is striped across the mirrored pairs for maximum performance. RAID 10 requires a minimum of four disks to implement.

FIGURE 11.3 RAID Level 5. (Four disks; each stripe holds three data blocks and one parity block, and the parity position rotates: Parity 1-3 on Disk 4, Parity 4-6 on Disk 3, Parity 7-9 on Disk 2, and Parity 10-12 on Disk 1.)
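The striping and parity behavior described in the RAID levels above, as an added worked example (this code is not from the book): a small Python model of RAID 0 striping and RAID 5 rotating parity on simulated disks. The block size, disk count and sample payload are assumptions chosen for readability; the parity placement follows Figure 11.3. It rebuilds one lost disk from the XOR of the survivors and refuses a second loss, which is the case the text says RAID does not cover.

```python
# Added example, not from the book: a byte-level model of RAID 0 striping and
# RAID 5 rotating parity, showing why RAID 5 survives one failed disk but not
# two. Sample data is constructed inline; no real disks are touched.
from functools import reduce
from typing import List, Optional

BLOCK = 4  # bytes per block; deliberately tiny so layouts are easy to inspect


def split_blocks(data: bytes, size: int = BLOCK) -> List[bytes]:
    """Split data into fixed-size blocks, zero-padding the last one."""
    padded = data + b"\x00" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor_blocks(*blocks: bytes) -> bytes:
    """Bytewise XOR of equal-length blocks; this is RAID parity."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def raid0_write(data: bytes, ndisks: int) -> List[List[bytes]]:
    """RAID 0: block i lands on disk i % ndisks. No redundancy at all."""
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for i, blk in enumerate(split_blocks(data)):
        disks[i % ndisks].append(blk)
    return disks


def raid5_write(data: bytes, ndisks: int) -> List[List[bytes]]:
    """RAID 5: each stripe holds ndisks-1 data blocks plus one XOR parity
    block, and the parity position moves one disk to the left per stripe
    (Parity 1-3 on the last disk, Parity 4-6 on the one before it, ...)."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    width = ndisks - 1
    blocks = split_blocks(data)
    blocks += [b"\x00" * BLOCK] * (-len(blocks) % width)  # complete last stripe
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(blocks) // width):
        stripe = blocks[s * width:(s + 1) * width]
        parity_disk = (ndisks - 1 - s) % ndisks
        data_iter = iter(stripe)
        for d in range(ndisks):
            disks[d].append(xor_blocks(*stripe) if d == parity_disk else next(data_iter))
    return disks


def rebuildable(disks: List[Optional[List[bytes]]]) -> bool:
    """RAID 5 tolerates exactly one failed member (represented as None)."""
    return sum(d is None for d in disks) <= 1


def raid5_read(disks: List[Optional[List[bytes]]], nbytes: int) -> bytes:
    """Reassemble the user data. A single failed disk is rebuilt per stripe as
    the XOR of the surviving blocks; a second failure is fatal, which is why
    the text says RAID is no substitute for backups."""
    if not rebuildable(disks):
        raise RuntimeError("more than one disk failed; RAID 5 cannot rebuild")
    failed = [i for i, d in enumerate(disks) if d is None]
    ndisks = len(disks)
    nstripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(nstripes):
        row: List[Optional[bytes]] = [d[s] if d is not None else None for d in disks]
        if failed:
            row[failed[0]] = xor_blocks(*[b for b in row if b is not None])
        parity_disk = (ndisks - 1 - s) % ndisks
        out += b"".join(row[d] for d in range(ndisks) if d != parity_disk)
    return bytes(out[:nbytes])


if __name__ == "__main__":
    payload = b"CompTIA Security+ RAID 5 example data"   # constructed sample
    array = raid5_write(payload, 4)
    print("intact:", raid5_read(array, len(payload)) == payload)
    array[1] = None                                        # simulate losing Disk 2
    print("one disk lost:", raid5_read(array, len(payload)) == payload)
    array[2] = None                                        # second failure
    print("rebuildable after two failures:", rebuildable(array))
```

Run it directly to see the intact, one-disk-lost and two-disk-lost cases. Real controllers work with sector-sized blocks and keep a write-intent log so an interrupted stripe write does not leave parity stale; neither is modelled here.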

There are several additional levels of RAID: 7, 50, 53, and 0+1. RAID 7 is a proprietary solution that is a registered trademark of Storage Computer Corporation. This RAID has a fully implemented, process-oriented, real-time operating system residing on an embedded array controller microprocessor. RAID 50 is more fault tolerant than RAID 5 but has twice the parity overhead and requires a minimum of six drives to implement. RAID 53 is an implementation of a striped array whose segments are RAID 3 arrays. This takes a minimum of five drives: three for RAID 3 and two for striping. RAID 0+1 is a mirrored array whose segments are RAID 0 arrays. RAID 0+1 requires a minimum of four drives: two for striping and two to mirror the first striped set.

EXAM ALERT
Know the different levels of RAID and the number of disks required to implement each one.

In addition to hardware RAID, software RAID can be used. Software RAID can be used when the expense of additional hardware is not included in the budget or if the organization is using older servers. Software RAID can provide more flexibility, but it requires more CPU cycles and power to run. Software RAID operates on a partition-by-partition basis and tends to be slightly more complicated to run. When choosing a method of redundancy, choose a level of RAID that is supported by the operating system. Not all operating systems support all versions of RAID. For example, Microsoft Windows servers support RAID levels 0, 1, and 5. Another point to remember is that even though you set up the server for redundancy, you must still back up your data. RAID does not protect you from multiple disk failures. Regular tape backups allow you to recover from data loss that results from errors unrelated to disk failure (such as human, hardware, and software errors). We discuss the different types and methods of backups later in this chapter in the section "Backup Techniques and Practices."

Servers
It might be necessary to set up redundant servers so that the business can still function in the event of hardware or software failure. If a single server hosts vital applications, a simple equipment failure might result in days of downtime as the problem is repaired. To ensure availability and reliability, server redundancy is implemented. This means multiple servers are used to perform the same task. For example, if you have a web-based business with more than one server hosting your site, when one of the servers crashes, the requests can be redirected to another server. The organization can continue to do business without any interruptions. This provides a highly available website. Another way to increase availability is server clustering. A server cluster is the combination of two or more servers so that they appear as one. This clustering increases availability by ensuring that if a server is out of commission because of failure or planned downtime, another server in the cluster takes over the workload. The most notable advantage of server redundancy, perhaps, is load balancing. In load balancing, the system load is spread over all available servers. It prevents one server from being overloaded while another sits idle. This proves especially useful when traffic volume is high. In addition, it can also relieve network traffic congestion and provide network isolation for applications. Redundancy can take several forms, such as automatic failover, failback, and virtualization. Some manufacturers also provide redundant power supplies in mission-critical servers.

ISPs
Along with power and equipment loss, telephone and Internet communications may be out of service for a while when a disaster strikes. Organizations must consider this factor when formulating a disaster recovery plan. As organizations become global, dealing with natural disasters will become more common. Solutions such as wireless ISPs used in conjunction with VoIP to quickly restore phone and data services are being looked at more closely. In today's world, mission-critical businesses demand 100% uptime, 24 hours a day, 7 days a week. Availability is vital, and many businesses would not be able to function without redundancy. Relying on a single Internet connection for critical business functions could prove disastrous to your business. With a redundant ISP, a backup ISP could be standing by in the event of an outage at the main ISP. Should this happen, traffic is switched over to the redundant ISP. Although using multiple ISPs is mostly considered for disaster recovery purposes, organizations may also look to ISP redundancy to prevent application performance failure and to gain supplier diversity. For example, businesses that transfer large files can use multiple ISPs to segregate voice and file transfer traffic, each to a specific ISP. More and more organizations are implementing technologies such as VoIP. When planning deployment, explore using different ISPs for better network traffic performance, for disaster recovery, and to ensure a quality level of service.

CAUTION
If you do not host your own website, confirm whether the vendor you are using provides high availability and reliability. Also confirm that critical suppliers have strict disaster recovery plans. There's no point in having your equipment in the hands of a company that is struggling to get back on its feet after a disaster or merger.

Connections
In disaster recovery planning, you might need to consider redundant connections between branches or sites. Internally, to create fault tolerance, you might need two network cards in computers connected to different switches or hubs. With redundant connections, all devices are connected to each other more than once. A single device or cable failure will not affect performance because the devices are connected by more than one means. This type of topology can also be found in enterprisewide networks, with routers being connected to other routers for fault tolerance. This setup is more expensive because, for total redundancy, it requires more hardware and cabling.

Service Level Agreements
In the event of a disaster, an organization might also need to restore equipment (in addition to data). One of the best ways to ensure the availability of replacement parts is through service level agreements (SLAs). These are signed contracts between the organization and the vendors with which it commonly deals. SLAs can be for services such as access to the Internet, backups, restoration, and hardware maintenance. Should a disaster destroy your existing systems, the SLA can also help you guarantee the availability of computer parts or even entire computer systems. SLAs are covered in greater detail in the next chapter.

CAUTION
It is important to understand all equipment warranties, especially if the organization decides against SLAs for computer equipment. Often, opening a computer yourself and replacing the parts will void a warranty if the warranty has not expired.

When evaluating SLAs, the expected uptime and maximum allowed downtime on a yearly basis are considered. Uptime is based on 365 days a year, 24 hours a day. Here is an example:

99.999%    5.3 minutes downtime/year
99.99%     53 minutes downtime/year
99.9%      8.7 hours downtime/year
99%        87 hours downtime/year

Backup Techniques and Practices
Fundamental to any disaster recovery plan is the need to provide for regular backups of key information, including user file and email storage, database stores, event logs, and security principal details such as user logons, passwords, and group membership assignments. Without a regular backup process, loss of data through accidents or directed attack could severely impair business processes. Disaster recovery plans should identify the type and regularity of the backup process. The backup procedures in use may also affect what is recovered following a disaster. The following sections cover the types of backups you can use and different backup schemes.

TIP
Any backup and recovery plan must include regular testing of the restoration process to ensure that backup media and procedures are adequate to restore lost functionality.

Backup Types
The different types of backups you can use are full, differential, incremental, and copy. A full backup is a complete backup of all data and is the most time-intensive and resource-intensive form of backup, requiring the largest amount of data storage. In the event of a total loss of data, restoration from a complete backup will be faster than other methods. A full backup copies all selected files and resets the archive bit. An archive bit is a file attribute used to track incremental changes to files for the purpose of backup. The operating system sets the archive bit any time changes occur, such as when a file is created, moved, or renamed.

A differential backup includes all data that has changed since the last full backup, regardless of whether or when the last differential backup was made. This method enables you to restore using the last full backup plus just one differential tape. For example, if the server dies on Thursday, two tapes are needed: the full from Friday and the differential from Wednesday. Differential backups require a variable amount of storage, depending on the regularity of normal backups and the number of changes that occur during the period between full backups. This form of backup is incomplete for full recovery without a valid full backup. A differential backup does not reset the archive bit.

An incremental backup includes all data that has changed since the last incremental (or full) backup, and it resets the archive bit. Incremental backups require the smallest amount of data storage and the least amount of backup time, but they can take the most time during restoration. For example, if the server dies on Thursday, four tapes are needed: the full from Friday and the incremental tapes from Monday, Tuesday, and Wednesday. An incremental backup is incomplete for full recovery without a valid full backup and all incremental backups since the last full backup.

A copy backup is similar to a full backup in that it copies all selected files; however, it doesn't reset the archive bit, so taking one does not disturb the regular full, differential, and incremental rotation.

From a security perspective, theft poses the most risk. If an incremental tape is stolen, it might not be of value to the offender, but it still represents risk to the company. Theft of a differential tape is riskier than theft of an incremental tape because larger chunks of sequential data may be stored on the tape the further away it is from the last full backup. The loss of a tape with a copy backup is the same as losing a tape with a full backup, because all data is on one tape.

Schemes
When choosing a backup strategy, a company should look at the following factors:

. How often it needs to restore files—As a matter of convenience, if files are restored regularly, a full backup may be decided on because it can be done with one tape.
. How fast the data needs to be restored—If large amounts of data are backed up, a differential backup method may be the best choice.
. How long the data needs to be kept before being overwritten—If used in a development arena where data is constantly changing, the incremental backup method may work best.
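The archive-bit rules for the four backup types, as an added example (this code is not from the book): a Python model that takes a week of backups against a simulated volume and computes the restore set for a total loss. File names, days and contents are constructed; `week()` reproduces the text's Friday-full, Monday-to-Wednesday schedule for either differential or incremental backups.

```python
# Added example, not from the book: a model of the archive bit and the full,
# differential, incremental and copy backup types, used to work out which
# tapes a total-loss restore needs. Files, days and contents are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Volume:
    files: Dict[str, bytes] = field(default_factory=dict)
    archive: Set[str] = field(default_factory=set)   # names whose archive bit is set

    def write(self, name: str, content: bytes) -> None:
        self.files[name] = content
        self.archive.add(name)        # the OS sets the bit on every change


@dataclass
class BackupSet:
    kind: str                         # full | differential | incremental | copy
    day: str
    files: Dict[str, bytes]


def backup(vol: Volume, kind: str, day: str) -> BackupSet:
    """Take one backup of `kind`, applying the archive-bit rules from the text."""
    if kind in ("full", "copy"):
        selected = dict(vol.files)                                  # every selected file
    elif kind in ("differential", "incremental"):
        selected = {n: vol.files[n] for n in sorted(vol.archive)}   # bit set only
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("full", "incremental"):
        vol.archive.clear()           # full and incremental reset the bit
    return BackupSet(kind, day, selected)       # differential and copy leave it


def restore_chain(sets: List[BackupSet]) -> List[BackupSet]:
    """Minimal ordered list of sets for a total-loss restore: the last full,
    every incremental since it, then the last differential only if it was
    taken after the last incremental. Copy backups are outside the rotation."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    chain = [sets[last_full]]
    trailing_diff = None
    for s in sets[last_full + 1:]:
        if s.kind == "incremental":
            chain.append(s)
            trailing_diff = None      # an incremental supersedes earlier differentials
        elif s.kind == "differential":
            trailing_diff = s
    if trailing_diff is not None:
        chain.append(trailing_diff)
    return chain


def restore(sets: List[BackupSet]) -> Dict[str, bytes]:
    """Replay the chain oldest to newest; later sets overwrite earlier copies."""
    result: Dict[str, bytes] = {}
    for s in restore_chain(sets):
        result.update(s.files)
    return result


def tapes_needed(sets: List[BackupSet]) -> List[str]:
    return [f"{s.kind}:{s.day}" for s in restore_chain(sets)]


def week(kind: str) -> Tuple[Volume, List[BackupSet]]:
    """The schedule from the text: full on Friday, then `kind` backups Monday
    to Wednesday, with one new log file appearing each day (constructed)."""
    vol = Volume()
    vol.write("ledger.db", b"opening balance")
    sets = [backup(vol, "full", "Fri")]
    for i, day in enumerate(("Mon", "Tue", "Wed"), start=1):
        vol.write(f"day{i}.log", f"entry {i}".encode())
        sets.append(backup(vol, kind, day))
    return vol, sets


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        vol, sets = week(kind)
        print(kind, "-> restore on Thursday needs", tapes_needed(sets),
              "| Wednesday tape holds", len(sets[-1].files), "file(s)")
```

Running it shows that a Thursday restore needs two tapes under differential and four under incremental, and that the Wednesday differential tape carries three days of changes where the Wednesday incremental carries one, which is the theft-exposure point made above.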

In some instances, it might be more beneficial to copy or image a hard drive for backup purposes. For example, in a development office, where there might be large amounts of data that change constantly, instead of spending money on a complex backup system to back up all the developers' data, it may be less expensive and more efficient to buy another hard drive for each developer and have each developer back up his or her data that way. If the drive is imaged, it ensures that if a machine has a hard drive failure, a swift way of getting it back up and running again is available.

In addition to these backup strategies, organizations employ tape rotation and retention policies. All tape-rotation schemes can protect your data, but each one has different cost considerations. The various methods of tape rotation include the following:

. Grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. The basic method is to define three sets of backups. The first set, "son," represents daily backups. A second set, "father," is used to perform weekly full backups. The final set of three tapes, "grandfather," is used to perform full backups on the last day of each month.
. Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle. This is a recursive method where every tape is associated with a disk in the puzzle, and the movement of a disk to a different peg corresponds with a backup to a tape. The Tower of Hanoi is more difficult to implement and manage but costs less than the grandfather-father-son scheme.
. Ten-tape rotation is a simpler and more cost-effective method for small businesses. It provides a data history of up to two weeks. Friday backups are full backups; Monday through Thursday backups are incremental.

After the backups are complete, they must be clearly marked or labeled so that they can be properly safeguarded. Another option available for backups is offsite tape storage with trusted third parties. Vendors offer a wide range of offsite tape vaulting services. These are highly secure facilities that may include secure transportation services, chain-of-custody control for tapes in transit, and environmentally controlled storage vaults.
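The three rotation schemes, as an added example (this code is not from the book): Python functions that generate each schedule. The Tower of Hanoi mapping (tape index = number of trailing zero bits of the day number) and the Monday-start assumption for the ten-tape scheme are the example's own choices; the grandfather-father-son rule follows the text (monthly on the last day of the month, weekly on Friday, daily otherwise). Dates are passed as ISO strings and are constructed.

```python
# Added example, not from the book: generating the three rotation schedules
# the text describes, so you can see which tape is written on a given day and
# how far back a recoverable copy still exists. All dates are constructed.
import datetime as dt
from collections import Counter
from typing import Dict, List

TAPE_NAMES = "ABCDEFGH"


def hanoi_tape(day: int, ntapes: int) -> str:
    """Tower of Hanoi rotation for day n (1-based): tape A on every odd day,
    B on days 2, 6, 10, ..., C on days 4, 12, 20, ..., and so on. The tape
    index is the number of trailing zero bits in n (the puzzle's move order),
    capped at the last tape so the largest 'disk' absorbs every higher power."""
    if day < 1:
        raise ValueError("days are numbered from 1")
    k = (day & -day).bit_length() - 1          # trailing zeros of day
    return TAPE_NAMES[min(k, ntapes - 1)]


def hanoi_schedule(days: int, ntapes: int) -> List[str]:
    return [hanoi_tape(n, ntapes) for n in range(1, days + 1)]


def hanoi_oldest_retained(day: int, ntapes: int) -> int:
    """Earliest day whose backup is still on some tape at the end of `day`,
    i.e. the oldest point you could restore to (not yet overwritten)."""
    last_write: Dict[str, int] = {}
    for n in range(1, day + 1):
        last_write[hanoi_tape(n, ntapes)] = n
    return min(last_write.values())


def gfs_tape(day_iso: str) -> str:
    """Grandfather-father-son as the text defines it: monthly full on the last
    day of the month, weekly full on Friday, daily 'son' otherwise."""
    d = dt.date.fromisoformat(day_iso)
    if (d + dt.timedelta(days=1)).month != d.month:
        return "grandfather"
    if d.weekday() == 4:                        # Monday == 0, Friday == 4
        return "father"
    return "son"


def gfs_schedule(start_iso: str, days: int) -> Dict[str, int]:
    """How many backups of each set a run of `days` starting at `start_iso` takes."""
    start = dt.date.fromisoformat(start_iso)
    return dict(Counter(gfs_tape((start + dt.timedelta(days=i)).isoformat())
                        for i in range(days)))


def ten_tape(day_iso: str, first_monday_iso: str) -> str:
    """Ten-tape rotation: one tape per business day over two weeks, then reused.
    Friday tapes hold fulls, Monday to Thursday tapes hold incrementals.
    Assumption of this example: the rotation is counted from a Monday."""
    day = dt.date.fromisoformat(day_iso)
    first = dt.date.fromisoformat(first_monday_iso)
    if first.weekday() != 0:
        raise ValueError("the rotation is counted from a Monday")
    if day.weekday() > 4:
        raise ValueError("no backup on weekends in this scheme")
    index = ((day - first).days // 7) * 5 + day.weekday()
    kind = "full" if day.weekday() == 4 else "incremental"
    return f"tape{index % 10 + 1}:{kind}"


if __name__ == "__main__":
    print("Hanoi, 5 tapes, first 16 days:", "".join(hanoi_schedule(16, 5)))
    print("oldest restorable day after day 31:", hanoi_oldest_retained(31, 5))
    print("GFS over February 2009:", gfs_schedule("2009-02-02", 28))
    print("ten-tape, third Monday:", ten_tape("2009-02-16", "2009-02-02"))
```

`hanoi_oldest_retained` makes the cost trade-off concrete: once the cycle is running, five tapes give an oldest restorable copy that swings between 8 and 15 days old depending on where you are in the cycle, so the cheaper scheme buys history unevenly.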

System Restoration
Disaster recovery planning should include detailed system restoration procedures. This planning should explain any needed configuration details that may be required to restore access and network function. These may include items that are either general or specific. The procedure for restoring from a server hardware failure, for example, is as follows:

1. Upon discovery, a first responder is to notify the on-duty IT manager. If the manager is not on the premises, he or she should be paged or reached via cell phone.
2. The IT manager assesses the damage to determine whether the machine can survive on the UPS. If it can, for how long? If it cannot, what data must be protected before the machine shuts down, if possible?
3. The damaged machine will be shut down properly, unplugged from the network, and placed in the vendor-assigned work area.
4. Because all equipment is under warranty, no cases should be opened without the consent of the proper vendor.
5. The IT manager will assign a technician to contact the vendor for instructions and a date when a replacement part can be expected.
6. A determination will be made by the IT manager as to whether the organization can survive without the machine until the replacement part is received.
7. If the machine is a vital part of the business, the IT manager must then notify the head of the department affected by the situation and give an assessment of how and when it will be remedied.
8. The IT manager will then find another machine with similar hardware to replace the damaged server.
9. The replacement machine will be configured by an assigned technician to ensure it meets the specifications listed in the IT department's server configuration manual.
10. When the technician has determined that the machine is ready to be placed online, the IT manager will evaluate it to confirm it meets the procedure specifications.
11. The most recent backup will be checked out of the tape library by the IT manager. The assigned technician will then restore the data.

12. The IT manager puts the replacement server in place. Connectivity must be verified, and then the appropriate department head can be notified that the situation has been remedied.

A restoration plan should also include contingency planning to recover systems and data even in the event of administration personnel loss or lack of availability. This plan should include procedures on what to do if a disgruntled employee changes an administrative password before leaving. Statistics show that more damage to a network comes from inside than outside. Therefore, any key root-level account passwords and critical procedures should be properly documented so that another equally trained individual can manage the restoration process.

Recovery planning documentation and backup media contain many details that an attacker can exploit when seeking access to an organization's network or data. Therefore, planning documentation, backup scheduling, and backup media must include protections against unauthorized access or potential damage. Normal backups should include all data that cannot be easily reproduced. The data should be protected by at least a password, and preferably by encryption. When the backups are complete, they must be clearly labeled so that they can be properly safeguarded. Imagine having to perform a restore for an organization that stores its backup tapes unlabeled in a plastic bin in the server room. The rotation is supposed to be on a two-week basis. When you go to get the needed tape, you discover that the tapes are not marked, nor are they in any particular order. How much time will you spend just trying to find the proper tape? Also, is it a good practice to keep backup tapes in the same room with the servers? What happens if there is a fire? How backup media is handled is just as important as how it is marked. In military environments, a common practice is to have removable storage media locked in a proper safe or container at the end of the day. You certainly don't want to store CDs in a place where they can easily be scratched or store tapes in an area that reaches 110 degrees Fahrenheit during the day. You should ensure that you also have offsite copies of your backups where they are protected from unauthorized access as well as from fire, flood, and other forms of environmental hazards that might impact the main facility. Secure recovery services are another method of offsite storage and security that organizations may consider.

Exam Prep Questions

1. Which of the following levels of RAID do Windows servers support? (Choose all that apply.)
   A. RAID 0
   B. RAID 1
   C. RAID 2
   D. RAID 3
   E. RAID 4
   F. RAID 5

2. Which of the following backup strategies uses three sets of backups, such as daily, weekly, and monthly, with backup sets rotated on a daily, weekly, and monthly basis?
   A. Grandfather, father, son
   B. Tower of Hanoi
   C. Tower of Pisa
   D. Grandmother, mother, daughter

3. Which of the following is a type of site similar to the original site in that it has all the equipment fully configured, has up-to-date data, and can become operational with minimal delay?
   A. Cold site
   B. Warm site
   C. Hot site
   D. Mirror site

4. Which of the following is a type of uninterruptible power supply where power usually derives directly from the power line, until the power fails?
   A. Hybrid power supply
   B. Standby power supply
   C. Ferroresonant power supply
   D. Continuous power supply

5. A system restoration plan should include which of the following? (Select the two best answers.)
   A. Backup generator procedures
   B. Procedures for what to do if a disgruntled employee changes an administrative password before leaving
   C. Single points of failure risks
   D. Contingency planning to recover systems and data even in the event of administration personnel loss

6. Which of the following aspects of disaster recovery planning details how fast an ISP must have a new Frame Relay connection configured to an alternative site?
   A. Impact and risk assessment
   B. Disaster recovery plan
   C. Disaster recovery policies
   D. Service level agreement

7. Which type of backup requires the least amount of time to restore in the event of a total loss?
   A. Full
   B. Daily
   C. Differential
   D. Incremental

8. Which of the following statements best describes a disaster recovery plan (DRP)?
   A. A DRP reduces the impact of a hurricane on a facility.
   B. A DRP is an immediate action plan used to bring a business back on line immediately after a disaster has struck.
   C. A DRP attempts to manage risks associated with theft of equipment.
   D. A DRP plans for automatic failover of critical services to redundant offsite systems.

9. Full backups are performed weekly on Sunday at 1:00 a.m., and incremental backups are done on weekdays at 1:00 a.m. If a drive failure causes a total loss of data at 8:00 a.m. on Tuesday morning, what is the minimum number of backup files that must be used to restore the lost data?
   A. One
   B. Two
   C. Three
   D. Four
   E. Five

10. Redundancy planning includes which of the following? (Choose the two best answers.)
   A. RAID
   B. UPS placement
   C. Backup procedures
   D. Restoring data

Answers to Exam Prep Questions

1. Answers A, B, and F. Windows servers support striped disk arrays without fault tolerance (RAID 0), mirroring and duplexing (RAID 1), and independent data disks with distributed parity blocks (RAID 5). Answers C, D, and E are incorrect because those implementations of RAID are not used in Microsoft operating systems.

2. Answer A. Grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. The basic method is to define three sets of backups, such as daily, weekly, and monthly. Answer B is incorrect: the Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle. Originally designed for tape backup, it works well for any hierarchical backup strategy. It is a "smart" way of archiving an effective number of backups and provides the ability to go back over time, but it is more complex to understand, with what is essentially a recursive method. The various methods of tape rotation include the grandfather-father-son, Tower of Hanoi, and 10-tape rotation schemes. Answers C and D are incorrect because those methods do not exist.

3. Answer C. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations, such as hardware and furnishings. Answer A is incorrect because a cold site does not provide any equipment. Answer B is incorrect because a warm site is not fully equipped and configured like the original site. Answer D is incorrect because a mirror site is an exact copy of another Internet site.

4. Answer B. In a standby power supply, power usually derives directly from the power line until power fails. After a power failure, a battery-powered inverter turns on to continue supplying power, and the battery is continuously being recharged. Answer A is incorrect because a hybrid device conditions power using a ferroresonant transformer. Answer C is incorrect because a ferroresonant device likewise conditions power using a ferroresonant transformer; this transformer maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. Answer D is incorrect because in a continuous power supply the computer is always running off of battery power.

5. Answers B and D. A restoration plan should include contingency planning to recover systems and data even in the event of administration personnel loss or lack of availability. This plan should include procedures that address what to do if a disgruntled employee changes an administrative password before leaving. Answers A and C are incorrect because they are part of disaster recovery planning.

6. Answer D. Service level agreements establish the contracted requirements for service through utilities, facility management, and ISPs. Answer A is incorrect because risk assessment is used to identify areas that must be addressed in disaster recovery provisions. Answers B and C are incorrect because although the disaster recovery plan and its policies may include details of the service level agreement's implementation, neither is the best answer in this case.

7. Answer A. A full backup includes a copy of all data, so it may be used to directly restore all data and settings as of the time of the last backup. Answers B, C, and D are incorrect because daily, differential, and incremental backups all require a full backup and additional backup files to restore from a total loss of data.

8. Answer B. A DRP is an immediate action plan to be implemented after a disaster. Answer A is incorrect because it describes physical disasters. Answer C is incorrect because it describes loss prevention. Answer D is incorrect because it describes a business continuity plan.

9. Answer C. Sunday's full backup must be restored first, followed by Monday's incremental backup, and finally Tuesday morning's incremental backup. This will recover all data as of 1:00 a.m. Tuesday morning. Answers A and B are incorrect because a full backup Tuesday morning would be required to allow a single-file recovery of all data, whereas a differential backup on Tuesday morning would be required so that only two backup files would be needed. Answers D and E are incorrect because no files from before the last full backup would be required.

10. Answers A and B. RAID and UPS placement are both part of redundancy planning. Answers C and D are incorrect because backup procedures and restoring data are part of disaster recovery processes.

Suggested Readings and Resources

1. Schmidt, Klaus. High Availability and Disaster Recovery: Concepts, Design, Implementation. Springer, 2006.
2. Wells, April, Charlyne Walker, Timothy Walker, and David Abarca. Disaster Recovery: Principles and Practices. Prentice Hall, 2006.
3. RAID tutorial: http://www.acnc.com/raid.html
4. CERT incident reporting guidelines: http://www.cert.org/tech_tips/incident_reporting.html
5. SANS Information Security Reading Room: http://www.sans.org/reading_room/?ref=3701


CHAPTER TWELVE
12 Organizational Controls

Terms you need to understand:
✓ Forensics
✓ Chain of custody
✓ Acceptable use
✓ Change management
✓ Personally identifiable information (PII)
✓ Due care
✓ Service level agreements (SLAs)
✓ Security policies
✓ Social engineering
✓ Dumpster diving

Techniques you need to master:
✓ Understand the implications of incident response and forensic analysis of data.
✓ Understand applicable legislation and organizational policies.
✓ Know the importance of environmental controls.
✓ Understand how social engineering may be used to obtain unauthorized access.

After planning for disaster and recovery procedures as discussed in Chapter 11, "Organizational Security," it is necessary to plan for incident response. Incident response guidelines, security procedures, change-management procedures, and many other security-related factors require extensive planning and documentation. Although only 12% of the exam is based on the organizational security domain, this is a growing area of security planning. This chapter looks at incident response, forensics investigations, and security policies. It also covers environmental controls and user security awareness training.

Incident Response Procedures
Incidents do happen from time to time in most organizations, no matter how strict security policies and procedures are. Systems should be secured to prevent as many incidents as possible and monitored to detect security breaches as they occur. Incident response procedures should define how to maintain business continuity while defending against further attacks. Incident response documentation should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for each type of security-related incident. It is important to realize that proper incident handling is just as vital as the planning stage, and its presence may make the difference between being able to recover quickly and ruining a business and damaging customer relations. Customers need to see that the company has enough expertise to deal with the problem. The components of an incident response plan should include preparation, roles, rules, and procedures. The National Institute of Standards and Technology (NIST) has issued a report on incident response guidelines that can help an organization spell out its own internal procedures. This is referenced in the "Suggested Readings and Resources" section at the end of the chapter. Although many organizations have an Incident Response Team (IRT), which is a specific group of technical and security investigators that respond to and investigate security incidents, many do not. In the event there is no IRT, first responders will need to handle the scene and the response. Therefore, additional resources are detailed at the end of the chapter.

Forensics
When a potential security breach must be reviewed, the digital forensics process comes into play. Similar to other forms of forensics, this process requires a vast knowledge of computer hardware, software, and the legal issues involved in forensics analysis. The information provided in this chapter allows an entering professional to recognize that precise actions must be taken during an investigation. Computer forensics review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence. The corporate world focuses more on prevention and detection, whereas law enforcement focuses on investigation and prosecution. For cases to be prosecuted, evidence must be properly collected, processed, and preserved. The major concepts behind computer forensics are to

. Identify the evidence
. Determine how to preserve the evidence
. Extract, process, and interpret the evidence
. Ensure that the evidence is acceptable in a court of law

Each state has its own laws that govern how cases can be prosecuted. Therefore, a professional within this field needs a detailed understanding of the local, regional, national, and even international laws affecting the process of evidence collection and retention, especially in cases involving attacks that may be waged from widely distributed systems located in many separate regions.

NOTE
The practice of forensics analysis is a detailed and exacting one. It is crucial that you do not attempt to perform these tasks without detailed training in the hardware, software, network, process, and legal issues involved in forensics analysis, to avoid accidental invalidation or destruction of evidence.

Chain of Custody
Forensics analysis involves establishing a clear chain of custody over the evidence, which is the documentation of all transfers of evidence from one person to another, showing the date, time, and reason for the transfer and the signatures of both parties involved in the transfer. In other words, it tells how the evidence made it from the crime scene to the courtroom. If you are asked to testify regarding data that has been recovered or preserved, it is critical that you, as the investigating security administrator, can state with certainty that the evidence could not have been accessed or modified during your custodial term. This requires careful collection and preservation of all evidence, including the detailed logging of investigative access and the scope of the investigation. Definition of the scope is crucial to ensure that accidental privacy violations or unrelated exposure will not contaminate the evidence trail. After data is collected, it must be secured in such a manner that you, as the investigating official, are able to prove that no other individuals or agents could have tampered with or modified the evidence.

The success of data recovery and potential prosecution depends on the actions of the individual who initially discovers a computer incident. The entire work area is a potential crime scene, not just the computer itself. There might be evidence such as removable media, voice-mail messages, or handwritten notes. The work area should be secured and protected to maintain the integrity of the area. System administrators and network security personnel should be aware of and understand the basic legal issues governing their actions in any matter that involves examination and investigation of employee workspaces and environments. While police officers are trained to have a good understanding of the limits of the Fourth and Fifth Amendments and applicable laws, many system administrators and network security personnel are not. However, they need to be aware of how reasonable expectation of privacy affects the ability to examine employees and their working environment. Although law enforcement might need a search warrant to look for evidence, most corporations do not.

NOTE
The Fourth Amendment guards against unreasonable search and seizure. The Fifth Amendment deals with double jeopardy, self-incrimination, eminent domain, and due process. Due process extends to all persons and corporate entities.
First Responders First responders are the first ones to arrive at the incident scene. Under no circumstances should you touch the computer or should anyone be allowed to remove any items from the scene. How the evidence scene is handled can severely affect the ability of the organization to prosecute if need be.

Although it seems that just viewing the files or directories on a system would not change the original media, merely browsing a file can change it.

NOTE
If you are an untrained first responder, touch nothing and contact someone trained in these matters for help.

Damage and Loss Control
When the response team has determined that an incident occurred, the next step in incident analysis involves taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident. This will aid with researching possible response and mitigation strategies. In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal. It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future. Depending on the severity of the incident and the organizational policy, incident response functions can take many forms. The team may perform the remediation actions themselves. The response team may send out recommendations for recovery, containment, and prevention to systems and network administrators at sites who then complete the response steps. After the incident is appropriately handled, the organization may issue a report that details the cause of the incident, the cost of the incident, and the steps the organization should take to prevent future incidents. The follow-up response can involve sharing information and lessons learned with other response teams and other appropriate organizations and sites.

Reporting and Disclosure
Request For Comments (RFC) 2350, Expectations for Computer Security Incident Response, can be helpful in formulating organizational best practices for reporting and disclosure. Section 3.4.2 addresses cooperation, interaction, and disclosure of information. A clear statement of the policies and procedures helps all the parties involved understand how best to report incidents and what support to expect afterward. The reporting and disclosure policy should make clear who the incident response team’s report will go to in each circumstance. It should also note whether the team will be expected to operate through another internal team or directly with outside affected parties such as vendors.
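The chain-of-custody and evidence-integrity requirements described above, as an added example that is not part of the book: a small Python custody log that records each transfer (date and time, both parties, reason), refuses a hand-over when the evidence no longer matches its acquisition hash (the "merely browsing a file can change it" case), and, going beyond the text, chains entry hashes so that editing the log afterward is detectable. The evidence bytes, evidence IDs and party names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence for this example: stands in for a file copied from the
# workstation at the scene.
EVIDENCE = b"Subject: quarterly numbers\r\n\r\nSee attached spreadsheet.\r\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence contents, taken once at acquisition."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one item of evidence.

    Every entry carries the date/time, both parties, and the reason for the
    transfer (the fields the text calls for), plus the evidence hash at the
    moment of hand-over and the hash of the previous entry. The hash chain is
    an addition beyond the text: it makes later edits to the log detectable.
    """

    def __init__(self, evidence_id: str, data: bytes, collected_by: str, reason: str):
        self.evidence_id = evidence_id
        self.expected_hash = fingerprint(data)
        self.entries = []
        self._append(data, "scene", collected_by, reason)

    def _append(self, data: bytes, from_party: str, to_party: str, reason: str) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "from": from_party,
            "to": to_party,
            "reason": reason,
            "evidence_sha256": fingerprint(data),
            "previous_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else "",
        }
        # The parties' names stand in for the signatures a paper log would carry.
        serialized = json.dumps(entry, sort_keys=True).encode()
        entry["entry_sha256"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(entry)
        return entry

    def transfer(self, data: bytes, from_party: str, to_party: str, reason: str) -> bool:
        """Hand the evidence over. Refuses (returns False) when the contents no
        longer match the acquisition hash, i.e. something accessed or modified them."""
        if fingerprint(data) != self.expected_hash:
            return False
        self._append(data, from_party, to_party, reason)
        return True

    def verify_log(self) -> bool:
        """Recompute every entry hash and chain link; False if the log was altered."""
        previous = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_sha256"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if (body["previous_entry_sha256"] != previous
                    or recomputed != entry["entry_sha256"]
                    or body["evidence_sha256"] != self.expected_hash):
                return False
            previous = entry["entry_sha256"]
        return True


def demo_scenario() -> tuple:
    """Scene -> examiner -> locker, with one refused hand-over and one edited log.

    Returns (first transfer accepted, browsed copy refused,
             log intact before edit, log intact after edit).
    """
    log = CustodyLog("EV-0001", EVIDENCE, "first responder A. Smith", "collected from workstation")
    accepted = log.transfer(EVIDENCE, "first responder A. Smith", "examiner B. Jones", "forensic imaging")
    # Opening the file in an editor that normalizes line endings is enough to
    # change it: the book's point that merely browsing a file can alter it.
    browsed = EVIDENCE.replace(b"\r\n", b"\n")
    refused = not log.transfer(browsed, "examiner B. Jones", "evidence locker", "storage")
    intact_before = log.verify_log()
    log.entries[0]["reason"] = "collected from file server"   # someone rewrites history
    intact_after = log.verify_log()
    return accepted, refused, intact_before, intact_after


if __name__ == "__main__":
    print(demo_scenario())   # (True, True, True, False)
```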

The guidelines for reporting organizational security breaches may not be straightforward. Because of adverse publicity, many organizations choose to quietly fix a breach without reporting or disclosing. However, legal and ethical responsibilities now require organizations to be more diligent in this area. In most cases, security incidents must be reported by the chief information officer (CIO), as determined by the chief information security officer (CISO), and the board members need to be notified. Board notification usually occurs as soon as the incident is known, usually in writing. The information reported may include the scope of the incident, impact, actions being taken, and actions taken to prevent a further occurrence. Subsequent updates to the board may occur until the incident is closed.

Applicable Legislation and Organizational Policies
To ensure that proper incident response planning is managed and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users. Policies of which the users have no knowledge are rarely effective, and those that lack management support may prove to be unenforceable. Current and pending legislation will affect the formulation of those policies. The first data breach notification law in the United States was California’s S.B. 1386. This bill was enacted in August 2002, and went into effect in July 2003. Currently, 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. In many cases, companies must immediately disclose a data breach to customers. Federal bills regarding data breach notification currently in process include
- H.R. 958—Data Accountability and Trust Act
- H.R. 836—Cyber-Security Enhancement & Consumer Data Protection Act
- S. 239—Notification of Risk to Personal Data Act
- S. 495—Personal Data Privacy and Security Act of 2007

Besides state and federal data-breach notification, organizations formed in the United States are also bound by the following laws that relate to protection and proper disclosure of data:
- Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets national standards for protecting health information.
- Gramm-Leach-Bliley Act (GLB) establishes privacy rules for the financial industry.
- Sarbanes-Oxley (SOX) governs financial and accounting disclosure information.

Notification of affected customers should be a part of an organization’s incident response plan. If an organization resides in an area that is not subject to a specific notification law, they should adhere to common law liability and treat each incident on a case-by-case basis. Different countries mandate different customer notification approaches. Being aware of this is especially important in a global economy.

The U.S. Supreme Court made changes to the Federal Rules of Civil Procedure that make requests for electronic data a standard part of the discovery process during civil lawsuits. The changes took effect December 1, 2006. Therefore, organizations need to have a record-retention policy. This topic is covered in further detail in the “Security-Related Human Resources Policy” section later in this chapter.

The point is, it is imperative to know legal ramifications if there is an incident. You should check the state laws concerning privacy, liability, and spam. For example, assume your state has an antispam law. Your company email server has an open relay on it allowing it to be used for spamming purposes. A spammer sends email about the price of gasoline in Europe to 500,000 people. First, your Internet service provider (ISP) puts you on the spammers list, and you must fix the open relay before you can send any email. You have also been reported for spamming, and the fine per incident is $10 per mail. This proves fatal to the company. This could put a company out of business even if you have insurance because there’s a good chance the insurance company will not cover this type of incident.

Secure Disposal of Computers and Media
ISO 17799, particularly sections 7 and 8, has established standards for dealing with the proper disposal of obsolete hardware. Standards dictate that equipment owned/used by the organization should be disposed of only in accordance with approved procedures, including independent verification that the relevant security risks have been mitigated. This policy addresses issues that should be considered when disposing of old computer hardware, either for recycle, donation, disposal, or resale. The most prominent example of a security risk involved is that the hard disk inside the computer has not been completely or properly wiped. Stories about this exact problem surface on almost a daily basis. Remnants of legacy data from old systems may still be accessible. When implementing a policy on the secure disposal of outdated equipment, a wide range of scenarios need to be considered, such as the following:
- Breaches of health and safety requirements
- Inadequate disposal planning results in severe business loss
- Disposal of old equipment that is necessary to read archived data
- Theft of equipment in use during cleanup of unwanted equipment

Some resources, such as hard drives, might require very extensive preparations before they may be discarded. Besides properly disposing of old hardware, removable media disposal is just as important. There is a proper way to handle removable media when either the data should be overwritten or is no longer useful or pertinent to the organization. The following methods are acceptable to use for media sanitation:
- Declassification—A formal process of assessing the risk involved in discarding particular information.
- Sanitization—The process of removing the contents from the media as fully as possible, making it extremely difficult to restore.
- Degaussing—This method uses an electrical device to reduce the magnetic flux density of the storage media to zero.
- Overwriting—This method is applicable to magnetic storage devices.
- Destruction—The process of physically destroying the media and the information stored on it.

TIP
An organization’s information sensitivity policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity.

Acceptable Use Policies
An organization’s acceptable use policy must provide details that specify what users may do with their network access. This includes email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. An acceptable use policy should contain these main components:
- Clear, specific language
- Detailed standards of behavior
- Detailed enforcement guidelines and standards
- Outline of acceptable and not acceptable uses
- Consent forms
- Privacy statement
- Disclaimer of liability

The organization should be sure the acceptable use policy complies with current state and federal legislation and does not create unnecessary business risk to the company by employee misuse of resources. This way you can be sure that any legal ramifications are covered. Upon logon, show a statement to the effect that network access is granted under certain conditions and that all activities may be monitored. It is important to provide users the least possible access rights while allowing them to fulfill legitimate actions.

Password Complexity
The organization’s password policy specifies password requirements, including length, strength, history, and required rate of change. Password policies were discussed in detail in Chapter 4, “Infrastructure Security and Controls.” Although the organization may have password policies in place, allowing users to create their own passwords produces an unsecure environment because users typically choose passwords that contain easy-to-remember words. A weak password might be very short or only use alphanumeric characters, containing information easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password. On the other end of the spectrum, if the passwords are too difficult to remember, users will write them down and post them on monitors, keyboards, and any number of easy-to-find places.
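A checker for the weak-password traits just described, as an added example that is not from the book: it enforces a constructed policy of at least nine characters mixing letters, digits and special characters, and rejects passwords built from words someone profiling the user could guess (birthday, nickname, pet or relative names, or common words such as God, love, money, or password). The user profile and sample passwords are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed policy values for this example; the real numbers come from the
# organization's password standard.
MIN_LENGTH = 9
COMMON_WORDS = ("god", "love", "money", "password")


@dataclass
class UserProfile:
    """Facts someone profiling the user could easily learn (constructed fields)."""
    first_name: str
    nickname: str = ""
    pet_name: str = ""
    street_name: str = ""
    birthday: str = ""                 # ISO date, e.g. "1975-08-08"
    relatives: list = field(default_factory=list)

    def guessable_tokens(self) -> set:
        """Lower-case strings of three or more characters a weak password might embed."""
        tokens = {self.first_name, self.nickname, self.pet_name, self.street_name}
        tokens.update(self.relatives)
        if self.birthday:
            year, month, day = self.birthday.split("-")
            # common ways people fold a birthday into a password
            tokens.update({year, month + day, month + day + year[2:], year[2:] + month + day})
        return {t.lower() for t in tokens if len(t) >= 3}


def check_password(password: str, profile: UserProfile) -> list:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for token in sorted(profile.guessable_tokens()):
        if token in lowered:
            problems.append(f"contains profile data '{token}'")
    return problems


# Constructed sample user; the checks above run against her profile.
PROFILE = UserProfile("Diane", nickname="Di", pet_name="Rex", street_name="Elm",
                      birthday="1975-08-08", relatives=["Joan"])

if __name__ == "__main__":
    for candidate in ("Rex1975!", "Joan0808!", "Summer2009", "Password123!", "gtF8809@J"):
        print(candidate, check_password(candidate, PROFILE) or "OK")
```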

Organizational policies should include training to educate users to create stronger passwords from events or things the user knows. For example, let’s say that the password must be nine characters long and must be a combination of letters, numbers, and special characters. The phrase “Going to Fiji on August 8, 2009 with Joan” can become gtF8809@J. The user is going to Fiji on August 8, 2009, with his spouse named Joan. Now you have a complex password that is easy for the user to remember. Alternatively, users can use a phrase that has more than 13 characters so that password-cracking utilities will not be able to crack it. For example, using the password ThisisDiane@sTempPa33w0rd creates a longer string than most programs can crack. Strong password policies help protect the network from hackers and define the responsibilities of users who have been given access to company resources. You should have all users read and sign security policies as part of their employment process and provide periodic training.

Change Management
All configuration changes should be documented. Many companies are lacking in this area. We are often in a hurry to make changes and say we will do the documentation later—most of the time, that doesn’t happen. You should realize that documentation is critical. It eliminates misunderstandings and serves as a trail if something goes wrong down the road. Change documentation should include the following:
- The name of the authority who approved the changes
- A list of the departments that will be involved in performing the changes and the names of their supervisors
- What the immediate effect of the change will be
- What the long-term effect of the change will be
- The date and time the change will occur
- Specific details, such as the files being replaced, the configuration being changed, the machines or operating systems affected, and so on

After the change has occurred, the following should be added to the documentation:
- Specific problems and issues that occurred during the process
- Any known workarounds if issues have occurred
- Recommendations and notes on the event

After the change has been requested, documented, and approved, you should then send out notification to the users so that they will know what to expect when the change has been implemented.

Classification of Information
ISO 17799 can help an organization establish information classification criteria. It is essential to classify information according to its value and level of sensitivity so that the appropriate level of security can be used. A system of classification should be easy to administer, effective, and uniformly applied throughout the organization. It is recommended to limit the number of information classification levels in your organization. Organizational information that is not public should not be disclosed to anyone who is not authorized to access it. The organization should have a strict policy in place for violations that could result in disciplinary proceedings against the offending individual. Following are two different options. The first divides information into four classifications:
- Class 1: Public information—Data available in the public domain.
- Class 2: Internal information—Should this data become public, the consequences are not critical.
- Class 3: Confidential information—Should this data become public, it could influence the organization’s operational effectiveness and cause financial loss.
- Class 4: Secret information—This data is critical to the company, should be accessed by very few, and should never become public.

The next example adds an additional class:
- Top secret—Highly sensitive internal documents and data. This is the highest security level possible.

- Highly confidential—Information that is considered critical to the organization’s ongoing operations. Security should be very high.
- Proprietary—Internal information that defines the way in which the organization operates. Security should be high.
- Internal use only—Information that is unlikely to result in financial loss or serious damage to the organization. This is a restricted but normal security level.
- Public documents—Information in the public domain. This is a minimal security level.

When classifications are established, they should be adhered to and closely monitored. All too often, top secret documents end up on unsecured family computers. The important thing to remember here is to document how your data classifications correlate to your security objectives. Data classifications can also help when submitting discoverable information subject to the Federal Rules of Civil Procedure should the organization be involved in a lawsuit.

Separation of Duties and Mandatory Vacations
Too much power can lead to corruption, whether it is in politics or network administration. Most governments and other organizations implement some type of a balance of power through a separation of duties. This part of the policy outlines the manner in which a user is associated with necessary information and system resources. It is important to include a separation of duties when planning for security policy compliance. Often, you will find this in financial institutions, where to violate the security controls, all the participants in the process would have to agree to compromise the system. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Without this separation, all areas of control and compliance may be left in the hands of a single individual. For security purposes, avoid having one individual who has complete control of a transaction or process from beginning to end and implement policies such as job rotation, mandatory vacations, and cross-training. Users should be required to take mandatory vacations as part of the organization’s security policy. There must be other employees who can do the job of each employee so that corruption does not occur. It is imperative that all employees are adequately cross-trained and only have the level of access necessary to perform normal duties.

Personally Identifiable Information
Privacy-sensitive information is referred to as personally identifiable information (PII). This is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Examples of PII are name, address, phone number, fax number, email address, financial profiles, Social Security number, and credit card information. To be considered PII, information must be specifically associated with an individual person. Information provided either anonymously or not associated with its owner before collection is not considered PII. Unique information such as a personal profile, unique identifier, biometric information, and IP address that is associated with PII can also be considered PII. The California Online Privacy Protection Act of 2003 (OPPA), which became effective on July 1, 2004, requires owners of commercial websites or online services to post a privacy policy. OPPA requires that each operator of a commercial website conspicuously post a privacy policy on its website. The privacy policy itself must contain the following features:
- A list of the categories of PII the operator collects
- A list of the categories of third parties with whom the operator may share such PII
- A description of the process by which the consumer can review and request changes to his or her PII collected by the operator
- A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy
- The effective date of the privacy policy

Other federal and state laws may apply to PII. In addition, other countries have laws as to what information can be collected and stored by organizations. As with most of the information in this chapter, it is imperative that you know the regulations that govern the digital terrain in which your organization operates. The organization then has an obligation to be sure proper policies and procedures are in place.


Due Care
An organization may be negligent in its duties if it fails to take common and necessary precautions to avoid a security threat. It also may be negligent if its actions contribute to an environment that allows a security threat to happen. For example, if an employee hacks into a vendor’s network, the company can be held liable for lack of due care. Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Because of this, it is important to establish clear lines of responsibility and expectations for users and administrators. Due care is based on best practices and what a prudent organization would do in a similar case. In other words, it involves doing the right thing and acting responsibly. Your security policy must specify how your organization operates within applicable laws and regulations to ensure data privacy. This is especially important in industries that now have to comply with legislation. Users and administrators must be made aware of privacy issues and the consequences of unintentional disclosure of private data that may arise over web, email, and instant messaging traffic within the organization’s network. All employees should be familiar with and exercise due care when dealing with organizational assets.

Due Diligence
Due diligence can have several connotations that relate to technology. Generally, due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. In this context, it may be used in connection with a due diligence investigation of a vendor, outsourcing agency, venture capital investment, or a partnering entity. This entails the request for various kinds of documents from the company to be used in connection with a legal due diligence investigation. Due diligence is a way of preventing unnecessary harm to either party involved in the transaction. Due diligence can also be used internally. This is the process of investigation, such as an examination of operations and management and the verification of material facts. This is basically an investigation or audit to confirm all material facts. Many times, due diligence is done to assess the viability of the organization or to ensure that they have adequate controls and procedures in place so that they know the vendors and customers with whom they are dealing. This is particularly important in the banking industry. Adequate due diligence on new and existing customers is a key part of controls and oversight. Without due diligence, banks can become subject to reputation, operation, and legal risks, resulting in significant financial cost. Again, it is important to know the market in which you operate and what is expected of the organization.

Due Process
Due process is the concept that laws and legal proceedings must be fair. The U.S. Constitution guarantees that before depriving a citizen of life, liberty, or property, government must follow fair procedures. Other countries may have similar laws in effect. As an organization, policies and procedures must comply with the basic rights of the individual. How this affects the organization depends on the type of employer. In the United States, most private-sector employees are governed by the employment-at-will doctrine. This means that both an employer and an employee have the privilege to end a working relationship without prior notice or explanation. All federal, state, and local government employees are protected by the Fifth and Fourteenth Amendments. These prohibit the government from depriving any person of life, liberty, or property without due process of law. Government employees’ services cannot be terminated under circumstances that violate the U.S. Constitution or the constitution of the state in which they work. They have the right to due process in cases of arbitrary dismissals not linked to job performance. Before termination, a government employer has to offer a reasonable explanation to the employee and provide a proper channel for the employee to answer those charges. If the charges are going to impede future job prospects, the employee has the right to a name-clearing hearing.

Service Level Agreements
Service level agreements (SLAs) are part of every organization. The purpose of a SLA is to establish a cooperative partnership, bring both sides together, and map out each party’s responsibilities. SLAs can help you determine what you will provide to your client, what is beyond your responsibility, and who should be contacted when something goes wrong. SLAs spell out the processes, service expectations, and service metrics. The organization should make sure that the affected staff is aware of the terms of each SLA. Failure to comply can result in a violation of the SLA and potential nullification of any vendor warranties or liabilities. When SLAs are established, change, monitoring, and testing procedures should be in place. Changes to a SLA should be handled under agreed change-control procedures.


Security-Related Human Resources Policy
Human resources (HR) policies and practices should reduce the risk of theft, fraud, or misuse of information facilities by employees, contractors, and third-party users. The primary legal and HR representatives should review all policies, especially privacy issues, legal issues, and HR enforcement language. Legal and HR review of policies is required in many, if not most, organizations. Security planning must include procedures for the creation and authorization of accounts for newly hired personnel and the planned removal of privileges following employment termination. When termination involves power users with high-level access rights or knowledge of service administrator passwords, it is critical to institute password and security updates to exclude known avenues of access while also increasing security monitoring for possible reprisals against the organization. The hiring process should also include provisions for making new employees aware of acceptable use and disposal policies and the sanctions that may be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees should subscribe, particularly power users with broad administrative rights.

User Education and Awareness Training
One of the most powerful tools available to a security administrator is the body of network users, who may notice and draw attention to unusual access methods or unexpected changes. This same body of users also creates the greatest number of potential security holes because each user may be unaware of newly emerging vulnerabilities, threats, or required standards of action and access that must be followed. Like a chain, a network is only as secure as its weakest link— and users present a wide variety of bad habits, a vast range of knowledge, and varying intent in access.

TIP
When planning for user notification of new threats, such as a virus or an email-distributed agent of mischief, it is crucial that your solution includes a means of communication other than that affected by the potential threat. For example, it will do little good to warn users of a new email bomb via email if the bomb has already affected your avenue of distribution.

User education is mandatory to ensure that users are made aware of expectations, options, and requirements related to secure access within an organization’s network. Education may include many different forms of communication, including the following:
- New employees and contract agents should be provided education in security requirements as a part of the hiring process.
- Reminders and security-awareness newsletters, emails, and flyers should be provided to raise general security awareness.
- General security policies must be defined, documented, and distributed to employees.
- Regular focus group sessions and on-the-job training should be provided for users regarding changes to the user interface, application suites, and general policies.
- General online security-related resources should be made available to users through a simple, concise, and easily navigable interface.

Although all the previously mentioned practices are part of a security-awareness training program, security training during employee orientation combined with yearly seminars is the best choice, as these are active methods of raising security awareness. Email and posters are passive and tend to be less effective.

CAUTION
It is important to locate a suitable upper-level sponsor for security initiatives to ensure that published security training and other requirements are applied to all users equally. Hackers, crackers, and other agents seeking unauthorized access often search for highly placed users within an organization who have exempted themselves from standard security policies.

The Importance of Environmental Controls
The location of everything from the actual building to wireless antennas affects security. When picking a location for a building, an organization should investigate the type of neighborhood, population, crime rate, and emergency response times. This will help in the planning of the physical barriers needed, such as fencing, lighting, and security personnel. An organization must also analyze the potential dangers from natural disasters and plan to reduce their impact when possible.


When protecting computers, wiring closets, and other devices from physical damage due to either natural or manmade disasters, you must select their locations carefully. Proper placement of the equipment should cost a company little money upfront yet provide significant protection from possible loss of data due to flooding, fire, or theft.

Fire Suppression
Fire is a danger common to all business environments and one that must be planned for well in advance of any possible occurrence. The first step in a fire safety program is fire prevention. The best way to prevent fires is to train employees to recognize dangerous situations and report these situations immediately. Knowing where a fire extinguisher is and how to use it can stop a small fire from becoming a major catastrophe. Many of the newer motion- and ultrasonic-detection systems also include heat and smoke detection for fire prevention. These systems alert the monitoring station of smoke or a rapid increase in temperature. If a fire does break out somewhere within the facility, a proper fire-suppression system can avert major damage. Keep in mind that laws and ordinances apply to the deployment and monitoring of a fire-suppression system. It is your responsibility to ensure that these codes are properly met. In addition, the organization should have safe evacuation procedures and periodic fire drills to protect its most important investment: human life. Fire requires three main components to exist: heat, oxygen, and fuel. Eliminate any of these components and the fire goes out. A common way to fight fire is with water. Water attempts to take away oxygen and heat. A wet-pipe fire-suppression system is the one that most people think of when discussing an indoor sprinkler system. The term wet is used to describe the state of the pipe during normal operations. The pipe in the wet-pipe system has water under pressure in it at all times. The pipes are interconnected and have sprinkler heads attached at regularly spaced intervals. The sprinkler heads have a stopper held in place with a bonding agent designed to melt at an appropriate temperature. After the stopper melts, it opens the valve and allows water to flow from the sprinkler head and extinguish the fire. Keep in mind that electronic equipment and water don’t get along well. Fires that start outside electrical areas are well served by water-based sprinkler systems. Also keep in mind that all these systems should have both manual activation and manual shutoff capabilities. You want to be able to turn off a sprinkler system to prevent potential water damage. Most systems are designed to activate only one head at a time. This works effectively to put out fires in the early stages.

The Importance of Environmental Controls

Dry-pipe systems work in exactly the same fashion as wet-pipe systems, except that the pipes are filled with pressurized air rather than water. The stoppers work on the same principle. When the stopper melts, the air pressure is released, and a valve in the system opens. One of the reasons for using a dry-pipe system is that when the outside temperature drops below freezing, any water in the pipes will freeze, causing them to burst. Another reason for choosing a dry-pipe system is the delay between system activation and the actual delivery of water. Because some laws require a sprinkler system even in areas of the building that house electrical equipment, there is enough of a delay that it is feasible for someone to manually deactivate the system before water starts to flow. In such a case, a company could deploy a dry-pipe system and a chemical system together. The delay in the dry-pipe system can be used to deploy the chemical system first and avoid serious damage to the running equipment from a water-based sprinkler system.

EXAM ALERT
Know the difference between the different types of fire-suppression systems.

For Class A fires (trash, wood, and paper), water will decrease the fire’s temperature and extinguish its flames. Foam is usually used to extinguish Class B fires, which are fueled by flammable liquids, gases, and greases. Liquid foam mixes with air while passing through the hose and the foam. Class C fires (energized electrical equipment, electrical fires, and burning wires) are put out using extinguishers based on carbon dioxide or halon. Halon was once used as a reliable, effective, and safe fire protection tool, but in 1987 an international agreement known as the Montreal Protocol mandated the phaseout of halons in developed countries by the year 2000 and in less-developed countries by 2010, due to emissions concerns. Therefore, carbon dioxide extinguishers have replaced halon extinguishers. They don’t leave a harmful residue, making them a good choice for an electrical fire on a computer or other electronic devices. Class D fires are fires that involve combustible metals such as magnesium, titanium, and sodium. The two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder.


Chapter 12: Organizational Controls

HVAC
Cooling requirements of computer data centers and server rooms need to be taken into consideration when doing facilities planning. The amount of heat generated by some of this equipment is extreme and highly variable. Depending on the size of the space, age, and type of equipment the room contains, energy consumption typically ranges from 20 to 100 watts per square foot. Newer servers, although smaller and more powerful, may consume more energy. Therefore, some high-end facilities with state-of-the-art technology may require up to 400 watts per square foot. These spaces consume many times more energy than office facilities of equivalent size and must be planned for accordingly. Smaller, more powerful IT equipment is considerably hotter than older systems, making heat management a major challenge.

When monitoring the HVAC system, keep in mind that overcooling causes condensation on equipment, and air that is too dry leads to excessive static. The area should be monitored for hot spots and cold spots, where one area is frigid directly under a vent while another area is still hot. Water or drain pipes above the facility also raise a concern about upper-floor drains clogging. One solution is to use rubberized floors above the data center or server room. Above all else, timely A/C maintenance is required.

In addition to temperature monitoring, humidity should be monitored. Humidity is a measurement of moisture content in the air. A high level of humidity can cause components to rust and degrade electrical resistance or thermal conductivity. A low level of humidity can subject components to electrostatic discharge (ESD), causing damage; at extremely low levels, components may be affected by the air itself. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends optimal humidity levels in the 40% to 55% range.
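A monitoring check built from the guidance in this section (an added example, not the book's own material): it flags humidity outside the 40% to 55% band, hot and cold spots relative to the rest of the room, and condensation risk where an overcooled surface sits near the dew point. The dew point uses the Magnus approximation, which goes beyond what the chapter states; all sensor readings are constructed.

```python
"""Server-room environmental check (added example, not from the book).
Applies the chapter's guidance to a set of constructed sensor readings:
ASHRAE humidity band of 40% to 55%, hot/cold spots relative to the room,
and condensation risk when a cold surface approaches the dew point."""
import math
from statistics import median

HUMIDITY_LOW, HUMIDITY_HIGH = 40.0, 55.0  # ASHRAE range cited in the chapter
SPOT_DELTA_C = 5.0                        # deviation that marks a hot/cold spot
CONDENSATION_MARGIN_C = 2.0               # alert when surface is this close to dew point


def dew_point_c(temp_c, rh_percent):
    """Dew point (deg C) via the Magnus approximation.
    Assumption beyond the chapter: valid for ordinary room conditions."""
    a, b = 17.62, 243.12
    gamma = a * temp_c / (b + temp_c) + math.log(rh_percent / 100.0)
    return b * gamma / (a - gamma)


def assess_readings(readings):
    """readings: list of dicts with keys location, air_c, rh, surface_c.
    Returns a list of (location, issue) tuples, one per finding."""
    issues = []
    room_median = median(r["air_c"] for r in readings)
    for r in readings:
        loc = r["location"]
        # Humidity outside the recommended band: dry air invites ESD,
        # damp air corrodes contacts and changes resistance.
        if r["rh"] < HUMIDITY_LOW:
            issues.append((loc, "humidity low: ESD risk"))
        elif r["rh"] > HUMIDITY_HIGH:
            issues.append((loc, "humidity high: corrosion risk"))
        # Hot spots and cold spots are judged against the room as a whole,
        # not against a fixed setpoint.
        if r["air_c"] - room_median >= SPOT_DELTA_C:
            issues.append((loc, "hot spot"))
        elif room_median - r["air_c"] >= SPOT_DELTA_C:
            issues.append((loc, "cold spot"))
        # Overcooling: a surface at or near the dew point collects condensation.
        dp = dew_point_c(r["air_c"], r["rh"])
        if r["surface_c"] - dp <= CONDENSATION_MARGIN_C:
            issues.append((loc, "condensation risk: surface near dew point"))
    return issues


# Constructed readings: two healthy racks, an overcooled, damp spot under a
# vent, and a hot, dry rack at the far end of the room.
SAMPLE_READINGS = [
    {"location": "rack A1", "air_c": 22.0, "rh": 48.0, "surface_c": 30.0},
    {"location": "rack A2", "air_c": 21.5, "rh": 50.0, "surface_c": 29.0},
    {"location": "under vent", "air_c": 15.0, "rh": 70.0, "surface_c": 10.0},
    {"location": "rack C4", "air_c": 29.0, "rh": 25.0, "surface_c": 38.0},
]

if __name__ == "__main__":
    for location, issue in assess_readings(SAMPLE_READINGS):
        print(f"{location}: {issue}")
```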

Shielding
One risk that is often overlooked is electronic and electromagnetic emissions. Electrical equipment generally gives off electrical signals. Monitors, printers, fax machines, and even keyboards use electricity. These electronic signals are said to “leak” from computer and electronic equipment. Shielding seeks to reduce this output. The shielding can be local, cover an entire room, or cover a whole building, depending on the perceived threat. We’re going to look at two types of shielding: TEMPEST and Faraday cages.

TEMPEST is a code word developed by the U.S. government in the 1950s. It is an acronym built from the Transient Electromagnetic Pulse Emanation Standard. It describes standards used to limit or block electromagnetic emanation (radiation) from electronic equipment. TEMPEST has since grown in its definition to include the study of this radiation. Individual pieces of equipment are protected through extra shielding that helps prevent electrical signals from emanating. This extra shielding is a metallic sheath surrounding connection wires for mouse, keyboard, and video monitor connectors. It can also be a completely shielded case for the motherboard, CPU, hard drive, and video display system. This protection prevents the transfer of signals through the air or nearby conductors, such as copper pipes, electrical wires, and phone wires. You are most likely to find TEMPEST equipment in government, military, and corporate environments that process government/military classified information. Because this can be costly to implement, protecting an area within a building makes more sense than protecting individual pieces of equipment. A more efficient way to protect a large quantity of equipment from electronic eavesdropping is to place the equipment into a well-grounded metal box called a Faraday cage, which is named after its inventor, Dr. Michael Faraday. The box can be small enough for a cell phone or can encompass an entire building. The idea behind the cage is to protect its contents from electromagnetic fields. Figure 12.1 shows an example of a Faraday cage.
FIGURE 12.1 Configuration of a Faraday cage that completely encloses the contents. (Figure label: "Contents completely enclosed.")

The cage surrounds an object with interconnected and well-grounded metal. The metal used is typically a copper mesh that is attached to the walls and covered with plaster or drywall. The wire mesh acts as a net for stray electric signals, either inside or outside the box.

Shielding also should be taken into consideration when choosing cable types and the placement of cable. Coaxial cable was the first type of cable used to network computers. Coaxial cables are made of a thick copper core with an outer metallic shield to reduce interference. Coaxial cables have no physical transmission security and are very simple to tap without being noticed or interrupting regular transmissions. The electric signal, conducted by a single core wire, can easily be tapped by piercing the sheath. It would then be possible to eavesdrop on the conversations of all hosts attached to the segment because coaxial cabling implements broadband transmission technology and assumes many hosts are connected to the same wire. Another security concern of coaxial cable is reliability. Because no focal point is involved, a faulty cable can bring the whole network down. Missing terminators or improperly functioning transceivers can cause poor network performance and transmission errors.

Twisted-pair cable is used in most of today’s network topologies. Twisted-pair cabling is either unshielded (UTP) or shielded (STP). UTP is popular because it is inexpensive and easy to install. UTP consists of eight wires twisted into four pairs. The design cancels much of the overflow and interference from one wire to the next, but UTP is subject to interference from outside electromagnetic sources, and is prone to radio frequency interference (RFI) and electromagnetic interference (EMI) as well as crosstalk. STP is different from UTP in that it has shielding surrounding the cable’s wires. Some STP has shielding around the individual wires, which helps prevent crosstalk. STP is more resistant to EMI and is considered a bit more secure because the shielding makes wire tapping more difficult. Both UTP and STP are possible to tap, although it is physically a little trickier than tapping coaxial cable because of the physical structure of STP and UTP cable. With UTP and STP, a more inherent danger lies in the fact that it is easy to add devices to the network via open ports on unsecured hubs and switches. These devices should be secured from unauthorized access, and cables should be clearly marked so a visual inspection can let you know whether something is awry. Also, software programs that can help detect unauthorized devices are available.

The plenum is the space between the ceiling and the floor of a building’s next level. It is commonly used to run network cables, which must be of plenum grade. Plenum cable is a grade that complies with fire codes. The outer casing is more fire-resistant than regular twisted-pair cable.

Fiber was designed for transmissions at higher speeds over longer distances. It uses light pulses for signal transmission, making it immune to RFI, EMI, and eavesdropping. Fiber-optic wire has a plastic or glass center, surrounded by another layer of plastic or glass with a protective outer coating. On the downside, fiber is still quite expensive compared to more traditional cabling, it is more difficult to install, and fixing breaks can be costly. As far as security is concerned, fiber cabling eliminates the signal tapping that is possible with coaxial cabling. It is impossible to tap fiber without interrupting the service and using specially constructed equipment. This makes it more difficult to eavesdrop or steal service.

The Risks of Social Engineering
One area of security planning that is often considered the most difficult to adequately secure is the legitimate user. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. It is extremely successful because it relies on human emotions. Common examples of social engineering attacks include the following:
• An attacker calls a valid user pretending to be a guest, temp agent, or new user asking for assistance in accessing the network or details involving the business processes of the organization.
• An attacker contacts a legitimate user, posing as a technical aide attempting to update some type of information, and asks for identifying user details that may then be used to gain access.
• An attacker poses as a network administrator, directing the legitimate user to reset his password to a specific value so that an imaginary update may be applied.
• An attacker provides the user with a “helpful” program or agent, through email, a website, or other means of distribution. This program may require the user to enter logon details or personal information useful to the attacker, or it may install other programs that compromise the system’s security.

Another form of social engineering has come to be known as reverse social engineering. Here, an attacker provides information to the legitimate user that causes the user to believe the attacker is an authorized technical assistant. This may be accomplished by obtaining an IT support badge or logo-bearing shirt that validates the attacker’s legitimacy, by inserting the attacker’s contact information for technical support in a secretary’s Rolodex, or by making himself known for his technical skills by helping people around the office.

Many users would rather ask assistance of a known nontechnical person who they know to be skilled in computer support rather than contact a legitimate technical staff person, who may be perceived as busy with more important matters. An attacker who can plan and cause a minor problem will then be able to easily correct this problem, gaining the confidence of the legitimate user while being able to observe operational and network configuration details and logon information, and potentially being left alone with an authorized account logged on to the network.

Phishing
Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email. Phishing attacks rely on a mix of technical deceit and social engineering practices. In the majority of cases, the phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. The messages often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites. As scam artists become more sophisticated, so do their phishing email messages. Here is a list of the most common ones:
• Verify your account—Businesses do not ask you to send personal information through email.
• If you don’t respond within 48 hours, your account will be closed—These messages have an urgent tone so that you’ll respond without thinking.
• Dear Valued Customer, as part of our continuing commitment to providing excellent service, we require that you update your account—This is a bulk email message.
• Click the link below to gain access to your account—The links that you are urged to click appear to be legitimate, but they are not. They look similar to the vendor’s website, but when examined more closely are fraudulent.

For best protection, proper security technologies and techniques must be deployed at the client side, the server side, and the enterprise level. However, the best defense is user education. Ideally, users should not be able to directly access email attachments from within the email application.
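The message traits listed above turned into a defensive mail-filter check (an added example, not code from the book): it flags the listed phrases, deadline pressure, and links whose visible text names one site while the href points to another. The sample messages, domain names and the small domain helper are constructed for the demonstration.

```python
"""Phishing indicator check for an email body (added example, not from the
book). Looks for the traits the chapter lists: account verification or
update requests, urgent deadlines, generic salutations, and links whose
displayed text looks like one site while the href goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording the chapter lists as typical of phishing messages.
SUSPECT_PHRASES = [
    "verify your account",
    "update your account",
    "your account will be closed",
    "click the link below",
    "dear valued customer",
]
URGENCY_RE = re.compile(r"within\s+\d+\s+hours?", re.IGNORECASE)
# A domain-looking token inside the visible link text, e.g. www.bank.com/login.
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Constructed helper: last two labels of a hostname (no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mismatched_links(html):
    """Return hrefs whose visible text names a different site than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if not shown:
            continue  # plain link text such as "Meeting minutes" proves nothing
        href_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(href_host):
            bad.append(href)
    return bad


def phishing_indicators(html):
    """Return the names of all indicators found in the message, in a fixed order."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    found = [p for p in SUSPECT_PHRASES if p in text]
    if URGENCY_RE.search(text):
        found.append("deadline pressure")
    if mismatched_links(html):
        found.append("link text/href mismatch")
    return found


# Constructed samples; the domains are placeholders, not real sites.
PHISH_SAMPLE = (
    "<p>Dear Valued Customer, as part of our continuing commitment to "
    "providing excellent service, we require that you update your account. "
    "If you don't respond within 48 hours, your account will be closed.</p>"
    '<p><a href="http://login.examplebank-secure.test/">'
    "www.examplebank.com/login</a></p>"
)
LEGIT_SAMPLE = (
    "<p>Hi Dana, the minutes from Tuesday's meeting are attached.</p>"
    '<p><a href="https://intranet.example.test/minutes">Meeting minutes</a></p>'
)

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH_SAMPLE))
    print("legit:", phishing_indicators(LEGIT_SAMPLE))
```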

Hoaxes
Hoaxes were described in Chapter 6, “Securing Communications,” in the “Undesirable Email” section. Although they present issues such as loss of functionality or security vulnerabilities, they also use system resources and consume users’ time. This results in lost productivity and an undue burden on the organization’s resources, especially if many employees respond. Many organizations do not allow employees to send mass emails for this reason, or policies should spell out what is acceptable. Organizational security awareness and training programs should alert employees to this type of situation and instruct them to not respond.

Shoulder Surfing
Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or supermarkets because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password. Shoulder surfing can also be done long-distance with the aid of binoculars or other vision-enhancing devices. The immediate solution to prevent shoulder surfing is to shield paperwork or your keypad from view by using your body or cupping your hand. Biometrics and gaze-based password entry makes gleaning password information difficult for the unaided observer while retaining the simplicity and ease of use for the user.

Dumpster Diving
As humans, we naturally seek the path of least resistance. Instead of shredding documents or walking them to the recycle bin, they are often thrown in the wastebasket. Equipment sometimes is put in the garbage because city laws do not require special disposal. Because intruders know this, they scavenge discarded equipment and documents, called dumpster diving, and extract sensitive information from it without ever contacting anyone in the organization. In any organization, what ends up in the garbage can be a goldmine for an intruder. What happens when employees are leaving the organization? They clean out their desks. Depending on how long the employees have been there, the potential that an intruder can gain access to this type of information is huge.

Other potential sources of information that are commonly thrown in the garbage include the following:
• Old company directories
• Employee manuals
• Training manuals
• Old QA or testing analysis
• Floppy disks
• CDs
• Hard drives
• Printed emails

Proper disposal of data and equipment should be part of the organization’s security policy. It is prudent to have a policy in place that requires shredding of all documents and security erasure of all types of storage media before they may be discarded.

User Education and Awareness Training
Users must be trained to avoid falling victim to social engineering attacks. Human behavior is difficult, if not impossible, to predict. This should be an ongoing process. Some guidelines for information to be included in user training may consist of the following points:
• What to do when an administrator calls and asks for a user’s password
• What to say to a vice president who has forgotten his password and needs it right away
• What to say to a sales representative who is at a customer site doing a demonstration and has forgotten the website password
• How to address someone who has her hands full and asks for help getting into a secure area
• How to react to someone who has piggybacked into the building
• What procedure should be followed when a vendor comes into the building to work on the servers
• What items can and cannot go in the trash or recycle bin and what paperwork must be shredded

As new methods of social engineering come out, so must new training methods. The scope of the training should be done so that management has a different type of training than the users. Management training should focus on the ramifications of social engineering, such as the liability of the company when a breach happens, the financial damage that can happen, and how this can affect the reputation or credibility of the company.

EXAM ALERT
Planning, training, regular reminders, and firm and clear security policies are important when you’re attempting to minimize vulnerabilities created by social engineering.

Exam Prep Questions
1. Which of the following would be defined in an acceptable use policy? (Choose the three best answers.)
❍ A. Detailed standards of behavior
❍ B. Detailed enforcement guidelines and standards
❍ C. Privacy statement
❍ D. Background check consent forms

2. Which of the following is a well-grounded metal structure used to protect a large quantity of equipment from electronic eavesdropping?
❍ A. TEMPEST
❍ B. Degausser
❍ C. Faraday cage
❍ D. Sonar

3. An attacker offers her business card as an IT solution provider and then later causes a user’s computer to appear to fail. What is this an example of?
❍ A. Reverse social engineering
❍ B. Social engineering
❍ C. Separation of duties
❍ D. Inverse social engineering

4. Which of the following security policies would identify that a user may be fined for using email to run a personal business?
❍ A. Acceptable use
❍ B. Due diligence
❍ C. Due care
❍ D. Separation of duties

5. What is the difference between a wet-pipe and a dry-pipe fire-suppression system?
❍ A. A dry-pipe system uses air to suppress fire, whereas a wet-pipe system uses water.
❍ B. A dry-pipe system uses dry chemicals, whereas a wet-pipe system uses wet chemicals.
❍ C. A wet-pipe system has water in the pipe at all times, whereas in a dry-pipe system water is used but is held back by a valve until a certain temperature is reached.
❍ D. A wet-pipe system uses wet chemicals that deploy after the pipe loses air pressure, whereas a dry-pipe system uses dry chemicals that deploy before the pipe loses air pressure.

6. When implementing a policy on the secure disposal of outdated equipment, which of the following needs to be considered? (Choose all that apply.)
❍ A. Breaches of health and safety requirements.
❍ B. Remnants of legacy data from old systems may still be accessible.
❍ C. Inadequate disposal planning results in severe business loss.
❍ D. Disposal of old equipment that is necessary to read archived data.

7. Which of the following tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed?
❍ A. Incident response
❍ B. Due diligence
❍ C. Chain of custody
❍ D. Due process

8. Which of the following security policies would require users to take mandatory vacations?
❍ A. Acceptable use
❍ B. Due diligence
❍ C. Due care
❍ D. Separation of duties

9. Which of the following are examples of social engineering? (Choose the two best answers.)
❍ A. An attacker configures a packet sniffer to monitor user logon credentials.
❍ B. An attacker sets off a fire alarm so that he can access a secured area when the legitimate employees are evacuated.
❍ C. An attacker waits until legitimate users have left and sneaks into the server room through the raised floor.
❍ D. An attacker obtains an IT office T-shirt from a local thrift store and takes a user’s computer for service.
❍ E. An attacker unplugs a user’s network connection and then offers to help try to correct the problem.

10. Which of the following best describes the objective of a service-level agreement (SLA)?
❍ A. Guidelines for reporting organizational security breaches
❍ B. Requests for electronic data during federal lawsuits
❍ C. Investigative and analytical techniques to acquire and protect potential legal evidence
❍ D. Contracts with suppliers that detail levels of support that must be provided

Answers to Exam Prep Questions
1. A, B, C. An acceptable use policy should contain these components: detailed standards of behavior, detailed enforcement guidelines and standards, and a privacy statement. Answer D is incorrect because background check consent forms are part of the employment process and have nothing to do with acceptable use.
2. C. To protect a large quantity of equipment from electronic eavesdropping, place the equipment into a well-grounded metal box called a Faraday cage. Answer A is incorrect because TEMPEST describes standards used to limit or block electromagnetic emanation (radiation) from electronic equipment. Answer B is incorrect because a degausser is an electrical device used to reduce the magnetic flux density of the storage media to zero. Answer D is incorrect because sonar is underwater sound propagation.
3. A. Reverse social engineering involves an attacker convincing the user that she is a legitimate IT authority, causing the user to solicit her assistance. Answer B is incorrect because social engineering is when an intruder tricks a user into giving him private information. Answer C is incorrect because separation of duties is when two users are assigned a part of a task that both of them need to complete. Answer D is incorrect because it is a bogus answer.
4. A. Answers B, C, and D are incorrect because they detail individual policies that may detail sanctions if violated, but they would not be used to define the use of company resources.
5. C. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. Therefore, answers A, B, and D are incorrect.
6. A, B, C, D. All these scenarios should be considered when formulating a policy on the secure disposal of outdated equipment.
7. C. Chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect because it describes how an organization responds to an incident. Answer B is incorrect because it describes processes for compliance. Answer D is incorrect because it describes employee rights.
8. D. Answers A, B, and C are incorrect because they detail individual policies that may detail sanctions if violated, but they would not be used to define that too much power can lead to corruption.
9. D, E. Social engineering attacks involve tricking a user into providing the attacker with access rights or operational details. Answer A is incorrect because packet sniffing is a form of a network security threat. Answers B and C are incorrect because they involve physical access control risks rather than social engineering.
10. D. SLAs are contracts with ISPs, utilities, facilities managers, and other types of suppliers that detail minimum levels of support that must be provided in the event of failure or disaster. Answer A is incorrect because it describes an incident response plan. Answer B is incorrect because it describes the discovery process. Answer C is incorrect because it describes the forensics process.

Recommended Reading and Resources
1. ISO 17799: Code of Practice for Information Security Management: http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
2. CERT Incident Reporting Guidelines: www.cert.org/tech_tips/incident_reporting.html
3. First Responders Guide to Computer Forensics: www.cert.org/archive/pdf/FRGCF_v1.3.pdf
4. NIST SP 800-61 Computer Security Incident Handling Guide: http://www.nist.org/print.php?plugin:content.42


PART VII

Practice Exams and Answers
Practice Exam 1
Practice Exam 1 Answer Key
Practice Exam 2
Practice Exam 2 Answer Key


Practice Exam 1
The 100 multiple-choice questions provided here help you determine how prepared you are for the actual exam and which topics you need to review further. Write down your answers on a separate sheet of paper so that you can take this exam again if necessary. Compare your answers against the answer key that follows this exam.

1. Which of the following are architectural models for the arranging of certificate authorities? (Select all correct answers.)
❍ A. Bridge CA architecture
❍ B. Sub CA architecture
❍ C. Single CA architecture
❍ D. Hierarchical CA architecture

2. Your company is in the process of setting up a DMZ segment. You have to allow secure web traffic in the DMZ segment. Which TCP port do you have to open?
❍ A. 110
❍ B. 139
❍ C. 25
❍ D. 443

3. You are in sales and you receive an email telling you about an easy way to make money. The email instructs you to open the attached letter of intent, read it carefully, and then reply to the email. Which of the following should you do?
❍ A. Open the letter of intent, read it, and reply to the email.
❍ B. Forward this great offer to your friends and co-workers.
❍ C. Notify your system administrator of the email.
❍ D. Delete the email and reboot your computer.

4. You have an FTP server that needs to be accessed by both employees and external customers. What type of architecture should be implemented?
❍ A. Bastion host
❍ B. Screened subnet
❍ C. Screened host
❍ D. Bastion subnet

5. The main fan in your server died on Wednesday morning. It will be at least two days before it can be replaced. You decide to use another server instead, but need to restore the data from the dead one. You have been doing differential backups, and the last full backup was performed on Friday evening. The backup doesn’t run on weekends. How many backup tapes will you need to restore the data?
❍ A. Two
❍ B. Four
❍ C. One
❍ D. Three

6. You are planning to set up a network for remote users to use their own Internet connections to connect to shared folders on the network. Which technology would you implement?
❍ A. DMZ
❍ B. VPN
❍ C. VLAN
❍ D. NAT

7. What type of algorithm is SHA-1?
❍ A. Asymmetric encryption algorithm
❍ B. Digital signature
❍ C. Hashing algorithm
❍ D. Certificate authority

8. Which of the following is an effective way to get information in crowded places such as airports, conventions, or supermarkets?
❍ A. Social engineering
❍ B. Shoulder surfing
❍ C. Reverse social engineering
❍ D. Phishing

9. Which of the following are not methods for minimizing a threat to a web server? (Choose the two best answers.)
❍ A. Disable all non-web services.
❍ B. Ensure Telnet is running.
❍ C. Disable nonessential services.
❍ D. Enable logging.

10. Trusted Platform Module (TPM) provides for which of the following? (Select two correct answers.)
❍ A. Secure storage of keys
❍ B. Secure software-based authentication
❍ C. Secure storage of passwords
❍ D. Secure network data transfers

11. Separation of duties is designed to guard against which of the following?
❍ A. Social engineering
❍ B. Viruses
❍ C. Fraud
❍ D. Nonrepudiation

12. Which of the following describes a network of systems designed to lure an attacker away from another critical system?
❍ A. Bastion host
❍ B. Honeynet
❍ C. Vulnerability system
❍ D. Intrusion-detection system

13. Which of the following best describes false acceptance?
❍ A. The system recognizes an unauthorized person and accepts that person.
❍ B. The system detects a legitimate action as a possible intrusion.
❍ C. The system allows an intrusive action to pass as nonintrusive behavior.
❍ D. The system fails to recognize an authorized person and rejects that person.

14. Which of the following attacks is most likely to be successful, even if all devices are properly secured and configured?
❍ A. Trojan horse
❍ B. Mantrap
❍ C. Social engineering
❍ D. All the options are correct

15. When using CHAP, when can the challenge/response mechanism happen?
❍ A. Only at the beginning of the connection
❍ B. At the beginning and the end of the connection
❍ C. Only at the end of the connection
❍ D. At any time during the connection

16. With discretionary access control (DAC), how are access rights to resources determined?
❍ A. Roles
❍ B. Rules
❍ C. Owner discretion
❍ D. Security label

17. Which of the following best describes the difference between AH and ESP?
❍ A. ESP provides authentication, integrity, and nonrepudiation. AH provides authentication, encryption, confidentiality, and integrity protection.
❍ B. AH provides authentication only. ESP provides encryption only.
❍ C. AH provides authentication, integrity, and nonrepudiation. ESP provides authentication, encryption, confidentiality, and integrity protection.
❍ D. ESP provides authentication only. AH provides encryption only.

18. What is a potential concern to weaker encryption algorithms as time goes on? (Choose the best answer.)
❍ A. Performance of the algorithm will worsen over time.
❍ B. Keys generated by users will start to repeat on other users’ systems.
❍ C. Hackers using distributed computing may be able to finally crack an algorithm.
❍ D. All options are correct.

19. Which of the following types of programs can be used to determine whether network resources are locked down correctly?
❍ A. Password sniffers
❍ B. Port scanners
❍ C. Keystroke loggers
❍ D. Cookies

20. You are the network administrator for a small company that has recently been the victim of several attacks. Upon rebuild of the server, which of the following should be the first step?
❍ A. Nonrepudiation
❍ B. Hardening
❍ C. Auditing
❍ D. Hashing

21. Which one of the following types of servers would be the target for an attack where a malicious individual attempts to change information by connecting to port 53?
❍ A. FTP server
❍ B. File server
❍ C. Web server
❍ D. DNS server

370

22. Ensuring that all data is sequenced, time-stamped, and numbered is a characteristic of which of the following?

❍ A. Data authentication
❍ B. Data integrity
❍ C. Data availability
❍ D. Data confidentiality

23. Which of the following programs can be used for vulnerability scanning to check the security of your servers? (Choose the two best answers.)

❍ A. John the Ripper
❍ B. SATAN
❍ C. L0phtCrack
❍ D. SAINT

24. Which of the following describes a type of algorithm where data is broken into several units of varying sizes (dependent on algorithm) and encryption is applied to those chunks of data?

❍ A. Symmetric encryption algorithm
❍ B. Elliptic curve
❍ C. Block cipher
❍ D. All the options are correct.

25. You are the administrator at a large university. You have received a Class A address from your ISP, and NAT is being used on your network. What range of addresses should you use on your internal network?

❍ A. 10.x.x.x
❍ B. 172.16.x.x
❍ C. 172.31.x.x
❍ D. 192.168.x.x

26. As the network administrator, you are implementing a policy for passwords. What is the best option for creating user passwords?

❍ A. Uppercase and lowercase letters combined with numbers and symbols
❍ B. A randomly generated password
❍ C. A word that is familiar to the user with a number attached to the end
❍ D. The user’s last name spelled backward

27. Which of the following is true of digital signatures? (Choose the two best answers.)

❍ A. They use the skipjack algorithm.
❍ B. They can be automatically time-stamped.
❍ C. They allow the sender to repudiate that the message was sent.
❍ D. They cannot be imitated by someone else.

28. Which of the following are parts of Kerberos authentication? (Choose the two best answers.)

❍ A. Authentication service
❍ B. Time-based induction
❍ C. Ticket-granting service
❍ D. TEMPEST

29. Which of the following must be provided for proper smart card authentication? (Choose the two best answers.)

❍ A. Something you have
❍ B. Something you know
❍ C. Something you are
❍ D. Something you do

30. Which of the following types of attacks can result from the length of variables not being properly checked in the code of a program?

❍ A. Buffer overflow
❍ B. Replay
❍ C. Spoofing
❍ D. Denial of service

31. Which of the following is a method of backup tape rotation based on a mathematical puzzle?

❍ A. Grandfather
❍ B. Tower of Hanoi
❍ C. Tower of Pisa
❍ D. Grandmother

32. Mocmex is considered to be which of the following?

❍ A. Virus
❍ B. Logic bomb
❍ C. Worm
❍ D. Trojan

33. Which of the following are methods used for securing email messages? (Choose the two best answers.)

❍ A. POP3
❍ B. S/MIME
❍ C. PGP
❍ D. SMTP

34. User groups that are built around business units and then have privileges assigned to these groups instead of individual users is an example of which type of management?

❍ A. Role-based privilege management
❍ B. User-based privilege management
❍ C. Group-based privilege management
❍ D. Individual-based privilege management

35. Which of the following statements is true about SSL?

❍ A. SSL provides security for both the connection and the data after it is received.
❍ B. SSL only provides security for the connection, not the data after it is received.
❍ C. SSL only provides security for the data once it is received, not the connection.
❍ D. SSL does not provide security for either the connection or the data after it is received.

36. Which of the following statements about Java and JavaScript is true?

❍ A. JavaScript can provide access to files of a known name and path.
❍ B. Java applets allow access to cache information.
❍ C. Java applets can be used to send email as the user.
❍ D. Java applets can be used to execute arbitrary instructions on the server.
❍ E. JavaScript code can continue running even after the applet is closed.

37. Which of the following algorithms is not an example of a symmetric encryption algorithm?

❍ A. Rijndael
❍ B. Diffie-Hellman
❍ C. RC6
❍ D. AES

38. The RBAC model can use which of the following types of access? (Choose the three best answers.)

❍ A. Role-based
❍ B. Task-based
❍ C. Lattice-based
❍ D. Discretionary-based

39. You are having problems with access to the company website. When the users try to open the website, they receive an error saying that the site is not found. You go to one of the machines, open a DOS prompt, and type which command to find out what the problem is?

❍ A. Netstat
❍ B. Tracert
❍ C. Ipconfig
❍ D. Nslookup

40. Of the following, which is a characteristic of a hot site?

❍ A. The facility is equipped with some resources, but not computers.
❍ B. The facility is equipped with plumbing, flooring, and electricity only.
❍ C. The facility and equipment are already set up and ready to occupy.
❍ D. The facility resources are shared by mutual agreement.

41. Which of the following statements best describes nonrepudiation?

❍ A. A set of mathematical rules used in encryption
❍ B. A means of proving that a transaction occurred
❍ C. A method of hiding data in another message
❍ D. A drive technology used for redundancy and performance improvement

42. LDAP connects by default to which of the following TCP ports?

❍ A. 139
❍ B. 389
❍ C. 110
❍ D. 443

43. Which of the following are not used to verify the status of a certificate? (Select two correct answers.)

❍ A. OCSP
❍ B. CRL
❍ C. OSPF
❍ D. ACL

44. Which of the following is the process of systematically looking for unprotected modems?

❍ A. Sniffing
❍ B. War driving
❍ C. War dialing
❍ D. Social engineering

45. Under mandatory access control, the category of a resource can be changed by whom?

❍ A. All managers
❍ B. Administrators only
❍ C. The owner/creator
❍ D. All users

46. Which of the following ports would be used to remotely access a system?

❍ A. 25
❍ B. 8080
❍ C. 139
❍ D. 3389

47. Which protocol is used to enable remote-access servers to communicate with a central server to authenticate and authorize access to resources?

❍ A. Kerberos
❍ B. IPsec
❍ C. RADIUS
❍ D. PPTP

48. Which of the following are common tools used to conduct vulnerability assessments? (Select all correct answers.)

❍ A. Port scanner
❍ B. Protocol analyzer
❍ C. Network mapper
❍ D. NetStat
❍ E. Performance Monitor

49. Which of the following is a hardware or software solution used to protect a network from unauthorized access?

❍ A. Intrusion-detection system
❍ B. Digital certificate
❍ C. Honeypot
❍ D. Firewall

50. Unauthorized access has been detected on the network, with some succeeding. Someone had been logging in as one of the administrative assistants during off hours. Later, you find out she received an email from the network administrator asking her to supply her password so that he could make changes to her profile. What types of attacks have been executed? (Choose two correct answers.)

❍ A. Spoofing
❍ B. Man in the middle
❍ C. Replay
❍ D. Social engineering

51. Which of the following is not true regarding log files?

❍ A. They should be stored and protected on a machine that has been hardened.
❍ B. They should be stored in one location, if possible.
❍ C. Log information traveling on the network must be encrypted.
❍ D. They must be modifiable, and there should be no record of the modification.

52. A CA with multiple subordinate CAs would use which of the following PKI trust models?

❍ A. Cross-certified
❍ B. Hierarchical
❍ C. Bridge
❍ D. Linked

53. Which of the following are reasons why it is unsafe to allow signed code to run on your systems?

❍ A. The fact that the code is signed guarantees only that the code belongs to a certain entity, not that it is absolutely harmless.
❍ B. Malicious users are known to have attempted obtaining legitimate certificates to sign harmful code.
❍ C. Scripts may be used to employ signed code that comes preinstalled and signed with the operating system.
❍ D. All the options are correct.

54. You’re the security administrator for a credit union. You have installed a custom monitoring service that reviews logs to watch for the URLs used by the Nimda worm to propagate itself. When the service detects an attack, it sends an email alert. Which of the following types of IDS solutions are you using? (Select two correct answers.)

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

55. Which of the following is true about fire-suppression systems?

❍ A. A dry-pipe system uses dry chemicals, whereas a wet-pipe system uses wet chemicals.
❍ B. A dry-pipe system uses air to suppress fire, whereas a wet-pipe system uses water.
❍ C. A wet-pipe system has water in the pipe at all times, whereas in a dry-pipe system, water is used but is held back by a valve until a certain temperature is reached.
❍ D. A wet-pipe system uses wet chemicals that deploy after the pipe loses air pressure, whereas a dry-pipe system uses dry chemicals that deploy before the pipe loses air pressure.

56. The users are complaining about the network being slow. It is not a particularly busy time of the day. You capture network packets and discover that there have been hundreds of ICMP packets being sent to the host. What type of attack is likely being executed against your network?

❍ A. Spoofing
❍ B. Man in the middle
❍ C. Denial of service
❍ D. Worm

57. Which of the following PKI functions do SSL/TLS protocols currently support? (Choose the two best answers.)

❍ A. Authentication
❍ B. Certificate revocation lists
❍ C. Encryption
❍ D. Attribute certificates

58. Which of the following best describes a behavior-based IDS?

❍ A. Detects anomalies from normal patterns of operation
❍ B. Identifies signatures within the network packets
❍ C. Relies on the identification of known attack signatures
❍ D. Monitors middleware transactions, such as those between a database and a web user application

59. You have found that someone has been running a program to crack passwords. This has been successful enough that many of the users’ passwords have been compromised. You suspect that several user files have been altered. Which of the following techniques can be implemented to help protect against this type of attack?

❍ A. Have users present proper identification before being granted a password.
❍ B. Increase the value of the password history to 8.
❍ C. Require password resets every 60 days.
❍ D. Lock the account after three unsuccessful password entry attempts.

60. Which of the following is true regarding expiration dates of certificates? (Select all correct answers.)

❍ A. Certificates may be issued for a week.
❍ B. Certificates are only issued at yearly intervals.
❍ C. Certificates must always have an expiration date.
❍ D. Certificates may be issued for 20 years.

61. Which of the following is true in regard to the principle of least privilege?

❍ A. It requires that a user be given no more privilege than necessary to perform a job.
❍ B. It ensures that all members of the user community are given the same privileges as long as they do not have administrator or root access to systems.
❍ C. It assumes that job functions will be rotated frequently.
❍ D. It is a control enforced through written security policies.

62. You are configuring a security policy for your company. You need to provide your users with the capability to log on once and retrieve any resource to which they have been granted access, regardless of where the resource is stored. Which configuration will you deploy?

❍ A. Role-based access control (RBAC)
❍ B. Multifactor
❍ C. Biometric
❍ D. Single sign-on (SSO)

63. Which of the following describes the process of documenting how evidence was collected, preserved, and analyzed?

❍ A. Incident response
❍ B. Due diligence
❍ C. Chain of custody
❍ D. Due process

64. You are a consultant for a company that wants to secure its web services and provide a guarantee to its online customers that all credit card information is securely transferred. Which technology would you recommend?

❍ A. S/MIME
❍ B. VPN
❍ C. SSL/TLS
❍ D. SSH

65. Which of the following components make up the security triad? (Choose the three best answers.)

❍ A. Encryption
❍ B. Confidentiality
❍ C. Integrity
❍ D. Authorization
❍ E. Availability

66. Which of the following is used to check the validity of a digital certificate?

❍ A. Certificate policy
❍ B. Certificate revocation list
❍ C. Corporate security policy
❍ D. Trust model

67. Which of the following statements are true when discussing physical security? (Select all correct answers.)

❍ A. Physical security attempts to control unwanted access to specified areas of a building.
❍ B. Physical security attempts to control the impact of natural disasters on facilities and equipment.
❍ C. Physical security attempts to control access to data from Internet users.
❍ D. Physical security attempts to control internal employee access into secure areas.

68. SMTP relay is a common exploit used among hackers for what purpose?

❍ A. DNS zone transfers
❍ B. Spamming
❍ C. Port scanning
❍ D. Man-in-the-middle attacks

69. CGI scripts can present vulnerabilities in which of the following ways? (Choose the two best answers.)

❍ A. They store the IP address of your computer.
❍ B. They may expose system information.
❍ C. They can be tricked into executing commands.
❍ D. They can be used to relay email.

70. Your company has decided to deploy a hardware token system along with usernames and passwords. This technique of using more than one type of authentication is known as which of the following?

❍ A. Parallel authentication
❍ B. Factored authentication
❍ C. Mutual authentication
❍ D. Multifactor authentication

71. Which of the following algorithms is now known as the Advanced Encryption Standard?

❍ A. Rijndael
❍ B. 3DES
❍ C. RC6
❍ D. Twofish
❍ E. CAST

72. What should you do upon finding out an employee is terminated?

❍ A. Disable the user account and have the data kept for a specified period of time.
❍ B. Disable the user account and delete the user’s home directory.
❍ C. Maintain the user account and have the data kept for a specified period of time.
❍ D. Do nothing until the employee has cleaned out her desk and you get written notification.

73. Which of the following statements best describes the difference between authentication and identification?

❍ A. Authentication is a means to verify who you are, whereas identification is what you are authorized to perform.
❍ B. Authentication is the same as identification.
❍ C. Authentication is the byproduct of identification.
❍ D. Authentication is what you are authorized to perform, whereas identification is a means to verify who you are.

74. Which of the following best describes the process of encrypting and decrypting data using an asymmetric encryption algorithm?

❍ A. Only the public key is used to encrypt, and only the private key is used to decrypt.
❍ B. Only the private key is used to encrypt, and only the public key is used to decrypt.
❍ C. The public key is used to either encrypt or decrypt.
❍ D. The private key is used to decrypt data encrypted with the public key.

75. Which of the following pieces of information are used by a cookie? (Select all correct answers.)

❍ A. The operating system you are running
❍ B. The type of browser you are using
❍ C. Your network login and password
❍ D. The name and IP address of your computer

76. The organization requires a segmented, switched network to separate users based on roles. Which of the following technologies satisfies this requirement?

❍ A. DMZ
❍ B. VPN
❍ C. VLAN
❍ D. NAT

77. Your company is in the process of setting up an application that tracks open shares on your network. Which ports would need to be accessible? (Choose two correct answers.)

❍ A. 161
❍ B. 139
❍ C. 138
❍ D. 162

78. Which of the following best describes FTP communications? (Choose the two best answers.)

❍ A. It is vulnerable to sniffing and eavesdropping.
❍ B. Authentication credentials are encrypted.
❍ C. Authentication credentials are sent in clear text.
❍ D. It is very secure and not vulnerable to either sniffing or eavesdropping.

79. Which of the following best describes the relationship between centralized and decentralized security?

❍ A. Centralized is more secure but less scalable, whereas decentralized security is less secure but more scalable.
❍ B. Centralized security is more scalable and less secure than decentralized.
❍ C. Decentralized security is more scalable and more secure than centralized.
❍ D. Centralized and decentralized have about the same security, but centralized is more scalable.

80. You are establishing a secured command-line connection to a remote server. Which of the following utilities would you use?

❍ A. rlogin
❍ B. slogin
❍ C. rsh
❍ D. rcp
❍ E. scp

81. Which of the following components are methods of addressing risk? (Choose the three best answers.)

❍ A. Transferring the risk
❍ B. Mitigating the risk
❍ C. Vetting the risk
❍ D. Accepting the risk

82. Which of the following is an exposed device used as the foundation for firewall software?

❍ A. Bastion host
❍ B. Screened subnet
❍ C. Screened host
❍ D. Bastion subnet

83. Which of the following best describes the process whereby a user is able to perform administrator functions by exploiting a known weakness in the operating system code?

❍ A. Privilege management
❍ B. Man in the middle
❍ C. Privilege escalation
❍ D. Single sign-on

84. Which of the following best describes a vulnerability?

❍ A. A weakness in the configuration of software or hardware that could allow a threat to damage the network
❍ B. Any agent that could do harm to your network or its components
❍ C. The likelihood of a particular event happening given an asset and a threat
❍ D. Measures the cost of a threat attacking your network

85. Which of the following best describes an attack where traffic patterns indicate an unauthorized service is relaying information to a source outside the network?

❍ A. Spoofing
❍ B. Trojan horse
❍ C. Replay
❍ D. Denial of service

86. Which of the following looks at the long-term actions taken by an organization after an incident?

❍ A. Emergency response plan
❍ B. Security plan
❍ C. Disaster recovery plan
❍ D. Business continuity plan

87. Who is ultimately responsible for setting the tone of the role of security in an organization?

❍ A. Staff
❍ B. Management
❍ C. Consultants
❍ D. Everyone

88. You download and install a newly released Microsoft server patch, and several of the servers stop functioning properly. What should your first step be to return the servers to a functional state? (Choose the best answer.)

❍ A. Reload the patch and see whether the problems stop.
❍ B. Roll back the changes.
❍ C. Document the changes and troubleshoot.
❍ D. Call the manufacturer and see whether there is a fix.

89. Your company is in the process of setting up an IDS system. You want to scan for irregular header lengths and information in the TCP/IP packet. Which IDS methodology is most suitable for this purpose?

❍ A. Heuristic analysis
❍ B. Anomaly analysis
❍ C. Stateful inspection
❍ D. Pattern matching

90. Which of the following is used to provide centralized management of computers through a remotely installed agent?

❍ A. SMTP
❍ B. SNMP
❍ C. LDAP
❍ D. L2TP

91. What are the major security concerns with using DHCP? (Choose the two best answers.)

❍ A. There are no security concerns with using DHCP.
❍ B. Anyone hooking up to the network can automatically receive a network address.
❍ C. Clients might be redirected to an incorrect DNS address.
❍ D. The network is vulnerable to man-in-the-middle attacks.

92. Which of the following is the security layer of the Wireless Application Protocol (WAP)?

❍ A. Wireless Security Layer (WSL)
❍ B. Wireless Transport Layer (WTL)
❍ C. Wireless Transport Layer Security (WTLS)
❍ D. Wireless Security Layer Transport (WSLT)

93. Which of the following are tunneling protocols used in VPN connections? (Select all correct answers.)

❍ A. PPTP
❍ B. L2TP
❍ C. CHAP
❍ D. IPsec

94. Which of the following statements best describes the behavior of a worm?

❍ A. A worm is self-replicating and needs no user interaction.
❍ B. A worm attacks only after it is triggered.
❍ C. A worm attempts to hide from antivirus software by garbling its code.
❍ D. A worm attacks system files only.

95. Which of the following best describes the difference between TACACS and RADIUS?

❍ A. TACACS is an actual Internet standard; RADIUS is not.
❍ B. RADIUS is an actual Internet standard; TACACS is not.
❍ C. TACACS is an authentication protocol; RADIUS is an encryption protocol.
❍ D. RADIUS is an authentication protocol; TACACS is an encryption protocol.

96. In which of the following types of architecture is the user responsible for the creation of the private and public key?

❍ A. Decentralized key management
❍ B. Centralized key management
❍ C. Revocation key management
❍ D. Multilevel key management

97. Which of the following is the weakest link in a security policy?

❍ A. Management
❍ B. A misconfigured firewall
❍ C. An unprotected web server
❍ D. Uneducated users

98. Which of the following is true of Pretty Good Privacy (PGP)? (Choose the two best answers.)

❍ A. It uses public key encryption.
❍ B. It uses private key encryption.
❍ C. It uses a web of trust.
❍ D. It uses a hierarchical structure.

99. Which of the following is the type of algorithm used by MD5?

❍ A. Block cipher algorithm
❍ B. Hashing algorithm
❍ C. Asymmetric encryption algorithm
❍ D. Cryptographic algorithm

100. You are the consultant for a small manufacturing company that wants to implement a backup solution. Which of the following methods is the best choice for this type of organization?

❍ A. Site redundancy
❍ B. Offsite, secure recovery
❍ C. Onsite backup
❍ D. High-availability systems


Practice Exam 1 Answer Key

Answers at a Glance

1. A, B, and D
2. D
3. C
4. B
5. A
6. B
7. C
8. B
9. B and D
10. A and C
11. C
12. B
13. A
14. C
15. D
16. C
17. C
18. C
19. B
20. B
21. D
22. B
23. B and D
24. C
25. A
26. A
27. B and D
28. A and C
29. A and B
30. A
31. B
32. D
33. B and C
34. C
35. B
36. C
37. B
38. A, B, and C
39. B
40. C
41. B
42. B
43. C and D
44. C
45. B
46. D
47. C
48. A, B, and C
49. D
50. A and D
51. D
52. B
53. D
54. A and D
55. C
56. C
57. A and C
58. B
59. … and D
60. C
61. A
62. D
63. C
64. C
65. B, C, and E
66. (missing)

67. … and D
68. B
69. B and C
70. D
71. A
72. A
73. D
74. D
75. A, B, and D
76. C
77. B and C
78. A and C
79. A
80. B
81. A, B, and D
82. A
83. C
84. A
85. B
86. D
87. B
88. B
89. C
90. B
91. B and C
92. C
93. (missing)
94. A
95. B
96. A
97. D
98. A and C
99. B
100. C

Answers with Explanations

Question 1

Answers A, B, and D are correct. These answers all represent legitimate trust models. Another common model also exists, called cross-certification; however, it usually makes more sense to implement a bridge architecture over this type of model. Answer B is incorrect because it does not represent a valid trust model.

Question 2

Answer D is correct. Port 443 is used by HTTPS. Answer A is incorrect because port 110 is used for POP3 incoming mail. Answer B is incorrect because UDP uses port 139 for network sharing. Port 25 is used for SMTP outgoing mail; therefore, answer C is incorrect.

Question 3

Answer C is correct. The email is likely a hoax, and although the policies may differ among organizations, given this scenario and the available choices, the best answer is to notify the system administrator. Answers A, B, and D are all therefore incorrect.

Question 4

Answer B is correct. You will need the full backup from Friday and the differential tape from Tuesday. Answer C is incorrect because one tape would be enough only if full backups were done daily. Answer D is incorrect because three would be the number of tapes needed if the backup type were incremental. Answer B is incorrect because four tapes are too many for any type of backup because Wednesday’s backup has not been done yet.

Question 5

Answer A is correct. SHA-1 is an updated version of Secure Hash Algorithm (SHA), which is used with DSA. Answer B is incorrect because a digital signature is not an encryption algorithm. Answer A is incorrect because this is an algorithm that uses a public and private key pair and is not associated with the SHA1. Answer D is incorrect because a certificate authority accepts or revokes certificates.

Question 6

Answer B is correct. A bastion host on the private network communicating directly with a border router is a screened host. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. A screened subnet is an isolated subnet between the Internet and the internal network; therefore, answer C is incorrect. Answer D is a fictitious term and is therefore incorrect.

Question 7

Answer C is correct. A VPN is used to provide secure remote access services to the company’s employees and agents. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 8

Answer B is correct. Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Answer A is incorrect because social engineering is when an intruder tricks a user into giving him private information. Answer C is incorrect because reverse social engineering involves an attacker convincing the user that she is a legitimate IT authority, causing the user to solicit her assistance. Answer D is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email.

Question 9

Answers B and D are correct. Logging is important for secure operations and is invaluable when recovering from a security incident. In addition, it is important to disable all nonessential services. Answer A is incorrect because disabling all non-web services may provide a secure solution for minimizing threats. However, it is not a primary method for reducing threat. Answer C is incorrect because each network service carries its own risks. Having Telnet enabled presents security issues and is not a primary method for minimizing threat.

Question 10

Answers A and C are correct. Trusted Platform Module (TPM) provides for the secure storage of keys, passwords, and digital certificates, and is hardware based, typically attached to the circuit board of the system. TPM can be used to ensure that a system is authenticated and ensure that the system has not been altered or breached. Answer B is incorrect because TPM is hardware-based. Answer D is incorrect because TPM is system related, not network related.

Question 11

Answer C is correct. Separation of duties is considered valuable in deterring fraud because fraud can occur if an opportunity exists for collaboration between various job-related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. Answer A is incorrect because social engineering relies on the faults in human behavior. Answer B is incorrect because a virus is designed to attach itself to other code and replicate. Answer D is incorrect because nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message.

Question 12

Answer B is correct. Honeynets are collections of honeypot systems interconnected to create networks that appear to be functional and that may be used to study an attacker’s behavior within the network. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. Answer C is incorrect because it is a made-up term. Answer D is incorrect because an IDS is used for intrusion detection.

Question 13

Answer A is correct. In computer security systems, the false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt; that is, will allow the access attempt from an unauthorized user. A false positive error occurs when the intrusion-detection system detects a legitimate action as a possible intrusion; therefore, answer B is incorrect. Answer C is incorrect because it describes a false negative error. Answer D is incorrect because it describes false rejection.

Question 14

Answer C is correct. Social engineering attacks are usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. Answer A is incorrect because a Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it is executed. Answer B is incorrect because a mantrap is a physical barrier. Finally, because there is only one correct answer, answer D is incorrect.

Question 15

Answer D is correct. Challenge Handshake Authentication Protocol (CHAP) continues the challenge/response activity throughout the connection to be sure that the user holds the proper credentials to communicate with the authentication server. This makes answers A, B, and C incorrect.

Question 16 Answer C is correct. As computers get faster, so does the ability for hackers to use distributed computing as a method of breaking encryption algorithms. With computer performance increasing by 30% to 50% a year on average, this could become a concern for some older algorithms. Answer A is incorrect because weak keys exhibit regularities, and that weakness has nothing to do with performance. Answer B is incorrect because the weakness in keys comes from a block cipher regularity in the encryption of secret keys. Answer D is incorrect because there is only one correct answer.

Question 17 Answer C is correct. ESP provides confidentiality (encryption) together with authentication and integrity protection. Answers A, B, and D are incorrect because AH provides authentication and integrity protection but no encryption. Neither protocol provides nonrepudiation, because both rely on keys shared by the two peers.

Question 18 Answer C is correct. Discretionary access control (DAC) enables the owner of the resources to specify who can access those resources. Answer A is incorrect because roles are used to group access rights by role name; the use of resources is restricted to those associated with an authorized role. Answer B is incorrect because rule-based access control is a form of mandatory access control. Answer D is incorrect because security labels are also used in mandatory access control.

Question 19 Answer B is correct. A port scanner is a program that searches for unsecured ports. The number of open ports can help determine whether the network is locked down enough to deter malicious activity. Answer A is incorrect because password sniffers monitor network traffic and record the packets sending passwords. Answer C is incorrect because a keystroke logger is able to capture passwords locally on the computer as they are typed and record them. Answer D is incorrect because cookies are small text files used to identify a web user and enhance the browsing experience.
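The port scanner in Question 19 is easy to demonstrate. The block below is an added example (not code from the book): a TCP connect() scan that starts its own listener on 127.0.0.1 so it runs offline, reports each probed port as open or closed, and lists the open ones an auditor would follow up on. The listener, the choice of 127.0.0.1, and the 0.5-second timeout are assumptions made for the example; on a real engagement you would point scan_ports() at a host you are authorised to test.

```python
"""TCP connect() port scan against a throwaway local listener.

Added example, not code from the book: the scanner is the same logic you
would point at a host you are authorised to test, but here the script
starts its own listener on 127.0.0.1 (assumption) so it runs offline.
"""
import socket
from typing import Dict, Iterable, List, Tuple


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, bool]:
    """Return {port: True} for ports that completed a TCP handshake, False otherwise."""
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex() returns 0 on success and an errno otherwise, so a
            # refused or filtered port does not raise mid-scan.
            results[port] = sock.connect_ex((host, port)) == 0
    return results


def open_ports(results: Dict[int, bool]) -> List[int]:
    """The ports an attacker (or an auditor) would look at more closely."""
    return sorted(port for port, is_open in results.items() if is_open)


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an ephemeral port and listen; the kernel completes handshakes for us."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS choose a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Find a port nothing listens on by binding it and releasing it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def demo() -> Tuple[Dict[int, bool], int, int]:
    """Scan one open and one closed port on localhost; returns (results, open, closed)."""
    srv, listening = start_listener()
    try:
        closed = reserve_closed_port()
        results = scan_ports("127.0.0.1", [listening, closed])
        return results, listening, closed
    finally:
        srv.close()


if __name__ == "__main__":
    res, lp, cp = demo()
    for port, state in sorted(res.items()):
        print(f"127.0.0.1:{port} {'open' if state else 'closed'}")
```

A closed port answers the SYN with a RST, so connect_ex() returns immediately; a filtered port (dropped by a firewall) only times out, which is why the timeout matters for scan speed and why "closed" and "filtered" look different to tools such as nmap even though both are reported here as not open.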

Question 20 Answer B is correct. When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Although many symmetric algorithms use a block cipher, answer A is incorrect because block cipher is a more precise and accurate term for the given question. Answer C is incorrect because elliptic curve is a type of asymmetric encryption algorithm. Answer D is incorrect because hashing produces a fixed-length digest of the data rather than encrypting it.

Question 21 Answer D is correct. DNS is the TCP/UDP service that runs on port 53. Answer A is incorrect because FTP is a TCP service that runs on port 21 (or 20). HTTP (web server) is a TCP service that runs on port 80; therefore, answer B is incorrect. File sharing (the NetBIOS session service) runs on TCP port 139; therefore, answer C is incorrect.

Question 22 Answer B is correct. Data integrity ensures that data is sequenced, timestamped, and numbered. Answer A is incorrect because data authentication ensures that the data is properly identified. Answer C is incorrect because data availability ensures that no disruption in the process occurs. Answer D is incorrect because data confidentiality ensures that the data is available only to authorized users.

Question 23 Answers B and D are correct. Both SATAN and SAINT are vulnerability testing tools. Answers A and C are incorrect because John the Ripper and L0phtCrack are both used to crack passwords.

Question 24 Answer C is correct. System hardening is a process by which all unnecessary services are removed and all appropriate patches applied to make the system more secure. Answer A is incorrect because nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message. Answer B is incorrect because auditing is a process whereby events are traced in log files. Answer D is an incorrect choice because only one answer is correct.

Question 25 Answer A is correct. A combination of both uppercase and lowercase letters along with numbers and symbols will make guessing the password difficult. It will also take longer to crack using brute force. Answer B is incorrect because randomly generated passwords are difficult if not impossible for users to remember. This causes them to be written down, thereby increasing the risk of other people finding them. Answers C and D are incorrect because both can easily be guessed or cracked.

Question 26 Answer A is correct. In a Class A private network (10.0.0.0/8), valid host IDs are from 10.0.0.1 to 10.255.255.254. In a Class B private network (172.16.0.0/12), valid host IDs are from 172.16.0.1 through 172.31.255.254. In a Class C private network (192.168.0.0/16), valid host IDs are from 192.168.0.1 to 192.168.255.254. Answers B and C are incorrect because they are both Class B addresses. Answer D is incorrect because it is a Class C address.

Question 27 Answers B and D are correct. A digital signature is applied to a message, which keeps it from being modified or imitated. This means the sender cannot deny that the message was sent. Digital signatures can also be automatically time-stamped. Answer A is incorrect because digital signatures are based on an asymmetric scheme. Answer C is incorrect because digital signatures allow for nonrepudiation.

Question 28 Answers A and C are correct. A smart card provides for two-factor authentication. The user must enter something he knows (a user ID or PIN) to unlock the smart card, which is something he has. A biometric technique based on distinct characteristics, such as a fingerprint scan, is considered something you are; therefore, answer B is incorrect. Answer D has nothing to do with authentication and is therefore incorrect.

Question 29 Answers A and B are correct. Skipjack is a symmetric key algorithm designed by the U.S. National Security Agency (NSA). The Key Distribution Center (KDC) used by Kerberos provides authentication services and ticket-distribution services. Time-based induction is an anomaly-detection technique used in intrusion detection, not a cryptographic or authentication service; therefore, answer C is incorrect. Answer D is incorrect because TEMPEST is the study and control of compromising electrical emanations.

Question 30 Answer A is correct. Buffer overflows are a result of programming flaws that allow for too much data to be sent. When the program does not know what to do with all this data, it crashes, leaving the machine in a state of vulnerability. Answer B is incorrect because a replay attack records and replays previously sent valid messages. Answer C is incorrect because spoofing involves modifying the source address of traffic or the source of information. Answer D is incorrect because the purpose of a DoS attack is to deny the use of resources or services to legitimate users.

Question 31 Answer A is correct. The Tower of Hanoi scheme is based on the mathematics of the Tower of Hanoi puzzle, with what is essentially a recursive method. It is a "smart" way of archiving an effective number of backups and the ability to go back over time. Originally designed for tape backup, it works well for any hierarchical backup strategy, but it is more complex to understand. Answer B is incorrect because grandfather-father-son backup refers to the most common rotation scheme for rotating backup media; the basic method is to define three sets of backups, such as daily, weekly, and monthly. Answers C and D are incorrect because they are made-up methods that do not exist.

Question 32 Answer D is correct. Mocmex is a Trojan found in digital photo frames and collects online game passwords. Because Mocmex is a Trojan, answers A, B, and C are incorrect.

Question 33 Answers B and C are correct. PGP (Pretty Good Privacy) uses encryption to secure email messages, as does S/MIME. Answers A and D are incorrect because these are both methods for sending unsecured email.
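The two rotation schemes in Question 31 are simple to compute once the rule is written down. The block below is an added example (not code from the book): the Tower of Hanoi rule is the ruler sequence, so on backup day d you write the set numbered by the trailing zero bits of d (set A every 2 days, B every 4, C every 8, and so on, with the last set absorbing the remainder), and it is compared with a three-set grandfather-father-son rotation. The 7-day week and 28-day month used for GFS, and the five-set Hanoi rotation, are assumptions chosen for the example.

```python
"""Tower of Hanoi tape rotation next to grandfather-father-son (GFS).

Added example, not from the book. The Hanoi rule is the ruler sequence:
on backup day d, use set number (trailing zero bits of d), capped at the
last set, so set A is overwritten every 2 days, B every 4, C every 8...
GFS here assumes a 7-day week and a 28-day month (assumptions).
"""
from typing import Dict, Optional


def hanoi_set(day: int, num_sets: int) -> int:
    """0-based index of the tape set written on backup day `day` (1-based)."""
    if day < 1 or num_sets < 1:
        raise ValueError("day and num_sets must be >= 1")
    trailing_zeros = (day & -day).bit_length() - 1   # largest k with 2**k dividing day
    return min(trailing_zeros, num_sets - 1)          # last set absorbs the rest


def hanoi_schedule(days: int, num_sets: int) -> str:
    """Letters of the sets used on days 1..days, e.g. 'ABACABAD...'."""
    return "".join(chr(ord("A") + hanoi_set(d, num_sets)) for d in range(1, days + 1))


def hanoi_restore_points(today: int, num_sets: int) -> Dict[str, Optional[int]]:
    """Most recent day each set was written as of `today` (None if never used)."""
    last: Dict[str, Optional[int]] = {chr(ord("A") + i): None for i in range(num_sets)}
    for d in range(1, today + 1):
        last[chr(ord("A") + hanoi_set(d, num_sets))] = d
    return last


def oldest_restore_point(points: Dict[str, Optional[int]]) -> int:
    """How far back the rotation lets you go, ignoring sets never written."""
    return min(d for d in points.values() if d is not None)


def gfs_set(day: int, week: int = 7, month: int = 28) -> str:
    """Three-set GFS rotation: monthly beats weekly beats daily on the same day."""
    if day % month == 0:
        return "grandfather"
    if day % week == 0:
        return "father"
    return "son"


if __name__ == "__main__":
    print(hanoi_schedule(16, 5))                 # ABACABADABACABAE
    print(hanoi_restore_points(16, 5))           # {'A': 15, 'B': 14, 'C': 12, 'D': 8, 'E': 16}
    print([gfs_set(d) for d in (1, 7, 14, 28)])  # ['son', 'father', 'father', 'grandfather']
```

With five sets the Hanoi schedule keeps restore points at roughly 1, 2, 4, 8, and 16 days back using the same number of tapes a GFS rotation would spend on a week of dailies, which is the "effective number of backups" the answer key refers to; the cost is that the schedule is harder to follow by hand than daily/weekly/monthly.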

Question 34 Answer C is correct. A hot site is a facility and equipment that are already set up and ready to occupy. Answer A is incorrect because a cold site requires the customer to provide and install all the equipment needed for operations. Answer B is incorrect because it describes a mutual agreement. Answer D is incorrect because it describes a warm site.

Question 35 Answer B is correct. Group-based privilege management focuses on business units such as marketing to assign and control users. Answer A is incorrect because functions such as server maintenance are role-based. Answer C is incorrect because under discretionary control users get to decide who has access to the files they own and the level of permissions that will be set. Answer D is incorrect because it describes user-based management, in which users are directly assigned privilege based on job function or business need.

Question 36 Answer C is correct. Secure Sockets Layer (SSL) provides security only for the connection. The data is encrypted while it is being transmitted, but when received by the computer, it is no longer encrypted; SSL does not protect the data after it is received. Therefore, answers A, B, and D are incorrect.

Question 37 Answer B is correct. Diffie-Hellman uses public and private keys, so it is considered an asymmetric algorithm (it is used for key agreement rather than for bulk encryption). Because Rijndael and AES are now one and the same, they both can be called symmetric encryption algorithms; therefore, answers A and D are incorrect. Answer C is incorrect because RC6 is symmetric, too.

Question 38 Answers A, B, and C are correct. The RBAC model can use role-based access, determined by the role the user has; task-based access, determined by the task assigned to the user; or lattice-based access, determined by the sensitivity level assigned to the role. Discretionary-based access involves the explicit specification of access rights for accounts with regard to each particular resource; therefore, answer D is incorrect.

Question 39 Answer B is correct. Lightweight Directory Access Protocol (LDAP) connects by default to TCP port 389. Answer A is incorrect because port 139 is used for NetBIOS session (file sharing) traffic. Answer C is incorrect because port 110 is used for POP3 incoming mail. Answer D is incorrect because port 443 is used for HTTPS.

Question 40 Answer C is correct. An early exploit of JavaScript allowed access to files located on the client's system if the name and path were known. Answer B is incorrect because Java, not JavaScript, can continue running even after the applet has been closed. Answers A, D, and E are incorrect because Java, not JavaScript, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information.

Question 41 Answer B is correct. Nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message or data. Answer A is incorrect because it describes an algorithm. Answer C is incorrect because it describes steganography. Answer D is incorrect because it describes RAID.

Question 42 Answer B is correct. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Answer A is incorrect because Netstat displays all the ports on which the computer is listening. Answer C is incorrect because Ipconfig is used to display the TCP/IP settings on a Windows machine. Answer D is also incorrect because Nslookup is a command-line utility used to troubleshoot a domain name system (DNS) database.

Question 43 Answers C and D are correct. OSPF is a routing protocol, and an ACL is used to define access control. Answers A and B are incorrect because the Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL) are used to verify the status of digital certificates.

Question 44 Answer C is correct. Remote Desktop Protocol uses port 3389. Answer A is incorrect because SMTP uses port 25. Answer B is incorrect because port 8080 is an alternative HTTP port, commonly used by proxies. Answer D is incorrect because port 139 is used for NetBIOS traffic.

Question 45 Answer B is correct. With mandatory access controls, only administrators may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy. Therefore, answers A, C, and D are incorrect.

Question 46 Answer D is correct. Remote Authentication Dial In User Service (RADIUS) is a protocol for carrying authentication, authorization, and configuration information between an access server and a shared authentication server. Answer A is incorrect because Kerberos is a network authentication protocol that uses secret key cryptography. Answer B is incorrect because IPsec is used for the tunneling and transport of data. PPTP is an Internet tunneling protocol; therefore, answer C is incorrect.

Question 47 Answer C is correct. War dialing is the process of systematically dialing a range of phone numbers hoping to gain unauthorized access to a network via unprotected dial-in modems. Social engineering preys upon weaknesses in the human factor; therefore, answer A is incorrect. Answer B is incorrect because war driving involves using wireless technology to connect to unprotected networks from outside the building. Sniffing is the process of capturing packets traveling across the network; therefore, answer D is incorrect.

Question 48 Answers A, B, and C are correct. Some of the more common tools used to conduct vulnerability assessments include port scanners, vulnerability scanners, protocol analyzers, and network mappers. Netstat and Performance Monitor are used to monitor individual system components (open connections and resource usage, respectively), not to test for vulnerabilities; therefore, answer D is incorrect.

Question 49 Answer D is correct. A firewall is a hardware device or a software program used to prevent a network from unauthorized access. Many firewalls are also designed to prevent unauthorized traffic from leaving the network. Answer A is incorrect because intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer B is also incorrect because a digital certificate electronically identifies an individual. Answer C is incorrect because a honeypot is used as a decoy to lure malicious attacks.

Question 50 Answers A and D are correct. Logs should be centralized for easy analysis and stored on a machine that has been hardened. Therefore, logging information traveling on the network should be encrypted if possible, and log files must not be modifiable without a record of the modification.

Question 51 Answer D is correct. All the statements are good reasons why it is unsafe to run signed code on your system; therefore, answers A, B, and C are incorrect.

Question 52 Answer B is correct. A PKI structure with a single CA and multiple subordinate CAs would benefit the most from a hierarchical structure. This is because it allows the top CA to be the root CA and control trust throughout the PKI. Answer A is incorrect because a cross-certified model is where CAs have a trust relationship with each other; they trust certificates from other CAs. Answer C is incorrect because a bridge is a central point for a cross-certified model. Answer D is incorrect because linked is not a PKI trust model.

Question 53 Answer D is correct. In this instance, the email was spoofed to make the user think it came from the administrator, and by replying to the request the user was tricked into supplying compromising information, which is a classic sign of social engineering. Spoofing by itself involves only modifying the source address of traffic or the source of information; therefore, answer A is incorrect. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. In a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later; therefore, answer C is incorrect.
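Question 50's requirement that log files not be modifiable without a record of the modification is usually met by chaining entries together at the central collector. The block below is an added example (not code from the book): each entry carries an HMAC over the previous entry's tag and the entry's canonical JSON, so editing or deleting any stored line breaks every tag after it. The key, the three sample events, and the assumption that the key lives only on the collector (so an intruder on the log-producing host cannot recompute tags) are constructed for the example.

```python
"""Tamper-evident, HMAC-chained log for a central log collector.

Added example, not from the book. Each entry's tag covers the previous tag
and the entry itself, so editing or deleting any stored line breaks every
tag after it. The key is held only by the collector (assumption), so an
intruder on the log host cannot recompute tags; the key and the events
below are constructed samples.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

SAMPLE_KEY = bytes.fromhex("00" * 16 + "ff" * 16)   # constructed, not a real key
GENESIS = "00" * 32                                   # tag "before" the first entry


class ChainedLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict[str, Any]] = []     # {"record": ..., "tag": hex}

    @staticmethod
    def _canonical(record: Dict[str, Any]) -> bytes:
        # Sorted keys and no whitespace so the same record always hashes alike.
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, prev_tag: str, record: Dict[str, Any]) -> str:
        mac = hmac.new(self._key, digestmod=hashlib.sha256)
        mac.update(bytes.fromhex(prev_tag))
        mac.update(self._canonical(record))
        return mac.hexdigest()

    def append(self, record: Dict[str, Any]) -> str:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        tag = self._tag(prev, record)
        self.entries.append({"record": record, "tag": tag})
        return tag

    def verify(self) -> int:
        """Index of the first entry whose chain does not check out, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(self._tag(prev, entry["record"]), entry["tag"]):
                return i
            prev = entry["tag"]
        return -1


def demo() -> Tuple[int, int]:
    """Append three constructed events, then rewrite one and show verify() catches it."""
    log = ChainedLog(SAMPLE_KEY)
    for rec in (
        {"ts": "2008-10-10T13:55:36Z", "host": "web01", "event": "login", "user": "alice"},
        {"ts": "2008-10-10T13:57:02Z", "host": "web01", "event": "sudo", "user": "alice"},
        {"ts": "2008-10-10T13:58:40Z", "host": "web01", "event": "logout", "user": "alice"},
    ):
        log.append(rec)
    before = log.verify()                           # -1: chain intact
    log.entries[1]["record"]["user"] = "bob"        # an intruder rewrites history
    return before, log.verify()                     # (-1, 1): entry 1 no longer checks out


if __name__ == "__main__":
    print(demo())
```

Because the chain only detects changes, the collector still needs the other half of Question 50: a hardened host and encrypted transport, so the tags cannot be recomputed by whoever tampered with the entries. Periodically publishing the latest tag somewhere the log host cannot reach (a write-once store or a printed daily digest) also prevents an attacker from silently truncating the log.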

Question 54 Answers A and D are correct. This solution describes a host-based solution identifying a known attack signature. Answer B is incorrect because no baselining is required for this solution. Answer C is incorrect because the agent does not attempt to capture packet data; it just reviews the web service logs on the local system.

Question 55 Answer C is correct. Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory and can be from a very short period of time up to a number of years. This makes answer B incorrect because it is not necessary that the certificates be issued yearly.

Question 56 Answer C is correct. A DoS attack attempts to block service or reduce activity on a host by sending requests directly to the victim. Answer A is incorrect because spoofing involves modifying the source address of traffic or the source of information. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer D is incorrect because a worm is a form of malicious code.

Question 57 Answers A and C are correct. SSL/TLS supports authentication and encryption. The SSL/TLS protocol itself does not support either certificate revocation lists (CRLs) or attribute certificates; therefore, answers B and D are incorrect.

Question 58 Answer B is correct. Users should not be given privileges above those necessary to perform their job functions. The other choices do not adequately and accurately describe the principle of least privilege; therefore, answers A, C, and D are incorrect.

Question 59 Answers A, B, and D are correct. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached.
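Question 54 describes a host-based agent that reviews the local web service logs for a known attack signature, and Question 60 on the next page contrasts that knowledge-based approach with behavior-based detection. The block below is an added example (not code from the book) that does both over constructed Apache-style log lines: it URL-decodes each request path, matches it against three illustrative signatures (directory traversal, sensitive file read, SQL injection), and separately flags any client whose request count exceeds a baseline. The log lines, the signatures, and the baseline of 5 requests are assumptions made for the example, not a vendor rule set.

```python
"""Host-based review of web server logs: signatures plus a simple baseline.

Added example, not from the book. The log lines are constructed in Apache
combined-log shape; the three signatures and the per-client request
baseline are illustrative choices (assumptions), not a vendor rule set.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

LOG_LINES = [  # constructed sample
    '10.0.0.5 - - [10/Oct/2008:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.5 - - [10/Oct/2008:13:55:37 -0700] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 404 208',
    '10.0.0.9 - - [10/Oct/2008:13:55:38 -0700] "GET /login.asp?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512',
] + [
    f'10.0.0.7 - - [10/Oct/2008:13:56:{s:02d} -0700] "GET /page{s}.html HTTP/1.1" 200 100'
    for s in range(12)
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Knowledge-based detection: known attack patterns, checked on the decoded URL.
SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    ("directory traversal", re.compile(r"(\.\./){2,}")),
    ("sensitive file read", re.compile(r"/etc/(passwd|shadow)")),
    ("sql injection", re.compile(r"(?i)('|\")\s*or\s+\d+\s*=\s*\d+|union\s+select")),
]


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip, ts, method, path, status, _size = m.groups()
    # Decode %xx escapes first: attackers encode quotes and slashes to dodge naive matching.
    return {"ip": ip, "ts": ts, "method": method, "path": unquote(path), "status": status}


def signature_alerts(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(rule, client ip, decoded path) for every request matching a known signature."""
    alerts = []
    for e in entries:
        for name, pattern in SIGNATURES:
            if pattern.search(e["path"]):
                alerts.append((name, e["ip"], e["path"]))
    return alerts


def rate_alerts(entries: List[Dict[str, str]], baseline: int = 5) -> List[Tuple[str, str, int]]:
    """Behavior-based check: clients whose request count exceeds the learned baseline."""
    counts = Counter(e["ip"] for e in entries)
    return [("request rate above baseline", ip, n) for ip, n in counts.items() if n > baseline]


def review(lines: List[str], baseline: int = 5):
    entries = [parse_line(line) for line in lines]
    return signature_alerts(entries), rate_alerts(entries, baseline)


if __name__ == "__main__":
    sig, rate = review(LOG_LINES)
    for alert in sig + rate:
        print(alert)
```

The signature pass needs no learning period, which is why Question 54's answer says no baselining is required; it also misses anything not in SIGNATURES. The rate check is the reverse: it catches the unknown (here a client making twelve requests where the baseline allows five) but only after you have decided what normal looks like, and it will raise false positives whenever normal changes.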

Question 60 Answer C is correct. Behavior-based IDSs use the detection of anomalies from normal patterns of operation to identify new threats, whereas knowledge-based detection matches only attacks whose signatures are already known. Answer A is incorrect because it describes an access control method. Answer B is incorrect because it describes network-based IDS (NIDS). Answer D is incorrect because it describes application protocol-based intrusion detection.

Question 61 Answer A is correct. The ability to log on once and gain access to all needed resources is referred to as single sign-on. Answer B is incorrect because multifactor authentication uses two or more authentication techniques. Answer C is incorrect because biometrics are an authentication factor, not a way of reusing one logon. Answer D is incorrect because it describes employee rights.

Question 62 Answer D is correct. Chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect because it describes how an organization responds to an incident. Answer B is incorrect because it describes processes for compliance.

Question 63 Answer C is correct. By an account being locked after a few consecutive failed attempts, the effectiveness of a brute-force attack is reduced. The use of password resets is an adequate mechanism in case a password has been compromised; however, it does nothing to stop guessing; therefore, answer A is incorrect. Increasing the value of the password history only prevents the user from reusing previously used passwords; it does little to circumvent brute-force attacks; therefore, answer B is incorrect. Having an employee show proper identification does nothing to reduce brute-force attacks; therefore, answer D is incorrect.
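Questions 25 and 63 together describe a password policy: complexity to enlarge the keyspace, history to stop reuse, and lockout to cap online guessing. The block below is an added example (not code from the book) that models all three and then runs a small dictionary attack against the account to show lockout cutting it off. The policy numbers (8 characters, 3 attempts, 5 remembered passwords), the guess list, and the use of PBKDF2-HMAC-SHA256 from hashlib for storage are assumptions chosen for the example.

```python
"""Password complexity, history and account lockout against brute force.

Added example, not from the book. The policy numbers (8 characters, 3
attempts, 5 remembered passwords) and the guess list are assumptions
chosen for the example; hashing uses PBKDF2-HMAC-SHA256 from hashlib.
"""
import hashlib
import hmac
import math
import os
import string
from typing import List, Tuple

SYMBOLS = string.punctuation


def complexity_ok(pw: str, min_len: int = 8) -> bool:
    """Upper + lower + digit + symbol and at least min_len characters."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def bruteforce_bits(pw: str) -> float:
    """log2 of the keyspace an attacker must cover if they know which classes are used."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS):
        if any(c in cls for c in pw):
            size += len(cls)
    return len(pw) * math.log2(size) if size else 0.0


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow, salted hash so an offline attacker cannot test guesses cheaply.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)


class Account:
    def __init__(self, password: str, lockout_after: int = 3, history_len: int = 5) -> None:
        self.lockout_after = lockout_after
        self.history_len = history_len
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash); last entry is current
        self.failed = 0
        self.locked = False
        if not self.set_password(password):
            raise ValueError("initial password violates policy")

    def _matches_any(self, pw: str, records) -> bool:
        return any(hmac.compare_digest(_hash(pw, salt), h) for salt, h in records)

    def set_password(self, new_pw: str) -> bool:
        """Reject weak passwords and any of the last history_len passwords."""
        if not complexity_ok(new_pw) or self._matches_any(new_pw, self.history):
            return False
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_pw, salt)))
        self.history = self.history[-self.history_len:]
        return True

    def login(self, pw: str) -> str:
        """'locked', 'ok' or 'fail'; locks after lockout_after consecutive failures."""
        if self.locked:
            return "locked"
        if self._matches_any(pw, self.history[-1:]):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= self.lockout_after:
            self.locked = True
        return "fail"


def brute_force(account: Account, guesses: List[str]) -> Tuple[bool, int]:
    """Online guessing: (found?, guesses actually checked before lockout or success)."""
    tried = 0
    for guess in guesses:
        result = account.login(guess)
        if result == "locked":
            break
        tried += 1
        if result == "ok":
            return True, tried
    return False, tried


GUESSES = ["password", "123456", "letmein", "qwerty", "Tr0ub4dor&3"]   # constructed list
```

Lockout is the control that actually changes the attacker's arithmetic for online guessing: with a limit of three attempts the dictionary above never reaches the real password, while the same list against an account with a lax limit succeeds on the fifth try. Lockout also creates a denial-of-service lever (an attacker can lock users out on purpose), which is why real deployments pair it with a timed unlock rather than a permanent one.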

Question 64 Answer C is correct. SSL/TLS is used to secure web communications and ensure that customer information is securely transferred. Answer A is incorrect because S/MIME is used to secure email communications. Answer B is incorrect because a VPN is not used to secure public anonymous connections to web servers but instead is used to provide secure remote-access services to the company's agents. Answer D is incorrect because SSH is used to secure file transfers and terminal sessions.

Question 65 Answers B, C, and D are correct. Natural disasters, unwanted access, and user restrictions are all physical security issues. Preventing Internet users from getting to data is data security, not physical security; therefore, answer A is incorrect.

Question 66 Answer B is correct. SMTP relay is a process whereby port 25 is used to forward email. If a hacker can exploit your system, he can send junk mail through your server. Answer A is incorrect because a DNS zone transfer is when a DNS server transfers its database information to another DNS server; DNS servers are used for name resolution, not mail. Answer C is incorrect because port scanning involves a utility being used to scan a machine for open ports that can be exploited. Answer D is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts.

Question 67 Answers B, C, and E are correct. Confidentiality, integrity, and availability make up the security triad. Answers A and D are incorrect because they are not associated with the security triad.

Question 68 Answer B is correct. The certificate revocation list (CRL) provides a detailed list of all the certificates that are no longer valid for a CA. Answers A and D are both incorrect because these terms relate to the policies and practices of certificates and the issuing authorities. Answer C is incorrect because a corporate security policy is a set of rules and procedures that relate to how information is protected.

Question 69 Answers B and C are correct. When encrypting and decrypting data using an asymmetric encryption algorithm, if one key is used to encrypt, you can use the other to decrypt the data. The remaining answers are incorrect because in public key encryption you use only the private key to decrypt data encrypted with the public key; the public key is not used to decrypt the same data it encrypted.

Question 70 Answer D is correct. Rijndael was the winner of the new AES standard. Although RC6 and Twofish competed for selection, they were not chosen; therefore, answers B and C are incorrect. Answer A is incorrect because 3DES did not participate and, although CAST-256 was submitted as a candidate, it was not selected.

Question 71 Answer A is correct. Common Gateway Interface (CGI) is a standard that allows a web server to execute a separate program to output content. Because of this, CGI scripts can be tricked into executing commands and could also expose system information. The remaining answers are incorrect because SMTP is used for email relay and cookies are small text files a website stores in the browser to identify a user, not a server-side program interface.

Question 72 Answer A is correct. User accounts should be disabled and data kept for a specified period of time as soon as employment is terminated. A record of user logins with time and date stamps must be kept. Answers B, C, and D are incorrect because they are not actions you should take when you find out an employee has been terminated.

Question 73 Answer D is correct. Mutual authentication is a process that authenticates both sides of a connection. Multifactor authentication uses two or more factors for completing the authentication process; therefore, answer C is incorrect. Answers A and B are fictitious terms and are therefore incorrect.

Question 74 Answer D is correct. Identification is a means of claiming who you are, authentication verifies that claim, and authorization is what you are allowed to perform, access, or do. These processes are not the same; therefore, the remaining answers are incorrect.
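Questions 27 and 69 turn on which key does what: the public key encrypts and the private key decrypts, while the private key signs and the public key verifies. The block below is an added example (not code from the book) that shows both directions with textbook RSA on the classic toy values p=61, q=53, e=17; these numbers, the absence of padding, and the sample message are assumptions for illustration only, and the book does not name RSA here. Nothing in this block is usable for real cryptography, but it does let you see that decrypting with the public key returns garbage and that a one-byte change to a signed message fails verification.

```python
"""Which key does what: textbook RSA with toy numbers.

Added example, not from the book. p=61, q=53 and e=17 are the classic
textbook values (far too small for real use, and there is no padding), so
this shows only the key roles: the public key encrypts and the private key
decrypts; the private key signs and the public key verifies.
"""
import hashlib
from typing import Dict, Tuple

PublicKey = Tuple[int, int]    # (e, n)
PrivateKey = Tuple[int, int]   # (d, n)


def keygen(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def encrypt(m: int, pub: PublicKey) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, priv: PrivateKey) -> int:
    d, n = priv
    return pow(c, d, n)


def _digest(msg: bytes, n: int) -> int:
    # Sign a hash of the message, reduced so it fits the tiny modulus.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, priv: PrivateKey) -> int:
    d, n = priv
    return pow(_digest(msg, n), d, n)          # only the private key holder can do this


def verify(msg: bytes, sig: int, pub: PublicKey) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(msg, n)   # anyone with the public key can check it


def demo() -> Dict[str, object]:
    pub, priv = keygen(61, 53)
    c = encrypt(65, pub)
    msg = b"transfer 100 to account 42"      # constructed sample message
    sig = sign(msg, priv)
    return {
        "ciphertext": c,                                   # 2790
        "decrypted_with_private": decrypt(c, priv),        # 65
        "decrypted_with_public": pow(c, pub[0], pub[1]),   # not 65: wrong key
        "signature_valid": verify(msg, sig, pub),          # True
        "tampered_valid": verify(msg + b"0", sig, pub),    # False unless digests collide mod n
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Nonrepudiation (Question 27) follows from the signing direction: because only the private key can produce a value that the public key raises back to the message digest, a valid signature is evidence that the key holder sent the message, and the digest binds that evidence to the exact bytes signed. Real systems add padding (OAEP for encryption, PSS for signatures) and keys of thousands of bits; without them textbook RSA as written here is malleable and trivially factorable.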

Question 75 Answers A, B, and D are correct. SNMP uses UDP ports 161 and 162. NetBIOS uses UDP port 137 for name resolution and UDP port 138 for its datagram service, and file sharing (the NetBIOS session service) runs on TCP port 139. Answer C is incorrect.

Question 76 Answer C is correct. The slogin SSH utility provides secured command-line connections to a remote server. Answers A, B, and D are incorrect because rlogin, rsh, and rcp do not use secured connections. Answer E is incorrect because the scp utility is used for secure file copying.

Question 77 Answers B and C are correct. FTP is vulnerable because the authentication credentials are sent in clear text, which makes it vulnerable to sniffing and eavesdropping. Answers A and D are incorrect because they do not accurately describe FTP.

Question 78 Answers A and C are correct. Cookies are used in web page viewing. A site can record in a cookie information such as the name and IP address of your machine, your operating system, your browser type, and the URLs of the last pages you visited. Cookies do not contain your network login or password; therefore, answers B and D are incorrect.

Question 79 Answer A is correct. Centralized security requires that a single group of administrators manages privileges and access. This makes the model more secure but less scalable than decentralized security, which is made up of teams of administrators trained to implement security for their area. Therefore, answers B, C, and D are incorrect.

Question 80 Answer B is correct. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because a VPN is used to provide secure remote-access services to the company's employees and agents. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 81 Answers A, B, and D are correct. A bastion host is the first line of security that a company allows to be addressed directly from the Internet. A bastion host on the private network communicating directly with a border router is a screened host. A screened subnet is an isolated subnet between the Internet and the internal network. Bastion subnet is a fictitious term; therefore, answer C is incorrect.

Question 82 Answer A is correct. A vulnerability is a weakness in hardware or software. Answer B is incorrect because it describes a threat. Answer C is incorrect because it describes a risk. Answer D is incorrect because it describes exposure factor.

Question 83 Answer C is correct. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or the source of information. A Trojan horse is a program used to perform hidden functions; therefore, answer B is incorrect. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.

Question 84 Answer A is correct. The process of elevating privilege or access is referred to as privilege escalation. Answer C is incorrect because in a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later; answers B and D are likewise incorrect.

Question 85 Answer B is correct. Risk can be accepted, transferred, mitigated, or eliminated. Answer A is incorrect because privilege management deals with assigning and controlling users' access rights, not with handling risk. Vetting often refers to performing a background check on someone and has nothing to do with risk; therefore, answer C is incorrect. The ability to log on once and gain access to all needed resources is referred to as single sign-on; therefore, answer D is incorrect.

Question 86 Answer D is correct. It is management's responsibility to set the tone for what type of role security plays in the organization. Answers A, B, and C are incorrect because, although they all play a part in security, the ultimate responsibility lies with management.

Question 87 Answer B is correct. Rolling back changes should be the next step to recovering the servers and making them quickly available for users. Even though they are all options, answer B is the best choice; therefore, answers A, C, and D are incorrect.

Question 88 Answer B is correct. A business continuity plan looks at the long-term actions taken by a company after a disaster has taken place. Answer A is incorrect because emergency response can be a part of disaster recovery. Answer C is incorrect because a DRP is an immediate action plan to be implemented following a disaster. Answer D is incorrect because it deals with the security of a company as a whole, not disaster planning.

Question 89 Answer C is correct. Stateful inspection tracks a connection across the packet stream, so it can look for strings in the data portion of the TCP/IP stream on a continuous basis rather than one packet at a time. Answer A is incorrect because heuristics is all about detecting virus-like behavior, rather than looking for specific signatures. Answer B is incorrect because anomaly analysis is used to detect abnormal behavior patterns. Answer D is incorrect because pattern matching searches through thousands of patterns, including popular, obscure, and discontinued patterns.

Question 90 Answer B is correct. Simple Network Management Protocol (SNMP) was developed specifically to manage devices. Answer A is incorrect because Simple Mail Transfer Protocol (SMTP) is a mail protocol used for outgoing mail service. Answer C is incorrect because Lightweight Directory Access Protocol (LDAP) is a directory services protocol. Answer D is incorrect because L2TP is used for packet encapsulation.

Question 91 Answers B and C are correct. TACACS is a client/server protocol that provides the same functionality as RADIUS, except that RADIUS is an actual Internet standard. Answers A and D are incorrect because both RADIUS and TACACS are authentication protocols.

Question 92 Answer C is correct. Wireless Transport Layer Security (WTLS) is the security layer for WAP applications. Even though answer B is part of the WAP stack, it is not the security layer; therefore, answer B is incorrect. Answers A and D are incorrect because the Wireless Security Layer and Wireless Security Layer Transport don't exist.

Question 93 Answers A, B, and D are correct. PPTP, L2TP, and IPsec are the three main tunneling protocols used in VPN connections. Answer C is incorrect because CHAP is an authentication protocol that uses a challenge/response mechanism.

Question 94 Answer A is correct. Because DHCP dynamically assigns IP addresses, anyone hooking up to the network can be automatically configured for network access. Answer B describes a media concern, not a DHCP issue; therefore, answer B is incorrect. Answer D is incorrect because there are security concerns with using DHCP.

Question 95 Answer B is correct. A worm is similar to a virus and Trojan horse, except that it replicates by itself without any user interaction. A worm can propagate via email, TCP/IP, and disk drives; therefore, answer C is incorrect. Answer A is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer D is incorrect because it describes a self-garbling virus, not a worm.

Question 96 Answer A is correct. In a decentralized key-management scheme, the user will create both the private and public key and then submit the public key to the CA to allow it to apply its digital signature after it has authenticated the user. Answer B is incorrect because centralized key management allows the organization to have complete control over the creation, distribution, modification, and revocation of the electronic credentials that it issues. Answers C and D are incorrect because they are nonexistent terms.

Question 97 Answer D is correct. Users who are uneducated about security policies are the weakest links. Answer A is incorrect because management is responsible for setting the security policies of a company. Answers B and C are incorrect because they are a result of poor security policies.

Question 98 Answers A and C are correct. MD5 is a hashing algorithm: it produces a fixed-length message digest and does not encrypt data. Because it uses no key pair, the Message Digest (MD) series is often classified globally with symmetric rather than asymmetric cryptography, but it is not an asymmetric encryption algorithm and should not be confused with symmetric block ciphers such as RC6, Twofish, and Rijndael. Answers B and D are incorrect; cryptographic algorithm in particular is too generic a term to be the best answer.

Question 99 Answer B is correct. PGP uses a web of trust rather than the hierarchical structure. It also uses public key encryption. Answer A is incorrect because a block cipher divides the message into blocks of bits, which is the method that the algorithm uses to encrypt data.

Question 100 Answer C is correct. Although the other answers are viable solutions, onsite backup is the best choice for a small company. Onsite backup is the most common way for companies to protect their data. Therefore, answers A, B, and D are incorrect.

Practice Exam 2

The 125 multiple-choice questions provided here help you determine how prepared you are for the actual exam and which topics you need to review further. Write down your answers on a separate sheet of paper so that you can take this exam again if necessary. Compare your answers against the answer key that follows this exam.

1. A _______ is an agent that could intentionally or unintentionally do harm to your computer systems and network.
❍ A. Threat
❍ B. Risk
❍ C. Vulnerability
❍ D. Both A and B

2. What is the name given to the process of collecting, processing, and storing evidence, as well as analyzing computer systems after an attack has taken place?
❍ A. Discovery
❍ B. Due care
❍ C. Due process
❍ D. Forensics

3. You are the security technician at your company and are directed to implement a virtual private network (VPN). Which of the following would you not consider using because they are not tunneling protocols? (Check all correct answers.)
❍ A. MD5
❍ B. L2TP
❍ C. 3DES
❍ D. PPTP

4. In which two of the following modes can Authentication Header (AH) be applied?
❍ A. Tunnel
❍ B. Encrypt
❍ C. Transport
❍ D. Authentication

5. Which one of the following is an encryption system used to protect email?
❍ A. L2TP
❍ B. PPTP
❍ C. S/MIME
❍ D. MIME

6. Of the following, which is a network device that works at the third layer of the OSI model and is responsible for forwarding packets between networks?
❍ A. Hub
❍ B. Switch
❍ C. Router
❍ D. Bridge

7. Layer 2 Tunneling Protocol (L2TP) merges the best features of what other two tunneling protocols?
❍ A. L2F and PPP
❍ B. PPP and PPTP
❍ C. L2F and IPsec
❍ D. PPTP and L2F

8. Which one of the following is issued by a CA and can be used as a sort of electronic identification card?
❍ A. Digital certificate
❍ B. Certificate authority
❍ C. Microsoft Passport
❍ D. Password

9. A password and a personal identification number (PIN) are examples of what?
❍ A. Something you have
❍ B. Something you make
❍ C. Something you know
❍ D. Something you are

10. Which one of the following access control mechanisms prevents disclosure of information by allowing the subject to assign security levels to objects?
❍ A. LDAP
❍ B. MAC
❍ C. DAC
❍ D. RBAC

11. Which one of the following best describes the type of attack designed to bring a network to a halt by flooding the systems with useless traffic?
❍ A. DoS
❍ B. Ping of death
❍ C. Teardrop
❍ D. Social engineering

12. Which of the following two services are provided by Message Authentication Code (MAC)?
❍ A. Integrity
❍ B. Authenticity
❍ C. Availability
❍ D. Confidentiality

13. Which of the following is a coordinated effort in which multiple machines attack a single victim or host with the intent to prevent legitimate service?
❍ A. DoS
❍ B. Masquerading
❍ C. DDoS
❍ D. Trojan Horse

14. Which of the following is a hardware or software system used to protect a network from unauthorized access?
❍ A. Honeypot
❍ B. Windows XP
❍ C. DMZ
❍ D. Firewall

15. Which of the following describes a firewall technique that looks at each packet and accepts or rejects the packet based on defined rules?
❍ A. Circuit-level gateway
❍ B. Packet filtering
❍ C. Application gateway
❍ D. Proxy server

16. Which one of the following best describes a worm or a virus?
❍ A. A virus propagates itself and destroys data.
❍ B. A worm attacks only after being triggered.
❍ C. A worm attacks system files, and a virus attacks only email.
❍ D. A worm is self-replicating, whereas a virus must be activated to replicate.

17. Which of the following serves the purpose of trying to lure a malicious attacker into a system?
❍ A. Honeypot
❍ B. Firepot
❍ C. Pot of gold
❍ D. Bear trap

18. The acronym WEP is short for what?
❍ A. Wired Equivalent Privacy
❍ B. Wireless Encryption Protocol
❍ C. Wired Equivalency Privacy
❍ D. Wireless Encryption Privacy

19. Of the following characteristics, which one should be included in every password?
❍ A. Uppercase letters
❍ B. Lowercase letters
❍ C. Numbers
❍ D. Special characters
❍ E. All of the above
❍ F. None of the above
❍ G. A and B only

20. Which one of the following is the best password?
❍ A. QwErTy
❍ B. Economics32
❍ C. OliverMiles
❍ D. One4a11$

21. Which one of the following is not considered a physical security component?
❍ A. VPN tunnel
❍ B. Mantrap
❍ C. Fence
❍ D. CCTV

22. Which of the following is the study of measurable human characteristics? Examples include hand scanning, iris profiling, fingerprinting, and voiceprinting.
❍ A. Geometrics
❍ B. Biometrics
❍ C. Photometrics
❍ D. Telemetrics

23. To filter incoming network traffic based on IP address, which one of the following should you implement?
❍ A. Firewall
❍ B. Intranet
❍ C. DoS
❍ D. Server

24. What is the widely used standard for defining digital certificates?
❍ A. X.25
❍ B. X.400
❍ C. X.200
❍ D. X.509

25. What is the name given to the system of digital certificates and certificate authorities used for public key cryptography over networks?
❍ A. Protocol Key Instructions (PKI)
❍ B. Public Key Extranet (PKE)
❍ C. Protocol Key Infrastructure (PKI)
❍ D. Public Key Infrastructure (PKI)

26. Which of the following ports are used by an email client? (Check all correct answers.)
❍ A. 110
❍ B. 21
❍ C. 143
❍ D. 25

27. Public key encryption uses which of the following types of keys?
❍ A. Public keys only
❍ B. Private keys only
❍ C. Public and private key pairs
❍ D. A pair of public keys
❍ E. A pair of private keys

28. Which one of the following is not an example of a denial-of-service attack?
❍ A. Fraggle
❍ B. Smurf
❍ C. Gargomel
❍ D. Teardrop
❍ E. Ping of death
❍ F. Bonk

29. Which of the following are examples of suspicious activity? (Check all correct answers.)
❍ A. A log report that indicates multiple login failures on a single account.
❍ B. Multiple connections that are in a half-open state.
❍ C. A user is prompted to change his password upon initial login.
❍ D. A user reporting that she is unable to print to the Finance printer.

30. What does an administrator use to allow, restrict, or deny access to a network or local resource?
❍ A. Access controls
❍ B. Configuration properties
❍ C. Control panel
❍ D. PGP

31. Which one of the following is designed to keep a system of checks and balances within a given security structure?
❍ A. Principle of least privilege
❍ B. Separation of duties
❍ C. Access controls
❍ D. Principal privileges

32. Which one of the following is not considered one of the three tenets of information security?
❍ A. Integrity
❍ B. Confidentiality
❍ C. Privacy
❍ D. Availability

33. What is the term given to an area within a network that sits between a public network and an internal, private network, and typically contains devices accessible to the public network?
❍ A. Web content zone
❍ B. Safe area
❍ C. Safe DMC
❍ D. DMZ

34. What type of attack attempts to use every possible key until the correct key is found?
❍ A. Brute-force attack
❍ B. Denial-of-service attack
❍ C. Passive attack
❍ D. Private key cryptography

35. At what layer does IPsec operate?
❍ A. Data link
❍ B. Presentation
❍ C. Transport
❍ D. Network

36. Your manager wants you to implement a client/server system that allows your company's remote access servers to talk with a central server to authenticate dial-in users and authorize their access. What type of systems should you research?
❍ A. RADIUS
❍ B. RAS servers
❍ C. Single sign-on
❍ D. PPTP

37. What is the name given to the process whereby a server authenticates a client and a client authenticates the server?
❍ A. Reverse authentication
❍ B. Mirrored authentication
❍ C. Mutual authentication
❍ D. Dual-factor authentication

38. Which of the following on a UNIX system is susceptible to an offline attack?
❍ A. etc/passwd
❍ B. etc/shadow
❍ C. usr/home
❍ D. usr/bin

39. WEP is a security protocol for _______ and is defined in the _______ standard.
❍ A. LANs, IEEE
❍ B. 802.11a, WLAN
❍ C. WLANs, 802.11b
❍ D. 802, X.509

40. Which of the following are protocols for transmitting data securely over the Web? (Check all correct answers.)
❍ A. SSL
❍ B. S-HTTP
❍ C. FTP
❍ D. TCP/IP

41. Which one of the following will help prevent the casual user from accessing your wireless network but does little to prevent access from more determined attackers?
❍ A. Broadcasting the SSID
❍ B. Broadcasting MAC addresses
❍ C. Not broadcasting the SSID
❍ D. Not broadcasting MAC addresses

42. Risk is made up of which of the following three components? (Choose three best answers.)
❍ A. Vulnerability
❍ B. Threat
❍ C. Probability
❍ D. Value

43. You are the security technician for your company. The CISO wants to block the protocol that allows for the distribution, inquiry, retrieval, and posting of news articles. What port number should you block at the firewall?
❍ A. 119
❍ B. 80
❍ C. 25
❍ D. 110

44. While performing regular security audits, you suspect that your company is under attack and someone is attempting to use resources on your network. The IP addresses in the log files belong to a trusted partner company, however. Assuming an attack, which of the following may be occurring?
❍ A. Replay
❍ B. Authorization
❍ C. Social engineering
❍ D. Spoofing

45. What should be used to prevent specific types of traffic from certain IP addresses and subnets from entering into the secured segment of your network?
❍ A. NAT
❍ B. Static packet filter
❍ C. VLAN
❍ D. Intrusion detection system

46. Which of the following is a firewall architecture that monitors connections throughout the communication session and checks the validity of the IP packet stream?
❍ A. Static inspection
❍ B. Spoofing inspection
❍ C. Stateful inspection
❍ D. Nonstateful inspection

47. Which of the following describes a passive attack?
❍ A. Does not insert data into the stream but instead monitors information being sent.
❍ B. Inserts false packets into the data stream.
❍ C. Records and replays previously sent valid messages.
❍ D. Makes attempts to verify the identity of the source of information.

48. What is the name given to the government standard describing methods implemented to limit or block electromagnetic radiation from electronic equipment?
❍ A. EMR
❍ B. Electroleak
❍ C. Wiretapping
❍ D. TEMPEST

49. Users received a spam email from an unknown source and chose the option in the email to unsubscribe and are now getting more spam as a result. Which one of the following is most likely the reason?
❍ A. The unsubscribe option does not actually do anything.
❍ B. The unsubscribe request was never received.
❍ C. Spam filters were automatically turned off when making the selection to unsubscribe.
❍ D. They confirmed that they are a "live" email.

50. Select the two best choices for achieving security awareness among your users in your organization. (Check all correct answers.)
❍ A. Training during employee orientation
❍ B. Monthly emails
❍ C. Security exhortations through posters
❍ D. Yearly seminars

51. Which one of the following is a process whereby a user can enter a single username and password and have access across multiple domains, eliminating the need to reauthenticate?
❍ A. Authentication
❍ B. Single sign-on (SSO)
❍ C. Lightweight Directory Access Protocol (LDAP)
❍ D. None of the above

52. What ports does Kerberos use? (Check all correct answers.)
❍ A. 88
❍ B. 80
❍ C. 21
❍ D. 749

53. Spyware is most likely to use which one of the following types of cookies?
❍ A. Session
❍ B. Transport
❍ C. Tracking
❍ D. Poisonous

54. What determines what a user can view and alter?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Access control

55. Your company suffers a security incident in which 11 of your employees are unable to work for 4 hours. These individuals each make $30 per hour. Given this information, which of the following is the single loss expectancy for this event?
❍ A. $1,320
❍ B. $120
❍ C. $1,200
❍ D. $132

56. You suspect one of your servers may have succumbed to a SYN flood attack. Which one of the following tools might you consider using to help confirm your suspicions?
❍ A. Netstat
❍ B. Ping
❍ C. Tracert
❍ D. Ipconfig

57. Which of the following is the best choice for extinguishing a Class C fire?
❍ A. Dry powder
❍ B. Water
❍ C. Carbon dioxide
❍ D. Helium

58. What is the required number of security associations in an IPsec encrypted session in each direction?
❍ A. One
❍ B. Two
❍ C. Three
❍ D. Four

59. Which one of the following is not true of NIDS and HIDS?
❍ A. Both HIDS and NIDS monitor operating system activity on specific machines.
❍ B. HIDS look at information on the individual machines.
❍ C. NIDS look at the information exchanged between machines.
❍ D. Both HIDS and NIDS gather and analyze data to identify possible threats.

60. An opening left in a program that allows additional, undocumented access to data is known as what?
❍ A. Back door
❍ B. Algorithm
❍ C. Blowfish
❍ D. Demilitarized zone

61. An attacker trying to exploit a web server will likely want to scan systems running web services. What port will the attacker scan for?
❍ A. 21
❍ B. 25
❍ C. 80
❍ D. 110

62. Which of the following IP protocols is used by ESP?
❍ A. 50
❍ B. 135
❍ C. 156
❍ D. 48

63. Information that is combined and results in a greater understanding is known as what?
❍ A. Data mining
❍ B. Data aggregation
❍ C. Data retrieval
❍ D. Data composition

64. Your company has several systems that contain sensitive data. What is a method of ensuring that individual system data cannot be combined with data across the other systems?
❍ A. Separation of duties
❍ B. Classifying the data
❍ C. Enforce stronger passwords
❍ D. Conduct background checks

65. Which of the following is a type of access control that provides access rights assigned to roles and then accounts assigned to these roles?
❍ A. ACL
❍ B. MAC
❍ C. DAC
❍ D. RBAC

66. Which of the following standards ensures privacy between communicating applications and clients on the Web and has been designed to replace SSL?
❍ A. Secure Sockets Layer 2
❍ B. Point-to-Point Tunneling Protocol
❍ C. Transport Layer Security
❍ D. Internet Protocol Security

67. Of the following, which one transmits log-on credentials as clear text?
❍ A. CHAP
❍ B. PAP
❍ C. MSCHAP-v2
❍ D. All of the above

68. At what layer of the OSI model does the Point-to-Point Protocol (PPP) provide services?
❍ A. 1
❍ B. 2
❍ C. 3
❍ D. 4

69. Which of the following is the best choice for encrypting large amounts of data?
❍ A. Asymmetric encryption
❍ B. Symmetric encryption
❍ C. Elliptical curve encryption
❍ D. RSA encryption

70. The Point-to-Point Protocol (PPP) can handle which of the following data communication methods?
❍ A. Synchronous and asynchronous
❍ B. Synchronous only
❍ C. Asynchronous only
❍ D. Synchronous, asynchronous, and half-synchronous

71. With Role Based Access Control (RBAC), how are access rights grouped?
❍ A. Role name
❍ B. Rules
❍ C. Role identification number
❍ D. Rule identification name

72. Within a router, access may be granted or denied based on IP address. What name is given to this method?
❍ A. ACLU
❍ B. ACL
❍ C. AP
❍ D. Answers A and B

73. Which of the following items should normally be shared among multiple users?
❍ A. Password
❍ B. User home directory
❍ C. Username
❍ D. None of the above

74. You are an accountant in Finance and you receive an email warning you of a devastating virus that is going around. The email instructs you to be wary of any email containing a specific file and further instructs you to delete the specific file if found on your computer. Which of the following should you do?
❍ A. Search for and delete the file from your computer.
❍ B. Forward the email to your friends and co-workers.
❍ C. Notify your system administrator of the email.
❍ D. Delete the email and reboot your computer.

75. What is the name given to the activity that consists of collecting information that will be later used for monitoring and review purposes?
❍ A. Logging
❍ B. Auditing
❍ C. Inspecting
❍ D. Vetting

76. Which one of the following best represents the principle of least privilege?
❍ A. Requiring that a user be given no more privilege than necessary to perform a job.
❍ B. Ensuring that all members of the user community are given the same privileges so long as they do not have administrator or root access to systems.
❍ C. A control enforced through written security policies.
❍ D. An assumption that job functions will be rotated frequently.

77. The enforcement of separation of duties is a valuable deterrent to which one of the following?
❍ A. Trojan horses
❍ B. Viruses
❍ C. Fraud
❍ D. Corporate audits
❍ E. Answers A and B

78. You notice that one of the pages on one of your company's web servers does not perform input validation. As a result, which one of the following are potential dangers?
❍ A. Viruses and ISAPI filters
❍ B. Viruses and worms
❍ C. XML and buffer overflow
❍ D. XSS and buffer overflow

79. Which of the following techniques will best help protect a system against a brute-force password attack?
❍ A. Lock the account after three unsuccessful password entry attempts.
❍ B. Increase the value of the password history control.
❍ C. Have users present proper identification before being granted a password.
❍ D. Require password resets every 90 days.

80. Which of the following should be used to help prevent against the mishandling of media?
❍ A. Tokens
❍ B. SSL
❍ C. Labeling
❍ D. Ticketing

81. What provides the basis for the level of protection applied to information? (Check all correct answers.)
❍ A. Data classification
❍ B. Value
❍ C. Risk of loss
❍ D. Size of the organization

82. An intrusion detection system (IDS) detects an attacker and seamlessly transfers the attacker to a special host. What is this host called?
❍ A. Honeypot
❍ B. Padded cell
❍ C. Remote-access host
❍ D. Byte host

83. Which of the following are advantages of honeypots and honeynets? (Check all correct answers.)
❍ A. Attackers are diverted to systems that they cannot damage.
❍ B. Administrators are allotted time to decide how to respond to an attack.
❍ C. Attackers' actions can more easily be monitored and resulting steps taken to improve system security.
❍ D. Well-defined legal implications.
❍ E. Provides a structure that would require less security administrators.

84. Which of the following is a formal set of statements that defines how systems or network resources can be used?
❍ A. Policies
❍ B. Standards
❍ C. Guidelines
❍ D. Procedures

85. What is the IEEE standard for wireless LAN technology?
❍ A. 802.2
❍ B. 802.11
❍ C. 802.1
❍ D. 802.6

86. Which of the following represent the pool of well-known ports?
❍ A. 0 through 255
❍ B. 0 through 1023
❍ C. 0 through 49151
❍ D. 1024 through 49151

87. Your company does not allow users to use the Internet for personal reasons during work hours. Where is this statement most likely documented?
❍ A. Company standards
❍ B. Company procedures
❍ C. Company guidelines
❍ D. Company policies

88. Which one of the following is an older, proprietary, two-way reversible encryption protocol?
❍ A. Password Authentication Protocol (PAP)
❍ B. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
❍ C. Microsoft Point-to-Point Encryption (MPPE)
❍ D. Shiva Password Authentication Protocol (SPAP)

89. What file system is preferred for use on all systems running Microsoft Windows NT, Windows 2000, Windows XP, and Windows Vista operating systems?
❍ A. CDFS
❍ B. NFS
❍ C. FAT
❍ D. NTFS

90. Which of the following ports are assigned to NetBIOS services? (Check all correct answers.)
❍ A. 137
❍ B. 138
❍ C. 139
❍ D. 140

91. What type of backup is normally done once a day and clears the archive bit after the files have been backed up?
❍ A. Copy
❍ B. Daily
❍ C. Incremental
❍ D. Differential

92. The sender of data is provided with proof of delivery, and neither the sender nor receiver can deny either having sent or received the data. What is this called?
❍ A. Nonrepudiation
❍ B. Repetition
❍ C. Nonrepetition
❍ D. Repudiation

93. A disaster recovery plan (DRP) is an agreed upon plan detailing how operations will be restored after a disaster. When is the DRP created?
❍ A. After a disaster
❍ B. During a disaster
❍ C. Before a disaster
❍ D. Anytime

94. The process of making an operating system more secure by closing known vulnerabilities and addressing security issues is known as which of the following?
❍ A. Handshaking
❍ B. Hardening
❍ C. Hotfixing
❍ D. All of the above

95. Which of the following are examples of protocol analyzers? (Check all correct answers.)
❍ A. Metasploit
❍ B. Wireshark
❍ C. SATAN
❍ D. Network Monitor

96. What is the name given to viruses that mutate and can appear differently, which makes them more difficult to detect?
❍ A. Stealth
❍ B. Cavity
❍ C. Polymorphic
❍ D. Multipartite

97. What type of virus does not require programming knowledge and is found in electronic office documents?
❍ A. Stealth
❍ B. Macro
❍ C. Polymorphic
❍ D. Multipartite

98. A hacker attempting to break into a server running Microsoft Windows will most likely attempt to break into which account?
❍ A. Supervisor
❍ B. Root
❍ C. Administrator
❍ D. Group

99. Which of the following is a UNIX-based command interface and protocol for accessing a remote computer securely?
❍ A. Secure Electronic Transaction (SET)
❍ B. Secure Hash Algorithm (SHA)
❍ C. Secure Socket Shell (SSH)
❍ D. Telnet

100. What port is used for a DNS zone transfer?
❍ A. 53
❍ B. 80
❍ C. 135
❍ D. 137

101. Which one of the following is not true about a web server?
❍ A. The default port for a web server is port 80.
❍ B. A web server must always run on port 80.
❍ C. A commonly used alternate port for web servers is 8080.
❍ D. The browser client must specify the port if not using well-known port 80.

102. What RAID level array configuration is composed of two drives that duplicate the data?
❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 2
❍ D. RAID 3

103. Which of the following best describes the term false positive?
❍ A. Occurs when the intrusion-detection system detects a legitimate action as a possible intrusion
❍ B. Occurs when the intrusion-detection system allows an intrusive action to pass as nonintrusive behavior
❍ C. Occurs when the intrusion-detection system is modified by an intruder to make false negatives occur
❍ D. Fooling the system over time by executing small individual steps that when combined can amount to an attack

104. Passwords can be intercepted as they move through networks via which of the following?
❍ A. Keyboard sniffers
❍ B. Password sniffers
❍ C. Trojan horses
❍ D. Cookies

105. A fire involving computer equipment and other electronic appliances is likely to be considered what class of fire?
❍ A. Class A
❍ B. Class B
❍ C. Class C
❍ D. Class D

106. A physical security plan should include which of the following? (Check all correct answers.)
❍ A. Description of the physical assets being protected
❍ B. The threats from which you are protecting against and their likelihood
❍ C. Location of a hard disk's physical blocks
❍ D. Description of the physical areas where assets are located

107. A certificate authority discovers it has issued a digital certificate to the wrong person. What needs to be completed?
❍ A. Certificate practice statement (CPS)
❍ B. Revocation
❍ C. Private key compromise
❍ D. Fraudulent practices statement (FPS)

108. Which of the following is a primary method for minimizing threat to a web server?
❍ A. Disable all non-web services and enable Telnet for interactive logins.
❍ B. Enable logging.
❍ C. Disable nonessential services.
❍ D. Ensure finger and echo are running.

109. A collection of compromised computers running software installed by a Trojan horse or a worm is referred to as what?
❍ A. Zombie
❍ B. Botnet
❍ C. Herder
❍ D. Virus

110. The enforcement of minimum privileges for system users is achieved via which of the following?
❍ A. IPsec
❍ B. RBAC
❍ C. IDS
❍ D. DRP

111. Which of the following is not a major security evaluation criteria effort?
❍ A. TCSEC
❍ B. Common Criteria
❍ C. IPsec
❍ D. ITSEC

112. Which one of the following types of servers would be the target for an attack where a malicious individual would attempt to change information during a zone transfer?
❍ A. Database server
❍ B. File and print server
❍ C. Web server
❍ D. DNS server

113. In preventing which of the following are white lists and black lists most likely to be found?
❍ A. Spam
❍ B. Viruses
❍ C. DoD attacks
❍ D. SQL injection attacks

114. Which of the following is a hybrid cryptosystem?
❍ A. IDEA
❍ B. MD5
❍ C. RSA
❍ D. PGP

115. Which of the following is a type of cable in which the signals cannot be detected by electronic eavesdropping equipment?
❍ A. Fiber optic
❍ B. Unshielded twisted-pair (UTP)
❍ C. Shielded twisted-pair (STP)
❍ D. Coaxial thicknet

116. What is the space above a drop ceiling called?
❍ A. Raised floor
❍ B. Fire-retardant space
❍ C. Plenum
❍ D. Teflon

117. You are tracking SNMP traffic. Which of the following ports would you monitor? (Select all correct answers.)
❍ A. 161
❍ B. 139
❍ C. 162
❍ D. 138

118. Which one of the following is not a private IP address?
❍ A. 192.168.1.1
❍ B. 165.193.36.44
❍ C. 172.18.123.4
❍ D. 10.0.2.234

119. Of the following, which are characteristics of a cold site?
❍ A. Requires setup time
❍ B. Company needs to bring its own equipment
❍ C. Facility and equipment is already set up and ready to occupy
❍ D. A and B

120. Which of the following is used to trap and ground stray electrical signals?
❍ A. TEMPEST
❍ B. Faraday cage
❍ C. EMR
❍ D. None of the above

121. Which one of the following best describes a service level agreement (SLA)?
❍ A. A method of procuring services after a disaster has struck
❍ B. A contract between a service provider and customer that specifies how the provider will ensure recovery in the event of a disaster
❍ C. A contract between a service provider and customer that specifies the measurable services the provider will furnish
❍ D. A method of protecting a facility from disaster

122. A situation in which a program or process attempts to store more data in a temporary data storage area than it was intended to hold is known as a what?
❍ A. Buffer overflow
❍ B. Denial of service
❍ C. Distributed denial of service
❍ D. Storage overrun

123. Which of the following is used in many encryption algorithms and is the transformation of a string of characters into a shorter fixed-length value or key that represents the original string?
❍ A. Cipher block chaining
❍ B. Hashing
❍ C. PKI
❍ D. Ciphertext

124. What is usually the first phase conducted before doing a site penetration?
❍ A. Information gathering
❍ B. Cracking
❍ C. Social engineering
❍ D. Spoofing

125. What type of server acts as an intermediary intercepting all requests to a target server to see whether it can fulfill the request itself?
❍ A. Web server
❍ B. Packet filter
❍ C. Proxy server
❍ D. Firewall


Practice Exam 2 Answer Key

Answers at a Glance

1. D  2. A  3. A and C  4. A and C  5. C  6. D  7. C  8. A  9. C  10. C
11. A  12. A and B  13. C  14. D  15. B  16. D  17. A  18. A  19. E  20. D
21. A  22. B  23. A  24. D  25. D  26. A, C, and D  27. C  28. C  29. A and B  30. A
31. B  32. C  33. D  34. A  35. D  36. A  37. C  38. A  39. C  40. A and B
41. C  42. A, B, and C  43. A  44. D  45. B  46. C  47. A  48. D  49. D  50. A and D
51. B  52. A and D  53. C  54. D  55. A  56. A  57. C  58. A  59. A  60. A
61. C  62. A  63. B  64. A  65. D  66. C

67. B  68. B  69. B  70. A  71. A  72. B  73. D  74. C  75. A  76. A
77. C  78. D  79. A  80. C  81. A, B, and C  82. B  83. A, B, and C  84. A  85. B  86. B
87. D  88. D  89. D  90. A, B, and C  91. C  92. A  93. C  94. B  95. B and D  96. C
97. B  98. C  99. C  100. A  101. B  102. B  103. A  104. B  105. C  106. A, B, and D
107. B  108. C  109. B  110. B  111. C  112. D  113. A  114. D  115. A  116. C
117. A and C  118. B  119. D  120. B  121. C  122. A  123. B  124. A  125. C

Answers with Explanations

Question 1 Answer D is correct. Forensics is the practice of using tools to investigate and establish facts, usually for evidence within a court of law. According to the question, the attack has already taken place and evidence is being retrieved, and therefore answer A is incorrect. Answers B and C are both incorrect. Due care describes a process before an attack takes place, and due process describes the course taken during court proceedings designed to safeguard the legal rights of individuals.

Question 2 Answer A is correct. A threat is something that could intentionally (such as a malicious hacker) or unintentionally (such as a tornado) do harm to your computer systems and network. Answer B is incorrect because a risk describes the possibility of realizing a threat. Answer C is incorrect because a vulnerability describes the susceptibility to attack. Answer D is therefore also incorrect.

Question 3 Answers A and C are correct. Both MD5 and 3DES are cryptography algorithms. Answers B and D are both tunneling protocols used in virtual private networks and are therefore incorrect.

Question 4 Answers A and C are correct. The IPsec Authentication Header (AH) provides integrity and authentication only and can be used in tunnel mode and transport mode. Therefore, answer B is incorrect, and although AH provides authentication and integrity, answer D does not describe one of the operating modes.

Question 5 Answer C is correct. A router is a networking device that works at Layer 3 in the OSI model. Answer A is incorrect because a hub works at Layer 1. A switch works at Layer 2; therefore, answer B is incorrect. A bridge operates on Layer 2 of the OSI model; therefore, answer D is incorrect.

Question 6 Answer D is correct. Both PPTP and L2F (Layer 2 Forward) are leveraged within L2TP. Answers A, B, and C are all incorrect because each answer contains a protocol that is not a tunneling protocol.

Question 7 Answer C is correct. S/MIME is the secure version of MIME and is used to protect email messages. Answers A and B are incorrect because L2TP and PPTP are tunneling protocols. Answer D is incorrect because MIME is used for plain text (the unsecured version of S/MIME).

Question 8 Answer A is correct. Digital certificates are issued by certificate authorities (CAs) and serve as a virtual ID or passport, commonly used to conduct business over the Web. Answer B is incorrect because a CA is the issuer of these certificates used to establish identification. Answer C is incorrect because this describes a Microsoft authentication service. A password is a secret word or phrase used to gain access; therefore, answer D is incorrect.

Question 9 Answer C is correct. A password and a PIN are usually private alphanumeric codes, which are known by an individual. Something you have describes an item such as a swipe card or token. Using an ATM card typically requires something you have (the card) and something you know (the PIN); therefore, answer A is incorrect. Something you make is not associated with authentication; therefore, answer B is incorrect. Answer D is incorrect because something you are involves biometrics such as fingerprints and voiceprints.

Question 10 Answer C is correct. Mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC) are common types of access control mechanisms used within computer systems, yet DAC is the only one that assigns security levels to objects and subjects. Therefore, answers B and D are incorrect. LDAP is a directory protocol; therefore, answer A is incorrect.

Question 11 Answer A is correct. A DoS attack (or denial of service) is designed to bring down a network by flooding the system with an overabundance of useless traffic. Although answers B and C are both types of DoS attacks, they are incorrect because DoS more accurately describes "a type of attack." Answer D is incorrect because social engineering describes the nontechnical means of obtaining information.

Question 12 Answers A and B are correct. A Message Authentication Code (MAC) provides both an integrity check and authenticity check. It ensures a message, for example, has not been altered and that only an individual knowing the secret key can produce the MAC. Availability and confidentiality are not functions provided by MAC; therefore, answers C and D are both incorrect choices.

Question 13 Answer C is correct. A distributed denial of service (DDoS) is similar to a denial-of-service (DoS) attack in that they both try to prevent legitimate access to services; however, a DDoS is a coordinated effort among many computer systems; therefore, answer A is incorrect. Masquerading involves using someone else's identity to access resources; therefore, answer B is incorrect. A Trojan horse is a program used to perform hidden functions; therefore, answer D is incorrect.

Question 14 Answer D is correct. A firewall is a hardware or software device used to protect a network from unauthorized access. Many firewalls are also designed to prevent unauthorized traffic from leaving the network. A honeypot is used to serve as a decoy and lure a malicious attacker; therefore, answer A is incorrect. Answer B is also incorrect because Windows XP is a Microsoft operating system. Answer C is incorrect because a DMZ is an area between the Internet and the internal network.

Question 15 Answer B is correct. Many firewalls today employ stateful packet inspections and have replaced many packet-filtering firewalls. Answer A is incorrect; it is not a legitimate term. Answers C and D do not employ stateful packet inspections and are both incorrect.

Question 16 Answer D is correct. Traditionally, a worm replicates itself, and a virus must be activated to replicate. Answer A is incorrect because a virus must be activated to propagate. Answer B is incorrect because a worm can perform its functions without being triggered. Answer C is also an incorrect statement because worms and viruses are capable of much more.

Question 17 Answer A is correct. A honeypot is used as a decoy to lure malicious attacks. Answers B and D are incorrect answers and are not legitimate terms for testing purposes. Answer C is incorrect; it describes a system used to manage encryption keys, and answer D is a system used to manage logs.

Question 20 Answer D is correct. Answer C is incorrect because a person’s name should not be used. Question 22 Answer B is correct. Choice D is a good password because it is eight characters long and makes use of mixed case, numbers, and special characters. Answer B is incorrect. A good password will make use of uppercase and lowercase letters, as well as numbers and special characters. Question 21 Answer A is correct. Answers B, C, and D are incorrect. Mantrap, fence, and CCTV are all components of physical security. A VPN tunnel is an example of data security—not physical security. Geometrics describes geometric qualities or properties. Question 18 Answer A is correct. Wired Equivalent Privacy (WEP) is part of the 802.11b standard, and it is designed to provide for the same level of security as on a wired network. Although answer B might make a good password, it would be better if it incorporated numbers within the password (not at the beginning or end) and if it were not a word found in the dictionary. Answers B, C, and D are all incorrect. Answer D is incorrect. Answer A is incorrect. Answer A is incorrect because it uses a familiar keyboard pattern. Answers F and G are both incorrect. Telemetrics is the study and measurement of the transmission of data over certain mediums. Answer C, photometrics, is incorrect because this is the study and measurement of the properties of light. Question 19 Answer E is correct. Biometrics is the study of biological characteristics.

Port 25 is used by the SMTP outgoing mail protocol. X.400 is a standard for transmitting email. Question 23 Answer A is correct. Although a firewall may be called a firewall server, a firewall is a hardware or software system designed to protect networks against threats, and can be used to permit or deny traffic based on IP address. X.25 is a standard for connecting packet-switched networks. Port 110 is used by the POP3 incoming mail protocol. Public key encryption uses a public and private key pair. Public Key Infrastructure describes the trust hierarchy system for implementing a secure public key cryptography system over TCP/IP networks. Port 143 is used by the IMAP4 incoming mail protocol. Answer D is incorrect for the same reason as answer A. Answer C is incorrect. Answer B is incorrect because this is the port used for FTP, and answer E is incorrect for the same reason as answer B. Answer B is incorrect because only a symmetric key cryptography system would use just private keys. Answer D is incorrect because this is not nearly specific enough. Question 25 Answer D is correct. Answer B is incorrect. Answers A, B, and C are incorrect because these are bogus terms. Answer A is incorrect because X.509 is the defining standard upon which digital certificates are based. Question 26 Answers A, C, and D are correct. X.200 deals with the top layer of the OSI model. Answer A is incorrect because there are no encryption technologies that use only public keys. Answer C is incorrect because this is a type of attack meant to disrupt service. Question 27 Answer C is correct. Answer B is incorrect because an intranet is a private network. Question 24 Answer D is correct.

Smurf, Fraggle, Teardrop, Ping of death, and Bonk are names of specific denial-of-service attacks. A Gargomel attack, although cool sounding, does not actually exist; it is an invalid term. Therefore, answers A, B, D, E, and F are incorrect. Question 30 Answer A is correct. Multiple connections in a half-open state are likely waiting for a SYN-ACK and may indicate a SYN flood attack. Answer D is incorrect because PGP is used for secure email. Question 29 Answers A and B are correct. Answer C is incorrect because access controls allow for the control of access to resources. A log report that shows multiple login failures for a single account should raise suspicion because this might be an attempt by an unauthorized person to gain access. The three tenets of information security are confidentiality, integrity, and availability. Privacy, although similar to confidentiality, is not considered one of the three. Access controls allow an administrator to allow, restrict, or deny access to resources. Question 32 Answer C is correct. Answers B and C are both incorrect because neither of these relates to administrative controls to administer the security on resources. Separation of duties and responsibilities is used to ensure a system of checks and balances. Question 28 Answer C is correct. Question 31 Answer B is correct. Two common access control methods are discretionary access control (DAC) and mandatory access control (MAC). Answer D is incorrect. Answer A is incorrect because the principle of least privilege is to ensure that users are granted only the minimum level of access required to perform their job functions. Answers C and D are incorrect because these appear to be typical network problems or controls that have been implemented by an administrator. Answers A and D are incorrect.

Question 34 Answer A is correct. A demilitarized zone (DMZ) sits between a public network such as the Internet and an organization’s internal network. Mutual authentication describes the process whereby a client and server both authenticate each other, rather than the server just authenticating the client. Both answers B and C are made-up terms and are therefore incorrect. Answers A, B, and C are other layers within the OSI model but are not the layers at which IPsec operates. Answers A, B, and D are invalid terms and are therefore incorrect. Answer D is incorrect because PPTP is a tunneling protocol. Answer B is incorrect because a Remote Access Server (RAS) is the system used to handle remote user access. Answer C is incorrect because this describes an attempt to intercept data without altering it. IPsec operates at Layer 3, the network layer, of the OSI model, whereas other security protocols such as SSL operate at higher layers. Question 37 Answer C is correct. Question 33 Answer D is correct. Your manager wants a central server to communicate with these servers. Remote Authentication Dial-In User Service (RADIUS) is a client/server system that facilitates the communication between remote access servers and a central server. This central server authenticates the dial-in users and authorizes the user’s access. Question 35 Answer D is correct. Answer D is incorrect because this is the crypto system relying on secret keys. A web content zone is a security term used in Microsoft’s web browser. A brute-force attack attempts to use every key and relies on adequate processing power. Answer A is incorrect. Question 36 Answer A is correct. Answer B is incorrect because a denial-of-service attack is an attempt to prevent legitimate service.

Question 38 Answer A is correct. Not broadcasting the wireless SSID, although a common practice, will not prevent a more determined attack on your wireless network. It does, however, keep the wireless access point from advertising the name of the network. Wireless access points typically provide a mechanism to filter system access by MAC address; however, like disabling SSID broadcast, this does not stop the more determined attack because one’s MAC address can be spoofed. Answers B and D are incorrect because MAC addresses don’t get broadcast. The IEEE (Institute of Electrical and Electronics Engineers) developed the 802.11 standards. 802.11a is an older specification. The Wired Equivalent Privacy (WEP) is a security protocol designed for wireless local area networks, and it is defined in the 802.11b standard. Value is not a component of risk; value may affect your decision whether to accept a risk. Risk can be defined as the probability of a threat exploiting a vulnerability. Answers B and D are incorrect. The /etc/passwd file on a UNIX system is world-readable, which means anyone can read it and could as a result allow an attacker to obtain the hash of everyone’s password to mount an offline attack. In contrast, the /etc/shadow file makes the hashed password unreadable by unprivileged users. Answers C and D are incorrect and do not reference password files. Question 41 Answer C is correct. TCP/IP is the language of the Internet. Answer B is incorrect. Answers C and D are incorrect. Question 40 Answers A and B are correct. Question 39 Answer C is correct. File Transfer Protocol (FTP) is a simple and unsecured protocol for the transfer of files across the Internet. X.509 is the standard for defining digital certificates. Answers A, B, and C are correct. Answer D is incorrect. Question 42 Answers A, B, and C are correct. Both Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP) are protocols designed to transmit data securely across the Web, which is inherently unsecured. SSL uses public key encryption to encrypt the data, and S-HTTP creates a secure connection between the client and server.

The most likely answer is spoofing because this allows an attacker to misrepresent the source of the requests. Question 44 Answer D is correct. Question 46 Answer C is correct. Answer C is incorrect because a VLAN is used to make computers on physically different network segments appear as if they are one physical segment. The Hypertext Transfer Protocol (Web) uses port 80. Answer D is incorrect. Port 25 is for the Simple Mail Transfer Protocol (SMTP), and port 110 is for the Post Office Protocol (POP). Answers C and D are also incorrect because these ports are used for the sending and receiving of mail. On a firewall, static packet filtering provides a simple solution for the basic filtering of network traffic based on source, destination addresses, and protocol types. Answer B is incorrect because there is no such firewall architecture. Question 43 Answer A is correct. Answer A is incorrect because static packet filtering examines packets based on information in their headers. Answer B is incorrect because this is not a type of attack but is instead the granting of access rights based on authentication. Stateful inspection (also called dynamic packet filtering) monitors the connection throughout the session and verifies the validity of IP packet streams. As opposed to stateful inspection, nonstateful inspection does not maintain the state of the packets. Answer B is incorrect. Question 45 Answer B is correct. The Network News Transfer Protocol (NNTP) provides access to newsgroups and uses TCP port 119. Answer A is incorrect because NAT is used to hide internal addresses. Answer A is incorrect because this type of attack records and replays previously sent valid messages. Answer C is incorrect because social engineering involves the nontechnical means of gaining information. Answer D is incorrect because an intrusion detection system is used to identify suspicious network activity.

Question 48 Answer D is correct. Answer C is incorrect because this is a protocol for directory access. TEMPEST originated with the U.S. military and deals with the study of devices that emit electromagnetic radiation. Electromagnetic radiation or EMR is emitted from devices. Answer D is incorrect. Answer B is a bogus term. Question 47 Answer A is correct. Question 50 Answers A and D are correct. Security training during employee orientation, as well as yearly seminars, are the best choices as these are active methods of raising security awareness. Email and posters are passive; therefore, answers B and C are incorrect because these are less likely and not the best choices. Question 51 Answer B is correct. Often an option to opt out of further email does not unsubscribe users, but rather means “send me more spam” because it has been confirmed that the email address is not dormant. This is less likely to occur with email a user receives that he or she opted into in the first place. An active attack does make attempts to insert false packets into the data stream. A passive attack attempts to passively monitor data being sent between two parties and does not insert data into the data stream. Authentication refers to the process of verifying the identity of a source and is not a type of attack. A replay attack records and replays previously sent valid messages. Answer B is incorrect. Question 49 Answer D is correct. Answer A is incorrect because authentication is simply the process of identification. Answer C is incorrect because wiretapping involves the secret monitoring of information being passed. Answer D is incorrect. Answer B is incorrect. Answer A is incorrect. Answer C is incorrect.
Single sign-on provides the mechanism whereby a user needs to authenticate to a system just one time and can then access multiple systems without the need to reauthenticate or maintain separate usernames and passwords.

Multiplying the number of affected employees by their hourly wage means the company will be losing $330 an hour. Because they are unable to work for 4 hours, we must then multiply $330 by 4. Question 56 Answer A is correct. Answer C is incorrect. Answers B and D are not types of cookies and are incorrect. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Whereas cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. Answer A is incorrect. Answers B, C, and D are incorrect. Answer B is incorrect. Kerberos uses ports 88 and 749. Port 749 is used for Kerberos administration. Answers B and C are incorrect because port 80 is used for HTTP and port 21 is used for FTP. Question 54 Answer D is correct. By using the Netstat command, you can check the number of open connections that have received a SYN but not an ACK, which may indicate connections left in a half-opened state. Tracert, Ping, and Ipconfig are other useful utilities but will not show connection states as does Netstat. Question 52 Answers A and D are correct. Authentication verifies the identity of a user or system. Integrity describes the reliability of the data in that it has not been altered. Confidentiality ensures data remains private. Access control defines what a user can access and what the user can specifically view and alter. Answers B, C, and D are incorrect. Question 55 Answer A is correct. SLE can be solved by multiplying the asset value (AV) by the exposure factor (EF). Answer A is incorrect. Question 53 Answer C is correct.

Port 80 is used for web services, also known as Hypertext Transfer Protocol. Answer C is incorrect. Both carbon dioxide and dry chemicals can be used to extinguish a class C electrical fire; however, carbon dioxide is better suited for computer and other electrical equipment because carbon dioxide does not leave a harmful residue. Therefore, based on the question, answer A is incorrect. Water should never be used on a class C fire because of the risk of electrical shock, and helium is not an extinguishing agent; therefore, they are incorrect answers. Answers B and D are also incorrect. A host-based intrusion-detection system (HIDS) and a network-based intrusion-detection system differ primarily in that a NIDS is concerned with monitoring the external interfaces, whereas the HIDS is concerned with only the system itself. Port 25 is used for the Simple Mail Transfer Protocol (SMTP). Port 21 is used for the File Transfer Protocol (FTP). Port 110 is used for the Post Office Protocol (POP). A back door is an opening in a program, often left by a developer, that enables access through nontraditional means. Answers B, C, and D are incorrect. Security associations (SAs) are created to help protect the traffic stream, and two SAs are required—one in each direction. Answers B, C, and D are incorrect. Blowfish is a type of symmetric block cipher. Answer A is incorrect. Answer D is incorrect. Answer D is incorrect because a demilitarized zone is a zone within a network where publicly accessible servers are typically placed. Answer B is incorrect. Question 58 Answer A is correct. Question 61 Answer C is correct. Answer B is incorrect because an algorithm refers to the steps to arrive at a result. Question 59 Answer A is correct. Question 57 Answer C is correct. Question 60 Answer A is correct.

Answer B is a protocol used to create secure tunnels, such as in a virtual private network. The other choices are invalid answers. Question 62 Answer A is correct. Question 65 Answer D is correct. Answers B, C, and D are incorrect. Answers C and D are also incorrect because these are irrelevant to the process of piecing together separate pieces of data. Question 64 Answer A is correct. Therefore, answer B is incorrect. Data aggregation is the process of combining separate pieces of data that by themselves might be of no use but when combined with other bits of data will provide a greater understanding. Individuals granted widespread authorization to data have a much easier chance to perform data aggregation. Ensuring the separation of duties provides a countermeasure against such data collection. Classifying the data does not help against the risk that the information may be collected by authorized individuals. Answers B and C are also incorrect because these are other types of access control. TLS was designed to be the successor to Secure Sockets Layer. Although the two are not interoperable, TLS is based on SSL and provides security between web applications and their clients. Answer D is incorrect. Answers A, C, and D are incorrect. Answer A is incorrect. Question 63 Answer B is correct. Role-based access control (RBAC), as the name implies, assigns access rights to roles. Internet Protocol Security (IPsec) is also used to create virtual private networks. Answer B is incorrect. Encapsulating Security Payload (ESP) is IP protocol 50. Question 66 Answer C is correct. Answer A is incorrect because an access control list is a list of permissions attached to an object.

PPP, a protocol for communicating between two points using a serial interface, provides service at the second layer of the OSI model: the data link layer. PPP can handle synchronous and asynchronous connections. Layer 1 (physical), Layer 3 (network), and Layer 4 (transport) are not the layers at which PPP provides its service; therefore answers A, C, and D are incorrect. Question 70 Answer A is correct. Answers B, C, and D are incorrect. Public key encryption is not usually used to encrypt large amounts of data, but it does provide an effective and efficient means of sending a secret key from which to do symmetric encryption thereafter, which provides the best method for efficiently encrypting large amounts of data. An access control list (ACL) coordinates access to resources based on a list of allowed or denied items such as users or network addresses. Answer A is incorrect because ACLU identifies a nonprofit organization that seeks to protect the basic civic liberties of Americans. Answer D is also incorrect. Answers C and D are incorrect. Access rights are grouped by the role name, and the use of resources is restricted to those associated with the authorized role. Answers A, C, and D are incorrect ways of describing how access rights are grouped within RBAC. Question 69 Answer B is correct. Answer C is incorrect. The Password Authentication Protocol (PAP) is a basic form of authentication during which the username and password are transmitted unencrypted. Both CHAP and MSCHAP-v2 support the secure transmission of usernames and passwords. Answers A, C, and D are incorrect. Question 72 Answer B is correct. Question 71 Answer A is correct. Question 68 Answer B is correct. Question 67 Answer B is correct. Answers A, C, and D are incorrect. An access point (AP) is often used in relation to a wireless access point (WAP).

Typically, the log files are frequently inspected, and although the policies might differ among organizations, answer C is incorrect. Users should not be given privileges above those necessary to perform their job function. The other choices do not adequately and accurately describe the principle of least privilege. Question 75 Answer A is correct. The email is likely a hoax; given this scenario and the available choices, the best answer is to notify the system administrator. Answers B, C, and D are incorrect. Passwords, home directories, and usernames in most cases are unique to the individual users. Although the use of shared usernames and passwords is common in many instances, it is a practice that generally should not be used. Question 77 Answer C is correct. Answer D is incorrect. The separation of duties is not a deterrent to Trojan horses, viruses, or corporate audits. Auditing is the process of verification that normally involves going through log files. Logging is the process of collecting data to be used for monitoring and auditing purposes. Vetting is the process of thorough examination or evaluation, and inspection is not the process of collecting the data. Answers A, B, and D are incorrect. Answers A, B, and C are not the best choices. Cross-site scripting (XSS) and buffer overflow are two potentially real dangers of not performing input validation within forms on a website. Answers A, B, and D are incorrect. Question 78 Answer D is correct. Answer B is incorrect. The potential for fraudulent activity is greater when the opportunity exists for one who is able to execute all the transactions within a given set. Question 74 Answer C is correct. Question 76 Answer A is correct. Answers A, B, D, and E are incorrect. Question 73 Answer D is correct.

Question 82 Answer B is correct. When an IDS detects an attacker, the attacker may then be transparently transferred to a padded cell host, which is a simulated environment where harm cannot be done. All three terms used for answers A, C, and D are incorrect because these are not related to intrusion-detection systems. Tokens are a hardware device, and SSL is a protocol for protecting documents on the Internet. Question 83 Answers A, B, and C are correct. Proper labeling concerning the sensitivity of information should be placed on media such as tapes and disks to prevent the mishandling of the information. Protecting data against accidental or malicious events is based on the classification level of the data, the data’s value, and the level of risk or compromise of the data. The size of the organization has no bearing on the level of protection to be provided; therefore, answer D is incorrect. All except answers D and E are advantages of honeypots and honeynets. Currently, the legal implications of using such systems are not that well defined, and the use of these systems will typically require more administrative resources. Answer A is incorrect. Answer D is also incorrect. Answer B is incorrect. Question 79 Answer A is correct. By locking an account after a few consecutive attempts, you can reduce the likelihood of a brute-force attack. Having an employee show proper identification does nothing to reduce brute-force attacks. Answer B is incorrect. Increasing the value of the password history only prevents the user from using previously used passwords. Answer D is incorrect. Password resets are an adequate mechanism to use in case a password has been compromised but do little to circumvent brute-force attacks. Question 80 Answer C is correct. Question 81 Answers A, B, and C are correct. Answer C is incorrect.

Answer D is incorrect. PAP is a basic authentication protocol that does not provide for encryption. Guidelines are similar to standards but serve as more of a suggestion. Answer B is incorrect. Answer C is incorrect. Question 86 Answer B is correct. 802.2 is the standard for the data link layer in the OSI reference model. Standards are a definition or format that is approved and must be used. Question 88 Answer D is correct. Answer A is incorrect. Answer B is incorrect. 802.11 is the IEEE standard relating to the family of specifications for wireless LAN technologies. Answer D is incorrect. Question 85 Answer B is correct. Therefore, answer B is incorrect. Question 87 Answer D is correct. 802.1 is the standard related to network management. Answers A and D are incorrect. Answer A is incorrect. Standards are a definition or format that is approved and must be used. MPPE is used to encrypt data in PPP and PPTP dial-up connections and VPN connections. A policy is the formal set of statements that define how systems are to be used. A policy is the formal set of statements that define how systems are to be used; therefore, answer A is incorrect. Procedures typically provide step-by-step instructions to follow; therefore, answer C is incorrect. Procedures typically provide step-by-step instructions to follow. Answer C is incorrect. Guidelines are similar to standards but serve as more of a suggestion. Therefore, answer C is incorrect. SPAP was designed by Shiva and is an older, two-way reversible encryption protocol that encrypts the password data sent between client and server. Question 84 Answer A is correct. MS-CHAP uses a one-way encryption scheme for encryption. 802.6 is the standard for metropolitan area networks (MANs). The well-known ports are those from 0 through 1023. Registered ports are those from 1,024 through 49,151, and dynamic or private ports are those from 49,152 through 65,535.

Question 92 Answer A is correct. Answer D is incorrect. NFS (Network File System) is a client/server application. Nonrepudiation means that neither party can deny either having sent or received the data in question. Answer A is incorrect. Answer B is incorrect. CDFS (CD-ROM File System) is used to control the CD-ROM. Question 91 Answer C is correct. FAT (File Allocation Table) file systems are not recommended because they lack native file-level security support. An incremental backup backs up only files created or changed since the last normal or incremental backup and clears the archive bit. A disaster recovery plan is an agreed-upon plan that details the restoration of operations in the event of a disaster, and it should already be in existence before a disaster strikes. Answer B is incorrect. Answer A is incorrect. A differential backup is similar to an incremental, but it does not clear the archive bit. Answer C is incorrect. Both answers B and C are incorrect. Question 90 Answers A, B, and C are correct. Question 93 Answer C is correct. A daily backup copies all selected files that you have modified the day the backup is performed but does not clear the archive bit. The NetBIOS name service uses port 137, the NetBIOS datagram service uses port 138, and the NetBIOS session service uses port 139. Port 140 is used by the EMFIS data service; therefore, answer D is incorrect. Answers A, B, and D are incorrect. Repudiation is defined as the act of repudiation or refusal. NTFS (NT File System) is the preferred system because it supports file and folder permissions (among many other benefits, such as auditing). A copy backup backs up all selected files but doesn’t clear the archive bit. Question 89 Answer D is correct. Answer D is incorrect.

Question 94 Answer B is correct. Hardening refers to the process of securing an operating system. Hardening is the only correct answer. A hotfix is just a security patch that gets applied to an operating system. Handshaking relates to the agreement process before communication takes place. Answers A, C, and D are incorrect. Question 95 Answers B and D are correct. Windows Server operating systems come with a protocol analyzer called Network Monitor. Third-party programs such as Wireshark can also be used for network monitoring. Metasploit is a framework used for penetration testing and SATAN is a network security testing tool. Answers A and C are incorrect. Question 96 Answer C is correct. On UNIX systems, this account is named root. On Windows systems, the account with the greatest privileges is referred to as administrator, and supervisor is used in Novell NetWare environments. Answers A, B, and D are incorrect. Question 97 Answer B is correct. Macro viruses are easy to create and do not require programming knowledge, and are known to infect Microsoft Office documents such as those created with Microsoft Word. Stealth, polymorphic, and multipartite viruses, unlike macro viruses, require programming, and they are associated with infecting the operating system. Answer A is incorrect. Answer D is incorrect. Question 98 Answer C is correct. Polymorphic viruses are designed to change part of their code after they infect a file in an attempt to evade detection. A stealth virus tries to hide its existence by taking over portions of your system. A cavity virus attempts to install itself within a program. A multipartite virus uses multiple methods of infecting a system, and so answer D is incorrect. Answer A is incorrect. Answer B is incorrect. Answer C is incorrect.

Question 99 Answer C is correct. Question 100 Answer A is correct. SSH provides for the secure access of remote computers and uses RSA public key cryptography. Telnet is used to access computers remotely, but it is unsecured. SET is a system for ensuring the security of financial transactions on the Web. Answer B is incorrect because SHA is a hashing algorithm used to create a condensed version of a message. Answer C is incorrect. Answer A is incorrect. DNS uses port 53 for zone transfers. The NetBIOS name service uses port 137, and the NetBIOS datagram service uses port 138. The Hypertext Transfer Protocol (Web) uses port 80. Question 103 Answer A is correct. A false positive error occurs when the intrusion-detection system detects a legitimate action as a possible intrusion. Answer B is incorrect because it describes a false negative error. Answers C and D are incorrect because they describe subversion errors. Question 101 Answer B is correct. Although the assigned port for the Hypertext Transfer Protocol (Web) is port 80, it is not required. In most cases, web servers do run on port 80 because browsers use this port by default, and the port number does not need to be specified within the Uniform Resource Locator (URL). Port 8080 is an assigned alternative port for web servers but still requires this port be specified in the URL when used. Answers A, C, and D are incorrect choices because these are all valid statements about web servers. Answer B is incorrect. Answers C and D are incorrect. Answer D is incorrect. Answer A is incorrect. Question 102 Answer B is correct. Disk mirroring, also known as RAID 1, is made up of two drives that are duplicates of each other. RAID level 0, also known as disk striping, does not provide any fault tolerance. RAID 2 uses an error-correcting algorithm that employs disk striping. Answer D, which is similar to RAID 2, is also incorrect.

Question 104
Answer B is correct. Password sniffers monitor traffic and record the packets sending passwords. Answer A is incorrect because a keyboard sniffer can capture passwords locally on the computer as they are typed and recorded. A Trojan horse is a program that has a hidden function; therefore, answer C is incorrect. Answer D is incorrect because cookies are small text files used to identify a web user and enhance the browsing experience.

Question 105
Answer C is correct. A class C fire involves energized electrical equipment and is usually suppressed with nonconducting agents. Class A fires involve combustibles such as wood and paper; therefore, answer A is incorrect. Answer B is incorrect because a class B fire involves flammables or combustible liquids. Answer D is incorrect because a class D fire involves combustible metals such as magnesium.

Question 106
Answers A, B, and D are correct. A physical security plan should be a written plan that addresses your current physical security needs and future direction. With the exception of answer C, all the answers are correct and should be addressed in a physical security plan. A hard disk's physical blocks pertain to the file system; therefore, answer C is incorrect.

Question 107
Answer B is correct. There are numerous reasons why a certificate might need to be revoked (including a certificate being issued to the incorrect person). A private key compromise is actually another reason to perform revocation of a certificate; therefore, answer A is incorrect. A CPS is a published document from the CA describing their policies and procedures for issuing and revoking certificates; therefore, answer C is incorrect. Answer D is incorrect because this is a bogus term.

Question 108
Answer C is correct. Zone transfers are associated with DNS servers. If a malicious hacker were to obtain a DNS zone file, the hacker could identify all the hosts present within the network. Zone transfers are not functions of a database, file and print, or web server; therefore, answers A, B, and D are incorrect.

Question 109
Answer B is correct. Each network service carries its own risks; therefore, it is important to disable all nonessential services. Although disabling all non-web services may provide a secure solution for minimizing threats, it is not a primary method for reducing threat; therefore, answer A is incorrect. Having Telnet enabled for interactive logins presents security issues. Answer B is incorrect because both these services are not recommended to be enabled on a web server. Logging is important for secure operations and is invaluable when recovering from a security incident; however, it is not a primary method for minimizing threat; therefore, answer D is incorrect.

Question 110
Answer B is correct. Answers A and C are incorrect but are related to a botnet in that a zombie is one of many computer systems that make up a botnet, whereas a bot herder is the controller of the botnet. A virus is a program that infects a computer without the knowledge of the user; therefore, answer D is incorrect.

Question 111
Answer C is correct. Role-based access control (RBAC) ensures the principle of least privilege by identifying the user's job function and ensuring a minimum set of privileges required to perform that job. IPsec is a set of protocols to enable encryption, authentication, and integrity; therefore, answer A is incorrect. Answer C is incorrect because an IDS is used for intrusion detection, and answer D is incorrect because a DRP is a plan used in the event of disaster.

Question 112
Answer D is correct. Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) are major security criteria efforts, and the Common Criteria is based on both TCSEC and ITSEC. IPsec is a set of protocols to enable encryption, authentication, and integrity; therefore, answers A, B, and C are incorrect, as they are the three major security evaluation criteria efforts.

Question 113
Answer A is correct. Antispam software programs use black and white lists to control spam by refusing or allowing email that originates from these lists. Answer B is incorrect because antivirus software uses signatures. Answer C is incorrect because DoS attacks are prevented by filter-by-access control lists. Answer D is incorrect because SQL injection attacks can be prevented with the use of a web vulnerability scanner.

Question 114
Answer D is correct. Signals within fiber-optic cables are not electrical in nature, and therefore they do not emit electromagnetic radiation to be detected. This makes fiber-optic cabling ideal for high-security networks. Both UTP and STP are susceptible to eavesdropping, but STP is less susceptible than UTP; therefore, answer A is incorrect. Answer B is incorrect; in fact, STP is a better choice than UTP, yet it is still susceptible. Answer D is incorrect because coaxial thicknet is also susceptible to eavesdropping.

Question 115
Answer A is correct. The plenum is the space between the ceiling and the floor of a building's next level. It is commonly used to run network cables, which must be of plenum-grade; the plenum is of concern during a fire because there are actually little if any barriers to contain fire and smoke. A raised floor, sometimes called a plenum floor, is open space below a floor; therefore, answers B and C are incorrect. Teflon is often used to coat wiring placed in the plenum of a building. Answer D is incorrect because Teflon is a trademarked product of the DuPont corporation.

Question 116
Answer C is correct. This router does most of the packet filtering for the firewall. UDP ports 161 and 162 are used by SNMP. UDP uses port 139 for network sharing, and port 138 is used to allow NetBIOS traffic for name resolution; therefore, answers A, B, and D are incorrect choices.

Question 117
Answers A and C are correct. Pretty Good Privacy (PGP) is a hybrid cryptosystem that makes use of the incorrect choices. IDEA is a symmetric encryption cipher, RSA is an asymmetric cipher, and MD5 is a hash; therefore, answers B and D are incorrect.

Question 118
Answer B is correct. A Faraday cage is a solid or mesh metal box used to trap and ground stray electrical signals. The box completely surrounds the protected equipment and is well-grounded to dissipate stray signals from traveling to or from the cage. TEMPEST is a government standard describing methods implemented to block or limit electromagnetic radiation (EMR) from electronic equipment; therefore, answers A, C, and D are incorrect.

Question 119
Answer D is correct. An SLA is a written contract between a service provider and customer, and it specifies the services the provider will furnish to the customer. Answer B may describe a specific type of SLA, but it is not the best answer; therefore, answers A, B, and C are incorrect.

Question 120
Answer B is correct. A buffer overflow occurs when a program or process attempts to store more data in a buffer than the buffer was intended to hold. The overflow of data can flow over into other buffers, overwriting or deleting data. A denial of service is a type of attack in which too much traffic is sent to a host, preventing it from responding to legitimate traffic. A distributed denial of service is similar, but it is initiated through multiple hosts; therefore, answers A and C are incorrect. Answer D is also incorrect; although answer D sounds correct, it is not.

Question 121
Answer C is correct. The Internet Numbers Authority (IANA) has reserved three blocks of IP addresses for private networks: 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. In addition, 169.254.0.0 through 169.254.255.255 are reserved for automatic private IP addressing; therefore, answers A, B, and D are incorrect.

Question 122
Answer A is correct. A cold site is a disaster recovery service, similar to a hot site in that it provides office space. In addition, a cold site requires the customer to provide and install all the equipment needed for operations, whereas a hot site is all ready to go. Naturally, a cold site is less expensive than a hot site; therefore, answers B, C, and D are incorrect.
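As an added example (not from the book), the following Python turns the reserved ranges named in Question 121 into a classifier and applies it as an ingress "bogon" check over constructed firewall log lines; the log format, the addresses in SAMPLE_LOG, and the function names are assumptions for the demonstration.

```python
"""Classify IPv4 addresses against the reserved ranges the answer key names.

Added example, not from the book: the three IANA private blocks listed for
Question 121 plus the APIPA range, applied as a simple ingress "bogon" check.
The log format and the addresses in SAMPLE_LOG are constructed for the demo.
"""
import re
from ipaddress import AddressValueError, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# The three private blocks from the answer key, written as CIDR prefixes.
PRIVATE_BLOCKS = (
    IPv4Network("10.0.0.0/8"),       # 10.0.0.0    through 10.255.255.255
    IPv4Network("172.16.0.0/12"),    # 172.16.0.0  through 172.31.255.255
    IPv4Network("192.168.0.0/16"),   # 192.168.0.0 through 192.168.255.255
)
# Automatic Private IP Addressing (APIPA) range from the same answer.
APIPA_BLOCK = IPv4Network("169.254.0.0/16")  # 169.254.0.0 through 169.254.255.255


def private_block_of(ip: str) -> Optional[str]:
    """Return the CIDR string of the private block containing ip, or None."""
    addr = IPv4Address(ip)  # raises AddressValueError on malformed input
    for block in PRIVATE_BLOCKS:
        if addr in block:
            return str(block)
    return None


def classify(ip: str) -> str:
    """Label an address 'private', 'apipa', or 'public'."""
    if private_block_of(ip) is not None:
        return "private"
    if IPv4Address(ip) in APIPA_BLOCK:
        return "apipa"
    return "public"


# Constructed firewall log lines for an Internet-facing (WAN) interface.
SAMPLE_LOG = [
    "2009-02-01T10:00:01 iface=wan src=203.0.113.5 dst=198.51.100.7 dport=80",
    "2009-02-01T10:00:02 iface=wan src=10.0.0.9 dst=198.51.100.7 dport=22",
    "2009-02-01T10:00:03 iface=wan src=169.254.3.3 dst=198.51.100.7 dport=445",
    "2009-02-01T10:00:04 iface=wan src=172.20.4.4 dst=198.51.100.7 dport=80",
    "2009-02-01T10:00:05 iface=wan src=999.1.1.1 dst=198.51.100.7 dport=80",
    "2009-02-01T10:00:06 iface=wan src=192.0.2.44 dst=198.51.100.7 dport=443",
]

_SRC_RE = re.compile(r"\bsrc=(\S+)")


def flag_ingress_bogons(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, label) for sources that must not arrive from the Internet.

    Private and APIPA addresses are never routed on the public Internet, so
    seeing them as sources on the WAN interface indicates spoofing or a
    misconfiguration, and an ingress filter should drop them. Lines whose src
    field is missing or malformed are skipped rather than trusted.
    """
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        match = _SRC_RE.search(line)
        if not match:
            continue
        src = match.group(1)
        try:
            label = classify(src)
        except AddressValueError:
            continue  # not a valid IPv4 address; nothing to classify
        if label != "public":
            flagged.append((src, label))
    return flagged


if __name__ == "__main__":
    for src, label in flag_ingress_bogons(SAMPLE_LOG):
        print(f"drop {src}: {label} source address seen on WAN")
```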

Question 123
Answer B is correct. Cipher block chaining is an operation in which a sequence of bits is encrypted as a single unit. Hashing, which is used in many encryption algorithms, is a smaller number achieved from a larger string of text; therefore, answer A is incorrect. PKI is comprised of various components making up the infrastructure to provide public and private key cryptography over networks; therefore, answer C is incorrect. Answer D is incorrect because ciphertext is synonymous with encrypted text.

Question 124
Answer A is correct. Before attempting to break into a system, the hacker will first try to analyze and footprint as much information as possible. Spoofing is the electronic means of pretending to be someone else; therefore, answer B is incorrect. Answer C is incorrect because social engineering is the nontechnical means of intrusion that often relies on tricking people into divulging security information. Cracking describes malicious attacks on network resources; therefore, answer D is incorrect.

Question 125
Answer C is correct. A proxy server provides security and caching services by serving as the intermediary between the internal network and external resources, and it maintains previously accessed information in its cache. A firewall is similar to a proxy server in the security it provides; however, a firewall does not seek to fulfill requests as does a proxy server; therefore, answer A is incorrect. Answer B is incorrect because a packet filter is a type of firewall in which each packet is examined and is either allowed or denied based on policy. Answer D is also incorrect.


Appendix: What's on the CD-ROM

The CD-ROM features an innovative practice test engine powered by MeasureUp™, giving you yet another effective tool to assess your readiness for the exam.

Multiple Test Modes
MeasureUp practice tests can be used in Study, Certification, or Custom Modes.

Study Mode
Tests administered in Study Mode enable you to request the correct answer(s) and the explanation for each question during the test. These tests are not timed. In Study Mode, you receive automatic feedback on all correct and incorrect answers. The detailed answer explanations are a superb learning tool in their own right. You may also specify the objectives or missed questions you want to include in your test, the timer length, and other test properties. You can modify the testing environment during the test by selecting the Options button.

Certification Mode
Tests administered in Certification Mode closely simulate the actual testing environment you will encounter when taking a certification exam and are timed. These tests do not allow you to request the answer(s) and/or explanation for each question until after the exam. You can also modify the testing environment during the test by selecting the Options button.

Custom Mode
Custom Mode enables you to specify your preferred testing environment. Use this mode to specify the objectives you want to include in your test, the timer length, number of questions, and other test properties. You can also modify the testing environment during the test by selecting the Options button.

Attention to Exam Objectives
MeasureUp practice tests are designed to appropriately balance the questions over each technical area covered by a specific exam. All concepts from the actual exam are covered thoroughly to ensure you're prepared for the exam.

Installing the CD
System Requirements:
- Windows 95, 98, ME, NT4, 2000, or XP
- 7MB disk space for the testing engine
- An average of 1MB disk space for each individual test
- Control Panel Regional Settings must be set to English (United States)
- PC only

To install the CD-ROM, follow these instructions:
1. Close all applications before beginning this installation.
2. Insert the CD into your CD-ROM drive. If the setup starts automatically, go to step 6. If the setup does not start automatically, continue with step 3.
3. From the Start menu, select Run.
4. Click Browse to locate the MeasureUp CD. In the Browse dialog box, from the Look In drop-down list, select the CD-ROM drive.
5. In the Browse dialog box, double-click Setup.exe. In the Run dialog box, click OK to begin the installation.
6. On the Welcome screen, click MeasureUp Practice Questions to begin installation.

7. To agree to the Software License Agreement, click Yes.
8. On the Choose Destination Location screen, click Next to install the software to C:\Program Files\Certification Preparation.
9. On the Setup Type screen, select Typical Setup. Click Next to continue.
10. In the Select Program Folder screen, you can name the program folder where your tests will be located. To select the default, simply click Next and the installation continues.
11. After the installation is complete, verify that Yes, I Want to Restart My Computer Now is selected. If you select No, I Will Restart My Computer Later, you cannot use the program until you restart your computer.
12. Click Finish.
13. After restarting your computer, choose Start, Programs, MeasureUp Practice Tests, Certification Preparation. If you cannot locate MeasureUp Practice Tests through the Start menu, see the section titled "Creating a Shortcut to the MeasureUp Practice Tests," later in this appendix.
14. On the MeasureUp Welcome Screen, click Create User Profile.
15. In the User Profile dialog box, complete the mandatory fields and click Create Profile.
16. Follow the Certification Prep Wizard by clicking Next.
17. Select the practice test you want to access and click Start Test.

Creating a Shortcut to the MeasureUp Practice Tests
To create a shortcut to the MeasureUp Practice Tests, follow these steps:
1. Right-click on your Desktop.
2. From the shortcut menu, select New, Shortcut.
3. Browse to C:\Program Files\MeasureUp Practice Tests and select the MeasureUpCertification.exe or Localware.exe file.
4. Click OK.

5. Click Next.
6. Rename the shortcut MeasureUp.
7. Click Finish.

After you complete step 7, use the MeasureUp shortcut on your Desktop to access the MeasureUp products you ordered.

Technical Support
If you encounter problems with the MeasureUp test engine on the CD-ROM, please contact MeasureUp at (800) 649-1687 or email support@measureup.com. Support hours of operation are 7:30 a.m. to 4:30 p.m. EST. Additionally, you can find Frequently Asked Questions (FAQ) in the "Support" area at www.measureup.com. If you would like to purchase additional MeasureUp products, call 678-356-5050 or 800-649-1687 or visit www.measureup.com.

Glossary

A

acceptable use An organization's policy that provides specific detail about what users may do with their network access, including email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user.

access control list (ACL) In its broadest sense, an access control list is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file.

accounting The tracking of users' access to resources primarily for auditing purposes.

ActiveX A Microsoft-developed precompiled application technology that can be embedded in a web page in the same way as Java applets.

Address Resolution Protocol (ARP) poisoning This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address. In addition, they can broadcast a fake or spoofed ARP reply to an entire network and poison all computers.

algorithm A set of sequenced steps that are repeatable. In encryption, the algorithm is used to define how the encryption is applied to data.

anomaly-based monitoring Anomaly-based monitoring, a subset of behavior-based monitoring, stores normal system behavior profiles and triggers an alarm when some type of unusual behavior occurs.

antispam A software program that can add another layer of defense to the infrastructure by filtering out undesirable email.

antivirus A software program used for protecting the user environment that scans for email and downloadable malicious code.

applet Java-based mini-program that executes when the client machine's browser loads the hosting web page.

application logging Application logging has become a major focus of security as we move to a more Web-based world and exploits such as cross-site scripting and SQL injections are an everyday occurrence.

asset A company or personal resource that has value.

asymmetric key A pair of key values—one public and the other private—used to encrypt and decrypt data. Only the holder of the private key can decrypt data encrypted with the public key, which means anyone who obtains a copy of the public key can send data to the private key holder in confidence.

attack signature A signature that identifies a known method of attack.

auditing The tracking of user access to resources, primarily for security purposes.

authentication The process of identifying users.

Authentication Header (AH) A component of the IPsec protocol that provides integrity, authentication, and anti-replay capabilities.

authorization The process of identifying what a given user is allowed to do.

availability Ensures any necessary data is available when it is requested.

B

back door A method of gaining access to a system or resource that bypasses normal authentication or access control methods.

backup technique A defined method to provide for regular backups of key information, including user files and email storage, database stores, event logs, and security principal details such as user logons, passwords, and group membership assignments.

baseline This measure of normal activity is used as a point to determine abnormal system and network behaviors.

behavior-based IDS A detection method that involves a user noticing an unusual pattern of behavior, such as a continually operating hard drive or a significantly slowed level of performance.

behavior-based monitoring The use of established patterns of baseline operations to identify variations that may identify unauthorized access attempts.

biometrics Authentication based on some part of the human anatomy (retina, fingerprint, voice, and so on).

BIOS Basic Input/Output System is the firmware code run upon start of a system.

block cipher Transforms a message from plain text (unencrypted form) to cipher text (encrypted form) one piece at a time, where the block size represents a standard chunk of data that is transformed in a single operation.

botnet A large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army.

business continuity plan A plan that describes a long-term systems and services replacement and recovery strategy, designed for use when a complete loss of facilities occurs. A business continuity plan prepares for automatic failover of critical services to redundant offsite systems.

C

centralized key management Involves a Certificate Authority generating both public and private key pairs for a user and then distributing them to the user.

certificate An electronic document that includes the user's public key and the digital signature of the certificate authority (CA) that has authenticated her. The digital certificate can also contain information about the user, the CA, and attributes that define what the user is allowed to do with systems she accesses using the digital certificate.

certificate authority (CA) A system that issues, distributes, and maintains current information about digital certificates. Such authorities can be private (operated within a company or an organization for its own use) or public (operated on the Internet for general public access).

Certificate Enrollment Protocol (CEP) A proprietary Cisco protocol that allows Cisco IOS–based routers to communicate with certificate authorities.

certificate life cycle The period of time a certificate is valid. Issued certificates expire at the end of their lifetime and can be renewed.

Certificate Management Protocol (CMP) A protocol used for advanced PKI management functions. These functions include certificate issuance, exchange, invalidation, revocation, and key commission.

certificate policy A statement that governs the usage of digital certificates.

certificate practice statement (CPS) A document that defines the practices and procedures a CA uses to manage the digital certificates it issues.

certificate revocation The act of invalidating a digital certificate.

certificate revocation list (CRL) A list generated by a CA that enumerates digital certificates that are no longer valid and the reasons they are no longer valid.

certificate suspension The act of temporarily invalidating a certificate while its validity is being verified.

chain of custody The documentation of all transfers of evidence from one person to another, showing the date, time, and reason for transfer, and the signatures of both parties involved in the transfer. Chain of custody also refers to the process of tracking evidence from a crime scene to the courtroom.

Challenge Handshake Authentication Protocol (CHAP) A widely used authentication method in which a hashed version of a user's password is transmitted during the authentication process.

change management This term indicates that a formal process to schedule, implement, track, and document changes to policies, configurations, systems, and software is used in an organization.

cipher A method for encrypting text; the term cipher is also used to refer to an encrypted message (although the term cipher text is preferred).

code of ethics A formal list of rules governing personal and professional behavior that is adopted by a group of individuals or organizations. Many security certifications, including Security+, require their holders to adhere to a code of ethics that's designed to foster ethical and legal behavior and discourage unethical or illegal behavior.

cold site A remote site that has electricity, plumbing, and heating installed, ready for use when enacting disaster recovery or business continuity plans. At a cold site, all other equipment, servers, systems, firmware, and configurations are supplied by the company enacting the plan.

confidentiality Involves a rigorous set of controls and classifications associated with sensitive information to ensure that such information is neither intentionally nor unintentionally disclosed.

cookies Temporary files stored in the client's browser cache to maintain settings across multiple pages, servers, or sites.

countermeasures Methods used in some scenarios to provide automatic response in the event of intrusion detection.

cross-certification When two or more CAs choose to trust each other and issue credentials on each other's behalf.

cross-site scripting (XSS) Malicious executable code placed on a website that allows an attacker to hijack a user session to conduct unauthorized access activities, expose confidential data, and provide logging of successful attacks back to the attacker.

cryptographic module Any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques, and random number generation.

cryptography A process that provides a method for protecting information by disguising (encrypting) it into a format that can be read only by authorized systems or individuals.

D

decentralized key management Key management that occurs when a user generates a public and private key pair and then submits the public key to a certificate authority for validation and signature.

deflection Redirecting or misdirecting attackers to secured segmented areas, allowing them to assume they have been successful while preventing access to secured resources.

degaussing A method of removing recorded magnetic fields from magnetic storage media by applying strong cyclic magnetic pulses, thereby erasing the content and making the media unreadable.

demilitarized zone (DMZ) Also called the neutral zone, a DMZ is an area in a network that allows limited and controlled access from the public Internet.

denial of service (DoS) A type of attack that denies legitimate users access to a server or services by consuming sufficient system resources or network bandwidth or by rendering a service unavailable.

dictionary attack An attack in which software is used to compare hashed data, such as a password, to a word in a hashed dictionary. This is repeated until matches are found in the hash, with the goal being to match the password exactly to determine the original password that was used as the basis of the hash.

digital certificate See certificate.

digital signature A hash encrypted to a private key of the sender that proves user identity and authenticity of the message. Signatures do not encrypt the contents of an entire message. A digital signature uses data to provide an electronic signature that authenticates the identity of the original sender of the message or data.

disaster recovery Actions to be taken in case a business is hit with a natural or manmade disaster.

discretionary access control (DAC) A distributed security method that allows users to set permissions on a per-object basis.

distributed denial of service (DDoS) A DDoS attack originates from multiple systems simultaneously, thereby causing even more extreme consumption of bandwidth and other resources than a DoS attack, distributing the attack's effect to the server users.

DMZ See demilitarized zone.

Domain Name Service (DNS) kiting DNS kiting refers to the practice of taking advantage of the Add Grace Period to monopolize domain names without even paying for them. How domain kiting works is that a domain name is deleted during the five-day AGP and immediately reregistered for another five-day period.

Domain Name Service (DNS) poisoning DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere he chooses. This not only sends a requestor to a different website but also caches this information for a short period.

dry-pipe fire suppression A sprinkler system with pressurized air in the pipes. If a fire starts, a slight delay occurs as the pipes fill with water. This system is used in areas where wet-pipe systems might freeze.

due care Assurance that the necessary steps are followed to satisfy a specific requirement, which can be an internal or external requirement, as in an agency regulation.

dumpster diving Scavenging discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company.

E

elliptic curve cryptography (ECC) A method in which elliptic curve equations are used to calculate encryption keys for use in general-purpose encryption.

Encapsulating Security Payload (ESP) ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.

encryption algorithm A mathematical formula or method used to scramble information before it is transmitted over unsecure media. Examples include RSA, DH, IDEA, Blowfish, MD5, and DSS/DSA.

environment The physical conditions that affect and influence growth, development, and survival. Used in the security field to describe the surrounding conditions of an area to be protected.

escalation The upward movement of privileges when using network resources or exercising rights (such as moving from read permissions to write).

evidence Any hardware, software, or data that can be used to prove the identity and actions of an attacker.

Extensible Markup Language (XML) A flexible markup language that is based on the World Wide Web Consortium XML standards and is used to provide widely accessible services and data to end users, exchange data among applications, and capture and represent data in a large variety of custom and standard formats.

extranet A special internetwork architecture wherein a company's or organization's external partners and customers are granted access to some parts of its intranet and the services it provides in a secure, controlled fashion.

F

Faraday cage A metal enclosure used to conduct stray EMEs (electromagnetic emissions) to ground, thereby eliminating signal leakage and the ability of external monitors or detectors to "read" network or computer activity. A Faraday cage can be very small or encompass an entire building, and it is generally used only when security concerns are extremely high (as in national defense, classified areas, or highly sensitive commercial environments).

Federal Information Processing Standard (FIPS) A standard created by the U.S. government for the evaluation of cryptographic modules. It consists of four levels that escalate in their requirement for higher security levels.

firewall A hardware device or software application designed to filter incoming or outgoing traffic based on predefined rules and patterns. Firewalls can filter traffic based on protocol uses, source or destination addresses, and port addresses, and they can even apply state-based rules to block unwanted activities or transactions.

forensics As related to security, forensics is the process of analyzing and investigating a computer crime scene after an attack has occurred and of reconstructing the sequence of events and activities involved in such an attack.

G

Group Policy Group Policy can be used for ease of administration in managing the environment of users in a Microsoft network. This can include installing software and updates or controlling what appears on the desktop. The Group Policy object (GPO) is used to apply a group policy to users and computers.

guideline Specific information about how standards should be implemented, thus acting as a kind of flexible rule used to produce a desired behavior or action. A guideline is generally not mandatory. A guideline allows freedom of choice on how to achieve the behavior.

H

hash value The resultant output or data generated from an encryption hash when applied to a specific set of data. If computed and passed as part of an incoming message and then recomputed upon message receipt, such a hash value can be used to verify the received data when the two hash values match.

hashing A methodology used to calculate a short, secret value from a data set of any size (usually for an entire message or for individual transmission units). This secret value is recalculated independently on the receiving end and compared to the submitted value to verify the sender's identity.

honeypot A decoy system designed to attract hackers. A honeypot usually has all its logging and tracing enabled, and its security level is lowered on purpose. Likewise, such systems often include deliberate lures or bait, in hopes of attracting would-be attackers who think there are valuable items to be attained on these systems.

host-based IDS (HIDS) Host-based intrusion-detection systems (HIDSs) monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.

hot site A site that is immediately available for continuing computer operations if an emergency arises. It typically has all the necessary hardware and software loaded and configured, and it is available 24/7.

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) A protocol used in a secured connection encapsulating data transferred between the client and Web server that occurs on port 443.

hypervisor A hypervisor controls how access to a computer's processors and memory is shared. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that allows more than one operating system to run on a host computer at the same time.

I

identity proofing Identity proofing is an organizational process that binds users to authentication methods. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. This is the main component of authentication life cycle management.

incident Any violation or threatened violation of a security policy.

incident response A clear action plan on what each response team member needs to do and when it has to be done in the event of an emergency or a security incident.

integrity Involves a monitoring and management system that performs integrity checks and protects systems from unauthorized modifications to data, system, and application files. When applied to messages or data in transit, integrity checks rely on calculating hash or digest values before and after transmission to ensure nothing changed between the time the data was sent and the time it was received.

Internet Key Exchange (IKE) A method used in the IPsec protocol suite for public key exchange, security association parameter negotiation, identification, and authentication.

Internet Protocol Security (IPsec) Used for encryption of TCP/IP traffic, IP Security provides security extensions to IPv4. IPsec manages special relationships between pairs of machines, called security associations.

Internet Security Association and Key Management Protocol (ISAKMP) Defines a common framework for the creation, negotiation, modification, and deletion of security associations.

intranet  A portion of the information technology infrastructure that belongs to and is controlled by the company in question.
intrusion  Malicious activity such as denial-of-service attacks, port scans, or attempts to break into computers.
intrusion-detection system (IDS)  A sophisticated network-protection system designed to detect attacks in progress but not to prevent potential attacks from occurring (although many IDSs can trace attacks back to an apparent source, and some can even automatically notify all hosts through which attack traffic passes that they are forwarding such traffic).

K

Kerberos authentication  Kerberos defines a set of authentication services and includes the Authentication Service (AS) Exchange protocol, the Ticket-Granting Service (TGS) Exchange protocol, and the Client/Server (CS) Exchange protocol.
key escrow  Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA.
key exchange  A technique in which a pair of keys is generated and then exchanged between two systems (typically a client and server) over a network connection to allow a secure connection to be established between them.
key management  The methods for creating and managing cryptographic keys and digital certificates.
knowledge-based detection  Knowledge-based detection relies on the identification of known attack signatures and events that should never occur within a network.

L

Layer 2 Tunneling Protocol (L2TP)  A technology used with a VPN to establish a communication tunnel between communicating parties over unsecure media. L2TP permits a single logical connection to transport multiple protocols between a pair of hosts. L2TP is a member of the TCP/IP protocol suite and is defined in RFC 2661; a framework for creating virtual private networks that uses L2TP appears in RFC 2764.
Lightweight Directory Access Protocol (LDAP)  A TCP/IP protocol that allows client systems to access directory services and related data. In most cases, LDAP is used as part of management or other applications or in browsers to access directory services information.

logic bomb  A piece of software designed to do damage at a predetermined point in time or in response to some type of condition (for example, “disk is 95% full”) or event (for example, some particular account logs in or some value the system tracks exceeds a certain threshold).
logical tokens  A method of access controls used in addition to physical security controls to limit access to data, an intranet, an extranet, or the Internet.

M

M of N Control  The process of backing up private key material across multiple systems or devices. This provides a protective measure to ensure that no one individual can recreate their key pair from the backup.
man in the middle  An attack in which a hacker attempts to intercept data in a network stream and then inserts her own data into the communication with the goal of disrupting or taking over communications. The term itself is derived from the insertion of a third party—the proverbial “man in the middle”—between two parties engaged in communications.
mandatory access control (MAC)  A centralized security method that doesn’t allow users to change permissions on objects.
mantrap  A two-door configuration in a building or office that can lock unwanted individuals in a secured area, preventing them from entering other areas or even from exiting wherever it is they’re being held.
message  The content and format a sender chooses to use to communicate with some receiver across a network.
message digest  The output of an encryption hash that’s applied to some fixed-size chunk of data. A message digest provides a profound integrity check because even a change to 1 bit in the target data also changes the resulting digest value. This explains why digests are included so often in network transmissions.
misuse  Misuse is typically used to refer to unauthorized access by internal parties.
multifactor authentication  Multifactor authentication involves the use of two or more different forms of authentication. What you know (logon, password, PIN), what you have (keycard, SecureID number generator), or what you are (biometrics) constitute different forms.

mutual authentication  A situation in which a client provides authentication information to establish identity and related access permissions with a server and in which a server also provides authentication information to the client to ensure that illicit servers cannot masquerade as genuine servers.

N

network access control (NAC)  NAC offers a method of enforcement that helps ensure computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, granting access accordingly.
Network Address Translation (NAT)  TCP/IP protocol technology that maps internal IP addresses to one or more external IP addresses through a NAT server of some type. NAT enables the conservation of public IP address space by mapping private IP addresses used in an internal LAN to one or more external public IP addresses to communicate with the external world. NAT also provides address-hiding services, thus adding both security and simplicity to network addressing.
network-based IDS (NIDS)  Network-based IDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and that are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.
network-based IPS (NIPS)  A device or software program designed to sit inline with traffic flows and prevent attacks in real time.

O

One Time Pad (OTP)  Within an OTP, there are as many bits in the key as there are in the plain text to be encrypted, and, as the name suggests, this key is to be random and used only once, with no portion of the key ever being reused.
Online Certificate Status Protocol (OCSP)  An Internet protocol defined by the IETF that is used to validate digital certificates issued by a CA. OCSP was created as an alternative to certificate revocation lists (CRLs) and overcomes certain limitations of CRLs.
OSI model  The Open Systems Interconnect model is a logically structured model that encompasses the translation of data entered at the application layer through increasingly more abstracted layers of data, resulting in the actual binary bits passed at the physical layer.

P

passive detection  A method of intrusion detection that has an IDS present in the network in a silent fashion; it does not interfere with communications in progress.
pattern matching  A network-analysis approach that compares each individual packet against a database of signatures. The inherent weakness in this method is that such patterns must be known (and definitions in place) before they can be used to recognize attacks or exploits.
performance baseline  See baseline.
performance monitoring  The act of using tools to monitor changes to system and network performance.
personally identifiable information (PII)  Privacy-sensitive information that identifies or can be used to identify, contact, or locate the person to whom such information pertains.
Point-to-Point Tunneling Protocol (PPTP)  A TCP/IP technology used to create virtual private networks (VPN) or remote-access links between sites or for remote access. PPTP is generally regarded as less secure than L2TP and is used less frequently for that reason.
policy  A broad statement of views and positions. A policy that states high-level intent with respect to a specific area of security is more properly called a security policy.
pop-up blocker  A program used to block a common method for Internet advertising, using a window that pops up in the middle of your screen to display a message when you click a link or button on a website.
Pretty Good Privacy (PGP)  A shareware encryption technology for communications that utilizes both public and private encryption technologies to speed up encryption without compromising security.
private key  In encryption, this is the key used to decrypt a message.
privilege escalation  A method of software exploitation that takes advantage of a program’s flawed code. Usually, this crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator.
privilege management  The process of controlling users and their capabilities on a network.
probability  Used in risk assessment, probability measures the likelihood or chance that a threat will actually exploit some vulnerability.
procedure  A procedure specifies how policies will be put into practice in an environment (that is, it provides necessary how-to instructions).

protocol analyzer  Protocol analyzers help troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis.
Public Branch Exchange (PBX)  A telephone switch used on a company’s or organization’s premises to create a local telephone network. Using a PBX eliminates the need to order numerous individual phone lines from a telephone company and permits PBX owners to offer advanced telephony features and functions to their users.
Public Key Cryptography Standards (PKCS)  The de facto cryptographic message standards developed and published by RSA Laboratories.
public key infrastructure (PKI)  A paradigm that encompasses certificate authorities and X.509 certificates used with public encryption algorithms to distribute, manage, issue, and revoke public keys. Public key infrastructures typically also include registration authorities to issue and validate requests for digital certificates, a certificate-management system of some type, and a directory in which certificates are stored and can be accessed. Together, all these elements make up a PKI.
Public Key Infrastructure based on X.509 Certificates (PKIX)  A working group of the Internet Engineering Task Force (IETF) focused on developing Internet standards for certificates.
public key  A key that is made available to whoever is going to encrypt the data sent to the holder of a private key.

R

receiver  The party that receives a message from its sender.
redundant array of inexpensive disks (RAID)  A redundant array of inexpensive disks is an organization of multiple disks into a large, high-performance logical disk to provide redundancy in the event of a disk failure.
redundancy planning  The process of planning for continuing service in the event of failure by providing more than one of the same components or services.
Remote Authentication Dial-In User Service (RADIUS)  An Internet protocol used for remote-access services. It conveys user authentication and configuration data between a centralized authentication server and a remote-access server (RADIUS client) to permit the remote-access server to authenticate requests to use its network access ports.
replay  An attack that involves capturing valid traffic from a network and then retransmitting that traffic at a later time to gain unauthorized access to systems and resources.

removable storage  This is a small, high-capacity, removable device that can store information, such as an iPod, thumb drive, or cell phone.
restoration  The process whereby data backups are restored into the production environment.
retention policy  Documentation of the amount of time an organization will retain information.
risk  The potential that a threat might exploit some vulnerability.
role  A defined behavior for a user or group of users based on some specific activity or responsibilities. (For example, a tape backup administrator is usually permitted to back up all files on one or more systems. Depending on the local security policies in effect, that person might or might not be allowed to restore such files.)
role-based access control (RBAC)  A security method that combines both MAC and DAC. RBAC uses profiles. Profiles are defined for specific roles within a company, and then users are assigned to such roles. This facilitates administration in a large group of users because when you modify a role and assign it new permissions, those settings are automatically conveyed to all users assigned to that role.
rollback  A process used to undo changes or transactions when they do not complete, when they are suspected of being invalid or unwanted, or when they cause problems.
rootkit  A piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system.
round  A selection of encrypted data that is split into two or more blocks of data. Each block of data is then run through an encryption algorithm that applies an encryption key to each block of data individually, rather than applying encryption to the entire selection of data in a single operation.
router  A device that connects multiple network segments and routes packets between them. Routers split broadcast domains.
rule-based access control (RBAC)  A rule-based access control method is an extension of access control that includes stateful testing to determine whether a particular request for resource access may be granted. When a rule-based method is in force, access to resources may be granted or restricted based on conditional testing.

S

Secure Hypertext Transfer Protocol (S-HTTP)  An alternative to HTTPS, the Secure Hypertext Transport Protocol was developed to support connectivity for banking transactions and other secure Web communications.

Secure/Multipurpose Internet Mail Extensions (S/MIME)  An Internet protocol governed by RFC 2633 and used to secure email communications through encryption and digital signatures for authentication. It generally works with PKI to validate digital signatures and related digital certificates.
Secure Shell (SSH)  A protocol designed to support secure remote login, along with secure access to other services across an unsecure network. SSH includes a secure transport layer protocol that provides server authentication, confidentiality (encryption), and integrity (message digest functions), along with a user-authentication protocol and a connection protocol that runs on top of the user-authentication protocol.
Secure Sockets Layer (SSL)  An Internet protocol that uses connection-oriented, end-to-end encryption to ensure that client/server communications are confidential (encrypted) and meet integrity constraints (message digests). Because SSL is independent of the application layer, any application protocol can work with SSL transparently. SSL can also work with a secure transport layer protocol, which is why the term SSL/TLS appears frequently. See also Transport Layer Security.
security association (SA)  A method in IPsec that accounts for individual security settings for IPsec data transmission.
security baseline  Defined in a company’s or organization’s security policy, a security baseline is a specific set of security-related modifications, patches, and settings for systems and services in use that underpins the technical implementation of security.
security groups  A logical boundary that helps enforce security policies.
security policies  Documentation of the goals and elements of an organization’s systems and resources.
sender  The party that originates a message.
sequence number  A counting mechanism in IPsec that increases incrementally each time a packet is transmitted in an IPsec communication path. It protects the receiver from replay attacks.
service level agreement (SLA)  A contract between two companies or between a company and an individual that specifies, by contract, a level of service to be provided by one company to another. Supplying replacement equipment within 24 hours of loss of that equipment or related services is a simple example of an SLA.
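The sequence number, replay and integrity entries describe a mechanism without showing it. The following added example (not from the book) models an IPsec-style receiver: a keyed digest (HMAC-SHA256) over sequence number and payload is verified first, so a tampered packet cannot disturb window state, and a 64-entry sliding window of sequence numbers then rejects replayed or stale packets while still admitting late, out-of-order ones. The key, packet layout and traffic trace are constructed for the demonstration.

```python
"""Receiver-side anti-replay check modelled on the IPsec sequence-number
sliding window, with a keyed digest guarding each packet's integrity.
Constructed example: key, packet format and trace are not from any real SA."""
import hmac
import hashlib
from dataclasses import dataclass

WINDOW_SIZE = 64                                       # remember the last 64 sequence numbers
SHARED_KEY = b"constructed-shared-secret-for-demo"     # constructed demo key, not a real SA key


@dataclass(frozen=True)
class Packet:
    seq: int        # sequence number, 1-based as in ESP/AH (0 is never valid)
    payload: bytes
    icv: bytes      # integrity check value: HMAC over seq || payload


def make_packet(key: bytes, seq: int, payload: bytes) -> Packet:
    """Sender side: number the packet and append a keyed digest over seq and payload."""
    icv = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return Packet(seq, payload, icv)


class AntiReplayWindow:
    """Tracks which of the most recent `size` sequence numbers have been accepted.
    Bit i of `bitmap` is set when sequence number (highest - i) was accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far; 0 = nothing yet
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:                                   # never a legitimate sequence number
            return False
        if seq > self.highest:                         # packet advances the window
            shift = seq - self.highest
            if shift >= self.size:                     # jumped past the whole window
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                        # older than anything tracked: drop
            return False
        if (self.bitmap >> offset) & 1:                # already accepted once: replay
            return False
        self.bitmap |= 1 << offset                     # late but genuinely new: accept
        return True


def receive(key: bytes, window: AntiReplayWindow, pkt: Packet) -> str:
    """Verify the ICV before the replay check so a forged seq cannot poison the window."""
    expected = hmac.new(key, pkt.seq.to_bytes(4, "big") + pkt.payload,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt.icv):
        return "drop:bad-icv"
    if not window.accept(pkt.seq):
        return "drop:replay-or-stale"
    return "accept"


def run_trace() -> list:
    """Constructed trace: in-order traffic, one late packet, one replay of an
    accepted packet, one packet with an altered sequence number, one far jump
    forward, then a replay that has fallen out of the window."""
    window = AntiReplayWindow()
    p1, p2, p3 = (make_packet(SHARED_KEY, n, b"data%d" % n) for n in (1, 2, 3))
    p5 = make_packet(SHARED_KEY, 5, b"data5")
    p4_late = make_packet(SHARED_KEY, 4, b"data4")
    tampered = Packet(6, p3.payload, p3.icv)           # seq changed, ICV no longer matches
    p200 = make_packet(SHARED_KEY, 200, b"data200")
    trace = [p1, p2, p3, p5, p4_late, p2, tampered, p200, p3]
    return [receive(SHARED_KEY, window, p) for p in trace]


if __name__ == "__main__":
    for seq, verdict in zip((1, 2, 3, 5, 4, 2, 6, 200, 3), run_trace()):
        print(f"seq={seq:<4} {verdict}")
```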

signature-based monitoring  A signature-based monitoring method is sometimes considered a part of the misuse-detection category. This type of monitoring method looks for specific byte sequences or signatures that are known to appear in attack traffic. The signatures are identified through careful analysis of the byte sequence from captured attack traffic.
Simple Mail Transport Protocol (SMTP) relay  An exploitation of SMTP relay agents used to send out large numbers of spam messages.
Simple Network Management Protocol (SNMP)  A UDP-based application layer Internet protocol used for network management. In converting management information between management consoles (managers) and managed nodes (agents), SNMP implements configuration and event databases on managed nodes that can be configured to respond to interesting events by notifying network managers. SNMP is governed by RFCs 2570 and 2574.
single sign-on (SSO)  The concept or process of using a single logon authority to grant users access to resources on a network regardless of what operating system or application is used to make or handle a request for access. The concept behind the term is that users need to authenticate only once and can then access any resources available on a network.
smart card  A credit card–size device that contains an embedded chip. On this chip, varying and multiple types of data can be stored, such as a driver’s license number, medical information, passwords or other authentication data, and even bank account data.
sniffer  A hardware device or software program used to capture and analyze network data in real time. Because such a device can typically read and interpret all unencrypted traffic on the cable segment to which it is attached, it can be a powerful tool in any competent hacker’s arsenal.
social engineering  The process of using human behavior to attack a network or gain access to resources that would otherwise be inaccessible. Social engineering is a term that emphasizes the well-known fact that poorly or improperly trained individuals can be persuaded, tricked, or coerced into giving up passwords, phone numbers, or other data that can lead to unauthorized system access, even when strong technical security measures can otherwise prevent such access.
spam  A term that refers to the sending of unsolicited commercial email.

spoofing  A technique for generating network traffic that contains a different (and usually quite specific) source address from that of the machine actually generating the traffic. Spoofing is used for many reasons in attacks: It foils easy identification of the true source, it permits attackers to take advantage of existing trust relationships, and it deflects responses to attacks against some (usually innocent) third party or parties.
spyware  Software that communicates information from a user’s system to another party without notifying the user.
standard  This term is used in many ways. In some contexts, a standard might simply describe a well-defined rule used to produce a desired behavior or action. In other contexts, it refers to best practices for specific platforms, OS versions, implementations, and so forth. Some standards are mandatory and ensure uniform application of a technology across an organization.
steganography  Steganography is a word of Greek origin meaning hidden writing, which can be further described as both an art and a science for simply hiding messages so that unintended recipients wouldn’t even be aware of any message.
storage policy  A policy defining the standards for storing each classification level of data, including services, file storage, access control, and network routing hardware.
switch  A hardware device that manages multiple, simultaneous pairs of connections between communicating systems. Switches split collision domains, but can also provide greater aggregate bandwidth between pairs or groups of communicating devices because each switched link normally gets exclusive access to available bandwidth.
symmetric key  A single encryption key that is generated and used to encrypt data. This data is then passed across a network. After that data arrives at the recipient device, the same key used to encrypt that data is used to decrypt it. This technique requires a secure way to share keys because both the sender and receiver use the same key (also called a shared secret because that key should be unknown to third parties).
system logging  The process of collecting system data to be used for monitoring and auditing purposes.
system monitoring  A method of monitoring used to analyze events that occur on individual systems.

T

Terminal Access Controller Access-Control System Plus (TACACS+)  An authentication, authorization, and accounting standard that relies on a central server to provide access over network resources.

threat  A danger to a computer network or system (for example, a hacker or virus represents a threat).
token  This is a hardware- or software-based system used for authentication wherein two or more sets of matched devices or software generate matching random passwords with a high degree of complexity.
Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking  A process used to steal an ongoing TCP/IP session for the purposes of attacking a target computer. Essentially, hijacking works by spoofing network traffic so that it appears to originate from a single computer, when in actuality it originates elsewhere, so that the other party in the communication doesn’t realize another computer has taken over an active communications session.
Transport Layer Security (TLS)  An end-to-end encryption protocol originally specified in ISO Standard 10736 that provides security services as part of the transport layer in a protocol stack.
Trojan  A form of malware that appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed. A Trojan horse is software hidden inside other software and is commonly used to infect systems with viruses, worms, or remote-control software.
Trusted Platform Module (TPM)  A secure cryptoprocessor used to authenticate hardware devices such as a PC or laptop.

U–V

uninterruptible power supply (UPS)  A power supply that sits between the wall power and the computer. In the event of power failure at the wall, the UPS takes over and powers the computer so that you can take action before data loss occurs.
video surveillance  A surveillance method using closed-circuit television (CCTV), with which the picture is viewed or recorded as a means of security.
virtual local area network (VLAN)  A software technology that allows for the grouping of network nodes connected to one or more network switches into a single logical network. By permitting logical aggregation of devices into virtual network segments, VLANs offer simplified user management and network resource access controls for switched networks.
virtualization technology  A technology developed to allow a guest operating system to run along with a host operating system while using one set of hardware.

virtual private network (VPN)  A popular technology that supports reasonably secure, logical, private network links across some unsecure public network infrastructure, such as the Internet. VPNs are more secure than traditional remote access because they can be encrypted and because VPNs support tunneling (the hiding of numerous types of protocols and sessions within a single host-to-host connection).
virus  A piece of malicious code that spreads to other computers by design, although some viruses also damage the systems on which they reside. Viruses can spread immediately upon reception or implement other unwanted actions, or they can lie dormant until a trigger in their code causes them to become active. The hidden code a virus executes is called its payload.
vulnerability  A weakness in hardware or software that can be used to gain unauthorized or unwanted access to or information from a network or computer.

W

warm site  A backup site that has some of the equipment and infrastructure necessary for a business to begin operating at that location. Typically, companies or organizations bring their own computer systems and hardware to a warm site, but that site usually already includes a ready-to-use networking infrastructure and also might include reliable power, climate controls, lighting, and Internet access points.
wet-pipe fire suppression  A sprinkler system with pressurized water in its pipes. If a fire starts, the pipes release water immediately and offer the fastest and most effective means of water-based fire suppression.
whole disk encryption  Whole disk encryption can be either hardware- or software-based, and is meant to encrypt the entire contents of the drive. This can include even temporary files and memory.
Wi-Fi  Short term for the Wireless Fidelity communication standard.
Wireless Application Protocol (WAP)  A long-range mobile equipment communications protocol used by server-side processes to perform functions needed within the website.
Wired Equivalent Privacy (WEP)  A security protocol used in IEEE 802.11 wireless networking. WEP is designed to provide security equivalent to that found in regular wired networks. This is achieved by using basic symmetric encryption to protect data sent over wireless connections so that sniffing of wireless transmissions doesn’t produce readable data and so that drive-by attackers cannot access a wireless LAN without additional effort and attacks.

wireless local area networks (WLANs)  A networking technology that uses high-frequency radio waves rather than wires to communicate between nodes.
Wireless Transport Layer Security (WTLS)  WTLS defines a security level for applications based on the Wireless Application Protocol (WAP). WTLS is based on Transport Layer Security (TLS) but has been modified to work with the low-bandwidth, high-latency, and limited-processing capabilities found in many wireless networking implementations. WTLS also provides authentication, data integrity, and confidentiality mechanisms, all based on encryption methods using shared 56- or 128-bit symmetric keys.
worm  A special type of virus designed primarily to reproduce and replicate itself on as many computer systems as possible. Worms typically rely on access to operating system capabilities that are invisible to users. A worm does not normally alter files but rather remains resident in a computer’s memory.

X–Y–Z

X.500 directory  A standard that regulates global, distributed directory services databases. As its acronym indicates, it’s also known as a white pages directory (because lookup occurs by name, rather than by job role or other categorized information, as in a yellow pages type of system).
X.509 digital certificate  A digital certificate that uniquely identifies a potential communications party or participant. Among other things, an X.509 digital certificate includes a party’s name and public key, but it can also include organizational affiliation, service or access restrictions, and a host of other access- and security-related information.


logical access controls. 120 logical tokens. 339 access control entries (ACEs). 127-128. 122 DACs (discretionary access controls). 122 access control lists (ACLs). 142-144 DACLs (discretionary access control lists). 142-144 RBACs (role-based access controls). 122 DACLs (discretionary access control lists). 146 best practices. remote access account expiration. 122 anonymous access. 120 . 119-121 distribution groups. See also authentication. 142-144 RBACs (rule-based access controls).Index A A/C maintenance. 123-124 group-based. 144 access controls. 122 ACLs (access control lists). 127 ACEs (access control entries). 122 Group Policy. 153 security groups. 144-145 DACs (discretionary access controls). 350 acceptable use policies.

142-144 flooding. 34-35 adware. 171 agents. 142 logical tokens. DNS kiting. See specific algorithms annual loss expectancy (ALE). 234-235 MACs (mandatory access controls). 142. 228 . 34-35 AES (Advanced Encryption Standard) symmetric key algorithms. 294 AirSnort. 122 DACs (discretionary access controls). 224 AGP (add grace period). 128 print and file sharing. 78 RBACs (role-based access controls). 194 ActiveX controls. 131-132 algorithms. 125-126 networks. 32 ACLs (access control lists). 63 ALE (annual loss expectancy). 124-125 system hardening. 153 logging. 144 RBACs (rule-based access controls). 95-96 passwords disadvantages. 127-128. 146 domains.494 access controls ITSEC (Information Technology Security Evaluation Criteria). 52. 88 advertising-supported software. 209-210 null sessions. 144 TCSEC (Trusted Computer System Evaluation Criteria). DNS kiting. 142-144 RBACs (role-based access controls). 131-132 annualized rate of occurrence (ARO). 126-127 user-based. 266 weak encryption. 87-88 port stealing. 206 time-of-day restrictions. ARP poisoning. 122 DACLs (discretionary access control lists). 123 group-based. 95 ACEs (access control entries). 142-144 RBACs (rule-based access controls). 120 active IDSs (intrusion-detection systems). 121-122. 58 Group Policy. 225. 119-121 access requestors (ARs) NACs (network access controls). IPsec (Internet Protocol Security). 87-88 NACs (network access controls). 62. 156 vulnerabilities. 179-180. 122 Acid Rain Trojan. 132 anomaly-based monitoring. 64 physical. 85 AH (Authentication Header) protocol. Windows. 55 add grace period (AGP). 142-143. 144 Active Directory. 85 Address Resolution Protocol (ARP) poisoning.

206-208 operating system hardening. 311 backup schemes. 268 bit strengths. 152. 199 application-level gateway proxy-service firewalls. null sessions. 31 baselines/baselining. 194 auditing system security. 206. IPsec (Internet Protocol Security) protocol. remote access Authentication Header (AH). 95 asset identification. 59 system hardening. 439-465 antispam software. Shamir. 389-410 exam 2. 240-241 user access and rights. 220-221 application hardening. 156 answers (practice exams) exam 1. See also access controls. 206. 146 FTP (File Transfer Protocol). 100-101 application security. 79 application hardening. 230 network hardening. 199 APIPA (Automatic Private IP Addressing). 208-210 logging procedures. 206-207 . 320 ARO (annualized rate of occurrence). 269 El Gamal asymmetric encryption algorithm. OSI (Open Systems Interconnection) model. 241-242 storage and retention. 112-113 antivirus logging. 180.495 baselines/baselining anonymous access. 208-210 application layer. 52 Automatic Private IP Addressing (APIPA). 92 awareness training policies. 230-231 archive bits. 356-357 B back doors. 346-347. 236-237 group policies. 253-255. 294 Authenticode signature. 87-88 port stealing. 268-269. 64 backup power generators. 92 APIs (application programming interfaces). 88 ARs (access requestors) NACs. 236 antivirus software. 269 key management. 239-240 authentication basics. and Adleman) asymmetric encryption algorithm. 260 ECC (Elliptic curve cryptography). 146-147. 179 application protocol-based intrusiondetection systems (APIDSs). 129 asymmetric key encryption algorithms. 132 ARP (Address Resolution Protocol) poisoning. 237-238 best practices. 295 attack signature. logical access controls. 177-178. 225. 111-112 APIDSs (application protocol-based intrusion-detection systems). 320-322 Badtrans worm. 256 RSA (Rivest. 179-180.

283-284 certificate life cycles. 65 bridge CA (certificate authority) model. 131 business continuity planning. 285 certificate life cycles. See anonymous FTP access blind spoofing. 172-173 Bluetooth connections. 220 biometrics. 62. 205 risk management. 283-287 hierarchical CA model. OVAL (Open Vulnerability Assessment Language). 266 Bluejacking. 204-205 penetration testing. 30-31 bots/botnets. 55-56 buffer overflows browser security. 227-228 benchmarking. 56 CGI (common gateway interface) scripts. 97. 308-309 C CA (certificate authority). 54 JVM (Java Virtual Machine). 260. 172 Bluetooth technology handheld device security. 172-173 Bluesnarfing. 282 certificate policies. 55 add-ins. 83 boot sector viruses. 285 browser security. 152. 41 Bonk DoS (denial-of-service) attacks. 36-37. 38-40 BitTorrent file-sharing application. 158 Basic Input/Output System (BIOS) security. 196-197 behavior-based monitoring. 51 LDAP (Lightweight Directory Access Protocol). 149 key management. 205 penetration testing. 286-287 CPS (certificate practice statement). 281 ActiveX controls. 177. 58 buffer overflow attacks. 284-285 Cabir worm. 102 behavior-based IDSs (intrusion-detection systems). 31 BUGTRAQ. 265-267 Blowfish Encryption Algorithm. 285 Kerberos authentication. 41 cable modem risks. 55 XSS (cross-site scripting). 282 single CA model. 55 session hijacking. 286-287 cross-certification CA model. 52 bridge CA model. 203-204 identifying vulnerabilities. 28-29. 285 digital certificates. 205 system hardening. 80 block ciphers. 153-154 BIOS (Basic Input/Output System) security. 287-292 registration authorities. 56 blind FTP. 60-61. 38-40 bastion hosts.

150 PPP (Point-to-Point Protocol). 54 chain of custody. 82 ports. 12-14 educational background. 121. 58 Common Internet File System (CIFS). 349 CIA triad. 310-311 comma-separated value (CSV) format. 240-241 information policies. 42 cell phone security. 16-18 exam preparation. See also exams (practice) candidate qualifications. 54 Common Information Model (CIM) standard. 19-20 CGI (common gateway interface) scripts. commonly used. See CA (certificate authority) certificate policies. 270 CDs removable storage device security. 23-24 readiness assessment. 259 confidentiality. 61 CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). 58 circuit-level gateway proxy-service firewalls. 31 cold sites. 132 coaxial cables. 74-76 Fraggle DoS (denial-of-service) attacks. 258-259 CIFS (Common Internet File System). cable shielding. 340-341 SLAs (service level agreements). 23 exam day. 230 common gateway interface (CGI) scripts. 343 carrier sense multiple access with collision avoidance (CSMA/CA) connectivity. 151 Chargen protocol. 11. 284. 150 versions. 352 Code Red worm. 54 profiling. 41-42 centralized key management. 352 California Online Privacy Protection Act of 2003 (OPPA). 257 availability. 19 anxiety. 121 CIM (Common Information Model) standard. 54 profiling. 283-284 certificate life cycles. 290 certification (CompTIA). 286-287 certificate revocation lists (CRLs). 257-258 integrity. 341-342 CLE (cumulative loss expectancy). 75 chemical fire suppression systems. 287 certificate authority. 14-16 hands-on experience. 21-22 study tips. 283-287 certificate practice statement (CPS). 333-334 change management. 345 CHAP (Challenge-Handshake Authentication Protocol). 100-101 classifications of data auditing storage and retention.

60 Cyber-Security Enhancement & Consumer Data Protection Act. 77 privacy issues. 60 CompTIA certification. 270 countermeasures. 336 D DACLs (discretionary access control lists). 14-16 hands-on experience. 132 CWAP (Compact Wireless Application Protocol). 61 CSV (comma-separated value) format. 345 content filtering. 230 cumulative loss expectancy (CLE). 279 Cryptographic Token Interface Standard. 23-24 readiness assessment. 19 anxiety. 290 certificate status checks. 102-103 continuous UPSs (uninterruptible power supplies). 278 Cryptographic Token Information Format Standard. 53 tracking cookies. 321 Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). 312 cookies. 55-56 cryptographic hash algorithms. 21-22 study tips. 122 DACs (discretionary access controls). 256 CSMA/CA (carrier sense multiple access with collision avoidance) connectivity. 278 cryptography. 264 Cryptographic Message Syntax Standard. 285 cross-site scripting (XSS). 286-287 CRLs (certificate revocation lists). 284. 55 clearing caches. 202 CPS (certificate practice statement). 16-18 exam preparation. intrusions. 180. 53 session values. 333-334 damage and loss controls. 335-336 RFC (Request For Comments) 2350. 19-20 computer forensics. 142-144. Compact Wireless Application Protocol (CWAP). 335 configuration baselines. 334-335 reporting and disclosure policies. 53 hijacking. 12-14 educational background. 158 configuration change documentation. 283-284 certificate life cycles. 340-341 SLAs (service level agreements). 52. 23 exam day. 335 first responders. 290 cross-certification CA (certificate authority) model. 332-333 chain of custody. 53 copy backups. 11 candidate qualifications. 252 versus steganography.

58 Directory Service Markup Language (DSML). 338 default account vulnerabilities. 175-176 TACACS+ (Terminal Access Controller Access Control System Plus). 260 Digital Subscriber Line (DSL) risks. 336 DDoS (distributed denial-of-service) attacks. 290 registration authority (RA). 287-292 OCSP (Online Certificate Status Protocol) certificate revocation. 336 Data Encryption Standard (DES) symmetric key algorithms. 174 LDAP (Lightweight Directory Access Protocol). 64 default identification broadcast vulnerabilities. 180. 92 dial-up access. 83 vulnerabilities. 338 demilitarized zone (DMZ). 290 certificate status checks. 81-83. 170. 306-308 backups. 290 HTTPS versus S-HTTP. 152. 176-177 RADIUS (Remote Authentication Dial-In User Service). 177. 116-117 VPNs (virtual private networks). 58 denial of services (DoS) attacks. 260 X.509. 265-266 data link layer. 179 data-breach notification law. 58 disaster recovery. 86 decentralized key management. 335 Data Accountability and Trust Act. 57-58 versus digital signatures. 284. 265-266 DHCP (Dynamic Host Configuration Protocol). 290 certificate status checks. 152. 97 Directory Enabled Networking (DEN) standard. 101 zombies. 175-176 differential backups. 287 declassification of media. 57 key management. 260 versus digital certificates. 177. 282 SSL (Secure Sockets Layer). 286-287 certificate policies. 321 Diffie-Hellman Key Agreement Standard. 36. 83-84 DNS poisoning. 180. 87 circuit-level gateway proxy-service firewalls. 268. 64 degaussing media. 282 certificate life cycles. 88-89 firewall placement. 173 DEN (Directory Enabled Networking) standard. 162-163. damage and loss controls. 278 digital certificates. 170. OSI (Open Systems Interconnection) model. 179 data-breach notification law. 278-281 digital signatures. 156 ARP poisoning. 65 DES (Data Encryption Standard) symmetric key algorithms. 258-261 nonrepudiation. 320-322 physical access security.

62 802. 116-117 VPNs (virtual private networks). 231-232 man-in-the-middle attacks. 355-356 duplexing RAID. 83 dry-pipe fire suppression systems. 58 due care knowledge/actions. 335-336 discretionary access control lists (DACLs). 173 DN (Distinguished Name). 345 dumpster diving. 151 wireless networking. commonly used. 97 DSML (Directory Service Markup Language). 323-324 disclosure policies. 74 Fraggle DoS (denial-of-service) attacks. 122 discretionary access controls (DACs). 83-84 DNS poisoning. 81-83. 356-357 802. 334. 319-320 system restoration. policies. 209 Bonk attacks. 142-144 disk arrays. 85-86 ports. 81 poisoning. 83 DMZ (demilitarized zone). 86 distribution groups. 87 circuit-level gateway proxy-service firewalls. 76 domain kiting. 75 risks. 314 Echo protocol. 89 kiting. commonly used. 177 DNS (domain name service) application hardening. 177 distributed denial-of-service (DDoS) attacks.1Q standard. 170-173. 90 802. 60-61 802. 101 zombies. 82 ports. 85 logging procedures. 210 E ECC (Elliptic curve cryptography) asymmetric encryption algorithm. 37 Dynamic Host Configuration Protocol (DHCP). 85 DoS (denial of services) vulnerabilities. 88-89 firewall placement. 314 Duronio. 344-345 due process laws. 75 education of users.1x. 156 ARP poisoning. 92 application hardening. 36. 349 DSL (Digital Subscriber Line) risks. 120 DMZ (demilitarized zone). 344 due diligence.11 wireless fidelity (Wi-Fi) standard. 307. 307 SLAs (service level agreements). 313-317 Distinguished Name (DN). 269 ECC (Error Correcting Code) RAID. 346-347. 65 attacks. 11i WPA/WPA2 (Wi-Fi Protected Access). 334. 74 Fraggle DoS (denial-of-service) attacks. IEEE (Institute of Electrical and Electronics Engineers) standard. 170-173.

411-437 Microsoft’s Exam link. 182-183 EMI (electromagnetic interference). 181 clients. RAID. 352 plenum. 314 ESD (electrostatic discharge). 181. 268 electromagnetic interference (EMI). 221 Group Policy. 225. 145 El Gamal asymmetric encryption algorithm. See also certification (CompTIA) CompTIA Certification Programs link. 233 system monitoring. 171 whole disk encryption. 389-410 questions. 182 SMTP (Simple Mail Transfer Protocol). 179-180. 181 PGP/MIME (Pretty Good Privacy/Multipurpose Internet Mail Extension) protocol. shielding. 294 Event Viewer. 16 preparation. 352 twisted-pair cables. 294 encryption nonrepudiation. 23 exam day. IPsec (Internet Protocol Security). 182 S/MIME (Secure Multipurpose Internet Mail Extension) protocol. 23-24 readiness assessment. 352 Encapsulated Secure Payload (ESP). 21-22 study tips. 179-180. 439-465 questions. 183 MIME (Multipurpose Internet Mail Extension) protocol. 365-387 exam 2 answers. 19 anxiety. 50-51 hoaxes. 279 email security. 350-351 coaxial cables. 262-263 Entrust CAs (certificate authorities). See email security electrostatic discharge (ESD). 352 electronic and electromagnetic emissions. 18 exam 1 answers. 350 shielding electronic and electromagnetic emissions. 350-353 Error Correcting Code (ECC). 269 Elliptic Curve Cryptography Standard. 223-224 exams (practice). 281 environmental security controls fire prevention/suppression. 352 electronic mail. 259-260 weak encryption. 350 ESP (Encapsulating Security Payload) protocol. 225. 19-20 expiration access control. 241-242 system logging. Hamming Code. 350 Elliptic curve cryptography (ECC) asymmetric encryption algorithm. 348-349 HVAC systems. 208-209 spam. 261-262 Trusted Platform Module.

345 Fraggle DoS (denial-of-service) attacks. 118 proxy-service. 76 F facial geometry biometric authentication. 99-100. 118 stateful-inspection. 261-262 Trusted Platform Module. 116 placement. 154 fire prevention/suppression. due process. See also personal firewalls extranets. 154 false acceptance rates (FAR). 59 application hardening. due process. 90 ports. 78 File Transfer Protocol (FTP) anonymous access. 113 forensics. 335 first responders. 101 authentication. 209-210 null sessions. 110. 206 file and print services/sharing. 334. 335-336 RFC (Request For Comments) 2350. 262-263 Federal Rules of Civil Procedure (FRCP) data retention policies. 116-118 application-level gateway. 100. 118 logging. 334-335 floating pop-ups. Extended-Certificate Syntax Standard. 278 extranets. 116-117 protocol analyzers. 335 Fourteenth Amendment. 337 information classifications. 206 FDE (full disk encryption). 59 DMZ (demilitarized zone). 80 system hardening. 154 false rejection rates (FRR). commonly used. 89 fingerprint biometric authentication. 100-101 software. 235-236 packet-filtering. 312 Fifth Amendment. 118 Internet content filters. 345 File Allocation Table (FAT)-based file systems. 75 spoofing. 100-101. 350-351 FAT (File Allocation Table)-based file systems. 154 Faraday cage shielding. 342 ferroresonant UPSs (uninterruptible power supplies). 332-333 chain of custody. 100-101 circuit-level gateway. 209 application-level gateway proxy-service firewalls. 121-122 application hardening. 333-334 damage and loss controls. 334. 82 116 first responders. 241 discovery process and electronic data. 90 hardware. 334-335 reporting and disclosure policies. 348-349 firewalls. 156 Finger protocol.

123-124 gpresult command. 42-43 removable storage devices. 38-40 handheld devices. 337-338 hardware/peripherals system threats BIOS. 185 hardening application hardening. 41-42 network-attached storage. 157 Group Policy. 154 FTP (File Transfer Protocol) anonymous access. frame tagging. 241-242. 157-158 updates. 40-41 G GLB (Gramm-Leach-Bliley Act). 40-42 storage area network. 337 GNU Privacy Guard (GnuPG). 59 full backups. 323 specification. 123-124. 153 security groups. 120 H H.323 specification. 96 Hamming Code Error Correcting Code (ECC) RAID. 41-42 hand geometry biometric authentication. 154 Handshake Protocol. TLS (Transport Layer Security). 337 grandfather-father-son backups. 314 handheld device security. 268 GPOs (Group Policy objects). 120 logical tokens. 96 Hamming Code. 156 security settings. commonly used. 59 full backups. 322 full disk encryption (FDE). 322 group policies. 75 spoofing. 209 application-level gateway proxy-service firewalls. 208-210 network hardening. 80 system hardening. 90-91 FRCP (Federal Rules of Civil Procedure) data retention policies. 101 authentication. 342 FRR (false rejection rates). 337 information classifications. 89 ports. 59 application hardening. 242 Gramm-Leach-Bliley Act (GLB). 41-42 hand geometry biometric authentication. 262-263 Group Policy objects (GPOs). 119-121 distribution groups. 206-207 group policies. 110 hardware/media disposal policies. 75 FTPS (FTP over Secure Sockets Layer). 157 nonessential services/protocols. 337 grandfather-father-son backups. 156-157 hardware personal firewalls. 206 system hardening. 261-262 Trusted Platform Module. 314 handheld device security. 268 GPOs (Group Policy objects). 120 group-based access controls. 123-124 group-based access controls. 241 discovery process and electronic data. 154 Handshake Protocol. 156 FTP-Data protocol. 127-128. 157 security settings. 206. 59 DMZ (demilitarized zone). 320. 42-43 USB devices. 241-242.

95 hot sites. 346 HTML-enabled client security. commonly used. 197 Health Insurance Portability and Accountability Act (HIPAA) of 1996. 201-202 host-based HIDSs (intrusion-detection systems). 75 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 219 ping. man-in-the-middle attacks. 199-201 host-based NACs (network access controls). NIDSs (network-based intrusion-detection systems). 96 ICMP (Internet Control Message Protocol). commonly used. 199-201 hierarchical CA (certificate authority) model. 98-99. 311 hotfixes. 350 Hunt program. 336 hoaxes. system hardening. 89 logging procedures. 231 ports. 81 HVAC systems. 336 heat/smoke detection systems. 285 hijacking. 101 DMZ (demilitarized zone). 57. 77-78 802. hash algorithms. 264 LAN Manager and NT LAN Manager. 235 IAX (Inter Asterisk eXchange) specification. 82 traceroute. 114-115 I IAS (Internet Authentication Service). 65 humidity monitoring. 348 HIDSs (host-based intrusion-detection systems). 172 HIPAA (Health Insurance Portability and Accountability Act) of 1996. 183. 355 honeypots/honeynets. IEEE (Institute of Electrical and Electronics Engineers) standard. 312 Hypertext Transfer Protocol (HTTP). 50 HTTP (Hypertext Transfer Protocol) application-level gateway proxy-service firewalls. 264-265 header signatures. ICMP (Internet Control Message Protocol) echoes. 263 cryptographic. 89 logging procedures. 101 DMZ (demilitarized zone). 98-99. 293 DMZ (demilitarized zone). 1x. 264-265 header signatures. 75 application-level gateway proxy-service firewalls. 89 ports. 218 smurf/smurfing. 184. 180. 157 HR (human resources) policies. 231 ports. 185 hub vulnerabilities. 75 versus S-HTTP (Secure Hypertext Transport Protocol). 75 hypervisors. 350 hybrid UPSs (uninterruptible power supplies). 180. 92 IDEA (International Data Encryption Algorithm). 266.

88 behavior-based. 201-202 active and passive. 1x specifications. 199-201 honeypots/honeynets. 95 instant messaging (IM). hijacking. 205 APIDSs (application protocol-based IDSs). 306 implicit deny access control. 201 versus NIPS (network intrusion-prevention system). 98-99 incident handling. 279 Internet Authentication Service (IAS). 201-202 host-based (HIDSs). 1x specifications. 194. 170-173 Inter Asterisk eXchange (IAX) specification. 195-196 network-based (NIDSs). DNS kiting. 155 IDSs (intrusion-detection systems). 85 Internet Corporation for Assigned Names and Numbers (ICANN). DNS kiting identity proofing authentication. 196-197 HIDSs (host-based IDSs). 92 Internet Control Message Protocol (ICMP) echoes. 208 iMode standard. 96 International Data Encryption Algorithm (IDEA). 277-279 WAP next standard research. 144 Incident Response Team (IRT). 60 IIS (Internet Information Services) logging procedures. 61. 201 IEEE (Institute of Electrical and Electronics Engineers) 802. 332 incremental backups. 80 initial sequence numbers (ISNs). 231 IKE (Internet Key Exchange) protocol. 316 Information Technology Security Evaluation Criteria (ITSEC). 56-57. 202-203 knowledge-based. 183-184 Institute of Electrical and Electronics Engineers (IEEE) 802. 219 Internet Corporation for Assigned Names and Numbers (ICANN). 82 traceroute. 194. 321-322 independent data disk RAID. 225. 218 smurf/smurfing. 77 inline NACs (network access controls). 235 Internet Connection Sharing (ICS). 60 impact/risk assessment. 199 ARP poisoning. 151 wireless networking. 183-184 IMAP (Internet Message Access Protocol). 266 International Telecommunications Union (ITU) X.509 certificates. 176 PKIX Working Group. 219 ping. 180. 142 informed spoofing. 197-199. 180. 294 IM (instant messaging). 170-173 IETF (Internet Engineering Task Force) LDAP (Lightweight Directory Access Protocol). 61. 56-57. 98-99 NIDSs (network-based IDSs). 151 wireless networking. 85.

88 behavior-based. 195-196 NIDS (network-based IDSs). 92 Network Monitor. 92-94 IPv6. 178-179 replay attacks. 179-180 IKE (Internet Key Exchange). 81 spoofing. 180 NAT (Network Address Translation). 93 NAT (Network Address Translation). 179-180 IKE (Internet Key Exchange). 170. 180. 154 IronKey. 60 Internet Information Services (IIS) logging procedures. 176 PKIX Working Group. 173-174. Internet Engineering Task Force (IETF) LDAP (Lightweight Directory Access Protocol). 78 intranets. 90 intrusion-detection systems (IDSs). 80 VPNs (virtual private networks). 196-197 HIDS (host-based IDSs). 294 Internet Message Access Protocol (IMAP). 293-294 iris profile biometric authentication. 293-294 Internet Security and Acceleration (ISA). 208 Internet Protocol (IP) remote access. 197-201 versus NIPS (network intrusion-prevention system). 201 IP (Internet Protocol) remote access. 173-174. 201-202 incident handling. 225. 201-202 active and passive. 199 ARP poisoning. 219 IPsec (Internet Protocol Security). 202-203 knowledge-based. 78 Ipconfig/Ifconfig utilities. 92-94 IPC$ (interprocess communication share) null sessions. 199-201 honeypots/honeynets. 194. 235-236 Internet Security Association and Key Management Protocol (ISAKMP). 174 IP addresses classes. 80 VPNs (virtual private networks). 180 NAT (Network Address Translation). 277-279 WAP next standard research. 231 Internet Key Exchange (IKE) protocol. 174 Internet Protocol Security (IPsec). 206 AH and ESP services. 170. 225 OSI network layer. 178-179 replay attacks. 205 APIDSs (application protocol-based IDSs). 91-92 subnetting. 173 IRT (Incident Response Team). 294 interprocess communication share (IPC$) null sessions. 81 spoofing. 206 AH and ESP services. 225 OSI network layer. 332.

50-51 versus ActiveX controls. 176-177 K KDC (Key Distribution Center). 290 key pair storage. 52 Java applets buffer overflow attacks. 52 versus JavaScript. 290 key escrow. DNS. 287 certificates M of N controls. 290 suspension. 342-343 Juggernaut program. 77 iStat nano. 85 knowledge-based IDSs (intrusion-detection systems). 29 JavaScript. 289 status checks. 291 keys for destruction. 29 L L2TP (Layer 2 Tunneling Protocol). 289 and renewal. 287-288 keys for authentication. 58. 264-265 LANalyzer. 148-149 Kerberos authentication. 291 multiple key pairs. ISA (Internet Security and Acceleration). 294 ISNs (initial sequence numbers). 279 key management. 81 JVM (Java Virtual Machine). 170-171. 288 key pair recovery. 170-171. 195-196 J Java. 294 remote access. 292 Kismet. 150 LDAP (Lightweight Directory Access Protocol). 294 remote access. 82 Layer 2 Tunneling Protocol (L2TP). 224 ITSEC (Information Technology Security Evaluation Criteria). 174 LAN Manager (LM) hash algorithm. 63 kiting. 50-51 buffer overflow attacks. 145 job rotation/cross-training. 174 LDAP (Lightweight Directory Access Protocol). Novell. 55 versus Java. 225 Land DoS (denial-of-service) attacks. 291 keys for privacy. 291 revocation. 142 ITU (International Telecommunications Union) X.509 certificates. 235-236 ISAKMP (Internet Security Association and Key Management Protocol). 52 job rotation access control. 147-149 mutual authentication. hijacking. 256 centralized versus decentralized. 290 expiration. 50-51 buffer overflow attacks. 29 Java Virtual Machine (JVM).

127-128. 30-31 worms. 235-236 performance logging. Learntosubnet.com. 125-126 networks. ARP poisoning. 122 time-of-day restrictions. 236 application security. 64 protection techniques. See also access controls. OSI (Open Systems Interconnection) model. 120 logical tokens. remote access account expiration. 122 ACLs (access control lists). 233 logic bombs. 32-33 Trojans. 30-31 MAC (Media Access Control) sublayer. 119-121 distribution groups. 127-128. 234-235 antivirus logging. 153 passwords domains. 208-209 hoaxes. 153 logical-link control (LLC) sublayer. 233-234 system logging. 336-337 Lightweight Directory Access Protocol (LDAP). 231-232 firewall logging. 121-122 SACLs (system access control lists). 65 email security. 179 flooding. 28 malware (malicious code). 30-31 worms. 38 rootkits. 182-183 spyware. 122 Group Policy. 37-38 privilege escalation. 119-121 logical tokens. 126-127 user-based. 123-124 group-based. 124-125 print and file sharing. 58. 28 adware. 93-94 least privilege access control. 183 logic bombs. 229-230 access logging. 127 ACEs (access control entries). 122 DACLs (discretionary access control lists). 142-144 malicious code. 35-36 spam. 93 Linux Slapper worms. 37-38 logical access controls. 176-177 link-local addresses. 31-32. 29 LLC (logical-link control) layer. 34-35 bots/botnets. See malware. 145 legislation and security policies. 28-29. 36-37. 120 security groups. OSI (Open Systems Interconnection) submodel. 179 Love Bug virus. authentication. 32 viruses. 41 logging procedures and evaluation. 230-231 DNS. 33-34. 143. 179 M macro viruses. 30 M macro viruses. OSI (Open Systems Interconnection) model.

332 NCSD (National Cyber Security Division). 91-92. 75 NetBIOS over TCP/IP. See performance monitoring Montreal Protocol. 50 Netstat utility. MD4. 143. 205 net use/net view commands. 264 Michelangelo virus. 31 Message Digest Series Algorithms (MD2. 1x. McAfee. 31 multifactor authentication. 61 Multipurpose Internet Mail Extension (MIME) protocol. 349 Morris worm. 181. 76. 52 JavaScript. 91-92. 63 Network Access Control. 76. 87 mandatory access controls (MACs). MD4. man-in-the-middle attacks. 180. 79 NetBIOS. 221 NAS (network-attached storage). 79 Netlogon. ARP poisoning. IEEE (Institute of Electrical and Electronics Engineers) standard. 295 MIMO (multiple-input multiple-output). OSI (Open Systems Interconnection) model. 142-144 masters. 218 NetStumbler. 180. 337-338 Melissa virus. 234 network access controls (NACs). 264 Media Access Control (MAC) sublayer. 295 mutual authentication. See Active Directory MIME (Multipurpose Internet Mail Extension) protocol. 172 ARP poisoning. 61 mirroring RAID.dll/Netlogon. 207.log files. 314 Mocmex Trojan. 30 multiple-input multiple-output (MIMO). See MACs (mandatory access controls) multipartite viruses. 97 monitoring. 31 Microsoft Active Directory. 154-155 multilevel access controls. 236 Netscape Corporation cookies. 83 MD2. 117 NAT (Network Address Translation). 207 National Institute of Standards and Technology (NIST). 32 modem risks. 150 N NACs (network access controls). MD5 Message Digest Series Algorithms. 76. 95-96 Network Address Translation (NAT). 95-96 Nagios enterprise monitoring. 42-43 NAS (network-area storage) firewall placement. 179 flooding. 95. null sessions. 87-88 media/hardware disposal policies. 80-81 802. MD5).

116-118 gateways. 197-201 Nimda worm. 118 proxy-service. 201 New Technology File System (NTFS). 95. network firewalls. 79 IPC$ (interprocess communication share). 290 certificate status checks. 336 nslookup utility. 264-265 NTFS (New Technology File System). 267 Online Privacy Protection Act of 2003, California (OPPA). 97 Notification of Risk to Personal Data Act. 206-208 network interface cards (NICs). 78 RPCs (remote procedure calls). 205 100-101 stateful-inspection. 259-260 digital signatures. 98-99. 99 versus NIDSs (network-based intrusion-detection systems). 201 NIST (National Institute of Standards and Technology). 31 NIPS (network intrusion-prevention system). 343 online UPSs (uninterruptible power supplies). 42-43 network-based intrusion-detection systems (NIDSs). 178-179 Network Monitor. 197-199 versus NIPS (network intrusion-prevention system). 218 NT LAN Manager (NTLM) hash algorithm. 209 network-area storage (NAS) firewall placement. 100-101 gateways. circuit-level. 118 packet-filtering. Microsoft Windows Server. 206 NICs (network interface cards). 260 VoIP (voice over Internet Protocol). 290 offsite tape storage backups. 100-101. 117 network-attached storage (NAS). 116-117 protocol analyzers. 116 network hardening. 206 null sessions APIs (application programming interfaces). 116 placement. 198 network intrusion-prevention system (NIPS). 322 one-time pad (OTP) encryption algorithms. 99 versus NIDSs (network-based intrusion-detection systems). 332 nonrepudiation. 312 Open Systems Interconnection (OSI) model. 201 network layer. 198 NIDSs (network-based intrusion-detection systems). 284. 225-226 Network News Transfer Protocol (NNTP). 78 print-sharing services (Windows). 99-100 Internet content filters. 178-179 Open Vulnerability Assessment Language (OVAL). application-level. 79 O OCSP (Online Certificate Status Protocol) certificate revocation. 221.

95 OVAL (Open Vulnerability Assessment Language). 323-324 security policies acceptable use. 307 SLAs (service level agreements). 336-337 mandatory vacations. 306-308 physical access security. 345 social engineering risks. 343 orange book. 345 electronic and electromagnetic emissions. 342-343 due care knowledge/actions. 319 hot sites. 317-318 single points of failure. shielding. 310 UPSs (uninterruptible power supplies). 356-357 change documentation. 342-343 passwords. OpenPGP encryption algorithms. See TCSEC organizational security backups. 356-357 OSI (Open Systems Interconnection) model. 348-349 hardware/media disposal. 346-347. 320-322 business continuity planning. 310-311 connections. 311-313 warm sites. 309-311 ISPs (Internet service providers). 350 incident response procedures. 342-343 SLAs (service level agreements). 162-163 policies. 353-356 user education. 318-319 RAID. 339-340 PII (personally identifiable information). 340-341 computer forensics. 318 servers. 350-353 fire prevention/suppression. 311 cold sites. 313 site selection. 332-336 cross-training. 332 information classification levels. 343 separation of duties. 342-343 legislation. See system hardening OPPA (Online Privacy Protection Act of 2003). 339 awareness training. 341-342 job rotation. 337-338 HR (human resources). 310-311 system restoration. 267 out-of-band NACs (network access controls). 205 306-309 backup power generators. 308-309 disaster recovery. 344 due diligence. 344-345 due process. 319-320 redundancy. 178-179 OTP (one-time pad) encryption algorithms. 268 operating system hardening. 346 HVAC systems. 313-317 server clusters. California.

Vista. 218-219 ping DoS (denial-of-service) attacks. 229-230 access logging. 154 PAP (Password Authentication Protocol). 56 Packet Internet Grouper (ping). 339-340 system hardening. 41-42 PDPs (policy decision points) NACs. 233 methodologies. 221-222 Performance Logs and Alerts. 64. 221-222 application security. 120 user-based controls. 218 pathping. 218 nslookup. 150 parallel transfer RAID. 82 packet sniffing. 116 palm geometry biometric authentication. 230 DNS. 56 penetration testing. 227-228 signature-based. 230-231 logging procedures and evaluation. 205 PEPs (policy enforcement points) NACs. 234 performance monitoring. 234-235 antivirus logging. 205 Password Authentication Protocol (PAP). 146 pathping command. 96 PDA security. 82 ping flood DoS (denial-of-service) attacks. 150 Password-Based Cryptography Standard. 231-232 firewall logging. 195-196 packet-filtering firewalls. 95 peer-to-peer (P2P) networking. 219 Netstat. 278 passwords. 229 system security. 124-125 security policies. P–Q P2P (peer-to-peer) networking. 152-153 domains. 218-219 Perl language. 226-227 anomaly-based. Microsoft. 54 permissions and rights group-based controls. 220 ping (Packet Internet Grouper). 233-234 system logging. 120 security groups. 156 vulnerabilities. 102 passive IDSs (intrusion-detection systems). 236 baselines. 315 Parental Controls. 220 PBX (Private Branch Exchange) systems. 220 Performance console. 100. 235-236 performance logging. 218-219 Telnet. 125-126 networks. 95 performance benchmarking. 228 behavior-based. 119-121 219 tracert/traceroute. 222-224 tools Ipconfig/Ifconfig. CGI scripts. 119-121 distribution groups.

152. 110 software. 82 ping flood DoS (denial-of-service) attacks. 206 AH and ESP services. 182 phishing. See also PKCS. 336 personal firewalls hardware. 276. 286-287 digital certificates. 343 ping (Packet Internet Grouper). 80 VPNs (virtual private networks). 284. 279 personally identifiable information (PII). 218-219 ping DoS (denial-of-service) attacks. 128 evacuations. 92 Network Monitor. 285 cross-certification CA model. 158-162 access controls. 110-111 Personal Information Exchange Syntax Standard. Personal Data Privacy and Security Act of 2007. 290 certificate status checks. 75 versus S-HTTP (Secure Hypertext Transport Protocol). 82 PKCS (Public Key Cryptography Standards). 295 PGP/MIME (Pretty Good Privacy/Multipurpose Internet Mail Extension) protocol. 185 IPsec (Internet Protocol Security). 293 DMZ (demilitarized zone). 260 X.509. 290 CRLs (certificate revocation lists). 283-284 certificate life cycles. 162-163 facilities. 179-180 IKE (Internet Key Exchange). 254. 283-287 certificate revocation. 284. 290 OCSP (Online Certificate Status Protocol). 285 single CA model. 160-161 physical barriers. 278-279 PKI (public key infrastructure). 278-281 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 281 bridge CA model. 282. 286-287 certificate policies. 57. 290 versus digital signatures. 284-285 CPS (certificate practice statement). 285 hierarchical CA model. 170. 343 PGP (Pretty Good Privacy). 160 physical layer. 180 NAT (Network Address Translation). 89 ports. 81 spoofing. 282 certificate life cycles. 173-174. 354 physical access security. 225 OSI network layer. 178-179 replay attacks. 258. 206. commonly used. 179 PII (personally identifiable information). OSI (Open Systems Interconnection) model. 293-294.

352 Point-to-Point Protocol (PPP) CHAP (Challenge-Handshake Authentication Protocol). 174 registration authorities. 30 pop-up blockers. 95 policy enforcement points (PEPs) NACs. 113-114 POP3 (Post Office Protocol 3). 208 DMZ (demilitarized zone). 292-293 PKIX (public key infrastructure based on X. 95 polymorphic viruses. 197 port stealing. commonly used. 170. commonly used. 89 FTP over SSH (Secure Shell). 293 remote access. 75 remote access. 101 DMZ (demilitarized zone). 208 DMZ (demilitarized zone). 295 application-level gateway proxy-service firewalls. 170-171. 174. 170-171. 178 SSL (Secure Sockets Layer). 178 ports. 171 PPTP (Point-to-Point Tunneling Protocol). 75 port signatures. 282 S/MIME (Secure/Multipurpose Internet Mail Extensions). NIDSs (network-based intrusion-detection systems). commonly used. 177-178 versions. 295-296 DMZ (demilitarized zone). 85-86 policy decision points (PDPs) NACs. PKI (public key infrastructure) key management. 293 remote access. 287-292 L2TP (Layer 2 Tunneling Protocol). 150-151 remote access. 277-281 plenum. 87-88 DNS (domain name service). 182. ARP. 150-151 remote access. 294 remote access. 171 Point-to-Point Tunneling Protocol (PPTP). 75 PPP (Point-to-Point Protocol) CHAP (Challenge-Handshake Authentication Protocol). 89 ports. 174 PGP (Pretty Good Privacy). 75 Post Office Protocol 3 (POP3). commonly used. 208-209 ports. 294-295 SMTP (Simple Mail Transfer Protocol). 295 PPTP (Point-to-Point Tunneling Protocol). 57-58. 258. 59. 88 Portmap protocol. 292-293 browser security. 174 poisoning ARP (Address Resolution Protocol). 185.509 certificates). 181. 170-171. 75 SSH (Secure Shell). 170-171. 59 hijacking. 293 remote access. 282. 89 ports. 55 FTPS (FTP over SSL). 78 TLS (Transport Layer Security) standards. 277 TLS (Transport Layer Security). 89 email security.

16 preparation. 295 digital certificates. 282 certificate life cycles. 120 user-based controls. 23 exam day. 279 Public Key Cryptography Standards (PKCS). 118. 281 bridge CA model. 182 print and file services application hardening. OSI (Open Systems Interconnection) model. 23-24 readiness assessment. 179 Pretty Good Privacy (PGP). 18 exam 1 answers. 278 privilege escalation. 287-292 public key infrastructure (PKI). 389-410 questions. 28. 152. See also PKCS. 31 privileges group-based controls. 206. 19-20 presentation layer. 119-121 profiling. 19 anxiety. 254-255 key management. 276. 254. 64 buffer overflow attacks. 28-29. 284. 286-287 certificate policies. 96 private key encryption algorithms. practice exams CompTIA Certification Programs link. 278-279 public key encryption algorithms. 121-122. 290. 100-101 circuit-level gateway. 209-210 null sessions. 285 cross-certification CA model. 439-465 questions. 365-387 exam 2 answers. 119-121 distribution groups. 313 Private Branch Exchange (PBX) systems. PKIX CA (certificate authority). 278-279 public key encryption algorithms. 116-118 application-level gateway. 283-287 certificate revocation. 285 hierarchical CA model. 63 protocol analyzers. 103. 21-22 study tips. 411-437 Microsoft’s Exam link. 256. 256. 30 promiscuous-mode network traffic analysis. 78 printers. 286-287 digital certificates. 285 single CA model. 225 proxy servers. 54 program viruses. UNIX. 254-255. 100-101 ps tool. 287-292 Private-Key Information Syntax Standard. 282 Pretty Good Privacy/Multipurpose Internet Mail Extension (PGP/MIME) protocol. 260 key management. UPSs (uninterruptible power supplies). 225 Pseudo Random Number Generation. 120 security groups. 101-102 proxy-service firewalls. 284-285 CPS (certificate practice statement). 283-284 certificate life cycles. 258.

411-437

R

RA (registration authority). 293-294 key management. 179-180 IKE (Internet Key Exchange). 260 X. 295-296 DMZ (demilitarized zone). 294-295 SMTP (Simple Mail Transfer Protocol). 294 remote access. 290 versus digital signatures. 180 NAT (Network Address Translation). 80 VPNs (virtual private networks). 89 email security. 365-387 exam 2. 173-174. 287-292 L2TP (Layer 2 Tunneling Protocol). 509. 75 remote access. 293 remote access. 81 spoofing. 258. 78 TLS (Transport Layer Security) standards. 75 SSH (Secure Shell). 57-58. 206 AH and ESP services. public key infrastructure (PKI) certificate status checks. 55 FTPS (FTP over SSL). 178 SSL (Secure Sockets Layer). 170. 101 DMZ (demilitarized zone). 284. 59. 57. 208-209 ports. 185. 292-293 questions (practice exams) exam 1. 295 PPTP (Point-to-Point Tunneling Protocol). 170-171. 174 PGP (Pretty Good Privacy). 352. 89 FTP over SSH (Secure Shell). 181. 178 ports. 174 registration authorities. 170-171. 89 ports. 277 TLS (Transport Layer Security). 282. 293 DMZ (demilitarized zone). 92 Network Monitor. commonly used. 290 CRLs (certificate revocation lists). 278-281 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 295 application-level gateway proxy-service firewalls. commonly used. 290 OCSP (Online Certificate Status Protocol). 59 hijacking. 282 S/MIME (Secure/Multipurpose Internet Mail Extensions). 75 versus S-HTTP (Secure Hypertext Transport Protocol). 292-293 browser security. 185 IPsec (Internet Protocol Security). 152 radio frequency interference (RFI). 225 OSI network layer. 170. 182. 177-178 versions. 178-179 replay attacks. 284. commonly used.

206 AH and ESP services. 282 digital certificates. 309-311 ISPs (Internet service providers). 170-173 IP (Internet Protocol). 144 RBACs (rule-based access controls). 171 PPTP (Point-to-Point Tunneling Protocol). 170. 266 RCA4 (Rivest Cipher 4). 152 Relative Distinguished Name (RDN). TLS (Transport Layer Security). 310 UPSs (uninterruptible power supplies). 310-311 connections. 306-309 backup power generators. See also access controls. 178 SSH (Secure Shell). 311 cold sites. 313-317 server clusters. 170. IEEE (Institute of Electrical and Electronics Engineers) standard. 174 PPP (Point-to-Point Protocol). 173 RDP (Remote Desktop Protocol). 310-311 registration authority (RA). 170. 317-318 single points of failure. 178-179 replay attacks. 178 Record Protocol. remote access 802. 173 RBACs (role-based access controls). 177-178. 151 dial-up access. 92 Network Monitor. 295-296. 318 servers. 185 record-retention policies. 75 RAID. RADIUS (Remote Authentication Dial-In User Service). 170-171. 179-180 IKE (Internet Key Exchange). 62 rcp utility. 295-296 RDN (Relative Distinguished Name). 144 RC (Rivest Cipher) symmetric key encryption algorithms.1x. 170-171. 225 OSI network layer. 173-174. 177-178). 313-317 RARP (Reverse Address Resolution Protocol). 87 RAS (remote-access service). 75 RAS (remote-access service). 318-319 RAID. 319 hot sites. 174 RADIUS (Remote Authentication Dial-In User Service). 151 dial-up access. 293-294 L2TP (Layer 2 Tunneling Protocol). 175-176 ports. 175-176 ports. commonly used. logical access controls. 311-313 warm sites. 337 redundancy. 174 IPsec (Internet Protocol Security). 180 NAT (Network Address Translation). 142. 80 VPNs (virtual private networks). 170. 81 spoofing. 313 site selection. authentication. 177 RDP (Remote Desktop Protocol). 177 remote access. commonly used.

75 versions. 142. Ronald. 335-336 Request For Comments (RFC) 2350. 35-36 Routing and Remote Access (RRAS). 352 rights and permissions. commonly used. 295 ROI (return on investment). 205 risk and threat assessment. 89 FTP over SSH (Secure Shell). 132-133 vulnerabilities. 178 L2TP (Layer 2 Tunneling Protocol). 131-132 ROI calculations. commonly used. 170 quarantines. 151. See privileges risk management. 79 RRAS (Routing and Remote Access). 170. 75 VPNs (virtual private networks) IPsec (Internet Protocol Security). 266 Rivest Cipher 4 (RCA4). 175-176 ports. 323-324 Resultant Set of Policy (RSoP) tool. 335 restoration plans. 59. 132-133 role-based access controls (RBACs). 204-205 penetration testing. null sessions. 62 Rivest. 144 root CA (certificate authority). 178 ports. 295 rlogin utility. null sessions. 235 RPCs (remote procedure calls). 132. 40-42 replay attacks. 36 rootkits. 177-180. Shamir. 235 RROI (reduced return on investment). 131 Rivest Cipher (RC) symmetric key encryption algorithms. 154 Reverse Address Resolution Protocol (RARP). 79 remote-access service (RAS). 170 PPTP (Point-to-Point Tunneling Protocol). 335 RFI (radio frequency interference). 151 dial-up access. 264 Rivest. 170. 173 Remote Authentication Dial-In User Service (RADIUS). 173 removable storage device security. 130-131 risk calculations. and Adleman (RSA) asymmetric encryption algorithm. 242 retina scan biometric authentication. 268-269. 178 remote procedure calls (RPCs). 175-176 ports. 203-204 asset identification. DMZ (demilitarized zone). 170. 87 reverse social engineering risks. commonly used. 285 RootkitRevealer. 353-354 RFC (Request For Comments) 2350. 128-129. 129 identifying vulnerabilities. 75 Remote Desktop Protocol (RDP). 81 report of incident policies. 178 TACACS+ (Terminal Access Controller Access Control System Plus).

177-178 versions. 184-185. 59. 334. 177-180. 206-210 logging procedures. 117 protocol analyzers. 57-58 SecurID tokens. 153 security baselines application hardening. 278 RSA Cryptography Standard. and Adleman) asymmetric encryption algorithm. 206-207

S

S-HTTP (Secure Hypertext Transport Protocol) versus HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 185 S/FTP (FTP over Secure Shell). 78 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 57 Secure Login (slogin) utility. 294-295 Secure Shell (SSH). 268-269. 295 RSA Certification Request Syntax Standard. 57. 182. antivirus logging. 180. 115 SANS Institute. 122 sanitization of media. 177-178. 131 Sarbanes-Oxley (SOX) legislation. RSA (Rivest, Shamir, and Adleman) asymmetric encryption algorithm. 294-295 SACLs (system access control lists). 296 Secure Hash Algorithm (SHA. SHA-1). 177. 178. 29 TLS (Transport Layer Security). 296 search and seizure laws. 185. 59. 292-293 browser security. 118 virtualization. 59 hijacking. 296 S/MIME (Secure/Multipurpose Internet Mail Extensions). 264 Secure Hypertext Transport Protocol (S-HTTP) versus HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 230 network hardening. 170. Shamir. 338 SANs (storage-area networks). 182. 293 Linux Slapper worms. 282 FTPS (FTP over SSL). 42 firewalls placement. 57. 236 scp utility. 296 remote access. 144 secret key algorithms. 177-178. 206-208 operating system hardening. 178. 178 Secure Sockets Layer (SSL). RSA Security. 295-296 RSoP (Resultant Set of Policy) tool. 153 rsh utility. 337 Sawmill. 278 RSA Security’s SecurID tokens. See symmetric key encryption algorithms Secure Copy (scp) utility. 55 digital certificates. 295 Secure Multipurpose Internet Mail Extension (S/MIME) protocol. 295-296 FTP over SSH (Secure Shell). 242 rule-based access controls (RBACs).

commonly used. 201 Simple Mail Transfer Protocol (SMTP). 181. 179 SHA (Secure Hash Algorithm). 352 shielding electronic and electromagnetic emissions. 278 self-assessment for CompTIA certification educational background. 154 signature-based monitoring. commonly used. See logic bombs. NIDSs (network-based intrusion-detection systems). 37. See symmetric key encryption algorithms shielded twisted-pair (STP) cables. 317-318 service level agreements (SLAs). 205 penetration testing. 127-128 signature biometric authentication. 205 risk management. 155 session hijacking. 58 service-oriented architecture (SOA) authentication. 157 Selected Attribute Types. 96 session layer. 158 security groups. 224 vulnerabilities. 121 ports. 307. 41 shoulder surfing. 203-204 identifying vulnerabilities. 345 Service Location Protocol (SLP). 96 slag code. 350-351 coaxial cables. 352 Shiva Password Authentication Protocol (SPAP). 101 DMZ (demilitarized zone). 155 SIP (Session Initiation Protocol). 120 security identifiers (SIDs). 208-209 ports. 150 short message service (SMS) handheld device security. 284-285 single loss expectancy (SLE). OSI (Open Systems Interconnection) model. 127-128 security templates. 55. 205 system hardening. 75 Simple Network Management Protocol (SNMP). 156 system monitoring. 131-132 single points of failure. 197. 319-320. 264 shared secret key algorithms. 89 email security. 76 system hardening. 229 signatures. 313 single sign-on (SSO) authentication. 180. 76-77 single CA (certificate authority) model. 355 SIDs (security identifiers). 352 plenum. 204-205 penetration testing. 295 application-level gateway proxy-service firewalls. 75 server redundancy. 77 Session Initiation Protocol (SIP). 16-18 Server Message Blocks (SMBs). 14-16 hands-on experience. 352 twisted-pair cables. security baselines OVAL (Open Vulnerability Assessment Language). 57.

178 ssh utility. 337 spam. 345 SLE (single loss expectancy). 231 SSH (Secure Shell). 57-58 SSO (single sign-on) authentication. 101 DMZ (demilitarized zone). 32-33 SQL injections. 178 ports. 82 SNMP (Simple Network Management Protocol). 196. 293 Linux Slapper worms. 155 social engineering risks. 295-296 DMZ (demilitarized zone). 319-320. 354 shoulder surfing. Microsoft. commonly used. 75 smoke detection systems. commonly used. 155 standby power supplies (SPSs). 89 email security. 36 SPAP (Shiva Password Authentication Protocol). 29 SLAs (service level agreements). 208-209 ports. 295 application-level gateway proxy-service firewalls. 224 vulnerabilities. 156 system monitoring. 75 smurf/smurfing DoS (denial-of-service) attacks. 76-77 SOA (service-oriented architecture) authentication. 41 SMS (System Management Server). 292-293 browser security. 150 spoofing. 76 system hardening. 58 SMBs (Server Message Blocks). 312 Spyware. 79-80 SPSs (standby power supplies). 355 software personal firewalls. 348 SMS (short message service) handheld device security. 282 FTPS (FTP over SSL). 29 TLS (Transport Layer Security). 182-183 antispam software. 75 remote access. 312 stateful-inspection firewalls. 112-113 botnets. 225 SMTP (Simple Mail Transfer Protocol). 185. 59 hijacking. 181. 33-34. Slapper (Linux) worms. 78 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 307. 110-111 SOX (Sarbanes-Oxley) legislation. 353-354 awareness training. 121 ports. 59. 177-178 versions. 177 SLP (Service Location Protocol). 170. 177-178 SSL (Secure Sockets Layer). 131-132 slogin utility. 355-356 hoaxes. 55 digital certificates. 116 statistical anomaly detection. 89 FTP over SSH (Secure Shell). 184-185. 100-101. 57. 356-357 dumpster diving. commonly used. 57. 355 phishing.

42-43 removable storage devices. 240-241 user access and rights. 323-324 system security audits. 148 key management. 157-158 updates. 36 STP (shielded twisted-pair) cables. UNIX and Linux. 75 system access control lists (SACLs). 62. 42-43 firewalls placement. 50 switch-based NACs (network access controls). Java. 237-238 best practices. 285 Sun Microsystems. stealth viruses. 30 steam ciphers. 236 symmetric key encryption algorithms. 236-237 group policies. 206-207 nonessential services/protocols. 225 System Monitor. 92-94 subordinate CA (certificate authority). 197 striped disk array RAID. 38-40 handheld devices. 30 steam ciphers. 118 virtualization. 156-157 system hardware/peripherals threats BIOS. 256 Stoned virus. 234 system hardening. 62 steam or block ciphers. 266 SYN flood DoS (denial-of-service) attacks. 230 syslog-ng. 269 DES (Data Encryption Standard). 239-240. 40-41 system logging. 156 security settings. 221-222 system restoration. 122 System Center Configuration Manager 2007. 233 System Management Server (SMS). 352 string signatures. 317 storage-area networks (SANs). 256 RC (Rivest Cipher). 241-242 storage and retention. 41-42 network-attached storage. 177-178. 31 Storage Computer Corporation RAID. 230 syslogd. UNIX. 253-254 AES (Advanced Encryption Standard). 115 Storm botnet. 314 subnetting. 265-266 Kerberos authentication. Microsoft. 233 Systat protocol. 180. 256-257 versus cryptography. 265-267 steganography. 82 syslog. 95 Symantec Antivirus Log Format. 266 bit strengths. commonly used ports. 40-42 storage area network. 117 protocol analyzers. 265-267 3DES (Triple Data Encryption Standard). 266 RCA4 (Rivest Cipher 4). 42-43 USB devices.

172 TCSEC (Trusted Computer System Evaluation Criteria).

T

T-Sight program. 149 TGT (Ticket-Granting Ticket). 322 Terminal Access Controller Access Control System Plus (TACACS+). security. 77-78 DoS (denial-of-service) attacks. 149 time-of-day access restrictions. 97 PBX (Private Branch Exchange) systems. 170. commonly used. 266 Ticket-Granting Server (TGS). 74-76. 293 Record Protocol. IEEE (Institute of Electrical and Electronics Engineers) standard. commonly used. 149 threat assessment. 81 TACACS+ (Terminal Access Controller Access Control System Plus). 175-176 ports. 151 dial-up access. 142-143. 126-127 TKIP (Temporal Key Integrity Protocol). man-in-the-middle attacks. 83 telecom systems. 221. See exams (practice) TGS (Ticket-Granting Server). 96-97 Telnet protocol. 292-293 SSL (Secure Sockets Layer). 270 weak encryption. 82-83 802. 350-351 templates. 292-293 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 77 ports. 75 Task Manager. 233 TCP handshake process. 170.1x. 151 dial-up access. 96 telecom systems. 172 ten-tape rotation backups. 172 TLS (Transport Layer Security). 130-131 3DES (Triple Data Encryption Standard) symmetric key algorithms. 80-81 802. 293 Tower of Hanoi backups. IEEE (Institute of Electrical and Electronics Engineers) standard. 157 Temporal Key Integrity Protocol (TKIP). 75 tests. 75 TEMPEST (Transient Electromagnetic Pulse Emanation Standard) shielding. 96 modem risks. 218-219. 270 weak encryption. commonly used. 57-58 VPNs (virtual private networks). 149 Ticket-Granting Ticket (TGT). 175-176 ports.1x. 322 TPM (Trusted Platform Module). 96 VoIP (voice over Internet Protocol). 185 Handshake Protocol. 219 hijacking. 206 Teardrop DoS (denial-of-service) attacks. 87 TCP ports. 96 telephony. 74-75 TCP/IP hijacking. 262-263 tracer/traceroute utilities. 172 ARP poisoning.

266 Trojan. 86. 356-357 user-based access controls. 285 cross-certification model. 262-263 twisted-pair cables. 82 Teardrop. tracking cookies. 32 TrueCrypt. 311-313 USB devices encryption. 83 Fraggle. 103 USB device security.Nuker. 119-121 logical tokens. 145 UDP (User Datagram Protocol) ports. OSI (Open Systems Interconnection) model. 173 protocol analyzers. 74-75. 185 Handshake Protocol. 74-75. 83 ULA (unique local addresses). 83 user education policies. 311-313 unique local addresses (ULA). 57-58 VPNs (virtual private networks). 32 TrueCrypt. See NT LAN Manager (NTLM) hash algorithm uninterruptible power supplies (UPSs). 352

U

UAC (User Account Control). 293 Record Protocol. 82 Teardrop. Vista. 40-41 User Account Controls (UACs). 352 UPSs (uninterruptible power supplies). 292-293 HTTPS (HTTP over SSL/Hypertext Transfer Protocol over Secure Sockets Layer). 32 Trojans. 206 Trusted Platform Module (TPM). Vista. 153. 346-347. 179 Triple Data Encryption Standard (3DES) symmetric key algorithms. 77 DoS (denial-of-service) attacks Bonk. 285 single model. 77 DoS (denial-of-service) attacks Bonk. 293 transport layer. 93 unshielded twisted-pair (UTP) cables. 32 versus viruses and worms. 145 User Datagram Protocol (UDP) ports. 86. 173 trust hierarchy. 292-293 SSL (Secure Sockets Layer). 350-351 Transport Layer Security (TLS).W32. See PKI (public key infrastructure) trust models. 93 Unicode hash. 83 Fraggle. 285 hierarchical model. 53 Transient Electromagnetic Pulse Emanation Standard (TEMPEST) shielding. 284-285 Trusted Computer System Evaluation Criteria (TCSEC).

60-61 war chalking. 352 VLANs (virtual local area networks). 30 versus Trojans and worms. 207 warm sites. 289 digital certificates. 172. 294 PPTP (Point-to-Point Tunneling Protocol). 172 war driving. 65 Ve