CompTIA Security+ - Seachest.net

00_078973804x_fm.qxd

10/30/08

9:11 PM

Page i

CompTIA Security+ Second Edition Diane Barrett, Kalani K. Hausman, and Martin Weiss

CompTIA Security+ Exam Cram, Second Edition
Copyright © 2009 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-3804-2
ISBN-10: 0-7897-3804-x

Library of Congress Cataloging-in-Publication Data
Barrett, Diane.
CompTIA security+ exam cram / Diane Barrett, Kalani K. Hausman, and Martin Weiss. — 2nd ed.
p. cm.
ISBN 978-0-7897-3804-2 (pbk. w/cd)
1. Electronic data processing personnel—Certification. 2. Computer networks—Examinations—Study guides. 3. Computer technicians—Certification—Study guides. I. Hausman, Kalani Kirk. II. Weiss, Martin. III. Title.
QA76.3.B3644 2009
004.6—dc22
2008045337

Printed in the United States of America
First Printing: November 2008

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Windows is a registered trademark of Microsoft Corporation.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact

U.S. Corporate and Government Sales
1-800-382-3419
[email protected]

For sales outside of the U.S., please contact

International Sales
[email protected]

Associate Publisher: David Dusthimer
Executive Editor: Betsy Brown
Development Editor: Dayna Isley
Technical Editors: Pawan Bhardwaj, Christopher Crayton
Managing Editor: Patrick Kanouse
Project Editor: Seth Kerney
Copy Editor: Keith Cline
Indexer: Joy Dean Lee
Proofreader: Language Logistics, LLC
Publishing Coordinator: Vanessa Evans
Book Designer: Gary Adair
Page Layout: Bronkella Publishing

Contents at a Glance

Introduction
Self-Assessment

Part I: System Security
CHAPTER 1 System Threats and Risks
CHAPTER 2 Online Vulnerabilities

Part II: Infrastructure Security
CHAPTER 3 Infrastructure Basics
CHAPTER 4 Infrastructure Security and Controls

Part III: Access Control
CHAPTER 5 Access Control and Authentication Basics
CHAPTER 6 Securing Communications

Part IV: Assessments and Audits
CHAPTER 7 Intrusion Detection and Security Baselines
CHAPTER 8 Auditing

Part V: Cryptography
CHAPTER 9 Cryptography Basics
CHAPTER 10 Cryptography Deployment

Part VI: Organizational Security
CHAPTER 11 Organizational Security
CHAPTER 12 Organizational Controls

Part VII: Practice Exams and Answers
Practice Exam 1
Practice Exam 1 Answer Key
Practice Exam 2
Practice Exam 2 Answer Key

Part VIII: Appendix
What’s on the CD-ROM
Glossary
Index

Table of Contents

Introduction
  The CompTIA Certification Program
  Taking a Certification Exam
  Tracking Certification Status
  About This Book
  Chapter Format and Conventions
  Exam Topics

Self-Assessment
  CompTIA Certification in the Real World
  The Ideal CompTIA Certification Candidate
  Put Yourself to the Test
  How to Prepare for an Exam
  Studying for the Exam
  Testing Your Exam Readiness
  Dealing with Test Anxiety
  Day of the Exam

Part I: System Security

Chapter 1: System Threats and Risks
  Systems Security Threats
  Privilege Escalation
  Viruses
  Worms
  Trojans
  Spyware
  Spam
  Adware
  Rootkits
  Botnets

  Logic Bombs
  Protecting Against Malicious Code
  Security Threats to System Hardware and Peripherals
  BIOS
  USB Devices
  Handheld Devices
  Removable Storage
  Network-Attached Storage
  Exam Prep Questions
  Answers to Exam Prep Questions
  Suggested Reading and Resources
  References

Chapter 2: Online Vulnerabilities
  Web Vulnerabilities
  Java and JavaScript
  ActiveX Controls
  Cookies
  Common Gateway Interface Vulnerabilities
  Browser Threats
  Peer-to-Peer Networking
  Instant Messaging
  Simple Mail Transport Protocol Relay
  Protocol Vulnerabilities
  SSL/TLS
  LDAP
  File Transfer Protocol Vulnerabilities
  Anonymous Access
  Unencrypted Authentication
  Wireless Network Vulnerabilities
  WAP and i-Mode
  WLANs
  Wired Equivalent Privacy
  Wi-Fi Protected Access

  802.11i
  Site Surveys
  Network Device and Transmission Media Vulnerabilities
  Exam Prep Questions
  Answers to Exam Prep Questions
  Additional Reading and Resources

Part II: Infrastructure Security

Chapter 3: Infrastructure Basics
  Port and Protocol Threats and Mitigation Techniques
  Antiquated and Older Protocols
  TCP/IP Hijacking
  Null Sessions
  Spoofing
  Man in the Middle
  Replay
  Denial of Service
  Distributed DoS
  DNS Kiting
  DNS Poisoning
  ARP Poisoning
  Network Design Elements and Components
  Demilitarized Zone
  Intranet
  Extranet
  Virtual Local Area Network
  Network Address Translation
  Subnetting
  Network Interconnections
  Network Access Control
  Telephony
  Network Security Tools
  NIDS and HIDS
  Network Intrusion Prevention System
  Firewalls

  Proxy Servers
  Internet Content Filters
  Protocol Analyzers
  Exam Prep Questions
  Answers to Exam Prep Questions
  Additional Reading and Resources

Chapter 4: Infrastructure Security and Controls
  Implementing Security Applications
  Personal Software Firewalls
  Antivirus
  Antispam
  Pop-Up Blockers
  Virtualization Technology
  Applying Network Tools to Facilitate Security
  Firewalls
  Proxy Servers
  Internet Content Filters
  Protocol Analyzers
  Logical Access Control Methods
  Security Groups and Roles with Appropriate Rights and Privileges
  Security Controls for File and Print Resources
  Access Control Lists
  Group Policies
  Password Policy
  Logical Tokens
  Physical Control
  Risk and Return on Investment
  Identifying Risk
  Asset Identification
  Risk and Threat Assessment
  Vulnerabilities
  Calculating Risk
  Calculating ROI

  Exam Prep Questions
  Answers to Exam Prep Questions
  Additional Reading and Resources

Part III: Access Control

Chapter 5: Access Control and Authentication Basics
  Access Control
  Mandatory Access Control
  Discretionary Access Control
  Role-Based Access Control
  Access Control Best Practices
  Authentication
  Kerberos Authentication
  Mutual Authentication
  Challenge-Handshake Authentication Protocol
  Terminal Access Controller Access Control System Plus
  Remote Authentication Dial-In User Service
  IEEE 802.1x
  Certificates
  Username and Password
  Tokens
  Biometrics
  Multifactor Authentication
  Single Sign-On
  Identity Proofing
  Operating System Hardening
  Nonessential Services and Protocols
  Patch Management
  Security Settings
  Physical Access Security Methods
  Physical Barriers
  Facilities
  Other Deterrents
  Exam Prep Questions

  Answers to Exam Prep Questions
  Additional Reading and Resources

Chapter 6: Securing Communications
  Remote Access
  802.1x Wireless Networking
  VPN Connections
  Dial-Up User Access
  Secure Shell Connections
  Remote Desktop Protocol (RDP)
  Internet Protocol Security
  Electronic Mail
  Secure Multipurpose Internet Mail Extension
  Pretty Good Privacy
  Undesirable Email
  Instant Messaging
  Web Connectivity
  Hypertext Transport Protocol over Secure Sockets Layer
  Secure Sockets Layer
  Transport Layer Security
  Exam Prep Questions
  Answers to Exam Prep Questions
  Suggested Reading and Resources

Part IV: Assessments and Audits

Chapter 7: Intrusion Detection and Security Baselines
  Intrusion Detection
  Methods of Intrusion Detection
  Intrusion-Detection Sources
  Honeypots and Honeynets
  Incident Handling
  Security Baselines
  Vulnerability Assessment
  Hardening

  Exam Prep Questions
  Answers to Exam Prep Questions
  Additional Reading and Resources

Chapter 8: Auditing
  Using Monitoring Tools to Detect Security-Related Anomalies
  Performance Benchmarking and Baselining
  Performance Monitoring
  System Monitoring
  Protocol Analyzers
  Monitoring Methodologies
  Behavior-Based Monitoring
  Anomaly-Based Monitoring
  Signature-Based Monitoring
  Logging Procedures and Evaluation
  Application Security
  DNS
  System Logging
  Performance Logging
  Access Logging
  Firewall Logging
  Antivirus Logging
  Periodic Audits of System Security Settings
  User Access and Rights Review
  Storage and Retention Policies
  Group Policies
  Exam Prep Questions
  Answers to Exam Prep Questions
  Additional Reading and Resources

Part V: Cryptography

Chapter 9: Cryptography Basics
  Encryption Algorithms
  Symmetric Keys
  Asymmetric Keys
  Key Management
  Steganography
  CIA Triad
  Confidentiality
  Integrity
  Availability
  Nonrepudiation and Digital Signatures
  Whole Disk Encryption
  Trusted Platform Module
  Hashing Concepts
  Cryptographic Hash Functions
  Windows Authentication Hashing Algorithms
  Symmetric Encryption Algorithms
  Asymmetric Encryption Algorithms
  Wireless
  Exam Prep Questions
  Answers to Exam Prep Questions
  Suggested Readings and Resources

Chapter 10: Cryptography Deployment
  PKI Standards
  PKIX
  Public Key Cryptography Standards
  X.509
  PKI Components
  Certificate Authorities
  Registration Authorities
  Certificates
  Certificate Policies

  Certificate Practice Statements
  Revocation
  Trust Models
  Key Management and the Certificate Life Cycle
  Centralized Versus Decentralized
  Storage
  Key Escrow
  Expiration
  Revocation
  Status Checking
  Suspension
  Recovery
  M of N Control
  Renewal
  Destruction
  Key Usage
  Multiple Key Pairs
  Protocols and Applications
  SSL and TLS
  Point-to-Point Tunneling Protocol
  Layer 2 Tunneling Protocol and IP Security
  Secure/Multipurpose Internet Mail Extensions
  Pretty Good Privacy
  Secure Shell
  Exam Prep Questions
  Answers to Exam Prep Questions
  Suggested Readings and Resources

Part VI: Organizational Security

Chapter 11: Organizational Security
  Disaster Recovery and Redundancy Planning
  Redundant Sites
  Utilities
  Redundant Equipment and Connections
  Service Level Agreements

Backup Techniques and Practices
Backup Types
Schemes
System Restoration
Exam Prep Questions
Answers to Exam Prep Questions
Suggested Readings and Resources

Chapter 12: Organizational Controls
Incident Response Procedures
Forensics
Chain of Custody
First Responders
Damage and Loss Control
Reporting and Disclosure
Applicable Legislation and Organizational Policies
Secure Disposal of Computers and Media
Acceptable Use Policies
Password Complexity
Change Management
Classification of Information
Separation of Duties and Mandatory Vacations
Personally Identifiable Information
Due Care
Due Diligence
Due Process
Service Level Agreements
Security-Related Human Resources Policy
User Education and Awareness Training
The Importance of Environmental Controls
Fire Suppression
HVAC
Shielding
The Risks of Social Engineering
Phishing
Hoaxes

Shoulder Surfing
Dumpster Diving
User Education and Awareness Training
Exam Prep Questions
Answers to Exam Prep Questions
Recommended Reading and Resources

Part VII: Practice Exams and Answers

Practice Exam 1
Practice Exam 1 Answer Key
Answers at a Glance
Answers with Explanations
Practice Exam 2
Practice Exam 2 Answer Key
Answers at a Glance
Answers with Explanations

Appendix: What’s on the CD-ROM
Multiple Test Modes
Study Mode
Certification Mode
Custom Mode
Attention to Exam Objectives
Installing the CD
Creating a Shortcut to the MeasureUp Practice Tests
Technical Support

Glossary

Index

About the Authors

Diane Barrett is a professor in the Network Security and Computer Forensics programs at the University of Advancing Technology. She has authored several security and forensic books. Diane belongs to the local chapters of several security user groups, including HTCIA and InfraGard. She was also a volunteer for ISSA’s (Information Systems Audit and Control Association) Generally Accepted Information Security Principles (GAISP) in the Ethical Practices Working Group. She holds about 15 industry certifications, including CISSP, ISSMP, and Security+. Diane received her master’s of science degree in computer technology, with a specialization in information security, from Capella University.

Kalani K. Hausman, CISSP, CISA, CISM, GHSC, is an author, teacher, and information technology implementer with more than 20 years’ experience specializing in IT governance, enterprise architecture, regulatory compliance, and enterprise security management. His experience includes medium to large-scale globally deployed networks in governmental, higher-education, health-care, and corporate settings. He is active within the FBI InfraGard, Information Systems Audit and Control Association (ISACA) and ISSA and is currently employed as the Assistant Commandant for IT at Texas A&M University.

Martin Weiss is a manager of information security gurus at RSA, The Security Division of EMC, helping organizations accelerate their business by solving their most complex and sensitive security challenges. He is also on the board of directors for the Connecticut chapter of ISSA and has authored several other books. He holds several certifications, including Security+, CISSP, MCSE: Security, and RSA CSE. Marty received his MBA from the Isenberg School of Management at the University of Massachusetts and currently lives in New England with his wife and three sons. Marty can be reached at [email protected]

Dedication

To my husband, Bill, for having the fortitude to deal with all my technology.
—Diane Barrett

To my boys, Kobe, Maxwell, and Oliver.
—Martin Weiss

As always, my work is dedicated to Susan, Jonathan, and Cassandra, who inspire me daily.
—Kalani K. Hausman

Acknowledgments

Publishing a book takes the collaboration and teamwork of many individuals. Thanks to everyone involved in this process from Waterside Productions and Pearson Education (and thanks to those who purchase this book in their quest for certification). Betsy, thanks for keeping us all on track. To our editorial and technical reviewers, thank you for making sure that our work was sound and on target. Special thanks to my coauthors, Marty and Kirk: You made this project interesting and enjoyable.
—Diane Barrett

I would like to thank my agent, Carole McClendon, in addition to Betsy Brown and the Pearson editorial staff. Special thanks go to my coauthors: Martin Weiss and especially to Diane Barrett, who coordinated the compilation of this work.
—Kalani K. Hausman

First, thank you to the entire team that helped bring this book together. Diane, you specifically were a tremendous help. Thank you. Thanks as well to the many fine employees and customers I work with at RSA. Thank you Spike, Luke, and Moxie, for the moral support provided on those late nights. Finally, I’m thankful for the inspiration provided to me by my three boys (Kobe, Max, and Ollie) and, of course, my incredible wife, Kelly.
—Martin Weiss

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way.

As the Associate Publisher for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: [email protected]

Mail:
Dave Dusthimer
Associate Publisher
Que Publishing
800 East 96th Street
Indianapolis, IN 46240 USA

Reader Services

Visit our website and register this book at http://www.informit.com/register for convenient access to any updates, downloads, or errata that might be available for this book.

01_078973804x_intro.qxd

10/30/08

9:11 PM

Page 1

Introduction

Welcome to CompTIA Security+ Exam Cram, Second Edition. Whether this book is your first or your fifteenth Exam Cram series book, you’ll find information here that will help ensure your success as you pursue knowledge, experience, and certification. This book aims to help you get ready to take and pass the CompTIA Security+ exam, number SY0-201. This introduction explains CompTIA’s certification programs in general and talks about how the Exam Cram series can help you prepare for CompTIA’s latest certification exams.

Chapters 1 through 12 are designed to remind you of everything you need to know to pass the SY0-201 certification exam. The two practice exams at the end of this book should give you a reasonably accurate assessment of your knowledge; and, yes, we’ve provided the answers and their explanations for these practice exams. Read this book, understand the material, and you’ll stand a very good chance of passing the real test.

Exam Cram books help you understand and appreciate the subjects and materials you need to know to pass CompTIA certification exams. Exam Cram books are aimed strictly at test preparation and review. They do not teach you everything you need to know about a subject. Instead, the authors streamline and highlight the pertinent information by presenting and dissecting the questions and problems they’ve discovered that you’re likely to encounter on a CompTIA test.

Nevertheless, to completely prepare yourself for any CompTIA test, we recommend that you begin by taking the “Self-Assessment” that immediately follows this introduction. The self-assessment tool will help you evaluate your knowledge base against the requirements for the CompTIA Security+ exam under both ideal and real circumstances. This can also be the first step in earning more advanced security certifications.

Based on what you learn from the self-assessment, you might decide to begin your studies with classroom training or some background reading. On the other hand, you might decide to pick up and read one of the many study guides available from Que or a third-party vendor.

We also strongly recommend that you spend some time installing, configuring, and working with both Windows and UNIX or Linux operating systems to patch and maintain them for the best and most current security possible because the Security+ exam focuses on such activities and the knowledge and skills they can provide for you. Nothing beats hands-on experience and familiarity when it comes to understanding the questions you’re likely to encounter on a certification test. Book learning is essential, but without doubt, hands-on experience is the best teacher of all!

The CompTIA Certification Program

The Computing Technology Industry Association (http://www.comptia.org) offers numerous IT certifications, primarily aimed at entry- and intermediate-level IT professionals. Here is a list of some other relevant CompTIA certifications, briefly annotated to document their possible relevance to Security+:

- A+: An exam that tests basic PC hardware and software installation, configuration, diagnosing, preventive maintenance, and basic networking. This two-part exam also covers security, safety, environmental issues, communication, and professionalism. This exam is an excellent prequalifier for those interested in Security+ who might have little or no PC or computing skills or knowledge. For more information about this exam, see http://certification.comptia.org/a/default.aspx.
- Network+: An exam that tests basic and intermediate networking skills and knowledge, including hardware, drivers, protocols, and troubleshooting topics. This exam is an excellent prequalifier for those interested in Security+ who have little or no networking skills or knowledge. For more information about this exam, go to http://certification.comptia.org/network/default.aspx.
- Server+: An exam that tests server knowledge and capabilities, including RAID, SCSI, multiple CPUs, and disaster recovery. This exam is an excellent prequalifier for those interested in Security+ who have little or no server environment skills or knowledge. For more information about this exam, go to http://certification.comptia.org/server/default.aspx.
- Linux+: An exam that tests knowledge and management of Linux systems via command line, user administration, file permissions, software configurations, Linux-based clients, server systems, and security. For more information about this exam, go to http://certification.comptia.org/linux/default.aspx.

The CompTIA exams are all vendor- and platform-neutral, which means they primarily test general skills and knowledge, instead of focusing on vendor or product specifics. Therefore, they offer certification candidates a chance to demonstrate necessary general abilities relevant in most workplaces. (This explains why employers generally look at CompTIA certifications favorably.)

Because CompTIA changes their website often, the URLs listed above might not work in the future. You should use the Search tool on CompTIA’s site to find more information about a particular certification.

Taking a Certification Exam

After you prepare for your exam, you need to register with a testing center. At the time of this writing, the cost to take the Security+ exam is $258 for individuals. CompTIA Corporate Members receive discounts on nonmember pricing. For more information about these discounts, a local CompTIA sales representative can provide answers to any questions you might have. If you don’t pass, you can take the exam again for the same cost as the first attempt, for each attempt until you pass. In the United States and Canada, tests are administered by Prometric or VUE. Here’s how you can contact them:

- Prometric—You can sign up for a test through the company’s website, http://securereg3.prometric.com/. Within the United States and Canada, you can register by phone at 800-755-3926. If you live outside this region, check the Prometric website for the appropriate phone number.
- Pearson VUE—You can contact Virtual University Enterprises (VUE) to locate a nearby testing center that administers the test and to make an appointment. You can find the sign-up web page for the exam itself at http://www.vue.com/comptia/. You can also use this web page (click the Contact button, click the View Telephone Directory by Sponsor link, and then click CompTIA) to obtain a telephone number for the company (in case you can’t or don’t want to sign up for the exam on the web page).

To sign up for a test, you must possess a valid credit card or contact either Prometric or Vue for mailing instructions to send a check (in the United States). Only after payment has been verified, or a check has cleared, can you actually register for a test.

To schedule an exam, you need to call the appropriate phone number or visit the Prometric or Vue website at least one day in advance. To cancel or reschedule an exam in the United States or Canada, you must call before 3 p.m. Eastern time the day before the scheduled test time (or you might be charged, even if you don’t show up to take the test). When you want to schedule a test, you should have the following information ready:

- Your name, organization, and mailing address.
- Your CompTIA test ID. (In the United States, this means your Social Security number; citizens of other countries should call ahead to find out what type of identification number is required to register for a test.)
- The name and number of the exam you want to take.
- A payment method. (As mentioned previously, a credit card is the most convenient method; alternative means can be arranged in advance, if necessary.)

After you sign up for a test, you are told when and where the test is scheduled. You should arrive at least 15 minutes early. To be admitted into the testing room, you must supply two forms of identification, one of which must be a photo ID.

Tracking Certification Status

After you pass the exam, you are certified. Official certification is normally granted after six to eight weeks, so you shouldn’t expect to get your credentials overnight. The package for official certification that arrives includes a Welcome Kit that contains a number of elements. (See CompTIA’s website for other benefits of specific certifications.)

- A certificate suitable for framing, along with a wallet card.
- A license to use the related certification logo, which means you can use the logo in advertisements, promotions, and documents, and on letterhead, business cards, and so on. Along with the license comes a logo sheet, which includes camera-ready artwork. (Note that before you use any of the artwork, you must sign and return a licensing agreement that indicates you’ll abide by its terms and conditions.)

Many people believe that the benefits of certification go well beyond the perks that CompTIA provides to new members of this elite group. We’re starting to see more job listings that request or require applicants to have CompTIA and other related certifications, and many individuals who complete CompTIA certification programs can qualify for increases in pay and responsibility. As an official recognition of hard work and broad knowledge, a certification credential is a badge of honor in many IT organizations.

About This Book

We’ve structured the topics in this book to build on one another. Therefore, some topics in later chapters make the most sense after you’ve read earlier chapters. That’s why we suggest that you read this book from front to back for your initial test preparation. If you need to brush up on a topic or if you have to bone up for a second try, you can use the index or table of contents to go straight to the topics and questions that you need to study. Beyond helping you prepare for the test, we think you’ll find this book useful as a tightly focused reference to some of the most important aspects of the Security+ certification.

Chapter Format and Conventions

Each topical Exam Cram chapter follows a regular structure and contains graphical cues about important or useful information. Here’s the structure of a typical chapter:

- Opening hotlists—Each chapter begins with a list of the terms, tools, and techniques that you must learn and understand before you can be fully conversant with that chapter’s subject matter. The hotlists are followed with one or two introductory paragraphs to set the stage for the rest of the chapter.
- Topical coverage—After the opening hotlists and introductory text, each chapter covers a series of topics related to the chapter’s subject. Throughout that section, we highlight topics or concepts that are likely to appear on a test, using a special element called an Exam Alert:

EXAM ALERT This is what an alert looks like. Normally, an alert stresses concepts, terms, software, or activities that are likely to relate to one or more certification test questions. For that reason, we think any information in an alert is worthy of extra attentiveness on your part.

Pay close attention to material flagged in Exam Alerts; although all the information in this book pertains to what you need to know to pass the exam, Exam Alerts contain information that is really important. Of course, you need to understand the “meat” of each chapter, too, when preparing for the test. Because this book’s material is condensed, we recommend that you use this book along with other resources to achieve the maximum benefit.

In addition to the alerts, we provide tips and notes to help you build a better foundation for security knowledge. Although the tip information might not be on the exam, it is certainly related and will help you become a better-informed test taker.

TIP This is how tips are formatted. Keep your eyes open for these, and you’ll become a Security+ guru in no time!

NOTE This is how notes are formatted. Notes direct your attention to important pieces of information that relate to the CompTIA Security+ certification.

- Exam prep questions—Although we talk about test questions and topics throughout this book, the section at the end of each chapter presents a series of mock test questions and explanations of both correct and incorrect answers.
- Details and resources—Every chapter ends with a section that provides direct pointers to CompTIA and third-party resources that offer more information about the chapter’s subject. That section also tries to rank or at least rate the quality and thoroughness of the topic’s coverage by each resource. If you find a resource you like in that collection, you should use it; don’t feel compelled to use all the resources. On the other hand, we recommend only resources that we use on a regular basis, so none of our recommendations will be a waste of your time or money. (However, purchasing them all at once probably represents an expense that many network administrators and CompTIA certification candidates might find hard to justify.)

Although the bulk of this book follows the chapter structure just described, we want to point out a few other elements:

- “Practice Exam 1” and “Practice Exam 2” and the answer explanations provide good reviews of the material presented throughout the book to ensure that you’re ready for the exam.
- The Glossary defines important terms used in this book.
- The tear-out Cram Sheet attached next to the inside front cover of this book represents a condensed collection of facts and tips that we think are essential for you to memorize before taking the test. Because you can dump this information out of your head onto a sheet of paper just before taking the exam, you can master this information by brute force; you need to remember it only long enough to write it down when you walk into the testing room. You might even want to look at it in the car or in the lobby of the testing center just before you walk in to take the exam.
- The MeasureUp Practice Tests CD-ROM that comes with each Exam Cram and Exam Prep book features a powerful, state-of-the-art test engine that prepares you for the actual exam. MeasureUp Practice Tests are developed by certified IT professionals and are trusted by certification students around the world. For more information, visit http://www.measureup.com.

Exam Topics

Table I-1 lists the skills measured by the SY0-201 exam and the chapter in which the topic is discussed. Some topics are covered in other chapters, too.

TABLE I-1: CompTIA SY0-201 Exam Topics

| Exam Topic | Chapter |
|---|---|
| Domain 1.0: Systems Security | |
| Differentiate among various systems security threats. | 1 |
| Explain the security risks pertaining to system hardware and peripherals. | 1 |
| Implement OS hardening practices and procedures to achieve workstation and server security. | 7 |
| Carry out the appropriate procedures to establish application security. | 2 |
| Implement security applications. | 4 |
| Explain the purpose and application of virtualization technology. | 4 |
| Domain 2.0: Network Infrastructure | |
| Differentiate between the different ports and protocols and their respective threats and mitigation techniques. | 3 |
| Distinguish between network design elements and components. | 3 |
| Determine the appropriate use of network security tools to facilitate network security. | 3 |
| Apply the appropriate network tools to facilitate network security. | 4 |
| Evaluate user systems and recommend appropriate settings to optimize performance. | 4 |
| Explain the vulnerabilities and mitigations associated with network devices. | 2 |
| Explain the vulnerabilities and mitigations associated with various transmission media. | 2 |
| Explain the vulnerabilities and implement mitigations associated with wireless networking. | 6 |
| Domain 3.0: Access Control | |
| Identify and apply industry best practices for access control methods. | 5 |
| Explain common access control models and the differences between each. | 5 |
| Organize users and computers into appropriate security groups and roles while distinguishing between appropriate rights and privileges. | 4 |
| Apply appropriate security controls to file and print resources. | 4 |
| Compare and implement logical access control methods. | 4 |
| Summarize the various authentication models and identify the components of each. | 5 |
| Deploy various authentication models and identify the components of each. | 6 |
| Explain the difference between identification and authentication (identity proofing). | 5 |
| Explain and apply physical access security methods. | 5 |
| Domain 4.0: Assessments and Audits | |
| Conduct risk assessments and implement risk mitigation. | 7 |
| Carry out vulnerability assessments using common tools. | 7 |
| Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning. | 7 |
| Use monitoring tools on systems and networks and detect security-related anomalies. | 8 |
| Compare and contrast various types of monitoring methodologies. | 8 |
| Execute proper logging procedures and evaluate the results. | 8 |
| Conduct periodic audits of system security settings. | 8 |
| Domain 5.0: Cryptography | |
| Explain general cryptography concepts. | 9 |
| Explain basic hashing concepts and map various algorithms to appropriate applications. | 9 |
| Explain basic encryption concepts and map various algorithms to appropriate applications. | 9 |
| Explain and implement protocols. | 10 |
| Explain core concepts of public key cryptography. | 10 |
| Implement PKI and certificate management. | 10 |
| Domain 6.0: Organizational Security | |
| Explain redundancy planning and its components. | 11 |
| Implement disaster recovery procedures. | 11 |
| Differentiate between and execute appropriate incident response procedures. | 12 |
| Identify and explain applicable legislation and organizational policies. | 12 |
| Explain the importance of environmental controls. | 12 |
| Explain the concept of and how to reduce the risks of social engineering. | 12 |

Given all the book’s elements and its specialized focus, we’ve tried to create a tool that will help you prepare for and pass CompTIA Security+ Exam SY0-201. Please share with us your feedback on this book, especially if you have ideas about how we can improve it for future test takers. Send your questions or comments about this book via email to [email protected] We’ll consider everything you say carefully, and we’ll respond to all suggestions. For more information about this book and other Exam Cram titles, visit our website at http://www.informit.com/examcram. Thanks for making this Exam Cram book a pivotal part of your certification study plan. Best of luck on becoming certified!

02_078973804x_sa.qxd

10/30/08

9:10 PM

Page 11

Self-Assessment

We include a self-assessment in this Exam Cram book to help you evaluate your readiness to tackle CompTIA certifications. It should also help you to understand what you need to know to master the main topic of this book (namely, Exam SY0-201 Security+). You might also want to check out the CompTIA Web page, http://www.CompTIA.com/, on the CompTIA Website. Before you tackle this self-assessment, however, let’s talk about concerns you might face when pursuing a CompTIA certification credential on security and what an ideal CompTIA certification candidate might look like.

CompTIA Certification in the Real World

In the next section, we describe the ideal CompTIA certified candidate, knowing full well that only a few real candidates meet that ideal. In fact, our description of those ideal candidates might seem downright scary, especially with the changes that have been made to the CompTIA certifications to support Windows. But take heart: Although the requirements to obtain the advanced CompTIA certification might seem formidable, they are by no means impossible to meet. However, you need to be keenly aware that getting through the process takes time, involves some expense, and requires real effort.

Increasing numbers of people are attaining CompTIA certifications. You can get all the real-world motivation you need from knowing that many others have gone before, so you will be able to follow in their footsteps. If you’re willing to tackle the process seriously and do what it takes to obtain the necessary experience and knowledge, you can take and pass all the certification tests involved in obtaining the credentials. In fact, at Que Publishing, we’ve designed the Exam Cram series to make it as easy for you as possible to prepare for these exams. Visit http://www.informit.com/examcram for more certification resources.


The Ideal CompTIA Certification Candidate

To give you an idea of what an ideal CompTIA certification candidate is like, here are some relevant statistics about the background and experience such an individual might have:

NOTE Don’t worry if you don’t meet these qualifications or even come very close. Where you fall short is just where you have more work to do.

• Academic or professional training in information security theory, concepts, and operations. This includes everything from “systems security, network infrastructure, access control,” and “assessments and audits,” to “cryptography” and “organizational security,” to quote straight from the CompTIA Web page on general Security+ exam information.

• Academic or professional training in networking with a particular emphasis on TCP/IP. This includes everything from networking media and transmission techniques through network operating systems, services, and applications, to the details involved in installing, configuring, and using common TCP/IP-based networking services such as Web (HTTP) and wireless services, among others. The official CompTIA verbiage for this requirement reads “two years on-the-job networking experience, with an emphasis on security.”

• Two or more years of professional networking experience, including experience with various networking media. This must include installation, configuration, upgrade, and troubleshooting experience. The CompTIA Network+ certification is also recommended.

NOTE All certifications require some hands-on experience. Some of the more advanced exams require you to solve real-world case studies and security-related issues, so the more hands-on experience you have, the better.

• Understand systems security concepts, including differentiating among various systems security threats and explaining the security risks pertaining to system hardware and peripherals. You also need to understand concepts related to implementing OS hardening practices and procedures to achieve workstation and server security, along with carrying out the appropriate procedures to establish application security. Candidates must also understand how to properly implement security applications and explain the purpose and application of virtualization technology.

• Understand a broad range of topics related to network infrastructure, including differentiating between the different ports and protocols, their respective threats, and mitigation techniques. You also need to explain the vulnerabilities and mitigations associated with network devices and transmission media and be able to apply the appropriate network tools to facilitate security.

• Understand access control topics, including access and authentication methods. You need to be able to identify common access control models and apply appropriate security controls to all resources. Knowledge of authentication components such as biometrics, VPN, and remote access, along with physical measures, is required.

• Learn the roles that tools and security settings play in assessments and audits. Other relevant concepts include performance monitoring and establishing and maintaining security baselines for networks, servers, and applications.

• Understand the basics of cryptography, including key algorithms, public key infrastructures, security standards and protocols, and what’s involved in managing keys and digital certificates.

• Know the concepts and best practices related to organizational security, including incident response, disaster recovery, and what’s involved in formulating and maintaining organizational policies and procedures. You also need to understand environmental controls and social engineering concerns.

• Recognize the concepts related to forensics investigations, legal considerations, and protecting the organization from damage (understanding malice may originate both externally and internally). In addition, you will be required to identify environmental controls and discuss user security-awareness training.

Fundamentally, this all boils down to a bachelor’s degree in computer science with a strong focus on security topics, plus two years of experience working in a position involving network design, installation, configuration, maintenance, and security matters. We believe that fewer than half of all certification candidates meet these requirements, and that, in fact, most meet fewer than half of these requirements—at least, when they begin the certification process. But because so many other IT professionals who already have been certified in security topics have survived this ordeal, you can survive it, too, especially if you heed what this self-assessment can tell you about what you already know and what you need to learn. This self-assessment is designed to show you what you already know and to identify the topics that you need to review.

Put Yourself to the Test

The following questions and observations are designed to help you figure out how much work you must do to pursue CompTIA certification and the types of resources you can consult on your quest. Be absolutely honest in your answers. If you are not, you’ll end up wasting money on exams that you’re not yet ready to take. There are no right or wrong answers—only steps along the path to certification. Only you can decide where you really belong in the broad spectrum of aspiring candidates. Two points should be clear from the outset, however:

• Even a modest background in computer science will be helpful.
• Hands-on experience with security products and technologies is an essential ingredient for certification success.

Educational Background

The following questions concern your level of technical computer experience and training. Depending on your answers to these questions, you might need to review some additional resources to raise your knowledge for the types of questions that you will encounter on CompTIA certification exams:

1. Have you ever taken any computer-related classes?

2. Have you taken any classes on computer operating systems?

You will need to be able to handle various architecture and system component discussions that come up throughout the Security+ materials. If you are rusty, brush up on basic operating system concepts, especially virtual memory, buffer overflows, access controls, and general computer security topics. Consider some basic reading in this area. We strongly recommend a good general operating systems book, such as Operating System Concepts, 7th Edition, by Abraham Silberschatz, Peter Baer Galvin, and Greg Gagne (John Wiley & Sons, 2004). If this title doesn’t appeal to you, check out reviews for other, similar titles at your favorite online bookstore.

3. Have you taken any networking concepts or technologies classes?

You will probably be able to handle the numerous mentions of networking terminology, concepts, and technologies that appear on the Security+ exam. If you are rusty, brush up on basic networking concepts and terminology, especially networking media, transmission types, the OSI reference model, basic networking technologies, and TCP/IP. You might want to read one or two books in this topic area. The two best general books that we know of are Computer Networking Illuminated, by Diane Barrett and Todd King (Jones and Bartlett, 2005) and Computer Networks and Internets, 5th Edition, by Douglas E. Comer (Prentice Hall, 2008). When it comes to TCP/IP, consider also TCP/IP Clearly Explained, 4th Edition, by Pete Loshin (Morgan Kaufmann, 2002), or Guide to TCP/IP, 3rd Edition, by Ed Tittel and Laura Chappell (Course Technology, 2006).

4. Have you done any reading on operating systems or networks?

Review the requirements stated in the first paragraphs after questions 2 and 3. If you do not meet those requirements, consult the recommended reading for both topics. A strong networking background will help you prepare for the Security+ exam in too many important ways to recount them all here.

5. Have you taken any security concepts or information security classes?

You will probably be able to handle the primary focus on information security terminology, concepts, and technologies that drive the Security+ exam. If you are rusty, brush up on basic security concepts and terminology, especially the topics mentioned explicitly in the Security+ exam objectives (download them from http://certification.comptia.org/security/security_update.aspx). If you are not sure whether you are completely knowledgeable about these topics, read one of the general information security references mentioned in the following paragraph. You might want to read one or two books in this topic area. The two best general information security books that we know of are Computer Security Fundamentals by Chuck Easttom (Prentice Hall, 2005), and Computer Security, 2nd Edition by Dieter Gollmann (John Wiley & Sons, 2006).

6. Have you done any reading on general security concepts or information security?

Review the requirements stated in the paragraphs after question 5. If you do not meet those requirements, consult the recommended reading for those topics. A strong information security background is essential when preparing for the Security+ exam.

Hands-On Experience

An important key to success on the Security+ exam lies in obtaining hands-on experience, especially with Windows 2003 Server and XP Professional, and with some relatively recent version of Linux or UNIX in both server and workstation configurations. There is simply no substitute for time spent installing, configuring, and using the various Microsoft and Linux or UNIX services, protocols, and configuration settings, about which you will be asked repeatedly on the Security+ exam. That said, such coverage stresses concepts and principles much more than exact installation or configuration details; it is a vendor-neutral exam, after all.

Have you installed, configured, and worked with the following operating systems:

• Windows 2003 Server?

Make sure you understand basic concepts as covered in Microsoft MCP Exam 70-290. You should also study the TCP/IP interfaces, utilities, and services for Microsoft MCP Exam 70-293, plus have implemented the security features for Microsoft Exam 70-298. Microsoft MCP Exam 70-291 can also shed light on the Microsoft slant on information security, which will help you prepare for the Security+ exam, too.

TIP You can download objectives, practice exams, and other data about Microsoft exams from the Training and Certification page at http://www.microsoft.com/learning/default.mspx. Click the Find an Exam link to obtain specific exam info.

If you haven’t worked with Windows 2003 Server, TCP/IP, and the Internet Security and Accelerator (ISA) Server, obtain one or two machines and a copy of Windows 2003 Server. Then learn the operating system. Do the same for TCP/IP and any other software components on which you will also be tested.

• Some version of Linux or UNIX configured as a server?

Be sure you understand basic concepts behind Linux or UNIX installation, configuration, operation, and maintenance. You also should study the TCP/IP interfaces, utilities, and related services; specific security utilities; and related configuration tools to make sure you can put Security+ concepts and terms into an operational context. In fact, we recommend that you obtain two computers, each with a network interface, and set up a two-node network on which to practice. With decent Windows 2003- and UNIX/Linux-capable computers selling for less than $500 these days, this shouldn’t be too great a financial hardship. You might have to scrounge to come up with the necessary software, but if you scour the Microsoft Website, you can usually find low-cost options to obtain evaluation copies of most of the software you will need. Linux is open source, which means you can get it for free (if you don’t mind building your own installations without software assistance) or for less than $100 (if you prefer to get a self-installing version of the software with documentation).

• Windows XP Professional?

You might want to obtain a copy of Windows XP Professional and learn how to install, configure, and maintain it. Pick up a well-written book to guide your activities and studies (such as MCSE Windows XP Professional Exam Cram 2, by Derek Melber and Dan Baltar), or you can work straight from CompTIA’s exam objectives if you prefer.

• Windows Vista?

Consider obtaining a copy of Windows Vista and learn how to install, configure, and maintain it. Carefully read each page of this book while working with your copy of Windows Vista, and review the CompTIA exam objectives.

TIP Microsoft offers resource kits for various topics. You can purchase soft cover resource kits from Microsoft Press (search at http://www.microsoft.com/learning/books/default.mspx), but they also appear on TechNet (http://technet.microsoft.com/en-us/default.aspx).

• Some version of Linux or UNIX configured as a workstation or desktop machine?

Make sure you understand the concepts involved in installing, configuring, and managing Linux or UNIX desktop machines. Here again, pay special attention to installing, configuring, and maintaining a Linux or UNIX desktop and to client-side security settings, tools, and utilities.

NOTE You can download objectives, practice exams, and other data about CompTIA exams from the Training and Certification page at http://www.comptia.org/trainingandeducation/default.aspx. Click the CompTIA Certification Programs link to obtain specific exam information.

Use One Computer to Simulate Multiple Machines

If you own a powerful enough computer—one that has plenty of available disk space, a lot of RAM (at least 1GB), and a dual-core processor or better—check out the available VMware and Virtual PC virtual-machine software products. These software programs create an emulated computer environment within separate windows that are hosted by your computer’s main operating system—Windows Vista, Windows Server 2003, Windows XP, Linux, and so on. With this tool, on a single computer you can have several different operating systems running simultaneously in different windows. You can run everything from DOS to Linux, from Windows 95, XP, or Vista to Windows Server 2003. Within a virtual-machine environment, you can “play” with the latest operating systems, including beta versions, without worrying about “blowing up” your main production computer and without having to buy an additional PC. VMware software is published by VMware, Inc.; you can get more information from its website at http://www.vmware.com. Virtual PC is published by Microsoft; you can find out more information from the Virtual PC 2007 Website at http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx.

Before you even think about taking any CompTIA exam, make sure you’ve spent enough time studying security principles and practices. This time will help you in the exam—and in real life!

TIP Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for the Security+ certification exam is essential. If you have the funds, or if your employer will pay your way, consider taking a class. CompTIA maintains a list of pointers to Security+ training venues on its website. Visit http://www.comptia.org/trainingandeducation/default.aspx for more details.


How to Prepare for an Exam

Preparing for any CompTIA certification test, including Exam SY0-201, requires that you obtain and study materials designed to provide comprehensive information about the product and its capabilities that will appear on the specific exam for which you are preparing. The following list of materials can help you study and prepare:

• The exam preparation materials, practice tests, and self-assessment exams on the CompTIA Training and Certification site, at http://certification.comptia.org/security/prepare.aspx. The Prepare for Exam link offers samples of the new question types on the CompTIA certification track series of exams. Find the materials, download them, and use them.

• The exam preparation advice, practice tests, online references, and discussion groups on InformIT, at http://www.informit.com/examcram.

• Several publishers—including Que Publishing—offer Windows Server 2003, Windows Vista, Windows XP, and CompTIA titles.

• CompTIA Learning Alliance (CLA), online partners, and third-party training companies (such as New Horizons and Global Knowledge) all offer classroom training on Windows Server 2003, Windows Vista, Windows XP, and Network+. These companies aim to help you prepare to pass Exam SY0-201 (and several others). Although this type of training tends to be pricey, most who are lucky enough to attend find this training worthwhile.

• There’s no shortage of material available about security. The “Suggested Readings and Resources” sections at the end of each chapter in this book identify sources for further discussion.

This required and recommended material represents a comprehensive collection of sources and resources for security and related topics. We anticipate that you’ll find this book belongs in this company.

Studying for the Exam

Although many websites describe what to study for a particular exam, few sites cover how you should study for an exam. The study process can be broken down into various stages. However, critical to all of these stages is the ability to concentrate.


To be able to concentrate, you must remove all distractions. Although you should plan for study breaks, it is the unplanned breaks caused by distractions that do not allow you to concentrate on what you need to learn. Therefore, you first need to create an environment conducive to studying or seek out one that is (such as a library). Do not study with the TV on, and do not have other people in the room. It is easy for the TV or another person to attract your attention (and thus break your concentration).

Opinions differ as to whether it is better to study with or without music playing. Some people need to have a little white noise in the background to study. If you do choose to have music, keep the volume low and listen to music without lyrics.

After you find a place to study, schedule the time to study. Do not study on an empty stomach. But do not study on a full stomach either, because a full stomach tends to make people drowsy. Keep a glass of water nearby to sip on. Make sure that you are well rested so that you don’t doze off. And find a comfortable position and use ergonomically appropriate furniture. Make sure that your study area is well lit. Natural light is best for fighting fatigue. Before you begin to study, clear your mind of distractions. Take a minute or two, close your eyes, and empty your mind.

When you prepare for an exam, the best place to start is to take the list of exam objectives and study each objective carefully for its scope. Then organize your study, keeping these objectives in mind. Doing so will help you narrow your focus to specific topics or subtopics. In addition, you need to understand and visualize the exam process as a whole. This process will help prepare you to deal with practical problems in the real testing environment and perhaps to even deal with questions that you might not have expected.
In a multiple-choice exam, you do have one advantage: The answer or answers are already there, and you just have to choose the correct ones. Because the answers are already there, you can use your knowledge and logic to eliminate incorrect answers. One common mistake is to select the first obvious-looking answer without checking the other options. So always examine all the options and then think and choose the right answer. Of course, with multiple-choice questions, you have to be exact and differentiate between similar answers. As mentioned previously, a peaceful study area without distractions will help you prepare; you will more easily be able to focus on the questions and possible answers and not miss key points.


Testing Your Exam Readiness

Whether you attend a formal class on a specific topic to prepare for an exam or use written material for self-study, some preparation for the Security+ certification exam is essential. At $250 a try (the price is lower if you or your employer belong to CompTIA), pass or fail, you want to do everything you can to pass on your first attempt. We have included two practice exams in this book. If you don’t score well on the first test, you can study more and then tackle the second test. If you still don’t hit a score of at least 90% after these tests, investigate the following practice test resources. (Feel free to use your favorite search engine to look for more; this list is by no means exhaustive.)

• TestKing—http://www.testking.com/
• Transcender—http://www.transcender.com
• PrepLogic—http://www.preplogic.com
• Self Test Software—http://www.selftestsoftware.com

For any given subject, consider taking a class if you have tackled self-study materials, taken the test, and failed anyway. The opportunity to interact with an instructor and fellow students can make all the difference, if you can afford that privilege. For information about Security+ classes, use your favorite search engine with a string such as “Security+ class” or “Security+ training.” Even if you can’t afford to spend much at all, you should still invest in some low-cost practice exams from commercial vendors.

TIP CompTIA also maintains a list of pointers to Security+ training venues on its website. Visit http://www.comptia.org/certification/Security/get_training.asp for more information.

The next question deals with your personal test-taking experience. CompTIA certification exams have their own style and idiosyncrasies. The more acclimated you become to the CompTIA testing environment, the better your chances will be to score well on the exams: Have you taken a Security+ practice exam? If you scored 90% or better, you are probably ready to tackle the real thing. If your score isn’t above that threshold, keep at it until you break that barrier.


If you haven’t taken a Security+ practice exam, obtain all the free and low-price practice tests you can find and get to work. Keep at it until you can break the passing threshold comfortably.

TIP When assessing your test readiness, there is no better way than to take a good-quality practice exam and pass with a score of 85% or better. When we are preparing ourselves, we shoot for better than 90%, just to leave room for the “weirdness factor” that sometimes depresses performance on exams when taking the real thing. (The passing score on Security+ is 85% or higher; that is why we recommend shooting for 90%, to leave some margin for the impact of stress when taking the real thing.)

In addition to the general exam-readiness information in this section, you can do several things to prepare for the Security+ exam. As you’re getting ready for the Security+ exam, visit http://www.cramsession.com. You can sign up for “Question of the Day” services for this exam, join relevant ongoing discussion groups, and look for pointers to exam resources, study material, and related tips.

Dealing with Test Anxiety

A certification exam costs money and requires preparation time, and failing an exam can be a blow to your self-confidence. This is why most people feel a certain amount of anxiety before taking a certification exam. Certain levels of stress can actually help you to raise your level of performance when taking an exam. This anxiety can help you focus and think clearly through a problem. For some people, however, exam anxiety is more than just a nuisance. For these people, exam anxiety is a debilitating condition that negatively affects their performance on exams.

Anxiety reduction begins with the preparation process. Ensure that you know the material; you should not be nervous about any topic area. The better prepared you are, the less stress you will experience. Always give yourself plenty of time to prepare; don’t place yourself under unreasonable deadlines. But again, make goals and make every effort to meet those goals. Procrastination and making excuses can be just as bad. No hard-and-fast rule specifies how long it takes to prepare for an exam. The time required will vary from student to student and depends on a number of factors (reading speed, access to study material, personal commitments, and so on). In addition, don’t compare yourself to peers, especially if doing so has a negative effect on your confidence.


For many students, practice exams are a great way to avoid fear that might otherwise arise at the test center. Practice exams are best used near the end of the exam preparation. Be sure to use them as an assessment of your current knowledge, not as a way to try to memorize key concepts. When reviewing practice exam questions, be sure you understand the question and all answers (right and wrong). And finally, set time limits to complete the practice exams.

If you know the material, don’t plan on studying the day of your exam. Instead, end your studying the evening before the exam. In addition, get a good, full night’s rest before the exam. Of course, study on a regular basis for at least a few weeks before the exam. So long as you do so, you won’t need any last-minute cramming.

Day of the Exam

Before you take an exam, eat something light, even if you have no appetite. If your stomach is upset, try mild foods (such as toast or crackers). Plain saltine crackers are great for settling a cranky stomach. Keep your caffeine and nicotine consumption to a minimum; excessive stimulants aren’t conducive to reducing stress. Take a bottle of water or some hard candy with you to combat dry mouth. Be sure to dress comfortably.

Arrive at the testing center early. If you have never been to the testing center before, confirm that you know where it is. You might even consider taking a test drive. Arrive between 15 and 30 minutes early for the certification exam so that you can

• Pray, meditate, or breathe deeply
• Scan glossary terms and quick access tables before taking the exam (to get the intellectual juices flowing and to build a little confidence)
• Practice physical relaxation techniques
• Visit the washroom

But don’t arrive too early.

Typically, the testing room is furnished with anywhere from one to six computers, and each workstation is separated from the others by dividers designed to keep others from seeing what’s happening on someone else’s computer screen. Most testing rooms feature a wall with a large picture window. This layout permits the exam coordinator to monitor the room. The exam coordinator will have preloaded the appropriate CompTIA certification exam—for this book, that’s Exam SY0-201 Security+—and you are permitted to start as soon as you’re seated in front of the computer.

TIP Always remember that the testing center’s test coordinator is there to assist you in case you encounter some unusual problems, such as a malfunctioning test computer. If you need some assistance not related to the content of the exam itself, notify one of the test coordinators—after all, they are there to make your exam-taking experience as pleasant as possible.

All exams are completely closed-book. In fact, you are not permitted to take anything with you into the testing area. You usually receive a blank sheet of paper and a pen or, in some cases, an erasable plastic sheet and an erasable pen. We suggest that you immediately write down on that sheet of paper all the information you’ve memorized for the test. In Exam Cram books, this information appears on the tear-out sheet (Cram Sheet) inside the front cover of each book. You are given some time to compose yourself, record this information, and take a sample orientation exam before you begin the real thing. We suggest that you take the orientation test before taking your first exam. Because all the certification exams are more or less identical in layout, behavior, and controls, however, you probably don’t need to do so if you’ve taken an orientation test before. All CompTIA certification exams are timed. (This time is indicated on the exam by an onscreen timer clock, so you can check the time remaining whenever you like.) All CompTIA certification exams are computer-generated. All questions are multiple choice. Although this format might sound quite simple, the questions are constructed not only to check your mastery of basic facts and figures about security concepts, but also to require you to evaluate myriad circumstances and requirements. Often, you are asked to select more than one answer to a question. Likewise, you might be asked to choose the best or most effective solution to a problem from a range of choices, all of which are technically correct. Taking the exam is quite an adventure, and it involves real thinking and concentration. This book shows you what to expect and how to deal with the potential problems, puzzles, and predicaments.


PART I

System Security

Chapter 1 System Threats and Risks
Chapter 2 Online Vulnerabilities


CHAPTER ONE

System Threats and Risks

Terms you need to understand:

✓ Privilege escalation
✓ Viruses
✓ Worm
✓ Trojan
✓ Spyware
✓ Spam
✓ Rootkits
✓ Botnets
✓ Logic bomb
✓ BIOS
✓ Removable storage

Techniques you need to master:

✓ Understanding and identifying common system security threats
✓ Recognizing when an attack is happening and taking proper steps to end it
✓ Learning to identify which types of attacks you might be subject to and how to implement proper security to protect your environment
✓ Recognizing malicious code and knowing how to respond appropriately
✓ Understanding security risks that threaten system hardware and peripherals
✓ Learning the concepts of network attached storage


Securing your resources is a challenge in any working environment. It has become common for resources to be subject to myriad attacks through software, hardware, and peripherals. The Security+ exam requires that you understand that minimizing system threats and risks can thwart many would-be attackers and that you understand the different types of attacks that can happen.

Systems Security Threats

Because networks today have become so complex and mobile, they have many points of entry. These various points can all be vulnerable, leaving an intruder many points of access. With so many ways of getting into the network, the components must be divided into separate elements so that the security process becomes easier to manage. Before you can begin to look at securing the environment, however, you must understand the threats and risks associated with the environment. This section explores those threats and risks to help you understand everyday potential dangers.

In today’s network environment, malicious code, or malware, has become a serious problem. The target is not only the information stored on local computers, but also other resources and computers. As a security professional, part of your responsibility is to recognize malicious code and know how to respond appropriately. This section covers the various types of malicious code you might encounter, including privilege escalation, viruses, worms, Trojans, spyware, spam, adware, rootkits, botnets, and logic bombs.

Privilege Escalation

Programming errors can result in system compromise, allowing someone to gain unauthorized privileges. Software exploitation takes advantage of a program’s flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator. This is known as privilege escalation.

Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Poor application design might allow the input of 100 characters into a field linked to a variable only capable of holding 50 characters. As a result, the application doesn’t know how to handle the extra data and becomes unstable. The overflow portion of the input data must be discarded or somehow handled by the application; otherwise, it could create undesirable results. Because no check is in place to screen out bad requests, the extra data overwrites some portions of memory used by other applications and causes failures and crashes.

A buffer overflow can result in the following:
• Overwriting of data or memory storage.
• A denial of service due to overloading the input buffer’s ability to cope with the additional data.
• The originator can execute arbitrary code, often at a privileged level.

Services running on Internet-connected computers present an opportunity for compromise using privilege escalation. Some services require special privilege for their operation. A programming error could allow an attacker to obtain special privilege. In this situation, two possible types of privilege escalation exist: a programming error that allows a user to gain additional privilege after successful authentication and a user gaining privilege with no authentication.

The following are examples of these types of buffer overflow issues:
• In the fall of 2002, the Linux Slapper worm infected about 7,000 servers. The worm exploited a flaw in Secure Sockets Layer (SSL) on Linux-based web servers. The premise behind this vulnerability is that the handshake process during an SSL server connection can be made to cause a buffer overflow when a client uses a malformed key.
• Flaws such as buffer overflows that cause execution stack overwriting in the Java Virtual Machine (JVM). The JVM is the client-side environment supporting Java applets. Improperly created applets can potentially generate a buffer overflow condition, crashing the client system.

In the case of buffer overflows, good quality assurance and secure programming practices could thwart this type of attack. Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer’s latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities. Patching operating systems and applications is discussed in Chapter 5, “Access Control and Authentication Basics.” Back doors and other types of privilege escalation that are not specifically buffer overflow-related are discussed in Chapter 2, “Online Vulnerabilities.”
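The 100-characters-into-a-50-character-field case described above, as an added C example that is not from the book: the unchecked copy is shown beside a version that measures the input and refuses anything that does not fit. The `account` record, its `is_admin` field, and the function names are hypothetical, and the oversized input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 50   /* bytes reserved for the field, as in the text */

/* Hypothetical record: a privilege flag is stored right after the name field. */
struct account {
    char name[FIELD_SIZE];
    int  is_admin;
};

/* Unsafe pattern, shown for contrast and never called in this example.
 * strcpy() copies until it meets a NUL byte and knows nothing about
 * FIELD_SIZE, so 100 characters of input run past name[] and overwrite
 * whatever follows it in memory. */
void set_name_unchecked(struct account *a, const char *input)
{
    strcpy(a->name, input);
}

/* Length of s, never looking past max bytes. Returns max if no NUL was found. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened pattern: measure first, then reject input that does not fit.
 * Rejecting (rather than silently truncating) keeps the stored value
 * unambiguous. Returns 0 on success, -1 if the input was refused. */
int set_name_checked(struct account *a, const char *input)
{
    size_t len;

    if (a == NULL || input == NULL)
        return -1;
    len = bounded_len(input, FIELD_SIZE);
    if (len >= FIELD_SIZE)          /* no room left for the terminator */
        return -1;
    memcpy(a->name, input, len);
    a->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct account acct = { "guest", 0 };
    char oversized[101];            /* constructed input: 100 characters */

    memset(oversized, 'A', 100);
    oversized[100] = '\0';

    printf("100-char input: %s\n",
           set_name_checked(&acct, oversized) == 0 ? "stored" : "rejected");
    printf("name=%s is_admin=%d\n", acct.name, acct.is_admin);
    printf("5-char input:   %s\n",
           set_name_checked(&acct, "alice") == 0 ? "stored" : "rejected");
    printf("name=%s is_admin=%d\n", acct.name, acct.is_admin);
    return 0;
}
```

The checked version leaves both the existing name and the adjacent flag untouched when it refuses input, which is the screening step the text says is missing in vulnerable applications.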


Viruses

A virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. It then attaches to other files, adds its code to the application’s code, and continues to spread. Even a simple virus is dangerous because it can use all available resources and bring the system to a halt. Many viruses can replicate themselves across networks and bypass security systems.

Viruses are malicious programs that spread copies of themselves throughout a single machine. They infect other machines only if an infected object is accessed and the code is launched by a user on that machine. There are several types of viruses:
• Boot sector—This type of virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory.
• Polymorphic—This type of virus can change form each time it is executed. It was developed to avoid detection by antivirus software.
• Macro—This type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users.
• Program—This type of virus infects executable program files and becomes active in memory.
• Stealth—This type of virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size.
• Multipartite—This type of virus is a hybrid of boot and program viruses. It first attacks a boot sector then attacks system files or vice versa.

EXAM ALERT Viruses have to be executed by some type of action, such as running a program.

Here are a few of the most popular viruses:
• Love Bug—The virus originated in an email titled “I love you.” When the attachment was launched, the virus sent copies of the same email to everybody listed in the user’s address book. The virus came as a Visual Basic Scripting Edition (VBScript) attachment and deleted files, including MP3s, MP2s, and JPGs. It also sent usernames and passwords to the virus author. It infected about 15 million computers and crashed servers around the world.
• Melissa—Melissa first appeared in March 1999. It is a macro virus, embedded in a Microsoft Word document. When the recipient receives the Word document as an attachment to an email message and opens the document, the virus sends email to the first 50 addresses in the victim’s email address book and attaches itself to each message.
• Michelangelo—Michelangelo is a master boot record virus. It is based on an older virus called Stoned. The Michelangelo virus erases the contents of the infected drive on March 6 (its namesake’s birthday) of the current year.

Since 2000, the majority of viruses released are actually worms, which are discussed in the following section.

Worms

Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. This process repeats with no user intervention. After the worm is running on a system, it checks for Internet connectivity. If it finds connectivity, the worm then tries to replicate from one system to the next.

Examples of worms include the following:
• Morris—This famous worm took advantage of a Sendmail vulnerability and shut down the entire Internet in 1988.
• Badtrans—This mass-mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access Trojan horse.
• Nimda—This worm infects using several methods, including mass mailing, network share propagation, and several Microsoft vulnerabilities. Its name is admin spelled backward.
• Code Red—A buffer overflow exploit is used to spread this worm. This threat affects only web servers running Microsoft Windows 2000.


Worms propagate by using email, instant messaging, file sharing (P2P), and IRC channels. Packet worms spread as network packets and directly infiltrate the RAM of the victim machine, where the code is then executed.

EXAM ALERT A worm is similar to a virus or Trojan, except that it replicates by itself, without any user interaction.

Trojans

Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Trojans can perform actions without the user’s knowledge or consent, such as collecting and sending data or causing the computer to malfunction.

Examples of Trojan horses include the following:
• Acid Rain—This is an old DOS Trojan that, when run, deletes system files, renames folders, and creates many empty folders.
• Trojan.W32.Nuker—This Trojan was designed to function as a denial-of-service (DoS) attack against a workstation connected to the Internet.
• Mocmex—This Trojan is found in digital photo frames and collects online game passwords.

Trojans can download other Trojans, which is part of how botnets are controlled, as discussed later in this chapter.

Spyware

Undesirable code sometimes arrives with commercial software distributions. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

Like a Trojan, spyware sends information out across the Internet to some unknown entity. In this case, however, spyware monitors user activity on the system, and in some instances this includes the keystrokes typed. This logged information is then sent to the originator. The information, including passwords, account numbers, and other private information, will no longer be private.

Here are some indications that a computer may contain spyware:
• The system is slow, especially when browsing the Internet.
• It takes a long time for the Windows desktop to come up.
• Clicking a link does nothing or goes to an unexpected website.
• The browser home page changes, and you might not be able to reset it.
• Web pages are automatically added to your favorites list.

EXAM ALERT Spyware monitors user activity on the system, and can include keystrokes typed. The information is then sent to the originator.

Many spyware eliminator programs are available. These programs scan your machine, similarly to how antivirus software scans for viruses; and just as with antivirus software, you should keep spyware eliminator programs updated and regularly run scans.

Spam

Just like junk mail clogs our regular mailbox, spam clogs our email box. Spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Most spam is commercial advertising, often for products such as “get rich quick” schemes, physical enhancements, and cheap medications. Spam costs the sender little to send because the actual costs are paid for by the carriers rather than by the sender.

Email spam lists are often created by scanning newsgroup postings, stealing Internet mailing lists, or searching the Web for addresses. Spammers use automated tools to subscribe to as many mailing lists as possible. From those lists, they capture addresses or use the mailing list as a direct target for their attacks. State, federal, and international laws regulate spam.


CAUTION Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address.

When dealing with spam, follow this advice:
• Never make a purchase from an unsolicited email.
• If you do not know the sender of an unsolicited email message, delete it. (Don’t be curious and open it.)
• Do not respond to spam messages and do not click any links within the message (even to “unsubscribe”).
• Do not use the preview function of your email software because if you do the email message will automatically show as read.
• When sending email messages to a number of people, use the blind carbon copy (BCC) field to hide their email addresses.
• Be careful about giving out your email address on websites and newsgroups.
• Use more than one email address, keeping your personal email address private.

In addition, use software that filters spam. Approximately 75% of the email organizations receive is spam. It is best to filter it before it gets to the users.

Adware

Advertising-supported software, or adware, is another form of spyware. It is an online way for advertisers to make a sale. Companies offer to place banner ads in their products for other companies. In exchange for the ad, a portion of the revenue from banner sales goes to the company that places the ad. However, this novel concept presents some issues for users. These companies also install tracking software on your system, which keeps in contact with the company through your Internet connection. It reports data to the company, such as your general surfing habits and which sites you have visited. And although the company might state that they will not collect sensitive or identifying data from your system, the fact remains that you have software on your PC that is sending information about you and your surfing habits to a remote location.


U.S. federal law prohibits secretly installing software that forces consumers to receive pop-ups that disrupt their computer use. Adware is legitimate only when users are informed up front that they will receive ads. In addition, if the adware gathers information about users, it must inform them. Even though legitimate adware is not illegal, certain privacy issues arise. For instance, although legitimate adware discloses the nature of data collected and transmitted, users have little or no control over what data is being collected and dispersed. Remember, this technology can send more than just banner statistics.

Rootkits

Rootkits were first documented in the early 1990s. Today, rootkits are more widely used and are increasingly difficult to detect on networks. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. A rootkit is usually installed on a computer by first obtaining user-level access. After a rootkit has been installed, it allows the attacker to gain root or privileged access to the computer. Root or privileged access could also allow the compromise of other machines on the network. A rootkit may consist of programs that view traffic and keystrokes, alter existing files to escape detection, or create a back door on the system.

EXAM ALERT Rootkits can be included as part of a software package, installed by way of an unpatched vulnerability or by the user downloading and installing it.

Attackers are creating more sophisticated programs that update themselves, which makes them that much harder to detect. If a rootkit has been installed, traditional antivirus software can’t always detect the malicious programs. Many rootkits run in the background. Therefore, you can usually easily spot them by looking for memory processes, monitoring outbound communications, and checking for newly installed programs. Kernel rootkits modify the kernel component of an operating system. These newer rootkits can intercept system calls passed to the kernel and can filter out queries generated by the rootkit software. Rootkits have also been known to use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port. These “tricks” invalidate the usual detection methods because they make the rootkits invisible to administrators and to detection tools.


Many vendors offer applications that can detect rootkits, such as RootkitRevealer. Removing rootkits can be a bit complex because you have to remove the rootkit itself and the malware that the rootkit is using. Often, rootkits change the Windows operating system itself. Such a change might cause the system to function improperly. When a system is infected, the only definitive way to get rid of a rootkit is to completely format the computer’s hard drive and reinstall the operating system. Most rootkits use global hooks for stealth activity. So if you use security tools that can prevent programs from installing global hooks and stop process injection, you can prevent rootkit functioning. In addition, rootkit functionality requires full administrator rights. Therefore, you can avoid rootkit infection by running Windows from an account with lesser privileges.

Botnets

A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although many computers in the corporate world are bots, as well). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You might also hear a botnet referred to as a zombie army.

A system is usually compromised by a virus or other malicious code that gives the attacker access. A bot can be created through a port that has been left open or an unpatched vulnerability. A small program is left on the machine for future activation. The bot master can then unleash the effects of the army by sending a single command to all the compromised machines. A computer can be part of a botnet even though it appears to be operating normally. This is because bots are hidden and usually go undetected unless you are specifically looking for certain activity. The computers that form a botnet can be programmed to conduct a distributed denial-of-service (DDoS) attack, distribute spam, or to do other malicious acts.

Botnets have flooded the Internet. It is estimated that on a typical day 40% of the computers connected to the Internet are bots. This problem shows no sign of easing. For example, Storm started out as an email that began circulating on January 19, 2007. It contained a link to a news story about a deadly storm. Fourteen months later, Storm remained the largest, most active botnet on the Internet. Storm was the first to make wide use of peer-to-peer communications. Storm has a self-defense mechanism. When the botnet is probed too much, it reacts automatically and starts a denial-of-service (DoS) attack against the probing entity.

Botnets can be particularly tricky and sophisticated, making use of social engineering. A collection of botnets, known as Zbot, last year stole millions from banks in four nations. The scammers enticed bank customers to click a link to download an updated digital certificate. This was a ruse, and Zbot installed a program that allowed it to see the next time the user successfully accessed the account. Zbot then automatically completed cash transfers to other accounts while the victims did their online banking.

The main issue with botnets is that they are securely hidden. This allows the botnet masters to perform tasks, gather information, and commit crimes while remaining undetected. Attackers can increase the depth and impact of their crimes by using multiple computers because each computer in a botnet can be programmed to execute the same command.

Logic Bombs

A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. For a virus to be considered a logic bomb, the user of the software must be unaware of the payload. A programmer might create a logic bomb to delete all his code from the server on a future date, most likely after he has left the company. In several cases recently, ex-employees have been prosecuted for their role in this type of destruction.

For example, one of the most high-profile cases of a modern-day logic bomb was the case of Roger Duronio. Duronio was a disgruntled computer programmer who planted a logic bomb in the computer systems of UBS, an investment bank. UBS estimated the repair costs at $3.1 million, and that doesn’t include the downtime, lost data, or lost business. The actions of the logic bomb coincided with stock transactions by Mr. Duronio, so securities and mail fraud charges were added to the computer crime charges. The logic bomb that he planted on about 1,000 systems deleted critical files and prevented backups from occurring. He was found guilty of leaving a logic bomb on the systems and of securities fraud. He was sentenced to more than eight years in jail and fined $3.1 million.¹

EXAM ALERT A logic bomb is also referred to as slag code. It is malicious in intent and usually planted by a disgruntled employee.


During software development, it is a good idea to evaluate the code to keep logic bombs from being inserted. Even though this is a preventive measure, code evaluation will not guarantee a logic bomb won’t be inserted after the programming has been completed.

Protecting Against Malicious Code

You can take several steps to protect your network from malicious code:
• Install antivirus software and update the files on a regular basis. Antivirus software doesn’t do a company any good if it is not updated often.
• Only open attachments sent to you by people you know. Many viruses infect user address books. So even if you know who the attachment is from, be sure to scan it before you open it.
• Do not use any type of removable media from another user without first scanning the disk.
• Perform backups on a daily basis.
• Install firewalls or intrusion-prevention systems on client machines.
• Subscribe to newsgroups and check antivirus websites on a regular basis.

Security Threats to System Hardware and Peripherals

The preceding section discussed issues that arise from threats such as privilege escalations and malware. However, these are not the only threats that exist. System hardware and peripherals can pose just as many threats. This section examines the hardware risks you should be aware of, especially when formulating security policies. Taking the time to evaluate the environment as a whole can save you many headaches down the road.

BIOS

There are ample documented procedures for securing operating systems, but significantly less is available on how to secure some of the integrated components of a system, such as the Basic Input/Output System (BIOS). Because the BIOS performs a basic function, you might not realize that it can be compromised and allow an attacker full control over a machine. The BIOS can be compromised in several ways:
• BIOS password
• Known vulnerabilities
• Bypassing access control

System access to the BIOS configuration utility is controlled by a password. After the password is set, the configuration of the computer cannot be changed without inputting the password. However, many BIOS manufacturers build in backdoor passwords. Often, they are simple, such as the name of the BIOS manufacturer. In addition, lists of known backdoor passwords are available on the Internet. Because this method of access has become so public, BIOS manufacturers have become more secretive about any backdoors they may now use.

EXAM ALERT The BIOS passwords of laptops are a bit different in that the passwords are usually flashed into firmware.

Depending on the manufacturer, the laptop may have a hardware dongle or special loopback device to bypass the password. Again, there are Internet instructions and a helpful YouTube video showing how to create your own dongle.

A vulnerability in the BIOS can allow local users to cause a DoS and the system not to boot. This scenario results from an error in the BIOS code. The nature of the coding error means that it is difficult to identify and might leave the computer inoperable for an extended period of time. Any computer using this version of the BIOS can be configured so that the bootable partition is defined below the first slot in the master boot record (MBR) partition table, and then it will not boot. An attack at any time during an operating session can leave the computer unable to reboot.

Another BIOS vulnerability is that the BIOS holds the boot order. Boot order determines whether the operating system will be loaded from CD-ROM, hard disk, USB device, or the network. If an attacker gains physical access to the machine and changes the boot order, there is no way to protect the system from compromise. An attacker could boot the system from a device that contains software to change the administrative password, extract password information for a later attack, directly access data on the hard disk, or install a backdoor or Trojan. Keep in mind that one compromised system can be used as a catalyst for further attacks on several other systems or the entire network.

BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. On almost all systems, the BIOS password information is stored in the CMOS RAM. Although the passwords are stored in hashed values, the hashes used leave a bit to be desired. Therefore, programs created for this specific purpose can usually crack the password in a short period of time. Information for bypassing the BIOS password is readily available on the Internet.

Most organizations do not have a policy for BIOS passwords. In most companies, many computers share the same BIOS password, and that password is seldom changed. If an attacker manages to gain physical access, a large portion of the network could be compromised.
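A check for the partition-table condition mentioned above, as an added C example that is not from the book: it decodes the four slots of an MBR sector and reports which one carries the active (bootable) flag, so a system whose bootable partition sits below the first slot can be identified. It assumes the standard MBR layout (table at offset 446, 0x55AA signature); the function names are hypothetical and the sector is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define TABLE_OFFSET 446    /* 0x1BE: first of four 16-byte partition entries */
#define ENTRY_SIZE   16
#define NUM_SLOTS    4

struct mbr_entry {
    uint8_t  status;        /* 0x80 = active (bootable), 0x00 = inactive */
    uint8_t  type;          /* partition type; 0x00 marks an unused slot */
    uint32_t lba_start;     /* first sector of the partition */
    uint32_t sectors;       /* partition length in sectors */
};

/* On-disk integers are little-endian regardless of the host CPU. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the partition table. Returns 0, or -1 if the 0x55AA signature is absent. */
int mbr_parse(const uint8_t *sector, struct mbr_entry out[NUM_SLOTS])
{
    int i;

    if (sector[510] != 0x55 || sector[511] != 0xAA)
        return -1;
    for (i = 0; i < NUM_SLOTS; i++) {
        const uint8_t *e = sector + TABLE_OFFSET + i * ENTRY_SIZE;
        out[i].status    = e[0];
        out[i].type      = e[4];
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
    }
    return 0;
}

/* Slot index (0-3) of the one active partition; -1 if none is active;
 * -2 if several are flagged or a status byte is neither 0x00 nor 0x80. */
int mbr_active_slot(const struct mbr_entry t[NUM_SLOTS])
{
    int i, found = -1;

    for (i = 0; i < NUM_SLOTS; i++) {
        if (t[i].status == 0x80) {
            if (found >= 0)
                return -2;
            found = i;
        } else if (t[i].status != 0x00) {
            return -2;
        }
    }
    return found;
}

/* Constructed sample sector: two partitions of type 0x07, with the active
 * flag on the chosen slot (pass -1 for no active partition). */
void mbr_build_sample(uint8_t *sector, int active_slot)
{
    static const uint32_t start[2] = { 2048, 206848 };
    static const uint32_t count[2] = { 204800, 409600 };
    int i, b;

    memset(sector, 0, SECTOR_SIZE);
    for (i = 0; i < 2; i++) {
        uint8_t *e = sector + TABLE_OFFSET + i * ENTRY_SIZE;
        e[0] = (i == active_slot) ? 0x80 : 0x00;
        e[4] = 0x07;
        for (b = 0; b < 4; b++) {
            e[8 + b]  = (uint8_t)(start[i] >> (8 * b));
            e[12 + b] = (uint8_t)(count[i] >> (8 * b));
        }
    }
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

int main(void)
{
    uint8_t sector[SECTOR_SIZE];
    struct mbr_entry table[NUM_SLOTS];
    int i, slot;

    mbr_build_sample(sector, 1);    /* active flag on the second slot */
    if (mbr_parse(sector, table) != 0) {
        puts("no MBR signature");
        return 1;
    }
    for (i = 0; i < NUM_SLOTS; i++)
        printf("slot %d: status=0x%02X type=0x%02X start=%lu sectors=%lu\n",
               i + 1, (unsigned)table[i].status, (unsigned)table[i].type,
               (unsigned long)table[i].lba_start, (unsigned long)table[i].sectors);
    slot = mbr_active_slot(table);
    if (slot > 0)
        printf("active partition is in slot %d, below the first slot\n", slot + 1);
    else if (slot == 0)
        puts("active partition is in the first slot");
    else
        puts("no single active partition found");
    return 0;
}
```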

USB Devices

When floppy disks were the only form of removable storage, policies regarding the use of removable media were unnecessary, other than scanning the floppy disks for viruses. However, the 8GB micro drives and 32GB thumb drives currently available can carry entire virtualized environments on them. Technological advances in virtualization and storage essentially make removable media a PC that can be carried in a pocket. Mobile employees can leave hardware behind and take only software with them. Entire environments can now be carried on devices such as a USB drive or iPod. Organizations are exploring the possibilities of running environments on smaller devices to eliminate the need for specialized systems. All these technological changes present new challenges to the traditional methods of securing systems. In addition, running operating systems and applications this way leaves little trace on the host system.

These small, high-capacity, removable storage devices present a concern when it comes to corporate security and protecting proprietary information. It is quite simple for a disgruntled employee to misuse data (take data and sell it, for instance). Of course, the real issue is access to the information. However, if the information is readily available, even employees with good intentions might misplace or have a removable storage device stolen. Organizations have the option of not allowing removable media. Such a policy can eliminate the issues that arise from the problems presented here.


Organizations must decide whether removable devices will be allowed. If they are allowed, strict policies must dictate who can use them and how. Although it might be difficult to guard against the use of removable storage devices or enforce a policy related to removable storage, it is not impossible. Group Policy can be used to disable the capacity for unauthorized users to use any USB storage devices. Another layer of protection can be applied by encrypting and properly securing sensitive corporate information. Group Policy is discussed further in Chapter 4, “Infrastructure Security and Controls,” and encryption is explored in great depth in Chapter 9, “Cryptography Basics.”

Handheld Devices

Just about everyone carries a cell phone, and most corporate workers have PDAs. These devices have associated risks. The first is, of course, theft or loss. It is estimated that at least eight million cell phones are lost or stolen every year in the United States. For many organizations, losing a cell phone or a PDA loaded with contacts, email, and client data can be a severe detriment to business. To provide convenience and redundancy, USB cables and client software can be used to sync PDAs and cell phones to a user’s desktop computer. There are also enterprise-level product suites. Although this might prevent lost data, it also presents other risks.

New security threats targeting cell phones and other mobile devices could quickly become bigger than anything the industry has seen so far. Considering that there are more cell phones than computers in today’s environment, the impact of a cell phone virus could prove devastating. The first cell phone virus appeared in 2004. The Cabir smart phone worm attempted to spread between Symbian-based mobile phones by jumping from one Bluetooth-enabled phone to another Bluetooth-enabled phone when both phones were left in the “discoverable” mode. The Cabir virus has since been found in about 15 different variations. The more capabilities a device has, the more vulnerable the device. According to a report from an Ireland-based cell phone security company, in mid-2008 the security company tracked 100,000 virus incidents per day.²

The use of operating systems and Bluetooth technology on handheld devices will enable viruses to spread either through short message service (SMS) or by sending Bluetooth requests when cell phones are physically close enough (as demonstrated by the Cabir worm). The difference in method of infection is that SMS viruses spread based on people’s social connections, whereas Bluetooth viruses spread by people’s mobility patterns and population distribution.


Other security threats are also surfacing as customers use cell phones to provide more and more of the functions that computers currently do. Handheld devices are rarely password protected, even though they contain a remarkable amount of data. Cell phone hacking and spyware are becoming more common. Vendors have begun introducing customer-side security features, such as a cellular firewall and software solutions with antivirus and antispam protection for wireless mobile devices. Intrusion-prevention technologies are also a key part of the defense against threats from mobile devices. Of course, one of the best defenses against these threats is a clearly defined security policy.

Removable Storage

Removable storage is today what floppy disks were 10 years ago. Removable hard drives, especially the small passport types, afford users the convenience to carry files for both their work environment and their home environment on one device. This convenience provides an opportunity for viruses and other malware to spread between networks and physical locations as they share files in both environments and with other users. In addition to malware infections, these devices have a large amount of storage space, so they lend themselves to data theft and information leakage.

Preventing unauthorized use of removable storage and portable devices is critical to running a secure environment and meeting compliance requirements. Although some organizations choose to implement measures such as placing a USB lock on ports and prohibiting the use of CDs, this approach is proving inadequate in organizations where data security is paramount. A better approach is to combine security policies with purchasing and issuing removable storage devices as necessary and then allowing the approved devices, while blocking all unauthorized devices.

An organization should consider implementing controls that ensure all portable devices and removable media are encrypted and accounted for. The security policy should require encryption of all data on portable computers and removable storage. The loss of a storage device, such as a backup tape or CD, is often the fault of third parties, such as a contracting or outside insurance firm. Security policies should also dictate that sensitive data be encrypted before it is released to any outside agencies.

Network-Attached Storage

Data storage has become a vital part of the IT enterprise environment. Data management solutions include network-attached storage (NAS) and storage area network (SAN) technologies. An organization now needs to protect terabytes of data on NAS. A NAS unit is a self-contained device connected to a network, used to supply data storage services to other devices on the network. A SAN is a centrally located virtual disk storage system separate from network traffic and shared by servers. A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. In addition, some security appliances sit on a SAN or are connected to NAS to protect data considered “at rest.” Although many organizations protect data in motion using encryption, they fail to protect that same data when it reaches its final resting spot on storage subsystems. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management.

EXAM ALERT You should know the difference between the various types of storage and the security issues they present.

Subscribing to newsgroups and checking security websites daily ensures that you keep up with the latest attacks and exploits. This information will help arm you to protect all the areas of the organization that may be vulnerable.


Exam Prep Questions

1. Which of the following is the most common method used to obtain privilege escalation?

❍ A. Buffer overflow
❍ B. Trojan
❍ C. Virus
❍ D. Spyware

2. Which of the following is a program or piece of code that runs on your computer without your knowledge and is designed to attach itself to other code and replicate?

❍ A. Buffer overflow
❍ B. Trojan
❍ C. Virus
❍ D. Spyware

3. Which of the following is a correct definition of a Trojan?

❍ A. It needs no user intervention to replicate.
❍ B. It sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
❍ C. It collects personal information or changes your computer configuration without appropriately obtaining prior consent.
❍ D. It buries itself in the operating system software and infects other systems only after a user executes the application that it is buried in.

4. Which of the following is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system?

❍ A. Spyware
❍ B. Rootkit
❍ C. Botnet
❍ D. Adware


5. Code Red is considered a _________.

❍ A. Virus
❍ B. Logic bomb
❍ C. Worm
❍ D. Trojan

6. You have created a utility for defragmenting hard drives. You have hidden code inside the utility that will install itself and cause the infected system to erase the hard drive’s contents on April 1, 2008. Which of the following attacks has been used in your code?

❍ A. Virus
❍ B. Spoofing
❍ C. Logic bomb
❍ D. Trojan horse

7. A vulnerability in the BIOS can allow local users to cause which of the following? (Choose two answers.)

❍ A. Hard drive failure
❍ B. System not to boot
❍ C. System to lock up
❍ D. Denial of service

8. Which of the following is a self-contained device connected to a network, used to supply data storage services to other devices on the network?

❍ A. USB device
❍ B. Cell phone
❍ C. Removable storage
❍ D. Network-attached storage

9. BIOS access control can be bypassed by which of the following methods? (Select all correct answers.)

❍ A. Cracking the BIOS password
❍ B. Overloading the keyboard buffer
❍ C. Deleting the contents of the CMOS RAM
❍ D. Deleting the contents of the MBR


10. Which of the following is associated with behaviors such as collecting personal information or changing your computer configuration, without appropriately obtaining prior consent?

❍ A. Spyware
❍ B. Rootkit
❍ C. Botnet
❍ D. Trojan

Answers to Exam Prep Questions

1. A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service. Answer B is incorrect because Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer C is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

2. C. A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer A is incorrect. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service. Answer B is incorrect because Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.


3. D. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed. Answer A is incorrect because it describes a worm. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. Answer B is incorrect because it describes IP spoofing. Answer C is incorrect because it describes spyware.

4. B. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer C is incorrect. A bot provides the spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer D is incorrect. Adware is a form of advertising that installs additional tracking software on your system, which keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.

5. C. Code Red. A buffer overflow exploit is used to spread this worm. This threat affects only web servers running Microsoft Windows 2000. Answers A, B, and D are incorrect because Code Red is not a virus, logic bomb, or Trojan.

6. C. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or after a certain period of time passes. Answers A and D are incorrect because a specified time element is involved. Answer B is incorrect because spoofing involves modifying the source address of traffic or the source of information.

7. B, D. A vulnerability in the BIOS can allow local users to cause a denial of service and the system not to boot. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted and is associated more with attacks that happen after the machine is up and running.

8. D. A NAS unit is a self-contained device connected to a network, used to supply data storage services to other devices on the network. Answers A, B, and C are all incorrect because they are removable, small-capacity devices.

9. A, B, C. BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. Answer D is incorrect because the MBR is part of the hard disk configuration and has nothing to do with the BIOS.


10. A. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Answer B is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. Answer C is incorrect. A bot provides the spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although many computers in the corporate world are bots, too, as we’ve recently learned). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You might also hear a botnet referred to as a zombie army. Answer D is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed.

Suggested Reading and Resources

1. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed, 5th Edition. McGraw-Hill Osborne Media, 2005.
2. Tittle, Ed. PC Magazine Fighting Spyware, Viruses, and Malware. John Wiley & Sons, 2004.
3. Virus Bulletin website: http://www.virusbtn.com
4. SANS Top 20 Security Risks: http://www.sans.org/top20/
5. CERT Coordination Center (CERT/CC): http://www.cert.org

References

1. Raby, Mark. “IT administrator gets 8 years for cyber sabotage.” TG Daily, December 2006 (http://www.tgdaily.com/content/view/30487/118/).
2. The Pittsburgh Channel. “Call 4 Action: Cell Phone Virus Threat Grows.” July 2008 (http://www.thepittsburghchannel.com/call4action/17016797/detail.html).

05_078973804x_ch02.qxd

10/30/08

9:09 PM

Page 49

2

CHAPTER TWO

Online Vulnerabilities

Terms you need to understand:

✓ Java
✓ JavaScript
✓ ActiveX
✓ Cookies
✓ Cross-site scripting
✓ SMTP relay
✓ Lightweight Directory Access Protocol (LDAP)
✓ Wireless Application Protocol (WAP)
✓ Wireless local area network (WLAN)
✓ Wi-Fi
✓ Wired Equivalent Privacy (WEP)
✓ Back doors

Techniques you need to master:

✓ Understanding the common vulnerabilities present in web-based technologies
✓ Knowing the common vulnerabilities of LDAP services
✓ Recognizing the more common considerations in performing a site survey


Chapter 2: Online Vulnerabilities

A common saying about the only truly secure computer is that it is one left in its box and connected to nothing. Although this might be an oversimplification, it is true that the moment a computer is connected to a network, the requirements for securing against unwanted intrusion multiply. In this chapter, you will examine vulnerabilities common to many standard technologies that may be exposed by connecting to the Internet.

Web Vulnerabilities

One primary area of network security involves the use of a public web server. Web security includes client-side vulnerabilities presented by ActiveX or JavaScript code running within the client’s browser, server-side vulnerabilities such as Perl, Active Server Page (ASP), and common gateway interface (CGI) scripting exploits and buffer overflows used to run undesirable code on the server, and other forms of web-related security vulnerabilities such as those involving the transfer of cookies or unsigned applets.

TIP Although this section focuses on web-based vulnerabilities, note that many of these are also vulnerabilities affecting HTML-enabled clients of other types, including many modern email clients.

Java and JavaScript

Many websites use a scripting language created originally by the Netscape Corporation and now known as JavaScript. Unlike the server-side compilation Java language created by Sun Microsystems, JavaScript code is transferred to the client’s browser, where it is interpreted and used to control and manipulate many browser settings.

Java Vulnerabilities

Unlike many languages, Java’s capability to operate on many different computer platforms has made it a popular option for web delivery of application content. Java code is compiled from intermediate bytecode within a platform’s Java Virtual Machine (JVM), allowing the same Java application to run properly on a Linux, Mac OS, or Windows platform. Because Java is a precompiled language, a Java-based mini-program, called an applet, may present many security risks to the client, including those identified in Table 2.1. Applets execute when the client machine’s browser loads the hosting web page.


TABLE 2.1 Some Identified Vulnerabilities of the Java Language

| Vulnerability | Description |
| --- | --- |
| Buffer overflow in the JVM | The client-side environment supporting Java applets is referred to as the Java Virtual Machine. Improperly created applets can potentially generate a buffer overflow condition, crashing the client system. |
| Ability to execute instructions | Early versions of the JVM could be used to issue commands to the client system, allowing manipulation of the file system and data files at will. |
| Resource monopolization | Improperly designed Java applets can easily consume all available system resources on the client system. It is possible to create applets that continue running within the JVM, even after the applet is closed. |
| Unexpected redirection | Early JVM versions allowed Java applets to redirect the browser and create connections to other hosts without user interaction. |

JavaScript Vulnerabilities

Unlike precompiled Java applets, JavaScript is interpreted within the client’s browser environment. Because it must be compiled and executed within the client’s environment, JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client. Table 2.2 identifies the most common vulnerabilities; remember, however, that new vulnerabilities are regularly discovered.

TABLE 2.2 Some Identified Vulnerabilities of JavaScript

| Vulnerability | Description |
| --- | --- |
| File access | JavaScript code may be used on unsecured systems to access any file on the client computer that the current user may access. These files may then be sent elsewhere, manipulated, or deleted. |
| Cache access | Properly designed JavaScript code can be used to read the URLs within a browser’s cache, allowing the code to mine the user’s browsing habits, preferences, email settings, site cookies, and information entered in web forms. |
| File upload | It is possible to create JavaScript coding that will cause access of a web page to upload files from the client’s system without the user’s knowledge or input. The name of the file must be known for this to occur. |
| Email exposure | Early browser versions allowed JavaScript to send email as if sent by the user. |


EXAM ALERT Remember that Java is a compiled language that can lead to the execution of arbitrary commands or direct manipulation of data, while JavaScript is a client-side interpreted language that mainly poses privacy-related vulnerability issues.

ActiveX Controls

Microsoft developed a precompiled application technology that can be embedded in a web page in the same way as Java applets. This technology is referred to as ActiveX, and its controls share many of the same vulnerabilities present in embedded Java applets. ActiveX controls may be digitally signed using an Authenticode signature, which is verified by its issuing certificate authority (CA). Unlike Java applets, where browser configuration settings control the possible behavior of the applet, ActiveX controls are restricted based on whether they are signed. ActiveX controls do not have restrictions on which forms of action they may enact. If a user configures his browser to allow execution of unsigned ActiveX controls, controls from any source performing any action may be enacted by visiting a website hosting the control embedded within the HTML page.

TIP To avoid vulnerabilities exposed by earlier forms of Java and ActiveX development, all machines should be kept up-to-date with new version releases. Scripting language vulnerabilities may be addressed in this manner, and by turning off or increasing the client’s browser security settings to prevent automatic code execution.

Cookies

To overcome the limitations of a stateful connection when scaled to global website deployments, the Netscape Corporation created a technology using temporary files stored in the client’s browser cache to maintain settings across multiple pages, servers, or sites. These small files are known as cookies and may be used to maintain data such as user settings between visits to the same site on multiple days, or to track user browsing habits such as those used by sites hosting DoubleClick banner advertisements.


Privacy Issues

Many sites require that browsing clients be configured to accept cookies to store information such as configuration settings or shopping-cart data for electronic commerce sites. Cookies may be used to track information such as the name and IP address of the client system and the operating system and browser client being used. Additional information includes the name of the target and previous URLs, along with any specific settings set within the cookie by the host website.

EXAM ALERT Although cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent cookie that sticks around, whereas a session cookie stays around only for that particular visit to a website.

If cookies are accessed across many sites, they may be used to track the user’s browsing habits and present the user with targeted advertising or content. Many users believe this is a violation of their privacy.

Session Values

Cookies may also be used to store session settings across multiple actual connections to a web server. This proves helpful when connecting to a distributed server farm, where each page access might be handled by a separate physical server, preventing the use of session variables to maintain details from one page to another. This is useful in electronic commerce sites where a shopping cart application might add items from multiple pages to a total invoice before being transferred to a billing application. These cookies are also useful to provide custom user configuration settings on subsequent entries to web portals whose content is presented in a dynamic manner.

The danger to maintaining session information is that sites may access cookies stored in the browser’s cache that may contain details on the user’s e-commerce shopping habits, along with many user details that could possibly include sensitive information identifying the user or allowing access to secured sites.

TIP Clients should regularly clear their browser cookie cache to avoid exposing long-term browsing habits in this way. Where possible, client browsers may also be configured to block third-party cookies, although many online commerce sites require this functionality for their operation.
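The distinction drawn above between session cookies, persistent cookies and third-party cookies can be checked mechanically. The following is an added example, not code from the book: it classifies constructed Set-Cookie headers by lifetime and origin and marks persistent third-party cookies as tracking candidates. The host names, cookie values and helper names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: the page being visited and the Set-Cookie headers seen
# while loading it, as (host that sent the header, header value) pairs.
PAGE_HOST = "shop.example"
SAMPLE_HEADERS = [
    ("shop.example", "cart=8f3a; Path=/"),
    ("shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example",
     "uid=77c1d2; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
]


def is_third_party(page_host, sender_host):
    """Simplified test: the sender is neither the page host nor a subdomain.

    A production check would compare registrable domains using the Public
    Suffix List; that is left out to keep the example self-contained.
    """
    page, sender = page_host.lower(), sender_host.lower()
    return not (sender == page or sender.endswith("." + page))


def classify_cookie(page_host, sender_host, header_value):
    """Classify one Set-Cookie header by lifetime and by origin."""
    jar = SimpleCookie()
    jar.load(header_value)
    if not jar:
        raise ValueError("unparseable Set-Cookie header")
    name, morsel = next(iter(jar.items()))
    # No Expires and no Max-Age: the browser drops the cookie when it closes.
    persistent = bool(morsel["expires"] or morsel["max-age"])
    third_party = is_third_party(page_host, sender_host)
    return {
        "name": name,
        "sender": sender_host,
        "lifetime": "persistent" if persistent else "session",
        "party": "third" if third_party else "first",
        # Persistent plus third-party is the profile of a tracking cookie.
        "tracking_candidate": persistent and third_party,
    }


def audit(page_host, headers):
    """Classify every (sender host, Set-Cookie value) pair for one page."""
    return [classify_cookie(page_host, host, value) for host, value in headers]


if __name__ == "__main__":
    for row in audit(PAGE_HOST, SAMPLE_HEADERS):
        print(row)
```
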


Common Gateway Interface Vulnerabilities

A server-side interpretation option includes the use of common gateway interface (CGI) script, often written in the Perl language. Because these scripts are interpreted on the server system, generally utilizing user input values, they are highly subject to exploitation in many ways. Most exploits can be grouped into two general categories:

• CGI scripts may leak information about the server.
• CGI scripts used to process user input data may be exploited to execute unwanted commands on the server.

These exploits may allow the identification of configuration details of the server that may be helpful to later unauthorized access attempts, a process often referred to as profiling. Because any process that can execute functionality on the server has inherent access rights, improperly formed CGI scripts could be used to execute arbitrary commands on the server, change server configuration settings, and even create unauthorized user accounts on the server that could later be used to gain greater control over the server. CGI script creation requires many considerations for security, including the following:

• Poorly written CGI scripts may leak information about the server, such as the directory structure and any running applications and daemons.
• Data input should always include a default value and character limitations to avoid buffer overflow exploitation.
• CGI wrapper scripts should be used when possible to perform pre-execution checks on input, change the ownership of the process, or restrict process access within the file system.
• Many standard scripts are installed in default web server installations. These are in known folder locations and often contain sample code that is not designed for security and may include well-known exploits.
• It is possible for poorly written CGI scripts to pass user input data directly to the shell environment, which could allow a properly formatted input value to execute arbitrary commands on the web server.
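The CGI considerations above (a default value, character limitations, pre-execution checks, no raw input handed to the shell, no server detail in responses) fit in one small handler. This is an added example written in Python rather than Perl, not code from the book; the `user` field, the `/usr/local/bin/lookup` program and all function names are hypothetical.

```python
import re
import subprocess
import sys
from urllib.parse import parse_qs

MAX_LEN = 32                                    # character limitation
DEFAULT_USER = "guest"                          # default value
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")    # allow-list of characters
LOOKUP_PROGRAM = "/usr/local/bin/lookup"        # hypothetical helper program


class RejectedInput(ValueError):
    """Raised by the pre-execution checks; the detail is for the server log."""


def get_username(query_string):
    """Pre-execution checks on the 'user' field of a CGI query string."""
    values = parse_qs(query_string, keep_blank_values=True).get("user")
    if not values:
        return DEFAULT_USER
    if len(values) != 1:
        raise RejectedInput("parameter supplied more than once")
    value = values[0]
    if not 0 < len(value) <= MAX_LEN:
        raise RejectedInput("length out of range")
    if not USERNAME_RE.fullmatch(value) or value.startswith("-"):
        raise RejectedInput("character outside the allow-list")
    return value


def risky_command_line(query_string):
    """The pattern the text warns about: raw input spliced into one string
    that a shell would then interpret. Returned for inspection, never run."""
    raw = parse_qs(query_string).get("user", [""])[0]
    return "lookup " + raw


def safe_argv(query_string):
    """Hardened form: validated value passed as one argv element, no shell."""
    return [LOOKUP_PROGRAM, "--", get_username(query_string)]


def handle(query_string):
    """Return (status, body). Rejections get a fixed message so the response
    leaks no paths, program names or parser detail about the server."""
    try:
        user = get_username(query_string)
    except RejectedInput as exc:
        print("rejected request: %s" % exc, file=sys.stderr)   # log only
        return 400, "Invalid request."
    return 200, "Looking up %s" % user


def echo_via_argv(value):
    """Show that an argv list reaches the child process as literal text.
    A child Python process stands in for the hypothetical lookup program."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    done = subprocess.run(child, shell=False, capture_output=True,
                          text=True, timeout=10, check=True)
    return done.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "user=alice%3B+id"                 # constructed input
    print(risky_command_line(hostile))           # one string for a shell
    print(handle(hostile))                       # rejected by the checks
    print(safe_argv("user=alice"))               # list form, no shell
    print(echo_via_argv("alice; id"))            # metacharacters stay text
```
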


Browser Threats

The evolution of web network applications, Web 2.0 interactive interfaces, and other browser-based secure and anonymous-access resources available via the HTTP and HTTPS protocols presents an “anytime/anywhere” approach to enterprise network resource availability. As more applications are migrated into the browser, attackers have an increasingly large attack surface area for interception and interaction with user input and for directed attacks against web-based resources. The global nature of the Internet allows attackers to place web-based traps in countries of convenience, where law enforcement efforts are complicated by international legal variance.

TIP As mentioned earlier in this chapter, maintaining operating system, application, and add-on updates will help to reduce the threat posed by many browser-based attack forms. When possible, restricting automatic code execution of JavaScript or ActiveX controls and cookie generation can also strengthen the client’s browser security stance.

Browser-based vulnerabilities you should know for the exam include the following:

• Session hijacking—Because browsers access resources on a remote server using a predefined port (80 for HTTP or 443 for HTTPS), browser traffic is easily identifiable by an attacker who may elect to hijack legitimate user credentials and session data for unauthorized access to secured resources. Although Secure Sockets Layer (SSL) traffic is encrypted between endpoints, an attacker who crafts a web proxy with SSL can allow a user to connect securely to this proxy system and then establish a secured link from the proxy to the user’s intended resource, capturing plain-text data transport on the proxy system even though the user receives all appropriate responses for a secured connection.
• Cross-site scripting (XSS)—By placing malicious executable code on a website, an attacker can cause an unknowing browser user to conduct unauthorized access activities, expose confidential data, and provide logging of successful attacks back to the attacker without the user being aware of their participation. XSS vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.
• Add-in vulnerabilities—Active content within websites offers an attractive attack space for aggressors, who may craft special “drivers” required for content access that are in fact Trojans or other forms of malware. Other attackers craft malware to take advantage of unpatched add-ins to directly inject code or gain access to a user’s system when a vulnerable browser is directed to an infected website.
• Buffer overflows—Like desktop and system-based applications, many web browser applications offer an attacker a mechanism for providing input in the form of a crafted uniform resource locator (URL) value. By extending the input values beyond the memory space limitations of the expected input values, an attacker can inject code into adjacent memory space to allow execution of arbitrary code on the web server.

EXAM ALERT When presented with a question that relates to mitigating the danger of buffer overflows or XSS attacks, look for answers that relate to input validation. By restricting the data that can be input, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content.
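The input validation that the exam alert points to can be shown for its two cases, crafted URL references and reflected web content. This is an added example, not code from the book: it bounds and allow-lists a redirect URL and HTML-encodes a reflected search term. The host names, limits and function names are assumptions for illustration, and the output encoding step goes slightly beyond the text, which names only input restriction.

```python
import html
from urllib.parse import urlsplit

MAX_URL_LEN = 2048
MAX_TERM_LEN = 64
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"www.example.com", "help.example.com"}   # constructed names


def check_redirect(url):
    """Return the URL if it may be used as a redirect target, else None."""
    if not url or len(url) > MAX_URL_LEN:
        return None                       # bound the input before parsing it
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in url):
        return None                       # no whitespace, controls, backslashes
    try:
        parts = urlsplit(url)
        host = parts.hostname
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return None                       # malformed authority section
    if parts.scheme not in ALLOWED_SCHEMES:
        return None                       # rejects javascript:, data:, http:
    if host not in ALLOWED_HOSTS or has_userinfo:
        return None                       # exact host match, no user@host form
    return url


def render_results(term):
    """Reflect a search term into HTML with a length limit and encoding."""
    term = term[:MAX_TERM_LEN]
    return "<p>Results for <b>%s</b></p>" % html.escape(term, quote=True)


def handle_search(term, next_url):
    """Return (html_body, redirect_target); a bad target falls back to '/'."""
    return render_results(term), check_redirect(next_url) or "/"


if __name__ == "__main__":
    # Constructed inputs: a markup-bearing term and an off-site redirect.
    body, target = handle_search("<script>alert(1)</script>",
                                 "https://www.example.com.attacker.example/")
    print(body)
    print(target)
```
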

Peer-to-Peer Networking

Internet-based services often make use of the same client-server or n-tier (three or more layers including client, middle processing tiers, and server or source computers) architecture as their older enterprise-based applications. However, many services have evolved to a more decentralized architecture of resource availability better suited to the global Internet. These services negotiate connections directly between clients, without requiring access to a single central server. The common BitTorrent file-sharing application is an example of this type of resource-sharing peer-to-peer (P2P) solution, allowing users to transport files between remote clients without passing through a central server for access. This presents difficulties for access restriction because any two clients may negotiate connections using random ports and protocols, bypassing traffic analysis and access control restrictions.

Instant Messaging

Enterprise and personal instant messaging (IM) clients such as AOL, Yahoo! Messenger, and Windows Live Messenger enable users to rapidly check availability and communicate both synchronously and asynchronously with peers, family members, and co-workers. These applications have increased in sophistication to include video and audio teleconferencing, file-sharing, and desktop/application-sharing capabilities in addition to the basic textual chat functions from early server operator communications clients.

Attackers develop viral malware capable of spreading through contacts listings within IM clients. Others focus on capturing IM traffic and cached logs of past conversations, in an attempt to obtain useful or harmful information. The file-transfer and desktop-sharing capabilities of many clients present challenges against unauthorized data sharing, while creative attackers make use of the audio and video capabilities to directly “tap” unwary IM users.

Simple Mail Transport Protocol Relay

Although not specifically a web-related problem, the possible exploitation of Simple Mail Transport Protocol (SMTP) relay agents to send out large numbers of spam email messages is included because many web servers include a local SMTP service used by server-side processes to perform Mailto functions needed within the website. Spammers search for unprotected SMTP relay services running on public servers, which may then be used to resend SMTP messages to obscure their true source.

Protocol Vulnerabilities

Many protocols contain common vulnerabilities that may be manipulated to allow unauthorized access, including SSL connections and Lightweight Directory Access Protocol (LDAP).

SSL/TLS

Transport Layer Security (TLS) data transfer, including SSL-encapsulated transfer, may be exploited in many ways. The encapsulated data stream could potentially be compromised through cryptographic identification of the key, although modern 128-bit keys are considered to be beyond a reasonable level of encryption.

EXAM ALERT HTTPS (HTTP over SSL) and SSL use X.509 digital certificates and operate over port 443. Do not confuse HTTPS with the less commonly used Secure Hypertext Transport Protocol (S-HTTP) that operates over port 80 along with regular HTTP traffic.


SSL connections are also particularly vulnerable during the handshake process, where client and server exchange details of the shared encryption keys to be used. Malformed certificates may be used to exploit the parsing libraries used by SSL agents, allowing the compromise of security details and possible code execution on the compromised system. Many forms of buffer overrun may also be used during the SSL handshake process, to compromise the secured connection, along with code execution and system compromise possibilities. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Configuring client browsers to raise an alert when blocking content provided through self-signed certificates can help to reduce this threat. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates.

LDAP

Lightweight Directory Access Protocol provides access to directory services, including that used by the Microsoft Active Directory. LDAP was created as a “lightweight” alternative to earlier implementations of the X.500 Directory Access Protocol and communicates on port 389. Its widespread use influences many other directory systems, including the Directory Service Markup Language (DSML), Service Location Protocol (SLP), and commercial products such as Microsoft Active Directory. Variations of LDAP share many common vulnerabilities, including the following:

• Buffer overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server.
• Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation.
• Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the LDAP server, preventing it from responding to normal requests.

NOTE LDAP uses an object-oriented access model defined by the Directory Enabled Networking (DEN) standard, which is based on the Common Information Model (CIM) standard.

File Transfer Protocol Vulnerabilities

Another common publicly exposed service involves the File Transfer Protocol (FTP) defined within the TCP/IP suite. FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication.

Anonymous Access

Many FTP servers include the ability for anonymous access in their default installation configuration. Anonymous access (also known as “blind” FTP) is a popular method to provide general access to publicly available downloads such as a mirror site that contains a new open-access license (OAL) software distribution, or the newest version of Linux. Here, it is unnecessary and even undesirable to require every possible user to first obtain an account and password to access the download area, and so an option is provided to allow anonymous access.

The problem with this form of access is that any user may download (and potentially upload) any file desired. This might result in a server’s available file storage and network access bandwidth being rapidly consumed for purposes other than those intended by the server’s administrator. If unauthorized file upload is allowed along with download, illegal file content could be placed on the server for download, without the knowledge of the system’s administrator.

Unencrypted Authentication

Even when user authentication is required, FTP passes the username and password in an unencrypted (plain-text) form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server.

EXAM ALERT A more secure version of FTP (S/FTP) has been developed that includes SSL encapsulation. This version is referred to as FTP over SSH and uses the Secure Shell (SSH) TCP port 22. Do not confuse it with FTPS (FTP over SSL), which uses TCP port 21. Either may be used within a modern enterprise network.

Secure variations of the FTP protocol ensure that data cannot be intercepted during transfer and allow the use of more secure transfer of user access credentials during FTP logon. However, the same certificate vulnerabilities discussed earlier in this chapter apply here, too.

Wireless Network Vulnerabilities

Many new technological solutions being embraced by the mobile workforce include mobile data connected equipment such as cell phones, text pagers, and personal digital assistants (PDAs). Mobile equipment may make use of many different communications standards, including long-range mobile communications using the Wireless Application Protocol (WAP) or i-Mode standards, and wireless local area network (WLAN) communications using the 802.11 wireless fidelity (Wi-Fi) or Bluetooth standards.

WAP and i-Mode

Wireless technologies such as mobile data cell phones include the ability to present web content in textual format using the Compact Wireless Application Protocol (CWAP) utilized over Japan’s i-Mode standard, or the Wireless Markup Language (WML) supported by the WAP standard. Both standards also enable users to access email, IM, newsgroups, and other types of data.

NOTE The Wireless Application Protocol (WAP) Forum is working with many standards organizations, including the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), to develop the next official standard. The current version is WAP 2.0, which extended the original specification to include additional XHTML details supporting wireless devices.

The WAP standard includes several other standard specifications, such as the following:

• Wireless Application Environment (WAE)—Specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, and PDAs
• Wireless Session Layer (WSL)—Equivalent to the session layer of the Open Systems Interconnection (OSI) model
• Wireless Transport Layer (WTL)—Equivalent to the transport layer of the OSI model
• Wireless Transport Layer Security (WTLS)—Specifies a WTL security standard based on the TLS standard, optimized for low-bandwidth communications with possible lengthy delay between packet transmission and receipt, which is referred to as latency.

WLANs

New technologies using radio frequency transmissions are beginning to replace wired office networks and provide network support for mobile Bluetooth- and 802.1x-enabled devices. Popular coffee chains, college campuses, apartment complexes, and home users are taking advantage of the rapid proliferation of 802.11b technology using the 2.4GHz unregulated range of frequencies made popular by many vendors producing Wi-Fi network equipment.

The 802.11 specifications extend the carrier sense multiple access with collision avoidance (CSMA/CA) method of connectivity specified within the Ethernet protocol to provide wireless network access. To avoid data collisions, CSMA/CA protocols require the device to sense whether the carrier is already busy and to wait a random amount of time to check again, only initiating a signal when there is no traffic.

NOTE The typical bandwidth of 802.11b (Wi-Fi) connections is 11Mbps, the 802.11a and 802.11g specifications extend connectivity up to 54Mbps, and the developing 802.11n specification provides up to 248Mbps. The 802.11 specifications are evolving through the extension of the original Institute of Electrical and Electronics Engineers (IEEE) 802.11 specifications to include additional capabilities such as multiple-input multiple-output (MIMO) and variations for specific regions such as the 802.11j variation developed for the Japanese market.

Wired Equivalent Privacy

Specifications for the Wired Equivalent Privacy (WEP) standard are detailed within the 802.11b (Wi-Fi) specification. This specification details a method of data encryption and authentication that may be used to establish a more secured wireless connection.

EXAM ALERT Recent developments in the field of cryptography have revealed the WEP encryption method to be less secure than originally intended and vulnerable to cryptographic analysis of network traffic. More advanced protocols such as WPA and the 802.11i standard supersede WEP, but recommendations for a more secure wireless network may also include the use of IPsec and virtual private network (VPN) connectivity to tunnel data communications through a secured connection.

Wi-Fi Protected Access

The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. The WPA includes many of the functions of the 802.11i protocol but relies on the Rivest Cipher 4 (RC4), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval.

802.11i

The 802.11i-2004 amendment to the 802.11 specification is a set of standards for securing wireless network communications, replacing the earlier vulnerable WEP standard with an Advanced Encryption Standard (AES) block cipher and allowing for origin authentication to help protect against rogue WAP man-in-the-middle attacks.

Site Surveys

To optimize network layout within each unique location, a site survey is necessary before implementing any WLAN solution. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas. A site survey should include a physical and electronic review of the desired physical and logical structure of the network, selection of possible technologies, and several other factors, including the following:

• Federal, state, and local laws and regulations related to the proposed network solution.
• Potential sources of radio frequency (RF) interference, including local broadcast systems, motors, fans, and other types of equipment that generate RF interference. This includes an analysis of potential channel overlap between wireless access point (WAP) hardware.
• Available locations for WAP hardware installation and physical network integration connectivity.
• Any special requirements of users, applications, and network equipment that must function over the proposed wireless network solution.
• Whether a point-to-point (ad hoc or wireless bridge) or multipoint wireless solution is required. In most solutions, point-to-multipoint connectivity will be required to support multiple wireless clients from each WAP connected to the physical network.

NOTE When conducting a site survey, you can use a wireless-enabled device with a GPS location sensor to establish the boundaries of existing network connectivity. Commonly available packages used to conduct site surveys include AirSnort, NetStumbler, and Kismet. Legal and organizational mandates may preclude the use of promiscuous-mode network traffic analysis.

All wireless networks share several common security vulnerabilities related to their use of RF broadcasts, which may potentially be detected and compromised without the knowledge of the network administrator. Data transported over this medium is available to anyone with the proper equipment, and so must be secured through encryption and encapsulation mechanisms not subject to public compromise.

Network Device and Transmission Media Vulnerabilities

Wired and wireless networking relies on a system of underlying devices responsible for coordinating the transport and security of networked data. Namespace services facilitate translation from human-readable addresses to their numeric equivalents, where routers then determine the proper network connections to transfer data packets to identified endpoint network segments. Switches and hubs allow distribution of data packets to individual endpoints, with myriad dedicated transport systems available for encryption, access control, and other functions necessary to internetwork communications.

You should be familiar with vulnerabilities associated with these network devices, including the following:

• Privilege escalation—This vulnerability represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization.
• Weak passwords—Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected. Automated and social engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
• Back doors—Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment.
• Default accounts—Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack.
• Default identification broadcast—Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP, but is not truly secure because the SSID is broadcast in plain text whenever a client connects to the network. Turning off SSID broadcast should be considered a “best practice,” along with conducting the site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible.
• Denial of service (DoS)—Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. This type of attack is often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website. The business is contacted with an account to which an amount of money should be sent, whereupon the attack is ended and service is restored. Many fringe service industries, such as online casinos, are regularly targeted with this type of attack.
• Hubs and supervisory ports—Certain types of networking equipment provide attackers with access to inspect network traffic for interception of user credentials, security encryption traffic, and other forms of sensitive transmitted data. Before the development of network switches, hubs were commonly used to distribute data packets to endpoint ports. Hubs do not provide data isolation between endpoint ports, allowing any node to observe data traffic to and from all other nodes on the same device. Switches provide this isolation in more updated networks, but an exposed supervisory port can be exploited by an attacker for the same purposes. Physical access control to the networking closet is critical to protect switched networks against this form of attack.
• Vampire taps—Data traffic over coaxial network cabling can be intercepted and inspected by an attacker through the use of a vampire tap, which pierces the cable at an arbitrary point and allows direct connection to the data transport wiring. Similar technologies can be applied to modern fiber-optic media, allowing interception of data traffic without a detectable presence on the network. Physical access control to areas where network media is exposed is critical to protecting against unauthorized taps.

Exam Prep Questions

1. Which of the following are client-side web technologies? (Select all that apply.)

❍ A. ActiveX controls
❍ B. JavaScript
❍ C. CGI scripts
❍ D. Cookies
❍ E. Java applets

2. Which of the following is a common bandwidth for 802.11b communications?

❍ A. 19.2Kbps
❍ B. 64Kbps
❍ C. 1.5MBps
❍ D. 10Mbps
❍ E. 11Mbps
❍ F. 100Mbps

3. Why do spammers value unsecured SMTP relay servers?

❍ A. They provide faster network access.
❍ B. They can be used to hide the origin of a message.
❍ C. They can access internal mailing lists.
❍ D. They cannot be blacklisted.

4. Which of the following are good uses for cookies? (Select two correct answers.)

❍ A. Maintaining user portal settings between sessions
❍ B. Storing credit card and user identification data
❍ C. Storing a listing of items within a shopping cart application
❍ D. Maintaining password and logon information for easy return to visited secured sites
❍ E. Providing details regarding the network settings in use by the client, such as its IP address

5. Which of the following are potential exploits for CGI scripts? (Select all that apply.)

❍ A. Providing information on processes running on the server.
❍ B. Executing arbitrary commands on the client.
❍ C. Samples may not include proper security.
❍ D. Buffer overflows may occur.
❍ E. Arbitrary commands may be executed on the server.

6. Which of the following is a WLAN technology that uses the Ethernet protocols?

❍ A. Bluetooth
❍ B. IETF
❍ C. WAP
❍ D. i-Mode
❍ E. Wi-Fi

7. An attacker places code within a web page that executes when a client’s browser opens the web page, causing the client’s browser to attempt to access a secured banking site in another city. This is an example of what type of attack?

❍ A. Cross-site scripting
❍ B. Man-in-the-middle
❍ C. Session hijacking
❍ D. Buffer overflow

8. Which of the following are potential vulnerabilities of the FTP service? (Select two correct answers.)

❍ A. Buffer overflow
❍ B. Execution of arbitrary commands
❍ C. Anonymous access
❍ D. Unencrypted credentials
❍ E. Cache mining

9. Which encryption standard is currently considered the best for Wi-Fi connections?

❍ A. HTTPS
❍ B. WAP
❍ C. WEP
❍ D. WPA
❍ E. WPA2

10. Which of the following statements about Java and JavaScript is true?

❍ A. Java applets can be used to execute arbitrary instructions on the server.
❍ B. JavaScript code can continue running even after the applet is closed.
❍ C. JavaScript can provide access to files of known name and path.
❍ D. Java applets can be used to send email as the user.
❍ E. Java applets allow access to cache information.

Answers to Exam Prep Questions

1. A, B, D, E. Client-side web technologies include ActiveX controls, JavaScript interpreted code, cookies, and Java applets. Cookies might also be considered a server-side technology because the web server may access them and store information within cookies; however, they reside in the client system’s browser cache. Answer C is incorrect because CGI scripts are stored and interpreted on the web server.

2. E. The 802.11b WLAN specification allows up to 11Mbps wireless connectivity. Answers A and B are incorrect because they specify common modem bandwidth limits, and answer C is incorrect because 1.5MBps is a common speed for cable modem and T1 connectivity. Answers D and F are incorrect because 10Mbps and 100Mbps are common wired LAN data transfer rates.

3. B. Spammers use SMTP relay agents that are not properly secured to relay their SMTP email messages, hiding the true origin of the mail messages. Answer A is incorrect because the targeted server might have a much more limited network connection than the spammer—the key is hiding the source of the messages. Answer C is incorrect because anonymous SMTP relay does not require access to an SMTP server beyond receipt and retransmission. Answer D is incorrect because an SMTP server used to relay spam can easily be blacklisted, requiring effort to reopen normal transfer with major providers after this situation has been identified.

4. A, C. Cookies are well-suited for maintaining user portal settings between sessions and storing a list of items within a shopping cart application. Answers B and D are incorrect because cookies that store user identification data, credit card information, or password and logon details could be exploited to allow others to use this information by mining the client’s cache. Answer E is incorrect because cookies are used to store session information between pages or servers, rather than to store information that the server can obtain for itself, such as the IP address used by the client.

5. A, C, D, E. CGI scripts may be exploited to leak information including details about running server processes and daemons, samples included in some default installations are not intended for security and include well-known exploits, and buffer overflows may allow arbitrary commands to be executed on the server. Answer B is incorrect because CGI scripts do not run on the client system.

6. E. The 802.11b (Wi-Fi) standard uses the CSMA/CA connectivity methods commonly found in Ethernet connectivity. Answer A is incorrect because Bluetooth is based on a different transmission protocol. Answer B is incorrect because the Internet Engineering Task Force (IETF) is a standards organization and not a communications protocol. Answers C and D are incorrect because both WAP and i-Mode are standards used by mobile devices such as cell phones, pagers, and PDAs and are not used to specify WLAN standards.

7. A. When a website redirects the client’s browser to attack yet another site, this is referred to as cross-site scripting. Answer B is incorrect because a man-in-the-middle attack involves intercepting data transmission between two sites and examining, altering, or replacing valid data without alerting either endpoint. Answer C is incorrect because a session hijack occurs when an attacker causes the client’s browser to establish a secure connection to a compromised web server acting as a proxy or redirecting traffic to a secure target site, exposing traffic as it passes through the compromised system. Answer D is incorrect because a buffer overflow occurs when data input exceeds the memory space allocated and injects unanticipated data or programmatic code into executable memory.

8. C, D. FTP servers may be exposed to anonymous access and transfer logon credentials in clear form. Answers A and B are incorrect because the FTP service is not known for common vulnerabilities that may be exploited using buffer overflows to execute arbitrary commands on the server. Answer E is incorrect because the FTP service does not provide access to the browser’s cache.

9. E. The WPA2 standard implements the 802.11i-2004 protocols and is currently the highest standard for Wi-Fi communication security. Answer A is incorrect because the HTTPS protocol allows for secure HTTP connectivity between the client’s browser and a target web server, and is unrelated to the networking medium in use. Answer B is incorrect because a WAP refers to a wireless access point, which is the wireless network hardware that functions in the place of a wired switch. Answer C is incorrect because the WEP standard was proven to be unsecure and has been replaced by the newer WPA standards. Answer D is incorrect because the early WPA standard has been superseded by the WPA2 standard, implementing the full 802.11i-2004.

10. C. An early exploit of JavaScript allowed access to files located on the client’s system if the name and path were known. Answers A, D, and E are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer B is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.

Additional Reading and Resources

1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley Professional, 2001.
2. The World Wide Web Security FAQ: http://www.w3.org/Security/Faq/
3. SANS Information Security Reading Room: http://www.sans.org/
4. IEEE Standards Association: http://standards.ieee.org/

PART II

Infrastructure Security

Chapter 3 Infrastructure Basics

Chapter 4 Infrastructure Security and Controls

CHAPTER THREE

Infrastructure Basics

Terms you need to understand:

✓ TCP/IP hijacking
✓ Spoofing
✓ Man-in-the-middle
✓ Replay
✓ DoS
✓ DNS kiting and DNS poisoning
✓ ARP poisoning
✓ DMZ
✓ VLAN
✓ NAT
✓ NAC
✓ NIDS
✓ HIDS
✓ NIPS
✓ Protocol analyzers

Techniques you need to master:

✓ Differentiate between the different ports and protocols, their respective threats, and mitigation techniques.
✓ Distinguish between network design elements and components.
✓ Determine the appropriate use of network security tools to facilitate network security.
✓ Apply the appropriate network tools to facilitate network security.
✓ Explain the strengths and vulnerabilities of various security zones and devices.

The network infrastructure is subject to myriad internal and external attacks through services, protocols, and open ports. It is imperative that you understand how to eliminate nonessential services and protocols, especially if the network has been in existence for some period of time and some services are no longer needed or have been forgotten. To stop many would-be attackers, you must understand the different types of attacks that can happen, along with how to implement a network design, components, and tools that can protect the infrastructure. This chapter discusses the concepts of identifying and mitigating network infrastructure threats and alerts you to the most common attacks. In addition to being able to explain these concepts, you will begin to understand how network design and components can be used as a tool to protect and mitigate all types of threats and to protect computers and network infrastructure.

Port and Protocol Threats and Mitigation Techniques

There are 65,535 TCP and UDP ports on which a computer can communicate. The port numbers are divided into three ranges:

• Well-known ports—The well-known ports are those from 0 through 1,023.
• Registered ports—The registered ports are those from 1,024 through 49,151.
• Dynamic/private ports—The dynamic/private ports are those from 49,152 through 65,535.

Often, many of these ports are not secured and as a result are used for exploitation. Table 3.1 lists some of the most commonly used ports and the services and protocols that use them. All of these ports and services have vulnerabilities associated with them. Some of these were discussed in Chapter 2, “Online Vulnerabilities,” and some are discussed in this chapter. For those that are not discussed, such as Echo, Systat, and Chargen, you can find more detailed information in the “Suggested Reading and Resources” section at the end of this chapter.

EXAM ALERT Know the difference between the various types of attacks and the ports they are executed on.

TABLE 3.1 Commonly Used Ports

Port             Service/Protocol
7                Echo
11               Systat
15               Netstat
19               Chargen
20               FTP-Data
21               FTP
22               SSH
23               Telnet
25               SMTP
49               TACACS
53               DNS
80               HTTP
110              POP3
111              Portmap
137, 138, 139    NetBIOS
161/162          SNMP
443              HTTPS
445              SMB
1,812            RADIUS

Ideally, the configuration process should start with installing only the services necessary for the server to function. Table 3.1 includes a combination of protocols that currently are in use and antiquated protocols that might still be in use on a network. These protocols may be configured open by default when an operating system is installed or by the machine manufacturer. Every operating system requires different services for it to operate properly. If ports are opened for manufacturer-installed tools, the manufacturer should have these services listed in the documentation. The next sections cover port and protocol threats and mitigation techniques.

Antiquated and Older Protocols

Notice in Table 3.1 that there are older protocols such as Chargen and Telnet. Although these may be older, you might find that these protocols and the ports they use are still accessible. For example, Finger, which uses port 79, was widely used during the early days of the Internet, and today’s sites no longer offer the service. However, you might still find some old implementations of Eudora mail that use the Finger protocol, or worse, the mail clients have long since been upgraded, but the port used 10 years ago was somehow left open. The quickest way to tell which ports are open and which services are running is to run Netstat on the machine. You can also run local or online port scans.

Older protocols that are still in use may leave the network vulnerable. Protocols such as Simple Network Management Protocol (SNMP) and domain name service (DNS) that were developed a long time ago and have been widely deployed can pose security risks, too. SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPSs). Many of the vulnerabilities associated with SNMP stem from using SNMPv1. Although these vulnerabilities were discovered in 2002, vulnerabilities are still being reported with current SNMP components. A recent Gentoo Linux Security Advisory noted that multiple vulnerabilities in Net-SNMP allow for authentication bypass and execution of arbitrary code in Perl applications using Net-SNMP.

The SNMP management infrastructure consists of three components:

• SNMP managed node
• SNMP agent
• SNMP network management station

The device loads the agent, which in turn collects the information and forwards it to the management station. Network management stations collect a massive amount of critical network information and are likely targets of intruders because SNMPv1 is not secure. The only security measure it has in place is its community name, which is similar to a password. By default, this is “public” and many times is not changed, thus leaving the information wide open to intruders. SNMPv2 uses Message Digest Version 5 (MD5) for authentication. The transmissions can also be encrypted. SNMPv3 is the current standard, but some devices are likely to still be using SNMPv1 or SNMPv2.
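The default community name problem described above can be checked for in an agent's configuration. The following is an added example, not code from the book: it audits a Net-SNMP `snmpd.conf` for default community strings, writable communities, and community access with no source restriction. The sample configuration, the finding codes, and the function names are constructed for illustration.

```python
"""Audit a Net-SNMP snmpd.conf for weak community settings (added example)."""

# Constructed sample configuration; not taken from the book or a real device.
SAMPLE_SNMPD_CONF = """\
# vendor defaults left in place
rocommunity public
rwcommunity private 10.0.5.0/24
rocommunity n3tm0n-7Qx 10.0.9.10
com2sec notConfigUser default public
rouser monitor priv
"""

# Community names that ship as defaults on many devices.
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Finding codes are hypothetical labels chosen for this example.
EXPLANATIONS = {
    "DEFAULT_COMMUNITY": "community name is a well-known default",
    "WRITE_COMMUNITY": "community grants write access to the agent",
    "UNRESTRICTED_SOURCE": "any host may query with this community",
    "NOAUTH_USER": "SNMPv3 user is allowed without authentication",
}


def _check_community(lineno, community, source, writable, findings):
    """Append one finding per weakness for a community-based access line."""
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append((lineno, "DEFAULT_COMMUNITY"))
    if writable:
        findings.append((lineno, "WRITE_COMMUNITY"))
    if source is None or source.lower() == "default":
        findings.append((lineno, "UNRESTRICTED_SOURCE"))


def audit_snmpd_conf(text):
    """Return a list of (line_number, finding_code) for the given config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Simplification: everything after '#' is treated as a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive in COMMUNITY_DIRECTIVES and len(fields) >= 2:
            # rocommunity/rwcommunity COMMUNITY [SOURCE [OID ...]]
            source = fields[2] if len(fields) >= 3 else None
            _check_community(lineno, fields[1], source,
                             directive.startswith("rw"), findings)
        elif directive == "com2sec" and len(fields) >= 4:
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            # Write access is decided by separate group/access lines,
            # so it is not evaluated here.
            _check_community(lineno, fields[-1], fields[-2], False, findings)
        elif directive in {"rouser", "rwuser"}:
            if "noauth" in (f.lower() for f in fields[2:]):
                findings.append((lineno, "NOAUTH_USER"))
    return findings


if __name__ == "__main__":
    for lineno, code in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {code}: {EXPLANATIONS[code]}")
```
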

SNMP can help malicious users learn a lot about your system, making password guessing attacks a bit easier. SNMP is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162. Make sure network management stations are secure physically and secure on the network. You might even consider using a separate management subnet and protecting it using a router with an access list. Unless this service is required, it should be turned off. The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create access control lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited and minimize the threat of an attack.
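To connect the Netstat check and the "necessary ports only" advice above, here is an added example (not from the book) that parses `netstat -an` output, maps each listening port to Table 3.1 and to its port range, and compares it against an allow-list. The sample output is constructed in Linux net-tools format; the `ANTIQUATED` set, the `ALLOWED` list, and the function names are assumptions made for this illustration.

```python
"""Compare listening ports from netstat output with an allow-list (added example)."""

# Table 3.1 from the chapter, plus Finger (port 79) mentioned in the text.
TABLE_3_1 = {
    7: "Echo", 11: "Systat", 15: "Netstat", 19: "Chargen", 20: "FTP-Data",
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 49: "TACACS", 53: "DNS",
    79: "Finger", 80: "HTTP", 110: "POP3", 111: "Portmap", 137: "NetBIOS",
    138: "NetBIOS", 139: "NetBIOS", 161: "SNMP", 162: "SNMP", 443: "HTTPS",
    445: "SMB", 1812: "RADIUS",
}

# Assumption for this example: services treated as antiquated.
ANTIQUATED = {7, 11, 15, 19, 23, 79}

# Assumption: the only services this host is supposed to offer.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Constructed sample of `netstat -an` output (Linux net-tools layout).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:51514        192.0.2.20:443          ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:19              0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""


def port_range(port):
    """Classify a port into the three ranges given in the chapter."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def listening_sockets(netstat_text):
    """Return unique (proto, port) pairs that accept inbound traffic."""
    seen, result = set(), []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner or column-header line
        proto = fields[0][:3]  # tcp6 -> tcp, udp6 -> udp
        local, foreign = fields[3], fields[4]
        if proto == "tcp":
            if len(fields) < 6 or fields[5] != "LISTEN":
                continue  # established or closing connection
        elif not foreign.endswith(":*"):
            continue  # connected UDP socket, not an open service
        key = (proto, int(local.rsplit(":", 1)[1]))
        if key not in seen:
            seen.add(key)
            result.append(key)
    return result


def audit_listeners(netstat_text, allowed):
    """Return (proto, port, service, range, verdict) for each listener."""
    report = []
    for proto, port in listening_sockets(netstat_text):
        if port in ANTIQUATED:
            verdict = "antiquated"   # remove the service
        elif (proto, port) in allowed:
            verdict = "allowed"
        else:
            verdict = "unexpected"   # disable it or justify an ACL entry
        report.append((proto, port, TABLE_3_1.get(port, "unknown"),
                       port_range(port), verdict))
    return report


if __name__ == "__main__":
    for row in audit_listeners(SAMPLE_NETSTAT, ALLOWED):
        print("%-4s %-6d %-9s %-16s %s" % row)
```
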

TCP/IP Hijacking

Hijacking is the term used when an attacker takes control of a session between the server and a client. This starts as a man-in-the-middle attack and then adds a reset request to the client. The result is that the client gets kicked off the session, while the rogue machine still communicates with the server. The attacker intercepts the source-side packets and replaces them with new packets that are sent to the destination.

EXAM ALERT TCP/IP hijacking commonly happens during Telnet and web sessions where security is lacking or when session timeouts aren’t configured properly.

During web sessions, cookies are commonly used to authenticate and track users. While the authenticated connection is in session, an attacker may be able to hijack the session by loading a modified cookie in the session page. Session hijacking can also occur when a session timeout is programmed to be a long period of time. This provides a chance for an attacker to hijack the session.

Telnet-type plain-text connections create the ideal situation for TCP hijacking. In this instance, an attacker watches the data being passed in the TCP session. At any point, the attacker can take control of the user’s session. This is why TCP/IP hijacking is also called session hijacking. Forcing a user to reauthenticate before allowing transactions to occur could help prevent this type of attack. Protection mechanisms include the use of unique initial sequence numbers (ISNs) and web session cookies. The more unique the cookie, the harder it is to break and hijack. Additional preventative measures for this type of attack include use of encrypted session keys and Secure Sockets Layer (SSL) encryption.

Null Sessions

A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. A program or service using the system user account logs on with null credentials, and in some web-based programs, the set of credentials used for authentication defaults to anonymous access when null credentials are given. A hacker or worm can exploit this vulnerability and potentially access sensitive data on the system. The best example of this is file and print sharing services on Windows machines. The services communicate by using an interprocess communication share, or IPC$. You have likely seen this on Windows machines (see Figure 3.1).

FIGURE 3.1 A Windows IPC$ share.

These null sessions were created to allow unauthenticated hosts to obtain browse lists from Windows NT servers and to use network file and print sharing services. By default, Windows XP and Windows Server 2003 standalone servers are not vulnerable to null session attacks. However, backward compatibility with Windows 2000 and NT opens up a vulnerability to null session attacks.

On a vulnerable machine, even if you have disabled the Guest account, a null session can be established by using the net use command to map a connection using a blank username and password:

net use \\ip_address\ipc$ "" "/user:"

After a null session connection has been established, many possibilities exist. You can use commands such as net view to view a list of shared resources on the target machine. You also can use application programming interfaces (APIs) and remote procedure calls (RPCs) to enumerate information, escalate privileges, and execute attacks.

EXAM ALERT The most effective way to reduce null session vulnerability is by disabling NetBIOS over TCP/IP. After you have done this, verify that ports 139 and 445 are closed.

You could also control null session access by editing the Registry on Windows-based computers to restrict anonymous access:

• Key—HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
• Value—RestrictAnonymous
• Type—DWORD
• Value—1

The key default value is 0. Changing this value to 1, which is more restrictive, keeps a null session from seeing user accounts and admin shares. Changing the value to 2 is the most restrictive. This disables null session without explicit permissions. However, this setting may conflict with some applications that rely on null sessions. Keep in mind that even though you can change the Registry settings to try to prevent this type of attack, some tools sidestep this measure. If security is a major concern, you might have to consider not allowing any null sessions on your public and private networks.

Spoofing

Spoofing is a method of providing false identity information to gain unauthorized access. This is accomplished by modifying the source address of traffic or source of information.

EXAM ALERT Spoofing seeks to bypass IP address filters by setting up a connection from a client and sourcing the packets with an IP address that is allowed through the filter.

In blind spoofing, the attacker sends only data and only makes assumptions of responses. In informed spoofing, the attacker can participate in a session and can monitor the bidirectional communications. Services such as email, Web, and file transfer can also be spoofed. Web spoofing happens when an attacker creates a convincing but false copy of an entire website. The false site looks just like the real one: It has all the same pages and links. However, the attacker controls the false site so that all network traffic between the victim’s browser and the site goes through the attacker. In email spoofing, a spammer or a computer virus can forge the email packet information in an email so that it appears the email is coming from a trusted host, from one of your friends, or even from your own email address. If you leave your email address at some Internet site or exchange email with other people, a spoofer may be able to use your email address as the sender address to send spam. File-transfer spoofing involves the FTP service. FTP data is sent in clear text. The data can be intercepted by an attacker. The data could then be viewed and altered before sending it on to the receiver. These forms of attacks are often used to get additional information from network users to complete a more aggressive attack. You should set up a filter that denies traffic originating from the Internet that shows an internal network address. Using the signing capabilities of certificates on servers and clients allows web and email services to be more secure. The use of IPsec can secure transmissions between critical servers and clients. This will help prevent these types of attacks from taking place.

Man in the Middle

The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. This type of attack is possible because of the nature of the three-way TCP handshake process using SYN and ACK packets. Because TCP is a connection-oriented protocol, a three-way handshake takes place when establishing a connection and when closing a session. When establishing a session, the client sends a SYN request, then the server sends an acknowledgment and synchronization (SYN-ACK) to the client, and then the client sends an ACK (also referred to as SYN-ACK-ACK), completing the connection. During this process, the attacker initiates the man-in-the-middle attack. The attacker
uses a program that appears to be the server to the client and appears to be the client to the server. The attacker can also choose to alter the data or merely eavesdrop and pass it along. This attack is common in Telnet and wireless technologies. It is also generally difficult to implement because of physical routing issues, TCP sequence numbers, and speed. Because the hacker has to be able to sniff both sides of the connection simultaneously, programs such as Juggernaut, T-Sight, and Hunt have been developed to help make the man-in-the-middle attack easier. If the attack is attempted on an internal network, physical access to the network will be required. Be sure that access to wiring closets and switches is restricted; if possible, the area should be locked. After you have secured the physical environment, the services and resources that allow a system to be inserted into a session should be protected. DNS can be compromised and used to redirect the initial request for service, providing an opportunity to execute a man-in-the-middle attack. DNS access should be restricted to read-only for everyone except the administrator. The best way to prevent these types of attacks is to use encryption and secure protocols.

EXAM ALERT A man-in-the-middle attack takes place when a computer intercepts traffic and either eavesdrops on the traffic or alters it.

Replay

In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. This type of attack can be used to replay bank transactions or other similar types of data transfer in the hopes of replicating or changing activities, such as deposits or transfers. Protecting yourself against replay attacks involves some type of time stamp associated with the packets or time-valued, nonrepeating serial numbers. Secure protocols such as IPsec prevent replays of data traffic in addition to providing authentication and data encryption.
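
The two defenses named above working together, as an added Python sketch that is not from the book: each message carries a time stamp and a nonrepeating serial number under an HMAC, and the receiver rejects anything stale, altered, or already seen. The shared key, the field names, and the 30-second window are assumptions made for the example.

```python
import hashlib
import hmac
import json

MAX_AGE_SECONDS = 30  # assumed freshness window


def sign_message(key, payload, serial, timestamp):
    """Bind payload, serial number and time stamp together under one MAC."""
    body = json.dumps(
        {"payload": payload, "serial": serial, "ts": timestamp},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class ReplayGuard:
    """Receiver side: verify the MAC, then the time stamp, then the serial."""

    def __init__(self, key, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # serial -> time stamp, kept only while still fresh

    def accept(self, message, now):
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: bad MAC"
        fields = json.loads(body)
        if abs(now - fields["ts"]) > self.max_age:
            return "rejected: stale time stamp"
        # Serials older than the window can be forgotten: the time stamp
        # check above already blocks any message that carries them.
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.max_age}
        if fields["serial"] in self.seen:
            return "rejected: serial already used"
        self.seen[fields["serial"]] = fields["ts"]
        return "accepted"


def demo():
    key = b"constructed-demo-key"  # constructed value, not a real secret
    guard = ReplayGuard(key)
    transfer = sign_message(key, "transfer 100 to account 42", serial=1001, timestamp=1000)
    fresh = sign_message(key, "transfer 100 to account 42", serial=1002, timestamp=1004)
    tampered = dict(transfer, body=transfer["body"].replace("transfer 100", "transfer 900"))
    return [
        guard.accept(transfer, now=1002),   # original delivery
        guard.accept(transfer, now=1005),   # captured copy replayed inside the window
        guard.accept(fresh, now=1006),      # same payload, new serial number
        guard.accept(transfer, now=1100),   # captured copy replayed much later
        guard.accept(tampered, now=1003),   # amount changed in transit
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The time stamp bounds how long serial numbers must be remembered, and the serial number covers replays that arrive while the time stamp is still fresh.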

Denial of Service

The purpose of a denial-of-service (DoS) attack is to disrupt the resources or services that a user would expect to have access to. These types of attacks are
executed by manipulating protocols and can happen without the need to be validated by the network. An attack typically involves flooding a listening port on your machine with packets. The premise is to make your system so busy processing the new connections that it cannot process legitimate service requests. Many of the tools used to produce DoS attacks are readily available on the Internet. Administrators use them to test connectivity and troubleshoot problems on the network, whereas malicious users use them to cause connectivity issues. Here are some examples of DoS attacks:

• Smurf/smurfing—This attack is based on the Internet Control Message Protocol (ICMP) echo reply function. It is more commonly known as ping, which is the command-line tool used to invoke this function. In this attack, the attacker sends ping packets to the broadcast address of the network, replacing the original source address in the ping packets with the source address of the victim, thus causing a flood of traffic to be sent to the unsuspecting network device.
• Fraggle—This attack is similar to a Smurf attack. The difference is that it uses UDP rather than ICMP. The attacker sends spoofed UDP packets to broadcast addresses as in the Smurf attack. These UDP packets are directed to port 7 (Echo) or port 19 (Chargen). When connected to port 19, a character generator attack can be run. Table 3.1 lists the most commonly exploited ports.
• Ping flood—This attack attempts to block service or reduce activity on a host by sending ping requests directly to the victim. A variation of this type of attack is the ping of death, in which the packet size is too large and the system doesn’t know how to handle the packets.
• SYN flood—This attack takes advantage of the TCP three-way handshake. The source system sends a flood of synchronization (SYN) requests and never sends the final acknowledgment (ACK), thus creating half-open TCP sessions. Because the TCP stack waits before resetting the port, the attack overflows the destination computer’s connection buffer, making it impossible to service connection requests from valid users.
• Land—This attack exploits a behavior in the operating systems of several versions of Windows, UNIX, Macintosh OS, and Cisco IOS with respect to their TCP/IP stacks. The attacker spoofs a TCP/IP SYN packet to the victim system with the same source and destination IP address and the same source and destination ports. This confuses the system as it tries to respond to the packet.
• Teardrop—This form of attack targets a known behavior of UDP in the TCP/IP stack of some operating systems. The Teardrop attack sends fragmented UDP packets to the victim with odd offset values in subsequent packets. When the operating system attempts to rebuild the original packets from the fragments, the fragments overwrite each other, causing confusion. Because some operating systems cannot gracefully handle the error, the system will most likely crash or reboot.
• Bonk—This attack affects mostly Windows 95 and NT machines by sending corrupt UDP packets to DNS port 53. The attack modifies the fragment offset in the packet. The target machine then attempts to reassemble the packet. Because of the offset modification, the packet is too big to be reassembled, and the system crashes.
• Boink—This is a Bonk attack that targets multiple ports rather than just port 53.

DoS attacks come in many shapes and sizes. The first step to protecting yourself from an attack is to understand the nature of different types of attacks in the preceding list.

Distributed DoS

Another form of attack is a simple expansion of a DoS attack, referred to as a distributed DoS (DDoS) attack. Masters are computers that run the client software, and zombies run software. The attacker creates masters, which in turn create a large number of zombies or recruits. The software running on the zombies can launch multiple types of attacks, such as UDP or SYN floods on a particular target. A typical DDoS is shown in Figure 3.2. In simple terms, the attacker distributes zombie software that allows the attacker partial or full control of the infected computer system.

EXAM ALERT When an attacker has enough systems compromised with the installed zombie software, he can initiate an attack against a victim from a wide variety of hosts. The attacks come in the form of the standard DoS attacks, but the effects are multiplied by the total number of zombie machines under the control of the attacker.

FIGURE 3.2 A DDoS attack. (Diagram labels: Attacker, Master, Zombie, Victim.)

Although DDoS attacks generally come from outside the network to deny services, the impact of DDoS attacks mounted from inside the network must also be considered. Internal DDoS attacks allow disgruntled or malicious users to disrupt services without any outside influence. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks. You should also set up another filter that denies traffic originating from the Internet that shows an internal network address. When you do this, the loss of ping and some services and utilities for testing network connectivity will be incurred, but this is a small price to pay for network protection. If the operating system allows it, reduce the amount of time before the reset of an unfinished TCP connection. Doing so makes it harder to keep resources unavailable for extended periods of time.
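
The border filters recommended here and in the Spoofing section, as an added Python example that is not from the book: packets arriving on the Internet-facing interface are denied when the source claims an internal or private address, when they match the Land pattern, or when they target the internal broadcast address used by Smurf and Fraggle. The interface names, the internal prefix 203.0.113.0/24, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Private ranges listed in this chapter, plus loopback: never valid as a
# source address on traffic that arrives from the Internet.
NEVER_FROM_INTERNET = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class BorderFilter:
    def __init__(self, external_iface, internal_nets):
        self.external_iface = external_iface
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]

    def decide(self, pkt):
        """Return (action, reason) for one packet."""
        if pkt.iface != self.external_iface:
            return ("permit", "not from the Internet side")
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if pkt.proto == "tcp" and src == dst and pkt.sport == pkt.dport:
            return ("deny", "Land pattern: identical source and destination")
        if any(src in net for net in self.internal_nets):
            return ("deny", "source claims an internal address")
        if any(src in net for net in NEVER_FROM_INTERNET):
            return ("deny", "source is private or loopback")
        if any(dst == net.broadcast_address for net in self.internal_nets):
            return ("deny", "directed broadcast into the internal network")
        return ("permit", "no spoofing indicator")


# Constructed sample traffic; wan0 faces the Internet, lan0 faces inside.
SAMPLE_PACKETS = [
    Packet("wan0", "tcp", "198.51.100.20", "203.0.113.5", 51000, 443),
    Packet("wan0", "tcp", "203.0.113.9", "203.0.113.5", 40000, 25),
    Packet("wan0", "udp", "10.1.2.3", "203.0.113.5", 5353, 53),
    Packet("wan0", "tcp", "203.0.113.5", "203.0.113.5", 139, 139),
    Packet("wan0", "icmp", "198.51.100.77", "203.0.113.255"),
    Packet("lan0", "tcp", "203.0.113.9", "198.51.100.20", 40001, 80),
]


def demo():
    border = BorderFilter("wan0", ["203.0.113.0/24"])
    return [border.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_PACKETS, demo()):
        print(f"{action:6} {pkt.proto:4} {pkt.src} -> {pkt.dst}: {reason}")
```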

TIP In the case of a DDoS attack, your best weapon is to get in touch quickly with your upstream Internet service provider (ISP) and see whether it can divert traffic or block the traffic at a higher level.

Subscribing to newsgroups and checking security websites daily ensures that you keep up with the latest attacks and exploits. Applying the manufacturer’s latest operating system patches or fixes can also help prevent attacks.

DNS Kiting

A newly registered domain name can be deleted or dropped with full refund of the registration fee during an initial five-day window called the add grace period (AGP). DNS kiting refers to the practice of taking advantage of this AGP to monopolize domain names without ever paying for them. How domain kiting works is that a domain name is deleted during the five-day AGP and immediately re-registered for another five-day period. This process is continued constantly, resulting in the domain being registered without actually paying for it. DNS kiting can be done on a large scale. In this instance, hundreds or thousands of domain names are registered, populated with advertisements, and then canceled just before the five-day grace period. The amount of revenue generated by an individual kited domain is very small. However, there is no cost, and automation allows the registration of multiple domains. Besides automatically registering domain names and placing advertising, domain kiters can track the amount of revenue generated. This is called domain tasting. It is used to test the profitability of domain names. The AGP is used as a cost-benefit period to determine whether traffic generated by the domain name can offset the registration cost.

EXAM ALERT Kited domains present several issues. They force search engines to return less-relevant results, tie up domain names that legitimate businesses may want to use, and capitalize on slight variations of personal or business website addresses.

The drawback for domain kiters is the chance that when the domain name is dropped at the end of the AGP, it will not be successfully re-registered. DNS kiting can be eliminated if registrars such as the Internet Corporation for Assigned Names and Numbers (ICANN) stop the AGP practice, limit how many domains a client can register per day, or refuse to issue repeated refunds to the same client. It has also been suggested that if the ICANN portion of the registration fee were nonrefundable, the practice would stop.

DNS Poisoning

DNS poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere he chooses. This not only sends a requestor to a different website but also
caches this information for a short period, distributing the attack’s effect to the server users. DNS poisoning may also be referred to as DNS cache poisoning because it affects the information that is cached. All Internet page requests start with a DNS query. If the IP address is not known locally, the request is sent to a DNS server. There are two types of DNS servers: authoritative and recursive. DNS servers share information, but recursive servers maintain information in cache. This means a caching or recursive server can answer queries for resource records even if it can’t resolve the request directly.

A flaw in the resolution algorithm allows the poisoning of DNS records on a server. All an attacker has to do is delegate a false name to the domain server along with providing a false address for the server. For example, an attacker creates a hostname hack.hacking.biz. After that, the attacker queries your DNS server to resolve the host hacking.biz. The DNS server resolves the name and stores this information in its cache. Until the zone expiration, any further requests for hacking.biz do not result in lookups but are answered by the server from its cache. It is now possible for the attacker to set your DNS server as the authoritative server for the attacker’s zone with the domain registrar. If the attacker conducts malicious activity, the attacker can make it appear that your DNS server is being used for these malicious activities.

DNS poisoning can have many different implications. Domain name servers can be used for DDoS attacks. Malware can be downloaded to an unsuspecting user’s computer from the rogue site, and all future requests by that computer will be redirected to the fake IP address. This could be used to build an effective botnet. This method of poisoning could also allow for cross-site scripting exploits, especially because Web 2.0 capabilities allow content to be pulled from multiple websites at the same time.

To minimize the effects of DNS poisoning, check the DNS setup if you are hosting your own DNS. Be sure the DNS server is not open-recursive. An open-recursive DNS server responds to any lookup request, without checking where it originates. Disable recursive access for other networks to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups and require that caches discard information except from the com servers and the root servers. From the user perspective, education works best. However, it is becoming more difficult to spot a problem by watching the address bar on the Internet browser. Therefore, operating system vendors are adding more protection. Microsoft Vista’s User Account Control (UAC) notifies the user that a program is attempting to change the system’s DNS settings, thus preventing the DNS cache from being poisoned.

ARP Poisoning

All network cards have a unique 48-bit address that is hard-coded into the network card. For network communications to occur, this hardware address must be associated with an IP address. Address Resolution Protocol (ARP), which operates at Layer 2 (data link layer) of the Open Systems Interconnect (OSI) model, associates MAC addresses to IP addresses. ARP is a lower-layer protocol that is simple and consists of requests and replies without validation. However, this simplicity also leads to a lack of security. When you use a protocol analyzer to look at traffic, you see an ARP request and an ARP reply, which are the two basic parts of ARP communication. There are also Reverse ARP (RARP) requests and RARP replies. Devices maintain an ARP table that contains a cache of the IP addresses and MAC addresses the device has already correlated. The host device searches its ARP table to see whether there is a MAC address corresponding to the destination host IP address. When there is no matching entry, it broadcasts an ARP request to the entire network. The broadcast is seen by all systems, but only the device that has the corresponding information replies. However, devices can accept ARP replies before even requesting them. This type of entry is known as an unsolicited entry because the information was not explicitly requested.

EXAM ALERT Because ARP does not require any type of validation, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices. This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address.

In addition, they can broadcast a fake or spoofed ARP reply to an entire network and poison all computers. This is known as ARP poisoning. Put simply, the attacker deceives a device on your network, poisoning its table associations of other devices. ARP poisoning can lead to attacks such as DoS, man-in-the-middle attacks, and MAC flooding. DoS and man-in-the-middle attacks were discussed earlier in this chapter. MAC flooding is an attack directed at network switches. This type of attack is successful because of the nature of the way all switches and bridges work. The amount of space allocated to store source addresses of packets is very limited. When the table becomes full, the device can no longer learn new information and becomes flooded. As a result, the switch can be forced into a hublike state that will broadcast all network traffic to every device in the network.

An example of this is a tool called Macof. Macof floods the network with random MAC addresses. Switches may then get stuck in open-repeating mode, leaving the network traffic susceptible to sniffing. Nonintelligent switches do not check the sender’s identity, thereby allowing this condition to happen. A lesser vulnerability of ARP is port stealing. Port stealing is a man-in-the-middle attack that exploits the binding between the port and the MAC address. The principle behind port stealing is that an attacker sends numerous packets with the source IP address of the victim and the destination MAC address of the attacker. This attack applies to broadcast networks built from switches. ARP traffic operates at Layer 2 (data link layer) of the OSI model and is broadcast on local subnets. ARP poisoning is limited to attacks that are local-based, so an intruder needs either physical access to your network or control of a device on your local network. To mitigate ARP poisoning on a small network, you can use static or script-based mapping for IP addresses and ARP tables. For large networks, use equipment that offers port security. By doing so, you can permit only one MAC address for each physical port on the switch. In addition, you can deploy monitoring tools or an intrusion detection system (IDS) to alert you when suspect activity occurs.
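
The monitoring suggested in the last paragraph, as an added Python example that is not from the book: ARP observations are checked against a static IP-to-MAC table, and the monitor alerts on unsolicited replies, on bindings that change, and on one MAC address answering for several IP addresses. All addresses and events are constructed, and tracking pending requests by target IP alone is a simplification.

```python
from collections import defaultdict

# Static IP-to-MAC mappings the administrator trusts (constructed values).
STATIC_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",   # default gateway
    "192.168.1.10": "00:11:22:33:44:10",  # file server
}

# Constructed observations, in the order a sensor would see them.
SAMPLE_EVENTS = [
    {"op": "request", "target_ip": "192.168.1.1"},
    {"op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "00:11:22:33:44:01"},
    {"op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "02:00:00:00:00:66"},
    {"op": "reply", "sender_ip": "192.168.1.10", "sender_mac": "02:00:00:00:00:66"},
]


class ArpMonitor:
    def __init__(self, static_bindings):
        self.static = dict(static_bindings)
        self.learned = {}                   # ip -> last accepted mac
        self.pending = set()                # IPs with an outstanding request
        self.ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed

    def observe(self, event):
        """Process one ARP request or reply and return a list of alerts."""
        alerts = []
        if event["op"] == "request":
            self.pending.add(event["target_ip"])
            return alerts

        ip = event["sender_ip"]
        mac = event["sender_mac"].lower()

        # ARP accepts replies nobody asked for, so flag them explicitly.
        if ip not in self.pending:
            alerts.append(f"unsolicited reply for {ip} from {mac}")
        self.pending.discard(ip)

        trusted = self.static.get(ip)
        conflicts_with_static = trusted is not None and trusted != mac
        if conflicts_with_static:
            alerts.append(f"{ip} is pinned to {trusted} but reply claims {mac}")

        previous = self.learned.get(ip)
        if previous and previous != mac:
            alerts.append(f"{ip} moved from {previous} to {mac}")

        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            claimed = sorted(self.ips_by_mac[mac])
            alerts.append(f"{mac} now answers for {claimed}")

        # A pinned entry is never overwritten by what the wire says.
        if not conflicts_with_static:
            self.learned[ip] = mac
        return alerts


def run_monitor(events):
    monitor = ArpMonitor(STATIC_BINDINGS)
    return [monitor.observe(event) for event in events]


if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_EVENTS, run_monitor(SAMPLE_EVENTS)):
        print(event["op"], alerts or "ok")
```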

Network Design Elements and Components

As you create a network security policy, you must define procedures to defend your network and users against harm and loss. With this objective in mind, a network design and the included components play an important role in implementing the overall security of the organization. An overall security solution includes design elements and components such as firewalls, VLANs, and perimeter network boundaries that distinguish between private networks, intranets, and the Internet. This section discusses these elements and will help you tell them apart and understand their function in the security of the network.

Demilitarized Zone

A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy. Both internal and external users may have limited access to the servers in the DMZ. Figure 3.3 depicts a DMZ.

FIGURE 3.3 A DMZ. (Diagram labels: Internet, Router, DMZ, Email Server, Web Server, Firewall, Internal Server.)

Often, web and mail servers are placed in the DMZ. Because these devices are exposed to the Internet, it is important that they are hardened and patches are kept current. Table 3.2 lists the most common services and ports that are run on servers inside the DMZ.

TABLE 3.2 Commonly Used Ports on Servers in the DMZ

Port    Service
21      FTP
22      SSH
25      SMTP
53      DNS
80      HTTP
110     POP3
443     HTTPS

The DMZ is an area that allows external users to access information that the organization deems necessary but will not compromise any internal organizational information. This configuration allows outside access, yet prevents external users from directly accessing a server that holds internal organizational data.

Intranet

An intranet is a portion of the internal network that uses web-based technologies. The information is stored on web servers and accessed using browsers. Although web servers are used, they don’t necessarily have to be accessible to the outside world. This is possible because the IP addresses of the servers are reserved for private, internal use. You learn more about private IP addresses in the “NAT” section, later in this chapter. If the intranet can be accessed from public networks, it should be through a virtual private network (VPN) for security reasons. VPNs are described in greater detail in Chapter 6, “Securing Communications.”

Extranet

An extranet is the public portion of the company’s IT infrastructure that allows resources to be used by authorized partners and resellers that have proper authorization and authentication. This type of arrangement is commonly used for business-to-business relationships. Because an extranet can provide liability for a company, care must be taken to ensure that VPNs and firewalls are configured properly and that security policies are strictly enforced.

Virtual Local Area Network

The purpose of a virtual local area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. Because switches operate on Layer 2 (data link layer) of the OSI model, a router is required if data is to be passed from one VLAN to another.

EXAM ALERT The purpose of a VLAN is to logically group network nodes regardless of their physical location.

Frame tagging is the technology used for VLANs. The 802.1Q standard defines a mechanism that encapsulates the frames with headers, which then tags them with a VLAN ID. VLAN-aware network devices look for these tags in frames and make appropriate forwarding decisions. A VLAN is basically a software
solution that allows unique tag identifiers to be assigned to different ports on the switch. The most notable benefit of using a VLAN is that it can span multiple switches. Because users on the same VLAN don’t have to be associated by physical location, they can be grouped by department or function. Here are the benefits that VLANs provide:

• Users can be grouped by department rather than physical location.
• Moving and adding users is simplified. No matter where a user physically moves, changes are made to the software configuration in the switch.
• Because VLANs allow users to be grouped, applying security policies becomes easier.

Keep in mind that use of a VLAN is not an absolute safeguard against security infringements. It does not provide the same level of security as a router. A VLAN is a software solution and cannot take the place of a well-subnetted or routed network. It is possible to make frames hop from one VLAN to another. This takes skill and knowledge on the part of an attacker, but it is possible. For more information about frame tagging and VLANs, see the “Suggested Reading and Resources” section at the end of the chapter.
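
The 802.1Q tag described above, as an added Python example that is not from the book: a parser that reads the tag (priority, DEI bit, and 12-bit VLAN ID) from a raw Ethernet frame, plus an audit that flags tagged or multiply tagged frames arriving on a port where hosts should send untagged traffic. The frames, MAC addresses, and the access-port policy are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # tag protocol identifier that marks an 802.1Q tag


def parse_vlan_tags(frame):
    """Return (tags, ethertype); each tag holds priority, dei and vlan_id."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "priority": tci >> 13,        # top 3 bits
            "dei": (tci >> 12) & 1,       # drop eligible indicator
            "vlan_id": tci & 0x0FFF,      # low 12 bits
        })
        offset += 4  # move past this tag to the next EtherType field


def build_frame(vlan_ids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: fixed MACs, optional tags, then EtherType."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tags = b"".join(
        struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids
    )
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def audit_access_port(frame, port_vlan):
    """List policy findings for a frame received from a host-facing port."""
    tags, _ = parse_vlan_tags(frame)
    findings = []
    if not tags:
        return findings  # untagged: the switch assigns port_vlan itself
    findings.append("tagged frame received on an access port")
    if len(tags) > 1:
        ids = [t["vlan_id"] for t in tags]
        findings.append(f"stacked 802.1Q tags: {ids}")
    if any(t["vlan_id"] != port_vlan for t in tags):
        findings.append(f"tag names a VLAN other than port VLAN {port_vlan}")
    return findings


if __name__ == "__main__":
    for vlan_ids in ([], [1], [1, 20]):
        frame = build_frame(vlan_ids)
        print(vlan_ids, parse_vlan_tags(frame), audit_access_port(frame, 1))
```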

Network Address Translation

Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. An important security aspect of NAT is that it hides the internal network from the outside world. In this situation, the internal network uses a private IP address. Special ranges in each IP address class are used specifically for private addressing. These addresses are considered nonroutable on the Internet. Here are the private address ranges:

• Class A—10.0.0.0 network. Valid host IDs are from 10.0.0.1 to 10.255.255.254.
• Class B—172.16.0.0 through 172.31.0.0 networks. Valid host IDs are from 172.16.0.1 through 172.31.255.254.
• Class C—192.168.0.0 network. Valid host IDs are from 192.168.0.1 to 192.168.255.254.

For smaller companies, NAT can be used in the form of Windows Internet Connection Sharing (ICS), where all machines share one Internet connection, such as a dial-up modem. NAT can also be used for address translation between multiple protocols, which improves security and provides for more interoperability in heterogeneous networks.

NOTE Keep in mind that NAT and IPsec may not work well together. NAT has to replace the headers of the incoming packet with its own headers before sending the packet. This might not be possible because IPsec information is encrypted.

TIP Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA). In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range.

Subnetting

Subnetting can be done for several reasons. If you have a Class C address and 1,000 clients, you will have to subnet the network or use a custom subnet mask to accommodate all the hosts. The most common reason networks are subnetted is to control network traffic. Splitting one network into two or more and using routers to connect each subnet together means that broadcasts can be limited to each subnet. However, often networks are subnetted to improve network security, not just performance. Subnetting allows you to arrange hosts into the different logical groups that isolate each subnet into its own mini network. Subnet divisions can be based on business goals and security policy objectives. For example, perhaps you use contract workers and want to keep them separated from the organizational employees. Often, organizations with branches use subnets to keep each branch separate. When your computers are on separate physical networks, you can divide your network into subnets that enable you to use one block of addresses on multiple physical networks. If an incident happens and you notice it quickly, you can usually contain the issue to that particular subnet.


IP Classes

In case you are unclear about IP classes, the following information will help you review or learn about the different classes. IP address space is divided into five classes: A, B, C, D, and E. The first byte of the address determines which class an address belongs to:

. Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each.
. Network addresses with the first byte between 128 and 191 are Class B and can have about 65,000 hosts each.
. Network addresses with the first byte between 192 and 223 are Class C and can have about 250 hosts.
. Network addresses with the first byte between 224 and 239 are Class D and are used for multicasting.
. Network addresses with the first byte between 240 and 255 are Class E and are used as experimental addresses.

Notice that the 127 network address is missing. Although the 127.0.0.0 network is technically in the Class A area, using addresses in this range causes the protocol software to return data without sending traffic across a network. For example, the address 127.0.0.1 is used for TCP/IP loopback testing, and the address 127.0.0.2 is used by most DNS black lists for testing purposes. Should you need additional review on IP addressing and subnetting, a wide variety of information is available. One such website is Learntosubnet.com. Figure 3.4 shows an internal network with two different subnets. Notice the IP addresses, subnet masks, and default gateway.

EXAM ALERT Watch for scenarios or examples such as Figure 3.4 asking you to identify a correct/incorrect subnet mask, default gateway address, or router.

IPv6 is designed to replace IPv4. Addresses are 128 bits rather than the 32 bits used in IPv4. Just as in IPv4, blocks of addresses are set aside in IPv6 for private addresses. In IPv6, internal addresses are called unique local addresses (ULA). Addresses starting with fe80: are called link-local addresses and are routable only in the local link area. IPv6 addresses are represented in hexadecimal. For more information about IPv6, visit http://www.ipv6.org/.


FIGURE 3.4 A segmented network. Notice the subnets 192.168.1.0 and 192.168.2.0 identified next to the router. These are not valid IP addresses for a network router and are used to identify the 192.168.1.x and 192.168.2.x networks in routing tables.

Subnet 192.168.1.0
. IP address: 192.168.1.15 Subnet mask: 255.255.255.0 Default Gateway: 192.168.1.1
. IP address: 192.168.1.25 Subnet mask: 255.255.255.0 Default Gateway: 192.168.1.1

Subnet 192.168.2.0
. IP address: 192.168.2.15 Subnet mask: 255.255.255.0 Default Gateway: 192.168.2.1
. IP address: 192.168.2.25 Subnet mask: 255.255.255.0 Default Gateway: 192.168.2.1
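The private ranges, the first-byte class rules, and the Figure 3.4 exercise of spotting a wrong subnet mask or default gateway can all be checked mechanically. The following Python sketch is an added example, not part of the book; the function names and the misconfigured test values are assumptions made for illustration.

```python
import ipaddress

# Private ranges from the text, written as CIDR blocks (added example).
PRIVATE_RANGES = {
    "Class A private": ipaddress.ip_network("10.0.0.0/8"),
    "Class B private": ipaddress.ip_network("172.16.0.0/12"),
    "Class C private": ipaddress.ip_network("192.168.0.0/16"),
}
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# The four hosts shown in Figure 3.4: (IP address, subnet mask, default gateway).
FIGURE_3_4_HOSTS = [
    ("192.168.1.15", "255.255.255.0", "192.168.1.1"),
    ("192.168.1.25", "255.255.255.0", "192.168.1.1"),
    ("192.168.2.15", "255.255.255.0", "192.168.2.1"),
    ("192.168.2.25", "255.255.255.0", "192.168.2.1"),
]


def address_class(addr):
    """Classful letter decided by the first byte, following the chapter's list."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 127:
        return "loopback"          # the "missing" 127 network
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if 240 <= first <= 255:
        return "E"
    return "reserved"              # first byte 0


def address_scope(addr):
    """Say whether an address is private, APIPA, loopback, or public."""
    ip = ipaddress.IPv4Address(addr)
    for name, net in PRIVATE_RANGES.items():
        if ip in net:
            return name
    if ip in APIPA:
        return "APIPA"
    if ip in LOOPBACK:
        return "loopback"
    return "public"


def check_host(ip, mask, gateway):
    """Return a list of problems with a host's settings (empty list = consistent)."""
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:      # bad address, or a mask with non-contiguous bits
        return [f"invalid address or mask: {exc}"]
    net = iface.network
    edges = (net.network_address, net.broadcast_address)
    problems = []
    if iface.ip in edges:
        problems.append("host address is the subnet's network or broadcast address")
    if gw not in net:
        problems.append("default gateway is not on the host's subnet")
    elif gw in edges:
        problems.append("default gateway is the subnet's network or broadcast address")
    elif gw == iface.ip:
        problems.append("default gateway is the host's own address")
    return problems


if __name__ == "__main__":
    for host in FIGURE_3_4_HOSTS:
        print(host, address_class(host[0]), address_scope(host[0]), check_host(*host))
    # Constructed misconfiguration: a 192.168.2.x host pointed at the other subnet's gateway.
    print(check_host("192.168.2.15", "255.255.255.0", "192.168.1.1"))
```

A gateway of 192.168.1.0 is rejected for the reason the figure caption gives: that value names the network in routing tables and is not a usable router address.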

Network Interconnections

Besides securing ports and protocols from outside attacks, connections between interconnecting networks should be secured. This situation may come into play when an organization establishes network interconnections with partners. This might be in the form of an extranet or actual connection between the involved organizations as in a merger, acquisition, or joint project. Business partners can include government agencies and commercial organizations. Although this type of interconnection increases functionality and reduces costs, it can result in security risks. These risks include compromise of all connected systems and any network connected to those systems, along with exposure of data the systems handle. With interconnected networks, the potential for damage greatly increases because one compromised system on one network can easily spread to other networks. Organizational policies should require an interconnection agreement for any system or network that shares information with another external system or network. Organizations need to carefully evaluate risk-management procedures and ensure that the interconnection is properly designed. The partnering organizations have little to no control over the management of the other party’s system, so without careful planning and assessment, both parties can be harmed. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems, provides guidance for any organization that is considering interconnecting with a government agency or other organization.

Network Access Control

One of the most effective ways to protect the network from malicious hosts is to use network access control (NAC). NAC offers a method of enforcement that helps ensure computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, granting (or not granting) access accordingly. It is based on assessment and enforcement. For example, if the user’s computer patches are not up-to-date, and no desktop firewall software is installed, you can decide whether to limit access to network resources. Any host machine that doesn’t comply with your defined policy could be relegated to a remediation server, or put on a guest VLAN. The basic components of NAC products are:

. Access requestor (AR)—This is the device that requests access. The assessment of the device can be self-performed or delegated to another system.
. Policy decision point (PDP)—This is the system that assigns a policy based on the assessment. The PDP determines what access should be granted and may be the NAC’s product-management system.
. Policy enforcement point (PEP)—This is the device that enforces the policy. This device may be a switch, firewall, or router.

The four ways NAC systems can be integrated into the network are:

. Inline—An appliance in the line, usually between the access and the distribution switches
. Out-of-band—Intervenes and performs an assessment as hosts come online and then grants appropriate access
. Switch based—Similar to inline NAC except enforcement occurs on the switch itself
. Host based—Relies on an installed host agent to assess and enforce access policy

In addition to providing the ability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers a number of business benefits.


The business benefits include compliance, a better security posture, and operational cost management.

Telephony

The transmission of data through equipment in a telecommunications environment is known as telephony. Telephony includes transmission of voice, fax, or other data. This section describes the components that need to be considered when securing the environment. Often, these components are neglected because they are not really network components. However, they use communications equipment that is susceptible to attack and therefore must be secured.

Telecom/PBX

The telecommunications (telecom) system and Private Branch Exchange (PBX) are a vital part of an organization’s infrastructure. Besides the standard block, there are also PBX servers, where the PBX board plugs into the server and is configured through software on the computer. Many companies have moved to Voice over IP (VoIP) to integrate computer telephony, videoconferencing, and document sharing. For years PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy. To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

Voice over Internet Protocol

VoIP uses the Internet to transmit voice data. A VoIP system might be composed of many different components, including VoIP phones, desktop systems, PBX servers, and gateways. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent. In addition, there are voice-specific attacks and threats. H.323 and Inter Asterisk eXchange (IAX) are specifications and protocols for audio/video. They enable VoIP connections between servers and enable client/server communication. H.323 and IAX protocols can be vulnerable to sniffing during authentication. This allows an attacker to obtain passwords that may be used to compromise the voice network. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Man-in-the-middle attacks between the SIP phone and SIP proxy allow the audio to be manipulated, causing dropped, rerouted, or playback calls. Many components comprise a VoIP network, and VoIP security is built upon many layers of traditional data security. Therefore, access can be gained in a lot of areas. Implementing the following solutions can help mitigate the risks and vulnerabilities associated with VoIP:

. Encryption
. Authentication
. Data validation
. Nonrepudiation

Modems

Modems are used via the phone line to dial in to a server or computer. They are gradually being replaced by high-speed cable and Digital Subscriber Line (DSL) solutions, which are faster than dial-up access. However, some companies still use modems for employees to dial into the network and work from home. The modems on network computers or servers are usually configured to take incoming calls. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. This attack can be set to target connected modems that are set to receive calls without any authentication, thus allowing attackers an easy path into the network. You can resolve this problem area in several ways:

. Set the callback features to have the modem call the user back at a preset number.
. Make sure authentication is required using strong passwords.
. Be sure employees have not set up modems at their workstations with remote-control software installed.

Cable and DSL modems are popular these days. They act more like routers than modems. Although these devices are not prone to war-dialing attacks, they do present a certain amount of danger by maintaining an always-on connection. If you leave the connection on all the time, a hacker has ample time to get into the machine and the network. The use of encryption and firewall solutions will help keep the environment safe from attacks.


Network Security Tools

The easiest way to keep a computer safe is by physically isolating it from outside contact. The way most companies do business today makes this virtually impossible. Our networks and environments are becoming increasingly more complex. Securing the devices on the network is imperative to protecting the environment. To secure devices, you must understand the basic security concepts of network security tools. This section introduces security concepts as they apply to the physical security devices used to form the protection found on most networks.

NIDS and HIDS

IDS stands for intrusion-detection system. Intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. They are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of IDSs are network-based and host-based. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines, and host-based IDSs (HIDSs) look at information that originates on the individual machines. Here are some basics:

. NIDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.
. HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.

EXAM ALERT NIDSs try to locate packets not allowed on the network that the firewall missed. HIDSs collect and analyze data that originates on the local machine or a computer hosting a service. NIDSs tend to be more distributed.

NIDSs and HIDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. They can be placed internally or between firewalls. Many different types of IDSs are available, all with different capabilities, so make sure they meet the needs of your company before committing to using them. Chapter 7, “Intrusion Detection and Security Baselines,” covers IDSs in more detail.

Network Intrusion Prevention System

Network intrusion-prevention systems (NIPSs) are sometimes considered to be an extension of IDSs. NIPSs can be either hardware- or software-based, like many other network-protection devices. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of an attack. Intrusion-detection software is reactive, scanning for configuration weaknesses and detecting attacks after they occur. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop. NIPS are designed to sit inline with traffic flows and prevent attacks in real time. An inline NIPS works like a Layer 2 bridge. It sits between the systems that need to be protected and the rest of the network. They proactively protect machines against damage from attacks that signature-based technologies cannot detect because most NIPS solutions can look at application layer protocols such as HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it doesn’t cause a complete network outage; instead, it acts like a patch cable. NIPS are explained in greater detail in Chapter 7, “Intrusion Detection and Security Baselines.”

Firewalls

A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. A firewall is the first line of defense for the network. How firewalls are configured is important, especially for large companies where a compromised firewall may spell disaster in the form of bad publicity or a lawsuit, not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies don’t have a full-time technology staff, and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. Figure 3.5 shows a network with a firewall in place.


FIGURE 3.5 A network with a firewall. Diagram labels: Internet, Firewall, Server, Computer (three).

There are three main types of firewalls:

. Packet-filtering firewall
. Proxy-service firewall, including two types of proxies:
  . Circuit-level gateway
  . Application-level gateway
. Stateful-inspection firewall

The following sections describe each type in detail.

Packet-Filtering Firewall

A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. This leaves the system open to DoS attacks. Even though they are the simplest and least secure, they are a good first line of defense. Their main advantage is speed, which is why they are sometimes used before other types of firewalls to perform the first filtering pass.


Proxy Service Firewall

Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don’t allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. It receives all packets and replaces the IP address on the packets going out with its own address and then changes the address of the packets coming in to the destination address. Here are the two basic types of proxies:

. Circuit-level gateway—Operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one. DoS attacks are detected and prevented in circuit-level architecture where a security device discards suspicious requests.
. Application-level gateway—All traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Because the filtering is application-specific, it adds overhead to the transmissions but is more secure than packet filtering.

Stateful-Inspection Firewall

A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Because it knows the connection status, it can protect against IP spoofing. It has better security controls than packet filtering, but because it has more security controls and features, it increases the attack surface and is more complicated to maintain.
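The difference between judging each packet alone and knowing the connection status is easiest to see when both models process the same traffic. The Python sketch below is an added example, not from the book: the rule set (outbound web access only), the addresses, and the packet list are constructed, and the connection tracking is a deliberate simplification of what a real stateful firewall does.

```python
from collections import namedtuple

# direction is relative to the protected network: "out" leaves it, "in" enters it.
Packet = namedtuple("Packet", "direction src sport dst dport flags")


def packet_filter(pkt):
    """Stateless packet filter: every packet is judged alone, on ports only.

    Policy (assumed for this example): inside hosts may browse the web.
    To let replies back in, the only available rule is "source port 80".
    """
    if pkt.direction == "out":
        return pkt.dport == 80
    return pkt.sport == 80


class StatefulFirewall:
    """Same policy, but inbound packets must belong to a tracked connection."""

    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.dport != 80:
                return False
            conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":          # an inside host opens a connection
                self.table.add(conn)
        else:
            conn = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        allowed = conn in self.table
        # Simplification: forget the connection as soon as FIN or RST is seen.
        if allowed and pkt.flags in ("FIN", "RST"):
            self.table.discard(conn)
        return allowed


# Constructed traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
TRAFFIC = [
    Packet("out", "192.168.1.15", 40000, "203.0.113.10", 80, "SYN"),
    Packet("in", "203.0.113.10", 80, "192.168.1.15", 40000, "SYN-ACK"),
    Packet("out", "192.168.1.15", 40000, "203.0.113.10", 80, "ACK"),
    # Unsolicited inbound packet: no inside host ever opened this connection.
    Packet("in", "198.51.100.7", 80, "192.168.1.25", 445, "ACK"),
    Packet("in", "203.0.113.10", 80, "192.168.1.15", 40000, "RST"),
    # Arrives after the connection was torn down.
    Packet("in", "203.0.113.10", 80, "192.168.1.15", 40000, "ACK"),
    # Outbound traffic the policy does not permit.
    Packet("out", "192.168.1.15", 40001, "203.0.113.10", 25, "SYN"),
]


def compare(traffic):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulFirewall()
    return [(packet_filter(p), stateful.allow(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.flags:7} stateless={stateless} stateful={stateful}")
```

The fourth and sixth packets pass the stateless rules because only their ports are examined, while the stateful table rejects them for lack of a matching connection.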

Other Firewall Considerations

In addition to the core firewall components, administrators should consider other elements when designing a firewall solution. These include network, remote-access, and authentication policies. Firewalls can also provide access control, logging, and intrusion notification.

Proxy Servers

A proxy server operates on the same principle as a proxy-level firewall in that it is a go-between for the network and the Internet. Proxy servers are used for security, logging, and caching. When the proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache for previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. The web cache can also be used to block content from websites that you don’t want employees to access, such as pornography, social, or peer-to-peer networks. This type of server can be used to rearrange web content to work for mobile devices. It also provides better utilization of bandwidth because it stores all your results from requests for a period of time.

TIP An exposed server that provides public access to a critical service, such as a web or email server, may be configured to isolate it from an organization’s network and to report attack attempts to the network administrator. Such an isolated server is referred to as a bastion host, named for the isolated towers that were used to provide castles advance notice of pending assault.

Internet Content Filters

Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. Content filtering will report only on violations identified in the specified applications listed for the filtering application. In other words, if the application will filter only Microsoft Office documents and a user chooses to use OpenOffice, the content will not be filtered. Internet content filtering works by analyzing data against a database contained in the software. If a match occurs, the data can be addressed in one of several ways, including filtering, capturing, or blocking the content and closing the application. An example of such software is Vista’s Parental Controls. Content filtering requires an agent on each workstation to inspect the content being accessed. If the content data violates the preset policy, a capture of the violating screen is stored on the server with pertinent information relating to the violation. This might include a violation stamp with user, time, date, and application. This information can later be reviewed. Using a predetermined database of specific terminology can help the organization focus on content that violates policy. For example, a sexually explicit database may contain words that are used in the medical industry. Content-filtering applications allow those words that are used in medical context to pass through the filter without reporting a violation. This same principle enables an organization to monitor for unauthorized transfer of confidential information. Content filtering is integrated at the operating system level so that it can monitor events such as opening files via Windows Explorer. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes. Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” For example, to filter nonpornographic material, the terminology must be input and defined in the database.

Protocol Analyzers

Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Protocol analyzers can do more than just look at packets. They prove useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if the network is running slowly, a protocol analyzer can tell you whether unnecessary protocols are running on the network. You can also filter specific port numbers and types of traffic so that you can keep an eye on indicators that may cause you problems. Many protocol analyzers can be run on multiple platforms and do live traffic captures and offline analysis. Software USB protocol analyzers are also available for the development of USB devices and analysis of USB traffic.


Exam Prep Questions

1. Your company is in the process of setting up a DMZ segment. You have to allow email traffic in the DMZ segment. Which TCP ports do you have to open? (Choose two correct answers.)

❍ A. 110
❍ B. 139
❍ C. 25
❍ D. 443

2. Your company is in the process of setting up a management system on your network, and you want to use SNMP. You have to allow this traffic through the router. Which UDP ports do you have to open? (Choose two correct answers.)

❍ A. 161
❍ B. 139
❍ C. 138
❍ D. 162

3. You want to implement a proxy firewall technology that can distinguish between FTP commands. Which of the following types of firewall should you choose?

❍ A. Proxy gateway
❍ B. Circuit-level gateway
❍ C. Application-level gateway
❍ D. SOCKS proxy

4. You want to use NAT on your network, and you have received a Class C address from your ISP. What range of addresses should you use on the internal network?

❍ A. 10.x.x.x
❍ B. 172.16.x.x
❍ C. 172.31.x.x
❍ D. 192.168.x.x

5. You are setting up a switched network and want to group users by department. Which technology would you implement?

❍ A. DMZ
❍ B. VPN
❍ C. VLAN
❍ D. NAT

6. You are setting up a web server that needs to be accessed by both the employees and by external customers. What type of architecture should you implement?

❍ A. VLAN
❍ B. DMZ
❍ C. NAT
❍ D. VPN

7. You have recently had some security breaches in the network. You suspect it may be a small group of employees. You want to implement a solution that will monitor the internal network activity and incoming external traffic. Which of the following devices would you use? (Choose two correct answers.)

❍ A. A router
❍ B. A network-based IDS
❍ C. A firewall
❍ D. A host-based IDS

8. Services using an interprocess communication share such as network file and print sharing services leave the network susceptible to which of the following attacks?

❍ A. Spoofing
❍ B. Null sessions
❍ C. DNS kiting
❍ D. ARP poisoning

9. You’re the security administrator for a bank. The users are complaining about the network being slow. However, it is not a particularly busy time of the day. You capture network packets and discover that hundreds of ICMP packets have been sent to the host. What type of attack is likely being executed against your network?

❍ A. Spoofing
❍ B. Man-in-the-middle
❍ C. DNS kiting
❍ D. Denial of service

10. Your network is under attack. Traffic patterns indicate that an unauthorized service is relaying information to a source outside the network. What type of attack is being executed against you?

❍ A. Spoofing
❍ B. Man-in-the-middle
❍ C. Replay
❍ D. Denial of service

Answers to Exam Prep Questions

1. A, C. Port 110 is used for POP3 incoming mail, and port 25 is used for SMTP outgoing mail. POP3 delivers mail only, and SMTP transfers mail between servers. Answer B is incorrect because UDP uses port 139 for network sharing. Port 443 is used by HTTPS; therefore, answer D is incorrect.

2. A, D. UDP ports 161 and 162 are used by SNMP. Answer B is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution.

3. C. An application-level gateway understands services and protocols. Answer A is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway’s decisions are based on source and destination addresses. Answer D is incorrect because SOCKS proxy is an example of a circuit-level gateway.

4. D. In a Class C network, valid host IDs are from 192.168.0.1 to 192.168.255.254. Answer A is incorrect because it is a Class A address. Valid host IDs are from 10.0.0.1 to 10.255.255.254. Answers B and C are incorrect because they are both Class B addresses; valid host IDs are from 172.16.0.1 through 172.31.255.254.

5. C. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

6. B. A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer C is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer D is incorrect because a VPN is a network connection that allows you access via a secure tunnel created through an Internet connection.

7. B, D. Because you want to monitor both types of traffic, the IDSs should be used together. Network-based intrusion-detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and may have gotten through the firewall. Host-based intrusion-detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. Answer A is incorrect because a router forwards information to its destination on the network or the Internet. A firewall protects computers and networks from undesired access by the outside world; therefore, answer C is incorrect.

8. B. A null session is a connection without specifying a user name or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because domain kiting refers to the practice of taking advantage of this AGP period to monopolize domain names without even paying for them. Answer D is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address.

9. D. A ping flood is a DoS attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer C is incorrect because domain kiting refers to the practice of taking advantage of this AGP period to monopolize domain names without even paying for them.

10. B. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. In a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later; therefore, answer C is incorrect. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.

CHAPTER FOUR

Infrastructure Security and Controls

Terms you need to understand:
✓ Antivirus
✓ Antispam
✓ Pop-up blockers
✓ Virtualization technology
✓ Security groups
✓ Access control lists
✓ Group policies
✓ Logical tokens
✓ Probability
✓ Risk

Techniques you need to master:
✓ Differentiate between the different types of security applications that can be applied on the internal network.
✓ Apply the appropriate network tools to facilitate network security.
✓ Implement the appropriate security groups, roles, rights and permissions.
✓ Define logical internal access control methods.
✓ Explain how to calculate risk and return on investment.

In the preceding chapter, you learned about the basic components of the network infrastructure, its vulnerabilities, and some methods to mitigate exploitation. Network security goes beyond just knowing the risks and vulnerabilities. To mitigate threats and risks, you must also know how to assess your environment and protect it. This chapter discusses how to implement security applications to help mitigate risk and how to use security groups, roles, rights and permissions in accordance with industry best practices. In addition, this chapter covers how you can use physical security as a tool to mitigate threats and protect computers and network infrastructure.

Implementing Security Applications

When dealing with security issues, two areas need to be covered. The first one addresses the physical components such as hardware, network components, and physical security designs. The second one deals with using protocols and software to protect data. The latter covers software that can help protect the internal network components, such as personal firewalls and antivirus software.

Personal Software Firewalls

Desktops and laptops need to have layered security just like servers. However, many organizations stop this protection at antivirus software, which in today’s environment may not be enough to ward off malware, phishing, and rootkits. One of the most common ways to protect desktops and laptops is to use a personal firewall. Firewalls can consist of hardware, software, or a combination of both. This discussion focuses on software firewalls that you can implement in the user environment.

The potential for hackers to access data through a user’s machine has grown substantially as hacking tools have become more sophisticated and difficult to detect. This is especially true for the telecommuter’s machine. Always-connected computers, typical with cable modems, give attackers plenty of time to discover and exploit system vulnerabilities. Many software firewalls are available, and most operating systems now come with them readily available. You can choose to use the OS vendor firewall or to install a separate one.

Like most other solutions, firewalls have strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or nontrusted services and applications. However, they require proper configuration. Typically, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. Some users might find this annoying and disable the firewall, or not understand what the software is asking and allow all communications. Another caveat is that some firewalls monitor only for incoming connections and not outgoing. Remember that even a good firewall cannot protect you if you do not exercise a proper level of caution and think before you download. No system is foolproof, but software firewalls installed on user systems can help make the computing environment safer.

EXAM ALERT Monitoring outbound connections is important, so that you protect against malware that “phones home.” Without this type of protection, the environment is not properly protected.

Antivirus

Another necessary software program for protecting the user environment is antivirus software. Antivirus software is used to scan for malicious code in email and downloaded files. Antivirus software actually works backward. Virus writers release a virus, it is reported, and then antivirus vendors reverse-engineer the code to find a solution. After the virus has been analyzed, the antivirus software can look for specific characteristics of the virus. Remember that for a virus to be successful, it must replicate its code.

The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. When the antivirus software detects the signature, it isolates the file. Then, depending on the software settings, the antivirus software quarantines it or permanently deletes it.

Interception software detects viruslike behavior and then pops up a warning to the user. However, because the software looks only at file changes, it might also detect legitimate files. In the past, antivirus engines used a heuristic engine for detecting virus structures or integrity checking as a method of file comparison. A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action. Chapter 7, “Intrusion Detection and Security Baselines,” explains this concept in more detail.

EXAM ALERT Heuristic scanning looks for instructions or commands that are not typically found in application programs. The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated.

Antivirus software vendors update their virus signatures on a regular basis. Most antivirus software connects to the vendor website to check the software database for updates and then automatically downloads and installs them as they become available. Besides setting your antivirus software for automatic updates, you should set the machine to automatically scan at least once a week. In the event a machine does become infected, the first step is to remove it from the network so that it cannot damage other machines. The best defense against virus infection is user education. Most antivirus software used today is fairly effective, but only if it’s kept updated and the user practices safe computing habits such as not opening unfamiliar documents or programs. Despite all this, antivirus software cannot protect against brand new viruses, and often users do not take the necessary precautions. Users sometimes disable antivirus software because it may interfere with programs that are currently installed on the machine. Be sure to guard against this type of incident.

Antispam

Sophos Research reports that 92.3 percent of all email was spam during the first quarter of 2008. Spam is defined several ways, the most common being unwanted commercial email. Although spam may merely seem to be an annoyance, it uses bandwidth, takes up storage space, and reduces productivity. Antispam software can add another layer of defense to the infrastructure.

You can install antispam software in various ways. The most common methods are at the email server or the email client. When the software and updates are installed on a central server and pushed out to the client machines, this is called a centralized solution. When the updates are left up to the individual users, you have a decentralized environment. As with the previous discussions in this section, this discussion focuses on the client-side implementation.

The main component of antispam software is heuristic filtering. Heuristic filtering compares incoming email information against a predefined rule set. The software reads the contents of each message and compares the words in that message against the words in typical spam messages. Each rule assigns a numeric score to the probability of the message being spam. This score is then used to determine whether the message meets the acceptable level set. If many of the same words from the rule set are in the message being examined, it’s marked as spam. Specific spam filtering levels can be set on the user’s email account. If the setting is high, more spam will be filtered, but it may also filter legitimate email as spam, thus causing false positives.

NOTE It is important to understand that the software can’t assign meaning to the words examined. It simply tracks and compares the words used.

Additional settings can be used in the rule set. In general, an email address added to the approved list is never considered spam. This is also known as a white list. Using white lists allows more flexibility in the type of email you receive. For example, putting the addresses of your relatives or friends in your white list allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a black list. Other factors may affect the ability to receive email from addresses on white lists. For example, if attachments are not allowed and the email has an attachment, the message may get filtered even if the address is on the approved list.
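The word scoring, filtering levels, and list handling described in this section can be sketched in a few lines. This is an added example, not code from the book or from any antispam product; the rule words, scores, thresholds, and addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed rule set: each word found in a message adds its score.
RULES = {"free": 1.5, "winner": 2.0, "prize": 2.0, "click": 1.0,
         "offer": 1.0, "urgent": 1.0}

# Filtering level -> score at which a message is marked as spam.
# A higher setting filters more mail, so its threshold is lower.
THRESHOLDS = {"low": 6.0, "medium": 4.0, "high": 2.0}


@dataclass
class Message:
    sender: str
    body: str
    has_attachment: bool = False


@dataclass
class SpamFilter:
    level: str = "medium"
    white_list: set = field(default_factory=set)
    black_list: set = field(default_factory=set)
    allow_attachments: bool = True

    def score(self, msg):
        """Sum the rule scores of every word in the body.

        Words are only matched, never interpreted, which is why
        legitimate mail that uses the same vocabulary scores like spam."""
        words = re.findall(r"[a-z']+", msg.body.lower())
        return sum(RULES.get(word, 0.0) for word in words)

    def classify(self, msg):
        """Return (verdict, reason, score) for one message."""
        sender = msg.sender.lower()
        score = self.score(msg)
        # The attachment policy applies even to approved senders.
        if msg.has_attachment and not self.allow_attachments:
            return ("filtered", "attachment policy", score)
        if sender in self.black_list:
            return ("spam", "black list", score)
        if sender in self.white_list:
            return ("delivered", "white list", score)
        if score >= THRESHOLDS[self.level]:
            return ("spam", "heuristic score", score)
        return ("delivered", "heuristic score", score)


# Constructed sample messages.
BULK = Message("promo@bulk.example",
               "URGENT: you are a winner! Click to claim your free prize")
COWORKER = Message("pat@corp.example",
                   "Lunch is free on Friday, click the invite to accept the offer")


def demo():
    """Classify both samples at two levels, then with a white list."""
    results = {}
    for level in ("medium", "high"):
        spam_filter = SpamFilter(level=level)
        results[level] = [spam_filter.classify(BULK)[0],
                          spam_filter.classify(COWORKER)[0]]
    trusted = SpamFilter(level="high", white_list={"pat@corp.example"})
    results["white-listed"] = trusted.classify(COWORKER)[0]
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

At the high setting the coworker's message becomes a false positive; adding the sender to the white list restores delivery without lowering the filtering level.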

Pop-Up Blockers

A common method for Internet advertising is using a window that pops up in the middle of your screen to display a message when you click a link or button on a website. Although some pop-ups are helpful, many are an annoyance, and others can contain inappropriate content or entice the user to download malware. There are several variations of pop-up windows. A pop-under ad opens a new browser window under the active window. These types of ads often are not seen until the current window is closed. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups. They are essentially “floating pop-ups” in a web page.

Most online toolbars come with pop-up blockers, various downloadable pop-up blocking software is available, and the browsers included with some operating systems such as Windows XP can block pop-ups. Pop-up blockers, just like many of the other defensive software discussed so far, have settings that you can adjust. You might want to try setting the software to medium so that it will block most automatic pop-ups but still allow functionality. Keep in mind that you can adjust the settings on pop-up blockers to meet the organizational policy or to best protect the user environment.

Several caveats apply to using pop-up blockers. There are helpful pop-ups. Some web-based programmed application installers use a pop-up to install software. If all pop-ups are blocked, the user may not be able to install applications or programs. Field help for fill-in forms is often in the form of a pop-up. Some pop-up blockers may delete the information already entered by reloading the page, causing users unnecessary grief. You can also circumvent pop-up blockers in various ways. Most pop-up blockers block only the JavaScript; therefore, technologies such as Flash bypass the pop-up blocker. On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass the pop-up filter.

Virtualization Technology

With more emphasis being placed on going green and power becoming more expensive, virtualization offers cost benefits by decreasing the number of physical machines required within an environment. This applies to both servers and desktops. On the client side, the ability to run multiple operating environments allows a machine to support applications and services for an operating environment other than the primary environment. Currently, many implementations of virtual environments are available to run on just about everything from servers and routers to USB thumb drives.

For virtualization to occur, a hypervisor is used. The hypervisor controls how access to a computer’s processors and memory is shared. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that allows more than one operating system to run on a host computer at the same time. A Type 1 native or bare-metal hypervisor is software that runs directly on a hardware platform. The guest operating system runs at the second level above the hardware. This technique allows full guest systems to be run in a relatively efficient manner. The guest OS is not aware it is being virtualized and requires no modification. A Type 2 or hosted hypervisor is software that runs within an operating system environment, and the guest operating system runs at the third level above the hardware. The hypervisor runs as an application or shell on another already running operating system.

Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions. Virtual environments are used for cost-cutting measures as well. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did. Preconfigured virtual appliances are available for operating systems, networking components, and applications.

The use of virtualization is growing in the individual-use market and in the corporate environment. Users can now load a virtualized environment using a portable USB storage device or network-attached storage, leaving the original system intact. These advances give the organization more control over the environment because virtual machines can be pushed out to the desktops or given to mobile workers. However, the security of the host machine and the virtual machine must be considered, as must the investigative issues in using such environments.

The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too. Vulnerabilities also come into play. For example, a few years ago, VMware’s NAT service had a buffer-overflow vulnerability that allowed remote attackers to execute malicious code by exploiting the virtual machine itself. Virtual machine environments need to be patched just like host environments and are susceptible to the same issues as a host operating system. You should be cognizant of shared files among guest and host operating systems.

EXAM ALERT Virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk.

Security policy should address virtual environments. Any technology software without a defined business need should not be allowed on systems. This applies to all systems, including virtual environments. To secure a virtualized environment, machines should be segmented by the sensitivity of the information they contain. A policy should be in place that specifies that hardware is not shared for test environments and sensitive data. Another way to secure a virtualized environment is to use standard locked-down images. Other areas that present issues for a virtualized environment and need special consideration are deploying financial applications on virtualized shared hosting and secure storage on storage-area network (SAN) technologies.

Applying Network Tools to Facilitate Security

Chapter 3, “Infrastructure Basics,” described the design elements and components such as firewalls, VLANs, and perimeter network boundaries that distinguish between private networks, intranets, and the Internet. Network compromises now carry an increased threat with the spread of botnets, which were discussed in Chapter 1, “System Threats and Risks.” This means an entire corporate network can be used for spam relay, phishing systems and launching distributed denial-of-service (DDoS) attacks. It is important to not only know how to use the proper elements in design but also how to position and apply these tools to facilitate security. This section discusses just that.

Firewalls

In any environment, threats to network integrity come from both external and internal sources. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network. As you learned in Chapter 3, there are three basic types of firewalls:

• Packet filtering—Best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet-filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network.
• Proxy service—Allows organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network.
• Stateful inspection—Suited for main perimeter security. Stateful inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested.

Although Chapter 3 discussed the types and uses of various firewall technologies, it did not discuss the placement. Knowing the difference between these types of firewalls and the proper placement of each is important to securing the infrastructure. As you read through this section, you might need to review the descriptions of each firewall type in the preceding chapter.

The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and provide notification of suspicious behavior. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests destined for servers in the DMZ or to route requests to an authentication proxy. The second firewall is placed between the DMZ and the internal network to allow outbound requests. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet. Most organizations have many firewalls, with the strongest level of protection nearest to the outside edge of the environment. Figure 4.1 shows an example.

EXAM ALERT Watch for scenarios that ask you to select the proper firewall placement based on organizational need.

FIGURE 4.1 A network with two firewalls. (Diagram labels: Internet, Router, Firewall, DMZ, Web Server, Email Server, RADIUS Server, Firewall, Database Server.)

When deploying multiple firewalls, you might experience network latency. If you do, check the placement of the firewalls and possibly reconsider the topology to be sure you get the most out of the firewalls. Another factor to think about is the use of a storage-area network (SAN) or network-attached storage (NAS) behind a firewall. Because most storage environments span multiple networks, this creates a virtual bridge that can counteract a firewall, providing a channel into the storage environment if a system is compromised in the DMZ.

Proxy Servers

Proxy servers are used for a variety of reasons, so the placement will depend on the usage. Proxy servers can be placed between the private network and the Internet for Internet connectivity or internally for Web content caching. If the organization is using the proxy server for both Internet connectivity and Web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the Web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

Every proxy server in your network must have at least one network interface. Proxy servers with a single network interface can provide Web content caching and IP gateway services. To provide Internet connectivity, you must specify two or more network interfaces for the proxy server.

Internet Content Filters

Network Internet content filters can be hardware or software. Many network solutions combine both. Hardware appliances are usually connected to the same network segment as the users they will monitor. Other configurations include being deployed behind a firewall or in a DMZ, with public addresses behind a packet-filtering router. These appliances use access control filtering software on the dedicated filtering appliance. The device monitors every packet of traffic that passes over a network.

Protocol Analyzers

Protocol analyzers can be placed in-line or in between the devices from which you want to capture the traffic. If you are analyzing SAN traffic, the analyzer can be placed outside the direct link with the use of an optical splitter. The analyzer is placed to capture traffic between the host and the monitored device.

Logical Access Control Methods

In this section, we focus on the logical methods of access control. Logical controls are important to infrastructure security because these controls are part of assessing your environment and protecting it to mitigate threats and risks. Insider threats are very real, and the more access someone has, the bigger the threat he or she can become. Logical access controls are used in addition to physical security controls to limit access to data. This design helps ensure the integrity of information, preserve the confidentiality of data, and maintain the availability of information. In addition, it helps the organization conform to laws, regulations, and standards.

This section covers the most common methods used for logical access control. Chapter 5, “Access Control and Authentication Basics,” focuses on access control mechanisms and methods for secure network authentication. The access level that users are given directly affects the level of network protection you have. Even though it might sound strange that the network should be protected from its own users, the internal user has the greatest access to data and the opportunity to either deliberately sabotage it or accidentally delete it.

Security Groups and Roles with Appropriate Rights and Privileges

When dealing with user access, a fine line often exists between enough access and too much access. In this section, we look at how to manage user access by using groups and group policies. A user account holds information about the specific user. It can contain basic information such as name, password, and the level of permission the user has. It can also contain more specific information, such as the department the user works in, a home phone number, and the days and hours the user is allowed to log on to specific workstations. Groups are created to make the sharing of resources more manageable. A group contains users who share a common need for access to a particular resource. Even though the connotations may differ with each operating system, all of these terms still refer to the access that a user or group account is granted.

When working with logical controls, there are two models for assignment of permissions and rights: user-based and group-based. Within a user-based model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs. This access type is also found in government and military situations and in private companies where patented processes and trademark products require protection. User-based privilege management is usually used for specific parts of the network or specific resources. This type of policy is time-consuming and difficult for administrators to handle, plus it does not work well in large environments.

Access control over large numbers of user accounts can be more easily accomplished by managing the access permissions on each group, which are then inherited by the group’s members. This is called group-based access control. In this type of access, permissions are assigned to groups, and user accounts become members of the groups. Each user account has access based on the combined permissions inherited from its group memberships. These groups often reflect divisions or departments of the company, such as human resources, sales, development, and management. Users can be placed in universal, global, or local groups. The last item that warrants mentioning is that in enterprise networks, groups may be nested. Group nesting can simplify permission assignment if you know how to use it, or it can complicate troubleshooting when you don’t know what was set up or why.

EXAM ALERT By using groups, access control can be accomplished more efficiently and effectively by fewer administrators and with less overhead.

You will find that making groups and assigning users to these groups will make the administration process much easier. In Windows 2003, Active Directory Services provides flexibility by allowing two types of groups: security groups and distribution groups. Security groups are used to assign rights and permissions to groups for resource access. Distribution groups are assigned to a user list for applications or non-security-related functions. For example, a distribution group can be used by Microsoft Exchange to distribute mail.

Certain groups are installed by default. As an administrator, you should know what these groups are and know which accounts are installed by default. In dealing with individual accounts, the administrative account should be used only for the purpose of administering the server. Granting users this type of access is a disaster waiting to happen. An individual using the administrative account can put a company’s entire business in jeopardy. By knowing which accounts are installed by default, you can determine which are really needed and which can be disabled, thereby making the system more secure. You should also know which accounts, if any, are installed with blank passwords. The security settings in many of the newer operating systems do not allow blank passwords. However, there might still be accounts in older operating systems that have a blank password.

User rights are applied to security groups to determine what members of that group can do within the scope of a Windows domain or forest. The assignment of user rights is through security options that apply to user accounts. The user rights assignment is twofold: It can grant specific privileges and it can grant log-on rights to users and groups in your computing environment. Log-on rights control who can log on to the computer and how, such as the right to log on to a system locally, whereas privileges allow users to perform system tasks, such as the right to back up files and directories. Although user rights can apply to individual user accounts, they are best administered by using group accounts.

When working with groups, remember a few key items. No matter what OS you are working with, if you are giving a user full access in one group and no access in another group, the result will be no access. However, group permissions are cumulative, so if a user belongs to two groups and one has more liberal access, the user will have the more liberal access, except where the no access permission is involved.

EXAM ALERT When assigning user permissions, if the groups the user is assigned to have liberal access and another group has no access, the result is no access.

There are no exceptions. If a user has difficulty accessing information after he or she has been added to a new group, the first item you may want to check for is conflicting permissions.
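The following added example (not from the book) resolves a user's effective access from cumulative group permissions, nested groups, and the overriding no access permission, and reports which group caused a denial so that conflicting permissions can be tracked down. The user names, group names, and permissions are constructed, and the model is a simplification rather than any operating system's actual evaluation code.

```python
NO_ACCESS = "no access"

# Constructed directory data. Keys are users or groups; values are the
# groups they belong to directly. Managers is nested inside Sales.
MEMBER_OF = {
    "alice": ["Sales"],
    "bob": ["Sales", "Contractors"],
    "carol": ["Managers"],
    "Managers": ["Sales"],
    "Sales": ["AllStaff"],
}

# Constructed permissions that each group holds on one shared folder.
SHARE_PERMS = {
    "AllStaff": {"read"},
    "Sales": {"read", "write"},
    "Managers": {"delete"},
    "Contractors": {NO_ACCESS},
}


def expand_groups(principal, member_of):
    """Return every group the principal belongs to, directly or through
    nesting. Tracking visited groups keeps a nesting loop from hanging."""
    found, pending = [], list(member_of.get(principal, []))
    while pending:
        group = pending.pop(0)
        if group in found:
            continue
        found.append(group)
        pending.extend(member_of.get(group, []))
    return found


def effective_access(principal, member_of, perms):
    """Return (permissions, denying_groups).

    Permissions from all groups are combined, but a single group with
    the no access permission overrides everything else."""
    granted, denying = set(), []
    for group in expand_groups(principal, member_of):
        group_perms = perms.get(group, set())
        if NO_ACCESS in group_perms:
            denying.append(group)
        else:
            granted |= group_perms
    if denying:
        return set(), denying
    return granted, []


def explain(principal, member_of, perms):
    """List each group's contribution, for tracking down conflicts."""
    return [f"{group}: {sorted(perms.get(group, set()))}"
            for group in expand_groups(principal, member_of)]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        access, denied_by = effective_access(user, MEMBER_OF, SHARE_PERMS)
        print(user, sorted(access), "denied by:", denied_by)
        for line in explain(user, MEMBER_OF, SHARE_PERMS):
            print("   ", line)
```

Carol never appears in Sales or AllStaff directly, yet she inherits their permissions through nesting, which is the situation that makes undocumented nesting hard to troubleshoot.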

Security Controls for File and Print Resources

Print and file sharing increases the risk of intruders being able to access any of the files on a computer’s hard drive. Locking down these shares is imperative because unprotected network shares are always easy targets and rank high in the list of top security exploits. Depending on the operating systems in use, there are two areas to look at: Server Message Block (SMB) file-sharing protocol and Common Internet File System (CIFS). Determine whether file and print sharing is really needed. If it isn’t, unbind NetBIOS from TCP/IP. By doing so, you effectively disable Windows SMB file and print sharing. CIFS is a newer implementation of SMB that allows file and print sharing. Here are some recommendations for securing file and print sharing:

• Use an antivirus product that searches for CIFS worms.
• Run intrusion testing tools.
• Filter traffic on UDP/TCP ports 137, 138, 139, and 445.
• Install proper firewalls.

User education and mandatory settings can go a long way toward making sure that file sharing is not enabled unless needed. Finally, keep in mind that as Microsoft operating systems are installed, a number of hidden shares are created by default. Any intruder would be aware of this and can map to them if given the chance.

Access Control Lists

In its broadest sense, an access control list (ACL) is the underlying data associated with a network resource that defines the access permissions. The most common privileges are read, write to, delete, and execute a file. ACLs can apply to routers and other devices. For purposes of this discussion, however, we limit the definition to operating system objects.

Every operating system object created has a security attribute that matches it to an ACL. The ACL has an entry for each system user that defines the access privileges to that object. In Microsoft operating systems, each ACL has one or more access control entries (ACEs). These are descriptors that contain the name of a user, group, or role. The access privileges are stated in a string of bits called an access mask. Generally, the object owner or the system administrator creates the ACL for an object.

ACLs can be broken down further into discretionary access control lists (DACLs) and system access control lists (SACLs). DACL use and SACL use are specific to Microsoft operating systems and are based on ACEs. A DACL identifies who or what is allowed access to the object. If the object does not have a DACL, everyone is granted full access. If the object’s DACL has no ACEs, the system denies all access. An SACL enables administrators to log attempts to access the object. Each ACE specifies the types of access attempts that cause the system to generate a record in the security event log.

Implementation of access management is based on one of two models: centralized or decentralized. Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned. This database is usually maintained on a central server that is contacted by the server providing the resource when a user’s ACL must be verified for access. The drawback to the centralized model is scalability. As the company and network grow, it becomes more and more difficult to keep up with the tasks of assigning and managing network resource access and privileges.

Decentralized security management is less secure but more scalable. Responsibilities are delegated, and employees at different locations are made responsible for managing privileges within their administrative areas. For example, in Microsoft Active Directory, this can be relegated by domain. Decentralized management is less secure because more people are involved in the process and there is a greater possibility for errors.
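The DACL and SACL rules from the Access Control Lists discussion above, as an added Python sketch that is not from the book and is not Windows code. The mask bits, class names, and the deny entry (which goes beyond what the text covers) are assumptions made for illustration; the point to notice is the difference between an object with no DACL and an object whose DACL is empty.

```python
"""Toy model of DACL and SACL evaluation (added example, not Windows code)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Access-mask bits constructed for this example; they are not Windows constants.
READ, WRITE, DELETE, EXECUTE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | DELETE | EXECUTE


@dataclass
class Ace:
    trustee: str        # user, group, or role the entry names
    mask: int           # access mask: the rights this entry covers
    allow: bool = True  # False models a deny entry (goes beyond the text above)


@dataclass
class AuditAce:
    trustee: str
    mask: int
    on_success: bool = False  # log attempts that were granted
    on_failure: bool = True   # log attempts that were refused


@dataclass
class SecuredObject:
    name: str
    dacl: Optional[List[Ace]]  # None = object has no DACL; [] = DACL with no ACEs
    sacl: List[AuditAce] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)  # stand-in for the security event log


def check_access(obj: SecuredObject, user: str, groups: Iterable[str], requested: int) -> bool:
    """Return True if every requested right is granted to the user or one of its groups."""
    principals = {user, *groups}
    if obj.dacl is None:
        granted = True                      # no DACL: everyone is granted full access
    else:
        remaining, granted = requested, False
        for ace in obj.dacl:                # an empty DACL never enters the loop: deny all
            if ace.trustee not in principals:
                continue
            if not ace.allow:
                if ace.mask & remaining:    # a matching deny entry ends the check
                    break
                continue
            remaining &= ~ace.mask          # rights covered by this allow entry
            if remaining == 0:
                granted = True
                break
    for audit in obj.sacl:                  # the SACL decides only what gets logged
        if audit.trustee in principals and audit.mask & requested:
            if (granted and audit.on_success) or (not granted and audit.on_failure):
                outcome = "SUCCESS" if granted else "FAILURE"
                obj.audit_log.append(f"{outcome} {user} mask=0x{requested:x} on {obj.name}")
    return granted
```
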


Group Policies

After you create groups, Group Policy can be used for ease of administration in managing the environment of users. This can include installing software and updates or controlling what appears on the desktop based on the user’s job function and level of experience. The Group Policy object (GPO) is used to apply Group Policy to users and computers. A GPO is a virtual storage location for Group Policy settings, which are stored in the Group Policy container or template. How companies use Group Policy depends on the level of client management required.

EXAM ALERT An excessive number of group policies can create longer logon times, and if conflicting policies are implemented, you might have a difficult time tracking down why one of them isn’t working as it should.

In a highly managed environment where users cannot configure their own computers or install software, there will be considerable control over users and computers with Group Policy. In a minimally managed environment where users have more control over the environment, Group Policy will be used minimally.

Group Policy is versatile and can be used with Active Directory to define standards for the whole organization or for the members of a single workgroup, location, or job function. Group Policy enables you to set consistent common security standards for a certain group of computers and enforce common computer and user configurations. For example, you can use Group Policy to restrict the use of USB devices in a group of computers. It also simplifies computer configuration by distributing applications and restricting the distribution of applications that may have limited licenses. To allow this wide range of administration, GPOs can be associated with or linked to sites, domains, or organizational units. Because Group Policy is so powerful, various levels of administrative roles can be appointed. These include creating, modifying, and linking policies.

Group Policy can be applied at multiple levels in Active Directory. It is important that you understand policy application order and the effect that it can have on the resulting security policy of a computer. Group policies are applied in a specific order or hierarchy. By default, a group policy is inherited and cumulative. GPOs are processed in the following order:

1. The local GPO
2. GPOs linked to sites
3. GPOs linked to domains
4. GPOs linked to organizational units

The order of GPO processing is important because a policy applied later overwrites a policy applied earlier. Group policies get applied from the bottom up. So if there is a conflict, the policy higher up in the list will prevail.

Now let’s talk about the exceptions. The default order of processing has the following exceptions:

- If the computer is a workgroup member rather than a domain member, only the local policy is applied.
- Any policy except for the local one can be set to No Override, meaning none of its policy settings can be overridden.
- Block Inheritance can be set at the site, domain, or organizational unit level so that policies are not inherited; however, if the policy is marked No Override, it cannot be blocked.
- Loopback is an advanced setting that provides alternatives to the default method of obtaining the ordered list of GPOs.

As you can see, Group Policy can be tricky to configure after you put numerous policies in place. To troubleshoot Group Policy appropriately, know the order of application and the exceptions. Group Policy changes can be audited, and thus you can track any changes made and confirm their validity.
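To make the processing order and its exceptions concrete, here is an added Python model (not from the book and not Microsoft code) that computes the resulting settings for one computer. The class names, setting names, and sample GPOs are constructed. It assumes the local GPO is never affected by Block Inheritance and that when two No Override GPOs conflict the one processed first wins; Loopback is not modeled.

```python
"""Toy resolver for Group Policy processing order (added example, not Microsoft code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]
    no_override: bool = False       # settings cannot be overridden or blocked


@dataclass
class Container:
    level: str                      # "site", "domain", or "ou"
    gpos: List[Gpo] = field(default_factory=list)
    block_inheritance: bool = False


def resultant_policy(local: Gpo, containers: List[Container],
                     domain_member: bool = True) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (value, name of the GPO that supplied it)}.

    `containers` must be ordered site, domain, then OUs from parent to child,
    which is the processing order given in the text.
    """
    if local.no_override:
        raise ValueError("the local GPO cannot be set to No Override")
    if not domain_member:
        # Workgroup member: only the local policy is applied.
        return {k: (v, local.name) for k, v in local.settings.items()}

    # The lowest container with Block Inheritance cuts off everything linked above it.
    blockers = [i for i, c in enumerate(containers) if c.block_inheritance]
    cutoff = max(blockers) if blockers else 0

    ordered = [local]               # assumption: the local GPO is never blocked
    for i, container in enumerate(containers):
        for gpo in container.gpos:
            if i >= cutoff or gpo.no_override:   # No Override survives blocking
                ordered.append(gpo)

    result: Dict[str, Tuple[str, str]] = {}
    locked = set()                  # settings pinned by a No Override GPO
    for gpo in ordered:
        for key, value in gpo.settings.items():
            if key in locked:
                continue            # a later GPO cannot overwrite a pinned setting
            result[key] = (value, gpo.name)      # otherwise later overwrites earlier
            if gpo.no_override:
                locked.add(key)
    return result


# Constructed sample hierarchy.
LOCAL = Gpo("Local", {"usb_storage": "allowed", "screen_lock_minutes": "30"})
SITE = Container("site", [Gpo("HQ Site", {"proxy": "hq-proxy", "wallpaper": "corporate"})])
DOMAIN = Container("domain", [
    Gpo("Domain Baseline", {"usb_storage": "blocked", "screen_lock_minutes": "10"},
        no_override=True),
    Gpo("Domain Desktop", {"wallpaper": "domain"}),
])
ENG_OU = Container("ou", [Gpo("Eng Workstations", {"usb_storage": "allowed", "wallpaper": "eng"})])
```

With the sample data, the OU's attempt to re-allow USB storage loses to the No Override baseline, while its wallpaper setting wins because it is processed last.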

Password Policy

Because passwords are one of the best methods of acquiring access, password length, duration, history, and complexity requirements are all important to the security of the network. When setting up user accounts, proper planning and policies should be determined. Passwords are one of the first pieces of information entered by a user. Strong passwords can be derived from events or things the user knows and are discussed in Chapter 12, “Organizational Controls.” Make users aware of these requirements and the reasons for them. Consider the following when setting password policies:

- Make the password length at least eight characters and require the use of uppercase and lowercase letters, numbers, and special characters.
- Lock user accounts out after three to five failed logon attempts. This policy stops programs from deciphering the passwords on locked accounts.
- Require users to change passwords every 60 to 90 days, depending on how secure the environment needs to be. Remember that the more frequently users are required to change passwords, the greater the chance that they will write them down.
- Set the server to not allow users to use the same password over and over again. Certain operating systems have settings that do not allow users to reuse a password for a certain length of time or number of password changes.
- Never store passwords in an unsecure location. Sometimes a company may want a list of server administrative passwords. This list might end up in the wrong hands if not properly secured.
- Upon logon, show a statement to the effect that network access is granted under certain conditions and that all activities may be monitored. This way you can be sure that any legal ramifications are covered.

If you are using Windows servers on your network, you will most likely have domains. Domains have their own password policy in addition to the local password policy. These are two different policies, and you need to understand the difference between them.

Domain Password Policy

Password policies help secure the network and define the responsibilities of users who have been given access to company resources. You should have all users read and sign security policies as part of their employment process. Domain password policies affect all users in the domain. The effectiveness of these policies depends on how and where they are applied. The three areas that can be configured are password, account lockout, and Kerberos policies. When configuring these settings, keep in mind that you can have only one domain account policy. The policy is applied at the root of the domain and becomes the policy for any system that is a member of the domain in Windows Server 2003 and earlier server versions.

Domain password policies control the complexity and lifetime settings for passwords so that they become more complex and secure. This reduces the likelihood of a successful password attack. Table 4.1 lists the default settings for Windows 2003 SP1.


TABLE 4.1 Default Password Policy Settings

Option                                      | Default Setting         | Possible Values and Recommended Values
Enforce Password History                    | 24 passwords remembered | 0 to 24. Set to 24 to limit password reuse
Maximum Password Age                        | 42 days                 | 0 to 999. Set to either 30 or 60 days
Minimum Password Age                        | 1 day                   | 0 to 998. Set to 2 days, to disallow immediate changes
Minimum Password Length                     | 7 characters            | 0 to 14. Set to at least 8
Passwords Must Meet Complexity Requirements | Enabled                 | Set to Enabled
Store Password Using Reversible Encryption  | Disabled                | Set to Disabled

All the settings in Table 4.1 should be configured to conform to the organization’s security policy. Also, setting the change frequency and password complexity too strictly can cause user frustration, leading to passwords being written down. The account lockout policy can be used to secure the system against attacks by disabling the account after a certain number of attempts, for a certain period of time. The Kerberos policy settings are used for authentication services. In most environments, the default settings should suffice. If you do need to change them, remember that they are applied at the domain level.

TIP In Windows Server 2008, you can specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
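One way to check a server against the recommendations in Table 4.1 and the lockout guidance above is to audit the [System Access] section of a security template exported with secedit /export. The following Python script is an added example, not from the book; the export excerpt is constructed from the Table 4.1 defaults, the LockoutBadCount value of 0 is an assumption, and treating a minimum age of 2 days or more as compliant is also an assumption.

```python
"""Audit a secedit [System Access] section against the chapter's password
recommendations (added example; the sample export below is constructed)."""
from typing import Callable, Dict, List, Tuple

# Constructed excerpt using the Table 4.1 defaults. LockoutBadCount = 0 (never
# lock out) is an assumption; the chapter does not state the lockout default.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 0
"""

# key -> (recommendation, predicate that is True when the value complies)
RULES: Dict[str, Tuple[str, Callable[[int], bool]]] = {
    "PasswordHistorySize": ("set to 24 to limit password reuse", lambda v: v == 24),
    "MaximumPasswordAge": ("set to either 30 or 60 days", lambda v: v in (30, 60)),
    # Assumption: 2 days or more is treated as meeting "set to 2 days".
    "MinimumPasswordAge": ("set to 2 days to disallow immediate changes", lambda v: v >= 2),
    "MinimumPasswordLength": ("set to at least 8", lambda v: v >= 8),
    "PasswordComplexity": ("complexity requirements should be Enabled (1)", lambda v: v == 1),
    "ClearTextPassword": ("reversible encryption should be Disabled (0)", lambda v: v == 0),
    "LockoutBadCount": ("lock accounts after three to five failed logons",
                        lambda v: 3 <= v <= 5),
}


def parse_system_access(text: str) -> Dict[str, int]:
    """Return the integer settings found in the [System Access] section only."""
    values: Dict[str, int] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "system access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            values[key.strip()] = int(value.strip())
        except ValueError:
            continue  # skip string-valued settings; only numeric ones are audited
    return values


def audit(text: str) -> List[str]:
    """Return one finding per setting that is missing or out of line with RULES."""
    values = parse_system_access(text)
    findings = []
    for key, (advice, complies) in RULES.items():
        if key not in values:
            findings.append(f"{key}: not defined in export; {advice}")
        elif not complies(values[key]):
            findings.append(f"{key} = {values[key]}: {advice}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

When reading a real export from disk, decode it first; these files are normally written as UTF-16.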

Time-of-Day Restrictions and Account Expiration

Besides password restrictions, logon hours can be restricted in many operating systems. By default, all domain users can log on at any time. Many times, it is necessary to restrict logon hours for maintenance purposes. For example, at 11:00 P.M. each evening, the backup is run; therefore, you might want to be sure that everyone is off of the system. Or if databases get re-indexed on a nightly basis, you might have to confirm that no one is on them. This is also a good way to be sure that a hacker isn’t logging on with stolen passwords.

Logon hours can be restricted by days of the week, hours of the day, or both. Each OS is different, so the effect of the restrictions will differ if the user is currently logged on when the restriction time begins. In a Microsoft environment, whether users are forced to log off when their logon hours expire is determined by the Automatically Log Off Users setting. In other environments, the user may be allowed to stay logged on, but once logged off, the user cannot log back on. The logon schedule is enforced by the Kerberos Group Policy setting Enforce User Logon Restrictions, which is enabled by default in Windows Server 2003.

You can also assign time-of-day restrictions to ensure that employees use computers only during specified hours. This setting is useful for organizations where users require supervision, where security certification requires it, or where employees are mainly temporary or shift workers.

The account expires attribute specifies when an account expires. This setting may be used under the same conditions as mentioned previously for the time-of-day restrictions. Temporary or contract workers should have user accounts that are valid only for a certain amount of time. This way when the account expires, it can no longer be used to log on to any service. Statistics show that a large number of temporary accounts are never disabled. Limiting the time an account is active for such employees should be part of the policies and procedures. In addition, user accounts should be audited on a regular basis.

Logical Tokens

This section focuses on logical tokens. Physical tokens are discussed in Chapter 5. An access token is created whenever a user logs on to a computer, or an attempt is made to access a resource, as part of the authentication process. An access token contains information about the identity and privileges associated with the security principal, such as users, groups, computers, or domain controllers. A security identifier (SID) is a unique value that identifies a security principal. In a Microsoft Windows environment, a SID is issued to every security principal when it is created. A user’s access token includes SIDs of all groups of which the user is a member. When a user logs on and authentication succeeds, the logon process returns a SID for the user and a list of SIDs for the user’s security groups; these comprise the access token.

Because of a system limitation, the field that contains the SIDs of the principal’s group memberships in the access token can contain a maximum of 1,024 SIDs. If there are more than 1,024 SIDs in the principal’s access token, the local security authority (LSA) cannot create an access token for the principal during the logon attempt. If this happens, the principal cannot log on or access resources.

Physical Control

When evaluating the physical security of the infrastructure, the security team should coordinate the security setup of the facility and surrounding areas, identify which groups are allowed to enter different areas, and determine the method of authentication to be used. As you deploy the new security systems, include training on how to use the systems. The timing of training should be coordinated so that training and physical deployment finish at about the same time.

As with all facets of security, physical security must be maintained. If maintenance is overlooked, the system will begin to fall apart. Broken locks, loose doorknobs, and cracked windows will let a potential intruder know that you are not maintaining your security systems. In addition, if security mechanisms are left in poor or nonfunctional condition, employees will bypass the security to get their jobs done. This will compromise the entire system and make the original investment of time and money worthless. Chapter 5 discusses physical access in greater detail.

This brings us to the next topic: the investment of time and money and the return on investment and calculation of risk. To protect the infrastructure, security vulnerabilities must be presented in terms of dollars and cents. Before funding a project, a formal business case analysis should be performed.

Risk and Return on Investment

You have already learned about a variety of software and hardware solutions that will make the infrastructure safer, but to justify the cost, you must know how to calculate the return on investment. Items such as antivirus software, firewalls, intrusion-detection systems, and virtualized environments do not generate revenue. IT is a cost center. By identifying assets, threats, and vulnerabilities, you can make informed decisions about a solution’s cost-effectiveness.

Identifying Risk

Risk is the possibility of loss or danger. Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level. Risk analysis helps align security objectives with business objectives. Chapter 7, “Intrusion Detection and Security Baselines,” explains the options available when dealing with risk. Here, we deal with how to calculate risk and return on investment.

Risk comes in a variety of forms. Risk analysis identifies risks, estimates the impact of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk. The annual cost of prevention against threats is compared to the expected cost of loss, for a cost/benefit comparison.

To calculate costs and return on investment, you must first identify your assets, the threats to your network, your vulnerabilities, and what risks result. For example, a virus is a threat; the vulnerability would be not having antivirus software; and the resulting risk would be the effects of a virus infection. All risks have loss potential. Because security resources will always be limited in some manner, it is important to determine what resources are present that may need securing. Then, you need to determine the threat level of exposure that each resource creates and plan your network defenses accordingly.

Asset Identification

Before you can determine which resources are most in need of protection, it is important to properly document all available resources. A resource can refer to a physical item (such as a server or piece of networking equipment), a logical object (such as a website or financial report), or even a business procedure (such as a distribution strategy or marketing scheme). Sales demographics, trade secrets, customer data, and even payroll information could be considered sensitive resources within an organization. When evaluating assets, consider the following factors:

- The original cost
- The replacement cost
- Its worth to the competition
- Its value to the organization
- Maintenance costs
- The amount it generates in profit

After assets have been identified and valued, an appropriate dollar amount can be spent to help protect those assets from loss.


Risk and Threat Assessment

After assets have been identified, you must determine the assets’ order of importance and which assets pose significant security risks. During the process of risk assessment, it is necessary to review many areas, such as the following:

- Methods of access
- Authentication schemes
- Audit policies
- Hiring and release procedures
- Isolated services that may provide a single point of failure or avenue of compromise
- Data or services requiring special backup or automatic failover support

NOTE Risk assessment should include planning against both external and internal threats. An insider familiar with an organization’s procedures can pose a very dangerous risk to network security.

During a risk assessment, it is important to identify potential threats and document standard response policies for each. Threats may include the following:

- Direct access attempts
- Automated cracking agents
- Viral agents, including worms and Trojan horses
- Released or dissatisfied employees
- Denial-of-service (DoS) attacks or overloaded capacity on critical services
- Hardware or software failure, including facility-related issues such as power or plumbing failures

When examining threat assessment, the likelihood that the threats you’ve identified might actually occur is considered. To gauge the probability of an event occurring as accurately as possible, you can use a combination of estimation and historical data. Most risk analyses use a fiscal year to set a time limit of probability and confine proposed expenditures, budget, and depreciation.

Vulnerabilities

After you have identified all sensitive assets and performed a detailed risk assessment, it is necessary to review potential vulnerabilities and take actions to protect each asset based on its relative worth and level of exposure. Evaluations should include an assessment of the relative risk to an organization’s operations, the ease of defense or recovery, and the relative popularity and complexity of the potential form of attack. Because of the constant discovery of new vulnerabilities, it is vital to include a review of newly discovered vulnerabilities as part of your standard operating procedures.

NOTE Online resources such as those provided by the SANS Institute and the BUGTRAQ lists are good examples of the resources available to network administrators responsible for watching for new vulnerabilities.

Calculating Risk

To calculate risk, use this formula:

Risk = Threat × Vulnerability

To help you understand this, let’s look at an example using DoS attacks. Firewall logs indicate that the organization was hit hard one time per month by a DoS attack in each of the past six months. We can use this historical data to estimate that it’s likely we will be hit 12 times per year. This information will help you calculate the single loss expectancy (SLE) and the annual loss expectancy (ALE).

SLE equals asset value multiplied by the threat exposure factor or probability. The formula looks like this:

Asset value × Probability = SLE

The exposure factor or probability is the percentage of loss that a realized threat could have on a certain asset. In the DoS example, let’s say that if a DoS were successful, 25 percent of business would be lost. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × 25 percent).


The possibility of certain threats is greater than that of others. Historical data presents the best method of estimating these possibilities.

After you calculate the SLE, you can calculate the ALE. This gives you the probability of an event happening over a single year’s time. This is done by calculating the product of the SLE and the value of the asset. ALE equals the SLE times the ARO (annualized rate of occurrence):

SLE × ARO = ALE

The ARO is the estimated possibility of a specific threat taking place in a one-year time frame. When the probability that a DoS attack will occur is 50%, the ARO is 0.5. Going back to the example, if the SLE is estimated at $25,000 and the ARO is .5, our ALE is $12,500 ($25,000 × .5 = $12,500). If we spent more than that, we might not be prudent because the cost would outweigh the risk.

Other risk models for calculating risk include the cumulative loss expectancy (CLE) and Iowa risk model. The cumulative loss expectancy (CLE) model calculates risk based on single systems. It takes into account all the threats that are likely to happen to this system over the next year, such as natural disasters, malicious code outbreak, sabotage, and backup failure. The Iowa risk model determines risk based on criticality and vulnerability.

Calculating ROI

Return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Because there are so many vulnerabilities to consider and so many different technologies available, calculating the ROI for security spending can prove difficult. The formulas present too many unknowns. Many organizations don’t know how many actual security incidents have occurred, nor have they tracked the cost associated with them.

One method that may be helpful in this area is called reduced risk on investment (RROI). This method enables you to rank security investments based on the amount of risk they reduce. Risk is calculated by multiplying potential loss by the probability of an incident happening and dividing the result by the total expense:

RROI = Potential loss × (Probability without expense – Probability with expense) / Total expense


By using this formula, alternative security investments can be based on their projected business value.

Another approach is to look at security as loss prevention. It can be equated to loss prevention in that attacks can be prevented. ROI is calculated using the following formula:

ROI = Loss prevented – Cost of solution

If the result of this formula is a negative number, you spent more than the loss prevented.
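The SLE, ALE, RROI, and ROI formulas above can be combined to rank alternative investments, as in this added Python example (not from the book). It uses the chapter's DoS figures ($100,000 asset value, 25 percent exposure, ARO of 0.5); the three candidate controls, their costs, and their residual probabilities are constructed, and using the ARO as the "probability without expense" is an assumption.

```python
"""SLE, ALE, RROI and ROI from the chapter, used to rank candidate controls
(added example; the candidate controls and their figures are constructed)."""
from dataclasses import dataclass
from typing import List


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy = asset value x exposure factor."""
    if not 0 <= exposure_factor <= 1:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual loss expectancy = SLE x annualized rate of occurrence."""
    return single_loss * aro


def rroi(potential_loss: float, p_without: float, p_with: float,
         total_expense: float) -> float:
    """Reduced risk on investment, as defined in the text."""
    if total_expense <= 0:
        raise ValueError("total expense must be positive")
    return potential_loss * (p_without - p_with) / total_expense


def roi(loss_prevented: float, cost_of_solution: float) -> float:
    """Loss-prevention ROI; a negative result means overspending."""
    return loss_prevented - cost_of_solution


@dataclass
class Control:
    name: str
    annual_cost: float
    probability_with: float   # yearly probability of the loss once deployed


@dataclass
class Assessment:
    name: str
    rroi: float
    roi: float
    exceeds_ale: bool         # True when the control costs more than the ALE


def rank_controls(asset_value: float, exposure_factor: float, aro: float,
                  controls: List[Control]) -> List[Assessment]:
    """Rank controls by RROI, highest first, and flag any that cost more than the ALE."""
    loss = sle(asset_value, exposure_factor)
    ceiling = ale(loss, aro)
    rows = []
    for control in controls:
        prevented = loss * (aro - control.probability_with)
        rows.append(Assessment(
            name=control.name,
            rroi=rroi(loss, aro, control.probability_with, control.annual_cost),
            roi=roi(prevented, control.annual_cost),
            exceeds_ale=control.annual_cost > ceiling,
        ))
    return sorted(rows, key=lambda row: row.rroi, reverse=True)


# Constructed candidates for the chapter's DoS scenario.
CANDIDATES = [
    Control("Scrubbing service", annual_cost=8_000, probability_with=0.1),
    Control("Second ISP link", annual_cost=15_000, probability_with=0.2),
    Control("Rate-limit rules", annual_cost=1_000, probability_with=0.4),
]

if __name__ == "__main__":
    for row in rank_controls(100_000, 0.25, 0.5, CANDIDATES):
        print(f"{row.name:18} RROI={row.rroi:.2f} ROI={row.roi:,.0f} over ALE={row.exceeds_ale}")
```
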


Exam Prep Questions

1. Which of the following best describes the formula for calculating single loss expectancy?

❍ A. Potential loss × (Probability without expense – Probability with expense) / Total expense.
❍ B. Calculates risk based on criticality and vulnerability
❍ C. Asset value multiplied by the threat exposure factor or probability
❍ D. The estimated possibility of a specific threat taking place in a one-year time frame

2. Which of the following is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level?

❍ A. Return on investment
❍ B. Risk
❍ C. Risk analysis
❍ D. Risk management

3. Which of the following are the best reasons for the use of virtualized environments? (Choose two correct answers.)

❍ A. Reduced need for equipment
❍ B. Reduced threat risk
❍ C. Capability to isolate applications
❍ D. Capability to store environments on USB devices

4. Your company is in the process of locking down CIFS and SMB file and print sharing. Which of the following ports do you have to secure? (Select all correct answers.)

❍ A. 161
❍ B. 139
❍ C. 138
❍ D. 162


5. Which of the following are recommended password account policies? (Select all correct answers.)

❍ A. Make the password length at least eight characters and require the use of uppercase and lowercase letters, numbers, and special characters
❍ B. Require users to change passwords every 60 to 90 days
❍ C. Lock user accounts out after one to two failed logon attempts
❍ D. Set the server to not allow users to use the same password over and over again

6. When evaluating assets, which of the following factors must be considered? (Choose three.)

❍ A. The replacement cost
❍ B. Its worth to the competition
❍ C. Its value to the organization
❍ D. Its salvage value

7. Which of the following are uses for proxy servers? (Choose all correct answers.)

❍ A. Intrusion detection
❍ B. Internet connectivity
❍ C. Load balancing
❍ D. Web content caching

8. Which of the following is the most common method used in an antivirus program?

❍ A. Integrity checking
❍ B. Scanning
❍ C. Heuristics
❍ D. Metrics

9. A peer-to-peer network or a workgroup where access is granted based on individual needs is an example of which type of access control?

❍ A. Group-based access control
❍ B. Mandatory access control
❍ C. Role-based access control
❍ D. User-based access control


10. Which of the following groups is the most appropriate for email distribution lists?

❍ A. Only distribution groups.
❍ B. Only security groups.
❍ C. Neither one; you must use a mail application group.
❍ D. Both security and distribution groups.

Answers to Exam Prep Questions

1. C. SLE equals asset value multiplied by the threat exposure factor or probability. Answer A is incorrect because it describes reduced risk on investment (RROI). Answer B is incorrect because it describes the Iowa risk model. Answer D is incorrect because it describes annualized rate of occurrence.

2. D. Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level. Answer A is incorrect because return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Answer B is incorrect because risk is the possibility of loss or danger. Answer C is incorrect because risk analysis helps align security objectives with business objectives.

3. A, C. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and by providing better disaster recovery solutions. Virtual environments are used for cost-cutting measures as well. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. Forensic analysts often use virtual environments to examine environments that might contain malware, or as a method of viewing the environment in the same way as the criminal. Answer B is incorrect because virtualized environments, if compromised, can provide access to not only the network, but also to any virtualization infrastructure. This puts a lot of data at risk. Answer D is incorrect because the capability to store environments on USB devices puts data at risk.

4. B, C. SMB and CIFS use UDP/TCP ports 137, 138, 139, and 445. Answers A and D are incorrect because 161 and 162 are used by SNMP.

5. A, B, and D. Good password policies include making the password length at least 8 characters; requiring the use of uppercase and lowercase letters, numbers, and special characters; requiring users to change passwords every 60 to 90 days; and setting the server to not allow users to use the same password over and over again. Answer C is incorrect because locking user accounts out after one to two failed logon attempts will cause undue stress on the help desk.

6. A, B, and C. When evaluating assets, you must consider their replacement cost, their worth to the competition, and their value to the organization. Answer D is incorrect because an asset’s salvage value is not factored in.


7. B, C, and D. Proxy servers can be placed between the private network and the Internet for Internet connectivity or internally for Web content caching. If the organization is using the proxy server for both Internet connectivity and Web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the Web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Answer A is incorrect because proxy servers are not used for intrusion detection.

8. B. The most common method used in an antivirus program is scanning. Answers A and C are incorrect because in the past antivirus engines used a heuristic engine for detecting virus structures or integrity checking as a method of file comparison. The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated. Answer D is incorrect because metrics are associated with network monitoring tools.

9. D. Within a user-based model, permissions are uniquely assigned to each account. Answer B is incorrect because in the past antivirus engines used a heuristic engine for detecting virus structures or integrity checking as a method of file comparison. The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated. Answer D is incorrect because in group-based access control permissions are assigned to groups.

10. A. Distribution groups are assigned to a user list for applications or non-security-related functions. For example, a distribution group can be used by Microsoft Exchange to distribute mail. Answers B and D are incorrect because the most appropriate use of security groups is to assign rights and permissions to groups for resource access. Answer C is incorrect because you do not need to use a mail application group.

Additional Reading and Resources

1. Bragg, Roberta. CISSP Training Guide. Que, 2002.
2. Firewall architectures: http://www.invir.com/int-sec-firearc.html
3. Microsoft Server 2003 Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655521ea6c7b4db&DisplayLang=en
4. National Institute of Standards and Technology (NIST) Firewall Guide and Policy Recommendations: http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
5. Odom, Wendell. CCENT/CCNA ICND1 Official Exam Certification Guide (CCENT Exam 640-822 and CCNA Exam 640-802), 2nd Edition. Cisco Press, 2007.
6. Odom, Wendell. CCNA ICND2 Official Exam Certification Guide (CCNA Exams 640-816 and 640-802), 2nd Edition. Cisco Press, 2007.
7. Security tools: http://www.securitymetrics.com/securitytools.adp
8. SANS InfoSec Reading Room - Physical Security: http://www.sans.org/reading_room/whitepapers/physcial/


PART III

Access Control

Chapter 5 Access Control and Authentication Basics
Chapter 6 Securing Communications


CHAPTER FIVE

Access Control and Authentication Basics

Terms you need to understand:
✓ Mandatory access control (MAC)
✓ Discretionary access control (DAC)
✓ Role-based access control (RBAC)
✓ Kerberos authentication
✓ Challenge-Handshake Authentication Protocol (CHAP)
✓ Certificates
✓ Tokens
✓ Biometrics
✓ Multifactor authentication
✓ Identity proofing
✓ Mantraps
✓ Video surveillance

Techniques you need to master:
✓ Be able to recognize the forms of access control (MAC/DAC/RBAC).
✓ Understand the process of authentication and the various forms of authentication available.
✓ Be able to recognize asymmetric and symmetric encryption methods.
✓ Explain the strengths and vulnerabilities of various physical security zones and devices.


The concept of security within the network environment includes aspects drawn from all operating systems, application software packages, hardware solutions, and networking configurations present within the network to be secured, and from within any network-sharing connectivity directly or indirectly with the network to be secured. For the Security+ exam, you need to develop the broadest set of skills possible, gaining experience from the most specific to the most general of security concepts. Awareness of emerging threats is essential to testing success. This chapter and Chapter 6, “Securing Communications,” provide an overview of general concepts you should familiarize yourself with. This chapter focuses on access control mechanisms and methods for secure network authentication and physical access. A general knowledge of network terminology will aid in understanding these concepts. As a prospective security professional, you should also take every opportunity you may find to expand your skill base beyond these. The practice of a security professional is never an end unto itself, but rather a never-ending path threaded through constant change and ever-evolving possibility.

Access Control

This section examines the methods for controlling access to network resources. Planning for access control may affect the methods used in the authentication process examined later in this chapter. For example, if there will be a need only for anonymous access to a public read-only HTML document, the simple access control mandates eliminate the need for a complex authentication process. Access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. The forms of access control you need to know include the following:

• Mandatory access control (MAC)
• Discretionary access control (DAC)
• Role-based access control (RBAC)

We discuss these types of access control and access control best practices in the following sections. These methods and best practices are based on security criteria set by various efforts. Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) are major security criteria efforts. The Common Criteria is based on both TCSEC and ITSEC.


CAUTION The Trusted Computer System Evaluation Criteria (TCSEC) specification used by many government networks explicitly specifies only the MAC and DAC forms of access control. Because of the color of the original printed manual’s cover (DoD 5200.28-STD), the TCSEC may be referred to as the “orange book.” The TCSEC is the first book in the DoD-published Rainbow series of security criteria, released in 1983. The TCSEC specification identifies levels of security based on the minimum level of access control used in a network environment. The four divisions of access control are D – Minimal, C – Discretionary, B – Mandatory, and A – Verified. Category “A” is the highest level, essentially encompassing all elements of Category B, in addition to formal design and verification techniques. You should be aware that individual categories are subdivided based on the complexity of implementation. Category C (Discretionary Access Control) distinguishes the basic separation of user data and control of access to resources (C1 – Discretionary Security Protection) from environments using data segmentation, authenticated logons, and access audit controls (C2 – Controlled Access Protection).

Mandatory Access Control

The most basic form of access control involves the assignment of labels to resources and accounts. If the labels on the account and resource do not match, the resource remains unavailable in a nondiscretionary manner. This type of access control is called mandatory access control (MAC, also referred to as multilevel access control) and is often used within governmental systems where resources and access may be granted based on categorical assignment such as classified, secret, or top secret. Mandatory access control applies to all resources within the network and does not allow users to extend access rights by proxy.

NOTE Note that in the Security+ exam the acronym MAC can refer both to mandatory access control and to the Media Access Control sublayer of the data link layer in the OSI model. When the question involves access control, MAC applies to mandatory controls over access rather than Layer 2 networking.

Discretionary Access Control

A slightly more complex system of access control involves the restriction of access for each resource in a discretionary manner. DAC scenarios allow individual resources to be made available or secured from access individually. Access rights are configured at the discretion of accounts with authority over each resource, including the ability to extend administrative rights through the same mechanism. In DAC a subject has complete control over the objects that it owns. The owner assigns security levels based on objects and subjects.

Role-Based Access Control

In an RBAC scenario, access rights are first assigned to roles, and accounts are then assigned these roles without direct assignment of resource access rights. This solution provides the greatest level of scalability within large enterprise scenarios, where the explicit granting of rights to each individual account could rapidly overwhelm administrative staff, and the potential for accidental grant of unauthorized permissions increases. RBAC combines direct access aspects of MAC and varying access rights based on role membership. Delegation of administration over rights granted through RBAC is itself managed by specialized administration roles, rather than through ownership or direct control over the individual resources as in DAC solutions.

EXAM ALERT The exam may include an alternative use for the RBAC acronym that refers to rule-based access controls. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of its access for the resource. ACLs are used within operating systems such as Novell NetWare, Microsoft Windows, DEC OpenVMS, and most UNIX and Linux packages. Exam items dealing with conditional testing for access (for example, time-of-day controls) are examining rule-based access control. Items involving assignment of rights to groups for inheritance by group member accounts are focused on role-based access control.

Access Control Best Practices

Along with the previously mentioned “less-is-more” stance for access control, a number of other best practices exist. You should be familiar with the following:

• Implicit deny—An access control practice wherein resource availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access. This practice is used commonly in Cisco networks, where most ACLs have a default setting of “implicit deny.” This ensures that when access is not explicitly granted, it is automatically denied by default.

• Least privilege—An access control practice wherein a logon is provided only the bare minimum access to resources required to perform its tasks. Whenever confronted by a solution involving the determination of proper levels of access, remember the phrase “less is more.” This is a convenient reminder of the security practice known as the principle of least privilege, where an account is granted no more access rights than the bare minimum needed to perform assigned tasks.

• Separation of duties—An access control practice involving both the separation of logons, such as day-to-day and admin accounts both assigned to the same network admin, and the separation of roles, such as security assignment and compliance audit procedures. Separation of account functionality protects the network by ensuring that an inadvertent malware execution during normal daily operations cannot then attack the network with full administrative privileges. Separation of role duties ensures that validation is maintained apart from execution, protecting the network against fraudulent actions or incomplete execution of security mandates. The User Access Control (UAC) technology used by the Microsoft Vista operating system ensures that software applications cannot perform privileged access without additional authorization from the user. Within the Microsoft environment, lesser accounts may perform privileged processes using the “run as” option to specify the explicit use of a privileged account.

• Expiration—An access control practice to expire passwords on a regular basis, protecting against brute-force password guessing attacks, and to expire accounts not used after a certain period of time. Unused accounts often retain weak passwords used in initial assignment and may be more susceptible to password-guessing routines.

• Job rotation—As an extension of the separation of duties, rotating administrative users between roles both improves awareness of the mandates of each role and ensures that fraudulent activity cannot be sustained. This is also the reason that users with administrative access may be required to take vacations, allowing other administrators to review standard operating practices in place.
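The access decisions described in this section (MAC, DAC, role-based, and rule-based with implicit deny), side by side as an added Python example that is not from the book. The labels, account names, roles, resources and time window are constructed, and MAC is modelled on the assumption that a clearance "matches" a label when it is at or above it.

```python
from dataclasses import dataclass, field
from datetime import time

# --- MAC: labels are fixed by policy; neither owner nor user can override ---
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}

def mac_allows(clearance: str, resource_label: str) -> bool:
    """Assumption: a clearance matches a label when it is at or above it."""
    return LEVELS[clearance] >= LEVELS[resource_label]

# --- DAC: the owner of each resource decides who else gets which rights ---
@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # account -> set of rights

def dac_grant(res: Resource, actor: str, account: str, right: str) -> bool:
    """Only the owner may extend rights; any other actor is refused."""
    if actor != res.owner:
        return False
    res.acl.setdefault(account, set()).add(right)
    return True

def dac_allows(res: Resource, account: str, right: str) -> bool:
    if account == res.owner:
        return True
    return right in res.acl.get(account, set())   # no entry: implicit deny

# --- Role-based: rights attach to roles; accounts only hold roles ---
ROLE_RIGHTS = {
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
    "auditor": {("tickets", "read"), ("audit-log", "read")},
}
ACCOUNT_ROLES = {"alice": {"helpdesk"}, "bob": {"auditor"}}

def rbac_allows(account: str, resource: str, right: str) -> bool:
    return any((resource, right) in ROLE_RIGHTS.get(role, set())
               for role in ACCOUNT_ROLES.get(account, set()))

# --- Rule-based: ordered ACL with conditions; the first matching rule wins ---
# (account or "*", resource, window start, window end, action)
RULES = [
    ("carol", "payroll", time(0, 0), time(23, 59, 59), "deny"),
    ("*", "payroll", time(8, 0), time(18, 0), "permit"),
]

def rule_allows(account: str, resource: str, at: time) -> bool:
    for who, what, start, end, action in RULES:
        if who in ("*", account) and what == resource and start <= at <= end:
            return action == "permit"
    return False   # implicit deny: nothing matched, so access is refused

if __name__ == "__main__":
    doc = Resource("report.doc", owner="dave")
    dac_grant(doc, "dave", "erin", "read")
    print("MAC  secret reads classified:", mac_allows("secret", "classified"))
    print("DAC  erin may write:", dac_allows(doc, "erin", "write"))
    print("RBAC bob may write tickets:", rbac_allows("bob", "tickets", "write"))
    print("Rule alice on payroll at 22:00:", rule_allows("alice", "payroll", time(22, 0)))
```
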


Authentication

Before authorization may occur for anything other than anonymous access to wholly public resources, the identity of the account attempting to access a resource must first be determined. This process is known as authentication. The most well-known form of authentication is the use of a logon account identifier and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided.

CAUTION The shortcoming of any authentication system is that if the keys used may be easily falsified, access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of the potential for this weakness.

The relative strength of an authentication system depends on the difficulty of falsifying or circumventing its process. Anonymous or open access represents the weakest possible form of authentication, whereas the requirement for both a logon identifier and password combination may be considered the most basic of actual account verification. The highest levels of authentication may involve not only account logon, but also whether the logon is occurring from specific network addresses or whether a security token such as an access smart card is present.

EXAM ALERT The exam may contrast identification (the presentation of a unique identity) with authentication, which is the mechanism by which the unique identity is associated with a security principal (a specific user or service). Identification presents credentials, authentication associates those credentials with a security principal, and then access control provides a set of resources available to the authenticated identity.

In theory, the strongest security would be offered by identifying biometric keys unique to a particular user’s person or physical body, such as fingerprints and retinal or iris patterns, combined with other authentication methods involving access passwords or token-based security requiring the possession of a physical smart card key.


TIP Authentication can be generally broken into four basic forms, depending on what is required to authorize access: something you know, something you have, something you are, or something you do. Location-specific logons from a particular GPS coordinate, time-of-day restrictions on logon, or console terminal may also factor in limiting access to authorized users.

Obviously, the needs for authentication are going to be relative to the value assigned to a particular resource’s security. Additional authentication layers required for access increase both the administrative overhead necessary for management and the difficulty users will have trying to access needed resources. Consider, for example, the differences in authentication requirements for access to a high-security solution such as the Federal Reserve’s banking network as opposed to those needed to access an unprivileged local account in a public kiosk. In the first scenario, to establish authentication for rightful access, the use of a combination of biometric, token-based, and password-form access methods may be mandatory. You may also use these access methods with even more complex forms of authentication, such as the use of dedicated lines of communication, time-of-day restrictions, synchronized shifting-key hardware encryption devices, and redundant-path comparison. You would use these to ensure that each account attempting to make a transaction is properly identified. In the second scenario, authentication might be as simple as an automatic anonymous guest logon shared by all visitors. Each mechanism for authentication provides different levels of identification, security over data during the authentication exchange, and suitability to different access methods such as wireless or dial-up network access. We will now examine several forms of authentication you should be familiar with for the exam.

Kerberos Authentication

The most basic aspects of authentication within a completely isolated network include only the need to determine the identity of an account. If a network is physically or logically accessible to external parties that might seek to sniff (capture and examine) data being transacted between systems, the problem arises as to how to keep the authentication keys themselves safe.


Here is an example: A basic File Transfer Protocol (FTP) access session involves the client sending a logon identifier and a password to the FTP server, which accepts or rejects this access. The logon identifier and password, by default, are sent in plain-text form, readable by any agent with access to the data as it is transmitted from the client to the server. An unauthorized party, pretending to be the authorized user, might use this information later to gain access to the server. To avoid sending the actual logon information across an unsecured network, one solution is the symmetric-key authentication protocol known as Kerberos (created by the Athena project at MIT). A symmetric key means that both the client and server must agree to use a single key in both the encryption and decryption processes (see Figure 5.1). Kerberos is primarily a UDP protocol, although it falls back to TCP for large Kerberos tickets. Kerberos clients send UDP and TCP packets on port 88 and receive replies from the Kerberos servers. Port 88 is the standard port for Kerberos 5. You may also find references to ports 749 and 750 used by earlier versions of Kerberos.

FIGURE 5.1 Example of a symmetric-key encrypted data transfer. (Diagram: the source file plus the encryption key yields the encrypted file, which crosses the Internet and is decrypted with the key to recover the source file.)


In Kerberos authentication, a client sends its authentication details not to the target server, but rather to a Key Distribution Center (KDC), as follows:

1. The client first contacts a certification authority (CA).
2. The CA creates a time-stamped session key with a limited duration (by default, eight hours) using the client’s key and a randomly generated key that includes the identification of the target service.
3. This information is sent back to the client in the form of a Ticket-Granting Ticket (TGT).
4. The client then submits the TGT to a Ticket-Granting Server (TGS).
5. This server then generates a time-stamped key encrypted with the service’s key and returns both to the client.
6. The client then uses its key to decrypt its ticket, contacts the server, and offers the encrypted ticket to the service.
7. The service uses its key to decrypt the ticket and verify that the time stamps match and the ticket remains valid.
8. The service contacts the KDC and receives a time-stamped session keyed ticket that it returns to the client.
9. The client then decrypts the keyed ticket using its key. When both agree that the other is the proper account and that the keys are within their valid lifetime, communication occurs.

The short lifespan of a ticket ensures that if someone attempts to intercept the encrypted data to try to break its keys, the key will have changed before he or she can reasonably break the key using cryptographic algorithms. The handshaking between the client and the KDC and between the service and the KDC provides verification that the current session is valid, without requiring the transmission of logons or passwords between client and service.

The strengths of Kerberos authentication come from its time-synchronized connections and the use of registered client and service keys within the KDC. These also create some drawbacks, such as the need to use a standard time base for all systems involved, and difficulties that can result if the KDC is unavailable or the cached client and service credentials were accessed directly from the granting servers. An important advantage of time-stamped credentials is that they help prevent spoofing and replay attacks.


Mutual Authentication

Kerberos 5 includes support for a process known as mutual authentication, in which both client and server verify that the computer with which they are communicating is the proper system. This process helps to prevent man-in-the-middle attacks, where an unauthorized party intercepts communications between two systems and pretends to be each to the other, passing some data intact, modifying other data, or inserting entirely new sets of values to accomplish desired tasks. (Chapter 3, “Infrastructure Basics,” covers man-in-the-middle attacks in more detail.)

In mutual authentication, one system creates a challenge code based on a random number and then sends this code to the other system. The receiving system generates a response code using the original challenge code and creates a challenge code of its own, sending both back to the originating system. The originating system verifies the response code as a value and returns its own response code to the second system, generated from the challenge code returned with the first response code. After the second system has verified its returned response code, it notifies the originating system, and both systems consider themselves mutually authenticated.
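The four-message exchange described above, as an added Python example that is not from the book. It assumes both systems already share a secret key and uses HMAC-SHA256 as the response function, which the text does not name; the class, the role tags and the function names are illustrative.

```python
import hashlib
import hmac
import secrets

class Party:
    """One end of the exchange; both ends hold the same shared key (assumption)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.my_challenge = None

    def new_challenge(self) -> bytes:
        # Challenge code based on a fresh random number.
        self.my_challenge = secrets.token_bytes(16)
        return self.my_challenge

    def respond(self, challenge: bytes, role: bytes) -> bytes:
        # The role tag ties a response to the side that produced it, so a
        # response computed by one side is never valid as the other's.
        return hmac.new(self.key, role + challenge, hashlib.sha256).digest()

    def verify(self, response: bytes, peer_role: bytes) -> bool:
        if self.my_challenge is None:
            return False                      # no outstanding challenge
        expected = hmac.new(self.key, peer_role + self.my_challenge,
                            hashlib.sha256).digest()
        self.my_challenge = None              # each challenge is single use
        return hmac.compare_digest(expected, response)

def mutual_authenticate(originator: Party, receiver: Party) -> bool:
    """Run the exchange; True only if each side verified the other."""
    c1 = originator.new_challenge()                   # 1. originator -> receiver
    r1 = receiver.respond(c1, b"receiver")            # 2. receiver answers c1 ...
    c2 = receiver.new_challenge()                     #    ... and adds its own challenge
    if not originator.verify(r1, b"receiver"):
        return False                                  # receiver is not the proper system
    r2 = originator.respond(c2, b"originator")        # 3. originator answers c2
    return receiver.verify(r2, b"originator")         # 4. receiver verifies and notifies

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("same key:     ", mutual_authenticate(Party("client", key), Party("server", key)))
    print("different key:", mutual_authenticate(Party("client", key),
                                                Party("impostor", secrets.token_bytes(32))))
```
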

Challenge-Handshake Authentication Protocol

The Challenge-Handshake Authentication Protocol (CHAP) can be used to provide on-demand authentication within an ongoing data transmission. CHAP is an improvement over Password Authentication Protocol (PAP). PAP is a basic form of authentication during which the username and password are transmitted unencrypted. CHAP uses a one-way hashing function that first involves a service requesting a CHAP response from the client. The client creates a hashed value that is derived using the message digest (MD5) hashing algorithm and sends this value to the service, which also calculates the expected value itself. The server, referred to as the authenticator, compares these two values. If they match, the transmission continues. This process is repeated at random intervals during a session of data transaction.

CHAP functions over Point-to-Point Protocol (PPP) connections. PPP is a protocol for communicating between two points using a serial interface, providing service at the second layer of the OSI model: the data-link layer. PPP can handle both synchronous and asynchronous connections.

Occasionally, you might find Shiva Password Authentication Protocol (SPAP) implemented. SPAP was designed by Shiva and is an older, two-way reversible encryption protocol that encrypts the password data sent between client and server. A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.

EXAM ALERT Remember that CHAP functions over Point-to-Point Protocol (PPP) connections. There are also two forms of CHAP that are Microsoft-specific (MS-CHAP and MS-CHAPv2) that you should be able to recognize.
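An added Python example, not from the book, of the CHAP comparison described above, including the repeated challenges during a session. It uses the response calculation from RFC 1994 (MD5 over the one-octet identifier, the shared secret and the challenge); the peer name, the secret and the class names are constructed.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The server side: issues challenges and compares the two hash values."""

    def __init__(self, secrets_by_name: dict):
        self.secrets_by_name = secrets_by_name
        self.identifier = 0
        self.challenge = None

    def challenge_packet(self):
        # Every round gets a new identifier and a fresh random challenge.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def check(self, name: str, identifier: int, response: bytes) -> bool:
        secret = self.secrets_by_name.get(name)
        if secret is None or self.challenge is None:
            return False
        if identifier != self.identifier:
            return False                    # answer to an earlier challenge
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = None               # a challenge is answered once
        return hmac.compare_digest(expected, response)

class Peer:
    """The client side: holds the shared secret and never transmits it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def answer(self, identifier: int, challenge: bytes):
        return self.name, identifier, chap_response(identifier, self.secret, challenge)

def session(authenticator: Authenticator, peer: Peer, rounds: int = 3):
    """Initial authentication followed by re-challenges during the session.

    Returns (authenticated, wire) where wire lists what crossed the link.
    """
    wire = []
    for _ in range(rounds):
        ident, challenge = authenticator.challenge_packet()
        name, rid, response = peer.answer(ident, challenge)
        wire.append((ident, challenge, response))
        if not authenticator.check(name, rid, response):
            return False, wire              # transmission does not continue
    return True, wire

if __name__ == "__main__":
    auth = Authenticator({"branch-router": b"constructed-secret"})
    ok, wire = session(auth, Peer("branch-router", b"constructed-secret"))
    print("authenticated:", ok, "rounds on the wire:", len(wire))
```

Unlike PAP, only the challenge and the 16-byte hash cross the link, and a response captured in one round does not satisfy the next challenge.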

Terminal Access Controller Access Control System Plus

The Terminal Access Controller Access Control System Plus (TACACS+) remote-access control system, which provides authentication, accounting, and access control, relies on a central server to provide access over network resources, including services, file storage, and network routing hardware. TACACS+ is a replacement for the older TACACS and is not backward compatible with the legacy TACACS standard made popular over Telnet connectivity originally developed for UNIX systems. TACACS+ is similar to Remote Authentication Dial-In User Service (RADIUS), but relies on Transmission Control Protocol (TCP) rather than RADIUS’s User Datagram Protocol (UDP) transport developed originally for modem-based connectivity access control.

Remote Authentication Dial-In User Service

The RADIUS remote-access control system provides authentication and access control within an enterprise network using UDP transport to a central network access server, which in turn provides credentials for access to resources within an extended enterprise. RADIUS was developed originally for use in dial-up connectivity over telephonic modems, but you might still find RADIUS servers in larger enterprises where logons must span resources located in multiple logon realms.

IEEE 802.1x

The IEEE 802.1x standard for wireless, port-based access control can be used to provide authentication and access control but is often paired with a RADIUS service to facilitate enterprisewide access management. Because of the broadcast nature of wireless connectivity, additional transport security is often used in conjunction with 802.1x authentication to secure communications between the mobile device and the secured network. Internet Protocol Security (IPsec) is another common protocol used in conjunction with IEEE 802.1x to provide this functionality.

Certificates

One of the most rigorous forms of authentication involves the use of digital certificates within a public key infrastructure (PKI) to establish encrypted communication streams through unsecured networks. Public key systems use an asymmetric cryptographic process in which the encryption and decryption keys are not the same, unlike a symmetric cryptographic process such as that used in Kerberos authentication.

NOTE Public key encryption is the basis for many commonly encountered data encryption solutions, including the use of the X.509 compliant keys used to establish Secure Sockets Layer (SSL) connections (most often seen in secured website forms; HTTPS on port 443).

In public key encryption, a public and private key are generated by a CA, and these keys are returned to the client in the form of digital certificates. The public key is given to those who need to encrypt data and send it to the client. The client then decrypts the data using its private key that only the client has. The public key is used to encrypt a message, and the private key is used to decrypt the results. A registration authority (RA) provides authentication to the CA of the validity of a client’s certificate request. One of the most commonly used certification and registration authorities is VeriSign, a vendor specializing in the issuance of X.509 certificates for secure website connections.

Username and Password

The most common form of authentication combines a username and a password or pass-phrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternative values. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password. Password policy is discussed in greater detail in Chapter 4, “Infrastructure Security and Controls.” Make sure that you are familiar with the details presented there, too.

Tokens

One of the best methods of authentication involves the use of a token, which may either be a physical device or a one-time password issued to the user. Tokens include solutions such as a chip-integrated smart card or a digital token such as RSA Security’s SecurID tokens. Without the proper token, access is denied. Because the token is unique and granted only to the user, it is harder to pretend to be (spoof) the properly authorized user. Digital tokens are typically used only one time so that they cannot be captured and reused later by an unauthorized party. Chapter 4 includes details on logical tokens that you should be familiar with.

Biometrics

The most distinctive quality of a user is his or her unique physical characteristics, such as fingerprints, retinal patterns, iris patterns, facial blood-vessel patterns, bone structure, and other forms of specific unique biophysical qualities. Other values may be used, such as voice-pattern recognition or high-resolution cardiac patterns; but because these may change based on illness or exertion, they can be somewhat less dependable. New systems are becoming available to allow authentication of users by their body measurements (biometrics), which are compared to values stored within a local table to provide authentication only if the biometric values match. Another alternative is to store biometric data on smart card tokens. Under this scenario, users must be authenticated within a widely distributed scheme where transactions against a central server storing large and complex biometric values might be difficult. Table 5.1 describes the most common biometrics methods.


TABLE 5.1 Biometric Technologies

Method | Description
Fingerprint | Scans and matches a thumbprint or fingerprint to a reference file.
Hand/palm geometry | Uses a person’s palm or hand profile, which includes the length and width of the hand and fingers.
Voiceprint | Identifies a person by having her speak into a microphone to measure speech patterns.
Facial geometry | Identifies a user based on the profile and characteristics of his face. This includes bone structure, chin shape, and forehead size.
Iris profile | Identifies an individual by using the colored part of the eye that surrounds the pupil.
Retina scan | Identifies an individual by using the blood-vessel pattern at the back of the eyeball.
Signature | Matches an individual’s electronic signature to a database by comparing electronic signals created by the speed and manner in which a document is signed.

EXAM ALERT The exam may include questions on the various biometric technologies. Be sure you are familiar with the methods and descriptions in Table 5.1.

Biometric devices are susceptible to false acceptance and false rejection rates. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt—in other words, allow access to an unauthorized user. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized.

Multifactor Authentication

The best possible authentication solution combines multiple other methods. One example of a multifactor solution is the use of a smart card token that stores biometric values that are compared to those of the user, who might also be asked to enter a valid password. The difficulty involved in gaining unauthorized access increases as more types of authentication are used, although the difficulty for users wanting to authenticate themselves is also increased similarly. Administrative overhead and cost of support also increase with the complexity of the authentication scheme, so a solution should be reasonable based on the sensitivity of data being secured.


EXAM ALERT Remember that multifactor authentication involves the use of two or more different forms of authentication. What you know (logon, password, PIN), what you have (keycard, SecurID number generator), what you are (biometrics), or what you do (handwriting analysis, voice recognition) constitute different forms. Two of the same type (such as a password and logon ID) do not provide multifactor authentication. A username/passcode combination is only a single-factor authentication scheme, whereas a smart card/PIN combination is a two-factor solution.

Single Sign-On

Distributed enterprise networks often include many different resources, each of which may require a different mechanism for authentication and access control. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access to all services is desirable. SSO solutions may use a central directory service, such as Microsoft Active Directory or Novell eDirectory service, or may sequester services behind a series of proxy applications as in the service-oriented architecture (SOA) approach. In the SOA network environment, the client-facing proxy application provides a standard mechanism for interacting with each service, handling specialized logon, authentication, and access control functions “behind the scenes” out of sight of the consuming user or service.

Identity Proofing

Identity proofing is an organizational process that binds users to authentication methods. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Identity proofing is the main component of authentication life cycle management. The first link in the chain of trust is established when a person is issued a credential establishing identity or privileges. It must provide a firm assurance that persons are who they say they are. This technique can include integrated biometrics or online database validation. Identity proofing comes in a variety of forms. A poorly identity-proofed smart card provides less identity assurance than an effectively identity-proofed password. Authenticators include smart cards, biometrics, and one-time password (OTP) devices. Identity proofing is especially important in emergency access (for example, when users forget their hardware token).

Operating System Hardening

In security terms, hardening a system refers to reducing its security exposure and strengthening its defenses against unauthorized access attempts and other forms of malicious attention. A “soft” system is one that is installed with default configurations or unnecessary services, or one that is not maintained to include emerging security updates. There is no such thing as a “completely safe” system, so the process of hardening reflects attention to security thresholds.

Nonessential Services and Protocols

Systems installed in default configurations often include many unnecessary services that are configured automatically. These provide many potential avenues for unauthorized access to a system or network. Many services have known vulnerabilities that require specific action to make them more secure, and others might simply impair system function by causing additional processing overhead. Default configurations also allow for unauthorized access and exploitation.

CAUTION A denial-of-service (DoS) attack against an unneeded Web service is one example of how a nonessential service could potentially cause problems for an otherwise functional system.

Common default-configuration exploits include both services such as anonymous-access FTP servers and network protocols such as the Simple Network Management Protocol (SNMP). Others may exploit vendor-supplied default logon/password combinations, such as the Oracle Db default admin: scott/tiger.

EXAM ALERT When presented with a scenario on the exam, you might be tempted to keep all services enabled to cover all requirements. Be wary of this option; it might cause the installation of unnecessary services or protocols.
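The following added example (not from the book) shows one way to find nonessential services on a Linux host: it compares listening sockets, given in the style of `ss -tulnp` output, against a role baseline. The sample output, the baseline, and all class and function names are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=901,fd=6))
tcp   LISTEN 0      32     *:21               *:*               users:(("vsftpd",pid=777,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1001,fd=5))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=950,fd=7))
"""

# Hypothetical baseline: the only listeners a "web server" role should expose.
WEB_SERVER_BASELINE = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

PROCESS_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        """True when the socket is bound to a loopback address only."""
        if self.address == "*":
            return False
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False  # unrecognized address form: assume it is reachable


def parse_listeners(text: str) -> list:
    """Turn each tcp/udp line into a Listener; skip the header and other lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        address, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(fields[0], address.strip("[]"), int(port), process))
    return listeners


def audit(listeners, baseline) -> list:
    """Report every listener the baseline does not call for."""
    findings = []
    for item in listeners:
        if (item.proto, item.port) in baseline:
            continue
        if item.loopback_only:
            action = "review (loopback only)"
        else:
            action = "disable or restrict (network reachable)"
        findings.append((item.proto, item.port, item.process, action))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, process, action in audit(
        parse_listeners(SAMPLE_SS_OUTPUT), WEB_SERVER_BASELINE
    ):
        print(f"{proto}/{port:<5} {process:<10} {action}")
```
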

Patch Management

Many vendors provide regular updates for installed products, managed through automated deployment tools or by manual update procedures carried out by a system user. Regular maintenance is required to meet emerging security threats, whether applying an updated RPM (Red Hat Package Manager, a file format used to distribute Linux applications and update packages) by hand or through fully automated “call home for updates” options like those found in many commercial operating systems and applications.

Because of the emergence of blended-threat malware, which targets multiple vulnerabilities within a single attack, all major operating systems and application solutions must be considered in system hardening plans. Automated reverse-engineering of newly released patches has significantly reduced the time from an update’s initial release until its first exploits are seen in the wild, down from months to hours before unpatched applications can be targeted.

Types of updates you should be familiar with include the following:

• Hotfixes—Typically, small and specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update.
• Service packs—Major revisions of functionality or service operation in an installed application. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. Service packs are usually cumulative, including all prior service packs, hotfixes, and patches.
• Patches—Like hotfixes, patches are usually focused updates that affect installed applications. Patches are generally used to add new functionality, update existing code operation, or to extend existing application capabilities.

Security Settings

To establish effective security baselines, enterprise network security management requires a measure of commonality between systems. Mandatory settings, standard application suites, and initial setup configuration details all factor into the security stance of an enterprise network. Types of configuration settings you should be familiar with include the following:

• Group policies—Collections of configuration settings applied to a system based on computer or user group membership, which may influence the level, type, and extent of access provided.
• Security templates—Sets of configurations that reflect a particular role or standard established through industry standards or within an organization, assigned to fulfill a particular purpose. Examples include a “minimum-access” configuration template assigned to limited-access kiosk systems, whereas a “high-security” template could be assigned to systems requiring more stringent logon and access control mechanisms.
• Configuration baselines—Many industries must meet specific criteria, established as a baseline measure of security. An example of this is the health-care industry, which has a lengthy set of requirements for information technology specified in the Health Insurance Portability and Accountability Act (HIPAA) security standards. Unless the mandated security baseline is met, penalties and fines could be assessed. Security baselines are often established by governmental mandate, regulatory bodies, or industry representatives, such as the PCI requirements established by the credit card industry for businesses collecting and transacting credit information.

Physical Access Security Methods

When planning security for network scenarios, many organizations overlook physical security. In many smaller organizations, the servers, routers, and patch panels are placed as a matter of convenience because of space restrictions. This can cause security issues. Speaking from experience, this equipment ends up in the oddest places, such as in the coat closet by the receptionist’s desk in the lobby, in the room with the copy machine, or in a storage room with a backdoor exit that’s unlocked most of the time. Securing physical access and ensuring that access requires proper authentication is necessary to avoid accidental exposure of sensitive data to attackers performing physical profiling of a target organization.

When planning physical security, you must consider events such as natural and man-made disasters. If you have space constraints and put the servers in a room with the water heater, how will you deal with the consequences when the water heater springs a leak? How soon will your network be back up and running? If your building is in a flood zone and the most important equipment is in the lowest spot in the building, you need to be prepared when heavy rains come. Man-made disasters can be as simple as a clumsy technician spilling his soda into the most important piece of equipment you have. Many times, these types of scenarios are overlooked until it is too late.

EXAM ALERT Be familiar with physical security descriptions indicating potential security flaws. Watch for descriptions that include physical details or organizational processes.

Physical access to a system creates many avenues for a breach in security, for several reasons. Many tools may be used to extract password and account information that can then be used to access secured network resources. Given the ability to reboot a system and load software from a floppy disk, attackers may be able to access data or implant Trojan horses and other applications intended to weaken or compromise network security. Unsecured equipment is also vulnerable to social engineering attacks. It is much easier for an attacker to walk into a reception area, say she is there to do some work on the server, and get access to that server in the closet in the front lobby than to get into a physically secured area with a guest sign-in and sign-out sheet. As mentioned earlier, weak physical controls can also amplify the effects of natural and man-made disasters. Physical security controls parallel the data controls. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Users in this model generally have some security training and are often allowed to grant access to others by serving as an escort or by issuing a guest badge. The security department coordinates the secure setup of the facility and surrounding areas, identifies the groups allowed to enter various areas, and allows them access based on their group membership. When physical security is considered, the most obvious element to control is physical access to systems and resources. 
Your goal is to allow only trusted use of these resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model you have chosen. When planning for access control, you pay attention not only to direct physical contact with hosts and network hardware but also to line-of-sight access, which means you need to place systems in such a way that you don’t allow an attacker with a telescope or binoculars to spy on typed passwords. You also need to consider areas covered by wireless device transmissions, which may be detected at far greater distances than are useful for two-way network connectivity. Even the location of systems in low-traffic, public, or unmonitored areas may pose security risks.

This section covers physical access control, including barriers, facilities, and environments. Social engineering and user education are also covered.

Physical Barriers

Access might be controlled by physically securing a system within a locked room or cabinet; attaching the system to fixed, nonmovable furniture using locking cables or restraints; and locking the case itself to prevent the removal of key components. Nonstandard case screws are also available to add another layer of security for publicly accessible terminals. Other secured-area considerations include ensuring that air ducts, drop ceilings, and raised floors do not provide unauthorized avenues for physical access. You can have the most secure lock on the door with biometric devices for identification, but if the walls don’t go up all the way and ceiling tiles can be removed to access rooms with sensitive equipment in them, someone can easily walk off with equipment and sensitive data.

Frosted or painted glass can be used to eliminate direct visual observation of user actions, and very high-security scenarios may mandate the use of electromagnetic shielding to prevent remote monitoring of emissions generated by video monitors, network switching, and system operation. In addition, many modems and network hardware solutions use raw, transmitted data to illuminate activity indicator lights. Direct observation of these may enable an attacker to remotely eavesdrop on transmitted data using a telescope.

Security guards, surveillance cameras, motion detectors, limited-access zones, token-based and biometric access requirements for restricted areas, and many other considerations may be involved in access control planning. In addition, users must be educated about each measure taken, so that they do not circumvent it to make normal access easier. A single propped-open door, a system left logged in when the administrator is away from her desk, or a paper with sensitive data on it thrown in the garbage could undo many layers of protection.

Facilities

Because a physical security plan should start with examining the perimeter of the building, this section discusses the various methods used to secure your facilities from the outside of the building. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Intruders often piggyback their way into a building, meaning they wait for someone with proper access to enter the building and then enter behind before the door closes. Depending on the company policy, the time of day, or the employee, these intruders may never be questioned or escorted out. Having a clear area in the main facility can keep this from happening.

Another common deterrent is a fence or similar device that surrounds the entire building. A fence keeps out unwanted vehicles and people. One factor to consider in fencing is the height. The higher the fence, the harder it is to get over. Another factor to consider is the material the fence is made of. It is much easier to remove wooden slats or cut a chain-link fence with bolt cutters than it is to drill through concrete or block. One final note: If the fence isn’t maintained or the area around it isn’t well lit, the fence can easily be compromised.

Another physical barrier is a moat. Moats surround part or all of a facility and are excellent physical barriers because they have a low profile and are not as obtrusive as fencing. In this instance, the consideration is the depth and width. As with all physical barriers, the moat must be well maintained.

Other Deterrents

You can implement the following additional security measures to help deter unauthorized access:

• Security guards and dogs—Security guards and dogs can be great deterrents to intruders. It is imperative that they are trained properly. They are often used in combination with other measures.
• External lighting and cameras—If areas are brightly lit and have cameras, they are less likely to have unauthorized access attempts.
• External and internal motion detectors—Motion detectors can alert security personnel of intruders or suspicious activity on the company’s premises. They can be based on light, sound, infrared, or ultrasonic technology. These devices must be properly configured because they are extremely sensitive and can issue false alarms if set too stringently.
• External doors and windows—Steel doors are the best deterrent, but steel-reinforced wooden doors work, too. Windows should have locking mechanisms, and building security alarms should monitor the open/closed position of all windows that could pose an entry risk.
• Mantraps—A mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building.
• Locks—Locks must be easy to operate yet deter intruders. Besides the normal key locks, several different types can be considered. A cipher lock has a punch-code entry system. A wireless lock is opened by a receiver mechanism that reads the card when it is held close to the receiver. A swipe card lock requires a card to be inserted into the lock; many hotels use these. The factors to consider are strength, material, and cost.
• Biometrics—Physical security can also integrate biometric methods into a door-lock mechanism. Biometrics can use a variety of methods. See Table 5.1 for a review of these technologies. When using biometrics, remember that each method has its own degree of error ratios, and some methods may seem invasive to the users and may not be accepted gracefully.
• Door access systems—Door access systems include biometric access, proximity access, and coded access systems, Disability Discrimination Act (DDA) door entry systems, and modular door entry systems. The type of access used will depend on the amount of security needed.
• Video surveillance—Closed-circuit television (CCTV) is the most common method of surveillance. The picture is viewed or recorded, but not broadcast. It was originally developed as a means of security for banks. IP video surveillance uses TCP/IP for recording and monitoring.

EXAM ALERT The exam may include questions about the various physical-barrier techniques. Be sure you are familiar with the methods previously listed.

Physical Security During Building Evacuations

Because a physical security plan should start with an examination of the perimeter of the building, it might also be wise to discuss what happens when an evacuation is necessary. You don’t want intruders plundering the building while employees are running haphazardly all over the place. The evacuation process could be a part of the disaster recovery plan, described in Chapter 11, “Organizational Security,” and should include some of the following items:

• A map of the internal building and all exit areas
• Which departments will exit through which doors
• What equipment will be shut down and by whom
• Who will do a final inspection of each area and make sure it is secure
• Where each department, once evacuated, will go and how far away from the building they will be located
• Who will notify the proper authorities or agencies of the incident

Make sure that all users understand how these plans function and practice orderly evacuation procedures so that an emergency situation does not leave critical systems unguarded or unsecured. Smoke from a cigarette or a purposefully set flame could create an opportunity for an attacker to gain access to highly secure areas if evacuation planning does not include security considerations.

Exam Prep Questions

1. You are the network administrator responsible for selecting the access control method that will be used for a new kiosk system to be used in a local museum. The museum’s donors want to have full access to information about all items, but visitors should have access only to those items on current display. Which forms of access control are most appropriate to this requirement? (Choose two correct answers.)

❍ A. Discretionary access control
❍ B. Mandatory access control
❍ C. Role-based access control
❍ D. Rule-based access control

2. Which of the following best describes identity proofing?

❍ A. Specifies the types of access attempts that cause the system to generate a record in the security event log
❍ B. Model in which permissions are uniquely assigned to each account
❍ C. Organizational process that binds users to authentication methods
❍ D. Controls how access to a computer’s processors and memory is shared

3. Which of the following criteria is not a common criterion to authenticate a valid access request?

❍ A. Something you have
❍ B. Where you logon
❍ C. What you know
❍ D. Something you do
❍ E. Something you are

4. When reviewing user access to a service or resource, what is the order of operation?

❍ A. Access must be granted first, and then authentication occurs.
❍ B. Authentication occurs first, and then access is determined.
❍ C. Authentication and access control occur separately at the same time.
❍ D. A user’s access rights are determined by the method of authentication used.

5. Which type of authentication involves comparison of two values calculated using the message digest (MD5) hashing algorithm?

❍ A. Biometric authentication
❍ B. Challenge-Handshake Authentication Protocol (CHAP)
❍ C. Kerberos authentication
❍ D. Mutual authentication
❍ E. Public key infrastructure (PKI)

6. Many different keys may be used to perform user authentication. Which of the following are biometric authentication types? (Choose all that apply.)

❍ A. One-use passcode
❍ B. Voice recognition
❍ C. Fingerprint
❍ D. Smart card
❍ E. Facial recognition
❍ F. Iris identification

7. Which of the following is an example of the use of an asymmetric encryption method?

❍ A. Biometric authentication
❍ B. Challenge-Handshake Authentication Protocol (CHAP)
❍ C. Kerberos authentication
❍ D. Username and password
❍ E. Public key infrastructure (PKI)

8. You are the network administrator responsible for selecting the access control method that will be used for a new parking garage. Members of the board of directors must always be granted access, whereas other staff members should be granted access to the parking garage only when spaces are available. Visitors should be allowed access only during normal business hours. What form of access control is best for this scenario?

❍ A. Discretionary access control
❍ B. Mandatory access control
❍ C. Role-based access control
❍ D. Rule-based access control

9. Which of the following might be used in multifactor authentication? (Choose all correct answers.)

❍ A. Biometric authentication
❍ B. Challenge-Handshake Authentication Protocol (CHAP)
❍ C. Kerberos authentication
❍ D. Username and password
❍ E. Public key infrastructure (PKI)

10. You are presented with an authentication scheme in which Computer A calculates a code it sends to Computer B, Computer B returns a calculated code based on the one from Computer B and one of its own, and then Computer A returns a calculated code to Computer B based on its transmitted code. What type of authentication is this?

❍ A. Biometric authentication
❍ B. Challenge-Handshake Authentication Protocol (CHAP)
❍ C. Kerberos authentication
❍ D. Mutual authentication
❍ E. Public key infrastructure (PKI)

11. External motion detectors can use which of the following technologies? (Select all correct answers.)

❍ A. RFID
❍ B. Infrared
❍ C. Ultrasonic
❍ D. Sound

Answers to Exam Prep Questions

1. B, C. A mandatory access control solution involving labels such as DONOR and DISPLAY would suffice for the user access assignment. A role-based access control solution involving the roles of User and Donor would also be appropriate. Answer A is incorrect because the complexity of assigning by-user access rights over each item’s files would involve a large amount of administrative overhead. Answer D is incorrect because the complexity of the requirement is not great enough to involve detailed conditional testing.

2. C. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Answer A is incorrect because access control entries specify the types of access attempts that cause the system to generate a record in the security event log. Answer B is incorrect because in a user-based model permissions are uniquely assigned to each account. Answer D is incorrect because a hypervisor controls how access to a computer’s processors and memory is shared.

3. B. Although rules-based access controls may restrict access to a particular address or terminal, the location does not provide authentication for the account requesting access. Answer A is incorrect because security tokens (something you have) are commonly used for authentication. Answer C is incorrect because logon/password combinations (something you know) represent the most common single-factor authentication mechanism. Answers D and E are also incorrect because both something you do (such as handwriting analysis) and something you are (biometrics) represent authentication mechanisms that interact directly with the requesting user’s person.

4. B. Before access rights can be determined, a user must first be authenticated. Answers A and C are incorrect because authentication must precede access rights determination to avoid granting an unauthorized account access rights. Answer D is incorrect because the processes of authentication and access rights determination are not explicitly dependent on one another.

5. B. The Challenge-Handshake Authentication Protocol uses two compared values created using the MD5 hashing algorithm. Answer A is incorrect because biometric authentication relies on biological patterns rather than calculated values. Answers C and D are incorrect because Kerberos and mutual authentication schemes involve time-stamped ticket-based key or time-based random code exchange rather than an MD5 calculated value. Answer E is incorrect because a PKI solution involves the use of digital certificates rather than a calculated hashed value.

6. B, C, E, and F. These are all biometric authentication types. Answers A and D are incorrect because they are token authentication types.

7. E. A PKI solution involves an asymmetric encryption scheme in which a public key is used to encrypt data and a separate private key is used to decrypt the data. Answer A is incorrect because biometric identification relies on biological patterns and not encrypted values. Answers B and C are incorrect because both CHAP and Kerberos authentication involve the use of symmetric encryption schemes, in which the same key values are used to calculate or encrypt and decrypt data by both client and service. Answer D is incorrect because the username and password are simply available values and do not involve encryption.

8. D. A rule-based access control solution would allow detailed conditional testing of the user’s account type and the time of day and day of the week to allow or deny access. Answers A and B are incorrect because both solutions do not allow for conditional testing. Answer C is also incorrect because role-based access control involves testing against role-assigned access rights, rather than by other qualities such as a test for normal working hours.

9. A, B, C, D, and E. Any combination of authentication methods may be used in a multifactor solution. Multifactor authentication just refers to solutions including more than a single type of authentication.

10. D. In mutual authentication, both computers exchange calculated values and verify a returned code based on these. Answer A is incorrect because biometric authentication involves comparisons against stored biological values. Answer B is incorrect because CHAP is service demanded and does not provide verification back to the client that the service is also authentic. Answers C and E are incorrect because Kerberos and PKI authentication involve the exchange and comparison of keys or certificates issued by a third agent (the certificate authority) rather than by direct negotiation between the two systems.

11. B, C, and D. External motion detectors can be based on light, sound, infrared, or ultrasonic technology. Answer A is incorrect because radio-frequency identification (RFID) is an automatic identification method.
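Answers 5 and 10 contrast CHAP with mutual authentication. The added example below (not from the book) computes the CHAP response as RFC 1994 defines it, MD5 over the identifier, the shared secret, and the challenge, and then runs the three-message mutual exchange described in question 10. The class and function names and the sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(Identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Challenger:
    """The side that demands proof (the service, in one-way CHAP)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._next_id = 0
        self._pending = {}  # identifier -> outstanding challenge value

    def issue(self):
        """Create a fresh, unpredictable challenge for one attempt."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Compare the received value with the locally calculated one."""
        # pop() makes each challenge single-use, so a captured response
        # is rejected if it is presented a second time.
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def one_way_chap(service_secret: bytes, client_secret: bytes) -> bool:
    """Service-demanded CHAP: only the client is authenticated."""
    service = Challenger(service_secret)
    identifier, challenge = service.issue()                          # Challenge
    response = chap_response(identifier, client_secret, challenge)   # Response
    return service.verify(identifier, response)                      # Success/Failure


def mutual_exchange(secret_a: bytes, secret_b: bytes):
    """Three messages, as in question 10. Returns (A accepts B, B accepts A)."""
    a, b = Challenger(secret_a), Challenger(secret_b)
    id_a, challenge_a = a.issue()                          # 1. A -> B: A's code
    reply_b = chap_response(id_a, secret_b, challenge_a)   # 2. B -> A: reply to A...
    id_b, challenge_b = b.issue()                          #    ...plus B's own code
    if not a.verify(id_a, reply_b):
        return False, False                                # A stops: B is not authentic
    reply_a = chap_response(id_b, secret_a, challenge_b)   # 3. A -> B: reply to B
    return True, b.verify(id_b, reply_a)


if __name__ == "__main__":
    print("one-way, matching secrets:", one_way_chap(b"shared", b"shared"))
    print("one-way, wrong secret:   ", one_way_chap(b"shared", b"guess"))
    print("mutual, matching secrets:", mutual_exchange(b"shared", b"shared"))
    print("mutual, B lacks secret:  ", mutual_exchange(b"shared", b"other"))
```
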

CHAPTER SIX

Securing Communications

Terms you need to understand:

✓ VPN
✓ L2TP
✓ PPTP
✓ RADIUS
✓ IPsec
✓ SSH
✓ OSI model
✓ PGP
✓ S/MIME
✓ HTTPS
✓ S-HTTP
✓ SSL
✓ TLS

Techniques you need to master:

✓ Understand the use of encapsulating protocols in the creation of a virtual private network (VPN) over a public network.
✓ Recognize the use of Internet Protocol Security (IPsec) to create a secured encapsulation of client and server data.
✓ Be able to identify the use of HTTP and HTTPS protocol connections over ports 80 and 443, respectively.

The hallmark of modern computer use involves network connectivity over many local area network (LAN) and wide area network (WAN) protocols. A wide variety of solutions for connectivity are available, although the most universally available addressing scheme involves the TCP/IP-based global network commonly referred to as the Internet. This connectivity creates the need for many security considerations, including encapsulation and authentication mechanisms, internetworking communications such as email and web-based connectivity, and issues surrounding the transfer of data across distributed public networks. In this chapter, you learn about the security-related issues surrounding communications through modern network technologies.

Remote Access

The first area of focus within the arena of communications security involves enabling remote or mobile clients to connect to necessary resources. Remote access might include a wireless fidelity (Wi-Fi) link supporting a small office/home office (SOHO) network using modern 802.1x-compliant wireless networking equipment or perhaps allowing a mobile sales force the ability to be authenticated as they dial in to a central office using telephony carriers. This section focuses on several specific areas of concern related to remote access, including the following:

• 802.1x wireless networking
• Virtual private network (VPN) connections using the Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) connections
• Dial-up authentication using the Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System (TACACS and TACACS+)
• Secure terminal connections using the Secure Shell (SSH) interface
• Packet-level authentication of VPN connections using the IPsec standard

EXAM ALERT The exam will contain many acronyms specifying security terminology. Make sure that you are very comfortable with the common acronyms, with particular attention to similar acronyms such as PPP (Point-to-Point Protocol used by L2TP) and PPTP (Point-to-Point Tunneling Protocol, which is an alternative to L2TP connectivity).

802.1x Wireless Networking

The IEEE 802.1x specification establishes standards for wireless network connectivity. When a client attempts to make an 802.1x-compliant connection, the client attempts to contact a wireless access point (AP). The AP authenticates the client through a basic challenge-response method and then provides passthrough to a wired network or serves as a bridge to a secondary wireless AP. The one-way initiating authentication process, broadcast using radio waves, is susceptible to several security concerns:

. Data emanation—802.1x transmissions generate detectable radio-frequency signals in all directions. Although intervening material and walls may affect the functional distance at which these transmissions may be used for normal network connectivity, they remain detectable at extended range. Persons wishing to “sniff” the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures.

NOTE A common means to detect wireless transmissions at an extended range involves the use of a metal-lined tube (often a Pringles potato chip can), serving as a waveguide for a standard wireless antenna. Focused receipt of the omnidirectional wireless broadcasts can be accomplished at a much greater range than is used for two-way network connectivity.

. Weak encryption—Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as the Wired Equivalent Privacy (WEP) and the Advanced Encryption Standard (AES), but transport encryption mechanisms suffer from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use. New standards that involve time-changing encryption keys may help with this, such as the Temporal Key Integrity Protocol (TKIP) and Wi-Fi Protected Access (WPA/WPA2) standards.
. Session hijacking—Because the authentication mechanism is one way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic pretending to be the original client. Unless a secondary authentication and access control mechanism is employed, mobile wireless connectivity may be subjected to this type of attack—particularly when a mobile client moves between locations and must negotiate successive WAP connections in transit.
. Man-in-the-middle attacks—Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism.
. War driving/chalking—Coordinated efforts are underway aimed at identification of existing wireless networks, the service set identifier (SSID) used to identify the wireless network, and any known WEP keys. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x APs announcing their SSID broadcasts, which is known as war driving. Many websites provide central repositories for identified networks to be collected, graphed, and even generated against city maps for the convenience of others looking for open access links to the Internet. A modification of Depression era symbols is being used to mark buildings, curbs, and other landmarks indicating the presence of an available AP and its connection details. This so-called war chalking uses a set of symbols and shorthand details to provide specifics needed to connect using the AP.
. Bluejacking/Bluesnarfing—Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as Bluejacking. Although typically benign, attackers can use this form of attack to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as Bluesnarfing.

VPN Connections

When data must pass across a public or unsecured network, one popular way to secure the data involves the use of a virtual private network (VPN) connection. VPN connections provide a mechanism for the creation of a secured tunnel through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. This technology allows a secure, authenticated connection between a remote user and the internal private network of an organization. Additional security may be gained through the use of encryption protocols and authentication methods, such as using the IP Security (IPsec) protocol over the VPN connection.

VPN connections may be used to create secured connections between remote offices to allow replication traffic and other forms of intersite communication to occur, without incurring the cost of expensive dedicated leased circuits.

Some VPN solutions can provide additional checks that ensure users connecting from home have virus software and patches properly installed. A VPN quarantine ensures that computers connecting to the network using the VPN are subject to preconnection and postconnection checks, and can be isolated until the computer meets the required security policy. These checks can examine service pack versions, security updates, and whether the antivirus program is running with the most recent virus definition files. This is especially important because it is often difficult to be sure telecommuters and road warriors conform to security policies by keeping virus software and patches up to date and properly configuring firewalls. Additionally, it is necessary to make sure that any USB devices these employees use are encrypted. There are many solutions that use AES encryption, such as IronKey and TrueCrypt.

NOTE VPN connections are also often used to connect remote-access service (RAS) servers located within an organization’s demilitarized zone (DMZ) through a secure conduit to a RADIUS server located within an organization’s private network. This provides a secured channel for the authentication of dial-in users connecting to RAS servers located within the semiprivate DMZ, without placing authentication servers directly in the DMZ.


The VPN tunneling process includes three protocols: carrier protocol (IP), encapsulating protocol (PPTP or L2TP), and the passenger protocol (original data). We now examine the encapsulating protocol options PPTP and L2TP.

PPTP Connections

One common VPN encapsulation protocol initially proposed by a group of companies, including Microsoft, in RFC 2637 is the Point-to-Point Tunneling Protocol (PPTP). Connections made between remote users and sites may be made using this encapsulation protocol, which creates a secured “tunnel” through which other data can be transferred.

Layer 2 Tunneling Protocol Connections

The Layer 2 Tunneling Protocol (L2TP) is an extension of the earlier PPTP and Layer 2 Forwarding (L2F) standards. Proposed by Cisco and its partners (RFC 2661), the L2TP protocol is rapidly replacing PPTP as the standard encapsulation protocol used for VPN connections. L2TP connections are created by first allowing a client to connect to an L2TP access concentrator, which then tunnels individual PPP frames through a public network to the network access server (NAS), where the frames may then be processed as if generated locally.

EXAM ALERT Remember that the L2TP protocol is gaining widespread acknowledgment as the successor to the older PPTP-based VPN connection.

Dial-Up User Access

Although broadband solutions such as cable modems and Digital Subscriber Line (DSL) connections are becoming more available, the use of an acoustic modulator/demodulator (modem) over normal telephony lines remains a common means of remote connectivity. Client systems equipped with a modem can connect using normal dial-up acoustic connections to a properly equipped RAS server, which then functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.

Most Internet service providers (ISPs) offer this type of network connectivity for their users, although many organizations still maintain the use of RAS servers to provide direct connectivity for remote users or administrators and to provide failover fault-tolerant communication means in the event of WAN connectivity loss. Demand-dial solutions involving the use of modem technology may even provide on-demand intersite connectivity for replication or communications, without requiring a continuous form of connection between the remote sites.

This section reviews several options for authentication and access control within the dial-up network environment, including the TACACS, RADIUS, TACACS+, and LDAP protocols.

Terminal Access Controller Access Control System

An early authentication mechanism used by UNIX-based RAS servers to forward dial-up user logon and password values to an authentication server is the Terminal Access Controller Access Control System (TACACS) protocol. TACACS did not provide authentication itself; instead, it provided an encryption protocol used to send the logon information to a separate authentication service.

Remote Authentication Dial-In User Service and TACACS+

Modern solutions provide for both user authentication and authorization, including the Remote Authentication Dial-In User Service (RADIUS) and TACACS+ protocols. A RADIUS server functions to authenticate dial-in users using a symmetric-key (private key) method and provides authorization settings through a stored user profile. Authentication is managed through a client/server configuration in which the RAS server functions as a client of the RADIUS server, passing dial-in user access information to the RADIUS server, often through a VPN connection between the two systems.

NOTE Remember that in RADIUS-based authentication, the RAS server is the RADIUS client, not the system initiating the dial-up connection to the RAS server.

The TACACS+ protocol is an extension of the earlier TACACS form, adding authentication and authorization capabilities similar to the RADIUS authentication method. One important difference between these two is that the TACACS+ protocol relies on TCP connectivity, whereas RADIUS uses the User Datagram Protocol (UDP). The TACACS+ protocol is a Cisco proprietary enhancement to improve upon TACACS and extended TACACS (XTACACS). Other differences between RADIUS and TACACS+ include the following:

. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted.
. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
. RADIUS combines authentication and authorization.
. TACACS+ uses the AAA architecture, which separates AAA.
. RADIUS does not support the AppleTalk Remote Access (ARA) protocol, NetBIOS Frame Protocol Control protocol, Novell Asynchronous Services Interface (NASI), or X.25 PAD connections.
. TACACS+ offers multiprotocol support.
. RADIUS does not allow users to control which commands can or can’t be executed on a router.
. TACACS+ allows control of the authorization of router commands on a per-user or per-group basis.

TACACS+ does have weaknesses, as it is vulnerable to birthday attacks and packet sniffing.

EXAM ALERT RADIUS encrypts only the password in the access-request packet that is sent to the RADIUS server. TACACS+ encrypts the entire packet body, but will leave the TACACS+ header intact.
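To make the RADIUS side of this comparison concrete, the following added example (not from the book) builds an Access-Request, applies the User-Password hiding defined in RFC 2865, and parses the packet back to show that User-Name travels in the clear while only the password attribute is obscured. The shared secret, user name, password, and fixed request authenticator are constructed sample values, and the function names are hypothetical.

```python
"""RADIUS Access-Request with RFC 2865 User-Password hiding (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS packet code
ATTR_USER_NAME = 1        # attribute types defined in RFC 2865
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; needs the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(prev, pad))
    return clear.rstrip(b"\x00")


def build_access_request(identifier, user, password, secret, authenticator=None):
    """Assemble code, identifier, length, authenticator and two attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user),
                             (ATTR_USER_PASSWORD,
                              hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def demo():
    """What a sniffer sees versus what the RADIUS server can recover."""
    secret = b"constructed-shared-secret"      # constructed sample value
    password = b"correct horse battery"        # constructed sample value
    packet = build_access_request(7, b"alice", password, secret,
                                  authenticator=bytes(range(16)))
    _code, _ident, authenticator, attrs = parse_packet(packet)
    hidden = attrs[ATTR_USER_PASSWORD]
    return {
        "packet_length": len(packet),
        "user_name_on_wire": attrs[ATTR_USER_NAME],
        "password_bytes_on_wire": password in packet,
        "hidden_password": hidden,
        "recovered_with_secret": reveal_password(hidden, secret, authenticator),
        "recovered_with_wrong_secret":
            reveal_password(hidden, b"wrong-secret", authenticator),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The protection of the password rests entirely on the shared secret between the RADIUS client and server, which is one reason the traffic between them is often carried through a VPN as described earlier in this section.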

Lightweight Directory Access Protocol

Often used within extended enterprise networks, Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. As of this writing, the Internet Engineering Task Force (IETF) has established the third official version of LDAP, although additional LDAP variations exist in commercial directory services, such as the Microsoft Active Directory.


EXAM ALERT Remember that LDAP is a TCP/IP-based protocol connecting by default to TCP port 389, querying a hierarchical tree-structured directory that includes directory entries for elements such as printers, servers, services, and user accounts. Each entry may have multiple attributes, which are defined in the directory’s schema. The designation of an entry is its Distinguished Name (DN) assembled from a Relative Distinguished Name (RDN) that reflects specific attributes of the entity in combination with the entry’s parent DN to create the hierarchical directory tree.

Secure Shell Connections

As a more secure replacement for the common command-line terminal utility Telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SSH uses the asymmetric (public key) Rivest-Shamir-Adleman (RSA) cryptography method to provide both connection and authentication. Data encryption is accomplished using one of the following algorithms:

. International Data Encryption Algorithm (IDEA)—The default encryption algorithm used by SSH, which uses a 128-bit symmetric key block cipher.
. Blowfish—A symmetric (private key) encryption algorithm using a variable 32- to 448-bit secret key.
. Data Encryption Standard (DES)—A symmetric key encryption algorithm using a random key selected from a large number of shared keys. Most forms of this algorithm cannot be used in products meant for export from the United States.

The SSH suite encapsulates three secure utilities: slogin, ssh, and scp, derived from the earlier non-secure UNIX utilities rlogin, rsh, and rcp. SSH provides a large number of available options that you should be at least somewhat familiar with.

Like Telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server. SSH provides an authenticated and encrypted data stream, as opposed to the clear-text communications of a Telnet session. The three utilities within the SSH suite provide the following functionality:

. Secure Login (slogin)—A secure version of the UNIX Remote Login (rlogin) service, which allows a user to remotely connect to a remote server and interact with the system as if directly connected
. Secure Shell (ssh)—A secure version of the UNIX Remote Shell (rsh) environment interface protocol
. Secure Copy (scp)—A secure version of the UNIX Remote Copy (rcp) utility, which allows transfer of files in a manner similar to the File Transfer Protocol (FTP)

NOTE Some versions of SSH, including the Secure Shell for Windows Server, provide a secure version of the File Transfer Protocol (SFTP) along with the other common SSH utilities.

Remote Desktop Protocol (RDP)

The Microsoft Remote Desktop Protocol (RDP) evolved from Terminal Services. RDP is an extension of the ITU T.120 family of protocols supporting various types of network topologies and LAN protocols. It provides remote display and input capabilities over network connections for Windows-based applications running on a server. This is similar to the environment provided by Citrix for remote access to applications.

The server functionality is provided by the Terminal Server component. It handles Remote Assistance, Remote Desktop and Remote Administration clients. Two client applications that use terminal services are Remote Assistance and Remote Desktop.

RDP allows a user to log on to a remote system and access the desktop, applications, and data on the system, as well as control it remotely just as if it were on the local machine. RDP allows for separate virtual channels to carry device communication and present data from the server, as well as encrypt client mouse and keyboard data. RDP uses RSA Security’s RC4 cipher and uses TCP port 3389 by default.

Internet Protocol Security

The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. Unlike most security systems that function within the application layer of the Open Systems Interconnection (OSI) model, IPsec functions within the network layer.


EXAM ALERT The OSI model is a logically structured model that encompasses the translation of data entered at the application layer through increasingly more abstracted layers of data, resulting in the actual binary bits passed at the physical layer. At the other end of a data transfer, the individual packets of data are ordered and reassembled by passing back through the layers of operation of the OSI model until the original data is reproduced at the application layer on the receiving system. The layers of the OSI model are as follows:

7. Application layer
6. Presentation layer
5. Session layer
4. Transport layer
3. Network layer
2. Data link layer (subdivided into the logical-link control [LLC] and Media Access Control [MAC] sublayers)
1. Physical layer

You should be very familiar with the OSI model, and the common protocols and network hardware that function within each level. For example, you should know that hubs operate at the physical layer of the OSI model. Intelligent hubs, bridges, and network switches operate at the data link layer, and Layer 3 switches and routers operate at the network layer. The Network+ Exam Cram and Exam Prep books cover the OSI model in much greater detail. If you will be working extensively with network protocols and hardware, you should also look at these texts.

IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.

IPsec Services

The asymmetric key standard defining IPsec provides two primary security services:

. Authentication Header (AH)—This provides authentication of the data’s sender, along with integrity and nonrepudiation. RFC 2402 states that AH provides authentication for as much of the IP header as possible, as well as for upper-level protocol data. However, some IP header fields might change in transit, and when the packet arrives at the receiver, the value of these fields might not be predictable by the sender. The values of such fields cannot be protected by AH. Thus the protection provided to the IP header by AH is somewhat piecemeal.
. Encapsulating Security Payload (ESP)—This supports authentication of the data’s sender and encryption of the data being transferred along with confidentiality and integrity protection. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. The set of services provided depends on options selected at the time of security association establishment and on the placement of the implementation. Confidentiality may be selected independently of all other services. However, the use of confidentiality without integrity/authentication (either in ESP or separately in AH) might subject traffic to certain forms of active attacks that could undermine the confidentiality service.

Protocols 51 and 50 are the well-known IP protocol numbers assigned to the Authentication Header and Encapsulating Security Payload components of the IPsec protocol. IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram that immediately follows an IP header. The protocol field of the IP header will be 50 for ESP, or 51 for AH. If IPsec is configured to do authentication rather than encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, an IP filter can be configured to let only protocol 51 (AH) traffic pass.
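The filtering rule above follows from how the headers are chained, which the following added example (not from the book) shows by parsing constructed IPv4 packets: the filter sees only the outer protocol field, while the AH header's own next-header field points on to ESP. The AH layout used is the one in RFC 2402; the function names, SPIs, and addresses (documentation ranges) are constructed for illustration.

```python
"""Walk the IPsec headers behind an IPv4 header (added example, constructed packets)."""
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def parse_ipv4(packet: bytes):
    """Return (protocol field, payload) of an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, header_len = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return packet[9], packet[header_len:]


def ipsec_chain(packet: bytes):
    """List the IPsec headers in order as ('AH' | 'ESP', spi, sequence)."""
    protocol, payload = parse_ipv4(packet)
    chain = []
    while protocol == IPPROTO_AH:
        if len(payload) < 12:
            raise ValueError("truncated AH header")
        next_header, payload_len, _reserved, spi, seq = struct.unpack(
            "!BBHII", payload[:12])
        # Payload Len counts 32-bit words minus 2 (RFC 2402, section 2.2).
        ah_len = (payload_len + 2) * 4
        if ah_len < 12 or len(payload) < ah_len:
            raise ValueError("AH length field does not match packet")
        chain.append(("AH", spi, seq))
        protocol, payload = next_header, payload[ah_len:]
    if protocol == IPPROTO_ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        chain.append(("ESP", spi, seq))
    return chain


def filter_allows(packet: bytes, allowed_protocols) -> bool:
    """A stateless IP filter matches only the outer protocol field."""
    return parse_ipv4(packet)[0] in allowed_protocols


def build_ipv4(protocol: int, payload: bytes) -> bytes:
    """Minimal 20-byte header; checksum left at 0 in these constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       protocol, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2])) + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 4 bytes")
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + ciphertext


def constructed_samples():
    """Three constructed packets: nested AH+ESP, ESP only, AH only."""
    icv = b"\x00" * 12                      # placeholder 96-bit ICV
    return {
        "nested": build_ipv4(IPPROTO_AH,
                             build_ah(IPPROTO_ESP, 0x1001, 1, icv)
                             + build_esp(0x2002, 1, b"\xaa" * 16)),
        "esp_only": build_ipv4(IPPROTO_ESP, build_esp(0x2002, 2, b"\xbb" * 16)),
        "ah_only": build_ipv4(IPPROTO_AH,
                              build_ah(IPPROTO_TCP, 0x1001, 2, icv)
                              + b"constructed upper-layer data"),
    }


if __name__ == "__main__":
    for name, pkt in constructed_samples().items():
        print(name, "outer protocol", parse_ipv4(pkt)[0], ipsec_chain(pkt),
              "passes AH-only filter:", filter_allows(pkt, {IPPROTO_AH}))
```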

Internet Key Exchange Protocol

IPsec supports the Internet Key Exchange (IKE) protocol, which is a key management standard used to allow specification of separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.

EXAM ALERT Make sure that you are familiar with common key exchange protocols and standard encryption algorithms, including asymmetric key solutions such as the Diffie-Hellman Key Agreement and Rivest-Shamir-Adleman (RSA) standards, symmetric key solutions such as the International Data Encryption Algorithm (IDEA) and Digital Encryption Standard (DES), and hashing algorithms such as the Message Digest 5 (MD5) and Secure Hash Algorithm (SHA). Chapter 9, “Cryptography Basics,” includes additional detail on encryption standards. Make sure to review these technologies when studying that chapter’s content.


Electronic Mail

One of the most fundamental changes brought by the global interconnectivity of networked computers is electronic mail (email). Originally used to send messages between systems operators on the early Bitnet and other pre-Internet networks, email messages are becoming an increasingly pervasive method of communications between individuals, business partners, and to facilitate financial transactions and electronic commerce. Email has been used successfully as evidence in several court trials and forms the fundamental method of communication within many organizations.

The global nature of email distribution and the speed of delivery (often only seconds separate transmission and receipt, even between users on separate continents), makes email a valuable tool. However, the speed and accessibility of this technology also carry several security considerations. Public transfer of sensitive information could potentially expose this information to undesired recipients, undesired and often unsolicited email messages can require a significant amount of time to review and discard, and email messages may contain any number of hazardous programmatic file attachments directed at unsuspecting users.

NOTE We do not focus on potentially hazardous payloads here, beyond mentioning that many viruses, Trojan horses, worms, and other forms of viral programming agents transmit themselves using email as their carrier. A detailed discussion of viral programming agents was covered in Chapter 1, “System Threats and Risks.”

This section reviews mechanisms for securing email transmissions using the S/MIME protocol and the PGP third-party application. In addition, this section touches on some of the undesirable elements of email, including spam and hoaxes.

Secure Multipurpose Internet Mail Extension

The Multipurpose Internet Mail Extension (MIME) protocol extended the capability of the original Simple Mail Transfer Protocol (SMTP) to allow the inclusion of nontextual data within an electronic mail message. Embedding data within an electronic mail message allows a simple method for the transmission and receipt of images, audio and video files, application programs, and many other types of non-ASCII text.


To provide a secure method of transmission, the Secure Multipurpose Internet Mail Extension (S/MIME) standard was developed. S/MIME uses the Rivest-Shamir-Adleman asymmetric encryption scheme to encrypt email transmissions over public networks. Modern versions of Netscape and Internet Explorer include S/MIME support in their role as email clients.

Pretty Good Privacy

An alternative to the use of S/MIME is the proposed PGP/MIME standard, derived from the Pretty Good Privacy (PGP) application program developed by Philip R. Zimmermann in 1991. This program is used to encrypt and decrypt email messages using either the Rivest-Shamir-Adleman or the Diffie-Hellman asymmetric encryption schemes. The PGP application must be purchased and is available for individual and corporate use.

One useful feature of the PGP program is the ability to include a digital signature and thus validate an email to its recipient. This recipient can use this calculated hash value to verify that the received email has not been tampered with.

Undesirable Email

The strength of email involves its ability to be rapidly transmitted to one or many recipients, who rapidly receive the directed message, generally without per-item charges, as would be the case for surface mail, which requires a stamp for each item. Via email, small organizations can rapidly reach a tremendously large potential base of consumers, whether with a possible item for sale, request for donation, notice of service, or any other manner of information.

Spam

With the entire world only a single click of the Send button away, the volume of messages that a user may receive rapidly becomes too great to easily manage. Undesired or unsolicited email has gained the nickname spam, derived from the name of an amalgamated meat product by the same name. These electronic junk mail messages can rapidly overtax the capacity of email servers and require a large amount of user time to review each item and respond or discard each.

Many solutions attempt to stem the rising tide of spam messages flowing into users’ inboxes, such as blacklist subscriptions. These blacklists register known spam senders. Email messages that match the sender’s address can be discarded before they are received by an organization’s clients. Most email clients enable users to configure automatic rules, which can handle many types of spam automatically, discarding items from particular senders or items that contain certain words or phrases.

The subjective nature of any type of email filtering can be problematic to implement, particularly when it is critical that messages be received from clients or vendors, who might inadvertently put the wrong words or phrases within the body of an important message. Chapter 1 discussed spam in greater detail.

Hoaxes

Another form of problematic email includes those messages that include incorrect or misleading information. These hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents. Hoaxes may warn of pending legislation, offer to send the user great sums of money if the user will just provide all their identity and financial information to the source, or may even tell of a $1,000 cookie recipe that the sender will be glad to make available for only a fraction of the price. These and many more hoax items circulate in a growing thread of tales and ideas, everything from urban myths to detailed instructions that may result in loss of functionality or later security vulnerability.

Instant Messaging

One alternative to the asynchronous communications of email is instant messaging (IM) software solutions, such as the Windows Live Messenger, ICQ, and AOL Instant Messenger. These products link to a central server when they are opened and provide a continuously available means of communications with other users of the same system. Other file-sharing solutions using both client/server and peer-to-peer network connectivity are also included in this category, such as the Napster and Gnutella products, which have been the subject of much legislation recently.

IM solutions pose many of the same vulnerabilities as email, in that they are readily accessible to a broad audience and may receive a high volume of spam, hoaxes, and unwanted viral programs. Because the IM client application may not integrate strongly with the operating system, file-transfer capabilities can be used to transmit viral agents that bypass some forms of antivirus protection.

Because some file-sharing systems advertise only the platform-independent short name form of a file’s name, which specifies only an eight-character filename and a three-character file extension (often written as 8.3 naming), it is possible for improperly named executable files to be received and automatically processed by the IM software (and then perform unexpected and often undesirable actions). Open file shares inadvertently advertised by file-sharing systems can generate a tremendous load on the network bandwidth as others connect to the shared system and potentially expose many forms of sensitive information. In addition, because many IM clients transmit data in plain text, user conversations along with any sensitive information they may transfer can be sniffed and later used for nefarious purposes.

Web Connectivity

The Internet enables users to connect to many millions of sources of information, services, products, and other functionality through what has come to be known as the World Wide Web (or simply, the Web). Business transactions, membership information, vendor/client communications, and even distributed business logic transactions can all occur using the basic connectivity of the Web, which uses the Hypertext Transport Protocol (HTTP) on TCP port 80.

Chapter 2, “Online Vulnerabilities,” examined the vulnerabilities of many web-based technologies. Here, we focus only on the protocols used to secure basic communications with a web server.

Hypertext Transport Protocol over Secure Sockets Layer

Basic Web connectivity using HTTP occurs over TCP port 80, providing no security against interception of transacted data sent in clear text. An alternative to this involves the use of Secure Sockets Layer (SSL) transport protocols operating on port 443, which creates an encrypted pipe through which HTTP traffic can be conducted securely. To differentiate a call to port 80 (http://servername/), HTTP over SSL calls on port 443 using HTTPS as the URL port designator (https://servername/).

HTTPS was originally created by the Netscape Corporation and used a 40-bit RC4 stream encryption algorithm to establish a secured connection encapsulating data transferred between the client and web server, although it can also support the use of X.509 digital certificates to allow the user to authenticate the sender. Now, 128-bit encryption keys are possible and have become the accepted level of secure connectivity for online banking and electronic commerce transactions.


EXAM ALERT An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP) developed to support connectivity for banking transactions and other secure Web communications. S-HTTP supports DES, 3DES, RC2, and RSA2 encryption, along with CHAP authentication, but was not adopted by the early web browser developers (for example, Netscape and Microsoft) and so remains less common than the HTTPS standard.

Secure Sockets Layer

Secure Sockets Layer (SSL) protocol communications occur between the HTTP (application) and TCP (transport) layers of Internet communications. SSL establishes a stateful connection negotiated by a handshaking procedure between client and server. During this handshake, the client and server exchange the specifications for the cipher that will be used for that session. SSL communicates using an asymmetric key with cipher strength of 40 or 128 bits.

Transport Layer Security

Another asymmetric key encapsulation currently considered the successor to SSL transport is the Transport Layer Security (TLS) protocol based on Netscape’s Secure Sockets Layer 3.0 (SSL3) transport protocol, which provides encryption using stronger encryption methods, such as the Data Encryption Standard (DES), or without encryption altogether if desired for authentication only. TLS has two layers of operation:

• TLS Record Protocol—This protocol allows the client and server to communicate using some form of encryption algorithm (or without encryption if desired).
• TLS Handshake Protocol—This protocol allows the client and server to authenticate one another and exchange encryption keys to be used during the session.

NOTE

SSL and TLS transport are similar, but not entirely interoperable. TLS also provides confidentiality and data integrity.


Exam Prep Questions

1. Between which two layers of the OSI model does the Secure Sockets Layer (SSL) protocol function?

❍ A. Application layer
❍ B. Presentation layer
❍ C. Session layer
❍ D. Transport layer
❍ E. Network layer
❍ F. Data link layer
❍ G. Physical layer

2. Which of the following encryption protocols are used in Secure Shell connections? (Select all that apply.)

❍ A. International Data Encryption Algorithm
❍ B. Blowfish
❍ C. Rivest Cipher 4
❍ D. Digital Encryption Standard
❍ E. Message Digest

3. In a RADIUS authentication scenario, which of the following systems would be considered the RADIUS client?

❍ A. The RADIUS server
❍ B. The RAS server
❍ C. The authentication server
❍ D. The dial-up client

4. Which of the following encryption methods are available when using Pretty Good Privacy? (Select all that apply.)

❍ A. International Data Encryption Algorithm
❍ B. Blowfish
❍ C. Diffie-Hellman
❍ D. Digital Encryption Standard
❍ E. Rivest-Shamir-Adleman


5. Which standard port will be used to establish a web connection using the 40-bit RC4 encryption protocol?

❍ A. 21
❍ B. 80
❍ C. 443
❍ D. 8,250

6. Which of the Secure Shell utilities is used to establish a secured command-line connection to a remote server?

❍ A. rlogin
❍ B. slogin
❍ C. rsh
❍ D. ssh
❍ E. rcp
❍ F. scp

7. When using RADIUS to authenticate a dial-in user, which of the following is the RADIUS client?

❍ A. The dial-in user’s computer
❍ B. The RAS server
❍ C. The RADIUS server
❍ D. The client’s Internet service provider
❍ E. The virtual private network

8. You have decided to use the Terminal Access Controller Access Control System (TACACS) standard for dial-up authentication. Which of the following capabilities will be provided by this service?

❍ A. User authentication
❍ B. Authorization
❍ C. Encrypted forwarding
❍ D. All of the above


9. At which layer of the OSI model does the Internet Protocol Security protocol function?

❍ A. Application layer
❍ B. Presentation layer
❍ C. Session layer
❍ D. Transport layer
❍ E. Network layer
❍ F. Data link layer
❍ G. Physical layer

10. Which of the following are possible dangers of using instant messaging clients? (Select all that apply.)

❍ A. Spam
❍ B. Hoaxes
❍ C. Viruses
❍ D. File sharing
❍ E. File execution

11. Which of the following are asymmetric encryption standards? (Choose two correct answers.)

❍ A. IDEA
❍ B. MD5
❍ C. RSA
❍ D. SHA
❍ E. Diffie-Hellman
❍ F. DES

Answers to Exam Prep Questions

1. A, D. SSL connections occur between the application and transport layers. Answers B and C are incorrect because the Secure Sockets Layer transport effectively fills the same role as these OSI model layers. Answers E, F, and G are incorrect because the data has been abstracted beyond the level at which SSL operates.


2. A, B, and D. SSH connections can make use of the IDEA, Blowfish, and DES encryption methods. Answer C is incorrect because the RC4 protocol is used by the SSL protocol. Answer E is incorrect because the MD5 hashing algorithm is not used by Secure Shell connectivity.

3. B. The RAS server is considered the RADIUS client, authenticating dial-up connection requests against the RADIUS server. Answer A is incorrect because the RADIUS server does not directly provide remote dial-up functionality of the RAS server. Answer C is incorrect because the RADIUS server provides authentication response to the RAS server as its client. Answer D is incorrect because the dial-up client is a client of the RAS server, rather than of the RADIUS server, which is not directly contacted by the dial-up client.

4. C, E. PGP can make use of either the Diffie-Hellman or RSA public key encryption methods. Answers A, B, and D are incorrect because these protocols are not available within PGP.

5. C. A connection using the HTTP protocol over SSL (HTTPS) will be made using the RC4 cipher on port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8250 is not designated to a particular TCP/IP protocol.

6. B. The slogin SSH utility provides secured command-line connections to a remote server. Answers A, C, and E are incorrect because rlogin, rsh, and rcp do not use secured connections. Answer D is incorrect because the ssh utility is used to establish a secured environment link to a remote server, and answer F is incorrect because the scp utility is used for secure file copying.

7. B. The RAS server functions as the RADIUS client authenticating dial-in user attempts against the RADIUS server. Answer A is incorrect because the dial-in user does not directly contact the RADIUS server. Answer C is incorrect because the RADIUS server would not be its own client. Answer D is incorrect because a client dialing in to an RAS server would not be connecting through a separate ISP. Answer E is incorrect because a VPN connection establishes a secured tunnel between two systems and is not involved in RADIUS authentication.

8. C. TACACS forwards logon information to an authentication server through an encrypted connection. Answer A is incorrect because TACACS cannot provide authentication by itself. Answer B is incorrect because the original TACACS protocol does not provide authorization support. Answer D is incorrect because the question specifies the original TACACS protocol, rather than the extended TACACS+ protocol that adds authentication and authorization to the earlier protocol’s functionality.

9. E. IPsec validation and encryption function at the network layer of the OSI model. Answers A, B, C, and D are incorrect because IPsec functions at a lower level of the OSI model. Answers F and G are incorrect because they define a more abstracted level of data manipulation than is managed by the IPsec standard.


10. A, B, C, D, and E. IM solutions have many potential security problems, including the receipt of spam and hoax messages, possible execution of files and viruses bypassing operating system protections, and possible exposure of file shares to public access.

11. C, E. The Diffie-Hellman and Rivest-Shamir-Adleman encryption standards specify public key (asymmetric) encryption methods. Answers A and F are incorrect because the Digital Encryption Standard and International Data Encryption Algorithm standards specify private key (symmetric) encryption methods. Answers B and D are incorrect because the Message Digest 5 and Secure Hash Algorithm standards are hashing algorithms.

Suggested Reading and Resources

1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley, 2001.
2. SANS Information Security Reading Room: http://www.sans.org/reading_room/


PART IV

Assessments and Audits

Chapter 7 Intrusion Detection and Security Baselines
Chapter 8 Auditing


CHAPTER SEVEN

Intrusion Detection and Security Baselines

Terms you need to understand:
✓ Intrusion
✓ Misuse
✓ Knowledge-based detection
✓ Behavior-based IDS
✓ Network-based IDS
✓ Host-based IDS
✓ Honeypot
✓ Deflection
✓ Attack signature
✓ Countermeasures
✓ Baseline
✓ Hardening

Techniques you need to master:
✓ Understand the use of host-based and network-based IDS solutions and how they may be used together to secure a network.
✓ Understand the purpose behind establishing security baselines.
✓ Recognize common considerations in planning for operating system, network, and application hardening.


To secure a network, it is important to identify the normal operating parameters and be able to identify atypical variations from this baseline operational level. The first step toward minimizing the potential damage that may result from unauthorized access attempts is the detection and identification of an unauthorized intrusion. Intrusion detection requires a detailed understanding of all operational aspects of the network, along with a means to identify variations and bring these changes to the attention of the proper responsible parties. In this chapter, you examine several forms of intrusion-detection solutions and review the requirements for establishing reasonable baseline standards.

Intrusion Detection

An intrusion includes any unauthorized resource access attempt within a secured network. Although it is possible for human monitoring to identify real-time intrusion events within small tightly controlled networks, it is more likely that a human administrator will monitor alerts and notifications generated by intrusion-detection systems (IDSs). These software and hardware agents monitor network traffic for patterns that may indicate an attempt at intrusion, called an attack signature, or may monitor server-side logs for improper activity or unauthorized access. Both passive and active forms of IDS exist:

• A passive IDS solution is intended to detect an intrusion, log the event, and potentially raise some form of alert.
• An active IDS solution acts to terminate or deny an intrusion attempt by changing firewall or IPsec policy settings automatically before logging the event and raising an alert for human operators.

EXAM ALERT

Intrusion generally refers to unauthorized access by outside parties, whereas misuse is typically used to refer to unauthorized access by internal parties.

Both active and passive IDSs must first identify an intrusion before altering the network configuration (in an active system), logging the event, and raising an alert. The sections that follow examine some common mechanisms for intrusion detection.


Methods of Intrusion Detection

Intrusion detection may be managed by two basic methods: knowledge-based and behavior-based detection. Knowledge-based detection relies on the identification of known attack signatures and events that should never occur within a network. Behavior-based detection involves the use of established patterns of use and baseline operation to identify variations that may identify unauthorized access attempts.

Knowledge-Based IDS

The most common form of IDS detection involves knowledge-based (also termed signature-based) identification of improper, unauthorized, or incorrect access and use of network resources. Identification of known attack signatures allows for few false alarms; a known attack pattern is almost always a good sign of a danger to the network. Because the signature identifies a known method of attack, detailed planning may be made beforehand for countering and recovering from the attack. Knowledge-based IDSs may also monitor for patterns of access that have been established as never being appropriate within the monitored network. An example of this might include communications directed at common ports used by services such as FTP or web servers running on workstation systems. Details of individual network transactions can be identified by examining the transacted data packets (also called “sniffing” the packets). Figure 7.1 illustrates data evaluation using a human-readable packet-sniffing application.

Knowledge-based IDS has several limitations, including the following:

• Maintenance of the knowledge library to include newly identified signatures can become a complex and time-consuming task.
• Knowledge-based detection of internal misuse is difficult because most misuse involves an improper use of a normal form of access or privilege.
• As new exploits are identified, it will take some time before an identified signature for the attack can be prepared and distributed. During this time, knowledge-based IDSs cannot identify attacks of the new type.
• Knowledge-based IDS is closely tied to the technologies in use within a particular network. As new technologies are integrated, or evolutionary changes are made to the network environment, knowledge-based systems may be unable to provide support for all potential avenues of attack created by the changes.


FIGURE 7.1 An example of packet-level identification of port and protocol access using the Ethereal packet sniffer.

Behavior-Based IDS

One of the most common methods to detect a compromised workstation involves a user noticing an unusual pattern of behavior, such as a continually operating hard drive or a significantly slowed level of performance. Through the detection of anomalies from normal patterns of operation, it becomes possible to identify new threats that may bypass knowledge-based IDSs. Because this method detects anomalies, it is also called statistical anomaly detection. Highly secure environments might use complex patterns of behavior analysis, in some cases learning individual patterns of use common to each user profile, so that variations can be identified.

Behavior-based IDSs provide the following advantages over knowledge-based IDSs:

• Better able to identify new forms of vulnerability
• More flexible as network evolution occurs
• Can be used to identify internal misuse by recognizing actions outside of normal access patterns or authorized events occurring outside of normal profile usage, such as the access of protected files during off-hours


Although more flexible than knowledge-based intrusion detection, behavior-based detection has several limitations, including the following:

• High incidence of false alarms. Because anything falling outside of the established behavior profile is considered a potential sign of attack, any action that varies from the norm may generate an alert.
• Behavior profiles must be regularly updated to include changes in technology, network configuration, and changes to business practices that may affect the normal order of operations. In systems that maintain detailed user access profiles, even a simple promotion within the business structure might require administrative action to update the use profile of the user involved.
• Because behavior profiles must be periodically updated, behavior-based intrusion detection might not identify threats during the update cycle and might even identify an ongoing attack pattern as part of the normal pattern of use, creating a potential area for later exploitation.

Intrusion-Detection Sources

Whether knowledge-based or behavior-based, intrusion detection relies on the ability to monitor activity, identify potential risks, and alert the appropriate responsible parties. Monitoring might be performed on the network itself or on a host system, based on the security requirements mandated by business requirements.

Network-Based IDS

Network-based IDS (NIDS) solutions monitor all network traffic to identify signatures within the network packets that may indicate an attack, including the following:

• String signatures—Used to identify text strings that are used in common attacks, such as the code transmitted by Code Red infected systems
• Port signatures—Used to identify traffic directed to ports of common services not running on the identified host or on ports used by well-known exploits such as the Blade Runner and SubSeven Trojan horse services
• Header signatures—Used to detect the presence of conflicting or inappropriate packet headers, such as the SYN packets that might indicate a flood attack


NIDS solutions are designed to catch attacks in progress within the network, not just on individual machines or the boundary between private and public networks.
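The three signature types above can be sketched as a small detector run over decoded packets. This is an added example, not code from the book: the Packet record, the host inventory, the thresholds, and the sample traffic are all constructed for illustration, and the Code Red request prefix and SubSeven port are the commonly published values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a decoded TCP segment (not a real capture format)."""
    ts: float            # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    flags: frozenset     # TCP flags that are set, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Assumed site inventory: which ports each monitored host legitimately serves.
SERVICES = {
    "10.0.0.10": {80, 443},   # web server
    "10.0.0.20": set(),       # workstation: should offer no services
}
STRING_SIGNATURES = {b"GET /default.ida?": "code-red-request"}
TROJAN_PORTS = {27374: "subseven"}   # commonly cited SubSeven default port
SYN_THRESHOLD = 5                    # bare SYNs to one host:port ...
SYN_WINDOW = 1.0                     # ... within this many seconds


def string_signature(pkt):
    return [f"string:{name}" for sig, name in STRING_SIGNATURES.items()
            if sig in pkt.payload]


def port_signature(pkt):
    if pkt.dport in TROJAN_PORTS:
        return [f"port:{TROJAN_PORTS[pkt.dport]}"]
    if pkt.dst in SERVICES and pkt.dport not in SERVICES[pkt.dst]:
        return [f"port:unoffered-service:{pkt.dport}"]
    return []


def header_signature(pkt):
    # SYN and FIN set together is a conflicting header combination.
    return ["header:syn+fin"] if {"SYN", "FIN"} <= pkt.flags else []


def inspect(packets):
    """Return (ts, src, dst, alert) tuples for every signature that matches."""
    alerts = []
    recent_syns = defaultdict(deque)   # (dst, dport) -> timestamps of bare SYNs
    flooded = set()                    # targets already reported
    for pkt in sorted(packets, key=lambda p: p.ts):
        for name in string_signature(pkt) + port_signature(pkt) + header_signature(pkt):
            alerts.append((pkt.ts, pkt.src, pkt.dst, name))
        if pkt.flags == frozenset({"SYN"}):
            key = (pkt.dst, pkt.dport)
            window = recent_syns[key]
            window.append(pkt.ts)
            while pkt.ts - window[0] > SYN_WINDOW:
                window.popleft()
            if len(window) >= SYN_THRESHOLD and key not in flooded:
                flooded.add(key)
                alerts.append((pkt.ts, "*", pkt.dst, "header:syn-flood"))
    return alerts


ACK = frozenset({"PSH", "ACK"})
SYN = frozenset({"SYN"})
SAMPLE = [  # constructed traffic
    Packet(0.0, "198.51.100.7", "10.0.0.10", 80, ACK, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet(0.1, "198.51.100.8", "10.0.0.10", 80, ACK, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n\r\n"),
    Packet(0.2, "198.51.100.9", "10.0.0.20", 21, SYN),      # FTP probe at a workstation
    Packet(0.3, "198.51.100.9", "10.0.0.20", 27374, SYN),
    Packet(0.4, "198.51.100.10", "10.0.0.10", 443, frozenset({"SYN", "FIN"})),
] + [Packet(2.0 + i / 10, f"203.0.113.{i + 1}", "10.0.0.10", 80, SYN) for i in range(5)]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

The ordinary page request and a single SYN to an offered port produce no alert, which is the low false-alarm property the text attributes to signature matching.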

TIP

During normal operation, a network interface card (NIC) will register packets directed to its address only. To capture raw packets directed at any host within a network, it is necessary to have a NIC and network driver that support promiscuous mode.

Table 7.1 details some of the strengths and weaknesses of NIDS solutions.

TABLE 7.1 Strengths and Weaknesses of NIDS Solutions

| Strength | Description |
| --- | --- |
| Low cost of ownership | Because a single NIDS system can be used to monitor traffic passing through the entire network, the number of systems required remains small, while providing network coverage. |
| Pre-host detection | NIDS solutions can be used to detect attacks that cannot be easily identified by the host, such as denial-of-service (DoS) attacks that target the host’s ability to connect to a network. IDS systems placed outside of a firewall or within a demilitarized zone (DMZ) can also identify patterns of failed attempts and successful intrusions. |
| Real-time detection | NIDS solutions analyze network traffic as it occurs, allowing alerts to be generated while the attack is underway. This also makes it harder for attackers to cover their tracks because network monitoring can capture not only the packets detailing the access attempt, but also those that detail attackers’ attempts to remove evidence of the attack. |
| Environment independent | Because NIDS solutions analyze raw data packets, they are more adaptable to a wide variety of network and technology configurations. |

| Weakness | Description |
| --- | --- |
| Encrypted transit | Because many forms of network connectivity occur over encrypted communications, NIDS solutions may not be able to identify intrusion attempts hidden by the encryption. |
| Nonstandard endpoint use | Many applications can make use of commonly open ports to transfer alternative protocol traffic. Peer-to-peer networking clients commonly use this technique to bypass firewall restrictions. NIDS examination of packets based on port routing can provide false negatives in this case. |
| Locally blind | Intrusion attempts initiated from another service on the same network host never pass through the network and so can remain undetected by NIDS solutions. Viral contagions spreading across multiple file shares on the same file server might be an example of this type of transaction. |

When deploying a NIDS, you must decide how many sensors you need and where to place them. When planning, you should consider the priority of each sensor and deploy accordingly within your budgetary or bandwidth constraints. Evaluate the organization’s business model and determine the importance of each server. Sensor placement should then be based on this determination. If a sensor is placed before the firewall, it tends to generate a lot of useless events that will have to be sorted through.

TIP

A specialized form of network intrusion detection is identified as the application protocol-based intrusion-detection system (APIDS). This solution typically monitors middleware transactions, such as those between a database and a web user application. The APIDS examines traffic between service endpoints to ensure protocol traffic occurs correctly, based on learned or established allowable use.

Host-Based IDS

Users often bring in outside devices that can easily affect the environment; many times, this is the port of entry for malware. In addition, one of the greatest threats to an organization is from trusted insiders. A host intrusion-detection system (HIDS) can help as a line of defense against this type of threat. HIDS solutions involve processes running on a host and monitoring event and application logs, port access, and other running processes to identify signatures or behaviors that indicate an attack or unauthorized access attempt. Some HIDS solutions involve the deployment of individual client applications on each host, which relay their findings to a central IDS server responsible for compiling the data to identify distributed trends. Table 7.2 details some of the strengths and weaknesses of HIDS solutions.


TABLE 7.2 Strengths and Weaknesses of HIDS

| Strength | Description |
| --- | --- |
| Low number of false positives | Because HIDS solutions analyze logged events, both success and failure events may be monitored and alerts generated only after a proper threshold has been achieved. |
| Auditing change monitoring | HIDS solutions can monitor individual processes on each host, including changes to the auditing process itself. |
| Non-network attack detection | HIDS solutions can be used to monitor events on standalone systems, including access from the keyboard. |
| Encrypted communication monitoring | Some attacks make use of encrypted or encapsulated data communications, bypassing the NIDS. |
| Cost savings by directed monitoring | Unlike NIDS systems, which must monitor all data traffic across the monitored network, host-based solutions require no additional hardware and may be deployed on just those systems that require intrusion detection. |
| Single-point monitoring | Within large switched networks, NIDS solutions may be inadvertently or purposefully bypassed by using a secondary access route. HIDS solutions are not limited to a particular communications path for detection. |

| Weakness | Description |
| --- | --- |
| Witness after the fact | Host-based intrusion detection occurs after data is received and processed by the target host. In the event of buffer overflow and other types of injected attack, processing of the attack has already occurred before application processing of the input begins. |
| Vulnerable logging | Successful compromise of a targeted system can allow attackers to remove intrusion logs stored on the same system, or to block alerting attempts by HIDS applications hosted on the compromised system. |
| Resource impact | HIDS technologies rely on the same resources they are monitoring. During resource-intensive attacks such as a DoS attempt, HIDS solutions can amplify the attack’s effects by generating additional resource consumption for each access attempt, in effect doubling the impact on system availability. |
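The threshold-based alerting and audit-change monitoring listed as HIDS strengths in Table 7.2 can be illustrated with a short log monitor. This is an added example, not code from the book: the log format, event names, threshold, and sample lines are hypothetical and constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format for this example: "<ISO time> <host> <EVENT> key=value ..."
LINE = re.compile(r"^(\S+) (\S+) (AUTH_FAIL|AUTH_OK|AUDIT_CHANGE)((?: \S+=\S+)*)$")


def parse(line):
    """Return (time, host, event, fields), or None for lines we do not understand."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group(4).split())
    return when, m.group(2), m.group(3), fields


def monitor(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (time, host, user, alert) tuples; failures alert only at the threshold."""
    failures = defaultdict(deque)      # (host, user) -> times of recent failures
    alerts = []
    for line in lines:
        record = parse(line)
        if record is None:
            continue
        when, host, event, fields = record
        user = fields.get("user", "?")
        recent = failures[(host, user)]
        while recent and when - recent[0] > window:
            recent.popleft()           # forget failures older than the window
        if event == "AUDIT_CHANGE":
            # Changes to the auditing process itself are always reported.
            alerts.append((when, host, user, "audit-policy-changed"))
        elif event == "AUTH_FAIL":
            recent.append(when)
            if len(recent) == threshold:
                alerts.append((when, host, user, "failed-logon-threshold"))
        else:  # AUTH_OK
            if len(recent) >= threshold:
                alerts.append((when, host, user, "logon-after-failures"))
            recent.clear()
    return alerts


SAMPLE_LOG = """\
2008-10-30T09:00:00 ws01 AUTH_FAIL user=alice src=console
2008-10-30T09:00:40 ws01 AUTH_OK user=alice src=console
2008-10-30T21:07:01 ws01 AUTH_FAIL user=admin src=10.0.0.5
2008-10-30T21:07:03 ws01 AUTH_FAIL user=admin src=10.0.0.5
2008-10-30T21:07:05 ws01 AUTH_FAIL user=admin src=10.0.0.5
2008-10-30T21:07:09 ws01 AUTH_OK user=admin src=10.0.0.5
2008-10-30T21:08:00 ws01 AUDIT_CHANGE user=admin setting=logon_auditing value=disabled
this line is not in the expected format
"""  # constructed log lines

if __name__ == "__main__":
    for when, host, user, alert in monitor(SAMPLE_LOG.splitlines()):
        print(when.isoformat(), host, user, alert)
```

A single mistyped password followed by a successful logon stays below the threshold and raises nothing. Because the monitor reads logs stored on the monitored host, it is also subject to the "Vulnerable logging" weakness in the same table.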


EXAM ALERT

The exam may present two different acronyms in intrusion-detection questions: NIDS and NIPS. A network intrusion-detection system (NIDS) examines data traffic to identify unauthorized access attempts and generates alerts. A network intrusion-prevention system (NIPS) is intended to provide direct protection against identified attacks. A NIPS solution might be configured to automatically drop connections from a range of IP addresses during a DoS attack, for example.

To plan the use of intrusion-detection systems for infrastructure protection, you need to be aware that the cost of implementation can depend on the size of your network and the number of individual computers to be monitored. In addition, the systems will require signature updates, and sometimes the system might incorrectly flag legitimate requests as security breaches or fail to detect something it should. These types of errors can be categorized as follows:

• False positive error—Occurs when the intrusion-detection system detects a legitimate action as a possible intrusion.
• False negative error—Occurs when the intrusion-detection system allows an intrusive action to pass as nonintrusive behavior.
• Subversion error—Occurs when the intrusion-detection system is modified by an intruder to cause false negatives, or when an intruder fools the system over time by executing small individual steps that by themselves don’t mean much, but when combined can amount to an attack.

In most network deployment scenarios, a layered approach is required to provide protection against all forms of attack. User training, HIDS and NIDS solutions, and the hardening of services and systems to exclude known vulnerabilities will together form a unified solution to many developing security requirements.

Honeypots and Honeynets

Honeypots are often used to identify the level of aggressive attention directed at a network and to study and learn from an attacker’s common methods of attack. Honeypots are systems configured to simulate one or more services within an organization’s network and left exposed to network access. When attackers access a honeypot system, their activities are logged and monitored by other processes, so that the attacker’s actions and methods may be later reviewed in detail, while the honeypot distracts the attacker from valid network resources.


Honeypots might be simple targets exposed for identification of vulnerability exposure, or might interact with the attacker to extend access time and allow tracking and logging of an attacker’s activities to build better attack profile data. Honeynets are collections of honeypot systems interconnected to create functional-appearing networks that may be used to study an attacker’s behavior within the network. Honeynets make use of specialized software agents to create normal-seeming network traffic. Honeynets and honeypots may be used to distract attackers from valid network content, to study the attacker’s methods, and to provide early warning of attack attempts that may later be waged against the more secured portions of the network.

Padded cells take a different approach. Instead of trying to attract attackers with tempting data, a padded cell comes into play when an IDS detects an attacker, who may then be transparently transferred to a padded cell host. This is a seamless transfer to a simulated environment, where harm cannot be done.

Incident Handling

When IDS solutions alert responsible parties to a successful or ongoing attack attempt, it is important to have previously established, documented plans for incident response. Several forms of response can be derived from analysis and identification of attack attempts, including the following:

• Deflection—Redirecting or misdirecting an attacker to secured segmented areas, allowing them to assume they have been successful, while preventing access to secured resources. Honeypots, padded cells, and honeynets are examples of deflection solutions.
• Countermeasures—Intrusion-countermeasure equipment (ICE) may be used in some scenarios to provide automatic response in the event of intrusion detection. ICE agents may automatically lock down a network or increase access security to critical resources in the event of an alert; however, false positives could create problems for legitimate users in such a scenario.
• Detection—After identification of an attack, forensics analysis of affected systems can yield information that identifies the attacker. This information may then be used to direct the attention of the proper authorities to the source of the attack.


• Analysis—Collection and analysis of log files allows the identification of the type and methods of attack used and may provide details useful in identifying the attacker for law enforcement.

Later analysis of successful intrusions should be used to harden systems against later attempts that use the same methodology. Planning should include access restrictions and attempts to make the network appear less desirable to potential attackers.

Security Baselines

To identify atypical behavior, you must first establish what constitutes typical behavior of both network and application processes. The measure of normal activity is known as a baseline. Baselines must be regularly updated as networks and deployed technology change. Security monitoring during baselining is important because an ongoing attack during the baselining process could be registered as the normal level of activity. The sections that follow examine mechanisms for identifying vulnerabilities and hardening vulnerable systems revealed during this process.
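The baseline risk described here, and the behavior-based IDS limitation noted earlier in the chapter (an ongoing attack absorbed into the normal pattern of use), can be shown with a small statistical profile. This is an added example, not code from the book: the per-user profile, the three-standard-deviation rule, and all observations are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_profile(observations):
    """observations: (user, hour_of_day, files_accessed) tuples from the baselining period."""
    by_user = defaultdict(list)
    for user, hour, count in observations:
        by_user[user].append((hour, count))
    profile = {}
    for user, rows in by_user.items():
        counts = [count for _, count in rows]
        profile[user] = {
            "hours": {hour for hour, _ in rows},   # hours in which the user was seen
            "mean": mean(counts),
            "std": max(pstdev(counts), 1.0),       # floor avoids division by zero
        }
    return profile


def score(profile, user, hour, count, k=3.0):
    """Return the reasons an event deviates from the profile (empty list = normal)."""
    if user not in profile:
        return ["unknown-user"]
    p = profile[user]
    reasons = []
    if hour not in p["hours"]:
        reasons.append("off-hours")
    if abs(count - p["mean"]) / p["std"] > k:
        reasons.append("volume")
    return reasons


# Constructed observations: alice reads about 20 protected files per working hour.
CLEAN = [("alice", hour, n) for hour, n in
         zip(range(9, 17), [18, 20, 22, 19, 21, 20, 23, 17])]
# Same period, but bulk reads at 02:00 were under way while the baseline was recorded.
POISONED = CLEAN + [("alice", 2, 400), ("alice", 2, 390), ("alice", 2, 410)]

EVENT = ("alice", 2, 400)   # off-hours bulk access to protected files


def compare():
    """Score the same event against a clean and a poisoned baseline."""
    return (score(build_profile(CLEAN), *EVENT),
            score(build_profile(POISONED), *EVENT))


if __name__ == "__main__":
    clean_result, poisoned_result = compare()
    print("clean baseline:   ", clean_result)
    print("poisoned baseline:", poisoned_result)
```

Against the clean baseline the event is flagged on both counts; against the baseline recorded during the attack it scores as normal, a false negative that persists until the profile is rebuilt.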

Vulnerability Assessment

Metrics for security baselines and hardening efforts rely on identification of vulnerability and risk within the extended network enterprise. It is necessary to have some mechanism for measuring vulnerability to determine whether a baseline has been met or if a new security measure has been effective.

Dealing with Risk

An enterprise relies on the identification of key assets and resources, enumeration of the risk factors associated with each, and the requirements for each. Before any baseline can be established, beyond those developed by regulatory bodies outside of the business entity, a risk assessment must be conducted to identify existing risks and potential mitigation mechanisms. A risk, once identified, can be dealt with in several ways:

• Accepted—Some risks cannot be addressed within a reasonable time or cost constraint and may be accepted, along with proper documentation as to the reasons why the risk is acceptable.


• Transferred—A risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy.
• Eliminated—Some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of “war dialing” attacks can be eliminated by removing legacy dial-up telephony modem devices.
• Mitigated—Most risks fall into this response area, where the application of additional effort may reduce the risk to a level documented as acceptable.

Identifying Vulnerability

Many risks to enterprise networks relate to vulnerabilities present in system and service configurations and to network and user logon weaknesses. For the exam, you should be familiar with some of the more common tools used to conduct vulnerability assessments, including the following:

• Port scanners—This software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. A response on port 80, for example, may reveal the operation of an HTTP host. Port scanners are useful in creating an inventory of services hosted on networked systems. When applied to test ports on a single system, this is termed a port scan, whereas a scan across multiple hosts is referred to as a port sweep.
• Vulnerability scanners—This software utility will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability.
• Protocol analyzers—This software utility is used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility, which is often referred to as a packet sniffer.
• Network mappers—Another software utility used to conduct network assessments over a range of IP addresses, the network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. This information can be used to identify simple points of failure, to conduct a network inventory, and to create graphical details suitable for reporting on network configurations.
• Password crackers—This software utility allows direct testing of user logon password strength by conducting a brute-force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Password crackers should provide only the relative strength of a password, rather than the password itself, to avoid weakening logon responsibility under evidentiary discovery actions.

NOTE Within U.S. governmental agencies, vulnerability may be discussed using the Open Vulnerability Assessment Language (OVAL) sponsored by the Department of Homeland Security’s National Cyber Security Division (NCSD). OVAL is intended as an international language for representing vulnerability information using an XML schema for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository.
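The distinction between a port scan and a port sweep, drawn in the port scanner item above, is also how a defender reads connection logs. The following added example (not from the book) classifies sources in a constructed firewall log; the log format, thresholds, and addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a specific firewall's format):
#   <timestamp> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^\S+ (?:ALLOW|DENY) TCP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Assumed thresholds; tune them against what is normal on the monitored network.
PORT_THRESHOLD = 5   # distinct ports probed on one host by one source
HOST_THRESHOLD = 5   # distinct hosts probed on one port by one source


def parse(lines):
    """Yield (source, destination, destination port) for each well-formed line."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            yield match["src"], match["dst"], int(match["dport"])


def classify(lines):
    """Return (kind, source, detail) findings for port scans and port sweeps."""
    ports_by_target = defaultdict(set)  # (src, dst)   -> ports tried on that host
    hosts_by_port = defaultdict(set)    # (src, dport) -> hosts tried on that port
    for src, dst, dport in parse(lines):
        ports_by_target[(src, dst)].add(dport)
        hosts_by_port[(src, dport)].add(dst)

    findings = []
    # Port scan: many service ports checked on a single system.
    for (src, dst), ports in sorted(ports_by_target.items()):
        if len(ports) >= PORT_THRESHOLD:
            findings.append(("port scan", src, f"{len(ports)} ports on {dst}"))
    # Port sweep: the same service port checked across multiple hosts.
    for (src, dport), hosts in sorted(hosts_by_port.items()):
        if len(hosts) >= HOST_THRESHOLD:
            findings.append(("port sweep", src, f"port {dport} on {len(hosts)} hosts"))
    return findings


# Constructed sample log using documentation address ranges.
SAMPLE_LOG = (
    [f"2008-10-30T21:07:{i:02d} DENY TCP 203.0.113.7:40000 -> 192.0.2.10:{port}"
     for i, port in enumerate([21, 22, 23, 25, 80, 443])]
    + [f"2008-10-30T21:08:{i:02d} DENY TCP 198.51.100.9:40000 -> 192.0.2.{host}:80"
       for i, host in enumerate(range(10, 16))]
    + ["2008-10-30T21:09:00 ALLOW TCP 192.0.2.50:51000 -> 192.0.2.10:80",
       "2008-10-30T21:09:01 ALLOW TCP 192.0.2.50:51001 -> 192.0.2.10:443"]
)

if __name__ == "__main__":
    for kind, source, detail in classify(SAMPLE_LOG):
        print(f"{kind:10} from {source}: {detail}")
```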

Penetration Testing

In some cases, vulnerability assessments may be complemented by directed efforts to exploit vulnerabilities in an attempt to gain access to networked resources. These are, in essence, “friendly” attacks against a network to test the security measures put into place. Such attacks are referred to as penetration tests or simply pen tests, and may cause some disruption to network operations as a result of the actual penetration efforts conducted. Penetration tests can also mask legitimate attacks by generating false data in IDS systems, concealing aggression that is otherwise unrelated to the officially sanctioned penetration test. Some tools use passive OS fingerprinting. A passive attack attempts to passively monitor data being sent between two parties, and does not insert data into the data stream.

CAUTION Some systems administrators may perform amateur pen tests against networks in an attempt to prove a particular vulnerability exists or to evaluate the overall security exposure of a network. This is a bad practice because it generates false intrusion data, may weaken the network’s security level, and may be a violation of privacy laws, regulatory mandates, or business entity guidelines.


Hardening

When establishing operational baselines, it is important to harden all technologies against as many avenues of attack as possible. The three basic areas of hardening are

• Operating system—Security of the operating system, including domain architecture and user logon access planning
• Network—Security of the network through hardware implementations such as firewall and NAT devices and logical security involving access control over distributed resources
• Application—Security of applications and services such as domain name system (DNS), Dynamic Host Configuration Protocol (DHCP), and Web servers, and user client-side applications and integration suites

The following sections describe each area of hardening in greater detail.

Operating System Hardening

Hardening of the operating system includes planning against both accidental and directed attacks, such as the use of fault-tolerant hardware and software solutions. In addition, it is important to implement an effective system for file-level security, including encrypted file support and secured file system selection that allows the proper level of access control. For example, the Microsoft New Technology File System (NTFS) allows file-level access control, whereas most File Allocation Table (FAT)-based file systems allow only share-level access control.

It is also imperative to include regular update reviews for all deployed operating systems, to address newly identified exploits and apply security patches, hotfixes, and service packs. Many automated attacks make use of common vulnerabilities, often ones for which patches and hotfixes are already available but not yet applied. Failure to update applications on a regular basis or to update auditing can result in an unsecure solution that provides an attacker access to additional resources throughout an organization’s network.

IP Security (IPsec) and public key infrastructure (PKI) implementations must also be properly configured and updated to maintain key and ticket stores. Some systems may be hardened to include specific levels of access, gaining the C2 security rating required by many government deployment scenarios. (Mentioned in Chapter 5, “Access Control and Authentication Basics,” the Trusted Computer System Evaluation Criteria (TCSEC) rating of C2 indicates a discretionary access control environment with additional requirements such as individual logon accounts and access logging.)

Operating system hardening includes configuring log files and auditing, changing default administrator account names and default passwords, and the institution of account lockout and password policies to guarantee strong passwords that can resist brute-force attacks. File-level security and access control mechanisms serve to isolate access attempts within the operating system environment. Make sure to understand the principle of least privilege addressed in Chapter 5.

Network Hardening

Network hardening involves access restrictions to network shares and services, updates to security hardware and software, and disabling unnecessary protocol support and services. In homogenous networks, it might be possible to terminate support for AppleTalk, IPX/SPX, or other forms of unused network communications protocols. Firewall and Network Address Translation (NAT) software and hardware solutions will provide the first layer of defense against unauthorized access attempts. Ensuring updates to system firmware also helps to address emergent hardware-related vulnerabilities.

Mapping avenues of access is critical in hardening a network. This process is a part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection. Wireless networks also create significant avenues for unsecure access to a secured network. A user who configures a PC card on their workstation to allow synchronization of their 802.11-compliant wireless PDA may have inadvertently bypassed all security surrounding an organization’s network.

NOTE A popular pastime for potential attackers is war driving, which refers to driving around with a Wi-Fi device configured in promiscuous mode to identify open wireless access points in public areas or target locations.

As with operating system hardening, default configurations and passwords must be changed in network hardware such as routers and managed network devices. Routing hardware must also be maintained in a current state by regularly reviewing applied firmware updates and applying those that are required for the network configuration and hardware solutions in use.


If a centralized access control system is used, such as those found in Windows and Novell networks, resource access and restrictions may be assigned to groups, and users granted membership to those groups. By properly configuring access control lists, resource access may be made to authorized parties while also limiting potential avenues of unauthorized access. Network hardening practices also include configuring network devices and firewalls to exclude unsecure protocols, such as raw Telnet sessions that transfer logon and session details in plain-text format.

Application Hardening

Each application and service that may be installed within a network must also be considered when planning security for an organization. Applications must be maintained in an updated state through the regular review of hotfixes, patches, and service packs. Many applications, such as antivirus software, require regular updates to provide protection against newly emerging threats. Default application administration accounts, standard passwords, and common services installed by default should also be reviewed and changed or disabled as required.

Web Services

Access restrictions to Internet and intranet web services may be required to ensure proper authentication for nonpublic sites, while anonymous access may be required for other pages. Access control may be accomplished at the operating system or application level, with many sites including a requirement for regular update of Secure Sockets Layer (SSL) certifications for secured communications. Regular log review is critical for web servers, to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Many web servers may also be integrated with security add-ins provided to restrict those URLs that may be meaningfully submitted, filtering out any that do not meet the defined criteria. Microsoft’s URLScan for the Internet Information Services (IIS) web service is one such filtering add-in.

Email Services

Email servers require network access to transfer Simple Mail Transfer Protocol (SMTP) traffic. Email is often used to transport executable agents, including Trojan horses and other forms of viral software. Email servers may require transport through firewall solutions to allow remote Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) access or may require integration with VPN solutions to provide secure connections for remote users. User authentication is also of key importance, especially when email and calendaring solutions allow delegated review and manipulation. Inadequate hardware may be attacked through mail bombs and other types of attack meant to overwhelm the server’s ability to transact mail messages. Email service hardening also includes preventing SMTP relay from being used by spammers and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments.

FTP Services

File Transfer Protocol (FTP) servers are used to provide file upload and download to users, whether through anonymous or authenticated connection. Because of limitations in the protocol, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Unauthorized parties may also use FTP servers that allow anonymous access to share files of questionable or undesirable content, while also consuming network bandwidth and server processing resources.

DNS Services

DNS servers responsible for name resolution may be subject to many forms of attack, including attempts at DoS attacks intended to prevent proper name resolution for key corporate holdings. Planning to harden DNS server solutions should include redundant hardware and software solutions and regular backups to protect against loss of name registrations. Technologies that allow dynamic updates must also include access control and authentication to ensure that registrations are valid. Unauthorized zone transfers should also be restricted to prevent DNS poisoning attacks.

NNTP Services

Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations and risks as email servers. Access control for newsgroups may be somewhat more complex, with moderated groups allowing public anonymous submission (and authenticated access required for post approval). Heavily loaded servers may be attacked to perform a DoS, and detailed user account information in public newsgroup posting stores like those of the AOL and MSN communities may be exploited in many ways.

File and Print Services

User file-storage solutions often come under attack when unauthorized access attempts provide avenues for manipulation. Files may be corrupted, modified, deleted, or manipulated in many other ways. Access control through proper restriction of file and share permissions is necessary, coupled with access auditing and user authentication schemes to ensure proper access. Network file shares are not secure until you remove default access permissions.


Distributed file system and encrypted file system solutions may require bandwidth planning and proper user authentication to allow even basic access. Security planning for these solutions may also include placing user access authenticating servers close to the file servers to decrease delays created by authentication traffic. Print servers also pose several risks, including possible security breaches in the event that unauthorized parties access cached print jobs. DoS attacks may be used to disrupt normal methods of business, and network-connected printers require authentication of access to prevent attackers from generating printed memos, invoices, or any other manner of printed materials.

DHCP Services

Dynamic Host Configuration Protocol (DHCP) servers share many of the same security problems associated with other network services, such as DNS servers. DHCP servers may be overwhelmed by lease requests if bandwidth and processing resources are insufficient. This can be worsened by the use of DHCP proxy systems relaying lease requests from widely deployed subnets. Scope address pools may also be overcome if lease duration is insufficient, and short lease duration may increase request traffic. If the operating system in use does not support DHCP server authentication, attackers may also configure their own DHCP servers within a subnet, taking control of the network settings of clients and obtaining leases from these rogue servers. Planning for DHCP security must include regular review of networks for unauthorized DHCP servers.

Data Repositories

Data repositories of any type might require specialized security considerations, based on the bandwidth and processing resources required to prevent DoS attacks, removal of default password and administration accounts such as the SQL default sa account, and security of replication traffic to prevent exposure of access credentials to packet sniffing. Placement of authentication, name resolution, and data stores within secured and partially secured zones such as an organization’s DMZ may require the use of secured VPN connections or the establishment of highly secured bastion hosts. Role-based access control may be used to improve security, and the elimination of unneeded connection libraries and character sets may help to alleviate common exploits.

Take care to include data repositories beyond the obvious file, email, and database stores. Hardening efforts must also address security of the storage and backup of storage area networks (SANs), network access server (NAS) configurations, and directory services such as Microsoft Active Directory and Novell eDirectory.
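The web server log review described under Web Services can be automated as a small host-based check. The following added example (not from the book, and not URLScan's own rule set) reviews constructed Common Log Format entries; the length limits, the signature, and the sample log are assumptions made for the illustration.

```python
import re

# Common Log Format: client ident user [timestamp] "METHOD URL PROTO" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed limits for "URLs that may be meaningfully submitted" on this site.
MAX_URL_LEN = 260
MAX_QUERY_LEN = 128

# Knowledge-based part: named signatures for request shapes already known to be hostile.
# This one is constructed for the example: a query string padded with 64 or more
# copies of one character, the shape of a request built to overrun a fixed buffer.
SIGNATURES = [
    ("filler-run-in-query", re.compile(r"\?.*?(.)\1{63,}")),
]


def check_url(url):
    """Return the names of every rule the submitted URL violates."""
    hits = []
    if len(url) > MAX_URL_LEN:
        hits.append("url-too-long")
    query = url.partition("?")[2]
    if len(query) > MAX_QUERY_LEN:
        hits.append("query-too-long")
    hits.extend(name for name, pattern in SIGNATURES if pattern.search(url))
    return hits


def review(lines):
    """Return (line number, client, rule) alerts for a sequence of log lines."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        match = CLF_RE.match(line.rstrip("\n"))
        if match is None:
            # An entry the parser cannot read is reported, not skipped: a request
            # that breaks the log format is itself worth a look.
            alerts.append((lineno, None, "unparseable-entry"))
            continue
        for rule in check_url(match["url"]):
            alerts.append((lineno, match["client"], rule))
    return alerts


# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.21 - - [30/Oct/2008:21:06:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [30/Oct/2008:21:06:02 +0000] "GET /scripts/lookup.ext?'
    + "N" * 224 + ' HTTP/1.0" 404 -',
    '192.0.2.22 - - [30/Oct/2008:21:06:05 +0000] "GET /search?q=baseline+audit HTTP/1.0" 200 512',
    '198.51.100.9 - - [30/Oct/2008:21:06:09 +0000] "GET /' + "a" * 300 + ' HTTP/1.0" 414 -',
    'truncated entry with no request field',
]

if __name__ == "__main__":
    for lineno, client, rule in review(SAMPLE_LOG):
        print(f"line {lineno}: {rule} (client {client})")
```

Because the check reads the server's own logs and matches known request shapes, it corresponds to the knowledge-based, host-based category in the chapter's IDS terminology.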


Exam Prep Questions

1. Which of the following IDS forms uses known attack signatures to identify unauthorized access attempts?

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

2. Which of the following IDS forms is subject to common false-positive attack indications?

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

3. A denial-of-service attack is being waged against the company’s web server using a large external botnet. Which of the following IDS solutions could enhance the attack’s effect?

❍ A. Host-based
❍ B. Application protocol-based
❍ C. Behavior-based
❍ D. Network-based

4. Which of the following IDS forms are relatively platform independent? (Select two correct answers.)

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS


5. You have deployed a packet-monitoring system to sniff packets passing through an organization’s DMZ. Which of the following types of IDS is this solution?

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

6. You have installed a custom monitoring service on the web server that reviews web service logs to watch for the URLs used by the Code Red worm to propagate itself. When this custom service detects an attack, it raises an alert via email. Which of the following types of IDS is this solution? (Select two correct answers.)

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

7. Which of the following describes a host configured to expose a specific service to a public network, while hardening all other resource access to restrict access within an organization’s secure network?

❍ A. Honeypot
❍ B. Honeynet
❍ C. Bastion
❍ D. War driving

8. Acquiring insurance to cover the costs of potential lost data is an example of which risk-management strategy?

❍ A. Accepting the risk
❍ B. Eliminating the risk
❍ C. Mitigating the risk
❍ D. Transferring the risk


9. You have configured your web server to use Windows partitions and the Microsoft System Update Service (SUS) to regularly apply new hotfixes and patches. Which of the following forms of hardening is specified in this solution?

❍ A. Application
❍ B. Baseline
❍ C. Operating system
❍ D. Network

10. Which of the following servers may be overcome by a denial-of-service type of attack? (Select all that apply.)

❍ A. Web servers
❍ B. FTP servers
❍ C. DNS servers
❍ D. NNTP servers
❍ E. DNS servers

Answers to Exam Prep Questions

1. A. Knowledge-based IDS solutions use known attack signatures to identify network attacks. Answer B is incorrect because behavior-based IDS solutions measure access patterns against known baselines to identify attacks. Answers C and D are incorrect because either might include knowledge-based or behavior-based IDS solutions, and so neither is the best answer here.

2. B. Behavior-based IDS solutions measure patterns of access against known security baselines. As a result, any variation from the previous baseline may be detected as a possible attack. Answer A is incorrect because knowledge-based IDS solutions use known attack signatures to identify attacks and so are not often subject to false positives. Answers C and D are incorrect because either might include knowledge-based or behavior-based IDS solutions, and so neither is the best answer here.

3. A. Because host-based IDS solutions use the same resources that are being attacked, they can enhance denial-of-service attempts by consuming additional resources for each identified intrusion event. Answer B is incorrect because an application protocol-based detection system would generally operate away from the web server itself, residing in the middleware layer to monitor protocol use between service elements. Answer C is incorrect because any of the solutions may be behavior-based, and it is likely that the successful identification of a DoS attack would be behavior-based. Answer D is incorrect because a NIDS solution would not impact the service or resource performance of the separate host under attack.


4. B, C. Behavior-based IDS solutions and network-based solutions operate on patterns of access and data packet transfer to identify attacks. As a result, both can evolve to meet changes in network technologies in use. Answers A and D are incorrect because knowledge-based IDS solutions must be able to identify known attack signatures directed at the protected technologies, and host-based IDS solutions involve client agents running on the monitored hosts, and so both are strongly affected by changes to the protected technologies.

5. C. This is a common NIDS solution, where packet data is monitored for unauthorized access patterns. Answers A and B are incorrect because the proposed solution might make use of either knowledge-based or behavior-based IDS, and so neither is the best answer here. Answer D is incorrect because a HIDS solution would use client agents operating on the monitored hosts rather than sniffing the network traffic.

6. A, D. This solution describes a host-based solution identifying a known attack signature. Answer B is incorrect because no baselining is required for this solution. Answer C is incorrect because the agent does not attempt to capture packet data; it only reviews the web service logs on the local system.

7. C. A bastion host exposes a service or port while protecting against other forms of exploit. Answers A and B are incorrect because honeypots and honeynets are used to distract attackers or to monitor their access methods. Answer D is incorrect because war driving refers to driving around with a wireless card in promiscuous mode, attempting to detect open wireless access points.

8. D. Obtaining insurance to cover the cost of a potential exposure is an example of transferring an identified risk without reduction. Answer A is incorrect because the risk has not simply been accepted. Answer B is incorrect because the risk remains; only the costs have been addressed by this solution. Answer C is incorrect because the level of risk remains the same.

9. C. Selecting a secure file system such as NTFS and regularly applying operating system updates are examples of operating system hardening. Answer A is incorrect because application hardening involves the security of user applications and services. Answer D is incorrect because network hardening involves the security of network access. Answer B is incorrect because a baseline establishes the normal operating levels of a network and is not itself hardened.

10. A, B, C, D, and E. All of these services may be overcome by a DoS attack if the attacker can overload the available processing and bandwidth resources available to each. When multiple services are loaded onto a single system, this problem can be compounded.


Additional Reading and Resources

1. Jones, Andy and Debi Ashenden. Risk Management for Computer Security: Protecting Your Network and Information Assets. Butterworth-Heinemann, 2005.
2. Stein, Lincoln D. and John N. Stewart. The World Wide Web Security FAQ: http://www.w3.org/Security/Faq/
3. SANS Information Security Reading Room: http://www.sans.org/reading_room/
4. CERT Incident Reporting Guidelines: http://www.cert.org/tech_tips/incident_reporting.html
5. US-CERT OVAL: http://www.us-cert.gov/oval.html


CHAPTER EIGHT

Auditing

Terms you need to understand:
✓ Performance monitoring
✓ System monitoring
✓ Performance baseline
✓ Behavior-based monitoring
✓ Signature-based monitoring
✓ Anomaly-based monitoring
✓ Application logging
✓ System logging
✓ Auditing
✓ Storage policy
✓ Retention policy
✓ Group policies

Techniques you need to master:
✓ Use monitoring tools on systems and networks and detect security-related anomalies.
✓ Compare and contrast various types of monitoring methodologies.
✓ Execute proper logging procedures and evaluate the results.
✓ Conduct periodic audits of system security settings.


Auditing is done to protect the validity and reliability of organizational information and systems. As a security professional, you have the capability to audit a vast amount of data. Auditing can create a large repository of information that has to be filtered through. How much you audit depends on how much information the organization wants to store or what retention policies are in place. Monitoring can be as simple or complex as you want to make it. Many organizations monitor an extensive amount of information, whereas others may monitor little or nothing. Because every organization is different, with different policies and requirements, no “one size fits all” rules will ensure all security bases are covered. This chapter covers the use of monitoring tools on systems and networks to detect security-related anomalies. The discussion examines various monitoring methodologies, proper logging procedures, results evaluation, and the periodic audits of system security settings.

Using Monitoring Tools to Detect Security-Related Anomalies

Most organizations use monitoring and diagnostic tools to help manage their networks. Diagnostic tools can be actual tools, such as cable testers and loopback connectors, third-party software programs, or built-in operating system tools. This section focuses solely on software utilities. The most basic level of system monitoring tells whether connectivity, a process, or a service is available. The more common network diagnostic tools used for this purpose include the following:

• Ping—Packet Internet Grouper (ping) is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host. It is a good troubleshooting tool to tell whether a route is available to a host.
• Tracert/traceroute—This utility traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up.
• Nslookup—This is a command-line utility used to troubleshoot a domain name system (DNS) server database. It queries the DNS server to check whether the correct information is in the zone database.
• Netstat—Netstat displays all the ports on which the computer is listening. It can also be used to display the routing table and interface statistics.
• Ipconfig/Ifconfig—Ipconfig is used to display the TCP/IP settings on a Windows machine, whereas Ifconfig is used on UNIX/Linux machines. Depending on which command you are using, the command can display the IP address, subnet mask, default gateway, Windows Internet Naming Service (WINS), DNS, and MAC information, or it can be used to display and control TCP/IP information and interfaces. This is useful in verifying that the TCP/IP configuration is correct if connectivity issues arise.
• Telnet—Telnet is a terminal emulation program used to access remote routers and systems. This is an excellent tool to use to determine whether the port on a host computer is working properly.

EXAM ALERT Know the different utilities that you can use to troubleshoot networks and what they are used for.

ICMP is a protocol meant to be used as an aid for other protocols and system administrators to test for connectivity and search for configuration errors in a network. Ping uses the ICMP echo function and is the lowest-level test of whether a remote host is alive. A small packet containing an ICMP echo message is sent through the network to a particular IP address. The computer that sent the packet then waits for a return packet. If the connections are good and the target computer is up, the echo message return packet will be received. It is one of the most useful network tools available because it tests the most basic function of an IP network. It also shows the Time To Live (TTL) value and the amount of time it takes for a packet to make the complete trip, also known as round-trip time (RTT), in milliseconds (ms).

One caveat with using ICMP: It can be manipulated by malicious users, as specified in Chapter 3, “Infrastructure Basics,” so some administrators block ICMP traffic. If that is the case, you will receive a request timeout even though the host is available.

Traceroute uses an ICMP echo request packet to find the path. It sends an echo reply with the TTL value set to 1. When the first router sees the packet with TTL 1, it decreases it by 1 to 0 and discards the packet. As a result, it sends an ICMP Time Exceeded message back to the source address. The source address of the ICMP error message is the first router address. Now the source knows the address of the first router. Generally, three packets are sent at each TTL, and the RTT is measured for each one. Most implementations of traceroute keep working until they have gone 30 hops, but this can be extended up to 254 routers.

Pathping is a Windows route-tracing tool that combines features of the ping and tracert commands with additional information. The pathping command uses traceroute to identify which routers are on the path. When the traceroute is complete, pathping then sends pings periodically to all the routers over a given time period and computes statistics based on the number of packets returned from each hop. By default, pathping pings each router 100 times, with a single ping every 0.25 seconds. Consequently, a default query requires 25 seconds per router hop. This is especially helpful in identifying routers that cause delays or other latency problems on a connection between two IP hosts.

Port scanners, vulnerability scanners, and intrusion-detection systems are also used in network monitoring. These tools were discussed in Chapter 7, “Intrusion Detection and Security Baselines.” If these tools are used on the network, be sure the information they gather is protected, too, because they contain information of great value to an intruder.
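The TTL mechanism that traceroute relies on, and the request timeouts seen when ICMP is blocked, can be followed step by step in a small model. The following added example (not from the book) simulates the exchange instead of sending packets; the Hop class, the addresses, and the single probe per TTL are assumptions made for the illustration, and round-trip times are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    address: str
    answers_icmp: bool = True  # False models a device whose administrator blocks ICMP


def send_probe(path, ttl):
    """Carry one echo request with the given TTL along `path` (routers, then the target).

    Returns (message, address) for the ICMP message that comes back, or None
    when nothing comes back and the sender sees a request timeout.
    """
    *routers, target = path
    for router in routers:
        ttl -= 1          # every router decrements the TTL by 1
        if ttl == 0:      # expired here: the packet is discarded
            if router.answers_icmp:
                return ("time-exceeded", router.address)
            return None   # a silent router still forwards packets with a higher TTL
    if target.answers_icmp:
        return ("echo-reply", target.address)
    return None


def trace(path, max_hops=30):
    """Raise the TTL from 1 until the target answers or max_hops is reached."""
    rows = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, ttl)
        if reply is None:
            rows.append((ttl, None, "timeout"))
            continue
        message, address = reply
        rows.append((ttl, address, message))
        if message == "echo-reply":
            break
    return rows


# Constructed paths: three routers in front of one web server.
SILENT_ROUTER_PATH = [
    Hop("10.0.0.1"), Hop("10.0.1.1", answers_icmp=False), Hop("10.0.2.1"),
    Hop("192.0.2.80"),
]
BLOCKED_TARGET_PATH = [
    Hop("10.0.0.1"), Hop("10.0.1.1"), Hop("10.0.2.1"),
    Hop("192.0.2.80", answers_icmp=False),
]

if __name__ == "__main__":
    for name, path in (("silent router", SILENT_ROUTER_PATH),
                       ("blocked target", BLOCKED_TARGET_PATH)):
        print(name)
        for ttl, address, message in trace(path, max_hops=6):
            print(f"  {ttl:2}  {address or '*':12} {message}")
```

A silent router shows up as a single timeout row while the trace continues past it; a target that blocks ICMP produces timeouts all the way to the hop limit even though the host is up.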

Performance Benchmarking and Baselining

Benchmarking determines how much of a load the server can handle by comparing two or more systems or components of a system. The most common use of a benchmark is to measure performance. However, a benchmark also can be used to burn in a new piece of hardware or a new application. When a server is set up, you should allow a burn-in period. During burn-in, the server is placed under a heavy stress level for long periods of time to see whether any part of the system fails. When performing a burn-in, you will often catch problems that might arise only after extended use or that might not turn up unless the system is under a heavy load.

EXAM ALERT It is essential to identify typical behavior to identify abnormal behavior. This measure of normal activity is known as a baseline.

Baselines must be updated on a regular basis and certainly when the network has changed or new technology has been deployed. An initial baseline should be done for both network and application processes so that you can tell whether you have a hardware or software issue. Sometimes applications have memory leaks, or a new version may cause performance issues. Without having a baseline on applications, you may spend a long time trying to figure out what the problem is.

Be sure that you do the baseline during normal business hours under normal conditions. Taking a baseline on a day when there is little activity may later cause alarm when there is probably no reason; conversely, taking a baseline when there is a denial-of-service (DoS) attack going on will cause you not to pay attention when you should. Security monitoring during baselining is important because an ongoing attack during the baselining process could be registered as the normal level of activity.

To be sure the network is secure when establishing baselines, it is important to harden all technologies against as many avenues of attack as possible. The major areas of concern should be the network itself, the machine operating system, applications, and services. After the baseline has been created, you can then use tools to monitor the performance. The next few sections describe tools that you can use to monitor the performance of systems, applications, and the network to detect security-related anomalies.

Performance Monitoring

As your network changes, you must monitor and improve its performance. You will find that often it is necessary to make adjustments and possibly change the topology or structure of the network. You can use many tools to monitor the performance on the network. Event Viewer, Performance console, Network Monitor, and Task Manager are tools designed for Windows operating systems. Other operating systems have comparable programs that you can use, and you can purchase many third-party programs that will also do the job. On the open source side, Nagios, which is a popular Linux-based enterprise monitoring application, works with text configuration files that store information about hosts and services.

The Microsoft Performance console is used for tracking and viewing the utilization of operating system resources. You can view information that you have tracked in charts, alerts, logs, and reports. The Performance console keeps track of set counters for system objects. Figure 8.1 shows a sample Performance console screen. The console consists of two snap-ins: the System Monitor and the Performance Logs and Alerts. This tool is used to monitor the physical disks, memory, processor, network, and other services. It can also send alerts to an assigned administrator or user when the performance exceeds a predetermined threshold level, and it can monitor more than one server at a time. Here are some of the parameters that should be monitored:

FIGURE 8.1 Performance console.

- Random access memory (RAM)—Microsoft operating systems are memory intensive; therefore, it is important to monitor the memory. Also, sometimes applications have memory leaks that affect performance.
- Logical and physical disks—Monitor for excessive disk usage. Keep in mind that if memory is insufficient, excessive disk usage will occur as the system swaps information in and out of the pagefile.
- CPU—Track the utilization rate to help determine which programs or processes have excessive time usage.
- Protocols—Some protocols tend to grab more processor power, causing other protocols to drop packets.

Keep in mind that performance monitoring is resource-intensive. Only monitor what you need and as necessary.

System Monitoring

System monitoring is the next method of monitoring. The methodology to perform system monitoring depends on the operating system on the desktop or server. In Microsoft operating systems, the Event Viewer records events in the system event log. Event Viewer enables you to view certain events that occur on the system. Event Viewer maintains three log files: one for system processes, one for security information, and one for applications.

EXAM ALERT
The security log records security events and is available for viewing only by administrators. For security events to be monitored, you must enable auditing.

Unlike the security log, the application and system logs are available to all users to view. You can use the application log to tell how well an application is running. The system log shows events that occur on the individual system. You can configure settings such as the size of the file and the filtering of events. Event logging is used for troubleshooting or for notifying administrators of unusual circumstances. It is important to be sure that you have the log file size set properly, that the size is monitored, and that the logs are periodically archived and cleared. Consider carefully where you store log files to make sure that intruders don’t have access to them. By doing so, you eliminate the ability for intruders to cover their tracks. Table 8.1 lists the fields and definitions of Windows events.

TABLE 8.1 Windows Events

| Field Name | Field Description |
|---|---|
| Type | The type of the event, such as error, warning, or information |
| Time | The date and time of the local computer at which the event occurred |
| Computer | The computer on which the event occurred |
| Provider Type | The type of event that generated the event, such as a Windows event log |
| Provider Name | The name of the event, such as Application or Security |
| Source | The application that logged the event, such as MSSQL Server |
| Event ID | The Windows event number |
| Description | The description of the event |

Of these fields, it is important to note the Event ID and the Description Text fields. The event ID is the easiest way to research the event in the Microsoft Knowledge Base, and the description text usually explains what happened in simple language. Figure 8.2 shows the system event log for a system.

FIGURE 8.2 Event Viewer.

There are also built-in and downloadable tools in other operating systems, such as iStat nano for Macintosh systems. iStat nano is a system monitor widget that enables you to view statistics about the system, such as CPU usage, memory usage, hard drive space, bandwidth usage, temperatures, fan speeds, battery usage, uptime, and the top five processes. In addition, third-party programs are available that provide network health monitoring. These programs can monitor the entire network and include devices such as modems, printers, routers, switches, and hubs. To monitor the health of all systems, you install agents on the machines and then monitor the agents from a central location. For example, Simple Network Management Protocol (SNMP) is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. If you choose to use SNMP, be aware of the vulnerabilities this protocol has. The vulnerabilities of SNMP are discussed in Chapter 3, “Infrastructure Basics.”

Protocol Analyzers

Some operating systems have built-in protocol analyzers. Protocol analyzers were introduced in Chapter 3. The purpose of the discussion in this chapter is to show how you can use them to detect security-related anomalies. Windows Server operating systems come with a protocol analyzer called Network Monitor. Novell’s comparable network-monitoring tool is called LANalyzer. In the UNIX environment, many administrators use the tools that come with the core operating system, such as ps and vmstat. Sun Solaris has a popular utility called iostat that provides good information about I/O performance. Other third-party programs such as Wireshark can also be used for network monitoring.

EXAM ALERT
A protocol analyzer is used to capture network traffic and generate statistics for creating reports. When the packets have been captured, you can view the information.

Figure 8.3 shows the information output by the Microsoft Network Monitor. Some of the basic information recorded is the source address, destination address, headers, and data. Network Monitor detects other installed instances of Network Monitor and identifies the machine name and user account that it is running under. Often, Network Monitor is used in conjunction with Microsoft Systems Management Server (SMS) so that it can capture data across routers and resolve IP addresses from names. In addition, you can access the Performance console from within Network Monitor.

Network Monitor can be used to view IPsec communication. It includes parsers for the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP) protocols. Network Monitor cannot parse encrypted portions of IPsec-secured ESP traffic when the encryption is provided by software. It can, however, process the packets if they are being encrypted and decrypted by IPsec-aware network adapters because the packets are already decrypted by the time they reach Network Monitor’s parsers.

FIGURE 8.3 Network Monitor.

Monitoring Methodologies

When implementing a monitoring methodology, you need to be able to distinguish between the various methods and compare the effects of implementing each method. To do this, you should have some fundamental knowledge of what levels of the system are to be monitored. Monitoring for detection of abnormalities or intrusion should be established at five different levels:

- The kernel—The kernel level is the execution profile. It is here that malicious software such as rootkits operate. When changes to this profile occur, something possibly intrusive is occurring on the system.
- The network layer—The network-level profile consists of the assembly and transport of data packets. Potentially dangerous activity is denoted by an unusual increase or decrease in packets, when enormous packets are produced, or when the send or receive process takes unusual steps. Attacks at this level would include DoS and other malformed packet attacks.
- The file system—At the file system level, there is a lot of variation among users. This is because each user accesses different files in different locations with different frequencies. However, each user creates certain patterns that can be represented in a profile.
- The shell—At the shell level, each user generates a standard profile representing the normal activities that are routine for that person. Changes in these profiles may indicate something amiss, such as a compromised account or malfeasance.
- The end application—All applications generate a normal profile of behavior. Changes in the normal application behavior warrant further investigation for a compromise.

The following sections cover the most common ways to monitor the various levels and their activity, including behavior-based, signature-based, and anomaly-based monitoring.

Behavior-Based Monitoring

Behavior-based intrusion detection monitoring was discussed in Chapter 7. This section serves as a review and provides additional information about this type of monitoring.

EXAM ALERT
Behavior-based scanning works by looking at the way certain executable files make your computer behave. This information is then used as a model of normal or valid behavior.

This model is then compared with current activity. The premise of behavior-based monitoring is that an intrusion can be detected by variations from expected system or user behavior. So, for example, if you install a program that doesn’t contain a known signature and causes your email program to begin sending out emails to everyone in your address book, the behavior-based scanning tool will detect this abnormal behavior and mark it as such. Based on this logic, all attacks can be detected. However, because this method is based solely on behavior, it can generate false positives. Table 8.2 shows the advantages and disadvantages of behavior-based monitoring. Behavior-based intrusion detection is sometimes referred to as statistical-based intrusion detection.

TABLE 8.2 Advantages and Disadvantages of Behavior-Based Monitoring

| Advantages | Disadvantages |
|---|---|
| Can identify malware before it’s added to signature files | Tends to trigger false alarms |
| Can monitor for malware activities | Slow file checking |
| Can learn about malware based on previous detection | Tends to be more costly |
| Not dependent on OS-specific mechanisms | Needs retraining (when behavior changes) |

Anomaly-Based Monitoring

Anomaly detection, a subset of behavior-based monitoring, stores normal system behavior profiles and triggers an alarm when some type of unusual behavior occurs. This type of monitoring falls under behavior-based monitoring. Anomaly-based monitoring uses different types of measures depending on what is being protected and what is being monitored. The classifications of anomaly detection techniques include statistical methods, rule-based methods, distance-based methods, profiling methods, and model-based approaches. For example, under the profiling method, normal behavior can be programmed based on offline research, or the system can learn behavior while processing network traffic. Because it detects any traffic behavior that is new or unusual, the anomaly-based method provides early notification of potential intrusions. Anomaly-based monitoring is useful for detecting these types of attacks:

- Protocol and port exploitation
- New exploits or buffer overflow attacks
- DoS attacks based on payloads or volume
- Normal network failures
- Variants of existing attacks in new environments

Detection of anomalies is used in many security domains, ranging from video surveillance and security systems to intrusion detection and fraudulent transactions. Anomalies are by definition events out of the ordinary. Although their occurrence should be minimal, properly detecting their presence is highly important compared to other events.
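
The statistical method of anomaly detection, combined with the earlier advice on when to take a baseline, as an added example that is not from the book: it builds a baseline from packets-per-minute samples and alarms on readings more than three standard deviations from the mean. The sample counts, the three-deviation threshold, and all function names are assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed samples: packets per minute seen at the perimeter.
BUSINESS_HOURS = [980, 1010, 995, 1023, 1002, 990, 1015, 985, 1008, 992]
QUIET_DAY = [110, 95, 102, 98, 105, 90, 100, 108, 97, 95]
DURING_FLOOD = [48000, 52000, 50500, 49500, 51000, 47000, 53000, 50000, 49000, 50000]

# Constructed readings to evaluate: normal load, a two-minute flood, then an outage.
TODAY = [1005, 998, 1012, 51000, 49800, 1001, 12]


def build_baseline(samples):
    """Summarise normal activity as a mean and a sample standard deviation."""
    if len(samples) < 2:
        raise ValueError("a baseline needs at least two samples")
    return {"mean": mean(samples), "stdev": stdev(samples)}


def find_anomalies(baseline, readings, k=3.0):
    """Return (index, value, z_score) for readings more than k deviations from the mean.

    Both unusual increases and unusual decreases are reported.
    """
    spread = baseline["stdev"] or 1e-9  # a perfectly flat baseline must not divide by zero
    anomalies = []
    for index, value in enumerate(readings):
        z_score = (value - baseline["mean"]) / spread
        if abs(z_score) > k:
            anomalies.append((index, value, round(z_score, 1)))
    return anomalies


def flagged_indexes(samples, readings, k=3.0):
    """Indexes of the readings that a baseline built from `samples` would alarm on."""
    return [index for index, _, _ in find_anomalies(build_baseline(samples), readings, k)]


if __name__ == "__main__":
    for name, samples in (("business hours", BUSINESS_HOURS),
                          ("quiet day", QUIET_DAY),
                          ("taken during flood", DURING_FLOOD)):
        print(f"{name:>20}: alarms at readings {flagged_indexes(samples, TODAY)}")
```

The business-hours baseline alarms only on the flood and the outage; the quiet-day baseline alarms on everything; the baseline taken during the flood treats the flood readings as normal and alarms on ordinary traffic instead.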

Signature-Based Monitoring

Almost every program has some identifiable text inside its code. This identifiable text is its signature. A signature-based monitoring method is sometimes considered a part of the misuse-detection category.

EXAM ALERT
A signature-based monitoring method looks for specific byte sequences or signatures known to appear in attack traffic. The signatures are identified through careful analysis of the byte sequence from captured attack traffic.

Signature-based systems have an advantage because of their simplicity and their ability to operate online in real time. The problem is that they can detect only known attacks with identified signatures. In some products, such as Snort, these signatures are in the form of rules or rule sets. Nearly all signature-based product vendors provide rules for their products with variable numbers of signatures. The rules are developed as new vulnerabilities are discovered and documented. Table 8.3 lists the advantages and disadvantages of signature-based monitoring.

TABLE 8.3 Advantages and Disadvantages of Signature-Based Monitoring

| Advantages | Disadvantages |
|---|---|
| Accurate detection because of prior detection | Polymorphic viruses make signature scanning nearly obsolete for critical systems. |
| Low number of false positives | Rule sets need constant updating. |
| Detailed text logs | Inability to detect new and previously unidentified attacks. |
| Uses few system resources | Based excessively on passive monitoring. |

Logging Procedures and Evaluation

Logging is the process of collecting data to be used for monitoring and auditing purposes. The log files themselves are documentation, but how do you set up a log properly? Standards should be developed for each platform, application, and server type to make this a checklist or monitoring function. When choosing what to log, be sure you choose carefully. Logs take up disk space and use system resources. They also have to be read; if you log too much, the system will bog down, and it will take a long time to weed through the log files to determine what is important. A common storage location for all logs should be mandated, and documentation should state proper methods for archiving and reviewing logs.

Logging procedures and evaluation are an important part of keeping your network safe. However, before you can configure logging, it is essential to identify what is typical behavior for your network. If you don’t know what normal behavior is, it is hard to identify what is abnormal behavior. For example, UDP ports 137 and 138 and TCP port 139 are used for NetBIOS activity. If you don’t know that this is a normal part of Microsoft operating system communication, you may think someone is trying to attack your network. Baselining gives you a point of reference when something on the network goes awry. When you have a baseline of activity as described in prior sections, you can configure logging. This next section covers some of the main areas of logging and evaluation procedures.

Application Security

Application security and logging have become a major focus of security as we move to a more web-based world and exploits such as cross-site scripting and SQL injections are an everyday occurrence. Web-based applications and application servers contain a wealth of valuable data. Internally, application servers store a wide variety of data from web pages to critical data and sensitive information. Regulatory compliance issues make it necessary to have sound procedures in place for logging and retention of secured data. Centralized logging solutions can be based on a variety of standards such as the UNIX syslog or Linux syslog-ng format.

NOTE
When implementing an application logging strategy, look for a solution that uses standard protocols and formats so that analysis is simpler.

Standards should also be implemented for the types of events you want to log based on business, technical, and regulatory requirements and the threats the organization faces. Should you choose to use manual analysis, consider creating the logs in a format that can readily be parsed, such as comma-separated value (CSV). Doing so will allow for more flexibility when importing the information into applications for analysis.

Because SQL injections are a large concern for organizations, we will look at an example of the need for consistent logging in finding SQL injection attempts. If an attacker is trying to perform SQL injection and executes it on a variety of different fields, these fields will map to different objects. If these objects are written by different developers, there is a good chance that the syntax in the logs will also vary. So, not only do you need to read the logs, you may also have to know how to correlate events when examining output.

Logging HTTP requests may expose attempts—successful or unsuccessful—to exploit a buffer overflow. Most web servers offer the option to store log files in either the common log format or a proprietary format. The common log file format is supported by the majority of analysis tools. The extended log file format is designed to meet the following needs:

- Permit control over the data recorded
- Support needs of proxies, clients, and servers in a common format
- Provide robust handling of character escaping issues
- Allow exchange of demographic data
- Allow summary data to be expressed
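
The correlation problem described above for SQL injection attempts, as an added example that is not from the book: two components log the same kind of event in different syntax (one in CSV, one as key=value pairs), so each is normalized into a common record before suspicious values are grouped by source address. The log layouts, the sample lines, the detection patterns, and the function names are all assumptions made for illustration.

```python
import csv
import re
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample: the login component logs CSV (time, source, field, value).
LOGIN_CSV = """\
2008-10-30 14:01:58,198.51.100.20,username,"O'Reilly"
2008-10-30 14:02:11,203.0.113.7,username,"admin' OR '1'='1"
"""

# Constructed sample: the search component, by another developer, logs key=value pairs.
SEARCH_KV = """\
ts=2008-10-30T14:02:15 src=203.0.113.7 param=q value="1 UNION SELECT name FROM users"
ts=2008-10-30T14:03:02 src=198.51.100.20 param=q value="union station parking"
ts=2008-10-30T14:05:30 src=192.0.2.44 param=category value="books' OR 'x'='x"
"""

# Heuristic patterns (assumed for this example, not a complete rule set).
SUSPICIOUS = re.compile(
    r"\bunion\s+select\b"        # UNION SELECT
    r"|'\s*or\s+'?\w+'?\s*="     # a quote followed by OR <term> =
    r"|--\s*$",                  # trailing SQL comment
    re.IGNORECASE,
)


def parse_login_csv(text):
    """Normalize the CSV log into common event records."""
    events = []
    for when, src, field, value in csv.reader(text.strip().splitlines()):
        events.append({"time": datetime.fromisoformat(when), "src": src,
                       "component": "login", "field": field, "value": value})
    return events


def parse_search_kv(text):
    """Normalize the key=value log into the same record layout."""
    events = []
    for line in text.strip().splitlines():
        pairs = dict(token.split("=", 1) for token in shlex.split(line))
        events.append({"time": datetime.fromisoformat(pairs["ts"]), "src": pairs["src"],
                       "component": "search", "field": pairs["param"],
                       "value": pairs["value"]})
    return events


def is_suspicious(value):
    return bool(SUSPICIOUS.search(value))


def correlate(events, min_fields=2):
    """Group suspicious events by source; keep sources that probed min_fields distinct fields."""
    by_source = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        if is_suspicious(event["value"]):
            by_source[event["src"]].append(event)
    return {src: hits for src, hits in by_source.items()
            if len({(h["component"], h["field"]) for h in hits}) >= min_fields}


if __name__ == "__main__":
    all_events = parse_login_csv(LOGIN_CSV) + parse_search_kv(SEARCH_KV)
    for src, hits in correlate(all_events).items():
        print(src, [(h["component"], h["field"], h["value"]) for h in hits])
```

Read separately, each log shows one odd request from 203.0.113.7; only the merged, time-ordered view shows the same source working through fields in two components.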

Internet Information Services (IIS) logs information specific to the events and processes of the service. The IIS logs may include information about site visitors and their viewing habits. They can be used to assess content, identify bottlenecks, or investigate attacks. Plan the selection of the fields that will be logged carefully to limit the size of the logs. To improve server performance, logs should be stored on a nonsystem striped or striped/mirrored disk volume. Besides logging the IIS service, you can enable logging for individual web and FTP sites. After you enable logging on a web or FTP site, all traffic to the site including virtual directories is written to the corresponding file for each site.

DNS

Domain name system (DNS) is called the “heartbeat” of the Internet. DNS resolves IP addresses to domain names. Many organizations choose to host their own DNS server as opposed to paying for third-party hosting. There are a couple of options available for DNS: Microsoft DNS and Berkeley Internet Name Domain (BIND). Each has logging features, and this section discusses those options.

BIND offers several logging options. The logging system is configured using the logging statement in the /etc/named.conf file. The options include specifying which types of messages are logged, where each message type is sent, and the severity of each message type to log. Additional logging information can be found in the BIND documentation. In BIND 8 and 9, the DNS server logs messages to output channels. Channels are where logging data is sent. Here are the channel types:

- File channels—Messages logged to file channels are sent to a file.
- Syslog channels—Messages logged to this channel are sent to the job log.
- Null channels—All messages logged to the null channel will be discarded.

You can create your own file channels in addition to the default channels provided. Messages are grouped into categories. You can specify what message categories should be logged to each channel. There are many categories, including config, db, queries, lame-servers, update, xfer-in, and xfer-out. Log files can become large, and they should be deleted on a regular basis. Channels enable you to filter by message severity. For each channel, you can specify the severity level for which messages are logged. All messages of the severity you select and any levels above it in the list are logged. All DNS server log file contents are cleared when the DNS server is stopped and started.

Microsoft DNS provides a couple of options for identifying DNS events. The Event Viewer DNS server log file provides information about errors and other information relating to the DNS service. The DNS server log contains events logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. This should be the first place you look when troubleshooting DNS-related issues.

DNS logging logs selected DNS event information in a dns.log file in the %systemroot%\system32\dns folder on the server. DNS logging may cause performance degradation on the server. It should be used only for troubleshooting purposes. By enabling DNS debug logging, you can log all DNS-related information. This includes zone transfers, DNS queries, and resource record updates. Configuring DNS debug logging can be done from the command line using DNSCmd.exe or from the GUI.

For troubleshooting DNS without logging, use Nslookup. Nslookup has two modes: noninteractive and interactive. Interactive mode is used when you are running multiple queries one after another. Noninteractive mode is used for looking up a single piece of data, such as one DNS record.

System Logging

The types of log files found in Microsoft operating systems were discussed previously in the section “System Monitoring.” The Event Viewer records events in the system event log. In UNIX- or Linux-based systems, programs send log entries to the system logging daemon, syslogd. Syslogd compares each submission to the entries in /etc/syslog.conf. When it finds a matching entry, it processes the log entry. There are two columns in /etc/syslog.conf: one for providing the information to be logged, and one for the action to be taken when a log message matches. The standard method of specifying a logging source is by facility and level.

As with other operating systems, when using UNIX/Linux you should centralize log files by copying them from the system to a log server. This way if the logs on the system don’t match the logs on the syslog server, you know they have been altered. This also provides you with a backup of the logs, enabling you to trace when and where the intrusion occurred. Best practices for system logging include the following:

- Use a host that is dedicated to logging.
- Employ strict access controls on all logging servers.
- Encrypt the log files when allowed.
- Log multiple systems to increase reliability.
- Monitor the capacity of log partitions and storage.
- Store log files on a standalone computer.
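
The check described above, comparing a host's own log with the copy held on the central log server, as an added example that is not from the book. The host names, log lines, and function names are constructed for illustration, and the lines are assumed to follow the classic "Mon DD HH:MM:SS host tag: message" syslog layout.

```python
from collections import Counter

# Constructed sample: what the central log server received (several hosts).
CENTRAL = """\
Oct 30 21:03:55 web01 sshd[812]: Failed password for alice from 203.0.113.7 port 40112 ssh2
Oct 30 21:04:02 db01 cron[401]: (backup) CMD (/usr/local/bin/nightly)
Oct 30 21:04:12 web01 sshd[812]: Accepted password for alice from 203.0.113.7 port 40117 ssh2
Oct 30 21:05:40 web01 su[845]: session opened for user root by alice(uid=1001)
Oct 30 21:09:13 web01 sshd[812]: Received disconnect from 203.0.113.7
""".splitlines()

# Constructed sample: the file found on web01 itself; one line edited, one removed.
LOCAL_WEB01 = """\
Oct 30 21:03:55 web01 sshd[812]: Failed password for alice from 203.0.113.7 port 40112 ssh2
Oct 30 21:04:12 web01 sshd[812]: Accepted password for alice from 192.0.2.10 port 40117 ssh2
Oct 30 21:09:13 web01 sshd[812]: Received disconnect from 203.0.113.7
""".splitlines()


def host_of(line):
    """Host name field of a 'Mon DD HH:MM:SS host tag: message' syslog line."""
    fields = line.split()
    return fields[3] if len(fields) > 3 else None


def _in_order(lines, wanted):
    """Return the lines counted in `wanted`, keeping their order in `lines`."""
    remaining = Counter(wanted)
    picked = []
    for line in lines:
        if remaining[line] > 0:
            picked.append(line)
            remaining[line] -= 1
    return picked


def compare_logs(local_lines, central_lines, host):
    """Compare one host's local log with what the central server holds for it.

    missing_locally: received centrally but absent on the host (deleted or edited).
    only_local:      present on the host but never received centrally
                     (edited or inserted lines, or a forwarding failure).
    Duplicate lines are counted, so removing one of two identical entries is noticed.
    """
    local = [line.rstrip() for line in local_lines if line.strip()]
    central = [line.rstrip() for line in central_lines
               if line.strip() and host_of(line) == host]
    local_count, central_count = Counter(local), Counter(central)
    return {
        "missing_locally": _in_order(central, central_count - local_count),
        "only_local": _in_order(local, local_count - central_count),
    }


if __name__ == "__main__":
    report = compare_logs(LOCAL_WEB01, CENTRAL, "web01")
    for kind, lines in report.items():
        print(kind)
        for line in lines:
            print("   ", line)
```

The earliest timestamp under missing_locally gives a starting point for tracing when the alteration, and therefore the intrusion, took place.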

Performance Logging

Earlier in the chapter, we discussed performance monitoring and the tools used for monitoring. All these tools create log files that need to be reviewed. Remember that if you log everything, you end up with too much useless data consuming system resources. This section explores some tools directly related to the performance of the system itself.

Task Manager is a tool that you can use to end processes or applications that get hung up or cause the operating system to become unstable, without having to reboot the machine. Although Task Manager does not actually log performance, it gives you an instant history view of CPU and memory usage and can be extremely useful in determining where further investigation is warranted.

As you learned earlier in the chapter, the Microsoft Performance console keeps track of set counters for system objects, but it also has a second component specifically related to performance logging called Performance Logs and Alerts. The Performance Logs and Alerts snap-in enables you to collect performance data automatically from local or remote computers. The logged data can be viewed using System Monitor, or it can be exported in a variety of formats for later analysis and report generation. The counter data collected can be viewed during collection and after collection has stopped because logging runs as a service. This means data collection occurs regardless of whether any user is logged on to the computer being monitored.

Access Logging

An important step in protecting the environment is logging remote, local, and network access. Countless examples of intruders being present in a system for a long period of time demonstrate the need to pay particular attention to logging network access. You can use several tools to track what is happening on the network. These tools include Windows events, log files, and audit files. Some of the activities that can be logged include reading, modifying, or deleting files; logging on or off the network; creation, deletion, and modification of user accounts; using services such as remote access or Terminal Services; and using devices such as printers.

EXAM ALERT
Log what’s really essential. It is also important to set the proper size of the security log based on the number of events that you generate.

In addition to the built-in methods to log access, other programs are available to log and monitor network access, such as the Microsoft System Center Configuration Manager 2007 and third-party tools such as McAfee’s Network Access Control.

Authentication and accounting logging is particularly useful for troubleshooting remote-access policy issues. A VPN server running Windows Server 2003 with Windows accounting enabled supports the logging of information for remote-access and site-to-site VPN connections in local logging files. Authentication and accounting logging information is used to track remote-access usage and authentication attempts. This logging is separate from the events recorded in the system event log, which we discussed earlier in the chapter.

To configure authentication and accounting logging, you must first enable either Windows Authentication or Windows Accounting. The log files are stored in the %SystemRoot%\WINDOWS\System32\LogFiles folder. The log files are saved in a format that any database program can read, so the log files can either be exported or accessed directly for analysis. You configure accounting or authentication logging and log file settings from the properties of the Local File method within the Remote Access Logging folder in the Routing and Remote Access (RRAS) snap-in. If your RADIUS server is also running Internet Authentication Service (IAS), authentication and accounting information is logged in log files stored on the IAS server, too. RRAS supports the following types of logging:

- Event logging
- Local authentication and accounting logging
- RADIUS-based authentication and accounting logging
- Netsh command-line utility

Firewall Logging

Firewall logs contain entries about the packets that have been handled by the packet filter. All firewall manufacturers have some type of logging capability. The following are some events you want to take a closer look at:

- Repeated traffic to particular ports—This can indicate a DoS or distributed DoS (DDoS) attack.
- Blocked attempts—A large number of blocked attempts can indicate an intrusion attempt.
- Suspicious signatures—These can indicate activity by worms or malicious code.

If you are simply using a router and depending on a Microsoft Internet Security and Acceleration (ISA) server for filtering activity, by default only dropped packets are logged. If you want to log all the packets that are dropped and enabled by the firewall, the option is available in the IP packet filters. However, if you enable this option, the packet filter logs can become quite large depending on the amount of traffic that the ISA server handles. In ISA server, when you configure firewall logging or web proxy logging to use the MSDE database format or the SQL database format, fields that you do not configure may appear in the log file. You can define filter criteria to query log files to display specific data that may help troubleshoot common web connectivity issues.

ISA server contains an HTTP filter, which is an application layer filter that examines HTTP commands and data. The HTTP filter screens all HTTP traffic that passes through the ISA server computer and only allows compliant requests to pass through. This significantly improves the security of your web servers, by helping ensure that they respond only to valid requests. It also enables you to control the specifics of ISA server client Internet access.

If you are using older operating systems such as Windows NT with Windows 98 clients, account lockouts can be difficult to track. One reason for this is that the bad password attempts are recorded only on the domain controller that processed the logon attempt. A relatively easy way to track bad password attempts in a domain is to install the checked build of Netlogon.dll on the primary domain controller (PDC). This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts. In the event you are having issues with accounts being locked out such as in a brute-force attack, you should install the Netlogon.dll and then examine the Netlogon.log files.
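
Two of the firewall log events this section says to look at, repeated traffic to particular ports and large numbers of blocked attempts, as an added example that is not from the book. The CSV layout is a constructed format rather than the ISA Server log format, and the thresholds, addresses, and function names are assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict


def build_sample_log():
    """Construct a small firewall log (CSV) so the example runs offline."""
    rows = ["time,action,src,dst,dport"]
    # 40 allowed connections to the web server from 8 different sources.
    for i in range(40):
        rows.append(f"21:00:{i:02d},ALLOW,198.51.100.{10 + i % 8},192.0.2.80,80")
    # 30 allowed connections to the mail server from a single source.
    for i in range(30):
        rows.append(f"21:01:{i:02d},ALLOW,203.0.113.7,192.0.2.25,25")
    # 12 dropped packets from one source, each to a different port.
    for port in range(1, 13):
        rows.append(f"21:02:{port:02d},DROP,198.51.100.99,192.0.2.80,{port}")
    # A little ordinary traffic.
    rows.append("21:03:00,ALLOW,192.0.2.14,192.0.2.53,53")
    rows.append("21:03:05,DROP,192.0.2.15,192.0.2.80,23")
    return "\n".join(rows)


def parse_firewall_log(text):
    """Parse the CSV log into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def blocked_attempts(events, threshold):
    """Sources with at least `threshold` dropped packets, with their counts."""
    counts = Counter(e["src"] for e in events if e["action"] == "DROP")
    return {src: n for src, n in counts.items() if n >= threshold}


def repeated_port_traffic(events, threshold, ddos_sources=5):
    """Destination address and port pairs that received at least `threshold` packets.

    Each result is (packets, distinct sources, label). Many distinct sources
    suggest a distributed attack; a single source suggests a plain DoS.
    """
    hits = Counter()
    sources = defaultdict(set)
    for e in events:
        key = (e["dst"], int(e["dport"]))
        hits[key] += 1
        sources[key].add(e["src"])
    report = {}
    for key, n in hits.items():
        if n >= threshold:
            label = "possible DDoS" if len(sources[key]) >= ddos_sources else "possible DoS"
            report[key] = (n, len(sources[key]), label)
    return report


if __name__ == "__main__":
    log = parse_firewall_log(build_sample_log())
    print("blocked:", blocked_attempts(log, threshold=10))
    print("repeated:", repeated_port_traffic(log, threshold=25))
```

The thresholds only mean something relative to a baseline of the site's normal traffic, which is why they are parameters rather than fixed values.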

Antivirus Logging

Antivirus software, just like other software applications, usually contains a folder within the application for logging events such as updates, quarantined viruses, and update history. Third-party programs are also available for centralizing log files. For example, Sawmill, which is well suited to web server logs, can process almost any log. It can process log files in Symantec Antivirus Log Format, generate dynamic statistics, import them into a SQL database, and generate dynamically filtered reports. This can be done on any platform, including Windows, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, other UNIX, and others.

Periodic Audits of System Security Settings

How much you should audit depends on how much information you want to store. Keep in mind that auditing should be a clear-cut plan built around goals and policies. Without proper planning and policies, you probably will quickly fill your log files and hard drives with useless or unused information.


TIP The more quickly you fill up your log files, the more frequently you need to check the logs; otherwise, important security events may get deleted unnoticed.

Here are some items to consider when you are ready to implement an audit policy:

• Identify potential resources at risk within your networking environment. These resources might typically include sensitive files, financial applications, and personnel files.
• After the resources are identified, set up the audit policy through the operating system tools. Each operating system will have its own method for tracking and logging access.
• Auditing can easily add an additional 25% load on a server. If the policy incorporates auditing large amounts of data, be sure that the hardware has the additional space needed and processing power and memory.

After you have auditing turned on, log files will be generated. Take time to view the logs.

User Access and Rights Review

After you have established the proper access control scheme, it is important to monitor changes in access rights. Auditing user privileges is generally a two-step process that involves turning auditing on within the operating system and then specifying the resources to be audited. After enabling auditing, you also need to monitor the logs that are generated. Auditing should include both privilege and usage. Auditing of access use and rights changes should be implemented to prevent unauthorized or unintentional access or escalation of privileges, which might allow a guest or restricted user account access to sensitive or protected resources.

Some of the user activities that can be audited include the following:

• Reading, modifying, or deleting files
• Logging on or off the network
• Using services such as remote access or terminal services
• Using devices such as printers

Figure 8.4 provides an example of an auditing policy configured to log privilege use and account management.

FIGURE 8.4 An example of a Windows audit policy configured for the monitoring of privilege use and account management.

TIP When configuring an audit policy, it is important to monitor successful and failed access attempts. Failure events allow you to identify unauthorized access attempts; successful events can reveal an accidental or intentional escalation of access rights.

The roles of the computers will also determine which events or processes you need to audit and log. For example, auditing a developer’s computer might include auditing process tracking, whereas auditing a desktop computer might include auditing directory services access. To audit objects on a member server or a workstation, turn on the audit object access. To audit objects on a domain controller, turn on the audit directory service access. Table 8.4 lists some of the best practices for auditing events recommended by Microsoft, the reason why you would audit them, and additional information about the auditing of the event.


TABLE 8.4 Auditing Best Practices

| Event to Audit | Reason | Additional Information |
|---|---|---|
| Audit success and failure events in the system events category. | Unusual activity may indicate that an intruder is attempting to gain access to the computer or network. | The number of audits that are generated when this setting is enabled is relatively low, and information gained tends to be relatively high. |
| Audit success events in the policy change event category on domain controllers. | A logged event indicates someone has changed the Local Security Authority (LSA). | Auditing failed events increases resource use, which usually outweighs the benefits. |
| Audit success events in the account management event category. | Used to verify changes that are made to account properties and group properties. | Auditing failed events increases resource use, which usually outweighs the benefits. |
| Audit success events in the logon event category. | Records when each user logs on to or logs off from a computer. | The possibility of a DoS attack increases with the auditing of failure events in this category. |
| Audit success events in the account logon event category on domain controllers. | Used to verify when users log on to or log off from the domain. | Auditing failed events increases resource use, which usually outweighs the benefits. |

Do not audit the use of user rights unless it is strictly necessary for your environment. If you must audit the use of user rights, it is advisable to purchase or write an event-analysis tool that can filter only the user rights of interest to you. The following user rights are never audited mainly because they are used by processes. However, the assignment of them is

• Bypass traverse checking
• Generate security audits
• Create a token object
• Debug programs
• Replace a process-level token

In addition to auditing events on domain controllers and user computers, servers that perform specific roles, such as a DNS, DHCP, SQL, or Exchange server, should have certain events audited. For example, you should enable audit logging for DHCP servers on your network and check the log files for an unusually high number of lease requests from clients. DHCP servers running Windows Server 2003 include several logging features and server parameters that provide enhanced auditing capabilities, such as specifying the following:

• The directory path in which the DHCP server stores audit log files. By default, the DHCP audit logs are located in the %windir%\System32\Dhcp directory.
• A minimum and maximum size for the total amount of disk space that is available for audit log files created by the DHCP service.
• A disk-checking interval that determines how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.
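One way to check a DHCP audit log for an unusually high number of lease requests, as an added example (not code from the book). The comma-separated field order (ID, Date, Time, Description, IP Address, Host Name, MAC Address), the event IDs 10 (new lease) and 11 (renewal), the per-minute threshold, and the sample lines are assumptions of the example.

```python
import csv
from collections import defaultdict
from datetime import datetime

NEW_LEASE = 10  # assumed event ID: a new address was leased to a client
RENEWAL = 11    # assumed event ID: an existing lease was renewed

# Constructed sample; addresses, host names and MAC addresses are made up.
SAMPLE_AUDIT_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/14/08,08:59:50,Started,,,
10,04/14/08,09:00:05,Assign,10.0.0.21,WKS-014.corp.example,0011AA000014
11,04/14/08,09:00:40,Renew,10.0.0.15,WKS-003.corp.example,0011AA000003
10,04/14/08,09:02:01,Assign,10.0.0.30,,02AB00000001
10,04/14/08,09:02:02,Assign,10.0.0.31,,02AB00000002
10,04/14/08,09:02:02,Assign,10.0.0.32,,02AB00000003
10,04/14/08,09:02:03,Assign,10.0.0.33,,02AB00000004
10,04/14/08,09:02:04,Assign,10.0.0.34,,02AB00000005
10,04/14/08,09:03
"""


def parse_audit_log(text):
    """Yield (timestamp, event_id, ip, host, mac) for each well-formed event row."""
    for row in csv.reader(text.strip().splitlines()):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # column header, banner text, or a truncated row
        try:
            stamp = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # unreadable date or time
        yield stamp, int(row[0]), row[4], row[5], row[6].upper()


def lease_bursts(text, per_minute_threshold=5):
    """Return the minutes in which new-lease events reached the threshold."""
    buckets = defaultdict(list)
    for stamp, event_id, _ip, _host, mac in parse_audit_log(text):
        if event_id == NEW_LEASE:
            buckets[stamp.replace(second=0)].append(mac)
    findings = []
    for minute in sorted(buckets):
        macs = buckets[minute]
        if len(macs) >= per_minute_threshold:
            findings.append({
                "minute": minute.strftime("%m/%d/%y %H:%M"),
                "new_leases": len(macs),
                # Many distinct, never-seen hardware addresses in one minute
                # is a different signal from one client retrying.
                "distinct_macs": len(set(macs)),
            })
    return findings


if __name__ == "__main__":
    for finding in lease_bursts(SAMPLE_AUDIT_LOG):
        print(finding)
```

Set the threshold from a baseline of your own logs; a value that is normal at 9:00 AM on a large site is an alarm on a small one.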

CAUTION Turning on all audit counters for all objects could significantly impact server performance.

In SQL Server, audit failure produces an entry in the Microsoft Windows event log and the SQL Server error log. It is strongly recommended that during SQL Server setup you create a new directory to contain your audit files. The suggested path is \mssql\audit. If you are running SQL Server on a named instance, the suggested path is MSSQL$Instance\audit.

Storage and Retention Policies

Retention and storage documentation should outline the standards for storing each classification level of data. Take, for example, the military levels of data classification. Data and information classification levels are discussed further in Chapter 12, “Organizational Controls.” Their documentation would include directions on handling and storing the following types of data:

• Unclassified
• Sensitive
• Confidential
• Secret
• Top secret

Documentation for data should include how to classify, handle, store, and destroy it. The important point to remember here is to document your security objectives. Then, change and adjust that documentation when and as needed (with emphasis on when and as needed). There may be a reason to make new classifications as business goals change, but make sure this gets into your documentation. This is an ongoing, ever-changing process.

Log files, physical records, security evaluations, and other operational documentation should be managed within an organization’s retention and disposal policies. These should include specifications for access authorization, term of retention, and requirements for disposal. Depending on the relative level of data sensitivity, retention and disposal requirements may become extensive and detailed.

Laws may also affect the retention and storage of data, log files, and audit logs. For example, in the United States, changes to the Federal Rules of Civil Procedure (FRCP) have implications for data retention policies. The FRCP governs the conduct and procedure of all civil actions in federal district courts. Organizations may face issues relating to the discovery, preservation, and production of “electronically stored information.” For example, if an organization is sued by a former employee for wrongful termination, the department may be compelled during the discovery phase of the suit to produce all documents related to that individual’s work performance. This used to mean the personnel records and copies of any written correspondence (memos, letters, and so on) concerning the performance of that employee. Over the past several years, there has been some level of debate over what a “document” is, given that most records now reside in electronic format. The FRCP changes establish that electronic data is now clearly subject to discovery. It goes further to say that all data is subject to discovery regardless of storage format or location: email, instant messaging, PDAs, laptops, voice mail, and so on all fall under this.

The organization should have a legal hold policy in place, have an understanding of statutory and regulatory document retention requirements, understand the varying statutes of limitations, have a policy, and have a records-retention and destruction schedule.

Group Policies

To set auditing on a file or folder, use Group Policy to enable auditing and then use security settings in Windows Explorer to specify which files to audit and which type of file access events to audit. When you audit a file or folder, an entry is written to the Event Viewer security log whenever the file or folder is accessed in a certain way. You specify which files and folders to audit, whose actions to audit, and which types of actions are audited.


In Group Policy, the settings that will actually be applied to an object will be a combination of all the settings that can affect the object. All the settings that do not conflict will, in effect, “snowball,” and therefore settings might be applied to an object from many different policies. Settings that conflict will be applied in order of precedence. If you need a refresher on how Group Policy is applied, refer to the resources at the end of the chapter.

This being the case, you need a tool that will enable you to quickly determine which settings will apply to a user, a group of users, a computer, or a group of computers. You can use the Resultant Set of Policy (RSoP) tool to determine the effective settings on the computer that you are working from or any other computer in a Windows Server 2003 Active Directory domain. You cannot use RSoP for any computers other than the one from which you are currently working if you are not on a Windows Server 2003 domain. This means that the domain must contain at least one domain controller running Windows Server 2003. The RSoP tool has two main modes: Planning mode and Logging mode.

If you want to be able to script Group Policy object (GPO) troubleshooting of multiple computers, you might want to use the gpresult command-line tool. You can use gpresult to perform almost all the actions that are available in RSoP Logging Mode, with one exception. You cannot determine policy precedence information with the gpresult tool. The gpresult command is simple to use and provides many additional switches for specific functionality. You can determine significant information about group policies by just entering gpresult on a command line.


Exam Prep Questions

1. You are having problems with your email server. No one seems to be receiving any mail. You’re not exactly sure where the problem lies. You go to a workstation, open a DOS prompt, and enter which of the following commands?

   ❍ A. Netstat
   ❍ B. Tracert
   ❍ C. Ipconfig
   ❍ D. Nslookup

2. You suspect that there are problems with your DNS server. No one seems to be able to contact intranet hosts using DNS names. However, the intranet can be contacted by IP address. You’re not exactly sure where the problem lies. You go to a workstation, open a DOS prompt, and enter which of the following commands?

   ❍ A. Netstat
   ❍ B. Tracert
   ❍ C. Ipconfig
   ❍ D. Nslookup

3. Why is it important to audit both failed events and successful events?

   ❍ A. It’s not. You only need to audit failed events.
   ❍ B. Because they will reveal unauthorized access attempts.
   ❍ C. Because you can’t just audit one. Both have to be activated.
   ❍ D. It’s not. You only need to audit successful events.

4. In which of the following models would you require a centralized database of user accounts? (Choose the two best answers.)

   ❍ A. User-based
   ❍ B. Group-based
   ❍ C. Role-based
   ❍ D. Risk-based


5. What is the name given to the activity that involves collecting information that will later be used for monitoring and review purposes?

   ❍ A. Logging
   ❍ B. Auditing
   ❍ C. Inspecting
   ❍ D. Vetting

6. You are the network administrator responsible for overseeing the help desk. An employee calls to report that she cannot view the security events in event viewer. Which of the following is a reason why the security events cannot be viewed? (Choose the two best answers.)

   ❍ A. This is available for view only to administrators.
   ❍ B. Auditing must be enabled.
   ❍ C. The user already cleared the events.
   ❍ D. The log is set to overwrite events daily.

7. To monitor the health of all systems, agents are installed on the machines, and then the agents are monitored from a central location. This is an implementation of which of the following?

   ❍ A. Event Viewer
   ❍ B. SMTP
   ❍ C. SNMP
   ❍ D. Task Manager

8. Which of the following are advantages of behavior-based monitoring? (Choose all correct answers.)

   ❍ A. Can identify malware before it’s added to signature files
   ❍ B. Tendency to trigger false alarms
   ❍ C. Can monitor for malware activities
   ❍ D. Can learn about malware based on previous detection


9. Anomaly-based monitoring is useful for detecting which types of attacks? (Choose all correct answers.)

   ❍ A. Protocol and port exploitation
   ❍ B. New exploits or buffer overflow attacks
   ❍ C. Normal network failures
   ❍ D. DoS attacks based on payloads or volume

10. Which of the following are performance parameters that should be monitored? (Choose all correct answers.)

   ❍ A. RAM
   ❍ B. CPU
   ❍ C. Applications
   ❍ D. Logical disks

Answers to Exam Prep Questions

1. B. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Netstat displays all the ports on which the computer is listening; therefore, answer A is incorrect. Answer C is incorrect because Ipconfig is used to display the TCP/IP settings on a Windows machine. Answer D is also incorrect because Nslookup is a command-line utility used to troubleshoot a domain name system (DNS) database.

2. D. Nslookup is a command-line utility used to troubleshoot a DNS database. Netstat displays all the ports on which the computer is listening; therefore, answer A is incorrect. Answer B is incorrect. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Answer C is incorrect because Ipconfig is used to display the TCP/IP settings on a Windows machine.

3. B. It is equally important to audit both failed and successful events because both may reveal unauthorized access or an unexpected escalation of access rights. Answers A and D are incorrect because it is important to audit both types of events. Answer C is incorrect because you can audit either successful or failed events if you choose.

4. B, C. Both group-based and role-based access control models require a centralized database of user accounts and groups or roles through which permissions may be inherited. Answer A is incorrect because a user-based access control scenario is used within a peer-to-peer network. Answer D is not a valid model and is therefore incorrect.


5. A. Logging is the process of collecting data to be used for monitoring and reviewing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer B is incorrect. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer C is incorrect. Vetting is the process of thorough examination or evaluation; therefore, answer D is incorrect.

6. A, B. The security log records security events and is available for view only by administrators. For security events to be monitored, auditing must be enabled. Answer C is incorrect because this cannot be done by the user. Answer D is also incorrect because if this were the case, there would be some events available for view.

7. C. Simple Network Management Protocol (SNMP) is an application layer protocol whose purpose is to collect statistics from TCP/IP devices by installing agents on the machines, and then the agents are monitored from a central location. Answer A is incorrect because Event Viewer monitors individual systems. Answer B is incorrect because SMTP is a mail protocol. Answer D is also incorrect because Task Manager monitors individual systems.

8. A, C, and D. Behavior-based monitoring advantages include: It can identify malware before it’s added to signature files, monitor for malware activities, and learn about malware based on previous detection. Answer B is incorrect because it is a disadvantage.

9. A, B, C, and D. Anomaly-based monitoring is useful for detecting these types of attacks: protocol and port exploitation, new exploits or buffer overflow attacks, DoS attacks based on payloads or volume, normal network failures, and variants of existing attacks in new environments.

10. A, B, and D. Performance parameters that should be monitored include the following: Random access memory (RAM)—Microsoft operating systems are memory intensive; therefore, it is important to monitor the memory. Also sometimes applications have memory leaks that affect performance. Logical and physical disks—Monitor for excessive disk usage. Keep in mind that if memory is insufficient, excessive disk usage will occur as the system swaps memory into and out of disk. CPU—Track the utilization rate to help determine which programs or processes have excessive time usage. Answer C is incorrect because applications are not performance parameters. However, they do affect the performance of the other three parameters: CPU, memory, and logical disk.


Additional Reading and Resources

1. Anonymous. Maximum Security, Fourth Edition. Que, 2002.
2. Bragg, Roberta. CISSP Training Guide. Que, 2003.
3. Cole, Eric. Hackers Beware. Pearson Education, 2001.
4. Tenable Network Security. NIST Audit Policies for Nessus 3: http://blog.tenablesecurity.com/2007/04/nist_audit_poli.html
5. Wilson, Mark (ed.), Dorothea E. de Zafra, Sadie I. Pitcher, John D. Tressler, and John B. Ippolito. How to Use NIST SP 800-16 “Information Technology Security Training Requirements”: http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
6. Microsoft Technet. Auditing Security Events Best Practices: http://technet2.microsoft.com/WindowsServer/en/library/5658fae8-985f-48ccb1bf-bd47dc2109161033.mspx?mfr=true
7. Windows Server Group Policy: http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx


PART V

Cryptography

Chapter 9 Cryptography Basics
Chapter 10 Deploying Cryptography


CHAPTER NINE

Cryptography Basics

Terms you need to understand:

✓ Cryptography
✓ Algorithm
✓ Key management
✓ Steganography
✓ Symmetric key
✓ Asymmetric key
✓ Confidentiality
✓ Integrity
✓ Availability
✓ Digital signatures
✓ Hashing
✓ Private key
✓ Public key
✓ Whole disk encryption
✓ Trusted platform module (TPM)
✓ One-time pad (OTP)

Techniques you need to master:

✓ Identifying key terms and understanding general cryptography concepts
✓ Identifying and understanding encryption algorithms and how they can be used to help improve security
✓ Identifying and understanding hashing algorithms and how they can be used to help improve security
✓ Understanding the concepts of using cryptography in a secure environment


A cryptosystem or cipher system provides a method for protecting information by disguising (encrypting) it into a format that can be read only by authorized systems or individuals. The use and creation of such systems is called cryptography, which is often considered to be both an art and a science. Cryptography dates back to the ancient Assyrians and Egyptians. In the beginning, the systems of cryptography were manually performed, but during the twentieth century, machine and mechanical cryptography was born. The cryptography that is the focus of this chapter and the exam is modern cryptography, which began with the advent of the computer. Recently, modern cryptography has become increasingly important and ubiquitous. There has been increasing concern about the security of data, which continues to rapidly grow across information systems and traverse and reside in many different locations. This combined with more sophisticated attacks and a growing economy around computer-related fraud and data theft makes the need to protect the data itself even more important than in the past. One practical way to secure this data is to use cryptography in the form of encryption algorithms applied to data that is passed around networks and to data at rest.

NOTE As related to cryptography, an algorithm is the mathematical procedure or sequence of steps taken to perform the encryption and decryption. Practically speaking, however, an algorithm can be thought of as a cooking recipe, which provides the ingredients needed and step-by-step instructions.

This chapter discusses the concepts of cryptography and many popular encryption methods and their applications. In addition to being able to explain these fundamental cryptography concepts, you will begin to understand how cryptography can be used as a tool to protect and authenticate all types of information and to protect the computers and networks in information security systems.

Encryption Algorithms

Encryption takes plain text data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher), which can be converted back to the easily readable plain text only by those in possession of the appropriate keys (or password, for example).


There are two fundamental types of encryption algorithms: symmetric key and asymmetric key. As you might have guessed, symmetric key cryptography systems use symmetric key algorithms. These systems use the same key to encrypt and decrypt a message. Asymmetric key cryptography systems use asymmetric key algorithms, which rely on a different, but mathematically related key pair.

NOTE Discussions about cryptography use the term key, which is analogous to the traditional metal object used with a physical locking device. A cryptography key describes a string of bits used to encrypt and decrypt data. These keys can also be thought of as a password or table.

This section describes symmetric keys, asymmetric keys, and the importance of key management.

Symmetric Keys

Symmetric key cryptography is an encryption system that uses a common shared key between the sender and receiver. The primary advantage to such a system is it is easier to implement than an asymmetric system and is typically fast. However, the two parties must first somehow exchange the key securely. Assume, for example, you have a friend located thousands of miles away from you, and to exchange secured messages you send messages back and forth in a secured lockbox; you both have a copy of the key to the lockbox. Although this works, how did you securely deliver the key to your friend? Somehow the key must have been communicated or delivered to your friend, which introduces additional challenges around logistics and ensuring that the key was not compromised in the process. We address this issue later when we discuss asymmetric keys in the following section.

Now imagine a system in which more than two parties are involved. In this scenario, every party participating in communications must have the exact same key on the other end to compare the information. If the key is compromised at any point, it is impossible to guarantee that a secure connection has commenced.

NOTE Symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms.


Even given the possible risks involved with symmetric key encryption, the method is used often today mainly because of its simplicity and easy deployment. In addition, it is generally considered a strong encryption method as long as the source and destination that house the key information are kept secure.

EXAM ALERT A symmetric key is a single cryptographic key used with a secret key (symmetric) algorithm. The symmetric key algorithm uses the same private key for both operations of encryption and decryption.

Asymmetric Keys

The asymmetric encryption algorithm has two keys: a public one and a private one. The public key is made available to whoever is going to encrypt the data sent to the holder of the private key. The private key is maintained on the host system or application. Often, the public encryption key is made available in a number of fashions, such as email or centralized servers that host a pseudo address book of published public encryption keys. One of the challenges, however, is ensuring authenticity of the public key. To address this, a public key infrastructure (PKI) is often used. A PKI uses trusted third parties that certify or provide proof of key ownership. PKI is discussed in greater detail in Chapter 10, “Cryptography Deployment.” Figure 9.1 illustrates the asymmetric encryption process.

FIGURE 9.1 An example of asymmetric encryption. (Diagram: plaintext is encrypted with the public key into ciphertext, which is decrypted with the private key back into plaintext.)

NOTE Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm.


As an example of asymmetric encryption, we’ll use the secure exchange of an email. When someone wants to send a secure email to another, he or she obtains the target user’s public encryption key and encrypts the message using this key. Because the message can be unencrypted only with the private key, just the target user can read the information held within. Ideally, for this system to work well, everyone should have access to everyone else’s public keys. Imagine a postal mailbox that allows the letter carrier to insert your mail via an open slot, but only you have the key to get the mail out. This is analogous to an asymmetric system in which the open slot is the public key. If you are concerned about the security of your mail, this is much easier than ensuring every letter carrier has a copy of your mailbox key! The letter carrier is also thankful he or she isn’t required to carry hundreds of different keys to complete mail-delivery duties.

NOTE Some general rules for asymmetric algorithms include the following:

• The public key can never decrypt a message that it was used to encrypt.
• Private keys should never be able to be determined through the public key (if it is designed properly).
• Each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it.

Public key encryption has proven useful on networks such as the Internet. This is primarily because the public key is all that needs to be distributed. Because nothing harmful can be done with the public key, it is useful over unsecured networks where data can pass through many hands and is vulnerable to interception and abuse. Symmetric encryption works fine over the Internet, too, but the limitations on providing the key securely to everyone that requires it can be difficult. In addition, asymmetric key systems are also used to verify digital signatures, which provide assurance that communications have not been altered and that the communication arrived from an authorized source.

EXAM ALERT In an asymmetric key system, each user has a pair of keys: a private key and a public key. Sending an encrypted message requires you to encrypt the message with the recipient’s public key, which in turn gets decrypted by the recipient with his or her private key.
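The key-pair rules and the encrypt-with-public, decrypt-with-private exchange described above, worked through in an added example (not from the book). It uses textbook RSA with two small fixed primes and no padding, which makes the relationship between the keys visible but is not usable for protecting data; the primes, function names, and message are assumptions of the example.

```python
from math import gcd

# Two known Mersenne primes, chosen for this example. They are far too
# small for real use: a modulus this size can be factored, so the rule that
# the private key cannot be derived from the public key only holds at real
# key sizes.
P = 2**31 - 1
Q = 2**61 - 1


def make_keypair(p=P, q=Q, e=65537):
    """Return ((e, n), (d, n)): the public key and the matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1)(q - 1)")
    d = pow(e, -1, phi)  # private exponent: e * d = 1 (mod phi)
    return (e, n), (d, n)


def apply_key(key, value):
    """The single RSA operation, value ** exponent mod n, used for both keys."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def to_int(data):
    return int.from_bytes(data, "big")


def to_bytes(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def walk_through(plaintext=b"meet at 9"):
    """Apply the keys in each direction and report what comes back."""
    public, private = make_keypair()
    message = to_int(plaintext)

    # Sender encrypts with the recipient's public key.
    ciphertext = apply_key(public, message)

    return {
        # Only the private key recovers the message.
        "private_decrypts": to_bytes(apply_key(private, ciphertext)),
        # Applying the public key a second time does not undo the encryption.
        "public_fails_on_own_ciphertext": apply_key(public, ciphertext) != message,
        # The other direction: transformed with the private key, recovered
        # with the public key. This is the basis of digital signatures.
        "public_recovers_private": to_bytes(
            apply_key(public, apply_key(private, message))
        ),
    }


if __name__ == "__main__":
    for name, result in walk_through().items():
        print(f"{name}: {result}")
```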


Key Management

Even data encrypted with the most powerful encryption algorithm is still highly vulnerable if proper management of the keys is not addressed. Analogous to a door lock, keys provide the mechanism necessary to perform the lock and unlock. And just like your house door, even the best dead-bolt is no match for the burglar who finds the key in the flowerpot, under the doormat, or worse, left in the door lock itself. Over the past several years, while encryption of sensitive data has seen an increase in use, only recently has the importance key management plays in any encryption strategy been understood. Proper management of the keys is vital to the effectiveness of cryptosystems. The management of keys is really a life cycle and involves various tasks, including registration, generation, use, storage, distribution, rotation, revocation, and destruction.

Steganography

Steganography is a word of Greek origin meaning “hidden writing.” Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Compare this to cryptography, which does not seek to hide the fact a message exists, but rather to just make it unreadable by anyone other than the intended recipients. For example, writing a letter using plain text but in invisible ink is an example of the use of steganography. The content is not scrambled in any way; it is just hidden. Another interesting example, albeit a bit cumbersome, is the historical use of writing a secret message on the scalp of one’s bald head, and then allowing the hair to grow back, ultimately to be shaved again upon arrival at the intended recipient.

EXAM ALERT Steganography is not cryptography, but the two are related and often used in conjunction with one another. Steganography seeks to hide the presence of a message, whereas the purpose of cryptography is to transform a message from its readable plain text into an unreadable form known as ciphertext.

Of course, steganography is useless if someone other than the intended recipient knows where to look. Therefore, steganography is best used when combined with encryption. This adds a layer of security: attackers cannot even attempt to crack the encryption into a readable form if they don’t know the message exists in the first place. As a result, steganography is not just the stuff of child’s play or far-fetched spy movies. In fact, steganography recently entered into mainstream media with various reports, since the terrorist attacks of 9/11, that terrorists may have used and may still be using this practice to secretly hide messages. Modern uses are various, including hiding messages in digital media and digital watermarking. In addition, steganography has been used by many printers, using tiny dots that reveal serial numbers and time stamps.

CIA Triad

For many years, information security has maintained three core principles: confidentiality, integrity, and availability (also known as the CIA triad). This section discusses each of these in detail. Later, this chapter touches upon some ideas that augment the CIA triad.

Analysis of security risk exposure first considers the likelihood of a particular threat being realized against a vulnerability. Next, you must consider how grave the impact might be on confidentiality, integrity, and availability of data and information systems.

EXAM ALERT Confidentiality is concerned with the unauthorized disclosure of sensitive information. Integrity pertains to preventing unauthorized modifications of information or systems. Availability is about maintaining continuous operations and preventing service disruptions.

Confidentiality

A key benefit that derives from encryption is the promise of confidentiality. Confidentiality describes the act of limiting disclosure of private information. In fact, the ability of encryption to provide confidentiality is important to today’s companies and to individuals in countries that restrict free speech and monitor the messages and email sent and received over the Internet.

Like any open environment where sensitive information is shared, the most important thing to most people is keeping the information secret and not letting anyone know you are sending the data. It is not unheard of to have large corporations hire people to spy on and try to capture sensitive data being transmitted on competitors’ networks to try to gain an edge.


In some countries, access to the Internet is limited by the government. In addition to restricting the information an individual can access, the government might record and monitor the information the individual posts. Encryption enables people to take some control away from the government; therefore, publicly available, strong encryption isn’t popular with these types of governments unless it’s for their own use.

Pretty Good Privacy (PGP)

In the early 1990s, the U.S. government tried to suppress the use of Pretty Good Privacy (PGP), which was gaining popularity and exposure in the media. The government tried to force the software to be taken down and made unavailable to public consumption. (PGP is the email program that uses encryption and is available to anyone who wants to download it within North America.) Part of the government’s argument against PGP was that it could not control the information people were sending. For example, criminals could use encryption and seemingly be able to hide their online activities and data from the prying eyes of the government. Eventually, the public’s right to use encryption (and PGP in particular) won out.

Integrity

Ensuring that the data you send arrives at its intended destination unmodified is one of those things you take for granted in most cases. If you have sensitive data or you need to assure the recipient that the data being delivered is actually from you, consider one of the other major benefits of encryption: integrity. Integrity is the assurance that data and information can be modified only by those authorized to do so.

Integrity can take many forms. On the one hand, integrity can be provided using encryption if you have a secure algorithm. When the data arrives at its destination, it can be decrypted. If the key has been changed or the data modified, the recipient may not be able to open or decrypt the data, depending on the encryption algorithm used.

In the case of digital signatures (which you will learn about shortly), you can also provide verification that the data is from you. If the digital signature on the data being sent cannot be unencrypted, it might have been modified. In addition, the data might not be from whom it purports to be. The recipient can either discard the data or request another copy or confirmation directly from the sender.

Like confidentiality, corporations and organizations around the world require integrity when transferring data over unsecured networks. In many cases, contractors that deal with the U.S. government (particularly with the military) have to run a minimum level of encryption before they are even allowed to do any kind of work. This restriction exists because of the sensitive nature of the information transmitted. For some contractors, a minimum level of overall security compliance relates not only to encryption but also to specific security practices. By selecting the right encryption algorithm or the right combination of algorithms and digital signature schemes, you can increase both the confidentiality and integrity of your data.

Availability

Availability refers to the accessibility of information and information systems when they are needed. Organizations increasingly rely on information systems, and so the availability of these systems becomes increasingly important. In many cases, any denial of service can contribute to significant monetary losses and perhaps even endanger lives (hospital information systems, for instance). The most sound security practices mean little if the systems aren’t available. Keep in mind that availability not only refers to ensuring acceptable uptime; it also addresses guaranteed service and system performance levels.

Nonrepudiation and Digital Signatures

Nonrepudiation is intended to provide, through encryption, a method of accountability that makes it impossible to refute the origin of data. It guarantees that the sender cannot later deny being the sender and that the recipient cannot deny receiving the data. This definition, however, does not factor in the possible compromise of the workstation or system used to create the private key and the encrypted digital signature. The following list outlines four of the key elements that nonrepudiation services provide on a typical client/server connection:

• Proof of origin—The host gets proof that the client is the originator of particular data or authentication request from a particular time and location.
• Proof of submission—The client gets proof that the data (or authentication in this case) has been sent.
• Proof of delivery—The client gets proof that the data (or authentication in this case) has been received.
• Proof of receipt—The client gets proof that the data (or authentication in this case) has been received correctly.

Earlier in this chapter, you read that digital signatures provide integrity and authentication. In addition, digital signatures provide nonrepudiation with proof of origin. Although authentication and nonrepudiation may appear to be similar, the difference is that with nonrepudiation, proof can be demonstrated to a third party.

A sender of a message signs a message using his or her private key. This provides unforgeable proof that the sender did indeed generate the message. Nonrepudiation is unique to asymmetric systems because the private (secret) key is not shared. Remember that in a symmetric system, both parties involved share the secret key, and therefore any party can deny sending a message by claiming the other party originated the message.

Digital signatures attempt to guarantee the identity of the person sending the data from one point to another. The digital signature acts as an electronic signature used to authenticate the identity of the sender and to ensure the integrity of the original content (that it hasn’t been changed).

CAUTION Do not confuse a digital signature with a digital certificate (discussed in the next chapter). In addition, do not confuse digital signatures with encryption. Although digital signatures and encryption use related concepts, their intentions and operations differ significantly. Finally, do not confuse a digital signature with the block of identification information, such as the sender’s name and telephone number or digitally created image, often appended to the end of an email.

Digital signatures can easily be transported and are designed so that they cannot be copied by anyone else. This ensures that something signed cannot be repudiated. A digital signature does not have to accompany an encrypted message. It can simply be used to assure the receiver of the sender’s identity and that the message’s integrity was maintained. The digital signature contains the digital signature of the certificate authority (CA) that issued the certificate for verification.

The point of this verification is to prevent or alert the recipient to any data tampering. Ideally, if a packet of data is digitally signed, it can only bear the original mark of the sender. If this mark differs, the receiver knows that the packet differs from what it is supposed to be, and either the packet is not unencrypted or is dropped altogether. This works based on the encryption algorithm principles discussed previously. If you cannot determine what the original data was in the encrypted data (in this case, the signature), it becomes much harder to fake the data and actually get it past the receiver as legitimate data.

For example, suppose you need to digitally sign a document sent to your stockbroker. You need to ensure the integrity of the message and assure the stockbroker that the message is really from you. The exchange looks like this:

1. You type the email.
2. Using software built in to your email client, you obtain a hash (which you can think of as a digital fingerprint) of the message.
3. You use your private key to encrypt the hash. This encrypted hash is your digital signature for the message.
4. You send the message to your stockbroker.
5. Your stockbroker receives the message. Using his software, he makes a hash of the received message.
6. The stockbroker uses your public key to decrypt the message hash.
7. A match of the hashes proves that the message is valid.
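The seven steps above can be traced in code. The following is an added example, not taken from the book: it uses textbook RSA without padding and SHA-256 as the hash, and the key pairs are constructed from Mersenne primes purely so the arithmetic is reproducible (all function names are hypothetical; production signing uses a vetted library with a padding scheme).

```python
import hashlib


def make_demo_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (constructed demo values)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, needs Python 3.8+
    return (n, e), (n, d)               # (public key, private key)


def message_hash(message: bytes) -> int:
    """Steps 2 and 5: the 'digital fingerprint' of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 3: transform the hash with the private key; the result is the signature."""
    n, d = private_key
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 5-7: recover the signed hash with the public key and compare."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_hash(message)


# Constructed keys. Mersenne primes are easy to write down and unsafe to use.
SENDER_PUBLIC, SENDER_PRIVATE = make_demo_keypair(2**521 - 1, 2**127 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_demo_keypair(2**607 - 1, 2**89 - 1)


def demo():
    """Run the exchange and three ways it should fail at the receiver."""
    order = b"Sell 100 shares of EXAMPLE at market"   # constructed message
    signature = sign(order, SENDER_PRIVATE)
    return {
        # The stockbroker holds only SENDER_PUBLIC, never the private key.
        "genuine": verify(order, signature, SENDER_PUBLIC),
        "altered_message": verify(order.replace(b"100", b"900"),
                                  signature, SENDER_PUBLIC),
        "altered_signature": verify(order, signature ^ 1, SENDER_PUBLIC),
        "signed_by_someone_else": verify(order, sign(order, OTHER_PRIVATE),
                                         SENDER_PUBLIC),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24} accepted={accepted}")
```

Because verification needs only the public key, any third party can repeat the check, which is what separates nonrepudiation from authentication with a shared secret.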

Whole Disk Encryption

Often called full disk encryption (FDE), whole disk encryption has gained popularity in recent years to help mitigate the risks associated with lost or stolen laptops and accompanying disclosure laws. Whole disk encryption can either be hardware- or software-based, and unlike file- or folder-level encryption, whole disk encryption is meant to encrypt the entire contents of the drive (even temporary files and memory). Unlike selective file encryption, which might require the end user to take responsibility for encrypting files, encrypting the contents of the entire drive takes the onus off individual users. It is not unusual for end users to sacrifice security for convenience, especially when they do not fully understand the associated risks.

Nevertheless, along with the benefits of whole disk encryption come certain tradeoffs. For example, key management becomes increasingly important; loss of the decryption keys could render the data unrecoverable. In addition, although whole disk encryption might make it easier for an organization to deal with a stolen or otherwise lost laptop, the fact that the entire disk is encrypted could present management challenges, including not being able to effectively control who has unauthorized access to sensitive data.


To effectively use whole disk encryption products, you should also use a preboot authentication mechanism. That is, the user attempting to log on must provide authentication before the actual operating system boots. Thus, the encryption key is decrypted only after another key is input into this preboot environment. Most vendors typically offer different options, such as the following:

• Username and password (typically the least secure)
• Smart card or smart card–enabled USB token along with a PIN (which provides two-factor functionality and can often be the same token or smart card currently used for access elsewhere)
• A Trusted Platform Module to store the decryption key (discussed more in the next section)

Trusted Platform Module

The Trusted Computing Group is responsible for the Trusted Platform Module (TPM) specification. TPM refers to a secure cryptoprocessor used to authenticate hardware devices such as a PC or laptop. At the most basic level, TPM provides for the secure storage of keys, passwords, and digital certificates, and is hardware-based, typically attached to the circuit board of the system. In addition, TPM can be used to ensure that a system is authenticated and to ensure that the system has not been altered or breached.

TPM is composed of various components. You should be familiar with some key TPM concepts, including the following:

• Endorsement key (EK)—A 2048-bit asymmetric key pair created at the time of manufacturing and which cannot be changed.
• Storage root key (SRK)—A 2048-bit asymmetric key pair generated within a TPM and used to provide encrypted storage.
• Sealed storage—Protects information by binding it to the system, which means the information can be read only by the same system in a particular described state.
• Attestation—Vouching for the accuracy of the system.

The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. Therefore, it has many possible applications, such as network access control (NAC), secure remote access, secure transmission of data, whole disk encryption, software license enforcement, digital rights management (DRM), and credential protection. Interestingly, part of what makes TPM effective is that the TPM module is given a unique ID and master key that even the owner of the system neither controls nor has knowledge of. On the other hand, critics of TPM argue that this security architecture puts too much control into the hands of those who design the related systems and software. So, concerns arise about several issues, including DRM, loss of end-user control, loss of anonymity, and interoperability.

Hashing Concepts

A hash is a generated summary from a mathematical rule or algorithm and is used commonly as a “digital fingerprint” to verify the integrity of files and messages and to provide authentication verification. In other words, hashing algorithms are not encryption methods but offer additional system security via a “signature” for data confirming the original content. Hash functions work by taking a string (for example, a password or email) of any length and producing a fixed-length string for output. Keep in mind that hashing is one way. Although you can create a hash from a document, you cannot recreate the document from the hash.

If this all sounds confusing, the following example should help clear things up. Suppose you want to send an email to a friend, and you also want to ensure that during transit it cannot be read or altered. You would first use software that generates a hash value of the message to accompany the email, and then encrypt both the hash and the message. After receiving the email, the recipient’s software decrypts the message and the hash and then produces another hash from the received email. The two hashes are then compared, and a match indicates that the message was not tampered with. (Any change in the original message produces a change in the hash.)

A Message Authentication Code (MAC) is similar to a hash function, but is able to resist forgery and is not open to man-in-the-middle attacks. A MAC can be thought of as an encrypted hash—combining an encryption key and a hashing algorithm. The MAC is a small piece of data known as an authentication tag, which is derived by applying a message or file combined with a secret key to a cryptographic algorithm. The resulting MAC value can ensure the integrity of the data as well as its authenticity, as one in possession of the secret key can subsequently detect whether there are any changes from the original.

EXAM ALERT A message authentication code (MAC) is a bit of a misnomer. Remember that in addition to providing authentication services, as the name suggests, a MAC also provides for data integrity.
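The difference between a bare hash and a MAC shows up when the check value travels unencrypted next to the message. The following is an added example, not taken from the book, using HMAC-SHA-256 from Python's standard library as the MAC; the shared key, the message and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed 32-byte shared secret known only to sender and receiver.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def plain_hash(message: bytes) -> bytes:
    """Unkeyed fingerprint: anyone who has the message can compute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed authentication tag: computing it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_checks_hash(message: bytes, received_hash: bytes) -> bool:
    return hmac.compare_digest(plain_hash(message), received_hash)


def receiver_checks_mac(key: bytes, message: bytes, received_tag: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag.
    return hmac.compare_digest(mac_tag(key, message), received_tag)


def altered_in_transit(message: bytes):
    """Model a change made on the path by a party who lacks the key:
    the message is edited and the unkeyed hash is simply recomputed."""
    changed = message.replace(b"100", b"900")
    return changed, plain_hash(changed)


def demo():
    original = b"Transfer 100 units to account 42"   # constructed message
    changed, recomputed_hash = altered_in_transit(original)
    original_tag = mac_tag(SHARED_KEY, original)
    return {
        # Bare hash: the alteration goes unnoticed because the hash was redone.
        "hash_genuine": receiver_checks_hash(original, plain_hash(original)),
        "hash_after_alteration": receiver_checks_hash(changed, recomputed_hash),
        # MAC: without the key there is no valid tag for the changed message.
        "mac_genuine": receiver_checks_mac(SHARED_KEY, original, original_tag),
        "mac_old_tag_on_changed": receiver_checks_mac(SHARED_KEY, changed,
                                                      original_tag),
        "mac_hash_used_as_tag": receiver_checks_mac(SHARED_KEY, changed,
                                                    recomputed_hash),
        "mac_wrong_key": receiver_checks_mac(b"\x00" * 32, original,
                                             original_tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:26} accepted={accepted}")
```

The only case in which a modified message is accepted is the unkeyed one, which is why the page's email example encrypts the hash together with the message.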


Cryptographic Hash Functions

Numerous hash functions exist, and many published algorithms are known to be unsecure; however, you should be familiar with the following two common hash algorithms:

• Secure Hash Algorithm (SHA, SHA-1)—Hash algorithms pioneered by the National Security Agency and widely used in the U.S. government. SHA-1 can generate a 160-bit hash from any variable-length string of data, making it very secure, but also resource-intensive. Recently, a contest was announced to design a hash function (SHA-3) to replace the aging SHA-1.
• Message Digest Series Algorithm (MD2, MD4, MD5)—A series of encryption algorithms created by Ronald Rivest (founder of RSA Data Security, Inc.) designed to be fast, simple, and secure. The MD series generates a hash of up to 128-bit strength out of any length of data.

Both SHA and the MD series are similar in design; however, keep in mind that because of the higher bit strength of the SHA-1 algorithm, it will be in the range of 20% to 30% slower to process than the MD family of algorithms.

EXAM ALERT Hashing within security systems is used to ensure the integrity of transmitted messages (that is, to be certain they have not been altered) and for password verification. Be able to identify both the SHA and MD series as hashing algorithms.

The Message Digest Algorithm has been refined over the years (and hence the version numbers). The most commonly used is MD5, which is faster than the others. Both MD4 and MD5 produce a 128-bit hash; however, the hash used in MD4 has been successfully broken. This security breach spurred the development of MD5, which features a redeveloped cipher that makes it stronger than the MD4 algorithm while still featuring a 128-bit hash. Although MD5 is the more common hashing algorithm, SHA-1 is quickly being embraced by those outside of the U.S. government.

Windows Authentication Hashing Algorithms

In addition to the hashing algorithms just mentioned, you also should be aware of the LAN Manager hash (LM hash or LANMan hash) and the NT LAN Manager hash (NTLM hash, also called the Unicode hash).

LM hash is based on DES encryption (discussed in the next section), but it is not considered effective (and is technically not truly a hashing algorithm) because of design implementation weaknesses. (It’s quite easy to crack an LM hash using your average computer system and one of the many cracking tools available.) The two primary weaknesses of LM hash are as follows:

• All passwords longer than seven characters are broken down into two chunks, from which each piece is hashed separately.
• Before the password is hashed, all lowercase characters are converted to uppercase characters.

As a result, the scope of the character set is greatly reduced, and each half of the password can be cracked separately. As a result of weaknesses within the LM hash, Microsoft later introduced the NTLM hashing method in early versions of Windows NT. However, the LM hash algorithm was still commonly used by Microsoft operating systems before Windows Vista.

TIP Although the latest versions of Windows since NT 3.1 use the NTLM hash, Windows still makes use of the LM hash for compatibility with earlier systems (Windows Me and earlier operating systems). It is recommended that this be disabled if it is not required. Although Windows Vista still includes support, it is disabled by default.

The NTLM hash is an improvement over the LM hash. NTLM hashing makes use of the MD4 hashing algorithm and is used on more recent versions of the Windows operating system.
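To see how much the two LM weaknesses listed above cost, the following added example (not taken from the book) reproduces only the preprocessing step and measures the resulting search space; it does not compute the DES-based hash itself. Assumptions not stated on the page: LM input is limited to 14 characters and padded with NUL bytes, passwords are restricted to ASCII here, and the alphabet is the 95 printable ASCII characters.

```python
import math
import string

LM_MAX_CHARS = 14   # assumption, not on the page: LM covers at most 14 characters
HALF = 7            # the seven-character chunk size the page describes

# 95 printable ASCII characters a user could type (assumed alphabet).
TYPED_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
# What is left once every lowercase letter is folded to uppercase.
LM_ALPHABET = {c.upper() for c in TYPED_ALPHABET}


def lm_halves(password: str):
    """Return the two 7-byte chunks LM would process separately.

    Returns None for passwords longer than 14 characters, for which no
    usable LM value exists (assumption about LM, not stated on the page).
    """
    if not password.isascii():
        raise ValueError("this sketch handles ASCII passwords only")
    if len(password) > LM_MAX_CHARS:
        return None
    padded = password.upper().encode("ascii").ljust(LM_MAX_CHARS, b"\x00")
    return padded[:HALF], padded[HALF:]


def search_bits(alphabet_size: int, length: int, chunks: int = 1) -> float:
    """log2 of the candidates to try when `chunks` pieces are searched in turn."""
    return math.log2(chunks * alphabet_size ** length)


def audit(password: str) -> dict:
    """Summarise what LM preprocessing does to one password."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_applicable": False}
    return {
        "lm_applicable": True,
        "halves": halves,
        # An all-NUL second half tells an observer the password has <= 7 chars.
        "second_half_empty": halves[1] == b"\x00" * HALF,
        "intended_bits": round(search_bits(len(TYPED_ALPHABET), LM_MAX_CHARS), 1),
        "effective_bits": round(search_bits(len(LM_ALPHABET), HALF, chunks=2), 1),
    }


if __name__ == "__main__":
    for sample in ("Password1234", "password1234", "short", "a" * 15):  # constructed
        print(repr(sample), audit(sample))
```

A 14-character password that looks like a 92-bit search problem shrinks to under 44 bits once it is uppercased and split, which is the reason for the recommendation below to disable LM hash storage wherever it is not required.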

Symmetric Encryption Algorithms

Earlier in this chapter, you were introduced to the concept of symmetric key encryption, in which a common shared key or identical key is used between the sender and the receiver. Symmetric algorithms can be classified as either block ciphers or stream ciphers. A stream cipher, as the name implies, encrypts the message bit by bit, one at a time. A block cipher encrypts the message in chunks.

Myriad symmetric key algorithms are in use today. The more commonly used algorithms include the following:

• Data Encryption Standard (DES)—DES was adopted for use by the National Institute of Standards and Technology (NIST) in 1977. DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Although it is considered a strong algorithm, it is limited in use because of its relatively short key-length limit.
• Triple Data Encryption Standard (3DES)—3DES, also known as Triple-DES, dramatically improves upon the DES by using the DES algorithm three times with three distinct keys. This provides total bit strength of 168 bits. 3DES superseded DES in the late 1990s.
• Advanced Encryption Standard (AES)—Also called Rijndael, NIST chose this block cipher to be the successor to DES. AES is similar to DES in that it can create keys from 128 bits to 256 bits in length and can perform the encryption and decryption of up to 128-bit chunks of data (in comparison to the 64-bit chunks of the original DES). Similar to 3DES, the data is passed through three layers, each with a specific task, such as generating random keys based on the data and the bit strength being used. The data is then encrypted with the keys through multiple encryption rounds, like DES, and then the final key is applied to the data.
• Blowfish Encryption Algorithm—Blowfish is a block cipher that can encrypt using any size chunk of data; in addition, Blowfish can also perform encryption with any length encryption key up to 448 bits, making it a flexible and secure symmetric encryption algorithm.
• International Data Encryption Algorithm (IDEA)—Originally created around 1990, IDEA went through several variations before arriving at its final acronym. Originally called the Proposed Encryption Standard (PES), it was later renamed and refined to the Improved Proposed Encryption Standard (IPES). After even more refinement, it was ultimately named IDEA in 1992. In its final form, IDEA is capable of encrypting 64-bit blocks of data at a time and uses a 128-bit-strength encryption key. The use of IDEA has been limited primarily because of software patents on the algorithm, which many believe hinder development, research, and education.
• Rivest Cipher (RC2, RC4, RC5, RC6)—As far as widely available commercial applications go, the Rivest Cipher (RC) encryption algorithms are the most commonly implemented ciphers for encryption security. The RC series (RC2, RC4, RC5, and RC6) are all similarly designed, yet each version has its own take on cipher design, as well as its own capabilities. RC2, RC5, and RC6 are block ciphers, whereas RC4 is a stream cipher.

Table 9.1 compares the algorithms just mentioned (and some lesser-known ones). In addition, notice the differences between the various types of RC algorithms.


TABLE 9.1  A Comparison of Symmetric Key Algorithms

Algorithm            Cipher Type    Key Length
DES                  Block          56 bits
Triple-DES (3DES)    Block          168 bits
AES (Rijndael)       Block          128–256 bits
Blowfish             Block          1–448 bits
IDEA                 Block          128 bits
RC2                  Block          1–2048 bits
RC4                  Stream         1–2048 bits
RC5                  Block          128–256 bits
RC6                  Block          128–256 bits
CAST                 Block          128–256 bits
MARS                 Block          128–256 bits
Serpent              Block          128–256 bits
Twofish              Block          128–256 bits

EXAM ALERT Be sure you understand the differences between various symmetric key algorithms. Note that these are symmetric, and not asymmetric, and be sure to differentiate between stream ciphers and block ciphers.

An Unbreakable Algorithm?

Throughout history, the common theme among “unbreakable” algorithms is that through practice or theory, they are all breakable. However, one type of cipher has perhaps earned the distinction of being completely unbreakable: one-time pad (OTP). Unfortunately, the OTP currently has the tradeoff of requiring a key as long as the message, thus creating significant storage and transmission costs. Within an OTP, there are as many bits in the key as in the plain text to be encrypted, and this key is to be random and, as the name suggests, used only once, with no portion of the key ever being reused. Without the key, an attacker cannot crack the ciphertext, even via a brute-force attack in search of the entire key space.
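Both claims in this sidebar, that brute force cannot help and that no portion of the key may be reused, can be checked directly. The following is an added example, not taken from the book: a one-time pad built on XOR, with a hypothetical PadBook class that hands out key bytes once and refuses to repeat them; the messages are constructed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """Random key material that is handed out once and never again."""

    def __init__(self, size: int):
        self._pad = secrets.token_bytes(size)   # as many key bytes as plain text
        self._used = 0

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def take(self, n: int) -> bytes:
        """Return the next n unused key bytes and mark them as consumed."""
        if n > self.remaining():
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


decrypt = encrypt   # XOR with the same pad undoes itself


def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """For ANY same-length candidate there is a pad that 'decrypts' to it,
    so trying every key yields every possible message and identifies none."""
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad protected both messages, the pad cancels out:
    c1 XOR c2 == p1 XOR p2, with no key needed."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m1, m2 = b"MEET AT NOON", b"MEET AT DUSK"          # constructed messages
    book = PadBook(len(m1) + len(m2))
    k1 = book.take(len(m1))
    c1 = encrypt(m1, k1)
    print("round trip ok:        ", decrypt(c1, k1) == m1)
    print("other message fits too:", decrypt(c1, pad_that_explains(c1, m2)) == m2)
    # Deliberate misuse, bypassing PadBook, to show what reuse gives away.
    leaked = reuse_leak(encrypt(m1, k1), encrypt(m2, k1))
    print("reuse leaks p1^p2:    ", leaked == xor_bytes(m1, m2))
```

The zero bytes in the leaked XOR mark every position where the two messages agree, which is already information about the plain text obtained without touching the key.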


Asymmetric Encryption Algorithms

Various asymmetric algorithms have been designed, but few have gained the widespread acceptance of symmetric algorithms. While reading this section about the asymmetric algorithms, keep in mind that some have unique features, including built-in digital signatures (which you will learn more about later). Also because of the additional overhead generated by using two keys for encryption/decryption, asymmetric algorithms require much more resources than symmetric algorithms.

Some systems incorporate a mixed approach, using both asymmetric and symmetric encryption to take advantage of the benefits that each provides. For example, asymmetric algorithms are used at the beginning of a process to securely distribute symmetric keys. From that point on, after the private keys have been securely exchanged, they can be used for encryption and decryption (thus solving the issue of key distribution). PGP is an example of such a system. PGP was originally designed to provide for the encryption/decryption of email and for digitally signing emails. PGP and other similar hybrid encryption systems such as the GNU Privacy Guard (GnuPG or GPG) program follow the OpenPGP format and use a combination of public key and private key encryption.

Popular asymmetric encryption algorithms include the following:

• Rivest, Shamir, and Adleman encryption algorithm (RSA)—RSA, named after the three men who developed it, is a well-known cryptography system used for encryption and digital signatures. In fact, the RSA algorithm is considered by many the standard for encryption and the core technology that secures most business conducted on the Internet. The RSA key length may be of any length, and the algorithm works by multiplying two large prime numbers. In addition, through other operations in the algorithm, it derives a set of numbers: one for the public key and the other for the private key.
• Diffie-Hellman key exchange—The Diffie-Hellman key exchange (also called exponential key agreement) is an early key exchange design whereby two parties, without prior arrangement, can agree upon a secret key that is known only to them. The keys are passed in a way that they are not compromised, using encryption algorithms to verify that the data is arriving at its intended recipient.
• El Gamal encryption algorithm—As an extension to the Diffie-Hellman design, in 1985 Dr. El Gamal took to task the design requirements of using encryption to develop digital signatures. Instead of focusing just on the key design, El Gamal designed a complete public key encryption algorithm using some of the key exchange elements from Diffie-Hellman and incorporating encryption on those keys. The resultant encrypted keys reinforced the security and authenticity of public key encryption design and helped lead to later advances in asymmetric encryption technology.
• Elliptic curve cryptography (ECC)—Elliptic curve techniques use a method in which elliptic curves are used to calculate simple but very difficult to break encryption keys for use in general-purpose encryption. One of the key benefits of ECC encryption algorithms is that they have a compact design because of the advanced mathematics involved in ECC. For instance, an ECC encryption key of 160-bit strength is, in actuality, equal in strength to a 1024-bit RSA encryption key.

NOTE In 2000, RSA Security Inc. (now known as RSA, The Security Division of EMC) released the RSA algorithm into the public domain. This release allows anyone to create products incorporating their own implementation of the algorithm without being subject to license and patent enforcement.

Throughout this section on different encryption algorithms, you have learned how each type of symmetric and asymmetric algorithm performs. One thing you haven’t seen yet is how bit strengths compare to each other when looking at asymmetric and symmetric algorithms in general. The following list reveals why symmetric algorithms are favored for most applications and why asymmetric algorithms are widely considered very secure but often too complex and resource-intensive for every environment:

• 64-bit symmetric key strength = 512-bit asymmetric key strength
• 112-bit symmetric key strength = 1792-bit asymmetric key strength
• 128-bit symmetric key strength = 2304-bit asymmetric key strength

As you can see, a dramatic difference exists in the strength and consequently the overall size of asymmetric encryption keys. For most environments today, 128-bit strength is considered adequate; therefore, symmetric encryption may often suffice. If you want to simplify how you distribute keys, however, asymmetric encryption may be the better choice.


Wireless

In recent years, there has been a proliferation of wireless local area networks (WLANs), based on the standards defined in IEEE 802.11. One of the earlier algorithms used to secure 802.11 wireless networks is Wired Equivalent Privacy (WEP), which uses the RC4 cipher for confidentiality. However, the WEP algorithm, although still widely used, is no longer considered secure and has been replaced. Temporal Key Integrity Protocol (TKIP) is the security protocol designed to replace WEP and is also known by its later iterations of Wi-Fi Protected Access (WPA) or even WPA2. Similar to WEP, TKIP uses the RC4 algorithm and does not require an upgrade to existing hardware, whereas more recent protocols such as Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which use the AES algorithm, do require an upgrade.


Exam Prep Questions

1. What type of algorithm does the MD series of encryption algorithms use?

❍ A. Asymmetric encryption algorithm
❍ B. Digital signature
❍ C. Hashing algorithm
❍ D. All of the above
❍ E. None of the above

2. In encryption, when data is broken into a single unit of varying sizes (depending on the algorithm) and the encryption is applied to those chunks of data, what type of algorithm is this?

❍ A. Symmetric encryption algorithm
❍ B. Elliptic curve
❍ C. Block cipher
❍ D. All of the above
❍ E. None of the above

3. The National Institute of Standards and Technology (NIST) put out a call to have a new algorithm replace the aging DES as the standard encryption algorithm. Which algorithm was eventually selected as the Advanced Encryption Standard?

❍ A. Rijndael
❍ B. 3DES
❍ C. RC6
❍ D. Twofish
❍ E. CAST

4. Which type of algorithm generates a key pair (a public key and a private key) that is then used to encrypt and decrypt data and messages sent and received?

❍ A. Elliptic curve
❍ B. Symmetric encryption algorithm
❍ C. Asymmetric encryption algorithm
❍ D. Paired algorithm


5. Which of the following algorithms are examples of a symmetric encryption algorithm? (Choose three answers.)

❍ A. Rijndael
❍ B. Diffie-Hellman
❍ C. RC6
❍ D. AES

6. Which of the following algorithms are examples of an asymmetric encryption algorithm? (Choose two answers.)

❍ A. Elliptic curve
❍ B. 3DES
❍ C. CAST
❍ D. RSA
❍ E. AES

7. When encrypting and decrypting an email using an asymmetric encryption algorithm, you __________.

❍ A. Use the private key to encrypt and only the public key to decrypt
❍ B. Use a secret key to perform both encrypt and decrypt operations
❍ C. Can use the public key to either encrypt or decrypt
❍ D. Use the private key to decrypt data encrypted with the public key

8. Which of the following are primary weaknesses of LM hash? (Choose two answers.)

❍ A. Passwords longer than seven characters are broken down into two chunks.
❍ B. LM hash is based on DES encryption.
❍ C. LM hash uses the MD4 hashing algorithm, which can easily be broken.
❍ D. Before being hashed, all lowercase characters in the password are converted to uppercase characters.

9. Which one of the following is true of Trusted Platform Module?

❍ A. It is hardware-based.
❍ B. It uses an AES key created at the time of manufacturing.
❍ C. It is software-based.
❍ D. Both A and B.


10. Which of the following is a type of cipher that has earned the distinction of being unbreakable?

❍ A. RSA
❍ B. OTP
❍ C. 3DES
❍ D. WPA

Answers to Exam Prep Questions

1. C. Although the Message Digest algorithms are classified globally as a symmetric key encryption algorithm, the correct answer is hashing algorithm, which is the method that the algorithm uses to encrypt data. Answer A is incorrect because this is an algorithm that uses a public and private key pair and is not associated with MD encryption. A digital signature is not an encryption algorithm, and so answer B is incorrect. Answers D and E are both incorrect choices.

2. C. When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Although many symmetric algorithms use a block cipher, answer A is incorrect because a block cipher is a more precise and accurate term for the given question. Answer B is incorrect because this describes a public key encryption algorithm. Answers D and E are both incorrect.

3. A. Rijndael was the winner of the new AES standard. Although RC6 and Twofish competed for selection, they were not chosen. 3DES and CAST did not participate; therefore, answers B, C, D, and E are incorrect.

4. C. Although many different types of algorithms use public and private keys to apply their encryption algorithms in their own various ways, algorithms that perform this way are called asymmetric encryption algorithms (or public key encryption). Answer A is incorrect because this is only a type of asymmetric encryption algorithm. Answer B is incorrect because symmetric algorithms use a single key. Answer D is not a type of algorithm, and so it is incorrect.

5. A, C, and D. Because Rijndael and AES are now one and the same, they both can be called symmetric encryption algorithms. RC6 is symmetric, too. Answer B is incorrect because Diffie-Hellman uses public and private keys, and so it is considered an asymmetric encryption algorithm.

6. A, D. In this case, both elliptic curve and RSA are types of asymmetric encryption algorithms. Although the elliptic curve algorithm is typically a type of algorithm incorporated into other algorithms, it falls into the asymmetric family of algorithms because of its use of public and private keys, just like the RSA algorithm. Answers B, C, and E are incorrect because 3DES, CAST, and AES are symmetric encryption algorithms.


7. D. Answer D provides the only valid statement to complete the sentence. Answer A is incorrect because the public key would be used to encrypt and the private key to decrypt. Answer B is incorrect because this describes symmetric encryption. Answer C is incorrect because the public key cannot decrypt the same data it encrypted.

8. A, D. The two primary weaknesses of LM hash are, first, that all passwords longer than seven characters are broken down into two chunks, each of which is hashed separately, and second, that before the password is hashed, all lowercase characters are converted to uppercase characters. Answer B is incorrect because it is the implementation that is weak, not the encryption method. Answer C is incorrect because NTLM hashing makes use of the MD4 hashing algorithm.

9. A. TPM is hardware-based and typically attached to the circuit board of a system. Answer B is incorrect because TPM uses an asymmetric RSA key pair created at the time of manufacturing. Answers C and D are both incorrect.

10. B. The one type of cipher that has earned the distinction of being completely unbreakable is the one-time pad (OTP). This assumes, however, that the key is truly random, is used only once, and is kept secret. Unfortunately, the OTP currently has the tradeoff of requiring a key as long as the message (and thus creates significant storage and transmission costs). Answers A, C, and D are all incorrect choices.

Suggested Readings and Resources

1. Tyson, Jeff. How Encryption Works: http://www.howstuffworks.com/encryption.htm
2. RSA, The Security Division of EMC: http://www.rsa.com/
3. W3C XML Encryption Working Group: http://www.w3.org/Encryption/2001/e
4. National Institute of Standards and Technology: http://www.nist.gov
5. Chokhani, S. and W. Ford. RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (http://www.ietf.org/rfc/rfc2527.txt).
6. Crypto link farm (security books, journals, bibliographies, and publications listings): http://www.cs.auckland.ac.nz/~pgut001/links/books.html
7. Krutz, Ronald L. and Russell Dean Vines. The CISSP Prep Guide: Mastering the Ten Domains of Computer Security. John Wiley & Sons, 2001.
8. Levy, Steven. Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age. Penguin Books, 2002.


CHAPTER TEN

Cryptography Deployment

Terms you need to understand:

✓ Public key infrastructure (PKI)
✓ Certificate authority (CA)
✓ X.509
✓ Public key infrastructure based on X.509 certificates (PKIX)
✓ Public Key Cryptography Standards (PKCS)
✓ Secure Sockets Layer (SSL)
✓ Transport Layer Security (TLS)
✓ Internet Security Association and Key Management Protocol (ISAKMP)
✓ Certificate Management Protocol (CMP)
✓ XML Key Management Specification (XKMS)
✓ Secure/Multipurpose Internet Mail Extensions (S/MIME)
✓ Pretty Good Privacy (PGP)
✓ Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
✓ Internet Protocol Security (IPsec)
✓ Certificate Enrollment Protocol (CEP)
✓ Wired Equivalent Privacy (WEP)
✓ Key management
✓ Certificate life cycle

Techniques you need to master:

✓ Understanding the basic security features and operational concepts involved with digital certificates
✓ Recognizing and understanding the essential standards and protocols associated with a PKI
✓ Recognizing and understanding the applications and uses associated with a PKI
✓ Understanding the concepts involved in key management and the digital certificate life cycle


In Chapter 9, “Cryptography Basics,” you learned the basic concepts of public and private keys. A public key infrastructure (PKI) makes use of both types of keys and provides the foundation for binding keys to an identity via a certificate authority (CA), thus providing the system for the secure exchange of data over a network through the use of an asymmetric key system. This system for the most part consists of digital certificates and the CAs that issue the certificates. These certificates identify individuals, systems, and organizations that have been verified as authentic and trustworthy.

Recall that symmetric key cryptography requires a key to be shared. For example, suppose the password to get into the clubhouse is “open sesame.” At some point in time, this key or password needs to be communicated to other participating parties before it can be implemented. PKI provides confidentiality, integrity, and authentication by overcoming this challenge. With PKI, it is not necessary to exchange the password, key, or secret information in advance. This is useful where involved parties have no prior contact or where it is neither feasible nor secure to exchange a secure key.

PKI is widely used to provide the secure infrastructure for applications and networks, including access control, resources from Web browsers, secure email, and much more. PKI protects information by providing the following:

. Identity authentication
. Integrity verification
. Privacy assurance
. Access authorization
. Transaction authorization
. Nonrepudiation support

EXAM ALERT A public key infrastructure is a vast collection of varying technologies and policies for the creation and use of digital certificates. PKI encompasses certificate authorities, digital certificates, and tools and systems used to bring it all together.


PKI Standards

PKI is composed of several standards and protocols. These standards and protocols are necessary to allow for interoperability among security products offered by different vendors. Keep in mind, for instance, that digital certificates may be issued by different trusted authorities; therefore, a common language or protocol must exist.

Next, we look at some specific PKI standards. Standards that rely on a PKI that provide services, such as secure remote access and secure email, are discussed later in this chapter. Figure 10.1 illustrates this relationship between standards that apply to PKI at the foundation to the standards that rely on PKI and finally to the applications supported by those standards.

FIGURE 10.1 Standards that define PKI up to the applications supported by standards that may rely on PKI. (Diagram labels: Email, Online Banking, Groupware, Online Shopping, VPN; S/MIME, SSL, TLS, IPsec, PPTP; PKIX, PKCS, X.509.)

PKIX

The PKIX Working Group of the Internet Engineering Task Force (IETF) is developing Internet standards for PKI based on X.509 certificates with the following focus:

. Profiles of X.509 version 3 public key certificates and X.509 version 2 certificate revocation lists (CRLs)
. PKI management protocols
. Operational protocols
. Certificate policies and certificate practice statements (CPSs)
. Time-stamping, data-certification, and validation services


Public Key Cryptography Standards

Whereas PKIX describes the development of Internet standards for X.509-based PKI, the Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and published by RSA Laboratories, now part of RSA, The Security Division of EMC. PKCS provides a basic and widely accepted framework for the development of PKI solutions. There were recently 15 documents in the PKCS specification library; however, 2 of the documents have been incorporated into another. These documents are as follows:

. PKCS #1 RSA Cryptography Standard provides recommendations for the implementation of public key cryptography based on the RSA algorithm.
. PKCS #2 no longer exists and has been integrated into PKCS #1.
. PKCS #3 Diffie-Hellman Key Agreement Standard describes a method for using the Diffie-Hellman key agreement.
. PKCS #4 no longer exists and has been integrated into PKCS #1.
. PKCS #5 Password-Based Cryptography Standard provides recommendations for encrypting a data string, such as a private key, with a secret key that has been derived from a password.
. PKCS #6 Extended-Certificate Syntax Standard provides a method for certifying additional information about a given entity beyond just the public key by describing the syntax of a certificate’s attributes.
. PKCS #7 Cryptographic Message Syntax Standard describes the syntax for data streams such as digital signatures that may have cryptography applied to them.
. PKCS #8 Private-Key Information Syntax Standard describes syntax for private key information. This includes the private key of a public key cryptographic algorithm.
. PKCS #9 Selected Attribute Types defines certain attribute types of use in PKCS #6, PKCS #7, PKCS #9, and PKCS #10.
. PKCS #10 Certification Request Syntax Standard describes the syntax for a certification request to include a distinguished name, a public key, and an optional set of attributes.
. PKCS #11 Cryptographic Token Interface Standard defines an application programming interface (API) named Cryptoki for devices holding cryptographic information.


. PKCS #12 Personal Information Exchange Syntax Standard specifies a format for storing and transporting a user’s private key, digital certificate, and attribute information.
. PKCS #13 Elliptic Curve Cryptography Standard addresses elliptic curve cryptography as related to PKI. As of this writing, PKCS #13 is still under development.
. PKCS #14 Pseudo Random Number Generation addresses pseudo random number generation (PRNG), which produces a sequence of bits that has a random-looking distribution. As of this writing, PKCS #14 is still under development.
. PKCS #15 Cryptographic Token Information Format Standard establishes a standard for the format of cryptographic information on cryptographic tokens.

Each of the preceding standards documents may be revised and amended periodically, as changes in cryptography occur, and they are always accessible from RSA’s Website (http://www.rsa.com/rsalabs/). In addition, some have started to move within the control of standards organizations (for example, IETF).

X.509

It was stated earlier that PKIX is an IETF working group established to create standards for X.509 PKI. X.509 is an International Telecommunications Union (ITU) recommendation and is implemented as a de facto standard. X.509 defines a framework for authentication services by a directory.

NOTE X.509 was first published as part of the ITU’s X.500 directory service standard. X.500 is similar to a telephone book in that it is a database of names. This directory may include people, computers, and printers, for example. Although X.500 has not become an accepted standard, like its slimmer cousin, Lightweight Directory Access Protocol (LDAP), X.509 has become the Internet’s PKI standard for digital certificates.

The X.509 standard additionally defines the format of required data for digital certificates. The preceding chapter briefly introduced you to the contents of a digital certificate; however, it is worth reiterating some of these fields in more detail, which include those required to be compliant to the X.509 standard (see Figure 10.2). These include the following:


. Version—This identifies the version of the X.509 standard for which the certificate is compliant.
. Serial Number—The CA that creates the certificate is responsible for assigning a unique serial number.
. Signature Algorithm Identifier—This identifies the cryptographic algorithm used by the CA to sign the certificate.
. Issuer—This identifies the directory name of the entity signing the certificate, which is typically a CA.
. Validity Period—This identifies the time frame for which the private key is valid, if the private key has not been compromised. This period is indicated with both a start and an end time and may be of any duration, but it is often set to one year.
. Subject Name—This is the name of the entity that is identified in the public key associated with the certificate. This name uses the X.500 standard for globally unique naming and is often called the distinguished name (DN) (for example, CN=John MacNeil, OU=Sales Division, O=RSA, C=US).
. Subject Public Key Information—This includes the public key of the entity named in the certificate, as well as a cryptographic algorithm identifier and optional key parameters associated with the key.

FIGURE 10.2 Details of a digital certificate.


Currently, there are three versions of X.509. Version 1 has been around since 1988, and although it is the most generic it is also ubiquitous. Version 2, which is not widely used, introduced the idea of unique identifiers for the issuing entity and the subject. Version 3, introduced in 1996, supports an optional Extension field to provide for more informational fields, and thus an extension can be defined by an entity and included in the certificate.
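The X.509 fields listed above, shown as they sit in a certificate's DER encoding. This is an added example, not from the book: the certificate body is constructed and unsigned, the issuer name, serial number, dates and the SHA-256/RSA algorithm OIDs are assumptions chosen for illustration, and the subject reuses the DN example above. It also shows that a version 1 certificate omits the version field entirely.

```python
ATTR = {"2.5.4.3": "CN", "2.5.4.11": "OU", "2.5.4.10": "O", "2.5.4.6": "C"}
ATTR_OID = {name: oid for oid, name in ATTR.items()}
SHA256_RSA, RSA_KEY = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"

# ---- minimal DER encoder, used only to build the constructed sample ----
def tlv(tag, value):
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw  # short vs long form
    return bytes([tag]) + length + value

def enc_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])               # base-128, high bit marks "more follows"
        while arc > 0x7F:
            arc >>= 7
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
        out += chunk
    return tlv(0x06, out)

def enc_name(dn):
    rdns = b""
    for part in dn.split(", "):
        key, text = part.split("=", 1)
        rdns += tlv(0x31, tlv(0x30, enc_oid(ATTR_OID[key]) + tlv(0x13, text.encode())))
    return tlv(0x30, rdns)

def build_tbs(version=3, serial=4097, issuer="CN=Example CA, O=Example, C=US",
              subject="CN=John MacNeil, OU=Sales Division, O=RSA, C=US"):
    alg = lambda oid: tlv(0x30, enc_oid(oid) + tlv(0x05, b""))
    body = b"" if version == 1 else tlv(0xA0, enc_int(version - 1))
    body += enc_int(serial) + alg(SHA256_RSA) + enc_name(issuer)
    body += tlv(0x30, tlv(0x17, b"081030000000Z") + tlv(0x17, b"091030000000Z"))
    body += enc_name(subject) + tlv(0x30, alg(RSA_KEY) + tlv(0x03, b"\x00" + b"\xAB" * 140))
    return tlv(0x30, body)

# ---- parser: walks the fields in the order X.509 defines them ----
def read_tlv(buf, pos):
    if len(buf) - pos < 2:
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits count length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, item, pos = read_tlv(value, pos)
        out.append((tag, item))
    return out

def dec_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def dec_name(raw):
    parts = []
    for _, rdn in children(raw):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            parts.append(f"{ATTR.get(dec_oid(oid), dec_oid(oid))}={text.decode()}")
    return ", ".join(parts)

def parse_tbs(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate body must be a SEQUENCE")
    items = children(body)
    version = 1                                   # version 1 omits the field entirely
    if items[0][0] == 0xA0:                       # [0] EXPLICIT INTEGER: 1 is v2, 2 is v3
        version = int.from_bytes(children(items.pop(0)[1])[0][1], "big") + 1
    serial, sig_alg, issuer, validity, subject, spki = [v for _, v in items[:6]]
    (_, key_alg), (_, key_bits) = children(spki)
    return {
        "Version": version,
        "Serial Number": int.from_bytes(serial, "big"),
        "Signature Algorithm Identifier": dec_oid(children(sig_alg)[0][1]),
        "Issuer": dec_name(issuer),
        "Validity Period": tuple(t.decode() for _, t in children(validity)),
        "Subject Name": dec_name(subject),
        # (key algorithm OID, key payload length in bytes)
        "Subject Public Key Information": (dec_oid(children(key_alg)[0][1]), len(key_bits) - 1),
    }

if __name__ == "__main__":
    for name, value in parse_tbs(build_tbs()).items():
        print(f"{name}: {value}")
```

The key payload in the sample is filler bytes, so only its algorithm identifier and length are reported.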

PKI Components

To begin to understand the applications and deployment of PKI, you should understand the various pieces that make up a PKI, including the following:

. Certificate authority (CA)
. Registration authority (RA)
. Certificates
. Certificate policies
. Certificate practice statement (CPS)
. Revocation
. Trust model

Certificate Authorities

Certificate authorities are trusted entities and are an important concept within PKI. Aside from the third-party CAs, such as Entrust and VeriSign, an organization may establish its own CA, typically to be used only within the organization. The CA’s job is to issue certificates, to verify the holder of a digital certificate, and to ensure that holders of certificates are who they claim to be. A common analogy used is to compare a CA to a passport-issuing authority. To obtain a passport, you need the assistance of another (for example, a customs office) to verify your identity. Passports are trusted because the issuing authority is trusted.

You have learned about various components and terms that make up PKI, such as digital signatures, public key encryption, confidentiality, integrity, authentication, access control, and nonrepudiation. In the following sections, you learn more about the digital certificates and trust hierarchies involved in PKI.


Registration Authorities

Registration authorities provide authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. A user, for example, contacts an RA, which in turn verifies the user’s identity before asking the CA to go ahead with issuance of a digital certificate.

Certificates

A digital certificate is a digitally signed block of data that allows public key cryptography to be used for identification purposes. CAs issue these certificates, which are signed using the CA’s private key. Most certificates are based on the X.509 standard and contain the following information:

. Name of the CA
. CA’s digital signature
. Serial number
. Issued date
. Period of validity
. Version
. Subject or owner
. Subject or owner’s public key

NOTE Although most certificates follow the X.509 version 3 hierarchical PKI standard, the PGP key system uses its own certificate format.

The most common application of digital certificates that you have likely used involves websites. Websites that ask for personal information, especially credit card information, use digital certificates (not necessarily all do; however, they should). The traffic from your computer to the website is secured via a protocol called Secure Sockets Layer (SSL), and the Web server uses a digital certificate for the secure exchange of information. This is easily identified by a small padlock located in the bottom status bar of most browsers. By clicking this icon, you can view the digital certificate and its details.


Certificate Policies

A certificate policy indicates specific uses applied to a digital certificate and other technical details. Not all certificates are created equal. Digital certificates are issued often following different practices and procedures and are issued for different purposes. Therefore, the certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. For example, one certificate may have a policy indicating its use for electronic data interchange to conduct e-commerce, whereas another may be issued to only digitally sign documents.

You need to remember that a certificate policy identifies the purpose for which the certificate can be used, but you should also be able to identify the other types of information that can be included within a certificate policy, including the following:

. Legal issues often used to protect the CA
. Mechanisms for how users will be authenticated by the CA
. Key management requirements
. Instructions for what to do if the private key is compromised
. Lifetime of the certificate
. Certificate enrollment and renewal
. Rules regarding exporting the private key
. Private and public key minimum lengths

Certificate Practice Statements

A certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. The information within a CPS provides for the general practices followed by the CA in issuing certificates and customer-related information about certificates, responsibilities, and problem management. It is important to understand that these statements are described in the context of operating procedures and systems architecture, as opposed to certificate policies, discussed previously, which indicate the rules that apply to an issued certificate. A CPS includes the following items:

. Identification of the CA
. Types of certificates issued and applicable certificate policies


. Operating procedures for issuing, renewing, and revoking certificates
. Technical and physical security controls used by the CA

EXAM ALERT The focus of a certificate policy is on the certificate, whereas the focus of a CPS is on the CA and the way that the CA issues certificates.

Revocation

Just as digital certificates are issued, they can also be revoked. Revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate is considered no longer trustworthy. For example, if a certificate holder’s private key is compromised, the certificate is likely to be revoked. Other reasons for revocation include fraudulently obtained certificates or a change in the holder’s status, which may indicate less trustworthiness. One component of a PKI is a mechanism for distributing certificate revocation information, called certificate revocation lists (CRLs). A CRL is consulted when a digital certificate is verified, to ensure that the certificate is still valid.

NOTE A newer mechanism for identifying revoked certificates is the Online Certificate Status Protocol (OCSP). A limitation of CRLs is that they must be constantly updated; otherwise, certificates might be accepted despite the fact they were recently revoked. OCSP, however, checks certificate status in real time, instead of relying on the end user to have a current copy of the CRL.

You learn more about revocation as part of the certification life cycle later in this chapter.

Trust Models

Certificate authorities within a PKI follow several models or architectures. The simplest model consists of a single CA. In the single-CA architecture, only one CA exists to issue and maintain certificates. Although this model might benefit smaller organizations because of its administrative simplicity, it has the potential to present many problems. For example, if the CA fails, no other CA can quickly take its place. Another problem can arise if the private key of the CA becomes compromised; in this scenario, all the issued certificates from that CA would then be invalid. A new CA would have to be created, which, in turn, would need to reissue all the certificates.

A more common model, and one that reduces the risks inherent with a single CA, is the hierarchical CA model. In this model, an initial root CA exists at the top of the hierarchy, and subordinate CAs reside beneath the root. The subordinate CAs provide redundancy and load balancing should any of the other CAs fail or be taken offline.

NOTE You may hear PKI referred to as a trust hierarchy.

A root CA differs from subordinate CAs in that the root CA is usually offline. Remember, if the root CA is compromised, the entire architecture is compromised. If a subordinate CA is compromised, however, the root CA can revoke the subordinate CA.

An alternative to this hierarchical model is the cross-certification model, often referred to as a web of trust. In this model, CAs are considered peers to each other. Such a configuration, for example, may exist at a small company that started with a single CA. Then, as the company grew, it continued to implement other single-CA models and then decided that each division of the company needed to communicate with the others and ensure secure exchange of information across the company. To enable this, each of the CAs established a peer-to-peer trust relationship with the others. As you might imagine, such a configuration could become difficult to manage over time.

EXAM ALERT The root CA should be taken offline to reduce the risk of key compromise, and the root CA should be made available only to create and revoke certificates for subordinate CAs. A compromised root CA compromises the entire system.

A solution to the complexity of a large cross-certification model is to implement what is known as a bridge CA model. Remember that in the cross-certification model each CA must trust the others. By implementing bridging, however, you can have a single CA, known as the bridge CA, be the central point of trust.
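The hierarchical model and the CRL limitation from the Revocation note, worked through as an added example (not from the book): a relying party validates an end-entity, subordinate CA, root CA chain and checks each certificate against the CRL it currently holds. The names, the day-number timeline, the CRL contents and the toy textbook-RSA keys are constructed assumptions; real PKIs use padded signatures and signed CRLs.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by every toy key

def toy_keypair(p, q):
    """Textbook RSA from two known primes, no padding: a stand-in for a real signature scheme."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))      # (public modulus, private exponent)

ROOT_N, ROOT_D = toy_keypair(2**61 - 1, 2**89 - 1)    # constructed keys from Mersenne primes
SUB_N, SUB_D = toy_keypair(2**107 - 1, 2**127 - 1)

@dataclass
class Cert:
    serial: int
    subject: str
    issuer: str
    not_before: int        # day numbers on a constructed timeline
    not_after: int
    public_n: int
    is_ca: bool = False
    signature: int = 0

    def digest(self, modulus):
        tbs = "|".join(map(str, (self.serial, self.subject, self.issuer, self.not_before,
                                 self.not_after, self.public_n, self.is_ca)))
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % modulus

@dataclass
class CRL:                 # a real CRL is itself signed by its issuer; omitted here
    issuer: str
    next_update: int
    revoked: frozenset = frozenset()

def issue(cert, issuer_n, issuer_d):
    cert.signature = pow(cert.digest(issuer_n), issuer_d, issuer_n)
    return cert

def validate(chain, anchor, crls, today):
    """chain = [end entity, ..., root]; crls maps issuer name -> the CRL held locally."""
    root = chain[-1]
    if (root.subject, root.public_n) != (anchor.subject, anchor.public_n):
        return "untrusted root"
    for cert, issuer in zip(chain, chain[1:] + [root]):
        if cert.issuer != issuer.subject or not issuer.is_ca:
            return f"broken chain at {cert.subject}"
        if pow(cert.signature, E, issuer.public_n) != cert.digest(issuer.public_n):
            return f"bad signature on {cert.subject}"
        if not cert.not_before <= today <= cert.not_after:
            return f"outside validity period: {cert.subject}"
        if cert is root:
            continue       # a trust anchor is removed by the relying party, not by a CRL
        crl = crls.get(cert.issuer)
        if crl is None or today > crl.next_update:
            return f"no current CRL from {cert.issuer}"    # fail closed on stale data
        if cert.serial in crl.revoked:
            return f"revoked: {cert.subject}"
    return "valid"

def scenarios():
    root = issue(Cert(1, "Example Root CA", "Example Root CA", 0, 3650, ROOT_N, True), ROOT_N, ROOT_D)
    sub = issue(Cert(2, "Example Sub CA", "Example Root CA", 0, 1825, SUB_N, True), ROOT_N, ROOT_D)
    leaf = issue(Cert(100, "www.example.test", "Example Sub CA", 0, 365, 0xC0FFEE), SUB_N, SUB_D)
    chain = [leaf, sub, root]
    root_crl = CRL("Example Root CA", next_update=90)
    old_sub_crl = CRL("Example Sub CA", next_update=40)                          # published day 10
    new_sub_crl = CRL("Example Sub CA", next_update=50, revoked=frozenset({100}))  # published day 20
    cached = {root_crl.issuer: root_crl, old_sub_crl.issuer: old_sub_crl}
    fresh = {**cached, new_sub_crl.issuer: new_sub_crl}
    sub_revoked = {**cached, root_crl.issuer: CRL("Example Root CA", 90, frozenset({2}))}
    altered = [replace(leaf, subject="other.example.test"), sub, root]
    return {
        "before revocation": validate(chain, root, cached, today=15),
        "stale cached CRL": validate(chain, root, cached, today=30),   # revoked on day 20, still accepted
        "refreshed CRL": validate(chain, root, fresh, today=30),
        "CRL past next update": validate(chain, root, cached, today=45),
        "root revokes subordinate": validate(chain, root, sub_revoked, today=30),
        "altered after signing": validate(altered, root, fresh, today=30),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26} -> {outcome}")
```

The "stale cached CRL" case is the gap the note describes: between day 20 and day 40 the relying party's copy is still within its update window, so the revoked certificate passes until the list is refreshed.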


Key Management and the Certificate Life Cycle

We previously discussed the management structure for digital certificates and the standards and protocols available to use them. In this section, we discuss the management structure for the keys themselves. This review includes the critical elements that must be taken into account to properly protect and account for the private key material, which is the most important element of a PKI solution.

Being able to manage digital certificates and key pairs used is critical to any PKI solution. One management method involves the use of a life cycle for digital certificates and their keys. The life cycle is typically based on two documents discussed earlier: the certificate policy and the CPS. The life cycle refers to those events required to create, use, and destroy public keys and the digital certificates with which they are associated. The certificate life cycle comprises the following events:

. Key generation—A generator creates a public key pair. Although the CA may generate the key pair, the requesting entity may also generate the pair and provide the public key upon the submission of identity.
. Identity submission—The requesting entity submits its identity information to the CA.
. Registration—The CA registers the request for a certificate and ensures the accuracy of the identity submission.
. Certification—If the identity is validated, the CA creates a certificate and then digitally signs the certificate with its own digital signature.
. Distribution—The CA distributes or publishes the digital certificate.
. Usage—The entity receiving the certificate is authorized to use the certificate only for its intended use.
. Revocation and expiration—The certificate will typically expire and must be withdrawn. Alternatively, the certificate might need to be revoked for various reasons before expiration (for example, if the owner’s private key becomes compromised).
. Renewal—A certificate can be renewed if requested, as long as a new key pair is generated.
. Recovery—Recovery might become necessary if a certifying key is compromised but the certificate holder is still considered valid and trusted.


. Archiving—This involves the recording and storing of certificates and their uses.

The preceding list offers a broad view of the certificate life cycle. The following sections delve into more detail about important topics you should understand about key management and the digital certificate life cycle.

Centralized Versus Decentralized

There are alternative methods for creating and managing cryptographic keys and digital certificates. These operations may either be centralized or decentralized depending on the organization’s security policy.

Centralized key management allows the issuing authority to have complete control over the process. Although this provides for a high level of control, many do not like the idea of a centralized system having a copy of the private key. Whereas the benefit of central control may be seen as an advantage, a centralized system also has disadvantages (for instance, additional required infrastructure, a need to positively authenticate the end entity before transmitting the private key, and the need for a secure channel to transmit the private key).

Decentralized key management allows the requesting entity to generate the key pair and only submit the public key to the CA. Although the CA can still take on the role of distributing and publishing the digital certificate, it can no longer store the private key. Therefore, the entity must maintain complete control over the private key, which is considered one of the most sensitive aspects of a PKI solution. In this scenario, the CA has the additional burden of ensuring that the keys were generated properly and that all key-pair generation policies were followed.

Storage

After the key pairs are generated and a digital certificate has been issued by the CA, both keys must be stored appropriately to ensure their integrity is maintained. However, the key use must still be easy and efficient. The methods used to store the keys may be hardware- or software-based.

Hardware storage is typically associated with higher levels of security and assurance than software because hardware can have specialized components and physical encasements to protect the integrity of the data stored within. In addition to being more secure, hardware devices are more efficient because they provide dedicated resources to PKI functions. Naturally, however, hardware solutions often have a higher cost than software solutions.

Although software solutions do not have the same level of security as their hardware counterparts, the ability to easily distribute the storage solutions provides for easier administration, transportability, and lower costs.

Because the private key is so sensitive, it requires a higher level of protection than the public key. As a result, special care needs to be taken to protect private keys, especially the root key for a CA. Remember that if the private key is compromised, the public key and associated certificate are also compromised and should no longer be valid. If the CA’s root key becomes compromised, all active keys generated using the CA are compromised and should therefore be revoked and reissued. As a result of this need for increased security over the private keys, hardware solutions are often used to protect private keys.

Even a private key in the possession of an end user should be carefully guarded. At a minimum, this key is protected via a password. An additional safeguard is to provide an additional layer of security by storing the private key on a portable device such as a smart card (thus requiring both possession of the card and knowledge of the password).

Key Escrow

Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA. This scenario allows the CA or escrow agent to have access to all information encrypted using the public key from a user’s certificate and to create digital signatures on behalf of the user. Therefore, key escrow is a sensitive topic within the PKI community because harmful results may occur if the private key is misused. Because of this issue, key escrow is not a favored PKI solution.

Despite the concerns of the general public about escrow for private use, key escrow is often considered a good idea in corporate PKI environments. In most cases, an employee of an organization is bound by the information security policies of that organization (which usually mandate that the organization has a right to access all intellectual property generated by a user and to any data that an employee generates). In addition, key escrow enables an organization to overcome the large problem of forgotten passwords. Rather than revoke and reissue new keys, an organization can generate a new certificate using the private key stored in escrow.

Expiration

When digital certificates are issued, they receive an expiration date. This validity period is indicated in a specific field within the certificate. Many certificates are set to expire after one year; however, the time period may be shorter or longer depending on specific needs. Open a certificate from within your browser while visiting a secured site (in most web browsers, select the padlock icon from the browser’s status bar) and notice the “Valid to” and “Valid from” fields within the certificate (see Figure 10.3).

FIGURE 10.3 General information for a digital certificate, including validity period.

In the late 1990s, certificate expiration dates in older web browsers became an issue as the year 2000 approached. VeriSign’s root certificate, which is embedded into web browsers, had an expiration date of December 31, 1999. When the certificate expired, if the browsers weren’t updated, they were unable to correctly verify certificates issued or signed by VeriSign. As a result, many certificates are given expiration dates much further out, up to over 20 years in many cases.

Revocation

As you learned earlier in this chapter, once a certificate is no longer valid, certificate revocation occurs. There are many reasons why this may occur—for example, a private key may become compromised, the private key is lost, or the identifying credentials are no longer valid. Revoking a certificate is not enough by itself, however. The community that trusts these certificates must be notified that the certificates are no longer valid. This is accomplished via a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP).

Status Checking

Both OCSP and CRLs are used to verify the status of a certificate. Three basic status levels exist in most PKI solutions: valid, suspended, and revoked. The status of a certificate can be checked by going to the CA that issued the certificate or to an agreed-upon directory server that maintains a database indicating the status level for the set of certificates. In most cases, however, the application (such as a web browser) will have a function available that initiates a check for certificates.

Suspension

Certificate suspension occurs when a certificate is under investigation to determine whether it should be revoked. This mechanism allows a certificate to stay in place, but it is not valid for any type of use. As with revoked certificates, users and systems are notified of suspended certificates through status checking. The primary difference is that new credentials will not need to be retrieved; it is only necessary to be notified that current credentials have had a change in status and are temporarily not valid for use.
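The status logic described in the Expiration, Revocation, Status Checking, and Suspension sections, as an added Python example that is not from the book. It models a CRL as plain records and maps the RFC 5280 reason code certificateHold to the suspended status; all serial numbers, dates, names, and the extra "unknown" result for stale revocation data are assumptions made for this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    VALID = "valid"
    SUSPENDED = "suspended"          # on hold, may become valid again
    REVOKED = "revoked"              # permanent
    NOT_YET_VALID = "not yet valid"  # before the "Valid from" date
    EXPIRED = "expired"              # after the "Valid to" date
    UNKNOWN = "unknown"              # no usable revocation data


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revoked_at: datetime
    reason: str  # RFC 5280 reason name, e.g. "keyCompromise" or "certificateHold"


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: tuple = ()


def check_status(cert: Certificate, crl: Crl, now: datetime) -> Status:
    """Return the certificate's status at time `now`.

    A real client also verifies the CA's signature on the CRL before
    trusting it; that step is outside this sketch.
    """
    if now < cert.valid_from:
        return Status.NOT_YET_VALID
    if now > cert.valid_to:
        return Status.EXPIRED
    # Fail closed: a CRL from another issuer, or one past its next-update
    # time, says nothing reliable about this certificate.
    if crl.issuer != cert.issuer or not (crl.this_update <= now <= crl.next_update):
        return Status.UNKNOWN
    for entry in crl.entries:
        if entry.serial == cert.serial and entry.revoked_at <= now:
            if entry.reason == "certificateHold":
                return Status.SUSPENDED
            return Status.REVOKED
    return Status.VALID


def usable(status: Status) -> bool:
    """Only a positively valid certificate may be relied on."""
    return status is Status.VALID


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (not real certificates).
CA = "CN=Example Issuing CA"
NOW = utc(2008, 11, 1)
CERTS = {
    "web": Certificate(0x1001, CA, utc(2008, 1, 1), utc(2009, 1, 1)),
    "stolen-laptop": Certificate(0x1002, CA, utc(2008, 1, 1), utc(2009, 1, 1)),
    "under-review": Certificate(0x1003, CA, utc(2008, 1, 1), utc(2009, 1, 1)),
    "old": Certificate(0x1004, CA, utc(2007, 7, 1), utc(2008, 6, 30)),
}
CRL_OCT = Crl(CA, utc(2008, 10, 28), utc(2008, 11, 4), (
    CrlEntry(0x1002, utc(2008, 9, 15), "keyCompromise"),
    CrlEntry(0x1003, utc(2008, 10, 20), "certificateHold"),
))
# A later CRL issued after the investigation cleared 0x1003: the hold entry
# is gone, the key-compromise entry stays.
CRL_NOV = Crl(CA, utc(2008, 11, 4), utc(2008, 11, 11), (
    CrlEntry(0x1002, utc(2008, 9, 15), "keyCompromise"),
))

if __name__ == "__main__":
    for name, cert in CERTS.items():
        print(f"{name:14} {check_status(cert, CRL_OCT, NOW).value}")
    later = utc(2008, 11, 5)
    print("under-review after hold lifted:",
          check_status(CERTS["under-review"], CRL_NOV, later).value)
    print("web checked against a stale CRL:",
          check_status(CERTS["web"], CRL_OCT, later).value)
```

The suspended certificate returns to valid with the same credentials once the hold entry disappears from the next CRL, whereas the revoked one stays listed.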

Recovery

Key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Unlike in the case of a key compromise, this should be done only if the key pair becomes corrupted but is still considered valid and trusted. Although it is beneficial to back up an individual user’s key pair, it is even more important to back up the CA’s keys in a secure location for business continuity and recovery purposes.

M of N Control

M of N control as it relates to PKI refers to the concept of backing up the public and private key across multiple systems. This multiple backup provides a protective measure to ensure that no one individual can re-create his or her key pair from the backup. The backup process involves a mathematical function to distribute that data across a number of systems. A typical setup includes multiple personnel with unique job functions, and from different parts of the organization, to discourage collusion for the purpose of recovering keys without proper authority.
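One way to realize M of N control, as an added Python example that is not from the book. The text does not name the mathematical function, so this sketch assumes Shamir's secret sharing over a prime field, where any M of the N shares rebuild the backed-up key and fewer do not; the prime, the function names, and the SHA-256 fingerprint check are choices made for this example.

```python
import hashlib
import secrets

# Field modulus: the Mersenne prime 2**521 - 1, larger than any 512-bit secret.
PRIME = 2**521 - 1


def split_secret(secret: int, m: int, n: int) -> list:
    """Split `secret` into n shares; any m of them recover it."""
    if not 2 <= m <= n:
        raise ValueError("need 2 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares, m: int) -> int:
    """Lagrange-interpolate f(0) from m distinct shares."""
    points = list(dict(shares).items())[:m]
    if len(points) < m:
        raise ValueError("only %d distinct shares, %d required" % (len(points), m))
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Division in the field is multiplication by the modular inverse.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def backup_key(key: bytes, m: int, n: int):
    """Return (shares, fingerprint) for a key backup held by n custodians."""
    shares = split_secret(int.from_bytes(key, "big"), m, n)
    return shares, hashlib.sha256(key).hexdigest()


def restore_key(shares, m: int, key_len: int, fingerprint: str) -> bytes:
    """Rebuild the key; reject the result a damaged or substituted share gives."""
    value = recover_secret(shares, m)
    if value.bit_length() > key_len * 8:
        raise ValueError("recovered value too large: wrong or damaged share")
    key = value.to_bytes(key_len, "big")
    if hashlib.sha256(key).hexdigest() != fingerprint:
        raise ValueError("recovered key does not match stored fingerprint")
    return key


if __name__ == "__main__":
    ca_backup_key = secrets.token_bytes(32)        # constructed sample key
    shares, fp = backup_key(ca_backup_key, m=3, n=5)
    # Any three custodians can restore the key.
    assert restore_key([shares[0], shares[2], shares[4]], 3, 32, fp) == ca_backup_key
    # Two custodians acting together cannot.
    try:
        restore_key(shares[:2], 3, 32, fp)
    except ValueError as err:
        print("refused:", err)
```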

Renewal

As mentioned previously, every certificate is issued with an expiration date. When the certificate expires, a new certificate needs to be issued. So long as the certificate holder’s needs or identity information has not changed, the process is relatively simple. After the issuing CA validates the entity’s identity, a new certificate can be generated based on the current public key.

Destruction

Destruction of a key pair and certificate typically occurs when the materials are no longer valid. Care should be taken when destroying a key pair. If the key pair to be destroyed is used for digital signatures, the private key portion should be destroyed first to prevent future signing activities with the key. If the materials were used for privacy purposes only, however, it might be necessary to archive a copy of the private key. You might need it later to decrypt archived data that was encrypted using the key. In addition, a digital certificate associated with keys that are no longer valid should be added to the CRL regardless of whether the key is actually destroyed or archived.

Key Usage

Digital certificates and key pairs can be used for various purposes, including privacy and authentication. The security policy of the organization that is using the key or the CA will define the purposes and capabilities for the certificates issued.

To achieve privacy, a user will require the public key of the individual or entity he or she wants to communicate with securely. This public key is used to encrypt the data that is transmitted, and the corresponding private key is used on the other end to decrypt the message.

Authentication is achieved by digitally signing the message being transmitted. To digitally sign a message, the signing entity requires access to the private key.

In short, the key usage extension of the certificate specifies how the private key can be used—either to enable the exchange of sensitive information or to create digital signatures. In addition, the key usage extension can specify that an entity can use the key for both the exchange of sensitive information and for signature purposes.

Multiple Key Pairs

In some circumstances, dual or multiple key pairs might be used to support distinct and separate services. For example, an individual in a corporate environment may require one key pair just for signing, and another just for encrypting messages. Another example is the reorder associate who has one key pair to be used for signing and sending encrypted messages, and might have another restricted to ordering equipment worth no more than a specific dollar amount. Multiple key pairs require multiple certificates because the X.509 certificate format does not support multiple keys.
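The key usage extension discussed in the Key Usage and Multiple Key Pairs sections is carried in the certificate as a DER-encoded BIT STRING. The following added Python example (not from the book) decodes that value using the bit names from RFC 5280 and checks it against a separation policy for signing and encryption key pairs; the policy table, function names, and sample byte strings are constructed for illustration.

```python
# Named bits of the X.509 KeyUsage extension, in bit order (RFC 5280, 4.2.1.3).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# Hypothetical organizational policy for separated key pairs.
POLICIES = {
    "signing": {
        "allowed": {"digitalSignature", "nonRepudiation"},
        "needs_one_of": {"digitalSignature"},
    },
    "encryption": {
        "allowed": {"keyEncipherment", "dataEncipherment", "keyAgreement",
                    "encipherOnly", "decipherOnly"},
        "needs_one_of": {"keyEncipherment", "keyAgreement"},
    },
}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in the keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("bad length")
    unused, content = der[2], der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("bad unused-bit count")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    flags = set()
    for bit in range(len(content) * 8 - unused):
        if content[bit // 8] & (0x80 >> (bit % 8)):   # bit 0 is the MSB
            if bit >= len(KEY_USAGE_BITS):
                raise ValueError("undefined key usage bit %d" % bit)
            flags.add(KEY_USAGE_BITS[bit])
    return flags


def policy_violations(der: bytes, role: str) -> list:
    """List the ways a certificate's key usage breaks the policy for `role`."""
    flags = decode_key_usage(der)
    policy = POLICIES[role]
    problems = []
    extra = flags - policy["allowed"]
    if extra:
        problems.append("not permitted for role %s: %s"
                        % (role, ", ".join(sorted(extra))))
    if not flags & policy["needs_one_of"]:
        problems.append("missing one of: %s"
                        % ", ".join(sorted(policy["needs_one_of"])))
    return problems


# Constructed extension values.
SIGN_ONLY = bytes.fromhex("03020780")         # digitalSignature
ENCRYPT_ONLY = bytes.fromhex("03020520")      # keyEncipherment
SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
CA_KEY = bytes.fromhex("03020106")            # keyCertSign + cRLSign

if __name__ == "__main__":
    for label, value, role in (
        ("signing cert", SIGN_ONLY, "signing"),
        ("encryption cert", ENCRYPT_ONLY, "encryption"),
        ("dual-use cert as signing key", SIGN_AND_ENCRYPT, "signing"),
        ("CA cert as signing key", CA_KEY, "signing"),
    ):
        print(label, sorted(decode_key_usage(value)),
              policy_violations(value, role) or "ok")
```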

Protocols and Applications

Thus far, you have learned a fair amount about the standards for PKI deployment. But we still need to cover many other protocols and associated applications. For example, three common uses of PKI are secure remote access or virtual private networks (VPNs), accessing secure websites, and securing email. In this section, we explore these applications and specifically the protocols that facilitate the use of each application.

SSL and TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols for managing secure communication between a client and server over the Web. Both essentially serve the same purpose (with TLS being the successor to SSL). Both provide for client- and server-side authentication and for an encrypted connection between the two. TLS consists of two additional protocols: the TLS Record Protocol and the TLS Handshake Protocol. The Handshake Protocol allows the client and server to authenticate to one another, and the Record Protocol provides connection security. The three basic phases of SSL and TLS are as follows:

1. Peer negotiation to decide which public key algorithm and key exchange to use. Usually, the decision is based on the strongest cipher and hash function supported by both systems.
2. Key exchange and authentication occur. A digital certificate is exchanged, which includes the public encryption key, which is used to generate a session key.
3. Symmetric cipher encryption and message authentication occur. Both parties can generate keys for encryption and decryption during the session as a result of the asymmetric cryptography transaction that occurred in step 2.

SSL and TLS are best known for protecting HTTP (Hypertext Transfer Protocol) Web traffic and transactions, commonly known as Hypertext Transfer Protocol over SSL (HTTPS), which is a secure HTTP connection. HTTPS, like HTTP, is used as part of the uniform resource identifier (URI) specified in the address bar of web browsers (https://). When we use HTTPS rather than just plain HTTP, an additional layer is provided for encryption and authentication, and whereas HTTP traffic is usually over port 80, HTTPS traffic typically occurs over port 443.

EXAM ALERT

HTTPS simply combines HTTP with SSL or TLS. The default port for unencrypted HTTP traffic is port 80. The secure version, HTTPS, runs by default over port 443.

Web servers are generally ready to begin accepting HTTP traffic to serve up Web pages, but to deploy HTTPS the Web server must have a certificate signed by a CA. When a Web server will be serving content outside of the organization (that is, public-facing sites), the certificate is usually signed by a trusted third-party CA. If the site will be used internally only (that is, an intranet), however, a certificate signed by an in-house CA generally suffices.

Aside from its use with HTTP for Web servers, TLS can provide security to many other protocols. It can, for instance, tunnel a connection to form a VPN, which provides easier firewall traversal than traditional IPsec VPNs, which we discuss shortly.

Point-to-Point Tunneling Protocol

The Point-to-Point Tunneling Protocol (PPTP) is an older method used for providing secured connections over public networks or VPNs, although PPTP is still widely supported across many systems. PPTP connections can be authenticated using certificate-based technology (for example, EAP-TLS), but PPTP does not require a PKI and in fact was developed before the existence of PKI standards. PPTP has the advantage of being easier to deploy and is often a more viable option, but typically only in situations that don’t require the greater security provided by PKI environments.

Layer 2 Tunneling Protocol and IP Security

Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol often used to support the creation of VPNs. It is important to understand that L2TP typically provides support along with other protocols. For example, L2TP by itself does not provide for authentication or strong authentication. To meet these needs, L2TP is often combined with IPsec (Internet Protocol Security).

IPsec is a set of protocols widely implemented to support VPNs. It provides for the secure exchange of packets at the IP layer. Therefore, organizations have been able to leverage IPsec to exchange private information over public networks such as the Internet. IPsec can achieve this higher level of assurance for data transport through the use of multiple protocols, including Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). The AH protocol provides data integrity, authentication, and (optionally) antireplay capabilities for packets. ESP provides for confidentiality of the data being transmitted and also includes authentication capabilities. IKE provides for additional features and ease of configuration. IKE specifically provides authentication for IPsec peers and negotiates IPsec keys and security associations. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.

Combining these technologies with a PKI provides for a high level of security and access control whereby certificates can be distributed to individual systems to provide authentication.

Secure/Multipurpose Internet Mail Extensions

The global nature of email distribution and the speed of delivery make email a valuable tool. However, the speed and accessibility of the technology also carry several security considerations. Public transfer of sensitive information may potentially expose this information to undesired recipients.

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a specification that provides email privacy using encryption and authentication via digital signatures. It is a newer and more secure version of the popular Multipurpose Internet Mail Extensions (MIME). MIME extends the original Simple Mail Transfer Protocol (SMTP) to allow the inclusion of nontextual data within an email message, and S/MIME was subsequently developed to provide a secure method of transmission. S/MIME supports various encryption algorithms and is integrated into many email products (thus allowing for easy interoperability among different clients).

As mentioned earlier, PKCS describes various public key standards, and S/MIME was originally derived as a result of specifically combining MIME with the PKCS #7: Cryptographic Message Syntax. Similar to SSL/TLS, S/MIME requires the use of digital certificates signed by a CA.

Pretty Good Privacy

Chapter 9 briefly covered Pretty Good Privacy (PGP) and its history of providing for confidentiality. PGP/MIME derives from the Pretty Good Privacy application developed by Philip R. Zimmermann in 1991 and is an alternative to S/MIME. Basically, it encrypts and decrypts email messages using asymmetric encryption schemes such as RSA. Another useful feature of the PGP program is that it can include a digital signature that validates that the email has not been tampered with (thus assuring the recipient of the email’s integrity).

Secure Shell

Secure Shell (SSH) provides an authenticated and encrypted session between the client and host computers using public key cryptography. SSH provides a more secure replacement for the common command-line terminal utility Telnet. SSH uses the asymmetric RSA cryptography algorithm to provide both connection and authentication. In addition, data encryption is accomplished using one of several available symmetric encryption algorithms.

The SSH suite encapsulates three secure utilities—slogin, ssh, and scp—derived from the earlier nonsecure UNIX utilities rlogin, rsh, and rcp. Like Telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server. SSH provides an authenticated and encrypted data stream, as opposed to the clear-text communications of a Telnet session. The three utilities within the SSH suite provide the following functionalities:

• Secure Login (slogin)—A secure version of the UNIX Remote Login (rlogin) service, which allows a user to connect to a remote server and interact with the system as if directly connected.
• Secure Shell (ssh)—A secure version of the UNIX Remote Shell (rsh) environment interface protocol.
• Secure Copy (scp)—A secure version of the UNIX Remote Copy (rcp) utility, which allows for the transfer of files in a manner similar to FTP.

NOTE

Some versions of SSH, including the Secure Shell for Windows Server, include a secure version of FTP (SFTP), along with other common SSH utilities.

Exam Prep Questions

1. Which of the following are included within a digital certificate? (Select three correct answers.)
❍ A. User’s public key
❍ B. User’s private key
❍ C. Information about the user
❍ D. Digital signature of the issuing CA

2. Which of the following are associated with the secure exchange of email? (Select two correct answers.)
❍ A. S/MIME
❍ B. HTTPS
❍ C. PGP
❍ D. M of N

3. What part of the IPsec protocol provides authentication and integrity but not privacy?
❍ A. Encapsulating Security Payload
❍ B. Sans-Privacy Protocol
❍ C. Authentication Header
❍ D. Virtual private network

4. In a decentralized key management system, the user is responsible for which one of the following functions?
❍ A. Creation of the private and public key
❍ B. Creation of the digital certificate
❍ C. Creation of the CRL
❍ D. Revocation of the digital certificate

5. To check the validity of a digital certificate, which one of the following would be used?
❍ A. Corporate security policy
❍ B. Certificate policy
❍ C. Certificate revocation list
❍ D. Expired domain names

6. What is the acronym for the de facto cryptographic message standards developed by RSA Laboratories?
❍ A. PKIX
❍ B. X.509
❍ C. PKCS
❍ D. Both A and C

7. Which one of the following defines APIs for devices such as smart cards that will contain cryptographic information?
❍ A. PKCS #11
❍ B. PKCS #13
❍ C. PKCS #4
❍ D. PKCS #2

8. Which of the fields included within a digital certificate identifies the directory name of the entity signing the certificate?
❍ A. Signature Algorithm Identifier
❍ B. Issuer
❍ C. Subject Name
❍ D. Subject Public Key Information

9. Which version of X.509 supports an optional Extension field?
❍ A. Version 1
❍ B. Version 2
❍ C. Version 3
❍ D. Answers B and C

10. Which of the following protocols are used to manage secure communication between a client and a server over the Web? (Select two correct answers.)
❍ A. SSL
❍ B. ISAKMP
❍ C. PGP
❍ D. TLS

11. Which of the following are typically associated with virtual private networks (VPNs)? (Select two correct answers.)
❍ A. IPsec
❍ B. ISAKMP
❍ C. S/MIME
❍ D. PGP

12. Which of the following is not true regarding expiration dates of certificates?
❍ A. Certificates may be issued for a week.
❍ B. Certificates are issued only at yearly intervals.
❍ C. Certificates may be issued for 20 years.
❍ D. Certificates must always have an expiration date.

13. Which of the following are used to verify the status of a certificate? (Select two correct answers.)
❍ A. OCSP
❍ B. CRL
❍ C. OSPF
❍ D. ACL

14. Which one of the following best identifies the system of digital certificates and certification authorities used in public key technology?
❍ A. Certificate practice system (CPS)
❍ B. Public key exchange (PKE)
❍ C. Certificate practice statement (CPS)
❍ D. Public key infrastructure (PKI)

15. Which of the following is not a certificate trust model for the arranging of certificate authorities?
❍ A. Bridge CA architecture
❍ B. Sub-CA architecture
❍ C. Single-CA architecture
❍ D. Hierarchical CA architecture

16. When a certificate authority revokes a certificate, notice of the revocation is distributed via what?
❍ A. Certificate revocation list
❍ B. Certificate policy
❍ C. Digital signature
❍ D. Certificate practice statement

Answers to Exam Prep Questions

1. A, C, D. Information about the user, the user’s public key, and the digital signature of the issuing CA are all included within a digital certificate. A user’s private key should never be contained within the digital certificate and should remain under tight control; therefore, answer B is incorrect.

2. A, C. Both S/MIME and PGP are used for the secure transmission of email messages. HTTPS is used on the Web for HTTP over SSL; therefore, answer B is incorrect. M of N control provides assurance that no one individual acting alone can perform an entire operation; therefore, answer D is incorrect.

3. C. The Authentication Header (AH) provides authentication so that the receiver can be confident of the source of the data. It does not use encryption to scramble the data, so it cannot provide privacy. Encapsulating Security Payload (ESP) provides for confidentiality of the data being transmitted and also includes authentication capabilities; therefore, answer A is incorrect. Answer B does not exist, and so it is incorrect. A virtual private network makes use of the IPsec protocol and is used to secure communications over public networks; therefore, answer D is incorrect.

4. A. In a decentralized key system, the end user generates his or her own key pair. The other functions, such as creation of the certificate, CRL, and the revocation of the certificate, are still handled by the certificate authority; therefore, answers B, C, and D are incorrect.

5. C. A certificate revocation list (CRL) provides a detailed list of certificates that are no longer valid. A corporate security policy would not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy does not provide information on invalid issued certificates, either; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.

6. C. The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and maintained by RSA Laboratories, a division of the RSA Security Corporation. PKIX describes the development of Internet standards for X.509-based digital certificates; therefore, answers A, B, and D are incorrect.

7. A. PKCS #11, the Cryptographic Token Interface Standards, defines an API named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography Standard. Both answers C and D are incorrect because PKCS #2 and PKCS #4 no longer exist and have been integrated into PKCS #1, RSA Cryptography Standard.

8. B. The Issuer field identifies the name of the entity signing the certificate, which is usually a certificate authority. The Signature Algorithm Identifier identifies the cryptographic algorithm used by the CA to sign the certificate; therefore, answer A is incorrect. The Subject Name is the name of the end entity identified in the public key associated with the certificate; therefore, answer C is incorrect. The Subject Public Key Information field includes the public key of the entity named in the certificate, including a cryptographic algorithm identifier; therefore, answer D is incorrect.

9. C. Version 3 of X.509, which was introduced in 1996, supports an optional Extension field used to provide for more informational fields. Version 1 is the most generic and did not yet incorporate this feature; therefore, answer A is incorrect. Version 2 did introduce the idea of unique identifiers, but not the optional Extension field; therefore, answers B and D are incorrect.

10. A, D. Secure Sockets Layer is the most widely used protocol for managing secure communication between clients and servers on the Web; the Transport Layer Security protocol is similar, and it is considered the successor to SSL. Answer B is incorrect because ISAKMP is a protocol common to virtual private networks. Answer C is incorrect because Pretty Good Privacy is used for the encryption of email.

11. A, B. Both IPsec and ISAKMP are used in the creation of VPNs. IPsec provides for the secure exchange of packets at the IP layer, and ISAKMP defines a common framework for the creation, negotiation, modification, and deletion of security associations in VPNs. S/MIME and PGP are used for secure mail transfer; therefore, answers C and D are incorrect.

12. B. Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, C, and D are incorrect.

13. A, B. The Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL) are used to verify the status of digital certificates. OSPF is a routing protocol; therefore, answer C is incorrect. And an ACL is used to define access control; therefore, answer D is incorrect.

14. D. PKI represents the system of digital certificates and certificate authorities. Answers A, B, and C are incorrect. A CPS is a document created and published by a CA that provides for the general practices followed by the CA. Answers A and B are fictitious terms.

15. B. Sub-CA architecture does not represent a valid trust model. Answers A, C, and D, however, all represent legitimate trust models. Another common model also exists, called cross-certification; however, it usually makes more sense to implement a bridge architecture over this type of model.

16. A. Certificate revocation lists are used to identify revoked certificates; however, they are being replaced by the Online Certificate Status Protocol (OCSP), which provides certificate status in real time. Answers B and D are both incorrect because these terms relate to the policies and practices of certificates and the issuing authorities. Answer C is incorrect because a digital signature is an electronic signature used for identity authentication.

PART VI

Organizational Security

Chapter 11 Organizational Security
Chapter 12 Organizational Controls

CHAPTER ELEVEN

Organizational Security

Terms you need to understand:
✓ Redundancy planning
✓ Single point of failure
✓ Redundant array of independent (or inexpensive) disks (RAID)
✓ Uninterruptible power supply (UPS)
✓ Disaster recovery
✓ Backup techniques
✓ Restoration

Techniques you need to master:
✓ Knowing the common areas of concern when planning for redundant site services
✓ Understanding how to plan and conduct disaster exercises
✓ Recognizing backup techniques and restoration processes

Network security and system hardening provide the strongest possible levels of security against directed attacks, but organizational security must also be considered when planning an organization’s data security. This chapter examines the issues surrounding redundancy planning, disaster recovery, backup, and restoration policies.

Disaster Recovery and Redundancy Planning

For many organizations, downtime is not an option. Organizational security encompasses identifying the critical business needs and the resources associated with those needs. Critical business functions must be designed to continue operating in the event of hardware or other component failure. Critical systems such as servers and Internet availability will require redundant hardware.

Redundancy planning requires that you prioritize the data and systems that need to be recovered first. Then plan backup methods, data replication, and failover systems. Make sure you have redundancy for critical systems, whether it’s as simple as a redundant array of independent (or inexpensive) disks (RAID) storage system or as complex as a complete duplicate data center.

EXAM ALERT

Be familiar with redundancy descriptions indicating potential flaws. Watch for descriptions that include physical details or organizational processes.

Too many organizations realize the criticality of disaster recovery planning only after a catastrophic event (such as a hurricane, flood, or terrorist attack). However, disaster recovery is an important part of overall organization security planning, for every organization! Natural disasters and terrorist activity can bypass even the most rigorous physical security measures. Common hardware failures and even accidental deletions may require some form of recovery capability. Failure to recover from a disaster may destroy an organization. Disaster recovery involves many aspects, including the following:

• Impact and risk assessment—To plan recovery appropriately, companies must determine the scope and criticality of their services and data. In addition, an order (a priority) of recovery must be established.
• Disaster recovery plan—A disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimum delay. The document also explains how to evaluate risks, how data backup and restoration procedures work, and the training required for managers, administrators, and users. A detailed disaster recovery plan should address various processes, including backup, data security, and recovery.
• Disaster recovery policies—These policies detail responsibilities and procedures to follow during disaster recovery events, including how to contact key employees, vendors, customers, and the press. They should also include instructions for situations in which it may be necessary to bypass the normal chain of command to minimize damage or the effects of a disaster.
• Service level agreements (SLAs)—SLAs are contracts with Internet service providers (ISPs), utilities, facilities managers, and other types of suppliers that detail minimum levels of support that must be provided (including in the event of failure or disaster).

Detailed responsibilities and procedures to follow during disaster recovery events should be in place. The procedures must include contact methods. Plans must also be established in case it is necessary to bypass normal access for any reason (perhaps, for instance, to avoid potential sources of failure).

Disaster recovery and redundancy require organizations to consider how best to deal with the following issues:

• Power in the event of a complete loss of city power
• Alternative locations for business operations
• Telecommunications restoration
• Internet connectivity to continue business operations
• Equipment that will be put in place for operations to continue
• Replacement software
• Data restoration
• The contact method for employees and clients
• The order in which the recovery process should proceed
• Physical security at current and alternative sites
• The estimated time to complete the steps in the disaster recovery plan and get the business back to normal


After a “disaster” or other failure situation has been evaluated, and the damage assessed, the company can begin the recovery process. A hard copy of the plan must be available (and key elements of that plan should be removable, such as a vendors list or team member phone numbers). After all, a disaster recovery plan does not do you any good if it is locked in someone’s desk drawer and that desk is in a building that has been evacuated.

Beyond backup and restoration of data, disaster recovery planning must include a detailed analysis of underlying business practices and support requirements. This is called business continuity planning. Business continuity planning is a more comprehensive approach to provide guidance so that the organization can continue making sales and collecting revenue. As with disaster recovery planning, it covers natural and man-made disasters. Business continuity planning should identify required services, such as network access and utility agreements, and arrange for automatic failover of critical services to redundant offsite systems. Business continuity planning may address the following:

• Network connectivity—In the event that a disaster is widespread or targeted at an ISP or key routing hardware point, an organization’s continuity plan should include options for alternative network access, including dedicated administrative connections that may be required for recovery.
• Facilities—Continuity planning should include considerations for recovery in the event that existing hardware and facilities are rendered inaccessible or unrecoverable. Hardware configuration details, network requirements, and utilities agreements for alternative sites (that is, warm and cold sites) should be included in this planning consideration.
• Clustering—To provide load balancing to avoid functionality loss because of directed attacks meant to prevent valid access, continuity planning may include clustering solutions that allow multiple nodes to perform support while transparently acting as a single host to the user. High-availability clustering may also be used to ensure that automatic failover will occur in the event that hardware failure renders the primary node unable to provide normal service.
• Fault tolerance—Cross-site replication may be included for high-availability solutions requiring high levels of fault tolerance. Individual servers may also be configured to allow for the continued function of key services even in the case of hardware failure. Common fault-tolerant solutions include RAID solutions, which maintain duplicated data across multiple disks so that the loss of one disk will not cause the loss of data. Many of these solutions may also support the hot-swapping of failed drives and redundant power supplies so that replacement hardware may be installed without ever taking the server offline.

A business recovery plan, business resumption plan, and contingency plan are also considered part of business continuity planning. The following sections describe several critical aspects of organizational security and disaster and business continuity planning.

Redundant Sites

In the beginning stages of the organizational security plan, the organization must decide how it will operate and how it will recover from any unfortunate incidents that affect its ability to conduct business. Redundancy planning encompasses the effects of both natural and man-made catastrophes. Often, these catastrophes result from unforeseen circumstances. Hot, warm, and cold sites can provide a means for recovery should an event render the original building unusable. These are discussed individually in the sections that follow.

Hot Site

A hot site is a location that is already running and available 7 days a week, 24 hours a day. These sites allow the company to continue normal business operations, usually within a minimal period of time after the loss of a facility. This type of site is similar to the original site in that it is equipped with all necessary hardware, software, network, and Internet connectivity fully installed, configured, and operational. Data is regularly backed up or replicated to the hot site so that it can be made fully operational in a minimal amount of time in the event of a disaster at the original site. The business can be resumed without significant delay. In the event of a catastrophe, all people need to do is drive to the site, log on, and begin working.

Hot sites are the most expensive to operate and are mostly found in businesses that operate in real time, for whom any downtime might mean financial ruin. The hot site should be located far enough from the original facility to avoid the disaster striking both facilities. A good example of this is a flood. The range of a flood depends on the category and other factors such as wind and the amount of rain that follows. A torrential flood can sink and wash away buildings and damage various other property, such as electrical facilities. If the hot site is within this range, the hot site is affected, too.


Warm Site

A warm site is a scaled-down version of a hot site. The site is generally configured with power, phone, and network jacks. The site may have computers and other resources, but they are not configured and ready to go. In a warm site, the data is replicated elsewhere for easy retrieval. However, you still have to do something to be able to access the data. This “something” might include setting up systems so that you can access the data or taking special equipment over to the warm site for data retrieval. It is assumed that the organization itself will configure the devices, install applications, and activate resources or that it will contract with a third party for these services. Because the warm site is generally office space or warehouse space, the site can serve multiple clients simultaneously. The time and cost for getting a warm site operational is somewhere between a hot and a cold site.

Cold Site

A cold site is the weakest of the recovery plan options but also the cheapest. These sites are merely a prearranged request to use facilities if needed. Electricity, bathrooms, and space are about the only facilities provided in a cold site contract. Therefore, the organization is responsible for providing and installing all the necessary equipment. If the organization chooses this type of facility, it will require additional time to secure equipment, install operating systems and applications, and contract services such as Internet connectivity. The same distance factors should be considered when planning a cold site as when planning a hot site.

Choosing a Recovery Site Solution

The type of recovery site an organization chooses will depend on the criticality of recovery and budget allocations. Hot sites are traditionally more expensive, but they can be used for operations and recovery testing before an actual catastrophic event occurs. Cold sites are less costly in the short term. However, equipment purchased after such an event may be more expensive or difficult to obtain.

As part of redundancy and recovery planning, an organization can contract annually with a company that offers redundancy services (for a monthly, or otherwise negotiated, service charge). When contracting services from a provider, the organization should carefully read the contract. Daily fees and other incidental fees might apply. In addition, in a large-scale incident, the facility could very well become overextended.


EXAM ALERT Be familiar with the various types of site descriptions. Watch for scenarios that require you to choose a hot, warm, or cold site solution.

Utilities

When planning for redundancy, keep in mind that even though the physical building may be spared destruction in a catastrophic event, it can still suffer power loss. If power is out for several days or weeks, your business itself could be in jeopardy. The most common way to overcome this problem is to supply your own power when an emergency scenario calls for it.

Backup Power Generator

Backup power refers to a power supply that runs in the event of a primary power outage. One source of backup power is a gas-powered generator. The generator can be used for rolling blackouts, emergency blackouts, or electrical problems. Most generators can be tied in to the existing electrical grid so that if power is lost, the generator starts supplying power immediately. When selecting a generator, issues to consider include the following:

• Power output—Rated in watts or kilowatts
• Fuel source—Gasoline, diesel, propane, or natural gas
• Uptime—How long the unit will run on one tank of fuel
• How unit is started—Battery or manually with a pull-cord
• Transfer switch—Automatic or manual

Determine how big a generator you need by adding up the wattages required by devices you want turned on at one time. Gasoline-run generators are the least expensive. However, they are louder and have a shorter lifespan than diesel, propane, and natural gas generators.

Uninterruptible Power Supply

Power problems will occur in various ways. One of the most obvious is when power strips are daisy-chained. Often, daisy-chained devices do not get enough power. At the other end of the spectrum, daisy chaining of devices will occasionally trip the circuit breakers or start a fire. Be aware that power issues can quickly burn out equipment. If power is not properly conditioned, it can have devastating effects on equipment. The following list describes some of the power variations that can occur:

• Noise—Also referred to as electromagnetic interference (EMI) and radio frequency interference (RFI), noise can be caused by lightning, load switching, generators, radio transmitters, and industrial equipment.
• Spikes—These are instantaneous and dramatic increases in voltage that result from lightning strikes or when electrical loads are switched on or off. They can destroy electronic circuitry and corrupt stored data.
• Surges—These are short-term increases in voltage commonly caused by large electrical load changes and from utility power-line switching.
• Brownouts—These are short-term decreases in voltage levels that most often occur when motors are started or are triggered by faults on the utility provider’s system.
• Blackouts—These are caused by faults on the utility provider’s system and result in a complete loss of power. Rolling blackouts occur when the utility company turns off the power in a specific area.

To protect your environment from such damaging fluctuations in power, always connect your sensitive electronic equipment to power conditioners, surge protectors, and a UPS (uninterruptible power supply, which provides the best protection of all). A UPS is a power supply that sits between the wall power and the computer. In the event of power failure at the wall, the UPS takes over and powers the computer so that you can take action to not lose data (such as saving your work or shutting down your servers). Three different types of devices are classified as UPSs:

• Standby power supply (SPS)—This is also referred to as an “offline” UPS. In this type of supply, power usually derives directly from the power line until power fails. After a power failure, a battery-powered inverter turns on to continue supplying power. Batteries are charged, as necessary, when line power is available.
• Hybrid or ferroresonant UPS systems—This device conditions power using a ferroresonant transformer. This transformer maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. The transformer also maintains output on its secondary briefly when a total outage occurs.
• Continuous UPS—This is also called an “online” UPS. In this type of system, the computer is always running off of battery power, and the battery is continuously being recharged. There is no switchover time, and these supplies generally provide the best isolation from power-line problems.

CAUTION Never plug a printer into a UPS. Printers use large amounts of power and will drain the battery quickly. Remember that the purpose of having a UPS is to have enough time to properly shut down equipment before damage is caused.

You cannot eliminate all risk associated with power problems just by connecting your sensitive electronic equipment to power conditioners, surge protectors, or a UPS. However, you can certainly minimize (if not entirely prevent) the damage such problems may cause.

Redundant Equipment and Connections

The main goal of preventing and effectively dealing with any type of disruption is to ensure availability. Of course, you can use RAID, UPS equipment, and clustering to accomplish this. But neglecting single points of failure can prove disastrous. A single point of failure is any piece of equipment that can bring your operation down if it stops working. To determine the number of single points of failure in the organization, start with a good map of everything the organization uses to operate. Pay special attention to items such as the Internet connection, routers, switches, and proprietary business equipment.

After identifying the single points of failure, perform a risk analysis. In other words, compare the consequences if the device fails to the cost of redundancy. For example, if all your business is web-based, it is a good idea to have some redundancy in the event the Internet connection goes down. However, if the majority of your business is telephone-based, you might look for redundancy in the phone system as opposed to the ISP. In some cases, the ISP may supply both the Internet and the phone services. The point here is to be aware of where your organization is vulnerable and understand what the risk is, so that you can devise an appropriate backup plan.

RAID

Perhaps the biggest asset an organization has is its data. The planning of every server setup should consider how to salvage the data should a component fail. The decision about how to store and protect data will be determined by how the organization uses its data. This section examines data-redundancy options.


The most common approach to data availability and redundancy is called RAID. RAID organizes multiple disks into a large, high-performance logical disk. In other words, if you have three hard drives, you can configure them to look like one large drive. Disk arrays are created to stripe data across multiple disks and access them in parallel, which allows the following:

• Higher data transfer rates on large data accesses
• Higher I/O rates on small data accesses
• Uniform load balancing across all the disks

Large disk arrays are highly vulnerable to disk failures. To solve this problem, you can use redundancy in the form of error-correcting codes to tolerate disk failures. With this method, a redundant disk array can retain data for a much longer time than an unprotected single disk. With multiple disks and a RAID scheme, a system can stay up and running when a disk fails and during the time the replacement disk is being installed and data restored. The two major goals when implementing disk arrays are data striping for better performance and redundancy for better reliability. There are many types of RAID. Some of the more common ones are as follows:

• RAID Level 0—Striped disk array without fault tolerance. RAID 0 implements a striped disk array: the data is broken into blocks, and each block is written to a separate disk drive. This requires a minimum of two disks to implement. See Figure 11.1 for an illustration.
• RAID Level 1—Mirroring and duplexing. This solution, called mirroring or duplexing, requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. The difference between mirroring and duplexing is the number of controllers. Mirroring uses one controller, whereas duplexing uses one controller for each disk. In RAID 1, disk usage is 50% as the other 50% is for redundancy. See Figure 11.2 for an illustration.
• RAID Level 2—Hamming Code Error Correcting Code (ECC). In RAID 2, each bit of a data word is written to a disk. RAID 2 requires the use of extra disks to store an error-correcting code. A typical setup requires 10 data disks and 4 ECC disks. Because all modern disk drives incorporate ECC, this offers little additional protection. No commercial implementations exist today. The controller required is complex, specialized, and expensive, and the performance is not very good.

RAID 0

Disk 1      Disk 2      Disk 3      Disk 4
Block 1     Block 2     Block 3     Block 4
Block 5     Block 6     Block 7     Block 8
Block 9     Block 10    Block 11    Block 12
Block 13    Block 14    Block 15    Block 16

FIGURE 11.1 RAID Level 0.

RAID 1

Disk 1      Disk 2
Block 1     Block 1
Block 2     Block 2
Block 3     Block 3
Block 4     Block 4

FIGURE 11.2 RAID Level 1.

• RAID Level 3—Parallel transfer with parity. In RAID 3, the data block is striped and written on the data disks. This requires a minimum of three drives to implement. In a parallel transfer with parity, data is interleaved bit-wise over the data disks, and a single parity disk is added to tolerate any single disk failure.
• RAID Level 4—Independent data disks with shared parity disk. Entire blocks are written onto a data disk. RAID 4 requires a minimum of three drives to implement. RAID 4 is similar to RAID 3 except that data is interleaved across disks of arbitrary size rather than in bits.
• RAID Level 5—Independent data disks with distributed parity blocks. In RAID 5, each entire block of the data and the parity is striped. RAID 5 requires a minimum of three disks. Because it writes both the data and the parity over all the disks, it has the best small read, large write performance of any redundancy disk array. See Figure 11.3 for an illustration.

Disk 1          Disk 2          Disk 3          Disk 4
Block 1         Block 2         Block 3         Parity 1-3
Block 4         Block 5         Parity 4-6      Block 6
Block 7         Parity 7-9      Block 8         Block 9
Parity 10-12    Block 10        Block 11        Block 12

FIGURE 11.3 RAID Level 5.

• RAID Level 6—Independent data disks with two independent parity schemes. This is an extension of RAID 5 and allows for additional fault tolerance by using two-dimensional parity. This method uses Reed-Solomon codes to protect against up to two disk failures using the bare minimum of two redundant disk arrays.
• RAID Level 10—High reliability combined with high performance. RAID 10 requires a minimum of four disks to implement. This solution is a striped array that has RAID 1 arrays. Disks are mirrored in pairs for redundancy and improved performance, and then data is striped across multiple disks for maximum performance.


EXAM ALERT Know the different levels of RAID and the number of disks required to implement each one.

There are several additional levels of RAID: 7, 50, 53, and 0+1. RAID 7 is a proprietary solution that is a registered trademark of Storage Computer Corporation. This RAID has a fully implemented, process-oriented, real-time operating system residing on an embedded array controller microprocessor. RAID 50 is more fault tolerant than RAID 5 but has twice the parity overhead and requires a minimum of six drives to implement. RAID 53 is an implementation of a striped array that has RAID 3 segment arrays. This takes a minimum of five drives, three for RAID 3 and two for striping. RAID 0+1 is a mirrored array that has RAID 0 segments. RAID 0+1 requires a minimum of four drives, two for striping and two to mirror the first striped set.

When choosing a method of redundancy, choose a level of RAID that is supported by the operating system. Not all operating systems support all versions of RAID. For example, Microsoft Windows servers support RAID levels 0, 1, and 5.

In addition to hardware RAID, software RAID can be used. Software RAID can be used when the expense of additional drives is not included in the budget or if the organization is using older servers. Software RAID can provide more flexibility, but it requires more CPU cycles and power to run. Software RAID operates on a partition-by-partition basis and tends to be slightly more complicated to run.

Another point to remember is that even though you set up the server for redundancy, you must still back up your data. RAID does not protect you from multiple disk failures. Regular tape backups allow you to recover from data loss that results from errors unrelated to disk failure (such as human, hardware, and software errors). We discuss the different types and methods of backups later in this chapter in the section “Backup Techniques and Practices.”
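The rotating parity layout of Figure 11.3 and the warning that RAID does not protect against multiple disk failures can be reproduced in a short simulation. This is an added example, not code from the book: it assumes XOR parity (the usual RAID 5 scheme, which the text does not name), and the block contents and all function names are constructed for illustration.

```python
"""RAID 5 striping with rotating XOR parity, and single-disk rebuild.

Constructed illustration: block contents and all names are made up, and XOR
parity is an assumption (the chapter does not name the parity function).
"""
from functools import reduce


class ArrayLost(Exception):
    """More disks have failed than single parity can tolerate."""


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk(stripe, n_disks):
    """Parity rotates as in Figure 11.3: last disk first, then one disk left."""
    return (n_disks - 1 - stripe) % n_disks


def build_array(data_blocks, n_disks):
    """Return disks[d][s]: the block held by disk d in stripe s."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires a minimum of three disks")
    per_stripe = n_disks - 1
    if len(data_blocks) % per_stripe:
        raise ValueError("data must fill whole stripes in this sketch")
    disks = [[] for _ in range(n_disks)]
    for stripe in range(len(data_blocks) // per_stripe):
        chunk = data_blocks[stripe * per_stripe:(stripe + 1) * per_stripe]
        data = iter(chunk)
        p = parity_disk(stripe, n_disks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunk) if d == p else next(data))
    return disks


def rebuild(disks, failed):
    """Recompute the failed disk from the survivors, stripe by stripe."""
    failed = set(failed)
    if len(failed) > 1:
        raise ArrayLost(f"disks {sorted(failed)} failed; single parity covers one")
    if not failed:
        return list(disks)
    (lost,) = failed
    survivors = [d for i, d in enumerate(disks) if i != lost]
    stripes = len(survivors[0])
    repaired = list(disks)
    # XOR of every block in a stripe is zero, so XOR of the survivors
    # equals the missing block, whether it held data or parity.
    repaired[lost] = [xor_blocks([d[s] for d in survivors]) for s in range(stripes)]
    return repaired


def read_data(disks):
    """Reassemble the data blocks in order, skipping each stripe's parity."""
    n = len(disks)
    out = []
    for s in range(len(disks[0])):
        p = parity_disk(s, n)
        out.extend(disks[d][s] for d in range(n) if d != p)
    return out


def demo():
    """Twelve constructed 4-byte blocks on four disks, as in Figure 11.3."""
    data = [f"B{i:02d}_".encode() for i in range(1, 13)]
    disks = build_array(data, 4)
    damaged = list(disks)
    damaged[1] = None  # Disk 2 fails and its contents are gone
    recovered = read_data(rebuild(damaged, {1})) == data
    try:
        rebuild(damaged, {1, 2})  # a second disk fails before the rebuild
        second_failure_survived = True
    except ArrayLost:
        second_failure_survived = False
    return recovered, second_failure_survived


if __name__ == "__main__":
    print(demo())
```

The second failure leaves two unknowns per stripe and only one parity equation, which is why the array is lost and the backups described later in the chapter are still required.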

Servers

It might be necessary to set up redundant servers so that the business can still function in the event of hardware or software failure. If a single server hosts vital applications, a simple equipment failure might result in days of downtime as the problem is repaired. To ensure availability and reliability, server redundancy is implemented. This means multiple servers are used to perform the same task. For example, if you have a web-based business with more than one server hosting your site, when one of the servers crashes, the requests can be redirected to another server. This provides a highly available website.

CAUTION If you do not host your own website, confirm whether the vendor you are using provides high availability and reliability.

In today’s world, mission-critical businesses demand 100% uptime 24 hours a day 7 days a week. Availability is vital, and many businesses would not be able to function without redundancy. Redundancy can take several forms, such as automatic failover, failback, and virtualization. The most notable advantage of server redundancy, perhaps, is load balancing. In load balancing, the system load is spread over all available servers. This proves especially useful when traffic volume is high. It prevents one server from being overloaded while another sits idle. Another way to increase availability is server clustering. A server cluster is the combination of two or more servers so that they appear as one. This clustering increases availability by ensuring that if a server is out of commission because of failure or planned downtime, another server in the cluster takes over the workload. In addition, some manufacturers provide redundant power supplies in mission-critical servers.

ISPs

Along with power and equipment loss, telephone and Internet communications may be out of service for a while when a disaster strikes. Organizations must consider this factor when formulating a disaster recovery plan. Relying on a single Internet connection for critical business functions could prove disastrous to your business. With a redundant ISP, a backup ISP could be standing by in the event of an outage at the main ISP. Should this happen, traffic is switched over to the redundant ISP. The organization can continue to do business without any interruptions.

Although using multiple ISPs is mostly considered for disaster recovery purposes, it can also relieve network traffic congestion and provide network isolation for applications. As organizations become global, dealing with natural disasters will become more common. Solutions such as wireless ISPs used in conjunction with VoIP to quickly restore phone and data services are being looked at more closely. Organizations may look to ISP redundancy to prevent application performance failure and supplier diversity. For example, businesses that transfer large files can use multiple ISPs to segregate voice and file transfer traffic to a specific ISP. More and more organizations are implementing technologies such as VoIP. When planning deployment, explore using different ISPs for better network traffic performance, for disaster recovery, and to ensure a quality level of service.

Connections

In disaster recovery planning, you might need to consider redundant connections between branches or sites. Internally, for total redundancy, you might need two network cards in computers connected to different switches or hubs. With redundant connections, all devices are connected to each other more than once, to create fault tolerance. A single device or cable failure will not affect the performance because the devices are connected by more than one means. This setup is more expensive because it requires more hardware and cabling. This type of topology can also be found in enterprisewide networks, with routers being connected to other routers for fault tolerance.

Service Level Agreements

In the event of a disaster, an organization might also need to restore equipment (in addition to data). One of the best ways to ensure the availability of replacement parts is through service level agreements (SLAs). These are signed contracts between the organization and the vendors with which they commonly deal. SLAs are covered in greater detail in the next chapter. SLAs can be for services such as access to the Internet, backups, restoration, and hardware maintenance. Should a disaster destroy your existing systems, the SLA can also help you guarantee the availability of computer parts or even entire computer systems.

CAUTION It is important to understand all equipment warranties, especially if the organization decides against SLAs for computer equipment. Often, opening a computer yourself and replacing the parts will void a warranty if the warranty has not expired. Also confirm that critical suppliers have strict disaster recovery plans. There’s no point in having your equipment in the hands of a company that is struggling to get back on its feet after a disaster or merger.


When evaluating SLAs, the expected uptime and maximum allowed downtime on a yearly basis are considered. Uptime is based on 365 days a year, 24 hours a day. Here is an example:

99.999%    53.3 minutes downtime/year
99.99%     53 minutes downtime/year
99.9%      8.7 hours downtime/year
99%        87 hours downtime/year

Backup Techniques and Practices

Fundamental to any disaster recovery plan is the need to provide for regular backups of key information, including user file and email storage, database stores, event logs, and security principal details such as user logons, passwords, and group membership assignments. Without a regular backup process, loss of data through accidents or directed attack could severely impair business processes.

TIP Any backup and recovery plan must include regular testing of the restoration process to ensure that backup media and procedures are adequate to restore lost functionality.

The backup procedures in use may also affect what is recovered following a disaster. Disaster recovery plans should identify the type and regularity of the backup process. The following sections cover the types of backups you can use and different backup schemes.

Backup Types

The different types of backups you can use are full, differential, incremental, and copy.

A full backup is a complete backup of all data and is the most time-intensive and resource-intensive form of backup, requiring the largest amount of data storage. In the event of a total loss of data, restoration from a complete backup will be faster than other methods. A full backup copies all selected files and resets the archive bit. An archive bit is a file attribute used to track incremental changes to files for the purpose of backup. The operating system sets the archive bit any time changes occur, such as when a file is created, moved, or renamed.


This method enables you to restore using just one tape. Theft poses the most risk, however, because all data is on one tape.

A differential backup includes all data that has changed since the last full backup, regardless of whether or when the last differential backup was made, because it doesn’t reset the archive bit. This form of backup is incomplete for full recovery without a valid full backup. For example, if the server dies on Thursday, two tapes are needed—the full from Friday and the differential from Wednesday. Differential backups require a variable amount of storage, depending on the regularity of normal backups and the number of changes that occur during the period between full backups. Theft of a differential tape is more risky than an incremental tape because larger chunks of sequential data may be stored on the tape the further away it is from the last full backup.

An incremental backup includes all data that has changed since the last incremental backup, and it resets the archive bit. An incremental backup is incomplete for full recovery without a valid full backup and all incremental backups since the last full backup. For example, if the server dies on Thursday, four tapes are needed—the full from Friday and the incremental tapes from Monday, Tuesday, and Wednesday. Incremental backups require the smallest amount of data storage and require the least amount of backup time, but they can take the most time during restoration. If an incremental tape is stolen, it might not be of value to the offender, but it still represents risk to the company.

A copy backup is similar to a full backup in that it copies all selected files. However, it doesn’t reset the archive bit. From a security perspective, the loss of a tape with a copy backup is the same as losing a tape with a full backup.
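The archive-bit rules and the two Thursday restore scenarios above can be checked with a small simulation. This is an added example, not code from the book: the file names, the week's change schedule, and all function names are constructed, and file deletions are not modelled.

```python
"""Archive-bit model of full, copy, differential and incremental backups.

Constructed illustration: file names, the change schedule and all function
names are made up; file deletions are not modelled.
"""

KINDS = ("full", "copy", "differential", "incremental")


class FileSystem:
    def __init__(self):
        self.files = {}  # name -> [content, archive_bit]

    def write(self, name, content):
        # The operating system sets the archive bit whenever a file changes.
        self.files[name] = [content, True]

    def snapshot(self):
        return {name: entry[0] for name, entry in self.files.items()}


def backup(fs, kind, label):
    """Write one tape. Full and copy take every file; differential and
    incremental take only files whose archive bit is set. Only full and
    incremental reset the bit."""
    if kind not in KINDS:
        raise ValueError(f"unknown backup type: {kind}")
    copies_everything = kind in ("full", "copy")
    resets_bit = kind in ("full", "incremental")
    tape = {"label": label, "kind": kind, "files": {}}
    for name, entry in fs.files.items():
        if copies_everything or entry[1]:
            tape["files"][name] = entry[0]
            if resets_bit:
                entry[1] = False
    return tape


def tapes_for_restore(tapes):
    """Smallest ordered set of tapes that rebuilds the latest backed-up state."""
    fulls = [i for i, t in enumerate(tapes) if t["kind"] == "full"]
    if not fulls:
        raise ValueError("no full backup: nothing to restore from")
    needed = [tapes[fulls[-1]]]
    latest_differential = None
    for tape in tapes[fulls[-1] + 1:]:
        if tape["kind"] == "incremental":
            # Every incremental is required; it also supersedes any earlier
            # differential, whose files still had their archive bit set.
            needed.append(tape)
            latest_differential = None
        elif tape["kind"] == "differential":
            latest_differential = tape
    if latest_differential is not None:
        needed.append(latest_differential)
    return needed


def restore(tapes):
    """Apply tapes oldest first; later copies of a file overwrite earlier ones."""
    state = {}
    for tape in tapes:
        state.update(tape["files"])
    return state


def run_week(daily_kind):
    """Friday full backup, then Monday to Wednesday backups of daily_kind."""
    fs = FileSystem()
    for name in ("payroll.db", "hr.doc", "web.log"):
        fs.write(name, "v1")
    tapes = [backup(fs, "full", "Fri-full")]
    changes = [("Mon", {"payroll.db": "v2"}),
               ("Tue", {"hr.doc": "v2"}),
               ("Wed", {"payroll.db": "v3", "contracts.xls": "v1"})]
    for day, writes in changes:
        for name, content in writes.items():
            fs.write(name, content)
        tapes.append(backup(fs, daily_kind, f"{day}-{daily_kind}"))
    return tapes, fs.snapshot()


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        tapes, live = run_week(kind)
        need = tapes_for_restore(tapes)
        print(kind, [t["label"] for t in need], restore(need) == live)
        print("  Wednesday tape holds:", sorted(tapes[-1]["files"]))
```

The Wednesday differential tape holds every file changed since Friday while the Wednesday incremental holds only that day's changes, which is the exposure difference the text describes for a stolen tape.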

Schemes

When choosing a backup strategy, a company should look at the following factors:

- How often it needs to restore files—As a matter of convenience, if files are restored regularly, a full backup may be decided on because it can be done with one tape.
- How fast the data needs to be restored—If large amounts of data are backed up, the incremental backup method may work best.
- How long the data needs to be kept before being overwritten—If used in a development arena where data is constantly changing, a differential backup method may be the best choice.


After the backups are complete, they must be clearly marked or labeled so that they can be properly safeguarded. In addition to these backup strategies, organizations employ tape rotation and retention policies. The various methods of tape rotation include the following:

- Grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. The basic method is to define three sets of backups. The first set, “son,” represents daily backups. A second set, “father,” is used to perform full backups. The final set of three tapes, “grandfather,” is used to perform full backups on the last day of each month.
- Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle. This is a recursive method where every tape is associated with a disk in the puzzle, and the disk movement to a different peg corresponds with a backup to a tape.
- Ten-tape rotation is a simpler and more cost-effective method for small businesses. It provides a data history of up to two weeks. Friday backups are full backups. Monday through Thursday backups are incremental.

All tape-rotation schemes can protect your data, but each one has different cost considerations. The Tower of Hanoi is more difficult to implement and manage but costs less than the grandfather-father-son scheme.

In some instances, it might be more beneficial to copy or image a hard drive for backup purposes. For example, in a development office, where there might be large amounts of data that changes constantly, instead of spending money on a complex backup system to back up all the developers’ data, it may be less expensive and more efficient to buy another hard drive for each developer and have him back up his data that way. If the drive is imaged, it ensures that if a machine has a hard drive failure, a swift way of getting it back up and running again is available.

Another option available for backups is offsite tape storage with trusted third parties. Vendors offer a wide range of offsite tape vaulting services. These are highly secure facilities that may include secure transportation services, chain-of-custody control for tapes in transit, and environmentally controlled storage vaults.
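The Tower of Hanoi rotation described above can be derived directly from the puzzle's recursive solution. This is an added example, not code from the book; it assumes one backup session per puzzle move, that the first tape plays the smallest disk, and the tape names A to D are constructed.

```python
from collections import Counter


def hanoi_moves(disks):
    """Yield the disk moved (1 = smallest) at each step of the optimal recursive solution."""
    if disks == 0:
        return
    yield from hanoi_moves(disks - 1)   # clear the smaller disks off the largest
    yield disks                         # move the largest disk once
    yield from hanoi_moves(disks - 1)   # stack the smaller disks back on top


def tape_schedule(tapes):
    """One backup session per puzzle move; tapes[0] plays the smallest disk."""
    return [tapes[disk - 1] for disk in hanoi_moves(len(tapes))]


def writes_per_tape(schedule):
    """How often each tape is overwritten in one pass through the puzzle."""
    return dict(Counter(schedule))


def restore_points(schedule, after_session):
    """Age, in sessions, of the newest backup held on each tape after a given session."""
    last_written = {}
    for session, tape in enumerate(schedule[:after_session], start=1):
        last_written[tape] = session    # overwriting a tape destroys its older backup
    return {tape: after_session - session for tape, session in sorted(last_written.items())}


if __name__ == "__main__":
    schedule = tape_schedule(["A", "B", "C", "D"])   # constructed tape names
    print("session order:", " ".join(schedule))
    print("writes per tape:", writes_per_tape(schedule))
    print("restore points after session 15:", restore_points(schedule, 15))
```

With four tapes the restore points after the last session are 0, 1, 3, and 7 sessions old, so history reaches back further than a simple four-tape round robin, at the price of tape A being rewritten every other session.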


System Restoration

Disaster recovery planning should include detailed system restoration procedures. This planning should explain any needed configuration details that may be required to restore access and network function. These may include items that can either be general or specific. The procedure for restoring a server after a hardware failure, for example, is as follows:

1. Upon discovery, a first responder is to notify the on-duty IT manager. If not on the premises, the manager should be paged or reached via cell phone.
2. The IT manager assesses the damage to determine whether the machine can survive on the UPS. If it can, for how long? If it cannot, what data must be protected before the machine shuts down?
3. Because all equipment is under warranty, no cases should be opened without the consent of the proper vendor.
4. The IT manager will assign a technician to contact the vendor for instructions and a date when a replacement part can be expected.
5. A determination will be made by the IT manager as to whether the organization can survive without the machine until the replacement part is received.
6. If the machine is a vital part of the business, the IT manager must then notify the head of the department affected by the situation and give an assessment of how and when it will be remedied.
7. The IT manager will then find another machine with similar hardware to replace the damaged server.
8. The damaged machine will be shut down properly, if possible, unplugged from the network, and placed in the vendor-assigned work area.
9. The replacement machine will be configured by an assigned technician to ensure it meets the specifications listed in the IT department’s server configuration manual.
10. The most recent backup will be checked out of the tape library by the IT manager. The assigned technician will then restore the data.
11. When the technician has determined that the machine is ready to be placed online, the IT manager will evaluate it to confirm it meets the procedure specifications.
12. The IT manager puts the replacement server in place. Connectivity must be verified, and then the appropriate department head can be notified that the situation has been remedied.

A restoration plan should also include contingency planning to recover systems and data even in the event of administration personnel loss or lack of availability. This plan should include procedures on what to do if a disgruntled employee changes an administrative password before leaving. Statistics show that more damage to a network comes from inside than outside. Therefore, any key root-level account passwords and critical procedures should be properly documented so that another equally trained individual can manage the restoration process.

Recovery planning documentation and backup media contain many details that an attacker can exploit when seeking access to an organization’s network or data. Therefore, planning documentation, backup scheduling, and backup media must include protections against unauthorized access or potential damage. The data should be protected by at least a password, and preferably encryption.

When the backups are complete, they must be clearly labeled so that they can be properly safeguarded. Imagine having to perform a restore for an organization that stores its backup tapes unlabeled in a plastic bin in the server room. The rotation is supposed to be on a two-week basis. When you go to get the needed tape, you discover that the tapes are not marked, nor are they in any particular order. How much time will you spend just trying to find the proper tape? Also, is it a good practice to keep backup tapes in the same room with the servers? What happens if there is a fire?

How backup media is handled is just as important as how it is marked. You certainly don’t want to store CDs in a place where they can easily be scratched or store tapes in an area that reaches 110 degrees Fahrenheit during the day.
You should ensure that you also have offsite copies of your backups where they are protected from unauthorized access as well as fire, flood, and other forms of environmental hazards that might impact the main facility. Normal backups should include all data that cannot be easily reproduced. Secure recovery services are another method of offsite storage and security that organizations may consider. In military environments, a common practice is to have removable storage media locked in a proper safe or container at the end of the day.


Exam Prep Questions

1. Which of the following levels of RAID do Windows servers support? (Choose all that apply.)

❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 2
❍ D. RAID 3
❍ E. RAID 4
❍ F. RAID 5

2. Which of the following backup strategies uses three sets of backups, such as daily, weekly, and monthly, with backup sets rotated on a daily, weekly, and monthly basis?

❍ A. Grandfather, father, son
❍ B. Tower of Hanoi
❍ C. Tower of Pisa
❍ D. Grandmother, mother, daughter

3. Which of the following is a type of site similar to the original site in that it has all the equipment fully configured, has up-to-date data, and can become operational with minimal delay?

❍ A. Cold site
❍ B. Warm site
❍ C. Hot site
❍ D. Mirror site

4. Which of the following is a type of uninterruptible power supply where power usually derives directly from the power line, until the power fails?

❍ A. Hybrid power supply
❍ B. Standby power supply
❍ C. Ferroresonant power supply
❍ D. Continuous power supply


5. A system restoration plan should include which of the following? (Select the two best answers.)

❍ A. Backup generator procedures
❍ B. Procedures for what to do if a disgruntled employee changes an administrative password before leaving
❍ C. Single points of failure risks
❍ D. Contingency planning to recover systems and data even in the event of administration personnel loss

6. Which of the following aspects of disaster recovery planning details how fast an ISP must have a new Frame Relay connection configured to an alternative site?

❍ A. Impact and risk assessment
❍ B. Disaster recovery plan
❍ C. Disaster recovery policies
❍ D. Service level agreement

7. Which type of backup requires the least amount of time to restore in the event of a total loss?

❍ A. Full
❍ B. Daily
❍ C. Differential
❍ D. Incremental

8. Which of the following statements best describes a disaster recovery plan (DRP)?

❍ A. A DRP reduces the impact of a hurricane on a facility.
❍ B. A DRP is an immediate action plan used to bring a business back on line immediately after a disaster has struck.
❍ C. A DRP attempts to manage risks associated with theft of equipment.
❍ D. A DRP plans for automatic failover of critical services to redundant offsite systems.


9. Redundancy planning includes which of the following? (Choose the two best answers.)

❍ A. RAID
❍ B. UPS placement
❍ C. Backup procedures
❍ D. Restoring data

10. Full backups are performed weekly on Sunday at 1:00 a.m., and incremental backups are done on weekdays at 1:00 a.m. If a drive failure causes a total loss of data at 8:00 a.m. on Tuesday morning, what is the minimum number of backup files that must be used to restore the lost data?

❍ A. One
❍ B. Two
❍ C. Three
❍ D. Four
❍ E. Five

Answers to Exam Prep Questions

1. A, B, F. Windows servers support striped disk arrays without fault tolerance, mirroring and duplexing, and independent data disks with distributed parity blocks. Answers C, D, and E are incorrect because some implementations of RAID are not used in Microsoft operating systems.

2. A. Grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. Originally designed for tape backup, it works well for any hierarchical backup strategy. The basic method is to define three sets of backups, such as daily, weekly, and monthly. Answer B is incorrect. The Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle, with what is essentially a recursive method. It is a “smart” way of archiving an effective number of backups and provides the ability to go back over time, but it is more complex to understand. Answer C is incorrect. The various methods of tape rotation include the grandfather, Tower of Hanoi, and 10-tape rotation schemes. Answer D is incorrect because the method does not exist.

3. C. A hot site is similar to the original site in that it has all the equipment needed for the organization to continue operations, such as hardware and furnishings. Answer A is incorrect because a cold site does not provide any equipment. Answer B is incorrect because a warm site is not similar to the original site. Answer D is incorrect because a mirror site is an exact copy of another Internet site.


4. B. In a standby power supply, power usually derives directly from the power line until power fails. After a power failure, a battery-powered inverter turns on to continue supplying power. Answer A is incorrect because a hybrid device conditions power using a ferroresonant transformer. This transformer maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. Answer C is incorrect because this device conditions power using a ferroresonant transformer. This transformer maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. Answer D is incorrect because in this type of system the computer is always running off of battery power, and the battery is continuously being recharged.

5. B, D. A restoration plan should include contingency planning to recover systems and data even in the event of administration personnel loss or lack of availability. This plan should include procedures that address what to do if a disgruntled employee changes an administrative password before leaving. Answers A and C are incorrect because they are part of disaster recovery planning.

6. D. Service level agreements establish the contracted requirements for service through utilities, facility management, and ISPs. Answer A is incorrect because risk assessment is used to identify areas that must be addressed in disaster recovery provisions. Answers B and C are incorrect because although the disaster recovery plan and its policies may include details of the service level agreement’s implementation, neither is the best answer in this case.

7. A. A full backup includes a copy of all data, so it may be used to directly restore all data and settings as of the time of the last backup. Answers B, C, and D are incorrect because daily, differential, and incremental backups all require a full backup and additional backup files to restore from a total loss of data.

8. B. A DRP is an immediate action plan to be implemented after a disaster. Answer A is incorrect because it describes physical disasters. Answer C is incorrect because it describes loss prevention. Answer D is incorrect because it describes a business continuity plan.

9. A, B. RAID and UPS placement are both part of redundancy planning. Answers C and D are incorrect because backup procedures and restoring data are part of disaster recovery processes.

10. C. Sunday’s full backup must be installed, followed by Monday’s incremental backup, and finally Tuesday morning’s incremental backup. This will recover all data as of 1:00 a.m. Tuesday morning. Answers A and B are incorrect because a full backup Tuesday morning would be required to allow a single-file recovery of all data, whereas a differential backup on Tuesday morning would be required so that only two backup files would be needed. Answers D and E are incorrect because no files from before the last full backup would be required.


Suggested Readings and Resources

1. Schmidt, Klaus. High Availability and Disaster Recovery: Concepts, Design, Implementation. Springer, 2006.
2. Wells, April, Charlyne Walker, Timothy Walker, and David Abarca. Disaster Recovery: Principles and Practices. Prentice Hall, 2006.
3. CERT incident reporting guidelines: http://www.cert.org/tech_tips/incident_reporting.html
4. RAID tutorial: http://www.acnc.com/raid.html
5. SANS Information Security Reading Room: http://www.sans.org/reading_room/?ref=3701


CHAPTER TWELVE

Organizational Controls

Terms you need to understand:

✓ Forensics
✓ Chain of custody
✓ Acceptable use
✓ Change management
✓ Personally identifiable information (PII)
✓ Due care
✓ Service level agreements (SLAs)
✓ Security policies
✓ Social engineering
✓ Dumpster diving

Techniques you need to master:

✓ Understand the implications of incident response and forensic analysis of data.
✓ Understand applicable legislation and organizational policies.
✓ Know the importance of environmental controls.
✓ Understand how social engineering may be used to obtain unauthorized access.


After planning for disaster and recovery procedures as discussed in Chapter 11, “Organizational Security,” it is necessary to plan for incident response, forensics investigations, and protecting the organization from malice that can cause both external and internal damages. This chapter looks at incident response, forensics analysis, and security policies. It also covers environmental controls and user security awareness training. Although only 12% of the exam is based on the organizational security domain, this is a growing area of security planning. Therefore, additional resources are detailed at the end of the chapter.

Incident Response Procedures

Incidents do happen from time to time in most organizations no matter how strict security policies and procedures are. It is important to realize that proper incident handling is just as vital as the planning stage, and its presence may make the difference between being able to recover quickly and ruining a business and damaging customer relations. Customers need to see that the company has enough expertise to deal with the problem.

Incident response guidelines, change-management procedures, security procedures, and many other security-related factors require extensive planning and documentation. Incident response documentation should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for each type of security-related incident. The components of an incident response plan should include preparation, roles, rules, and procedures. Incident response procedures should define how to maintain business continuity while defending against further attacks.

Although many organizations have an Incident Response Team (IRT), which is a specific group of technical and security investigators that respond to and investigate security incidents, many do not. In the event there is no IRT, first responders will need to handle the scene and the response. Systems should be secured to prevent as many incidents as possible and monitored to detect security breaches as they occur. The National Institute of Standards and Technology (NIST) has issued a report on incident response guidelines that can help an organization spell out its own internal procedures. This is referenced in the “Suggested Reading and Resources” section at the end of the chapter.

Forensics

When a potential security breach must be reviewed, the digital forensics process comes into play. Similar to other forms of forensics, this process requires a vast knowledge of computer hardware, software, and media to protect the chain of custody over the evidence, avoid accidental invalidation or destruction of evidence, and preserve the evidence for future analysis. Computer forensics review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence. Therefore, a professional within this field needs a detailed understanding of the local, regional, national, and even international laws affecting the process of evidence collection and retention, especially in cases involving attacks that may be waged from widely distributed systems located in many separate regions.

NOTE The practice of forensics analysis is a detailed and exacting one. The information provided in this chapter allows an entering professional to recognize that precise actions must be taken during an investigation. It is crucial that you do not attempt to perform these tasks without detailed training in the hardware, software, network, and legal issues involved in forensics analysis.

The major concepts behind computer forensics are to

- Identify the evidence
- Determine how to preserve the evidence
- Extract, process, and interpret the evidence
- Ensure that the evidence is acceptable in a court of law

Each state has its own laws that govern how cases can be prosecuted. For cases to be prosecuted, evidence must be properly collected, processed, and preserved. The corporate world focuses more on prevention and detection, whereas law enforcement focuses on investigation and prosecution.

Chain of Custody

Forensics analysis involves establishing a clear chain of custody over the evidence, which is the documentation of all transfers of evidence from one person to another, showing the date, time, and reason for transfer and the signatures of both parties involved in the transfer. In other words, it tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. If you are asked to testify regarding data that has been recovered or preserved, it is critical that you, as the investigating security administrator, be able to prove that no other individuals or agents could have tampered with or modified the evidence. This requires careful collection and preservation of all evidence, including the detailed logging of investigative access and the scope of the investigation. Definition of the scope is crucial to ensure that accidental privacy violations or unrelated exposure will not contaminate the evidence trail. After data is collected, it must be secured in such a manner that you, as the investigating official, can state with certainty that the evidence could not have been accessed or modified during your custodial term.
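A custody log of the kind described above can be audited mechanically for missing fields and for gaps between custodians. This is an added example, not from the book; the record layout, the finding codes, the role names, and the practice of recording a SHA-256 digest of the evidence at each hand-off are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    when: datetime            # date and time of the hand-off
    released_by: str
    received_by: str
    reason: str
    released_by_signed: bool  # both parties must sign the transfer
    received_by_signed: bool
    sha256: str               # digest recomputed at hand-off (assumed practice)


def digest(evidence: bytes) -> str:
    return hashlib.sha256(evidence).hexdigest()


def audit_custody(collector, acquisition_sha256, transfers):
    """Return (transfer number, finding) pairs; an empty list means no gaps were found."""
    findings = []
    custodian, last_time = collector, None
    for number, t in enumerate(transfers, start=1):
        if not t.reason.strip():
            findings.append((number, "no-reason"))
        if not (t.released_by_signed and t.received_by_signed):
            findings.append((number, "missing-signature"))
        if t.released_by != custodian:
            findings.append((number, "custody-gap"))      # someone unrecorded held the item
        if last_time is not None and t.when <= last_time:
            findings.append((number, "out-of-order"))
        if t.sha256 != acquisition_sha256:
            findings.append((number, "digest-mismatch"))  # evidence changed since collection
        custodian, last_time = t.received_by, t.when
    return findings


def sample_logs():
    """Constructed sample data: one complete log and one with a gap and altered evidence."""
    acquired = digest(b"constructed disk image bytes")
    altered = digest(b"constructed disk image bytes, later modified")
    first = Transfer(datetime(2024, 1, 15, 9, 0), "first_responder", "it_manager",
                     "secure transport to evidence room", True, True, acquired)
    good = Transfer(datetime(2024, 1, 15, 14, 30), "it_manager", "examiner",
                    "imaging and analysis", True, True, acquired)
    bad = Transfer(datetime(2024, 1, 16, 10, 0), "examiner", "evidence_locker",
                   "return to storage", True, False, altered)
    return acquired, [first, good], [first, bad]


if __name__ == "__main__":
    acquired, clean_log, broken_log = sample_logs()
    print("clean log findings:", audit_custody("first_responder", acquired, clean_log))
    print("broken log findings:", audit_custody("first_responder", acquired, broken_log))
```

In the broken log the second transfer is released by someone who never received the item, lacks one signature, and carries a different digest, so the custodian could not state that the evidence was untouched.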

First Responders

First responders are the first ones to arrive at the incident scene. The success of data recovery and potential prosecution depends on the actions of the individual who initially discovers a computer incident. How the evidence scene is handled can severely affect the ability of the organization to prosecute if need be. While police officers are trained to have a good understanding of the limits of the Fourth and Fifth Amendments and applicable laws, many system administrators and network security personnel are not.

NOTE The Fourth Amendment guards against unreasonable search and seizure. Although law enforcement might need a search warrant to look for evidence, most corporations do not. However, they need to be aware of how reasonable expectation of privacy affects the ability to examine employees and their working environment. The Fifth Amendment deals with double jeopardy, self-incrimination, eminent domain, and due process. Due process extends to all persons and corporate entities. System administrators and network security personnel should be aware of and understand the basic legal issues governing their actions in any matter that involves examination and investigation of employee workspaces and environments.

The entire work area is a potential crime scene, not just the computer itself. There might be evidence such as removable media, voice-mail messages, or handwritten notes. The work area should be secured and protected to maintain the integrity of the area. Under no circumstances should you touch the computer or should anyone be allowed to remove any items from the scene.


NOTE If you are an untrained first responder, touch nothing and contact someone trained in these matters for help. Although it seems that just viewing the files or directories on a system would not change the original media, merely browsing a file can change it.

Damage and Loss Control

When the response team has determined that an incident occurred, the next step in incident analysis involves taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident. This will aid with researching possible response and mitigation strategies. In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal.

Depending on the severity of the incident and the organizational policy, incident response functions can take many forms. The response team may send out recommendations for recovery, containment, and prevention to systems and network administrators at sites who then complete the response steps. The team may perform the remediation actions themselves. The follow-up response can involve sharing information and lessons learned with other response teams and other appropriate organizations and sites.

After the incident is appropriately handled, the organization may issue a report that details the cause of the incident, the cost of the incident, and the steps the organization should take to prevent future incidents. It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future.

Reporting and Disclosure

Request For Comments (RFC) 2350, Expectations for Computer Security Incident Response, can be helpful in formulating organizational best practices for reporting and disclosure. Section 3.4.2 addresses cooperation, interaction, and disclosure of information. The reporting and disclosure policy should make clear who the incident response team’s report will go to in each circumstance. It should also note whether the team will be expected to operate through another internal team or directly with outside affected parties such as vendors. A clear statement of the policies and procedures helps all the parties involved understand how best to report incidents and what support to expect afterward.


The guidelines for reporting organizational security breaches may not be straightforward. Because of adverse publicity, many organizations choose to quietly fix a breach without reporting or disclosing. However, legal and ethical responsibilities now require organizations to be more diligent in this area. In many cases, security incidents must be reported by the chief information officer (CIO) and the board members need to be notified. The information reported may include the scope of the incident, impact, actions being taken, and actions taken to prevent a further occurrence. Board notification usually occurs as soon as the incident is known. Subsequent updates to the board may occur until the incident is closed, as determined by the chief information security officer (CISO).

Applicable Legislation and Organizational Policies

To ensure that proper incident response planning is managed and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users. Policies of which the users have no knowledge are rarely effective, and those that lack management support may prove to be unenforceable. Current and pending legislation will affect the formulation of those policies.

The first data breach notification law in the United States was California’s S.B. 1386. This bill was enacted in August 2002, and went into effect in July 2003. Currently, 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. In most cases, companies must immediately disclose a data breach to customers, usually in writing. Federal bills regarding data breach notification currently in process include

- S. 239—Notification of Risk to Personal Data Act
- H.R. 958—Data Accountability and Trust Act
- H.R. 836—Cyber-Security Enhancement & Consumer Data Protection Act
- S. 495—Personal Data Privacy and Security Act of 2007

Besides state and federal data-breach notification, organizations formed in the United States are also bound by the following laws that relate to protection and proper disclosure of data:

- Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets national standards for protecting health information.
- Gramm-Leach-Bliley Act (GLB) establishes privacy rules for the financial industry.
- Sarbanes-Oxley (SOX) governs financial and accounting disclosure information.

The U.S. Supreme Court made changes to the Federal Rules of Civil Procedure that make requests for electronic data a standard part of the discovery process during civil lawsuits. The changes took effect December 1, 2006. Therefore, organizations need to have a record-retention policy. This topic is covered in further detail in the “Security-Related Human Resources Policy” section later in this chapter. The point is, it is imperative to know legal ramifications if there is an incident.

You should check the state laws concerning privacy, liability, and spam. For example, assume your state has an antispam law. Your company email server has an open relay on it allowing it to be used for spamming purposes. A spammer sends email about the price of gasoline in Europe to 500,000 people. This proves fatal to the company. First, your Internet service provider (ISP) puts you on the spammers list, and you must fix the open relay before you can send any email. You have also been reported for spamming; the fine per incident is $10 per mail. This could put a company out of business even if you have insurance because there’s a good chance the insurance company will not cover this type of incident.

Different countries mandate different customer notification approaches. Being aware of this is especially important in a global economy. Notification of affected customers should be a part of an organization’s incident response plan. If an organization resides in an area that is not subject to a specific notification law, it should adhere to common law liability and treat each incident on a case-by-case basis.

Secure Disposal of Computers and Media

ISO 17799, particularly sections 7 and 8, has established standards for dealing with the proper disposal of obsolete hardware. Standards dictate that equipment owned/used by the organization should be disposed of only in accordance with approved procedures, including independent verification that the relevant security risks have been mitigated. This policy addresses issues that should be considered when disposing of old computer hardware, either for recycle, disposal, donation, or resale. The most prominent example of a security risk involved is that the hard disk inside the computer has not been completely or properly wiped. Stories about this exact problem surface on almost a daily basis. When implementing a policy on the secure disposal of outdated equipment, a wide range of scenarios need to be considered, such as the following:

- Breaches of health and safety requirements.
- Inadequate disposal planning results in severe business loss.
- Remnants of legacy data from old systems may still be accessible.
- Disposal of old equipment that is necessary to read archived data.
- Theft of equipment in use during cleanup of unwanted equipment.

Besides properly disposing of old hardware, removable media disposal is just as important. There is a proper way to handle removable media when either the data should be overwritten or is no longer useful or pertinent to the organization. The following methods are acceptable to use for media sanitation:

- Declassification—A formal process of assessing the risk involved in discarding particular information.
- Sanitization—The process of removing the contents from the media as fully as possible, making it extremely difficult to restore.
- Degaussing—This method uses an electrical device to reduce the magnetic flux density of the storage media to zero.
- Overwriting—This method is applicable to magnetic storage devices.
- Destruction—The process of physically destroying the media and the information stored on it.

TIP An organization’s information sensitivity policy will define requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Some resources, such as hard drives, might require very extensive preparations before they may be discarded.

Acceptable Use Policies

An organization’s acceptable use policy must provide details that specify what users may do with their network access. This includes email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. It is important to provide users the least possible access rights while allowing them to fulfill legitimate actions. An acceptable use policy should contain these main components:

. Clear, specific language
. Detailed standards of behavior
. Detailed enforcement guidelines and standards
. Outline of acceptable and not acceptable uses
. Consent forms
. Privacy statement
. Disclaimer of liability

The organization should be sure the acceptable use policy complies with current state and federal legislation and does not create unnecessary business risk to the company by employee misuse of resources. Upon logon, show a statement to the effect that network access is granted under certain conditions and that all activities may be monitored. This way you can be sure that any legal ramifications are covered.

Password Complexity

The organization’s password policy specifies password requirements, including length, strength, history, and required rate of change. Password policies were discussed in detail in Chapter 4, “Infrastructure Security and Controls.”

Although the organization may have password policies in place, allowing users to create their own passwords produces an unsecure environment because users typically choose passwords that contain easy-to-remember words. On the other end of the spectrum, if the passwords are too difficult to remember, users will write them down and post them on monitors, keyboards, and any number of easy-to-find places. A weak password might be very short or only use alphanumeric characters, containing information easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password.

Organizational policies should include training to educate users to create stronger passwords from events or things the user knows. For example, let’s say that the password must be nine characters long and must be a combination of letters, numbers, and special characters. The user is going to Fiji on August 8, 2009, with his spouse named Joan. The phrase “Going to Fiji on August 8, 2009 with Joan” can become [email protected] Now you have a complex password that is easy for the user to remember. Alternatively, users can use a phrase that has more than 13 characters so that password-cracking utilities will not be able to crack it. For example, using the password [email protected] creates a longer string than most programs can crack.

Strong password policies help protect the network from hackers and define the responsibilities of users who have been given access to company resources. You should have all users read and sign security policies as part of their employment process and provide periodic training.
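A checker for the policy this section describes, added here as an illustration and not taken from the book: it enforces the nine-character, three-character-class example, treats phrases of more than 13 characters as the alternative, and rejects passwords built mostly from common words or from facts someone profiling the user would know. The `Profile` structure, the substitution table, the sample profile, and the rule that the non-guessable remainder must itself meet the minimum length are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 9            # the section's example policy: nine characters
PASSPHRASE_LENGTH = 14    # "more than 13 characters" passphrase alternative
COMMON_WORDS = {"god", "love", "money", "password"}  # the section's examples

# Character substitutions to undo, so "p@ssw0rd" is still read as "password".
# Each entry maps one character to one character, so positions are preserved.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "!": "i", "3": "e", "$": "s", "5": "s"})


@dataclass
class Profile:
    """Facts someone profiling the user could learn (hypothetical structure)."""
    words: list = field(default_factory=list)   # names, nicknames, pets, address
    dates: list = field(default_factory=list)   # ISO dates, e.g. "1975-08-08"


# Constructed sample data, not from the book.
SAMPLE_PROFILE = Profile(words=["Joan", "Fluffy", "12 Elm Street"],
                         dates=["1975-08-08"])


def guessable_tokens(profile):
    """Return the lower-case tokens a password must not be built from."""
    tokens = set(COMMON_WORDS)
    if profile is None:
        return tokens
    for entry in profile.words:
        # Split "12 Elm Street" into parts; ignore fragments under 3 characters.
        parts = re.findall(r"[a-z]+|\d+", entry.lower())
        tokens.update(p for p in parts if len(p) >= 3)
    for date in profile.dates:
        y, m, d = date.split("-")
        tokens.update({y, m + d, d + m, y + m + d, m + d + y, d + m + y,
                       m + d + y[2:], d + m + y[2:]})
    return tokens


def _mark(covered, haystack, token):
    """Flag every position of every occurrence of token; return True if found."""
    found = False
    start = haystack.find(token)
    while start != -1:
        for i in range(start, start + len(token)):
            covered[i] = True
        found = True
        start = haystack.find(token, start + 1)
    return found


def check_password(password, profile=None):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: a long passphrase is exempt from the character-class rule.
    if len(password) < PASSPHRASE_LENGTH:
        for name, pattern in (("letter", r"[A-Za-z]"), ("digit", r"\d"),
                              ("special character", r"[^A-Za-z0-9]")):
            if not re.search(pattern, password):
                problems.append(f"missing a {name}")

    lowered = password.lower()
    normalized = lowered.translate(LEET)
    covered = [False] * len(lowered)
    hits = []
    for token in sorted(guessable_tokens(profile)):
        in_raw = _mark(covered, lowered, token)
        in_normalized = _mark(covered, normalized, token)
        if in_raw or in_normalized:
            hits.append(token)
    # Assumption: what remains after removing the guessable parts must still
    # meet the minimum length, otherwise the password is mostly guessable.
    remainder = covered.count(False)
    if hits and remainder < MIN_LENGTH:
        problems.append("built mostly from guessable information: "
                        + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("Fluffy1975!", "p@ssw0rd1", "mV7#kq2Lw",
                      "purple otter sings at dawn"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "ok")
```

Without a profile, `Fluffy1975!` satisfies the length and character-class rules; it is rejected only once the checker knows the pet's name and the birth year.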

Change Management

All configuration changes should be documented. Many companies are lacking in this area. We are often in a hurry to make changes and say we will do the documentation later—most of the time, that doesn’t happen. You should realize that documentation is critical. It eliminates misunderstandings and serves as a trail if something goes wrong down the road. Change documentation should include the following:

. Specific details, such as the files being replaced, the configuration being changed, the machines or operating systems affected, and so on
. The name of the authority who approved the changes
. A list of the departments that will be involved in performing the changes and the names of their supervisors
. What the immediate effect of the change will be
. What the long-term effect of the change will be
. The date and time the change will occur

After the change has occurred, the following should be added to the documentation:

. Specific problems and issues that occurred during the process
. Any known workarounds if issues have occurred
. Recommendations and notes on the event

After the change has been requested, documented, and approved, you should then send out notification to the users so that they will know what to expect when the change has been implemented.

Classification of Information

ISO 17799 can help an organization establish information classification criteria. It is essential to classify information according to its value and level of sensitivity so that the appropriate level of security can be used. A system of classification should be easy to administer, effective, and uniformly applied throughout the organization. Organizational information that is not public should not be disclosed to anyone who is not authorized to access it. The organization should have a strict policy in place for violations that could result in disciplinary proceedings against the offending individual.

It is recommended to limit the number of information classification levels in your organization. Following are two different options. The first divides information into four classifications:

. Class 1: Public information—Data available in the public domain.
. Class 2: Internal information—Should this data become public, the consequences are not critical.
. Class 3: Confidential information—Should this data become public, it could influence the organization’s operational effectiveness and cause financial loss.
. Class 4: Secret information—This data is critical to the company, should be accessed by very few, and should never become public.

The next example adds an additional class:

. Top secret—Highly sensitive internal documents and data. This is the highest security level possible.
. Highly confidential—Information that is considered critical to the organization’s ongoing operations. Security should be very high.
. Proprietary—Internal information that defines the way in which the organization operates. Security should be high.
. Internal use only—Information that is unlikely to result in financial loss or serious damage to the organization. This is a restricted but normal security level.
. Public documents—Information in the public domain. This is a minimal security level.

The important thing to remember here is to document how your data classifications correlate to your security objectives. When classifications are established, they should be adhered to and closely monitored. All too often, top secret documents end up on unsecured family computers. Data classifications can also help when submitting discoverable information subject to the Federal Rules of Civil Procedure should the organization be involved in a lawsuit.

Separation of Duties and Mandatory Vacations

Too much power can lead to corruption, whether it is in politics or network administration. Most governments and other organizations implement some type of a balance of power through a separation of duties. It is important to include a separation of duties when planning for security policy compliance. Without this separation, all areas of control and compliance may be left in the hands of a single individual. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Often, you will find this in financial institutions, where to violate the security controls, all the participants in the process would have to agree to compromise the system.

For security purposes, avoid having one individual who has complete control of a transaction or process from beginning to end and implement policies such as job rotation, mandatory vacations, and cross-training.

Users should be required to take mandatory vacations as part of the organization’s security policy. This part of the policy outlines the manner in which a user is associated with necessary information and system resources. There must be other employees who can do the job of each employee so that corruption does not occur. It is imperative that all employees are adequately cross-trained and only have the level of access necessary to perform normal duties.

Personally Identifiable Information

Privacy-sensitive information is referred to as personally identifiable information (PII). This is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Examples of PII are name, address, phone number, fax number, email address, financial profiles, Social Security number, and credit card information. To be considered PII, information must be specifically associated with an individual person. Information provided either anonymously or not associated with its owner before collection is not considered PII. Unique information such as a personal profile, unique identifier, biometric information, and IP address that is associated with PII can also be considered PII.

The California Online Privacy Protection Act of 2003 (OPPA), which became effective on July 1, 2004, requires owners of commercial websites or online services to post a privacy policy. OPPA requires that each operator of a commercial website conspicuously post a privacy policy on its website. The privacy policy itself must contain the following features:

. A list of the categories of PII the operator collects
. A list of the categories of third parties with whom the operator may share such PII
. A description of the process by which the consumer can review and request changes to his or her PII collected by the operator
. A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy
. The effective date of the privacy policy

Other federal and state laws may apply to PII. In addition, other countries have laws as to what information can be collected and stored by organizations. As with most of the information in this chapter, it is imperative that you know the regulations that govern the digital terrain in which your organization operates. The organization then has an obligation to be sure proper policies and procedures are in place.

Due Care

An organization may be negligent in its duties if it fails to take common and necessary precautions to avoid a security threat. It also may be negligent if its actions contribute to an environment that allows a security threat to happen. For example, if an employee hacks into a vendor’s network, the company can be held liable for lack of due care.

Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Because of this, it is important to establish clear lines of responsibility and expectations for users and administrators. Due care is based on best practices and what a prudent organization would do in a similar case. In other words, it involves doing the right thing and acting responsibly.

Your security policy must specify how your organization operates within applicable laws and regulations to ensure data privacy. This is especially important in industries that now have to comply with legislation. Users and administrators must be made aware of privacy issues and the consequences of unintentional disclosure of private data that may arise over web, email, and instant messaging traffic within the organization’s network. All employees should be familiar with and exercise due care when dealing with organizational assets.

Due Diligence

Due diligence can have several connotations that relate to technology. Generally, due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. In this context, it may be used in connection with a due diligence investigation of a vendor, outsourcing agency, venture capital investment, or a partnering entity. This entails the request for various kinds of documents from the company to be used in connection with a legal due diligence investigation. Due diligence is a way of preventing unnecessary harm to either party involved in the transaction.

Due diligence can also be used internally. This is the process of investigation, such as an examination of operations and management and the verification of material facts. This is basically an investigation or audit to confirm all material facts. Many times, due diligence is done to assess the viability of the organization or to ensure that they have adequate controls and procedures in place so that they know the vendors and customers with whom they are dealing. This is particularly important in the banking industry. Adequate due diligence on new and existing customers is a key part of controls and oversight. Without due diligence, banks can become subject to reputation, operation, and legal risks, resulting in significant financial cost. Again, it is important to know the market in which you operate and what is expected of the organization.

Due Process

Due process is the concept that laws and legal proceedings must be fair. The U.S. Constitution guarantees that before depriving a citizen of life, liberty, or property, government must follow fair procedures. Other countries may have similar laws in effect. As an organization, policies and procedures must comply with the basic rights of the individual.

How this affects the organization depends on the type of employer. In the United States, most private-sector employees are governed by the employment-at-will doctrine. This means that both an employer and an employee have the privilege to end a working relationship without prior notice or explanation.

All federal, state, and local government employees are protected by the Fifth and Fourteenth Amendments. These prohibit the government from depriving any person of life, liberty, or property without due process of law. Government employees’ services cannot be terminated under circumstances that violate the U.S. Constitution or the constitution of the state in which they work. They have the right to due process in cases of arbitrary dismissals not linked to job performance. Before termination, a government employer has to offer a reasonable explanation to the employee and provide a proper channel for the employee to answer those charges. If the charges are going to impede future job prospects, the employee has the right to a name-clearing hearing.

Service Level Agreements

Service level agreements (SLAs) are part of every organization. The purpose of a SLA is to establish a cooperative partnership, bring both sides together, and map out each party’s responsibilities. SLAs can help you determine what you will provide to your client, what is beyond your responsibility, and who should be contacted when something goes wrong. SLAs spell out the processes, service expectations, and service metrics. The organization should make sure that the affected staff is aware of the terms of each SLA. Failure to comply can result in a violation of the SLA and potential nullification of any vendor warranties or liabilities. When SLAs are established, change, monitoring, and testing procedures should be in place. Changes to a SLA should be handled under agreed change-control procedures.

Security-Related Human Resources Policy

Human resources (HR) policies and practices should reduce the risk of theft, fraud, or misuse of information facilities by employees, contractors, and third-party users. The primary legal and HR representatives should review all policies, especially privacy issues, legal issues, and HR enforcement language. Legal and HR review of policies is required in many, if not most, organizations.

Security planning must include procedures for the creation and authorization of accounts for newly hired personnel and the planned removal of privileges following employment termination. When termination involves power users with high-level access rights or knowledge of service administrator passwords, it is critical to institute password and security updates to exclude known avenues of access while also increasing security monitoring for possible reprisals against the organization.

The hiring process should also include provisions for making new employees aware of acceptable use and disposal policies and the sanctions that may be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees should subscribe, particularly power users with broad administrative rights.

User Education and Awareness Training

One of the most powerful tools available to a security administrator is the body of network users, who may notice and draw attention to unusual access methods or unexpected changes. This same body of users also creates the greatest number of potential security holes because each user may be unaware of newly emerging vulnerabilities, threats, or required standards of action and access that must be followed. Like a chain, a network is only as secure as its weakest link—and users present a wide variety of bad habits, a vast range of knowledge, and varying intent in access.

TIP When planning for user notification of new threats, such as a virus or an email-distributed agent of mischief, it is crucial that your solution includes a means of communication other than that affected by the potential threat. For example, it will do little good to warn users of a new email bomb via email if the bomb has already affected your avenue of distribution.

User education is mandatory to ensure that users are made aware of expectations, options, and requirements related to secure access within an organization’s network. Education may include many different forms of communication, including the following:

. New employees and contract agents should be provided education in security requirements as a part of the hiring process.
. Reminders and security-awareness newsletters, emails, and flyers should be provided to raise general security awareness.
. General security policies must be defined, documented, and distributed to employees.
. Regular focus group sessions and on-the-job training should be provided for users regarding changes to the user interface, application suites, and general policies.
. General online security-related resources should be made available to users through a simple, concise, and easily navigable interface.

Although all the previously mentioned practices are part of a security-awareness training program, security training during employee orientation combined with yearly seminars is the best choice, as these are active methods of raising security awareness. Email and posters are passive and tend to be less effective.

CAUTION It is important to locate a suitable upper-level sponsor for security initiatives to ensure that published security training and other requirements are applied to all users equally. Hackers, crackers, and other agents seeking unauthorized access often search for highly placed users within an organization who have exempted themselves from standard security policies.

The Importance of Environmental Controls

The location of everything from the actual building to wireless antennas affects security. When picking a location for a building, an organization should investigate the type of neighborhood, population, crime rate, and emergency response times. This will help in the planning of the physical barriers needed, such as fencing, lighting, and security personnel. An organization must also analyze the potential dangers from natural disasters and plan to reduce their impact when possible.

When protecting computers, wiring closets, and other devices from physical damage due to either natural or manmade disasters, you must select their locations carefully. Proper placement of the equipment should cost a company little money upfront yet provide significant protection from possible loss of data due to flooding, fire, or theft.

Fire Suppression

Fire is a danger common to all business environments and one that must be planned for well in advance of any possible occurrence. The first step in a fire safety program is fire prevention. The best way to prevent fires is to train employees to recognize dangerous situations and report these situations immediately. Knowing where a fire extinguisher is and how to use it can stop a small fire from becoming a major catastrophe. Many of the newer motion- and ultrasonic-detection systems also include heat and smoke detection for fire prevention. These systems alert the monitoring station of smoke or a rapid increase in temperature.

If a fire does break out somewhere within the facility, a proper fire-suppression system can avert major damage. Keep in mind that laws and ordinances apply to the deployment and monitoring of a fire-suppression system. It is your responsibility to ensure that these codes are properly met. In addition, the organization should have safe evacuation procedures and periodic fire drills to protect its most important investment: human life.

Fire requires three main components to exist: heat, oxygen, and fuel. Eliminate any of these components and the fire goes out. A common way to fight fire is with water. Water attempts to take away oxygen and heat. A wet-pipe fire-suppression system is the one that most people think of when discussing an indoor sprinkler system. The term wet is used to describe the state of the pipe during normal operations. The pipe in the wet-pipe system has water under pressure in it at all times. The pipes are interconnected and have sprinkler heads attached at regularly spaced intervals. The sprinkler heads have a stopper held in place with a bonding agent designed to melt at an appropriate temperature. After the stopper melts, it opens the valve and allows water to flow from the sprinkler head and extinguish the fire.

Keep in mind that electronic equipment and water don’t get along well. Fires that start outside electrical areas are well served by water-based sprinkler systems. Also keep in mind that all these systems should have both manual activation and manual shutoff capabilities. You want to be able to turn off a sprinkler system to prevent potential water damage. Most systems are designed to activate only one head at a time. This works effectively to put out fires in the early stages.

Dry-pipe systems work in exactly the same fashion as wet-pipe systems, except that the pipes are filled with pressurized air rather than water. The stoppers work on the same principle. When the stopper melts, the air pressure is released, and a valve in the system opens. One of the reasons for using a dry-pipe system is that when the outside temperature drops below freezing, any water in the pipes will freeze, causing them to burst. Another reason for justifying a dry-pipe system is the delay associated between the system activation and the actual water deployment. Because some laws require a sprinkler system even in areas of the building that house electrical equipment, there is enough of a delay that it is feasible for someone to manually deactivate the system before water starts to flow. In such a case, a company could deploy a dry-pipe system and a chemical system together. The delay in the dry-pipe system can be used to deploy the chemical system first and avoid serious damage to the running equipment from a water-based sprinkler system.

EXAM ALERT Know the difference between the different types of fire-suppression systems.

For Class A fires (trash, wood, and paper), water will decrease the fire’s temperature and extinguish its flames. Foam is usually used to extinguish Class B fires, which are fueled by flammable liquids, gases, and greases. Liquid foam mixes with air while passing through the hose and the foam. Class C fires (energized electrical equipment, electrical fires, and burning wires) are put out using extinguishers based on carbon dioxide or halon. Halon was once used as a reliable, effective, and safe fire protection tool, but in 1987 an international agreement known as the Montreal Protocol mandated the phaseout of halons in developed countries by the year 2000 and in less-developed countries by 2010, due to emissions concerns. Therefore, carbon dioxide extinguishers have replaced halon extinguishers. They don’t leave a harmful residue, making them a good choice for an electrical fire on a computer or other electronic devices. Class D fires are fires that involve combustible metals such as magnesium, titanium, and sodium. The two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder.

HVAC

Cooling requirements of computer data centers and server rooms need to be taken into consideration when doing facilities planning. The amount of heat generated by some of this equipment is extreme and highly variable. Depending on the size of the space, age, and type of equipment the room contains, energy consumption typically ranges from 20 to 100 watts per square foot. Newer servers, although smaller and more powerful, may consume more energy. Therefore, some high-end facilities with state-of-the-art technology may require up to 400 watts per square foot. These spaces consume many times more energy than office facilities of equivalent size and must be planned for accordingly. Smaller, more powerful IT equipment is considerably hotter than older systems, making heat management a major challenge.

When monitoring the HVAC system, keep in mind that overcooling causes condensation on equipment, and air that is too dry leads to excessive static. The area should be monitored for hot spots and cold spots. These occur where one area is frigid under a vent while it is still hot elsewhere. Water or drain pipes above facilities also raise a concern about upper-floor drains clogging. One solution is to use rubberized floors above the data center or server room. Above all else, timely A/C maintenance is required.

As mentioned previously, overcooling causes condensation on equipment, and air that is too dry leads to excessive static. In addition to temperature monitoring, humidity should be monitored. Humidity is a measurement of moisture content in the air. A high level of humidity can cause components to rust and degrade electrical resistance or thermal conductivity. A low level of humidity can subject components to electrostatic discharge (ESD), causing damage; at extremely low levels, components may be affected by the air itself. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends optimal humidity levels in the 40% to 55% range.

Shielding

One risk that is often overlooked is electronic and electromagnetic emissions. Electrical equipment generally gives off electrical signals. Monitors, printers, fax machines, and even keyboards use electricity. These electronic signals are said to “leak” from computer and electronic equipment. Shielding seeks to reduce this output. The shielding can be local, cover an entire room, or cover a whole building, depending on the perceived threat. We’re going to look at two types of shielding: TEMPEST and Faraday cages.

TEMPEST is a code word developed by the U.S. government in the 1950s. It is an acronym built from the Transient Electromagnetic Pulse Emanation Standard. It describes standards used to limit or block electromagnetic emanation (radiation) from electronic equipment. TEMPEST has since grown in its definition to include the study of this radiation. Individual pieces of equipment are protected through extra shielding that helps prevent electrical signals from emanating. This extra shielding is a metallic sheath surrounding connection wires for mouse, keyboard, and video monitor connectors. It can also be a completely shielded case for the motherboard, CPU, hard drive, and video display system. This protection prevents the transfer of signals through the air or nearby conductors, such as copper pipes, electrical wires, and phone wires. You are most likely to find TEMPEST equipment in government, military, and corporate environments that process government/military classified information. Because this can be costly to implement, protecting an area within a building makes more sense than protecting individual pieces of equipment.

A more efficient way to protect a large quantity of equipment from electronic eavesdropping is to place the equipment into a well-grounded metal box called a Faraday cage, which is named after its inventor, Dr. Michael Faraday. The box can be small enough for a cell phone or can encompass an entire building. The idea behind the cage is to protect its contents from electromagnetic fields. Figure 12.1 shows an example of a Faraday cage.

FIGURE 12.1 Configuration of a Faraday cage that completely encloses the contents.

The cage surrounds an object with interconnected and well-grounded metal. The metal used is typically a copper mesh that is attached to the walls and covered with plaster or drywall. The wire mesh acts as a net for stray electric signals, either inside or outside the box.

Shielding also should be taken into consideration when choosing cable types and the placement of cable. Coaxial cable was the first type of cable used to network computers. Coaxial cables are made of a thick copper core with an outer metallic shield to reduce interference. Coaxial cables have no physical transmission security and are very simple to tap without being noticed or interrupting regular transmissions. The electric signal, conducted by a single core wire, can easily be tapped by piercing the sheath. It would then be possible to eavesdrop on the conversations of all hosts attached to the segment because coaxial cabling implements broadband transmission technology and assumes many hosts are connected to the same wire. Another security concern of coaxial cable is reliability. Because no focal point is involved, a faulty cable can bring the whole network down. Missing terminators or improperly functioning transceivers can cause poor network performance and transmission errors.

Twisted-pair cable is used in most of today’s network topologies. Twisted-pair cabling is either unshielded (UTP) or shielded (STP). UTP is popular because it is inexpensive and easy to install. UTP consists of eight wires twisted into four pairs. The design cancels much of the overflow and interference from one wire to the next, but UTP is subject to interference from outside electromagnetic sources, and is prone to radio frequency interference (RFI) and electromagnetic interference (EMI) as well as crosstalk. STP is different from UTP in that it has shielding surrounding the cable’s wires. Some STP has shielding around the individual wires, which helps prevent crosstalk. STP is more resistant to EMI and is considered a bit more secure because the shielding makes wire tapping more difficult. Both UTP and STP are possible to tap, although it is physically a little trickier than tapping coaxial cable because of the physical structure of STP and UTP cable.

With UTP and STP, a more inherent danger lies in the fact that it is easy to add devices to the network via open ports on unsecured hubs and switches. These devices should be secured from unauthorized access, and cables should be clearly marked so a visual inspection can let you know whether something is awry. Also, software programs that can help detect unauthorized devices are available.

The plenum is the space between the ceiling and the floor of a building’s next level. It is commonly used to run network cables, which must be of plenum grade. Plenum cable is a grade that complies with fire codes. The outer casing is more fire-resistant than regular twisted-pair cable.

Fiber was designed for transmissions at higher speeds over longer distances. It uses light pulses for signal transmission, making it immune to RFI, EMI, and eavesdropping. Fiber-optic wire has a plastic or glass center, surrounded by another layer of plastic or glass with a protective outer coating. On the downside, fiber is still quite expensive compared to more traditional cabling, it is more difficult to install, and fixing breaks can be costly. As far as security is concerned, fiber cabling eliminates the signal tapping that is possible with coaxial cabling. It is impossible to tap fiber without interrupting the service and using specially constructed equipment. This makes it more difficult to eavesdrop or steal service.

The Risks of Social Engineering

One area of security planning that is often considered the most difficult to adequately secure is the legitimate user. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. It is extremely successful because it relies on human emotions. Common examples of social engineering attacks include the following:

• An attacker calls a valid user pretending to be a guest, temp agent, or new user asking for assistance in accessing the network or details involving the business processes of the organization.
• An attacker contacts a legitimate user, posing as a technical aide attempting to update some type of information, and asks for identifying user details that may then be used to gain access.
• An attacker poses as a network administrator, directing the legitimate user to reset his password to a specific value so that an imaginary update may be applied.
• An attacker provides the user with a “helpful” program or agent, through email, a website, or other means of distribution. This program may require the user to enter logon details or personal information useful to the attacker, or it may install other programs that compromise the system’s security.

Another form of social engineering has come to be known as reverse social engineering. Here, an attacker provides information to the legitimate user that causes the user to believe the attacker is an authorized technical assistant. This may be accomplished by obtaining an IT support badge or logo-bearing shirt that validates the attacker’s legitimacy, by inserting the attacker’s contact information for technical support in a secretary’s Rolodex, or by making himself known for his technical skills by helping people around the office.


Many users would rather ask assistance of a known nontechnical person who they know to be skilled in computer support rather than contact a legitimate technical staff person, who may be perceived as busy with more important matters. An attacker who can plan and cause a minor problem will then be able to easily correct this problem, gaining the confidence of the legitimate user while being able to observe operational and network configuration details and logon information, and potentially being left alone with an authorized account logged on to the network.

Phishing

Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email. Phishing attacks rely on a mix of technical deceit and social engineering practices. In the majority of cases, the phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. As scam artists become more sophisticated, so do their phishing email messages. The messages often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites. Here is a list of the most common phrases they use:

• Verify your account—Businesses do not ask you to send personal information through email.
• If you don’t respond within 48 hours, your account will be closed—These messages have an urgent tone so that you’ll respond without thinking.
• Dear Valued Customer as part of our continuing commitment to providing excellent service, we require that you update your account—This is a bulk email message.
• Click the link below to gain access to your account—The links that you are urged to click appear to be legitimate, but they are not. They look similar to the vendor’s website, but when examined more closely are fraudulent.

For best protection, proper security technologies and techniques must be deployed at the client side, the server side, and the enterprise level. Ideally, users should not be able to directly access email attachments from within the email application. However, the best defense is user education.
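The traits listed above (stock phrases, and links whose visible text names one site while the target points to another) can be checked mechanically by a mail filter. The following Python sketch is an added example, not material from the book; the function names and the sample message are constructed, and the domains use reserved test names.

```python
"""Flag the phishing traits listed above in an HTML email body."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Phrases taken from the list above, lowercased for matching.
PHRASES = (
    "verify your account",
    "your account will be closed",
    "dear valued customer",
    "click the link below",
)

# A hostname-like token inside visible link text, e.g. "www.bank.example".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None   # None means "not inside an <a> element"
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname.

    Assumption: a crude stand-in for a public-suffix lookup; it is wrong
    for suffixes such as co.uk and is only meant for this illustration.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_mismatches(links):
    """Return (shown host, real target host) for links that disagree."""
    found = []
    for href, text in links:
        target = urlparse(href).hostname or ""
        shown = HOST_IN_TEXT.search(text)
        if not shown or not target:
            continue  # text such as "click here" names no host to compare
        if registrable(shown.group(1)) != registrable(target):
            found.append((shown.group(1), target))
    return found


def analyze(html_body):
    """Report which listed phrases and which deceptive links are present."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    body = " ".join(" ".join(parser.text).lower().split())
    return {
        "phrases": [p for p in PHRASES if p in body],
        "mismatched_links": link_mismatches(parser.links),
    }


# Constructed sample message (reserved .example / .invalid names).
SAMPLE = """<html><body>
<p>Dear Valued Customer, as part of our continuing commitment to providing
excellent service, we require that you update your account.</p>
<p>If you don't respond within 48 hours, your account will be closed.</p>
<p>Click the link below to gain access to your account:</p>
<a href="http://www.bank.example.account-check.invalid/verify">www.bank.example</a>
<a href="https://www.bank.example/help">www.bank.example/help</a>
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The first link is flagged because the hostname really ends in account-check.invalid even though it begins with the bank's name; the second link is consistent and is not reported.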


Hoaxes

Hoaxes were described in Chapter 6, “Securing Communications,” in the “Undesirable Email” section. Although they present issues such as loss of functionality or security vulnerabilities, they also use system resources and consume users’ time. This results in lost productivity and an undue burden on the organization’s resources, especially if many employees respond. Organizational security awareness and training programs should alert employees to this type of situation and instruct them to not respond, or policies should spell out what is acceptable. Many organizations do not allow employees to send mass emails for this reason.

Shoulder Surfing

Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or supermarkets because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password. Shoulder surfing can also be done long-distance with the aid of binoculars or other vision-enhancing devices. The immediate solution to prevent shoulder surfing is to shield paperwork or your keypad from view by using your body or cupping your hand. Biometrics and gaze-based password entry make gleaning password information difficult for the unaided observer while retaining the simplicity and ease of use for the user.

Dumpster Diving

As humans, we naturally seek the path of least resistance. Instead of being shredded or walked to the recycle bin, documents are often thrown in the wastebasket. Equipment sometimes is put in the garbage because city laws do not require special disposal. Because intruders know this, they scavenge discarded equipment and documents, a practice called dumpster diving, and extract sensitive information from them without ever contacting anyone in the organization. In any organization, the potential that an intruder can gain access to this type of information is huge. What happens when employees are leaving the organization? They clean out their desks. Depending on how long the employees have been there, what ends up in the garbage can be a goldmine for an intruder.


Other potential sources of information that are commonly thrown in the garbage include the following:

• Old company directories
• Old QA or testing analysis
• Employee manuals
• Training manuals
• Hard drives
• Floppy disks
• CDs
• Printed emails

Proper disposal of data and equipment should be part of the organization’s security policy. It is prudent to have a policy in place that requires shredding of all documents and security erasure of all types of storage media before they may be discarded.

User Education and Awareness Training

Users must be trained to avoid falling victim to social engineering attacks. This should be an ongoing process. Human behavior is difficult, if not impossible, to predict. Some guidelines for information to be included in user training may consist of the following points:

• How to address someone who has her hands full and asks for help getting into a secure area
• How to react to someone who has piggybacked into the building
• What procedure should be followed when a vendor comes into the building to work on the servers
• What to say to a sales representative who is at a customer site doing a demonstration and has forgotten the website password
• What to say to a vice president who has forgotten his password and needs it right away
• What items can and cannot go in the trash or recycle bin and what paperwork must be shredded
• What to do when an administrator calls and asks for a user’s password


As new methods of social engineering come out, so must new training methods. The training should be scoped so that management receives a different type of training than the users. Management training should focus on the ramifications of social engineering, such as the liability of the company when a breach happens, the financial damage that can happen, and how this can affect the reputation or credibility of the company.

EXAM ALERT

Planning, training, regular reminders, and firm and clear security policies are important when you’re attempting to minimize vulnerabilities created by social engineering.


Exam Prep Questions

1. Which of the following security policies would identify that a user may be fined for using email to run a personal business?

❍ A. Acceptable use
❍ B. Due diligence
❍ C. Due care
❍ D. Separation of duties

2. Which of the following is a well-grounded metal structure used to protect a large quantity of equipment from electronic eavesdropping?

❍ A. TEMPEST
❍ B. Degausser
❍ C. Faraday cage
❍ D. Sonar

3. An attacker offers her business card as an IT solution provider and then later causes a user’s computer to appear to fail. What is this an example of?

❍ A. Reverse social engineering
❍ B. Social engineering
❍ C. Separation of duties
❍ D. Inverse social engineering

4. Which of the following would be defined in an acceptable use policy? (Choose the three best answers.)

❍ A. Detailed standards of behavior
❍ B. Detailed enforcement guidelines and standards
❍ C. Privacy statement
❍ D. Background check consent forms

5. What is the difference between a wet-pipe and a dry-pipe fire-suppression system?

❍ A. A dry-pipe system uses air to suppress fire, whereas a wet-pipe system uses water.
❍ B. A dry-pipe system uses dry chemicals, whereas a wet-pipe system uses wet chemicals.
❍ C. A wet-pipe system has water in the pipe at all times, whereas in a dry-pipe system water is used but is held back by a valve until a certain temperature is reached.
❍ D. A wet-pipe system uses wet chemicals that deploy after the pipe loses air pressure, whereas a dry-pipe system uses dry chemicals that deploy before the pipe loses air pressure.

6. When implementing a policy on the secure disposal of outdated equipment, which of the following needs to be considered? (Choose all that apply.)

❍ A. Breaches of health and safety requirements.
❍ B. Inadequate disposal planning results in severe business loss.
❍ C. Remnants of legacy data from old systems may still be accessible.
❍ D. Disposal of old equipment that is necessary to read archived data.

7. Which of the following security policies would require users to take mandatory vacations?

❍ A. Acceptable use
❍ B. Due diligence
❍ C. Due care
❍ D. Separation of duties

8. Which of the following tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed?

❍ A. Incident response
❍ B. Due diligence
❍ C. Chain of custody
❍ D. Due process

9. Which of the following are examples of social engineering? (Choose the two best answers.)

❍ A. An attacker configures a packet sniffer to monitor user logon credentials.
❍ B. An attacker sets off a fire alarm so that he can access a secured area when the legitimate employees are evacuated.
❍ C. An attacker waits until legitimate users have left and sneaks into the server room through the raised floor.
❍ D. An attacker unplugs a user’s network connection and then offers to help try to correct the problem.
❍ E. An attacker obtains an IT office T-shirt from a local thrift store and takes a user’s computer for service.

10. Which of the following best describes the objective of a service-level agreement (SLA)?

❍ A. Guidelines for reporting organizational security breaches
❍ B. Requests for electronic data during federal lawsuits
❍ C. Investigative and analytical techniques to acquire and protect potential legal evidence
❍ D. Contracts with suppliers that detail levels of support that must be provided

Answers to Exam Prep Questions

1. A. Answers B, C, and D are incorrect because they detail individual policies that may detail sanctions if violated, but they would not be used to define the use of company resources.

2. C. To protect a large quantity of equipment from electronic eavesdropping, place the equipment into a well-grounded metal box called a Faraday cage. Answer A is incorrect because TEMPEST describes standards used to limit or block electromagnetic emanation (radiation) from electronic equipment. Answer B is incorrect because a degausser is an electrical device used to reduce the magnetic flux density of the storage media to zero. Answer D is incorrect because sonar is underwater sound propagation.

3. A. Reverse social engineering involves an attacker convincing the user that she is a legitimate IT authority, causing the user to solicit her assistance. Answer B is incorrect because social engineering is when an intruder tricks a user into giving him private information. Answer C is incorrect because separation of duties is when two users are assigned a part of a task that both of them need to complete. Answer D is incorrect because it is a bogus answer.

4. A, B, and C. An acceptable use policy should contain these components: detailed standards of behavior, detailed enforcement guidelines and standards, and a privacy statement. Answer D is incorrect because background check consent forms are part of the employment process and have nothing to do with acceptable use.

5. C. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. Therefore, answers A, B, and D are incorrect.

6. A, B, C, and D. All these scenarios should be considered when formulating a policy on the secure disposal of outdated equipment.

7. D. Answers A, B, and C are incorrect because they detail individual policies that may detail sanctions if violated, but they would not be used to define that too much power can lead to corruption.

8. C. Chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect because it describes how an organization responds to an incident. Answer B is incorrect because it describes processes for compliance. Answer D is incorrect because it describes employee rights.

9. D, E. Social engineering attacks involve tricking a user into providing the attacker with access rights or operational details. Answer A is incorrect because packet sniffing is a form of a network security threat. Answers B and C are incorrect because they involve physical access control risks rather than social engineering.

10. D. SLAs are contracts with ISPs, utilities, facilities managers, and other types of suppliers that detail minimum levels of support that must be provided in the event of failure or disaster. Answer A is incorrect because it describes an incident response plan. Answer B is incorrect because it describes the discovery process. Answer C is incorrect because it describes the forensics process.

Recommended Reading and Resources

1. CERT Incident Reporting Guidelines: www.cert.org/tech_tips/incident_reporting.html
2. First Responders Guide to Computer Forensics: www.cert.org/archive/pdf/FRGCF_v1.3.pdf
3. NIST SP 800-61 Computer Security Incident Handling Guide: http://www.nist.org/print.php?plugin:content.42
4. ISO 17799: Code of Practice for Information Security Management: http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm


PART VII

Practice Exams and Answers

Practice Exam 1
Practice Exam 1 Answer Key
Practice Exam 2
Practice Exam 2 Answer Key


Practice Exam 1

The 100 multiple-choice questions provided here help you determine how prepared you are for the actual exam and which topics you need to review further. Write down your answers on a separate sheet of paper so that you can take this exam again if necessary. Compare your answers against the answer key that follows this exam.

1. Which of the following are architectural models for the arranging of certificate authorities? (Select all correct answers.)

❍ A. Bridge CA architecture
❍ B. Sub CA architecture
❍ C. Single CA architecture
❍ D. Hierarchical CA architecture

2. Your company is in the process of setting up a DMZ segment. You have to allow secure web traffic in the DMZ segment. Which TCP port do you have to open?

❍ A. 110
❍ B. 139
❍ C. 25
❍ D. 443

3. You are in sales and you receive an email telling you about an easy way to make money. The email instructs you to open the attached letter of intent, read it carefully, and then reply to the email. Which of the following should you do?

❍ A. Open the letter of intent, read it, and reply to the email.
❍ B. Forward this great offer to your friends and co-workers.
❍ C. Notify your system administrator of the email.
❍ D. Delete the email and reboot your computer.

4. You have an FTP server that needs to be accessed by both employees and external customers. What type of architecture should be implemented?

❍ A. Bastion host
❍ B. Screened subnet
❍ C. Screened host
❍ D. Bastion subnet

5. The main fan in your server died on Wednesday morning. It will be at least two days before it can be replaced. You decide to use another server instead, but need to restore the data from the dead one. You have been doing differential backups, and the last full backup was performed on Friday evening. The backup doesn’t run on weekends. How many backup tapes will you need to restore the data?

❍ A. Two
❍ B. Four
❍ C. One
❍ D. Three

6. You are planning to set up a network for remote users to use their own Internet connections to connect to shared folders on the network. Which technology would you implement?

❍ A. DMZ
❍ B. VPN
❍ C. VLAN
❍ D. NAT

7. What type of algorithm is SHA-1?

❍ A. Asymmetric encryption algorithm
❍ B. Digital signature
❍ C. Hashing algorithm
❍ D. Certificate authority

8. Which of the following is an effective way to get information in crowded places such as airports, conventions, or supermarkets?

❍ A. Social engineering
❍ B. Shoulder surfing
❍ C. Reverse social engineering
❍ D. Phishing

9. Which of the following are not methods for minimizing a threat to a web server? (Choose the two best answers.)

❍ A. Disable all non-web services.
❍ B. Ensure Telnet is running.
❍ C. Disable nonessential services.
❍ D. Enable logging.

10. Trusted Platform Module (TPM) provides for which of the following? (Select two correct answers.)

❍ A. Secure storage of keys
❍ B. Secure software-based authentication
❍ C. Secure storage of passwords
❍ D. Secure network data transfers

11. Separation of duties is designed to guard against which of the following?

❍ A. Social engineering
❍ B. Viruses
❍ C. Fraud
❍ D. Nonrepudiation

12. Which of the following describes a network of systems designed to lure an attacker away from another critical system?

❍ A. Bastion host
❍ B. Honeynet
❍ C. Vulnerability system
❍ D. Intrusion-detection system

13. Which of the following best describes false acceptance?

❍ A. The system recognizes an authorized person and accepts that person.
❍ B. The system detects a legitimate action as a possible intrusion.
❍ C. The system allows an intrusive action to pass as nonintrusive behavior.
❍ D. The system fails to recognize an authorized person and rejects that person.

14. Which of the following attacks is most likely to be successful, even if all devices are properly secured and configured?

❍ A. Trojan horse
❍ B. Mantrap
❍ C. Social engineering
❍ D. All the options are correct

15. When using CHAP, when can the challenge/response mechanism happen?

❍ A. Only at the beginning of the connection
❍ B. At the beginning and the end of the connection
❍ C. Only at the end of the connection
❍ D. At any time during the connection

16. With discretionary access control (DAC), how are access rights to resources determined?

❍ A. Roles
❍ B. Rules
❍ C. Owner discretion
❍ D. Security label

17. Which of the following best describes the difference between AH and ESP?

❍ A. ESP provides authentication, integrity, and nonrepudiation. AH provides authentication, encryption, confidentiality, and integrity protection.
❍ B. AH provides authentication only. ESP provides encryption only.
❍ C. AH provides authentication, integrity, and nonrepudiation. ESP provides authentication, encryption, confidentiality, and integrity protection.
❍ D. ESP provides authentication only. AH provides encryption only.

18. What is a potential concern to weaker encryption algorithms as time goes on? (Choose the best answer.)

❍ A. Performance of the algorithm will worsen over time.
❍ B. Keys generated by users will start to repeat on other users’ systems.
❍ C. Hackers using distributed computing may be able to finally crack an algorithm.
❍ D. All options are correct.

19. Which of the following types of programs can be used to determine whether network resources are locked down correctly?

❍ A. Password sniffers
❍ B. Port scanners
❍ C. Keystroke loggers
❍ D. Cookies

20. You are the network administrator for a small company that has recently been the victim of several attacks. Upon rebuild of the server, which of the following should be the first step?

❍ A. Nonrepudiation
❍ B. Hardening
❍ C. Auditing
❍ D. Hashing

21. Which one of the following types of servers would be the target for an attack where a malicious individual attempts to change information by connecting to port 53?

❍ A. FTP server
❍ B. File server
❍ C. Web server
❍ D. DNS server

22. Ensuring that all data is sequenced, time-stamped, and numbered is a characteristic of which of the following?

❍ A. Data authentication
❍ B. Data integrity
❍ C. Data availability
❍ D. Data confidentiality

23. Which of the following programs can be used for vulnerability scanning to check the security of your servers? (Choose the two best answers.)

❍ A. John the Ripper
❍ B. SATAN
❍ C. L0phtCrack
❍ D. SAINT

24. Which of the following describes a type of algorithm where data is broken into several units of varying sizes (dependent on algorithm) and encryption is applied to those chunks of data?

❍ A. Symmetric encryption algorithm
❍ B. Elliptic curve
❍ C. Block cipher
❍ D. All the options are correct.

25. You are the administrator at a large university. You have received a Class A address from your ISP, and NAT is being used on your network. What range of addresses should you use on your internal network?

❍ A. 10.x.x.x
❍ B. 172.16.x.x
❍ C. 172.31.x.x
❍ D. 192.168.x.x

26. As the network administrator, you are implementing a policy for passwords. What is the best option for creating user passwords?

❍ A. Uppercase and lowercase letters combined with numbers and symbols
❍ B. A randomly generated password
❍ C. A word that is familiar to the user with a number attached to the end
❍ D. The user’s last name spelled backward

27. Which of the following is true of digital signatures? (Choose the two best answers.)

❍ A. They use the skipjack algorithm.
❍ B. They can be automatically time-stamped.
❍ C. They allow the sender to repudiate that the message was sent.
❍ D. They cannot be imitated by someone else.

28. Which of the following are parts of Kerberos authentication? (Choose the two best answers.)

❍ A. Authentication service
❍ B. Time-based induction
❍ C. Ticket-granting service
❍ D. TEMPEST

29. Which of the following must be provided for proper smart card authentication? (Choose the two best answers.)

❍ A. Something you have
❍ B. Something you know
❍ C. Something you are
❍ D. Something you do

30. Which of the following types of attacks can result from the length of variables not being properly checked in the code of a program?

❍ A. Buffer overflow
❍ B. Replay
❍ C. Spoofing
❍ D. Denial of service

31. Which of the following is a method of backup tape rotation based on a mathematical puzzle?

❍ A. Grandfather
❍ B. Tower of Hanoi
❍ C. Tower of Pisa
❍ D. Grandmother

32. Mocmex is considered to be which of the following?

❍ A. Virus
❍ B. Logic bomb
❍ C. Worm
❍ D. Trojan

33. Which of the following are methods used for securing email messages? (Choose the two best answers.)

❍ A. POP3
❍ B. S/MIME
❍ C. PGP
❍ D. SMTP

34. User groups that are built around business units and then have privileges assigned to these groups instead of individual users is an example of which type of management?

❍ A. Role-based privilege management
❍ B. User-based privilege management
❍ C. Group-based privilege management
❍ D. Individual-based privilege management

35. Which of the following statements is true about SSL?

❍ A. SSL provides security for both the connection and the data after it is received.
❍ B. SSL only provides security for the connection, not the data after it is received.
❍ C. SSL only provides security for the data once it is received, not the connection.
❍ D. SSL does not provide security for either the connection or the data after it is received.

36. Of the following, which is a characteristic of a hot site?

❍ A. The facility is equipped with plumbing, flooring, and electricity only.
❍ B. The facility resources are shared by mutual agreement.
❍ C. The facility and equipment are already set up and ready to occupy.
❍ D. The facility is equipped with some resources, but not computers.

37. Which of the following algorithms is not an example of a symmetric encryption algorithm?

❍ A. Rijndael
❍ B. Diffie-Hellman
❍ C. RC6
❍ D. AES

38. The RBAC model can use which of the following types of access? (Choose the three best answers.)

❍ A. Role-based
❍ B. Task-based
❍ C. Lattice-based
❍ D. Discretionary-based

39. You are having problems with access to the company website. When the users try to open the website, they receive an error saying that the site is not found. You go to one of the machines, open a DOS prompt, and type which command to find out what the problem is?

❍ A. Netstat
❍ B. Tracert
❍ C. Ipconfig
❍ D. Nslookup

40. Which of the following statements about Java and JavaScript is true?

❍ A. Java applets can be used to execute arbitrary instructions on the server.
❍ B. JavaScript code can continue running even after the applet is closed.
❍ C. JavaScript can provide access to files of a known name and path.
❍ D. Java applets can be used to send email as the user.
❍ E. Java applets allow access to cache information.

41. Which of the following statements best describes nonrepudiation?

❍ A. A set of mathematical rules used in encryption
❍ B. A means of proving that a transaction occurred
❍ C. A method of hiding data in another message
❍ D. A drive technology used for redundancy and performance improvement

42. LDAP connects by default to which of the following TCP ports?

❍ A. 139
❍ B. 389
❍ C. 110
❍ D. 443

43. Which of the following are not used to verify the status of a certificate? (Select two correct answers.)

❍ A. OCSP
❍ B. CRL
❍ C. OSPF
❍ D. ACL

44. Which of the following is the process of systematically looking for unprotected modems?

❍ A. Sniffing
❍ B. War driving
❍ C. War dialing
❍ D. Social engineering

45. Under mandatory access control, the category of a resource can be changed by whom?

❍ A. All managers
❍ B. Administrators only
❍ C. The owner/creator
❍ D. All users

46. Which of the following ports would be used to remotely access a system?

❍ A. 25
❍ B. 8080
❍ C. 139
❍ D. 3389

47. Which protocol is used to enable remote-access servers to communicate with a central server to authenticate and authorize access to resources?

❍ A. Kerberos
❍ B. IPsec
❍ C. RADIUS
❍ D. PPTP

48. Which of the following are common tools used to conduct vulnerability assessments? (Select all correct answers.)

❍ A. Port scanner
❍ B. Protocol analyzer
❍ C. Network mapper
❍ D. NetStat Performance Monitor

49. Which of the following is a hardware or software solution used to protect a network from unauthorized access?

❍ A. Intrusion-detection system
❍ B. Digital certificate
❍ C. Honeypot
❍ D. Firewall

50. Unauthorized access has been detected on the network. Someone had been logging in as one of the administrative assistants during off hours. Later, you find out she received an email from the network administrator asking her to supply her password so that he could make changes to her profile. What types of attacks have been executed? (Choose two correct answers.)

❍ A. Spoofing
❍ B. Man in the middle
❍ C. Replay
❍ D. Social engineering

51. Which of the following is not true regarding log files?

❍ A. They should be stored and protected on a machine that has been hardened.
❍ B. Log information traveling on the network must be encrypted, if possible.
❍ C. They should be stored in one location.
❍ D. They must be modifiable, and there should be no record of the modification.

52. A CA with multiple subordinate CAs would use which of the following PKI trust models?

❍ A. Cross-certified
❍ B. Hierarchical
❍ C. Bridge
❍ D. Linked

53. Which of the following are reasons why it is unsafe to allow signed code to run on your systems?

❍ A. The fact that the code is signed guarantees only that the code belongs to a certain entity, not that it is absolutely harmless.
❍ B. Malicious users are known to have attempted obtaining legitimate certificates to sign harmful code, with some succeeding.
❍ C. Scripts may be used to employ signed code that comes preinstalled and signed with the operating system.
❍ D. All the options are correct.

54. You have installed a custom monitoring service that reviews logs to watch for the URLs used by the Nimda worm to propagate itself. When the service detects an attack, it sends an email alert. Which of the following types of IDS solutions are you using? (Select two correct answers.)

❍ A. Knowledge-based IDS
❍ B. Behavior-based IDS
❍ C. Network-based IDS
❍ D. Host-based IDS

55. Which of the following is true about fire-suppression systems?

❍ A. A dry-pipe system uses air to suppress fire, whereas a wet-pipe system uses water.
❍ B. A dry-pipe system uses dry chemicals, whereas a wet-pipe system uses wet chemicals.
❍ C. A wet-pipe system has water in the pipe at all times, whereas in a dry-pipe system, water is used but is held back by a valve until a certain temperature is reached.
❍ D. A wet-pipe system uses wet chemicals that deploy after the pipe loses air pressure, whereas a dry-pipe system uses dry chemicals that deploy before the pipe loses air pressure.

56. You’re the security administrator for a credit union. The users are complaining about the network being slow. It is not a particularly busy time of the day. You capture network packets and discover that there have been hundreds of ICMP packets being sent to the host. What type of attack is likely being executed against your network?

❍ A. Spoofing
❍ B. Man in the middle
❍ C. Denial of service
❍ D. Worm

57. Which of the following PKI functions do SSL/TLS protocols currently support? (Choose the two best answers.)

❍ A. Authentication
❍ B. Certificate revocation lists
❍ C. Encryption
❍ D. Attribute certificates

58. Which of the following is true in regard to the principle of least privilege?

❍ A. It ensures that all members of the user community are given the same privileges as long as they do not have administrator or root access to systems.
❍ B. It requires that a user be given no more privilege than necessary to perform a job.
❍ C. It is a control enforced through written security policies.
❍ D. It assumes that job functions will be rotated frequently.

59. Which of the following is true regarding expiration dates of certificates? (Select all correct answers.)

❍ A. Certificates may be issued for a week.
❍ B. Certificates are only issued at yearly intervals.
❍ C. Certificates may be issued for 20 years.
❍ D. Certificates must always have an expiration date.

60. You have found that someone has been running a program to crack passwords. This has been successful enough that many of the users’ passwords have been compromised. You suspect that several user files have been altered. Which of the following techniques can be implemented to help protect against this type of attack?

❍ A. Increase the value of the password history to 8.
❍ B. Have users present proper identification before being granted a password.
❍ C. Lock the account after three unsuccessful password entry attempts.
❍ D. Require password resets every 60 days.

61. Which of the following best describes a behavior-based IDS?

❍ A. Detects anomalies from normal patterns of operation
❍ B. Identifies signatures within the network packets
❍ C. Relies on the identification of known attack signatures
❍ D. Monitors middleware transactions, such as those between a database and a web user application

62. You need to provide your users with the capability to log on once and retrieve any resource to which they have been granted access, regardless of where the resource is stored. Which configuration will you deploy?

❍ A. Role-based access control (RBAC)
❍ B. Multifactor
❍ C. Biometric
❍ D. Single sign-on (SSO)

63. Which of the following describes the process of documenting how evidence was collected, preserved, and analyzed?

❍ A. Incident response
❍ B. Due diligence
❍ C. Chain of custody
❍ D. Due process

64. You are a consultant for a company that wants to secure its web services and provide a guarantee to its online customers that all credit card information is securely transferred. Which technology would you recommend?

❍ A. S/MIME
❍ B. VPN
❍ C. SSL/TLS
❍ D. SSH

65. You are configuring a security policy for your company. Which of the following components make up the security triad? (Choose the three best answers.)

❍ A. Encryption
❍ B. Confidentiality
❍ C. Integrity
❍ D. Authorization
❍ E. Availability

66. Which of the following is used to check the validity of a digital certificate?

❍ A. Certificate policy
❍ B. Certificate revocation list
❍ C. Corporate security policy
❍ D. Trust model

67. Which of the following statements are true when discussing physical security? (Select all correct answers.)

❍ A. Physical security attempts to control access to data from Internet users.
❍ B. Physical security attempts to control unwanted access to specified areas of a building.
❍ C. Physical security attempts to control the impact of natural disasters on facilities and equipment.
❍ D. Physical security attempts to control internal employee access into secure areas.

68. SMTP relay is a common exploit used among hackers for what purpose?

❍ A. DNS zone transfers
❍ B. Spamming
❍ C. Port scanning
❍ D. Man-in-the-middle attacks

69. CGI scripts can present vulnerabilities in which of the following ways? (Choose the two best answers.)

❍ A. They can be used to relay email.
❍ B. They can be tricked into executing commands.
❍ C. They may expose system information.
❍ D. They store the IP address of your computer.

70. Your company has decided to deploy a hardware token system along with usernames and passwords. This technique of using more than one type of authentication is known as which of the following?

❍ A. Parallel authentication
❍ B. Factored authentication
❍ C. Mutual authentication
❍ D. Multifactor authentication

71. Which of the following algorithms is now known as the Advanced Encryption Standard?

❍ A. Rijndael
❍ B. 3DES
❍ C. RC6
❍ D. Twofish
❍ E. CAST

72. What should you do upon finding out an employee is terminated?

❍ A. Disable the user account and have the data kept for a specified period of time.
❍ B. Maintain the user account and have the data kept for a specified period of time.
❍ C. Disable the user account and delete the user’s home directory.
❍ D. Do nothing until the employee has cleaned out her desk and you get written notification.

73. Which of the following statements best describes the difference between authentication and identification?

❍ A. Authentication is the same as identification.
❍ B. Authentication is a means to verify who you are, whereas identification is what you are authorized to perform.
❍ C. Authentication is the byproduct of identification.
❍ D. Authentication is what you are authorized to perform, whereas identification is a means to verify who you are.

74. Which of the following best describes the process of encrypting and decrypting data using an asymmetric encryption algorithm?

❍ A. Only the public key is used to encrypt, and only the private key is used to decrypt.
❍ B. The public key is used to either encrypt or decrypt.
❍ C. Only the private key is used to encrypt, and only the public key is used to decrypt.
❍ D. The private key is used to decrypt data encrypted with the public key.

75. Which of the following pieces of information are used by a cookie? (Select all correct answers.)

❍ A. The operating system you are running
❍ B. The type of browser you are using
❍ C. Your network login and password
❍ D. The name and IP address of your computer

76. The organization requires a segmented, switched network to separate users based on roles. Which of the following technologies satisfies this requirement?

❍ A. DMZ
❍ B. VPN
❍ C. VLAN
❍ D. NAT

77. Your company is in the process of setting up an application that tracks open shares on your network. Which ports would need to be accessible? (Choose two correct answers.)

❍ A. 161
❍ B. 139
❍ C. 138
❍ D. 162

78. Which of the following best describes FTP communications? (Choose the two best answers.)

❍ A. Authentication credentials are sent in clear text.
❍ B. Authentication credentials are encrypted.
❍ C. It is vulnerable to sniffing and eavesdropping.
❍ D. It is very secure and not vulnerable to either sniffing or eavesdropping.

79. Which of the following best describes the relationship between centralized and decentralized security?

❍ A. Centralized is more secure but less scalable, whereas decentralized security is less secure but more scalable.
❍ B. Decentralized security is more scalable and more secure than centralized.
❍ C. Centralized security is more scalable and less secure than decentralized.
❍ D. Centralized and decentralized have about the same security, but centralized is more scalable.

80. You are establishing a secured command-line connection to a remote server. Which of the following utilities would you use?

❍ A. rlogin
❍ B. slogin
❍ C. rsh
❍ D. rcp
❍ E. scp

81. Which of the following components are methods of addressing risk? (Choose the three best answers.)

❍ A. Transferring the risk
❍ B. Mitigating the risk
❍ C. Vetting the risk
❍ D. Accepting the risk

82. Which of the following is an exposed device used as the foundation for firewall software?

❍ A. Bastion host
❍ B. Screened subnet
❍ C. Screened host
❍ D. Bastion subnet

83. Which of the following best describes the process whereby a user is able to perform administrator functions by exploiting a known weakness in the operating system code?

❍ A. Privilege management
❍ B. Trojan horse
❍ C. Privilege escalation
❍ D. Single sign-on

84. Which of the following best describes a vulnerability?

❍ A. A weakness in the configuration of software or hardware that could allow a threat to damage the network
❍ B. Any agent that could do harm to your network or its components
❍ C. The likelihood of a particular event happening given an asset and a threat
❍ D. Measures the cost of a threat attacking your network

85. Which of the following best describes an attack where traffic patterns indicate an unauthorized service is relaying information to a source outside the network?

❍ A. Spoofing
❍ B. Man in the middle
❍ C. Replay
❍ D. Denial of service

86. Which of the following looks at the long-term actions taken by an organization after an incident?

❍ A. Emergency response plan
❍ B. Security plan
❍ C. Disaster recovery plan
❍ D. Business continuity plan

87. Who is ultimately responsible for setting the tone of the role of security in an organization?

❍ A. Staff
❍ B. Management
❍ C. Consultants
❍ D. Everyone

88. You download and install a newly released Microsoft server patch, and several of the servers stop functioning properly. What should your first step be to return the servers to a functional state? (Choose the best answer.)

❍ A. Reload the patch and see whether the problems stop.
❍ B. Roll back the changes.
❍ C. Call the manufacturer and see whether there is a fix.
❍ D. Document the changes and troubleshoot.

89. Your company is in the process of setting up an IDS system. You want to scan for irregular header lengths and information in the TCP/IP packet. Which IDS methodology is most suitable for this purpose?

❍ A. Heuristic analysis
❍ B. Anomaly analysis
❍ C. Stateful inspection
❍ D. Pattern matching

90. Which of the following is used to provide centralized management of computers through a remotely installed agent?

❍ A. SMTP
❍ B. SNMP
❍ C. LDAP
❍ D. L2TP

91. What are the major security concerns with using DHCP? (Choose the two best answers.)

❍ A. The network is vulnerable to man-in-the-middle attacks.
❍ B. Anyone hooking up to the network can automatically receive a network address.
❍ C. Clients might be redirected to an incorrect DNS address.
❍ D. There are no security concerns with using DHCP.

92. Which of the following is the security layer of the Wireless Application Protocol (WAP)?

❍ A. Wireless Security Layer (WSL)
❍ B. Wireless Transport Layer (WTL)
❍ C. Wireless Transport Layer Security (WTLS)
❍ D. Wireless Security Layer Transport (WSLT)

93. Which of the following are tunneling protocols used in VPN connections? (Select all correct answers.)

❍ A. PPTP
❍ B. L2TP
❍ C. CHAP
❍ D. IPsec

94. Which of the following statements best describes the behavior of a worm?

❍ A. A worm is self-replicating and needs no user interaction.
❍ B. A worm attacks only after it is triggered.
❍ C. A worm attacks system files only.
❍ D. A worm attempts to hide from antivirus software by garbling its code.

95. Which of the following best describes the difference between TACACS and RADIUS?

❍ A. RADIUS is an authentication protocol; TACACS is an encryption protocol.
❍ B. RADIUS is an actual Internet standard; TACACS is not.
❍ C. TACACS is an actual Internet standard; RADIUS is not.
❍ D. RADIUS is an encryption protocol; TACACS is an authentication protocol.

96. In which of the following types of architecture is the user responsible for the creation of the private and public key?

❍ A. Decentralized key management
❍ B. Centralized key management
❍ C. Revocation key management
❍ D. Multilevel key management

97. Which of the following is the weakest link in a security policy?

❍ A. Management
❍ B. A misconfigured firewall
❍ C. An unprotected web server
❍ D. Uneducated users

98. Which of the following is true of Pretty Good Privacy (PGP)? (Choose the two best answers.)

❍ A. It uses a web of trust.
❍ B. It uses a hierarchical structure.
❍ C. It uses public key encryption.
❍ D. It uses private key encryption.

99. Which of the following is the type of algorithm used by MD5?

❍ A. Block cipher algorithm
❍ B. Hashing algorithm
❍ C. Asymmetric encryption algorithm
❍ D. Cryptographic algorithm

100. You are the consultant for a small manufacturing company that wants to implement a backup solution. Which of the following methods is the best choice for this type of organization?

❍ A. Site redundancy
❍ B. Offsite, secure recovery
❍ C. Onsite backup
❍ D. High-availability systems

Practice Exam 1 Answer Key

Answers at a Glance

1. A, C, and D
2. D
3. C
4. B
5. A
6. B
7. C
8. B
9. B and D
10. A and C
11. C
12. B
13. A
14. C
15. D
16. C
17. C
18. C
19. B
20. B
21. D
22. B
23. B and D
24. C
25. A
26. A
27. B and D
28. A and C
29. A and B
30. A
31. B
32. D
33. B and C
34. C
35. B
36. C
37. B
38. A, B, and C
39. B
40. C
41. B
42. B
43. C and D
44. C
45. B
46. D
47. C
48. A, B, and C
49. D
50. A and D
51. D
52. B
53. D
54. A and D
55. C
56. C
57. A and C
58. B
59. A, C, and D
60. C
61. A
62. D
63. C
64. C
65. B, C, and E
66. B
67. B, C, and D
68. B
69. B and C
70. D
71. A
72. A
73. D
74. D
75. A, B, and D
76. C
77. B and C
78. A and C
79. A
80. B
81. A, B, and D
82. A
83. C
84. A
85. B
86. D
87. B
88. B
89. C
90. B
91. B and C
92. C
93. A, B, and D
94. A
95. B
96. A
97. D
98. A and C
99. B
100. C

Answers with Explanations

Question 1 Answers A, C, and D are correct. These answers all represent legitimate trust models. Another common model also exists, called cross-certification; however, it usually makes more sense to implement a bridge architecture over this type of model. Answer B is incorrect because it does not represent a valid trust model.

Question 2 Answer D is correct. Port 443 is used by HTTPS. Answer A is incorrect because Port 110 is used for POP3 incoming mail. Answer B is incorrect because UDP uses port 139 for network sharing. Port 25 is used for SMTP outgoing mail; therefore, answer C is incorrect.

Question 3 Answer C is correct. The email is likely a hoax; and although the policies may differ among organizations, given this scenario and the available choices, the best answer is to notify the system administrator. Answers A, B, and D are all therefore incorrect.

Question 4 Answer B is correct. A screened subnet is an isolated subnet between the Internet and the internal network. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. A bastion host on the private network communicating directly with a border router is a screened host; therefore, answer C is incorrect. Answer D is a fictitious term and is therefore incorrect, too.

Question 5 Answer A is correct. You will need the full backup from Friday and the differential tape from Tuesday. Answer B is incorrect because four tapes are too many for any type of backup because Wednesday’s backup has not been done yet. Answer C is incorrect because one tape would be enough only if full backups were done daily. Answer D is incorrect because three would be the number of tapes needed if the backup type were incremental.

Question 6 Answer B is correct. A VPN is used to provide secure remote access services to the company’s employees and agents. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 7 Answer C is correct. SHA-1 is an updated version of Secure Hash Algorithm (SHA), which is used with DSA. Answer A is incorrect because this is an algorithm that uses a public and private key pair and is not associated with SHA-1. Answer B is incorrect because a digital signature is not an encryption algorithm. Answer D is incorrect because a certificate authority accepts or revokes certificates.

Question 8 Answer B is correct. Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Answer A is incorrect because social engineering is when an intruder tricks a user into giving him private information. Answer C is incorrect because reverse social engineering involves an attacker convincing the user that she is a legitimate IT authority, causing the user to solicit her assistance. Answer D is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email.

Question 9 Answers B and D are correct. Having Telnet enabled presents security issues and is not a primary method for minimizing threat. Logging is important for secure operations and is invaluable when recovering from a security incident. However, it is not a primary method for reducing threat. Answer A is incorrect because disabling all non-web services may provide a secure solution for minimizing threats. Answer C is incorrect because each network service carries its own risks; therefore, it is important to disable all nonessential services.

Question 10 Answers A and C are correct. Trusted Platform Module (TPM) provides for the secure storage of keys, passwords, and digital certificates, and is hardware based, typically attached to the circuit board of the system. In addition, TPM can be used to ensure that a system is authenticated and ensure that the system has not been altered or breached. Answer B is incorrect because TPM is hardware-based. Answer D is incorrect because TPM is system related, not network related.

Question 11 Answer C is correct. Separation of duties is considered valuable in deterring fraud because fraud can occur if an opportunity exists for collaboration between various job-related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. Answer A is incorrect because social engineering relies on the faults in human behavior. Answer B is incorrect because a virus is designed to attach itself to other code and replicate. Answer D is incorrect because nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message.

Question 12 Answer B is correct. Honeynets are collections of honeypot systems interconnected to create networks that appear to be functional and that may be used to study an attacker’s behavior within the network. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. Answer C is incorrect because it is a made-up term. Answer D is incorrect because an IDS is used for intrusion detection.

Question 13 Answer A is correct. The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt; that is, will allow the access attempt from an unauthorized user. A false positive error occurs when the intrusion-detection system detects a legitimate action as a possible intrusion; therefore, answer B is incorrect. Answer C is incorrect because it describes a false negative error. Answer D is incorrect because it describes false rejection.

Question 14 Answer C is correct. In computer security systems, social engineering attacks are usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. Answer A is incorrect because a Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it is executed. Answer B is incorrect because a mantrap is a physical barrier. Finally, because there is only one correct answer, answer D is incorrect.

Question 15 Answer D is correct. Challenge Handshake Authentication Protocol (CHAP) continues the challenge/response activity throughout the connection to be sure that the user holds the proper credentials to communicate with the authentication server. This makes answers A, B, and C incorrect.

Question 16 Answer C is correct. Discretionary access control (DAC) enables the owner of the resources to specify who can access those resources. Answer A is incorrect because roles are used to group access rights by role name; the use of resources is restricted to those associated with an authorized role. Answer B is incorrect because rules are mandatory access control. Answer D is incorrect because security labels are also used in mandatory access control.

Question 17 Answer C is correct. AH provides authentication, integrity, and nonrepudiation. ESP provides authentication, encryption, confidentiality, and integrity protection. Answers A, B, and D are incorrect because AH provides authentication, integrity, and nonrepudiation. ESP provides authentication, encryption, confidentiality, and integrity protection.

Question 18 Answer C is correct. As computers get faster, so does the ability for hackers to use distributed computing as a method of breaking encryption algorithms. With computer performance, in some cases, increasing by 30% to 50% a year on average, this could become a concern for some older algorithms. Answer A is incorrect because weak keys exhibit regularities, and the weakness has nothing to do with performance. Answer B is incorrect because the weakness in keys comes from a block cipher regularity in the encryption of secret keys. The keys will not repeat themselves on other machines. Answer D is incorrect because there is only one correct answer.

Question 19 Answer B is correct. A port scanner is a program that searches for unsecured ports. The number of open ports can help determine whether the network is locked down enough to deter malicious activity. Answer A is incorrect because password sniffers monitor network traffic and record the packets sending passwords. Answer C is incorrect because a keystroke logger is able to capture passwords locally on the computer as they are typed and record them. Answer D is incorrect because cookies are small text files used to identify a web user and enhance the browsing experience.

Question 20 Answer B is correct. System hardening is a process by which all unnecessary services are removed and all appropriate patches applied to make the system more secure. Answer A is incorrect because nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message. Answer C is incorrect because auditing is a process whereby events are traced in log files. Answer D is incorrect because hashing is an algorithm method.

Question 21 Answer D is correct. DNS is the TCP/UDP service that runs on port 53. Answer A is incorrect because FTP is a TCP service that runs on port 21 (or 20). Sharing runs on UDP port 139; therefore, answer B is incorrect. HTTP (web server) is a TCP service that runs on port 80; therefore, answer C is incorrect.

Question 22 Answer B is correct. Data integrity ensures that data is sequenced, timestamped, and numbered. Answer A is incorrect because data authentication ensures that the data is properly identified. Answer C is incorrect because data availability ensures that no disruption in the process occurs. Answer D is incorrect because data confidentiality ensures that the data is available only to authorized users.

Question 23 Answers B and D are correct. Both SATAN and SAINT are vulnerability testing tools. Answers A and C are incorrect because John the Ripper and L0phtCrack are both used to crack passwords.

Question 24 Answer C is correct. When data that is going to be encrypted is broken into chunks of data and then encrypted, the type of encryption is called a block cipher. Although many symmetric algorithms use a block cipher, answer A is incorrect because block cipher is a more precise and accurate term for the given question. Answer B is incorrect because elliptic curve is a type of asymmetric encryption algorithm. Answer D is an incorrect choice because only one answer is correct.

Question 25 Answer A is correct. In a Class A network, valid host IDs are from 10.0.0.1 to 10.255.255.254. Answers B and C are incorrect because they are both Class B addresses; valid host IDs are from 172.16.0.1 through 172.31.255.254. Answer D is incorrect because it is a Class C address. In a Class C network, valid host IDs are from 192.168.0.1 to 192.168.255.254.

Question 26 Answer A is correct. A combination of both uppercase and lowercase letters along with numbers and symbols will make guessing the password difficult. It will also take longer to crack using brute force. Answer B is incorrect because randomly generated passwords are difficult if not impossible for users to remember. This causes them to be written down, thereby increasing the risk of other people finding them. Answers C and D are incorrect because both can easily be guessed or cracked.

Question 27 Answers B and D are correct. A digital signature is applied to a message, which keeps it from being modified or imitated. Digital signatures can also be automatically time-stamped. Answer A is incorrect because digital signatures are based on an asymmetric scheme. Skipjack is a symmetric key algorithm designed by the U.S. National Security Agency (NSA). Answer C is incorrect because digital signatures allow for nonrepudiation. This means the sender cannot deny that the message was sent.

Question 28 Answers A and C are correct. The Key Distribution Center (KDC) used by Kerberos provides authentication services and ticket-distribution services. Time-based induction is a virtual machine used in IDS; therefore, answer B is incorrect. Answer D is incorrect because TEMPEST is the study and control of electrical signals.

Question 29 Answers A and B are correct. A smart card provides for two-factor authentication. The user must enter something he knows (a user ID or PIN) to unlock the smart card, which is something he has. A biometric technique based on distinct characteristics, such as a fingerprint scan, is considered something you are; therefore, answer C is incorrect. Answer D has nothing to do with authentication and is therefore incorrect.

Question 30 Answer A is correct. Buffer overflows are a result of programming flaws that allow for too much data to be sent. When the program does not know what to do with all this data, it crashes, leaving the machine in a state of vulnerability. Answer B is incorrect because a replay attack records and replays previously sent valid messages. Answer C is incorrect because spoofing involves modifying the source address of traffic or the source of information. Answer D is incorrect because the purpose of a DoS attack is to deny the use of resources or services to legitimate users.

Question 31 Answer B is correct. The Tower of Hanoi is based on the mathematics of the Tower of Hanoi puzzle, with what is essentially a recursive method. It is a “smart” way of archiving an effective number of backups and the ability to go back over time, but it is more complex to understand. Answer A is incorrect because grandfather-father-son backup refers to the most common rotation scheme for rotating backup media. Originally designed for tape backup, it works well for any hierarchical backup strategy. The basic method is to define three sets of backups, such as daily, weekly, and monthly. Answers C and D are incorrect because they are made-up methods that do not exist.

Question 32 Answer D is correct. Mocmex is a Trojan found in digital photo frames and collects online game passwords. Because Mocmex is a Trojan, answers A, B, and C are incorrect.

Question 33 Answers B and C are correct. PGP (Pretty Good Privacy) uses encryption to secure email messages, as does S/MIME. Answers A and D are incorrect because these are both methods for sending unsecured email.

Question 34 Answer C is correct. Group-based privilege management focuses on business units such as marketing to assign and control users. Answer A is incorrect because functions such as server maintenance are role-based. Answer B is incorrect because users get to decide who has access to files used and the level of permissions that will be set. Answer D is incorrect because users are directly assigned privilege based on job function or business need.

Question 35 Answer B is correct. Secure Sockets Layer (SSL) provides security only for the connection, not the data after it is received. The data is encrypted while it is being transmitted, but when received by the computer, it is no longer encrypted. Therefore, answers A, C, and D are incorrect.

Question 36 Answer C is correct. A hot site is a facility and equipment that are already set up and ready to occupy. Answer A is incorrect because a cold site requires the customer to provide and install all the equipment needed for operations. Answer B is incorrect because it describes a mutual agreement. Answer D is incorrect because it describes a warm site.

Question 37 Answer B is correct. Diffie-Hellman uses public and private keys, so it is considered an asymmetric encryption algorithm. Because Rijndael and AES are now one and the same, they both can be called symmetric encryption algorithms; therefore, answers A and D are incorrect. Answer C is incorrect because RC6 is symmetric, too.

Question 38 Answers A, B, and C are correct. The RBAC model can use role-based access, determined by the role the user has, task-based access, determined by the task assigned to the user, or lattice-based access, determined by the sensitivity level assigned to the role. Discretionary-based access involves the explicit specification of access rights for accounts with regards to each particular resource; therefore, answer D is incorrect.

Question 39 Answer B is correct. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Answer A is incorrect because Netstat displays all the ports on which the computer is listening. Answer C is incorrect because Ipconfig is used to display the TCP/IP settings on a Windows machine. Answer D is also incorrect because Nslookup is a command-line utility used to troubleshoot a domain name system (DNS) database.

Question 40 Answer C is correct. An early exploit of JavaScript allowed access to files located on the client’s system if the name and path were known. Answers A, D, and E are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer B is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.

Question 41 Answer B is correct. Nonrepudiation means that neither a sender nor a receiver can deny sending or receiving a message or data. Answer A is incorrect because it describes an algorithm. Answer C is incorrect because it describes steganography. Answer D is incorrect because it describes RAID.

Question 42 Answer B is correct. Lightweight Directory Access Protocol (LDAP) connects by default to TCP port 389. Answer A is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because Port 110 is used for POP3 incoming mail. Answer D is incorrect because Port 443 is used for HTTPS.

Question 43 Answers C and D are correct. OSPF is a routing protocol, and an ACL is used to define access control. Answers A and B are incorrect because the Online Certificate Status Protocol and the certificate revocation list (CRL) are used to verify the status of digital certificates.

Question 44 Answer C is correct. War dialing is the process of systematically dialing a range of phone numbers hoping to gain unauthorized access to a network via unprotected dial-in modems. Sniffing is the process of capturing packets traveling across the network; therefore, answer A is incorrect. Answer B is incorrect because war driving involves using wireless technology to connect to unprotected networks from outside the building. Social engineering preys upon weaknesses in the human factor; therefore, answer D is incorrect.

Question 45 Answer B is correct. With mandatory access controls, only administrators may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control. Therefore, answers A, C, and D are incorrect.

Question 46 Answer D is correct. Remote Desktop Protocol uses port 3389. Answer A is incorrect because SMTP uses port 25. Answer B is incorrect because port 8080 is used for HTTP. Answer C is incorrect because port 139 is used for NetBIOS traffic.

Question 47 Answer C is correct. Remote Authentication Dial In User Service (RADIUS) is a protocol for allowing authentication, authorization, and configuration information between an access server and a shared authentication server. Answer A is incorrect because Kerberos is a network authentication protocol that uses secret key cryptography. Answer B is incorrect because IPsec is used for the tunneling and transport of data. PPTP is an Internet tunneling protocol; therefore, answer D is incorrect.

Question 48 Answers A, B, and C are correct. Some of the more common tools used to conduct vulnerability assessments include port scanners, vulnerability scanners, protocol analyzers, and network mappers. Answer D is incorrect. NetStat Performance Monitor is used to monitor individual system components, not test for vulnerabilities.

Question 49 Answer D is correct. A firewall is a hardware device or a software program used to prevent a network from unauthorized access. Many firewalls are also designed to prevent unauthorized traffic from leaving the network. Answer A is incorrect because intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer B is also incorrect because a digital certificate electronically identifies an individual. Answer C is incorrect because a honeypot is used as a decoy to lure malicious attacks.

Question 50 Answers A and D are correct. Spoofing involves modifying the source address of traffic or source of information. In this instance, the email was spoofed to make the user think it came from the administrator. By replying to the request, the user was tricked into supplying compromising information, which is a classic sign of social engineering. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. In a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later; therefore, answer C is incorrect.

Question 51 Answer D is correct. Logs should be centralized for easy analysis and stored on a machine that has been hardened, logging information traveling on the network should be encrypted if possible, and log files must not be modifiable without a record of the modification. Therefore, answers A, B, and C are incorrect.

Question 52 Answer B is correct. A PKI structure with a single CA and multiple subordinate CAs would benefit the most from a hierarchical structure. This is because it allows the top CA to be the root CA and control trust throughout the PKI. Answer A is incorrect because a cross-certified model is where CAs have a trust relationship with each other; they trust certificates from other CAs. Answer C is incorrect because a bridge is a central point for a cross-certified model. Answer D is incorrect because linked is not a PKI trust model.

Question 53 Answer D is correct. All the statements are good reasons why it is unsafe to run signed code on your system.

Question 54 Answers A and D are correct. This solution describes a host-based solution identifying a known attack signature. Answer B is incorrect because no baselining is required for this solution. Answer C is incorrect because the agent does not attempt to capture packet data; it just reviews the web service logs on the local system.

Question 55 Answer C is correct. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. Therefore, answers A, B, and D are incorrect.

Question 56 Answer C is correct. A DoS attack attempts to block service or reduce activity on a host by sending requests directly to the victim. Answer A is incorrect because spoofing involves modifying the source address of traffic or the source of information. Answer B is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer D is incorrect because a worm is a form of malicious code.

Question 57 Answers A and C are correct. SSL/TLS supports authentication and encryption. SSL/TLS does not support either certificate revocation lists (CRLs) or attribute certificates; therefore, answers B and D are incorrect.

Question 58 Answer B is correct. Users should not be given privileges above those necessary to perform their job functions. The other choices do not adequately and accurately describe the principle of least privilege. Therefore, answers A, C, and D are incorrect.

Question 59 Answers A, C, and D are correct. Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory and can be from a very short period of time up to a number of years. This makes answer B incorrect because it is not necessary that the certificates be issued yearly.

Question 60 Answer C is correct. By an account being locked after a few consecutive attempts, the effectiveness of a brute-force attack is reduced. Increasing the value of the password history only prevents the user from using previously used passwords; therefore, answer A is incorrect. Having an employee show proper identification does nothing to reduce brute-force attacks; therefore, answer B is incorrect. The use of password resets is an adequate mechanism in case a password has been compromised; however, it does little to circumvent brute-force attacks; therefore, answer D is incorrect.

Question 61 Answer A is correct. Behavior-based IDSs use the detection of anomalies from normal patterns of operation to identify new threats. Answer B is incorrect because it describes network-based IDS (NIDS). Answer C is incorrect because it describes knowledge-based detection. Answer D is incorrect because it describes application protocol-based intrusion detection.

Question 62 Answer D is correct. The ability to log on once and gain access to all needed resources is referred to as single sign-on. Answer A is incorrect because it describes an access control method. Answer B is incorrect because multifactor authentication uses two or more authentication techniques. Answer C is incorrect because biometrics relate to authentication.

Question 63 Answer C is correct. Chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect because it describes how an organization responds to an incident. Answer B is incorrect because it describes processes for compliance. Answer D is incorrect because it describes employee rights.

Question 64 Answer C is correct. SSL/TLS is used to secure web communications and ensure that customer information is securely transferred. Answer A is incorrect because S/MIME is used to secure email communications. Answer B is incorrect because VPN is not used to secure public anonymous connections to web servers but instead is used to provide secure remote-access services to the company’s agents. Answer D is incorrect because SSH is used to secure file transfers and terminal sessions.

Question 65 Answers B, C, and E are correct. Confidentiality, integrity, and availability make up the security triad. Answers A and D are incorrect because they are not associated with the security triad.

Question 66 Answer B is correct. The certificate revocation list (CRL) provides a detailed list of all the certificates that are no longer valid for a CA. Answers A and D are both incorrect because these terms relate to the policies and practices of certificates and the issuing authorities. Answer C is incorrect because a corporate security policy is a set of rules and procedures that relate to how information is protected.

Question 67 Answers B, C, and D are correct. Natural disasters, unwanted access, and user restrictions are all physical security issues. Preventing Internet users from getting to data is data security, not physical security; therefore, answer A is incorrect.

Question 68 Answer B is correct. SMTP relay is a process whereby port 25 is used to forward email. If a hacker can exploit your system, he can send junk mail through your server. Answer A is incorrect because a DNS zone transfer is when a DNS server transfers its database information to another DNS server. DNS servers are used for name resolution, not mail. Answer C is incorrect because port scanning involves a utility being used to scan a machine for open ports that can be exploited. Answer D is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts.

Question 69 Answers B and C are correct. Common Gateway Interface (CGI) is a standard that allows a web server to execute a separate program to output content. Because of this, CGI scripts can be tricked into executing commands and could also expose system information. Answer A is incorrect because SMTP is used for email relay. Answer D is incorrect because cookies store the IP address of your computer.

Question 70 Answer D is correct. Multifactor authentication uses two or more factors for completing the authentication process. Mutual authentication is a process that authenticates both sides of a connection; therefore, answer C is incorrect. Answers A and B are fictitious terms and are therefore incorrect, too.

Question 71 Answer A is correct. Rijndael was the winner of the new AES standard. Although RC6 and Twofish competed for selection, they were not chosen. 3DES and CAST did not participate; therefore, answers B, C, D and E are incorrect.

Question 72 Answer A is correct. A record of user logins with time and date stamps must be kept. User accounts should be disabled and data kept for a specified period of time as soon as employment is terminated. Answers B, C, and D are incorrect because they are not actions you should take when you find out an employee has been terminated.

Question 73 Answer D is correct. Authentication is what you are authorized to perform, access, or do. The two processes are not the same; therefore, answer A is incorrect. Identification is a means to verify who you are; therefore, answers B and C are incorrect.

Question 74 Answer D is correct. When encrypting and decrypting data using an asymmetric encryption algorithm, you use only the private key to decrypt data encrypted with the public key. Answers A and B are both incorrect because in public key encryption, if one key is used to encrypt, you can use the other to decrypt the data. Answer C is incorrect because the public key is not used to decrypt the same data it encrypted.

Question 75 Answers A, B, and D are correct. Cookies are used in web page viewing. Cookies use the name and IP address of your machine, your browser type, your operating system, and the URLs of the last pages you visited. Answer C is incorrect. Cookies do not use the network login or password.

Question 76 Answer C is correct. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a VPN is used to provide secure remote-access services to the company’s employees and agents. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 77 Answers B and C are correct. UDP uses port 139 for network sharing, and port 138 is used to allow NetBIOS traffic for name resolution. Answers A and D are incorrect. UDP ports 161 and 162 are used by SNMP.

Question 78 Answers A and C are correct. FTP is vulnerable because the authentication credentials are sent in clear text, which makes it vulnerable to sniffing and eavesdropping. Answers B and D are incorrect because they do not accurately describe FTP.

Question 79 Answer A is correct. Centralized security requires that a single group of administrators manages privileges and access. This makes the model more secure but less scalable than decentralized security, which is made up of teams of administrators trained to implement security for their area. Therefore, answers B, C, and D are incorrect.

Question 80 Answer B is correct. The slogin SSH utility provides secured command-line connections to a remote server. Answers A, C, and D are incorrect because rlogin, rsh, and rcp do not use secured connections. Answer E is incorrect because the scp utility is used for secure file copying.

Question 81 Answers A, B, and D are correct. Risk can be accepted, mitigated, transferred, or eliminated. Answer C is incorrect. Vetting often refers to performing a background check on someone and has nothing to do with risk.

Question 82 Answer A is correct. A bastion host is the first line of security that a company allows to be addressed directly from the Internet. A screened subnet is an isolated subnet between the Internet and internal network; therefore, answer B is incorrect. A bastion host on the private network communicating directly with a border router is a screened host; therefore, answer C is incorrect. Bastion subnet is a fictitious term; therefore, answer D is incorrect.

Question 83 Answer C is correct. The process of elevating privilege or access is referred to as privilege escalation. Answer A is incorrect because privilege management has to do with programming functions. A Trojan horse is a program used to perform hidden functions; therefore, answer B is incorrect. The ability to log on once and gain access to all needed resources is referred to as single sign-on; therefore, answer D is incorrect.

Question 84 Answer A is correct. A vulnerability is a weakness in hardware or software. Answer B is incorrect because it describes a threat. Answer C is incorrect because it describes a risk. Answer D is incorrect because it describes exposure factor.

Question 85 Answer B is correct. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because in a replay, an attacker intercepts traffic between two endpoints and retransmits or replays it later. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.

Question 86 Answer D is correct. A business continuity plan looks at the long-term actions taken by a company after a disaster has taken place. Answer A is incorrect because emergency response can be a part of disaster recovery. Answer B is incorrect because it deals with the security of a company as a whole, not disaster planning. Answer C is incorrect because a DRP is an immediate action plan to be implemented following a disaster.

Question 87 Answer B is correct. It is management’s responsibility to set the tone for what type of role security plays in the organization. Answers A, C, and D are incorrect because, although they all play a part in security, the ultimate responsibility lies with management.

Question 88 Answer B is correct. Rolling back changes should be the next step to recovering the servers and making them quickly available for users. Answers A, C, and D are incorrect. Even though they are all options, answer B is the best choice.

Question 89 Answer C is correct. Stateful inspection will look for strings in the data portion of the TCP/IP packet stream on a continuous basis. Answer A is incorrect because heuristics is all about detecting virus-like behavior, rather than looking for specific signatures. Answer B is incorrect because anomaly analysis is used to detect abnormal behavior patterns. Answer D is incorrect because pattern matching searches through thousands of patterns, including popular, obscure, and discontinued patterns.

Question 90 Answer B is correct. Simple Network Management Protocol (SNMP) was developed specifically to manage devices. Answer A is incorrect because Simple Mail Transfer Protocol (SMTP) is a mail protocol used for outgoing mail service. Answer C is incorrect because Lightweight Directory Access Protocol (LDAP) is a directory services protocol. Answer D is incorrect because L2TP is used for packet encapsulation.

Question 91 Answers B and C are correct. Because DHCP dynamically assigns IP addresses, anyone hooking up to the network can be automatically configured for network access. Answer A is incorrect because a man-in-the-middle attack is commonly used to gather information in transit between two hosts. This is a media concern, not a DHCP issue. Answer D is incorrect because there are security concerns with using DHCP.

Question 92 Answer C is correct. Wireless Transport Layer Security (WTLS) is the security layer for WAP applications. Even though answer B is part of the WAP, it is not the security layer. Answers A and D are incorrect because the Wireless Security Layer and Wireless Security Layer Transport don’t exist.

Question 93 Answers A, B, and D are correct. PPTP, L2TP, and IPsec are the three main tunneling protocols used in VPN connections. Answer C is incorrect because CHAP is an authentication protocol that uses a challenge/response mechanism.

Question 94 Answer A is correct. A worm is similar to a virus and Trojan horse, except that it replicates by itself without any user interaction; therefore, answer B is incorrect. A worm can propagate via email, TCP/IP, and disk drives; therefore, answer C is incorrect. Answer D is incorrect because it describes a self-garbling virus, not a worm.

Question 95 Answer B is correct. TACACS is a client/server protocol that provides the same functionality as RADIUS, except that RADIUS is an actual Internet standard; therefore, answer C is incorrect. Answers A and D are incorrect because both RADIUS and TACACS are authentication protocols.

Question 96 Answer A is correct. In a decentralized key-management scheme, the user will create both the private and public key and then submit the public key to the CA to allow it to apply its digital signature after it has authenticated the user. Answer B is incorrect because centralized key management allows the organization to have complete control over the creation, distribution, modification, and revocation of the electronic credentials that it issues. Answers C and D are incorrect because they are nonexistent terms.

Question 97 Answer D is correct. Users who are uneducated about security policies are the weakest links. Answer A is incorrect because management is responsible for setting the security policies of a company. Answers B and C are incorrect because they are a result of poor security policies.

Question 98 Answers A and C are correct. PGP uses a web of trust rather than the hierarchical structure. It also uses public key encryption. Based on this, answers B and D are incorrect.

Question 99 Answer B is correct. Although the Message Digest (MD) series of algorithms is classified globally as a symmetric key encryption algorithm, the correct answer is hashing algorithm, which is the method that the algorithm uses to encrypt data. Answer A is incorrect because a block cipher divides the message into blocks of bits. Answer C is incorrect because MD5 is a symmetric key algorithm, not an asymmetric encryption algorithm (examples of this include RC6, Twofish, and Rijndael). Answer D is incorrect because cryptographic algorithm is a bogus term.

Question 100 Answer C is correct. Onsite backup is the most common way for companies to protect their data. Although the other answers are viable solutions, onsite backup is the best choice for a small company. Therefore, answers A, B, and D are incorrect.

24_078973804x_pe2.qxd

10/30/08

9:14 PM

Page 411

Practice Exam 2

The 125 multiple-choice questions provided here help you determine how prepared you are for the actual exam and which topics you need to review further. Write down your answers on a separate sheet of paper so that you can take this exam again if necessary. Compare your answers against the answer key that follows this exam.

1. What is the name given to the process of collecting, processing, and storing evidence, as well as analyzing computer systems after an attack has taken place?

❍ A. Discovery
❍ B. Due care
❍ C. Due process
❍ D. Forensics

2. A _______ is an agent that could intentionally or unintentionally do harm to your computer systems and network.

❍ A. Threat
❍ B. Risk
❍ C. Vulnerability
❍ D. Both A and B

3. You are the security technician at your company and are directed to implement a virtual private network (VPN). Which of the following would you not consider using because they are not tunneling protocols? (Check all correct answers.)

❍ A. MD5
❍ B. L2TP
❍ C. 3DES
❍ D. PPTP

4. In which two of the following modes can Authentication Header (AH) be applied?

❍ A. Tunnel
❍ B. Encrypt
❍ C. Transport
❍ D. Authentication

5. Of the following, which is a network device that works at the third layer of the OSI model and is responsible for forwarding packets between networks?

❍ A. Hub
❍ B. Switch
❍ C. Router
❍ D. Bridge

6. Layer 2 Tunneling Protocol (L2TP) merges the best features of what other two tunneling protocols?

❍ A. L2F and PPP
❍ B. PPP and PPTP
❍ C. V L2F and IPsec
❍ D. PPTP and L2F

7. Which one of the following is an encryption system used to protect email?

❍ A. L2TP
❍ B. PPTP
❍ C. S/MIME
❍ D. MIME

8. Which one of the following is issued by a CA and can be used as a sort of electronic identification card?

❍ A. Digital certificate
❍ B. Certificate authority
❍ C. Microsoft Passport
❍ D. Password

9. A password and a personal identification number (PIN) are examples of what?

❍ A. Something you have
❍ B. Something you make
❍ C. Something you know
❍ D. Something you are

10. Which one of the following access control mechanisms prevents disclosure of information by assigning security levels to objects and subjects?

❍ A. LDAP
❍ B. MAC
❍ C. DAC
❍ D. RBAC

11. Which one of the following best describes the type of attack designed to bring a network to a halt by flooding the systems with useless traffic?

❍ A. DoS
❍ B. Ping of death
❍ C. Teardrop
❍ D. Social engineering

12. Which of the following two services are provided by Message Authentication Code (MAC)?

❍ A. Integrity
❍ B. Authenticity
❍ C. Availability
❍ D. Confidentiality

13. Which of the following is a coordinated effort in which multiple machines attack a single victim or host with the intent to prevent legitimate service?

❍ A. DoS
❍ B. Masquerading
❍ C. DDoS
❍ D. Trojan Horse

14. Which of the following is a hardware or software system used to protect a network from unauthorized access?

❍ A. Firepot
❍ B. Windows XP
❍ C. Honeypot
❍ D. Firewall

15. Which of the following describes a firewall technique that looks at each packet and accepts or rejects the packet based on defined rules?

❍ A. Circuit-level gateway
❍ B. Packet filtering
❍ C. Application gateway
❍ D. Proxy server

16. Which one of the following best describes a worm or a virus?

❍ A. A virus propagates itself and destroys data.
❍ B. A worm attacks only after being triggered.
❍ C. A worm attacks system files, and a virus attacks only email.
❍ D. A worm is self-replicating, whereas a virus must be activated to replicate.

17. Which of the following serves the purpose of trying to lure a malicious attacker into a system?

❍ A. Honeypot
❍ B. Pot of gold
❍ C. DMZ
❍ D. Bear trap

18. The acronym WEP is short for what?

❍ A. Wired Equivalent Privacy
❍ B. Wireless Encryption Protocol
❍ C. Wired Equivalency Privacy
❍ D. Wireless Encryption Privacy

19. Of the following characteristics, which one should be included in every password?

❍ A. Uppercase letters
❍ B. Lowercase letters
❍ C. Numbers
❍ D. Special characters
❍ E. All of the above
❍ F. None of the above
❍ G. A and B only

20. Which one of the following is the best password?

❍ A. QwErTy
❍ B. Economics32
❍ C. OliverMiles
❍ D. One4a11$

21. Which one of the following is not considered a physical security component?

❍ A. VPN tunnel
❍ B. Mantrap
❍ C. Fence
❍ D. CCTV

22. Which of the following is the study of measurable human characteristics? Examples include hand scanning, iris profiling, fingerprinting, and voiceprinting.

❍ A. Geometrics
❍ B. Biometrics
❍ C. Photometrics
❍ D. Telemetrics

23. To filter incoming network traffic based on IP address, which one of the following should you implement?

❍ A. Firewall
❍ B. Intranet
❍ C. DoS
❍ D. Server

24. What is the widely used standard for defining digital certificates?

❍ A. X.25
❍ B. X.400
❍ C. X.200
❍ D. X.509

25. What is the name given to the system of digital certificates and certificate authorities used for public key cryptography over networks?

❍ A. Protocol Key Instructions (PKI)
❍ B. Public Key Extranet (PKE)
❍ C. Protocol Key Infrastructure (PKI)
❍ D. Public Key Infrastructure (PKI)

26. Which of the following ports are used by an email client? (Check all correct answers.)

❍ A. 110
❍ B. 21
❍ C. 143
❍ D. 25

27. Public key encryption uses which of the following types of keys?

❍ A. Public keys only
❍ B. Private keys only
❍ C. Public and private key pairs
❍ D. A pair of public keys
❍ E. A pair of private keys

28. Which one of the following is not an example of a denial-of-service attack?

❍ A. Fraggle
❍ B. Smurf
❍ C. Gargomel
❍ D. Teardrop
❍ E. Ping of death
❍ F. Bonk

29. Which of the following are examples of suspicious activity? (Check all correct answers.)

❍ A. A log report that indicates multiple login failures on a single account.
❍ B. Multiple connections that are in a half-open state.
❍ C. A user reporting that she is unable to print to the Finance printer.
❍ D. A user is prompted to change his password upon initial login.

30. What does an administrator use to allow, restrict, or deny access to a network or local resource?

❍ A. Access controls
❍ B. Configuration properties
❍ C. Control panel
❍ D. PGP

31. Which one of the following is designed to keep a system of checks and balances within a given security structure?

❍ A. Principal of least privilege
❍ B. Separation of duties
❍ C. Access controls
❍ D. Principal privileges

32. Which one of the following is not considered one of the three tenets of information security?

❍ A. Integrity
❍ B. Confidentiality
❍ C. Privacy
❍ D. Availability


33. What is the term given to an area within a network that sits between a public network and an internal, private network, and typically contains devices accessible to the public network?

❍ A. Web content zone
❍ B. Safe DMC
❍ C. Safe area
❍ D. DMZ

34. What type of attack attempts to use every possible key until the correct key is found?

❍ A. Brute-force attack
❍ B. Denial-of-service attack
❍ C. Passive attack
❍ D. Private key cryptography

35. At what layer does IPsec operate?

❍ A. Data link
❍ B. Presentation
❍ C. Transport
❍ D. Network

36. Your manager wants you to implement a client/server system that allows your company’s remote access servers to talk with a central server to authenticate dial-in users and authorize their access. What type of systems should you research?

❍ A. RADIUS
❍ B. RAS servers
❍ C. Single sign-on
❍ D. PPTP

37. What is the name given to the process whereby a server authenticates a client and a client authenticates the server?

❍ A. Reverse authentication
❍ B. Mirrored authentication
❍ C. Mutual authentication
❍ D. Dual-factor authentication


38. Which of the following on a UNIX system is susceptible to an offline attack?

❍ A. etc/passwd
❍ B. etc/shadow
❍ C. usr/home
❍ D. usr/bin

39. WEP is a security protocol for _______ and is defined in the _______ standard.

❍ A. LANs, 802.11b
❍ B. 802.11a, WLAN
❍ C. WLANs, 802.11b
❍ D. IEEE, X.509

40. Which of the following are protocols for transmitting data securely over the Web? (Check all correct answers.)

❍ A. SSL
❍ B. S-HTTP
❍ C. FTP
❍ D. TCP/IP

41. Which one of the following will help prevent the casual user from accessing your wireless network but does little to prevent access from more determined attackers?

❍ A. Broadcasting the SSID
❍ B. Broadcasting MAC addresses
❍ C. Not broadcasting the SSID
❍ D. Not broadcasting MAC addresses

42. Risk is made up of which of the following three components? (Choose three best answers.)

❍ A. Vulnerability
❍ B. Threat
❍ C. Probability
❍ D. Value


43. You are the security technician for your company. The CISO wants to block the protocol that allows for the distribution, inquiry, retrieval, and posting of news articles. What port number should you block at the firewall?

❍ A. 119
❍ B. 80
❍ C. 25
❍ D. 110

44. While performing regular security audits, you suspect that your company is under attack and someone is attempting to use resources on your network. The IP addresses in the log files belong to a trusted partner company, however. Assuming an attack, which of the following may be occurring?

❍ A. Replay
❍ B. Authorization
❍ C. Social engineering
❍ D. Spoofing

45. What should be used to prevent specific types of traffic from certain IP addresses and subnets from entering into the secured segment of your network?

❍ A. NAT
❍ B. Static packet filter
❍ C. VLAN
❍ D. Intrusion detection system

46. Which of the following is a firewall architecture that monitors connections throughout the communication session and checks the validity of the IP packet stream?

❍ A. Static inspection
❍ B. Spoofing inspection
❍ C. Stateful inspection
❍ D. Nonstateful inspection


47. Which of the following describes a passive attack?

❍ A. Does not insert data into the stream but instead monitors information being sent.
❍ B. Records and replays previously sent valid messages.
❍ C. Inserts false packets into the data stream.
❍ D. Makes attempts to verify the identity of the source of information.

48. What is the name given to the government standard describing methods implemented to limit or block electromagnetic radiation from electronic equipment?

❍ A. EMR
❍ B. Electroleak
❍ C. Wiretapping
❍ D. TEMPEST

49. Users received a spam email from an unknown source and chose the option in the email to unsubscribe and are now getting more spam as a result. Which one of the following is most likely the reason?

❍ A. The unsubscribe option does not actually do anything.
❍ B. The unsubscribe request was never received.
❍ C. Spam filters were automatically turned off when making the selection to unsubscribe.
❍ D. They confirmed that they are a “live” email.

50. Select the two best choices for achieving security awareness among your users in your organization? (Check all correct answers.)

❍ A. Training during employee orientation
❍ B. Monthly emails
❍ C. Security exhortations through posters
❍ D. Yearly seminars


51. Which one of the following is a process whereby a user can enter a single username and password and have access across multiple domains, eliminating the need to reauthenticate?

❍ A. Authentication
❍ B. Single sign-on (SSO)
❍ C. Lightweight Directory Access Protocol (LDAP)
❍ D. None of the above

52. What ports does Kerberos use? (Check all correct answers.)

❍ A. 88
❍ B. 80
❍ C. 21
❍ D. 749

53. Spyware is most likely to use which one of the following types of cookies?

❍ A. Session
❍ B. Transport
❍ C. Tracking
❍ D. Poisonous

54. What determines what a user can view and alter?

❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Access control

55. Your company suffers a security incident in which 11 of your employees are unable to work for 4 hours. These individuals each make $30 per hour. Given this information, which of the following is the single loss expectancy for this event?

❍ A. $1,320
❍ B. $120
❍ C. $1,200
❍ D. $132


56. You suspect one of your servers may have succumbed to a SYN flood attack. Which one of the following tools might you consider using to help confirm your suspicions?

❍ A. Netstat
❍ B. Ping
❍ C. Tracert
❍ D. Ipconfig

57. Which of the following is the best choice for extinguishing a Class C fire?

❍ A. Dry powder
❍ B. Water
❍ C. Carbon dioxide
❍ D. Helium

58. What is the required number of security associations in an IPsec encrypted session in each direction?

❍ A. One
❍ B. Two
❍ C. Three
❍ D. Four

59. Which one of the following is not true of NIDS and HIDS?

❍ A. Both HIDS and NIDS monitor operating system activity on specific machines.
❍ B. NIDS look at the information exchanged between machines.
❍ C. HIDS look at information on the individual machines.
❍ D. Both HIDS and NIDS gather and analyze data to identify possible threats.

60. An opening left in a program that allows additional, undocumented access to data is known as what?

❍ A. Back door
❍ B. Algorithm
❍ C. Blowfish
❍ D. Demilitarized zone


61. An attacker trying to exploit a web server will likely want to scan systems running web services. What port will the attacker scan for?

❍ A. 21
❍ B. 25
❍ C. 80
❍ D. 110

62. Which of the following IP protocols is used by ESP?

❍ A. 50
❍ B. 135
❍ C. 156
❍ D. 48

63. Information that is combined and results in a greater understanding is known as what?

❍ A. Data mining
❍ B. Data aggregation
❍ C. Data retrieval
❍ D. Data composition

64. Your company has several systems that contain sensitive data. What is a method of ensuring that individual system data cannot be combined with data across the other systems?

❍ A. Separation of duties
❍ B. Classifying the data
❍ C. Enforce stronger passwords
❍ D. Conduct background checks

65. Which of the following is a type of access control that provides access rights assigned to roles and then accounts assigned to these roles?

❍ A. ACL
❍ B. MAC
❍ C. DAC
❍ D. RBAC


66. Which of the following standards ensures privacy between communicating applications and clients on the Web and has been designed to replace SSL?

❍ A. Secure Sockets Layer 2
❍ B. Point-to-Point Tunneling Protocol
❍ C. Transport Layer Security
❍ D. Internet Protocol Security

67. Of the following, which one transmits log-on credentials as clear text?

❍ A. CHAP
❍ B. PAP
❍ C. MSCHAP-v2
❍ D. All of the above

68. At what layer of the OSI model does the Point-to-Point Protocol (PPP) provide services?

❍ A. 1
❍ B. 2
❍ C. 3
❍ D. 4

69. Which of the following is the best choice for encrypting large amounts of data?

❍ A. Asymmetric encryption
❍ B. Symmetric encryption
❍ C. Elliptical curve encryption
❍ D. RSA encryption

70. The Point-to-Point Protocol (PPP) can handle which of the following data communication methods?

❍ A. Synchronous and asynchronous
❍ B. Synchronous only
❍ C. Asynchronous only
❍ D. Synchronous, asynchronous, and half-synchronous


71. With Role Based Access Control (RBAC), how are access rights grouped?

❍ A. Role name
❍ B. Rules
❍ C. Role identification number
❍ D. Rule identification name

72. Within a router, access may be granted or denied based on IP address. What name is given to this method?

❍ A. ACLU
❍ B. ACL
❍ C. AP
❍ D. Answers A and B

73. Which of the following items should normally be shared among multiple users?

❍ A. Password
❍ B. User home directory
❍ C. Username
❍ D. None of the above

74. You are an accountant in Finance and you receive an email warning you of a devastating virus that is going around. The email instructs you to be wary of any email containing a specific file and further instructs you to delete the specific file from your computer if found. Which of the following should you do?

❍ A. Search for and delete the file from your computer.
❍ B. Forward the email to your friends and co-workers.
❍ C. Notify your system administrator of the email.
❍ D. Delete the email and reboot your computer.

75. What is the name given to the activity that consists of collecting information that will be later used for monitoring and review purposes?

❍ A. Logging
❍ B. Auditing
❍ C. Inspecting
❍ D. Vetting


76. Which one of the following best represents the principle of least privilege?

❍ A. Requiring that a user be given no more privilege than necessary to perform a job.
❍ B. Ensuring that all members of the user community are given the same privileges so long as they do not have administrator or root access to systems.
❍ C. A control enforced through written security policies.
❍ D. An assumption that job functions will be rotated frequently.

77. The enforcement of separation of duties is a valuable deterrent to which one of the following?

❍ A. Trojan horses
❍ B. Viruses
❍ C. Fraud
❍ D. Corporate audits
❍ E. Answers A and B

78. You notice that one of the pages on one of your company’s web servers does not perform input validation. As a result, which one of the following are potential dangers?

❍ A. Viruses and ISAPI filters
❍ B. Viruses and worms
❍ C. XML and buffer overflow
❍ D. XSS and buffer overflow

79. Which of the following techniques will best help protect a system against a brute-force password attack?

❍ A. Lock the account after three unsuccessful password entry attempts.
❍ B. Have users present proper identification before being granted a password.
❍ C. Increase the value of the password history control.
❍ D. Require password resets every 90 days.


80. Which of the following should be used to help prevent the mishandling of media?

❍ A. Tokens
❍ B. SSL
❍ C. Labeling
❍ D. Ticketing

81. What provides the basis for the level of protection applied to information? (Check all correct answers.)

❍ A. Data classification
❍ B. Value
❍ C. Risk of loss
❍ D. Size of the organization

82. An intrusion detection system (IDS) detects an attacker and seamlessly transfers the attacker to a special host. What is this host called?

❍ A. Honeypot
❍ B. Padded cell
❍ C. Remote-access host
❍ D. Byte host

83. Which of the following are advantages of honeypots and honeynets? (Check all correct answers.)

❍ A. Attackers are diverted to systems that they cannot damage.
❍ B. Administrators are allotted time to decide how to respond to an attack.
❍ C. Attackers’ actions can more easily be monitored and resulting steps taken to improve system security.
❍ D. Well-defined legal implications.
❍ E. Provides a structure that would require fewer security administrators.


84. Which of the following is a formal set of statements that defines how systems or network resources can be used?

❍ A. Policies
❍ B. Standards
❍ C. Guidelines
❍ D. Procedures

85. What is the IEEE standard for wireless LAN technology?

❍ A. 802.2
❍ B. 802.11
❍ C. 802.1
❍ D. 802.6

86. Which of the following represent the pool of well-known ports?

❍ A. 0 through 255
❍ B. 0 through 1023
❍ C. 0 through 49151
❍ D. 1024 through 49151

87. Your company does not allow users to use the Internet for personal reasons during work hours. Where is this statement most likely documented?

❍ A. Company standards
❍ B. Company procedures
❍ C. Company guidelines
❍ D. Company policies

88. Which one of the following is an older, proprietary, two-way reversible encryption protocol?

❍ A. Password Authentication Protocol (PAP)
❍ B. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
❍ C. Microsoft Point-to-Point Encryption (MPPE)
❍ D. Shiva Password Authentication Protocol (SPAP)


89. What file system is preferred for use on all systems running Microsoft Windows NT, Windows 2000, Windows XP, and Windows Vista operating systems?

❍ A. CDFS
❍ B. NFS
❍ C. FAT
❍ D. NTFS

90. Which of the following ports are assigned to NetBIOS services? (Check all correct answers.)

❍ A. 137
❍ B. 138
❍ C. 139
❍ D. 140

91. What type of backup is normally done once a day and clears the archive bit after the files have been backed up?

❍ A. Copy
❍ B. Daily
❍ C. Incremental
❍ D. Differential

92. The sender of data is provided with proof of delivery, and neither the sender nor receiver can deny either having sent or received the data. What is this called?

❍ A. Nonrepudiation
❍ B. Repetition
❍ C. Nonrepetition
❍ D. Repudiation

93. A disaster recovery plan (DRP) is an agreed-upon plan detailing how operations will be restored after a disaster. When is the DRP created?

❍ A. After a disaster
❍ B. During a disaster
❍ C. Before a disaster
❍ D. Anytime


94. The process of making an operating system more secure by closing known vulnerabilities and addressing security issues is known as which of the following?

❍ A. Handshaking
❍ B. Hardening
❍ C. Hotfixing
❍ D. All of the above

95. Which of the following are examples of protocol analyzers? (Check all correct answers.)

❍ A. Metasploit
❍ B. Wireshark
❍ C. SATAN
❍ D. Network Monitor

96. What is the name given to viruses that mutate and can appear differently, which makes them more difficult to detect?

❍ A. Stealth
❍ B. Cavity
❍ C. Polymorphic
❍ D. Multipartite

97. What type of virus does not require programming knowledge and is found in electronic office documents?

❍ A. Stealth
❍ B. Macro
❍ C. Polymorphic
❍ D. Multipartite

98. A hacker attempting to break into a server running Microsoft Windows will most likely attempt to break into which account?

❍ A. Supervisor
❍ B. Root
❍ C. Administrator
❍ D. Group


99. Which of the following is a UNIX-based command interface and protocol for accessing a remote computer securely?

❍ A. Secure Electronic Transaction (SET)
❍ B. Secure Hash Algorithm (SHA)
❍ C. Secure Socket Shell (SSH)
❍ D. Telnet

100. What port is used for a DNS zone transfer?

❍ A. 53
❍ B. 80
❍ C. 135
❍ D. 137

101. Which one of the following is not true about a web server?

❍ A. The default port for a web server is port 80.
❍ B. A web server must always run on port 80.
❍ C. A commonly used alternate port for web servers is 8080.
❍ D. The browser client must specify the port if not using well-known port 80.

102. What RAID level array configuration is composed of two drives that duplicate the data?

❍ A. RAID 0
❍ B. RAID 1
❍ C. RAID 2
❍ D. RAID 3

103. Which of the following best describes the term false positive?

❍ A. Occurs when the intrusion-detection system detects a legitimate action as a possible intrusion
❍ B. Occurs when the intrusion-detection system allows an intrusive action to pass as nonintrusive behavior
❍ C. Occurs when the intrusion-detection system is modified by an intruder to make false negatives occur
❍ D. Fooling the system over time by executing small individual steps that when combined can amount to an attack


104. Passwords can be intercepted as they move through networks via which of the following?

❍ A. Keyboard sniffers
❍ B. Password sniffers
❍ C. Trojan horses
❍ D. Cookies

105. A fire involving computer equipment and other electronic appliances is likely to be considered what class of fire?

❍ A. Class A
❍ B. Class B
❍ C. Class C
❍ D. Class D

106. A physical security plan should include which of the following? (Check all correct answers.)

❍ A. Description of the physical assets being protected
❍ B. The threats you are protecting against and their likelihood
❍ C. Location of a hard disk’s physical blocks
❍ D. Description of the physical areas where assets are located

107. A certificate authority discovers it has issued a digital certificate to the wrong person. What needs to be completed?

❍ A. Certificate practice statement (CPS)
❍ B. Revocation
❍ C. Private key compromise
❍ D. Fraudulent practices statement (FPS)

108. Which of the following is a primary method for minimizing threat to a web server?

❍ A. Disable all non-web services and enable Telnet for interactive logins.
❍ B. Ensure finger and echo are running.
❍ C. Disable nonessential services.
❍ D. Enable logging.


109. A collection of compromised computers running software installed by a Trojan horse or a worm is referred to as what?

❍ A. Zombie
❍ B. Botnet
❍ C. Herder
❍ D. Virus

110. The enforcement of minimum privileges for system users is achieved via which of the following?

❍ A. IPsec
❍ B. RBAC
❍ C. IDS
❍ D. DRP

111. Which of the following is not a major security evaluation criteria effort?

❍ A. TCSEC
❍ B. Common Criteria
❍ C. IPsec
❍ D. ITSEC

112. Which one of the following types of servers would be the target for an attack where a malicious individual would attempt to change information during a zone transfer?

❍ A. Database server
❍ B. File and print server
❍ C. Web server
❍ D. DNS server

113. In preventing which of the following are white lists and black lists most likely to be found?

❍ A. Spam
❍ B. Viruses
❍ C. DoD attacks
❍ D. SQL injection attacks


114. Which of the following is a hybrid cryptosystem?

❍ A. IDEA
❍ B. MD5
❍ C. RSA
❍ D. PGP

115. Which of the following is a type of cable in which the signals cannot be detected by electronic eavesdropping equipment?

❍ A. Fiber optic
❍ B. Unshielded twisted-pair (UTP)
❍ C. Shielded twisted-pair (STP)
❍ D. Coaxial thicknet

116. What is the space above a drop ceiling called?

❍ A. Raised floor
❍ B. Fire-retardant space
❍ C. Plenum
❍ D. Teflon

117. You are tracking SNMP traffic. Which of the following ports would you monitor? (Select all correct answers.)

❍ A. 161
❍ B. 139
❍ C. 162
❍ D. 138

118. Which one of the following is not a private IP address?

❍ A. 10.1.2.1
❍ B. 165.193.123.44
❍ C. 172.18.36.4
❍ D. 192.168.0.234


119. Of the following, which are characteristics of a cold site?

❍ A. Requires setup time
❍ B. Company needs to bring its own equipment
❍ C. Facility and equipment are already set up and ready to occupy
❍ D. A and B

120. Which of the following is used to trap and ground stray electrical signals?

❍ A. TEMPEST
❍ B. Faraday cage
❍ C. EMR
❍ D. None of the above

121. Which one of the following best describes a service level agreement (SLA)?

❍ A. A method of procuring services after a disaster has struck
❍ B. A contract between a service provider and customer that specifies how the provider will ensure recovery in the event of a disaster
❍ C. A contract between a service provider and customer that specifies the measurable services the provider will furnish
❍ D. A method of protecting a facility from disaster

122. A situation in which a program or process attempts to store more data in a temporary data storage area than it was intended to hold is known as what?

❍ A. Buffer overflow
❍ B. Denial of service
❍ C. Distributed denial of service
❍ D. Storage overrun

123. Which of the following is used in many encryption algorithms and is the transformation of a string of characters into a shorter fixed-length value or key that represents the original string?

❍ A. Cipher block chaining
❍ B. Hashing
❍ C. PKI
❍ D. Ciphertext


124. What is usually the first phase conducted before doing a site penetration?

❍ A. Information gathering
❍ B. Cracking
❍ C. Social engineering
❍ D. Spoofing

125. What type of server acts as an intermediary intercepting all requests to a target server to see whether it can fulfill the request itself?

❍ A. Web server
❍ B. Packet filter
❍ C. Proxy server
❍ D. Firewall


Practice Exam 2 Answer Key

Answers at a Glance

1. D
2. A
3. A and C
4. A and C
5. C
6. D
7. C
8. A
9. C
10. C
11. A
12. A and B
13. C
14. D
15. B
16. D
17. A
18. A
19. E
20. D
21. A
22. B
23. A
24. D
25. D
26. A, C, and D
27. C
28. C
29. A and B
30. A
31. B
32. C
33. D
34. A
35. D
36. A
37. C
38. A
39. C
40. A and B
41. C
42. A, B, and C
43. A
44. D
45. B
46. C
47. A
48. D
49. D
50. A and D
51. B
52. A and D
53. C
54. D
55. A
56. A
57. C
58. A
59. A
60. A
61. C
62. A
63. B
64. A
65. D
66. C


67. B
68. B
69. B
70. A
71. A
72. B
73. D
74. C
75. A
76. A
77. C
78. D
79. A
80. C
81. A, B, and C
82. B
83. A, B, and C
84. A
85. B
86. B
87. D
88. D
89. D
90. A, B, and C
91. C
92. A
93. C
94. B
95. B and D
96. C
97. B
98. C
99. C
100. A
101. B
102. B
103. A
104. B
105. C
106. A, B, and D
107. B
108. C
109. B
110. B
111. C
112. D
113. A
114. D
115. A
116. C
117. A and C
118. B
119. D
120. B
121. C
122. A
123. B
124. A
125. C

Answers with Explanations

Question 1

Answer D is correct. Forensics is the practice of using tools to investigate and establish facts, usually for evidence within a court of law. According to the question, the attack has already taken place, and evidence is being retrieved, and therefore answer A is incorrect. Answers B and C are both incorrect. Due care describes a process before an attack takes place, and due process describes the course taken during court proceedings designed to safeguard the legal rights of individuals.


Question 2

Answer A is correct. A threat is something that could intentionally (such as a malicious hacker) or unintentionally (such as a tornado) do harm to your computer systems and network. Answer B is incorrect because a risk describes the possibility of realizing a threat. Answer C is incorrect because a vulnerability describes the susceptibility to attack. Answer D is therefore also incorrect.

Question 3

Answers A and C are correct. Both MD5 and 3DES are cryptography algorithms. Answers B and D are both tunneling protocols used in virtual private networks and are therefore incorrect.

Question 4

Answers A and C are correct. The IPsec Authentication Header (AH) provides integrity and authentication only and can be used in tunnel mode and transport mode. Therefore, answer B is incorrect; and although AH provides authentication and integrity, answer D does not describe one of the operating modes.

Question 5

Answer C is correct. A router is a networking device that works at Layer 3 in the OSI model. Answer A is incorrect because a hub works at Layer 1. A switch works at Layer 2; therefore, answer B is incorrect. A bridge operates on Layer 2 of the OSI model; therefore, answer D is incorrect.

Question 6

Answer D is correct. Both PPTP and L2F (Layer 2 Forward) are leveraged within L2TP. Answers A, B, and C are all incorrect because each answer contains a protocol that is not a tunneling protocol.

Question 7

Answer C is correct. S/MIME is the secure version of MIME and is used to protect email messages. Answers A and B are incorrect because L2TP and PPTP are tunneling protocols. Answer D is incorrect because MIME is used for plain text (the unsecured version of S/MIME).


Question 8

Answer A is correct. Digital certificates are issued by certificate authorities (CAs) and serve as a virtual ID or passport, commonly used to conduct business over the Web. Answer B is incorrect because a CA is the issuer of these certificates used to establish identification. Answer C is incorrect because this describes a Microsoft authentication service. A password is a secret word or phrase used to gain access; therefore, answer D is incorrect.

Question 9

Answer C is correct. A password and a PIN are usually private alphanumeric codes, which are known by an individual. Something you have describes an item such as a swipe card or token; therefore, answer A is incorrect. Something you make is not associated with authentication; therefore, answer B is incorrect. Answer D is incorrect because something you are involves biometrics such as fingerprints and voiceprints. Using an ATM card typically requires something you have (the card) and something you know (the PIN).

Question 10

Answer C is correct. Mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC) are common types of access control mechanisms used within computer systems, yet DAC is the only one that assigns security levels to objects and subjects. Therefore, answers B and D are incorrect. LDAP is a directory protocol; therefore, answer A is incorrect.

Question 11

Answer A is correct. A DoS attack (or denial of service) is designed to bring down a network by flooding the system with an overabundance of useless traffic. Although answers B and C are both types of DoS attacks, they are incorrect because DoS more accurately describes “a type of attack.” Answer D is incorrect because social engineering describes the nontechnical means of obtaining information.

Question 12

Answers A and B are correct. A Message Authentication Code (MAC) provides both an integrity check and authenticity check. It ensures a message, for example, has not been altered and that only an individual knowing the secret key can produce the MAC. Availability and confidentiality are not functions provided by MAC; therefore, answers C and D are both incorrect choices.


Question 13

Answer C is correct. A distributed denial of service (DDoS) is similar to a denial-of-service (DoS) attack in that they both try to prevent legitimate access to services; however, a DDoS is a coordinated effort among many computer systems; therefore, answer A is incorrect. Masquerading involves using someone else’s identity to access resources; therefore, answer B is incorrect. A Trojan horse is a program used to perform hidden functions; therefore, answer D is incorrect.

Question 14

Answer D is correct. A firewall is a hardware or software device used to protect a network from unauthorized access. Many firewalls are also designed to prevent unauthorized traffic from leaving the network. Answer A is incorrect; it is not a legitimate term. A honeypot is used as a decoy to lure malicious attacks; therefore, answer C is incorrect. Answer B is also incorrect because Windows XP is a Microsoft operating system.

Question 15

Answer B is correct. Many firewalls today employ stateful packet inspections and have replaced many packet-filtering firewalls. Answer A is used as a decoy and is incorrect. Answers C and D do not employ stateful packet inspections and are both incorrect. Answer C describes a system used to manage encryption keys, and answer D is a system used to manage logs.

Question 16

Answer D is correct. Traditionally, a worm replicates itself, and a virus must be activated to replicate. Answer A is incorrect because a virus must be activated to propagate. Answer B is incorrect because a worm can perform its functions without being triggered. Answer C is also an incorrect statement because worms and viruses are capable of much more

Question 17

Answer A is correct. A honeypot is used to serve as a decoy and lure a malicious attacker. Answers B and D are incorrect answers and are not legitimate terms for testing purposes. Answer C is incorrect because a DMZ is an area between the Internet and the internal network.


Question 18

Answer A is correct. Wired Equivalent Privacy (WEP) is part of the 802.11b standard, and it is designed to provide the same level of security as on a wired network. Answers B, C, and D are all incorrect.

Question 19

Answer E is correct. A good password will make use of uppercase and lowercase letters, as well as numbers and special characters; therefore, answers F and G are both incorrect.

Question 20

Answer D is correct. Choice D is a good password because it is eight characters long and makes use of mixed case, numbers, and special characters. Answer A is incorrect because it uses a familiar keyboard pattern. Although answer B might make a good password, it would be better if it incorporated numbers within the password (not at the beginning or end) and if it were not a word found in the dictionary; therefore, answer B is incorrect. Answer C is incorrect because a person’s name should not be used.

Question 21

Answer A is correct. A VPN tunnel is an example of data security—not physical security. Mantrap, fence, and CCTV are all components of physical security; therefore, answers B, C, and D are incorrect.

Question 22

Answer B is correct. Biometrics is the study of biological characteristics. Geometrics describes geometric qualities or properties; therefore, answer A is incorrect. Answer C, photometrics, is incorrect because this is the study and measurement of the properties of light. Telemetrics is the study and measurement of the transmission of data over certain mediums; therefore, answer D is incorrect.


Question 23 Answer A is correct. A firewall is a hardware or software system designed to protect networks against threats, and can be used to permit or deny traffic based on IP address. Answer B is incorrect because an intranet is a private network. Answer C is incorrect because this is a type of attack meant to disrupt service. Although a firewall may be called a firewall server, Answer D is incorrect because this is not nearly specific enough.

Question 24 Answer D is correct. X.509 is the defining standard upon which digital certificates are based. Answer A is incorrect because X.25 is a standard for connecting packet-switched networks. X.400 is a standard for transmitting email; therefore, answer B is incorrect. And X.200 deals with the top layer of the OSI model; therefore, answer C is incorrect.

Question 25 Answer D is correct. Public Key Infrastructure describes the trust hierarchy system for implementing a secure public key cryptography system over TCP/IP networks. Answers A, B, and C are incorrect because these are bogus terms.

Question 26 Answers A, C, and D are correct. Port 110 is used by the POP3 incoming mail protocol. Port 143 is used by the IMAP4 incoming mail protocol. And port 25 is used by the SMTP outgoing mail protocol. Answer B is incorrect because this is the port used for FTP.

Question 27 Answer C is correct. Public key encryption uses a public and private key pair. Answer A is incorrect because there are no encryption technologies that use only public keys. Answer B is incorrect because only a symmetric key cryptography system would use just private keys. Answer D is incorrect for the same reason as answer A, and answer E is incorrect for the same reason as answer B.

Question 28 Answer C is correct. A Gargomel attack, although cool sounding, does not actually exist. Fraggle, Smurf, Teardrop, Ping of death, and Bonk are names of specific denial-of-service attacks; therefore, answers A, B, D, E, and F are incorrect.

Question 29 Answers A and B are correct. A log report that shows multiple login failures for a single account should raise suspicion because this might be an attempt by an unauthorized person to gain access. Multiple connections in a half-open state are likely waiting for a SYN-ACK and may indicate a SYN flood attack. Answers C and D are incorrect because these appear to be typical network problems or controls that have been implemented by an administrator.

Question 30 Answer A is correct. Access controls allow an administrator to allow, restrict, or deny access to resources. Two common access control methods are discretionary access control (DAC) and mandatory access control (MAC). Answers B and C are both incorrect because neither of these relates to administrative controls to administer the security on resources. Answer D is incorrect because PGP is used for secure email.

Question 31 Answer B is correct. Separation of duties and responsibilities is used to ensure a system of checks and balances. Answer A is incorrect because the principle of least privilege is to ensure that users are granted only the minimum level of access required to perform their job functions. Answer C is incorrect because access controls allow for the control of access to resources. Answer D is incorrect; it is an invalid term.

Question 32 Answer C is correct. The three tenets of information security are confidentiality, integrity, and availability. Privacy, although similar to confidentiality, is not considered one of the three; therefore, answers A, B, and D are incorrect.

Question 33 Answer D is correct. A demilitarized zone (DMZ) sits between a public network such as the Internet and an organization’s internal network. A web content zone is a security term used in Microsoft’s web browser; therefore, answer A is incorrect. Both answers B and C are made-up terms and are therefore incorrect.

Question 34 Answer A is correct. A brute-force attack attempts to use every key and relies on adequate processing power. Answer B is incorrect because a denial-of-service attack is an attempt to prevent legitimate service. Answer C is incorrect because this describes an attempt to intercept data without altering it. Answer D is incorrect because this is the crypto system relying on secret keys.

Question 35 Answer D is correct. IPsec operates at Layer 3, the network layer, of the OSI model, whereas other security protocols such as SSL operate at higher layers. Answers A, B, and C are other layers within the OSI model but are not the layers at which IPsec operates.

Question 36 Answer A is correct. Remote Authentication Dial-In User Service (RADIUS) is a client/server system that facilitates the communication between remote access servers and a central server. This central server authenticates the dial-in users and authorizes the user’s access. Answer B is incorrect because a Remote Access Server (RAS) is the system used to handle remote user access, and your manager wants a central server to communicate with these servers. Answer D is incorrect because PPTP is a tunneling protocol.

Question 37 Answer C is correct. Mutual authentication describes the process whereby a client and server both authenticate each other, rather than the server just authenticating the client. Answers A, B, and D are invalid terms and are therefore incorrect.

Question 38 Answer A is correct. The /etc/passwd file on a UNIX system is world-readable, meaning anyone can read it, which could allow an attacker to obtain the hash of everyone’s password to mount an offline attack. In contrast, the /etc/shadow file makes the hashed password unreadable by unprivileged users; therefore, answer B is incorrect. Answers C and D are incorrect and do not reference password files.

Question 39 Answer C is correct. The Wired Equivalent Privacy (WEP) is a security protocol designed for wireless local area networks, and it is defined in the 802.11b standard. Answers A, B, and D are incorrect. 802.11a is an older specification. The IEEE (Institute of Electrical and Electronics Engineers) developed the 802.11 standards, and X.509 is the standard for defining digital certificates.

Question 40 Answers A and B are correct. Both Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP) are protocols designed to transmit data securely across the Web. SSL uses public key encryption to encrypt the data, and S-HTTP creates a secure connection between the client and server. File Transfer Protocol (FTP) is a simple and unsecured protocol for the transfer of files across the Internet, and TCP/IP, which is inherently unsecured, is the language of the Internet; therefore, answers C and D are incorrect.

Question 41 Answer C is correct. Not broadcasting the wireless SSID, although a common practice, will not prevent a more determined attack on your wireless network. It does, however, keep the wireless access point from advertising the name of the network. Answers B and D are incorrect because MAC addresses don’t get broadcast. Rather, wireless access points typically provide a mechanism to filter system access by MAC address; however, like disabling SSID broadcast, this does not stop the more determined attack because one’s MAC address can be spoofed.

Question 42 Answers A, B, and C are correct. Risk can be defined as the probability of a threat exploiting a vulnerability. Answer D is incorrect. Value is not a component of risk; however, value may affect your decision whether to accept a risk.

Question 43 Answer A is correct. The Network News Transfer Protocol (NNTP) provides access to newsgroups and uses TCP port 119. The Hypertext Transfer Protocol (Web) uses port 80; therefore, answer B is incorrect. Answers C and D are also incorrect because these ports are used for the sending and receiving of mail. Port 25 is for the Simple Mail Transfer Protocol (SMTP), and port 110 is for the Post Office Protocol (POP).

Question 44 Answer D is correct. The most likely answer is spoofing because this allows an attacker to misrepresent the source of the requests. Answer A is incorrect because this type of attack records and replays previously sent valid messages. Answer B is incorrect because this is not a type of attack but is instead the granting of access rights based on authentication. Answer C is incorrect because social engineering involves the nontechnical means of gaining information.

Question 45 Answer B is correct. On a firewall, static packet filtering provides a simple solution for the basic filtering of network traffic based on source, destination addresses, and protocol types. Answer A is incorrect because NAT is used to hide internal addresses. Answer C is incorrect because a VLAN is used to make computers on physically different network segments appear as if they are one physical segment. Answer D is incorrect because an intrusion detection system is used to identify suspicious network activity.

Question 46 Answer C is correct. Stateful inspection (also called dynamic packet filtering) monitors the connection throughout the session and verifies the validity of IP packet streams. Answer A is incorrect because static packet filtering examines packets based on information in their headers. Answer B is incorrect because there is no such firewall architecture. As opposed to stateful inspection, nonstateful inspection does not maintain the state of the packets; therefore, answer D is incorrect.

Question 47 Answer A is correct. A passive attack attempts to passively monitor data being sent between two parties and does not insert data into the data stream. A replay attack records and replays previously sent valid messages; therefore, answer B is incorrect. An active attack does make attempts to insert false packets into the data stream; therefore, answer C is incorrect. Authentication refers to the process of verifying the identity of a source and is not a type of attack; therefore, answer D is incorrect.

Question 48 Answer D is correct. TEMPEST originated with the U.S. military and deals with the study of devices that emit electromagnetic radiation. Electromagnetic radiation or EMR is emitted from devices; therefore, answer A is incorrect. Answer B is a bogus term; therefore, answer B is incorrect. Answer C is incorrect because wiretapping involves the secret monitoring of information being passed.

Question 49 Answer D is correct. Often an option to opt out of further email does not unsubscribe users, but rather means, “send me more spam” because it has been confirmed that the email address is not dormant. This is less likely to occur with email a user receives that he or she opted into in the first place, however. Answers A, B, and C are incorrect because these are less likely and not the best choices.

Question 50 Answers A and D are correct. Security training during employee orientation, as well as yearly seminars, are the best choices as these are active methods of raising security awareness. Email and posters are passive; therefore, answers B and C are incorrect.

Question 51 Answer B is correct. Single sign-on provides the mechanism whereby a user needs to authenticate to a system just one time and can then access multiple systems without the need to reauthenticate or maintain separate usernames and passwords. Answer A is incorrect because authentication is simply the process of identification. Answer C is incorrect because this is a protocol for directory access. Answer D is incorrect.

Question 52 Answers A and D are correct. Kerberos uses ports 88 and 749. Port 749 is used for Kerberos administration. Answers B and C are incorrect because port 80 is used for HTTP and port 21 is used for FTP.

Question 53 Answer C is correct. Whereas cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Therefore, answer A is incorrect. Answers B and D are not types of cookies and are incorrect.

Question 54 Answer D is correct. Access control defines what a user can access and what the user can specifically view and alter. Confidentiality ensures data remains private; therefore, answer A is incorrect. Integrity describes the reliability of the data in that it has not been altered; therefore, answer B is incorrect. Authentication verifies the identity of a user or system; therefore, answer C is incorrect.

Question 55 Answer A is correct. SLE can be solved by multiplying the asset value (AV) by the exposure factor (EF). Multiplying the number of affected employees by their hourly wage means the company will be losing $330 an hour. Because they are unable to work for 4 hours, we must then multiply $330 by 4. Answers B, C, and D are incorrect.

Question 56 Answer A is correct. By using the Netstat command, you can check the number of open connections that have received a SYN but not an ACK, which may indicate connections left in a half-opened state. Ping, Tracert, and Ipconfig are other useful utilities but will not show connection states as does Netstat; therefore, answers B, C, and D are incorrect.

Question 57 Answer C is correct. Both carbon dioxide and dry chemicals can be used to extinguish a class C electrical fire; however, carbon dioxide is better suited for computer and other electrical equipment because carbon dioxide does not leave a harmful residue; therefore, answer A is incorrect. Answers B and D are also incorrect. Water should never be used on a class C fire because of the risk of electrical shock, and helium is not an extinguishing agent.

Question 58 Answer A is correct. Security associations (SAs) are created to help protect the traffic stream, and two SAs are required—one in each direction. Therefore, answers B, C, and D are incorrect.

Question 59 Answer A is correct. A host-based intrusion-detection system (HIDS) and a network-based intrusion-detection system differ primarily in that a NIDS is concerned with monitoring the external interfaces, whereas the HIDS is concerned with only the system itself. Answers B, C, and D are accurate statements; therefore, based on the question, they are incorrect answers.

Question 60 Answer A is correct. A back door is an opening in a program, often left by a developer, that enables access through nontraditional means. Answer B is incorrect because an algorithm refers to the steps to arrive at a result. Blowfish is a type of symmetric block cipher; therefore, answer C is incorrect. Answer D is incorrect because a demilitarized zone is a zone within a network where publicly accessible servers are typically placed.

Question 61 Answer C is correct. Port 80 is used for web services, also known as Hypertext Transfer Protocol. Port 21 is used for the File Transfer Protocol (FTP); therefore, answer A is incorrect. Port 25 is used for the Simple Mail Transfer Protocol (SMTP); therefore, answer B is incorrect. Port 110 is used for the Post Office Protocol (POP); therefore, answer D is incorrect.

Question 62 Answer A is correct. Encapsulating Security Payload (ESP) is IP protocol 50. Answers B, C, and D are incorrect.

Question 63 Answer B is correct. Data aggregation is the process of combining separate pieces of data that by themselves might be of no use but when combined with other bits of data will provide a greater understanding. The other choices are invalid answers; therefore, answers A, C, and D are incorrect.

Question 64 Answer A is correct. Individuals granted widespread authorization to data have a much easier chance to perform data aggregation. Ensuring the separation of duties provides a countermeasure against such data collection. Classifying the data does not help against the risk that the information may be collected by authorized individuals; therefore, answer B is incorrect. Answers C and D are also incorrect because these are irrelevant to the process of piecing together separate pieces of data.

Question 65 Answer D is correct. Role-based access control (RBAC), as the name implies, assigns access rights to roles. Answer A is incorrect because an access control list is a list of permissions attached to an object. Answers B and C are also incorrect because these are other types of access control.

Question 66 Answer C is correct. Although the two are not interoperable, TLS is based on SSL and provides security between web applications and their clients. TLS was designed to be the successor to Secure Sockets Layer; therefore, answer A is incorrect. Answer B is a protocol used to create secure tunnels, such as in a virtual private network; therefore, answer B is incorrect. Internet Protocol Security (IPsec) is also used to create virtual private networks; therefore, answer D is incorrect.

Question 67 Answer B is correct. The Password Authentication Protocol (PAP) is a basic form of authentication during which the username and password are transmitted unencrypted. Both CHAP and MSCHAP-v2 support the secure transmission of usernames and passwords; therefore, answers A, C, and D are incorrect.

Question 68 Answer B is correct. PPP, a protocol for communicating between two points using a serial interface, provides service at the second layer of the OSI model: the data link layer. Layer 1 (physical), Layer 3 (network), and Layer 4 (transport) are not the layers at which PPP provides its service; therefore, answers A, C, and D are incorrect.

Question 69 Answer B is correct. Public key encryption is not usually used to encrypt large amounts of data, but it does provide an effective and efficient means of sending a secret key from which to do symmetric encryption thereafter, which provides the best method for efficiently encrypting large amounts of data. Therefore, answers A, C, and D are incorrect.

Question 70 Answer A is correct. PPP can handle synchronous and asynchronous connections; therefore, answers B, C, and D are incorrect.

Question 71 Answer A is correct. Access rights are grouped by the role name, and the use of resources is restricted to those associated with the authorized role. Answers B, C, and D are incorrect ways of describing how access rights are grouped within RBAC.

Question 72 Answer B is correct. An access control list (ACL) coordinates access to resources based on a list of allowed or denied items such as users or network addresses. Answer A is incorrect because ACLU identifies a nonprofit organization that seeks to protect the basic civic liberties of Americans. An access point (AP) is often used in relation to a wireless access point (WAP); therefore, answer C is incorrect. Answer D is also incorrect.

Question 73 Answer D is correct. Passwords, home directories, and usernames in most cases are unique to the individual users. Although the use of shared usernames and passwords is common in many instances, it is a practice that generally should not be used.

Question 74 Answer C is correct. The email is likely a hoax, and although the policies might differ among organizations, given this scenario and the available choices, the best answer is to notify the system administrator. Answers A, B, and D are incorrect.

Question 75 Answer A is correct. Logging is the process of collecting data to be used for monitoring and auditing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer B is incorrect. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer C is incorrect. Vetting is the process of thorough examination or evaluation; therefore, answer D is incorrect.

Question 76 Answer A is correct. Users should not be given privileges above those necessary to perform their job function. The other choices do not adequately and accurately describe the principle of least privilege; therefore, answers B, C, and D are incorrect.

Question 77 Answer C is correct. The potential for fraudulent activity is greater when the opportunity exists for one who is able to execute all the transactions within a given set. The separation of duties is not a deterrent to Trojan horses, viruses, or corporate audits; therefore, answers A, B, D, and E are incorrect.

Question 78 Answer D is correct. Answers A, B, and C are not the best choices. Cross-site scripting (XSS) and buffer overflow are two potentially real dangers of not performing input validation within forms on a website.

Question 79 Answer A is correct. By locking an account after a few consecutive attempts, you can reduce the likelihood of a brute-force attack. Having an employee show proper identification does nothing to reduce brute-force attacks; therefore, answer B is incorrect. Increasing the value of the password history only prevents the user from using previously used passwords; therefore, answer C is incorrect. Password resets are an adequate mechanism to use in case a password has been compromised but do little to circumvent brute-force attacks; therefore, answer D is incorrect.

Question 80 Answer C is correct. Proper labeling concerning the sensitivity of information should be placed on media such as tapes and disks to prevent the mishandling of the information. Tokens are a hardware device; therefore, answer A is incorrect. SSL is a protocol for protecting documents on the Internet; therefore, answer B is incorrect. Answer D, ticketing, is also incorrect.

Question 81 Answers A, B, and C are correct. Protecting data against accidental or malicious events is based on the classification level of the data, the data’s value, and the level of risk or compromise of the data. The size of the organization has no bearing on the level of protection to be provided; therefore, answer D is incorrect.

Question 82 Answer B is correct. When an IDS detects an attacker, the attacker may then be transparently transferred to a padded cell host, which is a simulated environment where harm cannot be done. All three terms used for answers A, C, and D are incorrect because these are not related to intrusion-detection systems.

Question 83 Answers A, B, and C are correct. All except answers D and E are advantages of honeypots and honeynets. Currently, the legal implications of using such systems are not that well defined, and the use of these systems will typically require more administrative resources.

Question 84 Answer A is correct. A policy is the formal set of statements that define how systems are to be used. Standards are a definition or format that is approved and must be used; therefore, answer B is incorrect. Guidelines are similar to standards but serve as more of a suggestion; therefore, answer C is incorrect. Procedures typically provide step-by-step instructions to follow; therefore, answer D is incorrect.

Question 85 Answer B is correct. 802.11 is the IEEE standard relating to the family of specifications for wireless LAN technologies. 802.2 is the standard for the data link layer in the OSI reference model; therefore, answer A is incorrect. 802.1 is the standard related to network management; therefore, answer C is incorrect. 802.6 is the standard for metropolitan area networks (MANs); therefore, answer D is incorrect.

Question 86 Answer B is correct. The well-known ports are those from 0 through 1023. Registered ports are those from 1,024 through 49,151, and dynamic or private ports are those from 49,152 through 65,535; therefore, answers A, C, and D are incorrect.

Question 87 Answer D is correct. A policy is the formal set of statements that define how systems are to be used. Standards are a definition or format that is approved and must be used; therefore, answer A is incorrect. Procedures typically provide step-by-step instructions to follow; therefore, answer B is incorrect. Guidelines are similar to standards but serve as more of a suggestion; therefore, answer C is incorrect.

Question 88 Answer D is correct. SPAP was designed by Shiva and is an older, two-way reversible encryption protocol that encrypts the password data sent between client and server. PAP is a basic authentication protocol that does not provide for encryption; therefore, answer A is incorrect. MS-CHAP uses a one-way encryption scheme for encryption; therefore, answer B is incorrect. Answer C is incorrect. MPPE is used to encrypt data in PPP and PPTP dial-up connections and VPN connections.

Question 89 Answer D is correct. NTFS (NT File System) is the preferred system because it supports file and folder permissions (among many other benefits, such as auditing). CDFS (CD-ROM File System) is used to control the CD-ROM; therefore, answer A is incorrect. NFS (Network File System) is a client/server application; therefore, answer B is incorrect. FAT (File Allocation Table) file systems are not recommended because they lack native file-level security support; therefore, answer C is incorrect.

Question 90 Answers A, B, and C are correct. The NetBIOS name service uses port 137. The NetBIOS datagram service uses port 138, and the NetBIOS session service uses port 139. Port 140 is used by the EMFIS data service; therefore, answer D is incorrect.

Question 91 Answer C is correct. An incremental backup backs up only files created or changed since the last normal or incremental backup and clears the archive bit. A copy backup backs up all selected files but doesn’t clear the archive bit; therefore, answer A is incorrect. A daily backup copies all selected files that you have modified on the day the backup is performed but does not clear the archive bit; therefore, answer B is incorrect. A differential backup is similar to an incremental, but it does not clear the archive bit; therefore, answer D is incorrect.

Question 92 Answer A is correct. Nonrepudiation means that neither party can deny either having sent or received the data in question. Both answers B and C are incorrect. And repudiation is defined as the act of repudiation or refusal; therefore, answer D is incorrect.

Question 93 Answer C is correct. A disaster recovery plan is an agreed-upon plan that details the restoration of operations in the event of a disaster, and it should already be in existence before a disaster strikes; therefore, answers A, B, and D are incorrect.

Question 94 Answer B is correct. Hardening refers to the process of securing an operating system. Handshaking relates to the agreement process before communication takes place; therefore, answer A is incorrect. A hotfix is just a security patch that gets applied to an operating system; therefore, answer C is incorrect. Hardening is the only correct answer; therefore, answer D is incorrect.

Question 95 Answers B and D are correct. Windows Server operating systems come with a protocol analyzer called Network Monitor. Third-party programs such as Wireshark can also be used for network monitoring. Metasploit is a framework used for penetration testing and SATAN is a network security testing tool; therefore, answers A and C are incorrect.

Question 96 Answer C is correct. Polymorphic viruses are designed to change part of their code after they infect a file in an attempt to evade detection. A stealth virus tries to hide its existence by taking over portions of your system; therefore, answer A is incorrect. A cavity virus attempts to install itself with a program; therefore, answer B is incorrect. A multipartite virus uses multiple methods of infecting a system, and so answer D is incorrect.

Question 97 Answer B is correct. Macro viruses are easy to create and do not require programming knowledge, and are known to infect Microsoft Office documents such as those created with Microsoft Word. Stealth, polymorphic, and multipartite viruses, unlike macro viruses, require programming, and they are associated with infecting the operating system; therefore, answers A, C, and D are incorrect.

Question 98 Answer C is correct. On Windows systems, the account with the greatest privileges is referred to as administrator. On UNIX systems, however, this account is named root, and supervisor is used in Novell NetWare environments; therefore, answers A, B, and D are incorrect.

Question 99 Answer C is correct. SSH provides for the secure access of remote computers and uses RSA public key cryptography. SET is a system for ensuring the security of financial transactions on the Web; therefore, answer A is incorrect. Answer B is incorrect because SHA is a hashing algorithm used to create a condensed version of a message. Telnet is used to access computers remotely, but it is unsecured; therefore, answer D is incorrect.

Question 100 Answer A is correct. DNS uses port 53 for zone transfers. The Hypertext Transfer Protocol (Web) uses port 80; therefore, answer B is incorrect. The NetBIOS name service uses port 137, and the NetBIOS datagram service uses port 138; therefore, answers C and D are incorrect.

Question 101 Answer B is correct. Although the assigned port for the Hypertext Transfer Protocol (Web) is port 80, it is not required. In most cases, web servers do run on port 80 because browsers use this port by default, and the port number does not need to be specified within the Uniform Resource Locator (URL). Port 8080 is an assigned alternative port for web servers but still requires this port be specified in the URL when used. Answers A, C, and D are incorrect choices because these are all valid statements about web servers.

Question 102 Answer B is correct. Disk mirroring, also known as RAID 1, is made up of two drives that are duplicates of each other. RAID level 0, also known as disk striping, does not provide any fault tolerance; therefore, answer A is incorrect. RAID 2 uses an error-correcting algorithm that employs disk striping; therefore, answer C is incorrect. Answer D, RAID 3, which is similar to RAID 2, is also incorrect.

Question 103 Answer A is correct. A false positive error occurs when the intrusion-detection system detects a legitimate action as a possible intrusion. Answer B is incorrect because it describes a false negative error. Answers C and D are incorrect because they describe subversion errors.

Question 104 Answer B is correct. Password sniffers monitor traffic and record the packets sending passwords. Answer A is incorrect because a keyboard sniffer can capture passwords locally on the computer as they are typed and recorded. A Trojan horse is a program that has a hidden function; therefore, answer C is incorrect. Answer D is incorrect because cookies are small text files used to identify a web user and enhance the browsing experience.

Question 105 Answer C is correct. A class C fire involves energized electrical equipment and is usually suppressed with nonconducting agents. Class A fires involve combustibles such as wood and paper; therefore, answer A is incorrect. Answer B is incorrect because a class B fire involves flammables or combustible liquids. Answer D is incorrect because a class D fire involves combustible metals such as magnesium.

Question 106 Answers A, B, and D are correct. A physical security plan should be a written plan that addresses your current physical security needs and future direction. With the exception of answer C, all the answers are correct and should be addressed in a physical security plan. A hard disk’s physical blocks pertain to the file system.

Question 107 Answer B is correct. There are numerous reasons why a certificate might need to be revoked (including a certificate being issued to the incorrect person). A CPS is a published document from the CA describing their policies and procedures for issuing and revoking certificates; therefore, answer A is incorrect. A private key compromise is actually another reason to perform revocation of a certificate; therefore, answer C is incorrect. Answer D is incorrect because this is a bogus term.

Question 108 Answer C is correct. Each network service carries its own risks; therefore, it is important to disable all nonessential services. Although disabling all non-web services may provide a secure solution for minimizing threats, having Telnet enabled for interactive logins presents security issues and is not a primary method for minimizing threat; therefore, answer A is incorrect. Answer B is incorrect because both these services are not recommended to be enabled on a web server. Logging is important for secure operations and is invaluable when recovering from a security incident; however, it is not a primary method for reducing threat. Therefore, answer D is incorrect.

Question 109 Answer B is correct. Answers A and C are incorrect but are related to a botnet in that a zombie is one of many computer systems that make up a botnet, whereas a bot herder is the controller of the botnet. Answer D is incorrect. A virus is a program that infects a computer without the knowledge of the user.

Question 110 Answer B is correct. Role-based access control (RBAC) ensures the principle of least privilege by identifying the user’s job function and ensuring a minimum set of privileges required to perform that job. IPsec is a set of protocols to enable encryption, authentication, and integrity; therefore, answer A is incorrect. Answer C is incorrect because an IDS is used for intrusion detection, and answer D is incorrect because a DRP is a plan used in the event of disaster.

Question 111 Answer C is correct. Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) are major security criteria efforts, and the Common Criteria is based on both TCSEC and ITSEC; therefore, answers A, B, and D are the three major security evaluation criteria efforts. IPsec, however, is a set of protocols to enable encryption, authentication, and integrity.

Question 112 Answer D is correct. Zone transfers are associated with DNS servers. If a malicious hacker were to obtain a DNS zone file, the hacker could identify all the hosts present within the network. Zone transfers are not functions of a database, file and print, or web server; therefore, answers A, B, and C are incorrect.

Question 113 Answer A is correct. Antispam software programs use black and white lists to control spam by refusing or allowing email that originates from these lists. Answer B is incorrect because antivirus software uses signatures. Answer C is incorrect because DoD attacks are prevented by filter-by-access control lists. Answer D is incorrect because SQL injection attacks can be prevented with the use of a web vulnerability scanner. This router does most of the packet filtering for the firewall. Answers B, C, and D are incorrect choices.

Question 114 Answer D is correct. Pretty Good Privacy (PGP) is a hybrid cryptosystem that makes use of the incorrect choices, A, B, and C. IDEA is a symmetric encryption cipher, RSA is an asymmetric cipher, and MD5 is a hash.

Question 115 Answer A is correct. Signals within fiber-optic cables are not electrical in nature, and therefore they do not emit electromagnetic radiation to be detected. This makes fiber-optic cabling ideal for high-security networks. Both UTP and STP are susceptible to eavesdropping, but STP is less susceptible than UTP; therefore, answers B and C are incorrect. Answer D is incorrect because coaxial thicknet is also susceptible to eavesdropping, yet it is a better choice than UTP.

Question 116 Answer C is correct. The plenum is the space between the ceiling and the floor of a building’s next level. It is commonly used to run network cables, which must be of plenum-grade. A raised floor, sometimes called a plenum floor, is open space below a floor; therefore, answer A is incorrect. Answer B is incorrect; in fact, the plenum is of concern during a fire because there are actually few, if any, barriers to contain fire and smoke. Answer D is incorrect because Teflon is a trademarked product of the DuPont corporation. Teflon is often used to coat wiring placed in the plenum of a building.

Question 117 Answers A and C are correct. UDP ports 161 and 162 are used by SNMP. Answers B and D are incorrect. UDP uses port 139 for network sharing, and port 138 is used to allow NetBIOS traffic for name resolution.

Question 118 Answer B is correct. The Internet Assigned Numbers Authority (IANA) has reserved three blocks of IP addresses for private networks: 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. In addition, 169.254.0.0 through 169.254.255.255 are reserved for automatic private IP addressing; therefore, answers A, C, and D are incorrect.

Question 119 Answer D is correct. A cold site is a disaster recovery service, similar to a hot site in that it provides office space. However, a cold site requires the customer to provide and install all the equipment needed for operations, whereas a hot site is all ready to go. Naturally, a cold site is less expensive than a hot site.

Question 120 Answer B is correct. A Faraday cage is a solid or mesh metal box used to trap and ground stray electrical signals. The box completely surrounds the protected equipment and is well-grounded to dissipate stray signals from traveling to or from the cage. TEMPEST is a government standard describing methods implemented to block or limit electromagnetic radiation (EMR) from electronic equipment; therefore, answers A and C are incorrect. Answer D is also incorrect.

Question 121 Answer C is correct. An SLA is a written contract between a service provider and customer, and it specifies the services the provider will furnish to the customer. Answers A, B, and D are incorrect. Answer B may describe a specific type of SLA, but it is not the best answer.

Question 122 Answer A is correct. A buffer overflow occurs when a program or process attempts to store more data in a buffer than the buffer was intended to hold. The overflow of data can flow over into other buffers, overwriting or deleting data. A denial of service is a type of attack in which too much traffic is sent to a host, preventing it from responding to legitimate traffic. A distributed denial of service is similar, but it is initiated through multiple hosts; therefore, answers B and C are incorrect. Although answer D sounds correct, it is not.

Question 123 Answer B is correct. Hashing, which is used in many encryption algorithms, is a smaller number achieved from a larger string of text. Cipher block chaining is an operation in which a sequence of bits is encrypted as a single unit; therefore, answer A is incorrect. PKI is comprised of various components making up the infrastructure to provide public and private key cryptography over networks; therefore, answer C is incorrect. Answer D is incorrect because ciphertext is synonymous with encrypted text.

Question 124 Answer A is correct. Before attempting to break into a system, the hacker will first try to analyze and footprint as much information as possible. Cracking describes malicious attacks on network resources; therefore, answer B is incorrect. Answer C is incorrect because social engineering is the nontechnical means of intrusion that often relies on tricking people into divulging security information. Spoofing is the electronic means of pretending to be someone else; therefore, answer D is incorrect.

Question 125 Answer C is correct. A proxy server provides security and caching services by serving as the intermediary between the internal network and external resources. Answer B is incorrect because a packet filter is a type of firewall in which each packet is examined and is either allowed or denied based on policy. A firewall is similar to a proxy server in the security it provides. However, a firewall does not seek to fulfill requests as does a proxy server, which will maintain previously accessed information in its cache; therefore, answer D is incorrect.

APPENDIX

What’s on the CD-ROM

The CD-ROM features an innovative practice test engine powered by MeasureUp™, giving you yet another effective tool to assess your readiness for the exam.

Multiple Test Modes

MeasureUp practice tests can be used in Study, Certification, or Custom Modes.

Study Mode

Tests administered in Study Mode enable you to request the correct answer(s) and the explanation for each question during the test. These tests are not timed. You can modify the testing environment during the test by selecting the Options button. You may also specify the objectives or missed questions you want to include in your test, the timer length, and other test properties. You can also modify the testing environment during the test by selecting the Options button. In Study Mode, you receive automatic feedback on all correct and incorrect answers. The detailed answer explanations are a superb learning tool in their own right.

Certification Mode

Tests administered in Certification Mode closely simulate the actual testing environment you will encounter when taking a certification exam and are timed. These tests do not allow you to request the answer(s) and/or explanation for each question until after the exam.

Custom Mode

Custom Mode enables you to specify your preferred testing environment. Use this mode to specify the objectives you want to include in your test, the timer length, number of questions, and other test properties. You can also modify the testing environment during the test by selecting the Options button.

Attention to Exam Objectives

MeasureUp practice tests are designed to appropriately balance the questions over each technical area covered by a specific exam. All concepts from the actual exam are covered thoroughly to ensure you’re prepared for the exam.

Installing the CD

System Requirements:

- Windows 95, 98, ME, NT4, 2000, or XP
- 7MB disk space for the testing engine
- An average of 1MB disk space for each individual test
- Control Panel Regional Settings must be set to English (United States)
- PC only

To install the CD-ROM, follow these instructions:

1. Close all applications before beginning this installation.
2. Insert the CD into your CD-ROM drive. If the setup starts automatically, go to step 6. If the setup does not start automatically, continue with step 3.
3. From the Start menu, select Run.
4. Click Browse to locate the MeasureUp CD. In the Browse dialog box, from the Look In drop-down list, select the CD-ROM drive.
5. In the Browse dialog box, double-click Setup.exe. In the Run dialog box, click OK to begin the installation.
6. On the Welcome screen, click MeasureUp Practice Questions to begin installation.
7. Follow the Certification Prep Wizard by clicking Next.
8. To agree to the Software License Agreement, click Yes.
9. On the Choose Destination Location screen, click Next to install the software to C:\Program Files\Certification Preparation. If you cannot locate MeasureUp Practice Tests through the Start menu, see the section titled “Creating a Shortcut to the MeasureUp Practice Tests,” later in this appendix.
10. On the Setup Type screen, select Typical Setup. Click Next to continue.
11. In the Select Program Folder screen, you can name the program folder where your tests will be located. To select the default, simply click Next and the installation continues.
12. After the installation is complete, verify that Yes, I Want to Restart My Computer Now is selected. If you select No, I Will Restart My Computer Later, you cannot use the program until you restart your computer.
13. Click Finish.
14. After restarting your computer, choose Start, Programs, Certification Preparation, Certification Preparation, MeasureUp Practice Tests.
15. On the MeasureUp Welcome Screen, click Create User Profile.
16. In the User Profile dialog box, complete the mandatory fields and click Create Profile.
17. Select the practice test you want to access and click Start Test.

Creating a Shortcut to the MeasureUp Practice Tests

To create a shortcut to the MeasureUp Practice Tests, follow these steps:

1. Right-click on your Desktop.
2. From the shortcut menu, select New, Shortcut.
3. Browse to C:\Program Files\MeasureUp Practice Tests and select the MeasureUpCertification.exe or Localware.exe file.
4. Click OK.
5. Click Next.
6. Rename the shortcut MeasureUp.
7. Click Finish.

After you complete step 7, use the MeasureUp shortcut on your Desktop to access the MeasureUp products you ordered.

Technical Support

If you encounter problems with the MeasureUp test engine on the CD-ROM, please contact MeasureUp at (800) 649-1687 or email sup[email protected]. Support hours of operation are 7:30 a.m. to 4:30 p.m., EST. Additionally, you can find Frequently Asked Questions (FAQ) in the “Support” area at www.measureup.com. If you would like to purchase additional MeasureUp products, call 678-356-5050 or 800-649-1687 or visit www.measureup.com.

Glossary

A

acceptable use: An organization’s policy that provides specific detail about what users may do with their network access, including email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user.

access control list (ACL): In its broadest sense, an access control list is the underlying data associated with a network resource that defines the access permissions. The most common privileges include the ability to read, write to, delete, and execute a file.

accounting: The tracking of users’ access to resources primarily for auditing purposes.

ActiveX: A Microsoft-developed precompiled application technology that can be embedded in a web page in the same way as Java applets.

Address Resolution Protocol (ARP) poisoning: This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address. In addition, they can broadcast a fake or spoofed ARP reply to an entire network and poison all computers.

algorithm: A set of sequenced steps that are repeatable. In encryption, the algorithm is used to define how the encryption is applied to data.

anomaly-based monitoring: Anomaly-based monitoring, a subset of behavior-based monitoring, stores normal system behavior profiles and triggers an alarm when some type of unusual behavior occurs.

antispam: A software program that can add another layer of defense to the infrastructure by filtering out undesirable email.

antivirus: A software program used for protecting the user environment that scans for email and downloadable malicious code.

applet: Java-based mini-program that executes when the client machine’s browser loads the hosting web page.

application logging: Application logging has become a major focus of security as we move to a more Web-based world and exploits such as cross-site scripting and SQL injections are an everyday occurrence.

asset: A company or personal resource that has value.

asymmetric key: A pair of key values—one public and the other private—used to encrypt and decrypt data, respectively. Only the holder of the private key can decrypt data encrypted with the public key, which means anyone who obtains a copy of the public key can send data to the private key holder in confidence.

attack signature: A signature that identifies a known method of attack.

auditing: The tracking of user access to resources, primarily for security purposes.

Authentication Header (AH): A component of the IPsec protocol that provides integrity, authentication, and anti-replay capabilities.

authentication: The process of identifying users.

authorization: The process of identifying what a given user is allowed to do.

availability: Ensures any necessary data is available when it is requested.

B

back door: A method of gaining access to a system or resource that bypasses normal authentication or access control methods.

backup technique: A defined method to provide for regular backups of key information, including user files and email storage, database stores, event logs, and security principal details such as user logons, passwords, and group membership assignments.

baseline: This measure of normal activity is used as a point to determine abnormal system and network behaviors.

behavior-based IDS: A detection method that involves a user noticing an unusual pattern of behavior, such as a continually operating hard drive or a significantly slowed level of performance.

behavior-based monitoring: The use of established patterns of baseline operations to identify variations that may identify unauthorized access attempts.

biometrics: Authentication based on some part of the human anatomy (retina, fingerprint, voice, and so on).

BIOS: Basic Input/Output System is the firmware code run upon start of a system.

block cipher: Transforms a message from plain text (unencrypted form) to cipher text (encrypted form) one piece at a time, where the block size represents a standard chunk of data that is transformed in a single operation.

botnet: A large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army.

business continuity plan: A plan that describes a long-term systems and services replacement and recovery strategy, designed for use when a complete loss of facilities occurs. A business continuity plan prepares for automatic failover of critical services to redundant offsite systems.

C

centralized key management: Involves a Certificate Authority generating both public and private key pairs for a user and then distributing them to the user.

certificate: An electronic document that includes the user’s public key and the digital signature of the certificate authority (CA) that has authenticated her. The digital certificate can also contain information about the user, the CA, and attributes that define what the user is allowed to do with systems she accesses using the digital certificate.

certificate authority (CA): A system that issues, distributes, and maintains current information about digital certificates. Such authorities can be private (operated within a company or an organization for its own use) or public (operated on the Internet for general public access).

Certificate Enrollment Protocol (CEP): A proprietary Cisco protocol that allows Cisco IOS–based routers to communicate with certificate authorities.

certificate life cycle: The period of time a certificate is valid. Issued certificates expire at the end of their lifetime and can be renewed.

Certificate Management Protocol (CMP): A protocol used for advanced PKI management functions. These functions include certificate issuance, exchange, invalidation, revocation, and key commission.

certificate policy: A statement that governs the usage of digital certificates.

certificate practice statement (CPS): A document that defines the practices and procedures a CA uses to manage the digital certificates it issues.

certificate revocation: The act of invalidating a digital certificate.

certificate revocation list (CRL): A list generated by a CA that enumerates digital certificates that are no longer valid and the reasons they are no longer valid.

certificate suspension: The act of temporarily invalidating a certificate while its validity is being verified.

chain of custody: The documentation of all transfers of evidence from one person to another, showing the date, time, and reason for transfer, and the signatures of both parties involved in the transfer. Chain of custody also refers to the process of tracking evidence from a crime scene to the courtroom.

Challenge Handshake Authentication Protocol (CHAP): A widely used authentication method in which a hashed version of a user’s password is transmitted during the authentication process.

change management: This term indicates that a formal process to schedule, implement, track, and document changes to policies, configurations, systems, and software is used in an organization.

cipher: A method for encrypting text, the term cipher is also used to refer to an encrypted message (although the term cipher text is preferred).

code of ethics: A formal list of rules governing personal and professional behavior that is adopted by a group of individuals or organizations. Many security certifications, including Security+, require their holders to adhere to a code of ethics that’s designed to foster ethical and legal behavior and discourage unethical or illegal behavior.

cold site: A remote site that has electricity, plumbing, and heating installed, ready for use when enacting disaster recovery or business continuity plans. At a cold site, all other equipment, systems, and configurations are supplied by the company enacting the plan.

confidentiality: Involves a rigorous set of controls and classifications associated with sensitive information to ensure that such information is neither intentionally nor unintentionally disclosed.

cookies: Temporary files stored in the client’s browser cache to maintain settings across multiple pages, servers, or sites.

countermeasures: Methods used in some scenarios to provide automatic response in the event of intrusion detection.

cross-certification: When two or more CAs choose to trust each other and issue credentials on each other’s behalf.

cross-site scripting (XSS): Malicious executable code placed on a website that allows an attacker to hijack a user session to conduct unauthorized access activities, expose confidential data, and provide logging of successful attacks back to the attacker.

cryptographic module: Any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques, and random number generation.

cryptography: A process that provides a method for protecting information by disguising (encrypting) it into a format that can be read only by authorized systems or individuals.

D

decentralized key management: Key management that occurs when a user generates a public and private key pair and then submits the public key to a certificate authority for validation and signature.

deflection: Redirecting or misdirecting attackers to secured segmented areas, allowing them to assume they have been successful while preventing access to secured resources.

degaussing: A method of removing recorded magnetic fields from magnetic storage media by applying strong cyclic magnetic pulses, thereby erasing the content and making the media unreadable.

demilitarized zone (DMZ): Also called the neutral zone, a DMZ is an area in a network that allows limited and controlled access from the public Internet.

denial of service (DoS): A type of attack that denies legitimate users access to a server or services by consuming sufficient system resources or network bandwidth or by rendering a service unavailable.

distributed denial of service (DDoS): A DDoS attack originates from multiple systems simultaneously, thereby causing even more extreme consumption of bandwidth and other resources than a DoS attack.

dictionary attack: An attack in which software is used to compare hashed data, such as a password, to a word in a hashed dictionary. This is repeated until matches are found in the hash, with the goal being to match the password exactly to determine the original password that was used as the basis of the hash.

digital certificate: See certificate.

digital signature: A hash encrypted with a private key of the sender that proves user identity and authenticity of the message. Signatures do not encrypt the contents of an entire message. A digital signature uses data to provide an electronic signature that authenticates the identity of the original sender of the message or data.

disaster recovery: Actions to be taken in case a business is hit with a natural or manmade disaster.

discretionary access control (DAC): A distributed security method that allows users to set permissions on a per-object basis.

DMZ: See demilitarized zone.

Domain Name Service (DNS) kiting: DNS kiting refers to the practice of taking advantage of the Add Grace Period (AGP) to monopolize domain names without even paying for them. Domain kiting works by deleting a domain name during the five-day AGP and immediately reregistering it for another five-day period.

Domain Name Service (DNS) poisoning: DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere he chooses. This not only sends a requestor to a different website but also caches this information for a short period, distributing the attack’s effect to the server users.

dry-pipe fire suppression: A sprinkler system with pressurized air in the pipes. If a fire starts, a slight delay occurs as the pipes fill with water. This system is used in areas where wet-pipe systems might freeze.

due care: Assurance that the necessary steps are followed to satisfy a specific requirement, which can be an internal or external requirement, as in an agency regulation.

dumpster diving: Scavenging discarded equipment and documents and extracting sensitive information from them without ever contacting anyone in the company.

E

elliptic curve cryptography (ECC): A method in which elliptic curve equations are used to calculate encryption keys for use in general-purpose encryption.

Encapsulating Security Payload (ESP): ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.

encryption algorithm: A mathematical formula or method used to scramble information before it is transmitted over unsecure media. Examples include RSA, DH, IDEA, Blowfish, MD5, and DSS/DSA.

environment: The physical conditions that affect and influence growth, development, and survival. Used in the security field to describe the surrounding conditions of an area to be protected.

escalation: The upward movement of privileges when using network resources or exercising rights (such as moving from read permissions to write).

evidence: Any hardware, software, or data that can be used to prove the identity and actions of an attacker.

Extensible Markup Language (XML): A flexible markup language based on standards from the World Wide Web Consortium. XML is used to provide widely accessible services and data to end users, exchange data among applications, and capture and represent data in a large variety of custom and standard formats.

extranet: A special internetwork architecture wherein a company’s or organization’s external partners and customers are granted access to some parts of its intranet and the services it provides in a secure, controlled fashion.

F

Faraday cage: A metal enclosure used to conduct stray EMEs (electromagnetic emissions) to ground, thereby eliminating signal leakage and the ability of external monitors or detectors to “read” network or computer activity. A Faraday cage can be very small or encompass an entire building, and it is generally used only when security concerns are extremely high (as in national defense, classified areas, or highly sensitive commercial environments).

Federal Information Processing Standard (FIPS): A standard created by the U.S. government for the evaluation of cryptographic modules. It consists of four levels that escalate in their requirement for higher security levels.

firewall: A hardware device or software application designed to filter incoming or outgoing traffic based on predefined rules and patterns. Firewalls can filter traffic based on protocol uses, source or destination addresses, and port addresses; and they can even apply state-based rules to block unwanted activities or transactions.

forensics: As related to security, forensics is the process of analyzing and investigating a computer crime scene after an attack has occurred and of reconstructing the sequence of events and activities involved in such an attack.

G

Group Policy: Group Policy can be used for ease of administration in managing the environment of users in a Microsoft network. This can include installing software and updates or controlling what appears on the desktop. The Group Policy object (GPO) is used to apply a group policy to users and computers.

guideline: Specific information about how standards should be implemented. A guideline is generally not mandatory, thus acting as a kind of flexible rule used to produce a desired behavior or action. A guideline allows freedom of choice on how to achieve the behavior.

H

hash value: The resultant output or data generated from an encryption hash when applied to a specific set of data. If computed and passed as part of an incoming message and then recomputed upon message receipt, such a hash value can be used to verify the received data when the two hash values match.

hashing: A methodology used to calculate a short, secret value from a data set of any size (usually for an entire message or for individual transmission units). This secret value is recalculated independently on the receiving end and compared to the submitted value to verify the sender’s identity.

honeypot: A decoy system designed to attract hackers. A honeypot usually has all its logging and tracing enabled, and its security level is lowered on purpose. Likewise, such systems often include deliberate lures or bait, in hopes of attracting would-be attackers who think there are valuable items to be attained on these systems.

host-based IDS (HIDS): Host-based intrusion-detection systems (HIDSs) monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.

hypervisor: A hypervisor controls how access to a computer’s processors and memory is shared. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that enables more than one operating system to run on a host computer at the same time.

hot site: A site that is immediately available for continuing computer operations if an emergency arises. It typically has all the necessary hardware and software loaded and configured and is available 24/7.

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS): A protocol used in a secured connection encapsulating data transferred between the client and Web server that occurs on port 443.

I

identity proofing: Identity proofing is an organizational process that binds users to authentication methods. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. This is the main component of authentication life cycle management.

incident: Any violation or threatened violation of a security policy.

incident response: A clear action plan on what each response team member needs to do and when it has to be done in the event of an emergency or a security incident.

integrity: Involves a monitoring and management system that performs integrity checks and protects systems from unauthorized modifications to data, system, and application files. When applied to messages or data in transit, integrity checks rely on calculating hash or digest values before and after transmission to ensure nothing changed between the time the data was sent and the time it was received.

Internet Key Exchange (IKE): A method used in the IPsec protocol suite for public key exchange, security association parameter negotiation, identification, and authentication.

Internet Protocol Security (IPsec): Used for encryption of TCP/IP traffic, IP Security provides security extensions to IPv4. IPsec manages special relationships between pairs of machines, called security associations.

Internet Security Association and Key Management Protocol (ISAKMP): Defines a common framework for the creation, negotiation, modification, and deletion of security associations.

intranet A portion of the information technology infrastructure that belongs to and is controlled by the company in question.

intrusion Malicious activity such as denial-of-service attacks, port scans, or attempts to break into computers.

intrusion-detection system (IDS) A sophisticated network-protection system designed to detect attacks in progress but not to prevent potential attacks from occurring (although many IDSs can trace attacks back to an apparent source; some can even automatically notify all hosts through which attack traffic passes that they are forwarding such traffic).

K

Kerberos authentication Kerberos defines a set of authentication services and includes the Authentication Service (AS) Exchange protocol, the Ticket-Granting Service (TGS) Exchange protocol, and the Client/Server (CS) Exchange protocol.

key escrow Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA.

key exchange A technique in which a pair of keys is generated and then exchanged between two systems (typically a client and server) over a network connection to allow a secure connection to be established between them.

key management The methods for creating and managing cryptographic keys and digital certificates.

knowledge-based detection Knowledge-based detection relies on the identification of known attack signatures and events that should never occur within a network.

L

Layer 2 Tunneling Protocol (L2TP) A technology used with a VPN to establish a communication tunnel between communicating parties over unsecure media. L2TP permits a single logical connection to transport multiple protocols between a pair of hosts. L2TP is a member of the TCP/IP protocol suite and is defined in RFC 2661; a framework for creating virtual private networks that uses L2TP appears in RFC 2764.

Lightweight Directory Access Protocol (LDAP) A TCP/IP protocol that allows client systems to access directory services and related data. In most cases, LDAP is used as part of management or other applications or in browsers to access directory services information.

logic bomb A piece of software designed to do damage at a predetermined point in time or in response to some type of condition (for example, “disk is 95% full”) or event (for example, some particular account logs in or some value the system tracks exceeds a certain threshold).

logical tokens A method of access control used in addition to physical security controls to limit access to data.

M

M of N Control The process of backing up private key material across multiple systems or devices. This provides a protective measure to ensure that no one individual can recreate their key pair from the backup.

man in the middle An attack in which a hacker attempts to intercept data in a network stream and then inserts her own data into the communication with the goal of disrupting or taking over communications. The term itself is derived from the insertion of a third party—the proverbial “man in the middle”—between two parties engaged in communications.

mandatory access control (MAC) A centralized security method that doesn’t allow users to change permissions on objects.

mantrap A two-door configuration in a building or office that can lock unwanted individuals in a secured area, preventing them from entering other areas or even from exiting wherever it is they’re being held.

message The content and format a sender chooses to use to communicate with some receiver across a network, an intranet, an extranet, or the Internet.

message digest The output of an encryption hash that’s applied to some fixed-size chunk of data. A message digest provides a profound integrity check because even a change to 1 bit in the target data also changes the resulting digest value. This explains why digests are included so often in network transmissions.

misuse Misuse is typically used to refer to unauthorized access by internal parties.

Multifactor authentication Multifactor authentication involves the use of two or more different forms of authentication. What you know (logon, password, PIN), what you have (keycard, SecureID number generator), or what you are (biometrics) constitute different forms.

mutual authentication A situation in which a client provides authentication information to establish identity and related access permissions with a server and in which a server also provides authentication information to the client to ensure that illicit servers cannot masquerade as genuine servers.

N

network access control (NAC) NAC offers a method of enforcement that helps ensure computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, granting access accordingly.

Network Address Translation (NAT) TCP/IP protocol technology that maps internal IP addresses to one or more external IP addresses through a NAT server of some type. NAT enables the conservation of public IP address space by mapping private IP addresses used in an internal LAN to one or more external public IP addresses to communicate with the external world. NAT also provides address-hiding services, thus adding both security and simplicity to network addressing.

network-based IDS (NIDS) Network-based IDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and that are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.

network-based IPS (NIPS) A device or software program designed to sit inline with traffic flows and prevent attacks in real time.

O

One Time Pad (OTP) Within an OTP, there are as many bits in the key as there are in the plain text to be encrypted; and as the name suggests, this key is to be random and used only once, with no portion of the key ever being reused.

Online Certificate Status Protocol (OCSP) An Internet protocol defined by the IETF that is used to validate digital certificates issued by a CA. OCSP was created as an alternative to certificate revocation lists (CRLs) and overcomes certain limitations of CRL.

OSI model The Open Systems Interconnect model is a logically structured model that encompasses the translation of data entered at the application layer through increasingly more abstracted layers of data, resulting in the actual binary bits passed at the physical layer.

P

passive detection A method of intrusion detection that has an IDS present in the network in a silent fashion; it does not interfere with communications in progress.

pattern matching A network-analysis approach that compares each individual packet against a database of signatures. The inherent weakness in this method is that such patterns must be known (and definitions in place) before they can be used to recognize attacks or exploits.

performance baseline See baseline.

performance monitoring The act of using tools to monitor changes to system and network performance.

personally identifiable information (PII) Privacy-sensitive information that identifies or can be used to identify, contact, or locate the person to whom such information pertains.

Point-to-Point Tunneling Protocol (PPTP) A TCP/IP technology used to create virtual private networks (VPN) or remote-access links between sites or for remote access. PPTP is generally regarded as less secure than L2TP and is used less frequently for that reason.

policy A broad statement of views and positions. A policy that states high-level intent with respect to a specific area of security is more properly called a security policy.

pop-up blocker A program used to block a common method for Internet advertising, using a window that pops up in the middle of your screen to display a message when you click a link or button on a website.

Pretty Good Privacy (PGP) A shareware encryption technology for communications that utilizes both public and private encryption technologies to speed up encryption without compromising security.

private key In encryption, this is the key used to unencrypt a message.

privilege escalation A method of software exploitation that takes advantage of a program’s flawed code. Usually, this crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator.

privilege management The process of controlling users and their capabilities on a network.

probability Used in risk assessment, probability measures the likelihood or chance that a threat will actually exploit some vulnerability.

procedure A procedure specifies how policies will be put into practice in an environment (that is, it provides necessary how-to instructions).

protocol analyzer Protocol analyzers help troubleshoot network issues by gathering packet level information across the network. These applications capture packets and decode the information into readable data for analysis.

Public Branch Exchange (PBX) A telephone switch used on a company’s or organization’s premises to create a local telephone network. Using a PBX eliminates the need to order numerous individual phone lines from a telephone company and permits PBX owners to offer advanced telephony features and functions to their users.

public key A key that is made available to whoever is going to encrypt the data sent to the holder of a private key.

Public Key Cryptography Standards (PKCS) The de facto cryptographic message standards developed and published by RSA Laboratories.

public key infrastructure (PKI) A paradigm that encompasses certificate authorities and X.509 certificates used with public encryption algorithms to distribute, manage, issue, and revoke public keys. Public key infrastructures typically also include registration authorities to issue and validate requests for digital certificates, a certificate-management system of some type, and a directory in which certificates are stored and can be accessed. Together, all these elements make up a PKI.

Public Key Infrastructure based on X.509 Certificates (PKIX) A working group of the Internet Engineering Task Force (IETF) focused on developing Internet standards for certificates.

R

redundant array of inexpensive disks (RAID) A redundant array of inexpensive disks is an organization of multiple disks into a large, high-performance logical disk to provide redundancy in the event of a disk failure.

receiver The party that receives a message from its sender.

redundancy planning The process of planning for continuing service in the event of failure by providing more than one of the same components or services.

Remote Authentication Dial-In User Services (RADIUS) An Internet protocol, used for remote-access services. It conveys user authentication and configuration data between a centralized authentication server and a remote-access server (RADIUS client) to permit the remote access server to authenticate requests to use its network access ports.

replay An attack that involves capturing valid traffic from a network and then retransmitting that traffic at a later time to gain unauthorized access to systems and resources.

removable storage This is a small, high-capacity, removable device, such as an iPod, thumb drive, or cell phone, that can store information.

restoration The process whereby data backups are restored into the production environment.

retention policy Documentation of the amount of time an organization will retain information.

risk The potential that a threat might exploit some vulnerability.

role A defined behavior for a user or group of users based on some specific activity or responsibilities. (For example, a tape backup administrator is usually permitted to back up all files on one or more systems; that person might or might not be allowed to restore such files, depending on the local security policies in effect.)

role-based access control (RBAC) A security method that combines both MAC and DAC. RBAC uses profiles. Profiles are defined for specific roles within a company, and then users are assigned to such roles. This facilitates administration in a large group of users because when you modify a role and assign it new permissions, those settings are automatically conveyed to all users assigned to that role.

rollback A process used to undo changes or transactions when they do not complete, when they are suspected of being invalid or unwanted, or when they cause problems.

rootkit A piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system.

round A selection of encrypted data that is split into two or more blocks of data. Each block of data is then run through an encryption algorithm that applies an encryption key to each block of data individually, rather than applying encryption to the entire selection of data in a single operation.

router A device that connects multiple network segments and routes packets between them. Routers split broadcast domains.

rule-based access control (RBAC) A rule-based access control method is an extension of access control that includes stateful testing to determine whether a particular request for resource access may be granted. When a rule-based method is in force, access to resources may be granted or restricted based on conditional testing.

S

Secure Hypertext Transfer Protocol (S-HTTP) An alternative to HTTPS; the Secure Hypertext Transport Protocol was developed to support connectivity for banking transactions and other secure Web communications.

Secure/Multipurpose Internet Mail Extensions (S/MIME) An Internet protocol governed by RFC 2633 and used to secure email communications through encryption and digital signatures for authentication. It generally works with PKI to validate digital signatures and related digital certificates.

Secure Shell (SSH) A protocol designed to support secure remote login, along with secure access to other services across an unsecure network. SSH includes a secure transport layer protocol that provides server authentication, confidentiality (encryption), and integrity (message digest functions), along with a user-authentication protocol and a connection protocol that runs on top of the user-authentication protocol.

Secure Sockets Layer (SSL) An Internet protocol that uses connection-oriented, end-to-end encryption to ensure that client/server communications are confidential (encrypted) and meet integrity constraints (message digests). Because SSL is independent of the application layer, any application protocol can work with SSL transparently. SSL can also work with a secure transport layer protocol, which is why the term SSL/TLS appears frequently. See also Transport Layer Security.

security association (SA) A method in IPsec that accounts for individual security settings for IPsec data transmission.

security baseline Defined in a company’s or organization’s security policy, a security baseline is a specific set of security-related modifications to and patches and settings for systems and services in use that underpins technical implementation of security.

security groups A logical boundary that helps enforce security policies.

security policies Documentation of the goals and elements of an organization’s systems and resources.

sender The party that originates a message.

sequence number A counting mechanism in IPsec that increases incrementally each time a packet is transmitted in an IPsec communication path. It protects the receiver from replay attacks.

service level agreement (SLA) A contract between two companies or a company and individual that specifies, by contract, a level of service to be provided by one company to another. Supplying replacement equipment within 24 hours of loss of that equipment or related services is a simple example of an SLA.

signature-based monitoring A signature-based monitoring method is sometimes considered a part of the misuse-detection category. This type of monitoring method looks for specific byte sequences or signatures that are known to appear in attack traffic. The signatures are identified through careful analysis of the byte sequence from captured attack traffic.

Simple Network Management Protocol (SNMP) A UDP-based application layer Internet protocol used for network management, SNMP is governed by RFCs 2570 and 2574. In converting management information between management consoles (managers) and managed nodes (agents), SNMP implements configuration and event databases on managed nodes that can be configured to respond to interesting events by notifying network managers.

Simple Mail Transport Protocol (SMTP) relay An exploitation of SMTP relay agents used to send out large numbers of spam messages.

single sign-on (SSO) The concept or process of using a single logon authority to grant users access to resources on a network regardless of what operating system or application is used to make or handle a request for access. The concept behind the term is that users need to authenticate only once and can then access any resources available on a network.

smart card A credit card–size device that contains an embedded chip. On this chip, varying and multiple types of data can be stored, such as a driver’s license number, medical information, passwords, or other authentication data, and even bank account data.

sniffer A hardware device or software program used to capture and analyze network data in real time. Because such a device can typically read and interpret all unencrypted traffic on the cable segment to which it is attached, it can be a powerful tool in any competent hacker’s arsenal.

social engineering The process of using human behavior to attack a network or gain access to resources that would otherwise be inaccessible. Social engineering is a term that emphasizes the well-known fact that poorly or improperly trained individuals can be persuaded, tricked, or coerced into giving up passwords, phone numbers, or other data that can lead to unauthorized system access, even when strong technical security measures can otherwise prevent such access.

spam A term that refers to the sending of unsolicited commercial email.

spoofing A technique for generating network traffic that contains a different (and usually quite specific) source address from that of the machine actually generating the traffic. Spoofing is used for many reasons in attacks: It foils easy identification of the true source, it permits attackers to take advantage of existing trust relationships, and it deflects responses to attacks against some (usually innocent) third party or parties.

spyware Software that communicates information from a user’s system to another party without notifying the user.

standard This term is used in many ways. In some contexts, it refers to best practices for specific platforms, implementations, OS versions, and so forth. Some standards are mandatory and ensure uniform application of a technology across an organization. In other contexts, a standard might simply describe a well-defined rule used to produce a desired behavior or action.

steganography Steganography is a word of Greek origin meaning hidden writing, which can be further described as both an art and a science for simply hiding messages so that unintended recipients wouldn’t even be aware of any message.

storage policy A policy defining the standards for storing each classification level of data.

switch A hardware device that manages multiple, simultaneous pairs of connections between communicating systems. Switches split collision domains, but can also provide greater aggregate bandwidth between pairs or groups of communicating devices because each switched link normally gets exclusive access to available bandwidth.

symmetric key A single encryption key that is generated and used to encrypt data. This data is then passed across a network. After that data arrives at the recipient device, the same key used to encrypt that data is used to decrypt it. This technique requires a secure way to share keys because both the sender and receiver use the same key (also called a shared secret because that key should be unknown to third parties).

system logging The process of collecting system data to be used for monitoring and auditing purposes.

system monitoring A method of monitoring used to analyze events that occur on individual systems.

T

Terminal Access Controller Access-Control System Plus (TACACS+) An authentication, access control, and accounting standard that relies on a central server to provide access over network resources, including services, file storage, and network routing hardware.

threat A danger to a computer network or system (for example, a hacker or virus represents a threat).

token This is a hardware- or software-based system used for authentication wherein two or more sets of matched devices or software generate matching random passwords with a high degree of complexity.

Transmission Control Protocol/Inte