Security+ Slides

CompTIA Security+ Training
Getting Started with CompTIA Security+ Training

Instructor: Lisa Szpunar
Getting Started with CompTIA Security+ Training CompTIA Security+ Training
In This Lesson:
About Your Instructor About This Course
About Your Instructor

Masters degree in computer science Specialization in systems design and analysis and security Certifications CompTIA Security+ SY0-201 and SY0-301 MCTS
Lisa Szpunar
About This Course

Suitable for someone who has passed the CompTIA Network+ certification or whom has equivalent knowledge Covers 100% of the CompTIA Security+ SY0-301 objectives Lessons are best watched in order Lesson layout 1. Overview of what will be covered in the lesson 2. Lesson content 3. Vocabulary list of new terminology introduced in that lesson 4. A quick review of what was covered in the lesson
About This Course

You will learn about: The fundamentals of IT security How to analyze the threats you will be up against Topics to educate employees and users about Helping to integrate security with business needs
So much more!
About This Course

Getting Started with CompTIA Security+ Training Introduction to IT Security Types of Attacks Malware Prevention and Cleanup Network Device Security
Secure Network Administration Secure Network Design TCP/IP Protocols and Port Security
About This Course

Attacks on Wireless Networks Securing Wireless Networks Host Security Securing Applications Data Security Authentication, Authorization, and Access Control Physical and Environmental Security Authentication Services User Account Management
About This Course

Risk Management Threat and Vulnerability Assessment and Detection Risk Mitigation and Deterrence Log Monitoring and Reporting Business Continuity Disaster Recovery Planning Incident Response User Education Social Engineering
About This Course

Cryptography Concepts Cryptography Tools Public Key Infrastructure (PKI) Concepts PKI Implementation
Preparing for your CompTIA Security + SY0-301 Certification Exam Next Steps
Introduction to IT Security
Introduction to IT Security CompTIA Security+ Training
In This Lesson:
What is IT Security? Key Terms You Should Know Confidentiality Integrity Availability Authentication Authorization Accounting
Exam Objective:
2.8 Exemplify the concepts of confidentiality, integrity and availability
What is IT Security?
Precautions taken to guard against incidents Attacks Mischievous behavior Human error Physical devices, software, configurations, policies, and user education Prevent, detect, and recover from an incident Keeps data safe from unauthorized access, modification, or destruction during storage and transmission Must use a multifaceted approach security in layers
Key Terms You Should Know Term Definition

Assets Attacker Mitigation Any type of data or device that helps to support your information systems An entity that is attempting to gain unauthorized access or do harm to a system or information Any method used to lower the likelihood or impact of a threat Prevents a party from denying involvement in a transaction after it has taken place. Also proves that the transaction was complete and the intended party received the data
Non-Repudiation

Any sort of weakness in a system that can be exploited. Vulnerability This can include software bugs, human errors, or a bad configuration Threat Risk Exploit Any potential person, action, or circumstance with the ability to cause damage to a system The likelihood that a vulnerability will be used or exploited by an attacker as well as the impact of the exploit The actual action that compromises the security or integrity of a system or information
The Information Security Triad CIA
Data And Services
Protects data and communications from being seen by unauthorized people
Data should not be able to be modified without being detected
What good is a service if its not up and running?
The AAA Protocol
Authentication
Accounting
Authorization
The AAA Protocol
Authentication
A process where the persons identity is determined. This is usually done by providing evidence to prove that the person or system is who they claim to be.
The AAA Protocol
Determines whether the person or object is permitted to perform an activity or access a resource.
Authorization
The AAA Protocol All access to resources (and failed attempts at access) are recorded for later review.
Accounting
What We Covered
What is IT Security? Key Terms You Should Know Confidentiality Integrity Availability Authentication Authorization Accounting
Types of Attacks

Types of Attacks CompTIA Security+ Training
In This Lesson:
Attacks on Data in Transit Spoofing/Poisoning Pharming Man-in-the-middle Replay Denial of Service (DoS) Distributed DoS Smurf Scanners and Sniffers Attacks Via Email and Other Communications Spam Phishing Other Attacks Privilege Escalation Transitive Access Client-side Attacks
Exam Objective:
3.2 Analyze and differentiate among types of attacks
Attacks on Data in Transit
Spoofing/Poisoning
Making data appear to have come from somewhere it did not or be something that it is not. Example: An attacker changes the MAC address of his wireless card to look like it is from a valid internal machine and uses it to gain access.
Common Spoofing Type
IP Spoofing ARP Spoofing/Poisoning DNS Spoofing/Poisoning
What is Spoofed
IP Source Address
Result
Data appears to have come from a trusted host Data looks like it came from a network that it didnt
MAC Address
DNS Info
Users are sent to the wrong website. Email is rerouted to the wrong place.
Pharming
Take traffic intended for one destination and redirect it to another. DNS spoofing or change the host file on the victims computer Bogus pharming site usually looks nearly identical to the legitimate site Tricks you into entering personal data like username and password Example: You think you are going to a website that you frequent. The site looks fine and you enter your login information. You receive a login error even though you have given the correct credentials.
Man-in-the-Middle
Two parties think they are communicating with each other. The attacker is actually between the two intercepting and controlling the communication. Active attack Attacker could be just eavesdropping or altering data
Mitigation
Strong mutual authentication
Public Key Infrastructure One-time pads
Man-in-the-Middle
Client
MITM
Server
Replay
The attacker captures information during transition and then resends it later. Example: Attacker obtains a copy logon/authentication info and uses it later to gain access to a system
Mitigation
One-time-use session tokens Clock Synchronization
Denial of Service (DoS)

The attacker attempts to overload resources like a web server using large amounts of data. DoS aims to Deny access to resources or information Crash a website or operating system DoS works by Occupying all available bandwidth and/or computing power
Symptoms
Unusually slow network performance Website down
Mitigation (just a little)

Patch Management Firewall
Intrusion Prevention System (IPS)
Denial of Service (DoS)
Common DoS Types Ping of Death Buffer Overflow Ping for acknowledgement with too many IMCM packets to handle Overflow the buffer with larger data than it can handle
TCP SYN Flooding Open too many TCP sessions to handle
Distributed Denial of Service (DDoS)

Uses multiple systems to magnify the intensity of the DoS attack. The attacker uses a master system that coordinates third-party zombie nodes to participate in the DoS attack.
Smurf
An attacker spoofs ICMP packets that are to look like they came from a host that is the target for the attack. These packets are broadcast to ping a group of hosts on a network. All the hosts reply to the target host overloading it and possibly overloading the network along the way.
Smurf
Spoofed Ping Requests
ICMP Ping Replies
Scanners and Sniffers

Network Scanner/Sniffer Captures and displays network traffic Attacker must have internal access Mitigation: Proper physical security and security policies Port Scanner/Sniffer Systematically query ports to see which ones are open Attacker can be internal or external Xmas scan is an advanced scanner that can get around firewalls Mitigation: Properly configure routers and employ firewalls
Attacks Via Email and Other Communications
Spam
Any unwanted or unsolicited communication Sent in bulk Mitigation Normally refers to unwanted email Anti-Spam filter Spim is spam over instant messenger Forums, newsgroups, text, everywhere Can contain malware or links to sites infected with malware Costs companies productivity and money for anti-spam services
Spear Phishing
Using information specific to a person/company to make a phishing attempt seem more legitimate
Phishing
Trying to get personal information by pretending to be as a trusted person, company, or website. Often comes as email Uses logos and color schemes to try to mimic the legitimate entity Tries create a sense of urgency or fear Poses as the security team or customer service rep Mitigation User education Spam filter
Vishing
Phishing over VoIP
Whaling
Spear Phishing targeted at executives or people with access to epically sensitive information
Other Attacks
Privilege Escalation
The ability of someone or an application to gain privileges and access that are not intended to have. Configuration oversight Debugging backdoor left in code Could be an outside attacker, a fortuitous insider, or even a malicious insider
Mitigation
Account Auditing and Management Least Privilege Code Review
Transitive Access
When trust is transferred to a third party through a known trusted entity. Examples: Joint ventures, consultants Mitigation: Dont give trust to your entire forest. Instead create a separate forest with just the resources you want to share.
Trust
Trust
Trust
Client-side Attacks
An attack that exploits the clientserver relationship. A user downloads something from a trusted server (FTP, file share, email, web, etc.) and unknowingly get malicious code too. Allows attacker to execute programs on the infected machine Programs run at the permission level of the user If a client does not interact with the server there is no risk of getting any harmful data from the server.
Mitigation
Firewall with Intrusion Prevention System

Spoofing Pharming Man-in-the-Middle Replay Data that masquerades as something it isn't. Data that looks like it is from a legitimate source An attack that takes traffic intended for one destination and redirects it to another The attacker impersonates two endpoints and controls the communication between them An attacker captures a data transmission and resends it later
Key Terms You Should Know
Term Definition
Deprive the indented users access to a system by Denial of Service overwhelming resources and bandwidth with larger amounts of data than it can handle Distributed DoS Using the resources of many different systems (usually without their consent) to launch a DoS attack
Broadcasting spoofed ICMP pings to many hosts on a Smurf network and aiming the replies to one target machine creating a DoS attack

Term Definition
Spam Unsolicited bulk email or other communication Spim Spam over instant messenger Pretending to be a known company or person and Phishing asking for personal information like passwords or credit card numbers Spear Phishing Whaling Vishing Using knowledge of a person on company to appear trustworthy and extract sensitive information Spear phishing aimed at a high ranking person to gain access to especially sensitive information Using the anonymity of VoIP to employ phishing schemes

Privilege Escalation Transitive Access Client-side Attacks Obtaining permissions, privileges, and access that one is not intended to have A trusts B, B trusts C, so A trusts C. May be without their knowledge or consent A malicious server doles out rogue code to the clients that access it
Malicious Insider A employee that has malevolent intent against his or Threat her company
What We Covered
Attacks on Data in Transit Attacks Via Email and Other Communications Other Attacks
xes nt
he k
Spoofing/Poisoning Pharming Man-in-the-middle Replay Denial of Service (DoS) Distributed DoS Smurf Scanners and Sniffers
Spam Phishing
Privilege Escalation Transitive Access Client-side Attacks Malicious Insider Threat
Malware Prevention and Cleanup

Malware Prevention and Cleanup CompTIA Security+ Training
In This Lesson:
Viruses Worms Trojans Spyware Adware Rootkits Backdoors Logic Bombs Botnets Ransomware Malware Mitigation Malware Removal
Exam Objective:
3.1 Analyze and differentiate
among types of malware
Malware
A combination of the words malicious and software Broad category of software threats Created with the intent of being damaging (or just annoying) Malicious payloads can: Consume bandwidth and resources Vandalism delete files Install a backdoor Make the PC part of a botnet Data theft Keystroke logging Install unwanted software like other malware Display advertisements
Viruses
Computer viruses can replicate themselves In order to spread to another computer it must attach itself to a program or file Spread from by direct action send an email attachment share files on removable media
Program File
or
Host
Virus
Virus Types
Program/File Viruses that create or infect executable files Parasitic Companion Appends itself to a legitimate host file. When the host file is opened the virus executes first Creates a new program with the same name as an existing program
Written in macro language. This virus is embedded in Macro Microsoft Office templates and runs when the document is opened
Virus Types
Viruses that attempt to avoid detection Concealment by antivirus software
Polymorphic Changes its code or mutates each time it runs while keeping the function intact
Retrovirus Attacks the antivirus software itself Hides by intercepting the antivirus softwares processes. Stealth Example: the process of checking a files size to see if a virus has been added
Virus Types
Other Boot Sector Infects the master boot record Multipartite Infects and spreads in multiple ways
Worms
Has the ability to spread without human interaction Can replicate itself on your system and send those copies to other machines Uses communication/transport features already set up on your machine like email Example: A worm uses your email program to send copies of itself to everyone in your address book.
Worm
Worm
Trojans
Appears to be some kind of desired software or file Is actually concealing malicious code User is tricked into opening or installing it Can not replicate itself A computer with trojan malware installed can now be used by attackers Botnet Data theft, modification, or deletion Proxy
Spyware
Cannot spread on its own Collects computer and user information Internet usage Passwords/account numbers Can control as well as monitor Install additional software adware Redirect browser activity Change settings Usually installed without the users knowledge or consent Presence is hard to detect Forwards information to attacker
Adware
Automatically displays or downloads advertisements Whether or not the user has consented Not necessarily malware Can be used in exchange for free or discounted access to a program or service Mobile phone apps
Pop-ups
Not all pop-ups and pop-unders are adware Use anti spyware/pop-up blocker program like Windows Defender
Rootkits
Allows continued root access to a computer The attacker must have obtained root access to install the rootkit Clicking yes to a prompt asking for permission Actively hides from administrators, OS, and antivirus
Backdoors
A hidden method of bypassing the normal authentication process Can be hard coded in by a programs creator Can be added by malware
Trojans Rootkits
Logic Bombs
Malware designed to launch based on a predetermined event Date and time (time bomb) Deletion of a particular user account Reboot Delivers a malicious payload Delete data Destroy network infrastructure
Botnets
A colony of remote machines that are infected with malware allowing an attacker to use their resources to coordinate an attack. Example uses Distributed denial of service attacks Sending spam Brute force attacks Spammers or others can purchase the use of botnets that are already set up
Ransomware
Holds systems or data hostage by encrypting it Threatens harmful or destructive action Demands ransom money for the return of the data or the removal of malicious code
Malware Mitigation
Install antivirus software and Update antivirus software Disallow common vehicles for viruses .exe files Macros Least privilege User education Acceptable use policy Backups
Virus Found!
Viruses Cause: Privacy Invasion Security Risks System Crashes Infecting other Computers
Click Here to Remove Scareware
Continue Unprotected
Malware Removal
1. Remove the infected computer from the network 2. Take an image or backup files to an isolated drive 3. Antivirus software 4. Internet search (be very cautious) Malware removal tools Infection specific tools or tutorials Forums and blogs 5. Restore or reinstall the OS

Viruses code to replicate
Malicious code that must attach itself to another piece of
Worms Independent malicious code that self-replicates Trojans of) has a hidden purpose
Appears to provide one desired service but also (or instead Malware that works on behalf of a third party to gather Software that automatically downloads and displays
Spyware information and install more malware on a infected machine Adware advertisements
Term Definition
Rootkits Code that offers the attacker prolonged remote root access Backdoors and access control
An intentional or forced way around normal authentication Malicious code that is set to launch after a specific
Logic Bombs condition is met
Botnets attacker to use their resources to anonymously

send attacks and spam
A group of remote hosts with code installed that allows an
Ransomware only release them once a random is met
Malicious code that holds data or systems hostage and will
What We Covered
Viruses Worms Trojans Spyware Adware Rootkits Backdoors Logic Bombs Botnets Ransomware Malware Mitigation Malware Removal
Network Device Security

Network Device Security CompTIA Security+ Training
In This Lesson:
Firewalls Routers Switches Load Balancers Proxies Web Security Gateways VPN Concentrators Network-based Intrusion Detection and Intrusion Prevention Other Security Appliances Protocol Analyzers / Sniffers Exam Objective: Host-based Filtering Tools
1.1 Explain the security function
and purpose of network devices and technologies
Firewalls
Purposes Isolate a network or part of a network Control and filter traffic from untrusted sources Network address translation (NAT) Create a demilitarized zone (DMZ) Form of Hardware Stand-alone Network-based Software Integrated Host-based
Firewall Best Practices
All inbound and outbound communication should be filtered Deploy firewalls between different departments and/or security levels Keep patched and updated
Firewall Types
Packet Filter Filters packets based on their header information Source / Destination address (port number) Doesnt look at packet contents
Example: a packet filtering firewall has a rule to disallow Telnet access. The firewall looks at the IP header and if port 23 is present, the packet is dropped or denied.
Strengths
Already in your environment
Weaknesses
Static and unintelligent
Fast
Spoofing / malicious content
Firewall Types
Proxy Firewall Acts as an intermediary between your network and the outside Intercepts, inspects, and repackages Can look at packet content Forwards or rejects data based on a set of rules Application Level More advanced rules for one application/service/port
Strengths
Hides internal users from the external network
Weaknesses
Slower Harder to set up
Firewall Types
Web Application Firewall Server-side firewall that protects a the web-client web-server interactions Application specific Works to prevent: SQL injection Cross-site scripting (XCC) Other web application attacks
Firewall Types
Stateful Inspection (or Stateful Packet Filtering) Keeps track of the state of network connections Uses a state table to log every communication channel Knows what to expect from a given communication session Keeps ports closed unless they are in use
Strengths
Application-layer awareness Faster then proxy firewalls
Weaknesses
Denial-of-Service attack can overload the state table
Routers
Purposes Communication between separate networks Segmentation Determine the best path for data packets to travel Firewall Form of Hardware Integrated Stand-alone
Router Best Practices
Configure the router to prevent unauthorized modifications to the routing tables Change the default password Keep patched and updated
Routers
Security Functions Segmentation Limits broadcast traffic Isolation Access Control Lists (ACL) Filtering Vulnerabilities Poor configuring and hardening Unauthorized routing table entry
Internet
Internal Network 1
Internal Network 2
Switches
Purposes Create networks or subnets Join resources together Form of stand-alone hardware
Switches
Security Function Data not broadcast (unlike hubs) so it cant be sniffed MAC address filtering rules (basic firewall) Vulnerabilities ARP Spoofing / Man-in-the-Middle Older switches use Telnet to configure An attacker with access can turn on mirroring to sniff all traffic
Switch Best Practices
Hubs should be replaced with switches Configuration of the switch should be done over secure ports/protocols Keep patched and updated
Load Balancers
Purpose Distributes computing workload across multiple machines Form of Hardware Stand-alone Software Integrated (NAT, Routing, Firewall)
Client
Load Balancer
Redundant Servers
Load Balancers
Security Function Availability Can provide failover Usually integrated with other security features
Vulnerabilities Depends on what it is integrated with Model specific vulnerabilities Keep it patched and up-to-date
Proxies
Purposes Intermediary device or software that acts on behalf of a system or person Keeps copies of commonly used items for quick delivery (cache) Form of Computer system Application
Proxy Best Practices
Internal user interaction with the outside internet should go through a proxy Automatically update the list of and block known malicious sites Cache often accessed sites
Proxies
Security Functions Filter and control outbound traffic Proprietary data Outgoing malicious content Prevent visiting restricted sites Keep internal machines anonymous Vulnerabilities Single point for an attacker to gain access to data
Client 1.1.1.1
Proxy 2.2.2.2
www.example.com Resource Web Server
Web Security Gateways

Purposes Proxy, content filtering, and other security functionally in one device Form of Appliance Security Functions Malware inspection/filtering URL filtering Content monitoring Productivity monitoring Data leak prevention (DLP) Policy compliance
VPN Concentrators
Purposes Establish and handle large amounts of simultaneous virtual private network (VPN) tunnel connections Provide authentication and access control Form of Appliance Security Functions Authentication Authorization Accounting Encryption Weakness Denial-of-Service
Network-based Intrusion Detection Systems (NIDS)

Purposes Inspect network traffic and identify suspicious patterns Issue alerts when potential attacks have taken place Form of A system of sensors, controllers, and other components Hardware Stand-alone Software Integrated
Tap
Internet
Network
Network-based Intrusion Detection Systems (NIDS)

Security Functions Filter traffic to look for unauthorized use or attacks
Passive Response Log event details Notify or send an alert to the IDS administrator Active Response Terminate the offending process or session Make configuration changes to block the offending port or IP address
Ignore attacks that are harmless Isolate attack in honeypot and monitor it
Weaknesses False positives and false negatives Can not inspect encrypted data Needs active manual involvement High traffic volume
Network-based Intrusion Prevention Systems (NIPS)

Purposes Filter and detect just like IDS Respond to an attack in process Form of A hardware and software system Security Functions Able to combat attacks in real time Weaknesses More expensive Harder to configure
Kinds of NIDS and NIPS

Signature-based
Compares traffic to a database of known attack signatures Keep this database up-to-date! Content-based signatures Attack Particular flag set, string of characters, etc. Signature Database Context-based signatures An usually high level of ICMP pings and port scans
Behavior-based/Anomaly-based/Heuristic
Network Looks for changes to usual network behavior History Higher traffic volume Database Repeated policy violations Compare the current traffic and events to a network history database
Other Security Appliances

Spam Filters Appliance filters messages before they get to the mail server Block messages from known spammers Scan message for common spam elements Flag, separate, or completely block Looks at both incoming and outgoing mail All-in-one Security Appliance Stateful firewall IDS and IPS Data leak prevention Antivirus Anti-spam Content filtering Load balancing VPN Network analyzer Reporting
Protocol Analyzers / Sniffers

Purposes Find unusual types/amounts of traffic Look for the traffic that infected systems send Find misconfigurations like open ports Capture traffic during incident response Can be placed to look at inbound, outbound, and internal traffic Form of Software on a PC that has a NIC in promiscuous mode A switch with port mirroring turned on A switch with a built-in port analyzer port Hardware taps
Host-based Filtering Tools

URL Filtering Web browser blocks websites based on their URL address Checks URL against a list of known malware sites before showing the page Internet Explorer SmartScreen Filter, McAfee SiteAdvisor Content Inspection Scans the data you are trying to access for red flags Internet Explorer Content Advisor Can find network level content inspection software that works with proxies or other network devices Malware Inspection OS software that attempts to stop malware from entering a host Microsoft Security Essentials

Firewalls network from attackers on the outside public internet Web Application Used to secure a web-server against XSS and injection Firewall attacks
Hardware and/or software that protects the internal
Routers determines the path that data packets will take Switches resources to create a network Load Balancers across multiple machines Proxies between two parties
A device that connects two or more networks and A device joins clients, servers, printers, and other A network device that distributes computing workload Acts as an intermediary and prevents direct connection

Web Security that filters all communication between the internal Gateways clients and the outside internet VPN Concentrators connections
A device that creates and secures multiple VPN A system that inspects network traffic and issues alerts A system that detects and responds to suspicious, An appliance that works at the network layer to block Proxy and content filtering functionally in one device
NIDS for suspicious, malicious, or undesirable behavior NIPS malicious, or undesirable network traffic
Spam Filters spam messages before they enter the email system

Term Definition
All-in-one Security An appliance that offers unified threat management Appliances Protocol Analyzers Software or hardware tool used to observe network and Sniffers traffic for troubleshooting or to create a baseline URL Filtering access based on a list of known unsafe URLs
Software that determines which websites a user can Software that inspects the content on a requested Software that attempts to block malware before it
Content Inspection website and blocks unsafe or undesirable content Malware Inspection enters a machine
What We Covered
Firewalls Routers Switches Load Balancers Proxies Web Security Gateways VPN Concentrators Network-based Intrusion Detection and Intrusion Prevention Other Security Appliances Protocol Analyzers / Sniffers Host-based Filtering Tools
Secure Network Administration

Secure Network Administration CompTIA Security+ Training
In This Lesson:
Rule-based Management Access Control Lists (ACLs) Firewall Rules Secure Router Configuration Port Security Flood Guards Loop Prevention Network Separation and Network Bridging Log Analysis
Exam Objectives:
1.2 Apply and implement secure network administration principles 3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques
Rule-based Management
Controlling communications and access to resources based on a list of rules that are configured by the administrator Examples ACLs and firewall rules Firewalls, routers, proxies, and more Rules are processed in a top-down order The first rule that matches is executed, all others are ignored The last rule on the list must be a catch-all Deny all or implicit deny Allow all or allow any
Access Control Lists (ACLs)

Defines who is allowed to do an activity, access a resource, or use a communication pathway Allow administrators to customize and adapt security to deal with the specific needs and threats of the network Access Control Entries (ACE) on the ACL define these rules Network devices: what hosts or types of traffic can access which ports or services Computer file system: permissions attached to an object
Firewall Rules
Define what traffic is allowed and what traffic is denied Criteria: source or destination address, port, content Action: allow, deny, allow only if secured Should line up with your organizations needs and security polices Use the principles of least access and implicit deny Perform regular rule audits Temporary rules that ended up being permanent Exceptions placed before the general rule Orphaned rules Firewall Rule Best Practices Typos Use a deny-by-default or implicit deny
policy instead of allow-by-default Close ports above 1024 unless you have a specific application that needs one
Virus
Firewall Rules: Ports to Remember

Service Acronym FTP SSH SCP TELNET SMTP TFTP HTTP POP3 SFTP NetBIOS IMAP HTTPS FTPS Service Name File Transfer Protocol Secure Shell Secure Copy Telnet Simple Mail Transfer Protocol Trivial File Transfer Protocol Hypertext Transfer Protocol Post Office Protocol v3 Secure/SSH File Transfer Protocol Network Basic Input/Output System Internet Message Access Protocol HTTP Secure FTP Secure Number 20 data transfer 21 control 22 22 23 25 69 80 110 115 137 name service 138 datagram service 139 session service 143 443 989 data transfer 990 control TCP UDP x x x x x x x x x x x x x x x
x x
Virus
Find more port information at: www.iana.net
Secure Router Configuration

Change the default username and password Keep the firmware patched and updated Study the documentation or hardening guide for your specific model Create and maintain a baseline document for your router Backup configurations before making any major changes or performing updates (keep this backup secure too) Remotely manage the router only over secure channels (not Telnet)
Secure Router Configuration

Never pass the admin password in cleartext Use and configure MAC address filtering (firewall) on the router Use in conjunction with other security devices and technologies Physically secure the router device
Port Security
Disable Unused Ports Any port not in use should be closed Frequently audit your settings MAC Limiting / MAC Filtering Only allow network access to the MAC address of known machines Layer 2 Dont forget that a MAC can be spoofed
802.1X Vulnerabilities
Man-in-the-Middle Hijacking
Port Security
IEEE 802.1X Standard EAPOL: Extensible Authentication Protocol (EAP) over LAN An additional layer of authentication between client and the authentication server (like RADIUS) Unauthorized State: limits communication to the form of encapsulated EAPOL messages until the client has authenticated with the 802.1X authenticator device (like an edge switch) Once the client is authenticated normal ports are opened
Flood Guards
Feature built into firewalls and routers Allows the administrator to change the tolerance for unanswered login attacks Once that tolerance is reached the flood guard will automatically begin blocking that type of request Reduce the likelihood of a DoS attack
Loop Protection
A loop is a transaction pathway that repeats itself Layer 2 switches can be configured to offer loop protection
Resolve Ethernet Looping Spanning Tree Protocol (STP) Make sure there is only one active path between two nodes
Loop Protection
A loop is a transaction pathway that repeats itself Layer 2 switches can be configured to offer loop protection
Resolve Ethernet Looping IP Loop Protection Disable Broadcast Forwarding
Spanning Tree Protocol (STP)
Adds Time To Live (TTL) counters to packets
Make sure there is only Limit the distance one active path between packets are allowed to two nodes travel before discarding
Protects against duplicate ARP requests
Network Separation and Network Bridging

Set up more than one physical network to separate groups inside one company Sensitive proprietary data Customers personal information Test environment Network Bridging happens when a device has more than one network interface, each connected to a different network Doesnt limit broadcast domains Can cause latency and loops Use routers and firewalls for higher control if you must join separate networks
Log Analysis
Administrators can turn logging on in many places Routers, switches, proxies, IPS, every device! More useful after an event than real-time Many products are available to help compile and parse logs Spunk Microsoft System Center Operations Manager
Decide on a log analysis plan and the accompanying tools based on your environments needs and budget

Rule-based Controlling actions and access through rules or filter Management based systems Firewall Rules ports, addresses, or other criteria are allowed to pass Implicit Deny rule specifically permitting it. Found at the end of a
rule set or ACL The action or access is not allowed unless there is a A list of rules that are excited in order and define what
Term Definition
Access Control types of traffic are allowed to access what resources or Lists communication channels MAC Limiting A list of the MAC addresses that are allowed to access MAC Filtering the network 802.1X authentication technology based on EAP. Think of it as
an authentication proxy
The IEEE standard the defines a port based (ACL) A list or table that defines what hosts, users, or

Term Definition
Flood Guards traffic and lower the likelihood of DoS attacks
Protections in place to avoid large amounts of a type of Using the STP and TTL counters to prevent repeating
Loop Protection transmission pathways or bridge loops Spanning Tree A tree list of all available connections. Used to prevent Protocol (STP) looping and help determine the least cost path Network Bridging network interface to connect separate networks
Using a multihomed device with more than one
What We Covered
Rule-based Management Access Control Lists (ACL) Firewall Rules Secure Router Configuration Port Security Flood Guards Loop Prevention Network Separation and Network Bridging Log Analysis
Secure Network Design

Secure Network Design CompTIA Security+ Training
In This Lesson:
Security Zones DMZ (Demilitarized Zone) Subnetting Virtual LAN (VLAN) Network Address Translation (NAT) Remote Access Virtual Private Network (VPN) Telephony Network Access Control (NAC) Virtualization Exam Objectives: Cloud Computing 1.3 Distinguish and differentiate network design elements and compounds
Security Zones
Extremely High
Internet
Threat Level
The global system of interconnected networks that can be accessed by anyone. Assume and prepare for the worst An perimeter network isolated from the internal network where web servers, mail servers, and other public facing services live An Intranet extended to select trusted third parties like vendors or contractors. All users must still authenticate Web like services and other services that are in the internal network and can be accessed by employees or trusted guests
DMZ
Extranet
Intranet
Low
Security Zones
Extremely High
Internet
Threat Level
The global system of interconnected Have a firewall and at theby edge of networks that can beproxy accessed anyone. the intranet filtering for inbound and outbound Assume and prepare the worst
traffic Implement for communications An perimeter IPSec network isolated from the between internal hosts and server internal network where web servers, mail servers, Have enterprise and other level public andfacing host level services live antivirus software Write, implement, and security policy An Intranet extended toaudit select trusted third parties like and vendors ordeny contractors. Least privilege implicit All users must still authenticate
Intranet Best Practices
DMZ
Extranet
Intranet
Low
Web like services and other services that are in the internal network and can be accessed by employees or trusted clients
Security Zones
Extremely High
Internet
Threat Level
The global system of interconnected networks that can be accessed by anyone. Assume and prepare for the worst Extranet Best Practices
Use digital certificates along with usernames and passwords to authenticate An perimeter network isolated from the
DMZ
network where servers, internal Use tunneling across the web public internet mail to servers, other public facing services live connect and external users An Intranet extended to select trusted third parties like vendors or contractors. All users must still authenticate Web like services and other services that are in the internal network and can be acceded by employees or trusted clients
Extranet
Intranet
Low
Security Zones
Extremely High
Internet
Threat Level
The global system of interconnected networks that can be accessed by anyone. Assume and prepare for the worst An perimeter network isolated from the internal network where web servers, mail servers, and other public facing services live An Intranet extended to select trusted Have one! like vendors or contractors. third parties All must stillfirewall authenticate users Use the layered approach instead
of a single multi-homed firewall DMZ Best Practices
DMZ
Extranet
Intranet
Low
Web like services and other services that Regularly back up data in the DMZ and keep the only copy of something are dont in the internal network and can be in the DMZ acceded by employees or trusted clients
Security Zones
Extremely High
Internet
Threat Level
The global system of interconnected networks that can be accessed by anyone. Assume and prepare for the worst An perimeter network isolated from the Consider all interactions to beservers, potentialmail internal network where web attacksand other public facing services live servers,
sensitive data over the Ancommunicating Intranet extended to select trusted public internet third parties like vendors or contractors. Educate your users and have acceptable All users must still authenticate use polices for internet usage Internet Best Practices
DMZ
Use tunneling and encryption whenever
Extranet
Intranet
Low
Web like services and other services that are in the internal network and can be acceded by employees or trusted clients
DMZ (Demilitarized Zone)
DMZ
Why a DMZ? Servers exist that users outside the LAN need to access Email, IIS, FTP, DNS, IPS, honeypots, Public facing servers are the most vulnerable They still need protection and limited access to internal hosts Servers in the DMZ can provide services to both internal and external clients while maintaining security Security Function Adds a layer of security between the LAN and the public internet Attackers only have access to the perimeter machines

Mail Server FTP Server
DMZ Design
Multiple Interfaces 1 firewall with 3 or more network interfaces Can be less secure DMZ
Internet
Protected Network
Multi-homed Firewall
DMZ Design
Layered Put DMZ systems between two separate firewalls Can be more secure
Mail Server FTP Server
Internet Front-end Firewall
DMZ
Back-end Firewall
Protected Network
Subnetting
Process of taking a large network and dividing it into smaller networks to increase efficiency and manageability Example: Before
Whole Network Subnet Mask 192.168.0.0 255.255.0.0 65534 hosts
After
Accounting Subnet
Marketing Subnet Subnet Mask
192.168.1.0
192.168.3.0 255.255.255.0
254 hosts 254 hosts

254 hosts
Customer Service Subnet 192.168.2.0
Subnetting
Security Functions Network separation Easier to administer Speed up the network
Virtual Local Area Network (VLAN)

VLAN Basics A VLAN is: A group of hosts, servers, and users that are logically connected by layer 2 switches An isolated broadcast domain Trunks use a point-to-point connection to physically connect each switch that are part of the same VLAN
VLAN Management
Use VLANs to Confine traffic to one area of the network Hide segments of the network from other segments to control access Control the path that data takes from one point to another Segment off users with common needs and data sensitivity levels together Security Considerations Do not use VLAN as a security measure by itself Layer 2 switching is not stateful Vulnerabilities MAC flooding, spanning tree attack, ARP spoofing, more
Network Address Translation (NAT)

Translates between two addressing schemes internal and external IP addresses Firewalls, routers, proxies Developed to conserve IPv4 addresses Also performs vital security roles Hides the structure and addressees of the internal network Forces all inbound/outbound traffic through a perimeter device
Static NAT Dynamic NAT Port Address Translation A 1:1 scheme used for incoming communication with services like a web server A pool of public addresses assigned to internal addresses for outbound communication PAT allows a single public IP address to be used for multiple simultaneous connections from internal clients

Source Network Address Translation Keeps internal machines and network topology anonymous Internal machines are inaccessible unless they have requested communication
192.168.42.3 NAT Device 75.27.113.72 Public 192.168.42.1 LAN I would like to access TrainSignal.com 192.168.42.4
TrainSignal.com responds to 75.27.113.72
Internet
192.168.42.11

Destination Network Address Translation A firewall with NAT can be configured to only let specific types of traffic through
Edge Email Server 192.168.42.3 NAT Device 75.27.113.73 Public 192.168.42.1 LAN Protected Network
I would like to access your email server at 75.27.113.73
Internet
Remote Access
Sharing resources between physically separated LANs and users Remote Access Concepts Remote Access Server Establishes and supports remote connections Remote Authentication The method used to authenticate remote users RADIUS, TACACS, CHAP, 802.1x Point-to-Point Protocol (PPP) Encapsulation using Network Control Protocol (NCP) Authentication using Link Control Protocol (LCP) No encryption not secure Use aline only on dedicated connections and dial-up
Remote Access
Tunneling Encapsulating packets before sending them over the public internet Tunneling Protocols Layer 2 Tunneling Protocol (L2TP) Integrity, confidentiality, authentication, replay prevention Does not offer encryption on its own uses IPSec Two levels of authentication: computer level and user level Point-to-Point Tunneling Protocol (PPTP) Older, less secure, less flexible Internet Protocol Security (IPSec) Not a true protocol but a standard for encrypting data Network layer
Virtual Private Network (VPN)

A private network connection that happens over the public network Provides authentication, access control, confidentiality, and integrity Used to connect physically separated LANs or to allow remote users to access LAN resources Employs tunneling to keep this communication private Tunneling only provides some protection Need encryption like IPSec

Site-to-site VPN Home office and branch office appear to be logically connected Remote Access VPN Remote user has VPN client software installed
Remote User
Internet
Branch Office LAN

VPN Best Practices Avoid PPTP if possible Instead use L2TP with IPSec Use the strongest encryption and authentication available
Keep disconnected when not in use

Force re-authentication for long sessions Use extra layers of intrusion detection, access control, and policy compliance (NAC) for users that are connecting from locations outside the company LANs
Telephony
PBX / Telecom Private Branch Exchange Used in larger organizations Routes many internal extensions out on limited public phone numbers Feature rich
PBX Security Concerns
Denial-of-service Modern phreakers Remote access turn off if no maintenance is being performed
VoIP Voice over IP Tunneling voice and other data over the existing network and public internet Offers video conferencing Cost saving
VoIP Security Concerns
Vishing and Caller ID Spoofing Denial-of-service Sniffing Extra security: Encrypt with VPN
Network Access Control (NAC)

A baseline security standard that a workstation must adhere to before it can interact with network resources Updates and patches installed Antivirus software running and updated Other configuration policies Must authenticate as a trusted machine/user
Software client installed on each workstation that communicates with the NAC appliance Standard met: can connect as normal Standard not met: blocked or remediation is attempted
Called Network Admission Control by Cisco Called Network Access Protection by Microsoft
Virtualization
Security Considerations If a VM is compromised can malware or an attacker break out of the virtual machine? This has never been seen in the wild Keep up to date on virtualization news to keep track of this idea Misconfiguration is the biggest concern Virtual environments can grow very quickly Dynamic environments Stale, unpatched, and forgotten systems Virtual networking is the biggest area for misconfiguraiton A denial-of-service attack on one VM can effect the performance of the other VMs in the cluster
Virtualization
Security Best Practices Use security tools that are created for virtualization vShield, Hytrust, more Use design guides, hardening papers, and other resources for solid virtual architecture Virtual machines have the same risks as physical machines Do everything we are discussing in this course on the VMs too Log analysis, auditing, least privilege, baselining, hardening, security policies, everything!
Virtualization
Security Best Practices Employ security at each layer of the virtual environment
Virtual Machines
Hypervisor
Hypervisor
Physical Host
Physical Networking Devices
Cloud Computing
SaaS PaaS IaaS
Internet
Software as a Service Platform as a Service Infrastructure as a Service
Offering software to end users from within the cloud instead of installing it on each hardware machine Apps can be created and run on a cloud-based platform Contracting data centers, VMs, or other infrastructure services
Cloud Computing
Security Considerations The third party Time delay Regulatory compliance Data mingling You are ultimately responsible Encrypt data before it leaves your site

Term Definition
Bastion Host specifically configured to withstand attacks Multi-homed A device that has more then one network interface Broadcast Domain each other by broadcast at the data link layer Phreaker A person who exploits or attacks telephone systems Private Branch Exchange (PBX) Voice over IP (VoIP)
A segment of a network where all the nodes can reach A device that is visible to the public internet and
A telephone routing system for use by businesses that allows many local extensions to use a limited number of public phone numbers Sending of voice communications and other media data over IP

Point-to-Point A data link protocol used to send IP packets between Protocol (PPP) two directly connected nodes Tunneling an unsecured network Layer 2 Tunneling A protocol used to create VPN tunnels by Protocol (L2TP) encapsulating PPP packets Point-to-Point An older protocol used to create VPN tunnels by Tunneling encapsulating PPP packets. Initialization is not Protocol (PPTP) encrypted
Encapsulating packets to create a secure path through
Term Definition
Demilitarized Zone A semi-protected network segment that separates the (DMZ) local network from the public internet Subnetting into segments
switch
Using separate IP address ranges to split a network Separating a network/subnet into separate logical
Virtual LAN (VLAN) segments even though they share a common network Network Address and public addresses at the network boundary Translation (NAT) gateway
Readdressing packets between local non-routeable

Term Definition
Remote Access resources
Allowing physically separated users and LANs to share A networking technique used to send private data
Virtual Private through a public network by creating a secure path Network (VPN) through the public network. Telephony The technology of voice data service Network Access Monitoring and remediating client security before Control (NAC) allowing them to access the internal network
What We Covered
Security Zones DMZ (Demilitarized Zone) Subnetting Virtual LAN (VLAN) Network Address Translation (NAT) Remote Access Virtual Private Network (VPN) Telephony Network Access Control (NAC) Virtualization Cloud Computing
TCP/IP Protocols and Port Security

TCP/IP Protocols and Port Security CompTIA Security+ Training
In This Lesson:
Transport Layer TCP/IP TCP Application Layer UDP FTP Internet Layer SSH and SCP IP Telnet IPv4 vs. IPv6 SMTP ICMP DNS ARP TFTP IPSec HTTP SFTP Exam Objectives: SNMP 1.4 Implement and use common protocols HTTPS 1.5 Identify commonly used default network ports FTPS SSL and TLS
TCP/IP
Internet Protocol Suite A suite of protocols used to communicate between hosts Each layer has it own rules and protocols The layers only pass information to and from the layer directly above or below it Application Layer
Transport Layer
Internet Layer
Network Access Layer
Does process-to-process communications across an IP network Provides the application layer with session and datagram services, reliability, flow control, and multiplexing. Also called the host-to-host layer Responsible for packaging, addressing, and routing IP packets
Application Layer
Transport Layer
Internet Layer
Places and removes packets on the physical network. Also called the Link Layer
Payload
Message
Application Layer
Transport Layer
Segment
Internet Layer
Datagram

Frame
FTP
Description File Transfer Protocol Used for remote data access File transfer Client to server Server to client Widely available and widely used Application Layer
Transport Layer
Internet Layer
Security Considerations Provides basic access control with file permissions Network Access Layer Not secure transmissions sent in plain text Credentials can be sniffed and used for MitM or replay
SSH and SCP

Application Layer SSH Description Secure Shell A tunneling protocol Used alone for remote configuration Transport Layer Add security to other protocols Security Considerations Encrypts transmissions for confidentiality Internet Layer SSH-2 has strong integrity checking Uses PKI for authentication Secure Copy (SCP) Network Access Layer Used for secure unattended file transfer Uses SSH for authentication and confidentiality
Telnet
Description Used for remote access and remote configuration Application Layer
Transport Layer Security Considerations No encryption all communications sent in clear text Do not make Telnet sessions between the internal and Internet Layer external network Disable port 23 if not needed Network Access Layer
SMTP
Application Layer Description Simple Mail Transfer Protocol Used for email delivery POP and IMAP move mail from server to client Transport Layer Security Considerations No encryption on its own Uses S/MIME and PGP for encryption Disable the SMTP open relay feature
Internet Layer
DNS
Description Domain Name System/Service Used to switch between IP addresses and human friendly hostnames Application Layer
Transport Layer
Security Considerations Vulnerable to DNS poisoning Can be spoofed for phishing
Internet Layer
TFTP
Application Layer Description Trivial File Transfer Protocol Can be used to transfer files unattended without user interaction Transport Layer Security Considerations No security at all No error checking Anonymous Avoid!
Internet Layer
HTTP
Application Layer Description Hypertext Transfer Protocol Rules for viewing text and other media file types on the web A web servers wait for http requests and responds asLayer they Transport arrive
Security Considerations Header injection Man-in-the-Middle Eavesdropping
Internet Layer
SFTP
Application Layer Description Secure FTP or SSH File Transfer Protocol Transport Layer Provides remote file transfer, access, and management Security Considerations Encrypts control info and data with SSH Note: Do not confuse with FTP over SSH Network Access Layer Internet Layer
SNMP
Description Simple Network Management Protocol Application Layer
Used for remote management, reporting, and maintenance for Transport Layer IP network devices Install agent software is on the devices you want to manage Use network management system to manage all the nodes Internet Layer from one place Security Considerations Brute force attack Network Access Layer Dictionary attack Some versions are vulnerable to sniffing
HTTPS
Description Hypertext Transfer Protocol Secure or Hypertext Transfer Protocol over SSL Used for secure webpages Security Considerations HTTP over SSL or TLS for encryption Can be used for client authentication Application Layer
Transport Layer
Internet Layer
Note: Do not confuse with S-HTTP Network Access Layer Secure Hypertext Transfer Protocol Adds messages security with RSA or digital certificates
FTPS
Description FTP Secure or FTP over SSL Used for secure file transfer Security Considerations Uses TLS/SSL for encryption You can turn the encryption off Application Layer
Transport Layer
Internet Layer
SSL and TLS

Application Layer SSL Secure Sockets Layer A cryptographic tool Widespread implementations Transport Layer TLS Transport Layer Security Newer, based on SSL Internet Layer Security Considerations Adds confidentiality and data integrity by encapsulating other protocols Initiates a stateful session with a handshake procedure Network Access Layer
TCP
Application Layer Description Transmission Control Protocol Provides session service to the application layer Transport Layer Security Considerations One-to-one connection oriented Error checking Internet Layer The packets arrived and are in the correct order Vulnerable to: TCP/IP hijacking Network Access Layer TCP sequence number attack TCP SYN flood attack
TCP
TCP 3-way Handshake
SYN SYN/ACK ACK
TCP
TCP 3-way Handshake
Communication Session
TCP
TCP/IP Hijacking
The attacker disconnects the host after a communication session has begun and replaces it with another machine with the same IP address (spoofed)
TCP
TCP Sequence Number Attack
The attacker takes control of an in-progress communication session by correctly guessing the next sequence number
TCP
TCP SYN flood attack
SYN
SYN SYN/ACK SYN/ACK ACK
The attacker half opens multiple sessions but never completes the handshakes causing the server to become overloaded
UDP
Description User Datagram Protocol Provides datagram service to the application layer Security Considerations Connectionless Faster than TCP No error checking Vulnerable to UDP flooding attacks Application Layer
Transport Layer
Internet Layer
IP
Description Internet Protocol Used for addressing and routing Security Considerations Does not verify message accuracy (leaves this to TCP) Application Layer
Transport Layer
Internet Layer
IPv4 vs. IPv6

IPv4 32-bit address space IPv6 128-bit longer address Mandatory use of IPSec built-in New packet format More flexible and scalable Both can be run at the same time but they are not directly compatible. A conversion gateway is needed Application Layer
Transport Layer
Internet Layer
ICMP
Application Layer Description Internet Control Message Protocol Provides reporting and maintenance Used to share path information between routers Transport Layer Example: Use the PING command to test connectivity between hosts Security Considerations Ping-of-Death Smurf attack
Internet Layer
ARP
Application Layer Description Address Resolution Protocol Resolves IP address (Internet layer) to the hardwares network interface addresses (Network Access Layer) Layer Transport Security Considerations Does not do authentication relies on higher layer protocols for that Internet Layer Vulnerable to ARP spoofing Also called ARP cache poisoning Network Access Layer
TCP/IP Ports to Remember

Service Acronym FTP SSH SCP TELNET SMTP TFTP HTTP POP3 SFTP NetBIOS IMAP HTTPS FTPS Service Name File Transfer Protocol Secure Shell Secure Copy Telnet Simple Mail Transfer Protocol Trivial File Transfer Protocol Hypertext Transfer Protocol Post Office Protocol v3 Secure/SSH File Transfer Protocol Network Basic Input/Output System Internet Message Access Protocol HTTP Secure FTP Secure Port Number 20 data transfer 21 control 22 22 23 25 69 80 110 115 137 name service 138 datagram service 139 session service 143 443 989 data transfer 990 control TCP UDP x x x x x x x x x x x x x x x
x x
Virus
Find more port information at: www.iana.net
IPSec
IP Security Defines a policy but does not dictate the exact implementation Options: Authentication Header or Encapsulating Security Payload Transport Mode or Tunnel Mode
Authentication Header (AH) Encapsulating Security Payload (ESP) Provides authentication Digitally signs the packets for authentication and integrity Does authentication and encryption Adds confidentiality with encryption
IPSec
Transport Mode Encapsulates the IP packets payload Makes a secure connection between two host endpoints Payload IP IPSec Header Header
Not Encrypted
Transport Mode
Internet LAN1 LAN2
IPSec
Tunnel Mode Encapsulates the entire IP packet Makes a secure hop between: - Two IPSec gateways - A host and a gateway Payload IP IPSec Header Header
Not Encrypted
Tunnel Mode
Internet LAN1 LAN2

Acronym FTP SSH Term File Transfer Protocol Secure Shell Function Used to transfer files from local to remote systems A more secure alternative to Telnet. Used for remote access and configuration An unattended file transfer protocol that uses SSH for security An unsecure method to create a terminal connection to remote devices
SCP
Secure Copy
TELNET
Telnet

Acronym Term Function Used to transfer email A connectionless and unsecure file transfer protocol Used to display multimedia files on the web An extension of SSH that offers file transfer functionality Used to manage and report on network devices Adds SSL/TLS security to the HTTP protocol
SMTP TFTP HTTP SFTP SNMP

HTTPS
Simple Mail Transfer Protocol Trivial File Transfer Protocol Hypertext Transfer Protocol Secure/SSH File Transfer Protocol Simple Network Management Protocol
HTTP Secure

Acronym
FTPS SSL TLS TCP UDP IP FTP Secure Secure Sockets Layer Transport Layer Security Transmission Control Protocol User Datagram Protocol Internet Protocol
Term
Function
FTP with added SSL/TLS security The predecessor to TLS Provides encryption and authentication to other protocols Offers a reliable connectionoriented connection Offers fast connectionless datagram communication Responsible for routing packets across network boundaries

Acronym IPv6 ICMP ARP Term Internet Protocol Version 6 Internet Control Message Protocol Address Resolution Protocol Function Offers longer IP address and more security than IPv4 Used to send pings and error messages Resolves IP addresses to network interfaces An open standard that uses AH and ESP to add security features like authentication, data integrity, and confidentiality
IPSec
Internet Protocol Security
Transport Layer TCP/IP TCP Application Layer UDP FTP Internet Layer SSH and SCP Telnet SMTP DNS TFTP HTTP SFTP SNMP HTTPS FTPS SSL and TLS
What We Covered
IPSec
IP IPv4 vs. IPv6 ICMP ARP
Attacks on Wireless Networks

Attacks on Wireless Networks CompTIA Security+ Training
In This Lesson:
Rogue Access Points Evil Twin Wardriving Warchalking IV Attack Packet Sniffing Attacks on Bluetooth Bluejacking Bluesnarfing Interference
Exam Objectives:
3.4 Analyze and differentiate among types of wireless attacks
Rogue Access Points

A wireless access point that has not been authorized With extended access an attacker can: Run key cracking software Create an evil twin Establish a Man-in-the Middle
Rouge AP Mitigation
Use an intrusion detection system to report about a new a AP or Regularly audit your environment to manually to find them Have a baseline of all the authorized AP equipment
Evil Twin
A access point that looks like it is legitimate Could use spoofed MAC addresses Entices users to connect through it Stronger signal Friendly name Interfere with the signal for the legitimate AP Analyzes all transmissions that go through it
Evil Twin Mitigation
Educate users about bogus APs at Wi-Fi hotspots Regularly audit your environment to manually to find them
Looking for open access points or wireless networks with weak encryption
Wardriving
Driving around with: A laptop with a NIC set to promiscuous mode Often homemade equipment Specialized software
Wardriving
Once a network is found Run sniffers or key cracking programs Use it for free internet access
Wardriving Mitigation
Use wardriving as a tool to find the open APs before the attackers do Watch for unfamiliar cars driving or parking near your buildings Look for warchalking symbols Dont have open access points!
Wardriving
Warchalking
Using symbols to mark the location of wireless network access points For future personal use or to let other wardrivers know
Warchalking
Warchalking symbols:
Open Node
Closed Node
WEP Node
SSID
SSID
SSID
Access Contact
W Bandwidth
Bandwidth
IV Attack
Initialization vector Supposed to be used to reduce predictability and repeatability of encryption keys The IV is vulnerable to attack if it is Too short Exchanged in cleartext Often repeated
IV Attack
IV attacks are used to crack Wireless Equivalent Privacy (WEP) RC4 algorithm only has a 24 bit IV causing them to repeat The attackers cracking program examines the repeating IV datastreams to deduce the secret key
Key
IV
Keystream
Keystream
Message
Cyphertext
IV
Packet Sniffing
Installing a sniffer on a wireless network can happen from outside the walls of your building
What can Eavesdroppers See? POP3 email usernames and passwords Web-based email messages if no encryption is used FTP usernames and passwords and data HTTP connections Instant messages
Packet Sniffing
Installing a sniffer on a wireless network can happen from outside the walls of your building
Packet Sniffing Mitigation

Have layers of protection Use strong wireless encryption, dont broadcast the SSID, and other wireless hardening best practices
Independently secure all services Turn on optional encryption Use VPNs Dont use unsecure protocols Use sniffers and other network monitoring tools
Attacks on Bluetooth
Bluejacking Unsolicited messages over Bluetooth (Bluetooth spam) Can happen when Bluetooth on a device is set to discoverable Bluesnarfing Unauthorized access to a device through Bluetooth Theft of: Contact lists, calendar info, email, texts, images, or video
Bluetooth Attack Mitigation
Turn Bluetooth off when not in use When Bluetooth is turned on make sure it is not discoverable Disable Bluetooth on devices that are known to be vulnerable to bluesnarfing
Interference
Wireless signals can be corrupted or interfered with To do this on purpose is illegal in the US There are numerous devices that can cause interference Spectrum analyzers are available to see if an attacker (or your own equipment) is interfering with your wireless network
Dealing with Wireless Interference
Move your access point Change the frequency of the access point Boost the access points signal Find the source of the interference Notify law enforcement if the interference is intentional

Rogue Access An unauthorized access point to your wireless network Points Evil Twin it by spoofing a legitimate device or offering
exceptional signal strength An access point that entices users to connect through
Wardriving wireless networks to use for free or attack Warchalking and details of access points
Trying to discover unprotected or lightly protected Using symbols to share knowledge about the location
Term Definition
IV Attack to crack weak encryption like WEP Packet Sniffing network
Using initialization vectors that are passed in cleartext Passively analyzing the communications across a
Bluejacking Unwanted spam messages sent over Bluetooth Bluesnarfing Unauthorized access and theft of data over Bluetooth Interference Degrading or completely jamming wireless signals
What We Covered
Rogue Access Points Evil Twin Wardriving Warchalking IV Attack Packet Sniffing Attacks on Bluetooth
Bluejacking Bluesnarfing Interference
Securing Wireless Networks

Securing Wireless Networks CompTIA Security+ Training
In This Lesson:
WEP WPA and WPA2 TKIP CCMP WAP EAP, LEAP, and PEAP Securing Wireless Routers and Access Points SSID Broadcast MAC Filter Antenna Placement and Power Level Controls
Exam Objectives:
1.6 Implement wireless networks in a secure manner
IEEE 802.11x Wireless Standards

Standard Bandwidth 802.11 802.11a 802.11b 1 or 2 Mbps < 54Mbps < 11Mbps Frequency 2.4GHz 5GHz 2.4GHz Compatibility 802.11 802.11a 802.11b
802.11g
801.11n
< 54Mbps
< 600Mbps
2.4GHz
2.4GHz and 5GHz
802.11g/b
802.11n/g/b
802.11i
A security amendment that outlines WPA2
For more information: www.standards.ieee.org
WEP
Wired Equivalent Privacy An older weak 802.11 wireless encryption protocol for WLANs Uses the RC4 stream cipher encryption algorithm Attempts to do confidentiality and authentication Uses a checksum for some integrity Vulnerable to IV attacks Can be cracked in a few minutes with easily obtainable software
WEP Best Practices
Only use WEP if newer protocols are not supported Place a WEP access point outside your firewall and then VPN in
WEP
The access points and clients must share a secret key Authentication Open Authentication Knowing the SSID is the only thing clients needs to associate with the AP The WEP keys can still be used to encrypt data Clients need to have the WEP key in this case
WEP
The access points and clients must share a secret key Authentication Shared Key Authentication Uses a 4 step challenge-response handshake Attackers can figure out the key from this handshake
Authentication Request Cleartext Challenge Encrypts cleartext with WEP key Cyphertext Positive Reply Decrypts and matches text to original
WPA and WPA2

Wi-Fi Protected Access More secure than WEP alone Based on the 802.11i standard
WPA Does most of the 802.11i standard TKIP used for extra encryption layer RC4 encryption algorithm still used Backward compatible with WEP WPA2 Full implementation of the 802.11i CCMP used for extra security Uses the AES encryption algorithm Not backward compatible with WEP
TKIP
Temporal Key Integrity Protocol Wraps a 128-bit layer of encryption around WEP Uses a second key based on the MAC address of the machine and the serial number of the packet Mixes this additional key with the initialization vector for a perpacket key Is backward compatible with WEP Unfortunately TKIP is also quickly crackable
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol Used by WPA2 128-bit AES encryption 48-bit initialization vector Much reduced vulnerability to cracking and replay attacks Offers real confidentiality, authentication, and integrity Use WPA2 and CCMP!
WAP
Wireless Application Protocol Used to provide mobile devices (phones, tablets) with internet connection Equivalent to TCP/IP for wireless devices
Wireless Transport Layer Security (WTLS) Provides authentication, encryption, and data integrity Secures the communication between the WAP mobile device and the WAP server Similar to TLS
EAP, PEAP, and LEAP

Extensible Authentication Protocol A set of authentication frameworks for wireless networks LEAP and PEAP are types of EAP Lightweight Extensible Authentication Protocol (LEAP) Created by Cisco did not have Windows support Requires mutual authentication Easy to set up no digital certificates Weak Passwords only no digital certificates Vulnerable to dictionary attacks Cleartext transmissions
EAP, PEAP, and LEAP

Extensible Authentication Protocol A set of authentication frameworks for wireless networks LEAP and PEAP are types of EAP
Protected Extensible Authentication Protocol (PEAP) Replaces LEAP Created by Cisco, Microsoft, and RSA together One digital certificate is used on the authentication server The authentication process is encrypted within a TLS tunnel between the client and the server
Securing Wireless Routers and Access Points
Securing Wireless Routers and Access Points Best Practices

Change the default admin account and password Change the SSID and turn off SSID broadcast Consider using MAC filtering Work with antenna placement and power level controls Configure the strongest encryption and authentication available Change keys and passwords often
Keep your firmware patched and up-to-date

Only use wireless when absolutely necessary and for users that absolutely need it Use additional layers of security like pre-authentication, IPSec tunneling, network separation, and host security
Change the SSID and Turn off SSID Broadcast

SSID Service Set Identifier Name of the wireless LAN Change the default SSID Something unique No identifiable information in the name Hide the SSID from being broadcast This keeps honest people honest Security through obscurity The SSID can still be sniffed
Consider Using MAC Filtering

A list of MAC addresses for known trusted devices The 48-bit unique identifier for the network interface on a physical device Only those on the list can connect to the network You can blacklist certain MAC addresses too Requires manual administration Need to update the list for new or guest devices Not recommended for larger environments MAC addresses can easily be spoofed Only use as one layer of protection
Work with Antenna Placement and Power Level Controls

Antenna Placement Not near outside walls or windows Not near other networks Find and avoid obstructions and interference Consider multiple access points on different channels Some antennas allow you to change the direction they point Power Level Controls Turn the power as low as possible while still covering your users Might need to play with this to get it perfect

Term Definition
Wired Equivalent Privacy An weak protocol used for encryption (WEP) on 802.11 WLANs Wi-Fi Protected Access A weak wireless protocol that uses RC4 (WPA) with TKIP The 802.11i standard WPA2 is a more Wi-Fi Protected Access 2 secure wireless protocol that uses AES (WPA2) encryption with CCMP
Term Definition
An extra layer of encryption for WEP Temporal Key Integrity that uses a new keyspace for every Protocol (TKIP) packet Counter Mode with Cipher Encryption and authentication used by Block Chaining Message WPA2 that provides confidentiality, Authentication Code Protocol authentication, and integrity (CCMP)
Wireless Application Protocol The protocol stack used by wireless (WAP) devices. Security is done at the WTLS

Extensible Authentication Protocol (EAP) Lightweight Extensible Authentication Protocol (LEAP) Protected Extensible Authentication Protocol (PEAP) Service Set Identifier (SSID) A set of 5 authentication frameworks for wireless networks A easy to set up version of EAP that uses passwords for authentication A version of EAP that uses digital certificates The name of the wireless network
What We Covered
WEP WPA and WPA2 TKIP CCMP WAP EAP, LEAP, and PEAP Securing Wireless Routers and Access Points
SSID Broadcast MAC Filter Antenna Placement and Power Level Controls
Host Security

Host Security CompTIA Security+ Training
In This Lesson:
Securing Workstations Antimalware Host-based Firewalls Updates and Patch Management Disabling Unused Services Users and Accounts Virtualization Host Software Baselining Securing Servers Securing Mobile Devices
Exam Objectives:
4.2 Carry out appropriate procedures to establish host security
Securing Workstations
Antimalware
Antivirus and antispyware Software that is designed to identify, prevent, and remove/quarantine malicious code Antispyware is often included with antivirus Study and understand your tools licensing Methods Known virus/spyware signatures Behavior based Real time prevention that monitors all incoming files Full scans look for malware that has already been installed
Antimalware
Antivirus and antispyware Software that is designed to identify, prevent, and remove/quarantine malicious code Antispyware is often included with antivirus Study and understand your tools licensing
Antivirus and Antispyware Best Practices
A trustworthy tool should be installed on every workstation
Choose a tool that does real time monitoring Configure the software to automatically update Schedule full scans to run on a regular basis Educate your users on how to interact with prompts from your antimalware software
Antimalware
Antispam Determines if a message is likely to be spam and then labels, quarantines, or blocks it Blacklist Rule-based Bayesian
Host-based Integrated with your email client Part of a complete antimalware package Not often a host-based solution Done by your email system, a third party service, or an appliance
Antimalware
Pop-up Blockers Block pop-up windows from appearing over or under you browser window Built into your browser Configure to be off for any work related website that use legitimate pop-ups Have the blocker turned on for every other website Configure pop-up blockers and other browser-based tools for every workstation Content inspection URL filtering
Host-based Firewalls
Filters all incoming traffic Should be on every workstation especially mobile computers There are free firewalls included with current operating systems Customized protection Applications installed Configurations Protects the workstation from other users on the same network
Host-based Firewalls
Host-based Firewall Best Practices

Keep it turned on and configured on every workstation Set the firewall to automatically update Configure according to the needs of the machine and its user Educate your users on how to interact with prompts from the firewall Remember to turn the firewall back on if you turned it off during troubleshooting Consider using with a host-based IDS system
Updates and Patch Management

Patches A quick fix that is not meant to be permanent A full update or new software version will fully fix the issue Hotfixes A bug fix or other change without disrupting normal operation Service Packs/Support Packs A group of many different fixes Can add functionality Consider update automation tools
Update Best Practices
Configure the OS to update automatically
Keep informed so you can install non-automatic updates

Perform a backup before installing any updates Document updates performed
Updates and Patch Management

Plan
Document
Test
Audit
Install
Disabling Unused Services

Shrink the attack surface! Remove/Disable Unneeded Applications Programs Ports Services Do not permit users to install applications that are not needed for their job
Users and Accounts

User accounts Not also the workstations admin No registry access Remove unused local accounts
Least privilege for users access to resources and data

Strong policies Passwords Acceptable use Educate your users
Virtualization
Virtual Workstations/Servers
Hypervisor
Hypervisor
Physical Host
Virtualization
Do provide the same security as you do for physical hosts Hypervisor Single point of failure Single point of attack
Virtual Workstations/Servers
Hypervisor
Physical Host
Host Software Baselining

A standardized minimal level of security that all hosts must comply with Services and applications installed / disabled Security updates applied Firewall and antimalware configured Document each system after it is hardened and meets the baseline Frequently compare workstations to this documented baseline state to see if they still comply Use configuration automation tools Update your baseline when changes are made
Securing Servers
Securing Servers
Everything from the workstation security section Disable unused services, ports, and applications Have antimalware and a host based firewall Create and maintain security baselines Consider the servers purpose when designing security Intrusion protection system Administrator accounts Have super strong passwords Are only known by people who need them Never log on with admin/service account when not doing administration tasks
Securing Mobile Devices

Strong Passwords A thief with your device has unlimited time to try a brute force attack A long string of letters, numbers, special characters, and no real words Screen Lock When a device is inactive for a short time the screen times out and will not display again until a password is entered

Device Encryption A stolen device is worthless to the thief if it is encrypted Not accessible without a password The stronger the encryption the more the performance is effected Choose a tool that meets your needs Which platforms Key management Cost Voice Encryption Encrypts the communications of mobile phones Will effect the performance and battery life of your device

GPS Tracking If a device has GPS functionality (enabled) you can use it to find a lost device The device needs a GPS tracking app installed and configured Remote Wipe/Sanitation Offers the ability to erase the device if it has been lost or stolen A device with a remote wipe tool configured can be sanitized from a web browser or management console An added feature to messaging solutions Microsoft Exchange Google Apps for Business

Mobile devices should be treated as an entrance point for malware and attacks Avoid mobile devices connecting to the LAN Any connections need to be filtered Educate users Vulnerabilities of mobile devices Keeping personal and company data separate

Term Definition
Antimalware removes malware from the system it is protecting. This
Software that prevents, detects, quarantines, and
includes antivirus, antispyware, and antispam software A type of antimalware that prevents, detects,
Antivirus quarantines, and removes viruses, trojans and other
malicious code from the system it is protecting A type of antimalware that prevents, detects, protecting
Antispyware quarantines, and removes spyware from the system it is
Term Definition
Antispam
Uses different methods to filter incoming messages and label, quarantine, or block those that appear to be spam Matching systems to a minimum standard of security systems stay compliant
Baselining actions and configurations and making sure those
What We Covered
Securing Workstations Antimalware Host-based Firewalls Updates and Patch Management Disabling Unused Services Users and Accounts Virtualization Host Software Baselining Securing Servers Securing Mobile Devices
Securing Applications

Securing Applications CompTIA Security+ Training
In This Lesson:
Application Attacks and Vulnerabilities
Cookies Session Hijacking Header Manipulation Cross-site Scripting Cross-site Request Forgery Injection Attacks Buffer Overflow Java Applets and JavaScript ActiveX Controls Malicious Add-ons Attachments Zero Day Exploits
In This Lesson:
Application Security
Secure Coding Concepts Fuzzing Application Hardening Patch Management Configuration Baseline
Exam Objectives:
3.5 Analyze and differentiate among types of application attacks 4.1 Explain the importance of application security
Application Attacks and Vulnerabilities
Cookies
Little text files that contain information about you Created by websites that you visit and stored locally your machine Used for Session IDs Browsing or shopping history Shopping cart contents Personal information or preferences A stolen cookie is stolen information A privacy concern A security issue Browser settings can disallow cookies from first or third-parties Browser add-ons can manage on a cookie-by-cookie basis
Session Hijacking
A session token can be stolen (or guessed) and then replayed Often a cookie Used to carry out MitM and replay attacks A sniffer can capture session information Cross-site scripting can steal cookies
Session Hijacking Prevention
Log out of all websites while not using them Do not allow persistent login cookies Encrypt sessions when possible Web server requires secondary authentication or re-authentication for performing critical functions
Header Manipulation
Changes values in HTTP headers In an HTTP request Force into as HTTP response Used to carry out other attacks and spoofs
Cache-poisoning, cross-site request forgery, etc

There are tools available to easily manipulate headers
Cross-site Scripting (XSS)

Exploits the trust a user has for a specific website The website must be vulnerable to XSS attacks Tricking a user into running a malicious script on their machine Victim must click on the attackers URL or open the attackers message Sends the victim to the XSS vulnerable site Runs a script on the victims browser The script runs at the permission level of the victim Malicious script steals session cookies or other information and sends it back to the attacker

Reflected XSS (Non-persistent) URL for the attack is sent to the victim in an email or other message URL points to a trusted (XSS vulnerable) website but also contains the malicious code Stored XSS (Persistent) Malicious code is stored on the server and displayed on social networking or other website A greater number of victims will click on it

Cross-site Scripting Prevention
Client Side Disable script running Log out of all websites while not using them Do not use remember me or allow browsers to store login credentials Patch management of browsers and applications User Education dont click links in emails Server Side Secure coding and testing of webpages Input sanitation
Cross-site Request Forgery (XSRF or CSRF)

Exploits the trust that a website has for a users browser Requests are sent to the web server from a trusted user that were not authorized by the user (victim) Victim must have an open session or unexpired cookie with the target website at the time of attack Attack is initiated when the victim clicks on or opens something from the attacker URL links in social networking or email Image tags
Cross-site Request Forgery (XSRF or CSRF)

Attacker targets forms or other actions on the website Must know exactly what info the website will ask for Attack may: Change email address and password to hijack the account Take screenshots of personal information Transfer money
Cross-site Request Forgery Prevention
Client Side Disallow social networking website access Log out of all websites while not using them Do not use remember me Server Side Header checking
Cross-site Scripting vs. Request Forgery

Finds a XSS vulnerable site Sends a URL to the victim for that site with the malicious script inside A website that dynamically creates pages using unsanitized user input Echoes back the malicious script Clicks on the link to visit the site The script runs stealing the victim's cookie
Cross-site Scripting vs. Request Forgery

Uses social engineering to get the victim to click on a link that contains the attack
Social Networking Site
The web server processes the forged request as usual
Attack uses an unexpired session ID on the victim's computer to interact with the web server
Injection Attacks
When user-supplied data is used to dynamically create commands without validation and sanitation, injection attacks can occur. Attack Type SQL Injection Also Called SQL Insertion SQLi Lightweight Directory Access Protocol Injection Description Entering malicious text/commands either along with or instead of the expected user input to manipulate the database or return unauthorized information Exploiting a week LDAP instance by entering unexpected user input that executes commands, returns unauthorized data, or modifies content
LDAP Injection XML Injection Command Injection
Using XPath to exploit XML vulnerabilities and XPath Injection return data that was not intended or expected by the data owner Code injection Inserting commands into an application through user input. Used in Directory Traversal and other attacks both to the server and client
Preventing Injection Attacks

Secure coding practices Proper type assignment for variables and parameters Input validation / filtering / sanitation Validate all user input to make sure it is exactly what is expected Filter out all commands, escape characters, null, and parameters of the wrong type Vulnerability scanning and fuzzing Patch management
Buffer Overflow
More data is sent to an application that it can process or store in the buffer Junk data Buffer Overflow Attack Malicious commands Prevention Results: Patch management Application crash Vulnerability testing Good data overwritten Secure coding practices and testing Executing code with escalated privileges Changes in application behavior
Java Applets and JavaScript

Java Applets Run in a virtual machine/sandbox on the client Applets can get outside a flawed Java virtual machine (JVM) Only run Java Applets from tested and trusted websites and vendors JavaScript Executable and potentially dangerous Browsers do have built-in policies for what JavaScript is allowed to do Tools available to help control which JavaScripts are allowed Security Zones in Internet Explorer NoScript Firefox plug-in (advanced users)
ActiveX Controls
Microsofts version of applets Stored and run directly on the local machine not in a sandbox Runs with the permission level of the logged in user Should be digitally signed (Authenticode) You know who the author is You know it has not been tampered with Do not allow unsigned ActiveX controls Even signed ActiveX have been known to have security holes Keep browser prompts on for ActiveX downloading and running in all IE Security Zones Educate your users about ActiveX browser prompts
Malicious Add-ons
Browser add-ons can be a good thing Add functionality to your browser Many add-ons are not authored by the browser creator Anyone can download the SDK and create an add-on Browser creators do attempt to keep malware out of add-ons Research and test an add-on before using it your production environment
Internet Explorer Security Settings Demonstration

Security Zones Protected Mode InPrivate Browsing Tracking Protection ActiveX Filtering Cross-site Scripting Filter
Attachments
Email attachments are a security threat A very common attack vector Could contain virus, worms, trojans, or other malware May be part of phishing or social engineering attacks
Preventing Attacks Through Attachments
Do not allow script or executable attachments Consider disallowing all attachments User education do not open attachments unless you were expecting that attachment from someone you know
Run all attachments through an antivirus scanner
Zero Day Exploits

Attackers taking advantage of a new found vulnerability before the developer can release a patch Often happens before you realize it If known turn off that application or service until a patched is released Your other layers of security can help mitigate these attacks
Secure Coding Concepts

Error and exception handling An exception is an error that the programmer did not foresee Explicitly program what should happen in all possible cases Including a catch-all general case
Program in human error messages so that any compiler errors or codes are not displayed to the end-user Gives away too much information
Input validation Ensure that all user-supplied input is exactly what is expected and all other characters are not allowed
Fuzzing
Technique of inputting unexpected values into applications to see what happens Random, invalid, unanticipated Results can be Client-side crash Server-side crash Unauthorized access to data Automated tools are available Can be an attack if done by an unauthorized person Utilize fuzzing in your environment before an attacker does Time consuming but worth it
Application Hardening
Keep up with application patch management Regularly research, test, install, audit, and document updates to the applications in your environment Updates may reset your configurations Hotfixes, patches, upgrades, new versions Application updates come from the application vendor Once a vulnerability is found attackers will exploit it Remove programs that are no longer used Restrict access to only the users that need each application for their job
Application Hardening
Have, maintain, and use application configuration baselines For performance and security The applications author and third-party authorities often offer best practice guidelines Use baselines when an application is deployed Creates consistency Frequently recheck for continued compliance Secure all your management consoles against unauthorized access Change default account Strong passwords Log out when not using Consider third-party or secondary authentication

Cookies stored by web browser that contain information about
the user Little text files that are created by websites and
Session Hijacking session token and impersonating the rightful user Header Manipulation attacks
Changing fields in the header to carry out various Tricking users into running malicious scripts on their
An unauthorized third-party stealing and using a
Cross-site Scripting machine. Used to steal cookies and other info Cross-site Request Forged requests are sent to a web server from a Forgery trusted user that were not authorized by the user

Term Definition
SQL Injection LDAP Injection XML Injection
Using unexpected user input that is not properly validated and sanitized to exploit SQL Using unexpected user input that is not properly validated and sanitized to exploit LDAP Using unexpected user input that is not properly validated and sanitized to exploit Xpath/XML
Command Injection exploit the application used to carry out directory

traversal attacks
Inserting commands into user input fields in order to
Directory Traversal of what is authorized. The attacker gets to the
The attacker is able to gain access directories outside

websites root or even worse the OS root directory

Buffer Overflow process and store in the buffer. Leads to malicious Malicious Add-ons Browser add-ons that include malicious code Zero Day Exploits patch is released
Attackers taking advantage of an exploit before a The application is given more data than it can code being written outside the designated buffer area

Error and Exception accounted for and any exceptions will be handled Handling gracefully with a human error message Input Validation exactly the type and length that is expected so no
code or unexpected characters are accepted The practice of entering in random or unexpected exceptions The practice of making sure user-supplied input is of A secure coding practice where all errors are
Fuzzing data into user input fields to find vulnerabilities and
What We Covered
Application Attacks and Vulnerabilities Cookies
Session Hijacking Header Manipulation Cross-site Scripting Cross-site Request Forgery Injection Attacks Buffer Overflow Java Applets and JavaScript ActiveX Controls Malicious Add-ons Attachments Zero Day Exploits
What We Covered
Secure Coding Concepts Fuzzing Application Hardening
Patch Management Configuration Baseline
Data Security

Data Security CompTIA Security+ Training
In This Lesson:
Data Loss Prevention (DLP) Software-based Data Encryption Individual Files/Folders Full Disk/Whole Disk Database Removable Media Mobile Devices Hardware-based Data Encryption Trusted Platform Module (TPM) Hardware Security Module (HSM) USB Encryption Exam Objective: Hard Drive Encryption 4.3 Explain the Data Encryption Key Management importance of data security Data in the Cloud
Data Loss Prevention (DLP)

Making sure your data is available and not being accessed by unauthorized people or systems Internal or external breaches DLP systems monitor and report on data Best to monitor data in all locations At rest DLP System Functions In transit/motion Not deleted or moved Availability In use Not sent in email or put Examples Confidentiality on removable media Microsoft Forefront Watches for Access Control MyDLP unauthorized access
Software-based Data Encryption
Individual Files/Folders
Encrypting specific files/folders where they are stored or for confidentiality during transit End user controlled Encryption/decryption is done by the file system or application The file/folder stays encrypted if it is moved Often includes access control
Individual Files/Folders
Encrypting specific files/folders where they are stored or for confidentiality during transit Examples: Windows Encryption File Standard (EFS) Microsoft Office Many third-party providers have moved to whole disk encryption
Full Disk/Whole Disk

Encrypting an entire physical hard disk or logical volume The entire volume is encrypted including the file system Can be transparent to the end user Data is only protected while it is on the encrypted drive Examples: Microsofts BitLocker Macs Disk Utility creates encrypted virtual disk images TrueCrypt Pretty Good Privacy (PGP)
Database
Can be whole database-level encryption or encrypt only specific rows, columns, fields, cells, etc. Protects the data at rest Might be mandatory for regulatory compliance Is done either by the DB management system or by a separate encryption server Examples: Microsoft SQL Servers Transparent Data Encryption (TDE)
Removable Media
Encrypting the data on removable media like CDs and DVDs and portable devices like USB drives, SD cards, and external hard drives Helps protect data if the device is lost or stolen Encryption software is often included on USB and removable hard drives User controlled Great for personal use A enterprise wide solution transfers control to administrators Often included with a full featured enterprise encryption solution Look for logging and auditing capabilities May include remote management
Mobile Devices
Encrypting the data on digital phones, PDAs, and tablets Helps protect data if the device is lost or stolen Platform specific apps are available to encrypt and password protect mobile devices
Enterprise solutions are available that work across platforms

Remote wipe functionality is often included
Hardware-based Data Encryption
Trusted Platform Module (TPM)

The TPM specification is a standard created by the Trusted Computing Group A built-in physical TPM chip stores keys, passwords, or certificates for encryption Includes a cryptographic processor
Adds extra security to software-based encryption by storing keys on a separate hardware chip
Used for disk encryption, password protection, software licensing enforcement, and configuration integrity checking
Hardware Security Module (HSM)

Physical device (often a PCI adaptor) Used in larger environments Offloads cryptographic processes to save CPU resources Stores keys separate from the protected data Includes key management Often used by the certificate authority in public key infrastructure systems
USB Encryption
Encryption that is done by a chip built in to the USB drive or external USB hard drive Whole device encryption for the data on the USB drive Also used as key/token for authentication or encryption of the device you plug the USB drive into
Hard Drive Encryption

Hardware-based encryption built into a hard drive or A separate device that sits between the hard drive and motherboard Invisible to the user and operating system Separates the key from the data and operating system
Encryption Key Management

Where and how is the key stored At the same location as the data (less secure) On separate hardware Who has access to keys and passwords Attacks can happen from internal employees or contractors Your solution should support the ability to share encrypted files Strong password policies in use What happens if the key is lost Key backup Protect keys through their entire life-cycle
Data in the Cloud

Know what happens to your data when it leaves your network Software as a service Platform as a service Infrastructure as a service May effect regulatory compliance Encrypt data transfer with SSL/TLS or VPN Consider encrypting data before it leaves your network

Term Definition
Encryption File Standard NTFS file system file/folder level encryption (EFS) built into Windows operating systems Trusted Platform Module A chip built into laptops and other devices that (TPM) create and store keys for encryption Hardware Security Module A hardware device that performs encryption (HSM) and key management
Data Loss Prevention (DLP) Software-based Data Encryption Individual Files/Folders Full Disk/Whole Disk Database Removable Media Mobile Devices Hardware-based Data Encryption Trusted Platform Module (TPM) Hardware Security Module (HSM) USB Encryption Hard Drive Encryption Data Encryption Key Management Data in the Cloud
What We Covered
Authentication, Authorization, and Access Control

Authentication, Authorization, and Access Control CompTIA Security+ Training
In This Lesson:
Authentication and Authorization Identification vs. Authentication Authentication and Authorization Something You Know, Something You Have, and Something You Are Passwords Tokens Smart Cards Common Access Cards (CAC) Personal Identification Verification Cards (PIV) Biometrics Single Factor vs. Multifactor Authentication
In This Lesson:
Access Control Key Terms You Should Know Types of Access Control Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-based Access Control (RBAC) Rule-based Access Control (RBAC) Information Models
Policies and Best Practices Mandatory Vacations Job Rotation Separation of Duties Trusted OS
Exam Objectives:
5.2 Explain the fundamental concepts and best practices related to
authentication, authorization, and access control
Authentication and Authorization
Identification vs. Authentication

Identification The actual identity of the user is verified A human has confirmed that the person with the credentials is the owner of them Drivers license Employee ID card Authentication User knows or has the authentication credentials Username, password That user should be but is not guaranteed to be the true owner of the credentials Even the credential owners real identity may be anonymous
Authentication and Authorization

Authorization Permitting or denying access Access control or authentication system defines what level of access a particular authenticated user has Subject to rules like time of day restrictions Allows access to only specific times and days Protects systems from attacks while no one is working A user must be authenticated before they can do/access what they are authorized
Something You Know, Something You Have, and Something You Are Authentication by Knowledge (Type I) A string of characters entered from memory Passwords PIN number Pass codes Pass phrases Security questions Combinations Can be stolen, guessed, or cracked Have strong password policies
Something You Know
Something You Have
Something You Are
Something You Know, Something You Have, and Something You Are Authentication by Ownership (Type II) Keys To open locked doors and cabinets Tokens Hold information about the user like access privileges Digital (session token) Issued by the system at authentication To be used for that session Physical Hardware (security token) Many forms: Keychain fob, USB dongle, scan card Often a one-time password generator SecureID
Something You Know
Something You Have
Something You Are
Something You Know, Something You Have, and Something You Are Authentication by Ownership (Type II) Smart Cards A physical card Stores access permissions and other data Hard to duplicate but easy to steal Often blank, so if lost the finder doesnt know who it belongs to or where to use it Used along with pin numbers Lock out happens if the incorrect pin is entered too many times
Something You Know
Something You Have
Something You Are
Something You Know, Something You Have, and Something You Are Authentication by Ownership (Type II) Smart Cards A physical card Stores access permissions and other data Hard to duplicate but easy to steal Often blank, so if lost the finder doesnt know who it belongs to or where to use it Used along with pin numbers Lock out happens if the incorrect pin is entered too many times Common Access Cards (CAC) US Department of Defense Identification and authorization Access to computers Signing email PKI
Something You Know
Something You Have
Something You Are
Something You Know, Something You Have, and Something You Are Authentication by Ownership (Type II) Smart Cards A physical card Stores access permissions and other data Hard to duplicate but easy to steal Often blank, so if lost the finder doesnt know who it belongs to or where to use it Used along with pin numbers Lock out happens if the incorrect pin is entered too many times Personal Identification Verification Cards Also called Personal Identity Verification Card (PIV) For U.S. government employees and contractors Physical access to government buildings Logical access to government information systems
Something You Know
Something You Have
Something You Are
Something You Know, Something You Have, and Something You Are Authentication by Characteristic (Type III) Biometrics Use a unique biological trait as the authentication credential Fingerprint, handprint, retina scan, facial recognition Starting to include behavior traits as well as physical ones Can be built into laptops and other devices Can be used for physical access to buildings or rooms Concerns False positives and false negatives Inability to change your password if it is stolen Privacy issues
Something You Know
Something You Have
Something You Are
Single Factor vs. Multifactor Authentication

Single Factor Authentication Only one set of authentication values are checked Example: Username and Password Multifactor Authentication More than one type of authentication happens Example: Username and Password + Smart Card scan Identity Proofing Answering an additional question When you forget your password When logging in from a new computer
Know Have Know
Access Control

Permissions, Privileges, or Rights The level of access granted to users, groups, and roles Objects Files Folders Printers Applications Databases Subjects Users Processes Services
Types of Access Control

Mandatory Access Control (MAC) Access is predefined and inflexible Controlled by administrators Users cant choose to share objects themselves More secure but less flexible More overhead management that can fall into disrepair MAC Example
Military Classifications Use of data labels like Secret or Top Secret Users have a clearance level and can only access data at that level

Discretionary Access Control (DAC) Allows users to share objects with other users More flexible Less secure DAC Example
Unix Permissions
Users are in different groups Owner, group, or other The owner of an object sets the permission for each group Read, write, or execute

Role-based Access Control (RBAC) Permissions are set based on roles A person/subject can be added to one or more role groups Simplifies administration When a persons role changes so does his/her permissions RBAC Example
Microsoft Active Directory Users and computers are put into groups based on their job role Permissions are set per group

Rule-based Access Control (RBAC) Access is determined by a set of rules Access control lists (ACLs) list who can access what Implicit Deny rejects anything not explicitly allowed by the list RBAC Example
Firewall Rules A list of rules that specify what is permitted through the firewall under what conditions IP addresses, ports, sources, destinations, and others
Information Models
Bell-LaPadula Focus on confidentiality No read-up (Simple Security Policy) No write-down (-property)
Top Secret
Secret
Confidential Unclassified
Information Models
Biba Focus on integrity No write-up (Simple Integrity Axiom) No read-down ( Integrity Axiom)
Confirmed Trusted Unverified
Information Models
Clark-Wilson Constrained data items only accessed through transformative procedures Different applications for read and write Separation of duty
Policies and Best Practices
Mandatory Vacations
Helps prevent and uncover misuses or illegal activities by internal employees Lets others at the company see what that employee does An audit can be performed while the employee is away Acts as a deterrent if employees knows about the vacations and audits May only be mandated for higher ranking or those with financial responsibilities
Job Rotation
Employees are moved between two or more jobs in a scheduled system Helps prevent and uncover misuses or illegal actives by internal employees Also provides redundant skills and reduces boredom Does not work well in smaller companies
Database Admin
Website Admin
Network Admin
Separation of Duties
Limits misuse of systems and data Helps prevent fraud and error Split an important job into parts/steps and have them be performed by two or more people SoD in IT Security Restrict the amount of power held by any one individual A deferent person designs/implements as tests/audits security systems Any single system administrator account should be limited in its abilities Least Privilege each IT person should only have permissions to what they need for their job
Trusted OS
An operating system has been tested and is certified to be secure Common Criteria (CC) International standard ISO/IEC 15408
A product receives a Evaluation Assurance Level (EAL) after testing

Also applies to hardware, devices, and software For high security environments like government or military

Identification Verifying the true identity of a person
Single Factor Using only one type of credentials for authentication Authentication Multifactor Using more than one type of credentials for Authentication authentication
Biometrics
Using a biological trait such as fingerprint as an authentication credential

Security Tokens Smart Cards Common Access Cards A hardware device used for authentication most often in a challenge-response situation Hardware cards that include electronics to be scanned or read for access to areas or resources US Department of Defense smart cards that are used to access computers and digital signatures
Personal Identification US Government smart cards used to access Verification Cards buildings and computer systems

Term Definition
Mandatory Access Inflexible access control that is controlled by Control (MAC) administrators Discretionary Access More flexible access control that allows object Control (DAC) owners to share access Role-based Access Access control is based on the roles that a subject Control (RBAC) belongs to Rule-based Access Access is defined by a set of rules Control (RBAC) An operating system that meets the Common Trusted OS Criteria's requirements for security at a EAL of 4 or above

Permissions, The level of access granted to users, groups, and Privileges, or Rights roles When referring to access control an object is what Objects we are grating uses access to these can be riles, folders printers, or databases When referring to access control an subject is who Subjects we are granting object access to these can be people, computers, or processes
What We Covered
Authentication and Authorization Identification vs. Authentication Authentication and Authorization Something You Know, Something You Have, and Something You Are Passwords Tokens Smart Cards Common Access Cards (CAC) Personal Identification Verification Cards (PIV) Biometrics Single Factor vs. Multifactor Authentication
What We Covered
Access Control Key Terms You Should Know Types of Access Control Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-based Access Control (RBAC) Rule-based Access Control (RBAC) Information Models
Mandatory Vacations Job Rotation Separation of Duties Trusted OS
Policies and Best Practices
Physical and Environmental Security

Physical and Environmental Security CompTIA Security+ Training
In This Lesson:
Physical Security Fencing Mantraps Access List Proximity Readers Video Surveillance and Monitoring Hardware Locks Cable Locks Safe Locking Cabinets Environmental Security HVAC Hot and Cold Aisles Environmental Monitoring and Controls Temperature and Humidity Controls Fire Suppression Power Systems Electromagnetic Emissions Interference and Shielding
Exam Objectives:
Partial Coverage of 3.6 and 4.2
2.6 Explain the impact and proper use of environmental controls
Physical Security
Fencing
c
Server Room
Security Office
Fencing The outer layer of physical security
c
c
Server Room
Security Office
Access List
Mantrap An small area that limits access to an area or individual A person must be allowed through the mantrap by someone with authority Access lists specify who is allowed into what areas
Mantrap
c c
Server Room
Security Office
# P
Proximity Readers Reads the electronic signal from proximity devices Electronic ID cards or fobs Use Radio Frequency Identification RFID Can use one-time password authentication
Proximity Readers
c Video Surveillance c
Server Room
Security Office
# P
Video Surveillance and Monitoring Closed Circuit television (CCTV) Recorded for later review May be monitored live
Hardware Locks
Cable Locks Laptops have a built-in slot meant for cable locks Secure a laptop or even a desktop and other devices to the desk Lock PC cases to keep people from removing or destroying hard drives and other components Safes and Locking Cabinets Store backups, documentation, and other important information in a locked cabinet or safe Rack mounted servers and appliances should be locked to the racks Dont forget key management!
Environmental Security
HVAC Considerations
Heating, ventilation, and air conditioning Server rooms, data centers, and computer labs need extra HVAC considerations
Extra cooling and heat transfer Separate zone or separate system from the rest of the building
HVAC on at all times not turned down or off on weekends and holidays Contract experts that have experience with computer specific HVAC
Hot and Cold Aisles
Hot Aisle
Hot Aisle
Hot Aisle
HVAC
Rack
Rack
Rack
Raised Floor
Environmental Monitoring and Controls

Systems for monitoring alerting on environmental variables Temperature Humidity Moisture Dust Smoke Chemical Temperature and humidity controls Needed for older systems and larger modern systems like communication equipment and datacenters Low humidity causes equipment damaging static shocks High humidity causes corrosion
Rack
Fire Suppression
Fire extinguisher Portable Unplug equipment if possible
http://www.usfa.fema.gov
Fire Suppression
Fire suppression system Built-in and integrated with fire/smoke detectors Water-based Not preferred for computers Should cut the power to computers first
Wet Pipe Dry Pipe Pre-action Pipes remain undamaged Slow acting
Pipes could freeze, Pipes remain burst, or leak undamaged Fast acting No time to stop the system from starting Slower acting
Allows time to Gives you time to use shut off valve extinguisher to put out a small for false alarms fire before system goes off
Fire Suppression
Fire suppression system Built-in and integrated with fire/smoke detectors Gas-based Safer than water for electronics More expensive and more maintenance Could harm humans
Power Systems
Surge protector Protect electronics from a surge of electricity Range in size Small for a few devices Large for the entire building Can protect phone, coaxial, and Ethernet cables as well Passively wait for a spike in power Often one time use
Power Systems
Power conditioner Actively normalizes and improves the quality of electricity Different models do different things Regulate power voltage Filter noise Load balance Surge protection Battery backup Rack sized or building sized
Power Systems
Backup power Uninterruptable Power Supply (UPS) Instantaneous protection form power interruptions Short term solution Backup generators Not instantaneous Often used in conjunction with backup batteries Run on gas or diesel Require regular maintenance
Electromagnetic Emissions: Interference and Shielding

Interference EMI: Electromagnetic Interference Electronic emissions that interrupt, obstruct, degrade, or desensitize the performance of electronics RFI: Radio Frequency Interference EMI that is projected across the radio spectrum From fluorescent lights, motors, and other outside equipment Also from the computer components themselves

Shielding Prevents interference and protects your electronic emissions from being gathered by attackers Comes in many forms: spray, tape, filter, cage, and more Built into devices and computer components TEMPTEST certified systems Certified by the government to be electromagnetic emission free and safe to contain classified information Shielded Twisted Pair (STP) vs. Unshielded Twisted Pair (UTP)
STP UTP
Best Practices
Use shielded conduit when running cables Do not have communication cables in the same conduit as power cables Keep cables away from sources of EMI and RFI Use fiber optic cable if possible

Electromagnetic Interference (EMI) Radio Frequency Interference (RFI)
Interference caused by the electronic emissions of other devices and cables Electrical byproduct that is projected across the radio spectrum A device that reads proximity cards or fobs for restricted area
Proximity Reader authentication and entrance into a building or

A small area between two doors where that a
Mantrap person can not get past without authorization
What We Covered
Physical Security Fencing Mantraps Access List Proximity Readers Video Surveillance and Monitoring Hardware Locks Cable Locks Safe Locking Cabinets
HVAC Hot and Cold Aisles Environmental Monitoring and Controls Temperature and Humidity Controls Fire Suppression Power Systems Electromagnetic Emissions Interference and Shielding
Environmental Security
Authentication Services

Authentication Services CompTIA Security+ Training
In This Lesson:
Introduction to Authentication Services RADIUS TACACS+ TACACS and XTACACS Kerberos LDAP
Exam Objective:
5.1 Explain the function and purpose of authentication services Partial coverage of 5.2
Introduction to Authentication Services

Centralizes authentication Removes the need for multiple user databases Ease of maintenance Single Sign-on Allows users to log in from different places and through different means Internal clients Remote clients Mobile devices
Introduction to Authentication Services

Widely used Used by internet service providers (ISP) Every network access server relies on a central authentication server Used by corporate networks Every resource, storage, and application server uses a single authentication service Offers more than just authentication Who you are? (Authentication) What you are allowed to access? (Authorization) What you did? (Accounting)
RADIUS
Remote Authentication Dial-in User Service Does authentication, authorization, and accounting Authentication and authorization together Accounting separate Consolidates authentication of dispersed users onto a centralized server Flexible: works with varied systems and protocols Can use PPP, CHAP, PAP, EAP, and UNIX login UDP ports 1812 and 1813 (connectionless) 1812 for authentication and authorization 1813 for accounting Or the older standard of ports 1645 and 1646
RADIUS
Share a secret key
User initiates connection to NAS NAS asks user for credentials User replies with credentials
Access-Request sent to RADIUS Server

RADIUS Server responds with
Access-Accept or Access-Reject
RADIUS
Remote Authentication Dial-in User Service Security Concerns
Sniffing Entire payload of client/server communication not encrypted Client/user communication vulnerable depending on implementation
Mitigations
Harden the RADIUS server Use over other protocols like IPSec or SSL to layer on protection
Choose unique shared secrets for each NAS
Spoofing
Denial-of-Service Replay attacks MD5 associated vulnerabilities
TACACS+
Terminal Access Controller Access Control System Plus Newest protocol based on TACACS Does authentication, authorization, and accounting separately Encrypts not just the users password but the entire payload TCP port 49 (connection-oriented) Proprietary to Cisco Works well with router management and terminal services
TACACS+ Weaknesses
Accounting information is sent in clear text Limited integrity checking
TACACS and XTACACS

Older version of TACACS Considered end-of-maintenance TACACS Had authentication and authorization in a combined process Used connectionless UDP Did not offer accounting Did not support multifactor authentication XTACACS (Extended TACACS) Separated authentication and authorization Had less granular accounting processes Used connectionless UDP
Kerberos
Network authentication Works with multiple OSs Single Sign-on (SSO) A user signs on once and all resource access is based on that logon Mutual authentication possible All authentication transactions are secure 3 heads of mythical Kerberos Key Distribution Center (KDC) Authentication Server (AS) Ticket Granting Server (TGS) Tickets and sessions are time-sensitive
Kerberos
Principal presents credentials to AS and requests a Ticket Granting Ticket
AS AS responds with TGT and session key for TGS
TGS Principal uses TGT to request a Service Ticket for the application server
TGS responds with Service Ticket

Principal presents Service Ticket to Application Server Data transfer
LDAP
Lightweight Directory Access Protocol Directory services queries (and modifications) made over an IP network X.500 directory A set of objects with attributes Organized in a hierarchical structure Examples: Microsoft Active Directory Novell eDirectory TCP/UDP port 389 Other ports/services work with LDAP
LDAP Distinguished Names
dc=globomantics, dc=local
ou=locations
ou=chicago
ou=new york
ou=computers
ou=users
ou=computers
ou=users
cn=hackmann cn=eliberman DN: cn=hackmann, ou=users, ou=chicago, ou=locations, dc=globomantics, dc=local
LDAP
Lightweight Directory Access Protocol Security Concerns
No security by itself Simple authentication only adds clear text authentication
The Simple Authentication and Security Layer protocol (SASL) adds encrypted authentication Use SASL Use LDAP over SSL/TLS (LDAPS) Block port 389 at the border firewall (or 636 for LDAPS)
Mitigations
Harden LDAP servers

Term Definition
Remote Authentication Dialin User Service (RADIUS) Network Access Server/Remote Access Server (NAS/RAS) Terminal Access Controller Access Control System Plus (TACACS+) Extended Terminal Access Controller Access Control System (XTACACS)
A standard protocol for providing AAA services that uses UDP and combines authentication and authorization The client to the RADIUS or TACACS+. A user communicates with this server instead of direction with the authentication server A standard protocol for providing AAA services that uses TCP and separates authentication and authorization An older version of TACACS that had limited accounting functionality

Terminal Access Controller The original TACACS that used UDP and had Access Control System no accounting (TACACS) Kerberos protocol that offers a single sign-on for all
network resources A component of the Kerberos system that A strongly encrypted network authentication
Key Distribution Center includes the AS for authentication and TGS (KDC) for secure distribution of keys Authentication Server/Service A component of the Kerberos system that (AS) handles authentication

Ticket Granting A component of the Kerberos system that Server/Service (TGS) handles the secure distribution of keys Single Sign-on (SSO) credentials one time and can access all
authorized resources and applications A user only needs to enter one set of
Lightweight Directory Access and modify x.500 hierarchical directories Protocol (LDAP) across a TCP/IP network Distinguished Name (DN) based on its location in the hierarchy
A directory services protocol used to access
The unique name given to a directory object
What We Covered
Introduction to Authentication Services RADIUS TACACS+ TACACS and XTACACS Kerberos LDAP
User Account Management

User Account Management CompTIA Security+ Training
In This Lesson:
Privilege Management Password Policies User Assigned Privileges Complexity and Length Group Based Privileges Expiration User Account Policy Recovery Users with Multiple Accounts/Roles Lockout System/Administrator Accounts Logon Time Restrictions Temporary Access Account Disablement
Exam Objective:
5.3 Implement appropriate security controls when performing account management
Privilege Management
The administrating what resources and data that is available to users and groups within an organization User assigned privileges Privileges are granted specifically and individually for each user Not scalable Difficult to make global changes
Group based privileges User privileges are inherited from the group Can be as simple as locations or departments Can be very granular and have a group for each job role (Rolebased management)
Users can be members of multiple groups
Group Based Privileges

Accounting Department Group
Read Only
Accounts Payable
AP Resource
AR Resource
Accounts Receivable
Full Access
Accounting Managers
Group Based Privileges

Accounting Department Group
Read Only
Accounts Payable Group
AP Resource
AR Resource
Accounts Receivable Group

Full Access
Accounting Managers Group
User Account Policy

Users with multiple accounts/roles Create separate accounts for administration and regular use Only use an admin account for doing admin tasks The user must have different passwords for each account Even for accounts outside the company Multifactor authentication forces this When separation of duties is not needed Add users to multiple groups depending on their roles Understand how conflicting permissions are handled
User Account Policy

System/administrator accounts Do not have accounts that have company wide administrative privileges Give admin accounts only the privileges they need
Logon time restrictions Limits the amount of time that attackers can use accounts
Temporary Access Grant least privileges Set the expiration date
Microsoft Active Directory Users and Groups Demonstration

Add users to groups Assign permissions to groups Configure time of day restrictions Create a temporary account and set it to expire
User Account Policy

Account disablement Account expiration Temporary or guest accounts can be set to automatically expire Inactive accounts Accounts are configured to automatically enter a lock-out state if they are inactive for a period of time Even accounts that are not set to expire User account and data deletion policy Breaks the audit trail Transfer data first including encryption keys
Password Policies
Complexity and Length At least 8 characters (longer is better) Must include uppercase and lowercase letters Must include at least one number or special character
Expiration Passwords expire at a regular interval Require passwords to be different from the password history
Password Policies
Recovery/Reset Identification and/or authentication should happen as part of the reset process Lockout Account lockout threshold for failed logon attempts Thoroughly plan your lockout policy Cached credentials Service accounts Educate users on protecting their password and choosing strong passwords
User Best Practices for Passwords

Protecting Your Passwords Never tell your password to anyone Emails asking for your password are fraudulent Do not write passwords down If you must write them down, store the paper in a secure place (not tacked to your bulletin board) and destroy (not just throw away) it once you have memorized it Change your password immediately if you suspect it has been compromised Use a different password for every account Using the same password means that if someone gets the password for one of your accounts, it can be used on your other accounts too Do not let applications like web browsers store important passwords. If your computer is compromised then those passwords are available to the attacker Be sure you are entering your password into the real website (not a faked
version) every time Create strong passwords

Creating Strong Passwords Should be at least 8 characters in length longer for more important accounts Should include numbers and special characters Should not be numbers associated with you like your address Special characters are not numbers or letters. Examples are *, &, $, _ Consider placing your special characters in the middle of the password instead of the last character Dont just replace a letter with a common special character replacement like replacing S with $ or O with 0 If passwords are case sensitive, use a combination of upper and lowercase letters Put uppercase letters in the middle of the password, not just
as the first or last character

Creating Strong Passwords Should not be a single real (dictionary) word It should not include names of your pets or family members The best method to creating a seemingly random, strong password is to use a string of characters that corresponds with a phrase that helps you
remember Password: i8ccc&T4b Reminder Phrase: I ate chocolate chip cookies and tea for breakfast

Term Definition
User Assigned Privileges The data and resources that users are allowed to access and change are set on a user-by-user basis
Users are grouped together by a common criteria. Group Based Privileges Privileges are set for the group and the users inherit the group privileges
What We Covered
Privilege Management User Assigned Privileges Group Based Privileges User Account Policy Users with Multiple Accounts/Roles System/Administrator Accounts Logon Time Restrictions Temporary Access Account Disablement Password Policies Complexity and Length Expiration Recovery Lockout
Risk Management

Risk Management CompTIA Security+ Training
In This Lesson:
Risk Management Vocabulary Asset Vulnerability Threat Risk Impact Qualitative Assessment Quantitative Assessment Risk Calculation Impact Analysis Threat vs. Likelihood Annualized Loss Expectancy (ALE) Options for Handling Risk Risk-avoidance Transference Acceptance Mitigation Deterrence Control Types Technical Management Operational
Exam Objective:
2.1 (Partial) Explain risk related concepts 3.7 (Partial) Implement assessment tools and techniques to discover security threats and vulnerabilities
Risk Management Vocabulary

Asset What we are tying to protect: people, property, information, and reputation Vulnerability A flaw, weakness, or gap that can be exploited by threats to gain unauthorized access to an asset
Threat Something that can exploit a vulnerability and can potentially cause loss/harm to assets
Risk The possibility of damage, destruction, or theft of an asset
Risk Management Vocabulary

Impact The result of a risk Qualitative Assessment An assessment based on the sensitivity of an asset Assigns a weight, grade, or class to an asset instead of a dollar amount Quantitative Assessment An assessment based on the monetary worth of an asset Calculates the cost impact of an incident
Asset Identification
Threat and Vulnerability Assessment
Risk Calculation
Mitigation and Deterrence
Evaluation
Risk Management Steps
Asset Identification
What properties, belongings, resources, data, systems, and people does a company possess? Inventory and prioritize Which assets have the most value? (Quantitative) Which assets are most important? (Qualitative) Mission critical Irreplaceable Once assets are identified and it can be determined what risks could affect them and what the impact would be
Threat and Vulnerability Assessment
Methods Interviews Evaluations Penetration testing Vulnerability scanning Prioritize Coordinate with business impact analysis
Impact Analysis
Determine the impact of a successful exploitation of a vulnerability For all assets Theft, loss, damage of asset For IT systems Loss of confidentiality, integrity, and/or availability
Impact Level Low High Tangible Intangible: Assets and Mission, Reputation, Interest Resources Some Very costly Notable Violate, harm, or impede Significantly violate, harm, or impede
Risk Calculation
Human Assets -Injury Serious injury or death
Moderate Costly
Risk Calculation
Risk Calculation
Threat
An event that intentionally or accidentally exploits a vulnerability Steals, damages, or destroys an asset
Likelihood
vs.
What are the chances that a threat will take place? High, moderate, or low Annualized rate of occurrence
Risk Calculation
Asset Value Exposure Factor Single Loss Expectancy AV x EF = SLE Annualized Rate of Occurrence Annualized Loss Expectancy AV EF SLE
Risk Calculation
How much money something is worth A frequency rate, measure of magnitude, or other multiplier specific to each asset How much is estimated to be lost on a signal occurrence of a given risk
Probability of a SLE happening or ARO how many times a SLE is expected to happen in a given year ALE How much is estimated to be lost each year to a given risk
Risk Calculation
Annualized Loss Expectancy Example
Risk Calculation
ARO
A web server for an e-commerce business generates $5,000 per hour. This web servers probability of failing within one year is AV back 10%. If the web server goes down, it takes 2 hours to get up and running again.
EF
AV x EF = SLE 5,000 x 2 = $10,000
SLE x ARO = ALE 10,000 x .1 = $1000
Risk Calculation
Annualized Loss Expectancy Example
Risk Calculation
A web server for an e-commerce business generates $5,000 per hour. This web servers probability of failing within one year is 10%. If the webs server goes down, it takes 2 hours to get back up and running again. The estimated cost to replace failed components in the server is $200. AV x EF = SLE 5,000 x 2 + 200 = $10,200 SLE x ARO = ALE 10,200 x .1 = $1020
Options for Handling Risk

Risk-avoidance Transference Mitigation Deterrence
Acceptance
Avoid the risk by no longer having or doing what is associated with the risk
Share some of the burden of the risk with another entity like an insurance company
Take action to try to reduce the likelihood or impact of the risk Make the risk less enticing to attackers with threat of prosecution or other public safeguards Retain a risk if the cost to mitigate is more costly than the impact of an attack
Control Types
Management Assessment and Planning Technical Systems
Operational Actions
Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 available at http://csrc.nist.gov/
Control Types
Management Assessment and Planning Technical Systems
Operational Actions
Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 available at http://csrc.nist.gov/
Control Type Families

Control Type/Class
Management
Family
Security Assessment and Authorization
Planning Risk Assessment System and Services Acquisition Program Management Technical Access Control Audit and Accountability Identification and Authentication System and Communications Protection
Control Type Families

Control Type/Class
Operational
Family
Awareness and Training Configuration Management Contingency Planning Incident Response Maintenance Media Protection Physical and Environment Protection Personnel Security System and Information Integrity
Evaluation
Review the adequacy of security controls Did they eliminate the risk? Did they reduce risk? Is there any residual risk? Continue to look for new threats and vulnerabilities

Asset What we are tying to protect: people, property, information, and reputation
A flaw, weakness, or gaps that can be exploited Vulnerability by threats to gain unauthorized access to an asset Threat Risk Something that exploits a vulnerability and can potentially cause loss/harm to assets The possibility of damage, destruction, or theft of an asset

In terms of risk assessment, a quantitative Quantitative assessment is one based on the monetary value of an asset or the cost of a risks impact In terms of risk assessment, a qualitative Qualitative assessment is one based on the importance or sensitivity of an asset The outcome of a risk happening. The cost of a Impact risk or the damage or loss of assets cased by a risk Likelihood The probability that a risk with happen

Term Definition
Annualized Loss How much money is expected to be lost from a Expectancy (ALE) particular risk in one year Annualized Rate of The probability of a SLE happening or how many Occurrence (ARO) times a SLE is expected to happen in a year Single Loss How much money is expected to be lost from a Expectancy (SLE) single incident of a risk
How much an asset is worth. Based on how Asset Value (AV) much money it is making for the company as well as the cost to replace
Exposure Factor A frequency rate, measure of magnitude, or (EF) other multiplier specific to each asset

Risk-avoidance No longer using or doing something that is vulnerable
Transference Sharing a risk with a third party Deciding to tolerate the impact of a risk. Often Acceptance used with low level risks or residual risk after mitigation Mitigation Actively employing controls to lower the likelihood or impact of a risk
Deterrence Making a threat less attractive to attackers
Risk Management Vocabulary Asset
What We Covered
Options for Handling Risk Risk-avoidance Transference Acceptance Mitigation Deterrence Control Types Technical Management Operational
Vulnerability Threat Risk Impact Qualitative Assessment Quantitative Assessment Risk Calculation Impact Analysis Threat vs. Likelihood Annualized Loss Expectancy (ALE)
Threat and Vulnerability Assessment and Detection

Threat and Vulnerability Assessment and Detection CompTIA Security+ Training
In This Lesson:
Assessment Types Vulnerability Threat Risk Assessment Techniques Baseline Reporting Code Review Determine Attack Surface Architecture Design Review
In This Lesson:
Testing and Scanning Tools Protocol Analyzer / Sniffer Port Scanner Honeypot and Honeynet Vulnerability Scanning Penetration Testing Black, White, and Gray Box Testing
Exam Objective:
3.7 (Partial) Implement assessment tools and techniques to discover security threats and vulnerabilities 3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
Assessment Types
Assessment Type Vulnerability Definition Finding security flaws
Determining what threats line up with the vulnerabilities for your particular systems Analyzing the tools and resources that attackers have Risk Determining what the risks are and the likelihood and impact of those risks
Benefits Baselines and ongoing security

Zero in on specific security implementations Prioritize security Help determine security budgeting
Threat
Assessment Techniques
Baseline Reporting First you need a baseline Compare the current to the baseline after changes or events Software can automatically generate reports about differences that dont match the baseline (change detection) Good for regulatory compliance
Code Review Looking at custom made code to find holes Injection or cross-site vulnerabilities Manual assessment A detailed reading through the source code (should be done by skilled developers)
Automated assessment Using tools to scan the code

Black Box White Box Gray Box
Determine Attack Surface The part of an application or system that is accessible or visible Can include interfaces, protocols, code, data, and more
Practice attack surface reduction (ASR) to limit potential damage Turn off unnecessary services and functions Allow only least privileges Strengthen authentication services
Architecture Reviews how a system or application is interconnected with the network architecture How it interacts with the users, databases, devices, browsers, and services How do those interconnections effect security
Design Reviews Application design review Done during the development process Looks at the attack surface of an application User inputs and interactions
Network design review Reviews the network and system design What ports and protocols are open? What rules and access controls are in place? What information models are used?
Testing and Scanning
Tools
Protocol Analyzer / Sniffer Captures packets in route and then analyzes them Resources, ports, and source/destination addresses Used for troubleshooting as well as security Malicious traffic Misconfigurations Network baselines Wired and wireless options Applications/appliances have GUIs and reports Wireshark Tcpdump (Linux command line) NAI Sniffer
Tools
Port Scanner Find out what ports are open, closed, or filtered Find ports you didnt know were open SYN packets are one way to test how ports respond
SYN Packet Response SYN/ACK Open RST Closed No response Filtered
Attackers use port scanning to find ports that provide services that can be exploited Applications Nmap Included with vulnerability scanners
Tools
Honeypot A system created for the purpose of letting attackers attack it and studying the results Honeynet More than one honeypot working together An entire network set up to invite attack Applications, services, and user accounts Uses virtualization Sometimes integrated with a larger IDS/IPS Uses Development and research Information gathering and decoy
Vulnerability Scanning
Tests for known vulnerabilities Passively tests security controls Performs scans that look for the latest vulnerabilities Many types of vulnerability scanners available Plan vulnerability scanning Backup first Do during off hours Once a month or once a quarter
Vulnerability Scanning
Applications/appliances have GUI interfaces and reports Nessus Retina SAINT Interpreting the results Reports from commercial scanners list open ports and vulnerabilities Identify false positives Identify vulnerabilities Identify lack of security controls Identify common misconfigurations
Penetration Testing
Using any and all methods to try to break in to your fully protected network An experienced tester uses a variety of tools and methods OSSTMM and NIST have standard penetration testing methodologies Actively test and try to bypass your security controls Verify a threat exists without exploiting vulnerabilities
Penetration Testing
Black, white, and gray box testing
Black Box Penetration Testing

Tester acts as an outside hacker Has no inside knowledge of the network prior to the test Typically, most of the IT staff does not know the test is taking place
Penetration Testing
White Box Penetration Testing

Tester acts as a malicious insider with full network understanding
Has knowledge of code, systems, topology, a user account, ect. IT staff knows about the test
Penetration Testing
Gray Box Penetration Testing

Tester acts as if he is an outsider working with a malicious insider

Vulnerability Finding and assessing the holes and Assessment weaknesses in applications and systems Threat Assessment
Finding and assessing the source and means of the attacks that our systems are vulnerable to
Risk Assessment Determining the impact and likelihood of risks Attack Surface visible, accessible, and therefore potentially
The area of an application or system that is vulnerable

Term Definition
Honeypot A computer that is intentionally left open to attack in order to study how attacks are carried out and lure attackers away from legitimate systems More than one honeypot connected together or an entire virtual network meant to be attacked
Honeynet
Using a database of known vulnerabilities to Vulnerability scan a system or network looking for Scanning weaknesses Actively testing your network security using any Penetration Testing and all methods to simulate what attacks from hackers or malicious insiders would use

Testing code or systems without any prior Black Box Testing information about the inner workings of that application or system White Box Testing Testing code or systems with full disclosure of the inner workings of that application or system
Testing code or systems from the outside with Gray Box Testing some understanding of the inner workings to help guide the test
Assessment Types Vulnerability Threat Risk
In This Lesson:
Baseline Reporting Code Review Determine Attack Surface Architecture Design Review
In This Lesson:
Testing and Scanning Tools Protocol Analyzer / Sniffer Port Scanner Honeypot and Honeynet Vulnerability Scanning Penetration Testing Black, White, and Gray Box Testing
Risk Mitigation and Deterrence

Risk Mitigation and Deterrence CompTIA Security+ Training
In This Lesson:
Mitigation Strategies Security Posture Initial Baseline Configuration Continuous Security Monitoring Remediation Manual Bypassing of Electronic Controls Failsafe vs. Failopen Change Management Implement Security Controls Based on Risk Detection vs. Prevention Controls Hardening Perform Routine Audits User Rights and Permissions Reviews Data Loss or Theft Prevention
In This Lesson:
Policies Security Policies Privacy Policies Acceptable Use Policies Other Policies
Exam Objective:
2.1 (Partial) Explain risk related concepts 2.2 Carry out appropriate risk mitigation strategies 3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques
Mitigation Strategies
Security Posture
The overall approach an organization takes to security Creating and maintaining your security posture Initial baseline configuration Take into account regulatory compliance Remember patch management Continuous security monitoring Utilize your monitoring systems Perform audits Keep up on the latest information with security organizations, websites, and blogs Remediation Quarantine that system until it meets the baseline Document and verify results
Manual Bypassing of Electronic Controls

Electronic controls can be bypassed Turning off or short circuiting the power Overloading or confusing sensors Failsafe vs. Failopen
Failsafe: Failure happens in a secure way Failopen: Failure happens in an unsecure way Failsafe Examples A failed electronic lock blocks any entry A failed application closes A failed firewall blocks all traffic Failopen Examples A failed electronic lock remains unlocked A failed application remains open A failed firewall allows all traffic
Change Management
Working within predefined procedures and timelines for change Evaluating, authorizing, testing, carrying out, and documenting changes
Changes to systems, configurations, what software is installed, etc. Configuration control of systems that have been baselined
New deployments, expansion, and reorganization also falls under change management
Change Management
Change Management Goals
Prevent new security vulnerabilities due to change Prevent loss of functionality due to change Schedule and stage change to minimize impact to users Communicate downtime in advance of implementing change Document change for communication and auditing purposes Allow changes to be reversed with a rollback strategy Require separation-of-duties through management oversight
Follow up with changes after they are implemented

Follow security minimum baselines and uncover changes to configuration baselines
Implement Security Controls Based on Risk

Risks are prioritized as a part of risk assessments and calculations The risks that will cost the most harm warrant the most resources to mitigate Security controls must be chosen and implemented in a systematic way The cost of the control must be less than the impact of the risk Risk-avoidance Including maintenance and monitoring The benefit of the control must be measurable or verifiable
Transference Mitigation
Deterrence
Acceptance
Detection vs. Prevention Controls

Detection controls watch for and issues alerts about possible attacks Prevention controls work to keep attacks from happening or take action to stop them once they start Examples: Intrusion detection systems vs. intrusion prevention systems Security camera vs. security guard

Intrusion Detection Systems vs. Intrusion Prevention Systems IDS Monitors network traffic and compares it to known attacks and network history Creates alerts when a possible attack or anomaly is detected Able to preform limited active controls IPS Does intrusion detection plus prevention Takes action in real time to stop attacks in progress

Security camera vs. security guard (have both for the most benefit)
Camera (Detection) Technical solution May deter some wrongdoing if cameras are visible Always running Records everything within range Footage can be replayed later Creates evidence for criminal cases Has no intelligence Less expensive Guard (Prevention) Non-technical solution Can proactively deter, prevent, and respond to issues Can have gaps in coverage Relies on memory Relies on memory Can collect evidence Flexible and can adapt to situations More expensive
Stationary with a limited field of view Able to move around
Hardening
Reducing the attack surface of a system or application Disabling unnecessary services Protecting management interfaces and applications Restrict access Change default passwords Encrypt remote connections Protecting passwords Disabling unnecessary accounts Keeping patches, updates, and hot-fixes up to date
Perform Routine Audits

Checking to make sure policies, procedures, and regulations are being followed Do on a routine schedule Often carried out by a third party
Plan Conduct Evaluate
Communicate Results Make Changes Document and Follow Up

User rights and permissions reviews Private audit Do users have the access and privileges that they should and no more? Who has administrative privileges?
Plan Conduct Evaluate Communicate Results Make Changes Document and Follow Up
Work with management to determine what the expected rights and permissions should be

Usage audit How are applications, systems, and resources being used? Often done after an incident
Plan Conduct Evaluate Communicate Results Make Changes Document and Follow Up
Log file audit Studying logs for trends and correlations

Making sure log files are not growing too large in size

Administrative audit Are all change management and documentation procedures being carried out? Escalation audit Are communication and procedures in place to deal with incidents and disasters? Regulatory compliance audit PCI HIPPA SOX
Plan Conduct Evaluate
Communicate Results Make Changes Document and Follow Up
Data Loss or Theft Prevention

Data loss policy A legal statement that gives an overview of how a company protects its data under normal circumstances Also includes a statement that the company is not responsible for data loss due to some situations Data loss procedures Secure data disposal DLP system Monitoring Information models Backup and high availability Encryption
Policies
Security Policies
How a company intends to secure its assets Includes expectations for employee behavior, physical access, technical security controls, digital certificate handling, data handling, and more Policy sub-types Standards Mandatory rules that must be followed Guidelines General rules and recommendations that may require judgment on how and when to follow Procedures Step-by-step methods for how standards are carried out
Privacy Policy
For consumers A legal statement of what personal information a company collects from customers and what, if any, of this info is shared with third parties For employees What information should not be shared outside the company A statement to employees about what a company can do with the stored data and transmissions that happen within its network Must comply with applicable laws and regulations Dictates how data is collected, stored, and transmitted
Acceptable Use Policy (AUP)

Outlines how employees can use company systems and resources Internet Email Software Telephones How and if personal software and devices are allowed Phones Tablets USB drives
Other Policies
Mandatory vacations Job rotation Separation of duties Least privilege Password policy Clean desk policy Due care Document disposal and destruction policy Incident response

Term Definition
Security Posture The overall approach a company takes to security Failsafe When a system or application fails, it does so in a secure way
When a system or application fails, it does so in an Failopen unsecure way leading to privilege escalation and bypassing of security controls Change A systematic approach to plan, approve, test, Management implement, and document change

Security controls that are designed to detect and alert Detection Controls you to possible security issues. Examples are IDS and security cameras
Prevention Controls Security Policy
Security controls that are designed to prevent security issues. Examples are IPS and security guards Standards, guidelines, and procedures that outline how a company secures its assets
States how customer information is collected and used Privacy Policy and if employee data and communications are subject to monitoring States how employees are allowed to use company Acceptable Use resources. It also lists rules for how or if personal Policy devices are allowed
What We Covered
Mitigation Strategies Security Posture Initial Baseline Configuration Continuous Security Monitoring Remediation Manual Bypassing of Electronic Controls Failsafe vs. Failopen Change Management Implement Security Controls Based on Risk Detection vs. Prevention Controls Hardening Perform Routine Audits User Rights and Permissions Reviews Data Loss or Theft Prevention
What We Covered
Policies Security Policies Privacy Policies Acceptable Use Policies Other Policies
Log Monitoring and Reporting

Log Monitoring and Reporting CompTIA Security+ Training
In This Lesson:
Reporting Alerts Alarms Trends Monitoring and Analyzing Logs Log Types Event Logs Audit Logs Security Logs Exam Objective: Access Logs 3.6 (Partial) Analyze and differentiate among types of Log Management mitigation and deterrent techniques
Reporting
Alerts Automated messages triggered by predetermined events Administrators set the alert triggers Low disk space Large number of failed login attempts Higher than normal CPU or memory usage Higher than normal network bandwidth use Patch/update failure Alert levels: green, yellow, or red Alarms A critical alert that needs immediate attention
Reporting
Trends Looking at events, alerts, and alarms over time can reveal many things Tendencies, underlying problems, equipment starting to fail, and more Graphs and reports make it easier to visualize trends False Positives Alerts that are not actual issues Reduce Tweaking metrics Looking for correlations
Monitoring and Analyzing Logs

Why Log? Keeps track of who, what, and when Accountability Intrusion detection Reconstruction after an incident Problematic trend detection Demonstrating compliance with policy or regulations Logs Are Created by Many Sources Routers, switches, firewalls, antimalware, IDS, authentication systems, and more
Monitoring and Analyzing Logs

Many Uses Machine health, network performance, user data, and more Security Incorrect login attempts Frequency of database access Number of active sessions Network traffic Automation and Consolidation Software Should Be Used Reporting Post-event analysis Real-time analysis
Log Types
Event logs Records system events Shutdowns, service starts, state changes, and more
Log Types
Event logs Records system events Shutdowns, service starts, state changes, and more Performance logs Records system performance CPU usage, memory usage, disk activity, and network usage
Log Types
Audit logs Records the activities of users and services Logins, object access, account changes, and configuration changes Holds users accountable Catches mistakes, reduces fraudulent activities, and tracks and logs network activity In accordance with the organization's security policies
Log Types
Security logs Logs from security devices, software, and services IDS/IPS, firewalls, antivirus software, authentication services Access logs Records access to resources Records physical access to buildings or secure areas
Logs Management
Generating, transferring, storing, analyzing, and disposing of logs Security of logs Contains info about your network and users Restrict access, encrypt, and hash (integrity) Protect your log files while at rest and in transit
Issues to Be Aware Of
Limited resources for log analysis and storage Lack of clear log analysis goals Incompatible or proprietary log formats
Inconsistent time stamps on logs
Logs Management
Storage and Backup Store logs separate from the devices you are monitoring Keep logs in a easy to access database for 60-90 days Ready for analysis, forensic investigations, and audits Log retention May be needed for regulatory compliance or legal reasons Logs can be compressed for log term storage Log Disposal Security destroy logs once the data retention period has ended

Alerts Error, warning, or information notifications Alarms Trends
The most severe alerts that need immediate attention Patterns of events that happen over time reveal trends that can point to underlying problems A reported security issue that once examined turns out to be a false alarm
False Positive
Reporting
What We Covered
Alerts Alarms Trends Monitoring and Analyzing Logs Log Types Event Logs Audit Logs Security Logs Access Logs Log Management
Business Continuity
Business Continuity CompTIA Security+ Training
In This Lesson:
Business Continuity vs. Disaster Recovery Business Continuity Planning (BCP) and Testing Business Impact Analysis IT Contingency Planning Removing Single Points of Failure Continuity of Operations Succession Planning
Exam Objective:
2.5 Compare and contrast aspects of business continuity
Business Continuity vs. Disaster Recovery

The continued operation of the organization Business Continuity
Disaster Recovery Recover from and rebuild the organization after a disaster has occurred
Business Continuity Planning (BCP) and Testing

Writing the policies and deciding on procedures for business continuity Identify the critical business functions (CBF) CBF are complex and interconnected Almost everything goes through IT Determine what threats are most likely to cause a disruption Create countermeasures that will minimize disruptions BCP involves Risk mitigation planning Business impact analysis Change management Recovery planning Testing Test your BCP before you need it!
Business Continuity Planning (BCP) and Testing

Business Impact Analysis
Maintenance
Develop Solutions
Document
Test
Implement and Train
Business Impact Analysis

Focuses on the impact of an event and recovering from that event Loss of asset or significant change to the business or market Not concerned with how the event was caused (threat and vulnerabilities) Steps 1. Define and prioritize what the critical business functions (CBF) are 2. Determine the impact of a disruption to a CBF 3. Calculate the amount of time that is acceptable for the disruption to last (recovery time objective) 4. Document the procedures for how to recover and what resources are needed for recovery
IT Contingency Planning
A part of the overall BCP that covers: Security threats System failure Disaster Implement preventative controls Remove single points of failure IT infrastructure, utilities, or facilities Implement redundancy and fault tolerance Use analysis calculations to decide which single points of failure to remove Document contingency strategies and procedures Perform and test backups
Continuity of Operations
Some refer to a continuity of operations plan (COOP) as the same as a BCP NIST refers to a COOP as a plan for how to restore essential functions at an alternative site Order of succession Order of functions to be brought back up Human resources management Budget
Succession Planning
Having individuals prepared to fulfill/replace key positions within the company Planned or unplanned A comprehensive succession plan funnels down the line Minimize disruption that a gap in leadership could cause What does that mean for IT? Digital certificate key management Account management

Analyzing, developing, implementing, training, testing, Business Continuity and maintaining the policies and processes that keep Planning critical business functions going day-to-day and minimizes the impact of disruptions Determines the most important critical business Business Impact functions, the impact of a disruption to those functions, Analysis and how to recover from the disruption
Single Point of A component of a system that, if fails, will cause the Failure entire system to fail
A process that is vital to the health of the business. If Critical Business this process were to sustain a long disruption the Functions (CBF) company would suffer great loss
Business Continuity vs. Disaster Recovery Business Continuity Planning (BCP) and Testing Business Impact Analysis IT Contingency Planning Removing Single Points of Failure Continuity of Operations Succession Planning
What We Covered
Disaster Recovery Planning

Disaster Recovery Planning CompTIA Security+ Training
In This Lesson:
Disaster Recovery Plan Service Level Agreement (SLA) Mean Time to Restore (MTTR) Mean Time Between Failures (MTBF) Recovery Time Objectives (RTO) Recovery Point Objectives (RPO) Utilities
In This Lesson:
Backup and Recovery Backup Types Backup Plans Backup Storage Options Recovering from Backups Backup and Recovery Considerations High Availability Redundancy Fault Tolerance RAID Load Balancing Clustering
Alternate/Backup Sites
Hot, Cold, and Warm Sites
Exam Objective:
2.7 Execute disaster recovery plans and procedures
Disaster Recovery Plan

Scope IT backup and recovery procedures People Locations
Develop, test, train, maintenance, and document

Who sees the plan?
Service Level Agreement (SLA)

Mean Time to Restore (MTTR) Also called mean time to repair The average time it takes to repair a given component or system Mean Time Between Failures (MTBF) Estimation of how often an outage will happen Recovery Time Objectives (RTO) The longest acceptable duration of downtime What is the benchmark for what is considered uptime? Recovery Point Objectives (RPO) How much data loss or other loss is acceptable? Measured in hours
Utilities
Power, phones, and internet connectivity can be lost in a disaster Single points of failure outside of the company's control Know the backup policy for your ISP
Disaster recovery plans can have provisions for utilities Back up generators
Backup and Recovery
Backup Types
Backup Type Full Incremental
(Differential Incremental)
Description Backs up all files Backs up only the files that have changed since last incremental backup Backs up the files that have changed since last full backup A copy of all data Taking an copy of the entire system at a point in time
Archive Bit Cleared? Yes Yes
Differential
(Cumulative Incremental)
No No N/A
Copy Snapshot/Image
Backup Plans
What to backup? Databases, email database, user files, etc. What method and frequency of backups? Full Archival Method Grandfather, Father, Son Method (GFS) Progressive Paradigm (Incremental Forever) How long to retain backups? Short-term Long-term Do not confuse backups with archives
Backup Plans
Grandfather, Father, Son Method
January February
2010
2009 2008 2007 2006 2005 2004 Grandfather
March April
Week 1 Week 2 Week 3 Week 4 Week 5 Son
May
June July August September October November December Father
Backup Storage Options

Backup Media Tape Disk Optical Online Location of Backups Secure backup media wherever it is Onsite: less expensive, easier, but is not protected against local disasters Offsite: more expensive, requires more overhead, but data is protected against local disasters Both would be ideal
Recovering from Backups

Practice the restoration process Depending on the backup type you can restore individual files, mailboxes, databases, whole systems, etc. Be sure your backups are usable Configuration auditing Error detection Keep old backup hardware

Backup vs. Backout Backup: Used to restore data due to data corruption, data loss, or hardware failure Backout: Used to restore back to a previous point A way to undo a change that has been made Updates, configuration changes, software installs, migrations, and firmware updates A good backout policy prepares for this with images, snapshots, or other backups

Examples Incremental Backups to Tapes
Sun Full Mon Inc 1 Tues Inc 2 Wed Inc 3 Thur Inc 4 Fri Inc 5 Sat Inc 6 Tapes Needed for Full Restore Full, Inc 1, Inc 2, Inc 3, Inc 4
Differential Backups to Tapes

Sun Full Mon Tues Wed Thur Fri Sat Tapes Needed for Full Restore Full, Diff 4 Diff 1 Diff 2 Diff 3 Diff 4 Diff 5 Diff 6
Backup and Recovery Considerations Backup Challenges

Growing amount of data Remote office locations 24 hour business Regulatory and legal requirements
Backup and Recovery Best Practices

Have onsite or online backups for fast recovery Keep copies of backups and archives offsite Have point-in-time versions in case of accidental changes or deletions Include error checking to make sure backups were created correctly Continually revisit the organization's backup needs as technology changes Do practice recoveries to test your backups
High Availability (HA)
Redundancy
Having duplicate systems, devices, or data paths to failover to when a failure occurs Redundant servers can be clustered or load balanced Can also have redundant hardware like firewalls and routers Redundant components and spare parts Ensure functionality continues Might not be automatic failover (high availability)
Fault Tolerance
The ability for a device or system to remain operational in the event of a component failure Might have reduced functionality or efficiency Redundant hardware components
Backup power or at least an uninterruptable power supply (UPS)

Im Ok!
RAID: Redundant Array of Independent Disks

Also called redundant array of inexpensive disks Using multiple disks to provide fault tolerance and improve performance
RAID Level 0 1 5 6 10 (1+0) Disk Striping Disk Mirroring Disk Striping with Distributed Parity Disk Striping with Dual Parity Mirrored Stripe Set Name Redundant? No Yes Yes Yes Yes
Load Balancing
Distributes computing workload across multiple machines If one redundant server goes down the load balancer will compensate (availability)
Clients
Switch
Load Balancer
Clustering
A team of servers running the same applications or services Monitors and load balances themselves with the use of a heartbeat connection
Shared Storage
Secondary Node
Primary Node
When the active node does not respond to the heartbeat the passive node takes over
More complex clustering has all nodes active at the same time
Redundant Servers Clients
Real Time Replication
Main Site
Hot Site
Main Site
Cold Site
Main Site
Warm Site

Mean Time to Restore The average time required to repair a failed (MTTR) component or device
Mean Time Between The predicted time between failures of a system Failures (MTBF) during operation
The maximum amount of time a process must be Recovery Time Objective restored in before causing an unacceptable impact (RTO) to business continuity
Recovery Point Objective How many hours of data can be lost or how far back (RPO) in time is acceptable to recover to
The policies and procedures for preparing for and Backout Plan carrying out a backout. A backout is rolling back a system to a specific point in time

High Availability The approach and system implementation that ensures a high level of continued operations (uptime). What is considered an acceptable amount of downtime is decided on a case by case basis The duplication of critical components, systems, or functions to increase reliability and uptime The ability of a system to continue operation, rather than failing completely, when a component fails
Redundancy Fault Tolerance
Redundant Array of Using different configurations of disk drives and Independent Disks their data distribution to improve performance and (RAID) fault tolerance

Term Definition
Clustering Hot Site Using a group of linked computers working together to improve performance and availability A remote location with redundant systems and data that is updated in real time
A remote location that has no data or systems but is Cold Site available as a contingency location to rebuild systems from backups A remote location that has some infrastructure Warm Site and/or data ready but does requires some time and human effort before systems are up and running
Disaster Recovery Plan Service Level Agreement (SLA)
What We Covered
Mean Time to Restore (MTTR) Mean Time Between Failures (MTBF) Recovery Time Objectives (RTO)
Utilities
Recovery Point Objectives (RPO)
What We Covered
Backup Types Backup Plans Backup Storage Options Recovering from Backups Backup and Recovery Considerations Backup and Recovery Redundancy Fault Tolerance RAID Load Balancing Clustering Alternate/Backup Sites High Availability
Hot, Cold, and Warm Sites
Incident Response
Incident Response CompTIA Security+ Training
In This Lesson:
Incident Response Plan Damage and Loss Control Chain of Custody First Responder Basic Forensic Procedures Order of Volatility (OOV) Record Time Offset Capture System Image Document Network Traffic and Logs Collect Relevant Backups
Capture Video Take Hashes Capture Screenshots Interview Witnesses Track Man Hours and Expense
Exam Objective:
2.3 Execute appropriate incident response procedures
Incident Response Plan

Incident Polices and procedures Response procedures Incident response team Resources available Forensic policies Evidence gathering procedures Communication
Urgency
High Med Low
Priority
Impact
High Med Low
1 2 3
2 3 4
3 4 5
Incident Response Plan
Debrief
Document Lessons Learned Make Improvements
Resolve/Recover
Carry Out Test
Investigate
Diagnose Categorize and Prioritize Escalate Create Recovery Plan
Identify and Report

Detection Confirmation Log
Damage and Loss Control

Minimizing loss due to an incident Know how many and which systems are affected by the incident Disconnect the affected systems from the network Keep critical business functions available
Forensics
Chain of Custody
Maintain the CIA of the evidence Imperative for using evidence in a court of law Document and label when, where, who, and how each piece of evidence was collected Seal in tamper evident bags with evidence tags on the outside Log when and who touches or transports any piece of evidence Store long term under lock and key
First Responder
What to do if you are the first person to uncover or respond to an incident Assess the situation and contain the incident Unplug the affected systems from the network * If allowed by incident respond policies Dont disturb the environment if evidence needs to be collected Think about the chain of custody Follow the escalation policy Who to notify What policies and procedures to follow Negate all the above restrictions if human life is in danger
Basic Forensic Procedures

Order of Volatility (OOV) Collect the shortest living evidence first Record Time Offset Note how much time the clock on each affected system is off from the real time Important for reconstructing an accurate timeline Capture System Images Make duplicates of the exploited system to gather information from Some forensic polices require the original to stay intact (best evidence rule)

Document Network Traffic and Logs Useful to reconstruct the attack Look for trends Collect Relevant Backups Secure any backups created for the affected systems during and before the incident took place Capture Video Record the state of the physical environment While carrying out forensic procedures

Take Hashes A way to know if a file or image has changed A 128 bit MD5 hash Capture Screenshots Using screen snagging applications of the duplicate image Use a digital camera if on the exploited system Interview Witnesses Ask and document (record interview if possible) Sooner rather than later

Track Man Hours and Expense Keep track of how much an incident coasted to investigate and resolve Document the time it takes for each step and the cost of all resources used Document everything and maintain the chain of custody

First Responder
When referring to an IT incident response the first person to discover or respond to an incident attempts to contain the incident and notifies the proper personnel
Detailed documentation about the gathering, Chain of Custody custody, transfer, analysis, and disposing of evidence When referring to an IT incident respond the Order of Volatility information that will disappear like RAM should be gathered before less volatile info
Incident Response Plan Damage and Loss Control Chain of Custody First Responder Basic Forensic Procedures
What We Covered
Order of Volatility (OOV) Record Time Offset Capture System Image Document Network Traffic and Logs Collect Relevant Backups
Capture Video Take Hashes Capture Screenshots Interview Witnesses Track Man Hours and Expense
User Education
User Education CompTIA Security+ Training
In This Lesson:
Security Policy Training and Procedures Compliance with Laws, Best Practices, and Standards Threat Awareness New Viruses Phishing Attacks Zero Day Exploits Regulatory Compliance Personally Identifiable Information Social Networking Peer to Peer (P2P) File Sharing
In This Lesson:
User Habits Password Behaviors Data Handling Clean Desk Policies Personally Owned Devices Information Classification
Data Labeling, Handling ,and Disposal
Exam Objective:
2.4 Explain the importance of security related awareness and training
Security Policy Training and Procedures

Compliance with laws, best practices, and standards Communication and awareness Communicate the importance and rationale for the policies Foster user acceptance and buy-in Get feedback on user experience and concerns Education and training Expectations for behavior Types: On-the-job, mandatory meetings, classroom, online, CBT
Threat Awareness
Keep informed of the latest threats Zero day exploits Communicate with users about current threat topics Monthly email SharePoint Topics include: Phishing attacks remind users to not click on links in emails or IMs Social engineering tactics New viruses and zero day exploits remind users to keep their home computers patched and up to date
Regulatory Compliance
HIPAA: Health Insurance Portability and Accountability Act Heath and insurance institutions must keep patients health information secured PCI DSS: Payment Card Industry Data Security Standard Designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment SOX: Sarbanes-Oxley Act Mandates strict reporting requirements and internal controls of financial information
Regulatory Compliance
GLBA: Gramm-Leach-Bliley Act Requires banks and financial institutions to communicate their privacy polices about disclosing customer information FERPA: Family Educational Rights and Privacy Act Says that student information can not be disclosed without the student's permission A student must be given access to their own records if requested
Personally Identifiable Information (PII)

Information that can be used to identify an individual Social Security number, birth date, address, biometric info Information linked to an individual Medical records, financial information, employee file What PII that is and is not protected can be found in the company's privacy policy
Personally Identifiable Information (PII)

Users must safeguard customer and employee PII against identity theft Educate users on Regulatory policies and procedures concerning PII Examples of PII breaches in the news The latest scams that target PII to be aware of
Social Networking
Users should not post sensitive company information on social networking sites Malware, XSRF, phishing, and other attacks are common on social networking sites Shortened URLs can lead anywhere
Peer to Peer (P2P) File Sharing

Ban and disable on company devices Train users on the dangers of personal use Why? Music or other file sharing sites are ripe with malware downloads Pirated software is not allowed on company assets An avenue for data breaches Accidently or by malicious insiders
User Habits
Password behaviors Dont use dictionary words or anything associated with the user Dont use the same password for multiple accounts Clean desk policies Employees are responsible for clearing their workspace of sensitive papers when they leave the office Have a clearly stated policy that users read and sign
User Habits
Data handling Encrypt data before emailing, putting on removable media, or using unsecured file transfer protocols Store files in the appropriate place on the network Take care that only authorized people see printouts and faxes Properly label and dispose of data Dont share credentials or ID badges with anyone Safe computing Connecting to wireless networks Being aware of spoofing and phishing Downloading files and attachments
User Habits
Personally owned devices The most secure method would be to not allow personal devices Proprietary data can be leaked Malware can be introduced If devices are allowed the acceptable use policy needs to clearly spell out rules and restrictions Extensive awareness training needs to be done Couple with data loss systems and other security controls
Information Classification
Sensitivity of data Different data is more sensitive that other data Hard vs. soft Use different classifications to label data sensitivity levels Government: Unclassified, Sensitive, Confidential, Secret, Top Secret Public, Internal, Confidential, Secret Data availability classifications Labels can also be created based on how imperative data is to critical business functions
Examples
Information Security Scheme

Public Viewable By Data Integrity Impact of Disclosure Impact of Loss Value to Competitor Everyone Desired Acceptable Acceptable Minimal Internal Select Employees Required Inconvenience Inconvenience Interesting Confidential Select Employees Required Damaging Damaging Significant Gain Secret Select Leadership Vital Catastrophic Catastrophic Significant Gain
Examples
Information Availability Scheme

Nice to Have Downtime Hours % Available 1 Week N/A 70% Important 2 Days 6 am 6 pm 85% Very Important 8 Hours 6 am 6 pm 95% Mission Critical 1 Hour 24h x 7d 99.99%
Data Labeling, Handling, and Disposal

Labeling Clearly label data media used for backup, archival, and transport Handling Have a clean desk policy and other hard data policies Users should not share their credentials Disposal Decommissioning devices What is data and information on the device worth? Physically destroy Deleting old data Secure wipe using a specialized utility Shred paper copies

Personally Identifiable Information that can be used to identify a person or Information (PII) be linked to a person A policy that states that employees must have their Clean Desk Policy workspace cleared of any sensitive company information before leaving the office
Peer to Peer (P2P) File Clients share media files through an interconnected Sharing network of nodes with no centralized server
What We Covered
Security Policy Training and Procedures Threat Awareness New Viruses Phishing Attacks Regulatory Compliance Personally Identifiable Information Social Networking Peer to Peer (P2P) File Sharing Zero Day Exploits Compliance with Laws, Best Practices, and Standards
What We Covered
User Habits Password Behaviors Data Handling Clean Desk Policies Information Classification Data Labeling, Handling, and Disposal Personally Owned Devices
Social Engineering
Social Engineering CompTIA Security+ Training
In This Lesson:
Social Engineering Overview Impersonation Tailgating Dumpster Diving Shoulder Surfing Phishing Vishing Spear Phishing Whaling Hoaxes Reverse Social Engineering
Exam Objective:
3.3 Analyze and differentiate among types of social engineering attacks
Social Engineering Overview

Manipulating people into performing actions or divulging information Varied techniques used by attackers Both technical and non-technical
Technical controls are useless if users can be convinced to bypass them for attackers
Social Engineering Overview

Why social engineering works Fear Laziness Desire to obtain free awards or money offered Wanting to be helpful Flattery or distraction Lack of awareness Awareness and education Policies and procedures Mandatory training Continued follow-up
Impersonation
On the phone Fellow employee or the boss Authority figure like a fire marshal Survey taker Customer Define what information should never be told over the phone In person Maintenance person Delivery person Train users to check credentials and verify that all outside people are allowed to enter. Escort non-employees while in the building
Tailgating Tailgating
Tailgating
A person follows someone past a security checkpoint without using their own credentials Also called piggybacking The term piggybacking sometimes accompanies consent while tailgating is done without consent Methods Confidently following the authorized person past the door after they have swiped in Blending in with a large crowd Having full hands so that someone will hold open the door Convincing an authorized person that the unauthorized person has forgotten or lost their ID Train employees to insist that every person authenticates
Dumpster Diving
Dumpster Diving
Someone looking through the trash or recycling to gain information Passwords Details an insider would know to use in future attacks Have a proper disposal policy Third-party disposal companies are available to securely throw away or recycle trash
Train users to follow the paper shredding and media/equipment disposal policy
Social Engineering Shoulder Surfing CompTIA Security+ Training
Shoulder Surfing
Directly observing unauthorized information Password Pin number Attacker must have physical access Eavesdropping Listening in on a conversation to gain information Snooping Looking through files and papers to gain information Looking under your keyboard or other obvious places for passwords
Train employees to be aware of their surroundings
Phishing
Trying to get personal information by pretending to be a trusted person, company, or website Often comes as email Reply to email with personal info Click on a link Call customer service representative on the phone Uses logos and color schemes to try to mimic the legitimate entity Tries to create a sense of urgency or fear Train users to never follow instructions in an email without verifying that it isn't a scam first
Phishing Example
Phishing
Sub-types of phishing
Spear Phishing
Using information specific to a person/company to make a phishing attempt seem more legitimate
Whaling Vishing
Phishing over VoIP
Spear phishing targeted at executives or people with access to especially sensitive information
>>>>>Hoaxes
Chain emails or social media that contain misinformation Wastes time and resources Lost productivity Email database space and backups Paper printouts Concerned and frightened users will notify IT staff Stay abreast of current hoaxes Use spam filters to filter hoax emails from getting to users Train users on how to check if a email is a hoax Snopes Antimalware vendors
Reverse Social Engineering

The attacker makes themselves interesting or available to the victim Most common example is offering help for a future problem The victim contacts the attacker and readily offers information The victim calls or emails the helper to ask for help to fix a problem Other social engineering methods or reconnaissance are done first to set up for the reverse attack Train users to verify that anyone that offers help does in fact work for the company

Social Engineering Impersonation Deceiving a person into revealing confidential information or performing a task In regards to social engineering, the attacker pretends to be someone who is authorized
A person follows an authorized person through a security Tailgating checkpoint (like a door with a scan card reader) without authenticating themselves Dumpster Diving Looking through trash for details about an organization

Term Definition
Shoulder Surfing Observing confidential information like a password being typed in
Misinformation that leads to wasting of time and Hoaxes resources. Normally comes in the form of emails or in social media The victim is lured into contacting the attacker resulting Reverse Social in a higher amount of trust for the attacker. This is Engineering normally done by offering help or gifts
Social Engineering Overview Impersonation Tailgating Dumpster Diving Shoulder Surfing Phishing Vishing Spear Phishing Whaling Hoaxes Reverse Social Engineering
What We Covered
Cryptography Concepts
Cryptography Concepts CompTIA Security+ Training
In This Lesson:
Cryptography Overview Symmetric vs. Asymmetric Encryption Digital Signatures Non-repudiation Encryption/Decryption Methods Block Cipher Stream Cipher Elliptic Curve Cryptography (ECC) Quantum Cryptography Cryptographic Hashing Transport Encryption Steganography Use of Proven Technologies
Exam Objective:
6.1 Summarize general cryptography concepts
Cryptography Overview
What is Cryptography? The science and study of hiding information Hiding information by converting plaintext into ciphertext (encryption) Then back from ciphertext to plaintext (decryption)
If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can
Key
ec40619a9ebccd6c e2b5ef1a256e03eb 697aaa34aad84ae9 d0fff1817e9a7bdda b3a5c8083dcf449bf 53b8f14c5f050065 76a223b26b36372 619e249509d1413 504fd67d878ee3e3 23cfdede6f2e41
Key
Plaintext
Encryption Algorithm
Ciphertext
Decryption Algorithm
If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can
Plaintext
Benefits of cryptography Confidentiality Protecting data in transit Protecting data at rest
Non-repudiation and authentication A message encrypted with your private key or signed with your digital signature had to come from you
Benefits of cryptography Access control With symmetric encryption only the secret key holder can decrypt the ciphertext With asymmetric encryption a digital certificate can be used for authentication and thus access control Integrity Message digests can be used to know if a message was tampered with during transit
How cryptography works A cipher and a key(s) An algorithm encrypts data by applying a key to plaintext Another algorithm decrypts data by applying a key to ciphertext Different ciphers/algorithms are stronger than others Longer keys make stronger encryption 40-bit key is not secure Classic ciphers Substitution ciphers Transposition ciphers
Substitution Cipher Example
Caesar Substitution Cipher
ROT6
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
Plaintext:
asparagus
Ciphertext: gyvgxgmay
Symmetric vs. Asymmetric Encryption

Symmetric Encryption The same secret key is used for encryption and decryption Key management is the biggest concern Getting the secret key securely to both parties Keeping the key a secret Generally faster than asymmetric encryption alone Strength is effected by Length of the key Number of iterations through the algorithm Vulnerable to brute force attacks
Symmetric vs. Asymmetric Encryption

Asymmetric Encryption A key pair is used: one key is used for encryption and the other for decryption Public key is publicly available Private key must be kept secret Either key can encrypt and either key can decrypt Encrypt with public decrypt with private Encrypt with private decrypt with public Messages encrypted with private cannot be decrypted with private Messages encrypted with public cannot be decrypted with public
Digital Signatures
Digitally sign data and messages Provides authenticity, non-repudiation, and integrity Confirms that the data or message you have received is from who it says it is from Confirms that the message was not altered during transit
Non-repudiation
Assuring that the author of a message can not later refute the fact that they sent that message Extra non-repudiation services can be built in to encryption and digital signatures Proof of origin Proof that the data has been received and received correctly Does not account for unauthorized physical access Sending a message from someone elses computer
Encryption/Decryption Methods
Block cipher Fixed length chunks of bits (blocks) are encrypted Blocks can be padded if the data is too short Result is the same sized blocks of ciphertext Use initialization vectors to avoid reusing symmetric keys A good block cipher does not allow someone to deduce the key from looking at the ciphertext
Secret Key
you can bear to hear the truth you've spoken Twisted by knaves to make a trap for fools, Or watch the
aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If
If you can dream and not make dreams your master; If you can think and not make thoughts your
03bab3582044 427ecc114c96 01acc97814c6 3096338f76e8 b290c8662c9f9 d7451270bd8b cfc2ace029a7f
429392221571 7bfc2f6c0fffab 1fb0e85a7826 d2a1d1bc19e8 18c420b9502e 59ace94bc5e3f c1f230ed90012
22945c54ec8b ad1f6e292c3c1 bbef4df8035ed 22e8a64be498 ad30302c741f7 9d56af4f70acf 90ccd80200eb
Block Cipher
Stream cipher Symmetric key A continuous stream of bits/bytes are encrypted one at a time Faster and uses less processing power than block ciphers Pseudorandom keyspace generators will repeat eventually The longer the period of time before a repeat the better
Secret Key
Stream Cipher
Elliptic curve cryptography (ECC) Asymmetric keys Has a compact mathematical design that allows stronger encryption with shorter keys Uses elliptical curves instead of integers as keys Used in many varied implementations including mobile devices
Quantum cryptography An emerging and expensive concept that is still being researched When we measure data we disturb the data When you inspect polarized photons you change their polarization Quantum cryptography allows us to tell if data was eavesdropped on during transit Polarize the photons in one direction for 0 and another direction for 1 One implementation is quantum key distribution
Cryptographic Hashing
Hashing algorithms create a unique numeric hash value that is a summary or digest of a message One way only You can not get plaintext from a hash Used for integrity: if data is modified then a different hash value will result Message digest (another name for the hash value) Digital signatures Message authentication codes (MAC) Used for password storage Allows passwords to be stored securely Check the hash of the entered password against the stored hash
A mathematical function that takes any sized blocks of data and returns fixed-sized bit streams
Digital Signatures and Hashing
#
Message Hash Function Hash
#
Encrypt with Senders Private Key Digital Signature Hash Function
Decrypt with Senders Public Key
Sent to Recipient Attach Signature to Message
#
Compare Hashes
Transport Encryption
Encryption is used to protect transmissions that pass over the public internet VPN IPSec Web browser / web server communication TLS/SSL HTTPS Data transfer and remote management SSH
Steganography
Hiding or embedding one message within another The main purpose is to not draw attention Text can be hidden in image, audio, or video files One method for image steganography involves using the last bit in the color code of each pixel to hide the message Can encrypt data before and/or after the message is hidden Sometimes called electronic watermarking when referring to labeling an image for anti-piracy purposes Steganography tools are readily available Often used for illicit activities like data theft
Use of Proven Technologies

Only use algorithms that, as of today, are considered strong Think about the tradeoff between security, speed, and ease of implementation Stay informed on cryptography news In the past widely used algorithms were broken New methods are being developed all the time Leverage strong encryption with good key management

Cryptography Cipher or Cypher Key
The science and study of the methods and procedures for encrypting and decryption data The pair of algorithms that encrypt and decrypt the data A string of bits used by a cryptographic algorithm during the encryption/decryption process
Plaintext The original unencrypted data or message Ciphertext or The data after it has been encrypted. Data is not Cyphertext useable in this form

Non-repudiation Symmetric Encryption Asymmetric Encryption Block Cipher Stream Cipher A method of assuring that the author of a message can not later refute the fact that they sent a message Encryption/decryption using a single shared secret key Encryption/decryption using a mathematically related key pair A symmetric encryption method that processes data in fixed-length blocks A symmetric encryption method that processes data one bit or byte at a time

Term Definition
An asymmetric encryption method that uses elliptical Elliptic Curve curves to achieve stronger and faster encryption with Cryptography shorter key lengths Quantum Cryptography An encryption method that uses physics instead of mathematics
Transport Encryption Encrypting data for protection during transit Hashing One way encoding that is used for data integrity Used to electronically sign a message so that the Digital Signature receiver can verify the senders identify and confirm that the message was not altered during transit
Cryptography Overview Symmetric vs. Asymmetric Encryption Digital Signatures Non-repudiation Encryption/Decryption Methods
What We Covered
Block Cipher Stream Cipher Elliptic Curve Cryptography (ECC) Quantum Cryptography Cryptographic Hashing Transport Encryption Steganography Use of Proven Technologies
Cryptography Tools
Cryptography Tools CompTIA Security+ Training
In This Lesson:
Symmetric Encryption DES 3DES AES RC4 Blowfish Twofish Asymmetric Encryption Diffie-Helman RSA ECC
In This Lesson:
Cryptographic Hashing SHA MD5 RIPEMD HMAC Transport Encryption SSL/TLS and HTTPS SSH IPSec
In This Lesson:
Wireless Encryption WEP vs. WPA/WPA2 Wi-Fi Authentication Other Encryption Tools PGP/GPG One-time Pads CHAP and PAP NTLM and NTLMv2 Whole Disk Encryption Comparative Strengths of Algorithms Data Confidentiality Algorithms Data Integrity Algorithms
Exam Objective:
6.2 Use and apply appropriate cryptographic tools and products
Symmetric Encryption
Block Size
64-bit
Key Length
64-bit
(8 bits of parity)
DES
Data Encryption Standard Used For Data confidentiality
How It Works Key is broken into 16 subkeys Each of the 16 rounds or Feistel cycles use a different subkey Each round has a substitution phase and a permutation (scrambling) phase
Block Size
64-bit
Key Length
64-bit
(8 bits of parity)
DES
Data Encryption Standard History One of the oldest encryption standards Selected to be the official U.S. encryption in 1979
Security Considerations Very vulnerable to brute force attacks Not secure by todays standards Can be cracked within a days time
Block Size
64-bit
Key Length
168-bit
3DES
Triple Data Encryption Standard Used For Data confidentiality How It Works Uses three rounds of DES Either three different keys or two alternating keys 3 times slower than DES History Created to increase the strength of DES Security Considerations Still in use but less secure than AES
Plaintext DES with Key 1
DES with Key 2

DES with Key 1
Ciphertext
Block Size
128-bit
Key Length
128-bit 192-bit 256-bit
AES
Advanced Encryption Standard Used For Data confidentiality WPA2 Can be used in low processing power implementations
How It Works The 128-bit block is broken into 4 parts Uses iterative rounds instead of Feistel rounds Number of rounds depends in the key size
Block Size
128-bit
Key Length
128-bit 192-bit 256-bit
AES
Advanced Encryption Standard History The Rijndael algorithm became the U.S standard for encryption in 2002
Security Considerations Considered strong by todays standards
Key Length
40 to 204-bit
RC4
Rivest Cipher 4 Used For Data confidentiality SSL and WEP How It Works Stream cipher
Key Length
40 to 204-bit
RC4
Rivest Cipher 4 History Developed by Ron Rivest in 1987 Ron Rivest has several different ciphers RC1-RC6 RC4 has been the most widely used stream cipher
Security Considerations Not in use much today Different implementations are more secure than others It all comes down to the key
Block Size
64-bit
Key Length
1 to 448-bit
Blowfish
Used For Multipurpose How It Works Fast block cipher Uses 16 Feistel rounds Very complex key schedule History Produced by Bruce Schneier Unpatented since its creation Security Considerations Fewer than 16 Feistel rounds are vulnerable to attack Considered strong if implemented correctly
Block Size
128-bit
Key Length
128 to 256-bit
Twofish
Used For Multipurpose How It Works Fast block cipher Uses 16 Feistel rounds Very complex key schedule History Also created by Bruce Schneier with help from other cryptographers Was in contention to become AES Security Considerations Fewer than 16 Feistel rounds are vulnerable to attack Considered strong if implemented correctly
Asymmetric Encryption
Key Length
Variable
Diffie-Hellman
Named for Whitfield Diffie and Martin Hellman Used For Key exchange Lets two (or more) parties that dont know each other to establish a jointly shared secret key How It Works Easy to compute but hard to reverse History The original public/private concept Security Considerations No authentication by itself
Key Length
1,024 to 4,096-bit
RSA
Named for Ron Rivest, Adi Shamir, and Leonard Adleman Used For Key exchange Data confidentiality and digital signatures How It Works Uses two large prime integers It is easy to find the product of the two primes but hard to find the primes from the product 100 times slower than DES History Published in the late 1970s Security Considerations Problems arise when using prime numbers that are too small
Key Length
Variable
ECC
Elliptic Curve Cryptography Used For Smaller less powerful devices like
How It Works An elliptic curve and one point of the curve is chosen and made public Multiplying the chosen point on the curve by a secret number will produce another point on the curve It is very difficult to find out what number was used
Key Length
Variable
ECC
Elliptic Curve Cryptography History A cryptography concept with many implementations Many companies have their own version of ECC
Security Considerations Still being studied but currently considered strong if parameters are chosen properly
Collisions
Example Collision for MD4
Input A
d131dd02c5e6eec4693d9a0698aff95c 55ad340609f4b30283e4888325f1415a d8823e3156348f5bae6dacd436c919c6 e99f33420f577ee8ce54b67080280d1e 2fcab50712467eab4004583eb8fb7f89 085125e8f7cdc99fd91dbd7280373c5b dd53e23487da03fd02396306d248cda0 c69821bcb6a8839396f965ab6ff72a70
Input B
d131dd02c5e6eec4693d9a0698aff95c 55ad340609f4b30283e488832571415a d8823e3156348f5bae6dacd436c919c6 e99f33420f577ee8ce54b67080a80d1e 2fcab58712467eab4004583eb8fb7f89 085125e8f7cdc99fd91dbdf280373c5b dd53e2b487da03fd02396306d248cda0 c69821bcb6a8839396f9652b6ff72a70
Same Hash Value

79054025255fb1a26e4bc422aef54eb4
Block Size
512-bit 1024-bit
Hash Length
256-bit 512-bit
SHA
Secure Hash Algorithm Used For Digital signatures
SHA-256 SHA-512
How It Works Breaks the message into words and groups the words into blocks before processing for 64 or 80 rounds SHA-2 is the current version that outputs a 256-bit hash length or longer The longer hash length version (SHA-512) accepts larger inputs and process larger block sizes
Block Size
512-bit
1024-bit
Hash Length
256-bit 512-bit
SHA
SHA-256 SHA-512
Secure Hash Algorithm History Designed and published by NSA and NIST SHA-1 used 160-bit hash and has been replaced with SHA-2 The SHA-3 algorithm has not been chosen from the finalists Security Considerations SHA-1 has been found to have collisions
Block Size
512-bit
Hash Length
128-bit
MD5
Message Digest 5 Used For Message digest
How It Works Breaks the message into 512-bit blocks with a mandatory 64-bits of padding Then breaks the blocks into 32-bit chunks Does 4 rounds of processing
Block Size
512-bit
Hash Length
128-bit
MD5
Message Digest 5 History Developed in 1991 Others in the series are MD2, MD4, and, MD6 MD5 is slightly slower but more secure than MD4 Security Considerations Collisions are possible and is not considered secure
Block Size
Variable
Hash Length
160-bit or 128-bit (unsecure)
RIPEMD
RACE Integrity Primitives Evaluation Message Digest Used For Message digest How It Works Three rounds of processing on block of variable sizes History RIPEMD is based on MD4 and RIPEMD-160 is based on MD5 Security Considerations The 128-bit version was found to have collisions Higher hash outputs than 160 are in use but are no stronger than the 160-bit version
HMAC
Hash-based Message Authentication Code Used For Message authentication codes Data integrity and authentication How It Works Use a hashing function with a secret key Can use MD5 or SHA Example: If SHA-256 is used the result is referred to as HMAC-SHA256
HMAC
Hash-based Message Authentication Code Security Considerations The strength of HMAC depends on the hashing function used and the length of the key The addition of the secret key makes HMAC stronger than the hashing function alone
SSL/TLS and HTTPS

Secure Sockets Layer / Transport Layer Security and Hypertext Transfer Protocol Secure Used For SSL/TLS allows HTTPS and other client/server applications to communicate securely across an unsecure network Offers protection from eavesdropping, tampering, and message forgery How It Works TLS uses a handshake for both parties to authenticate and agree on parameters including a symmetric key
SSL/TLS and HTTPS

Secure Sockets Layer and Transport Layer Encryption Security History SSL was created by Netscape TLS improved on and superseded SSL
Security Considerations Only as strong as the ciphers and hashing agreed upon by both sides
SSH
Secure Shell Used For Secure remote sessions, file transfers, tunneling, port forwarding, and more How It Works Uses a handshake to set up parameters and performs a key exchange Security Considerations Only as strong as the ciphers and hashing algorithms agreed upon by both sides
IPSec
Internet Protocol Security Authentication Header (AH) Digitally signs the packets for authentication and integrity Before a packet is sent hash is taken of the packet plus the shared secret key That hash is added to the header and the packet is sent
Original IP Header
AH
TCP
Payload
On the recipient's end the message payload and the secret key are hashed again
If the original hash and the new hash match we have authentication and integrity
IPSec
Internet Protocol Security Encapsulating Security Payload (ESP) Adds confidentiality and optionally integrity checking Adds a header, a trailer, and an integrity check value (ICV) Optional ICV works like the AH ESP Header includes properties for the packet like a sequence number ESP Trailer is for padding
Original IP Header
ESP Header
TCP
Payload
ESP Trailer
Authentication
ESP
Wireless Encryption
WEP vs. WPA/WPA2

WEP Algorithm Key Size RC4 64-bit or 128-bit WPA RC4 128-bit WPA2 AES 128 bit
Added Security Weakness Strength
None
TKIP
CCMP Denial of Service
Can be cracked in TKIP is vulnerable to a matter of hours spoofing
Cyclic redundancy check
Uses an IV and a 48-bit second key to produce initialization dynamic per-packet vector keys Message integrity check Yes No
Integrity Check
Backward N/A Compatible
Wi-Fi Authentication
Pre-shared Key (PSK) WPA-Personal Intended for personal or home networks A key must be configured on the client devices that matches the key on the access point All the clients share a key WEP: It is possible to derive the key from capturing packets WPA: Uses this key to generate the dynamic keys This method is still vulnerable especially if a weak passphrase is chosen as the pre-shared key
Wi-Fi Authentication
Enterprise Authentication WPA-Enterprise Uses 802.1x and a RADIUS or another authentication server to handle authentication
Other Encryption Tools
PGP/GPG
Pretty Good Privacy and GNU Privacy Guard Used For An encryption system most often used for email Data confidentiality, authentication, and digital signatures How It Works Uses several algorithms Both symmetric and asymmetric encryption Both ends of communication need a PGP/GPG client Creates a web of trust with certificates A certificate binds a key to its owner If you trust a person and their certificate you sign their cert You can trust the certs signed by the people you trust
PGP/GPG
Pretty Good Privacy and GNU Privacy Guard History PGP was introduced in the 1991 and is commercially available GPG was originally released in 1999 and does not use any restricted or patented algorithms by default Security Considerations Pretty good!
One-time Pads (OTP)

Used For Data confidentiality How It Works A shared secret key (pad) is used that is the same length as the message The key is a completely random string of text therefore the keyspace is infinite The characters in the key are added one by one to the message characters (numeric equivalents) The reverse is done for description
One-time Pads (OTP)

History An old concept that was described in the 1800s and patented in the early 1900s Used by the U.S. military as an early cryptography tool
Security Considerations Not vulnerable to brute force attacks
CHAP and PAP

Challenge-Handshake Authentication Protocol and Password Authentication Protocol Used For Authentication for PPP How PAP Works Usernames and passwords are sent in cleartext to be checked
CHAP and PAP

Challenge-Handshake Authentication Protocol and Password Authentication Protocol Used For Authentication for PPP How CHAP Works Uses a challenge response procedure to authenticate the client 1. The server sends a string of challenge text to the client 2. The client hashes the challenge string using a shared secret as a key and sends the result back to the server 3. The server compares the hash to a stored hash
CHAP and PAP

Challenge-Handshake Authentication Protocol and Password Authentication Protocol History CHAP was specified in RFC 1994 Microsoft has their own versions called MS-CHAP and MSCHAPv2 Security Considerations PAP has no encryption and is completely unsecure A weak password used as the secret key makes CHAP vulnerable to brute force and dictionary attacks Usernames and passwords may be stored in plaintext on the client or server side
NTLM and NTLMv2

NT LAN Manager and NT LAN Manager Version 2 Used For Windows authentication NTLM for early versions of Windows NT NTLMv2 after Windows NT SP4 How It Works Challenge response Uses MD4/MD5 hashing NTLMv2 takes additional steps for randomization and security
NTLM and NTLMv2

NT LAN Manager and NT LAN Manager Version 2 History A replacement for LANMAN Security Considerations NTLM is vulnerable to spoofing attacks Still in use for backward compatibility
Whole Disk Encryption

Used For Data confidentiality Protects an entire disk in the event a laptop or other mobile device is lost or stolen How It Works Uses a key to encrypt everything on the drive including the operating system Included on operating system, third party software, USB hardware, HSM, or built into some hard drives Some options require a TPM chip Security Considerations If you lose your key you lose your data Some enterprise systems have key recovery options
Comparative Strengths of Algorithms
Comparative Strength of Data Confidentiality Algorithms

Algorithm DES 3DES AES RC4 Blowfish Twofish One-time Pad Key Length 65-bit 168-bit 128-bit 192-bit 256-bit Variable 64-bit 128-bit Mode Block Block Block Stream Block Block Should I Use It?
K K
Message Length Block
Comparative Strength of Data Integrity Algorithms
Algorithm SHA-1 SHA-2 MD5 RIPEMD
Hash Length 160-bit 256-bit or more 128-bit Variable 80
Rounds
Should I Use It?
64 or 80 4 3 3 Dependent on hashing algorithm used
RIPEMD-160 160-bit HMAC Dependent on hashing algorithm used
What We Covered
Symmetric Encryption DES 3DES AES RC4 Blowfish Twofish
Diffie-Helman RSA ECC
Asymmetric Encryption
What We Covered
Cryptographic Hashing SHA MD5 RIPEMD HMAC
SSL/TLS and HTTPS SSH IPSec
What We Covered
Wireless Encryption WEP vs. WPA/WPA2 Wi-Fi Authentication Other Encryption Tools
Data Confidentiality Algorithms Data Integrity Algorithms
Comparative Strengths of Algorithms
PGP/GPG One-time Pads CHAP and PAP NTLM and NTLMv2 Whole Disk Encryption
Public Key Infrastructure (PKI) Concepts

Public Key Infrastructure (PKI) Concepts CompTIA Security+ Training
In This Lesson:
Public Key Infrastructure (PKI) Overview The Public and Private Key Pair Digital Certificates Certificate Authorities (CA) How PKI Works Registration Authorities (RA) Certificate Revocation Lists (CRL) Recovery Agent: What if a Key Gets Lost? Key Escrow
Exam Objective:
6.3 Explain the core concepts of public key infrastructure
Public Key Infrastructure (PKI) Overview

A two key (asymmetric) encryption system for communication A framework not a specific technology Universal infrastructure that can work across multiple systems and vendors Provides authentication and confidentiality Authentication: Confirms the owner of the keys using Digital Certificates Confidentiality: Encrypts data transmissions
The Public and Private Key Pair

You request Alices public key
Alice sends her public key
You use Alices public key to encrypt the message You send the encrypted message to Alice
Alice uses her private key to decrypt the message and read it
Public Key Infrastructure (PKI) Concepts CompTIA Security+ Training x.509 Certificate
Digital Certificates
Helps with authentication Associates a public key with an individual/company Issued by a Certificate Authority
Version Serial Number Algorithm ID Issuer Validity Not Before Not After Subject Subject Public Key Info Public Key Algorithm Subject Public Key Issuer Unique Identifier (optional) Subject Unique Identifier (optional) Extensions (optional) Certificate Signature Algorithm Certificate Signature
Certificate Authorities (CA)

Responsible for issuing, revoking, and distributing certificates Often a trusted third-party organization. Examples: DigiCert VeriSign
Companies or organizations can have an in-house CA

Stores the public key in a directory that is available to anyone that wants to verify your certificate
How PKI Works
CA
You encrypt your message using Alices verified public key contained within the certificate
You send the encrypted message to Alice Alice decrypts the message with her private key
Registration Authorities (RA)

The front end entity that you actually interact with You provide the RA with your information (and payment) Verifies identity documentation before confirming that the CA can issue the certificate Does not sign the certificate
CA
RA
Certificate Revocation Lists (CRL)

The CA publishes a list of certificates that can no longer be used Reasons a cert might be on the CRL Certificate Expiration Certificate Revocation (Permanent) Compromised private key Human Resources reasons Company changes names, physical address, DNS Any reason prior to expiration Certificate Suspended Will say Certification Hold as the reason for revocation Certificate owner/administrator can request the cert be revoked
Recovery Agent: What if a Key Gets Lost?

A live person! Has access to the key recovery server Normally used by in-house CA implementations Sometimes two different recovery agents are both needed to recover one key Key recovery information (KRI) Proof that the request is from an authorized recovery agent Name of key owner Time key was created Issuing CA server
Key Escrow
A copy (or copies) of your private key is kept in a key escrow agency or key archival system Sometimes there are multiple databases with only part of the private key is kept in each Used for law enforcement (with a warrant)

Term Definition
Public Key PKI is the framework for encryption that associates a Infrastructure public key with a verified person/system Public Key Private Key The part of the key pair that is available and distributed to the public The part of the key pair that is secret and used only by the key owner
Certificate CAs are responsible for issuing, revoking, and Authorities distributing digital certificates Digital A certificate that verifies whom the public key belongs Certificates to

Registration The RA verifies the prospective key owners identify and Authority sends it to the CA to issue a certificate Certificate A list of certificates that are no longer useable. The list Revocation Lists is frequently published Recovery Agent A person who is authorized to recover lost private keys Key Escrow Keeping secured copies of private keys for law enforcement purposes
What We Covered
Public Key Infrastructure (PKI) Overview The Public and Private Key Pair Digital Certificates Certificate Authorities (CA) How PKI Works Registration Authorities (RA) Certificate Revocation Lists (CRL) Recovery Agent: What if a Key Gets Lost? Key Escrow
xes nt
he k
PKI Implementation
PKI Implementation CompTIA Security+ Training
In This Lesson:
Publicly Trusted Certificate Authorities Internal Certificate Authorities Working with Registration Authorities Key Management Certificate Management Trust Models Hierarchical Bridge Mesh Hybrid
Exam Objective:
6.4 Implement PKI, certificate management, and associated components
Publicly Trusted Certificate Authorities

A trusted third party (TTP) issues and signs your digital certificate Web browsers already trust these TTP CAs Available commercially VeriSign, Go Daddy, DigiCert Best used for publicly facing websites A self signed cert will confuse and alarm customers Pros Publically trusted Very little management overhead Cons Expensive to purchase multiple certificates
Internal Certificate Authorities

Used for intranets and other internal uses Hard drive and file encryption Digitally signing documents Email Pros Lower cost Greater control Cons Intensive management overhead Configuring and troubleshooting support for the protocols, systems, and applications at your company What trust model to use and its scalability Interoperability with business partners
Internal Certificate Authorities

Server operating systems can be configured to provide PKI services Microsoft Stand-alone CAs vs. Enterprise CAs Stand-alone CAs do not need Active Directory directory services to function There can still be subordinate CAs Enterprise CAs rely on Active Directory for its directory services
Working with Registration Authorities

Great for verifying user credentials in person Local registration authorities (LRA) Useful for internal PKIs that have distributed locations
LRA
CA
New York Central Office
Chicago Branch Office
Key Management
Key generation and signing Centralized keys Created and stored by the CA Decentralized keys Created by the user and submitted to the CA to sign Key repository Public keys can be centrally located in a key repository
Key Management
Key recovery Key archiving Configure tools built in to your internal PKI to do this automatically Assign users to be recovery agents M of N control M number of employees out of N number of recovery agents need to be involved in key recovery
Certificate Management
Created and handled PKI certs in accordance with the organization's overall security policy Certificate policies Policies for certificate issuing, usage, renewal, and archiving
Security Policy
Certificate Policies
Certificate Practice Statement (CPS) The procedures that a CA will follow and expects its users to follow
Certificate Practice Statement
Certificate Management: Life Cycle
Destruction
Request or Renewal
Expiration or Revocation
Issuing
Use
Request or Renewal A request is sent to the RA or directly to the CA if a RA does not exist A renewal request is made prior to an existing certificates expiration The requesters identity is verified
Destruction
Request or Renewal
Issuing
Use
Issuing A key pair is generated The corresponding cert is created, signed, and sent to the requester
Destruction
Request or Renewal
Issuing
Use
Certificate Use The certificate is used by its owner until its expiration date If the private key is compromised the owner must notify the CA
Destruction
Request or Renewal
Issuing
Use
Expiration or Revocation The user must notify the CA/RA immediately if a private key was lost or compromised An expired or revoked certificate is placed on the CRL The CRL is published and the information is disseminated
Destruction
Request or Renewal
Issuing
Use
Destruction Permanently removing keys/cert that are no longer needed Only the private key needs to be deleted because the public key is useless without its private counterpart
Trust Models
Single CA A small PKI implementation with only one root CA Hierarchical A top down trust structure The higher CAs sign the certificate of their subordinate CAs Mesh Two way trust (cross certification) happens between all CAs Each CA is both the root and the subordinate Bridge A two way trust exists between two hierarchical PKIs Hybrid A mix of two or more of models for the most flexible structure
Hierarchical Trust Model

CA
Root CA
Intermediate CAs
CA CA CA
Subordinate CAs
Leaf CAs
RA CA CA CA
Mesh Trust Model
CA
CA
CA
Bridge Trust Model
Bridge CA

Local Registration A local authority used to identify an individual for Authority certificate issuance even if the CA is located elsewhere When referring to private key recovery: out of N total M of N Control recovery agents only M are needed to be present to recover a key
Certificate Policies
PKI certificate polies that align with the overall security policies for the organization. Incudes policies for certificate issuing, usage, renewal, and archiving certificates and keys
The procedures that a CA will follow and expects its Certificate Practice users to follow. These procedures are derived from the Statement PKI certificate policies

A top down trust model where each level of CAs sign Hierarchical Trust the certificate for the CAs directly below them except Model for the root CA which signs its own certificate Bridge Trust Model A bridge CA creates a cross-certification between two PKI trust structures
A cross-certification happens between pairs of CAs Mesh Trust Model creating a mesh structure. Every CA is both the root and the subordinate Hybrid Trust Model A combination of any two or more trust models
Publicly Trusted Certificate Authorities Internal Certificate Authorities Working with Registration Authorities Key Management Certificate Management Trust Models
What We Covered
Hierarchical Bridge Mesh Hybrid
Preparing for Your CompTIA Security+ SY0-301 Certification Exam

In This Lesson:
About the Exam Mapping Exam Objectives to This Course Studying for the Exam Test Day Tips
About the Exam

Exam code SY0-301 (replaced SY0-201) in December 2011 100 questions 90 minutes A passing score is 750 out of 900 points
Recommended experience: CompTIA Network+ certification Two years of technical networking experience, with an emphasis on security
Take the exam through Pearson VUE or Prometric
About the Exam

Accredited by International Organization for Standardization (ISO) American National Standards Institute (ANSI) Topic Domains Network security Compliance and operational security Threats and vulnerabilities Application, data, and host security Access control and identity management Cryptography
Mapping Exam Objectives to this Course

1.0 Network Security Course Lessons
1.1 Explain the security function and purpose of network devices and technologies 1.2 Apply and implement secure network administration principles 1.3 Distinguish and differentiate network design elements and compounds 1.4 Implement and use common protocols 1.5 Identify commonly used default network ports 1.6 Implement wireless networks in a secure manner
Network Device Security Secure Network Administration Secure Network Design TCP/IP Protocols and Port Security TCP/IP Protocols and Port Security Securing Wireless Networks

2.0 Compliance and Operational Security Course Lessons
2.1 Explain risk related concepts 2.2 Carry out appropriate risk mitigation strategies 2.3 Execute appropriate incident response procedures 2.4 Explain the importance of security related awareness and training 2.5 Compare and contrast aspects of business continuity 2.6 Explain the impact and proper use of environmental controls 2.7 Execute disaster recovery plans and procedures
Risk Mitigation and Deterrence Risk Management Risk Mitigation and Deterrence Incident Response User Education Business Continuity Physical and Environmental Security Disaster Recovery Planning
2.8 Exemplify the concepts of Introduction to IT Security confidentiality, integrity, and availability

3.0 Threats and Vulnerabilities Course Lessons
3.1 Analyze and differentiate among types of malware 3.2 Analyze and differentiate among types of attacks 3.3 Analyze and differentiate among types of social engineering attacks 3.4 Analyze and differentiate among types of wireless attacks
Malware Prevention and Cleanup Types of Attacks Social Engineering
Attacks on Wireless Networks

Securing Applications Secure Network Administration
3.5 Analyze and differentiate among types of application attacks

3.6 Analyze and differentiate among types of mitigation and deterrent techniques
Risk Mitigation and Deterrence Log Monitoring and Reporting Physical and Environmental Security

3.0 Threats and Vulnerabilities (cont.) Course Lessons
3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
Risk Management Threat and Vulnerability Assessment and Detection
3.8 Within the realm of vulnerability Risk Management assessments, explain the proper use of penetration testing versus vulnerability Threat and Vulnerability Assessment scanning and Detection
4.0 Application, Data, and Host Security Course Lessons
4.1 Explain the importance of application security 4.2 Carry out appropriate procedures to establish host security 4.3 Explain the importance of data security
Securing Applications Host Security Physical and Environmental Security Data Security

5.0 Access Control and Identity Management Course Lessons
5.1 Explain the function and purpose of authentication services 5.2 Explain the fundamental concepts and best practices related to authentication, authorization, and access control 5.3 Implement appropriate security controls when performing account management
Authentication Services Authentication Services Authentication, Authorization, and Access Control
User Account Management

6.0 Cryptography Course Lessons
6.1 Summarize general cryptography concepts 6.2 Use and apply appropriate cryptographic tools and products 6.3 Explain the core concepts of public key infrastructure 6.4 Implement PKI, certificate management, and associated components
Cryptography Concepts Cryptography Tools Public Key Infrastructure (PKI) Concepts PKI Implementation
Studying for the Exam

Rewatch lessons Transcender study materials Vocabulary document Acronym document
Test Day Tips

Arrive 15 - 30 min before the test is scheduled to begin You must bring two forms of identification One must be a current, government-issued photo ID Both must have your signature
Do not bring personal items into the testing center No notes, mobile phones, or calculators
Be prepared Study! Get a good night of sleep
Next Steps
Next Steps CompTIA Security+ Training
In This Lesson:
What We Have Covered in This Course My Favorite Supporting Resources Get Certified Continue Learning Join the Community We Value Your Opinion
What We Have Covered in This Course

Getting Started with CompTIA Security+ Training Introduction to IT Security Types of Attacks Malware Prevention and Cleanup Network Device Security Secure Network Administration Secure Network Design TCP/IP Protocols and Port Security

Attacks on Wireless Networks Securing Wireless Networks Host Security Securing Applications Data Security
Authentication, Authorization, and Access Control Physical and Environmental Security Authentication Services User Account Management

Risk Management Threat and Vulnerability Assessment and Detection Risk Mitigation and Deterrence Log Monitoring and Reporting Business Continuity Disaster Recovery Planning Incident Response User Education Social Engineering

Cryptography Concepts Cryptography Tools Public Key Infrastructure (PKI) Concepts PKI Implementation Preparing for your CompTIA Security + SY0-301 Certification Exam Next Steps
My Favorite Supporting Resources

Information About the Exam: http://certification.comptia.org/getCertified/certifications/security .aspx My Favorite Security+ Book: Dulaney, Emmett A. CompTIA Security+ Deluxe Study Guide: Exam SY0-301. Indianapolis: Wiley Technology Pub., 2011. National Institute of Standards and Technology Information Technology Portal: http://www.nist.gov/information-technology-portal.cfm
Get Certified
Aligned with This course CompTIA Security+ exam number SY0-301 Watch the lesson titled, Preparing for Your CompTIA Security+ SY0-301 Certification Exam Watch the Transcender lessons Entry Level Networking CompTIA Network+ Advanced Security Certifications CASP: CompTIA Advanced Security Practitioner CompTIA CISSP: Certified Information Systems Security Professional ISC2 Specific Security Specialization Certifications
Continue Learning: Specialized Certifications

Topic Acronym GSNA Auditing Techniques CISA Penetration Testing CEH Certification Name GIAC Systems and Network Auditor Certified Information Systems Auditor Certified Ethical Hacker Certified By GIAC ISACA ECCouncil
Wireless Security
Computer Forensics
CWSP
CHFI CSSLP GSSP
Certified Wireless Security Professional

Computer Hacking Forensic Investigator Certified Secure Software Lifecycle Professional GIAC Secure Software Programmer
CWNP
ECCouncil ISC2 GIAC
Secure Coding Practices
Continue Learning
Topics for Further Study Windows or other OS specific security Application security Auditing techniques
Penetration testing
Wireless security Computer forensics Mobile device security
Continue Learning
Blogs/Newsletters Schneier on Security: www.schneier.com Magazines Search Security: searchsecurity.techtarget.com SC MAGAZINE: www.scmagazineus.com Podcasts Network Security Podcast: netsecpodcast.com CyberSpeak's Podcast: cyberspeak.libsyn.com
Join the Community

Professional Organizations Information Systems Security Association (ISSA) www.issa.org/ Information Systems Audit and Control Association (ISACA) www.isaca.org/ Information Security Forum www.securityforum.org/ Connect with other IT security pros, organizations, and vendors through social media Forums Twitter
We Value Your Opinion

There are so many ways to reach us! Call us at 1-888-229-5055 (worldwide: 1-847-776-8800) Email us at feedback@trainsignal.com Post on our forums at http://forums.trainsignal.com/ Join the TrainSignal Conversation
Check Out Our Blog
http://www.trainsignal.com/blog http://www.facebook.com/trainsignal http://twitter.com/trainsignal http://twitter.com/Lisa_Spooner http://www.trainsignal.com http://www.youtube.com/trainsignalinc
Become a Fan on Facebook
Follow Us on Twitter
Follow Me on Twitter Find Info on IT Training
View Our YouTube Channels

Security+ Slides

Uploaded by

Copyright:

Available Formats

Security+ Slides

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security+ Slides

Uploaded by

Copyright:

Available Formats

CompTIA Security+ Training

Getting Started with CompTIA Security+ Training

Getting Started with CompTIA Security+ Training CompTIA Security+ Training

Getting Started with CompTIA Security+ Training CompTIA Security+ Training

About Your Instructor

Getting Started with CompTIA Security+ Training CompTIA Security+ Training

About This Course

Getting Started with CompTIA Security+ Training CompTIA Security+ Training

About This Course

About This Course

About This Course

About This Course

About This Course

Introduction to IT Security CompTIA Security+ Training

Introduction to IT Security CompTIA Security+ Training

Introduction to IT Security CompTIA Security+ Training

Key Terms You Should Know Term Definition

Introduction to IT Security CompTIA Security+ Training

Key Terms You Should Know Term Definition

The Information Security Triad CIA

Data And Services

The Information Security Triad CIA

Protects data and communications from being seen by unauthorized people

The Information Security Triad CIA

Data should not be able to be modified without being detected

The Information Security Triad CIA

What good is a service if its not up and running?

The AAA Protocol

The AAA Protocol

The AAA Protocol

Introduction to IT Security CompTIA Security+ Training

CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Attacks on Data in Transit

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Denial of Service (DoS)

Mitigation (just a little)

Intrusion Prevention System (IPS)

Types of Attacks CompTIA Security+ Training

Denial of Service (DoS)

TCP SYN Flooding Open too many TCP sessions to handle

Types of Attacks CompTIA Security+ Training

Distributed Denial of Service (DDoS)

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Spoofed Ping Requests

ICMP Ping Replies

Types of Attacks CompTIA Security+ Training

Scanners and Sniffers

Attacks Via Email and Other Communications

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training

Types of Attacks CompTIA Security+ Training