EVALUATION COPY Web Security Associate Student Guide Web Security Series CCL02-CAWSAA-PR-1012 • version 1.0 • rd011111

President/Chief Certification Architect: James Stanger, Ph.D.
Vice President, Operations: Todd Hopkins
Senior Content Developer: Kenneth A. Kozakis
Managing Editor: Susan M. Lane
Editor: Sarah Skodak
Project Manager/Publisher: Tina Strong
Customer Service: Certification Partners, LLC, 1230 W. Washington St., Ste. 111, Tempe, AZ 85281, (602) 275-7700

Copyright © 2011, All rights reserved.

Web Security Associate Developers: Timothy Crothers, James Stanger, Ph.D., Irina Heer and Kenneth A. Kozakis
Contributor: Stephen Schneiter
Editor: Susan M. Lane
Project Manager/Publisher: Tina Strong

Trademarks
Certification Partners is a trademark of Certification Partners, LLC. All product names and services identified throughout this book are trademarks or registered trademarks of their respective companies. They are used throughout this book in editorial fashion only. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with the book. Copyrights of any screen captures in this book are the property of the software's manufacturer.

Disclaimer
Certification Partners, LLC, makes a genuine attempt to ensure the accuracy and quality of the content described herein; however, Certification Partners makes no warranty, express or implied, with respect to the quality, reliability, accuracy, or freedom from error of this document or the products it describes. Certification Partners makes no representation or warranty with respect to the contents hereof and specifically disclaims any implied warranties of fitness for any particular purpose. Certification Partners disclaims all liability for any direct, indirect, incidental or consequential, special or exemplary damages resulting from the use of the information in this document or from the use of any products described in this document. Mention of any product or organization does not constitute an endorsement by Certification Partners of that product or corporation. Data used in examples and labs is intended to be fictional even if actual data is used or accessed. Any resemblance to, or use of real persons or organizations should be treated as entirely coincidental. Certification Partners makes every effort to ensure the accuracy of URLs referenced in all its material, but cannot guarantee that all URLs will be available throughout the life of a course. When this course was published, all URLs were checked for accuracy and completeness. However, due to the ever-changing nature of the Internet, some URLs may no longer be available or may have been redirected.

Copyright Information
This training manual is copyrighted and all rights are reserved by Certification Partners, LLC. No part of this publication may be reproduced, transmitted, stored in a retrieval system, modified, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise without written permission of Certification Partners, 1230 W. Washington Street, Suite 111, Tempe, AZ 85281.

Copyright © 2011 by Certification Partners, LLC

All Rights Reserved

ISBN: 0-7423-2791-4

© 2011 Certification Partners, LLC — All Rights Reserved. Version 1.0

Table of Contents

Course Description .......... xiii
Courseware .......... xiv
Course Objectives .......... xvii
Classroom Setup .......... xvii
System Requirements .......... xvii
Conventions and Graphics Used in This Book .......... xxi

Lesson 1: What Is Security? .......... 1-1
  Pre-Assessment Questions .......... 1-2
  Network Security Background .......... 1-3
  What Is Security? .......... 1-4
  Hacker Statistics .......... 1-6
  The Myth of 100-Percent Security .......... 1-7
  Attributes of an Effective Security Matrix .......... 1-8
  What You Are Trying to Protect .......... 1-8
  Who Is the Threat? .......... 1-10
  Security Standards .......... 1-12
  Case Study .......... 1-16
  Lesson 1 Review .......... 1-18

Lesson 2: Elements of Security .......... 2-1
  Pre-Assessment Questions .......... 2-2
  Security Elements and Mechanisms .......... 2-3
  The Security Policy .......... 2-3
  Determining Backups .......... 2-9
  Encryption .......... 2-9
  Authentication .......... 2-12
  Specific Authentication Techniques .......... 2-17
  Access Control .......... 2-19
  Auditing .......... 2-28
  Security Tradeoffs and Drawbacks .......... 2-29
  Case Study .......... 2-30
  Lesson 2 Review .......... 2-32

Lesson 3: Applied Encryption .......... 3-1
  Pre-Assessment Questions .......... 3-2
  Reasons to Use Encryption .......... 3-3
  Creating Trust Relationships .......... 3-3
  Symmetric-Key Encryption .......... 3-4
  Symmetric Algorithms .......... 3-5
  Asymmetric-Key Encryption .......... 3-11
  One-Way (Hash) Encryption .......... 3-12
  Applied Encryption Processes .......... 3-15
  Encryption Review .......... 3-31
  Case Study .......... 3-32
  Lesson 3 Review .......... 3-36

Lesson 4: Types of Attacks .......... 4-1
  Pre-Assessment Questions .......... 4-2
  Network Attack Categories .......... 4-3
  Brute-Force and Dictionary Attacks .......... 4-4
  System Bugs and Back Doors .......... 4-7
  Malware (Malicious Software) .......... 4-8
  Social Engineering Attacks .......... 4-17
  Denial-of-Service (DOS) Attacks .......... 4-21
  Distributed Denial-of-Service (DDOS) Attacks .......... 4-24
  Spoofing Attacks .......... 4-31
  Scanning Attacks .......... 4-32
  Man-in-the-Middle Attacks .......... 4-38
  Bots and Botnets .......... 4-43

  SQL Injection .......... 4-44
  Auditing .......... 4-45
  Case Study .......... 4-47
  Lesson 4 Review .......... 4-50

Lesson 5: Recent Networking Vulnerability Considerations .......... 5-1
  Pre-Assessment Questions .......... 5-2
  Networking Vulnerability Considerations .......... 5-3
  Wireless Network Technologies and Security .......... 5-3
  IEEE 802.11 Wireless Standards .......... 5-4
  Wireless Networking Modes .......... 5-6
  Wireless Application Protocol (WAP) .......... 5-9
  Wireless Network Security Problems .......... 5-10
  Wireless Network Security Solutions .......... 5-10
  Site Surveys .......... 5-15
  Convergence Networking and Security .......... 5-23
  Web 2.0 Technologies .......... 5-26
  Greynet Applications .......... 5-31
  Vulnerabilities with Data at Rest .......... 5-32
  Security Threats from Trusted Users .......... 5-33
  Anonymous Downloads and Indiscriminate Link-Clicking .......... 5-34
  Case Study .......... 5-36
  Lesson 5 Review .......... 5-38

Lesson 6: General Security Principles .......... 6-1
  Pre-Assessment Questions .......... 6-2
  Common Security Principles .......... 6-3
  Be Paranoid .......... 6-3
  You Must Have a Security Policy .......... 6-4
  No System or Technique Stands Alone .......... 6-4
  Minimize the Damage .......... 6-5
  Deploy Companywide Enforcement .......... 6-5
  Provide Training .......... 6-5
  Use an Integrated Security Strategy .......... 6-6
  Place Equipment According to Needs .......... 6-7
  Identify Security Business Issues .......... 6-7
  Consider Physical Security .......... 6-8
  Case Study .......... 6-16
  Lesson 6 Review .......... 6-18

Lesson 7: Protocol Layers and Security .......... 7-1
  Pre-Assessment Questions .......... 7-2
  TCP/IP Security Introduction .......... 7-3
  OSI Reference Model Review .......... 7-3
  Data Encapsulation .......... 7-5
  The TCP/IP Stack and the OSI Reference Model .......... 7-6
  Link/Network Access Layer .......... 7-7
  Network/Internet Layer .......... 7-8
  Transport Layer .......... 7-10
  Application Layer .......... 7-14
  Protocol Analyzers .......... 7-23
  Case Study .......... 7-24
  Lesson 7 Review .......... 7-26

Lesson 8: Securing Resources .......... 8-1
  Pre-Assessment Questions .......... 8-2
  TCP/IP Security Vulnerabilities .......... 8-3
  Implementing Security .......... 8-4
  Resources and Services .......... 8-5
  Protecting TCP/IP Services .......... 8-6
  Simple Mail Transfer Protocol (SMTP) .......... 8-12
  Physical Security .......... 8-15
  Testing Systems .......... 8-19

  Security Testing Software .......... 8-19
  Security and Repetition .......... 8-21
  Case Study .......... 8-21
  Lesson 8 Review .......... 8-24

Lesson 9: Firewalls and Virtual Private Networks .......... 9-1
  Pre-Assessment Questions .......... 9-2
  Access Control Overview .......... 9-3
  Definition and Description of a Firewall .......... 9-3
  The Role of a Firewall .......... 9-3
  Firewall Terminology .......... 9-4
  Firewall Configuration Defaults .......... 9-10
  Creating Packet Filter Rules .......... 9-11
  Packet Filter Advantages and Disadvantages .......... 9-13
  Configuring Proxy Servers .......... 9-22
  URL Filtering .......... 9-29
  Remote Access and Virtual Private Networks (VPNs) .......... 9-30
  Public Key Infrastructure (PKI) .......... 9-34
  Case Study .......... 9-36
  Lesson 9 Review .......... 9-40

Lesson 10: Levels of Firewall Protection .......... 10-1
  Pre-Assessment Questions .......... 10-2
  Designing a Firewall .......... 10-3
  Types of Bastion Hosts .......... 10-4
  Hardware Issues .......... 10-5
  Common Firewall Designs .......... 10-7
  Putting It All Together .......... 10-11
  Case Study .......... 10-17
  Lesson 10 Review .......... 10-19

Lesson 11: Detecting and Distracting Hackers .......... 11-1
  Pre-Assessment Questions .......... 11-2
  Proactive Detection .......... 11-3
  Distracting the Hacker .......... 11-4
  Deterring the Hacker .......... 11-10
  Case Study .......... 11-12
  Lesson 11 Review .......... 11-14

Lesson 12: Incident Response .......... 12-1
  Pre-Assessment Questions .......... 12-2
  Creating an Incident Response Policy .......... 12-3
  Determining If an Attack Has Occurred .......... 12-4
  Executing the Response Plan .......... 12-5
  Analyzing and Learning .......... 12-8
  Case Study .......... 12-9
  Lesson 12 Review .......... 12-12

Appendixes .......... Appendixes-1
Glossary .......... Glossary-1
Index .......... Index-1
Supplemental Files Contents .......... Supplemental Files Contents-1

List of Labs

Lab 1-1: Causing a NetBus trojan infection .......... 1-4
Lab 2-1: Viewing and modifying default access control settings in Windows Server 2003 .......... 2-21
Lab 2-2: Viewing the effects of hostile JavaScript in Mozilla Firefox .......... 2-24
Lab 2-3: Configuring execution control lists in Windows Server 2003 .......... 2-25
Lab 2-4: Creating an execution control list for the su command in Linux .......... 2-27
Lab 3-1: Using symmetric encryption algorithms .......... 3-9

Lab 3-2: Installing GPG4win 1.1.3 on Windows Server 2003 ...............................................................3-19 Lab 3-3: Generating a key pair using GPG4win ...................................................................................3-20 Lab 3-4: Exporting and signing public keys using GPG4win................................................................3-23 Lab 3-5: Exchanging encrypted messages using GPG4win ..................................................................3-26 Lab 3-6: Encrypting files with GPG4win..............................................................................................3-28 Lab 4-1: Using John the Ripper in Windows Server 2003 ......................................................................4-5 Lab 4-2: Conducting a virus scan in Windows to help thwart attacks ..................................................4-16 Lab 4-3: Sending fake e-mail messages ...............................................................................................4-19 Lab 4-4: Analyzing a SYN flood in a packet sniffer...............................................................................4-27 Lab 4-5: Identifying network-based attacks.........................................................................................4-31 Lab 4-6: Using Nmap to scan a system in Windows Server 2003 .........................................................4-35 Lab 4-7: Conducting a man-in-the-middle attack ................................................................................4-42 Lab 5-1: Installing a war-driving application and analyzing a site survey capture ................................5-19 Lab 5-2: Analyzing traffic captured from site survey software ..............................................................5-22 Lab 6-1: Conducting a physical attack against a Windows 2003 server ...............................................6-10 Lab 8-1: Securing an Apache2 Web server 
............................................................................................8-8 Lab 8-2: Securing the FTP service .......................................................................................................8-10 Lab 9-1: Installing WinRoute Firewall in Windows Server 2003 ...........................................................9-14 Lab 9-2: Configuring packet filtering rules ..........................................................................................9-15 Lab 9-3: Configuring a proxy server in Windows Server 2003 ..............................................................9-25 Lab 10-1: Creating an internal network with WinRoute Firewall (instructor-led) ................................. 10-12 Lab 10-2: Denying HTTP access (instructor-led) ................................................................................. 10-14 Lab 10-3: Configuring an FTP packet-filtering rule for a specific host (instructor-led).......................... 10-16 Lab 11-1: Setting a logon tripwire script in Windows Server 2003 .......................................................11-6 Lab 11-2: Using Tripwire for Linux......................................................................................................11-8 Lab 12-1: Subscribing to security mailing lists....................................................................................12-7

List of Figures

Figure i-1: Classroom configuration ... xx
Figure 1-1: NetBus client interface ... 1-5
Figure 1-2: Client connected to loopback address ... 1-5
Figure 1-3: Remote File Manager dialog box ... 1-6
Figure 2-1: Elements of effective security ... 2-3
Figure 2-2: Policy and technology ... 2-6
Figure 2-3: American Express ExpressPay Web site ... 2-14
Figure 2-4: Microsoft Fingerprint Reader Web page ... 2-16
Figure 2-5: Properties dialog box — General tab ... 2-21
Figure 2-6: Properties dialog box — Security tab ... 2-22
Figure 2-7: Permissions dialog box for Lessons folder ... 2-22
Figure 2-8: Lockup.html alert screen ... 2-24
Figure 2-9: Viewing Microsoft Management Console settings ... 2-26
Figure 3-1: Symmetric or single-key encryption ... 3-4
Figure 3-2: RSA Home Page ... 3-6
Figure 3-3: AxCrypt dialog box — Create passphrase ... 3-9
Figure 3-4: AxCrypt dialog box — Enter passphrase ... 3-10
Figure 3-5: Encrypting information into ciphertext, using public key ... 3-11
Figure 3-6: Asymmetric-key encryption ... 3-17
Figure 3-7: Asymmetric-key decryption ... 3-17
Figure 3-8: PGP Corporation Web site ... 3-18
Figure 3-9: Gpg4win Welcome screen ... 3-20
Figure 3-10: GNU Privacy Assistant – Keyring Editor window ... 3-21
Figure 3-11: New key pair ... 3-22
Figure 3-12: Key pair details ... 3-22
Figure 3-13: Export Public Keys To File dialog box ... 3-23
Figure 3-14: Public key in Notepad ... 3-24
Figure 3-15: GPA window — Viewing imported key ... 3-25
Figure 3-16: Encryption dialog box ... 3-26
Figure 3-17: Message window with encrypted text ... 3-27
Figure 3-18: Jetico Web site ... 3-29
Figure 3-19: Asymmetrically encrypted information passed through network ... 3-30

© 2011 Certification Partners, LLC — All Rights Reserved. Version 1.0

Figure 3-20: Viewing data recovery agent for Windows Server 2003 system ... 3-34
Figure 4-1: Using John the Ripper in brute-force mode ... 4-6
Figure 4-2: Selecting folder to be scanned ... 4-17
Figure 4-3: Smurf attack ... 4-25
Figure 4-4: Inspecting SYN flood packets using Wireshark ... 4-28
Figure 4-5: Add Counters dialog box ... 4-29
Figure 4-6: Viewing Performance snap-in during SYN flood ... 4-30
Figure 4-7: Using Nmap to scan Windows system ... 4-34
Figure 4-8: Examining spoofed packet — Internet Protocol ... 4-37
Figure 4-9: Ettercap capturing dictionary attack on switched network ... 4-39
Figure 5-1: Ad-hoc vs. infrastructure mode ... 5-6
Figure 5-2: Configuration interface for common wireless AP ... 5-8
Figure 5-3: Creating MAC address filter ... 5-11
Figure 5-4: Kismet, showing SSIDs obtained from war driving ... 5-17
Figure 5-5: War driving using AirSnort ... 5-17
Figure 5-6: Network Stumbler ... 5-18
Figure 5-7: Network Stumbler window ... 5-19
Figure 5-8: Viewing Network Stumbler capture file ... 5-20
Figure 5-9: Network Stumbler showing traffic decrypted from channel ... 5-21
Figure 5-10: Viewing network clients attached to wireless APs in Network Stumbler ... 5-21
Figure 5-11: Using Wireshark to view WEP traffic captured and decrypted by Kismet ... 5-23
Figure 5-12: Google Maps home page ... 5-27
Figure 5-13: Wikipedia home page ... 5-28
Figure 5-14: RSS feed ... 5-29
Figure 6-1: Booting from the NT Password And Registry Editor CD ... 6-11
Figure 6-2: Specifying the Windows partition ... 6-11
Figure 6-3: Registry files ... 6-12
Figure 6-4: Options for loaded hives ... 6-12
Figure 6-5: Editing a user account ... 6-14
Figure 6-6: Edit complete ... 6-14
Figure 7-1: OSI model layers ... 7-4
Figure 7-2: Headers added at each level of the OSI/RM ... 7-5
Figure 7-3: OSI model and TCP/IP stack ... 7-6
Figure 7-4: IPv4 header ... 7-8
Figure 7-5: Establishing TCP connection ... 7-11
Figure 7-6: Terminating TCP connection ... 7-12
Figure 7-7: XAMPP Control Panel Application ... 7-20
Figure 7-8: Using a browser FTP client ... 7-21
Figure 7-9: Connecting using an FTP client ... 7-22
Figure 7-10: TCP/IP Filtering dialog box ... 7-22
Figure 8-1: XAMPP splash screen ... 8-9
Figure 8-2: XAMPP Control Panel Application showing running services ... 8-11
Figure 8-3: Users dialog box with new home directory ... 8-11
Figure 8-4: Viewing permissions for C:\webfiles directory ... 8-22
Figure 8-5: Viewing custom permissions for C:\webfiles directory ... 8-22
Figure 8-6: Viewing object permission entries for C:\webfiles directory ... 8-23
Figure 9-1: Implementing NAT in network ... 9-8
Figure 9-2: New Connection dialog box ... 9-15
Figure 9-3: WinRoute Firewall Configuration window ... 9-16
Figure 9-4: WinRoute Firewall Interfaces window ... 9-16
Figure 9-5: WinRoute Firewall Traffic Policy window ... 9-17
Figure 9-6: Editing new rule ... 9-17
Figure 9-7: New rule defined ... 9-18
Figure 9-8: Proxy server configuration ... 9-23
Figure 9-9: Proxy server settings ... 9-26
Figure 9-10: URL Rule dialog box ... 9-27
Figure 9-11: Access denied message ... 9-27
Figure 9-12: Add User dialog box ... 9-28
Figure 9-13: Login Page dialog box ... 9-29
Figure 9-14: Understanding VPN connection ... 9-31
Figure 10-1: Triple-homed bastion host ... 10-5


Figure 10-2: Screening router configuration ... 10-8
Figure 10-3: Single-homed bastion configuration ... 10-9
Figure 10-4: Dual-homed bastion configuration ... 10-10
Figure 10-5: Screened subnet firewall configuration ... 10-11
Figure 10-6: Network interfaces ... 10-12
Figure 10-7: Verifying NAT rule ... 10-13
Figure 10-8: Editing NAT rule ... 10-13
Figure 10-9: Interfaces on Trusted/Local network ... 10-14
Figure 10-10: New rule to block HTTP traffic from network host ... 10-15
Figure 10-11: Modified HTTP rule ... 10-15
Figure 10-12: Rule denying FTP and FTPS access to single host ... 10-16
Figure 11-1: Creating logon tripwire script with Notepad ... 11-7
Figure 11-2: Adding logon script to Administrator account ... 11-7
Figure 11-3: Alert message ... 11-8
Figure 12-1: CERT home page ... 12-7

List of Tables

Table 1-1: Effective security system attributes ... 1-8
Table 1-2: "Hot spot" resources and potential threats ... 1-10
Table 1-3: Security services ... 1-12
Table 2-1: Typical tri-level resource classification scheme ... 2-5
Table 2-2: Benefits of educating employees ... 2-8
Table 2-3: Functions of encryption ... 2-10
Table 2-4: Biometric authentication strategies ... 2-15
Table 2-5: Kerberos terms ... 2-18
Table 2-6: Universal permissions ... 2-20
Table 3-1: Security technology summary ... 3-31
Table 4-1: Network attack types ... 4-3
Table 4-2: Computer virus types ... 4-9
Table 4-3: Illicit servers ... 4-13
Table 4-4: Common flooding techniques ... 4-22
Table 4-5: Types of scanning attacks ... 4-32
Table 4-6: Common man-in-the-middle attacks ... 4-38
Table 5-1: Wireless Ethernet elements ... 5-3
Table 5-2: Authentication types in wireless networks ... 5-7
Table 5-3: Common wireless network security problems ... 5-10
Table 5-4: Issues to consider before site survey ... 5-15
Table 5-5: Site survey issues after wireless implementation ... 5-16
Table 6-1: Security management terminology ... 6-7
Table 7-1: OSI/RM layers ... 7-3
Table 7-2: ICMP message types ... 7-9
Table 7-3: Services and well-known ports ... 7-13
Table 8-1: Security implementation model ... 8-4
Table 8-2: Common physical vulnerabilities and solutions ... 8-15
Table 8-3: Physical access control techniques ... 8-16
Table 8-4: Network equipment shielding methods ... 8-17
Table 9-1: Telnet packet filter ... 9-11
Table 9-2: FTP packet filter ... 9-12
Table 9-3: Packet filter for internal passive FTP clients ... 9-13
Table 11-1: Tools for responding to attacks ... 11-10


Course Description

Web Security Associate teaches you how to secure your network from unauthorized activity. This course teaches you about security principles, such as establishing an effective security policy, and about the different types of hacker activities that you are most likely to encounter.

This course identifies security principles and techniques that enable you to stop a hacker by understanding how to implement access control lists, operating system hardening and firewall technology. It also teaches you how to personalize your network security system so you can create a solution that adheres to universal principles, but also conforms to your business needs in responding to specific hacker attacks.

You will learn about authentication procedures, encryption standards and implementations that help ensure proper user authentication. You will also learn about the specific ports and protocols that hackers manipulate, and about direct and indirect ways to protect your network operating systems. Finally, you will learn how to respond to and report hacker activity, engage in proactive detection, and always keep your company's needs in mind. Appendixes are included in the back of this coursebook to provide resources for you as you continue to learn about applying security measures to your network.

Guided, step-by-step labs provide opportunities to practice new skills. You can challenge yourself and review your skills after each lesson in the Lesson Summary and Lesson Review sections. Additional skill reinforcement is provided in Activities, Optional Labs, Lesson Quizzes and a Course Assessment that are available from your instructor.

This coursebook includes online materials containing the lab files used in class. To practice the skills presented in class or to perform any labs that were not completed, refer to the Classroom Setup section for information about system requirements and using the lab files.

Series

The CIW Web Security series consists of one CIW course and corresponding CIW certification exam, plus advanced CIW credentials that you can obtain by earning additional certifications from third-party security-training providers. There are three levels of CIW Web Security certifications:

• CIW Web Security Associate

• CIW Web Security Specialist

• CIW Web Security Professional

Prerequisites

There are no prerequisites for the Web Security Associate course. However, students should possess Internet and networking knowledge equivalent to what is presented in the CIW Web Foundations series courses. Web Security Associate builds upon this foundational knowledge to give students the skills and knowledge to manage and protect the security of online data, from a single computer to an entire corporate network.

Certification

The Web Security Associate course prepares students to take the high-stakes CIW Web Security Associate certification exam. Those who pass the CIW Web Security Associate exam earn the CIW Web Security Associate certification, which is recognized throughout the industry as validating essential Internet skills for the workplace.


To earn the CIW Web Security Specialist certification, students must pass the CIW Web Security Associate certification exam, plus pass one additional exam from an approved vendor whose certification qualifies for the CIW Web Security program.

To earn the CIW Web Security Professional certification, students must pass the CIW Web Security Associate certification exam, plus pass two additional exams from approved vendors whose certifications qualify for the CIW Web Security program.

For information about taking the CIW Web Security Associate exam and other CIW exams, visit www.CIWcertified.com.

Target audience

The CIW Web Security Associate course is for individuals who want to know how to secure networks from unauthorized activities. Individuals with these security skills can pursue or advance careers in many aspects of online and network security:

• Network server administrators

• Firewall administrators

• Systems administrators

• Application developers

• IT security officers

Courseware

This coursebook was developed for instructor-led training and will assist you during class. Along with comprehensive instructional text and objectives checklists, this coursebook provides easy-to-follow hands-on labs and a glossary of course-specific terms. It also provides Internet addresses needed to complete some labs, although due to the constantly changing nature of the Internet, some addresses may no longer be valid. The student coursebook is organized in the following manner:


• course title
• table of contents
• list of labs
• list of figures
• list of tables
• appendixes
• lessons
• lesson objectives
• narrative text
• supplemental movie clips
• lesson review
• lesson summary
• warnings
• tech notes
• graphics
• tables and figures
• pre-assessment questions
• glossary
• index
• case study
• exam objective callouts
• labs
• supplemental CD

When you return to your home or office, you will find this coursebook to be a valuable resource for reviewing labs and applying the skills you have learned. Each lesson concludes with questions that review the material. Lesson review questions are provided as a study resource only and in no way guarantee a passing score on the CIW Web Security Associate certification exam.

Coursebook versions

The CIW Web Security courseware is designed for various classroom environments: academic, learning center and corporate. These coursebooks are available in both instructor and student versions. Student versions are available for both the academic environment and the learning center/corporate environment. Check your book to verify which version you have.

• Instructor (Academic, Learning Center and Corporate) — Example syllabi for 10-week, 16-week and 32-week instruction periods are included with the instructor supplemental files available on CIW Online. Learning centers can teach this series at an accelerated pace; consult the implementation tables that can be found on CIW Online. The supplemental online files also include an appendix listing the CIW Web Security Associate certification exam objectives and locations of corresponding material in the coursebook. The instructor version of this book includes Instructor Notes in the margin, which provide additional tips and commentary for the instructor to supplement course narrative. Margin callouts also direct instructors to material that relates directly to specified CIW Web Security objectives. The instructor book and supplemental online files contain all answers to Activities (pen-and-paper-based), Optional Labs (computer-based), Lesson Quizzes and the Course Assessment. The supplemental online files also include handout versions of all Activities, Optional Labs, Lesson Quizzes and the Course Assessment, which the instructor can print and assign during class or as homework. Lesson Quizzes and Course Assessments are provided as study and course-grading resources only; success on these materials in no way guarantees a passing score on the CIW Web Security Associate certification exam.

• Student (Academic) — The student book and supplemental online files include Pre-Assessment and Lesson Review questions for each lesson. However, the student book does not provide answers to these questions. It also does not include any Activities, Optional Labs, Quizzes or the Course Assessment. Students can obtain these elements and answers only from the instructor. The student supplemental materials include appendixes and files used to perform many of the labs in the coursebook. The supplemental files also include an appendix listing the CIW Web Security Associate certification exam objectives and locations of corresponding material in the coursebook. Lesson Quizzes and Course Assessments are provided as study and course-grading resources only; success on these materials in no way guarantees a passing score on the CIW Web Security Associate certification exam.

• Student (Learning Center/Corporate) — Designed for the learning center/corporate environment, this student book includes Pre-Assessment and Lesson Review questions. The student supplemental online materials include appendixes; files used to perform many of the labs in the coursebook; and answers to the Pre-Assessment Questions, Lesson Review Questions, Course Assessment, Activities, Optional Labs and Lesson Quizzes. The supplemental files also include an appendix listing the CIW Web Security Associate certification exam objectives and locations of corresponding material in the coursebook. Lesson Quizzes and Course Assessments are provided as study and course-grading resources only; success on these materials in no way guarantees a passing score on the CIW Web Security Associate certification exam.

Online resources

You can visit CIW Online at http://education.certification-partners.com/ciw/ to access supplemental course materials and to get help in preparing for the CIW Web Foundations Associate certification exam. CIW Online provides a variety of online tools you can use to supplement the Official CIW Courseware.

CIW Courseware Supplemental Files

This coursebook includes supplemental material that can be accessed from CIW Online. Online materials are provided for both instructors and students, and include some elements required to complete the coursework and other optional elements that are provided for your interest or further study. Student materials include lab files used to complete the course labs, answers to student exercises and quizzes, and appendixes with related information (including the CIW Web Security Associate Objectives And Locations Appendix). Instructor materials include course syllabi and implementation tables, answers to students' exercises and quizzes, and appendixes with related information (including the CIW Web Security Associate Objectives And Locations Appendix). See the CIW Supplemental Files section under Classroom Setup for information about accessing these files.

CIW Certification Practice Exams

After you have mastered the Web Foundations course material, you are ready to prepare for the high-stakes CIW Web Foundations Associate certification exam. The online CIW Certification Practice Exams program helps you build confidence with your knowledge of the CIW exam objectives. This program provides you with:

• Timed practice exams that simulate the high-stakes testing environment and help predict actual performance on CIW certification exams.

• A feedback review mode that allows you to check answers while taking the practice exam and gain valuable feedback that relates each question to a CIW exam objective and a lesson in the Official CIW Courseware.


• Exam results that report on your mastery of each CIW exam objective.

• Personalized performance reports and study plans to track individual progress and view overall class trends.

Course Objectives After completing this class, you will be able to:

Define the significance of network security, and identify various elements of an effective security policy, including risk factors, security-related organizations, key resources to secure, general security threat types and access control.

Define encryption and the encryption methods used in internetworking.

Use universal guidelines and principles of effective network security to create effective specific solutions.

Apply security principles, and identify security attacks.

Identify firewall types, and define common firewall terminology.

Plan and deploy a firewall system that incorporates multiple levels of protection, including firewall system design, proactive detection, setting traps, security breach response and security alerting organizations.

Classroom Setup Your instructor has probably set up the classroom computers based on the system requirements listed below. Most software configurations on your computer are identical to those on your instructor's computer. However, your instructor may use additional software to demonstrate network interaction or related technologies.

Security disclaimer The code, examples and techniques found in this course are provided for the purposes of teaching about security concepts. Never, under any circumstances, use any of the software or techniques discussed in this course against any local or remote system that is not your own. Certification Partners, LLC, and its partners are not responsible or liable for illegal or unethical use of software or techniques discussed or used in this course.

System Requirements This section lists the hardware, software, and connectivity requirements to implement this course.

Hardware The following table summarizes the hardware requirements for all courses in the CIW program. Each classroom should be equipped with one instructor station and x number of student stations (e.g., in a classroom with 13 personal computers, set one up as the instructor station and the remaining 12 as student stations).

The CIW hardware requirements are similar to the minimum system requirements for Microsoft Windows Server 2003 Service Pack 2 Standard Edition implementation except that CIW requires increased hard disk space (20 GB).


CIW hardware specifications (greater than or equal to the following)

Processor: 133-MHz processor required; 550-MHz or faster processor recommended; support for up to four processors on one server
L2 cache: At least 256 KB
Hard disk: At least 20 GB
RAM: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum
CD-ROM: At least 32X
Network Interface Card (NIC): 10BaseT or 100BaseTX (10 or 100 Mbps)
Sound card/speakers: Required for instructor's station, optional for student stations
Video adapter: At least 4 MB
Monitor: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended
Network hubs: Enough 10-port 10BaseT or 100BaseTX (10 or 100 Mbps) hubs to allow classroom computers to communicate
Router: Multi-homed system with three NICs*

* Must meet universal CIW hardware requirements.

Software The recommended software configurations for computers used to complete the labs in this book are as follows.

To be installed before class:

• Microsoft Windows Server 2003 Service Pack 2, including:

• Microsoft Internet Explorer 7 or later.

• Microsoft Outlook Express 6 or later.

• Full installation of Ubuntu Linux 8.0, available at www.ubuntu.com. See Linux installation instructions for component detail. For multi-boot systems, you will need to repartition the disk. Ubuntu requires its own hard disk partitions. It cannot be installed on Windows or MacOS partitions. At the very least, you will need a dedicated partition for the Ubuntu root.

• MailEnable e-mail server, available at www.mailenable.com. You can use any e-mail server you prefer, as long as you know how to configure it so that students can send e-mail, and as long as you can configure the e-mail server to allow relaying to explain how fake e-mail works.

• Mozilla Firefox 3.0 or later, available at www.mozilla.com. If you prefer, you can use only Microsoft Internet Explorer (with Outlook Express).

• XAMPP 1.6.6a, available at www.apachefriends.org/en/xampp.html.

• FileZilla 3.0.11, available at http://filezilla-project.org/.

You will need to obtain the following third-party Linux software (all files are available with the supplemental materials):

• targa2.c, available at http://packetstorm.linuxsecurity.com.

• papasmurf-linux.c, available at http://packetstorm.linuxsecurity.com.

• Tripwire 2.x, available at www.tripwire.org/.


To be installed by students during course labs (all files are available with the supplemental materials):

• NetBus 1.7, available at http://packetstormsecurity.org/.

• AxCrypt 1.6.4.4, available at www.axantum.com/AxCrypt/.

• GPG4win 1.1.3, available at www.gpg4win.org.

• John the Ripper 1.7.0.1, available at www.openwall.com/john/ or http://packetstorm.linuxsecurity.com.

• Wireshark 1.0.0, available at www.wireshark.org/.

• WinPcap 4.0.2, available at www.winpcap.org.

• Nmap 4.76, available at www.insecure.org.

• Ettercap NG 0.7.3, available at http://ettercap.sourceforge.net.

• NetStumbler 0.4.0, available at www.netstumbler.com.

• Windows NT Password And Registry Editor (also known as a Linux boot disk), available at http://home.eunet.no/~pnordahl/ntpasswd/.

• Kerio WinRoute Firewall 6.5.1, available at www.kerio.com.

Software necessary for the course but not included with the supplemental materials The following software is necessary for the course, but is not included with the supplemental materials:

• Spastic.exe (http://packetstorm.linuxsecurity.com or any other Packet Storm mirror) — Do not scan this file with an anti-virus program, as it contains a harmless trojan. Do not install this file on a workstation or server that you regularly use. This file is meant to be used in the classroom only. Do not allow students to conduct SYN floods against systems you do not own, or otherwise use this program illicitly. Students will use this in the local classroom for a lab in which they will discover that this file contains malware (some anti-virus applications call it a trojan), and students will then delete it from their systems.

Obtain the above software and place it on a CD before the course begins, especially if your classroom does not have Internet access.

Connectivity Due to the sensitive nature of some of the programs used, this course takes place in a special network classroom, closed off from the rest of the company network and from the Internet. The classroom is configured by the instructor. The instructor's computer must be able to communicate with all student computers, acting as a router. TCP/IP is the network protocol used in the course.

LAN requirements The course is designed for use with at least three physical networks, connected by an IP router (which can be a multi-homed computer). Network A (192.168.3.0) students will use odd-numbered IP addresses. Network B (192.168.4.0) students will use even-numbered IP addresses. The instructor will use a third network with the network address 192.168.2.0. The subnet mask is 255.255.255.0. Classroom configuration is illustrated in Figure i-1.


Figure i-1: Classroom configuration

The instructor's computer must be able to communicate with all the others through a router. The instructor can use a multi-homed Windows Server 2003 server computer as the router. If the instructor does not have a Windows system acting as a router, he or she can use whatever router is available.

Again, due to the sensitive nature of the information presented in this course, Internet connectivity is not recommended. TCP/IP is the only network protocol used in this course. The instructor will find specific instructions on how to configure the three subnets in the Classroom Setup Guide.

CIW supplemental files Each coursebook includes supplemental materials that are referenced and used throughout the course. These supplemental materials are provided online at http://education.certification-partners.com/ciw/.

You will need to create a directory for all supplemental materials for the course. The default location is C:\CIW\[Course_Title]. To view or download the materials, go to CIW Online, click the link for each file and save to this directory. You can then create a shortcut to this directory on your Desktop. As you conduct the course labs, you can use this shortcut to quickly access your lab files.


Conventions and Graphics Used in This Book The following conventions are used in these coursebooks.

Terms Technology terms defined in the margins are indicated in bold the first time they appear in the text. However, not every word in bold is a term requiring definition.

Lab Text Text that you enter during a lab appears in italic bold type. Names of components that you access or change in a lab appear in bold type.

Notations Notations or comments regarding screenshots, labs or other text are indicated in italic type.

Program Code or Commands

Text used in program code or operating system commands appears in the Lucida Sans Typewriter font.

The following graphics are used in these coursebooks.

Tech Notes point out exceptions or special circumstances that you may find when working with a particular procedure. Tech Notes that occur within a lab are displayed without the graphic.

Tech Tips offer special-interest information about the current subject.

Warnings alert you about cautions to observe or actions to avoid.

This graphic signals the start of a lab or other hands-on activity.

Each lesson summary includes an Application Project. This project is designed to provoke interest and apply the skills taught in the lesson to your daily activities.

Each lesson concludes with a summary of the skills and objectives taught in that lesson. You can use the Skills Review checklist to evaluate what you have learned.

This graphic indicates a line of code that is completed on the following line.


Lesson 1: What Is Security?

Objectives By the end of this lesson, you will be able to:

1.1.1: Define security.

1.1.2: Identify the importance of network security.

1.1.3: Identify potential risk factors for data security, including improper authentication.

1.1.4: Identify security-related organizations, warning services and certifications.

1.1.5: Identify key resources that need specialized security measures.

1.1.6: Identify the general types of security threat/attacker.

1.2.6: Select security equipment and software based on ease of use.


Pre-Assessment Questions

1. What series of documents and procedures was developed by an international consortium to serve as an international security standard that is used to help designate secure operating systems?

a. British Standard 7799
b. The Common Criteria
c. The Orange Book
d. A security matrix

2. Which term describes a mechanism that allows you to monitor and document your network's activities?

a. Threat identification
b. Risk analysis
c. Audit trail
d. Event detection

3. To what kinds of attacks are network resources most vulnerable?


Network Security Background The media frequently report sensational incidents concerning Internet-related security threats. From security problems with the popular Mozilla Firefox and Microsoft Internet Explorer browser applications to sophisticated attacks aimed at compromising e-commerce servers, computer and network administrators and users must contend with an increasingly complex security environment. Attacks, including computer and e-mail viruses, have become increasingly common. Major online businesses have also proved vulnerable: Amazon.com and eBay, for example, have been victims of serious attacks.

Well-known hackers include Kevin Mitnick and John Draper (who is also known as Captain Crunch), but many more unknown hackers can wreak havoc across the Internet. Even though the following news passage reads like an excerpt from a spy novel, it actually did occur:

Hacker penetrates T-Mobile systems News Item: January 11, 2005 — SecurityFocus

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

The age of the preceding article is important. Consider that systems and software applications have become even more powerful and widely available since then. Also, now that the business community has embraced the Internet for commerce, communication and collaboration, the integrity of sensitive information and communication lines has become an all-important concern. Responding to and countering threats such as viruses and hackers is an important part of any network administrator's job.

The Internet is available to anyone with a network connection and an Internet Service Provider (ISP) account. In fact, it was designed to be an open network, and therefore has little built-in capacity for securing information. From a security standpoint, the Internet is inherently insecure. However, businesses and individuals now want to apply principles of security to the Internet, effectively using it in a way its inventors did not intend. For Internet users, the challenge is to protect sensitive data while allowing authorized personnel to use it.

This course will introduce you to information security principles and teach you how to protect your systems from unauthorized access using the latest available technology. You will learn to deploy host-based solutions, along with network-based technologies, such as firewalls.

hacker An unauthorized user who penetrates a computer host or network to access and manipulate data.

OBJECTIVE 1.1.2: Importance of network security

open network A group of servers and computers, such as the Internet, which allows free access.


What Is Security? Put simply, security in a networking environment is the ability to identify and eliminate threats and vulnerabilities. A general definition of security must also address the need to safeguard organizational assets, including information and physical items such as the computers themselves.

The idea of security is also intertwined with the notions of appropriateness and subordination. A specific person must be designated as the security manager. This person will be in charge of security, and must determine who can take appropriate actions on specific items and when. All people who enforce security on the network must act in roles subordinate to this leader. Regarding company security, what is appropriate varies greatly from organization to organization, but any company with a network must have a security policy that addresses appropriateness, subordination and physical security.

This course discusses security as it relates to the Internet. With the advent of modern, sophisticated technologies such as local area networks (LANs), wide area networks (WANs), the Internet, wireless networks, Web 2.0 technologies and virtual private networks (VPNs), the idea and practice of security have become more complex than simply patrolling the network perimeter. With regard to networking, one could define security as a continuing process in which an administrator ensures that information is shared only among authorized users.

By the end of this course, you will be familiar with the processes and technologies used to establish and limit behavior to what your organization considers appropriate. You will focus on the aspects of security that relate to connecting your organization to the Internet. Internet connectivity makes it extremely easy for unknown users to connect to exposed resources. You need to ensure that users can access only what you want them to access. This course will explore methods of controlling user and hacker access, and responding to events and minimizing damage when someone circumvents those controls.

The following lab gives an example of how a hacker can remotely control a vulnerable system through the use of an illicit server (a service or daemon installed on a host that thwarts authentication by allowing remote users to bypass the password database). Suppose you are a security technician for the IT department of a midsize business. A user calls you to report that he is concerned about an e-mail he received. He opened the attached file before realizing he did not know the sender. Now he thinks his computer may have been infected with a virus of some sort. You can diagnose the security threat more quickly and easily if you are familiar with common exploits such as trojans, which are programs disguised as harmless applications that actually produce harmful results. Then you can begin to thwart this attempt to break in to your company's systems. Although many hackers do not engage in such activities, you must understand that such practices can victimize an unsecured network.

Lab 1-1: Causing a NetBus trojan infection

In this lab, you will install NetBus and infect your machine with the NetBus server trojan program. NetBus is an example of a trojan that can remotely control your machine across the Internet. NetBus is often sent via an e-mail message, in hopes that an unsuspecting user will run the patch.exe program.

OBJECTIVE 1.1.1: Define security

network perimeter The outer limit of a network as defined by a firewall.

OBJECTIVE 1.1.3: Risk factors for data security


The NetBus version 1.7 file that is used in this lab is named NetBus170.zip and was downloaded from the Packet Storm Web site at the following address: www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=26&searchvalue=netbus++

1. Disable all anti-virus and personal firewall applications on your system.

2. Obtain the NetBus file from your instructor, decompress it, then double-click Patch.exe. It will appear as if nothing has occurred, but you have just infected your computer with the NetBus illicit server.

3. Double-click NetBus.exe to display the NetBus client interface shown in Figure 1-1.

Figure 1-1: NetBus client interface

4. In the Host Name/IP field, type 127.0.0.1, then click the Connect! button. The NetBus interface should resemble Figure 1-2.

Note: This address is the loopback address to your system and allows you to use the client interface on yourself.

Figure 1-2: Client connected to loopback address

5. Click the File Manager button to display the Remote File Manager dialog box. Click the Show Files button, then expand the C: drive. The dialog box should resemble Figure 1-3. You can use this dialog box to download, upload or delete files from the infected system (in this case, your own). Do not delete files at this time.


Figure 1-3: Remote File Manager dialog box

6. Click Close to return to the NetBus interface.

7. Click the Server Admin button, then click the Remove Server button. When you are asked if you are sure you want to remove the server, click Yes. This action will remove the NetBus illicit server from your system.

8. Close all dialog boxes and the NetBus interface.

If time allows, the instructor will lead a lab in which you will connect to a remote host.

Note: Connecting to a remote system without permission is illegal. This lab is presented for informational purposes only.

In this lab, you installed NetBus and infected your machine with the NetBus server trojan program. Consider how you can protect your network hosts from this threat. Anti-virus applications generally find NetBus, but variants of NetBus that avoid detection do exist. Intrusion detection (the use of internal network hosts to detect and track network transmissions) is another method. For your network, however, the first line of defense against remote NetBus use is to implement a firewall.
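The lab wrap-up above makes two points: anti-virus may miss a NetBus variant, and a firewall is the first line of defense. The following Python script, added here as an illustration and not part of the CIW courseware, shows both on a constructed snapshot of `netstat -an` output: it lists bound server sockets that are not in the host's approved baseline (an illicit server shows up as a listener nobody expected), then evaluates those listeners against a default-deny inbound firewall policy to see which ones a remote hacker could still reach. The netstat lines, the baseline ports and the firewall rules are all assumed. NetBus 1.x is commonly documented as listening on TCP 12345, but this guide does not state a port, and the script treats 12345 only as a port absent from the baseline.

```python
"""Added example: spotting an illicit server's listener and showing why a
default-deny inbound firewall is the first line of defense.

Everything below is constructed for illustration; it is not part of the
CIW courseware. The netstat output is a made-up snapshot in the format of
Windows `netstat -an`, and the host baseline is an assumed list of ports
this workstation is expected to serve.
"""

# Constructed sample of `netstat -an` output from an infected workstation.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.3.5:1054       192.168.2.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline: (protocol, port) pairs this host is expected to serve.
HOST_BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 137)}


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every bound server socket.

    TCP sockets count only in the LISTENING state; UDP has no state, so
    every bound UDP socket is treated as a listener.
    """
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue
        ip, port = local.rsplit(":", 1)   # rsplit also copes with [::]:port
        listeners.append((proto, ip, int(port)))
    return listeners


def unexpected_listeners(netstat_text, baseline):
    """Listeners not in the approved baseline: candidates for an illicit server."""
    return [entry for entry in parse_listeners(netstat_text)
            if (entry[0], entry[2]) not in baseline]


# Firewall policy for this host (assumed): ordered allow rules, first match
# wins, and anything not explicitly allowed is denied.
INBOUND_RULES = [
    ("ALLOW", "TCP", 80),     # the host serves a web page to the classroom
    ("ALLOW", "UDP", 137),    # NetBIOS name service for the local LAN
]


def inbound_allowed(proto, dst_port, rules=INBOUND_RULES):
    """Evaluate an inbound connection attempt; default deny when nothing matches."""
    for action, r_proto, r_port in rules:
        if r_proto == proto and (r_port is None or r_port == dst_port):
            return action == "ALLOW"
    return False


def exposed_listeners(netstat_text, baseline, rules=INBOUND_RULES):
    """Unexpected listeners that the firewall would still let remote hosts reach."""
    return [entry for entry in unexpected_listeners(netstat_text, baseline)
            if inbound_allowed(entry[0], entry[2], rules)]


if __name__ == "__main__":
    for proto, ip, port in unexpected_listeners(NETSTAT_SAMPLE, HOST_BASELINE):
        print(f"unexpected listener: {proto} {ip}:{port}")
    print("reachable through the firewall:",
          exposed_listeners(NETSTAT_SAMPLE, HOST_BASELINE))
```

Run it as a script to print the findings, or point the same functions at real `netstat -an` output saved to a file. A baseline recorded from a known-clean build of the workstation is what makes the comparison meaningful; without one, every listener looks equally suspicious. The second half shows why the firewall comes first: even on the infected host, the illicit server's ports are unreachable from outside because nothing in the policy allows them.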

Hacker Statistics In spite of the romantic representations of hackers in movies such as Sneakers, Hackers and War Games, hacker activity is proving to be costly. According to the Computer Security Institute and Computer Emergency Response Team (CERT), hacking is on the rise and is becoming increasingly destructive. The CERT Web site (www.cert.org/stats) has released the following statistics regarding the increase of reported attacks to show the effects of hacker activity:

OBJECTIVE 1.1.2: Importance of network security

OBJECTIVE 1.1.4: Security-related organizations and certifications


• Reported incidents have risen steadily, from 252 in 1990 to 9,859 in 1999 to 137,529 in 2003 (2003 is the last year for which incident statistics were kept by CERT).

• Total vulnerabilities cataloged have also risen steadily from 417 in 1999 to 3,784 in 2003 to 7,236 in 2007.

According to a survey of 2,066 organizations conducted by the U.S. Federal Bureau of Investigation (www.fbi.gov) in January 2006, online crime in the United States alone caused $67.2 billion in damages in 2005. Yet, it is estimated that about 90 percent of the attacks that occur every year are not reported. In addition, 90 percent of the respondents said they had experienced some form of attack, intrusion or leakage of proprietary information in the previous 12 months.

Many networking professionals make the distinction between "white hat" (i.e., "good guy") hackers, and "black hat" hackers (sometimes called "crackers").

The IT community has responded to such attacks. Most companies have created security policies. Businesses, organizations and e-commerce sites now implement firewalls, intrusion-detection systems and programs to help track network activity. You will learn more about some of these solutions in this course.

SANS (SysAdmin, Audit, Network, Security) Institute The SANS (SysAdmin, Audit, Network, Security) Institute is dedicated to providing advice and information regarding common systems vulnerabilities. Among other things, the SANS home page (www.sans.org) provides a helpful Top 20 list to help administrators remain aware of the most important security vulnerabilities.

The Myth of 100-Percent Security Connectivity implies risk. If you allow legitimate users to access your computers or networks, the opportunity exists for abuse. One popular saying is that the only secure computer is one that has been disconnected from the network, shut off and locked in a safe with the key thrown away. Although this solution might make the computer secure, it also makes the computer useless.

Although you can never reach a point of complete security, you can achieve a level that prevents all but the most determined and skilled hackers from accessing your system. Proper security techniques can minimize the negative effects of hacker activity on your organization. They can deter even the most determined hacker. Regarding Internet security, you can usually restrict the network permissions of legitimate users so they can still accomplish their tasks, but have no more access than necessary. The result of this simple measure is that even if a hacker can steal a legitimate user's identity and enter into the system, he or she will be able to gain only the level of access authorized for that user. Such a restriction will confine any possible damage that the hacker may cause using the stolen user name and password.
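To make the containment argument in the paragraph above concrete, the following Python code is an added example (not from the CIW courseware) of an authorization check that grants each role only the actions it needs, denies everything else by default, and records every decision in an audit trail so that a stolen account used outside its normal scope raises an alarm. The company, its users, roles and resources are assumed.

```python
"""Added example: containing a stolen credential with least privilege.

Illustrative code, not part of the CIW courseware. The users, roles and
resources are assumed for a made-up midsize company; the point is the
pattern: grant only what each role needs, deny everything else by default,
and log every decision so a misused account stands out.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class AccessPolicy:
    # resource -> role -> set of permitted actions. Anything absent is denied.
    grants: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, user, resource, action):
        """Default-deny check; every decision is appended to the audit trail."""
        permitted = any(action in self.grants.get(resource, {}).get(role, set())
                        for role in user.roles)
        self.audit_log.append((user.name, resource, action,
                               "ALLOW" if permitted else "DENY"))
        return permitted

    def denials_by_user(self):
        """Count of denied requests per account, taken from the audit trail."""
        counts = {}
        for name, _, _, decision in self.audit_log:
            if decision == "DENY":
                counts[name] = counts.get(name, 0) + 1
        return counts

    def users_to_alert(self, threshold):
        """Accounts whose denied requests reach the threshold: notify the admin."""
        return sorted(u for u, n in self.denials_by_user().items() if n >= threshold)


def build_policy():
    """Assumed grants for the example company: each role gets the minimum."""
    return AccessPolicy(grants={
        "sales_share": {"sales": {"read", "write"}, "admin": {"read", "write"}},
        "hr_database": {"hr": {"read", "write"}, "admin": {"read"}},
        "web_server_config": {"admin": {"read", "write"}},
    })


def replay_stolen_credentials(policy, victim):
    """A hacker holding the victim's user name and password tries to roam.

    Returns the resources the stolen account actually reached; everything
    else is denied and lands in the audit trail.
    """
    reached = []
    for resource in ("sales_share", "hr_database", "web_server_config"):
        if policy.authorize(victim, resource, "read"):
            reached.append(resource)
    return reached


if __name__ == "__main__":
    policy = build_policy()
    alice = User("alice", frozenset({"sales"}))     # assumed ordinary sales user
    print("stolen account reached:", replay_stolen_credentials(policy, alice))
    print("accounts to alert on:", policy.users_to_alert(threshold=2))
```

Because the sales role was never granted anything beyond the sales share, the hacker who stole that account gets exactly one resource, and the two denials that follow are the signal the administrator is alerted on. The same check applied to an over-privileged account would have let the intruder reach the HR database and the Web server configuration with no alarm at all.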

Balance in security A key security principle is to use solutions that are effective, but that do not improperly burden legitimate users who want access to needed information. Finding ways to actually apply this principle is often a difficult balancing act. This need for balance applies especially to Internet security. It is quite easy to employ security techniques that become so onerous that legitimate users disregard and even circumvent your security protocols. Hackers are always ready to capitalize on such seemingly innocent activity. Thus, having an overzealous security policy could result in less effective security than if you had no security policy at all.

Computer Emergency Response Team (CERT) An organization devoted to dealing with computer-related security issues. The CERT Coordination Center (CERT/CC) is part of the Software Engineering Institute at Carnegie Mellon University. It maintains information about how to solve specific security problems and publishes security advisories.

OBJECTIVE 1.1.3: Risk factors for data security

You always need to consider the effect that your security policy will have on legitimate users. In most cases, if the effort required by your users is greater than the resulting increase in security, your policy will actually reduce your company's effective level of security.

Attributes of an Effective Security Matrix Although the components and configurations of a security system vary from company to company, several characteristics remain constant. A reliable security matrix is necessary to ensure that all security measures are cost-effective and reasonable. A security matrix is composed of individual operating system security features, logging services and additional equipment including firewalls, intrusion-detection systems and auditing schemes.

Table 1-1 summarizes the most important aspects of an effective security system.

Table 1-1: Effective security system attributes

Access control
- You have achieved your goal of allowing access to only legitimate users.
- You have maximized the ability to communicate while minimizing the possibility of hacker access.
- You have minimized the possibility for damage in the event of hacker access.

Ease of use
- If a security system is difficult to use, many employees will find ways to circumvent it.
- You have ensured that the interface is intuitive.

Appropriate cost of ownership
- You have considered not only the initial purchase cost, but also the price of upgrades and service.
- You have also considered the cost of administration. How many employees, at what skill level, are necessary to successfully implement and maintain the system?

Flexibility and scalability
- Your system allows your company to do business the way it wants to.
- Your system can grow as the company grows.

Superior alarming and reporting
- In the event of a security breach, your system notifies the administrator quickly and in sufficient detail.
- You have configured the system to alert you as efficiently as possible. Notification options include alerts by e-mail, computer screens, pagers and so forth.

What You Are Trying to Protect Now that you have learned about the general principles involved in a security system, we will discuss exactly what needs protection. As you construct the security profile for your network, it is helpful to classify your assets into four resource groups:

• End-user resources (Windows 2000/XP/2003, Linux or Macintosh hosts used by employees)

• Network resources (routers, switches, wiring closets, telephony)

• Server resources (including file, DNS, Web, FTP and e-mail servers)

• Information-storage resources (including human resources and e-commerce databases)

security matrix All components used by a company to provide a security strategy. Includes hardware, software, employee training, security policy, etc.

OBJECTIVE 1.2.6: Selecting security equipment and software

OBJECTIVE 1.1.5: Key resources needing security

End-user resources

Be sure you have enabled the members of your organization to protect their workstations. Not all damage to your resources is the result of malicious user activity, nor of hacker entry into your system. Often, computers are damaged by simple user error.

For example, many employees are largely unaware of the hazards involved in downloading ActiveX files and using Java applets. Still others have not enabled password-protected screen savers to prevent snooping while they are away from their desks for even short periods of time. Users can also inadvertently download viruses and trojans, thereby compromising your network's ability to function. As you learned earlier, a trojan is a file or program that purports to operate in a legitimate way, but which also has an alternative, secret operation, such as sending sensitive company information to a hacker via e-mail.

However, employees can improve security by making sure their browsers are configured for maximum-security settings for ActiveX and Java. You should also make sure that each employee uses a virus checker and observes caution when downloading anything from the Internet.

Protecting local resources is largely a matter of educating individual users about easily applied security techniques. However, Internet security involves more than protecting individual resources.

Network resources

Your networks are the primary communications medium for the entire company. If a skilled hacker gains access to or control of your networks, he or she will probably gain access to most or all company data. You must be aware that many hackers can imitate any Internet Protocol (IP) device that has an IP address. Called IP spoofing, this activity allows hackers to engage in various activities with impunity, because it helps them thwart detection via audit trails. Because no inherent protection is available in the current version (v4) of the Transmission Control Protocol/Internet Protocol (TCP/IP), a hacker can take advantage of any device that does not have specific mechanisms in place. As a result, such an attacker can take control of network resources and then move on to system snooping.

Server resources

Your World Wide Web, e-mail and FTP servers are vulnerable to attacks designed to crash the server so that its services are unavailable, or attacks designed to allow the hacker to log on and obtain or alter information. Often, server resources become a target because compromising one of these resources generally allows hackers to move on to controlling other resources. Some servers provide backbone services (e.g., DNS), whereas others provide mission-critical services (e.g., Web, e-mail and so forth). Regardless of category, it is vital that you find ways to protect each as much as resources allow.

Information-storage resources

The most vital function of any company is the way it organizes and disseminates information. These server types represent a hacker's ultimate goal, because these databases contain sensitive information (e.g., credit card numbers, employee payroll records and so forth). Hackers want information for many reasons. Some are merely curious, and others are malicious. Still others want to engage in theft or industrial espionage. Table 1-2 lists potentially vulnerable parts of a network.

Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of protocols that turns information into blocks of information called packets. These are then sent across networks such as the Internet.

system snooping The action of a hacker who enters a computer network and begins mapping the contents of the system.

Table 1-2: "Hot spot" resources and potential threats

"Hot Spot" Resource Potential Threat

End-user resources Viruses, trojans and applets can damage local systems. End users can also introduce problems through illicit activity.

Network resources IP spoofing, system snooping and obtaining information.

Server resources Unauthorized entry, interrupted service and trojans. Server resources are the primary targets in most cases.

Database and information resources Obtaining trade secrets, customer data and so forth.

Who Is the Threat?

Popular culture often represents the hacker as a brilliant, underachieving adolescent male who has a problem with authority. Although this description is sometimes accurate, categorizing hackers in terms of their attitude and motivation is probably more useful.

Malicious activity occurs for a number of reasons. However, such activity typically falls into four broad categories:

• The casual attacker

• The determined attacker

• The spy

• The end user

Perhaps the most important thing to consider when determining your company's security is to identify the type of attacker who will target your company and to anticipate that attacker's attitude.

Casual attackers

The casual attacker is sometimes an information seeker, but most often he or she is a thrill seeker. The casual attacker has what might be called an "Everest mentality." In other words, the casual attacker is hacking into your system simply "because it is there." The vast majority of hackers fall into this category. They can be stopped with the proper application of security, especially if this security policy specifies that you find and respond to the hacker. Some casual attackers are teenage pranksters with access to a phone line. A large underground network of these attackers exists.

Determined attackers

The determined hacker will gain access to your system, regardless of difficulty or consequence. This type of hacker is going to get in via the Internet, or by manipulating a careless or uninformed employee. These hackers have access to tested methods and tools specifically designed to allow access into your network. In spite of your effective equipment and clear security policy, this type of hacker's determination and willingness to employ any method will eventually lead him or her to success.

OBJECTIVE 1.1.6: General security threat types


Determined hackers will often break into highly sophisticated systems to prove their hacking prowess. Typically, these hackers are not out to destroy information, but will often obtain information about your company and network just because they can. Determined hackers have many motivations. One hacker might be a disgruntled employee, whereas another might be motivated by resentment toward large businesses or governments. Many attacks have occurred as the result of hackers' interest in removing the presence of what they consider to be objectionable or controversial content. Still others — the majority, perhaps — are motivated by financial gain.

Other hackers have more idiosyncratic motivations, which can be based upon an interest in achieving fame, a need to gain a sense of accomplishment, or a need to demonstrate their networking skills. Such motives may explain the majority of Web graffiti that has occurred over the past few years.

Spies and industrial espionage

Spies have very specific targets and want to gain information or disrupt service. They are well-funded and have nearly unlimited access to resources. Primary motivations for spies include monetary gain and ideological beliefs. These hackers will stop at nothing to gain access to the networks they have targeted. Businesses interested in industrial espionage and various governments often fund spy groups, but some spies are mercenaries who will work for the highest bidder.

Later lessons discuss how to implement firewalls and offer specific ways to defend against hackers. For stopping a determined hacker, auditing is the most effective tool. With proper auditing, you can discover and stop a hacker as soon as possible. A more detailed discussion of auditing is presented in a later lesson, and another lesson offers a plan by which you might respond to the hacker and report such activity. Sometimes you need to contact law enforcement agencies, such as local authorities or possibly the U.S. Federal Bureau of Investigation (FBI).

End users

End users constitute the first line of defense in network security. It is common for security professionals to blame specific vendors (e.g., Microsoft, Sun or Ubuntu), protocols (e.g., the fact that IPv4 does not require authentication) or operating systems (e.g., Windows Server 2003 or Solaris) for their security woes. However, most security breaches are caused by end users. End users may cause network security problems through ignorance, carelessness, or a lack of effective and continual awareness training.

End users may also cause network security problems because they are simply trying to do their jobs to the best of their abilities, using the tools they feel would best suit their needs. If end users feel that problems they encounter are not being addressed, they may try to start looking for their own solutions. Those "solutions" may end up circumventing network security policy, leading to security breaches.

To solve this problem, consider the following strategies:

• A short training session at the time of hire — This session can be led by an individual (e.g., an IT help desk worker, a security administrator or the employee's manager) or it can be self-paced. Such sessions should include a thorough review of the security policy.

• Continual training — Educate users at regular intervals so that they remain aware of the latest threats.

Web graffiti The act of defacing a Web site by replacing authorized content with illicit information.

auditing Reading and interpreting log files to identify hacker activity.


• Reminders — Issue e-mail reminders concerning standard practices, and have copies of the security policy readily available.

• Explain common procedures — Instruct end users not to click every attachment that they receive in e-mail, and that they should not try to repair their own systems when they perceive a threat. Show them steps that they can take to properly escalate a perceived problem, rather than trying to handle it themselves. You can also show them how to create client-side e-mail filters to block spam and dangerous attachments carrying the latest virus or worm circulating on the Internet.

• Do not ignore end users — Solve the business needs of end users before they attempt to solve their own problems, to which they do not know the solutions. By so doing, you help end users accomplish their tasks without compromising network security.

With these strategies in mind, you can begin considering the end user as a security aid, rather than a liability.

Security Standards

To complete our discussion of security basics, we must mention several standards that help provide security.

ISO 7498-2: Security Architecture

The International Organization for Standardization (ISO) 7498-2 Security Architecture document defines security as minimizing the vulnerabilities of assets and resources. An asset is defined as anything of value. A vulnerability is any weakness that could be exploited to violate a system or the information it contains. A threat is a potential security violation.

ISO further classifies threats as either accidental or intentional, and active or passive. Accidental threats are those that occur with no premeditated intent. Such threats as natural disasters and system malfunctions fall within this group. Intentional threats may range from casual examination of computer or network data to sophisticated attacks using special system knowledge. Passive threats do not modify information contained in the systems; neither the operation nor the state of the system is changed. Alteration of information or changes to the system's state or operation is considered an active threat to the system.

Security services

The ISO 7498-2 document further defines several security services, as summarized in Table 1-3. These services will be examined in more detail in upcoming lessons.

Table 1-3: Security services

Service Purpose

Authentication The process of proving identity. These services provide for the authentication of a communications peer entity and the source of data (origin).

Access control Determines what system resources a user or service may use, view or change. After a user has been authenticated, the access control service on an operating system determines where that authenticated user can go.

Data confidentiality Protects data from unauthorized disclosure. Data confidentiality protects from passive threats, which include users who read data from the network wire using packet sniffers.

OBJECTIVE 1.1.4: Security-related organizations and certifications


Data integrity Protects against active threats (such as altering data) by verifying or maintaining the consistency of information.

Non-repudiation Allows all parties to provide proof of origin and/or proof of delivery concerning any service, process or piece of information. By contrast, repudiation is the ability to deny participation in all or part of a transaction. For networking, one can repudiate an e-mail message or a piece of data, such as a traceroute ping packet or SYN packet, by saying "I did not send that."

Security mechanisms

According to ISO, a security mechanism is a technology, a software program or a procedure that implements one or more security services. ISO classifies mechanisms as either specific or pervasive.

A specific security mechanism is a technology or software program that implements only one security service at a time. Encryption is an example of a specific security mechanism. Although you can use encryption to ensure data confidentiality, data integrity and non-repudiation (all services), the specific encryption technique you use requires various encryption mechanisms to implement each service.

You will learn more about the various uses of encryption throughout this course.
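The point made above, and in the Table 1-3 entries for data confidentiality and data integrity, is that encryption alone delivers one service at a time: hiding data from a passive reader does not by itself detect an active change. The following is an added example written for this section, not code from the student guide or from ISO. It uses a toy keystream cipher built from SHA-256 (a constructed stand-in so the example runs offline with the standard library, not a recommended algorithm), a separate HMAC key for integrity, and a constructed sample message. Non-repudiation is left out because it needs a signature key held by only one party, which the standard library does not provide.

```python
"""Added example (not from the student guide): confidentiality and integrity
are separate ISO 7498-2 services and need separate mechanisms and keys."""
import hashlib
import hmac
import os


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter, concatenated until long enough.
    This is a constructed stand-in for a real stream cipher, used only so the
    example is self-contained."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity: an HMAC over the ciphertext, computed with a second, independent key."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, ciphertext: bytes, received_tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(tag(mac_key, ciphertext), received_tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate an active threat: one bit of the message is altered in transit."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo(enc_key: bytes, mac_key: bytes) -> dict:
    """Run the scenario and return what each mechanism did and did not catch."""
    message = b"PAY 100 USD to account 12345"   # constructed sample message
    ct = encrypt(enc_key, message)
    t = tag(mac_key, ct)
    # Flipping bit 0 of ciphertext byte 4 flips the same bit of plaintext byte 4,
    # turning the '1' of "100" into '0': the cipher hides the data but does not
    # notice the change.
    tampered = flip_bit(ct, 4)
    return {
        "decrypts_correctly": decrypt(enc_key, ct) == message,
        "tamper_undetected_by_encryption":
            decrypt(enc_key, tampered) == b"PAY 000 USD to account 12345",
        "tamper_caught_by_mac": not verify(mac_key, tampered, t),
        "original_passes_mac": verify(mac_key, ct, t),
    }


if __name__ == "__main__":
    # Fresh random keys per run; the test below uses fixed keys for repeatability.
    for name, result in demo(os.urandom(32), os.urandom(32)).items():
        print(f"{name}: {result}")
```

The decisive result is the pair `tamper_undetected_by_encryption` and `tamper_caught_by_mac`: the ciphertext still decrypts to something plausible after the bit flip, so confidentiality was preserved but integrity was not, and only the second mechanism (the HMAC) reports the active threat. In production code the two services are usually bundled by an authenticated-encryption mode such as AES-GCM, but the bundle is still two mechanisms under one API.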

A pervasive security mechanism is a procedure, or set of procedures, that helps implement one or more of the security services at a time. Another element that differentiates pervasive, or general, security mechanisms from specific mechanisms is that general mechanisms do not apply to any one layer of the Open Systems Interconnection reference model (OSI/RM). Examples of pervasive mechanisms include the following:

• Trusted functionality — any procedure that strengthens an existing mechanism. For example, when you update the TCP/IP stack or run some software to strengthen the ability of your Novell, Windows or UNIX system to authenticate, you are using a pervasive mechanism.

• Event detection — the ability to detect and report local and remote incidents.

• Audit trail — any mechanism that allows you to monitor and document your network's activities.

• Security recovery — the ability to react to an event, including creating short-term and long-term solutions to known vulnerabilities. Also includes the ability to repair damaged systems.
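The event detection and audit trail mechanisms listed above, and the earlier statement that auditing (reading and interpreting log files) is the most effective tool against a determined hacker, come down to reviewing records and raising an alert on a pattern. The following is an added example written for this section, not code from the student guide. The log format, host name and addresses are constructed for the example; it parses syslog-style authentication lines, counts failed logons per source address inside a sliding time window, and also reports a source whose run of failures ended in an accepted logon, which is the pattern an audit review would escalate.

```python
"""Added example (not from the student guide): a small audit-trail review over
constructed authentication log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (invented host, users and addresses).
SAMPLE_LOG = """\
2011-03-01T08:00:01 srv1 sshd: Failed password for admin from 10.0.0.7 port 51122
2011-03-01T08:00:03 srv1 sshd: Failed password for admin from 10.0.0.7 port 51123
2011-03-01T08:00:04 srv1 sshd: Accepted password for alice from 10.0.0.21 port 40010
2011-03-01T08:00:05 srv1 sshd: Failed password for root from 10.0.0.7 port 51124
2011-03-01T08:00:06 srv1 sshd: Failed password for admin from 10.0.0.7 port 51125
2011-03-01T08:00:09 srv1 sshd: Failed password for bob from 10.0.0.33 port 42000
2011-03-01T08:00:10 srv1 sshd: Accepted password for admin from 10.0.0.7 port 51126
2011-03-01T09:30:00 srv1 sshd: Failed password for bob from 10.0.0.33 port 42001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(text: str) -> list:
    """Turn matching lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; a full tool would count these too
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bursts(events: list, threshold: int = 4,
                window: timedelta = timedelta(minutes=5)) -> dict:
    """Event detection: {src: peak count} for sources with >= threshold
    failed logons inside one sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged


def success_after_failures(events: list, min_failures: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> list:
    """Audit-trail interpretation: (src, user, failures) for each accepted logon
    that followed at least min_failures failures from the same source."""
    recent = defaultdict(deque)
    hits = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= min_failures:
            hits.append((ev["src"], ev["user"], len(q)))
            q.clear()
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failed-logon bursts:", find_bursts(evs))
    print("success after failures:", success_after_failures(evs))
```

Both checks are window-based on purpose: the two failures from 10.0.0.33 are ninety minutes apart and are not reported, while the four failures from 10.0.0.7 inside ten seconds are, and the accepted logon that follows them is reported separately because it is the more urgent finding. Thresholds and window lengths are the tunable part; what the review actually needs is that the log lines exist, are time-stamped consistently, and are read.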

Additional security standards

Many other government and industry standards exist in addition to ISO 7498-2. Although some standards may be falling out of favor in certain security circles, you will find that an awareness of past and present standards is useful, because some companies still apply these standards. A selected list of additional security standards includes:

• Trusted Computer Systems Evaluation Criteria (TCSEC) — also known as the "Orange Book" because of its color when first published. In an attempt to standardize levels of security, the U.S. government released a series of standards defining a common set of security levels. These standards were released in a series of books commonly called the "Rainbow Series" because each book had a different color cover. The TCSEC standards begin with D (the lowest level) and continue through A1 (the most secure). TCSEC addresses data confidentiality concerns only. TCSEC has fallen out of favor with many in the networking industry because it does not address the specific business needs for using a network, which can lead to serious problems between the IT department and the rest of the company. However, some companies still apply standards from the Orange Book. You can learn more about the Orange Book at www.dynamoo.com/orange/.

• Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) — the Canadian implementation of TCSEC, focused on information integrity and availability. This and TCSEC began the push for the Common Criteria.

• European Information Technology Security Evaluation Criteria (ITSEC) — addresses the issues of integrity and availability, as well as confidentiality.

• The Common Criteria (CC) — created by European and American governments to unify various evaluation criteria documents. The Common Criteria supersedes TCSEC, CTCPEC and ITSEC. CC was adopted by ISO as ISO standard 15408. It is used to help designate secure operating systems, under specific circumstances. Whenever an operating system is certified according to the Common Criteria, it can then be used in government networks. You can learn more about the Common Criteria at www.commoncriteriaportal.org/.

• British Standard 7799 (BS 7799-3) — outlines specific "controls," such as the system access control, the use of a security policy and physical security measures. It was designed to help managers and IT professionals create procedures to keep information secure. BS 7799 describes how to plan, implement and correct network implementations. The latest document, published in 2005, is BS 7799-3, which also covers risk analysis and management.

• ISO 17799 — ISO adopted the BS 7799 document, making it an international standard formally known as BS ISO/IEC 17799. The ISO 17799 standard describes specific tasks and safeguards for IT professionals. This document is designed to provide a practical, operations-based approach to security. It is not designed to focus on specific issues, as are ITSEC and Common Criteria, nor was it enacted as a piece of country-specific legislation, as were HIPAA and GLBA (which are discussed next). You can obtain ISO documents (usually for a fee) at www.iso.ch.

• Health Insurance Portability and Accountability Act (HIPAA) — a law that affects health providers in the United States (e.g., doctors, dentists, health-care providers for senior citizens). Passed in 1996, HIPAA consists of two different sections: Title I (designed to protect workers and families so they can obtain health care) and Title II (which regulates how health-care providers and IT departments must secure patient information). Regulations include mandating standardized access to personal medical information by authorized parties, encrypting stored and transmitted information, and rules for how information can be passed from company to company. Whereas all of the previous standards are voluntary, HIPAA imposes fines and even jail time for those who break this law. For more information about HIPAA, visit www.hipaa.org and http://aspe.hhs.gov/admnsimp.

• Gramm-Leach-Bliley Act (GLBA) — an act passed by the U.S. government designed to ensure the privacy of financial information and other sensitive information such as Social Security numbers, phone numbers and bank account numbers. Also known as the Financial Services Modernization Act, GLBA was designed to control how financial service organizations store and transmit information, and it prohibits the sharing of this information unless explicitly allowed by the customer. In many ways, GLBA is the financial services analog to HIPAA. Passed in 1999, GLBA was implemented in July 2001 for most banks, although some had a grace period until July 2003. Among other requirements, GLBA requires all financial service providers to implement a written, verified security policy designed to keep customer information safe from attackers and improper disclosure by companies. Fines of up to $500,000 are possible, by increments of $1000. For more information about GLBA, visit www.ftc.gov/privacy/privacyinitiatives/glbact.html or www.senate.gov/~banking/conf/confrpt.htm.

• Sarbanes-Oxley (SOX) — an act passed by the U.S. government in 2002 in response to a number of major corporate and accounting scandals, which took place between 2000 and 2002. Sarbanes-Oxley describes specific mandates and requirements for financial reporting, and establishes new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act consists of 11 titles that are designed to improve the accuracy and reliability of corporate disclosure to reinforce investment confidence and protect investors. For more information about Sarbanes-Oxley, visit http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/.

• Federal Information Security Management Act of 2002 (FISMA) — an act passed by the U.S. government in 2002 that mandates annual audits to bolster computer and network security within the federal government (and affiliated parties, such as contractors working on behalf of a U.S. government agency). FISMA mandates a set of processes that must be followed for all information systems used or operated by the federal government. These processes must follow a combination of the NIST Special Publication 800 (SP 800) series, the Federal Information Processing Standards (FIPS) documents, and other legislation pertinent to federal information systems, such as HIPAA and the Privacy Act of 1974. For more information about FISMA, visit www.compliancehome.com/topics/FISMA/.

Implementing the Common Criteria does not necessarily exclude implementation of standards such as ISO 17799, GLBA or HIPAA because the CC does not discuss planning and procedures in detail as ISO 17799 does. Also, GLBA, HIPAA, SOX and FISMA are examples of mandated laws, as opposed to being security standards.


Case Study

Think Like a Hacker

Andre is a system administrator who is responsible for securing the new LAN that he has set up for Coffees R Us, a coffee distributor that sells its products wholesale in bulk to grocery stores and restaurants. Andre ensures that the desktop computers are free of malware and spyware, and that the network servers and applications are as secure as possible. However, despite his efforts, Andre discovers that the network has become infected with a trojan that allows the servers to be controlled remotely by external sources.

* * *

As a class, discuss this scenario and answer the following questions:

• Consider the components of an effective security matrix. Did Andre create a matrix that encompassed all aspects of an effective security system?

• Andre's security measures effectively patrolled the network perimeter. Is this enough? If not, what else does Andre need to consider?

• From what or whom is Andre trying to protect the LAN? If a determined hacker has successfully infiltrated the LAN, what can Andre do to remove the trojan and ensure that the LAN is less vulnerable to future attacks?


Lesson Summary

Application project

In this lesson, you learned about specific risks to your computer systems, as well as some of the standards used to measure network security. Every organization has different security concerns. Compile a list of potential security threats to your organization or school. Determine which security elements can most effectively provide a countermeasure to your potential security problems.

Skills review

In this lesson, you were introduced to the concept of security, and you saw demonstrations of actual security threats. You also learned about the categories of resources that need protection, the attributes of an effective security system, and the types of people who make security systems necessary.

Now that you have completed this lesson, you should be able to:

1.1.1: Define security.

1.1.2: Identify the importance of network security.

1.1.3: Identify potential risk factors for data security, including improper authentication.

1.1.4: Identify security-related organizations, warning services and certifications.

1.1.5: Identify key resources that need specialized security measures.

1.1.6: Identify the general types of security threat/attacker.

1.2.6: Select security equipment and software based on ease of use.


Lesson 1 Review

1. What is an open network?

2. The advent of sophisticated networking technologies has required network protection to become more sophisticated than simply patrolling the network perimeter. Give an example of an attack that could allow a computer to be controlled remotely.

3. What is the Computer Emergency Response Team (CERT)?

4. What are the components of an effective security matrix?

5. To what kinds of attacks are server resources most vulnerable?