of 56 /56
Security+ study guide Written by McCya mccya.webs.com Page 1 Security+ Concepts The Security+ exam is well-known to test heavily on concepts rather than on purely technical knowledge. Security+ concepts relate to the ideas that govern good information security practices. You can think of these core concepts as a sort of “constitution” or even a “charter” of information security. Any organization or practice will inevitably have some sort of governing ideology; for the Security+ exam (for information security), this ideology is always related to the acronym: CIA. What’s CIA? CIA (in this context, of course) stands for Confidentiality, Integrity, and Availability. These are the three tenets or cornerstones of information security objectives. Virtually all practices within the umbrella called “Information Security” are designed to provide these objectives. They are relatively simple to understand and common-sense notions, yet the Security+ exam writers love to test on CIA concepts. So, you should understand CIA very well in order to understand the reasoning behind later practices as well as to ace this portion of the exam. Confidentiality Confidentiality refers to the idea that information should only be accessible to its intended recipients and those authorized to receive the information. All other parties should not be able to access the information. This is a pretty common and straight-forward idea; the US government for example marks certain items “Top Secret,” which means that only those who are cleared to see that information can actually view it. In this way, the government is achieving information confidentiality. Another common example is the sharing of a secret between two friends. When the friends tell each other the secret, they usually whisper so that nobody else can hear what they are saying. The friends are also achieving confidentiality. Integrity


  • Author

  • View

  • Download

Embed Size (px)

Text of Security

Security+ study guide

Security+ ConceptsThe Security+ exam is well-known to test heavily on concepts rather than on purely technical knowledge. Security+ concepts relate to the ideas that govern good information security practices. You can think of these core concepts as a sort of constitution or even a charter of information security. Any organization or practice will inevitably have some sort of governing ideology; for the Security+ exam (for information security), this ideology is always related to the acronym: CIA.

Whats CIA?CIA (in this context, of course) stands for Confidentiality, Integrity, and Availability. These are the three tenets or cornerstones of information security objectives. Virtually all practices within the umbrella called Information Security are designed to provide these objectives. They are relatively simple to understand and common-sense notions, yet the Security+ exam writers love to test on CIA concepts. So, you should understand CIA very well in order to understand the reasoning behind later practices as well as to ace this portion of the exam.

ConfidentialityConfidentiality refers to the idea that information should only be accessible to its intended recipients and those authorized to receive the information. All other parties should not be able to access the information. This is a pretty common and straight-forward idea; the US government for example marks certain items Top Secret, which means that only those who are cleared to see that information can actually view it. In this way, the government is achieving information confidentiality. Another common example is the sharing of a secret between two friends. When the friends tell each other the secret, they usually whisper so that nobody else can hear what they are saying. The friends are also achieving confidentiality.


Written by McCya


Page 1

Security+ study guideIntegrity is the idea that information should arrive at a destination as it was sent. In other words, the information should not be tampered with or otherwise altered. Sometimes, secret information may be sent in a locked box. This is to ensure both confidentiality and integrity: it ensures confidentiality by assuring that only those with a key can open it; it ensures integrity by assuring that the information is not able to be altered during delivery. Similarly, government documents are often sealed with some sort of special stamp that is unique to an office or branch of government. In this way, the government ensures that the people reading the documents know that the document is in fact a government document and not a phony.

AvailabilityImagine that a terrorist blocks the entrance to the Library of Congress. Though he did not necessarily destroy the integrity of the books inside nor did he breach confidentiality, he did do something to negatively affect the security of the Library. We deem his actions a denial of service, or more appropriately, a denial of availability. Availability refers to the idea that information should be available to those authorized to use it. When a hacker floods a web server with erroneous requests and the web server goes down as a result of it, he denied availability to the users of the server, and thus, one of the major tenets of information security have been compromised.

Wrap UpWell, youve completed your first Security+ lesson! That wasnt so bad, now was it? As you can see, a lot of what is covered on the Security+ exam is actually commonsense. However, dont take CIA lightly it is heavily tested! Below are a few questions that should help you review what youve learned today:

Quick Review1. Which of the following are components of CIA? (Choose all that apply) a. Confidentiality b. Authentication c. Integration d. Integrity e. Availability f. Character

Written by McCya


Page 2

Security+ study guide2. A user encrypts an email before sending it. The only person that can decrypt the email is the recipient. By encrypting the email in this way, the user is attempting to preserve the: a. Confidentiality of the recipient b. Accessibility of the email server c. Confidentiality of the information d. Integrity of the information

3. A hooligan unplugs the power from the central data server at a large bank. Which of the following describe the effect on information security? a. Confidentiality has been breached b. Loss of availability c. The information has lost integrity

Answers1. The components of CIA are Confidentiality, Integrity, and Availability. The answer is (A,D,E) 2. This is a tough question that is sure to manifest itself on the exam. Dont be confused between confidentiality and integrity. Remember that confidentiality refers to the fact that only the recipient can receive the information, whereas integrity means that the information is basically in the same state that it was sent. Although the encryption may prevent others in the middle of the communication from understanding the email, it does nothing to prevent them from manipulating the email being sent. So, the answer is that it only ensures the confidentiality of the information and NOT the integrity of the information. ( C )

3. By unplugging the power, the punk is basically denying availability to the users of the server. He is not however actually changing the information stored on the server nor is he trying to read any sort of confidential information. The answer is therefore that his actions produce a loss of availability (B)

Access Control

Written by McCya


Page 3

Security+ study guide

One of the most crucial areas of information security that dates back to its origins is the idea of access control. Access control is the ability of a system to limit access to only certain users. When you think access control, think password. Of course, there are many ways to authenticate users than just passwords, but passwords are probably the most well-known way of controlling access to resources, especially to information security laymen. Well now look into the specifics of access control.

Types of Access Control FactorsOne of the key questions associated with access control is: How do you ensure that a user is in fact who he claims to be? There are many ways to do so, and so they have been categorized into three types of factors.

Type I: What you know Access control methods related to what you know include passwords, numeric keys, PIN numbers, secret questions and answers, and so forth. Basically, Type I access control depends on the user knowing something in order to access the information. Type II: What you have You probably use this access control method every day without realizing it. A physical key is used to open a door to your house through a lock a form of Type II access control. In information security terms, Type II access control methods may include physical keys or cards, smart cards, and other physical devices that might be used to gain access to something. Type III: What you are This form of access control is closely related to biometrics or authentication by biological factors. Some high-tech systems may use fingerprints, retinal scans, or even DNA to ensure that a user is who he claims to be. This type of access control is considered the most secure because it requires that a user be physically present whereas the other two can be compromised by theft of a password or a keycard.

The best authentication systems use more than one factor (Type) to ensure a users identity; this is known as multi-factor authentication.

Written by McCya


Page 4

Security+ study guide

The Workings behind Access ControlThere are essentially three steps to any access control process. 1. Identification: Who is the user? 2. Authentication: Is the user who he says he is? 3. Authorization: What does the user have permission to do? Authentication is achieved through the factors discussed above, but Authorization is actually achieved between the reference model and the Kernel of the operating system. The reference model is the system that directs the Kernel what it can and cannot access. A request to access information would be sent through the reference model to verify that the user requesting access should actually have access to what he is requesting. The kernel then acts only if the reference model directs it to do so.

Methods of Access ControlAnother very important question that should be raised when considering access control is: Who determines which users have access to information? The Security+ exam suggests three different methods of determining this:

MAC: Mandatory Access Control is the system in which a central administrator or administration dictates all of the access to information in a network or system. This might be used in high-security applications, such as with the label "top-secret government information". Under MAC, subjects (the user or process requesting access) and objects (the item being requested) are each associated with a set of labels. When a subject requests access to an object, access is granted if labels match, and denied if the labels do not match. DAC: Discretionary Access Control is the system in which the owners of files actually determine who gets access to the information. In this system, a user who creates a sensitive file determines (through his own discretion) who can access that sensitive file. This is considered far less secure than MAC. RBAC: Role-Based Access Control is related to a system in which the roles of users determine their access to files. For example, if Bob is a member of accounting, he should not be able to access the engineering files.

A Last WordAccess Control is a very important and highly-tested subject! It is, like CIA, highly conceptual but crucial to understanding information security. It is used to ensure both the confidentiality and the integrity of information and therefore plays a large role in the CIA picture. You should spend time understanding the Types and Methods of access control so that you can ace this portion of the exam.

Written by McCya


Page 5

Security+ study guide

Quick Review1. On an Active Directory network the group(s) that a user is in determines his access to files. This is a form of: a. MAC b. DAC c. Type II Authentication factor d. RBAC e. Type I Authentication factor

2. Which of the following is not a possible description of Type III authentication? a. Something you are b. Fingerprints c. Passwords d. Retinal scans

3. Which of the following is the correct order of the access control process? a. Identification, Authorization, Authentication b. Authorization, Identification, Confidentiality c. Identification, Authentication, Authorization d. Confidentiality, Integrity, Availability

Answers1. Because the group that the user is in determines his access to files, it is not a far step to say that his role really determines his access to those files. The answer is RBAC. (D)

2. Passwords are Type I (something you know) rather than Type III (something you are), so the answer is C

3. The correct order of the process is C.Written by McCya mccya.webs.com Page 6

Security+ study guide

Special Authentication MethodsThere are some authentication methods that merit their own coverage because they are specifically tested on the exam. Below is the information about each of them that you need to know in order to answer these kinds of questions correctly.


Kerberos is an open-source and widely-accepted method of authentication that works on a shared secret key system with a trusted third party. Before you begin to understand how Kerberos actually works, you should consider this analogy: two people are in love and want to deliver messages of their affection to each other. The problem is that they cannot express their love for each other openly because of a family feud. So, they entrust a mutual friend to deliver their secrets to each other. In essence, Kerberos does much of the same. If two users wish to communicate with each other, they must first contact a trusted Kerberos server to obtain a shared secret key. Only the users that have this key can communicate with each other because the key encrypts and decrypts messages. The logical part of the Kerberos server that governs key distribution is aptly called the Key Distribution Center, or KDC. Once keys have been distributed to the two parties wishing to communicate, Kerberos then issues what are known as tickets through the TGS or Ticket Granting Server. These tickets allow for the actual communication between the clients by storing authentication information. Kerberos has a wide variety of applications, especially in open source software, but is not without vulnerabilities. One is that Kerberos makes extensive use of that trusted third party. If the third party is compromised, information confidentiality and integrity may be breached. If the third party simply fails, availability is lost. Kerberos also uses time stamps in order to time out communications. Time stamps mitigate the threat of replay attacks and provide a small measure of integrity. If two hosts are on different times, communication will be impossible. Remember that Kerberos is associated with SSO (single sign-on) technology.

BiometricsWritten by McCya mccya.webs.com Page 7

Security+ study guideAs discussed before, biometric factors are factors of authentication that utilize the biological factors of a user. Biometric authentication and identification is considered the most secure. Typical biometric factors include fingerprint and retinal scans as well as photo-comparison technology.

Username / PasswordThe most common form of authentication system is a username and password system. This is a Type I system and therefore relies on the difficulty of guessing the password for effectiveness. There may be questions on the Security+ exam about what constitutes a good password. Use common sense here! A good password would obviously consist of numbers and letters, lower and upper case, and symbols. In other words, the general rule of thumb is that a good password is complex. Another rule of thumb is that a good password should be at least six characters and probably eight. In fact, eight or more is the standard at the moment. Systems that allow for lost password retrieval should not allow a malicious user to learn information about the users of a system; in addition, systems should not elaborate as to whether a username or password is incorrect as this would aid potential attackers.

MultifactorMultifactor authentication refers to using more than one factor to authenticate a user. Multifactor authentication is more secure than single factor authentication in most cases. An example of multifactor authentication would be an authentication system that required a user to have both a password and a fingerprint.

CHAPChallenge-Handshake Authentication Protocol, or CHAP, is an authentication protocol that uses username and password combinations that authenticate users. It is used in PPP, so its most common application is dial-up internet access user authentication. All you really need to know about it is that it uses a three-way handshake to prevent replay attacks. Microsoft has a version of CHAP known as MS-CHAP.

SSOSingle sign-on, or SSO, refers to the ability for a user to only be authenticated once to be provided authorization to multiple services.

Summing it upWritten by McCya mccya.webs.com Page 8

Security+ study guideYou will see a question on the Security+ exam on almost every one of these items. Kerberos will be tested with more than two questions. It would be to your benefit to carefully study each of these items individually to understand what each is all about.

Quick Review1. Which of the following would not be a form of multifactor authentication? a. Requiring an ATM card and a pin number b. Requiring a secret answer to a given question c. Requiring a fingerprint and a Kerberos ticket d. Requiring a USB key and a password

2. Which of the following is a true statement about Kerberos? a. It requires two distinct physical servers, one to give keys and the other to give tickets. b. It is only used in UNIX environments. c. Communication can only take place when both parties can utilize a trusted third party Kerberos server. d. It is a form of biometric identification and authorization.

3. A user complains that he has to use a separate login and password for his email, his domain account, his specialized software, and even for his computer. What would be a solution to his problems? a. Smart card b. SSO technology c. Biometrics d. CHAP

Answers:1. All of the choices use two factors for authentication with the exception of B, which requires only one factor (an answer to a question). (B)

Written by McCya


Page 9

Security+ study guide2. Be careful! Kerberos is often used in UNIX environments, but it is not exclusively used in UNIX environments. Also, the TGS and KDC servers are logically but not necessarily physically separate. Finally, choice D is totally without merit. The answer is ( C ).

3. Because SSO provides a single sign on for multiple services, the user would desire that as a solution as it could create fewer login screens. The answer is ( B )

Attacks and Malicious Users

(An example of a buffer-overflow attack)

A key aspect to any war is to know your enemy. If you consider the battle against malicious users a war, then understanding the attacks that they use is crucial. Below is a listing with descriptions of the most common kinds of attacks used by malicious hackers and other bad people.

Social EngineeringThis kind of attack is probably the most commonly successful and damaging of all attacks, yet it requires no technical ability. Social engineering is an attack by which the attacker manipulates people who work in a capacity of some authority so that the attacker can get those people to do something that he desires. For example, if an attacker calls into a business posing as a bank representative who is reporting foul activity on an account and then proceeds to ask for a routing number, that attacker is engaged in a social engineering attack. Remember, social engineering means manipulating people.

Dumpster DivingThis is another low-tech attack. All you have to remember about this attack is that the name is very indicative of the nature of this attack a dumpster diver would look through trash and other unsecured materials to find pertinent information to either launch an attack or carry out some other maliciously intended action.

Written by McCya


Page 10

Security+ study guide

Password CrackingThis is an attack by which the attacker wishes to gain authentication (and authorization) to network resources by guessing the correct password. There are three basic kinds of password cracking attacks:

Brute Force Every single possible combination of characters (aaa,aaA,aAA,AAA,aab) Dictionary Enter passwords from a text file (a dictionary) Hybrid - A variation of the Dictionary approach, but accounting for common user practices such as alternating character cases, substituting characters ("@" in place of "A", etc), using keyboard patterns ("1QAZ", etc), doubling passwords to make them longer, or adding incremental prefix/suffix numbers to a basic password ("2swordfish" instead of "swordfish, etc).

Attackers know that many users use the same or similar passwords for different systems. Using a sniffer to obtain a user's password on an unsecure platform will provide a good starting point for a quick hybrid attack on a different, more secure platform. For example, Yahoo Messenger transmits passwords in clear text. An attacker can easily obtain a user's Yahoo password, and then attempt to access their bank account, or other sensitive information, using that same password or a variant of that same password. Most of the time when password cracking is attempted, the cracker has some means of entering username and password combinations quickly. Usually this is through a cracking program such as Brutus. One way to defend against cracking attacks is to put a mandatory wait time before login attempts. Another way is to lock out the login system after a certain number of attempts. Finally, limiting the number of concurrent connections to a login system can slow down a cracking attack.

FloodingJust like a flood can overwhelm the infrastructure of a locale, a flooding attack can overwhelm the processing and memory capabilities of a network system or server. In a flooding attack, the attacker sends an inordinate amount of packets to a server or a group of hosts in order to overwhelm the network or server. This would, of course, cause a denial of service to the hosts who demand whatever network resource has been overwhelmed. Some special kinds of flooding attacks:

SYN Flood A flood of specially crafted SYN packets ICMP Ping Flood A flood of ICMP pings

SpoofingSpoofing is not always a form of attack but can be used in conjunction with an attack. Spoofing is any attempt to hide the true address information of a node and is usually associated with IP spoofing, or the practice of hiding the IP address of a node and replacing it with another (false) IP address. One implication of a successful spoof is that investigatorsWritten by McCya mccya.webs.com Page 11

Security+ study guidecannot trace the attack easily because the IP address is false. Spoofing can be achieved through proxy servers, anonymous Internet services, or TCP/IP vulnerabilities.

Birthday AttackAny attack based on favorable probability is known as a birthday attack. This comes from the statistical truth that it is far more likely in a room of 100 people to find two people who have the same birthday than it is to find a person with a specific birthday. For the exam, just associate birthday attack with probability.

Buffer OverflowA buffer overflow attack is a very specific kind of attack that is very common when attacking Application level servers and services. Basically, a buffer is a memory stack that has a certain holding size. Through a specifically and maliciously crafted packet, information can overflow in that stack, causing a number of problems. Some buffer overflow attacks result in a simple denial of service while others can allow for system compromise and remote takeover of a system. Patches are usually issued to defend against specific buffer overflow issues.

[edit section] SniffingA sniffing attack is one in which an attacker sniffs information, either off the media directly or from regular network traffic, in order to compromise the confidentiality or integrity of information. Un-switched Ethernet traffic can easily be sniffed when the NIC operates in promiscuous mode, the mode in which the NIC reads all traffic regardless of the destination IP address. Sniffing can be thwarted by careful attention to media security and switched networks.

OverviewWhile there is certainly a dearth of space here to list all of the wonderful tricks that hackers have up their collective sleeves, it is safe to say that the attacks that you will see on the Security+ have been covered above. Study each one carefully and try to associate one word with the attack that will help you remember what its all about; after a while, the distinction between attacks will become more obvious and clear to you.

Quick ReviewWritten by McCya mccya.webs.com Page 12

Security+ study guide1. An attacker sends a series of malformed packets to a server causing him to gain access to the server as the root user. Which attack is this most likely to be? a. Ping b. Birthday c. Spoofing d. Sniffing e. Buffer Overflow

2. You notice a dramatic increase in the traffic going through your network. After a close examination of the traffic, you realize that the majority of the new traffic is in the form of empty broadcast packets sent from a single host. What is most likely happening? a. You are experiencing normal network activity b. The network is revamping from under-utilization c. The network is being flooded d. The network is being spoofed

3. Which of the following courses of action would not prevent a social engineering attack? a. Mandatory security training for new computer users b. Administrative approval for any major system changes c. Hiring a dedicated operator to handle undirected phone calls and emails d. Installing a firewall with NAT technology

4. You notice that there have been over a thousand login attempts in the last minute. What might you correct in order to prevent a similar attack in the future? a. Install Apache Web Server b. Limit the timeout value c. Mandate and configure a lockout time period d. Change the access control methodWritten by McCya mccya.webs.com Page 13

Security+ study guide

Answers:1. In a buffer overflow attack, a malformed packet is sent to overflow the heap of memory that a server application uses. Some attacks can actually gain access to the root account. So, the answer is (E) 2. Since the network is experiencing a dramatic increase in basically meaningless traffic from a single host, it is likely to be an attempt at a flood attack. ( C ) 3. All of the choices would inhibit the ability of an attacker to use a social engineering attack except for (D), which would not affect the ability of an attacker to manipulate people in any way. 4. By configuring a lockout time period ( C ) you can ensure that after a certain number of unsuccessful attempts, further logins are disabled.

Remote AccessOne of the most ever-present and ancient uses of the Internet and networking has been to provide remote access to networks or network resources. Since the early 1980s, different remote access protocols have existed to allow users to remotely dial in to a network of choice; while some of these protocols have come and gone, many of them remain widely in use even today in dial-up WAN access and business VPN networks. The Security+ examination will test you on your ability to identify the security features, benefits, and costs of several types of remote access protocols and services.

RASRAS, or Remote Access Service, is a rarely-used, unsecure, and outdated Microsoft offering in the area of remote access technology. You should know for the exam that RAS provides dial-up access and once was the protocol of choice for connecting to the Internet.

PPPRAS was eventually replaced by PPP, the most common dial-up networking protocol today. PPP, or point-to-point protocol, utilizes a direct connection from a client to WAN over TCP/IP. This is advantageous for dial-up networking services as most people today wish to be able to use the Internet, which of course requires TCP/IP networking. When you think dial-up access, think PPP.

Written by McCya


Page 14

Security+ study guide

Secure ConnectionsThe next group of technologies is considered secure in that the technologies set up an encrypted, sometimes tunneled, and difficult-to-intercept connection. These are the technologies typically employed in VPN (Virtual Private Network) applications and corporate remote networks.

PPTPPoint-to-point tunneling protocol, or PPTP, is a tunneling protocol that can encapsulate connection-oriented PPP packets (which are simple remote access packets) into connectionless IP packets. In doing so, the data remains within the IP capsule, which prevents sniffing and other outside manipulation. PPTP is a client-server system that requires a PPTP client, a PPTP server, and a special network access server to provide normal PPP service. PPTP is commonly used to set up Virtual Private Networks, which are like LANs that are spread across the Internet so that multiple remote clients can connect to one logical network.

L2TPLike PPTP, L2TP (Layer 2 Tunneling Protocol) utilizes a tunneling protocol, but unlike PPTP, L2TP utilizes IPSec (IP Security) to encrypt data all the way from the client to the server. Because of this, L2TP data is difficult to intercept. L2TP can accommodate protocols other than IP to send datagrams and is therefore more versatile; it is also common in VPN applications.

Tunneling, VPN, and IPSecIn the last lesson we learned about some of the more common remote access protocols in use today. You should recall that a remote access protocol allows remote access to a network or host and is usually employed in dial-up networking. Alternatively, some remote access technologies are involved in remote control of a host, such as through secure shell or Telnet. However, another class of remote access technologies does exist. This class is related to two of the fundamental aspects of information security: confidentiality and availability. This type of remote access technology allows a user to securely dial in or otherwise access a remote network over an encrypted and difficult-to-intercept connection known as a tunnel. These protocols are therefore usually referred to as tunneling or secure remote access protocols.

Written by McCya


Page 15

Security+ study guide

VPNA virtual private network is a pseudo-LAN that is defined as a private network that operates over a public network. It allows remote hosts to dial into a network and join the network basically as if it were a local host, gaining access to network resources and information as well as other VPN hosts. The exam will test you on your ability to recognize different applications of VPN networks. Use common sense here! Obviously, VPN networks would likely be employed in settings in which information security is essential and local access to the network is not available. For example, a VPN might be utilized by a telecommuting employee who dials into the office network.

PPTPPPTP, or Point-to-point tunneling protocol, is a commonly implemented remote access protocol that allows for secure dial-up access to a remote network. In other words, PPTP is a VPN protocol. PPTP utilizes a similar framework as PPP (point-to-point protocol) for the remote access component but encapsulates data into undecipherable packets during transmission. It is as its name implies: an implementation of PPP that utilizes tunneling by encapsulating data.

IPSecIPSec is a heavily tested area of the Security+ exam. You will inevitably see at least one question on IPSec and probably around three, so it will be to your benefit to understand IPSec well. IPSec allows for the encryption of data being transmitted from host-to-host (or routerto-router, or router-to-host you get the idea) and is basically standardized within the TCP/IP suite. IPSec is utilized in several protocols such as TLS and SSL. You should know that IPSec operates in two basic modes. We will now study these modes in greater detail.

Transport Mode Provides host-to-host security in a LAN network but cannot be employed over any kind of gateway or NAT device. Note that in transport mode, only the packets information, and not the headers, are encrypted. Tunneling Mode Alternatively, in tunneling mode, IPSec provides encapsulation of the entire packet, including the header information. The packet is encrypted and then allowed to be routed over networks, allowing for remote access. Because of this, we are usually most interested (at least for exam purposes) in the Tunneling mode.

IPSec is comprised of two basic components that provide different functionality:

AH Authentication Header (AH) can provide authentication of the user who sent the information as well as the information itselfmccya.webs.com Page 16

Written by McCya

Security+ study guide

ESP Encapsulating Security Protocol (ESP) can provide actual encryption services which can ensure the confidentiality of the information being sent.

IPSec implementation

L2TPL2TP, or Layer 2 Tunneling Protocol, is an alternative protocol to PPTP that offers the capability for VPN functionality in a more secure and efficient manner. Rather than actually replacing PPP as a remote access protocol or IPSec as a security protocol, L2TP simply acts as an encapsulation protocol on a very low level of the OSI model the Data Link layer. L2TP, therefore, commonly utilizes PPP for the actual remote access service and IPSec for security. Note that L2TP operates on a client/server model with the LAC (L2TP Access Concentrator) being the client and the LNS (L2TP Network Server) acting as the server.

Quick Review1. Your boss asks you to recommend a solution that meets the following requirements: 1) He wishes to access the company network remotely, and 2) The access must be as secure as possible. Which would you implement? a. A VPN using L2TP and IPSec b. A PPP dial-in network c. Telnet d. SSH

2. Which of the following components of IPSec would allow a message to be traced back to a specific user?Written by McCya mccya.webs.com Page 17

Security+ study guidea. L2TP b. TLS c. AH d. ESP

3. Which of the following is a true statement regarding the difference between tunneling and transport modes of IPSec? a. Transport only works with remote hosts b. Tunneling only works between remote hosts c. Transport is more secure than tunneling d. Transport only works between local hosts

Answers1. Your boss is essentially asking for a solution that allows for secure remote access to the network (as opposed to a network host, which you might recommend SSH for). The answer is A because the VPN satisfies his basic requirements. 2. AH provides the essential service of authentication of users sending messages. This allows a message to be traced back to a specific host. The answer is C. 3. Transport mode is exclusive to local host traffic because only the payload is encrypted. Transport mode will not work between remote hosts; for this, you must employ tunneling. The answer is D.

Introduction to CryptographyIn this Security+ study guide you will notice that we like to jump around from topic to topic. This is intentional! We want you to keep different topics fresh in your mind as some topics in the exam are particularly boring. In this lesson, we will learn about the basics of cryptography, including common terminology, function, and applications. In later lessons, we will take a look at the more technical aspects of cryptography.

What is Cryptography?Cryptography is the science of hiding the meaning of a message. Even children are familiar with the concept of cryptography as they learn to speak to each other in code languages that adults cannot understand. Rap stars employ lyrics that have alternate and more explicitWritten by McCya mccya.webs.com Page 18

Security+ study guidemeanings. The British in World War II were able to crack the Enigma Machine, Nazi Germanys method of ciphering critical data. For the purposes of the Security+ exam, however, we will usually speak of cryptography in terms of IT information security. Computers are often employed in conjunction with cryptographic services and protocols as many of these require complex calculations that only computers can provide in a timely manner.

AES, one of many cryptographic algorithms

How Cryptography WorksThe basic concept of cryptography is very simple. In a typical cryptographic exchange, information that is meant to be hidden for whatever reason is encrypted, or ciphered into a difficult-to-interpret form. We call this conversion encryption because it involves the change of clear text, or understandable data, into cipher text, or difficult-to-interpret data. The encryption process is one-half of the entire cryptographic exchange. At the other end of the process is decryption, or the conversion of cipher text into clear text. Decryption is not always a part of encryption, however some algorithms are called hashes as they only apply encryption (that is, from clear to cipher text) and have no means of deciphering the information. We will cover more on this later.

Public Key and Private Key SystemsA key is the password of sorts used to encrypt and decrypt data.

When an encryption key is made available to any host, it's known as a public key. In contrast, a private key is confidentially shared between two hosts or entities. A symmetric encryption algorithm uses the same key for encryption and decryption. When a different key is used for encryption and decryption this is known as asymmetric encryption.Written by McCya mccya.webs.com Page 19

Security+ study guide

More complex systems require both a public key and a private key to operate. We will go into greater detail regarding these public key systems in later lessons but you should know of their existence.

Cryptanalysis and crackingCryptanalysis is the act of breaking the cipher or attempting to understand the cipher text. Cracking is often associated with cryptanalysis as cracking a shared key is often essential to cryptanalysis attempts. Not every cipher is decipherable for example, some encryption algorithms are mathematically unbreakable (they operate on randomness) and other encryption algorithms are hashes that do not provide one-to-one functionality (that is, more than one input can result in the same output, making reverse-encryption or cryptanalysis impossible). However, most cryptographic algorithms can theoretically be cracked but require extraordinary amounts of computational power to do so. For example, RSA can take millennia to crack, hardly the amount of time that a potential attacker or cryptanalyst has available.

Applications and Functions of CryptographyThe Security+ exam will test you on your ability to recognize situations in which cryptography might be employed. The general rule here is that cryptography is employed in settings in which data confidentiality and integrity are desirable. For example, you would not use cryptography when transferring MP3 files (unless those files were highly sensitive for some reason) but you would certainly employ cryptographic methods when transferring health information. In addition to data confidentiality and integrity, cryptography can provide non-repudiation, which is the idea that a sender of information would not be able to refute the fact that he or she did send that information or data. Here is a sample laundry list of some well-known functions of cryptography:

Tunneling protocols and VPN Email security (PGP et al.) Secure file transfer (S-FTP) Secure access to web pages (SSL) Kerberos Authentication Certificates Document security

Final Thoughts

Written by McCya


Page 20

Security+ study guideWe will continue to explore more on cryptography in the lessons to come. Cryptography is a heavily-tested portion of the Security+ exam; we will cover the subject accordingly. It is important that as you learn the specifics of cryptography protocols you understand the basic terminology that is employed in any discussion of them.

Quick Review1. Your manger asks you to employ a system in which the sender of a message would not be able to deny that he sent that message. Your manager is asking for: a. Certificate of authenticity b. Non-repudiation c. Authorization d. SSL over HTTP 2. What is the primary difference between asymmetric and symmetric encryption algorithms? a. The use of a public key b. Symmetric algorithms are one-way functions c. The relative strength of the algorithm d. The ability to perform man-in-the-middle attacks 3. Which of the following protocols does not employ cryptography? a. HTTPS b. SSH c. Telnet d. SFTP e. IPSec

Answers1. The idea that a sender would not be able to deny that he sent the information is called nonrepudiation. The answer is B.Written by McCya mccya.webs.com Page 21

Security+ study guide2. The primary difference between asymmetric (public key) and symmetric (private key) algorithms is that asymmetric algorithms use both a public and a private key. The answer is A. 3. All of the listed protocols with the exception of Telnet provide some encryption functionality. Telnet transfers all information in clear text. The answer is C.

Malicious Software: Viruses, Trojan Horses, WormsDespite all the hype about viruses and worms, the Security+ exam actually does not heavily test on viruses and the like. However, you will probably see at least a few questions on these topics and we will therefore go into some detail on the differences between different types of malicious programs and how they can be avoided or prevented from propagating.

VirusesA computer virus is malicious software that propagates itself upon the action of a user. For example, some viruses send emails promising great information on how to get rich quickly or pleasant images. The user then opens some sort of executable attachment (that is almost certainly not what is promised) and the virus either immediately acts or waits as a dormant drone to act, either upon the request of a master host or some sort of time period. Viruses typically inflict damage by either destroying files categorically or installing new files that drastically affect the performance of the computer. Most viruses also act to insert themselves into various executable files, increasing the likelihood that a user will rerun the malicious executable file.

One of the core tendencies of any computer virus is propagation. Most viruses include some mechanism for both local and network propagation, including the sending of instant messages, the setting up of web servers, and of course, emails. However, viruses are not truly self-propagating in the sense that the virus is actually incapable of forcing itself on another host machine in most cases. A virus typically needs user interaction to act (such as opening an attachment). This need for user interaction is usually seen as what separates a virus from a worm.

WormsUnlike the friendly creatures that crawl beneath the crust, computer worms can be extremely destructive and costly malicious programs that self-propagate to cause unbelievable damage to computer networks across the world. Alternatively, worms can help provide us the wonders of Google and Yahoo search engines. How can a worm be so good and yet so bad?

Written by McCya


Page 22

Security+ study guideActually, worms are not inherently evil. Worms are simply pieces of software that are able to (through various means) self-propagate about the Internet. In many cases, computer worms provide various services that we all love and utilize. One such worm is the World Wide Web Worm, which crawls the Internet to pick up data from web pages for categorization and indexing that we later utilize through popular search engines. Other friendly worms work to quickly patch software that is vulnerable to attacks by you guessed it other worms!

However, some worms also do irreparable damage to computers. Many of these worms, which carry malicious payloads, install self-destructive software or a backdoor into the PC. Remote control of infected hosts is often a primary goal of worm writers who seek to crash high-profile websites and services through Denial of Service attacks.

Trojan Horses and Backdoors

A Trojan horse or backdoor is any software that attempts to give a remote user unauthorized access to a host machine or user account. Some backdoors actually serve a legitimate purpose (SSH, for example, might be classified as a backdoor) but in general, the terms backdoor and especially Trojan horse are associated with malicious intent. Some popular Trojan horses include:

BackOrfice NetBus SubSeven VNC (can be used legitimately but also used for unauthorized access in conjunction with a worm)

Quick ReviewWritten by McCya mccya.webs.com Page 23

Security+ study guide1. What is a fundamental difference between a worm and a virus? a. Worms are less destructive b. Worms only act on the lower layers of the OSI model c. Worms do not require user intervention d. Worms are more destructive

2. You notice unusual network traffic on a port number whose function you cannot identify. This is probably the mark of a (an): a. NetBIOS session b. Trojan horse c. Exploit d. Telnet session

3. Which of the following is not true of viruses? a. They tend to carry malicious payloads b. They can be timed to attack c. They destroy hardware and software components of a PC d. They can overwhelm a network

Answers:1. Worms are truly self-propagating as they utilize exploits and other tricks to propagate without the use of user intervention. The answer is C. 2. Trojan horses usually employ unusual port numbers and traffic. The answer is B. 3. All of the choices are true except C, because a virus cannot actually destroy hardware. The answer is C.

Written by McCya


Page 24

Security+ study guide

Implementation of L2TP, a popular tunneling protocol

SSLSSL, or Secure Sockets Layer, is a technology employed to allow for transport-layer security via public-key encryption. What you should know about this for the exam is that SSL is typically employed over HTTP, FTP, and other Application-layer protocols to provide security. HTTPS (HTTP over SSL) is particularly used by web merchants, credit card validation companies, and banks to ensure data security (think: lock icon)

KerberosKerberos is a *Nix (Unix-like) technology that is also being implemented in Microsoft technology to allow for client-server authentication over a network based on a shared key system. Kerberos is a public-key encryption technology and therefore is considered quite modern.

Quick Review1. You wish to implement VPN access so that an attorney can connect to the firms network remotely. Which remote access protocol might you use? a. LDAP b. PPTP c. PPP d. SSL

Written by McCya


Page 25

Security+ study guidee. IPSec 2. A user complains that he cannot access a website because he does not have some protocol enabled. What is this protocol most likely to be? a. FTP b. HTTP over SSL c. FTP over SSL d. PPTP e. VPN

3. Your manager wants to make sure that when he dials in to a faraway corporate network, his connection is very secure and reliable. Which of the following is the most secure and reliable RAS? a. RAS b. PPP c. PPTP d. L2TP e. HTTP

Answers1. Of the choices, only PPTP can be used to implement VPN. Note that IPSec is a feature of IP and not a remote access protocol in its own right, though it is used by L2TP. The answer is B.

2. Websites are typically accessed through the HTTP protocol, so it is likely that the website is SSL-enabled and that he does not have that technology enabled on his client PC. The answer is B.

3. L2TP is most secure as it features both tunneling and encryption, which none of the other protocols listed can provide. The answer is D.

FirewallsWritten by McCya mccya.webs.com Page 26

Security+ study guideAs we continue to skip about in our lesson plans, we have now arrived at the subject of firewalls. Firewalls are one of the most thoroughly misunderstood concepts around in networking and security today. It is your duty to dispel some of the most common misconceptions about firewalls not just for the purpose of passing the Security+ exam but also for the sake of the information security community!

What is a Firewall?A firewall is any hardware or software designed to prevent unwanted network traffic. Some firewalls are simplistic in nature; in fact, many people use NAT devices as firewalls as they do effectively prevent direct incoming connections to hosts behind the NAT. Other firewalls are intricate operations, based on whitelists and blacklists, rules, and alerts. What all firewalls have in common, however, is an ability to block incoming traffic that may be deemed harmful.

Simple diagram of a firewall

Types of FirewallsBecause the definition of a firewall (at least as given above) is somewhat generalized, it is hard to define the general actions and methods of firewalls. Instead, we look at the ways different types of firewalls work. Each type of firewall has abilities, advantages, and drawbacks; to do well on the Security+ exam, you should understand these.

Packet Filtering FirewallA packet filtering firewall polices traffic on the basis of packet headers. IP, UDP, TCP, and even ICMP have enough header information for a packet filtering firewall to make anWritten by McCya mccya.webs.com Page 27

Security+ study guideinformed decision as to whether to accept or reject that packet. You can think of a packet filtering firewall as a bouncer at a party. The bouncer may have a list of people that are allowed to come in (a whitelist) or a list of people to specifically exclude (a blacklist). The bouncer may even check a guests identification to assure that the guest is above 18. Similarly, a packet filtering firewall simply inspects the source and destination of traffic in making a decision on whether to allow the packet to pass through. For example, some traffic may be addressed to a sensitive recipient and would therefore be blocked. A packet filtering firewall can also filter traffic on the basis of port numbers. For example, many companies now block traffic on port 27374 because it is well-known to be a port used by the Trojan horse SubSeven. Note that a packet filtering firewall basically operates through a special ACL (access control list) in which both the white and black list of IP addresses and port numbers are listed. In essence, this firewall operates at the Network and Transport layers of the OSI Model. This model is notable for its simplicity, speed, and transparency however, traffic is not inspected for malicious content. In addition, IP addresses and DNS addresses can be hidden or spoofed, as discussed in the Attacks lesson.

Circuit-Level GatewayA circuit-level gateway is a type of firewall that operates on the Session layer of the OSI model. Instead of inspecting packets by header/source or port information, it instead maintains a connection between two hosts that is approved to be safe. This is something akin to a parent who approves the people that their children can speak with on the phone once they trust those people. In this scenario, the parent does not have to listen into the conversation because they know they can trust the two communicating children. Similarly, a circuit-level gateway establishes a secure connection between two hosts that have been authenticated and trust each other.

Application-Level GatewayAs the name suggests, an application-level gateway operates in the Application layer of the OSI model and actively inspects the contents of packets that are passed through to the gateway. It is for this reason that application-level gateways are considered the most secure as they can actively scan for malformed packets or malicious content. Think of an application-level gateway as the eavesdropping parent. An eavesdropping parent has the most complete knowledge of his or her childs activities because he or she can listen into all of the childs conversations. An application-level gateway does have drawbacks, however, including speed and routing problems. Application-level gateways are notorious for the amount of time it can take to inspect packets. A special kind of application-level gateway is a proxy server, which is a server that serves as the middle man between two hosts that wish to communicate. In the proxy server model, the host wishing to communicate sends a packet to the application-levelWritten by McCya mccya.webs.com Page 28

Security+ study guidegateway (proxy server), which then makes the decision whether to forward the packet to the intended recipient or to deny the request to send the packet.

Quick Review1. Your manager wishes to implement some kind of device that would reject traffic from online gambling sites and other distractions. Which of the following devices would be most effective in achieving this solution? a. Packet Filtering Firewall with NAT b. Circuit-Level Gateway with ESP c. Application-Level Gateway in the form of a Proxy Server d. Circuit-Level Gateway with TLS 2. Which of the following is not a reason to implement a firewall? a. To limit the number of malicious packets sent to the network b. To reduce extraneous traffic that is deemed undesirable c. To limit a particular hosts access to the Internet d. To improve network throughput 3. Which of the following is true of a packet filtering firewall? a. It implements an ACL b. It inspects the contents of packets being filtered c. It does not read the headers d. None of the above

Answers1. Only an application-level gateway can actually inspect the contents of individual packets, so the answer must be C. 2. Although network throughput could ostensibly improve as a result of implementing a firewall, it would not typically be reason to implement one and in most cases, a firewall acts as a bottleneck to network traffic. The answer is D.Written by McCya mccya.webs.com Page 29

Security+ study guide3. In order for a packet filtering firewall to operate, it must have a list of all of the allowable or disallowable hosts to evaluate based on header information. The answer is A.

Networking OverviewIn subsequent chapters of this study guide, we will take a look at different security topologies or ways that networks can be set up with security in mind. Before we can do this, however, we must have a clear understanding of different networking devices and concepts. We will now very briefly describe different key networking components to help you understand how they are related to information security and the exam.

A cartoon-ish network

IP AddressAn IP address is a unique numeric identifier of a host machine within the scope of a TCP/IP network. Public IP addresses are unique and individual to each host in the world, while private IP addresses are often duplicated among different private networks. You can think of a public IP address as a sort of telephone number and the private IP address as a sort of extension system that operates in-house. All IP addresses are formed as four octets separated by a dot: for example, is a commonly-used private IP address.

NATNAT, or Network Address Translation, is a service in which a gateway can allow multiple private hosts to operate under the guise of a single public IP address. One of the implications of NAT is that hosts behind the NAT are effectively hidden from the rest of the Internet, with the NAT acting as a sort of packet filtering firewall.

RouterA router can forward packets of information based on the IP address of the header of the packet. Think of the header of the packet as a sort of shipping label for the packet in which the contents (the package) are contained. A router can quickly examine the shipping label and send it off to the appropriate destination.Written by McCya mccya.webs.com Page 30

Security+ study guide

GatewayA gateway serves as a sort of middle-man between two networks, usually the Internet and a private network. Many routers also serve as gateways, and many gateways have NAT functionality built into them.

MediaThe term media in networking refers to the physical medium of communication that the network utilizes. In many Ethernet networks CAT-5 cabling is employed. In high-speed applications, fiber optic media is used.

Applications and PortsApplications, in the networking sense, refer to specific Application-layer services that hosts provide over specific ports, or gateways into the system. For example, a web server is an application server that provides web pages over the port TCP 80. Other Application servers include FTP, Telnet, SSH, and Media servers.

FirewallA firewall is a device that can selectively filter communications between two hosts. Although we have an entire article dedicated to firewalls, it never hurts to reinforce the concept of what a firewall is for your own extended understanding.

Switch/HubHosts are connected to each other via a switch or a hub. The difference between a switch and a hub is that a hub forwards all packets to all connected hosts whereas a switch forwards packets only to selected recipients, increasing information confidentiality.

DMZ HostA DMZ host is basically a catch-all host for requests on non-configured ports. Through a DMZ host, undesirable network traffic can be sent to single safe host rather than any host that would be in danger from malicious traffic.

Written by McCya


Page 31

Security+ study guide

Quick Review1. Which of the following can be used as a sort of packet filtering firewall? a. Proxy Server b. Switch c. NAT Device d. None of the above 2. Why cant a packet sniffer intercept switched network traffic? a. The packet sniffer can only work in promiscuous mode b. Switched networks direct traffic by MAC address c. The packet sniffer can only work in latent mode d. The port configuration is incorrect

3. Which of the following are not application services or servers? (Choose all that apply) a. Proxy Server b. Email Server c. Web Server d. DMZ Server e. ARP Server f. DHCP Server

Answers:1. Only an NAT device would actually block packets based on headers (the definition of a packet filtering firewall) because an NAT device would categorically block incoming traffic that has not established a session. The answer is C.

2. A switch only forwards traffic to the intended recipient via MAC address (just like a router only forwards traffic to the recipient via IP address), so the answer must be B.Written by McCya mccya.webs.com Page 32

Security+ study guide3. D, E, and F are all non-application servers. DMZ servers are non-existent, and DMZ hosts would nominally operate in the network layer of the OSI model. ARP servers would operate in the Data-Link layer of the OSI model, and DHCP servers would operate in the Network layer of the OSI model.

Symmetric (Private) Key CryptographyIn this lesson we will learn about different symmetric key algorithms and their key features. More importantly, we will learn about some more key concepts related to cryptography as it applies to both symmetric and asymmetric algorithms. Finally, we will learn the advantages and disadvantages of symmetric and asymmetric algorithms. First, lets learn a bit about the differences between block and stream ciphers.

Block v. Stream CiphersThe difference between a block and a stream cipher is rather simple. A block cipher would break up a clear text into fixed-length blocks and then proceed to encrypt those blocks into fixed-length ciphers. Because the blocks are of a fixed length, keys can be re-used, making key management a breeze. Typically, computer software uses block ciphers. Stream ciphers operate on continuous (read: non-discrete) portions of data that arrivesin real time. In other words, stream ciphers work on information bit-by-bit rather than block-by-block. Because the data does not need to broken down, stream ciphers are generally faster than block ciphers, but keys are not re-usable in stream ciphers, making key management a real pain. For this reason, stream ciphers are usually employed at the hardware level.

] End-to-End EncryptionEnd-to-End encryption refers to a situation in which data is encrypted when it is sent and decrypted only by the recipient. Of course, in order for the packets to be routed, the relevant TCP/IP headers must be present and unencrypted on the packet.

Link EncryptionIn Link encryption, every packet is encrypted at every point between two communicating hosts. In this formulation, information sent to one router is encrypted by the host and decrypted by the router, which then re-encrypts the information with a different key and sends it to the next point. Of course, in this formulation, the headers are also encrypted. The obvious drawbacks include speed and vulnerability to man-in-the-middle attacks.Written by McCya mccya.webs.com Page 33

Security+ study guide

Key StrengthA cryptovariable, or key, is the value applied to encrypted or clear text in order to decrypt or encrypt the text. The length of the key, in bits, is usually a good indicator of the strength of the key. A 128-bit key is, for example, much stronger than a 32-bit key.

Symmetric Key CryptographyIn a symmetric key cryptosystem, a single key is used to encrypt and decrypt data between two communicating hosts. In order to break the system, an attacker must either: A) discover the key through trial-and-error, or discover the key during the initial key agreement.

(From Navy) Symmetric Key Encryption Schema Symmetric key protocols are known to be faster and stronger than their asymmetric counterparts but do possess unique disadvantages that we will discuss later. We will now look at some common symmetric algorithms.

DESDES is an outdated 64-bit block cipher that uses a 56-bit key. It is a symmetric algorithm that splits the 64-bit block into two separate blocks under the control of the same key. It is considered highly insecure and unreliable and has been replaced by 3DES.

3DESWritten by McCya mccya.webs.com Page 34

Security+ study guideTriple DES or 3DES is the partial successor to DES but is still considered outdated and slow. It uses three separate 56-bit keys for an effective key length of 168 bits. However, a vulnerability exists that would allow a hacker to reduce the length of the key, reducing the time it would take to crack the key. In addition, 3DES is very slow by todays standards and would not be practical to use in encrypting large files.

AESAES is the true successor to DES and uses a strong algorithm with a strong key. It is based on the Rijndael Block Cipher. The Rijndael Block Cipher can utilize different block and key lengths (including 128, 192, and 256 bit keys) to produce a fast and secure symmetric block cipher. The Twofish algorithm, an alternative to Rijndael, utilizes 128-bit blocks for keys up to 256 bits.

IDEAAll you have to remember about IDEA is that:

PGP uses IDEA to ensure email security, and It operates using 64-bit blocks and a 128-bit key

RC5RSA Security developed RC5, a fast, variable-length, variable-block symmetric cipher. It can accommodate a block size of up to 128 bits and a key up to 2048 bits.

Symmetric v. AsymmetricHere is a quick run-down of the advantages of symmetric and asymmetric algorithms: Symmetric

Faster and easier to implement Lower overhead on system resources


Scalable and does not require much administration Easier for users to usemccya.webs.com Page 35

Written by McCya

Security+ study guide

Quick Review1. Which of the following symmetric ciphers is used in PGP for email security? a. IDEA b. PGP Security c. RC5 d. Blockfish

2. Which of the following is not an advantage of asymmetric algorithms? a. Scalability b. Multiple functionality c. Speed d. Provides confidentiality and authentication 3. Why is DES considered insecure? a. Buffer overflow exploit b. Man-in-the-middle attack potential c. Weak key length d. All of the above

Answers1. PGP (Pretty Good Privacy) uses IDEA for encryption. The answer is A. 2. Although asymmetric algorithms can be fast, they are generally slower than their symmetric counterparts, making Speed an issue for these algorithms. The answer is C. 3. DES is insecure because its key length is so short (56 bits). The answer is C.

Public Key CryptographyWritten by McCya mccya.webs.com Page 36

Security+ study guidePublic Key Cryptography is a widely-applied form of cryptography commonly utilized in many network transactions. The Security+ exam will test you on your both your understanding of how public key systems work as well as your ability to discern between different types of public key algorithms. The exam will also cover PKI, or public-key infrastructure.

The workings of Public Key CryptographyUnlike private key systems, in which two communicating users share a secret key for encryption and decryption, public key systems utilize widely-available and unique public keys, as well as private keys, to securely transmit confidential data. Heres how a public key transaction works: Assume we have two users, Pat and Jill, and that Pat wishes to send Jill a secret love note. Pat encrypts the love note using Jills public key. The message is sent via email to Jill. Jill then can read the message by decrypting the message with her private key. Note that in order for this transaction to take place, only Jill has to know her private key. This is the beauty of a public key (or asymmetric) system. Through this transaction, known as secure message format, the confidentiality of the message is assured: only Jill can read it! Public-key cryptography can also be applied to validate the authenticity of a message. In this formulation, Pat would send Jill a message using his private key (therefore encrypting the message). To read the message, Jill would use Pats public key. In doing so, Jill has affirmed that the message was in fact sent by Pat. This is known as open message format. In order to ensure both information authenticity and confidentiality, signed and secure message format may be employed. Extending the love note example, Pat would first encrypt the message with Jills public key and then encrypt that encrypted message with his own private key. When the message is sent to Jill, she can use Pats public key to verify the message was indeed from Pat. But the message is still encrypted! To overcome this, she can use her own private key to decrypt the message.

(From Navy) Public Key SchemaWritten by McCya mccya.webs.com Page 37

Security+ study guide

Public Key Protocols

RSA is an asymmetric key transport protocol that can be used to transmit private keys between hosts. The algorithm utilizes large prime numbers for effectiveness. The process can be explained very simply Pat encrypts the private key with Jills public key, and Jill decrypts the message with her private key to reveal the private key. Diffie-Hellman is a key agreement protocol that can be used to exchange keys. It uses logarithms to ensure security in the algorithm. In the Diffie-Hellman operation, Pat and Jill each use their own private keys with the public key of the other person to create a shared secret key. Note that Diffie-Hellman is vulnerable to man-in-themiddle attacks. El Gamal is an extension of Diffie-Hellman that includes encryption and digital signatures.

Message DigestingA message digest is something of an unreadable, condensed version of a message. More specifically, a message digest utilizes a one-way hash function to calculate a set-length version of a message that cannot be deciphered into clear text. Message digests are usually employed in situations in which it would be undesirable to be able to decrypt the message. One such application is in modern username/password systems, in which the password is stored using a hash function or digest. After the password has been hashed, it cannot be unhashed. When a user attempts to login with a password, the password he types is also hashed so that the two hashes (rather than the two passwords) are compared against each other. Note that the hash assumes that a hashed value cannot be deciphered and that no two messages will produce the same hash.

Hashing Protocols

MD5 is the most commonly-used hash protocol and uses a 128-bit digest. It is very fast in hashing a message and is also open-source. SHA-1 is a more secure implementation of a hashing protocol that uses a 160-bit digest and pads a message to create a more difficult-to-decipher hash.

Quick Review1. Which of the following ensures message confidentiality, but not authenticity? a. Secure message format b. Open message format c. Signed and secure message format

Written by McCya


Page 38

Security+ study guided. Symmetric cryptography

2. Which of the following is not an asymmetric protocol? a. Diffie-Hellman b. El Gamal c. 3DES d. RSA

3. Why is a hash more difficult to decipher than a standard encryption protocol? a. It is a one-way function b. It uses strong encryption techniques c. It uses large prime numbers d. It uses discrete logarithms

Answers1. Secure message format works by encrypting a message with the public key of the intended recipient, ensuring confidentiality but not integrity. The answer is A.

2. 3DES is the only listed protocol that does not utilize a public key system. The answer is C.

3. Because a hash is a one-way function, the only way to decipher it is to try a large number of hashes of cleartext until one matches the original hash. The answer is A.

Organizational SecurityThus far, we have learned the tough stuff the technically-oriented portions of the exam. We havent finished learning all of the technical items yet, either! However, we will take a short break from the technical aspects of the exam to take a look at organizational security, a relatively simple and common-sense portion of the exam you should do quite well on.

Written by McCya


Page 39

Security+ study guide

Physical SecurityPhysical security refers to the aspects of information security that are related to physical threats, such as fire or natural disasters. We will cover some basic physical security threats below:

] FireRemember that fire needs heat, oxygen, and fuel to burn. Also remember that there are four classes of fires:

A, which includes common combustibles B, which includes burnable fuels C, which includes electronics D, which includes chemical and other fires

There are also three common methods of fire detection:

Heat-sensing, which detects fires by temperature Flame-sensing, which detects fires by the flicker of a flame or infrared detection Smoke-sensing, which detects fires by variations in light intensity or presence of CO2

There are also a number of different systems to suppress fire:

Water: Traditional method and effective against Class A fires CO2: Suppresses by removing O2 element. Useful against Class B and C fires Soda acid: Combination of chemicals used to eliminate Class A, B fires

Written by McCya


Page 40

Security+ study guide

Halon: Useful against A,B, and C fires but illegal by Montreal Protocol (ozone depleting)

HVACYou should note that HVAC (heating, ventilation, and air conditioning) simply refers to the typical environmental controls that we would call air conditioning. For the purposes of the exam, you should use common sense and note that:

High temperatures can cause computer equipment, especially processors, to overheat and perform poorly High humidity can cause corrosion in equipment due to water damage Low humidity creates an environment suited for too much static electricity (ESD)

Electricity and PowerRemember that electrical power originates from a utility substation or a power grid and that it would be to your best interest to have access to electric distribution panels (circuit breakers and so forth). Also note some of the following information on electric power:

EPO (Emergency power-off) switches are used to shut down power immediately Backup power sources can be used to ensure continuity in the case of a disaster Backup sources should be used in critical applications, such as servers and physical access equipment

ESD is also covered on the exam, so you should know that:

ESD is electrostatic discharge, a convoluted term for static electricity build-up and release ESD can be prevented by 40 to 60 percent humidity levels, grounding, and antistatic floor mats (and other antistatic material)

Electric noise is the crossover or interference that occurs in electrical wires due to highenergy electrons crossing over into another wire or signal. To avoid this, you should:

Use power line conditioners and surge protectors Grounding and shielded cabling

Business Continuity and Disaster Recovery PlanningThe idea of business continuity revolves around the premise that your business should continue to operate in the face of a disaster. Disaster recovery planning, in contrast, is related to the effort to recover infrastructure that fails as the result of a disaster.

Written by McCya


Page 41

Security+ study guide

Quick Review1. Which of the following fires can be put out easily with water? a. Class A b. Class B c. Class C d. Class D

2. Which of the following conditions would have little effect on the ability for systems to continue functioning? a. 80% humidity b. 15% humidity c. -10 degrees Celsius temperature d. 100 degrees Celsius temperature e. 0% humidity

3. Which of the following should be included in a BCP (business continuity plan)? a. How information on servers that come down will later be retrieved b. How to salvage existing equipment c. How to shift the load of processing to backup emergency servers d. How to mitigate the risk of a network attack

Answers1. Only Class A fires can be effectively extinguished with water. The answer is A.

2. While mild humidity, dryness, or high temperatures can result in equipment failure, slightly uncomfortable low temperatures will rarely result in equipment failure. The answer is C.

3. Answers A and B are concerned with how to recover assets that had been lost after theWritten by McCya mccya.webs.com Page 42

Security+ study guidedisaster. Answer D is not concerned with continuity planning, but rather, risk mitigation. The answer is C.

Email and Application SecuritySome of the Security+ exam will test you on your knowledge of some basic email, Internet, and application security issues. Although the amount of detail of knowledge that is required is quite minimal, you must still have a working knowledge of some simple email and application security concepts.

Email SecurityEmail is a wonderful tool, no doubt, but it is not without security issues. Typical email configurations allow for senders of email to spoof their addresses and send email messages in plain text. Even worse, it is difficult for a recipient of an email to verify that the sender is actually who sent the message! Thankfully, we have a few security tools at our disposal to ensure confidentiality (through encryption) and integrity (through encryption, digital signatures, and strong passwords). Here are some of those tools:

S/MIME, or Secure Multipurpose Internet Mail Extensions, provides basic cryptographic services for email sent via the Internet. Most popular browsers and email clients support S/MIME, making it among the more popular cryptographic email security services available. MOSS, or MIME Object Security Services, is a less-common, more extensive suite of security services for email. PEM, or Privacy Enhanced Mail, provides 3DES encryption for email. PGP, or Pretty Good Privacy, is an open-source and extremely popular email security suite that uses IDEA to encrypt email and validate signatures.

Email also has a few security vulnerabilities:

Spam is one of the most commonly mentioned nuisances, but did you know it is actually considered a security threat? By clogging the email server, widespread spam denies to the user availability, a key component of the CIA triangle. Some spam solutions include user education, email filtering, and reporting of Spam to the proper authorities (where necessitated by law)mccya.webs.com Page 43

Written by McCya

Security+ study guide

Open relays are email servers that forward email without any kind of authentication. In other words, open relays allow malicious users to send bulk email without logging into an email server. A good email security setup always includes a non-open relay server (or authenticated relay server). Malicious Software: Obviously, viruses and worms are a large problem. Many propagate via email messages that are automatically sent by infected hosts. One of the more common solutions is to virus scan and filter incoming email.

Internet SecurityThe Internet can be a dangerous place, and so, we are interested in protecting users from malicious web sites (with browser scripts) as well as protecting the information that users send to web sites.

SSL is a connection-oriented standard designed to allow for secure cryptographic communication between two hosts via the Internet. TLS is the newest version of SSL. S-HTTP is a connectionless standard that provides for symmetric encryption, message digests, and client-server authentication. Browser Scripts/Vulnerabilities are controls, scripts, programs, or other software that can run from the browser and cause damage to a host. In particular, ActiveX controls are well-known for their often malicious content. The best way to protect against browser buffer overflows is to remain vigilant and updated on the latest patches.

Quick Review1. Which of the following is not a program or tool used to ensure email security? a. S/MIME b. MOSS c. SSH d. PGP

2. You notice that many users are complaining that their emails are being rejected by the servers that they send the emails to. You also notice that the reason that they are being rejected is because those servers have supposedly received bulk email from your domain. Assuming that your users are innocent of spamming others, the most likely cause of this is: a. A man-in-the-middle attack is changing all of the users messages to spam b. A spoof attack is falsely identifying the emails as originating from your domain name

Written by McCya


Page 44

Security+ study guidec. A worm has spread to your network d. Your email server is configured for open relay

3. Which of the following is least likely to be associated with browser security? a. ActiveX controls b. Javascripts c. Birthday attacks d. Buffer overflows e. Malicious CGI code

Answers1. SSH is used to maintain a secure remote access connection between two hosts. The answer is C.

2. Although choices A, B, and C are theoretically possible, they are unlikely. It would be cumbersome and counter-intuitive to an attacker to change every email message sent; if he had the ability to do this, he would just send his own messages. Similarly, although a spoof attack is possible, it would be difficult for the attacker to spoof his IP address without the use of a proxy; unless your server is a proxy server, he probably would not target your domain name. Finally, a worm might have spread to your network, but most worms do not send out unsolicited bulk (junk) email. The answer is D, because in most cases, open relays lead to spam and bulk email.

3. Birthday attacks are related to probability and therefore unlikely to be associated with browser security. The answer is C

Security TopologiesOne of the most essential portions of information security is the design and topology of secure networks. What exactly do we mean by topology? Usually, a geographic diagram of a network comes to mind. However, in networking, topologies are not related to the physical arrangement of equipment, but rather, to the logical connections that act between the different gateways, routers, and servers. We will take a closer look at some common security topologies.

Screening RouterWritten by McCya mccya.webs.com Page 45

Security+ study guideIn a screening router setup, the router acts as the sole gateway and gatekeeper between the un-trusted, outside network (i.e. the Internet) and the trusted network (i.e. LAN). The router maintains sole discretion on which traffic to allow in by implementing an ACL, or access control list. The router in this setup, which blocks traffic based on source, destination, and other header information, is analogous to Saint Peter, who acts as the gatekeeper into Heaven. Some of the advantages of screening routers include their transparency and simplicity. However, in the screening router setup, the router is the sole point of failure and depends heavily on the administrator to maintain a favorable ACL. Also, a screening router has difficulty in masking internal network structure.

Dual-Homed GatewayThe dual-home gateway is a screening router setup that implements a bastion host between the screening (external) router and the trusted network. A bastion host is a host that is configured to withstand most attacks and can additionally function as a proxy server. By adding the bastion host, no direct communication exists between the external network and the trusted network, masking the internal network structure and allowing for traffic to be screened twice. It is considered fail-safe in that if one of the components (bastion host, router) fails, the security system remains available. However, it is cumbersome and rather slow in comparison to other topologies.

Screened Host GatewayA screen host gateway is essentially a dual-homed gateway in which outbound traffic (from trusted to un-trusted) can move unrestricted. Incoming traffic must first be screened and then sent to the bastion host, like in a dual-homed gateway. This is a less secure but more transparent system than dual-homed gateway.


Written by McCya


Page 46

Security+ study guide

A screened-subnet setup works to employ a bastion host between two screening routers. What this provides is a special zone for publicly available services (around the bastion host) and transparent access for users on the trusted network. The zone around the bastion host that operates publicly and whose traffic to the trusted network is screened is known as a DMZ zone; for this reason, bastion hosts are sometimes referred to as DMZ hosts. Remember for the exam that a DMZ host would always be well-secured, just like a bastion host would be.

IDSAn intrusion detection system, or IDS, can track or detect a possible malicious attack on a network. For the exam, you will have to know about some division of IDS classifications:

Active v. Passive IDS: An active IDS will attempt to thwart any kind of detected attacks without user intervention. A passive IDS simply monitors for malicious activity and then alerts the operator to act, or in other words, requires their intervention. Passive IDS is less susceptible to attacks on the IDS system as it does not automatically act. Network v. Host IDS: A network-based IDS is one that operates as its own node on a network, while host-based IDS systems require agents to be installed on every protected host.* Knowledge v. Behavior IDS: A knowledge-based IDS works by assessing network traffic and comparing it with known malicious signatures, much like antivirus software. A behavior-based IDS analyzes baselines or normal conditions of network traffic; it then compares them to possibly malicious levels of traffic. Note that this type of IDS produces more false alarms.

Written by McCya


Page 47

Security+ study guide

HoneypotA honeypot is designed to lure attackers or malicious users into attempting an attack on a fictional or purposefully-weak host and then recording the patterns of their activity or the source of the attack. A honeypot can also act as bait for the rest of the network by luring attackers to an easy target.

Quick Review1. Which of the following topologies features a demilitarized zone or DMZ? a. Active IDS b. Passive IDS c. Dual-Homed Gateway d. Screened-Subnet

2. Why would behavior-based IDS require less maintenance than knowledge-based IDS? a. Behavior-based systems necessarily work without user intervention b. Knowledge-based IDS can only work on a screened-subnet or screened host gateway topology. c. No DMZ host is required in a behavior-based IDS d. Behavior-based systems do not require signatures or libraries of attacks

3. Your company wishes to implement a web server, email server, and voice-over-IP server that are accessible to the rest of the Internet. However, it wants to ensure that the structure and hosts within the rest of the network are totally protected from outside access. Which of the following setups would provide this functionality? a. Dual-Homed Gateway b. Screened Host Gateway c. Screening Router d. Screened-Subnet

Written by McCya


Page 48

Security+ study guide

Answers1. The screened-subnet topology features a DMZ between two screening routers, effectively isolating the publicly-accessible zone from the rest of the trusted network. The answer is D.

2. Because behavior-based systems compare baseline use levels to current or potentially malicious levels, they do not require signatures of libraries, decreasing the amount of active administrator maintenance that is required. The answer is D.

3. A screened-subnet gateway provides a protected zone for public services. The answer is D.

Written by McCya


Page 49

Security+ study guide

Security+ Study Guide ReviewWe would like to wrap up some of the points that weve covered previously and introduce you to the kinds of questions that you will encounter on the real Security+ examination. Therefore, this review will feature questions that are sure to have you thinking; hopefully, you will be prepared from reading the guide to do well.

Questions1. Your manager asks you to implement a system that can filter out unwanted content, such as viruses and unproductive Internet content. The best way to accomplish this would be through a system that implements a: a. Circuit-level gateway b. Proxy server c. Packet filtering firewall d. DMZ host e. Bastion host

2. Which of the following is the function of PGP? a. Filter unwanted Internet traffic b. Create a buffered security zone c. Provide access control functionality d. Boot a *Nix server that is not operational as the result of an attack e. Provide message encryption services

3. How do mandatory access controls protect access to restricted resources? a. Sensitivity labeling b. User-level share permissions c. Server-level share permissions d. Role-oriented permissions e. ACL listsWritten by McCya mccya.webs.com Page 50

Security+ study guide4. You notice a rapid increase in the number of ICMP requests coming from a single host. The requests are continuous and have been occurring for minutes. What kind of attack are you likely experiencing? a. Ping flood b. Smurf c. Birthday d. Buffer overflow e. You are not experiencing an attack

5. Your company requires secure remote access through a terminal to a server. Which of the following would provide such secure access? a. Telnet b. SSH c. FTP d. SSL e. Ethernet

6. Which of the following is an advantage of symmetric-key cryptography in comparison to asymmetric-key cryptography? a. Symmetric keys are stronger than asymmetric keys b. Symmetric key systems are more scalable than asymmetric systems c. Symmetric key systems are faster than their asymmetric counterparts d. Symmetric key systems can operate in more than layers of the OSI model than can asymmetric systems e. None of the above

7. Which of the following is not a way that IDS systems are commonly classified? a. Active b. PassiveWritten by McCya mccya.webs.com Page 51

Security+ study guidec. Latent d. Knowledge-based e. Behavior-based

8. Which of the following provides tunneling over the data-link layer? a. IPSec b. L2TP c. PPP d. PPTP e. VPN

9. Which of the following authentication factors is considered the strongest? a. Type 1 b. Type 2 c. Type 3 d. Type 4 e. Type 5

10. You setup a packet-filtering firewall that accepts or rejects traffic based on the IP address of the source. What kind of attack is this firewall specifically vulnerable to? a. Buffer overflow b. Man-in-the-Middle attack c. Smurfing d. Spoofing e. Distributed denial of service

11. Your manager complains that he cannot remember his password. You have also lost your copy of the password, but the MD5 hash of the password is stored in the database. How can you use the MD5 hash to recover the password?Written by McCya mccya.webs.com Page 52

Security+ study guidea. Decrypt the hash using a shared secret key b. Decrypt the hash using a public encryption system c. Encrypt the hash using a shared secret key d. Encrypt the hash of the hash using a shared secret key e. You cannot recover the password from the hash

12. Which of the following parts of the CIA triangle are effectively ensured by cryptography? a. Confidentiality Only b. Integrity Only c. Accessibility Only d. Accessibility and Integrity Only e. Confidentiality and Integrity Only

13. Which