Are you taking the Security+ exam within the next two weeks? Here is a Last Minute Cram guide I wrote based on Darril Gibson’s Security+ book that will help you pass the exam. Don’t forget to look at the charts at the bottom:

DARRIL GIBSON SECURITY+ 401 SUMMARY

Chapter 1 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Understanding Core Security Goals

  • Confidentiality ensures that data is only viewable by authorized users. Encryption is the best choice to provide confidentiality. Access controls and steganography (hiding data inside other data) also protect the confidentiality of data.
  • Integrity provides assurances that data has not been modified, tampered with, or corrupted through unauthorized or unintended changes. Data can be a message, a file, or data within a database. Hashing is a common method of ensuring integrity.
  • Non-repudiation prevents entities from denying they took an action. Digital signatures and audit logs provide non-repudiation. Digital signatures also provide integrity for files and email.
  • Availability ensures that data and services are available when needed. A common goal is to remove single points of failure. Methods used to increase or maintain availability include fault tolerance, failover clusters, load balancing, backups, virtualization, HVAC systems, and generators.
  • Safety includes the safety of resources using physical security methods, such as fencing, lighting, door locks, and CCTV systems. It also includes the safety of personnel and can include escape plans, escape routes, and drills. Testing ensures these methods work as expected. Some electronic doors fail in an open state to ensure personnel safety.
  • Layered security (or defense in depth) employs multiple layers of security to protect against threats. As an example, a firewall, an intrusion detection system, content filtering, and antivirus software provide multiple layers of protection. Security and IT professionals constantly monitor, update, add to, and improve existing security controls.

Introducing Basic Risk Concepts

  • Risk is the possibility of a threat exploiting a vulnerability and resulting in a loss.
  • A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
  • A vulnerability is a weakness. It can be a weakness in the hardware, software, configuration, or users operating the system.
  • Risk mitigation reduces risk by reducing the chances that a threat will exploit a vulnerability or by reducing the impact of the risk.
  • Security controls reduce risks. For example, antivirus software is a security control that reduces the risk of malware infection.

Exploring Authentication Concepts

  • Authentication allows entities to prove their identity by using credentials known to another entity.
  • Identification occurs when a user claims or professes an identity, such as with a username, an email address, a PIV card, or by using biometrics.
  • Authentication occurs when an entity provides proof of an identity (such as a password). A second identity is the authenticator and it verifies the authentication.
  • Authorization provides access to resources based on a proven identity.
  • Five factors of authentication are:
    • Something you know, such as a username and password
    • Something you have, such as a smart card, CAC, PIV, or a token
    • Something you are, using biometrics, such as fingerprints or retina scans
    • Somewhere you are, such as your location using geolocation technologies
    • Something you do, such as gestures on a touch screen
  • The something you know factor typically refers to a shared secret, such as a password or a PIN. This is the least secure form of authentication.
  • Passwords should be strong and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least eight characters long.
  • Administrators should verify a user’s identity before resetting the user’s password. When resetting passwords manually, administrators should configure them as temporary passwords that expire after the first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.
  • Account lockout policies lock out an account after a user enters an incorrect password too many times.
  • Smart cards are credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.
  • Common Access Cards (CACs) and Personal Identity Verification (PIV) cards can be used as photo IDs and as smart cards (both identification and authentication).
  • Tokens (or key fobs) display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection.
  • HOTP and TOTP are open source standards used to create one-time-use passwords. HOTP creates a one-time-use password that does not expire and TOTP creates a one-time password that expires after 30 seconds.
  • Biometric methods are the most difficult to falsify. Physical methods include fingerprints, retina scans, iris scans, and palm scans. Biometric methods can also be used for identification.
  • Single-factor authentication includes one or more authentication methods in the same factor, such as a PIN and a password. Dual-factor (or two-factor) authentication uses two factors of authentication, such as a USB token and a PIN. Multifactor authentication uses two or more factors. Multifactor authentication is stronger than any form of single-factor authentication.
  • Authentication methods using two or more methods in the same factor are single-factor authentication. For example, a password and a PIN are both in the something you know factor, so they only provide single-factor authentication.
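The HOTP/TOTP bullet above is the one place in this chapter where the mechanism is small enough to show end to end. The following is an added example (not from Gibson's book): HOTP per RFC 4226 and TOTP per RFC 6238, plus the server-side checks that give HOTP its "does not expire until the counter advances" and TOTP its "expires after 30 seconds" behaviour. The secret is the RFC 4226 test key; 6-digit codes, HMAC-SHA1 and a 30-second step are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 test-vector key "12345678901234567890".
# Assumptions (not from the summary): 6-digit codes, HMAC-SHA1, 30-second TOTP step.
SECRET = b"12345678901234567890"
DIGITS = 6
TOTP_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits. The code never expires
    by itself; it is invalidated only when the counter moves past it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step, so the
    code changes every `step` seconds (30 in the summary)."""
    return hotp(secret, at_time // step, digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 3):
    """Server-side HOTP check. Only counters *after* the last one the server has
    seen (within a small look-ahead window) are accepted, so a captured code
    cannot be replayed. Returns the new counter to store, or None on failure."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = TOTP_STEP, skew: int = 1) -> bool:
    """Server-side TOTP check allowing `skew` steps either side for clock drift.
    A code outside that window is rejected: this is the 'expires' behaviour."""
    current = at_time // step
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("HOTP counter 0:", hotp(SECRET, 0))
    code = totp(SECRET, now)
    print("TOTP now:", code, "valid:", verify_totp(SECRET, code, now))
```

The asserted values below are the published RFC 4226/6238 test vectors for this key, truncated to six digits.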

Comparing Authentication Services

  • Password Authentication Protocol (PAP) uses a password or PIN for authentication. A significant weakness is that PAP sends passwords across a network in cleartext.
  • Challenge Handshake Authentication Protocol (CHAP) is more secure than PAP and uses a handshake process when authenticating clients. Both PAP and CHAP use PPP.
  • Kerberos is a network authentication protocol using tickets issued by a KDC or TGT server. If a ticket-granting ticket expires, the user may not be able to access resources. Microsoft Active Directory domains and Unix realms use Kerberos for authentication.
  • LDAP specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain or Unix realm. The following is an example of an LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
  • Secure LDAP encrypts transmissions with SSL or TLS.
  • Single sign-on (SSO) allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.
  • SSO can be used to provide central authentication with a federated database and use this authentication in an environment with different operating systems (nonhomogeneous environment).
  • SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML is used with web-based applications.

Authenticating RAS Clients

  • Remote access authentication is used when a user accesses a private network from a remote location, such as with a dial-up connection or a VPN connection.
  • PAP sends passwords in cleartext.
  • CHAP uses a challenge response authentication process.
  • MS-CHAP and MS-CHAPv2 are the Microsoft improvements over CHAP. MS-CHAPv2 provides mutual authentication.
  • RADIUS provides central authentication for multiple remote access services. RADIUS relies on the use of shared secrets and only encrypts the password during the authentication process. It uses UDP.
  • Diameter is an improvement over RADIUS and it supports EAP. Diameter uses TCP.
  • XTACACS is a legacy protocol that is rarely used today.
  • TACACS+ is used by some Cisco remote access systems as an alternative to RADIUS.
  • TACACS+ uses TCP, encrypts the entire authentication process, and supports multiple challenges and responses.
  • RADIUS, Diameter, and TACACS+ are all authentication, authorization, and accounting (AAA) protocols.

Chapter 2 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Understanding Basic Control Types

  • The three primary security control types are technical (implemented with technology), management (using administrative methods), and operational (for day-to-day operations).
  • A technical control is one that uses technology to reduce vulnerabilities. Encryption, antivirus software, IDSs, firewalls, and the principle of least privilege are technical controls.
  • Management controls are primarily administrative and include items such as risk and vulnerability assessments.
  • Operational controls help ensure that day-to-day operations of an organization comply with their overall security plan. Some examples include security awareness and training, configuration management, and change management.
  • Preventive controls attempt to prevent security incidents. Examples include system hardening, user training, guards, change management, and account disablement policies.
  • Detective controls attempt to detect when a vulnerability has been exploited. Examples include log monitoring, trend analysis, security audits (such as a periodic review of user rights), video surveillance systems, and motion detection systems.
  • Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Examples include active intrusion detection systems, backups, and system recovery plans.
  • Deterrent controls attempt to prevent incidents by discouraging threats.
  • Compensating controls are alternative controls used when it isn’t feasible or possible to use the primary control.

Comparing Physical Security Controls

  • Door access control systems should allow personnel to exit without any form of authentication, especially if the systems lose power such as during a fire. Controlled areas such as data centers and server rooms should only have a single entrance and exit point.
  • Cipher locks require users to enter a code to open doors. Shoulder surfers can discover the code by watching users enter it, and uneducated users might give out the code to unauthorized personnel. Training reduces these risks.
  • A proximity card can electronically unlock a door and helps prevent unauthorized personnel from entering a secure area. By themselves, proximity cards do not identify and authenticate users. Some systems combine proximity cards with PINs for identification and authentication.
  • Tailgating occurs when one user follows closely behind another user without using credentials. A mantrap can prevent tailgating. Security guards should be especially vigilant to watch for tailgating in high-traffic areas.
  • Security guards are a preventive physical security control and they can prevent unauthorized personnel from entering a secure area. A benefit of guards is that they can recognize people and compare an individual’s picture ID for people they don’t recognize.
  • Closed-circuit television (CCTV) systems provide video surveillance. They provide reliable proof of a person’s identity and activity, and can be used to identify individuals entering and exiting secure areas.
  • Barricades provide stronger physical security than fences and attempt to deter attackers.
  • Bollards are effective barricades that allow people through, but block vehicles.
  • Physical security also includes basic locks. Cable locks secure mobile computers such as laptop computers in a training lab. Server bays include locking cabinets as an additional security measure within a server room. Small devices can be stored in safes or locking office cabinets to prevent the theft of unused resources.

Implementing Logical Access Controls

  • The principle of least privilege is a technical control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
  • Group Policy manages users and computers in a domain, and it is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.
  • Password policies provide a technical means to ensure users employ secure password practices:
    • Password length specifies the minimum number of characters in the password.
    • Password complexity ensures passwords are complex and include at least three of the four character types, such as special characters.
    • Password history remembers past passwords and prevents users from reusing passwords.
    • Minimum password age is used with password history to prevent users from changing their password repeatedly to get back to the original password.
    • Maximum password age or password expiration forces users to change their password periodically. When administrators reset user passwords, the password should be immediately expired.
  • Password policies should apply to any entity using a password. This includes user accounts and accounts used by services and applications. Applications with internally created passwords should still adhere to the organization’s password policy.
  • An account disablement policy ensures that inactive accounts are disabled. Accounts for employees who either resign or are terminated should be disabled as soon as possible. Configuring expiration dates on temporary accounts ensures they are disabled automatically.
  • Time restrictions can prevent users from logging on or accessing network resources during specific hours.
  • Account logon events include when a user logs on locally, and when the user accesses a resource such as a server over the network. These events are logged and can be monitored.
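The password policy settings listed above interact (history needs minimum age to be effective, and an admin reset must be expired at once). This added example, which is not code from the book, implements those settings as one password-change check. The concrete numbers other than the summary's 8 characters and "three of four character types" are assumptions, as is the PBKDF2 round count.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values. 8 characters and 3 of 4 character classes come from the summary;
# history depth, ages and the PBKDF2 round count are constructed for this example.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
HISTORY_SIZE = 24
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    history: list = field(default_factory=list)  # newest first: (salt, hash)
    last_changed: datetime = None
    must_change: bool = False  # set by an admin reset: expires the password on first use


def _hash(password: str, salt: bytes) -> bytes:
    # Store only salted hashes so the history itself is not a list of old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) are present."""
    count = sum(any(c in cls for c in password)
                for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits))
    if any(c not in string.ascii_letters + string.digits for c in password):
        count += 1
    return count


def in_history(account: Account, password: str) -> bool:
    return any(hmac.compare_digest(_hash(password, salt), stored)
               for salt, stored in account.history)


def check_change(account: Account, new_password: str, now: datetime):
    """Return None if the change is allowed, otherwise the policy rule that rejects it."""
    # Minimum age stops users cycling through history back to the old password,
    # but a temporary (admin-reset) password must be changeable immediately.
    if (account.last_changed is not None and not account.must_change
            and now - account.last_changed < MIN_AGE):
        return "minimum password age not reached"
    if len(new_password) < MIN_LENGTH:
        return "too short"
    if character_classes(new_password) < REQUIRED_CLASSES:
        return "not complex enough"
    if in_history(account, new_password):
        return "password reused"
    return None


def set_password(account: Account, password: str, now: datetime, temporary: bool = False):
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(password, salt)))
    del account.history[HISTORY_SIZE:]  # keep only the most recent N
    account.last_changed = now
    account.must_change = temporary


def change_password(account: Account, new_password: str, now: datetime):
    reason = check_change(account, new_password, now)
    if reason is None:
        set_password(account, new_password, now)
    return reason


def admin_reset(account: Account, temp_password: str, now: datetime):
    """Manual reset: the temporary password is expired immediately (must_change)."""
    set_password(account, temp_password, now, temporary=True)


def change_required(account: Account, now: datetime) -> bool:
    """Maximum age (expiration) or a pending temporary password forces a change."""
    return (account.must_change or account.last_changed is None
            or now - account.last_changed >= MAX_AGE)
```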

Comparing Access Control Models

  • The role-based access control (role-BAC) model uses roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks. A matrix matching job titles with required privileges is useful as a planning document when using role-BAC.
  • Group-based privileges are a form of role-BAC. Administrators create groups, add users to the groups, and then assign permissions to the groups. This simplifies administration because administrators do not have to assign permissions to users individually.
  • The rule-based access control (rule-BAC) model is based on a set of approved instructions, such as ACL rules in a firewall. Some rule-BAC implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.
  • In the discretionary access control (DAC) model, every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft NTFS uses the DAC model, with every object having a discretionary access control list (DACL). The DACL identifies who has access and what access they are granted. A major flaw of the DAC model is its susceptibility to Trojan horses.
  • Mandatory access control (MAC) uses security or sensitivity labels to identify objects (what you’ll secure) and subjects (users). It is often used when access needs to be restricted based on a need to know. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice to specify the upper and lower security boundaries.
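To make the MAC lattice concrete, here is an added example (not from the book) of labels built from an ordered sensitivity level plus need-to-know compartments, with the dominance relation, a read check, and the lattice join/meet that give the upper and lower boundaries. The level names, the compartments and the Bell-LaPadula-style no-write-down rule are assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed label scheme: ordered clearance levels plus unordered need-to-know
# compartments. Two labels are comparable only when one dominates the other.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level}")


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's and it holds every
    compartment b has. This partial order is what forms the lattice."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Read requires need to know: the subject's label must dominate the object's.
    A Top Secret clearance without the compartment is still refused."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write is allowed only to objects at or above the subject, so information
    never flows to a lower label (Bell-LaPadula '*-property', assumed here)."""
    return dominates(obj, subject)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both (upper boundary)."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both dominate (lower boundary)."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.compartments & b.compartments)
```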

Chapter 3 Exam Topic Review

Reviewing Basic Networking Concepts

  • TCP and UDP default ports identify specific protocols.
  • ARP resolves MAC addresses to IPv4 addresses. NDP performs similar functions on IPv6.
  • Several encryption protocols encrypt data in transit to protect its confidentiality. They include SSH, FTPS, SFTP, SCP, IPsec, SSL, and TLS.
  • SSH uses TCP port 22. SSH encrypts SFTP traffic, SCP traffic, and TCP Wrappers. SSH uses port 22 when encrypting other protocols.
  • SSL and TLS can encrypt many protocols, including HTTPS, SMTP, and LDAP. They both utilize certificates. TLS is the designated replacement for SSL.
  • HTTP uses port 80 for web traffic. HTTPS encrypts HTTP traffic in transit, and uses port 443.
  • FTP can upload and download large files and it uses TCP port 20 for data and TCP port 21 for control signals. It can be secured with SSH (as SFTP) or with SSL (as FTPS).
  • Telnet uses TCP port 23. SSH is a more secure alternative than Telnet.
  • SNMP is used to monitor and configure network devices and uses notification messages known as traps. SNMP uses UDP ports 161 and 162.
  • NetBIOS uses ports 137–139. Kerberos uses UDP port 88.
  • Microsoft SQL Server is database software and it uses port 1433.
  • RDP is used to remotely connect to systems and it uses port 3389.
  • SMTP sends email using TCP port 25. POP3 receives email using TCP port 110. IMAP4 uses TCP port 143.
  • IPv6 uses 128-bit addresses and is displayed as eight groups of hexadecimal characters. It provides a significantly larger address space than IPv4 and natively supports IPsec.
  • DNS zones include A records for IPv4 addresses and AAAA records for IPv6 addresses. Zone data is updated with zone transfers and secure zone transfers help prevent unauthorized access to zone data. DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. Most Internet-based DNS servers run BIND software on Linux or Unix servers.

Understanding Basic Network Devices

  • Switches are used for network connectivity and they map MAC addresses to physical ports.
  • Loop protection protects against switching loop problems, such as when a user connects two switch ports together with a cable. Spanning Tree Protocols protect against switching loops.
  • VLANs can logically separate computers or logically group computers regardless of their physical location.
  • Port security limits access to switch ports. It includes limiting the number of MAC addresses per port and disabling unused ports. You can also manually map each port to a specific MAC address or group of addresses.
  • An 802.1x server provides stronger port security with port-based authentication. It prevents rogue devices from connecting to a network, by ensuring that only authorized clients can connect.
  • Implicit deny indicates that unless something is explicitly allowed, it is denied. Firewalls often use implicit deny by explicitly allowing some traffic and then implicitly denying all other traffic that is not identified. Anything not explicitly allowed is implicitly denied.
  • A host-based firewall helps protect a single system from intrusions. Some Linux systems use iptables or xtables for firewall capabilities.
  • A network-based firewall controls traffic going in and out of a network.
  • A firewall controls traffic between networks using rules within an ACL. The ACL can block traffic based on ports, IP addresses, subnets, and some protocols.
  • Most firewalls use an implicit deny strategy by blocking all traffic that isn’t explicitly allowed. This is implemented with a deny all, or deny any rule at the end of the ACL.
  • A web application firewall (WAF) protects a web server against web application attacks such as buffer overflow and cross-site scripting attacks.
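The implicit deny bullets above describe how a firewall ACL is evaluated; this added example (not code from the book) implements that first-match evaluation over a constructed ACL for a DMZ web server and shows that an explicit trailing "deny any" rule catches exactly the traffic the implicit deny would. The addresses and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_matches(spec: str, address: str) -> bool:
    return spec == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, index of the matching rule).
    When no rule matches, the packet is implicitly denied and the index is None;
    a trailing explicit 'deny any' makes that same decision visible in logs."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed ACL for a DMZ web server at 203.0.113.10 (documentation address):
# web traffic from anywhere, SSH only from the admin subnet, nothing else.
ACL = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 80),
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
    Rule("allow", "tcp", "10.0.50.0/24", "203.0.113.10/32", 22),
]
DENY_ANY = Rule("deny", "any", "any", "any", None)
ACL_WITH_EXPLICIT_DENY = ACL + [DENY_ANY]
```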

Protecting the Network Perimeter

  • A DMZ provides a layer of protection for servers that are accessible from the Internet.
  • NAT translates public IP addresses to private IP addresses, private back to public, and hides IP addresses on the internal network from users on the Internet.
  • A proxy server forwards requests for services from a client. It can filter requests based on URLs, cache content, and record users’ Internet activity.
  • A unified threat management (UTM) security appliance includes multiple layers of protection, such as URL filters, content inspection, and malware inspection.

Identifying OSI Relevance

  • Switches operate on Layer 2 and VLANs are defined on this layer.
  • Routers operate on Layer 3 and use ACLs to restrict traffic.
  • SCP is not defined in an RFC, so you won’t find a source indicating which layer it operates on. However, SCP uses SSH for data transfer and SSH operates on Layer 7. Similarly, RDP is a proprietary protocol and Microsoft doesn’t link it to an OSI layer. However, RDP is listed as an Application layer protocol on the TCP/IP model.

Chapter 4 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Understanding IDSs and IPSs

  • Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) inspect traffic using the same functionality as a protocol analyzer.
  • A host-based IDS (HIDS) can detect attacks on local systems such as workstations and servers. The HIDS protects local resources on the host and can detect some malware that isn’t detected by traditional antivirus software.
  • A network-based IDS (NIDS) detects attacks on networks.
  • A signature-based IDS uses signatures to detect known attacks or vulnerabilities. Vendors create a number to identify each signature, or use the number in the Common Vulnerabilities and Exposures (CVE) list.
  • An anomaly-based (also called heuristic-based or behavior-based) IDS requires a baseline and detects attacks based on anomalies or when traffic is outside expected boundaries.
  • A false positive sends an alert indicating an attack when an attack is not active. False positives increase the workload of administrators. A false negative is when an attack is active, but not reported.
  • Honeypots and honeynets appear to have valuable data and attempt to divert attackers away from live networks. Security personnel use them to observe current attack methodologies and gather intelligence on attacks.
  • An intrusion prevention system (IPS) is similar to an active IDS except that it’s placed in-line with the traffic, and can stop attacks before they reach the internal network. An IPS can actively monitor data streams, detect malicious content, and mitigate the effect of malicious activity.
  • IDSs and IPSs can also protect internal private networks, such as private supervisory control and data acquisition (SCADA) networks.

Securing Wireless Networks

  • You can limit the coverage of a wireless access point (WAP) to a single room or a building by reducing the power level or modifying the placement of the antenna. This can help prevent unauthorized users from connecting to the wireless network. You can increase the wireless footprint by increasing power levels.
  • Most WAPs have omnidirectional antennas. A Yagi antenna is a high-gain directional antenna and you can connect two buildings with WAPs and Yagi antennas.
  • Site surveys identify the footprint of a wireless network and potential threats. Administrators perform site surveys during the planning stage, and perform periodic site surveys to identify threats.
  • Wired Equivalent Privacy (WEP) is an older wireless protocol that is not secure. Wi-Fi Protected Access (WPA) was an initial improvement over WEP and it uses Temporal Key Integrity Protocol (TKIP) with Rivest Cipher 4 (RC4), which is compatible with older hardware.
  • WEP implemented RC4 incorrectly using a small initialization vector (IV). IV attacks often use packet injection to generate traffic and crack the encryption key.
  • WPA cracking attacks capture the four-way authentication handshake and then perform a brute force attack to discover the passphrase.
  • Wi-Fi Protected Access II (WPA2) is the current standard and it supports Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP is based on the strong Advanced Encryption Standard (AES) encryption protocol.
  • WPA/WPA2 Personal mode uses a preshared key (PSK). It is easy to implement and is used in many smaller wireless networks.
  • WPA/WPA2 Enterprise mode is more secure than Personal mode because it adds authentication. It uses an 802.1x authentication server implemented as a RADIUS server.
  • 802.1x servers use one of the Extensible Authentication Protocol (EAP) versions, such as Protected EAP (PEAP), EAP-Tunneled Transport Layer Security (EAP-TTLS), EAP-TLS, or Lightweight EAP (LEAP).
  • The most secure EAP method is EAP-TLS, and it requires a certificate on the server and on each of the wireless clients. PEAP and EAP-TTLS require a certificate on the server, but not the client. PEAP is often implemented with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2). LEAP is proprietary to Cisco and does not require a certificate.
  • WAPs in hot spots often use Isolation mode to segment, or separate, wireless users from each other. Additionally, they disable security to make it easy for users to connect or use WEP with Open System Authentication.
  • You can restrict access to wireless networks with media access control (MAC) filtering. However, an attacker with a wireless sniffer can discover authorized MACs and perform a spoofing attack.
  • A wireless audit checks WAP power levels, antenna placement, wireless footprint, and encryption techniques. It often includes war driving techniques and can detect rogue access points.
  • Disabling the service set identifier (SSID) broadcast (the network name) hides a wireless network from casual users. However, an attacker with a wireless sniffer can easily determine the SSID even if SSID broadcasting is disabled.
  • A rogue access point is an unauthorized WAP. Attackers can use them to capture data on your network. Unauthorized users can access your network via a rogue access point.
  • An evil twin is a rogue access point using the same SSID as an authorized WAP.
  • Bluejacking involves sending unsolicited messages to a phone.
  • Bluesnarfing involves accessing data on a phone such as email and contact lists.

Exploring Remote Access

  • VPNs provide remote access to an internal network for mobile users. Firewall ACLs include rules to allow VPN traffic based on the tunneling protocol.
  • VPN concentrators provide secure remote access to a large number of remote users.
  • Some VPNs use IPsec to encrypt data in a secure tunnel during transit.
  • IPsec is a common tunneling protocol used with VPNs. It can secure traffic in a site-to-site tunnel and from clients to the VPN. IPsec uses Tunnel mode for VPNs. ESP encrypts VPN traffic and provides confidentiality, integrity, and authentication.
  • Firewalls identify IPsec ESP traffic with protocol ID 50 and AH traffic with protocol ID 51.
  • IKE creates the security association for the IPsec tunnel and uses port 500.
  • Other tunneling protocols include SSTP (using SSL over port 443), L2TP (over UDP port 1701), and PPTP (over TCP port 1723).
  • NAC inspects clients for specific health conditions such as up-to-date antivirus software, and can redirect access to a remediation network for unhealthy clients. NAC can be used with VPN clients and with internal clients.

Chapter 5 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Implementing Host Security

  • Hardening servers and applications makes them more secure from their default installation and improves their overall security posture. Key hardening steps are disabling unnecessary services, protocols, and accounts.
  • Disabling unnecessary services and protocols reduces the attack surface. Disabling unnecessary accounts and changing default passwords helps prevent unauthorized access.
  • Baselines document the starting point for systems. Security baselines provide a secure starting point for systems and applications. System and application configuration baselines document proper configuration settings. Host software baselines (or application baselines) identify approved software along with software installed on systems.
  • Baseline reporting monitors current configurations with a baseline and reports discrepancies. Baselines should be updated when systems are modified to ensure accurate baseline reporting.
  • Administrators use baselines to identify anomalies by comparing settings, services, and applications in the baseline with settings, services, and applications on live computers.
  • Application whitelisting allows authorized applications to run, but blocks all other applications. Application blacklisting blocks unauthorized applications, but allows other applications to run.
  • Virtualization allows multiple servers to operate on a single physical host. It provides increased availability with various tools such as snapshots and easy restoration.
  • Sandboxing within virtual environments combined with snapshots provides a high level of flexibility for testing security controls and testing patches.
  • Virtual local area networks (VLANs) separate or segment traffic. You create them with physical switches on physical networks and with virtual switches on virtual networks.
  • Patch management procedures ensure operating systems and applications are kept up to date with current patches. This ensures they are protected against known vulnerabilities.
  • Static computing environments include supervisory control and data acquisition (SCADA) systems and embedded systems. A key method of protecting them is to use a combination of redundant controls and diverse controls. VLANs and network intrusion prevention systems (NIPS) protect networks holding static systems.

Securing Mobile Devices

  • You can protect mobile devices with encryption of data, screen locks, and remote wipe capabilities. Remote wiping removes all the data from a lost phone.
  • Disabling the use of removable media on mobile devices prevents users from saving data on USB thumb drives and other removable media.
  • GPS tracking can help locate lost or stolen mobile devices. Geo-tagging uses GPS features and adds geographical information to files such as pictures when posting them on social media sites.
  • Radio-frequency identification (RFID) provides automated inventory control and can detect movement of mobile devices.
  • Ensuring mobile devices are up to date with current patches and antivirus signature files is a primary concern. Mobile device management (MDM) tools can ensure that devices meet these requirements and block network access if devices do not meet these requirements.
  • Data security is one of the primary security concerns related to bring your own device (BYOD) policies.
  • VLANs can isolate mobile device traffic from the primary network.

Protecting Data

  • The primary method of protecting the confidentiality of data is with encryption and strong access controls. Encryption protects both data at rest (stored on a device) and data in motion (transmitted over a network).
  • You can encrypt individual columns in a database (such as credit card numbers), entire databases, individual files, entire disks, and removable media.
  • Whole disk encryption and full device encryption procedures protect all data on a disk and are useful when protecting data on USB flash drives. Many mobile devices and removable devices support full disk encryption. Encryption protects the data if the device is stolen.
  • Hardware encryption is faster and more efficient than software encryption.
  • A Trusted Platform Module (TPM) is a chip in a motherboard included with many laptops. TPMs have a storage root key used to generate and protect other encryption keys. TPMs support full disk encryption.
  • A hardware security module (HSM) is a removable or external device used for encryption. An HSM generates and stores RSA encryption keys and can be integrated with servers to provide hardware encryption.
  • Network-based data loss prevention (DLP) devices reduce the risk of data leakage. They can analyze outgoing data, such as emails, and detect when employees send out confidential company data. Endpoint DLP can block users from copying or printing certain files.

Understanding Cloud Computing

  • Provider clouds provide increased capabilities for heavily utilized systems and networks.
  • Software as a Service (SaaS) includes web-based applications such as web-based email.
  • Infrastructure as a Service (IaaS) provides hardware resources via the cloud. It can help an organization limit the size of their hardware footprint and reduce personnel costs.
  • Platform as a Service (PaaS) provides an easy-to-configure operating system and on-demand computing for customers.
  • Physical control of data is a key security control an organization loses with cloud computing.

Chapter 6 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Understanding Malware Types

  • Malware includes several different types of malicious code, including viruses, worms, ransomware, logic bombs, rootkits, backdoors, and more.
  • An armored virus uses one or more techniques to make it difficult to reverse engineer.
  • Polymorphic malware changes to make it difficult to detect.
  • A worm is self-replicating, unlike a virus, which must be executed.
  • A logic bomb executes in response to an event, such as a day, time, or condition. Malicious insiders have planted logic bombs into existing systems, and these logic bombs have delivered their payload after the employee left the company.
  • Backdoors provide another way of accessing a system. Malware often inserts backdoors into systems, giving attackers remote access to systems.
  • A Trojan appears to be one thing, such as pirated software or free antivirus software, but is something malicious. Drive-by downloads attempt to infect systems with Trojans.
  • A botnet is a group of computers called zombies controlled through a command-and-control server. Attackers use malware to join computers to botnets.
  • Ransomware is a type of malware that takes control of a user’s system or data. Criminals attempt to extort payment as ransom combined with threats of damaging a user’s system or data if the user doesn’t pay.
  • Rootkits take root-level or kernel-level control of a system. They hide their processes to avoid detection. They can remove user privileges and modify system files.
  • Adware often causes pop-up windows to appear with advertisements.
  • Spyware is software installed on user systems without the user’s knowledge or consent and it monitors the user’s activities. It can result in the loss of confidentiality as it steals user secrets.

Recognizing Common Attacks

  • Social engineering is the practice of using social tactics to gain information or trick users into performing an action they wouldn’t normally take.
  • Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email. Many social engineers attempt to impersonate others.
  • Shoulder surfing is an attempt to gain unauthorized information through casual observation, such as looking over someone’s shoulder, or monitoring screens with a camera.
  • Tailgating is the practice of one person following closely behind another without showing credentials. Mantraps help prevent tailgating. Cameras with recording capabilities are a cheaper substitute to deter tailgating.
  • Dumpster divers search through trash looking for information. Shredding or burning documents reduces the risk of dumpster diving.
  • Spam is unwanted or unsolicited email. Attackers often use spam in different types of attacks.
  • Phishing is the practice of sending email to users with the purpose of tricking them into revealing sensitive information, installing malware, or clicking on a link.
  • Spear phishing and whaling are types of phishing. Spear phishing targets specific groups of users and whaling targets high-level executives.
  • Vishing is a form of phishing that uses voice over the telephone and often uses Voice over IP (VoIP). Some vishing attacks start with a recorded voice and then switch over to a live person.

Blocking Malware and Other Attacks

  • Antivirus software can detect and block different types of malware, such as worms, viruses, and Trojans. Antivirus software uses signatures to detect known malware.
  • When downloading signatures manually, hashes can verify the integrity of signature files.
  • Antivirus software typically includes a file integrity checker to detect files modified by a rootkit.
  • Pop-up blockers can block many pop-up windows used by adware.
  • Anti-spam software attempts to block unsolicited email. You can configure a spam filter to block individual email addresses and email domains.
  • Anti-spyware software helps protect users’ personal information while online by detecting and blocking spyware. Some antivirus software applications include anti-spyware elements.
  • Security-related awareness and training programs help users learn about new threats and security trends, such as new viruses, new phishing attacks, and zero-day exploits.
  • Zero-day exploits take advantage of vulnerabilities that aren’t known by trusted sources.
  • Social engineers and other criminals employ several principles to help increase the effectiveness of their attacks. They are authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust.

Chapter 7 Exam Topic Review

Comparing Common Attacks

  • A DoS attack is an attack launched from a single system and attempts to disrupt services.
  • DDoS attacks are DoS attacks from multiple computers. DDoS attacks typically include sustained, abnormally high network traffic.
  • Smurf attacks spoof the source IP address and use a directed broadcast ping to flood victims with ping replies. Smurf attacks often use amplifying networks. Configuring routers to block directed broadcasts prevents a network from becoming an amplifying network.
  • Replay attacks capture data in a session with the intent of using information to impersonate one of the parties. Timestamps and sequence numbers thwart replay attacks.
  • Account lockout policies thwart online password attacks such as dictionary and brute force attacks that attempt to guess a password. Complex passwords thwart offline password attacks.
  • Password salting adds random characters (a salt) to each password before hashing it, so identical passwords produce different hashes. Salting defeats rainbow table attacks and forces an attacker to crack each password separately; combined with key stretching it also slows dictionary and brute force attacks.
  • DNS poisoning attacks modify DNS data and can redirect users to malicious sites.
  • Pharming attacks often modify the hosts file to redirect web site traffic to a malicious web site.
  • Attackers buy domain names with minor typographical errors in the hopes of attracting traffic when users enter the incorrect URL. Attackers can configure the sites with malware to infect visitors or configure the site to generate ad revenue for the attacker.
  • Attackers exploiting unknown or undocumented vulnerabilities are taking advantage of zero-day vulnerabilities. The vulnerability is no longer a zero-day vulnerability after the vendor releases a patch to fix it.

Understanding Secure Coding Concepts

  • A common coding error in web-based applications is the lack of input validation.
  • Input validation checks the data before passing it to the application and prevents many types of attacks, including buffer overflow, SQL injection, command injection, and cross-site scripting attacks.
  • Server-side input validation is the most secure. Attackers can bypass client-side input validation, but not server-side input validation.
  • Error- and exception-handling routines within applications can prevent application failures and protect the integrity of the operating systems. Error messages shown to users should be generic, but the application should log detailed information on the error.

Identifying Application Attacks

  • Buffer overflows occur when an application writes more data into a buffer than the buffer can hold (or data it did not expect), overwriting adjacent memory and potentially exposing or corrupting system memory.
  • Buffer overflow attacks exploit buffer overflow vulnerabilities. A common method places a NOP sled, a string of no-operation instructions (0x90 on x86), ahead of the attacker's code so that execution lands on it even if the exact address is off. Two primary protection methods against buffer overflow attacks are input validation and keeping a system up to date.
  • SQL injection attacks provide information about a database and can allow an attacker to read and modify data within a database from a web page. Input validation and stored procedures provide the best protection.
  • Client-side attacks originate from the client such as within a web browser. Transitive access attacks attempt to access resources via a transitive trust relationship. SQL injection is an example of a client-side transitive access attack.
  • Cross-site scripting (XSS) allows an attacker to redirect users to malicious web sites and steal cookies. It uses HTML and JavaScript tags with < and > characters.
  • Cross-site request forgery (XSRF) causes a user's browser to send requests the user did not intend to a web site where the user is already authenticated, so the site performs actions (such as changing a password or making a purchase) on the user's behalf without their knowledge.
  • XSS is mitigated with input validation and output encoding; XSRF is mitigated with input validation and per-session anti-forgery tokens that an attacker's page cannot predict.
  • Lightweight Directory Access Protocol (LDAP) injection attacks attempt to access data on servers hosting a directory service, such as Microsoft Active Directory.
  • Transitive access attacks can attack back-end servers via a front-end server. For example, SQL injection attacks start as a client-side attack, but access back-end databases via a web server.
  • Fuzzing sends random data to an application to test the application’s ability to handle the random data. Fuzzing can cause an application to crash if proper input validation techniques are not used.
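The following Python is an added example, not code from Gibson's book. It uses the standard-library sqlite3 module with a constructed in-memory table to show why a query built by string concatenation is injectable (both a tautology that dumps every row and a UNION payload that reads the schema), how a bound parameter removes the problem, and what a server-side allow-list check looks like. The table, rows, regular expression and payloads are all assumed sample data.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The user-supplied text is pasted into the statement, so it is parsed as SQL.
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The driver sends the value separately from the statement; it can only
    # ever be compared as data, never interpreted as SQL.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Server-side allow-list: a username is 3-32 chars, lowercase letters/digits/underscore.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> bool:
    """Reject anything that is not a plausible username before it reaches the DB."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                                   # WHERE ... OR true
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master--"  # read table definitions


def demo() -> dict:
    conn = build_db()
    return {
        # Vulnerable query: the tautology makes the WHERE clause always true.
        "rows_dumped_by_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        # UNION payload returns the CREATE TABLE text instead of user rows.
        "schema_rows_leaked": len(lookup_vulnerable(conn, SCHEMA_DUMP)),
        # The same strings, bound as parameters, match no username at all.
        "rows_from_parameterized": len(lookup_parameterized(conn, TAUTOLOGY))
        + len(lookup_parameterized(conn, SCHEMA_DUMP)),
        # Validation stops the payloads even earlier, but accepts real names.
        "payloads_pass_validation": validate_username(TAUTOLOGY)
        or validate_username(SCHEMA_DUMP),
        "real_name_passes_validation": validate_username("alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that stored procedures, which the guide also recommends, give the same protection as the bound parameter here: the data never becomes part of the statement text.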

Chapter 8 Exam Topic Review

Identifying Risk

  • A risk is the likelihood that a threat will exploit a vulnerability. A threat is a potential danger that can compromise confidentiality, integrity, or availability of data or a system. A vulnerability is a weakness.
  • Risk management methods include risk avoidance, transference, acceptance, mitigation, and deterrence. You avoid a risk by not providing a service or not participating in a risky activity. Purchasing insurance, such as fire insurance, transfers the risk to another entity. Some controls such as security guards deter a risk.
  • You cannot eliminate risk. Risk management attempts to reduce risk to a level that an organization is able to accept, and the remaining risk is known as residual risk. Senior management is responsible for managing risk and the losses associated from residual risk.
  • Quantitative risk assessments use numbers, such as costs and asset values. The single loss expectancy (SLE) is the cost of any single loss. The annual rate of occurrence (ARO) indicates how many times the loss will occur annually. You can calculate the annual loss expectancy (ALE) as SLE × ARO.
  • Qualitative risk assessments use judgments to prioritize risks based on probability and impact. These judgments provide a subjective ranking.
  • Risk assessment results are sensitive. Only executives and security professionals should be granted access to risk assessment reports.

Checking for Vulnerabilities

  • A port scanner scans systems for open ports and attempts to discover what services and protocols are running.
  • An advanced persistent threat (APT) is a well-resourced group, often sponsored by a nation-state and operating from another country, that launches sophisticated, targeted, long-running attacks.
  • Vulnerability assessments determine the security posture of a system or network.
  • Vulnerability scanners passively test security controls to identify vulnerabilities, a lack of security controls, and common misconfigurations. They are effective at discovering systems susceptible to an attack without exploiting the systems.
  • A false positive from a vulnerability scan indicates the scan falsely detected a vulnerability, and the vulnerability doesn’t actually exist.
  • A penetration test is an active test that attempts to exploit discovered vulnerabilities. It starts with a vulnerability scan and then bypasses or actively tests security controls to exploit vulnerabilities.
  • Significant differences between vulnerability scans and penetration tests are that vulnerability scans are passive and less invasive, while penetration tests are active and more invasive.
  • A baseline review identifies changes from the original deployed configuration.
  • Code reviews are a type of assessment where a peer programmer goes through code line-by-line looking for vulnerabilities, such as race conditions or susceptibility to buffer overflow attacks.
  • Design reviews ensure that systems and software are developed properly, following standard security best practices.
  • In black box testing, testers perform a penetration test with zero prior knowledge of the environment. White box testing indicates that the testers have full knowledge of the environment, including documentation and source code for tested applications. Gray box testing indicates some knowledge of the environment.
  • Black hat indicates a malicious attacker, whereas white hat identifies a security professional working within the law.
  • Penetration testers should gain written consent prior to starting a penetration test. A rules-of-engagement document identifies the boundaries of the test.
  • Continuous security monitoring helps an organization maintain its security posture, by verifying that security controls continue to function as intended.

Identifying Security Tools

  • Protocol analyzers (sniffers) can capture and analyze data sent over a network. Attackers use protocol analyzers to capture cleartext data sent across a network.
  • Administrators use protocol analyzers for troubleshooting communication issues by inspecting protocol headers to detect manipulated or fragmented packets.
  • Captured packets show the type of traffic (protocol), source and destination IP addresses, source and destination MAC addresses, and flags.
  • Routine audits help an organization verify they are following their own policies, such as the principle of least privilege and account management control best practices.
  • A user rights and permissions review ensures that users have only the access they need and no more. It also verifies that inactive accounts are either disabled or deleted.
  • Security logs track logon and logoff activity on systems. System logs identify when services start and stop.
  • Firewall and router logs identify the source and destination of traffic.
  • Centralized log management protects logs when systems are attacked or compromised.
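As an added example that is not part of the original guide, here is a small detector in Python run over constructed OpenSSH-style auth log lines (the kind of logon activity the security log bullet above refers to). It counts failed logons per source address inside a sliding window, which is the online guessing pattern an account lockout policy is meant to stop, and escalates when a successful logon follows the burst. The log lines, the threshold of five failures and the 60-second window are assumptions for the demo; the addresses are from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (OpenSSH auth-log style); not taken from the page.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-01T09:00:03 host1 sshd[2311]: Failed password for root from 203.0.113.5 port 51236 ssh2
2024-03-01T09:00:04 host1 sshd[2311]: Failed password for root from 203.0.113.5 port 51238 ssh2
2024-03-01T09:00:06 host1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51240 ssh2
2024-03-01T09:00:08 host1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51242 ssh2
2024-03-01T09:00:09 host1 sshd[2311]: Accepted password for alice from 203.0.113.5 port 51244 ssh2
2024-03-01T09:10:00 host1 sshd[2399]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2024-03-01T09:30:00 host1 sshd[2401]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2024-03-01T09:30:02 host1 sshd[2401]: Accepted publickey for bob from 198.51.100.7 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text: str) -> list:
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Alert on any source IP with >= threshold failures inside `window`, and
    escalate if that IP later logs on successfully (the guess may have worked)."""
    recent_failures = defaultdict(list)   # ip -> timestamps still inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ev["ts"])
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent_failures[ip])))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The two slow failures from 198.51.100.7 are twenty minutes apart, so they never accumulate inside the window; a real deployment would also watch for that low-and-slow pattern across a longer window, and would raise the alert to a central log server so an attacker who compromises host1 cannot erase it.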

Chapter 9 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Adding Redundancy

  • A single point of failure is any component that can cause the entire system to fail if it fails.
  • RAID disk subsystems provide fault tolerance and increase availability. RAID-1 (mirroring) uses two disks, RAID-5 uses three or more disks and can survive the failure of one disk, and RAID-6 uses four or more disks and can survive the failure of two disks.
  • Server redundancies include failover clusters and load balancing. Failover clusters remove a server as a single point of failure. If one node in a cluster fails, another node can take over.
  • Load balancing spreads the processing load over multiple servers to ensure availability when the processing load increases. Many web-based applications use load balancing for higher availability.
  • A UPS system provides fault tolerance for power fluctuations and provides short-term power for systems during power outages. Generators provide long-term power for systems during extended power outages.
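Added example, not from the book: a toy RAID-5 in Python that shows why an array of three or more disks can lose any one disk. Parity is nothing more than the XOR of the other chunks in a stripe, so the missing chunk is the XOR of the survivors; losing a second disk is unrecoverable, which is the gap RAID-6's second parity block closes. The disk count, chunk size and data are arbitrary choices for the demo, and the array is written once (stripe numbering restarts on each write).

```python
def xor_chunks(chunks: list) -> bytes:
    """XOR equal-length byte strings together; this is all RAID-5 parity is."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


class Raid5:
    """Toy RAID-5: n disks, each stripe holds n-1 data chunks plus one parity
    chunk, and the parity position rotates from stripe to stripe."""

    def __init__(self, n_disks: int, chunk_size: int = 4):
        if n_disks < 3:
            raise ValueError("RAID-5 needs three or more disks")
        self.n, self.chunk = n_disks, chunk_size
        self.disks = [[] for _ in range(n_disks)]   # disk index -> list of chunks
        self.length = 0

    def write(self, data: bytes) -> None:
        per_stripe = self.chunk * (self.n - 1)
        self.length = len(data)
        data += b"\0" * (-len(data) % per_stripe)   # pad to whole stripes
        for s, off in enumerate(range(0, len(data), per_stripe)):
            block = data[off:off + per_stripe]
            chunks = [block[i:i + self.chunk] for i in range(0, per_stripe, self.chunk)]
            chunks.insert(s % self.n, xor_chunks(chunks))   # parity slot rotates with s
            for d, c in enumerate(chunks):
                self.disks[d].append(c)

    def fail_disk(self, d: int) -> None:
        self.disks[d] = None   # simulate losing the whole disk

    def read(self) -> bytes:
        alive = [d for d in self.disks if d is not None]
        if len(alive) < self.n - 1:
            raise RuntimeError("more than one disk lost: RAID-5 cannot rebuild")
        out = bytearray()
        for s in range(len(alive[0])):
            chunks = [None if d is None else d[s] for d in self.disks]
            if None in chunks:   # rebuild the lost chunk: XOR of all the survivors
                missing = chunks.index(None)
                chunks[missing] = xor_chunks([c for c in chunks if c is not None])
            del chunks[s % self.n]   # drop the parity chunk, keep data in order
            out += b"".join(chunks)
        return bytes(out[:self.length])


if __name__ == "__main__":
    array = Raid5(n_disks=4, chunk_size=4)
    array.write(b"Security+ RAID-5 parity demo")
    array.fail_disk(1)
    print(array.read())   # still intact after one disk failure
```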

Protecting Data with Backups

  • Backup strategies include full, full/differential, and full/incremental strategies. A full backup strategy alone allows the quickest recovery time.
  • Full/incremental backup strategies minimize the amount of time needed to perform daily backups.
  • Test restores verify the integrity of backups. A test restore of a full backup verifies a backup can be restored in its entirety.
  • Backups should be labeled to identify the contents. A copy of backups should be kept off-site.
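The three strategies above differ in how much each daily backup copies and how many backup sets a restore needs. This added Python example (not from the book) simulates one week against a constructed change history, records what each day's backup would contain, and restores from the sets each strategy requires, checking the result against the true state of the files. The file names and the days they change are assumptions for the demo.

```python
# Constructed change history: day 0 is the weekly full backup, and each later
# day lists the files modified that day (sample data, not from the page).
CHANGES = {
    0: {"a", "b", "c", "d"},
    1: {"a"},
    2: {"b"},
    3: {"a", "c"},
    4: {"d"},
    5: {"b"},
    6: {"a"},
}


def state_on(day: int, changes: dict = CHANGES) -> dict:
    """Ground truth: the version (last day modified) of every file as of `day`."""
    state = {}
    for d in sorted(changes):
        if d > day:
            break
        for f in changes[d]:
            state[f] = d
    return state


def plan(strategy: str, changes: dict = CHANGES) -> dict:
    """For each day return (snapshot copied by that day's backup,
    list of backup days needed, oldest first, to restore that day's state)."""
    full_day = min(changes)
    all_files = set().union(*changes.values())
    since_full = set()
    result = {}
    for day in sorted(changes):
        state = state_on(day, changes)
        if day == full_day or strategy == "full":
            copied = all_files                        # everything, every time
            needed = [day]                            # one set restores it all
            since_full = set()
        elif strategy == "full/differential":
            since_full |= changes[day]                # all changes since the full
            copied = set(since_full)                  # grows through the week
            needed = [full_day, day]                  # last full + latest differential
        elif strategy == "full/incremental":
            copied = set(changes[day])                # only changes since last backup
            needed = list(range(full_day, day + 1))   # last full + every incremental
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        result[day] = ({f: state[f] for f in copied}, needed)
    return result


def restore(p: dict, day: int) -> dict:
    """Apply the needed backup sets oldest to newest; later sets overwrite earlier."""
    restored = {}
    for d in p[day][1]:
        restored.update(p[d][0])
    return restored


def compare(changes: dict = CHANGES) -> dict:
    """strategy -> (files copied on the days after the full, sets needed on the last day)."""
    first, last = min(changes), max(changes)
    out = {}
    for s in ("full", "full/differential", "full/incremental"):
        p = plan(s, changes)
        volume = sum(len(snap) for day, (snap, _) in p.items() if day != first)
        out[s] = (volume, len(p[last][1]))
    return out


if __name__ == "__main__":
    for strategy, (volume, sets) in compare().items():
        print(f"{strategy:18s} copies {volume:2d} files during the week, "
              f"needs {sets} set(s) to restore day 6")
```

The numbers make the trade-off concrete: full-only copies the most but restores from a single set, incremental copies the least but a day-6 restore needs the full plus every incremental in order (and fails if any one of them is unreadable), and differential sits in between. That is also why test restores matter: a strategy that needs seven sets has seven chances for a bad tape.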

Comparing Business Continuity Elements

  • A business impact analysis (BIA) is part of a business continuity plan (BCP) and it identifies systems and components that are essential to the organization’s success.
  • The BIA identifies maximum downtimes for these systems and components, various scenarios that can affect these systems and components, and the potential losses from an incident.
  • Recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose.
  • Continuity of operations planning (COOP) sites provide alternate locations for business functions after a major disaster.
  • A hot site includes everything needed to be operational within 60 minutes. It is the most effective recovery solution and the most expensive. A cold site has power and connectivity requirements and little else. It is the least expensive to maintain.
  • Warm sites are a compromise between hot sites and cold sites. Mobile sites do not have dedicated locations, but can provide temporary support during a disaster.
  • Disaster recovery planning is part of overall business continuity planning. A disaster recovery plan (DRP) includes the steps to return one or more systems to full operation. BCPs or DRPs include a hierarchical list of critical systems identifying the order of restoration.
  • BCPs and DRPs commonly include a communication plan. It identifies alternate methods of communication, such as a war room or push-to-talk phones. It also identifies who to contact, such as response team members, employees, suppliers, customers, media, and regulatory agencies.
  • Succession planning ensures that an organization can continue to operate even if key leaders are unavailable. Succession planning charts identify roles and responsibilities to follow during a disaster, along with a clear chain of command.
  • Periodic testing validates BCPs and DRPs. Disaster recovery exercises validate the steps to restore individual systems, activate alternate sites, and other actions documented within a plan. Tabletop exercises are discussion-based only. Functional exercises are hands-on exercises.

Implementing Environmental Controls

  • Heating, ventilation, and air conditioning (HVAC) systems control airflow for data centers and server rooms. Temperature controls protect systems from damage due to overheating.
  • Higher-tonnage HVAC systems provide more cooling capacity. You can increase the mean time between failures (MTBF) times and overall availability by keeping server rooms at lower operating temperatures.
  • Humidity controls protect against ESD damage by ensuring humidity isn’t too low. They also protect against water damage from condensation if humidity gets too high.
  • HVAC systems should be integrated with the fire alarm systems and either have dampers or the ability to be turned off in the event of a fire.
  • EMI shielding prevents problems from EMI sources such as fluorescent lighting fixtures. It also prevents data loss.

Chapter 10 Exam Topic Review

Providing Integrity with Hashing

  • Hashing verifies the integrity of data, such as downloaded files and email messages.
  • A hash (sometimes listed as a checksum) is a fixed-size string of numbers or hexadecimal characters.
  • Hashing algorithms are one-way functions used to create a hash. You cannot reverse the process to re-create the original data.
  • Passwords are often stored as hashes instead of the actual password. Salting the password thwarts many password attacks.
  • Common hashing algorithms are Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) family. MD5 and SHA-1 are no longer collision resistant, so new designs should use SHA-2 or SHA-3. Hash-based Message Authentication Code (HMAC) combines a hash with a shared secret key and provides both integrity and authenticity of a message; a bare hash provides only integrity, because anyone who can change the data can also recompute its hash.
  • Transport encryption protocols such as Internet Protocol security (IPsec) and Transport Layer Security (TLS) have used HMAC-MD5 and HMAC-SHA1 for integrity; current configurations prefer HMAC-SHA2 or authenticated encryption modes such as AES-GCM.
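An added example, not from the book, tying the integrity bullets together: verifying a downloaded file (such as a manually fetched antivirus signature file) against a published SHA-256 digest, and then showing why a bare hash is not enough when the data travels through untrusted hands and a keyed HMAC is needed. The same hash-before-and-compare-after check is what forensic imaging uses to prove an image was not modified. The file contents, published digest and shared key are constructed for the demo; the comparison uses hmac.compare_digest so the time taken does not leak how many characters matched.

```python
import hashlib
import hmac

# Constructed "downloaded" signature file and the digest its publisher would post.
SIGNATURE_FILE = b"virus-signatures-v42\npattern 1\npattern 2\n"
PUBLISHED_SHA256 = hashlib.sha256(SIGNATURE_FILE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Fixed-size (64 hex chars) one-way digest of arbitrary-length data."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def mac_message(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: integrity plus authenticity, since the tag needs the key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_message(key, msg), tag)


def hex_diff(a: str, b: str) -> int:
    """How many hex positions differ between two digests (avalanche effect)."""
    return sum(x != y for x, y in zip(a, b))


def demo() -> dict:
    tampered = SIGNATURE_FILE.replace(b"pattern 2", b"pattern 3")   # one byte changed
    key = b"shared-secret-between-sender-and-receiver"               # constructed key
    msg = b"transfer 100 to account 42"
    tag = mac_message(key, msg)
    forged = b"transfer 900 to account 42"
    # An attacker who can edit the message can recompute a bare hash to match it,
    # but cannot produce a valid HMAC tag without the key.
    forged_hash_matches = sha256_hex(forged) == sha256_hex(forged)
    return {
        "genuine_file_verifies": verify_download(SIGNATURE_FILE, PUBLISHED_SHA256),
        "tampered_file_rejected": not verify_download(tampered, PUBLISHED_SHA256),
        "one_byte_changes_most_of_digest":
            hex_diff(sha256_hex(SIGNATURE_FILE), sha256_hex(tampered)) > 40,
        "digest_size_is_fixed": len(sha256_hex(b"")) == len(sha256_hex(SIGNATURE_FILE)) == 64,
        "bare_hash_cannot_detect_recomputed_forgery": forged_hash_matches,
        "hmac_genuine_verifies": verify_mac(key, msg, tag),
        "hmac_rejects_forged_message": not verify_mac(key, forged, tag),
        "hmac_rejects_wrong_key": not verify_mac(b"other-key", msg, tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```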

Providing Confidentiality with Encryption

  • Confidentiality ensures that data is only viewable by authorized users. Encryption provides confidentiality of data, including data at rest (any type of data stored on disk) and data in transit (any type of transmitted data).
  • Symmetric encryption uses the same key to encrypt and decrypt data. As an example, Remote Authentication Dial-In User Service (RADIUS) uses a shared key for symmetric encryption.
  • Block ciphers encrypt data in fixed-size blocks. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks.
  • Stream ciphers encrypt data one bit or one byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size, or sent in a continuous stream. RC4 was a commonly used stream cipher, but it is now considered broken and is prohibited in TLS; modern protocols use ChaCha20 or a block cipher in a streaming mode instead.
  • Data Encryption Standard (DES), Triple DES (3DES), and Blowfish are block ciphers that encrypt data in 64-bit blocks.
  • AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key.
  • DES is an older, symmetric block encryption algorithm. 3DES was created as an improvement over DES and is used when hardware doesn’t support AES.
  • One-time pads provide the strongest encryption when compared with other encryption methods, but only if the key is truly random, at least as long as the message, kept secret, and never reused. Those requirements make them impractical for most uses.
  • Asymmetric encryption uses public and private keys as matched pairs.
    • If the public key encrypted information, only the matching private key can decrypt it.
    • If the private key encrypted information, only the matching public key can decrypt it.
    • Private keys are always kept private and never shared.
    • Public keys are freely shared by embedding them in a certificate.
  • RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as email and data transmitted over the Internet. RSA uses prime numbers to generate public and private keys.
  • Elliptic curve cryptography (ECC) is an encryption technology commonly used with small wireless devices.
  • Diffie-Hellman provides a method for two parties to agree on a shared symmetric key over an insecure channel without ever transmitting the key itself. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a version of Diffie-Hellman that uses ECC and generates a fresh key pair for each session, so compromising a long-term key later does not expose past sessions (perfect forward secrecy).
  • Steganography is the practice of hiding data within a file. You can hide messages in the white space of a file without modifying its size. A more sophisticated method is by modifying bits within a file. Capturing and comparing hashes of files can discover steganography attempts.
  • Transport encryption methods protect the confidentiality of data sent over the network. IPsec, TLS, and SSL are three examples.
  • IPsec uses HMAC for authentication and integrity and AES or 3DES for encryption.
  • TLS is the replacement for SSL. Both require certificates issued from a CA.
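The four asymmetric-key rules listed above are easiest to believe once you have run them. The following is an added example, not from the book: textbook RSA in pure Python with two key pairs, used both ways the guide describes, wrapping a symmetric session key with the recipient's public key (what SSL/TLS and S/MIME do) and signing a message hash with the sender's private key so anyone can verify it with the public key. Two known Mersenne primes stand in for each key pair's randomly generated primes, and there is no padding scheme (OAEP or PSS), so this illustrates the mathematics only and must never be used as-is. It needs Python 3.8+ for the modular inverse via pow().

```python
import hashlib
import secrets

# Known Mersenne primes (2^89-1, 2^107-1 and 2^61-1, 2^127-1) stand in for the
# large random primes a real key generator would produce. Textbook RSA, no
# padding: illustration only.
PRIMES_A = (2**89 - 1, 2**107 - 1)
PRIMES_B = (2**61 - 1, 2**127 - 1)


def keygen(primes: tuple, e: int = 65537) -> tuple:
    """Return (public key, private key) as (n, e) and (n, d)."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(pub: tuple, m: int) -> int:
    """Public key encrypts; only the matching private key can decrypt."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv: tuple, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest_int(msg: bytes, n: int) -> int:
    # Sign a hash of the message, not the message itself (reduced to fit under n).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: tuple, msg: bytes) -> int:
    """The sender's private key 'encrypts' the hash: that is the digital signature."""
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub: tuple, msg: bytes, sig: int) -> bool:
    """The sender's public key 'decrypts' the signature; compare with a fresh hash."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def demo() -> dict:
    alice_pub, alice_priv = keygen(PRIMES_A)
    bob_pub, bob_priv = keygen(PRIMES_B)
    # Hybrid encryption: Alice wraps a fresh 128-bit session key with Bob's
    # public key; only Bob's private key unwraps it, then the session key
    # would encrypt the bulk data with a symmetric cipher.
    session_key = secrets.randbits(128)
    wrapped = encrypt(bob_pub, session_key)
    # Digital signature: Alice signs with her private key; anyone with her
    # public key verifies, and any change to the message breaks the check.
    msg = b"pay invoice 1234"
    sig = sign(alice_priv, msg)
    return {
        "bob_unwraps_session_key": decrypt(bob_priv, wrapped) == session_key,
        "alice_cannot_unwrap_it": decrypt(alice_priv, wrapped) != session_key,
        "signature_verifies_with_alice_public_key": verify(alice_pub, msg, sig),
        "tampered_message_fails": not verify(alice_pub, b"pay invoice 9999", sig),
        "wrong_public_key_fails": not verify(bob_pub, msg, sig),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```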

Using Cryptographic Protocols

  • When using digital signatures with email:
    • The sender’s private key encrypts (or signs).
    • The sender’s public key decrypts.
  • A digital signature provides authentication (verified identification) of the sender, nonrepudiation, and integrity of the message.
    • Senders create a digital signature by hashing a message and encrypting the hash with the sender’s private key.
    • Recipients decrypt the digital signature with the sender’s matching public key.
  • When encrypting email:
    • The recipient’s public key encrypts.
    • The recipient’s private key decrypts.
    • Many email applications use the public key to encrypt a symmetric key, and then use the symmetric key to encrypt the email contents.
  • When encrypting web site traffic with SSL or TLS:
    • The web site’s public key encrypts a symmetric key.
    • The web site’s private key decrypts the symmetric key.
    • The symmetric key encrypts data in the session.
  • S/MIME and PGP secure email with encryption and digital signatures. They both use RSA, certificates, and depend on a PKI. They can encrypt email at rest (stored on a drive) and in transit (sent over the network).
  • Two commonly used key stretching techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2). They protect passwords against brute force and rainbow table attacks.
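This added Python example (not from the book) shows salting and key stretching together, which the guide mentions in the password attack bullets of Chapter 7, in the hashing section above, and in the bcrypt/PBKDF2 bullet here. A constructed four-word list plays the part of a precomputed (rainbow) table: it finds an unsalted SHA-256 of a password instantly, but a salted PBKDF2 record is not in any table built in advance, and each verification costs the attacker the full iteration count. bcrypt is not in the standard library, so only PBKDF2-HMAC-SHA256 is shown; the iteration counts, wordlist and password are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # key stretching: every guess costs the attacker this many hashes

# Constructed wordlist standing in for a precomputed rainbow/dictionary table.
WORDLIST = ["password", "letmein", "Summer2024!", "qwerty"]


def unsalted(password: str) -> str:
    """What NOT to store: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(hash_hex: str) -> Optional[str]:
    """Precomputed once, reused against every victim; works only on unsalted hashes."""
    table = {unsalted(w): w for w in WORDLIST}
    return table.get(hash_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, stretched record: algorithm$iterations$salt$derived_key (all hex)."""
    salt = salt or os.urandom(16)                     # random per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)      # constant-time compare


def demo() -> dict:
    pw = "Summer2024!"
    # 10_000 iterations here only to keep the demo fast; use ITERATIONS in practice.
    r1 = hash_password(pw, iterations=10_000)
    r2 = hash_password(pw, iterations=10_000)
    salted_dk = r1.split("$")[-1]
    return {
        "unsalted_hash_found_in_precomputed_table": crack_with_table(unsalted(pw)) == pw,
        "salted_hash_not_in_table": crack_with_table(salted_dk) is None,
        "same_password_gives_different_records": r1 != r2,
        "correct_password_verifies": verify_password(pw, r1) and verify_password(pw, r2),
        "wrong_password_rejected": not verify_password("summer2024!", r1),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Storing the iteration count inside the record lets you raise it later for new passwords without invalidating the old ones: verification reads the count back from each record.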

Exploring PKI Components

  • A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A PKI allows two entities to privately share symmetric keys without any prior communication.
  • Most public CAs use a hierarchical centralized CA trust model, with a root CA and intermediate CAs.
  • A CA issues, manages, validates, and revokes certificates. Wildcard certificates use a * for child domains to reduce the administrative burden of managing certificates.
  • Root certificates of trusted CAs are stored on computers. If a CA’s root certificate is not in the trusted store, web users will see errors indicating the certificate is not trusted or the CA is not recognized.
  • You request a certificate with a certificate signing request (CSR). You first create a private/public key pair and include the public key in the CSR.
  • CAs revoke certificates when an employee leaves, the private key is compromised, or the CA is compromised. A CRL identifies revoked certificates as a list of serial numbers.
  • The CA publishes the CRL, making it available to anyone. Web browsers can check certificates they receive from a web server against a copy of the CRL to determine if a received certificate is revoked.
  • User systems return errors when a system tries to use an expired certificate.
  • When users are issued new certificates, such as in a new smart card, they need to publish the new certificate. This is typically done by publishing it to a global address list.
  • A key escrow stores a copy of private keys used within a PKI. If the original private key is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.
  • Recovery agents can recover data secured with a private key, or recover a private key, depending on how the recovery agent is configured.

Chapter 11 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Exploring Security Policies

  • Written security policies are management controls that identify an overall security plan for an organization and help to reduce overall risk. Other security controls enforce security policies.
  • An acceptable use policy defines proper system usage for users. It often specifically mentions unacceptable usage such as visiting certain web sites, and typically includes statements informing users that the organization monitors user activities. Users are required to read and sign an acceptable use policy when hired, and in conjunction with refresher training.
  • Mandatory vacation policies require employees to take time away from their job. These policies help to reduce fraud and discover malicious activities by employees.
  • A separation of duties policy separates individual tasks of an overall function between different entities or different people, and helps deter fraud. For example, a single person shouldn’t be able to approve bills and pay them, or print checks and then sign them.
  • Job rotation policies require employees to change roles on a regular basis. Employees might swap roles temporarily, such as for three to four weeks, or permanently. These policies help to prevent employees from continuing with fraudulent activities, and detect fraud if it occurs.
  • Clean desk policies require users to organize their desks and surrounding areas to reduce the risk of possible data theft and password compromise.
  • Account policies often require administrators to have two accounts to prevent privilege escalation and other attacks. Account disablement policies ensure that inactive accounts are disabled.
  • Change management policies define the process for making changes, and provide the accounting structure or method to document the changes. Change management helps reduce unintended outages from changes.
  • Third-party agreements typically include a non-disclosure agreement requiring all parties to recognize who owns the data and prohibiting unauthorized sharing of data.
  • A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. A memorandum of understanding (MOU) is a looser agreement than an SLA.
  • An interconnection security agreement (ISA) specifies technical and security requirements for connections and ensures data confidentiality while data is in transit. An ISA is often used with an MOU.
  • Information classification practices help protect sensitive data by ensuring users understand the value of data. Data labeling ensures that users know what data they are handling and processing.
  • Degaussing a disk magnetically erases all the data on a magnetic drive; it does not work on SSDs or other flash media. Physically destroying a drive is the most secure method of ensuring unauthorized personnel cannot access proprietary information.
  • Sanitization procedures ensure data is removed from decommissioned systems. Specialized applications erase disk drives by writing a series of 1s and 0s multiple times on the drive. Cluster tip wiping erases file remnants in reclaimed space.
  • Storage and retention policies identify how long data is retained. They can limit a company’s exposure to legal proceedings and reduce the amount of labor required to respond to court orders.
  • Personally Identifiable Information (PII) is used to personally identify an individual. Examples include the full name, birth date, address, and medical information of a person.
  • PII requires special handling and policies for data retention. Many laws mandate the protection of PII, and require informing individuals when an attack results in the compromise of PII.
  • A privacy policy identifies what data is collected from users on a web site. Many laws require a privacy policy.

Responding to Incidents

  • An incident response policy defines an incident and incident response procedures. Organizations review and update the policy periodically and after reviewing lessons learned from actual incidents.
  • Warning banners remind users of rules regarding access when the users log on.
  • The first step in incident response is preparation. It includes creating and maintaining an incident response policy and includes prevention steps such as implementing security controls to prevent malware infections.
  • Before taking action, personnel verify an event is an actual incident. Next, they attempt to contain or isolate the problem. Disconnecting a computer from a network will isolate it.
  • First responders are the first IT or security personnel on the scene of an incident. They often have access to toolkits along with contact information of other security personnel.
  • An incident response policy typically includes a list of personnel to notify after an incident. A data breach typically requires notifying outside entities, especially if the data breach compromises customer data.
  • Recovery or reconstitution restores a system to its original state. Depending on the scope of the incident, administrators might completely rebuild the system, including applying all updates and patches.
  • A review of lessons learned helps an organization prevent a reoccurrence of an incident.
  • The order of volatility for data from most volatile to least volatile is cache memory, regular RAM, swap or paging file, hard drive data, logs stored on remote systems, and archived media.
  • Forensic experts capture an image of the data before analysis to preserve the original and maintain its usability as evidence.
  • Hard drive imaging creates a forensic copy and prevents the forensic capture and analysis from modifying the original evidence. A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture.
  • Hashing provides integrity for images, including images of both memory and disk drives.
  • Taking a hash before and after capturing a disk image verifies that the capturing process did not modify data. Hashes can reveal evidence tampering or, at the very least, that evidence has lost integrity.
  • A chain of custody provides assurances that personnel controlled and handled evidence properly after collecting it. It may start with a tag attached to the physical item, followed by a chain-of-custody form that documents everyone who handled it and when they handled it.
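As an added example (not from Gibson's book), the hash-before-and-after check from the imaging bullets above and a chain-of-custody record, written in Python; the file names, the handler name and the sample data are constructed placeholders:

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy 1 MiB at a time so a large image never fills RAM

def sha256_of(path):
    """Chunked SHA-256 of a file; the digest is the integrity reference."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image_path, custody_log, handler):
    """Bit-for-bit copy of `source`; hashes the original before and after (the
    capture did not modify it) and the image (the copy is exact), then logs it."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    after, image = sha256_of(source), sha256_of(image_path)
    intact = before == after == image
    custody_log.append({"when": datetime.now(timezone.utc).isoformat(),
                        "who": handler, "action": "acquire image",
                        "source_before": before, "source_after": after,
                        "image": image, "intact": intact})
    return intact, image

def verify_image(image_path, expected_sha256):
    """Later handlers re-hash the image; a mismatch means lost integrity."""
    return sha256_of(image_path) == expected_sha256

def demo():
    """Constructed evidence file standing in for a drive (hypothetical names)."""
    work = tempfile.mkdtemp()
    evidence, image = os.path.join(work, "drive.bin"), os.path.join(work, "drive.dd")
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * 12000)  # deterministic sample; first byte is 0x00
    log = []
    intact, digest = acquire_image(evidence, image, log, "first responder")
    verifies = verify_image(image, digest)
    with open(image, "r+b") as f:
        f.write(b"\xff")  # simulate tampering with the copy: change one byte
    tamper_caught = not verify_image(image, digest)
    shutil.rmtree(work)
    return intact, verifies, tamper_caught, len(log)
```

The custody log entry records who captured the image, when, and the three digests, so any later mismatch can be traced to a specific handoff.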

Raising Security Awareness

  • Security awareness and training programs reinforce user compliance with security policies and help reduce risks posed by users.
  • Information security awareness programs help educate users about emerging threats (such as the techniques attackers are currently using), acceptable use policies, and policies related to social networking sites.
  • Role-based training ensures that personnel receive the training they need. For example, executives need training on whaling attacks.
  • Social media sites allow people to share comments with a wide group of people.
  • Improper use of social networking sites can result in inadvertent information disclosure.
  • Attackers gather information from these sites to launch attacks against users, such as cognitive password attacks to change users’ passwords. Training reduces these risks.
  • Banner ad malware (also known as malvertisements) looks like ads but includes malicious code. Organizations sometimes block access to some web sites to block banner ad malware.
  • Data breaches on social media sites can expose user passwords. If users do not have different passwords, or use the same credentials to access other web applications, a data breach on a social media site can impact much more than just that site.
  • P2P software is a source of data leakage. Organizations often block P2P software to prevent data leakage and to prevent P2P traffic from consuming network bandwidth.
  • Metrics can validate the success of a training program.

PORTS

PROTOCOL                          PORT
FTP data port (active mode)       TCP 20
FTP control port                  TCP 21
SSH                               TCP 22
SCP (uses SSH)                    TCP 22
SFTP (uses SSH)                   TCP 22
Telnet                            TCP 23
SMTP                              TCP 25
TACACS+                           TCP 49
DNS name queries                  UDP 53
DNS zone transfers                TCP 53
TFTP                              UDP 69
HTTP                              TCP 80
Kerberos                          UDP 88
POP3                              TCP 110
SNMP                              UDP 161
SNMP trap                         UDP 162
NetBIOS (TCP rarely used)         TCP/UDP 137
NetBIOS                           UDP 138
NetBIOS                           TCP 139
IMAP4                             TCP 143
LDAP                              TCP 389
HTTPS                             TCP 443
SMTP SSL/TLS                      TCP 465
IPSec (for VPN with IKE)          UDP 500
LDAP/SSL                          TCP 636
LDAP/TLS                          TCP 636
IMAP SSL/TLS                      TCP 993
POP SSL/TLS                       TCP 995
L2TP                              UDP 1701
PPTP                              TCP 1723
Remote Desktop Protocol (RDP)     TCP/UDP 3389
Microsoft SQL Server              TCP 1433

OSI TABLE

Layer 1: Physical
  Devices:   Cables, hubs
  Protocols: Ethernet, cabling protocols
Layer 2: Data Link
  Devices:   Switches
  Protocols: MAC, ARP, NDP, VLANs
Layer 3: Network
  Devices:   Routers, Layer 3 switches
  Protocols: IPv4, IPv6, IPSec, ICMP
Layer 4: Transport
  Protocols: TCP, UDP
Layer 5: Session
  Examples:  A web browser session or an open email application; when you close the pages, the Session layer terminates the session
Layer 6: Presentation
  Examples:  ASCII and EBCDIC are two standards that define the codes used to display characters at this layer
Layer 7: Application
  Devices:   Proxies, application-proxy firewalls, web application firewalls, web security gateways, UTM security appliances
  Protocols: DNS, FTP, FTPS, HTTP, HTTPS, IMAP4, LDAP, POP3, RDP, SCP, SFTP, SMTP, SNMP, SSH, Telnet, and TFTP

PERFORMANCE QUESTION

Security Controls Solution

Unsupervised Training Lab: Cable Locks

Employee Issued Laptops: Fingerprint Readers

Server Room: Mantrap, Proximity Reader, CCTV System, Locking Cabinets

Office: Safe, Proximity Reader, Fingerprint Reader

Cryptographic Algorithms and Protocols

Name                   Type                     Algorithm method                          Key size                                      Strength     Replaced by
DES                    Symmetric                64-bit block cipher                       64 bit (56 + 8 parity); 56-bit keys           Very weak    3DES
3DES                   Symmetric                64-bit block cipher                       192 bit (168 bit + 24 parity)                 Moderate     AES
Blowfish               Symmetric                64-bit block cipher                       32- to 448-bit key
AES                    Symmetric                128-bit block cipher                      128-, 192-, or 256-bit keys                   Strong       N/A
Twofish                Symmetric                128-bit block cipher                      128-, 192-, or 256-bit key
RC4 (Rivest Cipher 4)  Symmetric                Stream cipher (one bit at a time)         40- to 2,048-bit key
RC5                    Symmetric                Block cipher                              Variable (up to 2048)                         Very strong  N/A
RSA                    Asymmetric               Key transport                             1024-bit keys                                 Strong       N/A
Diffie-Hellman         Asymmetric               Key exchange                              N/A                                           Moderate     El Gamal
El Gamal               Asymmetric               Key exchange                              N/A                                           Very strong  N/A
MD5                    Hashing (integrity)      Rivest MD5 block hash, 512-bit blocks     Creates 128-bit hashes / digests              Strong       MD6, et al.
SHA-1                  Hashing (integrity)      Rivest SHA hash, 512-bit blocks           Creates 160-bit hashes / digests              Very strong  N/A
SHA-2                  Hashing (integrity)      Hash                                      Creates 224-, 256-, 384-, or 512-bit hashes
HMAC-MD5               Integrity/authenticity   Keyed digest                              Creates 128-bit hashes                        Very strong  N/A
HMAC-SHA1              Integrity/authenticity                                             Creates 160-bit hashes
RIPEMD                                          Hash                                      Creates 128-, 160-, 256-, or 320-bit hashes

Remote Access Technologies

Name      Type   Features                         Protocol   Replaced by
PPP       RAS    PAP, CHAP, EAP                   TCP/IP     N/A
RADIUS    RAS    PAP, CHAP                        UDP        N/A
TACACS    RAS    PAP, CHAP                        UDP        TACACS+
TACACS+   RAS    Many                             TCP        N/A
PPTP      VPN    PPP tunneling, PAP, CHAP, EAP    Layer 2    L2F, L2TP
L2F       VPN    Cisco based                      Layer 2    N/A
L2TP      VPN    Combines PPTP and Cisco          Layer 2    N/A
IPSec     VPN    Transport / tunnel mode          Layer 3    N/A

FORENSICS ORDER: CASPR

Collect

Analyze

Store

Present

Return – CASPR The friendly ghost