Security+ 4-2C All Slides
Cryptography
Domain Objectives
A Security+ candidate is expected to:
Given a scenario, utilize general cryptography concepts
Given a scenario, use appropriate cryptographic methods
Given a scenario, use appropriate PKI, certificate management and associated components
General Concepts
Cryptology
The science of cryptography and cryptanalysis.
Cryptography
The process of converting intelligible text into unintelligible
characters or symbols.
Cryptanalysis
Exploiting cipher weaknesses
General Concepts
Plaintext
Information without any protections applied
Algorithm
Instructions how to transform data
Cipher
The style used to encode data
Ciphertext
Information that has been transformed
General Concepts
Key
A variable used to transform data
Ephemeral Key
Ad hoc key
Keyspace
Pool of values that a key can be chosen from
Cryptography Goals
Confidentiality
Secrecy of data
Integrity
Baseline of data trustworthiness
Authentication
Prove yourself
Non-repudiation
There's no denying it
Digital Signatures
Steganography
Greek compound word
steganos means covered, or hidden; graphein, to write
Usage
Metadata
Covert channel
Ciphers
Substitution Cipher
Shift Cipher
Mono-alphabetic Cipher
Polyalphabetic Cipher
Transposition Cipher
Stream Cipher
Block Cipher
Substitution Cipher
Changes one character or symbol into another character or
symbol
Each character keeps its position in the message but
changes its identity
Shift Cipher
Mono-alphabetic Cipher
Poly-alphabetic Cipher
Substitution Cipher
Shift Cipher
Shifting of the alphabet
Caesar's Shift Cipher, ROT13
Plain-text: the time to attack is now
Cipher-text:
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Frequency Analysis
Using frequently used characters to crack the remaining
ciphertext
Some plaintext letters (e, r, s, t) are more commonly found in
everyday language than others
(Figure: worked frequency analysis of the shift cipher above. Candidate words such as SHE/THE, DIME/TIME/ELIME and NO/?SO are tried with the unknown letter ?; the guess ? = T yields THE TIME TO ATTACK IS NOW.)
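The shift cipher and the frequency analysis against it, as an added Python example that is not part of the slide deck: shift_encrypt reproduces the cipher alphabet above, and recover_shift scores all 26 possible shifts against an assumed table of English letter frequencies (the ENGLISH_FREQ values are approximate and constructed for this example), which is the automated form of the THE/TIME/NOW guessing shown on the slide.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate letter frequencies of English text, in percent (constructed from
# the commonly cited ETAOIN... ordering; exact values matter little here).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def shift_encrypt(plaintext: str, shift: int) -> str:
    """Shift (Caesar) cipher: every letter keeps its position in the message
    but is replaced by the letter `shift` places further along the alphabet.
    Output uses the upper-case cipher alphabet shown on the slide; non-letters
    (spaces, punctuation) pass through unchanged."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int) -> str:
    """Undo the shift; plaintext is returned in lower case."""
    return shift_encrypt(ciphertext, -shift).lower()


def rot13(text: str) -> str:
    """ROT13 is the shift cipher with shift 13; applying it twice gives the original."""
    return shift_encrypt(text, 13)


def chi_squared_english(text: str) -> float:
    """How far the letter counts of `text` are from what English would give
    (chi-squared statistic). Lower means 'looks more like English'."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    score = 0.0
    for letter in ALPHABET:
        expected = n * ENGLISH_FREQ[letter] / 100.0
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext: str) -> int:
    """Frequency analysis: the keyspace of a shift cipher is only 26 values,
    so score every candidate shift and return the one whose decryption best
    matches English letter frequencies. This is why a shift cipher offers no
    real confidentiality."""
    return min(range(26), key=lambda s: chi_squared_english(shift_decrypt(ciphertext, s)))


if __name__ == "__main__":
    ct = shift_encrypt("the time to attack is now", 3)
    print(ct)                                   # WKH WLPH WR DWWDFN LV QRZ
    s = recover_shift(ct)
    print(s, shift_decrypt(ct, s))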
Transposition Cipher
Changing the positions of plaintext letters
Example Scytale
Stream Cipher
Bit by bit encryption
Plaintext mixed with a keystream controlled by a key
Example: RC4
Block Cipher
Encrypts fixed-size chunks of data at a time
Typical block sizes are either 64 bit or 128 bit
Requires more resources
Processing
Memory
Cipher Suite
Negotiated package of algorithms, ciphers, and protocols
used to manage a conversation between two systems
Confidentiality, integrity, authentication, non-repudiation, and key exchange options
Example
Converted Plaintext: 0101 0001
Keystream:           0111 0011
Output of XOR:       0010 0010
(Figure: XOR truth example 1100 XOR 1010 = 0110; 1 XOR 0 = 1.)
(Figure: the message "Hello Mom, Just dropping a note to say hello." converted to bits, XORed with a keystream, and the resulting ciphertext bit rows.)
One-time pad
(Figure: the same message XORed with a one-time pad as long as the message itself to produce the ciphertext; 1 XOR 0 = 1.)
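The XOR arithmetic of the stream cipher and the one-time pad, as an added Python example that is not from the slides: xor_bits reproduces the bit-string computation above, xor_bytes is the same operation on bytes, and one_time_pad_encrypt draws a fresh random pad from os.urandom. pad_reuse_leak shows the property that makes the pad strictly single-use. The message text is the one on the slide; the sample keys are constructed for the example.

```python
import os


def xor_bits(plain_bits: str, key_bits: str) -> str:
    """XOR two bit strings written the way the slide writes them ("0101 0001").
    Spaces are ignored for the computation and the result is regrouped in fours."""
    p = plain_bits.replace(" ", "")
    k = key_bits.replace(" ", "")
    if len(p) != len(k):
        raise ValueError("plaintext and keystream must have the same length")
    out = "".join("1" if a != b else "0" for a, b in zip(p, k))
    return " ".join(out[i:i + 4] for i in range(0, len(out), 4))


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """Stream-cipher core: each plaintext byte XORed with the matching keystream byte.
    Because x ^ k ^ k == x, the same call both encrypts and decrypts."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def one_time_pad_encrypt(message: bytes) -> tuple:
    """One-time pad: a fresh, truly random pad as long as the message.
    Returns (ciphertext, pad); the pad is the key and must be used exactly once."""
    pad = os.urandom(len(message))
    return xor_bytes(message, pad), pad


def one_time_pad_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def pad_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """Why 'one-time' matters: if two messages share a pad, XORing the two
    ciphertexts cancels the pad and leaves m1 XOR m2, so the key then gives
    the two messages no protection from each other."""
    return xor_bytes(ciphertext1, ciphertext2)


if __name__ == "__main__":
    print(xor_bits("0101 0001", "0111 0011"))        # 0010 0010
    msg = b"Hello Mom, Just dropping a note to say hello."   # message from the slide
    ct, pad = one_time_pad_encrypt(msg)
    print(ct.hex())
    print(one_time_pad_decrypt(ct, pad))
```

The same xor_bytes call encrypts and decrypts, which is exactly what makes keystream reuse dangerous: the RC4 slide's "keystream controlled by a key" only provides confidentiality while the keystream is never repeated.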
Synonyms:
Salt
Nonce
Key Stretching
The process of systematically making something longer so it is harder to attack
Used on
Passwords before they get encrypted
Keys (cryptovariables)
Noteworthy protocols
bcrypt
PBKDF2
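Key stretching with PBKDF2, as an added Python example that is not from the slides. It uses hashlib.pbkdf2_hmac from the standard library (bcrypt needs a third-party package, so it is not shown); the iteration count, salt length and sample password are assumptions of the example, and rfc6070_check reproduces a published PBKDF2 test vector so the construction can be checked against a known value.

```python
import hashlib
import hmac
import os


def stretch_password(password: str, salt: bytes, iterations: int,
                     hash_name: str = "sha256", length: int = 32) -> bytes:
    """Key stretching with PBKDF2: an HMAC is iterated `iterations` times, so
    every guess costs an attacker as much work as one legitimate check costs us."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, dklen=length)


def new_password_record(password: str, iterations: int = 600_000) -> dict:
    """What to store instead of the password: a random per-user salt, the
    iteration count (so it can be raised later) and the stretched key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": stretch_password(password, salt, iterations),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = stretch_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def rfc6070_check() -> str:
    """PBKDF2-HMAC-SHA1 test vector from RFC 6070 (P="password", S="salt",
    c=1, dkLen=20), returned as hex."""
    return stretch_password("password", b"salt", 1, hash_name="sha1", length=20).hex()


if __name__ == "__main__":
    record = new_password_record("correct horse battery staple")   # constructed sample
    print(record["key"].hex())
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

The salt is what defeats precomputed dictionary tables, and the iteration count is the stretching itself; storing the count alongside the key lets it be raised for new records as hardware gets faster.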
Key Exchange
Out-of-band Exchange
In-band Exchange
Branches of Cryptography
Hashing
Symmetric
Asymmetric
Quantum
Hashing
Algorithm that takes a variable-length input and generates
a fixed-length output
Public, one-way function
Primary purpose: data integrity baseline
Message Digests
Cryptographic checksums
MD5 ("The quick brown fox jumps over the lazy dog") =
9e107d9d372bb6826bd81d3542a419d6
MD5 ("The quick brown fox jumps over the lazy eog") =
ffd93f16876049265fbaef4da268dd0e
Name                Hash Length
MD4
MD5
SHA (SHA-1)
SHA-2               SHA-224, SHA-256, SHA-384, SHA-512 (digest sizes: 224 bits, 256 bits, 384 bits, 512 bits)
SHA-3               SHA-224, SHA-256, SHA-384, SHA-512 (digest sizes: 224 bits, 256 bits, 384 bits, 512 bits)
RIPEMD              RIPEMD-160
HAVAL               Digest sizes: 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits
Whirlpool
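Message digests and digest sizes in code, as an added Python example that is not from the slides: digest_hex computes the MD5 example above, digest_size_bits reports the digest length of each hashlib algorithm in the table (hashlib spells the SHA-3 variants sha3_224 through sha3_512), and differing_bits shows how much the one-letter change from "dog" to "eog" changes the digest.

```python
import hashlib


def digest_hex(algorithm: str, data: bytes) -> str:
    """Fixed-length message digest of variable-length input, hex encoded."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_size_bits(algorithm: str) -> int:
    """Digest length in bits, i.e. the 'Hash Length' column of the table."""
    return hashlib.new(algorithm).digest_size * 8


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions in which two equal-length digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_integrity(algorithm: str, data: bytes, expected_hex: str) -> bool:
    """Integrity baseline: recompute the digest and compare with the published one."""
    return digest_hex(algorithm, data) == expected_hex.lower()


if __name__ == "__main__":
    a = digest_hex("md5", b"The quick brown fox jumps over the lazy dog")
    b = digest_hex("md5", b"The quick brown fox jumps over the lazy eog")
    print(a)                           # 9e107d9d372bb6826bd81d3542a419d6
    print(b, differing_bits(a, b))
    for name in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512",
                 "sha3_224", "sha3_256", "sha3_384", "sha3_512"):
        print(f"{name:9s} {digest_size_bits(name)} bits")
```

The differing_bits count illustrates the avalanche property that makes a digest a useful checksum: a single changed character flips roughly half of the output bits, so the comparison in verify_integrity is all-or-nothing.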
Hashing Attacks
Hash Collision
Hashing Attacks
Birthday Attack
Based on the Birthday Paradox
Dictionary Attack
List of words
Symmetric Cryptography
Private Key Cryptography
Symmetric Cryptography
Advantages
Less computationally intensive
Produces smaller cipher sizes
Faster transmissions
Disadvantages
Key Distribution
Key Management
N (N - 1) / 2 keys for N parties
Lacks non-repudiation
Shared key: can you trust the other party?
Symmetric Algorithms
Data Encryption Standard (DES)
Block size: 64 bits
Key size: 64 bits (8 bits used for parity)
Effective key size: 56 bits
Comments:
Based on IBM's Lucifer algorithm
Data Encryption Algorithm (DEA)
Easily broken
Symmetric Algorithms
Triple DES (3DES)
Block size: 64 bits
Key size: 168 bits*
Comments:
Uses DES three times in a row
Designed to mitigate some of the weaknesses of DES
Still used today
Symmetric Algorithms
Advanced Encryption Standard (AES)
Block size: 128 bits
Key size(s): 128, 192, 256 bits
Comments:
Official replacement of DES
Based on the Rijndael algorithm
Symmetric Algorithms
Blowfish
Block size: 64 bits
Key size(s): variable (32 to 448 bits)
Comments
Fastest of the Symmetric algorithms
Used in SSH
Symmetric Algorithms
Twofish
Block size: 128 bits
Key size(s): 128, 192, 256 bits
Comments:
One of the 5 finalists of the AES contest
Symmetric Algorithms
CAST-128
Block size: 64 bits
Key size(s): variable (40 to 128 bits)
CAST-256
Block size: 128 bits
Key size(s): 128, 160, 192, 224, 256 bits
Symmetric Algorithms
International Data Encryption Algorithm (IDEA)
Block size: 64 bits
Key size: 128 bits
Comments
Developed by the Swiss
Prominently used in European countries
Symmetric Algorithms
RC variants
RC4
Stream cipher
Key sizes:
variable (0-2048 bits)
RC5
Block sizes:
Key sizes:
RC6
Block size: 128 bits
Key sizes: variable (0-2048 bits)
Symmetric Algorithms
Secure And Fast Encryption Routine (SAFER)
SAFER+
Block size: 128 bits
SAFER++
Block sizes:
Comments:
Used in Bluetooth for key derivation, not for encryption
Symmetric Algorithms
Skipjack
Block size: 64 bits
Key size: 80 bits
Comments:
Created by NSA
Key Escrow
Clipper Chip
Asymmetric Cryptography
Public Key Cryptography
Each user is assigned a mathematically related key pair
Public Key is available to everyone
Private Key is kept secret
Comments:
Whatever is encrypted with one key must be decrypted with the other key
Supports all 4 cryptographic goals: authentication, confidentiality, integrity,
and non-repudiation
Asymmetric Cryptography
Advantages:
Key Management (N * 2)
Public key provides in-band distribution
Provides:
Confidentiality, integrity checks, digital signatures, key exchange,
authentication, and non-repudiation
Disadvantages:
Slower than symmetric cryptography
File size increases
Asymmetric Algorithms
Diffie-Hellman
Provides:
Key Exchange
Key Agreement
Comments:
Based on discrete logarithms
Asymmetric Algorithms
El Gamal
Provides:
Key Exchange
Confidentiality
Digital Signatures
Comments
Based upon Diffie-Hellman
Uses discrete logarithms
Asymmetric Algorithms
RSA
Provides:
Key Exchange
Confidentiality
Variable block and key sizes:
2048-4096 bits considered secure
Digital Signatures
Comments:
Uses very large prime numbers
Asymmetric Algorithms
ECC
Provides:
Key Exchange
Confidentiality
Digital Signatures
Comments:
Uses two points on an elliptic curve
Uses smaller key sizes than RSA, with the same level of strength
Protection Mechanisms
Digital Signatures
MAC
HMAC
Digital Signatures
Digital version of someone's paycheck signature
Provides:
Authentication
Integrity
Non-repudiation
2.
3.
The Recipient:
1.
2.
3.
(Figure: Signing, Sending, Receiving. The message is hashed to a message digest (GBe4YLe2); the digest is signed with the sender's private key and sent with the message; the recipient recovers the digest from the signature with the sender's public key, recomputes the message digest, and compares the two.)
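The signing and verifying steps of the diagram above, worked through with textbook RSA as an added Python example that is not from the slides. The key is constructed from two Mersenne primes so that it can be checked by hand, and the digest is reduced modulo the modulus; both are toy simplifications, since a real signature uses a 2048-4096-bit modulus with PKCS#1 padding, as the RSA slide later notes. encrypt_with_public and decrypt_with_private illustrate the "encrypted with one key, decrypted with the other" property from the asymmetric cryptography slides. All names here are the example's own.

```python
import hashlib

# Constructed toy RSA key. The primes are Mersenne primes chosen only so the
# arithmetic is easy to check; a real key uses a 2048-4096-bit modulus.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                     # public modulus (about 92 bits here)
E = 65537                     # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)           # private exponent: E*D == 1 (mod PHI); Python 3.8+

PUBLIC_KEY = (N, E)           # published to everyone
PRIVATE_KEY = (N, D)          # kept secret by the signer


def message_digest(message: bytes) -> int:
    """Hash the message (SHA-256) and reduce it into the RSA group.
    Reducing mod N is a toy shortcut; real schemes pad the digest (PKCS#1 v1.5 or PSS)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signing: the sender's private key is applied to the message digest."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Receiving: the sender's public key recovers the digest that was signed,
    which must equal a fresh digest of the received message."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def encrypt_with_public(m: int, public_key=PUBLIC_KEY) -> int:
    """Confidentiality direction: anyone can encrypt to the holder of the private key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_with_private(c: int, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    msg = b"Transfer approved"              # constructed sample message
    sig = sign(msg)
    print("signature:", sig)
    print("valid:", verify(msg, sig))
    print("tampered:", verify(b"Transfer approved!", sig))
    print(decrypt_with_private(encrypt_with_public(123456789)))
```

Verification needs only the public key, which is what gives non-repudiation: nobody but the private-key holder could have produced a value that the public exponent maps back onto the digest, and altering even one byte of the message changes the digest the recipient computes.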
DSS / DSA
Digital Signature Standard / Digital Signature Algorithm
Established by NIST FIPS
Asymmetric Algorithm: RSA / ECC
Hashing algorithm: SHA
Two goals:
1.
2.
MAC
Message Authentication Code
Establishes message authenticity
Validate the source (data origin)
Validate the packet (integrity)
Packet data is encrypted with the session key using a symmetric algorithm
(DES, 3DES, RC4)
Requires sender and receiver to have an established shared secret key
Used in SSL, WPA
MAC
(Figure: the sender runs the message and the secret key through a symmetric algorithm to produce the MAC and sends message + MAC over the channel; the receiver runs the received message and the same secret key through the symmetric algorithm and compares the two MACs: equal (Y) = message is authentic; not equal (N) = message has been altered.)
HMAC
Hashed MAC
Establishes packet authenticity
Validate the source (data origin)
Validate the packet (integrity)
Packet data is concatenated with the session key, then hashed with a
hashing algorithm (MD5, SHA)
Requires sender and receiver to have an established shared secret key
Faster than a MAC
HMAC
(Figure: the sender combines the secret key with the message and runs it through the hashing algorithm to produce HMAC 1, then sends message + HMAC 1 over the channel; the receiver combines the received message with the same secret key, hashes it to produce HMAC 2, and compares HMAC 2 with HMAC 1. HMAC = Hashed Message Authentication Code.)
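The sender/receiver exchange in the MAC and HMAC diagrams above, as an added Python example that is not from the slides, using the standard-library hmac module: compute_mac is the sender side, verify_mac and check_received are the receiver's compare box. The shared key and messages are constructed for the example; rfc4231_case1_hex reproduces a published HMAC-SHA256 test vector.

```python
import hashlib
import hmac


def compute_mac(secret_key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Sender side: HMAC over the message with the shared secret key."""
    return hmac.new(secret_key, message, hash_name).digest()


def verify_mac(secret_key: bytes, message: bytes, received_tag: bytes,
               hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag with the same secret key and compare.
    compare_digest avoids leaking where the comparison failed through timing."""
    expected = compute_mac(secret_key, message, hash_name)
    return hmac.compare_digest(expected, received_tag)


def check_received(secret_key: bytes, packet: dict) -> str:
    """The decision box in the diagram: authentic, or altered in transit."""
    if verify_mac(secret_key, packet["message"], packet["tag"]):
        return "Message is authentic"
    return "Message has been altered"


def rfc4231_case1_hex() -> str:
    """HMAC-SHA256 test case 1 from RFC 4231 (key = 20 bytes of 0x0b, data 'Hi There')."""
    return compute_mac(b"\x0b" * 20, b"Hi There").hex()


if __name__ == "__main__":
    key = b"shared-secret-constructed-for-demo"     # constructed sample key
    body = b"PAY 100 TO ALICE"
    packet = {"message": body, "tag": compute_mac(key, body)}
    print(check_received(key, packet))               # Message is authentic
    packet["message"] = b"PAY 900 TO ALICE"          # altered on the channel
    print(check_received(key, packet))               # Message has been altered
```

Both sides need the same secret key, which is why a MAC gives data-origin authentication and integrity but not non-repudiation: either holder of the key could have produced the tag.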
Hybrid Cryptography
Asymmetric Cryptography provides
Key Exchange
Key encryption
Digital Signatures
Hybrid Cryptography
(Figure, Send: generate a session key; encrypt the message with the session key; generate a hash of the message (B3DF421A) and sign it with the sender's private key (signed ICV); the header carrying the timestamp, the session key, the signed ICV and the sender's ID is encrypted with the recipient's public key.)
Hybrid Cryptography
(Figure, Receive: recover the header (timestamp, session key, signed ICV, sender's ID); decrypt the message with the session key; generate the hash; verify the signed ICV with the sender's public key and separate the auth block; compare the two ICVs (B3DF421A): equal?)
Quantum Cryptography
Uses photons and qubits instead of bits
Pulses of light, LEDs, and fiber optics
Based on the Heisenberg Principle
One cannot determine the finite position and the finite speed of an object
at the same time
The more precise the location, the less accurate speed measurement
Quantum Cryptography
Trust Models
Common Trust models
Single-authority trust
Hierarchical trust
Bridge trust
Web of trust (Peer-to-Peer trust)
Single-Authority Trust
A third-party central certifying authority signs a given key and authenticates the owner of the key.
(Figure: one CA certifying two users.)
Hierarchical Trust
Multiple CAs deployed within an inverted tree structure
Various levels of CAs are subordinate to an overall root CA
(Figure: Root CA at the top, Intermediate CAs below it, Leaf CAs at the bottom.)
Bridge Trust
Two or more separate authorities establish a trust relationship with each other
Often used between business partners
Two-way transitive trusts
(Figure: two hierarchies, each with its own Root CA and Intermediate CAs, bridged to each other.)
Web of Trust
CA does not exist to certify owners
(Figure: users certify each other directly.)
Certificate Management
Public Key Infrastructure (PKI)
Framework for creating, managing, issuing, distributing, and
storing:
Asymmetric private keys
X.509 Digital Certificates
Digital Certificate
Asymmetric Public Key digitally signed by a 3rd party
Typically a CA
Subject's name
Public Key
CA's Name
CA's Digital Signature
Periodicity: when is it usable
Certificate policy: what can it be used for
(Figure: certificate showing Serial Number, Subject, Pub Key, Signature.)
Certificate Authority
The entity responsible for issuing, storing, revoking, and
distributing digital certificates
Houses the Certificate Revocation List (CRL)
Trusted Root CA
The root of the hierarchical trust model
Creates and signs keys for themselves
Creates and signs keys for intermediate CAs
Intermediate CAs sign for end users
Example Trusted Root CA = CA-2
Example Intermediate CA = CA-31
Trusted Root CAs create Asymmetric Private and Public keys for
themselves and Digitally Sign their own Public Keys.
CA Architecture
Root CA
Intermediate CAs
Leaf CAs
Registration Authority
Validates subjects
Middleman between subscribers and CA
Can distribute keys on behalf of the CA
Can accept registrations for the CA
RA does not issue certificates on their own
Enrollment
The subject must first prove their identity to the CA/RA
before a digital certificate is created
Proof comes from:
Physically appearing
Identification and authentication data within a web form
Certificate Policy
Dictates the circumstances a specific certificate can be used
Protects the CA from claims of loss if the certificate is
misused
Should identify the user community
Driver's license
Social Security Number
Phone number
Email address
Certificate Revocation
Certificates are revoked due to:
Key theft
Loss
Illegal activity
Voluntary
Significant changes in the organization
OCSP
Online Certificate Status Protocol
Querying protocol that checks a CA's CRL file for bad digital certificates
Server responds with either:
Good
Revoked
Unknown
Certificate Suspension
Certificates can be suspended
Ensures the key may be usable again in the future
Mandatory vacations
Policy acknowledgements incomplete yet
Certificate Expiration
If a certificate expires, a new certificate should be requested
Expired certificates do not get added to the CRL
Certificate Renewal
Unexpired certificates can be renewed prior to the
certificate's expiration
Allows the same certificate to be used past the original expiration
time
Certificate Destruction
Have an established policy for destroying keys
Address data remanence issues
Deregistration
Update the CA's CRL and OCSP servers
Key Management
Protecting private keys
The strength of asymmetric cryptography lies in the secrecy and
security of its private keys
If the private key is compromised:
The certificate must be revoked and a new key pair generated
Key Management
Key Length
Use sufficiently long keys
The more valuable the data the longer the key should be
Crypto Period
Establish policies for setting key lifetimes
The more valuable the data, the shorter the lifetime of the key should be
Key Management
Centralized Key Management
A centralized entity is in charge of issuing keys
Users do not have control of their keys
The central authority keeps a copy of the key
Key Storage
Software-based
Easily destroyed
Subject to the security of the software system
Hardware-based
Key Escrow
3rd party under certain contractual circumstances has
access to the decryption keys
Recovery mechanism is external to the organization
Keys are stored outside of the organization
Allows for Key Recovery
Recovery Agent
Someone within the organization has access to the keys
Internal to the organization
Practice M of N control
Domain Objectives
A Security+ candidate is expected to:
Utilize general cryptography concepts
Use appropriate cryptographic methods
Use appropriate PKI, certificate management, and associated
components
Questions?
Review Question 1
Which of the following are valid cryptographic hash functions? (Choose three)
RIPEMD
RC4
SHA-512
MD5
Twofish
Review Question 2
Which of the following protocols would return an X.509
Digital Certificate status of good, revoked, or
unknown?
CRL
TLS
PKI
OCSP
HMAC
Review Question 3
A Certificate Authority takes which of the following actions
in PKI?
Review Question 4
The security administrator wants each user to individually
decrypt a message but allow anybody to encrypt it. Which
of the following MUST be implemented to allow this type of
authorization?
Use of CA certificate
Use of public keys only
Use of private keys only
Use of public and private keys
Review Question 5
A security administrator must implement a system to allow
clients to securely negotiate encryption keys with the
company's server over a public unencrypted
communication channel. Which of the following would
satisfy the criteria? (Select TWO).
PBKDF2
ECDHE
Steganography
bcrypt()
Diffie-Hellman
Review Question 6
Which of the following algorithms has well documented
collisions? (Select TWO).
AES
MD5
SHA-256
RSA
SHA
Review Question 7
A company requires all internal messages to be digitally
signed. This is a form of which of the following security
goals?
Availability
Non-repudiation
Authorization
Cryptography
Confidentiality
Review Question 8
A web server that utilizes PKI needs a new X.509 Digital
Certificate. Which of the following should be submitted to
a CA?
CSR
CLR validation
Private key
OCSP request
Ephemeral key
Review Question 9
Which of the following algorithms would be capable of
using a 128-bit key? (Select TWO).
RSA
3DES
Twofish
DES
AES
SHA-2
Review Question 10
Which of the following symmetric algorithms would use a
block cipher of 128-bits?
RSA
3DES
AES
DES
ECC
Blowfish
Domain 2
Network Security
Domain Objectives
A Security+ candidate is expected to:
OSI Model
Layer           User Programs / Protocol Examples        Hardware
7-Application   FTP, Telnet, SMTP, HTTP, SIP
6-Presentation  JPG, MPEG, GIF, MP3, HTML
5-Session       RPC, SQL, NFS, NetBIOS, ASP
4-Transport     SCTP, TCP, UDP, NetBEUI, RTP
3-Network       IGMP, ICMP, IPX, IPv4, v6, IPsec         Router
2-Data Link     PPP, PPTP, L2TP, ARP, 802.3
1-Physical      USB, DSL, Firewire, ISDN, ATM, Cable
Networking Models
OSI Model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical
TCP/IP Model: Application, Host to Host, Internet, Network Interface
Encapsulation
Encapsulation Example
PDUs by layer:
Application (HTTP), Presentation (HTML), Session (ASP.NET): data
Transport: Segment = SRC Port | DST Port | data
Network: Packet = SRC IP | DST IP | Protocol Number | Segment
Data Link: Frame = SRC MAC | DST MAC | Ethernet | Packet | FCS
Physical: Bits = 10100010010101001101010110100110011010101
Common Definitions
Addresses
Identifies networks and devices on a network
Messages
Typically addressed to both the device and the port number of
the service
Port Numbers
Identifies specific services running on a device
Common Definitions
Socket
IP address:port number (147.63.12.2:8080)
Socket Pairs
Client IP address:port number and the server's IP address:port number
177.41.72.6:3022 communicating to 41.199.222.3:80
Half-duplex communication
Virtual circuit
Port Assignments
Assigned by IANA (Internet Assigned Numbers Authority)
http://www.iana.org/assignments/port-numbers
PORT            Service
                FTP Data/Control
22              SSH/SFTP/SCP
23              Telnet
25              SMTP
49              TACACS+
53              DNS
67/68           DHCP
69              TFTP
80              HTTP
88              Kerberos
110             POP3
123             NTP
137-139, 445    NetBIOS
143             IMAP v4
161/162         SNMP
389             LDAP
443             HTTPS / SSTP
465             SMTPS
514             SYSLOG
636             LDAPS
989/990         FTPS (Implicit)
993             IMAPS
995             POP3S
1701            L2TP
1723            PPTP
1812            RADIUS
3389            RDP
5060            SIP
TCP
Transmission Control Protocol
SCTP
Stream Control Transmission Protocol
UDP
Provides best effort delivery
Connectionless
Lacks flow control
Lacks error recovery
TCP
Reliable, connection-oriented protocol
3-way handshake
Provides flow control
Sliding window
(Figure: 3-way handshake: SYN, SYN-ACK, ACK.)
SCTP
Connection-oriented
Resources aren't allocated until 4-way handshake is completed
Multi-homing
Multiple NICS to transmit and receive with
Multi-streaming
Streaming data
Telephony
(Figure: 4-way handshake: INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK.)
IPv4
Internet Protocol version 4
IPv6
Internet Protocol version 6
ICMP
Used for network troubleshooting
0 - Echo Reply
3 - Destination Unreachable
8 - Echo
30 - Traceroute
IP Addressing
Unique identifier to differentiate one host from another
host
A name indicates what we seek. An address indicates where it is. A route
indicates how to get there. The Internet Protocol deals primarily with
addresses.
IPv6
128-bit address
IPv4 Addressing
Made up of a 32-bit address or four-octet address
Referred to as dotted decimal representation of a binary number
Example: the IP address of 195.143.67.2 is actually the following binary:
195 = 11000011
143 = 10001111
67 = 01000011
2 = 00000010
Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255
APIPA
Automatic Private Internet Protocol Address
Assigned by own operating system when a static or dynamic IP
address has not been assigned
169.254.0.0 - 169.254.255.255
Non-routable IP address
Allows peer-to-peer communications within a workgroup
Subnet Mask
Determines: which bits of the address are the Network portion and which are the Host portion
IP Address:  192.168.10.20 = 11000000.10101000.00001010.00010100
Subnet Mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
             Network (first three octets) | Host (last octet)
CIDR
Classless Inter-Domain Routing
IPv4 Subnetting
Used to divide large groups of hosts within a larger network
into smaller, manageable network collections
More efficiently manages traffic
Creates multiple, smaller broadcast domains
IPv4 Subnetting
Example 192.168.10.20/24
IP address + subnet mask defines IP schema
IP Address:  192.168.10.20
Subnet Mask: 255.255.255.0 = 11111111.11111111.11111111.00000000 (nnnnnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh)
Network:     192.168.10.0
Host 1:      192.168.10.1
Host + 1:    192.168.10.(h+1)
Host 254:    192.168.10.254
Broadcast:   192.168.10.255
IPv4 Subnetting
Example: from 192.168.10.20/24 to /26
IP Address:  192.168.10.20
Subnet Mask: 255.255.255.192 (nnnnnnnn.nnnnnnnn.nnnnnnnn.nnhhhhhh)
Network #1: 192.168.10.0     Broadcast #1: 192.168.10.63
Network #2: 192.168.10.64    Broadcast #2: 192.168.10.127
Network #3: 192.168.10.128   Broadcast #3: 192.168.10.191
Network #4: 192.168.10.192   Broadcast #4: 192.168.10.255
Improved troubleshooting
Faster to trace a problem on a subnet
Flexibility
Customization of number of hosts on a subnet
IPv6 Addressing
3FFE:0B00:0800:0002:0000:0000:0000:000C
3FFE:B00:800:2::C
IPv6 Addresses
Global address
Link-local address
Local address
Loopback address
Link-local address (169.254.0.0/16 in IPv4):
Self-configured
Non-routable
Begins with fe80 in the first block
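The dotted-decimal conversion, the private and APIPA ranges, the /24 to /26 subnetting example and the IPv6 address compression above, worked with Python's ipaddress module as an added example that is not from the slides. The helper names and sample addresses are the example's own; the subnet results match the four networks and broadcast addresses listed on the slide.

```python
import ipaddress


def dotted_to_binary(addr: str) -> str:
    """Dotted-decimal IPv4 address as its four 8-bit octets."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def classify_ipv4(addr: str) -> str:
    """Which of the slide's address categories an IPv4 address falls in.
    Order matters: 127/8 and 169.254/16 also count as private in ipaddress."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16, APIPA
        return "link-local"
    if ip.is_private:             # 10/8, 172.16/12, 192.168/16
        return "private"
    return "global"


def subnet_plan(address_with_prefix: str, new_prefix: int) -> list:
    """Split the network containing the address into /new_prefix subnets.
    Returns (network, broadcast, usable host count) per subnet."""
    # strict=False turns 192.168.10.20/24 into the network 192.168.10.0/24
    net = ipaddress.ip_network(address_with_prefix, strict=False)
    return [
        (str(s.network_address), str(s.broadcast_address), s.num_addresses - 2)
        for s in net.subnets(new_prefix=new_prefix)
    ]


def network_and_mask(address_with_prefix: str) -> tuple:
    """(network, netmask, first usable host, last usable host, broadcast)."""
    net = ipaddress.ip_network(address_with_prefix, strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(net.netmask),
            str(hosts[0]), str(hosts[-1]), str(net.broadcast_address))


def compress_ipv6(addr: str) -> str:
    """Drop leading zeros and collapse the longest run of zero blocks to '::'."""
    return ipaddress.IPv6Address(addr).compressed


def is_ipv6_link_local(addr: str) -> bool:
    """fe80::/10, the IPv6 counterpart of APIPA."""
    return ipaddress.IPv6Address(addr).is_link_local


if __name__ == "__main__":
    print(dotted_to_binary("195.143.67.2"))
    print(network_and_mask("192.168.10.20/24"))
    for network, broadcast, hosts in subnet_plan("192.168.10.20/24", 26):
        print(f"{network:16s} {broadcast:16s} {hosts} usable hosts")
    print(compress_ipv6("3FFE:0B00:0800:0002:0000:0000:0000:000C"))
    print(classify_ipv4("169.254.10.5"), is_ipv6_link_local("fe80::1"))
```

The /26 split trades two host bits for two network bits, which is why each of the four subnets keeps 62 usable addresses rather than the 254 of the original /24; the same subnet_plan call with any other new_prefix shows the general trade-off.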
iSCSI
Internet Small Computer System Interface
IP-based protocol
Encapsulates SCSI commands into IP
Routable across networks
Authentication
Uses CHAP by default
Eavesdropping issues
Use VLANs and IPsec
Fibre Channel
SAN communication protocol
High speed: 16 Gbps
Uses fiber optics or copper-based wiring
Expensive hardware and cabling
Fibre Channel switch
Natural isolation
Separate architecture isolates backup data from the rest of the network
FCoE
Fibre Channel over Ethernet
Ethernet and Fibre Channel standards are modified and then
merged into a single standard
Fibre Channel commands are encapsulated inside of modified Ethernet
frames
Can be used within the Ethernet LAN but is not routable by itself to other
networks
Supports 10 Gbps Ethernet
NetBIOS
Network Basic Input Output Systems
DNS
Domain Name Service
IETF standard for FQDN to IP address lookups
Fully Qualified Domain Name
Root
TLDs
Intermediates
DNS
Local host file
Stores information about nodes in a network
/etc/hosts
DNS
DNS Zones
The portion of the DNS domain namespace over which a DNS
server has authority
A DNS server's zone can comprise:
A single domain
Some or all subdomains
Multiple separate domains
(Figure: ACME domain tree with subdomains Corp, Sales, Engr, QA, Acct, Retail, Web and HR; 4 zones, 9 domains.)
DNS
DNS Zone Transfers
Publishes information about the domain and the name servers of any subordinate domains
A hacker can gain sensitive information about all systems within
the domain
Footprinting
DNSSEC
DNS Security
Zone transfer tamper protection mechanism
Digital signatures
Mitigates
Man-in-the-Middle attacks between DNS servers
DNS poisoning
A - IPv4 address
MX - Email server
NS - authoritative name servers
AAAA - IPv6 address
DNS Poisoning
Incorrect DNS data that is injected into a DNS namespace
Redirects traffic to incorrect sites
Can be also called DNS Cache poisoning
DNS Kiting
DNS Tasting
Legitimate 5-day grace period
DNS Kiting
Attacker cancels domain registration before 5-day grace period
ends, then later re-registers
Fraud: domain is never paid for
Ties up legitimate domain names from being hosted legitimately
Email
Email protocols
SMTP
POP3
IMAP
SSL/TLS
S/MIME
PGP
SMTP
Simple Mail Transport Protocol
Delivers email to an email server on TCP 25
Plaintext issues
Use SMTPS on TCP 465
SPAM issues
Disable HTML formatting, use text-based only
Avoid SMTP open relay
Implement blacklisting
Implement whitelisting
Malware issues
Use antivirus scanning
Downloading Email
POP3
Post Office Protocol version 3
TCP 110 plaintext issue
POP3S uses TCP 995
IMAP4
Internet Message Access Protocol version 4
TCP 143 plaintext issue
IMAPS uses TCP 993
PGP
Pretty Good Privacy
Decentralized
P2P Web of Trust
PGP-based Digital Certificates
Peers' Digital Signatures
Hybrid cryptosystem
Asymmetric Cryptography
Provides Key Distribution of the symmetric session key
X.509v3 Digital Certificates
Mutual Authentication
Symmetric Cryptography
MAC
HTTPS 443
SMTPS 465
LDAPS 636
IMAPS 993
Vulnerabilities
Smaller key sizes because no longer updated
Compromised root CAs
Outdated Digital Certificates
Hybrid cryptosystem
Asymmetric Cryptography
Provides Key Distribution of the symmetric session key
X.509v3 Digital Certificates
Mutual Authentication
Symmetric Cryptography
HMAC
HTTPS Process
CA
SSH
Secure Shell
Secures remote access and remote terminal communications
Secure replacement for Telnet and FTP
Protects against man-in-the-middle attacks and spoofing
SSH suite (SCP, SSH, SFTP, Slogin)
Uses TCP Port 22
OpenSSH, PuTTY
Hybrid Cryptosystem
Symmetric cryptography for encryption
PKC for connection/authentication
FTP
File Transfer Protocol
FTP Alternatives
File Transfer Protocol Secure (FTPS)
Session is encrypted using SSL/TLS protocols
TCP 989 and 990
Telephony
Streaming data
Web conferencing
VoIP
Video chat
CCTV
Supporting protocols:
SIP
RTP
SCTP
VoIP
Voice over Internet Protocol
IP-based protocol that converts analog voice signals into digital
packets.
Uses SIP to manage session
Issues:
Eavesdropping
SPIT
VoIP Protocols
Session Initiation Protocol (SIP)
Decentralized, peer-to-peer, multimedia communication protocol
Based on HTTP, works at Application layer
Ports 5060 (plaintext), 5061 (TLS)
NAC
Network Access Control
Evaluates system security status before allowing a connection to
the network
Anti-virus status
System update level
Configuration settings
Software firewall enabled
NAC
Quarantine Portal
Redirects to a web page with hyperlinks to fix parts of the system that aren't in compliance
Patch Management
Antivirus
Application Whitelisting
NAC
Captive Portal
Redirects to satisfy identification, authentication, authorization,
or policy requirements
Hotel network requiring the visitor to provide credentials
User gets redirected to the hotel's login page to provide room number, last name, and password
Remote Administration
Network backbone administration ports
Console port (line con 0)
Auxiliary port (line aux 0)
Virtual terminals (line vty 0 4)
SNMPv3
Telnet
SSH
RDP / Terminal Services
SNMP
Simple Network Management Protocol
Application Layer protocol that manages and monitors devices in
a network
Ports 161/162
Telnet
Command line interface used for remote administration of
TCP/IP-based systems on a network
Application Layer protocol
Passes data in plaintext
Use either SSH or TLS instead
TCP port 23
RDP
Remote Desktop Protocol
Terminal Services
Tunneling
Virtual dedicated connection between two systems or
networks
Encapsulation within a routable protocol
Can send private network data across a public network by encapsulating
data into other packets
May or may not include protection mechanisms such as encryption
Why tunnel?
Tunneling Protocols
Point-to-Point Protocol (PPP)
Used for establishing remote connections over a serial line or dialup connection
Allows TCP/IP traffic to be transmitted over telecommunication
lines
Dial-up modems
No encryption
EAP, CHAP, or PAP Authentication
Tunneling Protocols
Point-to-Point over Ethernet (PPPoE)
PPP encapsulated inside of Ethernet
IETF standard that works at the Data Link layer
Creates a direct, virtual point-to-point connection (PPP) between two
systems over a multipoint-aware network (Ethernet)
PPPoE Discovery
Provides:
Authentication
PAP, CHAP, EAP
Encryption
Compression
PPTP
Point-to-Point Tunneling Protocol
Encapsulates and encrypts PPP over IP packets
Negotiation in the clear
After negotiation is completed, channel is encrypted
Uses MPPE to encrypt data
Tunneling Protocols
Layer 2 Forwarding (L2F)
Tunneling protocol created by Cisco to tunnel PPP frames
Provides authentication only
Mutual Authentication
No data encryption
Layer 2 (Data Link layer)
UDP port 1701
L2TP
Layer 2 Tunneling Protocol
Combines L2F and PPTP at Layer 2
Message types
Control Messages: Establish, maintain, and tear down tunnels
Data Messages: Encapsulates PPP frames
No data encryption
Use IPsec
Authentication: PAP, CHAP, MS-CHAP, EAP-TLS
Examples:
PPTP
L2TP
SSH
IPsec
IPsec
IP Security
Most widely deployed VPN technology
Works at Layer 3 to protect IPv4 or IPv6 traffic
Authentication
X.509 Digital Certificates
Pre-shared keys
Kerberos
MAC/HMAC
Anti-replay services
IPsec Modes
Transport Mode
Designed for end-to-end encryption of data
Packet data is protected, but the header is left intact
Tunnel Mode
(Figure: IP | Data packet layouts for the two modes.)
IPsec Protocols
Authentication Header (AH)
Offers authentication and integrity services
HMAC
SHA or MD5
AH Transport Mode
IP Protocol #51
NAT issues (NAT-T)
(Figure: IP HDR | AH HDR | L4 HDR | L4 DATA, with the Integrity Check spanning the packet.)
AH Tunnel Mode
(Figure: New IP HDR | AH HDR | Old IP HDR | L4 HDR | L4 DATA, with the Integrity Check spanning the packet.)
IPsec Protocols
Encapsulating Security Payload (ESP)
Offers authentication, integrity, and confidentiality
Uses either AES, 3DES, or DES
IP protocol #50
(Figure, transport mode: IP HDR | ESP HDR | L4 HDR | L4 DATA | ESP Trailer | ESP AUTH; L4 HDR through ESP Trailer is Encrypted, ESP HDR through ESP Trailer is covered by the Integrity Check.)
(Figure, tunnel mode: New IP HDR | ESP HDR | Old IP HDR | L4 HDR | L4 DATA | ESP Trailer | ESP AUTH; Old IP HDR through ESP Trailer is Encrypted, ESP HDR through ESP Trailer is covered by the Integrity Check.)
ISAKMP
Internet Security Association and Key Management
Protocol
Defines the framework of procedures and packet formats that
establish, negotiate, modify, and delete Security Associations
UDP port 500
IKE
Internet Key Exchange
Provides Key Management and Key Exchange
Standard automated method for creating and negotiating shared secret
keys in IPsec
Interference Issues
Electromagnetic Interference (EMI)
External interference source
Power cables, fluorescent lights
Crosstalk
Internal interference source
Compromising emanations
Shielding and twisted wire pairs (CAT5)
Eavesdropping
Splicing Attack
Physical hacking of cable
Vampire taps
Packet Sniffing
Protocol Analyzer
Promiscuous Mode
Coaxial Cabling
BNC Connector
Vulnerabilities:
STP/UTP
Unshielded Twisted Pair (UTP) and Shielded Twisted Pair
(STP)
Easiest and cheapest to install
Most popular: CAT 5e/6
Vulnerabilities:
Electromagnetic Interference (EMI)
UTP is the more vulnerable of the two
Wire tapping
How and where wires are run in a building
CAT Standards
Unshielded Twisted Pair (UTP)
Shielded Twisted Pair (STP)
Category   Speed       Usage
CAT 1      Voice       POTS
CAT 2      4 Mbps      Token Ring
CAT 3      10 Mbps     10Base-T
CAT 4
CAT 5      100 Mbps    10-, 100Base-T
CAT 5e     1000 Mbps
CAT 6      1000 Mbps
Wireless Networking
CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance
802.11
Wireless Local Area Network (WLAN)
802.15
Wireless Personal Area Network (WPAN)
802.16
Wireless Metropolitan Area Network (WMAN)
802.11 Standards
Protocol   Frequency   Throughput    Modulation
802.11     2.4 GHz     2 Mbps        FHSS
802.11a    5 GHz       54 Mbps       OFDM
802.11b    2.4 GHz     11 Mbps       DSSS
802.11g    2.4 GHz     54 Mbps       OFDM / DSSS
802.11n                *600 Mbps     OFDM / DSSS
802.11ac   5 GHz       *1.69 Gbps    OFDM / DSSS
Modulation Types
FHSS
Frequency Hopping Spread Spectrum
DSSS
Direct Sequence Spread Spectrum
OFDM
Orthogonal Frequency Division Multiplexing
Wireless Terminology
Wi-Fi
Access Point
Association
Beacon Frame
SSID (Service Set ID)
BSSID (Basic Service Set ID)
ESSID (Extended Service Set ID)
Antenna types: YAGI, PARABOLIC (GRID), PANEL
Transmitter Power
Attenuation
WLAN Authentication
Establish WLAN authentication requirements
Open
Pre-Shared Key (PSK)
IEEE 802.1X
Extensible Authentication Protocol (EAP)
Mutual Authentication
MAC Filtering
WEP Issues
Static Keys
Small key sizes
Replay attacks
Evil Twin attacks
WPA/WPA2 Modes
IEEE 802.11i Modes
Personal (WPA-PSK)
Pre-Shared Key grants access to WLAN
Residential WLANs
Enterprise (WPA-802.1X)
Centralized Key Management
Uses EAP-variant 802.1X authentication server
PEAP / EAP-TLS / EAP-TTLS / EAP-FAST
WAP
Wireless Application Protocol
Commonly used in small mobile devices such as cell phones that
have a web browser
Functions are equivalent to the TCP/IP suite
WAP 1.x uses WTLS (Wireless Transport Layer Security)
Gap in the WAP: the WAP gateway decrypts WTLS and re-encrypts with TLS, so the data sits in plaintext on the gateway
Physical Devices
Layer 1 Physical
Layer 2 Data Link
Layer 3 Network
Upper layers
Layer 1
NIC
Connects host to the network (Layer 1)
MAC address stored in firmware (Layer 2)
Modem
Connects host to the telephone network
Modulate-Demodulate
Hub
Allows nodes to communicate with each other
No path determination: every frame is repeated out all ports, so any node can sniff all traffic
Layer 2
Switch
Connects multiple network segments
Trunking ports
Access ports
Loop Protection
Loops
More than one Layer 2 path between two endpoints
Affects network availability: can bring down the network
Broadcast Storm
Loop Protection
Manages switch ports automatically
Use Spanning Tree Protocol (STP) on switches
Prevents loops in the LAN by electing a root bridge and blocking redundant links
Keeps the lowest-cost path active
STP will fail over to a blocked alternate link if the active link fails
Broadcast Storm
Frames are broadcast, received and rebroadcast by each
switch, resulting in the frame never being delivered
Can cause severe network congestion
Degrades switch processing
Switch memory depletion
Mitigation:
IEEE 802.1D STP
Subnetting
VLANs
VLAN
Virtual LAN
Devices on the same physical network are divided into multiple
logical networks
Segments users or groups on a network
Created using VLAN-capable switches
Benefits:
Decreases broadcast traffic
Reduces traffic interception
Better management of network assets
[Diagram: one switch carrying VLAN1 (10.10.10.0/24), VLAN2 (192.168.0.0/24), VLAN3 (172.16.2.0/24) and VLAN4 (192.168.1.0/24), with a router attached]
Same VLAN: SRC 192.168.1.43 -> DST 192.168.1.42 is switched directly inside VLAN4; the router is not involved
Different VLANs: SRC 192.168.1.43 -> DST 172.16.2.3 must be routed from VLAN4 to VLAN3; without a route (or an ACL permitting it) the traffic is blocked
Same VLAN: SRC 192.168.10.43 -> DST 192.168.10.33 is again switched without crossing the router
VTP
VLAN Trunking Protocol
Propagates the VLAN database from a server switch to every switch in the domain over trunk links
Bird's eye view of nested VLANs
Layer 2 protocol (Cisco proprietary)
QinQ attacks: VLAN hopping by double tagging (and by switch spoofing of a trunk); disable DTP on access ports and use an unused native VLAN on trunks
Layer 3
Router
Change Control
Save each configuration change and document all modifications
ACL
Access Control List
Rule based access control configured on an interface to restrict
access to resources
Anti-spoofing filter
Last line is the implicit deny statement
Firewall Rules
Firewall Rules
Allow a computer to send traffic to, or receive traffic from,
programs, system services, computers, or users
Inbound traffic (ingress)
Outbound traffic (egress)
[Diagram: clients on the LAN behind a router/firewall (RTR) reaching the Internet; the example packet has Source IP 192.168.1.1 and Dest IP 9.8.7.6]
A rule matches on the packet header fields:
Destination IP
Source IP
Destination port
Source port
Flag (TCP only)
Rules are evaluated top to bottom and the first match wins; a packet that matches no rule falls to the implicit deny at the end of the list
SPI Firewall
Stateful Packet Inspection Firewall
Tracks each TCP connection in a state table
May examine the header information and/or the contents of the
packet
Filtering is based on rules and on context that has been
established by prior packets
Works at Layers 3 and 4
SPI Firewall
Stateful Inspection Firewall
[Diagram: a stateful inspection firewall keeps an Active Sessions Table beside its Access Control List]
A packet that belongs to an existing session (matching source/destination IP, ports and TCP flags in the table) is passed without re-consulting the ACL
A packet that starts a new session must be permitted by the ACL before it is added to the table
Unsolicited inbound packets match neither and are dropped
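The firewall-rule and SPI slides above describe first-match rule evaluation, the implicit deny, and a session table that admits return traffic. The following is an added example, not code from the slides or from any vendor's firewall: a small packet filter in Python whose ruleset, addresses and packets are constructed for illustration.

```python
"""Packet-filter rule evaluation with a first-match ACL and an implicit deny,
plus a minimal stateful packet inspection (SPI) session table.  Added
example; the rules and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP only: "S" = SYN, "SA" = SYN/ACK, "A" = ACK

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def acl_filter(rules, p: Packet) -> str:
    """Stateless ACL: rules are tried top to bottom, first match wins,
    and falling off the end of the list is the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFirewall:
    """SPI: the ACL is consulted only for packets that start a session
    (a TCP SYN, or the first UDP datagram). Later packets of a tracked
    session, including the replies, are matched against the session table
    instead, so no reverse rule for return traffic is needed."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (proto, src, sport, dst, dport) of allowed initiators

    def process(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"                      # belongs to an established session
        starts_session = p.proto == "udp" or p.flags == "S"
        if not starts_session:
            return "deny"                       # stray ACK / SYN-ACK with no session
        verdict = acl_filter(self.rules, p)
        if verdict == "allow":
            self.sessions.add(forward)
        return verdict

# Constructed policy: the LAN may browse the web; everything else is denied
RULES = [
    Rule("allow", "192.168.1.0/24", "0.0.0.0/0", "tcp", 80),
    Rule("allow", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443),
    Rule("deny",  "192.168.1.0/24", "0.0.0.0/0", "any"),   # explicit deny, useful for logging
]

def demo():
    fw = StatefulFirewall(RULES)
    syn    = Packet("192.168.1.10", "9.8.7.6", "tcp", 51000, 443, "S")
    synack = Packet("9.8.7.6", "192.168.1.10", "tcp", 443, 51000, "SA")
    data   = Packet("192.168.1.10", "9.8.7.6", "tcp", 51000, 443, "A")
    probe  = Packet("9.8.7.6", "192.168.1.10", "tcp", 443, 51001, "SA")    # no session
    scan   = Packet("203.0.113.9", "192.168.1.10", "tcp", 40000, 445, "S")  # no rule: implicit deny
    ssh    = Packet("192.168.1.10", "9.8.7.6", "tcp", 51002, 22, "S")       # explicit deny
    return [fw.process(x) for x in (syn, synack, data, probe, scan, ssh)]
```

The SYN/ACK from 9.8.7.6 is admitted only because the client's SYN created a session entry; the identical-looking probe to port 51001 has no entry and is dropped without any rule being written for it.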
SOCKS
Network service/protocol designed to allow clients to
communicate with Internet servers through a firewall (circuit-level proxy, TCP port 1080)
SOCKS itself does not encrypt; it is often carried inside an SSH tunnel (ssh -D) or paired with TLS at the application layer
Proxy Server
Proxy Server
A border device used to protect security zones
Can be configured to:
Improve performance by caching content locally
Use ACLs to filter content for inbound/outbound traffic
NAT
Network Address Translation (NAT)
Translates a private address into a public address
Allows sharing of a single public IP address or a pool of public IP
addresses at the network gateway
SNAT
DNAT
PAT/overloaded NAT
NAT
[Diagram: inside hosts 192.168.10.10, .11 and .12 behind a NAT gateway that owns the public pool 147.51.217.1 - 147.51.217.3]
Original request: 192.168.10.12 -> example.com
Rewritten request: 147.51.217.1 -> example.com (the gateway records 192.168.10.12 <-> 147.51.217.1 in its translation table)
Original response: example.com -> 147.51.217.1
Rewritten response: example.com -> 192.168.10.12 (reverse lookup in the table)
PAT
Port Address Translation (PAT)
Allows many hosts to share a single IP address by multiplexing
streams differentiated by TCP/UDP port numbers
For each new outbound flow the gateway picks an unused (often random) source port on the public address and records inside IP:port <-> public IP:port
Replies are matched by that port, so each flow keeps its own mapping even when two inside hosts use the same source port
Inbound packets with no table entry are dropped
[Diagram: 192.168.10.12 -> example.com is rewritten to 147.51.217.1:58753 -> example.com; the response to 147.51.217.1:58753 is rewritten back to 192.168.10.12]
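To make the PAT table concrete, here is an added example (not code from the slides): a Python gateway that performs the outbound rewrite, the reverse lookup for replies, and the drop of unsolicited inbound traffic. The inside network and public address follow the diagram; the server address 203.0.113.10 and all ports are constructed.

```python
"""Port Address Translation (overloaded NAT) with both directions of the
translation table.  Added example with constructed addresses: inside hosts
on 192.168.10.0/24 share the public address 147.51.217.1 as in the slide."""
import random
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class PatGateway:
    def __init__(self, public_ip, inside_cidr, rng=None):
        self.public_ip = public_ip
        self.inside = ip_network(inside_cidr)
        self.rng = rng or random.Random()
        self.out_table = {}   # (proto, inside_ip, inside_port) -> public_port
        self.in_table = {}    # (proto, public_port) -> (inside_ip, inside_port)

    def _pick_port(self, proto):
        """Ephemeral public port; retry on collision so two flows never share a mapping."""
        while True:
            port = self.rng.randint(49152, 65535)
            if (proto, port) not in self.in_table:
                return port

    def outbound(self, p):
        if ip_address(p.src_ip) not in self.inside:
            return None                                   # not an inside host: not translated
        key = (p.proto, p.src_ip, p.src_port)
        if key not in self.out_table:                     # first packet of a flow creates the entry
            port = self._pick_port(p.proto)
            self.out_table[key] = port
            self.in_table[(p.proto, port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, p):
        """Reverse translation for a reply. Unsolicited inbound traffic has no
        entry and is dropped, which is the incidental firewalling effect of PAT."""
        entry = self.in_table.get((p.proto, p.dst_port))
        if entry is None or p.dst_ip != self.public_ip:
            return None
        inside_ip, inside_port = entry
        return replace(p, dst_ip=inside_ip, dst_port=inside_port)

def demo():
    gw = PatGateway("147.51.217.1", "192.168.10.0/24", random.Random(7))
    server = "203.0.113.10"    # stands in for example.com (documentation address)
    out = gw.outbound(Pkt("192.168.10.12", 40000, server, 80))
    back = gw.inbound(Pkt(server, 80, out.src_ip, out.src_port))
    stray = gw.inbound(Pkt("198.51.100.5", 4444, "147.51.217.1", 22))
    return out, back, stray
```

Note that the mapping is keyed on the inside IP and port together: two hosts both using source port 5000 receive different public ports, which is what lets the reply find its way back to the right one.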
VPN Concentrator
Device that handles inbound VPN tunnels
All-in-One Appliance
Device that combines numerous security functions into one
Example: Cisco Adaptive Security Appliances (ASA) 5500s
ASA combines the
PIX firewall (Routing, ACL, NAT)
4200 Series IPS (IPS functions)
3000 Series VPN concentrator (VPN management)
Flood Guards
A firewall or switch feature that rate-limits or drops flood traffic to thwart DoS/DDoS attacks (e.g. SYN cookies, per-source connection limits)
Fraggle
Smurf
SYN Flood
Authentication DoS attacks (account lockouts triggered by floods of bad logons)
Load Balancers
Distributes workload across multiple computers or network
links
Can be used to implement failover
In the event of server or application failure, load balancers
facilitate automatic failover to ensure continuous availability
Can be hardware or software-based
Examples: Barracuda, Cisco, Foundry, F5
Server Clustering
Group of independent servers that work together to
increase the availability of applications and services
Failover cluster
Minimizes disruptions
Mitigates Single Point of Failure
Network Monitoring
Promiscuous Mode
Packet capture and analysis
Protocol Analyzers
NIDS / NIPS
HIDS / HIPS
Protocol Analyzer
Hardware or software utility for capturing and analyzing
network traffic
IDS
Intrusion Detection Systems (IDS)
Monitoring system which collects and analyzes traffic
Used to Detect:
Attacks coming from outside the network
Attacks and misuse from within the network
IDS Types:
Network Based
Host Based
Anomaly (Heuristics)
Baseline
Must learn what activities are normal and acceptable
NIDS
Network-based IDS
Monitors network traffic in real time
Analyzes protocols and other relevant packet information
Particularly suited for detecting port scanning and DDoS attacks
Sensors are deployed and usually report back to a system running a
management console
Can send alerts or terminate connections (TCP reset)
Systems with the sensor application installed are usually dual homed: one interface in promiscuous mode with no IP address for sniffing, one for management
NIDS Placement
[Diagram: candidate sensor points are the Internet link outside the firewall, the DMZ segment, the internal segment behind the router and switch (workstations, wireless AP, modem) and the server segment; a sensor outside the firewall sees every attempt, one inside sees only what the firewall passed]
Mirroring Port
Allows network monitoring across a switch
Frames are duplicated and delivered to the mirroring port of the
switch (SPAN on Cisco)
Ideal connection for a protocol analyzer or NIDS
Needs to be configured
Affects performance of the switch; under load mirrored frames can be dropped, and the mirror port is receive-only so it cannot block traffic
HIDS
Host-based IDS
Installed on an individual hosts
Detects attacks against the host and the level of their success
Relies on the auditing and logging capabilities of the operating system
Passive IDS
Looks for security breaches, but effectively takes no action
Logs suspicious activity
Generates alerts if the attack is deemed to be severe
Active IDS
Can be configured to take specific actions
Can automate responses including dynamic policy
adjustment and reconfiguration of supporting network
devices
Might be too late
IPS
Intrusion Prevention System
Monitors network traffic for malicious activity and can block,
reject, or redirect traffic in real time
Installed in-line (an overloaded or failed IPS interrupts traffic, so fail-open versus fail-closed must be decided)
Dual-homed
Encrypted traffic is not inspected unless TLS is terminated or decrypted before the IPS
IDS Evaluations
False Positives
IDS reports legitimate activity as an intrusion
Poorly tuned
bad/outdated baseline
False Negatives
IDS fails to detect malicious network activity
Clipping Levels
The set security threshold before a security service reacts
Examples:
IDS Tuning
Failed logon attempts to the admin account will not be reported, unless it
occurs three times in a row over a short period of time
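The clipping-level example above (three failed admin logons in a short period) and the false positive / false negative definitions can be exercised on a log. The following is an added example, not code from the slides: a sliding-window detector over constructed sshd-style lines, scored at several clipping levels so the tuning trade-off is visible.

```python
"""Clipping level in practice: failed logons are reported only once they
exceed a threshold inside a time window, and the same labelled sample is
scored at several thresholds to show the false-positive / false-negative
trade-off of IDS tuning.  Added example; every log line is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG = """\
2024-01-10T09:00:01 auth sshd: Failed password for admin from 10.0.0.5
2024-01-10T09:00:03 auth sshd: Accepted password for admin from 10.0.0.5
2024-01-10T09:05:00 auth sshd: Failed password for admin from 10.0.0.5
2024-01-10T09:12:00 auth sshd: Failed password for admin from 10.0.0.5
2024-01-10T10:00:00 auth sshd: Failed password for admin from 198.51.100.7
2024-01-10T10:00:02 auth sshd: Failed password for admin from 198.51.100.7
2024-01-10T10:00:04 auth sshd: Failed password for admin from 198.51.100.7
2024-01-10T10:00:06 auth sshd: Failed password for admin from 198.51.100.7
2024-01-10T11:00:00 auth sshd: Failed password for bob from 10.0.0.9
2024-01-10T11:00:20 auth sshd: Failed password for bob from 10.0.0.9
2024-01-10T11:00:40 auth sshd: Accepted password for bob from 10.0.0.9
"""
ATTACK_SOURCES = {"198.51.100.7"}   # ground truth: only this burst is a real attack

LINE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src

def detect(log, clip_level=3, window_s=60):
    """Alert on (user, source) once `clip_level` failures fall inside a
    `window_s`-second sliding window; below the clipping level nothing is
    reported, so an admin's occasional typo does not page anyone."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, outcome, user, src in parse(log):
        if outcome != "Failed":
            continue
        window = recent[(user, src)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= clip_level:
            alerts.add((user, src))
    return alerts

def score(alerts):
    """False positive: alerted source that is not an attacker.
    False negative: attacker that produced no alert."""
    alerted = {src for _, src in alerts}
    return {"alerts": sorted(alerted),
            "false_positives": sorted(alerted - ATTACK_SOURCES),
            "false_negatives": sorted(ATTACK_SOURCES - alerted)}

def tune(log, levels=(2, 3, 5)):
    """Sweep clipping levels: too low raises false positives, too high causes misses."""
    return {lvl: score(detect(log, lvl)) for lvl in levels}
```

At a clipping level of 2 the user bob's two mistypes trip the alarm (a false positive); at 5 the four-attempt burst from 198.51.100.7 goes unreported (a false negative); 3 catches the burst and nothing else on this sample.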
Virtualization Technology
Multiple computers on one physical platform
Virtualized environments are used to help secure networks
Controlled by Hypervisor
Sandbox security model
VM Escape attacks
Hypervisors
Type 1 Hypervisor (native or bare-metal)
Runs directly on the host's hardware to control the hardware and
to monitor guest operating systems
Examples: Hyper-V, ESXi
Type 2 (hosted)
Runs within a conventional operating-system environment as a
separate application
Examples: Virtual PC, VMware Player
Virtualization Benefits
Computing elasticity
Dynamic, on-demand allocation of systems
Compartmentalization
Partitioning in support of damage control
Containment
Natural isolation of potential compromises
Snapshots
VM rollback capability
Reduction of costs
Virtualization Vulnerabilities
Single point of failure
Physical host fails, they all fail
VM files are all in one spot
Insider Access
VM Escape exploits
Exploitable communication channels
Packet sniffing
Spyware
Cloud Computing
Computing is "in the cloud" (internet)
Software, data access, and storage services that do not require
user knowledge of the location and configuration of the system
delivering services
Three layers
Software as a Service (application)
Platform as a Service (platform)
Infrastructure as a Service (infrastructure)
Public Cloud
The cloud infrastructure is provisioned for open use by the
general public (Pay-as-you-go Model)
Community Cloud
The cloud infrastructure shared by several organizations which
supports a specific community
Cloud Security Concerns
Inadequate encryption of data in transit and at rest; mitigate with:
VPN Tunnel (data in transit)
Whole disk encryption (data at rest)
File-level encryption (data at rest, per object)
Domain Objectives
A Security+ candidate is expected to:
Implement security configuration parameters on network devices
and other technologies
Apply and implement secure network administration principles
Explain network design elements and components
Implement common protocols and services
Implement wireless networks in a secure manner
Explain types of wireless attacks
Questions?
Review Question 1
Configuring the mode, encryption methods, and security
associations are part of which of the following?
IPsec
Whole disk encryption
IEEE 802.1X
PKI
Review Question 2
A server is configured to interface with both VLAN1 and
VLAN16. VLAN1 communication works fine, however
VLAN16 communication fails. Which of the following MUST
be implemented?
The server's network switch port must be enabled for 802.11X on
VLAN16
The server's network switch port must use VLAN Q-in-Q for
VLAN16
The server's network switch port must be 802.1q untagged for
VLAN16
The server's network switch port must be 802.1q tagged for
VLAN16
Review Question 3
Which of the following protocols allows for secure transfer
of files? (Select TWO).
ICMP
SNMP
SFTP
SCP
TFTP
Review Question 4
Which of the following is a step in deploying a WPA2-Enterprise wireless network?
Review Question 5
Which of the following BEST describes a common security
concern for cloud computing?
Data can be accessed by third parties who have compromised the
cloud platform
Antivirus signatures are not compatible with virtualized
environments
Network connections tend to experience latency issues
CPU and memory resources could be consumed by other servers
in the same cloud
Review Question 6
A security administrator is segregating all web-facing server
traffic from the internal network and restricting it to a
single interface on a firewall. Which of the following BEST
describes this new network?
VLAN
DMZ
VPN
Subnet
Extranet
Review Question 7
Which of the following must Jane, a security administrator,
implement to ensure all wired ports are authenticated
before a user is allowed onto the network?
Review Question 8
Pete, the security administrator, wants to ensure that traffic
to the corporate intranet is secure using HTTPS. He
configures the firewall to deny traffic to port 80. Now users
cannot connect to the intranet even through HTTPS. Which
of the following is MOST likely causing the issue?
The web server is configured on the firewall's DMZ interface.
The VLAN is improperly configured.
The firewall's MAC address has not been entered into the
network ACL.
The firewall executes an implicit deny.
Review Question 9
Which of the following should a security administrator
implement to prevent users from disrupting network
connectivity if a user connects both ends of a network
cable to different switch ports?
VLAN separation
Access control
Loop protection
Split horizon
Review Question 10
A small company needs to invest in a new expensive
database. The company's budget does not include the
purchase of additional servers or personnel. Which of the
following solutions would allow the small company to save
money on hiring additional personnel and minimize the
footprint in their current datacenter?
Domain 3
Access Control and Identity
Management
Domain Objectives
A Security+ candidate is expected to:
Compare and contrast the function and purpose of authentication
services
Given a scenario, select the appropriate authentication,
authorization, or access control
Install and configure security controls when performing account
management, based on best practices
Identification
Claim of who we are
User identification guidelines
Uniqueness
Non-descriptive
Issuance secure
Authentication
Proving your identity is true
Must maintain a 1:1 relationship between user and the
authentication mechanism
Authentication systems or methods are based on one or more of
these five factors:
Authentication Types          Examples
Something you know (Type 1)   Password or PIN
Something you have (Type 2)   Smart card, token
Something you are (Type 3)    Fingerprint, iris
Something you do              Keystroke authentication
Somewhere you are             Location
Something you know (Type 1)
Most common, cheapest, and easiest to implement
PINs, passwords, passphrases
One-time Passwords (OTP)
Self-service password resets
Strong passwords
Authentication
One-time Password (OTP)
Password is used for only one login instance
Temporary password
Authentication
Self-service password reset system
Users can reset their own password
Implement Identity Proofing
Implement Strong Authentication
Authentication
Password Policy
Authentication
Strong Passwords
Entropy/randomness
Uppercase and lowercase letters, numbers, and special characters
No part of username or e-mail
Length matters most: keyspace = (alphabet size) ^ (number of characters)
Number of Characters   Keyspace
14                     ~ 920
10                     8.4 x 10^17 (62 alphanumeric characters: 62^10)
Authentication
Something you have (Type 2)
ATM card
Smart card
CAC / Fortezza card
Digital Certificates or Tokens
Authentication
Token-based Authentication
Small piece of data that holds a sliver of information about the
user
Used to identify and authenticate the user
May contain the rights and access privileges of the token bearer (access
token)
Similar to certificates
Could be a cookie
Authentication
Token-based Authentication categories
Static Token
Dynamic Token
Synchronous
Asynchronous
Authentication
Static Password Token
Passive Token
Swipe card, USB dongle
Authentication
Synchronous Dynamic Token
Active Token
User enters a password or PIN
Considered a one-time password
Two types:
Time-based
Synced with internal clock
Counter-based
Authentication service will advance to the next value
Authentication
Asynchronous Dynamic Token
Active Token
Considered a one-time password
Considered event tokens
Authentication
Smart Cards
Used for access control and security purposes
Usually contains a small amount of memory that can be used to
store permissions and access information.
Common Access Card (CAC) issued by DoD for ID/authentication
for military, contractors, and non-DoD employees
Personal Identification Verification (PIV) like the CAC for federal
employees and contractors
Authentication
Something you are (Type 3)
Biometrics
Inherent non-repudiation
Issues:
Performance
Difficulty
Reliability
Acceptance
Cost
Revocation
Authentication
Biometric Error Rates
Type I Error: False Reject Rate (FRR)
Type II Error: False Accept Rate (FAR)
Crossover Error Rate (CER)
The point at which the FRR equals the FAR
The smaller the value, the more accurate the system
Biometric Examples
Biometric      Type            Advantage / Disadvantage
Fingerprints   Physiological   Easy to use
Iris           Physiological   Expensive
Retina         Physiological   Intrusive and expensive
Face           Physiological   Easy to use
Hand           Physiological   Accuracy issues
Voice          Behavioral      Easy to use
Signature      Behavioral      Accuracy issues
Authentication
Something you do
Action a person must take to complete the authentication process
Unlock Patterns (Mobile Devices)
Connecting the dots
Keystroke Authentication
Pattern Analysis that examines how you type.
Authentication
Somewhere you are
Geolocation Tracking (GPS)
Notify Credit Card companies when traveling.
Mutual Authentication
Both endpoints authenticate to each other
Mitigates Evil Twin attacks
Ensures the client is authenticating to an authentic server
SSL / TLS (mutual only when the client also presents a certificate)
PEAP / EAP-TLS / EAP-TTLS / EAP-FAST (the client validates the server certificate before sending credentials); LEAP is deprecated, its MS-CHAP exchange is open to offline dictionary attack
Kerberos
IPsec
MS-CHAPv2
Strong Authentication
Uses multiple authentication requirements
Provides layered defense
Usually uses multiple instances of the same authentication factor
Often used in identity proofing
Multifactor Authentication
When two or more authentication methods are part of the
authentication process
A system that requires a smart card and a password/pin is
referred to as a two-factor authentication system
A multifactor system can consist of
two-factor system
three-factor system
Authentication Scenarios
Single factor: password
Strong authentication (still single factor): password + PIN, two instances of something you know
Two-factor / multi-factor: smart card + PIN, something you have plus something you know
Authentication
Certificate-Based Authentication
More secure than password-based authentication
Can significantly reduce logon time for users
A certificate is mapped to a user account in one of two ways:
One-to-one Mapping
Many-to-one Mapping
Authentication Protocols
PAP
Password Authentication Protocol
Sends the username and password to the authentication server in
plain text
SPAP
Shiva Password Authentication Protocol
Proprietary scheme that sends the password reversibly encrypted rather than in the clear; still weaker than a challenge/response protocol
Authentication Protocols
CHAP
Challenge Handshake Authentication Protocol
Challenge / Response 3-way handshake
Minimizes password exposure: the secret never crosses the link, only MD5(ID || secret || challenge)
nonce: a fresh random challenge each time, so a captured response cannot be replayed
Mitigates replay attacks (not man-in-the-middle: an attacker relaying the exchange is not detected)
Intermittent challenges: the authenticator re-challenges during the session to detect a hijacked link
Exchange (Peer <-> Authenticator):
1. Peer requests the link
2. Authenticator -> Peer: Challenge (ID, nonce)
3. Peer -> Authenticator: Response = MD5(ID || secret || nonce), plus the peer's name
4. Authenticator -> Peer: Success or Failure
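The exchange above, implemented on both sides as an added example (not code from the slides or from any PPP implementation): the response formula is the one in RFC 1994; the secret, the user name and the challenge source are constructed.

```python
"""CHAP three-way handshake (RFC 1994) with both the peer and the
authenticator implemented, plus the two checks that make the nonce matter:
a captured response cannot be replayed, and a later re-challenge needs a
fresh answer.  Added example; the secret and names are constructed."""
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    def __init__(self, user_secrets):
        self.user_secrets = user_secrets   # CHAP needs the plaintext secret on the server side
        self.pending = {}                  # identifier -> outstanding challenge
        self.ident = 0

    def challenge(self, rng=os.urandom):
        """Step 2: send a fresh random challenge (the nonce) under a new identifier."""
        self.ident = (self.ident + 1) & 0xFF
        nonce = rng(16)
        self.pending[self.ident] = nonce
        return self.ident, nonce

    def verify(self, identifier, name, value) -> bool:
        """Steps 3-4: recompute the hash; each challenge may be answered once."""
        nonce = self.pending.pop(identifier, None)
        if nonce is None or name not in self.user_secrets:
            return False
        expected = chap_response(identifier, self.user_secrets[name], nonce)
        return hmac.compare_digest(expected, value)

class Peer:
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, nonce):
        """Step 3: the secret itself never crosses the link, only the hash."""
        return identifier, self.name, chap_response(identifier, self.secret, nonce)

def demo():
    auth = Authenticator({"alice": b"correct horse"})
    peer = Peer("alice", b"correct horse")
    ident, nonce = auth.challenge()
    ident, name, value = peer.respond(ident, nonce)
    ok = auth.verify(ident, name, value)            # handshake succeeds
    replay = auth.verify(ident, name, value)        # same response again: rejected
    ident2, nonce2 = auth.challenge()               # intermittent re-challenge
    imposter = auth.verify(*Peer("alice", b"wrong").respond(ident2, nonce2))
    ident3, nonce3 = auth.challenge()
    stale = auth.verify(ident3, name, value)        # old value does not fit the new nonce
    return ok, replay, imposter, stale
```

MD5 is used here because CHAP specifies it; the security of the scheme rests on the secret and the unpredictable nonce, and an eavesdropper who captures challenge/response pairs can still run an offline dictionary attack against weak secrets.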
Authentication Protocols
TOTP
Time-Based One-Time Password (RFC 6238)
Algorithm uses the current time step (for example 30-second intervals) as the moving factor, so the code changes with the clock
HOTP
HMAC-Based One-Time Password (RFC 4226)
Algorithm computes an HMAC over a counter that both token and server advance; the code changes with each use
TOTP is HOTP with the counter replaced by the time step
Authentication Protocols
New Technology LAN Manager (NTLM)
Challenge Response Authentication replacement for the older
LAN Manager (LM) protocol
Protocol used for authentication when Kerberos is not applicable /
available
NTLM version 2
Response computed with HMAC-MD5 over the server challenge (NTLMv1 used DES; the stored NT hash is MD4 of the password)
Available since NT4 Service Pack 4
Still open to relay attacks because the server is not authenticated, so prefer Kerberos where possible
SSO
Single Sign On
Mechanism that allows subjects to authenticate only once
Once authenticated, subjects can use the network/resources without
being challenged again
Purpose is to give users access to all the applications and systems they
need when they log on
Kerberos
Kerberos v5
Created by MIT
Enterprise architecture
Realm
Principals
Centralized authentication server
Key Distribution Center (KDC)
Authentication Service (AS)
Ticket-Granting Server (TGS)
Ticket-Granting Ticket (TGT)
Remote Ticket-Granting Server (RTGS)
Port 88 (UDP by default, TCP for large tickets)
Kerberos Process
1. Client sends a request to the AS (AS-REQ)
2. AS replies with a TGT (encrypted with the TGS key) and a session key (encrypted with the client's key derived from the password) (AS-REP)
3. Client sends the TGT to the TGS along with an authenticator (client name and timestamp) encrypted with the session key (TGS-REQ)
4. TGS replies with a service Ticket encrypted with the secret key of the service, and a service session key encrypted for the client (TGS-REP)
5. Client presents the service Ticket and a fresh authenticator, encrypted with the service session key, to the Resource Server (AP-REQ)
6. Resource Server decrypts the Ticket with its own key, validates the authenticator timestamp and, for mutual authentication, returns the timestamp encrypted with the service session key (AP-REP)
[Diagram: the KDC hosts both the Authentication Server (AS) and the Ticket Granting Server (TGS); the Resource Server holds the data]
Kerberos Benefits
Provides centralized SSO
Mutual authentication
Confidentiality of authentication credentials
Symmetric Key Cryptography
Anti-replay services
Encrypted timestamps (authenticators)
HMAC
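The six-step process and the benefits listed above (mutual authentication, encrypted timestamp authenticators, anti-replay) can be traced end to end in a toy realm. This is an added example, not code from the slides or from any Kerberos implementation: the "encryption" is a stand-in built from SHA-256 and HMAC rather than a real Kerberos enctype, the string-to-key function is a bare hash, and every principal, key and lifetime is constructed.

```python
"""Toy Kerberos v5 exchange (AS-REQ/REP, TGS-REQ/REP, AP-REQ/REP) with
symmetric keys only: TGT, service ticket, timestamped authenticator,
replay cache and mutual authentication.  Added example; seal()/unseal()
are a hash-based stand-in for a Kerberos enctype, and all keys are constructed."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption: keystream XOR plaintext, HMAC tag over nonce+ciphertext."""
    nonce = os.urandom(12)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key

class KDC:
    """Holds the AS and TGS roles; knows every principal's long-term key."""
    def __init__(self, keys):
        self.keys = keys
        self.tgs_key = keys["krbtgt"]

    def as_exchange(self, client):                        # steps 1-2
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": sk, "exp": time.time() + 600})
        return seal(self.keys[client], {"key": sk}), tgt  # only the right password opens the reply

    def tgs_exchange(self, tgt, authenticator, service):  # steps 3-4
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["exp"]:
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk, "exp": time.time() + 600})
        return seal(bytes.fromhex(t["key"]), {"key": ssk}), ticket

class Service:
    def __init__(self, name, key, skew=300):
        self.name, self.key, self.skew, self.seen = name, key, skew, set()

    def ap_exchange(self, ticket, authenticator):         # steps 5-6
        tk = unseal(self.key, ticket)                     # the service never contacts the KDC
        a = unseal(bytes.fromhex(tk["key"]), authenticator)
        if abs(time.time() - a["ts"]) > self.skew or time.time() > tk["exp"]:
            raise PermissionError("clock skew or expired ticket")
        if (a["client"], a["ts"]) in self.seen:           # replay cache
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return seal(bytes.fromhex(tk["key"]), {"ts": a["ts"]})   # AP-REP: mutual authentication

def client_login(kdc, service, user, password):
    rep, tgt = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(string_to_key(password), rep)["key"])   # wrong password fails here
    rep2, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": time.time()}), service.name)
    ssk = bytes.fromhex(unseal(sk, rep2)["key"])
    ap_req = seal(ssk, {"client": user, "ts": time.time()})
    ap_rep = unseal(ssk, service.ap_exchange(ticket, ap_req))         # client checks the server's answer
    return ticket, ap_req, ap_rep

def make_realm():
    """Constructed realm: one user, one file service and the KDC's own krbtgt key."""
    keys = {"krbtgt": os.urandom(32), "alice": string_to_key("correct horse"),
            "fileserver": os.urandom(32)}
    return KDC(keys), Service("fileserver", keys["fileserver"])
```

Two of the listed vulnerabilities show up directly: the KDC holds every key (single point of failure and of compromise), and a captured ticket plus authenticator is useless only because the service keeps the replay cache and checks the timestamp, which is why Kerberos depends on synchronized clocks.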
Kerberos Vulnerabilities
KDC is a single point of failure
Tickets are cached
Malware
Spyware
Directory Services
Allows centralized security management
Provides a logical means of organizing resources (users, printers,
etc.)
Uses ACLs to control access to resources
LDAP
Lightweight Directory Access Protocol
Standardized directory access protocol that allows queries to be
made of directories
A lightweight profile of the X.500 Directory Access Protocol
Uses a hierarchical design with a root object at the top followed
by Organization and OU containers for logical organization
Port 389 (LDAP, and LDAP upgraded with StartTLS)
Port 636 LDAP over TLS/SSL (LDAPS)
LDAP
LDAP Authentication
Anonymous bind
No credentials at all; an unauthenticated bind (DN supplied with an empty password) is also treated as anonymous and should be disabled on the server
Simple Authentication
Username (DN) and password in the clear
Uses port 389 by default; port 636 over SSL
LDAP
LDAP Vulnerabilities
Man-in-the-middle
Compromise of username/password
Deploy authentication over TLS (LDAPS or StartTLS) or SASL
Employ strong passwords and educate users
Active Directory
Microsoft enterprise architecture
Based on LDAP
Uses Kerberos for enterprise authentication
Tree structure to allow sharing and control
Naming Conventions
LDAP DN/RDN Naming          Active Directory
cn = common name            supported
ou = organizational unit    supported
dc = domain component       supported
o = organization            not supported
c = country                 not supported
Tree Structure
The DN reads from the leaf object up to the root; the canonical name reads from the root (DNS domain) down to the leaf
LDAP DN Name:
cn=William Gates, ou=NCOIC, ou=staff, dc=335sig, dc=army, dc=mil
Canonical Name:
335sig.army.mil/staff/NCOIC/William Gates
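The conversion between the two forms is mechanical, and doing it in code also catches attributes that Active Directory does not support. This is an added example, not code from the slides or from Microsoft; the DN is the one on the slide, and the assumption that the last path element is a cn (a user or computer, not a container OU) is mine.

```python
"""Converting an LDAP distinguished name to Active Directory canonical form
and back.  Added example: the DN is the slide's; the assumption that the
last path element is a cn (leaf object, not a container OU) is mine."""
import re

AD_ATTRS = ("cn", "ou", "dc")   # Active Directory supports these; o= and c= are not supported

def _esc(value: str) -> str:
    return value.replace(",", "\\,")

def parse_dn(dn: str):
    """Split 'cn=x, ou=y, dc=z' into [(attr, value), ...], most specific first.
    A comma escaped as '\\,' stays inside the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns

def dn_to_canonical(dn: str) -> str:
    """DN reads leaf-first; canonical form reads root-first as domain/container/.../leaf."""
    rdns = parse_dn(dn)
    for attr, _ in rdns:
        if attr not in AD_ATTRS:
            raise ValueError(f"attribute {attr!r} is not supported by Active Directory")
    domain = ".".join(v for a, v in rdns if a == "dc")      # dc components become the DNS name
    path = [v for a, v in reversed(rdns) if a != "dc"]      # containers from the root down
    return "/".join([domain] + path)

def canonical_to_dn(canonical: str) -> str:
    domain, *path = canonical.split("/")
    rdns = [("cn", path[-1])] + [("ou", p) for p in reversed(path[:-1])]
    rdns += [("dc", label) for label in domain.split(".")]
    return ", ".join(f"{a}={_esc(v)}" for a, v in rdns)

SLIDE_DN = "cn=William Gates, ou=NCOIC, ou=staff, dc=335sig, dc=army, dc=mil"
```

The escaping matters in practice: a common name such as "Gates, William" contains a comma, and an RDN splitter that ignores the backslash escape will silently produce a wrong DN and a failed bind.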
Federations
A collection of autonomous computer networks that agree
on a common set of operating standards
Federated Identity Management
Means of linking a users identity with their privileges in a manner
that can be used across business boundaries
Centralized
SAML
Security Assertion Markup Language
A scalable, open standard based on XML
Provides:
Identification
Authentication (SSO)
Authorization
Roles:
Principal
Identity Provider
Service Provider
Remote Access
Getting access to internal network resources from outside
the network
Create a Remote Access Policy
AAA Remote Authentication
Remote Access Servers
RADIUS
TACACS+
Diameter
Remote Access
Remote Access Policies
Outlines and defines acceptable methods for users remotely
connecting to the internal network
Should cover:
All available methods for remote access
When they can be accessed
By whom
Remote Access
Remote Authentication
Communication with a remote host through a dial-up connection
or VPN tunnel
Clients connect to a Remote Access Server (RAS) to gain access to
remote resources or a remote network
Can support modems, broadband, and VPN connections
Remote Access
Remote Access Servers (RAS)
Hardware/software that enables remote access to a network of IT
devices
Authentication protection
Callback / Caller ID
RADIUS
Remote Authentication Dial-In User Service
Centralized system for authentication, authorization, and
accounting (AAA)
Supports PAP, CHAP, and EAP
Only password is encrypted
Authentication and Authorization combined
Uses UDP port 1812 for Authentication
Uses UDP port 1813 for Accounting
RADIUS
Acts as the authentication server behind IEEE 802.1X
Supplicant: the client requesting access
RADIUS Client (the 802.1X authenticator)
Typically a network backbone access device
Dial-up Server, VPN Concentrator, switch, or WAP
RADIUS Server
Stores all user authentication and network service access information
Ability to implement auditing and accounting
Client and server share a secret; only the User-Password attribute is obscured with it and the rest travels in the clear, so carry RADIUS over a protected network path
TACACS+
Terminal Access Controller Access Control System
Replaced XTACACS
AAA performed separately
Allows use of multi-factor authentication
Allows a RAS to forward user credentials to an authentication
server
Encrypts entire body of authentication packet
Uses TCP port 49
DIAMETER
Replacement for RADIUS
Better performance and reliability: runs over TCP or SCTP instead of UDP
Security provided by TLS or IPsec
32-bit AVP (Attribute Value Pair) codes instead of RADIUS's 8-bit attribute types, so billions of attributes can be defined to support mobile remote users
Better for roaming support
Handles various LAN/WAN protocols
MAC
Mandatory Access Control
Nondiscretionary method for information access
Reference Monitor: access to objects based on clearance and need to
know
Objects are assigned security labels
Subjects are assigned clearance levels
DAC
Discretionary Access Control
Creator / owner decides access
Network users have some flexibility regarding how information is accessed
Allows users to share information dynamically with other users
RBAC
Rule-Based Access Control
Uses preconfigured rules to grant access, regardless of who the subject is
ACLs
Normally found in firewalls and routers
The abbreviation RBAC is used for both rule-based and role-based access control; read it from context
RBAC
Role-Based Access Control
Access granted by job function or by responsibility
Each employee may have one or more roles that allow access to
specific information
Moving from one role to another, access for the previous role will
no longer be available
Review frequently to avoid privilege creep
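The MAC and role-based models above differ in who decides and on what basis; a small reference monitor makes the contrast concrete. This is an added example, not code from the slides or from any operating system: the labels, compartments, roles and users are constructed, and the read/write rules follow the Bell-LaPadula model (no read up, no write down), which the slides do not name.

```python
"""A reference monitor for Mandatory Access Control (clearance plus
need-to-know compartments) alongside a role-based check, so the two models
can be compared on the same requests.  Added example; the labels, roles and
subjects are constructed."""
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()    # need-to-know categories

    def dominates(self, other) -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

def mac_check(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: read needs subject >= object (no read up);
    write needs object >= subject (no write down), so a cleared user cannot
    copy secret data into a less-classified file.  Neither side can override this."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(op)

@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)   # role -> {(resource, op)}
    user_roles: dict = field(default_factory=dict)   # user -> {role}

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Moving to a new role must remove the old one, or privilege creeps."""
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, resource, op) -> bool:
        return any((resource, op) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))

def demo():
    analyst = Label("secret", frozenset({"crypto"}))
    report = Label("secret", frozenset({"crypto"}))
    ts_plan = Label("top secret", frozenset({"crypto"}))
    public = Label("unclassified")
    mac = (mac_check(analyst, report, "read"),    # same label: allowed
           mac_check(analyst, ts_plan, "read"),   # read up: denied
           mac_check(analyst, public, "write"),   # write down: denied
           mac_check(analyst, public, "read"))    # read down: allowed
    rbac = Rbac({"dba": {("payroll-db", "read"), ("payroll-db", "write")},
                 "auditor": {("payroll-db", "read")}})
    rbac.assign("jane", "dba")
    before = rbac.allowed("jane", "payroll-db", "write")
    rbac.revoke("jane", "dba")
    rbac.assign("jane", "auditor")                # job change: old role removed
    after = rbac.allowed("jane", "payroll-db", "write")
    return mac, (before, after)
```

The compartment check is what implements need-to-know: a top secret clearance without the right compartment still cannot read a confidential object that carries it.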
Comparison of Methods
Mandatory Access Control (MAC) is the only nondiscretionary, label-based model; DAC leaves decisions to owners; rule-based and role-based control grant access by rule or by job function
Access Control Best Practices
Logical Access Control Methods
Access Control List (ACL)
Group Policies
Usernames and Passwords
Password Policy
Domain Password Policy
Privilege Management
Least Privilege Management
Privileges
Given to an individual because of where they work or the group they
belong to
Rights
Assigned to an individual based upon their need-to-know
Permissions
Based upon users need-to-know
File Controls (ACEs)
Privilege Management
Access Control Entries
File/Folder Permissions
Microsoft: Full Control, Modify, Read and Execute, Read, and Write
Linux/UNIX: (r) read, (w) write, (x) execute, set separately for owner, group and others
r-x means read and execute are granted and write is not (UNIX mode bits only grant; there is no explicit deny entry, unlike a Windows ACE)
ACL types
Network: which traffic is permitted or denied
Physical: who has access to a room or building
Privilege Management
Privilege Escalation
The act of exploiting a bug or design flaw in a software application
to gain access beyond what was granted
Vertical Privilege Escalation
Lower privilege user accesses functions or content reserved for higher
privilege users
Horizontal Privilege Escalation
User accesses functions or data belonging to another user at the same privilege level
Privilege Management
Separation of Duties
Security Roles
Partitioning functionality and responsibility
Organizational Units (OU)
Security Groups
Multiple accounts
Generic Account Prohibition
Any account that is shared
Privilege Management
Privilege Creep
An individual slowly gains more access than they normally need
Caused by activities such as:
Temporary access that is never removed
Accidental access
Transferring between departments without revoking the old rights
Maintenance hooks left in software
Mitigation: establish new access rights from scratch on transfer and revalidate accounts periodically
Domain Objectives
A Security+ candidate is expected to:
Explain the function and purpose of authentication services
Explain the fundamental concepts and best practices related to
authentication, authorization and access control
Implement appropriate security controls when performing
account management
Questions?
Review Question 1
Which of the following is a valid server-role in a Kerberos
authentication system?
Review Question 2
Sara, the IT Manager, would like to ensure that the router
and switches are only available from the network
administrator's workstation. Which of the following would
be the MOST cost effective solution to ensure that only the
network administrator can access these devices?
Review Question 3
Which of the following combinations represents
multifactor authentication?
Review Question 4
Which of the following should Sara, a security
administrator, perform periodically to reduce an
organization's risk exposure by verifying employee access?
Incident management
Account revalidation
Qualitative analysis
Quantitative analysis
Review Question 5
An Organization has introduced token-based authentication
to system administrators due to risk of password
compromise. The tokens have a set of numbers that
automatically change every 30 seconds. Which of the
following type of authentication mechanism is this?
Smart Card
TOTP
CHAP
HOTP
Review Question 6
Which of the following concepts BEST supports the
identification of fraud?
Risk avoidance
Job rotation
ALE calculation
Clean desk policy
Review Question 7
Which of the following authentication services uses a ticket
granting system to provide access?
RADIUS
LDAP
TACACS+
Kerberos
Review Question 8
Jane, the security administrator for a company, needs to
assign permissions for users on her network. Which
concept would Jane follow to give ONLY the appropriate
permissions necessary?
Separation of duties
Job rotation
Privilege escalation
Least privilege
Review Question 9
Which of the following is based on the X.500 ITU standard
and can provide protected authentication through TLS or
Simple Authentication without any protections?
LDAP
SAML
RADIUS
TACACS+
Review Question 10
Which of the following authentication services uses AAA
architecture over TCP port 49?
LDAP
Kerberos
RADIUS
TACACS+
Domain 4
Threats and Vulnerabilities
Domain Objectives
A Security+ candidate is expected to:
Explain types of malware
Summarize various types of attacks
Summarize social engineering attacks and the associated
effectiveness with each attack
Explain types of application attacks
Analyze a scenario and select the appropriate type of mitigation
and deterrent techniques
Domain Objectives
A Security+ candidate is expected to:
Given a scenario, use appropriate tools and techniques to
discover security threats and vulnerabilities
Explain the proper use of penetration testing versus vulnerability
scanning
Malware
Malicious Code
Virus
Spam
Worm
Adware
Trojan Horse
Ransomware
Logic Bomb
Spyware
Rootkits
Zombies
Polymorphic Malware
Botnets
Malware
Virus
Attaches itself to a host program or file and replicates when the host runs
Goals:
Renders your system inoperable
Spreads to other systems
Symptoms:
Performance degradation
Unusual files appear or disappear
Program sizes change from the installed versions
Virus Types
Armored
Makes itself difficult to detect or analyze
Contains protective code that stops debuggers or disassemblers
from examining the code
Retrovirus
Designed to avoid discovery by actively attacking the anti-virus
programs attempting to detect it
Virus Types
Stealth
Hides itself by intercepting disk access requests
When an anti-virus program tries to read files or boot sectors to
find the virus, the stealth virus feeds the anti-virus program a
clean image of file or boot sector
Virus Types
Boot Sector
Spreads by infecting boot sectors
Virus Types
Macro Virus
Malware that is encoded as a macro embedded in a document
Multipartite
Propagates by using both the boot sector and file infector
methods (i.e. DOS executables)
Every part needs to be removed, to prevent re-infection
Virus Types
Companion
Runs instead of the legitimate program
Creates a program with the same name but a different file extension (.COM vs .EXE); DOS runs the .COM first when the user types the name
File may reside in your system's temporary directory
Virus Types
Polymorphic
Mutates its appearance on each infection (encrypts its body under a changing key and varies the decryptor, or pads its code) to avoid detection
Makes signature pattern recognition hard
Metamorphic
Recompiles itself into a new form (directly, no encryption), so the
code is constantly changing
Much harder to discover, but rare
Malware
Worms
Self contained
Computer program that propagates on its own
Does not need a host application to be transported
Logic Bomb
Malware inserted into a system which sets off an action when
specific conditions are met (a date, a file change, a user account being removed)
Example: the Michelangelo (6 March) and Chernobyl/CIH (26 April) viruses carried date-triggered payloads
Malware
Trojan Horse
Social Engineering
A program that is disguised as a benign program
Tricks the user into installing it
Malware
Backdoors
Allows access to a system without having to authenticate
Maintenance or Programming Hooks
Can be spread via malware, such as a Trojan Horse
Remote Access Trojan (RAT)
Malware
Rootkits
Malware that has the ability to embed itself deep within the
operating system
Hides from spyware blockers, the anti-virus program, and system utilities
Malware
Adware
Frequently refers to any software which displays advertisements
Some are spyware or malware
Spyware
Malware that works on collecting information about the system
and what it is used for.
Malware
Ransomware
Software that encrypts key files and folders and demands
payment to a third party.
(The attacker promises a decryption key in exchange for the ransom; there is no guarantee it arrives or works, so tested offline backups are the real control.)
Network Attacks
DoS attacks
DDoS attacks
Man-in-the-Middle attacks
Redirection attacks
Spoofing attacks
Network Attacks
Denial of Service (DoS)
System/service is unavailable for use
Authorized users lack access
Affects Availability of CIA triad
Network Attacks
Distributed Denial of Service (DDoS)
Multiple attackers prevents access to resources for authorized
users
Common Distributed Denial of Service techniques:
Amplification
Smurf attack
Fraggle attack
Massive armies
Botnet attack
SYN Flood attack
Network Attacks
Smurf attack
DDoS attack
Amplification attack
Attacker uses the router to broadcast the attack
Impersonation attack
Attack sets the source address to the victims IP address
ICMP
Network Attacks
Fraggle attack
DDoS attack
Amplification attack
Attacker uses the router to broadcast the attack
Impersonation attack
Attacker sets the source address to the victim's IP address
UDP
Network Attacks
Smurf / Fraggle attack
Diagram: attacker, Internet, victim
Network Attacks
TCP SYN Flood or TCP ACK Attack
Attacker(s) send(s) a succession of SYN requests to a target
Victim is left with half-open connections
Network Attacks
Botnet Attack
Zombie
Compromised systems
Bot
Bots are programs that run automated tasks
Obeys a master or author of the code
Botnet
A network of compromised systems containing malware which acts as a
robot
Bot network
Command and control architecture
Handlers
Spammer Botnet
Network Attacks
Redirection attacks
Man-in-the-Middle attacks
Evil Twin attack
Network Attacks
Man-in-the-Middle attack
Occurs when someone/thing intercepts data and retransmits to
another entity
Network Attacks
ARP Poisoning
Victim's ARP table is tricked into recording the attacker's MAC
address for the legitimate system
Man-in-the-Middle attack
C:\> arp -a
Interface: 172.20.200.220
  Internet Address      Physical Address
  172.20.200.201        aa-13-77-77-78-20
  172.20.200.1          00-24-e8-14-14-8e
  172.20.200.199        00-13-3b-0f-d9-49
  172.20.200.41         c8-4c-75-59-ba-8d
Diagram: SQL-SRV-10 at 172.20.200.201 (MAC AA:13:77:77:78:20); Admin-laptop at 172.20.200.220 (MAC FF:12:34:56:78:90); a third, unlabeled host with MAC 00:50:53:00:00:42
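The slide shows an ARP table as the place where poisoning becomes visible. The following is an added example (Python), not part of the course slides, showing how a defender can parse a Windows `arp -a` listing and flag the two classic symptoms: one MAC answering for several IP addresses, and a known host whose MAC differs from a recorded baseline. The listing, the baseline and the MAC `de-ad-be-ef-00-01` are constructed for the example.

```python
"""Spot signs of ARP poisoning in a Windows 'arp -a' listing.

Added example, not from the course slides. The snapshot below is
constructed; de-ad-be-ef-00-01 is a placeholder for an unknown host.
"""
import re
from collections import defaultdict

# Constructed baseline: IP -> MAC pairs recorded while the segment was known-good.
BASELINE = {
    "172.20.200.201": "aa-13-77-77-78-20",  # SQL-SRV-10
    "172.20.200.1": "00-24-e8-14-14-8e",    # default gateway
}

# Constructed later snapshot: .201 now resolves to a different MAC, and that
# same MAC also claims the gateway address.
ARP_SNAPSHOT = """\
Interface: 172.20.200.220 --- 0xb
  Internet Address      Physical Address      Type
  172.20.200.1          de-ad-be-ef-00-01     dynamic
  172.20.200.41         c8-4c-75-59-ba-8d     dynamic
  172.20.200.199        00-13-3b-0f-d9-49     dynamic
  172.20.200.201        de-ad-be-ef-00-01     dynamic
  172.20.200.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    table = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, interface line, blank line
        ip, mac, kind = match.group(1), match.group(2).lower(), match.group(3).lower()
        if kind == "dynamic":
            table[ip] = mac
    return table


def find_shared_macs(table):
    """A single MAC answering for several IPs is the classic poisoning symptom."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_changes(table, baseline):
    """IPs whose MAC no longer matches the recorded baseline: {ip: (old, new)}."""
    return {
        ip: (baseline[ip], table[ip])
        for ip in baseline
        if ip in table and table[ip] != baseline[ip]
    }


def arp_alerts(arp_text, baseline):
    """Combine both checks into human-readable alert lines."""
    table = parse_arp_table(arp_text)
    alerts = []
    for mac, ips in find_shared_macs(table).items():
        alerts.append(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    for ip, (old, new) in find_baseline_changes(table, baseline).items():
        alerts.append(f"{ip} moved from {old} to {new}")
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(ARP_SNAPSHOT, BASELINE):
        print(line)
```

On a real host you would feed `arp_alerts` the output of `arp -a` captured on a schedule and keep the baseline for critical addresses (gateway, domain controllers, database servers) under change control.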
Network Attacks
Replay attack
Information (credentials) captured over a network and replayed
later
Network Attacks
Session Hijacking
Takes control of an active TCP session by using sequence number
guessing
Diagram: hosts 192.168.0.1 and 192.168.0.100, the attacker and the victim, annotated with TCP sequence numbers
Network Attacks
Spoofing
Impersonating someone/something else by falsifying data
Comes in many forms
IP spoofing
MAC spoofing
Web spoofing
Network Attacks
Typosquatting/URL Hijacking
Registering domains that are similar to those for a known entity
but based on a misspelling or typographical error.
Example: Yahooo.com or Gooogle.com
Network Attacks
Watering Hole Attack
Attacker uses a strategy to identify a site that is visited by those
they are targeting, poisoning that site, and then waiting for the
results.
Network Attacks
Xmas Scan
Scans conducted with Xmas packets
Packet with every single option set for whatever protocol is in use
By observing how a host responds to the packet, assumptions can
be made regarding the host's operating system
Wireless Attacks
Wireless Vulnerabilities
The most common threat of a wireless network comes from
eavesdropping
Packet Sniffing
Promiscuous Mode
Monitor Mode
Tools:
Kismet, AirCrack, NetStumbler
Wireless Attacks
Rogue Access Point
Unauthorized AP installed on the private network
Unauthorized SSID, unauthorized BSSID (MAC)
Evil Twin
Unauthorized AP masquerading as one of the legitimate APs
Authorized SSID, unauthorized BSSID (MAC)
Man-in-the-Middle attack
Wireless Attacks
War Driving
Driving around looking for Hotspots
Administrators performing a wireless audit
Hackers drive past businesses and residential areas looking for open
wireless access points.
Wireless Vulnerabilities
War Driving equipment
Mobility (car)
Mobile computer (laptop or smart phone)
Wireless NIC
Omnidirectional antenna
GPS receiver (optional)
Wireless sniffer
Kismet
NetStumbler
AirSnort
Flying Squirrel
Wireless Attacks
Interference
Jamming
Wireless Attacks
Mitigations
Perform Site Surveys
Site Survey before deployment
Wireless audits
Detect Rogue Access Points
Bluetooth Attacks
Discovery Mode Attacks
Many devices are left in pairing/discoverable mode and default
PIN/code is not changed
Leaves device open and visible to other devices
Older Bluetooth systems (pre-2007) are equipped with "auto
pairing" and have a PIN that cannot be changed
Bluetooth Attacks
Bluebugging
Taking control of a Bluetooth device for personal gain (phone
calls, etc.)
Bluejacking
Sending of unsolicited messages over Bluetooth
Bluesnarfing
Theft of information from a wireless device through a Bluetooth
connection
Wireless Networking
Near-Field Communication (NFC)
Standard primarily used in mobile devices to facilitate easily
accessed communications between two or more devices
Performs a type of automatic synchronization and associations between
devices by touching them together
Insider Access
Poses significant risk to an organization
Can lead to data disclosure
Loss of resources
Damage to the organization's reputation
Insider Access
Mitigating the Insider Access threat
Enforce Least Privilege Management
Enforce Separation of Duties
Enforce supervisory controls
Two-person rule
M of N control
Social Engineering
Exploits the human psyche by convincing someone to reveal
information or perform an activity
People hacking
Principle techniques
Authority, intimidation
Perception of a group consensus
Scarcity, urgency
Familiarity / likability
Trust
Social Engineering
Spam
Unwanted, unsolicited email
SPIM = SPAM over Instant Messaging
SPIT = SPAM over Internet Telephony
Cost of Spam
Loss of productivity
Can be infected with viruses and worms
Countermeasures
Spam filter
Block HTML formatted emails
Social Engineering
Phishing
Tricking people into divulging PII and/or financial information
Delivered via email
Clicking the hyperlink redirects the victim to a malicious website
Social Engineering
Spear Phishing
Targets a specific group of people or a person
All employees of a company
Whaling
Targets upper management
Vishing
Voice Phishing
Using the telephone to scam people
Social Engineering
Pharming Attack
Redirects the user to a malicious website
Countermeasures
Harden the DNS server
Strong authentication
User awareness
Social Engineering
Hoaxes
False virus warnings that entice victims to cause damage to their
own systems
Countermeasures:
Security awareness training
Dumpster Diving
Looking in the trash for sensitive information
Shoulder Surfing
Looking over the shoulder of someone working on a
laptop/PC
Piggybacking
Entering a secured building/area by following an authorized
employee
Tailgating
Impersonation
Pretending to be someone you are not in an attempt to
gain access to what you can't
Password etiquette
Clean desk policy
Personal devices
Mobile storage
Social engineering
Application Attacks
Buffer Overflow
More information is placed in a buffer (memory stack or heap)
than it can hold, which then overflows into the next buffer
DoS
Privilege escalation
Countermeasures:
Patch Management
Input validation
Code Review
Application Attack
Integer Overflow
Large number being placed into a buffer designed for smaller
numbers
DoS
Data corruption
Example (8-bit value):
  + 1 = 254
  + 1 = 255
  + 1 = 000 (the value wraps around to zero)
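The wrap-around on the slide is easy to reproduce, and so is the reason it matters: a size check that trusts fixed-width arithmetic can be fooled into accepting an oversized total. The following is an added example (Python), not from the course slides; it emulates unsigned 8-bit arithmetic with a mask, and the buffer sizes are constructed.

```python
"""Integer overflow on an unsigned 8-bit value, and checked alternatives.

Added example, not from the course slides. Python integers do not overflow,
so the 8-bit behaviour is emulated by masking with 0xFF.
"""

UINT8_MAX = 0xFF  # largest value an unsigned 8-bit field can hold


def add_uint8_wrapping(a, b):
    """Unchecked 8-bit addition: the carry is lost and 255 + 1 becomes 0."""
    return (a + b) & UINT8_MAX


def add_uint8_checked(a, b):
    """Same addition, but refuse to hand back a wrapped result."""
    total = a + b
    if total > UINT8_MAX:
        raise OverflowError(f"{a} + {b} = {total} does not fit in 8 bits")
    return total


def length_check_wrapping(count, item_size, buffer_len=UINT8_MAX):
    """A size check done in 8-bit arithmetic.

    count * item_size can wrap, so a total that is really too large looks
    small and the check passes (the DoS / data-corruption case on the slide).
    """
    total = (count * item_size) & UINT8_MAX
    return total <= buffer_len


def length_check_checked(count, item_size, buffer_len=UINT8_MAX):
    """Compute the total in unbounded arithmetic before comparing it."""
    total = count * item_size
    if total > UINT8_MAX:
        return False  # would not even fit in the 8-bit length field
    return total <= buffer_len


if __name__ == "__main__":
    print(add_uint8_wrapping(254, 1), add_uint8_wrapping(255, 1))   # 255 0
    print(length_check_wrapping(64, 4), length_check_checked(64, 4))  # True False
```

`length_check_wrapping(64, 4)` accepts 256 bytes for a 255-byte buffer because 256 wraps to 0; the checked version rejects it. In C the same defect appears whenever a `uint8_t` or `uint16_t` length is multiplied before being compared against a buffer size.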
Application Security
Arbitrary Code Execution
Attacker's ability to execute any commands on a target machine
or in a target process.
An arbitrary code execution vulnerability is a flaw that gives an attacker a way
to execute arbitrary code.
Application Security
Cross-Site Scripting (XSS)
Vulnerability where an attacker can add comments/code to web
pages which allows code injection
Code could redirect valid data to the attacker
Safeguards:
Input validation
Set web apps to tie cookies to IP addresses
Application Security
Cross-site Request Forgery (XSRF)
Involves unauthorized commands coming from a trusted user to
the website
Often done without the user's knowledge
Safeguard:
Code review
Two-factor authentication
Proper cookie destruction
Application Security
Transitive Access
A service that invokes another service to satisfy an initial request
An attack involving using a third party to gain access rights
Problem arises from a poor choice of access control mechanism,
one that uses authentication to make access decisions
Application Security
Transitive Access
Application Security
LDAP Injection:
Can occur anywhere that underlying code could use some type of
input for LDAP searches, queries, or any other LDAP function
Implementation of simple precautions during development
Controlling the types and numbers of characters that are accepted by input
boxes
Input validation
Application Security
SQL Injection
Application Security
SQL Injection
Application Security
XML Injection
Attack technique used to manipulate or compromise the logic of
an XML application or service
Injection can cause the insertion of malicious content into the
resulting message/document
Application Security
A parser interprets the input and resolves the second price, overriding the first. The widget now
costs 1.0
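The "second price overrides the first" behaviour on the slide comes from building XML by string concatenation and then reading it with a consumer that keeps one value per tag. The following is an added example (Python), not from the course slides: an order document built unsafely beside one built with the XML library after input validation. The order format, the catalog price and the injected quantity string are constructed.

```python
"""XML injection through string-built markup, beside a version that treats
input as data. Added example, not from the course slides; the order format
and the injected string are constructed."""
import xml.etree.ElementTree as ET

CATALOG_PRICE = "49.99"  # constructed list price for the widget

# Constructed injection: closes the quantity element and appends a second price.
INJECTED_QUANTITY = "1</quantity><price>1.0</price><quantity>1"


def build_order_unsafe(item, quantity):
    """Concatenation turns user input into markup."""
    return (f"<order><item>{item}</item><price>{CATALOG_PRICE}</price>"
            f"<quantity>{quantity}</quantity></order>")


def build_order_safe(item, quantity):
    """Validate the field, then let the XML library escape whatever is left."""
    if not quantity.isdigit() or int(quantity) == 0:
        raise ValueError("quantity must be a positive integer")
    order = ET.Element("order")
    ET.SubElement(order, "item").text = item          # '<' becomes &lt;
    ET.SubElement(order, "price").text = CATALOG_PRICE
    ET.SubElement(order, "quantity").text = quantity
    return ET.tostring(order, encoding="unicode")


def order_fields(xml_text):
    """A typical consumer: one value per tag, so a repeated tag overrides the
    earlier one (the behaviour the slide describes)."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}


if __name__ == "__main__":
    print(order_fields(build_order_unsafe("widget", INJECTED_QUANTITY))["price"])  # 1.0
    print(order_fields(build_order_safe("widget", "2"))["price"])                   # 49.99
```

The validation step is what the slide calls input validation; escaping by the library is the second layer, and it also protects free-text fields such as the item name, where a digits-only check would not apply.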
Application Security
Command Injection Attack
Manipulating a web interface using command lines
netsh exec or net user
Application Security
Cookies
Small text files stored on your hard drive from the web server
Transient cookies: are active only during a browsing session
Persistent cookies: store user identification information over an extended
period
Safeguards:
Delete cookies
Disable cookies
Mobile Code
ActiveX
Microsoft mobile code that runs on the client
Used in I.E., MS Office, MS Visual Studio, etc.
Authenticode
Code signing mechanism, identifying the publisher of signed
software
Ensures code has not been tampered with, before user
downloads software
Mobile Code
ActiveX Vulnerabilities
Controls are saved to the hard drive
Controls are executed within the security context of the current
user account
Once the user accepts an author, that author is always accepted (no re-verification)
Mobile Code
ActiveX Safeguards
Deploy patches to fix vulnerabilities
Browser should be configured NOT to allow ActiveX to run by
default
Internet Explorer Options
Go to Security tab and choose the level of security to control how ActiveX
responds to enabling, disabling, or prompting
Mobile Code
Java Applets
Stand-alone mobile code downloaded from a server to a client,
then run from the browser
Platform independent (due to bytecode)
Sandbox
A virtual machine architecture
Limits the applet's access to system resources
Digitally signed applets can run outside the sandbox
Mobile Code
Java Applet Vulnerabilities
Applets may perform malicious operations
Errors in the Java virtual machine may allow some unsigned
applets to run outside the sandbox
Mobile Code
JavaScript
Scripting language used for web pages
Runs in a client's browser or web server and can be seamlessly
embedded into HTML documents and email
Uses
Opens new windows (controls size and position)
Detects user actions such as keystrokes
Changes images on mouse-over
Mobile Code
JavaScript Vulnerabilities
Runs within the web page security level of permission settings
Can allow remote execution of programs
Interfaces with an OS, so potentially can damage systems or be
used to send information to unauthorized persons
JavaScript Safeguards
Apply JavaScript patches for browsers
Disable JavaScript
Mobile Code
Malicious Add-Ons
Software add-ons are downloaded from a web vendor and are
used to view certain web content/web pages
Toolbars, codecs
Software Review
Code Review
Systematic examination of computer source code
Intended to find and fix mistakes overlooked in the initial
development phase
Can often find and remove common vulnerabilities
Program managers schedule meetings throughout the process
Development personnel walk through the code looking for
design/security flaws
Software Review
Design Reviews
Security Controls
Manually bypassing security controls
Fail Secure
System that is able to resort to a secure state when an error or security
violation is encountered
Fail Safe
A device, in the event of failure, responds in a way that will cause no harm
to other devices or danger to personnel
Security Controls
Manually bypassing security controls
Fail Soft
A system designed to shut down any nonessential components in the
event of a failure, but keep the system and programs running on the
computer.
Fail Closed
When the control fails it denies everything
Consider personnel safety
Examples:
A firewall fails and rejects all packets
A door fails and cannot be unlocked
Logging Procedures
Logging Types
Syslog
Windows Logs
Application/Software Logs
Network Device Logs
Firewalls
Routers
WAP/RADIUS
DNS
Domain Controller
Logging Procedures
Log Storage
Restrict access to all logs
Security Policy
Lenses
Fixed vs. Zoom lenses
Recording
Archive policy
Human monitoring
Chain link
Barbed wire
Concrete walls
Invisible (lasers)
Port Security
MAC Filtering
Restricting access to a network via authorized MAC address
Can be used to strengthen security on a switch or AP
Can be circumvented: MACs can be spoofed
Port Security
Extensible Authentication Protocol (EAP) 802.1X
Authentication framework, not a specific authentication
mechanism
Used over PPP and Wireless LANs
Provides over 40 authentication methods
Diagram: supplicant connects to the switch; if allowed, the supplicant is admitted to the network
Configuration Baselines
Establishes mandatory settings
Minimizes risk
Minimizes mistakes
Domain Objectives
A Security+ candidate is expected to:
Explain types of malware
Summarize various types of attacks
Summarize social engineering attacks and the associated
effectiveness with each attack
Explain types of application attacks
Select the appropriate type of mitigation and deterrent
techniques
Questions?
Review Question 1
When an attack using a publicly unknown vulnerability
compromises a system, it is considered to be which of the
following?
IV attack
Zero day attack
Buffer overflow
Malicious insider threat
Review Question 2
Which of the following is BEST utilized to actively test
security controls on a particular system?
Port scanning
Penetration test
Vulnerability scanning
Grey/Gray box
Review Question 3
Which of the following is Jane, a security administrator,
MOST likely implementing when deleting all the unneeded
files and modules of a newly installed application?
Exception handling
Patch management
System file clean up
Application hardening
Review Question 4
A user downloads a keygen to install pirated software. After
running the keygen, system performance is extremely slow
and numerous antivirus alerts are displayed. Which of the
following BEST describes this type of malware?
Logic bomb
Worm
Trojan
Adware
Review Question 5
Matt, the Chief Information Officer (CIO), wants to protect
laptop users from zero day attacks. Which of the following
would BEST achieve Matt's goal?
Review Question 6
Matt, an administrator, captures malicious DNS traffic on
the network. Which of the following tools would be used to
analyze the nature of this traffic?
Sniffer
Zone transfer
Network tap
Application firewall
Review Question 7
The IT administrator wants to make sure that only certain
devices can connect to the wireless network. Which of the
following can she implement to accomplish this task?
MAC filtering
Increase the power levels of the WAP
Dynamic DHCP
Disable SSID broadcast
Review Question 8
A company is installing a new security measure that would
allow one person at a time to be authenticated to an area
without human interaction. Which of the following does
this describe?
Fencing
Mantrap
A guard
Video surveillance
Review Question 9
Which of the following should Sara, a technician, apply to
prevent guests from plugging in their laptops and accessing
the company network?
Review Question 10
Sara, a student, is interested in learning about distributed
denial of service attacks. Which of the following types of
malware is MOST likely the primary focus of her study?
Botnets
Logic bombs
Spyware
Trojans
Domain 5
Compliance and Operational Security
Domain Objectives
A Security+ candidate is expected to:
Explain the importance of risk related concepts
Summarize the security implications of integrating systems and
data with third parties
Given a scenario, implement appropriate risk mitigation strategies
Given a scenario, implement basic forensic procedures
Summarize common incident response procedures
Domain Objectives
A Security+ candidate is expected to:
Explain the importance of security related awareness and training
Compare and contrast physical security and environmental
controls
Summarize risk management best practices
Given a scenario, select the appropriate control to meet the goals
of security
Risk Management
The process of identifying, monitoring, and reducing risk to
an acceptable level
Residual risk
Due care
Implement safeguards
Risk Management
Risk factors
Likelihood
How likely could this risk happen in our environment?
Impact
What will this risk do to my company's reputation, recovery time, etc.?
Risk Management
Risk Management Outline
Conduct a resource inventory
Carry out assessments
Threat Assessment
Business Impact Assessment (BIA)
Vulnerability Assessment
Contingency planning
Risk Management
Responses to risk
Risk avoidance
Not performing the risky activity
Risk transference
Burden of loss is shifted to a 3rd party
Risk acceptance
Risk is acknowledged and safeguard is too expensive
Risk deterrence
Discourage the attacker
Risk mitigation
Implement safeguards
Risk Analysis
Qualitative Risk Analysis
Analyzes likelihood and impact
Based on someone's judgment, opinion, or emotional attachment
Does not use hard numbers
Risk Analysis
Quantitative Risk Analysis
Assigns "real" numbers
Used in a cost benefit analysis
Used to identify estimated cost in dollars
Incorporates statistics
Risk Analysis
Cost-Benefit Analysis
Countermeasure cost might outweigh the cost of the targeted risk
If the safeguard cost is less than the ALE, implement the safeguard
If the safeguard cost is more than the ALE, accept the risk
Risk Analysis
Single Loss Expectancy (SLE)
Asset Value
Exposure Factor
SLE = (Asset Value) x (Exposure Factor)
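The SLE formula on this slide and the safeguard rule from the Cost-Benefit Analysis slide are the arithmetic behind a quantitative risk decision. The following is an added example (Python), not from the course slides, that carries both through with constructed dollar figures. The step ALE = SLE x ARO (annualized rate of occurrence) is the standard link between SLE and the ALE the slides compare against, and is not itself stated on the slides.

```python
"""Single Loss Expectancy, Annualized Loss Expectancy and the slides'
safeguard rule. Added example, not from the course slides; the asset value,
exposure factor, ARO and safeguard cost are constructed."""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year
    (an incident expected once every ten years has ARO 0.1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_decision(ale, annual_safeguard_cost):
    """Slides' rule: implement when the safeguard costs less than the ALE,
    otherwise accept the risk."""
    return "implement" if annual_safeguard_cost < ale else "accept"


def evaluate(asset_value, exposure_factor, aro, annual_safeguard_cost):
    """Run the whole chain and return every intermediate figure."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)
    return {
        "sle": sle,
        "ale": ale,
        "safeguard_cost": annual_safeguard_cost,
        "decision": safeguard_decision(ale, annual_safeguard_cost),
    }


if __name__ == "__main__":
    # Constructed: a $100,000 server, 25% lost per incident, one incident
    # every two years, and an $8,000-per-year safeguard.
    print(evaluate(100_000, 0.25, 0.5, 8_000))
```

With the constructed numbers SLE is $25,000, ALE is $12,500 and an $8,000 safeguard is implemented; a $20,000 safeguard against the same ALE is declined and the risk accepted.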
Risk Mitigation
Conduct a Threat Assessment
Perform a Cost Benefit Analysis
Sometimes, the cost of some countermeasures may outweigh the
cost of their targeted risks
Risk Mitigation
Identify Threats
Natural
Environmental threats
Manmade
New malware
Social engineering
Social media
P2P file sharing
Social networking sites
Zero-day exploits
Risk Mitigation
Threat Motivations
Disgruntled employee
Espionage
Political agenda
Threat Capabilities
Script Kiddies
Organized Crime
Terrorism
Risk Mitigation
Security Control Categories
Preventive
Deterrent
Detective
Corrective
Recovery
Directive
Compensating
Risk Mitigation
Security Control Types
Several methods used to classify controls
Based on:
Nature of control
Objective of the control
Risk Mitigation
Technical Controls
Technical measures within the organization to enhance security of
a network or system
Risk Mitigation
Management Controls
Policies and procedures put into place to define and guide
employee actions in dealing with sensitive information:
Security Policies
Proper data classification
Security Awareness program
Configuration management
Risk Mitigation
Management Controls
Security Policy
Establishes the goals of the security program, how it is organized, the
responsibilities, etc.
To be effective, a security policy must be:
Planned
Implemented
Maintained
Risk Mitigation
Management Controls
Security Policy
Should address the following:
Mandatory Vacations
Job Rotation
Separation of Duties
Least privilege
Need to Know
Risk Mitigation
Management Controls
Privacy Policy
Organization must clearly state what information can and can't be
disclosed
State who is entitled to ask for information within the organization
Policy should clearly state to employees that they should have no
expectations of privacy
Desks, files and other items may be searched
E-mail, voice communications are monitored
Risk Mitigation
Management Controls
Acceptable Use Policy (AUP)
Stipulates which actions are allowed or not allowed with company
resources
Must be enforced and adhered to by all to be effective
Some of the areas covered:
Web access
Telephone usage (including company-issued cell phones)
Information usage
System usage
Risk Mitigation
Management Controls
Clean Desk Policy
Sanitize common areas
Devices and sensitive information need to be locked up to minimize theft
or other security incidents
Mitigates browsing attacks
Information Classification
Military Scheme
Business Scheme
High
Confidential
Restricted
Serious damage
Medium
Internal
Significant damage
Low
Internal
Minimal damage
Sensitive
Private
Limited distribution
Public
Full Distribution
Risk Mitigation
Operational Controls
Operational controls define how people in the organization
should handle data, software and hardware
They are mechanisms and daily procedures that provide
protection for systems
Should be transparent to users
Risk Mitigation
Operational Controls
Physical Security
Environmental Security
Fire protection system
Temperature and humidity control systems:
Emergency backup power
Risk Mitigation
Operational Controls
Environmental Controls
Risk Mitigation
Environmental Controls
Building location and construction
Location Considerations
Visibility
Accessibility
Propensity for environmental problems
Risk Mitigation
Environmental monitoring
HVAC
Dedicated
Temperature controls
Between 60 and 75 degrees Fahrenheit
Possible heat damage (>75 degrees)
Humidity controls
Between 40% and 60%
Electrostatic damage (<40%)
Condensation/corrosion (>60%)
Risk Mitigation
Environmental Controls
Fire suppression
Fixed or portable
Water-based or clean-agent based
Class   Type           Suppression Medium
A       Combustibles   Water or foam
B       Liquids        CO2, FM-200, foam, or dry powder
C       Electrical
D       Metal          Dry powder
Risk Mitigation
Environmental Controls
Shielding
Prevent compromising emanations
Electromagnetic Interference (EMI)
Radio Frequency Interference (RFI)
Vulnerability Assessments
Process of identifying, quantifying, and prioritizing
vulnerabilities in a system
Accomplished by:
System Scanning: effectiveness of an organization's security policy, security
mechanism implementations, and deployed countermeasures
Footprinting: accumulating data regarding a specific network environment
Fingerprinting: discovering the underlying operating system on a device
Vulnerability Assessments
Audit should give detailed information on tools used, when
scan was conducted, and vulnerabilities found with risk
levels
Senior management approval needed
Tools
Protocol Analyzers
Vulnerability Scanners
Port Scanners
Network Mappers
Password Crackers
Vulnerability Assessments
Packet Sniffers
Hardware or software that gathers packet-level traffic across the
network
Protocol Analyzers
Vulnerability Assessments
Packet Sniffing on the Network
When a wired NIC (Network Interface Card) is put in promiscuous
mode, the NIC captures all traffic on the network segment it is
installed on
When a wireless Interface Card (WIC) is put in monitor mode, the
WIC captures all traffic on the frequencies it monitors
Vulnerability Assessments
Network Mappers
Used to create network maps
Tools:
ICMP
Nmap
SolarWinds
WhatsUp Gold
Mapping Techniques:
Active Probing
Route Analytics
SNMP
Vulnerability Assessments
Port Scanners
Probes for all enabled TCP/UDP ports
Used by system administrators or attackers
Tools:
SuperScan
IPScan
Pscan
Vulnerability Assessments
Vulnerability Scanners
Running software which contains a database of known
vulnerabilities against a system
Detects potential vulnerabilities
Tools:
Nessus
SATAN
SAINT
MBSA
Vulnerability Assessments
Open Vulnerability and Assessment Language (OVAL)
Sponsored by the US Department of Homeland Security
Standardizes vulnerability testing
How described and reported
An XML schema and repository of vulnerabilities
Vulnerability Assessments
Password Crackers
Software utility that allows direct testing of a user's logon
password strength
Brute force decryption
Dictionary look-up
Rainbow Tables
Examples:
Vulnerability Assessments
Penetration Testing
Vulnerability Assessments
Penetration Testing
Looks for vulnerabilities such as:
Vulnerability Assessments
Three types of penetration testing
Black Box
Examines a program from a hacker's perspective
Testers do not have access to internal code
Gray Box
Basic information about the organization is provided
Footprinting
White Box
Examines the internal logical structures of a program, line by line, for errors
Vulnerability Assessments
Honey Pots
A bogus system that appears to be a production server
Configured with pseudo flaws
Can be used to learn the hacking techniques and methods that
hackers employ
Padded Cell
Honeynet
Enticement vs. Entrapment
Business Continuity
Business Continuity Plan (BCP)
Business Continuity
Business Impact Analysis (BIA)
Business Continuity
Succession Planning
Process of identifying and developing internal people to fill key
leadership positions
Business Continuity
Redundancy
Systems that are either duplicated or that fail-over to other
systems in the event of malfunction
Fail-Over
Process of reconstructing a system or switching to other systems when a
failure is detected
Allows services to continue uninterrupted until the primary can be
restored
Fault Tolerance
Fault Tolerance
The ability of a system to sustain operations in the event of a
component failure
Continues operations even though a critical component has failed
(by switching over)
Addition of redundant components
Hardware
Utilities
Backups
Business Continuity
High Availability
The process of keeping services and systems operational during
an outage
Goal: Five nines availability (99.999%)
Need to implement:
Fault tolerant systems
Redundant technology
Backup communication channels
Business Continuity
Data Backup Types
Type           Backup Process                                       Archive Bit Reset
Full           Backs up all files regardless of the archive bit     Yes
Incremental                                                         Yes
Differential                                                        No
Copy                                                                No
Business Continuity
Full Backup
Backup Characteristics
May require large tapes for each backup
May take a long time to perform each backup
Restore Characteristics
Restore only the last backup
Takes the longest to make a backup, but is the fastest method to make a
complete restore
Business Continuity
Full + Incremental
Backup Characteristics
Fastest backup method
Restore Characteristics
Restore the last full backup, then every subsequent incremental backup
Provides a good balance between backup and restore time
Business Continuity
Full + Differential
Backup Characteristics
Takes progressively longer to complete, as time elapses since the last full
backup
Restore Characteristics
Restore the last full backup, then the last differential backup
Next to a full backup, this is the fastest restore method
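The archive-bit table and the three strategy slides describe one mechanism from two sides: which files each job copies, and which jobs a restore must replay. The following is an added example (Python), not from the course slides, that simulates the archive bit over a constructed three-day schedule and derives the restore sequence from the rules on the Full + Incremental and Full + Differential slides. The file names and schedule are constructed.

```python
"""Archive-bit behaviour of full, incremental, differential and copy backups,
and the restore sequence each strategy needs. Added example, not from the
course slides; file names and the schedule are constructed."""


class File:
    def __init__(self, name):
        self.name = name
        self.archive_bit = True  # set by the OS when a file is created or changed


def modify(files, *names):
    """Simulate a user editing the named files: the OS sets their archive bit."""
    for f in files:
        if f.name in names:
            f.archive_bit = True


def run_backup(kind, files):
    """Copy files according to the backup-types table and return the names copied."""
    if kind in ("full", "copy"):
        chosen = list(files)                           # everything, bit or no bit
    elif kind in ("incremental", "differential"):
        chosen = [f for f in files if f.archive_bit]   # only files changed since a reset
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("full", "incremental"):                # only these two reset the bit
        for f in chosen:
            f.archive_bit = False
    return sorted(f.name for f in chosen)


def restore_sequence(history):
    """history: list of (kind, names) in the order the jobs ran.

    Returns the positions to restore, oldest first: the last full backup,
    then every later incremental, plus only the last later differential.
    Copy backups do not take part in the chain.
    """
    fulls = [i for i, (kind, _) in enumerate(history) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup in history; nothing to restore from")
    last_full = fulls[-1]
    later = range(last_full + 1, len(history))
    incrementals = [i for i in later if history[i][0] == "incremental"]
    differentials = [i for i in later if history[i][0] == "differential"]
    needed = [last_full] + incrementals
    if differentials:
        needed.append(differentials[-1])
    return sorted(needed)


def simulate(strategy):
    """Full backup on day 0, then 'strategy' on days 1 and 2, with one edit per day."""
    files = [File("accounts.db"), File("payroll.xls"), File("readme.txt")]
    history = [("full", run_backup("full", files))]
    modify(files, "accounts.db")
    history.append((strategy, run_backup(strategy, files)))
    modify(files, "payroll.xls")
    history.append((strategy, run_backup(strategy, files)))
    return history, restore_sequence(history)


if __name__ == "__main__":
    for strategy in ("incremental", "differential", "copy"):
        history, seq = simulate(strategy)
        print(strategy, [names for _, names in history], "restore:", seq)
```

The differential run copies `accounts.db` again on day 2 because its bit was never reset, which is why that chain grows but restores in two steps; the incremental chain stays small but every job must be replayed.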
Business Continuity
Grandfather, Father, Son method
Full backups occur at regular intervals
Most recent backup after the full backup is the son
Business Continuity
Onsite storage
Location on site at the computer center
Containers designed and rated for fire, moisture, and pressure
resistance
Offsite Storage
Prevents the same disaster from affecting the network and the
backup media
Business Continuity
Data Restoration/Secure Recovery
Regularly test backups to ensure necessary data has been saved
and can successfully restore
Backup plan should include procedures for proper restoration of
the data
Training should be conducted where backups are actually
restored to a system
Validates the backup and recovery procedures and keeps personnel trained
Business Continuity
RAID Level       Description                                            Strengths / Weaknesses
0                Striping                                               Highest performance; no redundancy, 1 fail = all fail
0+1 (RAID 01)    Mirroring & Striping (mirror of stripes)               No scalability
1                Mirroring
1+0 (RAID 10)    Striping & Mirroring (stripe of mirrors)
3&4              Striped with dedicated parity                          3 disks needed
5                Block-level striping with distributed parity           3 disks needed
6                Block-level striping with double distributed parity
Parity levels (3&4, 5, 6): write performance is slower than RAID 0 or RAID 1; increased cost of additional drives and parity drives
Business Continuity
RAID Level       Recommended Implementation
0                Used to boost server performance; high-end workstations, real-time rendering, transitory data
0+1 (RAID 01)    Mirrored array with high performance but no scalability; operating systems, transaction databases
1                Used to provide fault tolerance, lower performance; operating systems, transaction databases
1+0 (RAID 10)
3&4              Data archives, backups to disk, high availability systems, servers with large capacity and access requirements
Business Continuity
RAID 3 is no longer used because its performance degraded
when a lot of small requests were made to the disk, as with
databases
RAID 5 is most commonly used today because it strikes a
balance between redundancy and performance
Hardware implementation will run faster than software
implementation
Business Continuity
Redundant (Clustered) Servers
The use of multiple computers and redundant interconnections to
form what appears to be a single highly available system
Provides fail-over capabilities
Ensures if one system fails then another in the cluster will take over
Business Continuity
Redundant ISPs
Allows another path through a different backbone in case of
disruption
Provides an alternative way for the organization to maintain their
connection
Costly due to number of systems involved
Business Continuity
Basic utilities such as electricity, water, and gas are key
aspects of business continuity
Power Considerations
Business Continuity
Alternate Sites
Business function restoration in the event of a large-scale loss
Cost of a site should be considered
Geographically distant
Hot / Warm / Cold / Mobile
Service Bureau
Reciprocal Agreement
Business Continuity
Hot Site
A fully configured and functional facility
Maximum Tolerable Downtime: hours
Necessary when an organization cannot tolerate any downtime
Business Continuity
Warm Site
Facility with power, A/C, and partially configured systems
Maximum Tolerable Downtime
Example 1-3 days
Adequate when an organization's Maximum Tolerable Downtime (MTD) or
Recovery Time Objective (RTO) is a short time period
Business Continuity
Cold Site
Basic facility with wiring, ventilation, plumbing, and flooring
No hardware infrastructure
Business Continuity
Service Bureau
A contracted site that provides all alternate backup processing
services
Quick response and availability
Testing may be possible
Expense and may be resource contention during a large
emergency
Common for the service provider to oversell its processing capabilities
Business Continuity
Reciprocal / Mutual Aid Agreements
Agreement with another organization
Both parties back up and store each other's data
Cost effective
Contract should be detailed
Equipment availability, facility repair, security, etc.
Business Continuity
Disaster Recovery Plan (DRP)
Goal is to recover from the disaster and restore critical functions
to normal operations
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
Business Continuity
Recovery Time Objective (RTO)
Acceptable amount of downtime for critical services
What an organization determines is an "acceptable loss limit" in a
disaster situation
If the RTO of a company is two hours
All data must be restored to within two hours of the disaster
The company has acknowledged that data in the two hours immediately
preceding the disaster may be lost
Business Continuity
Recovery Point Objective (RPO)
The milestone of acceptable recovery
What an organization determines is an "acceptable loss limit" in a
disaster situation
Interoperability Agreements
On-boarding versus Off-boarding
Interoperability Agreements
Blanket Purchase Agreement/Order (BPA/BPO)
Government Agency and Private Company for ongoing purchases
of goods or services
Interoperability Agreements
Service Level Agreement (SLA)
An agreement between you or your company and a service
provider, typically a technical support provider
Can include guarantees for:
Incident Management
Incidents are handled in accordance with your Incident
Response policy/plan
Incident Response
Incident Response Policy
Defines how an organization will respond to an incident
Develop procedures to respond to incidents before they occur
Due diligence up front will help the business survive in the event
of a disaster
Types of Evidence
Best
Secondary
Direct
Conclusive
Opinion
Circumstantial
Hearsay
Identification
Preservation
Transportation
Presentation in court
Return to owner, destroy, permanent archive
Register Cache
Routing Table, Memory
Temporary File System
Disks or other storage media
Remote logging and monitoring data
Image Capturing
Data Acquisition:
Taking possession of or obtaining data and adding it to evidence
Data Duplication
Making a copy of data acquired to preserve the original
It is crucial that data is not lost during the acquisition process
Once acquired and duplicated, forensic work is done on the copies
(protects against malware threats, preserves the original)
Image Capturing
Common methods for acquiring data from a system
Bit-Stream Disk to Image File
Most common; image the original disk to another disk
Can create numerous copies
Image Capturing
Network Traffic and Logs
Ports used, last logged in, UserID used, URL accessed
Image Capturing
Take Hashes
Used to verify the integrity of your digital evidence
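Added example (not from the slides or any forensic tool): taking a working copy of acquired evidence and hashing both original and copy, as the Data Duplication and Take Hashes bullets describe. The "disk image" bytes, examiner name and record fields are constructed for illustration; the point is that forensic work proceeds on the copy while the recorded hash lets anyone later prove the copy still matches what was seized.

```python
"""Added example: acquire a working copy of evidence and take hashes to prove
its integrity. Illustrative code only; the evidence bytes are a constructed
stand-in for a disk image, not a real one."""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not a real image).
ORIGINAL_IMAGE = b"\xebH\x90MSDOS5.0" + b"\x00" * 64 + b"user=alice;last_login=2014-03-02\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest: the value written on the chain-of-custody form."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, examiner: str):
    """Make a bit-for-bit duplicate of the source and record hashes of both.

    Forensic work is done on the returned copy; the record proves the copy
    matched the original at acquisition time.
    """
    working_copy = bytes(source)  # bit-stream duplicate of the original
    original_hash = sha256_hex(source)
    copy_hash = sha256_hex(working_copy)
    if not hmac.compare_digest(original_hash, copy_hash):
        raise RuntimeError("duplication failed: copy does not match the original")
    record = {
        "examiner": examiner,  # constructed field, not a standard form layout
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithm": "sha256",
        "original_sha256": original_hash,
        "copy_sha256": copy_hash,
        "size_bytes": len(source),
    }
    return working_copy, record


def verify_integrity(evidence: bytes, record: dict) -> bool:
    """Re-hash the evidence and compare against the hash taken at acquisition.

    False means the copy no longer matches what was seized, so its value as
    evidence is in doubt.
    """
    return hmac.compare_digest(sha256_hex(evidence), record["original_sha256"])


if __name__ == "__main__":
    copy, record = acquire_image(ORIGINAL_IMAGE, examiner="J. Doe (constructed)")
    print("original hash :", record["original_sha256"])
    print("copy verifies :", verify_integrity(copy, record))
    altered = copy.replace(b"alice", b"mallory")
    print("altered copy verifies:", verify_integrity(altered, record))
```

Run as a script, it prints the recorded hash, confirms the untouched copy verifies, and shows that a copy with even one field changed fails verification.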
Screenshots
Take pictures of any alarms generated, and pictures of the
desktop screen
Witnesses
Identified, initial interview, sign a witness consent form
Basic Forensics
Data Breach
The intentional or unintentional release of secure information to
an untrusted environment
AKA: Spillage, Data Leak, Information Disclosure
Loss Control
Minimizing the amount of data lost in an incident
Compliance Failure/Fines
Litigation
Damages awarded to victims
Powered on computers
Stop and think before taking any action
RAM may contain vital information; if the system is powered off, it
could be lost
Take photos of screen if viewable
Chain of Custody
Process to keep track of individuals that have accessed
evidence
Improper evidence handling could result in legal
complications, which can consequently prevent prosecution
Carefully manage the chain of custody form during and
after the forensic investigation
Preservation of Evidence
Digital evidence must be handled with care
Placed in a container
Properly labeled (Use permanent marker)
Sealed
Signed / Dated (Use permanent ink)
Container should be locked
First Responder
The person who first arrives at the crime scene and
accesses the system once the incident has been reported
A network administrator
Law enforcement officer
Investigating officer
Person from the forensics lab
Domain Objectives
A Security+ candidate is expected to:
Explain the importance of risk related concepts
Summarize the security implications of integrating systems and
data with third parties
Implement appropriate risk mitigation strategies
Implement basic forensic procedures
Summarize common incident response procedures
Domain Objectives
A Security+ candidate is expected to:
Explain the importance of security related awareness and training
Compare and contrast physical security and environmental
controls
Summarize risk management best practices
Select the appropriate control to meet the goals of security
Questions?
Review Question 1
Which of the following environmental controls would
BEST be used to regulate cooling within a datacenter?
Fire suppression
Video monitoring
EMI shielding
Hot and cold aisles
Review Question 2
Which of the following is a detective security control?
CCTV
Firewall
Design reviews
Bollards
Review Question 3
Select the formula you would need to
calculate SLE.
AV * EF
ARO * ALE
AV * ARO
EF * ARO
Review Question 4
Which of the following will help Matt, an administrator,
mitigate the risk of static electricity?
Lightning rods
EMI shielding
Humidity controls
Temperature controls
Review Question 5
Which of the following is a policy that would force all
users to organize their areas as well as help in reducing the
risk of possible data theft?
Password behaviors
Clean desk policy
Data handling
Data disposal
Review Question 6
A security administrator wants to determine what data is
allowed to be collected from users of the corporate
Internet-facing web application. Which of the following
should be referenced?
Privacy policy
Human Resources policy
Appropriate use policy
Security policy
Review Question 7
Risk can be managed in the following ways EXCEPT?
Mitigation
Acceptance
Elimination
Transference
Review Question 8
VLAN
Flood guards
Cloud computing
Firewall rules
Review Question 9
Review Question 10
Hot site
Remote site
Cold site
Warm site
Domain 6
Application, Data, and Host Security
Domain Objectives
A Security+ candidate is expected to:
Explain the importance of application security controls and
techniques
Summarize mobile security concepts and technologies
Given a scenario, select the appropriate solution to establish host
security
Domain Objectives
A Security+ candidate is expected to:
Implement the appropriate controls to ensure data security
Compare and contrast alternative methods to mitigate security
risks in static environments
Fuzzing
Aids in evaluating the security and threshold capabilities of
software and firmware
Used in large software development projects that employ black-box testing
Often finds odd oversights and defects which human testers often
fail to find
Buffer overflows
Reaction to abnormal data sizes
Performance capabilities
Error handling
Managing failure
Run-time error: occurs during program execution
Bad syntax, unauthorized fetches, race conditions
Mitigation:
Input validation
Error Handler statements
try{} catch(){} statements
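Added example (not from the slides or any real project): a small fuzz harness run against two versions of a parser, one that trusts its input and one hardened with input validation and a single controlled error type. The record format, size limit and generated inputs are all constructed. It shows what the Fuzzing bullets mean by "reaction to abnormal data sizes" and why try/catch around a parser is only useful when the parser fails in a predictable way.

```python
"""Added example: fuzz a toy parser and harden its error handling.
Illustrative code only; the record format, MAX_PAYLOAD and inputs are constructed."""
import random
import struct

MAX_PAYLOAD = 1024  # constructed size limit for the toy record format


class RecordError(Exception):
    """Controlled rejection of bad input; callers catch this instead of crashing."""


def build_record(payload: bytes) -> bytes:
    """Toy format: 2-byte big-endian length, payload, then a 0x00 terminator."""
    return len(payload).to_bytes(2, "big") + payload + b"\x00"


def parse_record_naive(data: bytes) -> bytes:
    """Parser that trusts its input: abnormal sizes escape as struct.error or
    IndexError, which would be a run-time crash in a real program."""
    (length,) = struct.unpack(">H", data[:2])   # struct.error on fewer than 2 bytes
    payload = data[2:2 + length]
    terminator = data[2 + length]                # IndexError on truncated input
    if terminator != 0:
        raise RecordError("bad terminator")
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    """Same format with input validation up front; every failure is a RecordError."""
    if not isinstance(data, (bytes, bytearray)):
        raise RecordError("expected bytes")
    if len(data) < 3:
        raise RecordError("record too short")
    length = int.from_bytes(data[:2], "big")
    if length > MAX_PAYLOAD:
        raise RecordError("declared length exceeds limit")
    if len(data) < 3 + length:
        raise RecordError("truncated payload")
    if data[2 + length] != 0:
        raise RecordError("bad terminator")
    return bytes(data[2:2 + length])


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.randrange(256) for _ in range(n))


def fuzz(parser, iterations: int = 2000, seed: int = 1234) -> dict:
    """Feed empty, truncated, oversized-length, random and valid records to the
    parser. Returns counts of exception types that escaped as anything other
    than RecordError; an empty dict means every odd input was handled."""
    rng = random.Random(seed)  # fixed seed so a failing input can be replayed
    escaped = {}
    for _ in range(iterations):
        kind = rng.choice(["empty", "short", "huge_length", "random", "valid"])
        if kind == "empty":
            data = b""
        elif kind == "short":
            data = rand_bytes(rng, rng.randrange(1, 3))
        elif kind == "huge_length":
            data = b"\xff\xff" + rand_bytes(rng, rng.randrange(0, 20))
        elif kind == "random":
            data = rand_bytes(rng, rng.randrange(0, 40))
        else:
            data = build_record(rand_bytes(rng, rng.randrange(0, 16)))
        try:
            parser(data)
        except RecordError:
            pass  # expected: bad input rejected with a controlled error
        except Exception as exc:  # anything else is an unhandled run-time error
            name = type(exc).__name__
            escaped[name] = escaped.get(name, 0) + 1
    return escaped


if __name__ == "__main__":
    print("naive parser, escaped exceptions:   ", fuzz(parse_record_naive))
    print("hardened parser, escaped exceptions:", fuzz(parse_record_hardened))
```

The naive version lets struct.error and IndexError escape on short and truncated inputs; the hardened version validates length and bounds before indexing, so a caller's single except RecordError clause covers every malformed input.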
Application Baselining
Configuration Baselines (CB)
Establishes the mandatory settings that must be configured for
applications, network devices, and systems on a network
Usually start with host, application, and network hardening
principles
May mark an approved security configuration item, e.g. security
templates, that have been signed off for execution
Application Hardening
Remove all applications not being used
Restrict access to the application, provide access only to those
who must have it
Update all applications to the latest patches
Code-review internally developed applications for security
weaknesses
Proper input validation
Use encryption for application communications
Patch Management
WSUS
SCCM
Database Architecture
NoSQL
SQL
Not relational
Scales well
Handles Big Data best
Disparate data
Relational
Table relationships
Highly structured
Easy to query
Server-side
Validation checks occur on
server
Must maintain state table
Minimum location for
validation
Client-side
End user's interface makes
validation checks
Can be used to filter
legitimate input
Speedier validation
Device Security
Full device encryption
All information is unreadable without key
Backup of key is necessary
Remote wiping
Device is returned to initial factory settings
Lockout
Device is locked after a number of unsuccessful login attempts
Device Security
Screen locks
PIN is required to unlock screen
GPS
Tracks current locations and all the locations visited
Application control
Device manufacturer screens apps that can be downloaded to
device
Storage segmentation
Separate storage for work and personal data
Device Security
Asset tracking
Inventory control
Mobile device management
Device access control
Removable storage
Disabling unused features
Application Security
Key management
Growing concern as encryption requirements increase
Credential management
Increasing need for stronger methods of protecting and storing
user credentials
Authentication
Rising overhead for multifactor authentication requirements
Risks of automatic authentication
Application Security
Geo-tagging
metadata
Encryption
Application white-listing
Only permits those on the list and denies everyone else
Transitive trust/authentication
BYOD
Data ownership
Support ownership
Patch management
Anti-virus management
Forensics
Privacy
BYOD
On-boarding / Off-boarding
Adherence to corporate policies
User acceptance
Architecture/infrastructure considerations
Legal concerns
Acceptable use policy
On-board camera/video
OS Security
Group Policies
Allows administrators to have more control over the system
settings
Allows for centralized control of all Windows operating systems in
the enterprise environment
In Server 2008 they can be configured with the Group Policy
Management Console
OS Security
Domain GPO Design
Windows uses Group Policy Object (GPO) to manage the settings
on containers and objects
Types of containers
Site
Domains
Organizational Units (OUs)
GPO Inheritance
OS Security
Security Templates
Used to support the organization's system security policy
Can be used as a baseline configuration for all the systems on the
network
Can also be used to compare a system's settings to the baseline
settings
A group policy is normally used to create the template
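Added example (not from the slides, and not a Windows tool): comparing a host's settings against a template baseline, as the Configuration Baselines and Security Templates slides describe. The setting names and values are constructed and are not real Windows policy identifiers. The check reports settings that are missing, weaker than the baseline minimum, different from the mandated value, or present on the host but absent from the template.

```python
"""Added example: check a host's settings against a security template baseline.
Illustrative code only; setting names and values are constructed, not real
Windows policy identifiers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AtLeast:
    """Baseline rule for numeric settings where stricter than baseline is fine."""
    minimum: int

    def satisfied_by(self, value) -> bool:
        return (isinstance(value, int) and not isinstance(value, bool)
                and value >= self.minimum)


# Constructed baseline in the spirit of a security template.
BASELINE = {
    "MinimumPasswordLength": AtLeast(14),
    "AccountLockoutThreshold": 5,
    "AuditLogonEvents": "Success,Failure",
    "GuestAccountEnabled": False,
    "TelnetServiceStartup": "Disabled",
}

# Constructed settings as read from two hosts.
COMPLIANT_HOST = {
    "MinimumPasswordLength": 16,  # stricter than the baseline is acceptable
    "AccountLockoutThreshold": 5,
    "AuditLogonEvents": "Success,Failure",
    "GuestAccountEnabled": False,
    "TelnetServiceStartup": "Disabled",
}

DRIFTED_HOST = {
    "MinimumPasswordLength": 8,
    "AccountLockoutThreshold": 5,
    "AuditLogonEvents": "Failure",
    "GuestAccountEnabled": True,
    "LegacyFileShareEnabled": True,  # not in the baseline at all
}


def compare_to_baseline(baseline: dict, actual: dict) -> list:
    """Return every deviation as (setting, issue, expected, actual).

    Issues: 'missing' (baseline setting absent from the host), 'below_minimum'
    (AtLeast rule failed), 'mismatch' (value differs from the mandated one),
    'unexpected' (host setting the template does not cover).
    """
    findings = []
    for name, required in baseline.items():
        if name not in actual:
            findings.append((name, "missing", required, None))
        elif isinstance(required, AtLeast):
            if not required.satisfied_by(actual[name]):
                findings.append((name, "below_minimum", required.minimum, actual[name]))
        elif actual[name] != required:
            findings.append((name, "mismatch", required, actual[name]))
    for name in actual.keys() - baseline.keys():
        findings.append((name, "unexpected", None, actual[name]))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    print("compliant host:", compare_to_baseline(BASELINE, COMPLIANT_HOST))
    for finding in compare_to_baseline(BASELINE, DRIFTED_HOST):
        print("drifted host  :", finding)
```

The compliant host produces no findings even though its password length is stricter than the template; the drifted host is flagged on four template settings plus one setting the template never mentions, which is the kind of unneeded feature the hardening slides say to remove or disable.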
OS Security
Local Group Policies
Computer Configuration
Used to configure the settings on one system
User Configuration
Used to configure the settings that control what the user's preferences are
and what they can and cannot do on that system
Examples: wallpaper, control panel, etc.
OS Security
OS Hardening
Process of securely configuring the system against security
vulnerabilities
Common methods
OS Hardening
Advanced methods
Patch Management
Applying patches, hotfixes, service packs
Hotfixes
Service Packs
Patches
Patch Management
WSUS
SCCM
Trusted OS
An operating system that meets the organization's
requirements for security
Most common set of standards to evaluate IT security is
Common Criteria (CC)
The CC standard outlines a comprehensive set of evaluation
criteria, broken down into seven Evaluation Assurance Levels
(EALs).
http://www.commoncriteriaportal.org/
Trusted OS
Designed, tested and evaluated
Common Criteria
Evaluation Assurance Level (EAL) 1 - 7
Examples
Data At-Rest
Stored inactive digital data
Protect with strong encryption and access control
Data In-Use
Data that is being accessed or processed internally
Enforce strong authentication and access controls
Data Encryption
Full Disk (Whole Disk Encryption)
Data Encryption
Database
Choice between cell or full database encryption
TDE (Transparent Data Encryption) provides encryption for data
without user awareness
TDE programs account for the added overhead of encryption and
key management
Does not encrypt data in transit
Data Encryption
Individual Files
Microsoft EFS and Encrypt Stick
Back up the encryption key
Removable Media
USB
External hard drive
CD / DVD
Data Encryption
Mobile devices
Android
Built-in - Gingerbread 2.3.4 (28APR11) and newer
Apple iOS
Built-in
Third Party
Symantec
Hardware-Based Encryption
Trusted Platform Module (TPM)
Hardware Security Module (HSM)
USB encryption
Hard drive
TPM
Trusted Platform Module
A microcontroller that stores keys, passwords, and digital
certificates
Typically affixed to the motherboard of a PC
More secure from external software attack and physical theft
HSM
Hardware Security Module
Standalone devices that help provide secure storage for
encryption keys on a network
Typically offer protection features like strong authentication and physical
tamper resistance
Traditionally have been used in the banking sector to secure large amounts
of bulk transactions
Other common usage areas are to secure CA keys in PKI deployments and SSL
acceleration
USB Encryption
Protect data if device is lost or stolen
Software examples
Bitlocker To Go
TrueCrypt
GiliSoft
Hardware examples
IronKey by Imation
Kanguru Defender
Kingston DataTraveler
Data Policies
Wiping
How is the data removed from media?
Disposing
How are media discarded when they are no longer needed?
Retention
How long must data be kept?
Storage
Where is data kept, and what security precautions are associated
with its access?
Environments
Supervisory Control and Data Acquisition (SCADA)
Manages automated equipment (factories, dams, power
generators, etc.)
Stuxnet virus attacked Iranian nuclear centrifuges
Environments
Mobile Platforms
Android
iOS
Mainframe
Centralized large-scale computer (server)
Game Consoles
Xbox, Playstation, Wii, etc.
Methods
Network Segmentation
DMZ, extranet, intranet, and internet.
Security Layers
Multiple network security devices protecting the network
segments
Application Firewalls
Protect application servers (web, SQL, email, etc.)
Methods
Manual Updates
Automatic updates not possible for some devices (routers,
switches, WAP, etc.)
Methods
Wrappers
Encapsulating sensitive systems with a specific control
Domain Objectives
A Security+ candidate is expected to:
Explain the importance of application security controls and
techniques
Summarize mobile security concepts and technologies
Select the appropriate solution to establish host security
Domain Objectives
A Security+ candidate is expected to:
Implement the appropriate controls to ensure data security
Compare and contrast alternative methods to mitigate security
risks in static environments
Questions?
Review Question 1
________ is used to test for or find odd oversights and
defects missed by human testers.
Snooping
Fuzzing
Hunting
Tracking
Shoulder Surfing
Review Question 2
Which of the following mitigation techniques is a technician
MOST likely to implement after the software has been
released to the public?
Review Question 3
Which of the following has a programmer MOST likely failed
to consider if a user entering improper input is able to crash
a program?
SDLM
CRC
Data formatting
BYOD policy
Error handling
Review Question 4
Which of the following would an administrator do to ensure
that an application is secure and all unnecessary features
are disabled?
Baselining
Application hardening
Secure application coding
Patch management
Review Question 5
A vulnerability has been found in an unnecessary service.
Which of the following is the BEST mitigation technique?
Issue a hotfix to lower the vulnerability risk on the network
Issue a group policy to disable the service on the network.
Issue a service pack to ensure the service is current with all
available patches
Issue a patch to ensure the service has a lower level of risk if
compromised
Review Question 6
Which of the following allows a company to analyze data
stores that are measured in many petabytes?
Review Question 7
Setting the web browser, email program, and media
handlers throughout the organization is referred to as:
Exception handling
Application whitelisting
Application patch management
Least Privilege
Implicit Deny
Review Question 8
Which of the following should be performed to ensure no
data can be retrieved from a smart phone after it is lost?
Device encryption
GPS tracking
Screen lock
Remote wipe
Strong Authentication
Review Question 9
Which of the following should be used to help prevent theft
of unused assets?
HSM device
Locking cabinet
Device encryption
GPS tracking
Whole disk encryption
Review Question 10
Which of the following is a best practice for error and
exception handling?