|
1
|
|
|
2
|
- Network Infrastructure
- Focuses on the technical items
- Threats
- Application, Operational and Organizational
- Plans, Polices & Procedures
- What to do to improve Security
|
|
3
|
- Security_ Certification
- Has some Obsolete Links!
- CC: http://www.commoncriteria.org
- The International CC Project has discontinued the
www.commoncriteria.org Information/Knowledge Management Portal. http://www.commoncriteria.com/cc.html
- NIST: http://www.csrc.nist.gov/publications Computer Security Resource Center
- RFC: http://www.icann.rfceditor.org (Does not exist, references are on
the CD!)
|
|
4
|
- The Security+ Certification is a testing program sponsored by the
Computing Technology Industry Association (CompTIA) that certifies the
knowledge of networking technicians who have accumulated 24 months of
experience in the information technology (IT) industry.
- http://www.comptia.org/certification.
|
|
5
|
- Chapter 1 , "General Networking and Security Concepts,"
- Chapter 2 , "TCP/IP Basics,"
- Chapter 3 , "Certificate Basics,"
- encryption and certificates
- Public Key Infrastructure (PKI), and certification authorities.
- Chapter 4 , "Network Infrastructure Security,"
- Chapter 5 , "Communications Security," describes ways to
secure remote connections using a variety of
|
|
6
|
- Chapter 6 , "Application Security,"
- e-mail, Web browser, and File Transfer Protocol (FTP) clients
- Chapter 7 , "User Security,"
- Chapter 8 , "Security Baselines,"
- covers measures to increase the security of network and servers
- Chapter 9 , "Operational Security,"
- Chapter 10 , "Organizational Security,"
- Chapter 11 , " Incident Detection and Response,"
|
|
7
|
- Anyone can take the Security+ exam. There are no specific requirements
or prerequisites, except payment of the fee.
- Individuals are permitted to take the exam as many times as they like.
- The exam is broken down into five sections, called objective domains.
|
|
8
|
|
|
9
|
- Follow the Book – 5 Chapters
- Cover the examination topics – but will emphasize what works and what
does not
- Some in-class joint practice tests
- When Time Permits – Discussion of Sample Tests
- Homework – yes
- Skim the chapter
- do some projects
- do practice tests and discuss results
- Viewgraphs will be available at the end of the course.
|
|
10
|
- Jim Bullough-Latsch
- jbl@4terrorism.com
- 818-775-1015
- Security Experience
- Recent security assessments, plans, policies, procedures for Web
Systems
- Worked on Classified Systems
- Architect for Multiple Systems with Sensitive Data
- Has plenty of Degrees and Lots of Years
- Currently Available for High Priced Consulting!
|
|
11
|
- What do you know?
- What do you want to learn?
- Sign In
|
|
12
|
- On-line Business
- On-Line Information
- Access to Information
- Homeland Security
- Traditional Closed Systems – New DoD Business
|
|
13
|
|
|
14
|
- “Protecting tomorrow's systems against yesterday's threats”
- Advice – Follow the Money
|
|
15
|
- http://commoncriteria.org
- http://csrc.nist.gov/
- http://iase.disa.mil/policy.html#guides
- http://niap.nist.gov/
- http://sepo.spawar.navy.mil/sepo/index2.html
- http://us.mcafee.com
- http://usa.visa.com/business/merchants/cisp_index.html
- http://v4.windowsupdate.microsoft.com/
- http://www.cert.org
- http://www.criticalsecurity.com
- http://www.fas.org/irp/doddir/dod/5200-1r
- http://www.hq.nasa.gov/office/codeq/ns871913.htm
- http://www.isalliance.org/
- http://www.microsoft.com/security
- http://www.nsa.gov
- http://www.pogner.demon.co.uk/mil_498
- http://www.radium.ncsc.mil/tpep
- http://www.sans.org/top20/
- http://www.symantec.com/
- https://sans20.qualys.com/
|
|
16
|
|
|
17
|
- What is the loss to my company's assets if the company's data is
compromised?
- What is the loss of intellectual property worth to my company?
- What is the loss in revenue or market share?
- What is the loss of privacy worth?
- What is the damage to my company's reputation worth?
|
|
18
|
- Real value.
- Imagine you work for a company that makes tea. If your company has a
formula for a special blend of tea and the yearly sales of that tea is
$5 million, then you could say that formula has a value of $5 million.
Five years from now, coffee might be more popular so the yearly sales
of the tea might drop to $2 million. The value of the formula would
have dropped from $5 million to $2 million. The information did not
change, but the value of the information changed.
- Perceived value.
- The tea company you work for has a very smart management and marketing
group. The management team has a plan for collaborating with a
distribution company to increase the availability of the tea across the
world. The marketing team has an idea for a marketing campaign that
will make the tea more popular and could slow the rise in popularity of
coffee.
|
|
19
|
|
|
20
|
- Confidentiality. Ensures that information is accessed only by authorized
personnel.
- Integrity. Ensures that information is modified only by authorized
personnel.
- Availability. Ensures that information and systems can be accessed when
needed by authorized personnel.
|
|
21
|
|
|
22
|
- Risk
- is the exposure to loss or possible injury. With information security,
the risk is that your company's information will fall prey to outside
forces and cause your company losses in time, money, and reputation.
- A threat,
- for information security, is any activity that represents possible
danger to your information. Threats can take many forms, but any threat
poses a danger to the C-I-A triad. In the example of the tea company,
another company could steal the formula for the tea, or an employee
could sell the formula to another company.
- A vulnerability
- is a weakness in your information security that could be exploited by a
threat; that is, a weakness in your systems and network security,
processes, and procedures. With the tea company, the formula for the
tea is the valued information. People have to have access to the
formula to make the tea and the formula has to be stored somewhere.
|
|
23
|
- Place a value on the information.
- Identify as many risks as possible and their associated threats and
vulnerabilities.
- Mitigate the identified risks.
- Be aware that there are always things that you overlooked.
|
|
24
|
- Understand what is to be protected
- Confidentiality is assuring information is secure, with access limited
to appropriate persons.
- Integrity is ensuring information is not accidentally or maliciously
altered or destroyed.
- Availability is assuring information and communication services will be
ready for use when expected.
- To mitigate risks, you must determine a value for the information you
are protecting and what the potential liability would be if that
information were in the wrong hands. The C-I-A triad is a way to
remember that the confidentiality, integrity, and availability of
information is the concern of every IS specialist, and especially the
security specialist.
|
|
25
|
- Is the threat due to a disaster of some sort, or is it due to an attack?
- If it is an attack, is the threat coming from someone who works for
the company, or from someone outside the company?
- If the threat is from attack, is it a well-known attack?
- If the threat is an attack, are you able to identify it by reviewing
audit files?
- If the threat is an attack, is it a business-related attack?
|
|
26
|
- Natural disasters.
- To plan for a natural disaster, you must identify the types of natural
disaster that are most likely, determine how often those events occur
(historically), and then create a mitigation plan to minimize the
impact on your company. The plan might not be implemented, but it
should still be identified.
- Man-made disasters.
- Man-made or fabricated disasters that could affect the C-I-A triad
include fire, loss of power, or a structural collapse. Because the
meaning of disaster is a sudden or great misfortune, the event would be
large and affect more than just information security. The concern and
priority is for the safety of the people caught in the disaster, but
good planning will help a company recover from the misfortune quicker.
- Mishap.
- A mishap is defined as an unfortunate accident. If a server fails and
the specialists who repair and restore the server are all away, then
the C-I-A triad is at risk. Consider the severity and likelihood of the
event, whether it is a disaster of epic proportions, or a minor mishap
so you can minimize risk.
|
|
27
|
- Threats based on the business. Some threats are directly related to the
business your company is in; therefore, the attacks that are most likely
to occur can be better identified.
- Threats that can be verified. Verifiable threats can be identified by
data that is captured.
- Widely known threats. Some threats are widely known and you can simply
read about them.
- Internal threats
- External threats
|
|
28
|
- An attack is an attempt to bypass security controls on a computer. The
attack could alter, release, or deny data. Attack types vary almost at
the speed of light, but most have a name that describes the attack type
well.
- Denial of service (DoS)
- Spoofing.
- Man-in-the-middle.
- Password guessing.
|
|
29
|
- Virus. A virus is a program that can replicate, but not propagate,
itself. It requires an installation vector, such as an executable file
attached to an e-mail message or a floppy disk. A virus infects other
programs on the same system and can be transferred from machine to
machine through e-mail attachments or some form of media, such as a
floppy disk. A virus can destroy data, crash systems, or it can be
mostly harmless.
- Worm. A worm is a program that can replicate and propagate itself. It
propagates itself by infecting other programs on the same system, and
also spreading itself to other systems across a network, without the
need for an installation vector. A worm can also destroy data, crash
systems, or be mostly harmless.
- Trojan horse. Generally, a Trojan horse program looks desirable or
harmless, but actually does damage. For instance, you might download
what you think is a game, but when you run it, you find that it deletes
all of the executable files on your hard disk.
|
|
30
|
- Hacker. The term hacker has two definitions, depending on to whom you
are talking. To a programmer, a hacker can be someone who pounds out
code that provides a quick solution to a difficult problem. The code
might not be elegantly written, but it is functional and effective. To
others, a hacker is someone who breaks security on an automated
information system or a network. This type of hacker (also known as a cracker)
is typically doing something mischievous or malicious, and although they
might be trying to break into a system for what they consider a good and
higher cause, they are still breaking into a system.
- Novice. A novice is someone who aspires to be a hacker, but does not
have the technical skills. Typically, a novice will go to a Web site
created by a hacker and run a program that attacks a network or computer
system. Although a novice attack is usually easily identified and
denied, it can provide enough "white noise" to hide evidence
that a hacker is attempting a more serious attack on a system or
network.
|
|
31
|
- Hackers (or crackers) trying to break into your network and computers
- Malicious code such as a computer virus or Trojan horse
- People who work for your company and are unhappy or are being paid to
gather and sell your company's information
- Fire, flood, hardware failure, or natural disaster
- Threats can come from external sources, such as hackers and e-mail
messages, but they can also come from sources internal to the company,
as is the case with a disgruntled employee or someone who gains physical
access to your computers.
|
|
32
|
- Intrusion points are areas that provide an access point to your
company's information.
- Some of these are obvious, but others are not.
- For instance, you might realize that you need to install a firewall to
protect the internal network and computers from hackers.
- If a hacker took a temporary job at your company, the firewall would be
of little use.
- When identifying intrusion points, you must consider internal threats
as well as external threats.
|
|
33
|
- Internal access points
- Systems that are not in a secured room
- Systems that do not have any local security configured
- External access points
- Network components that connect your company to the Internet
- Applications that are used to communicate across the Internet
- Communications protocols
|
|
34
|
- network infrastructure
- is all of the wiring, networking devices, and networking services that
provide connectivity between the computers in a network. The network
infrastructure also provides a way to connect to the Internet, allows
people on the Internet to connect to your network, and provides people
who work remotely with methods to connect to your network
- An external intruder would attack your connection to the Internet using
an attack method, such as a DoS attack, or by guessing a user name and
password that lets them authenticate.
- An internal intruder might connect to an open network jack and attempt
to gain access to a server with shared resources that do not require a
password.
|
|
35
|
- An external intruder might place a virus or worm in an e-mail message
and send the message to a user on your internal network.
- When opened, a virus might infect the system or provide the intruder
with a way to control the system the e-mail was opened on.
- An internal intruder might use native operating system utilities to
connect to other systems on your internal network that do not require a
user name or password to gain access.
- They might also use an application such as a Web browser to access
confidential information with limited access security.
|
|
36
|
- TCP/IP is the protocol suite used for communications on the Internet.
- Some attacks work by modifying
the structure of the IP packet, but many successful intrusions occur
at higher levels in the TCP/IP stack. For instance, an intruder can
exploit a Web server using the Hypertext Transfer Protocol (HTTP).
Communications protocols provide a common set of rules that computers
use when communicating with each other. Some protocols offer no
security, whereas others provide varying degrees of security.
Intruders use their knowledge of communications protocols to
compromise your C-I-A triad. The following are two examples:
- An external intruder might attack your company's presence on the
Internet by using a DoS attack to disable your Web server. This would
cause the information to be inaccessible to your customers.
- An internal intruder might disable an e-mail server by causing a flood
of e-mail messages to be sent. This would disable the e-mail server so
users could not retrieve their e-mail.
|
|
37
|
- When building a defense, you should use a layered approach that includes
securing the network infrastructure, the communications protocols,
servers, applications that run on the server, and the file system, and
you should require some form of user authentication.
- This is very similar to placing family heirlooms in a safe, in a
cellar, in a house with a lock on the front door, with a large fence
around the house. For someone to take the heirlooms, they would have to
get past the fence, through the front door, to the cellar, and into the
safe. This would be more difficult than if the heirlooms were placed
just inside the fence.
- When you configure a strong, layered defense, an intruder has to break
through several layers to reach his or her objective.
- For instance, to compromise a file on a server that is part of your
internal network, a hacker would have to breach your network security,
break the server's security, break an application's security, and break
the local file system's security. The hacker has a better chance of
breaking one defense than of breaking four layers of defense.
|
|
38
|
|
|
39
|
- Securing the network is the first step to creating a strong defense.
When securing a network, minimize the number of access points to the
network. For instance, if Internet access is required, configure a
single access point and put a firewall in place.
|
|
40
|
- System hardening.
- Includes removing unused services, ensuring that the latest security
patches and service packs are installed, and limiting the number of
people with administrative permissions. Hardening the system minimizes
the risk of a security breach to the system.
- Application hardening.
- Includes applying the latest security patches and enforcing user-level
security if available. Applications on a system can be client
applications, such as a Web browser, or server applications, such as a
Web server application. Hardening the applications on a system
minimizes the chance of a security breach using an application.
- Enable local file security.
- Enabling local-level file security could include applying access
control lists (ACLs) or the Encrypting File System (EFS); each helps
ensure that only authorized people have access to the sensitive data
stored in files on the hard disk.
|
|
41
|
- Securing Applications
- When you secure applications on a server, you ensure that the latest
security patches and service packs are installed. You also enable any
authentication methods available for the applications.
- User Authentication
- User authentication verifies that your company's information is being
accessed only by authorized users. User authentication can take many
forms, but typically employs a user name and password to access
information.
- Smart Card Authentication
- Smart cards offer a two-factor authentication method. With smart cards,
the system reads a chip that contains certain information, and then a
password or personal identification number (PIN) must be provided to
authenticate a user.
|
|
42
|
- Forensics is applying science to law. For information security, forensics
is the investigation and analysis of a computer for the purpose of
gathering potential legal evidence.
- For this to occur, data has to be preserved, and a strict chain of
custody protocol must be followed.
- Forensics specialists (typically working for law enforcement agencies)
are called in to gather evidence.
- You must be aware of the nature of the evidence they are gathering so
that you don't inadvertently destroy it.
- When electronic evidence is gone, it's gone.
|
|
43
|
- When you are preserving data in an attempt to prosecute someone who has
breached your security, it is not only important to preserve the data,
but also to identify the chain of custody for the evidence collected to
ensure it is admissible and defendable in a court of law.
- Chain of custody procedures ensure the integrity of the information
collected by tracking its handling and storage from the point of
collection to final disposition of the evidence.
- This procedure is used after you have been attacked and are attempting
to collect data that will be used to prosecute the attacker.
- For instance, if your company's Web site was hacked and the attackers
downloaded an application that you sell, then you would need to collect
as much data as possible to prosecute the thief. The data would have to
be gathered, handled, and stored properly to be used as evidence. This
includes limiting access to the evidence, documenting who handled the
evidence, when it was handled, and why it was handled.
- Documentation of this process must include the date and purpose each
time evidence is handled or transferred, and identification of each
individual in the chain of custody.
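The record the slide describes (who handled the evidence, when, and why, every time it changes hands) can be kept in a form that is itself tamper-evident. The following is an added example written for this page, not code from the book or the course; it assumes the common forensic practice of hashing the evidence at acquisition and re-hashing it at every hand-off, and the evidence bytes, names and timestamps are constructed for the demonstration.

```python
"""A tamper-evident chain-of-custody log for one item of electronic evidence.

Added example for this course page, not from the slides or the book. It
assumes the common forensic practice of hashing evidence at acquisition
and re-hashing at every hand-off; the evidence bytes, names and times
used with it are constructed for the demonstration.
"""
import hashlib
import json

GENESIS = "0" * 64   # "previous entry" hash for the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Each entry holds who, when and why (the fields the slide lists) plus
    the evidence hash at that moment, and is chained to the previous entry
    by hash, so editing, removing or reordering an entry is detectable."""

    def __init__(self, evidence_id, evidence, collector, when):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(evidence)
        self.entries = []
        self._append(collector, when, "acquisition", evidence)

    def _append(self, who, when, purpose, evidence):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries), "evidence_id": self.evidence_id,
            "who": who, "when": when, "purpose": purpose,
            "evidence_sha256": sha256_hex(evidence), "prev": prev,
        }
        # Canonical JSON (sorted keys) so the hash is reproducible on verify.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, to_whom, when, purpose, evidence):
        """Log a hand-off; refuse if the evidence no longer matches acquisition."""
        if sha256_hex(evidence) != self.acquisition_hash:
            raise ValueError("evidence hash differs from acquisition: integrity broken")
        return self._append(to_whom, when, purpose, evidence)

    def verify(self):
        """True if no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev"] != prev:
                return False
            if e["evidence_sha256"] != self.acquisition_hash:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

The log itself does not replace the signed paper form or the locked evidence locker; it gives the analyst a quick check that the record and the evidence image are the ones that were acquired, before anyone relies on them.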
|
|
44
|
- Managing information security also includes working with the Human
Resources department of your company to ensure that when an employee
leaves the company, his or her access to the company's data is
terminated.
- You must be aware of your role in protecting the company by ensuring
that you change the former employee's password and revoke his or her
access rights.
- Privacy issues are a sensitive subject for some employees. These
employees feel that what they do with the computer they use in the
office is their own business, and believe the e-mail they receive is
legally viewable by only them.
- According to a Privacy Rights Clearinghouse fact sheet on employee
monitoring, employers can do the following:
- Monitor what is on a computer screen.
- Monitor and review e-mail.
- Monitor phone calls.
- Maintain and acquire phone records.
|
|
45
|
- Transmission Control Protocol/Internet Protocol (TCP/IP) as it relates
to information security –
- Chapter 2 in the book
|
|
46
|
|
|
47
|
- TCP/IP is the suite of protocols used to communicate on the Internet.
- Each protocol of the TCP/IP protocol suite is associated with a layer of
the seven-layer OSI communications model, which is an International
Organization for Standardization standard.
- The seven layers are the Physical layer, Data Link layer, Network layer,
Transport layer, Session Layer, Presentation Layer, and the Application
layer.
|
|
48
|
|
|
49
|
- Physical layer. The Physical layer (Layer 1) is typically implemented in
hardware and is responsible for placing data bits on and receiving bits
from the communications media, such as coaxial cable.
- Data Link layer. The Data Link layer (Layer 2) takes packets from the
Network layer and encodes them into bits for the Physical layer, and
accepts bits from the Physical layer and assembles them back into
packets. The unit it works with, a packet wrapped in its Layer 2 header
and trailer, is a frame. This layer is divided into two sub-layers: the
Media Access Control (MAC) sub-layer and the Logical Link Control (LLC)
sub-layer. The MAC sub-layer controls how a computer on a shared
network gains access to the medium and permission to transmit on it.
The LLC sub-layer manages frame synchronization, error checking, and
flow control.
- Network layer. The Network layer (Layer 3) provides routing and
switching capabilities, and creates logical paths between two computers
to create virtual circuits. This layer is responsible for routing,
forwarding, addressing, internetworking, error handling, congestion
control, and packet sequencing. When packets are received from the
Transport layer, the Network layer is responsible for ensuring that the
packet is small enough to be a valid packet on the underlying network.
If the packet is too large, this layer breaks the packet into several
packets, and on the receiving computer, this layer places the packets in
the proper sequence to reassemble the packet. If the interconnecting
devices cannot handle the amount of traffic being generated, this layer
also provides congestion control.
- Transport layer. The Transport layer (Layer 4) transfers data between
end systems or hosts, and is responsible for end-to-end error recovery
and flow control between the two end systems. This layer ensures
complete data transfer between the two systems.
- Session layer. The Session layer (Layer 5) establishes, manages, and
terminates connections between applications on two computers. The
session layer sets up, coordinates, and terminates all interchanges
between applications on both computers. This layer manages session and
connection coordination.
- Presentation layer. The Presentation layer (Layer 6) provides a
heterogeneous operating environment by translating from the
application's data format to the underlying network's communications
format. This layer is also known as the syntax layer.
- Application layer. The Application layer (Layer 7) supports end-user
and application processes. Communication partners and quality of
service levels are identified, user authentication and privacy are
considered, and any constraints on data syntax are identified.
|
|
50
|
|
|
51
|
|
|
52
|
- Header information differs between LAN technologies, but some things
are always present in the header.
- There is always a preamble, or some other sequence of bits, that marks
the start of a valid frame.
- All Network Interface layer headers also carry fields for the
destination and source MAC addresses.
- For instance, an Ethernet II frame is preceded by a preamble of 7
bytes of alternating ones and zeros (10101010), followed by the start
frame delimiter, the byte 10101011.
- This signals the beginning of a valid Ethernet II frame; the 6 bytes
that follow are the destination MAC address, then 6 bytes of source MAC
address and a 2-byte type field. The preamble and delimiter are handled
by the network card, so packet capture tools show the frame starting at
the destination MAC address.
|
|
53
|
|
|
54
|
- Version (4 bits).
- Internet Header Length (4 bits).
- Type of Service (8 bits).
- Total Length (16 bits).
- Identification (16 bits).
- Flags (3 bits).
- Fragment Offset (13 bits).
- Time-to-Live (8 bits).
- Protocol (8 bits).
- Header Checksum (16 bits).
- Source IP Address (32 bits).
- Destination IP Address (32 bits).
- IP Options and Padding (variable).
|
|
55
|
- The ICMP protocol reports errors and control conditions on behalf of the
IP protocol. This is because the IP protocol provides end-to-end
datagram delivery capabilities, but is not designed to be absolutely
reliable.
- Type (8 bits).
- Code (8 bits).
- Checksum (16 bits).
- Optional Data.
|
|
56
|
|
|
57
|
- The IP datagram carrying the TCP segment is packaged into a frame.
- The frame is placed on the local network.
- An intermediary router, forwarding onto a link with a smaller maximum
transmission unit, fragments the datagram into three fragments.
- The three fragments are received by the destination computer.
- The destination computer reassembles the three fragments using the
Identification, Flags (More Fragments) and Fragment Offset fields in
the IP header; TCP never sees the fragments, only the reassembled
segment.
|
|
58
|
- The UDP and TCP protocols are used at the Transport layer of the
four-layer DARPA communications model.
- Understanding the header information for the Transport layer protocols
and how each initiates communications will help you understand how
hackers and crackers take advantage of that information to compromise
your C-I-A triad.
- When one computer communicates with another, applications must be
running on both computers to send and receive the data.
- The UDP and TCP protocols provide a procedure that the applications use
to accomplish this communication.
- Two pieces of information that let computers communicate are the IP
address and the port number.
- The destination IP address identifies the destination computer, and
the destination port number identifies the application that will
receive the information.
|
|
59
|
|
|
60
|
- SYN segment. This is the first segment of the three-way handshake.
- The information sent by computer1 includes source and destination port,
starting sequence number, the receive buffer size, maximum TCP segment
size, and the supported TCP options.
- SYN-ACK segment. This segment is the reply that computer2 returns to
computer1.
- The information sent includes source and destination port, starting
sequence number, acknowledgment number, receive buffer size, maximum
TCP segment size, and an acknowledgment that computer2 supports the
options that computer1 sends. When computer2 sends this message, it
reserves resources to support this connection.
- ACK segment. This segment is sent by computer1 to establish the final
TCP connection parameters that will be used between the two computers.
- The information sent includes the source and destination ports,
sequence number, acknowledgment number, ACK flags, and window size.
|
|
61
|
- Media Access Control (MAC) address spoofing. The header contains the MAC
address of the source and destination computers and is required to
successfully send a directed message from a source computer to a
destination computer. Attackers can easily spoof the MAC address of
another computer. Any security mechanism based on MAC addresses is
vulnerable to this type of attack.
- Denial of service (DoS). A DoS attack overloads a single system so that
it cannot provide the service it is configured to provide. An ARP
protocol attack could be launched against a computer to overwhelm it,
which would make it unavailable to support the C-I-A triad.
- ARP cache poisoning. The ARP cache stores, in memory, the MAC addresses
of computers on the local network that have been contacted recently.
ARP has no authentication, so if incorrect, or spoofed, entries are
added to the cache (for instance, by unsolicited ARP replies claiming
the gateway's IP address), the computer sends its traffic to the
attacker's MAC address instead of the correct destination. The attacker
can then drop the traffic (denial of service) or forward it after
reading or modifying it (man-in-the-middle).
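To make the frame header described under the Network Interface layer and the ARP poisoning attack above concrete, here is an added example (written for this page; not code from the book or the course) that decodes an Ethernet II frame and an ARP reply and flags the two things a poisoning tool changes: a claimed IP address whose MAC differs from the one first learned, and a frame whose Ethernet source does not match the ARP sender MAC. The frames, MAC and IP addresses are constructed inline.

```python
"""Ethernet II / ARP decoding and an ARP cache poisoning detector.

Added example for this course page; it is not code from the slides or
the book. Frames are constructed inline with made-up MAC and IP values.
"""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

Ether = namedtuple("Ether", "dst src ethertype payload")
Arp = namedtuple("Arp", "op sender_mac sender_ip target_mac target_ip")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_ethernet(frame):
    """Decode the 14-byte Ethernet II header (dst MAC, src MAC, EtherType).

    The 7-byte preamble and the 10101011 start-frame delimiter on the
    slide are consumed by the NIC; software sees the frame from the
    destination MAC onward.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return Ether(mac_str(dst), mac_str(src), ethertype, frame[14:])


def parse_arp(payload):
    """Decode an ARP packet for IPv4 over Ethernet (hlen=6, plen=4)."""
    if len(payload) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", payload[8:28])
    return Arp(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Build a frame carrying an ARP reply (constructed test data).

    eth_src lets the Ethernet source differ from the ARP sender MAC,
    which is how a careless spoofing tool gives itself away.
    """
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(o) for o in s.split("."))

    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    eth = struct.pack("!6s6sH", mac(target_mac), mac(eth_src or sender_mac), ETHERTYPE_ARP)
    return eth + arp


class ArpMonitor:
    """Learn IP->MAC bindings from ARP replies and flag anything that changes them.

    A poisoning attack answers for the gateway's IP with the attacker's MAC,
    so the binding for that IP flips. A static ARP entry is the host-side
    defence; this monitor is the detection-side equivalent.
    """

    def __init__(self):
        self.table = {}   # ip -> first MAC seen claiming it

    def process(self, frame):
        """Return an alert string for a suspicious reply, or None."""
        eth = parse_ethernet(frame)
        if eth.ethertype != ETHERTYPE_ARP:
            return None
        arp = parse_arp(eth.payload)
        if arp.op != ARP_REPLY:
            return None
        alerts = []
        if arp.sender_mac != eth.src:
            alerts.append(f"ARP sender {arp.sender_mac} != frame source {eth.src}")
        known = self.table.setdefault(arp.sender_ip, arp.sender_mac)
        if known != arp.sender_mac:
            alerts.append(f"{arp.sender_ip} changed from {known} to {arp.sender_mac}")
        return "; ".join(alerts) or None
```

On a real network the first binding seen is not guaranteed to be the honest one, so a production monitor seeds its table from a known-good list (DHCP leases or switch port tables) rather than trusting the first reply it happens to capture.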
|
|
62
|
- IP address spoofing. If the IP header fields and lengths are known, the
IP address in the IP datagram can be easily discovered and spoofed. Any
security mechanism based on the source IP address is vulnerable to this
attack.
- Man-in-the-middle attacks. This attack occurs when a hacker places
himself or herself between the source and destination computer in such a
way that neither notices his or her existence. Meanwhile, the attacker
can modify packets or simply view their contents.
- DoS. With a DoS attack at this level, simple IP-level protocols and
utilities can be exploited to overload a computer, thus breaking the
C-I-A triad.
- Incorrect reassembly of fragmented datagrams. For fragmented datagrams,
the Fragment Offset field tells the receiver where each fragment's data
belongs during reassembly. If an attacker crafts overlapping or
out-of-range offsets, the datagram is reformed incorrectly. A later
fragment could overwrite part of a first fragment that a firewall has
already inspected and allowed, letting a datagram that would normally
not pass the firewall reach your internal network, or a malformed set
of fragments could crash the host doing the reassembly; either disrupts
the C-I-A triad.
- Corrupting packets. Because IP datagrams can pass through several
computers between the source and destination, the information in the IP
header fields is read and sometimes modified, such as when the
information reaches a router. If the packet is intercepted, the
information in the header can be modified, corrupting the IP datagram.
This could cause the datagram to never reach the destination computer,
or it could change the protocols and payload information in the
datagram.
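The IP header fields listed earlier, the fragmentation sequence on the slide before it, and the reassembly and packet-corruption attacks above are all visible in a small amount of code. The following is an added example written for this page (not code from the book or the course): it builds IPv4 datagrams, verifies the header checksum, fragments a payload the way a router facing a smaller MTU would, and reassembles fragments while refusing the two malformed cases a robust stack must reject, overlapping fragments and fragments that would push the datagram past 65535 bytes. Addresses and payloads are constructed.

```python
"""IPv4 header decoding, checksum check, fragmentation and safe reassembly.

Added example for this course page, not code from the slides or the
book. Datagrams are built inline; addresses are documentation ranges.
"""
import struct
from collections import defaultdict

IP_MF = 0x1            # "more fragments" flag bit
MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_checksum(hdr):
    """RFC 791 one's-complement sum over the header, as 16-bit words."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, payload, frag_offset=0, mf=False, ttl=64):
    """Build a datagram with a 20-byte header (no options) and a correct checksum."""
    if frag_offset % 8:
        raise ValueError("fragment offsets are in 8-byte units")
    flags_frag = ((IP_MF if mf else 0) << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(data):
    """Decode the fields listed on the slide; reject lengths that lie."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    (vihl, tos, total, ident, ff, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > total or total > len(data):
        raise ValueError("bad version or inconsistent header/total length")
    return {
        "ihl": ihl, "tos": tos, "total_length": total, "ident": ident,
        "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
        "offset": (ff & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
        # A valid header sums to 0xFFFF, so the complement of the sum is zero.
        "checksum_ok": ip_checksum(data[:ihl]) == 0,
        "src": ip_str(src), "dst": ip_str(dst),
        "options": data[20:ihl], "payload": data[ihl:total],
    }


def fragment(src, dst, proto, ident, payload, mtu):
    """Split as a router would: each piece carries a multiple of 8 payload bytes."""
    max_data = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frags.append(build_ipv4(src, dst, proto, ident, chunk, off, more))
    return frags


class Reassembler:
    """Reassemble fragments keyed by (src, dst, id, proto), refusing overlaps.

    Overlapping or oversize fragments are the malformed input behind the
    reassembly attacks on the slide, so they are rejected, not merged.
    """

    def __init__(self):
        self.pending = defaultdict(list)   # key -> [(offset, mf, payload)]

    def add(self, raw):
        """Feed one fragment; return the full payload once complete, else None."""
        h = parse_ipv4(raw)
        if not h["checksum_ok"]:
            raise ValueError("header checksum mismatch")
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        start, end = h["offset"], h["offset"] + len(h["payload"])
        if end + 20 > MAX_DATAGRAM:
            self.pending.pop(key, None)
            raise ValueError("fragment extends past maximum datagram size")
        held = self.pending[key]
        for off, _, chunk in held:
            if start < off + len(chunk) and off < end:
                self.pending.pop(key, None)
                raise ValueError(f"overlapping fragment at offset {start}")
        held.append((start, h["mf"], h["payload"]))
        held.sort(key=lambda f: f[0])
        if held[-1][1]:              # highest fragment still says MF: tail missing
            return None
        expected = 0
        for off, _, chunk in held:   # any hole means we are still waiting
            if off != expected:
                return None
            expected += len(chunk)
        del self.pending[key]
        return b"".join(chunk for _, _, chunk in held)
```

A real stack also times out incomplete groups so an attacker cannot pin memory with fragments that never complete; that timer is omitted here to keep the reassembly logic readable.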
|
|
63
|
- Manipulation of the UDP or TCP ports. By knowing the UDP and TCP header
fields and lengths, the ports that are used for communications between a
source and destination computer can be identified, and that information
can be corrupted or exploited.
- DoS. With a DoS attack at this level, the transport protocols' own
connection handling can be abused to exhaust a computer's resources,
thus breaking the C-I-A triad. For instance, knowing the steps of the
three-way TCP handshake, a hacker or cracker can start it and
deliberately never finish it. An example of this is a SYN flood: the
attacker sends a large number of SYN segments, usually from spoofed
source addresses, and never sends the final ACK, leaving each session
half open. The server holds half-open sessions for a prescribed amount
of time. If the attacker keeps the backlog of half-open sessions full,
legitimate connection attempts are dropped and the service is
unavailable.
- Session hijacking. This kind of attack occurs after a source and
destination computer have established a communications link. A third
computer disables the ability of one the computers to communicate, and
then imitates that computer. Because the connection has already been
established, the third computer can disrupt your C-I-A triad.
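The handshake on the earlier slide and the SYN flood above can be simulated without touching the network. The following is an added example written for this page (not code from the book or the course): a toy listener keeps the same per-connection state a server reserves when it answers a SYN, checks the final ACK against its own initial sequence number, and expires half-open entries after a timeout. Running a flood of spoofed SYNs against it shows why a legitimate client's SYN is lost once the backlog is full, and why the entries eventually time out. Sequence numbers, addresses and the backlog size are constructed.

```python
"""The three-way handshake and SYN backlog exhaustion, simulated.

Added example for this course page, not code from the slides or the
book. Nothing is sent on the wire: a toy listener keeps the per-connection
state a server holds while a handshake is half open, so the effect of a
SYN flood on its backlog can be watched directly.
"""
import random

SYN, ACK = 0x02, 0x10
MASK = 0xFFFFFFFF        # sequence numbers are 32-bit and wrap


class Listener:
    def __init__(self, backlog, syn_recv_timeout=30):
        self.backlog = backlog                 # max half-open entries
        self.timeout = syn_recv_timeout        # seconds a half-open entry lives
        self.now = 0
        self.half_open = {}     # (ip, port) -> (our_isn, peer_isn, created_at)
        self.established = {}   # (ip, port) -> (our_isn, peer_isn)

    def tick(self, seconds):
        """Advance the clock and expire stale half-open entries; return how many."""
        self.now += seconds
        stale = [k for k, (_, _, t) in self.half_open.items()
                 if self.now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def segment(self, src, flags, seq, ack=0):
        """Handle one inbound segment; return (action, our_seq, our_ack)."""
        if flags == SYN:
            if len(self.half_open) >= self.backlog:
                return ("DROP", None, None)     # backlog full: the SYN is lost
            isn = random.getrandbits(32)
            self.half_open[src] = (isn, seq, self.now)   # resources reserved here
            return ("SYN-ACK", isn, (seq + 1) & MASK)
        if flags == ACK and src in self.half_open:
            isn, peer_isn, _ = self.half_open[src]
            if ack != ((isn + 1) & MASK) or seq != ((peer_isn + 1) & MASK):
                return ("RST", None, None)      # does not acknowledge our ISN
            del self.half_open[src]
            self.established[src] = (isn, peer_isn)
            return ("ESTABLISHED", None, None)
        return ("IGNORE", None, None)


def handshake(listener, src, client_isn):
    """Complete a legitimate handshake; True if the connection is established."""
    action, server_isn, ack_for_us = listener.segment(src, SYN, client_isn)
    if action != "SYN-ACK":
        return False
    action, _, _ = listener.segment(src, ACK, ack_for_us, (server_isn + 1) & MASK)
    return action == "ESTABLISHED"


def syn_flood(listener, count):
    """Send SYNs from distinct (spoofed) sources and never answer the SYN-ACK."""
    accepted = 0
    for i in range(count):
        src = (f"198.51.100.{i % 254 + 1}", 1024 + i)
        if listener.segment(src, SYN, random.getrandbits(32))[0] == "SYN-ACK":
            accepted += 1
    return accepted
```

The mitigation real stacks use, SYN cookies, removes the state reserved on the SYN altogether by encoding it in the server's initial sequence number and recovering it from the final ACK, which is exactly the value the listener above checks.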
|
|
64
|
- E-mail application exploits. Attachments can be added to e-mail messages
and delivered to a user's inbox. The user can open the e-mail message
and run the application. The attachment might do immediate damage, or
might lie dormant and be used later. Similarly, hackers often embed
malicious code in Hypertext Markup Language (HTML) formatted messages.
Exploits of this nature might take advantage of vulnerability in the
client's e-mail application or a lack of user knowledge about e-mail
security concerns.
- Web browser exploits. When a client computer uses a Web browser to
connect to a Web server and download a Web page, the content of the Web
page can be active. That is, the content is not just static information,
but can be executable code. If the code is malicious, it can be used to
disrupt the C-I-A triad.
- FTP client exploits. File Transfer Protocol (FTP) is used to transfer
files from one computer to another. When a client has to provide a user
name and password for authentication, that information can be sent
across the Internet using plain text. The information can be captured at
any point along the way. If the client uses the same user name and
password as they use to attach to your corporate servers, that
information could be obtained by a hacker or cracker and used to access
your company's information.
- Chapter 3
- Certificate Basics
- Confidentiality. Confidential means private or secret. Confidentiality
ensures that only authorized personnel access information. One way to
provide confidentiality is to encrypt data.
- Integrity. Integrity means having an unimpaired condition. Integrity
ensures that information is accessed and modified only by those people
who are authorized.
- Nonrepudiation. Repudiate means to reject as unauthorized or nonbinding.
Nonrepudiation prevents an individual or process from denying performing
a task or sending data.
- Identification and authentication. Access control allows access only to
those who should have it. This is accomplished through identification
and authentication, which ensures that when data is received or
accessed, the sender is authorized.
- A hash of data can be compared to a person's fingerprint. The
fingerprint is unique to the person and of a relatively fixed size, but
it is not nearly as large as the entire person. A hash is a unique
identifier that is virtually impossible to reproduce from different
data, and it is derived from all of the data it represents. Some of the
characteristics of MD4, MD5, and SHA-1 are as follows:
- MD4. Produces a 128-bit message digest (hash), very fast, appropriate
for medium security usage.
- MD5. Produces a 128-bit message digest (hash), fast (not as fast as
MD4), more secure than MD4, and widely used.
- SHA-1. Produces a 160-bit message digest (hash), standard for the U.S.
government, but slower than MD5.
- There are advantages and disadvantages to using symmetric keys. Some of
the advantages are as follows:
- Speed. The algorithms used with symmetric encryption are relatively
fast, so they impact system performance less and are good for
encrypting large amounts of data (for instance, data on a hard disk or
data being transmitted across a remote access link).
- Strength. Symmetric ciphertext is difficult to decipher without the
correct key; therefore symmetric algorithms are not easy to break.
Well-tested symmetric algorithms such as 3DES and AES are nearly
impossible to decipher without the correct key. Also, a technique can be
used in which encrypted data is encrypted a second or even third time.
This way, if someone does break one layer of the encryption, he or she
will have access only to more encrypted information.
- Some of the disadvantages of using symmetric keys are as follows:
- Poor key distribution mechanism. There is no easy way to securely
distribute a shared secret; therefore wide-scale deployment of
symmetric keys is difficult.
- Single key. There is a single key (single shared secret); therefore if
the secret is compromised, the impact is widespread. Because there is a
single key that can be shared with some or many, symmetric keys are not
suited to provide integrity, authentication, or nonrepudiation.
- DES. 56-bit key, U.S. Government standard until 1998, but not considered
strong enough for today's standards, relatively slow.
- Triple DES. Performs three DES operations, the equivalent of a 168-bit
key, more secure than DES, widely used, relatively slow.
- AES. Variable key lengths, latest standard for U.S. Government use,
replacing DES.
- IDEA. 128-bit key, requires licensing for commercial use.
- Blowfish. Variable key length, free algorithm, extremely fast.
- RC4. Variable key length, stream cipher, effectively in public domain.
- Asymmetric algorithms use different keys to encrypt and decrypt data:
- Public key. Provided to everyone who needs to send you encrypted data.
- Private key. This is the key that only you possess. When a plaintext
message is encrypted using the public key, only the person with the
private key can decrypt the ciphertext. When a plaintext message is
encrypted using the private key, it can be decrypted by everyone who
possesses the public key, and that person can be certain the plaintext
message originated with the person who possesses the private key.
- Some of the advantages are as follows:
- Provide a secure way to communicate with an individual. Because there
is a public key and a private key, the public key can be provided to
anyone whom you want to be able to send you encrypted information, but
only you can decrypt that information. This helps ensure data
confidentiality.
- Provide a method to validate an individual. You can use a private key
to create a digital signature, which can be used to verify that you
are who you claim to be. This helps provide an authentication method
and nonrepudiation. Digital signatures are explained in Lesson 2 of
this chapter.
- Some of the disadvantages of using asymmetric keys include the
following:
- Asymmetric encryption is relatively slow. Asymmetric algorithms are
generally slower than symmetric algorithms due to the increased
computational complexity required to encrypt and decrypt data;
therefore it is not suited to provide confidentiality for large
amounts of data.
- RSA. Variable-length key, de facto standard for public key encryption.
- Diffie-Hellman. Variable-length key, used to securely establish a shared
secret.
- Elliptic curve cryptography. Variable-length key, currently too slow for
widespread implementation.
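The Diffie-Hellman agreement listed above is the usual answer to the "poor key distribution" disadvantage of symmetric keys: two parties derive the same secret while an eavesdropper sees only the public values. The following is an added example, not code from the course; the modulus is the Mersenne prime 2**521 - 1, chosen only because it is a known prime of convenient size, and a real deployment would use a standardized group instead.

```python
"""Diffie-Hellman key agreement over an open channel.

Added illustration, not from the course slides. P is a known prime
(2**521 - 1) used as a toy parameter; it is not a standardized DH group
and G is not chosen to be a generator of a large prime-order subgroup.
"""
import hashlib
import secrets

P = 2**521 - 1      # demo modulus (known prime; not a standard DH group)
G = 5               # demo base


class Party:
    """One side of the exchange. The private exponent never leaves the object."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._private = secrets.randbelow(P - 2) + 1   # 1 <= x <= P-2
        self.public = pow(G, self._private, P)         # sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        # A peer value of 0, 1 or P-1 would collapse the secret to a constant
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._private, P)


def derive_key(shared_secret: int) -> bytes:
    """Hash the agreed integer into a fixed-size symmetric key."""
    raw = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()


def run_exchange() -> tuple:
    """Alice and Bob each compute the key from the other's public value."""
    alice, bob = Party("Alice"), Party("Bob")
    key_a = derive_key(alice.shared_secret(bob.public))
    key_b = derive_key(bob.shared_secret(alice.public))
    return key_a, key_b


def accepts_peer_value(value: int) -> bool:
    """True if a Party would accept value as a peer's public number."""
    try:
        Party("probe").shared_secret(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("keys match:", ka == kb, "key prefix:", ka.hex()[:16])
```

The exchange authenticates nobody: an attacker who can sit between the two parties (compare the session hijacking item earlier in this chapter) can run a separate exchange with each side. In practice the public values are signed with a certificate-backed key, which is what the PKI material later in this chapter provides.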
- For algorithms to be widely used and supported, protocols and standards
are created and are maintained by various governing bodies.
- The National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA) make current information on cryptographic
standards and specifications available.
- The NIST provides measurements and standards for U.S. industries and
creates Federal Information Processing Standards (FIPS) that detail
computer security.
- The Internet Engineering Task Force (IETF) documents how cryptographic
mechanisms are implemented with current communications protocols.
- Cryptography is encrypting and decrypting data to provide information
security.
- The four goals of cryptography are to provide data confidentiality, data
integrity, identification and authentication, and nonrepudiation.
- A key is a set of instructions that govern ciphering or deciphering
messages.
- A secure hash function is a one-way mathematical function that creates a
fixed-sized representation of data.
- A symmetric key is a single key used for encrypting and decrypting data,
and everyone that is allowed to encrypt and decrypt the data has a copy
of the key.
- An asymmetric key pair is made up of two keys that form a key pair; one
key is used to encrypt data, and the other key is used to decrypt data.
- A public key is provided to many people and is used to validate that a
message came from the private key holder or to encrypt data to send to
the private key holder.
- A private key is a secret key that only the private key holder has. It
is used to decrypt information encrypted with the public key, and also
to create a digital signature.
- You provide information confidentiality by using symmetric algorithms.
- Because symmetric key encryption relies on a shared secret, everyone
that needs access to a particular file need only have a copy of the
encryption key that was used for encryption.
- Symmetric encryption is also a relatively fast encryption method, so it
is suited for encrypting large amounts of data, such as files on a
computer.
- Distributing the symmetric key to the users who need access
- Securing the symmetric key against loss, theft, or distribution to
unauthorized people
- Maintaining a list of people authorized to use the symmetric key and
retrieving the key from people and computers no longer authorized to
access the data
- Replacing the symmetric key in the event that it is compromised
- Communications integrity with secure hash functions.
- When secure hash functions are used to create a message digest, the
message digest can be saved and later compared to another message
digest from the same data to ensure the data has not been tampered
with. For instance, if you run a hash function on a file and then a
few weeks later rerun the hash function and the two message digests do
not match, the file has been modified.
- Encrypted data integrity with keyed hash functions.
- Keyed hash functions provide data integrity. When data is hashed, a
key is used in the hashing algorithm. The recipient must use this key
to validate the message. The hash value produced with the keyed
hashing algorithm is called a message authentication code (MAC). The
key operates much like a symmetric key in that it becomes a shared
secret. This key is sometimes referred to as a magic number. When
using this type of algorithm, the receiving application must also
possess the session key to recompute the hash value so it can verify
that the base data has not changed. This provides a mechanism to
ensure that the encrypted data has not been tampered with.
- Communications integrity using an asymmetric algorithm.
- Asymmetric algorithms can provide integrity by being combined with
hash functions to produce digital signatures. You create a digital
signature by creating a message digest of a plaintext message using a
hash algorithm. You then encrypt the hash value with your private key.
The receiver decrypts the encrypted hash value using your public key
and then generates a hash of the message. If the decrypted hash value
from you matches the hash value the receiver generates, the message
could only have originated from you and could not have been tampered
with in transit.
- Authentication with asymmetric algorithms.
- Asymmetric algorithms can provide authentication using a
challenge-response protocol.
- When you want to access a system, the system sends a random number
(called a nonce) that you encrypt with your private key.
- The system then verifies your credentials by decrypting the encrypted
nonce using your public key.
- This type of authentication is ideally suited for use with remote
access and physical access to restricted areas, such as the room where
your servers are located.
- Authenticating users with symmetric algorithms.
- Symmetric algorithms can authenticate users.
- When you want to access a system, the system sends a nonce that you use
as the key to use a symmetric algorithm to encrypt your password.
- The system then uses the nonce to decrypt your password. You are
successfully validated if the decrypted password matches the password
the system has for you.
- Nonrepudiation using public key asymmetric algorithms.
- There are two keys (a public key and a private key), and only you
possess your private key.
- The private key can be used to create a digital signature, and anyone
with a copy of your public key can verify that the message is from you
and has not been altered.
- This also provides proof that you sent the message.
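The three preceding slides (integrity with plain and keyed hashes and with digital signatures, challenge-response authentication, and nonrepudiation) all reduce to a handful of operations. The block below is an added example, not the course's code: a stored digest for file integrity, an HMAC as the message authentication code, and a digital signature plus nonce challenge-response built from textbook RSA. The RSA keypair uses two Mersenne primes (2**89 - 1 and 2**107 - 1) so that it runs with the standard library alone; SHA-1 is used for the signed digest only because its 160 bits fit under the small modulus. Signing a raw digest this way matches the slides' description ("encrypt the hash with your private key") but is not how production signatures are built; real systems use a padded scheme from a vetted library.

```python
"""Integrity, authentication and nonrepudiation primitives.

Added illustration, not from the course slides. The RSA parameters are a
deliberately small demo keypair (~196-bit modulus) built from known
Mersenne primes; textbook RSA on a raw digest is shown to mirror the
slides' wording and is not a production signature scheme.
"""
import hashlib
import hmac
import secrets

# --- Communications integrity with a secure hash ---------------------------
def file_digest(data: bytes) -> str:
    """Message digest that can be stored now and recomputed later."""
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, stored_digest: str) -> bool:
    """True if data still hashes to the digest recorded earlier."""
    return hmac.compare_digest(file_digest(data), stored_digest)


# --- Keyed hash: message authentication code (MAC) -------------------------
def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC over the message with a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(make_mac(key, message), tag)


# --- Digital signature with textbook RSA (demo parameters) -----------------
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q                             # public modulus
E = 65537                             # public exponent (coprime to phi)
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent


def _digest_int(message: bytes) -> int:
    # SHA-1 is 160 bits, so the digest is always smaller than N
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_exp: int = D) -> int:
    """'Encrypt' the message hash with the private key."""
    return pow(_digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """'Decrypt' with the public key and compare to a freshly computed hash."""
    return pow(signature, public_exp, N) == _digest_int(message)


# --- Challenge-response authentication with the same keypair ---------------
def issue_challenge() -> bytes:
    """The system's random nonce; must be fresh for every attempt."""
    return secrets.token_bytes(16)


def respond(nonce: bytes) -> int:
    """The client proves possession of the private key."""
    return sign(nonce)


def check_response(nonce: bytes, response: int) -> bool:
    """The system verifies the response with the client's public key."""
    return verify(nonce, response)
```

A fresh nonce per attempt is what stops a captured response from being replayed, and a valid signature is also the nonrepudiation evidence from the last slide: only the holder of `D` could have produced it.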
- The PKI provides a framework of services, technologies, protocols, and
standards that enable you to deploy and manage a strong and scalable
information security system. With the PKI in place, companies can
conduct business electronically and be assured of the following:
- The person or process sending a transaction is the actual originator.
- The person or process receiving a transaction is the actual receiver.
- The integrity of the data has not been compromised.
- Digital certificates. An electronic credential used to authenticate
users.
- Certification Authority (CA). A computer that issues digital
certificates, maintains a list of invalid certificates, and maintains a
list of invalid CAs.
- Registration authority (RA). An entity that is designed to verify
certificate contents for a CA.
- Key and certification management tools. Tools for auditing and
administering digital certificates.
- Certificate publication point. A location where certificates are stored
and published.
- Public key-enabled applications and services. Applications and services
that support using certificates.
- Certificates are a digital representation of information that identifies
you and are issued by CAs, which are often a trusted third party (TTP). A
TTP is an entity trusted by other entities with respect to
security-related services and activities.
- Secure mail. Configure the Secure Multipurpose Internet Mail Extensions
(S/MIME) protocol to ensure the integrity, origin, and confidentiality
of e-mail messages.
- Secure Web communications. Use certificates with Secure Sockets Layer
(SSL) or TLS protocols for authenticating and encrypting communications
between servers and clients.
- Secure Web sites. Use certificates to authenticate access to secure Web
sites.
- Custom security solutions. Use certificates to provide confidentiality,
integrity, authentication, and nonrepudiation for custom applications.
- Smart card logon process. Use certificates to authenticate users with
smart card devices attached to their computers.
- A CA is a computer that is recognized as an authority trusted by one or
more users or processes to issue and manage X.509 public key
certificates, a revocation list of CAs that are no longer valid, and a
revocation list of certificates that have been revoked.
- Each CA creates and maintains a list of the certificates that it has
issued, as well as a list of certificates that have been revoked. A CA
can revoke a certificate for many reasons, for example:
- When the certificate owner's private key is lost
- When the owner leaves the company he or she works for
- When the owner changes names
- A CA must also maintain a list of CAs that are no longer valid. A
certificate revocation list (CRL) is a signed, time-stamped list of the
serial numbers of CA public key certificates that have been revoked. The
CRL is necessary to allow CAs to accept and reject certificates that were
issued by a different CA.
- Physical sabotage; equipment destruction
- Packet sniffing; eavesdropping
- Network mapping and port scanning to identify targets for attack
- Reconfiguration or disabling of connectivity or security devices
- Use of your network devices to launch an attack on another network
- Use of your network devices to host unauthorized, illegal, or
destructive services
- Erasing data
- Hire security guards.
- Install sensors, alarms, and closed-circuit TV cameras and monitoring
equipment.
- Use physical access badges and security cards.
- Install backup electrical power.
- Bury network cables (or enclose them in walls).
- Lock wiring closets and server rooms.
- Encase equipment in protective housings.
- Use tamper-proof seals on equipment casing.
- Install fences and parking lot gates.
- Maintain fire-extinguishing and detection systems appropriate for your
equipment and facility.
- Ensure your facilities meet appropriate construction standards.
- Equipment configuration is another area in which your network
infrastructure might be vulnerable to an attack.
- Attacks on device configuration can be physical, such as rerouting
cables in a wiring closet, or logical, such as changing the routing
table of a router.
- Physical security is required to protect equipment from physical
configuration attacks.
- Logical security is required to secure your network infrastructure from
attacks on device configuration that can take place remotely.
- For example, routers and switches maintain logical routing or switching
tables, which allow them to correctly transfer network packets to their
proper destination. An attacker might try to modify or corrupt those
tables to redirect or stop normal network communication. To protect
your routers, switches, and central servers, you can assign complex
passwords to management consoles to help prevent someone from gaining
unauthorized administrative access.
- Complex passwords mix uppercase and lowercase letters, digits, and
special characters, and are long enough that they are difficult to guess
or crack with a password-cracking program.
- Secure passwords should be at least six characters in length, which is
defined as a minimum by many operating system vendors and
organizations. However, some are moving to seven or even eight
character password minimums.
- There are several different types and grades of coaxial (coax) cable,
but the same basic structure applies to all of them. All coaxial cable
has a center conductor, an outer conductor, and an outer sheath.
Electrical signals (representing data) travel through the center
conductor.
- Coaxial cable is more difficult to cut than the other types of cable
discussed in this lesson, but a pair of wire cutters can quickly cut
through it nevertheless.
- Cutting coaxial cable isn't necessary to disrupt communications on a
coaxial network.
- A heat or energy source placed near coaxial cabling can also impede
communications. Because coaxial cable is typically used in bus
topologies, a cut wire or severe electromagnetic interference (EMI) or
radio frequency interference (RFI) could bring down the entire network.
- To protect your coaxial network segments from sabotage, you should be
sure to protect the physical cable. Any point along the network is
vulnerable to compromise and sabotage due to the bus nature of a coaxial
network segment.
- Because coaxial networks utilize a bus topology, signals traverse the
entire segment on their way to the destination host. Any connection
along the coaxial network is susceptible to eavesdropping.
- Protect your network cable as much as possible by burying it
underground, placing it inside walls, and protecting it with
tamper-proof containers.
- Document your cable infrastructure.
- Investigate all outages on your coaxial network.
- Physically inspect your cable infrastructure on a routine basis.
- Investigate all undocumented hosts and connections.
- All twisted-pair cables have one or more pairs of wires that are twisted
together inside a cable sheath.
- Twisted-pair networks can also be sabotaged. The cables can be easily
cut with a pair of wire cutters or regular office scissors, or a heat or
energy source could disrupt communications.
- However, twisted-pair networks typically utilize a star configuration,
so the loss of a single cable should not disrupt the entire network,
unless the cable that was cut provided connectivity to the central
server or gateway router.
- You should be sure to protect the physical cables. Protecting central
connectivity devices such as hubs and patch panels is more important
than protecting individual twisted-pair segments.
- Physically attaching a protocol analyzer to a twisted-pair connection
point.
- A protocol analyzer is a device or computer software program that
allows its user to capture and decode network traffic. Other names for
it are data sniffer, network sniffer, or packet sniffer.
- Splicing into the twisted-pair cable.
- Using escaping electromagnetic signals to eavesdrop on signals passing
through the wire.
- Fiber optic cable utilizes a glass or plastic filament that conducts
light pulses to transfer data. Outside of the fiber optic core, there is
a glass cladding, a plastic spacer, protective Kevlar fibers, and then a
protective outer sheath.
- Fiber optic cable is the most secure cable because it cannot be affected
by electromagnetic interference and does not leak electrical signals.
- Of the cable types discussed, fiber optic cable is the most expensive
and most difficult to install.
- Sabotage of a fiber cable is easier than sabotage of any other cable
type.
- Fiber cables can be crushed, bent, snapped, and often inadvertently
damaged.
- Any damage to the fiber cable disrupts the signal between the two
points to which the cable is attached.
- To protect your fiber optic cable from sabotage or the possibility of
eavesdropping, protect the physical cable.
- If there is an outage between two points on the fiber cable, you must
determine why that outage occurred to ensure that it was not due to
sabotage.
- To eavesdrop on a fiber network, an attacker must disrupt the
communications between two hosts. The fiber cable must be cut, the ends
polished, and a fiber optic card inserted between the connection. During
the insertion, the connection between the two hosts is unavailable.
- A power outage could also be used to insert rogue devices. Consider that
an attacker might create a situation to insert a device. After a power
outage, you should ensure that your network cables are still properly
routed and that no rogue devices are present.
- Network cabling is a vulnerable part of your network infrastructure.
- An attacker or spy must have physical access to your cable (or at least
be able to get close to the cable) to exploit or attack your network
cable infrastructure.
- Compromising Hubs
- Hubs are simple to sabotage if the saboteur has physical access to the
device. A hub can be disconnected or destroyed, or simply turned off,
if it is an active hub. When a hub is disabled, the devices attached
to it are unable to communicate.
- Eavesdropping through a hub is also possible. If there is an open hub
port or one of the legitimately connected devices can be disconnected,
an attacker or spy could use the port to gain information or attack
another device on the network. The open or disconnected port could be
used to place a hacking device (or another computer to which the
hacker has full control) to gather information from the network or to
attack other devices.
- Securing Hubs
- Because hubs are physical devices, they should be physically
protected.
- Managed hubs can be used to detect physical configuration changes.
Managed hubs report hub statistics and connection information to
management software.
- Compromising Switches and Bridges
- As previously mentioned, switches and bridges maintain a table that
contains MAC address mappings to each of their connection points. The
table allows the switch or bridge to direct Layer 2 communications to
the correct network segment or port, making it a potential target for
attack. A central switch could also be the target of a saboteur.
Destroying a central switch, disconnecting power, or disconnecting all
of the network cables would disrupt all communications passing through
the device.
- Along the lines of disrupting communication, there are scripts such as
macof that can be used to flood bridges and switches with random MAC
addresses. Assuming the switch or bridge is able to learn new
addresses, such an attack could reduce the performance of the switching
or bridging device and slow network traffic.
- Gaining Administrative Access
- If an attacker can gain administrative access to the switch or bridge,
he or she can reroute network communications. These communications can
be redirected to a host on the network under the control of the
attacker, which could be the attacker's system or a system the attacker
was able to gain control over using some other technique. If the
attacker decides to sabotage communications on the network, he or she
can do so at any time once administrative access is obtained. Of
course, the attacker must gain administrative access to the bridge or
switch first. A skilled attacker can do this by trying default
administrative passwords or running a password attack against the
device. Switches in particular often have a function called port
mirroring, which allows an administrator to map the input and output
from one or more ports on the switch to a single port. This is meant to
help in troubleshooting communication problems on a network. However,
if an attacker is configuring port mirroring, he or she could watch all
network traffic that passes through the switch. The attacker might do
this to gather information about other systems on the network or in
hopes of decoding a password or other valuable information, such as
trade secrets.
- Occasionally, connectivity devices might have software configuration
problems or security vulnerabilities. For example, someone might
discover that a switching table can be updated without any
administrative authorization, meaning anyone could compromise your
switch, if they had access to your network. Vendors usually resolve
problems like these quickly once they are discovered. To protect your
connectivity devices, be sure to keep track of vendor patches and
install them when they are available.
- ARP Cache Poisoning
- Although switches and bridges segment the network, it might be possible
for an attacker to use Address Resolution Protocol (ARP) cache
poisoning (also known as ARP spoofing) to propagate traffic through a
switch.
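Both switch-layer problems on this slide leave traces a defender can watch for: a MAC table flood (such as macof) shows up as one port learning an implausible number of addresses, and ARP cache poisoning shows up as an IP address whose MAC mapping changes. The following is an added example, not the course's code; the MAC-table snapshot and ARP replies are constructed, the port names are hypothetical, and the per-port limit is an assumed value.

```python
"""Detect MAC table flooding and ARP mapping changes from a defender's side.

Added illustration, not from the course slides. MAC_TABLE mimics a switch
MAC address table reduced to (port, mac) pairs; ARP_REPLIES mimics ARP
replies observed on the wire, in order. Both are constructed data.
"""
from collections import defaultdict

# Constructed MAC-table snapshot: a hypothetical port Gi1/0/7 has learned
# 40 random-looking addresses, the signature of a flooding tool.
MAC_TABLE = [
    ("Gi1/0/1", "00:11:22:33:44:01"),
    ("Gi1/0/2", "00:11:22:33:44:02"),
    ("Gi1/0/2", "00:11:22:33:44:03"),   # a small hub on a port is normal
] + [("Gi1/0/7", f"de:ad:be:{i:02x}:{i:02x}:{i:02x}") for i in range(40)]

# Constructed ARP replies (ip, mac) seen over time.
ARP_REPLIES = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),    # gateway
    ("10.0.0.50", "aa:bb:cc:00:00:50"),
    ("10.0.0.1", "aa:bb:cc:00:00:01"),
    ("10.0.0.1", "aa:bb:cc:00:00:99"),    # gateway now claims a new MAC
    ("10.0.0.50", "aa:bb:cc:00:00:50"),
]


def flooded_ports(mac_table, max_macs_per_port: int = 8) -> dict:
    """Map port -> number of distinct MACs for every port over the limit."""
    per_port = defaultdict(set)
    for port, mac in mac_table:
        per_port[port].add(mac.lower())
    return {p: len(m) for p, m in per_port.items() if len(m) > max_macs_per_port}


def arp_changes(arp_replies, static_bindings=None) -> list:
    """Return (ip, expected_mac, observed_mac) for every change in an IP's MAC.

    static_bindings is the manually entered ARP table the slides recommend
    for critical hosts; entries in it are never overwritten. Other hosts
    are bound to the first MAC seen (the arpwatch approach) and then
    follow the latest claim, so a flapping mapping alerts on every flip.
    """
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    known = dict(static)
    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            alerts.append((ip, known[ip], mac))
            if ip not in static:
                known[ip] = mac
    return alerts


if __name__ == "__main__":
    print("flooded ports:", flooded_ports(MAC_TABLE))
    print("ARP changes:", arp_changes(ARP_REPLIES, {"10.0.0.1": "aa:bb:cc:00:00:01"}))
```

On the switch itself the same idea is enforced rather than observed: a per-port limit on learned addresses (port security) caps what a flood can do, and static ARP entries on critical hosts are exactly the `static_bindings` table above.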
- Secure all physical connections on your network segments. Be sure that
no unauthorized connections can be made. Also, limit physical access to
your switch locations and use security personnel and monitoring devices
to ensure connectivity devices are secure.
- Set complex passwords for administrative consoles. Restrict device
administration to as few people as possible from as few locations as
possible. Also, be sure to change administrative passwords routinely and
whenever an administrator leaves the company.
- Manually enter ARP mappings on critical devices, such as central
servers, switches, bridges, and so on. If you manually enter all
necessary MAC addresses, prevent the switch or bridge from learning new
a