Transcript - 30 Bird Media
CompTIA Security+
Exam SY0-401
Copyright © 2016 30 Bird Media LLC
CompTIA Security+
Correctly use fundamental security
terminology, plan an effective risk
management process, and perform
vulnerability assessments
Identify common attacks against security,
including social engineering, malware,
network attacks, and application attacks
How to secure informational assets, including
stored data, host computers, mobile devices,
web applications, and virtual and cloud
systems
Identify core network components,
explain network addressing conventions
and protocols, and recognize common
transport and application layer protocols
Describe firewalls and other network
security components, effectively harden
networks against attack, and use network
monitoring tools
Explain authentication factors and
processes, and describe popular network
authentication protocols
Describe access control models, and apply
account-based security
Understand the core technologies used in
digital cryptography, describe the public
key infrastructure model, and use
transport encryption protocols
Apply organizational security through
developing sound security policies,
effectively training users, and securing the
physical facility
Preparing for disaster by making sound
business continuity plans, using fault
tolerance and backup systems, and
designing an incident response plan
Chapter 1: Security fundamentals
You will learn:
About basic security concepts
How to calculate and manage risks
How to find vulnerabilities
Module A: Security concepts
You will learn:
About the CIA triad
How to distinguish risks, threats, and
vulnerabilities
About security controls
How to distinguish events and incidents
The CIA triad
Risks, threats, and vulnerabilities
Risk: The chance of harm coming to an
asset
Threat: Anything that can cause harm to
an asset
Vulnerability: Any weakness an asset has
against potential threats.
Security standards organizations
CIS – Center for Internet Security
IEEE – Institute of Electrical and Electronics
Engineers
IETF – Internet Engineering Task Force
ISO – International Organization for
Standardization
ISOC – Internet Society
ITU – International Telecommunication Union
NIST – National Institute of Standards and
Technology
NSA – National Security Agency
W3C – World Wide Web Consortium
Alice and Bob
Security controls
Management
– Organizational policies and training
Technical
– Technological solutions
Operational
– Day-to-day employee activities
Physical
– Physical safety and security devices
continued…
Security Controls
Preventive
– Proactive controls which act to prevent loss
Detective
– Monitoring controls that detect and/or record
Corrective
– Follow-up controls used to minimize the harm
caused and prevent recurrence
Deterrent
– Visible controls designed to discourage attack or
intrusion
Confidentiality controls
Least privilege
– Users are given only the permissions they need to perform their
actual duties
Need to know
– Data access is restricted to those who need it
Separation of duties
– Tasks broken into components performed by different people
Access controls
– Access restricted to authorized users
Encryption
– Data made unreadable without proper key
Steganography
– Secret messages concealed inside of ordinary ones
Integrity controls
Hashing
– Digital fingerprints used to detect file alteration
Digital signatures
– Hashing and encryption used to prove a file’s
origin
Backups
– Spare copies of data kept in safe storage
Version control
– Formal preservation and tracking of multiple file
versions
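The "digital fingerprint" idea on the Integrity controls slide, worked through as an added example (not code from the course): a SHA-256 manifest taken while files are known-good, a later check that reports altered, added and missing files, and an HMAC over the manifest so the baseline itself cannot be silently rewritten. The directory, file names and the key are constructed for the demo.

```python
"""Added example: hash-based file integrity checking with a keyed manifest.
All paths, file contents and the HMAC key below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Keyed fingerprint over the canonical JSON form of the manifest. A plain
    hash would let whoever can rewrite the files rewrite the baseline too."""
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_manifest(root, manifest, tag, key):
    """Return (baseline_trusted, altered, added, missing)."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):
        return False, [], [], []   # baseline itself was tampered with: stop here
    current = build_manifest(root)
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return True, altered, added, missing


def demo():
    """Constructed scenario: take a baseline, then alter, add and delete files."""
    key = b"constructed-demo-key-keep-this-secret"
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"app.cfg": b"debug=0\n", "run.sh": b"#!/bin/sh\necho ok\n"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)
        tag = sign_manifest(baseline, key)
        # Changes made after the baseline was taken.
        with open(os.path.join(root, "app.cfg"), "wb") as f:
            f.write(b"debug=1\n")                 # altered
        with open(os.path.join(root, "evil.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")               # added
        os.remove(os.path.join(root, "run.sh"))   # missing
        ok, altered, added, missing = verify_manifest(root, baseline, tag, key)
        # A forged/garbage tag must be rejected before any file is compared.
        forged_ok = verify_manifest(root, baseline, "00" * 32, key)[0]
        return ok, altered, added, missing, forged_ok


if __name__ == "__main__":
    print(demo())
```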
Availability controls
Redundancy
– Multiple or backup systems designed for
immediate or quick recovery
Fault tolerance
– Systems that continue functioning after
components fail
Patch management
– Application of software updates with minimal
service disruption
Defense in depth
Events and incidents
True positive
– Problem occurred and was detected
True negative
– No problem, and no alert
False positive
– Alert triggered by benign event
False negative
– Real problem went undetected
Assessment: Security concepts
Someone put malware on your computer
that records all of your keystrokes. What
aspect of security was primarily attacked?
A. Confidentiality
B. Integrity
C. Availability
A keylogger compromises confidentiality by
transmitting user input to an attacker.
Assessment: Security concepts
What type of control would a security
assessment procedure be?
A. Management
B. Operational
C. Physical
D. Technical
Functional activities by employees are
operational controls.
Assessment: Security concepts
Malware is a common example of a threat
vector. True or false?
A. True
B. False
True. The vector is the means by which an
attack is made. In this case, the threat itself
would be the damage the malware does.
Assessment: Security concepts
Which controls primarily protect data integrity?
Choose all that apply.
A. Backups
B. Encryption
C. Fault tolerance
D. Hashing
E. Need to know
Backups and hashing are both primarily integrity
controls.
Assessment: Security concepts
A security program alerts you of a failed logon
attempt to a secure system. On investigation, you
learn the system's normal user accidentally had
caps lock turned on. What kind of alert was it?
A. True positive
B. True negative
C. False positive
D. False negative
It was a false positive, since you were alerted of a
potential incident but there was no real threat.
Module B: Risk management
You will learn:
How to identify assets and threats
How to calculate risk
How to manage risk
Risk assessments
1. Identify assets
2. Conduct threat assessment
3. Conduct business impact analysis
4. Calculate threat probability
5. Prioritize risks based on probability and impact
6. Create a risk mitigation strategy
Threat assessments
Environmental accident
Natural disaster
Equipment failure
Human error
Malicious outsider
Malicious insider
Impact analysis
Replacement cost
Opportunity loss
Production loss
Reputation
Legal consequences
Threat probability
MTTF – Mean time to failure
– Used for non-serviceable components
MTTR – Mean time to repair
MTBF – Mean time between failures
– Used for serviceable components
Risk assessment
Quantitative:
– Single loss expectancy
– Annual rate of occurrence
– Annual loss expectancy = SLE × ARO
Qualitative:
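The numbers on the Threat probability and Risk assessment slides carried through in code, as an added example that is not part of the course material: ARO for an equipment-failure threat is derived from the MTBF rating, ALE = SLE × ARO, expected yearly downtime is ARO × MTTR, and a mitigation decision compares residual ALE against the control's cost. The A/C unit ratings, the $10,000 SLE and the $3,000 maintenance contract are constructed figures.

```python
"""Added example: quantitative risk figures (MTBF/MTTR, SLE, ARO, ALE) in code.
All ratings and dollar amounts are constructed for the demo."""

HOURS_PER_YEAR = 8760.0  # assumes the component runs 24x7


def aro_from_mtbf(mtbf_hours):
    """Annual rate of occurrence for an equipment-failure threat, from the MTBF rating."""
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    return HOURS_PER_YEAR / mtbf_hours


def ale(sle, aro):
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def expected_annual_downtime(mtbf_hours, mttr_hours):
    """Hours per year without the component: failures per year x hours per repair."""
    return aro_from_mtbf(mtbf_hours) * mttr_hours


def rank_units(units):
    """Order candidate units by least expected downtime. units: (name, MTBF h, MTTR h)."""
    return [name for name, mtbf, mttr in
            sorted(units, key=lambda u: expected_annual_downtime(u[1], u[2]))]


def evaluate_control(sle, aro_before, aro_after, annual_control_cost):
    """Mitigation decision: residual ALE after the control, and the net annual benefit
    (positive means the control pays for itself on expected-loss grounds)."""
    before = ale(sle, aro_before)
    residual = ale(sle, aro_after)
    return {"ale_before": before, "residual_ale": residual,
            "net_benefit": before - residual - annual_control_cost}


# Constructed manufacturer ratings for four candidate A/C units (hours).
UNITS = [
    ("A: high MTBF, low MTTR", 43800, 4),
    ("B: high MTBF, high MTTR", 43800, 48),
    ("C: low MTBF, low MTTR", 8760, 4),
    ("D: low MTBF, high MTTR", 8760, 48),
]

if __name__ == "__main__":
    for name, mtbf, mttr in UNITS:
        print(f"{name}: ARO={aro_from_mtbf(mtbf):.2f}/yr, "
              f"downtime={expected_annual_downtime(mtbf, mttr):.1f} h/yr")
    print("Best choice:", rank_units(UNITS)[0])
    # Constructed: each cooling failure costs $10,000; a $3,000/yr maintenance
    # contract drops the failure rate from once a year to once in five years.
    print(evaluate_control(sle=10_000, aro_before=1.0, aro_after=0.2,
                           annual_control_cost=3_000))
```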
Risk management
Avoidance
– Avoiding risky activities
Transference
– Sharing risk with others
Mitigation
– Applying security controls to reduce risk
Deterrence
– Applying visible controls to discourage others
Acceptance
– Choosing not to act on risk
Residual risk
– Remaining risk after management strategy
Mitigation techniques
Technology controls
Policies and procedures
Routine audits
Incident management
Change management
Assessment: Risk management
Order the steps of a complete risk assessment
A. Analyze business impact
B. Conduct a threat assessment
C. Create a mitigation strategy
D. Evaluate threat probability
E. Identify assets at risk
F. Prioritize risks
The correct order is E, B, A, D, F, C.
Assessment: Risk management
Qualitative risk assessment is generally best
suited for tangible assets. True or false?
A. True
B. False
Quantitative risk assessments deal in
financial impact or other verifiable numbers.
Assessment: Risk management
You're shopping for a new A/C unit for your server
room, and are comparing manufacturer ratings.
Which combination will minimize the time you'll
have to go without sufficient cooling?
A. High MTBF and high MTTR
B. High MTBF and low MTTR
C. Low MTBF and high MTTR
D. Low MTBF and low MTTR
High MTBF means the unit will seldom fail, and low
MTTR means it will take less time to repair.
Assessment: Risk management
Your company has long maintained an email server, but
it's insecure and unreliable. You're considering just
outsourcing email to an external company who provides
secure cloud-based email services. What risk
management strategy are you employing?
A. Risk acceptance
B. Risk avoidance
C. Risk deterrence
D. Risk mitigation
E. Risk transference
You're employing risk transference, by giving
responsibility for the risk to another entity.
Assessment: Risk management
What element of your risk mitigation strategy
helps keep future additions to your network
from introducing new security vulnerabilities?
A. Change management
B. Incident management
C. Security audits
D. Technical controls
Change management policies make sure
organizational changes don't compromise
security.
Vulnerability assessment
You will learn:
About vulnerability testing
How to perform vulnerability scans
How to plan a penetration test
Vulnerability assessments
Baseline review
– The existing intended security configuration
Determining attack surface
– All of the software and services installed
which can be subject to attack
Reviewing code
Reviewing architecture
Reviewing design
Vulnerability scans
Intrusive vs. non-intrusive
Credentialed vs. non-credentialed
Goals
– Missing or misconfigured security controls
– Open ports
– Weak passwords or encryption
– Unsecured data
– Compromised systems
– Exploitable vulnerabilities
– Unpatched systems
Penetration tests
Black box
– No attacker knowledge of system
White box
– Full attacker knowledge of system
Gray box
– Partial attacker knowledge of system
Assessment: Vulnerability
assessments
A vulnerability scan can be intrusive or nonintrusive. True or false?
A. True
B. False
Intrusive scans are less invasive than
penetration tests, but still can raise alarms
or even cause system errors.
Assessment: Vulnerability
assessments
What steps might be taken as part of a vulnerability
scan? Choose all that apply.
A. Bypassing security controls
B. Exploiting vulnerabilities
C. Finding open ports
D. Identifying vulnerabilities
E. Passively testing security controls
Bypassing security controls and exploiting vulnerabilities
would only be part of a penetration test, while the
others can be part of a vulnerability scan.
Assessment: Vulnerability
assessments
What element of a vulnerability assessment
compares security performance to existing
security configuration documents?
A. Architecture review
B. Baseline review
C. Code review
D. Design review
The existing security configuration is your
current security baseline.
Assessment: Vulnerability
assessments
What kind of penetration test involves a tester
with full knowledge of your network
configuration?
A. Black box
B. Black hat
C. White box
D. White hat
White box tests give testers full knowledge of
the system, while black box tests require testers
to gather information themselves.
Assessment: Vulnerability
assessments
Vulnerability scanners are a good way to
determine a network's attack surface. True
or false?
A. True
B. False
Vulnerability scanners can methodically
check a network for possible points of
attack.
Summary: Security fundamentals
You learned:
About basic security concepts such as
assets, threats, risk, vulnerabilities,
security controls, and incidents
About the risk management process, from
conducting risk assessments to applying
risk management strategies
About the vulnerability assessment
process, including vulnerability scans and
penetration tests
Understanding attacks
You will learn about:
Social engineering
Malware
Network attacks
Application attacks
Module A: Social engineering
You will learn:
Why social engineering is effective
About impersonation
How social engineering can violate
physical security
How to minimize the risk of social
engineering attacks
Social engineering effectiveness
Authority
Intimidation
Consensus/Social proof
Scarcity
Urgency
Familiarity/Liking
Trust
Phishing
Phishing varieties
Spear phishing
– Targets specific users, might use personal
information
Whaling
– Singles out high-profile targets
Vishing
– Applies phishing techniques to voice calls
Physical intrusion
Shoulder surfing
– Eavesdropping on sensitive reading or
conversations
Tailgating
– Following close behind someone into a secure area
Dumpster diving
– Stealing sensitive data from the trash
Social engineering defenses
User training
– Information sharing
guidelines
– Maintaining security
policies
– Recognize suspicious
behavior
Technical controls
– Mantraps
– Spam filters
– Network controls
– Surveillance systems
Policies
– Least privilege/need to
know
– Clean desk
– Logoff
– Data disposal
– Incident handling
Assessment: Social engineering
What kind of attack is most likely when you're
doing sensitive work on your laptop at a coffee
shop?
A. Piggybacking
B. Shoulder surfing
C. Smurfing
D. Wardriving
Shoulder surfing is a particular danger when
you're in public.
Assessment: Social engineering
Impersonation is a core element to most
social engineering attacks. True or false?
A. True
B. False
Most social engineering attacks involve an
attacker impersonating someone more
trustworthy.
Assessment: Social engineering
Several coworkers in the sales department received
email claiming to be from you. Each message was
personally addressed, and contained a link to a "test site"
and a request to log in with normal user credentials. You
never sent it, and on examination the supposed test site
is a phishing scam. Just what variant of phishing is this?
A. Pharming
B. Spear phishing
C. Vishing
D. Whaling
Spear phishing targets specific groups and often even
claims to be from specific people they know and trust.
Assessment: Social engineering
What security controls can protect against
tailgating? Choose all that apply.
A. Alarm systems
B. Clean desk policy
C. Mantraps
D. Security guards
E. Spam filters
Alarms, spam filters, and clean desk policies won't
help against tailgating.
Assessment: Social engineering
Social engineering attacks are most
commonly either in person or over
electronic media rather than on the phone.
True or false?
A. True
B. False
False. In many ways, telephone attacks are
most dangerous, so they're very popular.
Module B: Malware
You will learn:
About malware varieties
How malware spreads
How malware damages infected systems
How malware avoids detection
Malware vectors
Virus
– Attaches malicious code to another file
Worm
– Replicates itself by exploiting system vulnerabilities
Trojan horse
– Masquerades as a useful program
Logic bomb
– Lies dormant until a specific condition is met
Watering hole
– Infection on a trusted site or service used by actual
targets
Malware payloads
Backdoor
– A hidden way into a system or application
Botnet
– Large number of centrally controlled systems
Ransomware
– Attempts to extort money in order to undo
damage
Spyware
– Secretly records user activity
Adware
– Presents ads to the user
Hidden malware
Polymorphic malware
– Changes signatures
Armored virus
– Protected against heuristic analysis
Stealth malware
– Hides from antimalware programs
Rootkit
– Compromises boot or OS functions to avoid
detection
Malware defenses
Antimalware
– Antivirus and specialized scanners
System permissions
– Restricting user installation of applications
Security updates
– Browsers and addons as well as OS
Network security
– Firewalls, IDS, spam filters, and network
antivirus
Policies and training
– Unknown sites, phishing links, removable media
Assessment: Malware
A user complains that every time they open their
Internet browser, it no longer goes to their
preferred home page and advertisements pop up in
dialog boxes that they have to close. What is the
likely cause?
A. Spyware
B. Trojan
C. Virus
D. Worm
Spyware is most often used to monitor a user's
Internet activity, and is often also adware.
Assessment: Malware
A user logs into their computer and is presented with a screen
showing a Department of Justice logo indicating the computer has
been locked due to the operating system being in violation of federal
law. The screen gives several details of the violation and indicates
that the user must pay a fine of $500 within 72 hours or a warrant
will be issued for their arrest. The user cannot unlock their system.
What type of malware is likely infecting the computer?
A. Keylogger
B. Ransomware
C. Rootkit
D. Trojan
E. Worm
Ransomware would lock the system and display messages demanding
payment in exchange for unlocking the system.
Assessment: Malware
What kind of malware can spread through a
network without any human interaction?
A. Polymorphic virus
B. Trojan horse
C. Virus
D. Worm
Viruses and trojans both rely on a user to launch
an infected file, while worms spread on their
own using system vulnerabilities.
Assessment: Malware
You've traced some odd network activity to malware
that's infected a whole department's computers. They're
processing a distributed task using spare CPU cycles,
communicating with a remote server, and sending email
to random targets. What kind of malware is it?
A. Botnet
B. Rootkit
C. Spyware
D. Trojan
Multiple infected systems controlled by a remote server
comprise a botnet. It might also be any of the others, but
that's not certain.
Assessment: Malware
You've found a computer infected by stealth malware.
The program installed itself as part of the computer's
boot process so that it can gain access to the entire
operating system and hide from antimalware software.
What kind of malware is it?
A. Armored virus
B. Backdoor
C. Rootkit
D. Spyware
Rootkits compromise boot systems and core operating
system functions to gain high-level access that can hide
them from most detection methods.
Module C: Network attacks
You will learn:
How to classify network attacks
About probing, spoofing, and redirection
techniques
About denial-of-service attacks
About forced access and password cracking
About eavesdropping and man-in-the-middle
attacks
About wireless network attacks
Network probes
Xmas attack
– Too many flags set
Fuzzing
– Random data input
Banner grabbing
– Normal request used to gather return data
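An added example (not from the course) that ties the Network probes slide to the true/false positive vocabulary of the Events and incidents slide: a detection rule for the Xmas flag pattern (FIN, PSH and URG set without SYN or ACK) is run over constructed flow records, and its hits are scored against an analyst's ground-truth label to produce the four alert outcomes. The log format, addresses and the `probe=` label are constructed for the demo.

```python
"""Added example: a TCP-flag detection rule scored as true/false positives and
negatives. The log lines, addresses and 'probe=' truth labels are constructed."""
import re
from collections import Counter

# Constructed sample of flow records. 'probe=' is an analyst's ground-truth label
# added for scoring the rule, not something a real sensor would emit.
LOG = """\
2016-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.9 dport=80 flags=S probe=no
2016-05-01T10:00:02Z src=10.0.0.5 dst=10.0.0.9 dport=80 flags=A probe=no
2016-05-01T10:00:03Z src=198.51.100.7 dst=10.0.0.9 dport=22 flags=FPU probe=yes
2016-05-01T10:00:04Z src=198.51.100.7 dst=10.0.0.9 dport=23 flags=FPU probe=yes
2016-05-01T10:00:05Z src=10.0.0.8 dst=10.0.0.9 dport=443 flags=PA probe=no
2016-05-01T10:00:06Z src=10.0.0.8 dst=10.0.0.9 dport=443 flags=FPU probe=no
2016-05-01T10:00:07Z src=198.51.100.7 dst=10.0.0.9 dport=25 flags=F probe=yes
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]*) probe=(?P<probe>yes|no)")

# Xmas signature: FIN, PSH and URG all set on a segment that is neither opening
# a connection (SYN) nor part of an established exchange (ACK).
XMAS_FLAGS = {"F", "P", "U"}


def is_xmas(flags):
    present = set(flags)
    return XMAS_FLAGS <= present and not ({"S", "A"} & present)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that do not match the record format are skipped
            rec = m.groupdict()
            rec["labelled_probe"] = rec.pop("probe") == "yes"
            events.append(rec)
    return events


def alerts(events):
    """(src, dport) pairs the rule would raise."""
    return [(e["src"], e["dport"]) for e in events if is_xmas(e["flags"])]


def score_rule(events):
    """Confusion matrix of the rule against the ground-truth labels. Record 6 is a
    false positive (internal host with a broken stack); record 7 is a FIN-only
    probe the Xmas rule cannot see, a false negative."""
    counts = Counter()
    for e in events:
        alerted, real = is_xmas(e["flags"]), e["labelled_probe"]
        if alerted and real:
            counts["true_positive"] += 1
        elif alerted and not real:
            counts["false_positive"] += 1
        elif not alerted and real:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("alerts:", alerts(evs))
    print("scorecard:", score_rule(evs))
```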
Spoofing
IP address
MAC address
Email address
Caller ID
Redirection
ARP poisoning
– Usually performed by inside attackers
DNS poisoning
– More difficult but works on large networks
Hosts file alteration
– Overrides DNS searches
Pharming
– Similar to phishing but with compromised DNS
VLAN hopping
– Bypasses VLAN segmentation
Denial of Service
Distributed DoS
Reflected DoS
DoS variants
Ping floods
Smurf attacks
Ping of death
– Oversized packets
– Malformed packets
SYN flood
Permanent DoS
Unintentional DoS
Transitive trust
Password cracking
Brute force
– Try all combinations in sequence
Dictionary attack
– Try entries from a list
Hybrid attack
– Dictionary attack plus common variations.
Birthday attack
– Finds hash collisions
Rainbow table
– Uses pre-compiled hash list
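An added example (not course code) showing, from the defender's side, why the precompiled-hash-list approach on the Password cracking slide fails against properly stored passwords: a tiny constructed table of unsalted SHA-256 digests recovers an unsalted stored hash at once, but finds nothing against a per-user salted, iterated PBKDF2 hash, and two users with the same password get different digests. The word list and iteration counts are constructed for the demo.

```python
"""Added example: unsalted hash vs. salted, iterated PBKDF2 storage, tested against
a tiny precompiled digest table. Word list and iteration counts are constructed."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "dragon"]   # constructed, tiny


def unsalted_hash(password):
    """How NOT to store a password: one deterministic digest per plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompiled_table(words):
    """Digest -> plaintext, computed once and reusable against every victim."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash):
    return table.get(stored_hash)


def store_password(password, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns the user-table record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, attempt):
    """Recompute with the stored salt/iterations and compare in constant time."""
    guess = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                record["salt"], record["iterations"])
    return hmac.compare_digest(guess, record["digest"])


def demo():
    table = precompiled_table(WORDLIST)
    weak_record = unsalted_hash("letmein")
    hardened = store_password("letmein", iterations=10_000)
    same_password_again = store_password("letmein", iterations=10_000)
    return {
        "table_recovers_unsalted": lookup(table, weak_record),
        "table_hits_salted": lookup(table, hardened["digest"].hex()),
        "salted_digests_differ": hardened["digest"] != same_password_again["digest"],
        "verify_correct": verify_password(hardened, "letmein"),
        "verify_wrong": verify_password(hardened, "dragon"),
    }


if __name__ == "__main__":
    print(demo())
```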
Eavesdropping
Packet sniffing
Circumventing segmentation
Plaintext protocols
Man-in-the-middle attacks
Replay attack
– Intercepts data to delay or resend it
Session replay
– Exploits TCP features to continue someone
else’s session
Session hijacking
– Takes over an ongoing session right after
login
Wireless attacks
Wardriving
– Searching for open
hotspots
Warchalking
– Public advertisement of
hotspots
Encryption attacks
– WEP, TKIP, WPS
Rogue AP
– Unauthorized hotspot
Evil Twin
– Rogue AP used for MitM
Jamming
– Radio interference
Bluejacking
– Sends unsolicited
messages
Bluesnarfing
– Theft of information
Bluebugging
– Creating backdoor access
NFC
– Steal information or
money
Assessment: Network attacks
Complex passwords that are combinations of upper and
lower case letters, numbers, and special characters
protect your system from which types of attacks? Choose
all that apply.
A. Birthday
B. Brute force
C. Dictionary
D. Man-in-the-middle
E. Zero-day
Complex passwords are one way to help protect your
system against brute force and dictionary attacks.
Assessment: Network attacks
As a user, what can you do to protect yourself from man-in-the-middle attacks?
A. Avoid connecting to open WiFi routers.
B. Avoid following links in emails when possible.
C. Enable Firewall protection.
D. Install only the application software you need.
E. Use complex passwords that are combinations of
upper and lower case letters, numbers, and special
characters.
To protect your systems against MiTM attacks, on the
user side, avoid connecting to open WiFi routers.
Assessment: Network attacks
What tools let an individual attacker mount a DoS
attack on a powerful network? Choose all that
apply.
A. Bluesnarfing
B. Botnets
C. Malformed packets
D. Reflection
E. VLAN hopping
Botnets, malformed packets, and reflection are all
ways to amplify an attacker's network resources.
Assessment: Network attacks
Evil twins are mostly used as part of what
kind of attack?
A. Denial of service
B. Man-in-the-middle
C. Phishing
D. Trojan horse
The owner of the evil twin can intercept all
data passing through it.
Assessment: Network attacks
What kind of attack commonly uses a TCP
packet with Urgent, Push, and FIN flags set?
A. ARP poisoning
B. Pharming
C. Smurf
D. Xmas
Xmas attacks use packets with multiple flags set,
so that they're "lit up like a Christmas tree."
Module D: Application attacks
You will learn:
About application vulnerabilities
How application attacks do damage
About server-side injection attacks
About client-side attacks
Application exploits
Privilege escalation
Directory traversal
– Reaching additional folders on target computer
Arbitrary code execution
– Running malicious code on target computer
Buffer overflow
– Too much data sent in a fixed-length field
Integer overflow
– Setting a variable to an invalid value
Header manipulation
– Changing headers used by a protocol
SQL injection
Unfiltered escape characters
– Special characters used by SQL
Improper input types
– Placing wrong data types into fields
Stacked queries
– Appending additional queries onto one
Blind injection
– Gathering information through page output
changes
Signature evasion
– Hiding signs of attack from IDS
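The "unfiltered escape characters" and "improper input types" items on the SQL injection slide, as an added example that is not part of the course: a login check that splices user input into the query text sits beside the parameterized version, both run against a constructed in-memory SQLite table with the same inputs, plus an input-type check that rejects anything that is not a plain account name. The table, account and username policy are constructed for the demo.

```python
"""Added example: string-spliced vs. parameterized SQL, run side by side.
The database, account and username policy are constructed for the demo."""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # constructed input-type policy


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to keep the demo short; a real table holds a
    # salted, iterated hash (see the Integrity controls and Password cracking slides).
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text. A quote character in the input
    ends the string literal, and whatever follows is parsed as SQL."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Placeholders keep data out of the query text: the driver binds the values,
    so a quote inside them is just a character being compared."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def valid_username(username):
    """Input-type check applied before the database is touched: defence in depth
    alongside parameterized queries, not a substitute for them."""
    return bool(USERNAME_RE.match(username))


# Constructed test input: closes the string literal and appends a tautology.
INJECTED = "' OR '1'='1"


def demo():
    conn = make_db()
    good = "correct horse battery staple"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", good),
        "injected_vulnerable": login_vulnerable(conn, "alice", INJECTED),
        "valid_parameterized": login_parameterized(conn, "alice", good),
        "injected_parameterized": login_parameterized(conn, "alice", INJECTED),
        "username_check_rejects_injected": not valid_username(INJECTED),
        "username_check_accepts_alice": valid_username("alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```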
Other injection techniques
NoSQL injection
– Targets non-relational databases
LDAP injection
– Targets network directory services
XML injection
– Targets XML databases
Command injection
– Targets remote command shells
Client-side attacks
Application
vulnerabilities
Browser add-ons
– Exploitable
– Malicious
Cookies
Local Shared Objects
– “Flash cookies”
Attachments
Cross-site scripting
Stored/Persistent
– Script uploaded as permanent content
Reflected/Non-persistent
– Script temporarily placed in error field or
search response
DOM-based
– Script run entirely in the client browser
Assessment: Application attacks
An attack on your web application began with a
long string of numbers sent to a field that's only
supposed to hold a four-digit variable. What
kind of attack was it?
A. Buffer overflow
B. Integer overflow
C. LDAP injection
D. XSRF
A buffer overflow sends too much data into a
fixed-length buffer.
Assessment: Application attacks
What application attacks directly target the
database programs sitting behind web servers?
Choose all that apply.
A. Command injection
B. Cross-site scripting
C. Session hijacking
D. SQL injection
E. XML injection
Only SQL injection and XML injection directly
target databases.
Assessment: Application attacks
What SQL injection technique relies on
unfiltered semicolons?
A. Blind injection
B. Signature evasion
C. Stacked query
D. XSRF
A stacked query attack uses semicolons to
separate multiple SQL queries.
Assessment: Application attacks
Blocking and cleaning Flash cookies is much the
same as for any other browser cookies. True or
false?
A. True
B. False
False. Flash cookies are LSOs rather than normal
browser cookies. They're stored in a different
location and cleaned by different processes.
Assessment: Application attacks
What XSS techniques don't require anything to
actually be stored on the target server? Choose
all that apply.
A. DOM based
B. Persistent
C. Reflective
D. XSRF
DOM based and reflective attacks both rely on
scripts that aren’t stored on the server.
Summary: Understanding attacks
You now know:
About common types of social engineering, their
underlying mechanisms, and how to protect
against them.
How to identify malware according to its payload
and transmission vector, as well as how malware
hides from detection.
About common network attacks, including
probes, spoofing, redirection, DoS, password
cracking, eavesdropping, MitM, and wireless.
About web application attacks including
injection, overflow, and scripting techniques.
Chapter 3: Securing hosts and data
You will learn:
How to secure data
How to secure hosts and applications
How to secure mobile devices
How to secure web applications
About virtualization and cloud computing
risks
Module A: Securing data
You will learn:
About data classification and policies
About the data life cycle
How to control data access
How to apply encryption
Classification levels
Classified/Secret/Top Secret
– Damage that could be done to national
security
Compartmentalization
– Need to know
Common business classifications
– High/Medium/Low
– Confidential/Private/Public
Personally identifiable information
Can either distinguish an individual or be linked to
one
– Name/address/phone/email
– ID/bank numbers
– Biometric data
– Background information
HIPAA
– Health Insurance Portability and Accountability
Act
PCI-DSS
– Payment Card Industry Digital Security Standard
States of data
Data in transit
– Network data, protected by segmentation or
cryptography
Data at rest
– Data in persistent storage, protected by
physical security, host security, or encryption
Data in use
– Data in processing or non-persistent storage,
protected by OS security or system
encryption
The data life cycle
1. Creation/Acquisition
2. Use/Storage
3. Retention/Archival
4. Wiping/Disposal
Data loss prevention
Secure data erasure
Secure deletion software
Formatting tools
– Low level
– Multiple passes
– SSD-specific
NTFS file permissions
Read
– Folder: User can view the contents of the folder and any subfolders.
– File: User can view the contents of the file.
Write
– Folder: Read permission, plus the user can add files and create new subfolders.
– File: Read permission, plus the user can make changes (write) to the file.
Read & Execute
– Folder: Read permission, plus the user can run executable files contained in the folder. This permission is inherited by any subfolders and files.
– File: Read permission, plus the user can run the file if it is executable.
List Folder Contents
– Folder: Read permission, plus the user can run executable files contained in the folder. This permission is inherited by subfolders only.
– File: N/A
Modify
– Folder: Read and Write permissions, plus the user can delete the folder.
– File: Read and Write permissions, plus the user can delete the file.
Full Control
– Folder: Read, Write, and Modify permissions, and the user can delete all files and subfolders.
– File: Read, write, modify, and delete the file.
Linux file permissions
Permission types
Read (r)
– User can view the contents of a file
Write (w)
– User can write to (modify) the contents of a file or directory
Execute (x)
– User can run an executable file and view the contents of a directory
Users
Owner
– Responsible for the file
Group
– All members of the file’s group
Others
– All other users
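The Linux permission model above worked through as an added example (not course code): the nine mode bits rendered as rwx text, the owner/group/others decision the kernel makes for a given user (only the first matching class counts, which is why a restrictive owner triplet is not rescued by a permissive others triplet), and a small least-privilege audit over a constructed file inventory that flags world-writable files and set-uid executables.

```python
"""Added example: Linux mode bits, effective permission class, and a small
least-privilege audit. The file inventory below is constructed, not read from disk."""
import stat


def symbolic_mode(mode):
    """Render the nine permission bits as 'rwxr-x---' style text."""
    bits = [(stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
            (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
            (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x")]
    return "".join(ch if mode & bit else "-" for bit, ch in bits)


def effective_perms(mode, owner_uid, group_gid, uid, groups):
    """Which class (owner, group, others) applies to this user, and its r/w/x.
    The classes are checked in that order and only the first match is used, so an
    owner with mode 0o077 gets nothing even though 'others' could read the file.
    Root (uid 0) bypasses these checks and is not modelled here."""
    if uid == owner_uid:
        shift, cls = 6, "owner"
    elif group_gid in groups:
        shift, cls = 3, "group"
    else:
        shift, cls = 0, "others"
    triplet = (mode >> shift) & 0o7
    return cls, {"read": bool(triplet & 4), "write": bool(triplet & 2),
                 "execute": bool(triplet & 1)}


def risky_entries(entries):
    """Least-privilege audit over (path, mode) pairs: world-writable files and
    set-uid executables are the findings most worth a second look."""
    findings = []
    for path, mode in entries:
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & stat.S_ISUID and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append((path, "setuid executable"))
    return findings


# Constructed inventory (path, mode bits) standing in for os.lstat() results.
SAMPLE = [
    ("/etc/passwd", 0o644),
    ("/etc/shadow", 0o640),
    ("/usr/bin/passwd", 0o4755),
    ("/tmp/upload.sh", 0o777),
]

if __name__ == "__main__":
    for path, mode in SAMPLE:
        print(f"{symbolic_mode(mode)} {path}")
    print("findings:", risky_entries(SAMPLE))
    # A regular user (uid 1000, in group 42) looking at a root-owned, group 42 file.
    print(effective_perms(0o640, owner_uid=0, group_gid=42, uid=1000, groups={42, 1000}))
```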
File attributes
Read-Only (R)
– Cannot be written to
Archive (A)
– Should be backed up
System (S)
– System file, hidden by default
Hidden (H)
Directory (D)
Not content-indexed (I)
– Not included on search index
Compressed (C)
Encrypted (E)
Share permissions
Read
– View file names, subfolders, and data; run
programs
Change
– Read permissions plus adding, changing, and
deleting
Full control
– Change, plus can change NTFS permissions.
Storage encryption
Removable drive encryption
Archive file encryption
Transparent database encryption
File or full disk encryption
Encryption hardware
Hardware-based disk encryption
– Encryption chip on drive controller
Smart card
– Cryptographic chip on card
USB encryption
– Hardware dongles or flash drives
Trusted platform module (TPM)
– Chip on motherboard
Hardware security module (HSM)
– External device, frequently network-based
Windows encryption
Encrypting file system (EFS)
– Encrypts individual files and folders
– Controlled by individual user
– Intended for personal files
BitLocker
– Protects entire volumes or computers
– Controlled by administrator
– Intended for full-disk encryption
Encrypting files and folders
1. Right-click the file and choose Properties
2. Click Advanced
3. Check Encrypt contents
4. Click OK twice.
BitLocker
Encrypts entire volumes
Uses TPM by default
Can be used without TPM
– Requires group policy change
– Stores key on USB
Three authentication methods
– Transparent operation mode
– User authentication mode
– USB key mode
Assessment: Securing data
Which Windows encryption tool can protect
the entire system volume?
A. BitLocker
B. Encrypting File System
C. Both
D. Neither
BitLocker is a volume-based encryption
solution.
Assessment: Securing data
Your organization has a degausser in the basement.
What media can you use it to securely destroy?
Choose all that apply.
A. Backup tapes
B. CDs and DVDs
C. Hard drives
D. Paper documents
E. SSDs
Degaussers are magnets, so they only erase magnetic media like tapes and hard drives. Optical, flash, and print media are not affected.
Assessment: Securing data
What cryptographic tool is commonly built
into a motherboard?
A. FDE
B. DLP
C. HSM
D. TPM
A Trusted Platform Module is typically a chip
right on the motherboard.
Assessment: Securing data
What might protect users from copying sensitive
files to external media?
A. FDE
B. DLP
C. HSM
D. TPM
Data loss prevention software is used to classify
and protect your organization's confidential and
critical data.
Assessment: Securing data
"Big data" shouldn't be confused with
"cloud storage". True or false?
A. True
B. False
True. Big data is often stored on the cloud,
but it actually refers to data sets too large to
manage and secure by traditional methods.
Module B: Securing hosts
You will learn:
About security baselines
How to secure hosts
How to perform patch management
How to secure static and unconventional systems
Security baselines
Hardening operating systems
Secure operating systems
– EAL
Account control
– User, administrator, guest types
Access control
– Local and network permissions
Unnecessary services
Directory services
Updates
Securing applications
Whitelisting vs. blacklisting
Secure applications
Network components
Browser security
Network protocols
Security software
Antivirus
Firewall
Anti-spyware
Pop-up blockers
Anti-spam
HIDS
Physically securing hosts
Software changes
Major vs. minor update
Patch
– Typically targets a single problem
Hotfix
– Very specific, niche, or high urgency
Service pack
– Large compilation of patches
Upgrade
– New software version
Maintenance release
– Smaller than a service pack
Definition update
– Typically for security software
Unofficial patch
– Released by third party
Rolling release
– Replaces discrete version numbers
Planning software updates
1. Evaluate need
2. Consider impact
3. Plan update
4. Enact update
Static environments
Embedded devices
– Network appliances, printers, TVs, HVAC, Bluetooth
SCADA/ICS
– Industrial environments
Mainframes
– Seldom targeted but still vulnerable
Mobile devices
– Android, iOS
Game consoles
– Modern consoles are networked computers
In-vehicle computing systems
– Emerging field
Legacy systems
– No longer receiving updates
Alternative threat mitigation
Security layers
Control redundancy and diversity
Network segmentation
Application firewalls
Wrappers
Firmware version control
Assessment: Securing hosts
What was the first version of Windows to
include real-time antivirus scanning?
A. Windows XP Service Pack 2
B. Windows Vista
C. Windows 7
D. Windows 8
E. Windows 8.1
Before Windows 8, Windows Defender was only
anti-spyware.
Assessment: Securing hosts
In general, you should leave the Guest
account in Windows disabled. True or false?
A. True
B. False
True. While the Guest account has limited
permissions, attackers can try to exploit
them to gain more.
Assessment: Securing hosts
A company configures workstations only to
run software on an approved list. What is
this an example of?
A. Blacklisting
B. Hardening
C. Sandboxing
D. Whitelisting
This is an example of whitelisting.
Assessment: Securing hosts
A service pack is generally a more major update
than a maintenance release. True or false?
A. True
B. False
True. Both are compilations of patches and
hotfixes, but a maintenance release is a smaller
collection issued between service packs or
software releases.
Assessment: Securing hosts
Downgrades are often more difficult than
upgrades. True or false?
A. True
B. False
True. Most software is designed for easy
upgrades, but downgrading to a past version
without introducing problems might be
difficult or impossible.
Module C: Mobile device security
You will learn:
How to plan mobile device policies
About mobile authentication features
About mobile data protection
About security concerns with mobile applications
BYOD policies
Permitted devices
Security baselines
Support ownership
App and data ownership
IP theft protection
Other legal concerns
Privacy
Network access
Acceptable use
Onboarding/offboarding
User acceptance
Profile security requirements
Passcode requirements
Encryption settings
Backups
Updates
Required/forbidden apps
Physical security
Acceptable use
Mobile Device Management
Screen lock options
Swipe screen
Password
Passcode/PIN
Pattern
Fingerprint
Face
Data wipe
Mobile data protection
Device location software
– Find my iPhone
– Android Device Manager
Remote wipe
Inventory control
Asset tracking
Full device encryption
– Enabled by default on iOS
– Available on Android
Storage segmentation
Mobile application security
Application whitelisting
Key and credential management
Geotagging
Encryption
Application permissions
Transitive trust authentication
Hardening mobile operating systems
OS updates
App updates
Unused features
Antivirus software
Trusted sources
Firewalls
Wi-Fi security
Assessment: Mobile device security
What kind of application centrally manages
security policy on all company mobile devices?
A. Asset tracking
B. BYOD
C. GPS
D. MDM
Mobile Device Management software is what organizations use to centrally manage security policy on their mobile devices.
Assessment: Mobile device security
Both iOS and Android include a built-in
feature to find and secure a lost device. True
or false?
A. True
B. False
True. Android Device Manager and Find My
iPhone let you ring, lock, or erase a lost
device if it's still connected to the network.
Assessment: Mobile device security
Both iOS and Android enable data encryption on
most devices by default. True or false?
A. True
B. False
False. iOS 8 and later enable encryption by
default, so most iOS devices today are
encrypted. Android has long included full
encryption as an optional feature, but only
some devices enable it by default.
Assessment: Mobile device security
What are important security steps on all mobile
devices? Choose all that apply.
A. Configuring antivirus software
B. Configuring remote backup features
C. Installing a firewall app
D. Regularly applying operating system updates
E. Using biometric authentication
Updates and backups are always good ideas, but
the others may be unavailable or just not optimal.
Assessment: Mobile device security
What kind of policy governs a user-owned
device on the corporate network?
A. Acceptable Use
B. BYOD
C. MDM
D. Offboarding
A Bring Your Own Device policy governs user-owned devices, even if the other answers might be involved too.
Assessment: Mobile device security
What kind of policy governs removal of sensitive
data and credentials when a user device is no
longer used for company business?
A. Asset tracking
B. Offboarding
C. Onboarding
D. Storage segmentation
Offboarding policies govern leaving the network.
Module D: Securing applications
You will learn:
About secure coding principles
How to implement input validation
How to prevent common application attacks
How to harden applications
Secure coding principles
Least privilege
– Restrict privilege of users and applications
Input validation
– Evaluate input before processing, and reject unexpected content
Input sanitization
– Delete dangerous characters, or add escape characters
Error and exception handling
– Fail-safe error handling
– High-detail error logging, low-detail user error messages
Input validation
Improper characters
– Character types or formats
Improper length
Improper values
SQL code
Browser code
Client-side vs. server-side validation
– Speed vs. security
– Can use both together
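An added example, not part of the slides: a server-side validator for a constructed order form that applies the three checks in the order listed (characters, length, value) and keeps the low-detail user message separate from the high-detail log, as the error-handling principle above recommends. The field rules are constructed for illustration.

```python
"""Server-side input validation with allowlists: each field has a rule for
permitted characters, length, and value range; anything else is rejected.
Added example with constructed rules and form data."""
import re
from typing import Dict, List, Optional, Tuple


class Rule:
    def __init__(self, pattern: str, min_len: int, max_len: int,
                 min_val: Optional[int] = None, max_val: Optional[int] = None):
        self.pattern = re.compile(pattern)   # allowlist of characters / format
        self.min_len, self.max_len = min_len, max_len
        self.min_val, self.max_val = min_val, max_val


# Constructed rules for a hypothetical order form
RULES: Dict[str, Rule] = {
    "username": Rule(r"^[A-Za-z0-9_]+$", 3, 32),
    "quantity": Rule(r"^[0-9]+$", 1, 4, min_val=1, max_val=999),
    "note":     Rule(r"^[A-Za-z0-9 .,!?-]*$", 0, 200),
}


def validate(field: str, value: str) -> List[str]:
    """Return the problems found with one field (an empty list means accepted).
    Checks run in the order the slide lists them: characters, length, value."""
    rule = RULES[field]
    problems = []
    if not rule.pattern.fullmatch(value):
        problems.append("improper characters")
    if not rule.min_len <= len(value) <= rule.max_len:
        problems.append("improper length")
    if rule.min_val is not None and value.isdigit():
        if not rule.min_val <= int(value) <= rule.max_val:
            problems.append("improper value")
    return problems


def check_form(form: Dict[str, str]) -> Tuple[bool, str, List[str]]:
    """Validate every expected field.  Returns (accepted, message for the user,
    detailed log lines).  The user sees only that something was invalid; the
    field names and offending values go to the log."""
    log = []
    for field in RULES:
        value = form.get(field)
        if value is None:
            log.append(f"field={field} missing")
            continue
        for problem in validate(field, value):
            log.append(f"field={field} {problem} value={value!r}")
    if log:
        return False, "The form contains invalid input. Please check your entries.", log
    return True, "OK", log


if __name__ == "__main__":
    accepted, message, log = check_form({"username": "alice'; DROP TABLE users--",
                                         "quantity": "0"})
    print(accepted, message)      # False, generic message for the user
    for line in log:              # full detail for the server log
        print("LOG:", line)
```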
XSS prevention
1. Never insert untrusted data except in allowed locations
2. HTML escapes
3. Attribute escapes
4. JavaScript escapes
5. CSS escapes
6. URL escapes
7. Sanitizing library
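Added example, not from the slides: one escaping function per allowed location (rules 2 to 6 above), built on Python's html and urllib.parse modules and applied to a constructed profile template so the same untrusted value is encoded differently in each context.

```python
"""Context-aware output encoding for the XSS prevention rules: each escape
function matches one location where untrusted data is allowed to appear.
Added example; the template and sample values are constructed."""
import html
from urllib.parse import quote


def escape_html(s: str) -> str:
    """Rule 2, HTML body text: & < > " ' become entities."""
    return html.escape(s, quote=True)


def escape_attr(s: str) -> str:
    """Rule 3, quoted attribute value: same entities, and the template must
    always quote the attribute (an unquoted attribute ends at any whitespace)."""
    return html.escape(s, quote=True)


def escape_js(s: str) -> str:
    """Rule 4, inside a JavaScript string literal: hex-escape every
    non-alphanumeric character so quotes, backslashes and </script> cannot
    terminate the literal or the script block."""
    out = []
    for ch in s:
        if ch.isalnum() and ch.isascii():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        elif ord(ch) < 0x10000:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append("\\u{%x}" % ord(ch))   # ES2015 code-point escape
    return "".join(out)


def escape_css(s: str) -> str:
    """Rule 5, CSS property value: \\HH escape (with a trailing space so the
    next character is not read as part of the hex) for every non-alphanumeric."""
    return "".join(ch if ch.isalnum() and ch.isascii() else "\\%x " % ord(ch)
                   for ch in s)


def escape_url_param(s: str) -> str:
    """Rule 6, a query-string parameter value: percent-encode everything
    except unreserved characters."""
    return quote(s, safe="")


def render_profile(name: str, color: str, search: str) -> str:
    """Apply the right escape in each location of a constructed template."""
    return (
        "<h1>Hello, {}</h1>\n"
        '<input name="displayname" value="{}">\n'
        '<a href="/search?q={}">your searches</a>\n'
        '<p style="color: {}">profile</p>\n'
        "<script>var user = '{}';</script>"
    ).format(escape_html(name), escape_attr(name), escape_url_param(search),
             escape_css(color), escape_js(name))


if __name__ == "__main__":
    # Constructed hostile input: the same value lands in five contexts safely
    print(render_profile("</script><script>alert(1)</script>", "red;x", "a b&c"))
```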
Fuzzing
Application fuzzing
– Tests I/O functions
Protocol fuzzing
– Tests network protocols
File format fuzzing
– Tests file reading/parsing functions
Hardening applications
1. Host and network hardening
– Updates, account security, security software
2. Secure configuration
– Secure coding, least privilege, server-side validation
3. Testing
– Human testing, fuzzing, outside tests
4. Maintenance
– Audits, patch management, training
Assessment: Securing applications
What technique tests an application's
responses to random input?
A. Escaping
B. Fuzzing
C. Sanitization
D. Validation
Fuzzing software sends random input to an
application.
Assessment: Securing applications
What kind of attack do synchronizer tokens
help prevent?
A. Buffer overflow
B. SQL injection
C. XSS
D. XSRF
Synchronizer tokens help prevent XSRF
attacks.
Assessment: Securing applications
What does the software assurance process do?
A. Ensure applications are up to date.
B. Ensure applications are regularly audited.
C. Ensure applications are securely configured.
D. Ensure applications are securely designed.
Software assurance monitors the software
design process.
Assessment: Securing applications
You're reviewing a web application. Which of these features are
security warning signs? Choose all that apply.
A. Input errors are logged and clearly displayed to users in full detail.
B. The web server and database software are on separate physical servers, both similarly secured.
C. Input validation is performed more rigorously on the client side than the server side.
D. The HTTPOnly flag is set on session cookies.
E. Secret cookies are used to prevent XSRF attacks.
Detailed errors sent to users are a security risk, client-side validation is easier to bypass, and secret cookies don't protect against XSRF attacks.
Assessment: Securing applications
Even just blocking or sanitizing the < and >
characters used by HTML tags can prevent
many attacks. True or false?
A. True
B. False
Those characters are essential to many XSS
attacks.
Module E: Virtual and cloud systems
You will learn:
About virtual systems
About cloud services
Virtual machines
Host
– Physical computer
Virtual Machine (VM)
– Virtual computer on host
Hypervisor
– Software that coordinates VMs
– Bare metal or hosted
Virtual network devices
Virtual security benefits
Snapshots
– Allows easy reversion when problems occur
Sandboxing
– Isolated from outside host
Security control testing
Patch compatibility
Availability/elasticity
– Convenient for load balancing and restoration
Securing virtual systems
Establish responsibility
Harden hosts
Understand single points of failure
Use appropriate security environments
Secure virtual network devices
Maintain host resources
Verify regulatory compliance
Cloud services
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Cloud models
Software-as-a-service
– Subscription-based access to applications or databases
Platform-as-a-service
– Access to a computing platform that can be used to develop and host applications
Infrastructure-as-a-service
– Access to computing and network resources themselves
Cloud models
Public
Private
Community
Hybrid
Assessment: Virtual and cloud systems
What model would describe a cloud
accounting service?
A. IaaS
B. PaaS
C. SaaS
D. SDN
It would be an example of software as a
service.
Assessment: Virtual and cloud systems
All else being equal, bare metal hypervisors
are more efficient than hosted ones. True or
false?
A. True
B. False
True. Hosted hypervisors are easier to set
up, but generally less efficient.
Assessment: Virtual and cloud systems
As long as the host machine has
antimalware protection, VMs are protected
as well. True or false?
A. True
B. False
False. VMs all need to be protected
individually as well as securing the host.
Assessment: Virtual and cloud systems
What cloud model is likely to provide access to a
software environment you can use to develop and host
web-based applications, but not the applications
themselves?
A. IaaS
B. PaaS
C. SaaS
D. Any of the above
Platform as a service typically provides a development
environment but not a ready application.
Assessment: Virtual and cloud systems
When you use a cloud service, the security
controls used by fellow customers could
endanger your own security. True or false?
A. True
B. False
True. Attacks on public cloud services can affect
several or even all customers at a time, so a
successful attack against another customer
could endanger you.
Summary: Securing hosts and data
You now know:
How to secure data at rest through classification, file permissions, and storage encryption.
How to secure hosts, whether they're ordinary workstations, servers, or static devices.
How to secure mobile devices and their data.
How to secure web applications.
About virtual and cloud systems, along with their specific security concerns.
Chapter 4: Network fundamentals
You will learn:
About network components
About IP addresses
About network ports and applications
Module A: Network components
You will learn:
About the OSI and TCP/IP models
About Data Link layer technologies and devices
About Network layer protocols and devices
About non-IP networks and network convergence
Network models
Open Systems Interconnect (OSI)
– Created by ISO
– Protocols never widely adopted
– Important educational and theoretical tool
TCP/IP (Internet Protocol Suite)
– Designed by US DoD, maintained by IETF
– Dominant standard of the internet
– More a network standard than a network model
The OSI model
OSI communications
Vertical
– Between layers
Horizontal
– Between hosts
SDU
– The payload of a relevant level
PDU
– SDU + header
PDU names
– Layer 2: frames
– Layer 3: packets
– Layer 4: segments or datagrams
The TCP/IP model
TCP/IP communications
Based on concrete interaction between protocols
Robustness principle
– Send data strictly
– Receive data flexibly
– Vulnerability to attacks
The Data Link Layer
Combined with physical layer in TCP/IP
Contains technologies that can handle
addresses, traffic direction, and security
– MAC addresses
– Switches
– Collision and broadcast domains
– VLANs
– Wireless access points
MAC addresses
AKA physical addresses
Represent physical devices
Used for address filtering
MAC-48 vs EUI-64
Switches
Direct local traffic
Track addresses with a MAC table
Can relay broadcast packets to entire broadcast domain
Vulnerable to MAC spoofing
VLANs
Separate broadcast domains on same physical switch
Collection of methods rather than single standard
– Port-based
– Dynamic
– Protocol-based
VLAN trunking
Wireless access points
The Network layer
Extends beyond broadcast domain
Allows larger networks
– Reduces congestion
– Prevents switching loops
Uses more intelligent protocols
– Routing protocols
– Logical addresses
Routers
Join two broadcast domains
Separate subnets
Can be specialized devices or general-purpose computers
Aware of surrounding network structure
Communicate with other routers
IP Packets
Time-to-live (TTL)
ICMP
Used for control and error messages
Needed for core network functions
Used for many attacks
Includes several message types
– Echo request and reply (ping)
– Host unreachable
– Source quench
– Redirect
– Time exceeded
– Router advertisement and solicitation
Network convergence
Telephony
Industrial systems
Surveillance
HVAC
Data storage networks
Voice over IP
Industrial control systems
SCADA
– Large scale distribution systems
– Information gathering with limited control
DCS
– Process control systems
– Direct control with limited information gathering
Neither designed for security
Network storage
SAN architecture
Assessment: Network components
Order the OSI layers from bottom to top.
A. Application
B. Data Link
C. Network
D. Physical
E. Presentation
F. Session
G. Transport
The correct order is D, B, C, G, F, E, A.
Assessment: Network components
Which of the following devices would segment the
network into multiple collision domains? Choose all
that apply.
A. Gateway
B. Hub
C. Repeater
D. Router
E. Switch
Hubs and Repeaters are Layer 1 devices and don't
separate collision domains. The others do.
Assessment: Network components
What happens to a non-tagged frame on a VLAN
trunk?
A. It's flooded to all VLANs the trunk carries.
B. It's forwarded to the lowest-numbered
VLAN.
C. It's forwarded to the trunk's native VLAN.
D. It's dropped without an error message.
Echo request, or ping, is an ICMP packet type.
Assessment: Network components
Which storage option is just a refinement of
traditional file servers?
A. DAS
B. iSCSI
C. NAS
D. SAN
A NAS device is just a file server in a
compact appliance.
Module B: Network addressing
You will learn:
About IPv4 and IPv6 addresses
About address resolution protocols
About network address translation
IPV4 addresses
Classful vs. Classless addressing
Classful addressing
Class   First octet   First bits   # of subnets   # of hosts    Subnet mask      Mask prefix
A       0.-127.       0            128            16,777,216    255.0.0.0        /8
B       128.-191.     10           16,384         65,536        255.255.0.0      /16
C       192.-223.     110          2,097,152      256           255.255.255.0    /24
D       224.-239.     1110         *              *             *                *
E       240.-254.     1111         *              *             *                *
Classless Interdomain Routing
Special IPv4 addresses
0.0.0.0
Broadcast address
– 255.255.255.255
Loopback addresses
– 127.0.0.0
Private addresses
– 10.0.0.0 /8
– 172.16.0.0 /12
– 192.168.0.0 /17
APIPA
– 169.254.0.0 /16
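An added Python example (not from the slides) that derives the class from the first octet's leading bits, as the classful table does, and labels the special ranges listed above. The addresses in the demo are constructed; note that RFC 1918 defines the third private block as 192.168.0.0/16, which is what the code uses.

```python
"""Classify an IPv4 address by its leading bits (the classful table) and
recognize the special ranges listed on the slides.  Added example; the
addresses used in the demo are constructed."""
import ipaddress
from typing import Dict, List

# Leading bits of the first octet decide the class
CLASS_BY_PREFIX = [("0", "A"), ("10", "B"), ("110", "C"), ("1110", "D"), ("1111", "E")]
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

# RFC 1918 private space, loopback, and APIPA (link-local)
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
APIPA = ipaddress.ip_network("169.254.0.0/16")


def ipv4_class(addr: str) -> str:
    """Return 'A'..'E' from the first octet's high-order bits."""
    first_octet = int(addr.split(".")[0])
    bits = format(first_octet, "08b")
    for prefix, cls in CLASS_BY_PREFIX:
        if bits.startswith(prefix):
            return cls
    raise ValueError(addr)


def describe(addr: str) -> Dict[str, str]:
    """Class, default mask, and which special category (if any) applies.
    Special checks come first because they override the class view:
    127.0.0.1 is class A by its bits but is never a host on a network."""
    ip = ipaddress.IPv4Address(addr)          # also validates the dotted quad
    cls = ipv4_class(addr)
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        kind = "unspecified (0.0.0.0)"
    elif ip == ipaddress.IPv4Address("255.255.255.255"):
        kind = "limited broadcast"
    elif ip in LOOPBACK:
        kind = "loopback"
    elif ip in APIPA:
        kind = "APIPA (link-local)"
    elif any(ip in net for net in PRIVATE):
        kind = "private (not routable on the Internet)"
    elif cls == "D":
        kind = "multicast"
    elif cls == "E":
        kind = "reserved"
    else:
        kind = "public"
    return {"address": addr, "class": cls,
            "default_mask": DEFAULT_MASK.get(cls, "n/a"), "kind": kind}


def routable_on_internet(addr: str) -> bool:
    """True only for ordinary public unicast addresses."""
    return describe(addr)["kind"] == "public"


def public_addresses(addrs: List[str]) -> List[str]:
    """Filter a constructed list down to the ones that could appear on the Internet."""
    return [a for a in addrs if routable_on_internet(a)]


if __name__ == "__main__":
    for a in ("127.0.0.1", "150.50.101.32", "169.254.121.68", "192.168.52.52"):
        d = describe(a)
        print(f"{a:16} class {d['class']}  mask {d['default_mask']:15} {d['kind']}")
```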
IPv6
Massive address range
Easier network configuration
Increased efficiency
Enhanced security
Compatibility issues
IPv6 addresses
IPv6 address types
Loopback
– ::1 /128
Link-local
– fe80:: /10
– Equivalent to APIPA
Site-local
– Similar to IPv4 private
– Deprecated
Global
– 2000:: /3
Multicast
– Begin with ff
Address Resolution Protocol
Domain Name System
DNS resolution
Record code   Common name                 Usage
A             Address record              Maps a hostname to an IPv4 address.
AAAA          IPv6 address record         Maps a hostname to an IPv6 address.
CNAME         Canonical name record       Aliases one name to another, so multiple names can correspond to one IP address.
MX            Mail exchanger              Maps a domain name to a list of mail servers for that domain.
PTR           Pointer record              Points to a canonical name. Can be used to perform a reverse DNS lookup, discovering the host name of a known IP address.
SOA           Start of authority record   Provides authoritative information about a DNS zone, such as the primary name server and contact information for its administrator.
Address translation
NAT methods
One-to-one
One-to-many
PAT
Assessment: Network addressing
What might a router using PAT change on packets
passing through? Choose all that apply.
A. Destination port for incoming packets
B. Destination port for outgoing packets
C. Destination address for incoming packets
D. Source address for incoming packets
E. Source port for incoming packets
F. Source port for outgoing packets
PAT only needs to change local addresses and ports: the destination for incoming packets, and the source for outgoing ones.
Assessment: Network addressing
What protocol is used to find the MAC
address of a given IP address?
A. ARP
B. DHCP
C. APIPA
D. DNS
Address Resolution Protocol finds the
physical address of a given logical address.
Assessment: Network addressing
For a local server, you might not need the
full domain name to perform a DNS lookup.
True or false?
A. True
B. False
True. If you're querying a local DNS server
you might just be able to use the host name
rather than the FQDN.
Assessment: Network addressing
Which IPv4 address might be valid on the
Internet?
A. 127.0.0.1
B. 150.50.101.32
C. 169.254.121.68
D. 192.168.52.52
150.50.101.32 is a valid public IP.
Assessment: Network addressing
What network attack can only be used on
local network segments?
A. ARP poisoning
B. DNS poisoning
C. DNS spoofing
D. Man in the middle
ARP doesn’t cross broadcast domains.
Module C: Network ports and applications
You will learn:
About TCP and UDP
About network ports
About common network applications
Transport protocols
End-to-end communications
Uses ports or sockets for host-level multiplexing
Two common protocols
– TCP: Transmission control protocol
– UDP: User datagram protocol
TCP
Connection-oriented
– Negotiates a dedicated two-way session
Reliable
– Verifies successful data delivery
Error correction
– Detects and resends corrupted data
Flow control
– Regulates data rate
Sequencing
– Keeps segments in order
TCP connections
UDP
Connectionless
Unreliable
Fast
Uses:
– Time-sensitive data
– Small data exchanges
– Applications with own sequencing and error correction
Network ports
Port ranges
System ports
– Assigned to major TCP/IP standards or expected standards
User ports
– Assigned to any application which registers for one
Private ports
– Used by private applications or for temporary purposes
Common port assignments
HTTP (Hypertext Transfer Protocol), TCP 80
– Used to retrieve data from web servers.
HTTPS (HTTP over TLS/SSL), TCP 443
– Used for secure web pages and sites. Includes encryption services.
FTP (File Transfer Protocol), TCP 20 (data), TCP 21 (control)
– Used for transferring files between hosts. Contains basic authentication features.
TFTP (Trivial File Transfer Protocol), UDP 69
– Simpler, less secure file transfer protocol. Sometimes used for network boot software.
Telnet, TCP 23
– Used to log into remote systems via a virtual terminal interface. Sends all communications in plain text.
SSH (Secure Shell), TCP 22
– Encrypted replacement for Telnet and FTP. Includes Secure Copy Protocol (SCP) and Secure Shell FTP (SFTP).
SMTP (Simple Mail Transfer Protocol), UDP 25
– Sends email to and between mail servers.
POP (Post Office Protocol), TCP 110
– Retrieves email from mail servers.
IMAP (Internet Message Access Protocol), TCP 143
– Retrieves email from mail servers.
SMB (Server Message Block), TCP 445
– Used to share files and resources like printers.
RDP (Remote Desktop Protocol), TCP 3389
– Used for remote logins to Windows systems.
NetBIOS (Network Basic Input/Output System), UDP 137, 138; TCP 137, 139
– Provides name, datagram, and session services for networks using the NetBIOS API.
SNMP (Simple Network Management Protocol), UDP 161, 162 (Trap)
– Used to remotely manage and monitor network devices.
DNS (Domain Name System), TCP and UDP 53
– Resolves domain names into IP addresses.
DHCP (Dynamic Host Configuration Protocol), UDP 67, 68
– Dynamically assigns IP addresses and other network configuration on joining a network.
NTP (Network Time Protocol), UDP 123
– Used to synchronize device clocks with time servers.
Application protocol security
Restrict plaintext protocols
Use secure replacements
Combine insecure protocols with others that provide security
Use lower layer security
– VPN
– Wi-Fi encryption
Network segmentation
Remote access protocols
Telnet
– Insecure, text-based terminal connections
– TCP port 23
Secure Shell (SSH)
– Secure telnet replacement
– TCP port 22
Remote Desktop Protocol (RDP)
– Windows proprietary remote access protocol
– TCP port 3389
Simple Network Management Protocol (SNMP)
– v1 and v2 are insecure and obsolete; v3 is secure
– UDP ports 161-162
Resource sharing protocols
Lightweight Directory Access Protocol (LDAP)
– Directory service protocol on LAN
– LDAP is insecure and uses TCP port 389
– LDAPS is more secure and uses TCP port 636
NetBIOS
– Session-layer API used by multiple applications
– Uses TCP and UDP ports 137-139
Server Message Block (SMB)
– Allows Windows folder sharing on LAN
– Uses NetBIOS ports or TCP port 445
File Transfer Protocol (FTP)
– Allows file access on LAN or internet
– Insecure, replaced by FTPS and SFTP
– Uses TCP ports 20 and 21
Trivial File Transfer Protocol (TFTP)
– Simplified FTP protocol on UDP port 69.
Hypertext transfer protocol
Used by web browsers for nearly all functions
Insecure plaintext protocol
Uses TCP port 80
HTTP Secure (HTTPS):
– Encrypted using SSL or TLS protocols
– Provides cryptographic security
– Uses TCP port 443
Email protocols
Simple Mail Transfer Protocol (SMTP)
– Only used to send email between servers or from clients to servers
– Uses TCP port 25
Post Office Protocol (POP)
– Used by clients to retrieve mail from servers
– Doesn’t store messages long on the server
– Uses TCP port 110
Internet Message Access Protocol (IMAP)
– Used by clients to retrieve mail from servers
– Stores messages permanently on the server
– Uses TCP port 143
Messaging Application Programming Interface (MAPI)
– Proprietary Microsoft Exchange protocol for sending and receiving
– Normally only used on LANs
SMTP, POP, and IMAP are insecure but can use SSL or TLS for
secure access. Secure versions may use different ports.
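Added example, not from the slides, tying the port table and the protocol slides above together: given the listeners found on a host, flag the plaintext protocols and name the secure replacement the slides give for each. The listener list is constructed (the shape a port scan or netstat would give), and the IANA port-range boundaries are standard values not printed on the slides.

```python
"""Audit listening services against the port assignments on the slides: flag
plaintext protocols and name the secure replacement.  Added example; the
listener list is constructed, not taken from a real host."""
from typing import Dict, List, Tuple

# (transport, port) -> (protocol, sends plaintext?, replacement the slides name)
KNOWN_PORTS: Dict[Tuple[str, int], Tuple[str, bool, str]] = {
    ("tcp", 21):  ("FTP",    True,  "SFTP over SSH (TCP 22) or FTPS"),
    ("tcp", 22):  ("SSH",    False, ""),
    ("tcp", 23):  ("Telnet", True,  "SSH (TCP 22)"),
    ("tcp", 25):  ("SMTP",   True,  "SMTP with SSL/TLS"),
    ("tcp", 80):  ("HTTP",   True,  "HTTPS (TCP 443)"),
    ("tcp", 110): ("POP",    True,  "POP with SSL/TLS"),
    ("tcp", 143): ("IMAP",   True,  "IMAP with SSL/TLS"),
    ("tcp", 389): ("LDAP",   True,  "LDAPS (TCP 636)"),
    ("tcp", 443): ("HTTPS",  False, ""),
    ("tcp", 636): ("LDAPS",  False, ""),
    ("udp", 69):  ("TFTP",   True,  "SCP/SFTP, or confine TFTP to a segmented management network"),
    ("udp", 161): ("SNMP",   True,  "SNMPv3 on the same port (v1 and v2 are insecure)"),
}


def port_range(port: int) -> str:
    """IANA ranges: system 0-1023, user 1024-49151, private/dynamic 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "user"
    return "private"


def audit_listeners(listeners: List[Tuple[str, int]]) -> List[Dict[str, str]]:
    """Return one finding per listener that needs attention: a plaintext
    protocol (with its replacement) or a service the table cannot identify."""
    findings = []
    for transport, port in listeners:
        key = (transport.lower(), port)
        entry = {"listener": f"{transport}/{port}", "range": port_range(port)}
        if key not in KNOWN_PORTS:
            entry["protocol"] = "unknown"
            entry["action"] = "identify the service; an unexplained listener is a hardening gap"
            findings.append(entry)
            continue
        protocol, plaintext, replacement = KNOWN_PORTS[key]
        if plaintext:
            entry["protocol"] = protocol
            entry["action"] = f"plaintext on the wire; use {replacement}, or carry it over a VPN"
            findings.append(entry)
    return findings


if __name__ == "__main__":
    # Constructed listener list, in the form a port scan or netstat would give
    listeners = [("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 443),
                 ("tcp", 389), ("udp", 161), ("tcp", 8443)]
    for f in audit_listeners(listeners):
        print(f"{f['listener']:9} {f['protocol']:8} [{f['range']}] {f['action']}")
```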
Assessment: Network ports and applications
Which protocol lets you log securely into a
command line terminal interface?
A. FTP
B. LDAP
C. SSH
D. Telnet
SSH was designed to securely replace both
Telnet and FTP.
Assessment: Network ports and applications
How many total packets need to be exchanged
for a TCP handshake?
A. 2
B. 3
C. 4
D. 5
It's called a three-way handshake because it
requires SYN, SYN+ACK, and ACK packets to be
exchanged.
Assessment: Network ports and applications
What kind of communications would be suitable for
UDP? Choose all that apply.
A. DNS requests
B. File transfers
C. Online games
D. Streaming video
E. Website connections
DNS requests, online games, and streaming video
tend to be time-sensitive and individual packets are
disposable.
Assessment: Network ports and applications
Your company's custom server software
application needs a TCP port to listen on. What
port range should it be configured to use?
A. Private
B. System
C. User
Private ports are usually for temporary
applications, and system ports for registered
IANA applications, so a user port is best.
Assessment: Network ports and applications
What protocol would you use to connect to a
shared drive on another Windows system?
Choose the best answer.
A. AFP
B. FTP
C. SMB
D. SNMP
Server Message Block is the default file sharing
protocol used by Microsoft networks.
Assessment: Network ports and applications
HTTPS adds security to HTTP and uses a
different port, but otherwise is
fundamentally the same. True or false?
A. True
B. False
True. HTTPS uses port 443 and SSL or TLS
security, but is otherwise unchanged.
Summary: Network fundamentals
You now know:
About network models, Data Link layer technologies such as switches and VLANs, Network layer technologies such as routing and IP, and unconventional network devices like VoIP and SANs.
About IPv4 and IPv6 address formats, address resolution protocols, and network address translation.
How transport layer protocols work, about commonly used network ports, and how to identify common network application protocols.
Chapter 5: Securing networks
You will learn:
About network security appliances
How to harden networks
How to monitor networks and detect threats
Module A: Network security components
You will learn:
About network ACLs
About firewalls
About IDS and IPS systems
About other security and optimization devices
Network ACLs
Packet filtering
– MAC address
– IP address
– Port number
– Protocol
Implicit deny
Implicit allow
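An added example, not from the slides: a first-match packet filter that evaluates an ACL top-down on protocol, addresses and port, then applies either implicit deny or implicit allow to whatever matched nothing. The rule set and packets are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

```python
"""First-match packet-filter ACL with an implicit deny (or implicit allow) at
the end.  Added example; the rule set and the packets are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Rule:
    """One ACL entry: an action plus the packet fields it filters on.
    Any field left at its default matches everything."""

    def __init__(self, action: str, protocol: str = "any",
                 src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0",
                 dport: Optional[int] = None, name: str = ""):
        self.action = action            # "allow" or "deny"
        self.protocol = protocol        # "tcp", "udp", "icmp" or "any"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport
        self.name = name or f"{action} {protocol} {src} -> {dst}:{dport or 'any'}"

    def matches(self, pkt: Dict) -> bool:
        return (self.protocol in ("any", pkt["protocol"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(acl: List[Rule], pkt: Dict, default: str = "deny") -> Tuple[str, str]:
    """Walk the ACL top-down; the first matching rule decides.  A packet that
    matches no rule gets the default: implicit deny is the safe assumption,
    implicit allow lets anything unanticipated through."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, f"implicit {default}"


def build_acl() -> List[Rule]:
    """Constructed inbound ACL for a web server at 203.0.113.10."""
    return [
        Rule("allow", "tcp", dst="203.0.113.10/32", dport=443, name="public HTTPS"),
        Rule("allow", "tcp", src="10.0.0.0/8", dst="203.0.113.10/32", dport=22,
             name="SSH from internal management"),
        Rule("deny", "icmp", name="explicit deny ICMP"),
        # nothing else is listed, so anything unmatched falls to the default
    ]


def filter_log(acl: List[Rule], packets: List[Dict], default: str = "deny") -> List[str]:
    """Evaluate a batch and produce one log line per packet, the form in
    which a firewall log is read during monitoring."""
    lines = []
    for pkt in packets:
        action, reason = evaluate(acl, pkt, default)
        dport = pkt.get("dport", "-")
        lines.append(f"{action.upper():5} {pkt['protocol']} {pkt['src']} -> "
                     f"{pkt['dst']}:{dport} ({reason})")
    return lines


if __name__ == "__main__":
    packets = [
        {"protocol": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
        {"protocol": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
        {"protocol": "tcp", "src": "10.20.30.40", "dst": "203.0.113.10", "dport": 22},
        {"protocol": "icmp", "src": "10.20.30.40", "dst": "203.0.113.10"},
        {"protocol": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53},
    ]
    for line in filter_log(build_acl(), packets):
        print(line)
    # The same unmatched DNS packet under implicit allow instead of implicit deny:
    print(evaluate(build_acl(), packets[-1], default="allow"))
```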
Firewalls
Filtering types
Stateless
Stateful
Application layer
DMZ Topology
Bastion hosts
Three-homed firewall
Dual firewall
Network access control
Guest network
– Separate access point with only internet access
Posture assessment
– Ensures client meets security rules
– Quarantine network
Agents
– Persistent
– Non-persistent
Intrusion detection and prevention
Signature-based
– Looks for telltale signs of known attacks
Stateful protocol analysis
– Looks for abnormal protocol use
Anomaly-based/Heuristic
– Looks for unusual behavior patterns
IDS vs. IPS
Honeypots and honeynets
Decoy system
– No valuable resources
– Weak or flawed security
– Isolated from network
Honeynets
– Network of honeypots
Uses
– Testing
– Criminal investigations
Application layer security
Application layer firewall
– Web application firewall
Content filter
– Web filter
– Spam filter
Load balancing
Proxy servers
Unified threat management
Complete network security solutions
– Firewall
– IDS
– IPS
– Content filtering
– Network-based anti-malware
– DMZ interface
– NAT or proxy server
– VPN endpoint
– Network access control
– Posture assessment
– Industry-based regulatory compliance checking
Assessment: Network security components
ACLs are based on which assumption?
A. Explicit Allow
B. Explicit Deny
C. Implicit Allow
D. Implicit Deny
Unless traffic is explicitly allowed, it's
implicitly denied.
Assessment: Network security components
When configuring an IDS you might want to allow a
few false positives to make sure you never get any
false negatives, but not the opposite. True or false?
A. True
B. False
True. A false negative on an IDS is an attack you
never knew happened, and so is a worst-case
scenario. A false positive is just a false alarm, so it
costs a little time but doesn't compromise network
security.
Assessment: Network security components
Compared to routing tables, ACLs allow you
to check a lot more properties of incoming
traffic. True or false?
A. True
B. False
True. Even the simplest ACLs let you check
source addresses, while routing tables are
focused on destination addresses.
Assessment: Network security components
What kind of proxy would you use to mediate
communications between Internet-based clients
and LAN-based servers?
A. Anonymous
B. Forward
C. Reverse
D. Transparent
A reverse proxy is meant for that purpose. The
others are for LAN clients connecting outward.
Assessment: Network security components
What DMZ topology is displayed?
A. Bastion Host
B. Dual firewall
C. Three-homed firewall
D. UTM firewall
It is a three-homed firewall.
Assessment: Network security components
NIST defines the standards for UTM devices.
True or false?
A. True
B. False
UTM isn't a defined standard, but a
marketing term for "comprehensive"
network security solutions.
Module B: Hardening networks
You will learn:
About network segmentation
How to harden network hosts and data
How to harden network infrastructure devices
Segmenting networks
Collision domains
– No privacy without encryption/access control
– Mostly found in Wi-Fi hotspots
Broadcast domains
– Limited traffic control
– Vulnerable to eavesdropping
– Separated by routers, and optionally VLANs
Special network types
– Legacy devices
– Highly sensitive data
– Special devices
VPNs
Securing network data
Identify sensitive data
Harden hosts and devices
Use secure protocols
Identify information subject to regulatory requirements
Hardening network hosts
Perform updates
Disable unnecessary services
Configure firewalls
Configure antimalware
Disable unnecessary accounts
Disable or secure remote login
Secure network applications
Application policies
Policies for temporary network hosts
Monitoring
Securing network infrastructure
Harden devices like hosts
Secure management interfaces
– Change default username/password
– Physically secure interfaces
– Use secure protocols
Enable router and switch security
– MAC filtering
– DHCP snooping and ARP inspection
– ACLs
– Loop protection and flood guard
Deploy network security systems
Use redundant systems
Deploy access control technologies
Use strong encryption for WAN or VPN connections
Securing perimeter networks
Open only necessary ports
Never transmit data using insecure protocols
Minimize value of perimeter and bastion hosts
Ensure strong firewalls between DMZ and interior
Monitor exposed systems
Securing wireless access points
Harden like other network appliances
Use strong encryption
Disable WPS
Use 802.1X
Use VPNs on open Wi-Fi
Choose a unique SSID
Disable SSID broadcast and use MAC filtering for private networks
Use guest networks for untrusted clients
Configure captive portals on guest networks
Place WAP securely
Perform periodic site surveys
Assessment: Hardening networks
A perimeter network needs most of the same
security precautions as a trusted network, just
with a few extra concerns. True or false?
A. True
B. False
True. For example, perimeter networks have a
stronger need of secure protocols and should
have stricter host-level security.
Assessment: Hardening networks
It's a safe assumption that an attacker with
physical access to a system can compromise
any other security measures given time.
True or false?
A. True
B. False
True. This is why physical security for critical
devices is so important.
Assessment: Hardening networks
What's the most essential tool for segmenting
broadcast domains?
A. Bridges
B. Routers
C. Switches
D. VLANs
Routers are the primary tool to segment
broadcast domains, even if you're also placing
them on separate VLANs.
Assessment: Hardening networks
What feature primarily helps to protect
against DoS attacks?
A. Authentication systems
B. DMZ
C. Loop protection
D. SNMPv3
Use loop protection and flood guard
features to protect against DoS.
Assessment: Hardening networks
If there are two firewalls between the internet
and the interior network, they should be from
different vendors. True or false?
A. True
B. False
True. If they're from the same vendor, an
attacker who finds a vulnerability in one can
probably bypass both.
Module C: Monitoring and detection
You will learn:
About system and network monitoring tools
How to monitor network activity
Monitoring tools
Network analyzer
– Captures and analyzes network traffic
Interface monitor
– Examines specific network interface
Port mirrors
– Copies traffic from a port
Top talkers/listeners
– Detects frequent transmitters and recipients
Wireless analyzers
– Tests wireless congestion and reception
Monitoring tools (continued)
SNMP management software
– Monitoring or remote management
Logs
Syslog
– Centrally managed logs
SIEM
– Monitors and reports on logs
Physical monitoring
– Environmental conditions
Network analyzers
SNMP
Syslog
Header
– Unique identification including timestamp and generating device ID
Facility
– Type of program that generated the message
Severity level
– Ranges from 0 (Emergency) to 7 (debug)
Message
– Includes generating application name or service
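The header, facility, severity and message fields above, as an added example that is not code from the slides: a parser that decodes the PRI value into facility and severity for both the current RFC 5424 layout and the older BSD layout, then picks out the messages that warrant an alarm. The sample lines are constructed.

```python
"""Split syslog lines into header, facility, severity and message.

Added example, not part of the 30 Bird Media slides. It handles the RFC 5424
layout (<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA
MSG) and the older BSD layout (<PRI>TIMESTAMP HOSTNAME TAG: MSG). The sample
lines at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Severity 0 (Emergency) .. 7 (Debug), as on the slide.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# Facility codes 0..23; short names as used by common syslog daemons
# (the RFC leaves some of 12-15 to the implementation).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
TAG_RE = re.compile(r"^(?P<app>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<rest>.*)$")


@dataclass(frozen=True)
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    message: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def split_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so the valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line: str) -> SyslogMessage:
    m = RFC5424_RE.match(line)
    if m:
        if m["version"] != "1":
            raise ValueError(f"unsupported syslog version {m['version']}")
        facility, severity = split_pri(int(m["pri"]))
        return SyslogMessage(facility, severity, m["ts"], m["host"],
                             m["app"], m["procid"], m["msg"] or "")
    m = BSD_RE.match(line)
    if m:
        facility, severity = split_pri(int(m["pri"]))
        tag = TAG_RE.match(m["msg"])          # "ntpd[42]: text" -> app, pid, text
        if tag:
            app, procid, text = tag["app"], tag["pid"] or "-", tag["rest"]
        else:
            app, procid, text = "-", "-", m["msg"]
        return SyslogMessage(facility, severity, m["ts"], m["host"], app, procid, text)
    raise ValueError(f"not a syslog line: {line!r}")


def alarms(messages: list[SyslogMessage], max_severity: int = 2) -> list[SyslogMessage]:
    """Emergency, Alert and Critical messages are the ones worth an alarm;
    everything from Error downward is alert or trend material."""
    return [m for m in messages if m.severity <= max_severity]


# Constructed sample lines: PRI 34 = auth/Critical, 165 = local4/Notice,
# 13 = user/Notice (BSD format with a TAG[pid] prefix).
SAMPLE_LINES = [
    "<34>1 2016-05-11T22:14:15.003Z fw01.example.com sshd 1921 ID47 - "
    "Failed password for root from 203.0.113.9 port 51122 ssh2",
    '<165>1 2016-05-11T22:14:16Z app01 myapp - ID48 [exampleSDID@32473 iut="3"] User login ok',
    "<13>May 11 22:14:17 switch01 ntpd[42]: clock step +0.4s",
]

if __name__ == "__main__":
    parsed = [parse_syslog(line) for line in SAMPLE_LINES]
    for m in parsed:
        print(f"{m.facility_name}.{m.severity_name:<13} {m.host:<17} {m.app}: {m.message}")
    print("alarms:", [m.host for m in alarms(parsed)])
```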
System logs
Network security posture
1. Baseline configuration
2. Security monitoring
– Vulnerability assessments
– Security audits
3. Remediation policy
Vulnerability scanners
Protocol analyzer
– AKA Sniffer
Port scanner
– Finds open ports
Network mapper
– Finds subnet information
Password cracker
Vulnerability tester
– Web application
– Database
Wireless scanner
Security audits
Logs
Incident response reports
User activities
User accounts and permissions
Device configurations
Installed applications
Incident reports
Alarms
– High priority notifications
Alerts
– Lower priority notices of non-critical changes
Trends
– Aggregate reports of minor events
Network security troubleshooting
Changes and unusual behaviors
– Suspicious performance problems
– Unauthorized probing and eavesdropping
– Unauthorized users and devices
Security bypasses
– Only disable security measures during formal troubleshooting
– Only disable immediately relevant controls
– Isolate systems during troubleshooting
– Re-enable after troubleshooting
Relaxing security only as necessary
Assessment: Monitoring and detection
An interface monitor is likely to be one part
of a larger monitoring tool. True or false?
A. True
B. False
True. An interface monitor tracks the activity
of a specific interface, so is usually part of
some sort of broader application or device.
Assessment: Monitoring and detection
What SNMP component is a database for a
particular device?
A. Agent
B. Manager
C. MIB
D. OID
A Management Information Base contains
all OIDs for a specific managed device.
Assessment: Monitoring and detection
Even though Syslog has been around a very long time, it hasn't always been a well-defined standard. True or false?
A. True
B. False
True. While it was developed in the 1980s,
until 2009 there was no unifying standard
and existing implementations could differ.
Assessment: Monitoring and detection
What kind of tool is often called a sniffer?
A. Database vulnerability tester
B. Network mapper
C. Protocol analyzer
D. Wireless analyzer
Protocol analyzers are commonly called
sniffers.
Summary: Securing networks
You should now know:
About network security components,
including network ACLs, firewalls, IDS/IPS
systems, honeypots, content filters, load
balancers, proxy servers, and UTM solutions.
How to harden networks using segmentation
and a defense in depth strategy.
How to use monitoring and detection tools to
maintain network performance and security,
and how to evaluate network security posture
through a regular monitoring and incident
handling process.
Chapter 6: Authentication
You will learn:
About authentication factors and
principles
About authentication systems
Module A: Authentication factors
You will learn:
About the AAA process
About authentication factors and credentials
About single sign-on
The AAA process
Security principals
Authentication
– Verified identification of a principal
Authorization
– Specifying accessible resources
Accounting
– Tracking user actions
Authentication factors
Knowledge
– Something you know
Possession
– Something you have
Inherence
– Something you are
Behavior
– Something you do
Location
– Somewhere you are
Multifactor authentication
Digital credentials
Digital certificate
– Verifiable cryptographic signature
One-time-password
– Generated by pseudorandom algorithm
Hardware token
– Stores OTP generator or certificate
Software token
Magnetic stripe card
– Not secure
Smart card
– Contains cryptographic chip
– Contact or contactless
– CAC, PIV, SIM
One-time password generation
Shared secret + moving factor
HMAC-based One-Time Password (HOTP)
– Uses hash-based message authentication code plus a counter
Time-based One-Time Password (TOTP)
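The HOTP and TOTP constructions above, as an added example that is not code from the slides: HOTP from a shared secret and a counter, TOTP as the same function with a time step as the moving factor, and the server-side checks with a counter look-ahead and a clock-skew window. The secret used is the RFC 4226 test-vector key.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library only.

Added example, not part of the 30 Bird Media slides. RFC4226_SECRET is the
RFC's own test-vector key, so the codes this produces can be checked against
the published vectors (counter 0 -> 755224, counter 1 -> 287082, ...).
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time
from typing import Optional

RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Shared secret + counter -> HMAC -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP whose moving factor is the number of step-second
    intervals elapsed since the Unix epoch instead of an event counter."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step, digits, algo)


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server side: accept the first of the next `look_ahead` counter values
    that matches (the user may have generated codes without logging in).
    Returns the counter to store, or None; a counter value is never reused."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                step: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Accept the current interval plus `skew` intervals either side to
    tolerate clock drift between token and server."""
    t = int(time.time() if now is None else now)
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, t // step + k, digits), code):
            return True
    return False


if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP counter {counter}: {hotp(RFC4226_SECRET, counter)}")
    print("TOTP at T=59 (8 digits):", totp(RFC4226_SECRET, now=59, digits=8))
    print("current TOTP:", totp(RFC4226_SECRET))
```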
Single sign-on
Transitive trust and federations
Transitive trust
Federated identity
Multiple networks sharing authentication standards
Makes SSO easier to implement
Assessment: Authentication factors
What AAA element specifies the exact resources
a given principal is allowed to access?
A. Accounting
B. Authentication
C. Authorization
D. Identification
Authorization determines resource access for an
authenticated user.
Assessment: Authentication factors
You require your users to log on using a username,
password, and rolling 6-digit code sent to a keyfob
device. They are then allowed computer, network, and
email access. What type of authentication have you
implemented? Choose all that apply.
A. Basic single-factor authentication
B. Federated identity management
C. Multi-factor authentication
D. Principle of least privilege
E. Single sign-on
You have implemented single sign-on and multi-factor
authentication.
Assessment: Authentication factors
What are good examples of two-factor authentication?
Choose all that apply.
A. A credit card and a photo ID
B. A credit card and a security code
C. A credit card and a signature
D. A password followed by a security question
E. A password followed by a PIN texted to your phone
A credit card and security code, a credit card and
signature, and a password with proof of possessing your
phone all are two-factor authentication.
Assessment: Authentication factors
What authentication standard is used by active
duty US military personnel?
A. CAC
B. PIV
C. OTP
D. SIM
The Common Access Card is a smart card with
human-readable identification, barcodes, a chip
with strong cryptographic functions, and a
magnetic stripe for local security systems.
Assessment: Authentication factors
Federated identity management allows
authentication systems to be shared across
multiple directly associated systems or
networks. True or false?
A. True
B. False
False. Federations don't need to be directly
associated, only to share authentication
standards.
Module B: Authentication protocols
You will learn:
About PPP authentication systems
About network authentication systems and protocols
Network authentication systems
Secure resources or restrict access
Authentication server
Uses:
– Authenticate remote connections
– Secure communications across unsecured network
– Authenticate users joining LAN or WLAN
Point-to-point protocol
PPP authentication
PAP – Password Authentication Protocol
– Insecure, plaintext exchange
CHAP – Challenge-handshake Authentication Protocol
– Somewhat secure but vulnerable
MS-CHAP – Microsoft CHAP
– Improved CHAP, still not very secure
EAP – Extensible Authentication Protocol
– Message format supporting a wide variety of authentication methods
– EAP-TLS, EAP-SIM, WPA Enterprise, etc.
RADIUS
Designed for dial-in
Used for PPP and wireless networks
Client-server system
– Client is remote access server, not user workstation
PPP protocols used for relaying credentials
RADIUS authentication
1. NAS requests authentication
2. NAS sends access request to server
3. Server evaluates credentials, replies to NAS
4. NAS responds to client
– Accept
– Reject
– Challenge
TACACS+
Terminal Access Controller Access Control System
Advantages over RADIUS
– TCP rather than UDP, improved scaling
– More complete encryption
– Fully separates all three AAA steps
– Supports non-IP protocols
Disadvantages vs. RADIUS
– Resource intensive
– Proprietary
– Primarily intended for network devices
RAS
Used by Windows Server
Server directly authenticates connection
RRAS includes routing capability
Allows Windows server to act as an ISP
Not to be confused with RDP
802.1X
Used mostly for WPA Enterprise
RADIUS server using EAP
Less secure for wired networks
Kerberos
Widely-used SSO system
– Authentication server is trusted third party
Realm
– Basic Kerberos network unit
Principal
– Node belonging to a realm
Key distribution center
– Authentication server
– Ticket-granting server
Kerberos authentication
1. Client authenticates with AS
2. AS gives a ticket-granting-ticket (TGT)
3. Client presents TGT to TGS
4. TGS gives resource ticket
5. Client requests resource
6. Resource server grants access
LDAP
Simplified version of X.500 (Directory Access Protocol)
Centralized access to database with network information
Queries used in scripts or sent as URLs
Active Directory uses LDAP and Kerberos
Intended for trusted networks
Secure LDAP is more secure, but still not considered safe on the internet.
SAML
XML-based SSO
– Google
– Salesforce
Principal contacts service provider first
– SP asks IP for identity verification
Allows many authentication mechanisms
Assessment: Authentication protocols
Which protocol is more of a message framework
than an authentication method in itself?
A. CHAP
B. EAP
C. MS-CHAP
D. PAP
Extensible Authentication Protocol supports a
large number of different authentication
methods as extensions.
Assessment: Authentication protocols
What kind of server is generally used as a
backend for an 802.1X WAP?
A. KERBEROS
B. RADIUS
C. TACACS+
D. TKIP
Most 802.1X implementations use RADIUS,
though Diameter and TACACS+ among others
are possible.
Assessment: Authentication protocols
Compared to RADIUS, TACACS+ is ________.
Choose all that apply.
A. Better able to support non-IP protocols
B. Better suited to large networks
C. Less complicated to administer
D. More secure
E. Primarily intended for authentication
TACACS+ supports non-IP protocols, scales
better, and is more secure.
Assessment: Authentication protocols
What protocol do Google and Salesforce use
for SSO?
A. Kerberos
B. LDAP
C. RADIUS
D. SAML
They use SAML.
Assessment: Authentication protocols
Unlike LDAP, LDAPS ________? Choose all that apply.
A. Includes SSL or TLS encryption
B. Is compatible with Unix-based operating systems
C. Is safe for use on the public internet
D. Uses port 389
E. Uses port 636
LDAPS uses port 636 and encrypts traffic, but it's still not
considered very secure for internet use. Both are
compatible with a wide range of operating systems.
Summary: Authentication
You now know:
About the AAA process, authentication
factors, common digital credentials, and
how SSO and federated identities work.
About common network authentication
protocols, including PPP authentication
protocols, RADIUS and its relatives,
Kerberos, LDAP, and SAML.
Chapter 7: Access control
You will learn:
About access control principles
About account management
Module A: Access control principles
You will learn:
How to compare and contrast access control models
About ACLs
About NTFS permissions and inheritance
Access control models
Discretionary access control (DAC)
– Object owner controls access
– Common in file systems
Mandatory access control (MAC)
– Administrators assign security labels
– Common for military and high-security environments
Rule-based access control (RBAC)
– Administrators define access rules
– Used by routers and firewalls
Role-based access control (RBAC)
– Administrators define permissions for roles which users can belong to
– Popular in commercial applications and military systems
Default permissions
– Implicit deny is more secure
Unix-like file permissions
Principals
– Owner
– Group
– Other users
Permission types
– Read
– Write
– Execute
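The owner/group/other triplets above, as an added example that is not code from the slides: a converter between ls-style strings such as -rwxrw-r-- and numeric modes, covering the setuid, setgid and sticky letters, plus a small world-writable audit check.

```python
"""Convert ls-style symbolic permissions such as -rwxrw-r-- to the numeric
mode and back, and answer "what may this principal do?".

Added example, not part of the 30 Bird Media slides.
"""
from __future__ import annotations

import stat

PRINCIPALS = ("owner", "group", "other")


def split_mode(symbolic: str) -> dict[str, str]:
    """-rwxrw-r-- -> {'type': '-', 'owner': 'rwx', 'group': 'rw-', 'other': 'r--'}"""
    if len(symbolic) != 10:
        raise ValueError(f"expected 10 characters, got {symbolic!r}")
    return {"type": symbolic[0], "owner": symbolic[1:4],
            "group": symbolic[4:7], "other": symbolic[7:10]}


def to_numeric(symbolic: str) -> int:
    """Symbolic -> numeric mode, including setuid/setgid (s/S) and sticky (t/T)."""
    parts = split_mode(symbolic)
    mode = 0
    for i, who in enumerate(PRINCIPALS):
        r, w, x = parts[who]
        shift = 6 - 3 * i                  # owner bits are the highest octal digit
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in "xst":                     # lower-case special letters also mean executable
            mode |= 1 << shift
        if who == "owner" and x in "sS":
            mode |= stat.S_ISUID
        elif who == "group" and x in "sS":
            mode |= stat.S_ISGID
        elif who == "other" and x in "tT":
            mode |= stat.S_ISVTX
    return mode


def to_symbolic(mode: int, file_type: str = "-") -> str:
    """Numeric -> symbolic; stat.filemode renders s/S/t/T for the special bits."""
    return file_type + stat.filemode(mode & 0o7777)[1:]


def rights(symbolic: str, who: str) -> set[str]:
    """Rights of one principal as a subset of {'read', 'write', 'execute'}.
    Upper-case S/T mean the special bit is set but execute is not."""
    names = {"r": "read", "w": "write", "x": "execute", "s": "execute", "t": "execute"}
    return {names[c] for c in split_mode(symbolic)[who] if c in names}


def is_world_writable(symbolic: str) -> bool:
    """Quick audit check: anything writable by 'other' deserves a second look."""
    return "write" in rights(symbolic, "other")


if __name__ == "__main__":
    for mode in ("-rwxrw-r--", "-rwsr-xr-x", "drwxrwxrwt", "-rw-rw-rw-"):
        print(f"{mode}  {to_numeric(mode):05o}  group={sorted(rights(mode, 'group'))}"
              f"  world-writable={is_world_writable(mode)}")
```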
NTFS file permissions
Principals
– Owner
– Any number of groups
SID
– Security identifier
– Identifies a principal
ACE
– Access control entry
– Permissions for a SID
DACL
– Dynamic access control list
– Contains all ACEs applying to one principal
Mandatory access control
Supported by some operating systems
Bell-LaPadula model
– No read up
– No write down
Role-based access control
Elements of MAC and DAC
No strict ownership of content
Permissions assigned centrally
Roles are similar to groups
Permissions typically additive
Rule-based access control
Rules set by administrator
Simple and widely used
– Network ACLs
– Software whitelists or blacklists
Rule types
– Static
– Dynamic
Inherited permissions
NTFS copy
NTFS move
Stopping permissions inheritance
Propagating permissions
Assessment: Access control principles
Secure access control models are based on
which assumption?
A. Explicit Allow
B. Explicit Deny
C. Implicit Allow
D. Implicit Deny
Secure systems disallow any access that isn't
explicitly allowed, meaning that if no rules apply
it's implicitly denied.
Assessment: Access control principles
What access control model was popularized by
military usage?
A. Discretionary
B. Mandatory
C. Role-based
D. Rule-based
MAC using the Bell-LaPadula model was
popularized by military use.
Assessment: Access control principles
What access control model is used by
network hardware such as routers?
A. Discretionary
B. Mandatory
C. Role-based
D. Rule-based
Network ACLs are rule-based access control.
Assessment: Access control principles
What identifies a security principal in an NTFS
file system?
A. ACE
B. DACL
C. LBAC
D. SID
A security identifier is a principal. A SID's
permissions are defined by a DACL consisting of
individual ACEs.
Assessment: Access control principles
What group permissions would a Linux file have
if its permissions displayed as -rwxrw-r--?
A. Read and write
B. Read only
C. Read, write, and execute
D. Write only
The group permissions are the middle triplet, so rw- means read and write.
Module B: Account management
You will learn:
About Active Directory user management
How to create groups and other objects
About group policy objects
How to enforce account policies in Windows
Active Directory objects
User
Contact
Computer
Printer
Shared folder
Group
– Security
– Distribution
Organizational Unit (OU)
Creating AD objects
Information needed depends on type
Groups
– Type
– Scope
OUs
Group scopes
Domain local
– Visible in own domain
– Can contain most objects
– Can belong only to other domain local groups
– Best used to assign permissions
Global
– Visible everywhere
– Can contain objects in same domain
– Can belong to any universal or domain local group
– Best used to organize users
Universal
– Visible everywhere
– Can contain objects from any domain
– Can belong to any universal or domain local group
– Best used to nest global groups
Managing objects
Assigning special permissions
Group policy objects
Managing group policies
1. Local GPO (set on the current computer)
2. Site GPO
3. Domain GPO
4. Organizational unit GPO
5. Child OU GPO
Setting GPO options
Password policy
Account lockout policy
Audit policy
Event log
User rights assignment
Security options
Managing user accounts
Define policies, then enforce them
– Strong but manageable passwords
– Lockout policy
– Credential management
– Disable unneeded accounts
– Assign group permissions
– Avoid generic accounts
– Two accounts for administrators
Continuous review
– Enable auditing logs
– Review user access settings
Assessment: Account management
What order does Windows process GPOs in?
A. Child OU GPO
B. Domain GPO
C. Local GPO
D. Organizational Unit GPO
E. Site GPO
The correct order is C, E, B, D, A.
Assessment: Account management
Where is the best place to assign permissions?
A. A domain local group
B. A global group
C. An individual user
D. A universal group
You should generally assign permissions to
domain local groups, then assign global groups
to the domain local group.
Assessment: Account management
When you enforce password complexity in Windows, you can't edit the precise complexity requirements. True or false?
A. True
B. False
True. If it is enabled, it uses Windows’
definition of a complex password.
Assessment: Account management
Low account lockout thresholds are
__________.
A. Less secure, and less trouble for users
B. Less secure, but more trouble for users
C. More secure, but less trouble for users
D. More secure and more trouble for users
If it's very low, it's hard for an attacker to guess
passwords without getting locked out, but easy
for forgetful or careless users to lock themselves
out.
Assessment: Account management
Why would you set a minimum password age in the
GPO? Choose the best response.
A. To keep users from choosing simple passwords
B. To keep users from bypassing history
requirements
C. To prevent attackers from easily cracking
passwords
D. To make sure users change their passwords
regularly
Without a minimum password age, users can
bypass history requirements with rapid changes.
Summary: Access control
You should now know:
About access control models, including
DAC, MAC, and both interpretations of
RBAC. You should also be able to set and
interpret file access permissions and
inheritance.
How to manage user accounts, groups,
and OUs in Active Directory, and how to
secure systems and networks using Group
Policy Objects.
Chapter 8: Cryptography
You will learn:
About cryptographic concepts
About public key infrastructure
How to use transport encryption
Module A: Cryptography concepts
You will learn:
About cryptographic principles
About symmetric and asymmetric encryption
About cryptographic hashing
About encryption
Message
– Plaintext
– Ciphertext
Key strength
– Work factor
Classical ciphers
Substitution ciphers
– Vulnerable to frequency-based attacks
– One-time pad
Transposition ciphers
– Vulnerable to partial solution attacks
Steganography
– Hides existence of secret message
– Digital variants
Digital encryption
Uses
– Transport
– Storage
– Memory
Methods
– Symmetric
– Asymmetric
– Hashing
XOR functions
Key strength
Key length n = 2^n combinations
Key length vs. effective strength
– Advancing computing power requires stronger encryption over time
– Varies by type of encryption
– Cryptographic vulnerabilities
Key security
Security vs. performance
– Legal restrictions
Stream vs. block cipher
Semantic security
Modes of operation
ECB
– Electronic Code Book
CBC
– Cipher Block Chaining
CFB
– Cipher FeedBack
OFB
– Output FeedBack
CTR
– Counter
Initialization vector / nonce
Symmetric algorithms
DES (Data Encryption Standard)
– Obsolete, 56-bit key
3DES (Triple DES)
– Three 56-bit keys, but effectively 80-bit
AES (Advanced Encryption Standard)
– NSA standard, 128 to 256-bit key
Blowfish
– First strong public domain cipher, variable key size
Twofish
– Improved Blowfish, AES competitor
Serpent
– AES finalist, powerful but slow
RC4 (Rivest Cipher/Ron's Code)
– Stream cipher, old but common
CAST
– Popular family, includes CAST-128 and CAST-256
Key life cycles
Key duration
– Static
– Ephemeral
Key generation
Key exchange
– In-band
– Out-of-band
Perfect forward secrecy
Asymmetric encryption
Public and private keys
– One key encrypts, opposite decrypts
Uses
– Key exchange
– Authentication and non-repudiation
Drawbacks
– Longer keys
– Slower performance
Asymmetric algorithms
RSA (Rivest, Shamir, Adleman)
– Key generated from two prime numbers
– Up to 4096-bit key
– Widely used for digital signatures
ECC (Elliptic Curve Cryptography)
– Based on exotic mathematics
– Higher performance and shorter keys than RSA
DH (Diffie-Hellman)
– First openly published public-key system
– Many variants
Quantum cryptography
– Quantum key distribution
Cryptographic hashes
One-way functions
– Easy to verify, hard/impossible to recover
Data integrity
– Creates fingerprint of data
Data identification
– Hash table
Key generation
– Pseudorandom string
Password storage
– User password hashed and compared to stored hash
– Salting for added security
Hash-based authentication
1. Hash value alone
2. Keyed-hash message authentication code (HMAC)
3. Digital signature
Hash algorithms
MD5 (Message Digest 5)
– 128-bit, obsolete
SHA-1 (Secure Hash Algorithm 1)
– 160-bits, being phased out
SHA-2 (Secure Hash Algorithm 2)
– SHA-256, SHA-512
SHA-3 (Secure Hash Algorithm 3)
RIPEMD
Windows hashes
– LM hash, NTLM
Password hashes
– bcrypt, PBKDF2
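The password-storage flow from the cryptographic hashes slide (hash the password with a salt, store the result, hash and compare at login) together with the PBKDF2 entry above, as one added example that is not code from the slides. The "$"-separated record format and the iteration count are this example's own assumptions.

```python
"""Salted, iterated password storage with PBKDF2-HMAC-SHA256.

Added example, not part of the 30 Bird Media slides. The record format
(algorithm$iterations$salt$digest, base64) and the iteration count are
this example's own conventions, not a standard.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt and return a self-describing record."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join((ALGO, str(iterations), _b64(salt), _b64(digest)))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored work factor is below current policy; rehash at
    the next successful login, since the plaintext is only available then."""
    return int(record.split("$")[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """The weak alternative: identical passwords give identical hashes, so one
    precomputed table covers every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("correct horse battery stable", record))
    print("same pw, different salt:",
          record != hash_password("correct horse battery staple"))
    print("unsalted hashes collide:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```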
Assessment: Cryptography concepts
Order the following encryption ciphers from
weakest to strongest.
A. 3DES
B. AES
C. Blowfish
D. DES
DES, 3DES, Blowfish, AES
Assessment: Cryptography concepts
Which of the following was originally designed
as a stream cipher?
A. AES
B. Blowfish
C. RC4
D. Twofish
RC4 is a stream cipher by design. The others are
block ciphers commonly used in stream mode.
Assessment: Cryptography concepts
What asymmetric algorithm uses complex new
mathematical approaches to create relatively short
but very secure and high-performance keys?
A. DH
B. ECC
C. RIPEMD
D. RSA
Elliptic Curve Cryptography uses algorithms based
on the difficulty of calculating certain properties of
elliptical curves.
Assessment: Cryptography concepts
According to NIST, what is the effective strength
of a 168-bit 3DES key? Choose the best
response.
A. 56-bit
B. 80-bit
C. 112-bit
D. 168-bit
Due to technical limitations and encryption
flaws, it's only as strong as an ideal 80-bit key.
Assessment: Cryptography concepts
What process gives integrity, authenticity, and
non-repudiation?
A. Diffie-Hellman key exchange
B. Digital signature
C. Hashing
D. HMAC
A hash alone gives integrity, and an HMAC adds
authenticity, but a digital signature adds nonrepudiation.
Assessment: Cryptography concepts
What hash algorithm is available in 256- and
512-bit variants? Choose the best response.
A. MD5
B. RIPEMD
C. SHA-1
D. SHA-2
RIPEMD and SHA-2 both allow multiple lengths,
but RIPEMD only goes up to 320 bits.
Module B: Public key infrastructure
You will learn:
About digital certificates
About certificate authorities
About the certificate life cycle
Digital certificates
Also known as public key certificates
Contents
– Public key
– Owner identity
– Additional information
– Digital signatures attesting to authenticity
Not to be confused with digital signatures
– Signature proves authenticity of a message
– Certificate proves identity of a user or system
Trust models
Public key infrastructure (PKI)
Web of trust
Certificate formats
Certificate authorities
CA signs and revokes certificates
CAs must show themselves trustworthy
– Certification Practice Statement (CPS)
Root certificates
– Out-of-band distribution
Certificate generation
– Limited purpose
– Multi-domain
– Wildcard
– Extended Validation (EV)
Certificate revocation
Revoked vs. hold
Certificate revocation list (CRL)
– List of all revoked certificates
Online Certificate Status Protocol (OCSP)
– Shows status of a particular certificate
Assessment: Public key
infrastructure
What is true of a digital certificate, but not true of a
digital signature? Choose all that apply.
A. Has a valid starting and ending date
B. Proves the authenticity of a message
C. Proves the authenticity of a person or system
D. Provides non-repudiation
E. Requires both an asymmetric key pair and a
hashing algorithm
Only a digital certificate has a validity period and
proves the authenticity of a security principal.
Assessment: Public key
infrastructure
What defines an EV certificate?
A. It applies to more than one domain
B. It lasts longer than a normal certificate
C. It requires a stricter identity verification
process on application
D. It uses stronger cryptography
An extended validation certificate is backed by a
stricter identity validation process than the CA's
default.
Assessment: Public key
infrastructure
What's generally seen as the most modern and
flexible way to find out if a certificate has been
revoked?
A. ASN.1
B. CRL
C. CSR
D. OCSP
Online Certificate Status Protocol queries the status of one
certificate on demand, so it uses less bandwidth than downloading a
full Certificate Revocation List and gives a fresher answer than a
CRL published on a schedule. Responses are still cached for a
validity window, and many clients fail open if the responder is
unreachable, so it is not a guarantee of real-time status.
Assessment: Public key
infrastructure
Your employer demands a copy of all private keys used
on devices you use for work, since regulatory
requirements require them to be able to decrypt any
official communications when legally requested.
A. Key escrow
B. Key recovery
C. PKI hierarchy
D. Revocation
Key escrow is storing a copy of a private key with a third party,
especially when the third party is some sort of authority.
Assessment: Public key
infrastructure
What certificate formats commonly use the web
of trust model?
A. ASN.1
B. Bridge
C. OpenPGP
D. X.509
Unlike X.509 certificates, OpenPGP certificates
can either be issued by a CA or part of a web of
trust.
Module C: Transport encryption
You will learn:
How cryptography fits in the OSI model
About SSL and TLS
About secure application protocols
About Wi-Fi encryption standards
About VPN technologies
Cryptography in the OSI model
Model has no dedicated security layer; encryption can be applied at several layers, each with different trade-offs
Upper-layer encryption
Lower-layer encryption
Potential problems
– Network headers
– Traffic shapers
– Content filters
SSL and TLS
Upper layer protocols
– Secure Sockets Layer 2.0 and 3.0 (1.0 was never released); all SSL versions are now deprecated
– Transport Layer Security 1.0-1.2 (1.3 was standardized later, in 2018)
Certificate-based
– Asymmetric key exchange
– Symmetric bulk encryption
– One-way or dual authentication
Cipher suites
SSL applications
HTTPS
– HTTP over SSL/TLS
FTPS
Email
– SMTP, POP, IMAP
SNMPv3
– Note: its standard protection is the User-based Security Model (HMAC authentication, DES/AES privacy), not SSL/TLS; a TLS/DTLS transport (RFC 6353) exists but is optional
EAP-TLS
SSL VPN
Secure shell
Designed to replace Telnet and rlogin
Includes file transfer protocols
– SCP
– SFTP
– rsync (not part of SSH itself, but commonly run over an SSH transport)
Uses public key cryptography
– Host and user keys are usually raw key pairs verified by fingerprint; X.509 certificates are only one option
Secure email
Secures message text, not just transfer
S/MIME (Secure/Multipurpose Internet Mail
Extensions)
– Uses X.509 certificates
– Supported by most modern clients
– Only common in high-security enterprise
environments
PGP (Pretty Good Privacy)
– Uses OpenPGP certificates on web of trust
model
– Commercial and free support
Wireless encryption
Layer 2 encryption
WEP (Wired Equivalent Privacy)
– Extremely weak: the 24-bit IV repeats quickly and RC4 key-scheduling flaws let an attacker recover the key from captured traffic
WPA (Wi-Fi Protected Access)
– Based on draft 802.11i
– TKIP wraps RC4 with per-packet keys and an integrity check; stronger than WEP but still flawed and now deprecated
– AES-CCMP is considered secure
WPA2
– Based on the ratified 802.11i standard
– AES-CCMP mode is the strongest Wi-Fi encryption of those listed
WPA authentication
WPA-Personal
– Pre-shared passphrase is stretched with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations) to create the 256-bit key
– Convenient, but only one key for the whole hotspot, and anyone who captures a handshake can guess passphrases offline
WPA-Enterprise
– 802.1X using authentication server
– EAP-TLS or PEAP authentication
– Allows individual credentials
WPS (Wi-Fi Protected Setup)
– Convenient, but insecure and should be disabled: the 8-digit PIN is checked in two halves, so brute force needs only about 11,000 attempts
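An added example, not part of the course, of the WPA-Personal key derivation described above and of why a captured handshake allows offline guessing. The derivation parameters (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) are the standard's; the hotspot name, passphrase and wordlist in the scenario are constructed, and the attack is simplified to comparing derived keys rather than checking a handshake MIC.

```python
import hashlib
import hmac
from typing import Iterable, Optional

PSK_ITERATIONS = 4096   # fixed by the WPA/WPA2 specification
PSK_LEN = 32            # 256-bit PMK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PSK (= PMK): PBKDF2-HMAC-SHA1 with the SSID
    as salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, dklen=PSK_LEN)


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """The same derivation written out (RFC 2898 F function), so the cost an
    attacker pays per guess is visible: 'iterations' chained HMACs per 20-byte block."""
    out = b""
    block = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]


def offline_guess(target_psk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Model of the offline attack on WPA-Personal: each candidate passphrase costs
    one PBKDF2 run, and the SSID salt means precomputed tables must be built per SSID.
    (A real attacker captures the 4-way handshake and checks the MIC rather than
    comparing the PMK directly; the per-guess cost is the same.)"""
    for word in wordlist:
        if hmac.compare_digest(wpa_psk(word, ssid), target_psk):
            return word
    return None


if __name__ == "__main__":
    # IEEE 802.11 annex test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    # Constructed scenario: a hotspot with a weak passphrase and a tiny wordlist
    captured = wpa_psk("letmein1", "CoffeeShop")
    print(offline_guess(captured, "CoffeeShop", ["password", "12345678", "letmein1"]))
```

The fixed 4096 iterations were chosen for 2004-era access points; a modern GPU runs hundreds of thousands of guesses per second, so passphrase length, not the derivation, is what protects a WPA-Personal network.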
Virtual private networks
VPN components
VPN solutions
GRE (Generic Routing Encapsulation)
– Tunneling but no security, used with other protocols
PPTP (Point-to-Point Tunneling Protocol)
– PPP packets over GRE; its MS-CHAPv2 authentication is broken, so it is not secure
L2TP/IPsec (Layer 2 Tunneling Protocol/IP Security)
– Can be very secure, natively supported by most
operating systems
SSL/TLS
– Secure, but supported mostly via third-party solutions
– OpenVPN, SSTP
SSH
– Typically used to tunnel single applications
IPsec
IKE (Internet Key Exchange)
– Negotiates secure connections
Authentication Header (AH)
– Provides data integrity and source authentication, covering the IP header too
Encapsulating Security Payload (ESP)
– Encrypts the packet payload, and can authenticate it as well
AH and ESP can be used separately or together
– AH has stronger source authentication because it also covers the IP header, but that breaks through NAT
– Only ESP encrypts data; ESP with authentication is the usual choice
– Both together can be slow
IKE negotiation
IPsec traffic
ESP security
AH security
Assessment: Transport encryption
Order WAP encryption methods from most to
least secure.
A. WEP
B. WPA-AES
C. WPA-TKIP
D. WPA2-AES
E. WPA2-TKIP
Most to least secure is WPA2-AES, WPA-AES,
WPA2-TKIP, WPA-TKIP, and WEP.
Assessment: Transport encryption
Your WAP is currently secured with WPA Personal encryption,
using a shared key. Which of the following is true? Choose the
best response.
A. Enabling WPS could increase security, but enabling 802.1X would reduce it.
B. Enabling 802.1X could increase security, but enabling WPS would reduce it.
C. Enabling either WPS or 802.1X could increase security.
D. Enabling either WPS or 802.1X would reduce security.
WPS has serious security vulnerabilities. 802.1X, or WPA
Enterprise, is potentially more secure than WPA Personal.
Assessment: Transport encryption
On an IPsec VPN, what protocol negotiates
security associations?
A. AH
B. ESP
C. IKE
D. L2TP
Internet Key Exchange creates SAs by
negotiating security settings and exchanging
keys.
Assessment: Transport encryption
What secure protocols add SSL/TLS security to
protocols which were insecure on their own?
Choose all that apply.
A. FTPS
B. HTTPS
C. SFTP
D. SNMPv3
E. SSH
FTPS and HTTPS wrap an application protocol that is insecure on its
own in SSL/TLS. SNMPv3 secures itself with its own User-based Security
Model rather than SSL/TLS, and SFTP and SSH are separate secure
protocols.
Assessment: Transport encryption
What VPN type is secure, compatible with nearly
any application, and supported by most operating
systems?
A. L2TP/IPsec
B. PPTP
C. SSH
D. SSL/TLS
L2TP/IPsec is very common because it's secure,
broadly compatible, and well-supported. SSL/TLS
VPNs are an increasingly popular alternative, but
you'll likely need a third-party application.
Assessment: Transport encryption
You can use a VPN to securely encrypt all of
your network communication even on an
open Wi-Fi network. True or false?
A. True
B. False
True. While the L2 frames used by the hotspot are still unencrypted,
the VPN encrypts everything you send through the tunnel. Traffic that
bypasses it (before the tunnel comes up, with split tunneling, or DNS
sent outside the tunnel) is still exposed.
Summary: Cryptography
You now know:
About the primary branches of modern cryptography,
including symmetric and asymmetric ciphers, hashes,
and steganography. You should also know how the
different types are used together for tasks one
couldn't perform alone, such as for key exchange and
digital signatures.
How digital certificates are created, used, and revoked
as part of a PKI structure.
How to apply secure transport encryption on multiple
layers of the network, including secure application
protocols, Wi-Fi encryption, and VPNs.
Chapter 9: Organizational security
You will learn:
How to design security policies
About user training practices
How to physically secure assets and
manage safety controls
Security policies
Multiple contributors
– Administrators
– Management
– HR
– Legal
Address organizational goals and technological details
Role-based policies
– Business-level principles for administrators
– Technical documentation for IT staff
– Acceptable use policies for end users
– Incident response policies for troubleshooters
Disaster planning and business continuity
Change management
Acceptable use policies
Internet use
Company account use
Hardware and software
Mobile devices
Privacy policy
Policy communication
– Notification of policy changes
Password policies
Length
– 8-12 characters recommended as a minimum; longer is better
Complexity
– Mix of letters, numbers, special characters
Duration
– 30-90 day replacement
History
– 12-24 prior passwords stored
Sharing and Storage
– Prohibit where possible, secure where not
Note: later guidance (NIST SP 800-63B, 2017) favors length and screening against breached-password lists over composition rules, and drops scheduled expiry unless a compromise is suspected
Human resource policies
Hiring
Training
Enforcement
Termination
Ethics
Secure personnel policies
Least privilege
– Limits damage done by malice, error, or attacker
Mandatory vacations
– Uncovers fraud or ongoing mistakes
Rotation of duties
Separation of duties
– No one person completes a sensitive task alone, so employees check each other's work
Clean desk policy
– Prevents data loss or theft
Policy documents
Overview
– The risk being addressed and how the policy will
minimize it
Scope
– Defines where policy applies
Details
– Can refer to external documents
Enforcement and auditing
Definitions
Revision history
– Dates, and who authorized each change
Business agreements
Service-level agreement (SLA)
– A formal definition of a service provided to or by the
organization
Memorandum of understanding (MOU)
– A less formal agreement of mutual goals between two
or more organizations
Interconnection security agreement (ISA)
– A security-focused document that specifies the
technical requirements in forming a data connection
between two parties
Business partnership agreement (BPA)
– A written agreement defining the general relationship
between business partners.
Third-party security concerns
Onboarding/offboarding
Data ownership
Data sharing
Data backups
Security policies
Privacy considerations
Review processes
Assessment: Security policies
What policy document generally describes
mutual goals between organizations?
A. BPA
B. ISA
C. MOU
D. SLA
A memorandum of understanding may or may
not be legally binding depending on its terms,
but it should shape company policy as though it
were.
Assessment: Security policies
Which policy is focused on preventing data loss?
A. AUP
B. Clean desk policy
C. Mandatory vacation
D. Separation of duties
Clean desk policies keep sensitive documents
and other data from being lost, stolen, or
viewed by unauthorized people.
Assessment: Security policies
Experts agree that very demanding
password policies are the best way to
maintain security. True or false?
A. True
B. False
False. Strong passwords help security, but if
they're hard to remember users will cheat,
compromising overall security.
Assessment: Security policies
What are the benefits of a job rotation policy? Choose all
that apply.
A. Allows employees to discover each other's mistakes
in multi-step processes
B. Helps detect fraudulent activity over time
C. Minimizes permissions given to any one employee
D. Prevents data loss
E. Trains employees more broadly
A job rotation policy helps keep single employees from
long-term mistakes or fraudulent behavior, since their
replacement might notice what happened. It also has
cross-training benefits.
Assessment: Security policies
Your company has signed a BPA with a business partner.
What most likely isn't a part of it? Choose the best
response.
A. How liability is shared for a loss of shared assets
B. Technical requirements for secured data
connections between the two companies
C. What happens to informational assets when the
agreement is dissolved
D. Who is responsible for maintaining informational
assets
You'll probably need to create an ISA to specify technical
interconnection requirements.
Module B: User training
You will learn:
About role-based training
How to train employees in handling
sensitive data
How to apply training as an ongoing
process
Role-based training
End users
– Common threats and how to avoid them
Customer-facing employees
– Social engineering and public reputation
Administrators
– Detailed procedures and evolving threats
Incident response teams
– Response procedures and forensics
Management
– High-level view of assets and general threats
Handling data
Data should be classified by nature
– Labeling
– Storage
– Access permissions
Special data should be handled appropriately
– PII; data regulated by HIPAA or PCI DSS
– Customer and partner data
Data transit
– Secure network protocols
– Mobile devices and removable storage
– Documents in or out of workplace
Data disposal
Ongoing training
Review training and compliance over time
Review technological changes and
evolving threats
Watch for and remediate bad habits and
oversights
– End users
– Technicians
Monitor for newly discovered threats
Assessment: User training
What kind of security training is most important for
a company executive?
A. Identifying malware symptoms
B. Overall awareness of the organization's assets
and threats to them
C. Recognizing social engineering attacks
D. Regular updates on evolving network threats
Executives most need to know the overall security
picture so that they can make sure the organization
creates solid policies and amply funds security
controls and procedures.
Assessment: User training
What standards do you need to use when
handling credit card data?
A. HIPAA
B. NIST
C. PCI-DSS
D. PKI
The Payment Card Industry Data Security
Standard governs credit card data, and users
who handle it need to be trained in their
responsibilities.
Assessment: User training
Users should access sensitive data only when they have
both permission and a need to know, regardless of
whether the system technically lets them. True or false?
A. True
B. False
True. This is a basic need-to-know policy.
Assessment: User training
What kind of employee is most likely to need
extra training about social engineering attacks?
A. Department manager
B. Maintenance technician
C. Network administrator
D. Receptionist
All of them should be aware of social
engineering threats, but jobs directly interfacing
with customers and the outside public are most
targeted.
Module C: Physical security and
safety
You will learn:
About location and facility constraints on
physical security
About surveillance systems
How to secure entryways and equipment
How to protect equipment and personnel with
environmental controls
About fire suppression systems
Physical access control
Facility and location concerns
Location issues
– Crime
– Disaster
– Utilities
– Emergency
External barriers
– Fences
– Barricades
– Doors and windows
Visibility and accessibility
– Lighting
– Escape routes
Surveillance systems
Cameras
– Night-vision
– Wireless
– Hidden
– Motion-sensitive
Alarms/sensors
– Motion
– Window/door
– Pressure
– Glass break
– Environmental
Security guards
Secure entryways
Conventional locks
Electronic locks
– Passcode
– ID badge
– Electronic tokens
– Biometrics
– Fail-secure vs. fail-safe
Guards
Mantrap
Entry logging
Securing equipment
Network hardware rooms
Hardware locks
Wireless access points
Network outlets and cables
Social engineering
HVAC systems
Temperature range
Humidity range
– Too dry raises electrostatic discharge risk; too humid risks condensation and corrosion
HVAC settings
Air flow
– Hot and cold aisles
Sudden changes
EMI shielding
Electromagnetic interference
Radio frequency interference
Sources
– Motors
– Microwaves
– HVAC
– Industrial equipment
Protections
– Shielded cables
– Faraday cage
– TEMPEST standards
Fire suppression
Fire extinguishers
– Class A for solids
– Class B for liquids
– Class C for electrical equipment
– Class D for metals
Fixed systems
– Sprinklers
– Clean agent gas (Halon in older installations; no longer produced, replaced by agents such as FM-200 or inert gas)
Coordinating security and safety
Consult building layout to compare secure
areas and fire escape routes
Use fail open locks to enable safe escape
Use alarmed one-way emergency exits
Use separate alert systems for security and
safety emergencies
Regularly conduct emergency drills with
employees
Coordinate safety drills with security
personnel
Assessment: Physical security
and safety
What class of fire extinguisher is most useful
next to the server closet?
A. Class A
B. Class B
C. Class C
D. Class D
Class C extinguishers are rated for electrical
fires.
Assessment: Physical security
and safety
What qualifies as both a preventive and a
detective control?
A. A locked door
B. A motion detector
C. A security guard
D. A surveillance camera
A security guard can both detect intruders in a
secure area, and block them from entering.
Assessment: Physical security
and safety
What are hot and cold aisles designed to assist?
A. Air circulation in the server room
B. Defining routes for evacuating employees and
incoming emergency workers
C. Preventing EMI
D. Preventing the spread of fires
Hot and cold aisles are used for outgoing and
incoming air in a server room.
Assessment: Physical security
and safety
If EMI is a concern, you can enclose
sensitive servers or even the whole server
room in a Faraday cage. True or false?
A. True
B. False
True. A Faraday cage is essentially a box
made out of fine, grounded metal mesh,
and blocks most EMI/RFI.
Assessment: Physical security
and safety
Fail-close door locks are _________.
A. Good for safety and security
B. Good for safety but bad for security
C. Bad for safety but good for security
D. Bad for safety and security
Fail-close systems are more secure but can
block escape routes.
Summary: Organizational security
You should now know:
How to design and document effective security
policies, including acceptable use, passwords,
personnel management, and change management.
You should also know how to plan business
agreements with security in mind.
How to enforce security policies and best practices
through role-based employee training, and how to
revise policies and training procedures over time.
How to choose appropriate physical security and
environmental controls to protect facilities,
equipment, and data, without endangering the safety
of employees.
Chapter 10: Disaster planning
and recovery
You will learn:
About business continuity planning
About fault tolerance and recovery
How to respond to security incidents
Module A: Business continuity
You will learn:
About continuity planning
How to create business continuity plans
How to create and test disaster recovery
plans
Continuity planning
Business continuity plan (BCP)
– Comprehensive plan with risk analysis, controls, and service
restoration procedures
Business impact analysis (BIA)
– Assessment of critical business functions
Disaster recovery plan (DRP)
– Technical plan for specific disaster type
IT contingency plan
– Restoration plan for IT systems
Continuity of operations plan (COOP)
– Procedure for temporary site during recovery
Crisis communications plan
– Internal and external
Succession plan
– Procedures for sudden changes of personnel
Creating a BCP
1. Perform a risk assessment, much like for
normal security planning.
2. Create a BIA.
3. Design the BCP and its supporting
recovery plans and controls.
4. Implement and test the plan.
5. Analyze the results to apply further
refinement.
Creating a BIA
1. Identify functions critical to sustained
business operations
2. Identify resources used by each critical
function
3. Prioritize critical functions
4. Identify threats to each function
5. Determine mitigation techniques for
each threat
Disaster recovery plans
System documentation
– Including user credentials and software keys, which must themselves be stored securely yet be reachable during a disaster
Reserve resources
– Replacement parts, redundant systems,
alternate sites
Vendor lists
– Procedures or contracts for rapid replacement
Backup policies
Recovery procedures
Personnel list
Emergency contacts
BCP and DRP testing
Checklist test
– Giving the plan to one or more people to
review and examine item by item
Tabletop exercise/Structured walkthrough
– Gathering the team to walk through a
theoretical disaster step by step
Simulation test
– Small or large scale response test under
controlled circumstances
Assessment: Business continuity
Which document is a business most likely to
have more than one of?
A. BCP
B. BIA
C. COOP
D. DRP
Businesses commonly have multiple disaster
recovery plans representing multiple services or
locations.
Assessment: Business continuity
What document specifically covers moving
operations to a temporary site?
A. BCP
B. BIA
C. COOP
D. DRP
A continuity of operations plan can apply to
general business functions as well as IT systems
in particular.
Assessment: Business continuity
What is also known as a "structured
walkthrough?" Choose the best response.
A. Checklist test
B. ISCP
C. Simulation test
D. Tabletop exercise
Tabletop exercises are gathering the team or
department together to review the plan and
walk through a theoretical disaster step by step.
Module B: Fault tolerance and
recovery
You will learn:
About recovery objectives
About fault tolerance and redundant
systems
About RAID
How to design backup policies
Recovery objectives
Recovery time objective (RTO)
– The maximum acceptable down time after a failure
– Includes troubleshooting, recovery itself, and
testing
Recovery point objective (RPO)
– The maximum acceptable data loss, measured as the
age of the last usable backup at the time of the
disaster
– Defined primarily by data backup frequency
Fault tolerance and redundancy
Reducing single points of failure
– Reinforced components
– Error correcting software or hardware
– Operation at reduced capacity
Backup or parallel components
– Backup power
– RAID storage
– Load balancing
– Clustering
– Alternate sites
Alternate sites and spare parts
Replacement parts
– Hot spare – ready to go
– Cold spare – ready to install
Hot site
– Fully equipped backup location
– Ready in hours
Cold site
– Space and utilities but no hardware
Warm site
– Some hardware, but not ready to go
RAID
RAID 0
– Disk striping
– No redundancy: one failed disk loses the whole array
RAID 1
– Disk mirroring
– Halves usable capacity; no write performance benefit
RAID 5
– Striping with parity, allows one
failed disk
RAID 6
– Striping with double parity,
allows two failed disks
RAID 1+0
– Nested striping and mirroring
RAID failures
Drive failure
– Mitigated by proper RAID level and quick
recovery
Controller failure
– Most RAID uses single controller
Power issues
Software issues
RAID rebuild stress
– Primary reason for RAID 6 vs RAID 5
Data backups
Archive bit
– Marks data needing backup
Full backup
– All data on volume
Incremental backup
– Backs up only files with a set archive bit, then clears
the bit
– Quick to make, slow to restore: you need the last full
backup plus every incremental since it, in order
Differential backup
– Backs up only files with a set archive bit, but does not
clear the bit afterward, so each one grows until the next full
– Slower to make, quicker to restore: last full plus the
latest differential only
Backup security
Media labeled and physically secure
Secure network transmission
Physical security for media transport
Off-site locations
Secure disposal
Creating backup policies
1. Identify what data is important to back
up
2. Determine retention requirements
3. Choose backup strategy and schedule
4. Plan data security
5. Assign personnel responsibilities
6. Create and apply a backup testing
schedule
Assessment: Fault tolerance and
recovery
Which of the following RAID levels incorporates
disk striping? Choose all that apply
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10
Of the RAID levels listed, only RAID 1 does not
include disk striping.
Assessment: Fault tolerance and
recovery
The process of rebuilding a RAID drive from
parity data can cause a RAID drive to fail. True or
false?
A. True
B. False
True. The rebuild process is very I/O intensive
and places additional wear on the surviving
drives while it rebuilds the failed one. This
can cause another drive to fail.
Assessment: Fault tolerance and
recovery
If you have a RAID implementation with
data parity, you don't need data backups.
True or false?
A. True
B. False
False. RAID protects against drive failures,
not other threats to data.
Assessment: Fault tolerance and
recovery
You have a critical database server that constantly backs its files
up to the cloud, but its software environment is so finicky that if
it encountered a critical failure it would take a long time to get it
working again. How would you describe your recovery plan for
that service?
A. High RPO and high RTO
B. High RPO and low RTO
C. Low RPO and high RTO
D. Low RPO and low RTO
Since it will lose little or no data in case of a failure, the recovery
point objective is low. Since it will take a long time to get back online, the
recovery time objective is high.
Assessment: Fault tolerance and
recovery
Clustering is similar to load balancing, but tends
to use tighter integration between redundant
systems. True or false?
A. True
B. False
True. Multiple servers in a cluster are aware of
each other and operate toward a common goal.
Assessment: Fault tolerance and
recovery
Your company rents a spare server room in a secondary
location. It has all necessary hardware, software, and
network services, and you just need to load the latest
backups to get it in operation. What is it?
A. Hot site
B. Hot spare
C. Cold site
D. Cold spare
A hot site is fully equipped and ready to go in hours or
less.
Assessment: Fault tolerance and
recovery
In terms of time, how does a differential backup plan generally
differ from an incremental backup plan?
A. It's quicker both to create backups and to restore data
B. It's quicker to create backups, but slower to restore data
C. It's slower to create backups, but quicker to restore data
D. It's slower both to create backups and to restore data
Each differential backup between full backups takes longer to
create, but to restore data you only need the latest full and
latest differential backup. To restore from incremental backups
you need the entire set.
Module C: Incident response
You will learn:
How to collect forensic evidence
About incidents
How to respond to an incident
Forensic evidence
Evidence admissible in court
Testimony
– A sworn statement, oral or written
Real evidence
– A physical object relevant to the case
Demonstrative evidence
– A representation of an object or event
Digital evidence
– Evidence recorded in digital format
Collecting evidence
1. Secure access to systems and data
2. Classify evidence by order of volatility
– Memory, swap, files, firmware, archives
3. Capture evidence
– Logs and screenshots
– Forensic backup tools
– Time offsets
– Witnesses
4. Take hashes
5. Analyze data
6. Assemble findings
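An added example, not from the course, of steps 3 and 4 above: hashing each captured artifact into a manifest that is itself hashed, verifying it later, and recording each source system's clock offset so events from different hosts sort into their real order. The artifacts, hosts, timestamps and offsets are constructed sample data; the timeline part also illustrates the time-offset question at the end of this module.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(artifacts: Dict[str, bytes], collector: str,
                  collected_at: datetime, clock_offset: timedelta) -> dict:
    """Hash each captured artifact and record who collected it, when, and how far
    the source system's clock was from the reference clock. The manifest is then
    hashed itself so later tampering with the list is also detectable."""
    entries = [{"name": n, "size": len(d), "sha256": sha256_hex(d)}
               for n, d in sorted(artifacts.items())]
    manifest = {
        "collector": collector,
        "collected_at": collected_at.isoformat(),
        "clock_offset_seconds": clock_offset.total_seconds(),
        "artifacts": entries,
    }
    manifest["manifest_sha256"] = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
    return manifest


def verify_manifest(manifest: dict, artifacts: Dict[str, bytes]) -> List[str]:
    """Return the names of artifacts that are missing or whose hash changed;
    '<manifest>' if the manifest itself was altered; empty list means intact."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(json.dumps(body, sort_keys=True).encode()) != manifest["manifest_sha256"]:
        return ["<manifest>"]
    bad = []
    for e in manifest["artifacts"]:
        data = artifacts.get(e["name"])
        if data is None or len(data) != e["size"] or sha256_hex(data) != e["sha256"]:
            bad.append(e["name"])
    return bad


def true_time(observed: datetime, clock_offset: timedelta) -> datetime:
    """offset = system clock minus reference clock at collection time,
    so the real time of an event is observed - offset."""
    return observed - clock_offset


def timeline(events: List[Tuple[str, datetime, timedelta, str]]) -> List[str]:
    """events: (host, timestamp as logged, that host's clock offset, message).
    Returns host names in corrected chronological order."""
    return [h for h, ts, off, _ in sorted(events, key=lambda e: true_time(e[1], e[2]))]


def naive_timeline(events: List[Tuple[str, datetime, timedelta, str]]) -> List[str]:
    """Order by the timestamps as logged, ignoring offsets (the mistake)."""
    return [h for h, ts, _, _ in sorted(events, key=lambda e: e[1])]


# Constructed sample data, not real evidence
UTC = timezone.utc
COLLECTED_AT = datetime(2016, 1, 5, 11, 0, tzinfo=UTC)
ARTIFACTS = {
    "memory.dmp": b"\x00\x01fake memory image\xff",
    "auth.log": b"Jan 5 10:02:30 hostA sshd: Accepted password for admin from 10.0.0.9\n",
}
# hostA's clock was found to be 2 minutes fast; hostB's was accurate
EVENTS = [
    ("hostA", datetime(2016, 1, 5, 10, 2, 30, tzinfo=UTC), timedelta(seconds=120),
     "outbound connection to hostB"),
    ("hostB", datetime(2016, 1, 5, 10, 0, 35, tzinfo=UTC), timedelta(0),
     "inbound connection from hostA"),
]


def sample_manifest() -> dict:
    return make_manifest(ARTIFACTS, "analyst1", COLLECTED_AT, timedelta(seconds=120))


if __name__ == "__main__":
    m = sample_manifest()
    print(json.dumps(m, indent=2))
    print("intact:", verify_manifest(m, ARTIFACTS))
    print("as logged:", naive_timeline(EVENTS), "corrected:", timeline(EVENTS))
```

Hash the manifest at collection time and keep that value with the chain-of-custody record; re-running the verification before analysis and again before presenting findings is what lets you show the evidence was not altered in between.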
Incident response teams
Leadership
– Both skill and authority in the organization
Technical knowledge
– Can be multiple people with specialized fields
Security principles
– Recognize attacks and use forensic principles
Legal advisor
– Answer policy questions about large scale events
Communications
– A single skilled spokesperson reduces confusion
First responders
The incident response process
1. Preparation
– Tools and training
2. Identification
– Detect event, nature, and severity
3. Containment
– Stop continuing damage
4. Investigation
– Identify effects and root causes
5. Eradication
– Eliminate root cause
6. Recovery
– Restore services
7. Followup
– Review information and take action
Assessment: Incident response
Order the steps of the incident response process.
A. Containment
B. Eradication
C. Followup
D. Identification
E. Investigation
F. Preparation
G. Recovery
Preparation, Identification, Containment,
Investigation, Eradication, Recovery, Followup
Assessment: Incident response
What is eDiscovery?
A. A process for identifying security incidents.
B. A process for sharing electronic forensic
data.
C. A standard for forensic backup software.
D. A software application used to track
security incidents.
It is a standard process for sharing electronic
forensic data between parties.
Assessment: Incident response
You should start choosing an incident response
team as soon as you've identified an incident.
True or false?
A. True
B. False
False. You might choose which members of your
team best fit a specific incident once it happens,
but you should have a team chosen and trained
before anything goes wrong.
Assessment: Incident response
After a security incident you rush to take a screenshot of
a telltale running process before you leisurely take a
backup of suspicious files on the hard drive. What
forensic principle are you exercising? Choose the best
response
A. Audit trail
B. Chain of custody
C. eDiscovery
D. Order of volatility
Order of volatility is the principle of preserving the most
time-sensitive data first. In this case, a running process is
more volatile than files on a hard drive.
Assessment: Incident response
Why is it important to record a time offset when
collecting evidence?
A. To compensate for logging systems that don't
record precise times
B. To compensate for time differences between
multiple systems
C. To document the precise order of events
D. To document the precise timing of events
Time offsets compensate for different clock settings
on multiple systems. Without it, the actual order of
logged network events could be unclear.
Summary: Disaster planning and
recovery
You now know:
How to create and test business continuity plans,
including business impact analysis and disaster
recovery plans, and how to test those plans.
How to identify recovery objectives, implement
fault tolerance and redundancy for critical
systems, and create sound data backup policies.
About the principles of digital forensics, and how
to design an effective incident response plan.