CIT 016 Review for Final
Security+ Guide to Network
Security Fundamentals
Second Edition
Defining Information Security
Three characteristics of information
must be protected by information
security:
Confidentiality
Integrity
Availability
Information security achieved
through a combination of three
entities
Importance of Information
Security
Information security is important to
businesses:
Prevents data theft
Avoids legal consequences of not securing
information
Maintains productivity
Foils cyberterrorism
Thwarts identity theft
Preventing Data Theft
Theft of data is the single largest cause of
financial loss due to a security breach
One of the most important objectives
of information security is to protect
important business and personal data
from theft
Developing Attacker Profiles
Six categories:
Hackers
Crackers
Script kiddies
Spies
Employees
Cyberterrorists
Developing Attacker Profiles
Hackers
Person who uses advanced computer
skills to attack computers, but not
with a malicious intent
Use their skills to expose security
flaws
Know that breaking into a system is
illegal but do not intend to
commit a crime
“Hacker code of ethics”
Target should have had better security
Crackers
Person who violates system security
with malicious intent
Have advanced knowledge of
computers and networks and the skills
to exploit them
Destroy data, deny legitimate users of
service, or otherwise cause serious
problems on computers and networks
Script Kiddies
Break into computers to create
damage
Not as skilled as Crackers
Download automated hacking
software from Web sites and use it to
break into computers
Tend to be young computer users with
large amounts of leisure time, which
they can use to attack systems
Spies
Person hired to break into a
computer and steal information
Do not randomly search for
unsecured computers to attack
Hired to attack a specific computer
that contains sensitive information
Possess excellent computer skills
Could also use social engineering to
gain access to a system
Financially motivated
Employees
One of the largest information security
threats to business
Employees break into their company’s
computer for these reasons:
To show the company a weakness in their
security
Being overlooked, revenge
For money
Inside of network is often vulnerable
because security focus is at the perimeter
Unskilled user could inadvertently launch
virus, worm or spyware
Cyberterrorists
Experts fear terrorists will attack the
network and computer infrastructure
to cause panic
Cyberterrorists’ motivation may be
defined as ideology, or attacking for
the sake of their principles or beliefs
Targets that are high on the
cyberterrorists list are:
Infrastructure outages
Internet itself
Cyberterrorists (continued)
Three goals of a cyberattack:
Deface electronic information to spread
disinformation and propaganda
Deny service to legitimate computer users
Commit unauthorized intrusions into
systems and networks that result in
critical infrastructure outages and
corruption of vital data
Understanding Security Principles
Ways information can be attacked:
Crackers can launch distributed denial-of-service (DDoS) attacks through the
Internet
Spies can use social engineering
Employees can guess other users’
passwords
Hackers can create back doors
Protecting against the wide range of
attacks calls for a wide range of
defense mechanisms
Layering
Layered security approach has the
advantage of creating a barrier of
multiple defenses that can be
coordinated to thwart a variety of
attacks
Information security likewise must be
created in layers
All the security layers must be properly
coordinated to be effective
Layering (continued)
Limiting
Limiting access to information reduces the
threat against it
Only those who must use data should have
access to it
Access must be limited for a subject (a
person or a computer program running on
a system) to interact with an object (a
computer or a database stored on a
server)
The amount of access granted to someone
should be limited to what that person
needs to know or do
Limiting (continued)
Diversity
Diversity is closely related to layering
You should protect data with diverse
layers of security, so if attackers
penetrate one layer, they cannot use
the same techniques to break through
all other layers
Using diverse layers of defense means
that breaching one security layer does
not compromise the whole system
Not just perimeter security
Possibly using different vendors
Increased administrative overhead
Diversity (continued)
You can set a firewall to filter a
specific type of traffic, such as all
inbound traffic, and a second firewall
on the same system to filter another
traffic type, such as outbound traffic
Use application layer filtering by a Linux
box before traffic hits the firewall
Use one device as the firewall and a
different device as the spam filter
Using firewalls produced by different
vendors creates even greater
diversity
This could add some complexity
Obscurity
Obscuring what goes on inside a
system or organization and avoiding
clear patterns of behavior make
attacks from the outside difficult
Network Address Translation
Port Address Translation
Internal ports different from external
External port 80, internal port 8080
Simplicity
Complex security systems can be
difficult to understand, troubleshoot,
and feel secure about
The challenge is to make the system
simple from the inside but complex
from the outside
Using Effective
Authentication Methods
Information security rests on three key
pillars:
Authentication
Access control (Authorization)
Auditing (Accounting)
Also known as AAA
Effective Authentication Methods
Authentication:
Process of providing identity
Can be classified into three main
categories: what you know, what you
have, what you are
Most common method: providing a user
with a unique username and a secret
password
Username and Password
ID management:
User’s single authenticated ID is shared
across multiple networks or online
businesses
Attempts to address the problem of users
having individual usernames and
passwords for each account (thus,
resorting to simple passwords that are
easy to remember)
Can be for users and for computers that
share data
Disabling Nonessential Systems
First step in establishing a defense
against computer attacks is to turn off
all nonessential services
Disabling services that are not
necessary restricts what attackers can use
Reducing the attack surface
Disabling Nonessential Systems
A service can be set to one of the
following modes:
Automatic
Manual
Disabled
Besides preventing attackers from
attaching malicious code to services,
disabling nonessential services blocks
entries into the system
Hardening Operating Systems
Hardening: process of reducing
vulnerabilities
A hardened system is configured and
updated to protect against attacks
Three broad categories of items should
be hardened:
Operating systems
Applications that the operating system
runs
Networks
Hardening Operating Systems
You can harden the operating system
that runs on the local client or the
network operating system (NOS) that
manages and controls the network,
such as Windows Server 2003 or
Novell NetWare
Applying Updates
Operating systems are intended to be
dynamic
As users’ needs change, new hardware is
introduced, and more sophisticated attacks
are unleashed, operating systems must be
updated on a regular basis
However, vendors release a new version of
an operating system every two to four years
Vendors use certain terms to refer to the
different types of updates.
Applying Updates (continued)
A service pack (a cumulative set of
updates including fixes for problems
that have not been made available
through updates) provides the
broadest and most complete update
A hotfix does not typically address
security issues; instead, it corrects a
specific software problem
Applying Updates (continued)
A patch or a software update fixes a
security flaw or other problem
May be released on a regular or irregular
basis, depending on the vendor or support
team
A good patch management system:
Design patches to update groups of
computers
Include reporting system
Download patches from the Internet
Distribute patches to other computers
Securing the File System
Another means of hardening an
operating system is to restrict user
access
Generally, users can be assigned
permissions to access folders (also
called directories in DOS and
UNIX/Linux) and the files contained
within them
Firmware Updates
RAM is volatile―interrupting the power
source causes RAM to lose its entire
contents
Read-only memory (ROM) is different
from RAM in two ways:
Contents of ROM are fixed
ROM is nonvolatile―disabling the power
source does not erase its contents
Firmware Updates (continued)
ROM, Erasable Programmable Read-Only Memory (EPROM), and
Electrically Erasable Programmable
Read-Only Memory (EEPROM) are
firmware (flash)
To erase an EPROM chip, hold the
chip under ultraviolet light so the
light passes through its crystal
window
The contents of EEPROM chips can
also be erased using electrical signals
applied to specific pins
Firmware Updates (continued)
To update a network device we copy
over a new version of the OS software
to the flash memory of the device.
This can be done via a tftp server or a
compact flash reader/writer
Router# copy tftp flash:
Having the firmware updated ensures
the device is not vulnerable to bugs in
the OS that can be exploited
Network Configuration
You must properly configure network
equipment to resist attacks
The primary method of resisting
attacks is to filter data packets as they
arrive at the perimeter of the network
In addition to making sure the
perimeter is secure, make sure the
device itself is secure by using strong
passwords and encrypted connections
SSH instead of Telnet and console, vty
passwords
Configuring Packet Filtering
The User Datagram Protocol (UDP) provides
for a connectionless TCP/IP transfer
TCP and UDP are based on port numbers
Socket: combination of an IP address and a
port number
The IP address is separated from the port number
by a colon, as in 198.146.118.20:80
Network Configuration
Rule base or access control list (ACL):
rules a network device uses to permit
or deny a packet
(not to be confused with ACLs used in
securing a file system)
Rules are composed of several settings
(listed on pages 122 and 123 of the
text)
Observe the basic guidelines on page
124 of the text when creating rules
Network Cable Plant
Cable plant: physical infrastructure of
a network (wire, connectors, and
cables) used to carry data
communication signals between
equipment
Three types of transmission media:
Coaxial cables
Twisted-pair cables
Fiber-optic cables
Twisted-Pair Cables
Standard for copper cabling used in
computer networks today, replacing thin
coaxial cable
Composed of two insulated copper wires
twisted around each other and bundled
together with other pairs in a jacket
Twisted-Pair Cables (continued)
Shielded twisted-pair (STP) cables
have a foil shielding on the inside of
the jacket to reduce interference
Unshielded twisted-pair (UTP) cables
do not have any shielding
Twisted-pair cables have RJ-45
connectors
Fiber-Optic Cables
Coaxial and twisted-pair cables have
copper wire at the center that
conducts an electrical signal
Fiber-optic cable uses a very thin
cylinder of glass (core) at its center
instead of copper; the core transmits light
impulses
A glass tube (cladding) surrounds the
core
The core and cladding are protected
by a jacket
Hardening Standard Network Devices
A standard network device is a typical
piece of equipment that is found on
almost every network, such as a
workstation, server, switch, or router
This equipment has basic security
features that you can use to harden
the devices
Switches and Routers
Switch
Most commonly used in Ethernet LANs
Receives a packet from one network device
and sends it to the destination device only
Limits the collision domain (part of network
on which multiple devices may attempt to
send packets simultaneously)
A switch is used within a single network
Routers connect two or more single
networks to form a larger network
Hardening Network Security Devices
The final category of network devices
includes those designed and used
strictly to protect the network
Include:
Firewalls
Intrusion-detection systems
Network monitoring and diagnostic
devices
Firewalls
Typically used to filter packets
Designed to prevent malicious packets
from entering the network or its
computers (sometimes called a packet
filter)
Typically located outside the network
security perimeter as first line of
defense
Can be software or hardware
configurations
Firewalls (continued)
Software firewall runs as a program on
a local computer (sometimes known
as a personal firewall)
Enterprise firewalls are software firewalls
designed to run on a dedicated device and
protect a network instead of only one
computer
One disadvantage is that it is only as
strong as the operating system of the
computer
Firewalls (continued)
Filter packets in one of two ways:
Stateless packet filtering: permits or denies
each packet based strictly on the rule base
Stateful packet filtering: records state of a
connection between an internal computer
and an external server; makes decisions
based on connection and rule base
Can perform content filtering to block
access to undesirable Web sites
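The difference between the two filtering methods, as an added example that is not part of the original slides. The rule bases, the 10.0.0.0/8 internal range and the sample packets are constructed for illustration; connection teardown and timeouts are left out.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


@dataclass(frozen=True)
class Packet:
    src: str    # socket written as "ip:port", e.g. "198.146.118.20:80"
    dst: str
    proto: str  # "tcp" or "udp"


def split_socket(sock):
    ip, port = sock.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)


def direction(pkt):
    """'out' if the packet leaves the internal network, else 'in'."""
    src_ip, _ = split_socket(pkt.src)
    return "out" if src_ip in INTERNAL_NET else "in"


# A rule is (direction, proto, src_port, dst_port, action); None matches anything.
# First match wins; both rule bases end in an explicit deny.
STATELESS_RULES = [
    ("out", "tcp", None, 80, "permit"),  # internal clients may reach Web servers
    ("in", "tcp", 80, None, "permit"),   # needed so the replies can come back
    (None, None, None, None, "deny"),
]
STATEFUL_RULES = [
    ("out", "tcp", None, 80, "permit"),  # replies are admitted by state, not by rule
    (None, None, None, None, "deny"),
]


def apply_rule_base(rules, pkt):
    """Stateless decision: each packet is judged on the rule base alone."""
    _, sport = split_socket(pkt.src)
    _, dport = split_socket(pkt.dst)
    for rdir, proto, rsport, rdport, action in rules:
        if rdir not in (None, direction(pkt)):
            continue
        if proto not in (None, pkt.proto):
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action
    return "deny"


class StatefulFilter:
    """Records permitted outbound connections and admits only their replies."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()  # (internal socket, external socket, proto)

    def check(self, pkt):
        if direction(pkt) == "out":
            action = apply_rule_base(self.rules, pkt)
            if action == "permit":
                self.connections.add((pkt.src, pkt.dst, pkt.proto))
            return action
        # Inbound: a reply to a recorded connection is permitted;
        # anything else is decided by the rule base.
        if (pkt.dst, pkt.src, pkt.proto) in self.connections:
            return "permit"
        return apply_rule_base(self.rules, pkt)


def compare():
    """Return {packet name: (stateless decision, stateful decision)}."""
    packets = [
        ("request", Packet("10.0.0.5:49152", "198.146.118.20:80", "tcp")),
        ("reply", Packet("198.146.118.20:80", "10.0.0.5:49152", "tcp")),
        # Nobody inside asked for this one; it only claims source port 80.
        ("unsolicited", Packet("203.0.113.9:80", "10.0.0.7:3389", "tcp")),
    ]
    stateful = StatefulFilter(STATEFUL_RULES)
    return {name: (apply_rule_base(STATELESS_RULES, pkt), stateful.check(pkt))
            for name, pkt in packets}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:12} stateless={decisions[0]:7} stateful={decisions[1]}")
```

The stateless rule base has to permit every inbound packet with source port 80 so that replies get through, which also admits the unsolicited packet; the stateful filter drops it because no internal computer opened that connection.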
Designing Network Topologies
Topology: physical layout of the
network devices, how they are
interconnected, and how they
communicate
Essential to establishing its security
Although network topologies can be
modified for security reasons, the
network still must reflect the needs of
the organization and users
Security Zones
One of the keys to mapping the
topology of a network is to separate
secure users from outsiders through:
Demilitarized Zones (DMZs)
Intranets
Extranets
Demilitarized Zones (DMZs)
Separate networks that sit outside the
secure network perimeter
Outside users can access the DMZ, but
cannot enter the secure network
For extra security, some networks use
a DMZ with two firewalls
The types of servers that should be
located in the DMZ include:
Web servers
Remote access servers
E-mail servers
FTP servers
Network Address Translation (NAT)
“You cannot attack what you do not
see” is the philosophy behind Network
Address Translation (NAT) systems
Hides the IP addresses of network
devices from attackers
Computers are assigned special IP
addresses (known as private
addresses)
Network Address Translation (NAT)
These IP addresses are not assigned
to any specific user or organization;
anyone can use them on their own
private internal network
Port address translation (PAT) is a
variation of NAT
Each packet is given the same IP
address, but a different TCP port
number
Virtual LANs (VLANs)
Segment a network with switches to
divide the network into a hierarchy
Core switches reside at the top of the
hierarchy and carry traffic between
switches
Workgroup switches are connected
directly to the devices on the network
Core switches must work faster than
workgroup switches because core
switches must handle the traffic of
several workgroup switches
Virtual LANs (VLANs)
Segment a network by grouping
similar users together
Instead of segmenting by user, you
can segment a network by separating
devices into logical groups (known as
creating a VLAN)
Secure/MIME (S/MIME)
Protocol that adds digital signatures
and encryption to Multipurpose
Internet Mail Extension (MIME)
messages
Provides these features:
Digital signatures
Message privacy
Tamper detection
Interoperability
Seamless integration
Pretty Good Privacy (PGP)
Functions much like S/MIME by
encrypting messages using digital
signatures
A user can sign an e-mail message
without encrypting it, verifying the
sender but not preventing anyone from
seeing the contents
First compresses the message
Reduces patterns and enhances resistance
to cryptanalysis
Creates a session key (a one-time-only
secret key)
This key is a number generated from
random movements of the mouse and
keystrokes typed
Pretty Good Privacy (PGP)
Uses a passphrase to encrypt the
private key on the local computer
Passphrase:
A longer and more secure version of a
password
Typically composed of multiple words
More secure against dictionary attacks
Pretty Good Privacy (PGP)
Securing Web Communications
Most common secure connection uses
the Secure Sockets Layer/Transport
Layer Security protocol
One implementation is the Hypertext
Transport Protocol over Secure
Sockets Layer
Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
SSL protocol developed by Netscape to
securely transmit documents over the
Internet
Uses private key to encrypt data
transferred over the SSL connection
Version 2.0 is most widely supported
version
Personal Communications Technology
(PCT), developed by Microsoft, is similar
to SSL
Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
TLS protocol guarantees privacy and
data integrity between applications
communicating over the Internet
An extension of SSL; they are often
referred to as SSL/TLS
SSL/TLS protocol is made up of two
layers
Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
TLS Handshake Protocol allows
authentication between server and client
and negotiation of an encryption
algorithm and cryptographic keys before
any data is transmitted
FORTEZZA is a US government security
standard that satisfies the Defense
Messaging System security architecture
Has cryptographic mechanism that provides
message confidentiality, integrity,
authentication, and access control to
messages, components, and even systems
Secure Hypertext Transport
Protocol (HTTPS)
One common use of SSL is to secure Web
HTTP communication between a browser and
a Web server
This version is “plain” HTTP sent over SSL/TLS and
named Hypertext Transport Protocol over SSL
Sometimes designated HTTPS, which is the
extension to the HTTP protocol that supports
it
Whereas SSL/TLS creates a secure
connection between a client and a server
over which any amount of data can be sent
securely, HTTPS is designed to transmit
individual messages securely
Tunneling Protocols
Tunneling: technique of encapsulating
one packet of data within another type
to create a secure link of
transportation
IEEE 802.1x
Based on a standard established by
the Institute for Electrical and
Electronic Engineers (IEEE)
Gaining wide-spread popularity
Provides an authentication framework
for 802-based LANs (Ethernet, Token
Ring, wireless LANs)
Uses port-based authentication
mechanisms
Switch denies access to anyone other than
an authorized user attempting to connect
to the network through that port
IEEE 802.1x (continued)
Network supporting the 802.1x
protocol consists of three elements:
Supplicant: client device, such as a
desktop computer or personal digital
assistant (PDA), which requires secure
network access
Authenticator: serves as an intermediary
device between supplicant and
authentication server
Authentication server: receives request
from supplicant through authenticator
802.1x
802.1x is a standardized framework defined by
the IEEE that is designed to provide port-based
network access.
The 802.1x framework defines three roles in
the authentication process:
1. Supplicant = endpoint that needs network access
2. Authenticator = switch or access point
3. Authentication Server = RADIUS, TACACS+, LDAP
The authentication process consists of
exchanges of Extensible Authentication
Protocol (EAP) messages between the
supplicant and the authentication server.
802.1x Roles
Supplicant
Authenticator
Authentication Server
Microsoft Windows XP includes 802.1x supplicant support
Remote Authentication Dial-In
User Service (RADIUS)
Originally defined to enable centralized
authentication and access control and
PPP sessions
Requests are forwarded to a single
RADIUS server
Supports authentication,
authorization, and auditing functions
After connection is made, RADIUS
server adds an accounting record to its
log and acknowledges the request
Allows company to maintain user
profiles in a central database that all
remote servers can share
Terminal Access Control Access
Control System (TACACS+)
Industry standard protocol
specification that forwards username
and password information to a
centralized server (TACACS)
Whereas communication between a
NAS and a TACACS+ server is
encrypted, communication between a
client and a NAS is not
TACACS+ utilizes TCP port 49.
It is a Cisco proprietary enhancement
to original TACACS protocol.
IP Security (IPSec) (continued)
IPSec is a set of protocols developed to
support the secure exchange of packets
Considered to be a transparent security
protocol
Transparent to applications, users, and
software
Provides three areas of protection that
correspond to three IPSec protocols:
Authentication
Confidentiality
Key management
IP Security (IPSec) (continued)
Supports two encryption modes:
Transport mode encrypts only the data
portion (payload) of each packet, yet
leaves the header unencrypted
Tunnel mode encrypts both the header
and the data portion
IPSec accomplishes transport and
tunnel modes by adding new headers
to the IP packet
The entire original packet is then
treated as the data portion of the new
packet
IP Security (IPSec) (continued)
Both Authentication Header (AH) and
Encapsulating Security Payload (ESP)
can be used with Transport or Tunnel
mode, creating four possible transport
mechanisms:
AH in transport mode
AH in tunnel mode
ESP in transport mode
ESP in tunnel mode
Virtual Private Networks (VPNs)
Takes advantage of using the public
Internet as if it were a private network
Allow the public Internet to be used
privately
Prior to VPNs, organizations were
forced to lease expensive data
connections from private carriers so
employees could remotely connect to
the organization’s network
Virtual Private Networks (VPNs)
Two common types of VPNs include:
Remote-access VPN or virtual private dial-up network (VPDN): user-to-LAN
connection used by remote users
Site-to-site VPN: multiple sites can
connect to other sites over the Internet
VPN transmissions achieved through
communicating with endpoints
An endpoint can be software on a local
computer, a dedicated hardware device
such as a VPN concentrator, or even a
firewall
Basic WLAN Security
Two areas:
Basic WLAN security
Enterprise WLAN security
Basic WLAN security uses two new
wireless tools and one tool from the
wired world:
Service Set Identifier (SSID) beaconing
MAC address filtering
Wired Equivalent Privacy (WEP)
Service Set Identifier (SSID)
Beaconing
A service set is a technical term used
to describe a WLAN network
Three types of service sets:
Independent Basic Service Set (IBSS)
Basic Service Set (BSS)
Extended Service Set (ESS)
Each WLAN is given a unique SSID
MAC Address Filtering
Another way to harden a WLAN is to
filter MAC addresses
The MAC address of approved wireless
devices is entered on the AP
A MAC address can be spoofed
When wireless device and AP first
exchange packets, the MAC address of
the wireless device is sent in plaintext,
allowing an attacker with a sniffer to
see the MAC address of an approved
device
Wired Equivalent Privacy (WEP)
Optional configuration for WLANs that
encrypts packets during transmission
to prevent attackers from viewing
their contents
Uses shared keys―the same key for
encryption and decryption must be
installed on the AP, as well as each
wireless device
A serious vulnerability in WEP is that
the IV is not properly implemented
Every time a packet is encrypted it
should be given a unique IV
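Why every packet needs a unique IV, as an added example that is not part of the original slides. It assumes WEP's standard construction (RC4 seeded with a 24-bit IV followed by the shared key), which the slides do not spell out; the integrity check value is omitted, and the key, IVs and plaintexts are constructed.

```python
from collections import Counter


def rc4_keystream(seed, length):
    """Standard RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, shared_key, plaintext):
    """Encrypt one frame body; the IV travels in the clear next to it."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def reused_ivs(frames):
    """Audit captured (iv, ciphertext) frames: which IVs appear more than once?"""
    counts = Counter(iv for iv, _ in frames)
    return {iv for iv, seen in counts.items() if seen > 1}


def audit_demo():
    shared_key = bytes.fromhex("0102030405")          # constructed 40-bit key
    plaintexts = [b"balance=1500;acct=A",             # constructed frame bodies
                  b"status=ok;session=7",
                  b"balance=0042;acct=B"]
    ivs = [b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01"]  # third repeats first
    frames = [(iv, wep_encrypt(iv, shared_key, pt)) for iv, pt in zip(ivs, plaintexts)]

    # Same IV + same key -> same keystream, so the keystream cancels out and
    # the XOR of the two ciphertexts equals the XOR of the two plaintexts.
    same_iv_leaks = xor(frames[0][1], frames[2][1]) == xor(plaintexts[0], plaintexts[2])
    # With distinct IVs the keystreams differ and nothing cancels.
    distinct_iv_leaks = xor(frames[0][1], frames[1][1]) == xor(plaintexts[0], plaintexts[1])
    return {"reused": reused_ivs(frames),
            "same_iv_leaks": same_iv_leaks,
            "distinct_iv_leaks": distinct_iv_leaks}


if __name__ == "__main__":
    print(audit_demo())
```

Because the shared key is the same on the AP and on every wireless device, the IV is the only part of the seed that changes between packets.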
Other Wireless Authentication Protocols
Wi-Fi Protected Access WPA
WPA2
The TKIP encryption algorithm was developed for WPA
to provide improvements to WEP
WiFi Alliance branded version of the final 802.11i
standard
WPA2 supports EAP authentication methods using
RADIUS servers and preshared key (PSK) based
security
802.1X
LEAP
PEAP
TKIP
Untrusted Network
The basic WLAN security of SSID
beaconing, MAC address filtering, and
WEP encryption is not secure enough
for an organization to use
One approach to securing a WLAN is
to treat it as an untrusted and
unsecure network
Requires that the WLAN be placed
outside the secure perimeter of the
trusted network
Untrusted Network (continued)
Trusted Network (continued)
WPA encryption addresses the
weaknesses of WEP by using the
Temporal Key Integrity Protocol (TKIP)
TKIP mixes keys on a per-packet basis
to improve security
Although WPA provides enhanced
security, the IEEE 802.11i solution is
even more secure
802.11i is expected to be released
sometime in 2004
Cryptography Terminology
Cryptography: science of transforming
information so it is secure while being
transmitted or stored
Steganography: attempts to hide
existence of data
Encryption: changing the original text
to a secret message using
cryptography
Cryptography Terminology
Decryption: reverse process of
encryption
Algorithm: process of encrypting and
decrypting information based on a
mathematical procedure
Key: value used by an algorithm to
encrypt or decrypt a message
Cryptography Terminology
Weak key: mathematical key that
creates a detectable pattern or
structure
Plaintext: original unencrypted
information (also known as clear text)
Cipher: encryption or decryption
algorithm tool used to create
encrypted or decrypted text
Ciphertext: data that has been
encrypted by an encryption algorithm
Cryptography Terminology
(continued)
Defining Hashing
Hashing, also called a one-way hash,
creates a ciphertext from plaintext
Cryptographic hashing follows this
same basic approach
Hash algorithms verify the accuracy of
a value without transmitting the value
itself and subjecting it to attacks
A practical use of a hash algorithm is
with automatic teller machine (ATM)
cards
Defining Hashing (continued)
Hashing is typically used in two ways:
To determine whether a password a user
enters is correct without transmitting the
password itself
To determine the integrity of a message or
contents of a file
Hash algorithms are considered very
secure if the hash that is produced has
the characteristics listed on pages 276
and 277 of the text
Message Digest (MD)
Message digest 2 (MD2) takes
plaintext of any length and creates a
hash 128 bits long
MD2 divides the message into 128-bit
sections
If the message is less than 128 bits, data
known as padding is added
Message digest 4 (MD4) was
developed in 1990 for computers that
processed 32 bits at a time
Takes plaintext and creates a hash of 128
bits
The plaintext message itself is padded to a
length of 512 bits
Message Digest (MD)
Message digest 5 (MD5) is a revision
of MD4 designed to address its
weaknesses
The length of a message is padded to 512
bits
The hash algorithm then uses four
variables of 32 bits each in a round-robin
fashion to create a value that is
compressed to generate the hash
Secure Hash Algorithm (SHA)
Patterned after MD4 but creates a
hash that is
160 bits in length instead of 128 bits
The longer hash makes it more
resistant to attacks
SHA pads messages less than 512 bits
with zeros and an integer that
describes the original length of the
message
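The two uses of hashing listed above, plus the digest lengths quoted for MD5 and SHA, as an added example that is not part of the original slides. Only Python's standard library is used; MD5 and SHA-1 are no longer considered collision-resistant, so the example substitutes SHA-256 and a salted PBKDF2 hash for the actual checks, and all passwords and messages are constructed.

```python
import hashlib
import hmac
import os


def digest_bits(name):
    """Hash length in bits; it does not depend on the input length."""
    return hashlib.new(name).digest_size * 8


# Use 1: check a password by comparing hashes, not the password itself.
def enroll(password, iterations=100_000):
    """Return the record a server would store: salt, work factor, hash."""
    salt = os.urandom(16)  # unique salt so equal passwords get different hashes
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, stored


def verify(password, record):
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)


# Use 2: detect any change to a message or file.
def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


def unchanged(data, expected_fingerprint):
    return hmac.compare_digest(fingerprint(data), expected_fingerprint)


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        print(name, digest_bits(name), "bits")

    record = enroll("correct horse battery staple")
    print("right password:", verify("correct horse battery staple", record))
    print("wrong password:", verify("correct horse battery stapl3", record))

    published = fingerprint(b"pay 100 to alice")
    print("intact:  ", unchanged(b"pay 100 to alice", published))
    print("tampered:", unchanged(b"pay 900 to alice", published))
```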
Protecting with Symmetric
Encryption Algorithms
A block cipher manipulates an entire
block of plaintext at one time
The plaintext message is divided into
separate blocks of 8 to 16 bytes and
then each block is encrypted
independently
The blocks can be randomized for
additional security
Data Encryption Standard (DES)
One of the most popular symmetric
cryptography algorithms
DES is a block cipher and encrypts data
in 64-bit blocks
The 8-bit parity bit is ignored so the
effective key length is only 56 bits
DES encrypts 64-bit plaintext by
executing the algorithm 16 times
The four modes of DES encryption are
summarized on pages 282 and 283
Triple Data Encryption Standard (3DES)
Uses three rounds of encryption
instead of just one
The ciphertext of one round becomes
the entire input for the second
iteration
Employs a total of 48 iterations in its
encryption
(3 iterations times 16 rounds)
The most secure versions of 3DES use
different keys for each round
Advanced Encryption Standard (AES)
Approved by the NIST in late 2000 as
a replacement for DES
Process began with the NIST
publishing requirements for a new
symmetric algorithm and requesting
proposals
Requirements stated that the new
algorithm had to be fast and function
on older computers with 8-bit, 32-bit,
and 64-bit processors
Advanced Encryption Standard (AES)
Performs three steps on every block
(128 bits) of plaintext
Within step 2, multiple rounds are
performed depending upon the key
size:
128-bit key performs 9 rounds
192-bit key performs 11 rounds
256-bit key uses 13 rounds
Hardening with Asymmetric
Encryption Algorithms
The primary weakness of symmetric
encryption algorithms is keeping the
single key secure
This weakness, known as key
management, poses a number of
significant challenges
Asymmetric encryption (or public key
cryptography) uses two keys instead
of one
The private key typically is used to
encrypt the message
The public key decrypts the message
Hardening with Asymmetric
Encryption Algorithms
Rivest Shamir Adleman (RSA)
Asymmetric algorithm published in
1977 and patented by MIT in 1983
Most common asymmetric encryption
and authentication algorithm
Included as part of the Web browsers
from Microsoft and Netscape as well as
other commercial products
Multiplies two large prime numbers
Diffie-Hellman
Unlike RSA, the Diffie-Hellman
algorithm does not encrypt and
decrypt text
Strength of Diffie-Hellman is that it
allows two users to share a secret key
securely over a public network
Once the key has been shared, both
parties can use it to encrypt and
decrypt messages using symmetric
cryptography
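The key agreement described above, as an added example that is not part of the original slides. The modulus and base are toy values chosen so the numbers stay readable (real deployments use standardized groups of 2048 bits or more), and the SHAKE-256 keystream stands in for a real symmetric cipher such as AES; all names are hypothetical.

```python
import hashlib
import secrets

P = 2**127 - 1  # toy modulus: a known prime, far too small for real use
G = 3           # toy base (assumption for this example)


def keypair():
    """Pick a private exponent and compute the public value G^private mod P."""
    private = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return private, pow(G, private, P)


def check_public(value):
    """Reject degenerate peer values that would force a predictable secret."""
    if not isinstance(value, int) or not 2 <= value <= P - 2:
        raise ValueError("degenerate Diffie-Hellman public value")
    return value


def shared_key(private, peer_public):
    """Both sides arrive at the same number; hash it into a 256-bit key."""
    secret = pow(check_public(peer_public), private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: the same call encrypts and decrypts."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def exchange(message=b"meet at 10:00"):
    a_private, a_public = keypair()
    b_private, b_public = keypair()
    # Only P, G, a_public and b_public cross the public network.
    a_key = shared_key(a_private, b_public)
    b_key = shared_key(b_private, a_public)
    nonce = secrets.token_bytes(12)
    ciphertext = stream_xor(a_key, nonce, message)
    return {
        "keys_match": a_key == b_key,
        "ciphertext": ciphertext,
        "recovered": stream_xor(b_key, nonce, ciphertext),
    }


if __name__ == "__main__":
    result = exchange()
    print("keys match:", result["keys_match"])
    print("ciphertext:", result["ciphertext"].hex())
    print("recovered: ", result["recovered"])
```

The exchange itself does not authenticate either party; that is the job of the digital signatures and certificates covered later in this review.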
Elliptic Curve Cryptography
First proposed in the mid-1980s
Instead of using prime numbers, uses
elliptic curves
An elliptic curve is a function drawn on
an X-Y axis as a gently curved line
By adding the values of two points on
the curve, you can arrive at a third
point on the curve
Understanding How to Use
Cryptography
Cryptography can provide a major
defense against attackers
If an e-mail message or data stored
on a file server is encrypted, even a
successful attempt to steal that
information will be of no benefit if the
attacker cannot read it
Understanding Cryptography
Strengths and Vulnerabilities
Cryptography is the science of
“scrambling” data so it cannot be
viewed by unauthorized users, making
it secure while being transmitted or
stored
When the recipient receives encrypted
text or another user wants to access
stored information, it must be
decrypted with the cipher and key to
produce the original plaintext
Symmetric Cryptography
Strengths and Weaknesses
Identical keys are used to both
encrypt and decrypt the message
Popular symmetric cipher algorithms
include Data Encryption Standard,
Triple Data Encryption Standard,
Advanced Encryption Standard, Rivest
Cipher, International Data Encryption
Algorithm, and Blowfish
Disadvantages of symmetric
encryption relate to the difficulties of
managing the private key
Asymmetric Cryptography Strengths
and Vulnerabilities
With asymmetric encryption, two keys
are used instead of one
The private key encrypts the message
The public key decrypts the message
Digital Signatures
Asymmetric encryption allows you to
use either the public or private key to
encrypt a message; the receiver uses
the other key to decrypt the message
A digital signature helps to prove that:
The person sending the message with a
public key is who they claim to be
The message was not altered
It cannot be denied the message was sent
Digital Certificates
Digital documents that associate an
individual with its specific public key
Data structure containing a public key,
details about the key owner, and other
optional information that is all digitally
signed by a trusted third party
Certification Authority (CA)
The owner of the public key listed in
the digital certificate can be identified
to the CA in different ways
By their e-mail address
By additional information that describes
the digital certificate and limits the scope
of its use
Revoked digital certificates are listed
in a Certificate Revocation List (CRL),
which can be accessed to check the
certificate status of other users
Certification Authority (CA)
The CA must publish the certificates and
CRLs to a directory immediately after a
certificate is issued or revoked so users can
refer to this directory to see changes
Can provide the information in a publicly
accessible directory, called a Certificate
Repository (CR)
Some organizations set up a Registration
Authority (RA) to handle some CA tasks,
such as processing certificate requests and
authenticating users
Understanding Public Key
Infrastructure (PKI)
Weaknesses associated with
asymmetric cryptography led to the
development of PKI
A CA is an important trusted party
who can sign and issue certificates for
users
Some of its tasks can also be
performed by a subordinate function,
the RA
Updated certificates and CRLs are kept
in a CR for users to refer to
The Need for PKI
Description of PKI
Manages keys and identity information
required for asymmetric cryptography,
integrating digital certificates, public
key cryptography, and CAs
For a typical enterprise:
Provides end-user enrollment software
Integrates corporate certificate directories
Manages, renews, and revokes certificates
Provides related network services and
security
Typically consists of one or more CA
servers and digital certificates that
automate several tasks
PKI Standards and Protocols
A number of standards have been
proposed for PKI
Public Key Cryptography Standards
(PKCS)
X.509 certificate standards
Public Key Cryptography
Standards (PKCS)
Numbered set of standards that have
been defined by the RSA Corporation
since 1991
Composed of 15 standards detailed on
pages 318 and 319 of the text
X.509 Digital Certificates
X.509 is an international standard
defined by the International
Telecommunication Union (ITU) that
defines the format for the digital
certificate
Most widely used certificate format for
PKI
X.509 is used by Secure Sockets Layer
(SSL)/Transport Layer Security (TLS),
IP Security (IPSec), and
Secure/Multipurpose Internet Mail
Extensions (S/MIME)
Trust Models
Refers to the type of relationship that
can exist between people or
organizations
In direct trust, a personal
relationship exists between two
individuals
Third-party trust refers to a situation in
which two individuals trust each other
only because each individually trusts a
third party
The three different PKI trust models are
based on direct and third-party trust
Hardening Physical Security with
Access Controls
Adequate physical security is one of
the first lines of defense against
attacks
Protects equipment and the
infrastructure itself
Has one primary goal: to prevent
unauthorized users from reaching
equipment to use, steal, or vandalize
Hardening Physical Security with
Access Controls
Configure an operating system to
enforce access controls through an
access control list (ACL), a table that
defines the access rights each subject
has to a folder or file
ACLs are also configured on network
devices to permit or deny packets to
the network.
Access control also refers to restricting
physical access to computers or
network devices
Controlling Access with
Physical Barriers
Most servers are rack-mounted
servers
A rack-mounted server is 1.75 inches
(4.45 cm) tall and can be stacked with
up to 50 other servers in a closely
confined area
Rack-mounted units are typically
connected to a KVM (keyboard, video,
mouse) switch, which in turn is
connected to a single monitor, mouse,
and keyboard
Controlling Access with Physical
Barriers
In addition to securing a device itself,
you should also secure the room
containing the device
Two basic types of door locks require a
key:
A preset lock (key-in-knob lock) requires
only a key for unlocking the door from the
outside
A deadbolt lock extends a solid metal
bar into the door frame for extra security
To achieve the most security when
using door locks, observe the good
practices listed on pages 345 and 346
of the text
Controlling Access with Physical
Barriers
Cipher locks are combination locks that use
buttons you push in the proper sequence to
open the door
Can be programmed to allow only the code
of certain people to be valid on specific dates
and times
Basic models can cost several hundred
dollars each while advanced models can run
much higher
Users must be careful to conceal which
buttons they push to avoid someone seeing
the combination (shoulder surfing)
Limiting Wireless Signal Range
Use the following techniques to limit
the wireless signal range:
Relocate the access point
Add a directional antenna
Reduce power
Cover the device
Modify the building
Reducing the Risk of Fires
Systems can be classified as:
Water sprinkler systems that spray the
room with pressurized water
Dry chemical systems that disperse a fine,
dry powder over the fire
Clean agent systems that do not harm
people, documents, or electrical
equipment in the room
Types of Security Policies
Acceptable Use Policy (AUP)
Defines what actions users of a system
may perform while using computing
and networking equipment
Should have an overview regarding
what is covered by this policy
Unacceptable use should also be
outlined
Understanding Identity
Management (continued)
Four key elements:
Single sign-on (SSO)
Password synchronization
Password resets
Access management
Understanding Identity
Management (continued)
SSO allows a user to log on one time to
a network or system and access
multiple applications and systems
based on that single password
Password synchronization also permits
a user to use a single password to log
on to multiple servers
Instead of keeping a repository of user
credentials, password synchronization
ensures the password is the same for
every application to which a user logs on
Understanding Identity
Management (continued)
Password resets reduce costs
associated with password-related help
desk calls
Identity management systems let users
reset their own passwords and unlock
their accounts without relying on the help
desk
Access management software controls
who can access the network while
managing the content and business
that users can perform while online
Auditing Privileges
You should regularly audit the
privileges that have been assigned
Without auditing, it is impossible to
know if users have been given too
many unnecessary privileges and are
creating security vulnerabilities
Usage Audit
Process of reviewing activities a user
has performed on the system or
network
Provides a detailed history of every
action, the date and time, the name of
the user, and other information
Usage Audits (continued)
Privilege Audit
Reviews privileges that have been
assigned to a specific user, group, or
role
Begins by developing a list of the
expected privileges of a user
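One way to run the privilege audit described above, as an added example that is not part of the original slides. It starts from a list of expected privileges, resolves what each user actually holds directly and through group membership, and reports the difference. The users, groups and privilege names are constructed sample data, and the function names are assumptions of this example.

```python
# Constructed sample data: the expected-privilege baseline the audit starts from.
EXPECTED = {
    "alice": {"read:payroll", "write:payroll"},
    "bob": {"read:payroll"},
    "carol": {"read:tickets", "write:tickets"},
}
# Constructed sample data: what the system grants, directly and via groups.
DIRECT_GRANTS = {
    "alice": {"read:payroll"},
    "bob": {"read:payroll", "admin:backup"},
    "carol": set(),
}
GROUP_GRANTS = {
    "payroll-editors": {"read:payroll", "write:payroll"},
    "helpdesk": {"read:tickets", "write:tickets", "reset:passwords"},
}
MEMBERSHIP = {
    "alice": ["payroll-editors"],
    "bob": ["payroll-editors"],
    "carol": ["helpdesk"],
}


def effective_privileges(user):
    """Union of the user's direct grants and every grant inherited from a group."""
    privileges = set(DIRECT_GRANTS.get(user, set()))
    for group in MEMBERSHIP.get(user, []):
        privileges |= GROUP_GRANTS.get(group, set())
    return privileges


def privilege_audit():
    """Compare effective privileges with the baseline; return only users that differ."""
    findings = {}
    for user in sorted(set(EXPECTED) | set(DIRECT_GRANTS) | set(MEMBERSHIP)):
        actual = effective_privileges(user)
        expected = EXPECTED.get(user, set())
        excess, missing = actual - expected, expected - actual
        if excess or missing:
            findings[user] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    for user, finding in privilege_audit().items():
        print(user, finding)
```

In this sample data, bob's direct grants show only one unexpected privilege; the second, `write:payroll`, appears only after group membership is resolved.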
Escalation Audits
Reviews of usage audits to determine
if privileges have unexpectedly
escalated
Privilege escalation attack: attacker
attempts to escalate her privileges
without permission
Certain programs on Mac OS X use a
special area in memory called an
environment variable to determine
where to write certain information