Security+ Guide To Network Security Fundamentals - 2nd4p
• Security often associated with theft prevention
• Drivers install security systems on their cars to prevent the cars from being stolen
• Same is true with information security: businesses cite preventing data theft as primary goal of information security

• Theft of data is single largest cause of financial loss due to a security breach
• One of the most important objectives of information security is to protect important business and personal data from theft
• Businesses that fail to protect data may face serious penalties
• Laws include:
– The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– The Sarbanes-Oxley Act of 2002 (Sarbox)
– The Gramm-Leach-Bliley Act (GLBA)
– USA PATRIOT Act 2001

• After an attack on information security, clean-up efforts divert resources, such as time and money, away from normal activities
• A Corporate IT Forum survey of major corporations showed:
– Each attack costs a company an average of $213,000 in lost man-hours and related costs
– One-third of corporations reported an average of more than 3,000 man-hours lost
• The challenge of keeping computers secure is becoming increasingly difficult
• Attacks can be launched without human intervention and infect millions of computers in a few hours
• Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures

• Information security has its own set of terminology
• A threat is an event or an action that can defeat security measures and result in a loss
• CompTIA has been working to advance the growth of the IT industry and those individuals working within it
• CompTIA is the world’s largest developer of vendor-neutral IT certification exams
Hackers
• Person who uses advanced computer skills to attack computers, but not with a malicious intent
• Use their skills to expose security flaws

Crackers
• Person who violates system security with malicious intent
• Have advanced knowledge of computers and networks and the skills to exploit them
• Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks

Script Kiddies
• Break into computers to create damage
• Are unskilled users
• Download automated hacking software from Web sites and use it to break into computers
• Tend to be young computer users with almost unlimited amounts of leisure time, which they can use to attack systems

Spies
• Person hired to break into a computer and steal information
• Do not randomly search for unsecured computers to attack
• Hired to attack a specific computer that contains sensitive information
Employees
• One of the largest information security threats to business
• Employees break into their company’s computer for these reasons:
– To show the company a weakness in their security
– To say, “I’m smarter than all of you”
– For money

Cyberterrorists
• Experts fear terrorists will attack the network and computer infrastructure to cause panic
• Cyberterrorists’ motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
• One of the targets highest on the list of cyberterrorists is the Internet itself
• Easiest way to attack a computer system requires almost no technical ability and is usually highly successful
• Social engineering relies on tricking and deceiving someone to access a system
• Social engineering is not limited to telephone calls or dated credentials

• Dumpster diving: digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
• Phishing: sending people electronic requests for information that appear to come from a valid source
• Brute force: attacker attempts to create every possible password combination by changing one character at a time, using each newly generated password to access the system
• Dictionary attack: takes each word from a dictionary and encodes it (hashing) in the same way the computer encodes a user’s password

• Software exploitation: takes advantage of any weakness in software to bypass security requiring a password
– Buffer overflow: occurs when a computer program attempts to stuff more data into a temporary storage area than it can hold
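The dictionary attack described above only works because the dictionary can be encoded once, in the same way the computer encodes passwords, and then compared against any stored hash. The following is an added example (not code from the slides or the textbook) that shows why a per-user salt and an iterated hash defeat that precomputation: the word list, the user names, and the password values are constructed for the demonstration.

```python
import hashlib
import os
from typing import Dict, Optional, Sequence

# Constructed word list standing in for a dictionary (assumption, not from the text)
WORDLIST = ["password", "letmein", "qwerty", "summer2005", "dragon"]


def unsalted_hash(password: str) -> str:
    """Encode the way a naive system does: one fixed function, nothing per user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: a random per-user salt plus many iterations per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_dictionary_table(words: Sequence[str]) -> Dict[str, str]:
    """Encode every dictionary word once, exactly as the system encodes passwords.
    The table is built a single time and reused against every unsalted hash."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Against an unsalted hash the whole attack collapses to one table lookup."""
    return table.get(stored_hash)


def audit_salted(stored_hash: str, salt: bytes, words: Sequence[str],
                 iterations: int = 100_000) -> Optional[str]:
    """Against a salted, iterated hash every word must be re-encoded for this one
    user: the precomputed table is useless and each guess costs `iterations` rounds."""
    for w in words:
        if salted_hash(w, salt, iterations) == stored_hash:
            return w
    return None


def demo() -> dict:
    table = build_dictionary_table(WORDLIST)
    weak_store = unsalted_hash("letmein")            # how not to store a password
    salt = os.urandom(16)                            # fresh random salt per user
    strong_store = salted_hash("letmein", salt)      # same password, salted and iterated
    return {
        "unsalted_recovered": lookup_unsalted(weak_store, table),       # 'letmein'
        "salted_table_hit": lookup_unsalted(strong_store, table),       # None
        "salted_recovered": audit_salted(strong_store, salt, WORDLIST), # only after per-user work
    }


if __name__ == "__main__":
    print(demo())
```

The salted hash is still found by `audit_salted` because the password itself is a dictionary word; what the salt buys the defender is that the attacker's table cannot be shared across users, and the iteration count makes each per-user guess expensive.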
• Encryption: changing the original text to a secret message using cryptography
• Success of cryptography depends on the process used to encrypt and decrypt messages
• Process is based on algorithms

• Algorithm is given a key that it uses to encrypt the message
• Any mathematical key that creates a detectable pattern or structure (weak keys) provides an attacker with valuable information to break the encryption
• Category of attacks in which the attacker attempts to assume the identity of a valid user

• Make it seem that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them
• Can be active or passive:
– Passive attack: attacker captures sensitive data being transmitted and sends it to the original recipient without his presence being detected
– Active attack: contents of the message are intercepted and altered before being sent on
• Similar to an active man-in-the-middle attack
• Whereas an active man-in-the-middle attack changes the contents of a message before sending it on, a replay attack only captures the message and then sends it again later
• Takes advantage of communications between a network device and a file server

• With wired networks, TCP/IP hijacking uses spoofing, which is the act of pretending to be the legitimate owner
• One particular type of spoofing is Address Resolution Protocol (ARP) spoofing
• In ARP spoofing, each computer using TCP/IP must have a unique IP address
• Certain types of local area networks (LANs), such as Ethernet, must also have another address, called the media access control (MAC) address, to move information around the network
• Computers on a network keep a table that links an IP address with the corresponding MAC address
• In ARP spoofing, a hacker changes the table so packets are redirected to his computer

• Denial of service (DoS) attack attempts to make a server or other network device unavailable by flooding it with requests
• After a short time, the server runs out of resources and can no longer function
• Known as a SYN attack because it exploits the SYN/ACK “handshake”
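Because ARP spoofing works by changing the IP-to-MAC table, the defender's signal is a table entry that changes. The block below is an added example, not code from the slides or the textbook: it replays a constructed list of ARP replies through a table that refuses to overwrite an existing binding and flags every disagreement, which is the behaviour static ARP entries or an ARP-watching tool give you. The addresses and timestamps are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed ARP reply records seen on a monitoring port (assumption, not from the text):
# (timestamp, sender IP, sender MAC). At t=4 the gateway's IP is suddenly claimed by another MAC.
ARP_REPLIES = [
    (1, "192.168.1.1", "AA:AA:AA:AA:AA:01"),
    (2, "192.168.1.20", "AA:AA:AA:AA:AA:20"),
    (3, "192.168.1.1", "AA:AA:AA:AA:AA:01"),
    (4, "192.168.1.1", "BB:BB:BB:BB:BB:99"),
    (5, "192.168.1.20", "AA:AA:AA:AA:AA:20"),
    (6, "192.168.1.30", "BB:BB:BB:BB:BB:99"),
]

# Static entries an administrator pins for critical hosts (constructed); they seed the table
STATIC_BASELINE = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

Alert = Tuple[int, str, str, str]  # (timestamp, ip, expected mac, observed mac)


def detect_binding_changes(replies, baseline: Optional[Dict[str, str]] = None):
    """Keep an IP->MAC table as hosts on the segment would, but never let a later reply
    overwrite an existing binding: a reply that disagrees is reported instead of trusted."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    alerts: List[Alert] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                  # first sighting becomes the baseline
        elif known != mac:
            alerts.append((ts, ip, known, mac))
    return table, alerts


def macs_claiming_multiple_ips(replies) -> Dict[str, List[str]]:
    """Second indicator: one MAC answering for several IPs (for example a host and its gateway)."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    table, alerts = detect_binding_changes(ARP_REPLIES, STATIC_BASELINE)
    for ts, ip, expected, observed in alerts:
        print(f"t={ts}: {ip} expected {expected}, reply claimed {observed}")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

A real host's ARP cache does the opposite of `detect_binding_changes` (it accepts the newest reply), which is exactly what the attack relies on; the detector's value is in keeping the first or pinned binding and reporting the conflict.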
• Programs that secretly attach to another document or program and execute when that document or program is opened
• Might contain instructions that cause problems ranging from displaying an annoying message to erasing files from a hard drive or causing a computer to crash repeatedly

• Antivirus software defends against viruses
• Drawback of antivirus software is that it must be updated to recognize new viruses
• Updates (definition files or signature files) can be downloaded automatically from the Internet to a user’s computer
• Although similar in nature, worms are different from viruses in two regards:
– A virus attaches itself to a computer document, such as an e-mail message, and is spread by traveling along with the document
– A virus needs the user to perform some type of action, such as starting a program or reading an e-mail message, to start the infection

• Worms are usually distributed via e-mail attachments as separate executable programs
• In many instances, reading the e-mail message starts the worm
• If the worm does not start automatically, attackers can trick the user to start the program and launch the worm
• Defend against Trojan horses with the following products:
– Antivirus tools, which are one of the best defenses against combination programs
– Special software that alerts you to the existence of a Trojan horse program
– Anti-Trojan horse software that disinfects a computer containing a Trojan horse

• Secret entrances into a computer of which the user is unaware
• Many viruses and worms install a back door allowing a remote user to access a computer without the legitimate user’s knowledge or permission
• Six categories of attackers: hackers, crackers, script kiddies, spies, employees, and cyberterrorists
• Password guessing is a basic attack that attempts to learn a user’s password by a variety of means
• Cryptography uses an algorithm and keys to encrypt and decrypt messages

• Identity attacks attempt to assume the identity of a valid user
• Denial of service (DoS) attacks flood a server or device with requests, making it unable to respond to valid requests
• Malicious code (malware) consists of computer programs intentionally created to break into computers or to create havoc on computers
• Diversity is closely related to layering
• You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
• Using diverse layers of defense means that breaching one security layer does not compromise the whole system

• You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
• Using firewalls produced by different vendors creates even greater diversity
Obscurity
• Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult

Simplicity
• Complex security systems can be difficult to understand, troubleshoot, and feel secure about
• The challenge is to make the system simple from the inside but complex from the outside
– Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember)
– Can be for users and for computers that share data

• Passwords are based on what you know, tokens are based on what you have
• Proximity card: plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal
Certificates
• The key system does not prove that the senders are actually who they claim to be
• Certificates let the receiver verify who sent the message
• Certificates link or bind a specific person to a key
• Digital certificates are issued by a certification authority (CA), an independent third-party organization

Kerberos
• Authentication system developed by the Massachusetts Institute of Technology (MIT)
• Used to verify the identity of networked users, like using a driver’s license to cash a check
• Typically used when someone on a network attempts to use a network service and the service wants assurance that the user is who he says he is
• A more restrictive model
• The subject is not allowed to give access to another subject to use an object

• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
• Users and objects inherit all of the permissions for the role
Discretionary Access Control (DAC)
• Least restrictive model
• One subject can adjust the permissions for other subjects over objects
• Type of access most users associate with their personal computers

Auditing Information Security Schemes
• Two ways to audit a security system
– Logging records which user performed a specific activity and when
– System scanning to check permissions assigned to a user or role; these results are compared to what is expected to detect any differences
• Another means of hardening an operating system is to restrict user access
• Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

• Microsoft Windows provides a centralized method of defining security on the Microsoft Management Console (MMC)
– A Windows utility that accepts additional components (snap-ins)
– After you apply a security template to organize security settings, you can import the settings to a group of computers (Group Policy object)
• Group Policy settings: components of a user’s desktop environment that a network system administrator needs to manage
• Group Policy settings cannot override a global setting for all computers (domain-based setting)
• Windows stores settings for the computer’s hardware and software in a database (the registry)

• Just as you must harden operating systems, you must also harden the applications that run on those systems
• Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system
• Harden servers to prevent attackers from breaking through the software
• Web server delivers text, graphics, animation, audio, and video to Internet users around the world
• Refer to the steps on page 115 to harden a Web server

• Mail server is used to send and receive electronic messages
• In a normal setting, a mail server serves an organization or set of users
• All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user
• Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers
• Hardening a print/file server involves the tasks listed on page 119 of the text
• A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)
• DHCP servers “lease” IP addresses to clients

• Data repository: container that holds electronic information
• Two major data repositories: directory services and company databases
• Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources
• RAM is volatile: interrupting the power source causes RAM to lose its entire contents
• Read-only memory (ROM) is different from RAM in two ways:
– Contents of ROM are fixed
– ROM is nonvolatile: disabling the power source does not erase its contents

• ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware
• To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window
• The contents of EEPROM chips can also be erased using electrical signals applied to specific pins
• You must properly configure network equipment to resist attacks
• The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network

• Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)
• Rules are composed of several settings (listed on pages 122 and 123 of the text)
• Observe the basic guidelines on page 124 of the text when creating rules
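The settings and guidelines the slides point to in the textbook are not reproduced here, so the following is an added example (not the book's rule base) of how a perimeter packet filter evaluates a rule base: rules are tried in order, the first match decides, and anything unmatched falls to an implicit deny. The rule settings used (action, protocol, source, destination, destination port), the address ranges and the rule order are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp", "icmp" or "any"
    src: str                 # source network, CIDR notation
    dst: str                 # destination network, CIDR notation
    dst_port: Optional[int]  # None matches any port


# Constructed rule base for an Internet-facing interface (assumption, not from the text).
# 203.0.113.0/24 is the inside network, 198.51.100.0/24 is a partner network.
RULES: List[Rule] = [
    # anti-spoofing: a packet arriving from outside must not carry an inside source address
    Rule("deny", "any", "203.0.113.0/24", "0.0.0.0/0", None),
    # public web server
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),
    # the partner network may query the DNS server
    Rule("permit", "udp", "198.51.100.0/24", "203.0.113.53/32", 53),
    # everything else falls through to the implicit deny
]


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """Every setting in the rule must match the packet for the rule to apply."""
    if rule.protocol != "any" and rule.protocol != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == dport


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match semantics: the first matching rule decides; no match means deny.
    Returns (action, index of the deciding rule, or None for the implicit deny)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    for pkt in [("tcp", "198.51.100.5", "203.0.113.10", 443),
                ("tcp", "203.0.113.7", "203.0.113.10", 443),
                ("tcp", "198.51.100.5", "203.0.113.10", 23)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Rule order is part of the policy: the anti-spoofing deny has to sit above the web-server permits, otherwise a packet forging an inside source address toward port 443 would be accepted by rule 1 before the deny is ever consulted.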
• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
• Unshielded twisted-pair (UTP) cables do not have any shielding
• Twisted-pair cables have RJ-45 connectors

• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper that transmits light impulses
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket
– Communication devices
– Network security devices

• A second category of network devices are those that communicate over longer distances
• Include:
– Modems
– Remote access servers
– Telecom/PBX Systems

• Most common communication device
• Broadband is increasing in popularity and can create network connection speeds of 15 Mbps and higher
• Two popular broadband technologies:
– Digital Subscriber Line (DSL) transmits data at 15 Mbps over regular telephone lines
• A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
• Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
• Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time

• Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
• Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network
• Term used to describe a Private Branch eXchange
• The definition of a PBX comes from the words that make up its name:
– Private
– Branch
– eXchange

• As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
• Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection
• The final category of network devices includes those designed and used strictly to protect the network
• Include:
– Firewalls

• Typically used to filter packets
• Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)

– Watch network activity and report abnormal behavior
– Result in many false alarms

– Collects and stores management information and makes it available to SNMP
• Topology: physical layout of the network devices, how they are interconnected, and how they communicate
• Essential to establishing its security
• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
– Demilitarized Zones (DMZs)
– Intranets
– Extranets
Intranets
• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
• Disadvantage is that it does not allow remote trusted users access to information

Extranets
• Sometimes called a cross between the Internet and an intranet
• Accessible to users that are not trusted internal users, but trusted external users
• Not accessible to the general public, but allows vendors and business partners to access a company Web site
• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging

• E-mail has replaced the fax machine as the primary communication tool for businesses
• Has also become a prime target of attackers and must be protected
• Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems
– E-mail remains on the e-mail server

• Three bytes from the binary file are extracted and converted to four text characters
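The "three bytes in, four characters out" rule above is the Base64 encoding used for e-mail attachments. The block below is an added example (not code from the slides or the textbook) that performs the conversion by hand, including the '=' padding for a final group of one or two bytes, and a strict decoder that rejects malformed input; the sample byte strings are constructed.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_base64(data: bytes) -> str:
    """Take three bytes (24 bits) at a time, split them into four 6-bit groups and map
    each group to one printable character; a short final group is padded with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)                                          # 1, 2 or 3 real bytes
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")   # one 24-bit group
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = "".join(ALPHABET[s] for s in sextets)
        out.append(chars[:n + 1] + "=" * (3 - n))               # n bytes need n+1 characters
    return "".join(out)


def decode_base64(text: str) -> bytes:
    """Reverse the mapping. A decoder that is lenient here (odd lengths, padding in the
    middle, characters outside the alphabet) is a classic source of parser disagreements,
    so each of those cases is rejected."""
    if len(text) % 4:
        raise ValueError("base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = len(quad) - len(quad.rstrip("="))
        if pad > 2 or "=" in quad[:4 - pad]:
            raise ValueError("invalid padding")
        if pad and i + 4 != len(text):
            raise ValueError("padding is only allowed in the final group")
        bits = 0
        for ch in quad[:4 - pad]:
            bits = (bits << 6) | ALPHABET.index(ch)   # ValueError for a character outside the alphabet
        bits <<= 6 * pad                               # restore the full 24-bit group width
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M", b"\x00\xff\x10\x80"):
        enc = encode_base64(sample)
        assert enc == base64.b64encode(sample).decode()   # cross-check with the standard library
        print(sample, "->", enc, "->", decode_base64(enc))
```

Because every byte of the attachment, printable or not, becomes one of 64 safe characters, the encoded attachment grows by a third but survives transport through mail systems that only handle text.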
• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
– 52% of users indicate spam has made them less trusting of e-mail in general
– 70% of users say spam has made being online unpleasant or annoying
• Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
• Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian filtering
– User divides e-mail messages received into two piles, spam and not-spam

• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, are almost impossible to filter
• Defense against hoaxes is to ignore them
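The two piles the user sorts are the training data for a Bayesian filter: word frequencies in each pile give the probability that a new message belongs to either. The following is an added example (not code from the slides or the textbook) of a naive Bayes filter with add-one smoothing, so that a word seen in only one pile cannot drive the other pile's probability to zero; the sample messages are constructed for the demonstration.

```python
import math
import re
from collections import Counter
from typing import Iterable, List

# Constructed "two piles" a user has sorted by hand (assumption, not from the text)
SPAM_PILE = [
    "cheap pills online offer",
    "win money now click offer",
    "free offer cheap prize",
]
NOT_SPAM_PILE = [
    "meeting notes attached",
    "lunch tomorrow at noon",
    "project status meeting notes",
]

TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text: str) -> List[str]:
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Naive Bayes over word counts with add-one (Laplace) smoothing."""

    def __init__(self, spam: Iterable[str], not_spam: Iterable[str]):
        self.spam_counts: Counter = Counter()
        self.ham_counts: Counter = Counter()
        self.spam_docs = self.ham_docs = 0
        for m in spam:
            self.learn(m, is_spam=True)
        for m in not_spam:
            self.learn(m, is_spam=False)

    def learn(self, text: str, is_spam: bool) -> None:
        """Move a newly sorted message into the right pile and update the counts."""
        counts = self.spam_counts if is_spam else self.ham_counts
        counts.update(tokens(text))
        if is_spam:
            self.spam_docs += 1
        else:
            self.ham_docs += 1

    def _log_likelihood(self, words: List[str], counts: Counter) -> float:
        vocab = len(set(self.spam_counts) | set(self.ham_counts))
        total = sum(counts.values())
        # smoothed P(word | pile); unseen words get 1 / (total + vocab), never zero
        return sum(math.log((counts[w] + 1) / (total + vocab)) for w in words)

    def spam_probability(self, text: str) -> float:
        words = tokens(text)
        n = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / n) + self._log_likelihood(words, self.spam_counts)
        log_ham = math.log(self.ham_docs / n) + self._log_likelihood(words, self.ham_counts)
        # P(spam | words) from the two log scores, computed without underflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "not-spam"


if __name__ == "__main__":
    f = BayesFilter(SPAM_PILE, NOT_SPAM_PILE)
    for msg in ("cheap pills offer", "meeting notes attached", "offer for lunch meeting"):
        print(f"{msg!r}: P(spam)={f.spam_probability(msg):.3f} -> {f.classify(msg)}")
```

With only three messages per pile the probabilities are extreme; the practical point is that the filter keeps improving as the user keeps sorting, because `learn` folds each newly classified message back into the counts.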
• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice

• Two technologies used to protect e-mail messages as they are being transported:
– Secure/Multipurpose Internet Mail Extensions
• Harden wireless local area networks (WLAN)

• FTP servers can be configured to allow unauthenticated users to transfer files (called anonymous FTP or blind FTP)
• Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms:
– AH in transport mode
– AH in tunnel mode
– ESP in transport mode
– ESP in tunnel mode

• Takes advantage of using the public Internet as if it were a private network
• Allow the public Internet to be used privately
• Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network
• A WLAN shares same characteristics as a standard data-based LAN with the exception that network devices do not use cables to connect to the network
• RF is used to send and receive packets
• Sometimes called Wi-Fi for Wireless Fidelity, network devices can transmit 11 to 108 Mbps at a range of 150 to 375 feet

• In September 1999, a new 802.11b High Rate was amended to the 802.11 standard
• 802.11b added two higher speeds, 5.5 and 11 Mbps
• With faster data rates, 802.11b quickly became the standard for WLANs
• At same time, the 802.11a standard was released
• 802.11a has a maximum rated speed of 54 Mbps and also supports 48, 36, 24, 18, 12, 9, and 6 Mbps transmissions at 5 GHz
• Each network device must have a wireless network interface card installed
• Wireless NICs are available in a variety of formats:
– Type II PC card
– CompactFlash (CF) card
– USB stick
– Mini PCI
– USB device

• An access point (AP) consists of three major parts:
– An antenna and a radio transmitter/receiver to send and receive signals
– An RJ-45 wired network interface that allows it to connect by cable to a standard wired network
– Special bridging software
• Basic WLAN security uses two new wireless tools and one tool from the wired world:
– Service Set Identifier (SSID) beaconing
– MAC address filtering
– Wired Equivalent Privacy (WEP)

– Independent Basic Service Set (IBSS)
– Basic Service Set (BSS)
– Extended Service Set (ESS)
• Each WLAN is given a unique SSID
Summary (continued)
• Authenticating a transmission to ensure it came from the sender can provide increased security for remote access users
• SSH is a UNIX-based command interface and protocol for securely accessing a remote computer
• A directory service is a database stored on the network itself and contains all the information about users and network devices
• Digital cellular telephony provides various features to operate on a wireless digital cellular device
• WLANs have a dramatic impact on user access to data

Chapter 8: Scrambling Through Cryptography
Security+ Guide to Network Security Fundamentals, Second Edition
• Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text
• Strength of Diffie-Hellman is that it allows two users to share a secret key securely over a public network
• Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography

• First proposed in the mid-1980s
• Instead of using prime numbers, uses elliptic curves
• An elliptic curve is a function drawn on an X-Y axis as a gently curved line
• By adding the values of two points on the curve, you can arrive at a third point on the curve
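The two passages above, Diffie-Hellman agreeing on a secret over a public channel and elliptic-curve point addition producing a third point on the curve, are carried through in working code below. This is an added example, not code from the slides or the textbook: the modulus, generator and private exponents for Diffie-Hellman, and the curve y^2 = x^3 + 2x + 2 over the integers mod 17 with base point (5, 1), are toy-sized textbook parameters chosen for illustration, far too small for real use.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity (the group identity)


# ---- Diffie-Hellman over integers mod a prime (toy parameters, constructed) ----
def dh_public(g: int, private: int, p: int) -> int:
    """Each party publishes g^private mod p; the private exponent never leaves the party."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int) -> int:
    """Both sides arrive at the same value: (g^b)^a = (g^a)^b mod p."""
    return pow(peer_public, private, p)


# ---- elliptic-curve arithmetic over a small prime field (toy curve, constructed) ----
# Curve: y^2 = x^3 + A*x + B (mod P). These textbook parameters are an assumption, not from the text.
A, B, P = 2, 2, 17
G: Point = (5, 1)


def is_on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Adding two points on the curve yields a third point on the curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                       # Q + (-Q) is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P)   # tangent slope (Fermat inverse)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P)          # chord slope
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """k*pt by double-and-add; recovering k from k*pt is the hard problem ECC rests on."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared(private: int, peer_public: Point) -> Point:
    """Elliptic-curve Diffie-Hellman: a*(b*G) == b*(a*G)."""
    return scalar_mult(private, peer_public)


if __name__ == "__main__":
    p, g, a, b = 23, 5, 6, 15
    pub_a, pub_b = dh_public(g, a, p), dh_public(g, b, p)
    print("DH publics:", pub_a, pub_b, "shared:", dh_shared(pub_b, a, p), dh_shared(pub_a, b, p))
    alice_pub, bob_pub = scalar_mult(7, G), scalar_mult(11, G)
    print("ECDH shared:", ecdh_shared(7, bob_pub), ecdh_shared(11, alice_pub))
```

An eavesdropper sees g, p and both public values but not the exponents; with these toy sizes the exponent could be found by trial, which is exactly why real parameters are thousands of bits (or, for curves, hundreds of bits) long.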
Objectives
• Explain cryptography strengths and vulnerabilities
• Define public key infrastructure (PKI)
• Manage digital certificates
• Explore key management

Understanding Cryptography Strengths and Vulnerabilities
• Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
• When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext
• Digital documents that associate an individual with its specific public key
• Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party
• Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

• The owner of the public key listed in the digital certificate can be identified to the CA in different ways
– By their e-mail address
– By additional information that describes the digital certificate and limits the scope of its use
• The web of trust model is based on direct trust
• Single-point trust model is based on third-party trust
– A CA directly issues and signs certificates
• In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it

• After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
• CA certificates are issued by a CA directly to individuals
• Typically used to secure e-mail transmissions through S/MIME and SSL/TLS
• Published set of rules that govern operation of a PKI
• Begins with an opening statement outlining its scope
• Should cover at a minimum the topics listed on page 325 of the text

• More technical document compared to a CP
• Describes in detail how the CA uses and manages certificates
• Covers topics such as those listed on pages 325 and 326 of the text
• Typically divided into four parts:
– Creation
– Revocation
– Expiration
– Suspension

• Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed
• Storing keys in hardware is an alternative to software-based keys
• Whether private keys are stored in hardware or software, it is important that they be adequately protected

• If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys
• One pair of keys may be used to encrypt information and the public key could be backed up to another location
• The second pair would be used only for digital signatures and the public key in that pair would never be backed up
• Certain procedures can help ensure that keys are properly handled:
– Escrow
– Expiration

• One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement
Summary (continued)
• The best defenses against social engineering are a strong security policy along with adequate training
• An organization must establish clear and direct policies regarding what information can be given out and under what circumstances

– Dead-end corridors
• Take steps to secure the environment itself to reduce the risk of attacks:
– Limiting the range of wireless data signals
– Shielding wired signals
– Controlling the environment
– Suppressing the risk of fires
• Electromagnetic interference (EMI) may be caused by a variety of sources
– A motor or another source of intense electrical activity can create an electromagnetic signal that interferes with a data signal
– EMI can also be caused by cellular telephones, citizens’ band and police radios, small office or household appliances, fluorescent lights, or loose electrical connections

• The source of near end crosstalk (NEXT) interference is usually from another data signal being transmitted
• Loss of signal strength is known as attenuation
• Two types of defenses are commonly referenced for shielding a signal
– Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)
– Faraday cage
• Disruption of utilities should be of primary concern for all organizations
• The primary utility that a BCP should address is electrical service
• An uninterruptible power supply (UPS) is an external device located between an outlet for electrical power and another device
– Primary purpose is to continue to supply power if the electrical power fails

• A UPS can complete the following tasks:
– Send a special message to the network administrator’s computer, or page or telephone the network manager to indicate that the power has failed
– Notify all users that they must finish their work immediately and log off
– Prevent any new users from logging on
– Disconnect users and shut down the server
• A DRP is different from a business continuity plan
• Typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning
• Should be a detailed document that is updated regularly
• All DRPs are different, but they should address the common features shown in the outline on pages 367 and 368 of the text

• Major disasters may require that the organization temporarily move to another location
• Three basic types of alternate sites are used during or directly after a disaster
– Hot site
– Cold site
– Warm site
Identifying Secure Recovery (continued)
• A hot site is generally run by a commercial disaster recovery service that allows a business to continue computer and network operations to maintain business continuity
• A cold site provides office space but customer must provide and install all equipment needed to continue operations
• A warm site has all equipment installed but does not have active Internet or telecommunications facilities

Protecting Backups
• Data backups must be protected from theft and normal environmental elements
• Tape backups should be protected against strong magnetic fields, which can destroy a tape
• Be sure backup tapes are located in a secure environment that is adequately protected
• Adequate physical security is one of the first lines of defense against attacks
• Physical security involves restricting access with access controls, minimizing social engineering attacks, and securing the environment and infrastructure
• Business continuity is the process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize

• Disaster recovery is focused on recovering from major disasters that could potentially cause the organization to cease operations for an extended period of time
• A DRP typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning
• An asset is any item with a positive economic value
• Many types of assets, classified as follows:
– Physical assets
– Software
– Personnel
– Data
– Hardware
• Along with the assets, attributes of the assets need to be compiled

• After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value
• Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text
• A threat is not limited to those from attackers, but also includes acts of God, such as fire or severe weather
• Threat modeling constructs scenarios of the types of threats that assets can face
• The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur

• A valuable tool used in threat modeling is the construction of an attack tree
• An attack tree provides a visual image of the attacks that may occur against an asset
• To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners
• These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity

• Final step in identifying risks is to perform a risk assessment
• Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization
• Each vulnerability can be ranked by the scale
• Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability
• To create an effective security policy, two elements must be carefully balanced: trust and control
• Three models of trust:
– Trust everyone all of the time
• When designing a security policy, you can consider a standard set of principles
• These can be divided into what a policy must do and what a policy should do
• Term used frequently in legal and business settings
• Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them
• Key element in internal controls
• Means that one person’s work serves as a complementary check on another person’s
• No one person should have complete control over any action from initialization to completion
• Policies of the organization that address human resources
• Should include statements regarding how an employee’s information technology resources will be addressed
• Although passwords often form the weakest link in information security, they are still the most widely used
• A password management policy should clearly address how passwords are managed
• In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords
• Privacy is of growing concern among today’s consumers
• Organizations should have a privacy policy that outlines how the organization uses information it collects
• A disposal and destruction policy that addresses the disposing of resources is considered essential
• The policy should cover how long records and data will be retained
• It should also cover how to dispose of them
Summary (continued)
– Instead of keeping a repository of user credentials, password synchronization ensures the password is the same for every application to which a user logs on
• Responsibility for privilege management can likewise be either centralized or decentralized
• In a centralized structure, one unit is responsible for all aspects of assigning or revoking privileges
• A decentralized organizational structure delegates authority for assigning or revoking privileges to smaller units, such as empowering each location to hire a network administrator to manage privileges
• Access management software controls who can access the network while managing the content and business that users can perform while online
• Privileges can be assigned by:
– The user
– The group to which the user belongs
– The role that the user assumes in the organization
• If privileges are assigned by user, the needs of each user should be closely examined to determine what privileges they need over which objects
• When assigning privileges on this basis, the best approach is to have a baseline security template that applies to all users and then modify as necessary
• Instead of assigning privileges to each user, a group can be created and privileges assigned to the group
• As users are added to the group, they inherit those privileges
• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
• The users inherit all permissions for the role
• You should regularly audit the privileges that have been assigned
• Without auditing, it is impossible to know if users have been given too many unnecessary privileges and are creating security vulnerabilities
• Reviews privileges that have been assigned to a specific user, group, or role
• Begins by developing a list of the expected privileges of a user
• Reviews of usage audits to determine if privileges have unexpectedly escalated
• Privilege escalation attack: attacker attempts to escalate her privileges without permission
• Certain programs on Mac OS X use a special area in memory called an environment variable to determine where to write certain information
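A privilege audit in code, added as an example that is not from the text: users inherit the baseline template plus the privileges of each role they hold, and the audit compares that effective set with the expected list for each user. The roles, users and privilege names are constructed sample data; "carol" carries a direct grant outside any role, which is what the audit is meant to surface.

```python
from typing import Dict, List, Set

# Constructed sample data: role -> privileges, user -> roles, and any
# privileges granted to a user directly rather than through a role.
ROLE_PRIVS: Dict[str, Set[str]] = {
    "baseline": {"read:public", "change:own-password"},   # template for all users
    "helpdesk": {"reset:user-password", "read:tickets"},
    "backup-operator": {"read:all-files", "write:backup-tapes"},
    "admin": {"read:all-files", "write:all-files", "grant:privileges"},
}
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["helpdesk"],
    "bob": ["backup-operator"],
    "carol": ["helpdesk"],
}
DIRECT_GRANTS: Dict[str, Set[str]] = {
    "carol": {"grant:privileges"},   # granted outside any role
}


def effective_privileges(user: str) -> Set[str]:
    """Baseline template, plus every assigned role's privileges, plus direct grants."""
    privs = set(ROLE_PRIVS["baseline"])
    for role in USER_ROLES.get(user, []):
        privs |= ROLE_PRIVS[role]
    privs |= DIRECT_GRANTS.get(user, set())
    return privs


def audit_user(user: str, expected: Set[str]) -> Dict[str, Set[str]]:
    """Compare the expected privilege list with what is actually assigned."""
    actual = effective_privileges(user)
    return {"excess": actual - expected, "missing": expected - actual}


def audit_all(expected_by_user: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return only the users who hold privileges beyond their expected list."""
    return {user: audit_user(user, expected)["excess"]
            for user, expected in expected_by_user.items()
            if audit_user(user, expected)["excess"]}


# Expected privileges: what each user's job needs (constructed)
EXPECTED: Dict[str, Set[str]] = {
    "alice": ROLE_PRIVS["baseline"] | ROLE_PRIVS["helpdesk"],
    "bob": ROLE_PRIVS["baseline"] | ROLE_PRIVS["backup-operator"],
    "carol": ROLE_PRIVS["baseline"] | ROLE_PRIVS["helpdesk"],
}

if __name__ == "__main__":
    for user, excess in audit_all(EXPECTED).items():
        print(f"{user}: unexpected privileges {sorted(excess)}")
```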
• Change management refers to a methodology for making changes and keeping track of those changes
• Change management involves identifying changes that should be documented and then creating that documentation
• Because changes can affect all users, and uncoordinated changes can result in unscheduled service interruptions, many organizations create a Change Management Team (CMT) to supervise the changes
• Duties of the CMT include those listed on page 427
• Seminars and workshops are a good means of learning the latest technologies and networking with other security professionals in the area
• Print media is another resource for learning content
• The Internet contains a wealth of information that can be used on a daily basis to keep informed about new attacks and trends
• Identity management provides a framework in which a single authenticated ID is shared across multiple networks or online businesses
• Privilege management attempts to simplify assigning and revoking access control to users
• Change management refers to a methodology for making and keeping track of changes
Responding to a Computer Forensics Incident
• Generally involves four basic steps similar to those of standard forensics:
– Secure the crime scene
– Collect the evidence
– Establish a chain of custody
– Examine and preserve the evidence
Securing the Crime Scene
• Physical surroundings of the computer should be clearly documented
• Photographs of the area should be taken before anything is touched
• Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected
• Team takes custody of the entire computer along with the keyboard and any peripherals
Preserving the Data
• Computer forensics team first captures any volatile data that would be lost when computer is turned off and moves data to a secure location
• Includes any data not recorded in a file on the hard drive or an image backup:
– Contents of RAM
– Current network connections
– Logon sessions
– Network configurations
– Open files
Preserving the Data (continued)
• After retrieving volatile data, the team focuses on the hard drive
• Mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards
• Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer contents at the crime scene
• Mirror image backups must meet the criteria shown on pages 452 and 453 of the text
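What makes a bit-stream copy evidence-grade is that every byte is copied and the copy is proven identical to the original, which is shown here in an added example that is not from the text: the "drive" is a constructed file standing in for a device, the source is opened read-only, and the image is accepted only if its SHA-256 and size match the original, with the hash then recorded in a chain-of-custody entry. Real imaging uses a hardware write blocker and dedicated imaging tools; this only demonstrates the verification step.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 64 * 1024


def sha256_file(path: str) -> str:
    """Hash a file in chunks so that large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bit_stream_image(source: str, image: str) -> Dict[str, object]:
    """Copy every byte of `source` to `image`; the original is hashed before the
    copy and the image after it, so any difference is detected."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = sha256_file(image)
    same_size = os.path.getsize(source) == os.path.getsize(image)
    return {"source_sha256": before, "image_sha256": after,
            "verified": before == after and same_size,
            "bytes": os.path.getsize(image)}


def custody_entry(log: List[dict], item: str, action: str, person: str, sha256: str) -> List[dict]:
    """Append one chain-of-custody record: who did what to which item, and its hash."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "item": item,
                "action": action, "by": person, "sha256": sha256})
    return log


def demo() -> Dict[str, object]:
    # Constructed sample "drive": a small file standing in for a physical device
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect-disk.bin")
        img = os.path.join(d, "suspect-disk.img")
        with open(src, "wb") as f:
            f.write(b"MBR\x00" * 1024 + b"evidence" + b"\x00" * 4096)
        result = bit_stream_image(src, img)
        result["custody"] = custody_entry([], "suspect-disk", "imaged",
                                          "examiner-1", str(result["image_sha256"]))
        return result
```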
• Most industry experts agree security certifications continue to be important
• Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses
• One of the most important skills is a strong knowledge of the foundation upon which network communications rests, namely Transmission Control Protocol/Internet Protocol (TCP/IP)
• Understanding TCP/IP concepts helps effectively troubleshoot computer network problems and diagnose possible anomalous behavior on a network