Security+ study guide

Written by McCya mccya.webs.com Page 1

Security+ Concepts

The Security+ exam is well-known to test heavily on concepts rather than on purely

technical knowledge. Security+ concepts relate to the ideas that govern good information

security practices. You can think of these core concepts as a sort of “constitution” or even a

“charter” of information security. Any organization or practice will inevitably have some sort

of governing ideology; for the Security+ exam (for information security), this ideology is

always related to the acronym: CIA.

What’s CIA?

CIA (in this context, of course) stands for Confidentiality, Integrity, and Availability.

These are the three tenets or cornerstones of information security objectives. Virtually all

practices within the umbrella called “Information Security” are designed to provide these

objectives. They are relatively simple to understand and common-sense notions, yet the

Security+ exam writers love to test on CIA concepts. So, you should understand CIA very

well in order to understand the reasoning behind later practices as well as to ace this portion

of the exam.

Confidentiality

Confidentiality refers to the idea that information should only be accessible to its intended

recipients and those authorized to receive the information. All other parties should not be

able to access the information. This is a pretty common and straight-forward idea; the US

government for example marks certain items “Top Secret,” which means that only those

who are cleared to see that information can actually view it. In this way, the government is

achieving information confidentiality. Another common example is the sharing of a secret

between two friends. When the friends tell each other the secret, they usually whisper so that

nobody else can hear what they are saying. The friends are also achieving confidentiality.

Integrity

Integrity is the idea that information should arrive at a destination as it was sent. In other

words, the information should not be tampered with or otherwise altered. Sometimes, secret

information may be sent in a locked box. This is to ensure both confidentiality and integrity:

it ensures confidentiality by assuring that only those with a key can open it; it ensures

integrity by assuring that the information is not able to be altered during delivery. Similarly,

government documents are often sealed with some sort of special stamp that is unique to an

office or branch of government. In this way, the government ensures that the people reading

the documents know that the document is in fact a government document and not a phony.

Availability

Imagine that a terrorist blocks the entrance to the Library of Congress. Though he did not

necessarily destroy the integrity of the books inside nor did he breach confidentiality, he did

do something to negatively affect the security of the Library. We deem his actions a “denial

of service,” or more appropriately, a denial of availability. Availability refers to the idea

that information should be available to those authorized to use it. When a hacker floods a

web server with erroneous requests and the web server goes down as a result of it, he denied

availability to the users of the server, and thus one of the major tenets of information security

has been compromised.

Wrap Up

Well, you’ve completed your first Security+ lesson! That wasn’t so bad, now was it? As you

can see, a lot of what is covered on the Security+ exam is actually commonsense. However,

don’t take CIA lightly – it is heavily tested! Below are a few questions that should help you

review what you’ve learned today:

Quick Review

1. Which of the following are components of CIA? (Choose all that apply)

a. Confidentiality

b. Authentication

c. Integration

d. Integrity

e. Availability

f. Character

2. A user encrypts an email before sending it. The only person that can decrypt the

email is the recipient. By encrypting the email in this way, the user is attempting to

preserve the:

a. Confidentiality of the recipient

b. Accessibility of the email server

c. Confidentiality of the information

d. Integrity of the information

3. A hooligan unplugs the power from the central data server at a large bank. Which of

the following describe the effect on information security?

a. Confidentiality has been breached

b. Loss of availability

c. The information has lost integrity

Answers

1. The components of CIA are Confidentiality, Integrity, and Availability. The answer is

(A,D,E)

2. This is a tough question that is sure to manifest itself on the exam. Don’t be confused

between confidentiality and integrity. Remember that confidentiality refers to the fact that

only the recipient can receive the information, whereas integrity means that the information is

basically in the same state that it was sent. Although the encryption may prevent others “in

the middle of the communication” from understanding the email, it does nothing to prevent

them from manipulating the email being sent. So, the answer is that it only ensures the

confidentiality of the information and NOT the integrity of the information. (C)

3. By unplugging the power, the punk is basically denying availability to the users of the

server. He is not however actually changing the information stored on the server nor is he

trying to read any sort of confidential information. The answer is therefore that his actions

produce a loss of availability (B)
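The point made in answer 2 (encryption alone gives confidentiality, not integrity) is easier to see with code. The following is an added example, not part of the study guide: it uses a constructed stream cipher (SHA-256 keystream XORed into the message, for illustration only) and shows that a man-in-the-middle who cannot read the ciphertext can still change what the recipient decrypts, and that appending an HMAC (the "seal" on the locked box) lets the recipient reject the altered message. Key, nonce and the message are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy keystream (constructed for illustration, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the message with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse


def flip_word(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Alter the plaintext underneath a ciphertext without the key by XORing in (old ^ new)."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: encrypt, then append an HMAC over nonce || ciphertext."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; return None if the message was altered in transit."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, nonce, ct)


def demo() -> dict:
    """Run both scenarios on a constructed message and report what each receiver ends up with."""
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    message = b"PAY $100 TO ALICE"
    where = message.index(b"ALICE")

    # Scenario 1: encryption only. The middleman cannot read the message,
    # but can blindly rewrite "ALICE" to "MALLY" and the recipient cannot tell.
    ct = encrypt(key, nonce, message)
    seen_without_mac = decrypt(key, nonce, flip_word(ct, where, b"ALICE", b"MALLY"))

    # Scenario 2: encryption plus a MAC. The same blind edit breaks the tag and is rejected.
    blob = seal(key, mac_key, nonce, message)
    tampered = blob[:16] + flip_word(blob[16:-32], where, b"ALICE", b"MALLY") + blob[-32:]
    seen_with_mac = open_sealed(key, mac_key, tampered)
    intact = open_sealed(key, mac_key, blob)

    return {"without_mac": seen_without_mac, "with_mac": seen_with_mac, "intact": intact}
```

The lesson for the exam question is the last three lines of demo(): the unauthenticated ciphertext decrypts to a different payee, the sealed one is rejected (None), and the untouched sealed one opens normally.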

Access Control

One of the most crucial areas of information security that dates back to its origins is the idea

of access control. Access control is the ability of a system to limit access to only certain

users. When you think access control, think “password.” Of course, there are many more ways to

authenticate users than just passwords, but passwords are probably the most well-known way

of controlling access to resources, especially to information security laymen. We’ll now look

into the specifics of access control.

Types of Access Control Factors

One of the key questions associated with access control is: How do you ensure that a user is

in fact who he claims to be? There are many ways to do so, and so they have been

categorized into three types of factors.

Type I: What you know – Access control methods related to “what you know”

include passwords, numeric keys, PIN numbers, secret questions and answers,

and so forth. Basically, Type I access control depends on the user knowing something

in order to access the information.

Type II: What you have – You probably use this access control method every day

without realizing it. A physical key is used to open a door to your house through a

lock – a form of Type II access control. In information security terms, Type II access

control methods may include physical keys or cards, smart cards, and other

physical devices that might be used to gain access to something.

Type III: What you are – This form of access control is closely related to biometrics

or authentication by biological factors. Some high-tech systems may use

fingerprints, retinal scans, or even DNA to ensure that a user is who he claims to

be. This type of access control is considered the most secure because it requires that a

user be physically present whereas the other two can be compromised by theft of a

password or a keycard.

The best authentication systems use more than one factor (Type) to ensure a user’s

identity; this is known as “multi-factor authentication.”

The Workings behind Access Control

There are essentially three steps to any access control process.

1. Identification: Who is the user?

2. Authentication: Is the user who he says he is?

3. Authorization: What does the user have permission to do?

Authentication is achieved through the factors discussed above, but Authorization is

actually achieved between the reference model and the kernel of the operating system.

The reference model is the system that directs the kernel what it can and cannot access. A

request to access information would be sent through the reference model to verify that the

user requesting access should actually have access to what he is requesting. The kernel then

acts only if the reference model directs it to do so.

Methods of Access Control

Another very important question that should be raised when considering access control is:

“Who determines which users have access to information?” The Security+ exam suggests

three different methods of determining this:

MAC: Mandatory Access Control is the system in which a central administrator or

administration dictates all of the access to information in a network or system. This

might be used in high-security applications, such as with the label "top-secret

government information". Under MAC, subjects (the user or process requesting

access) and objects (the item being requested) are each associated with a set of

labels. When a subject requests access to an object, access is granted if labels match,

and denied if the labels do not match.

DAC: Discretionary Access Control is the system in which the owners of files

actually determine who gets access to the information. In this system, a user who

creates a sensitive file determines (through his own discretion) who can access that

sensitive file. This is considered far less secure than MAC.

RBAC: Role-Based Access Control is related to a system in which the roles of users

determine their access to files. For example, if Bob is a member of accounting, he

should not be able to access the engineering files.
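To tie the three steps (identification, authentication, authorization) to the three methods (MAC, DAC, RBAC), here is an added example that is not part of the study guide. It models a small reference-model check: the user is looked up, a Type I password check is made, and then one of three authorization rules decides. The user directory, labels, ACLs and role table are constructed data; the label ordering and the "owner always has access" rule for DAC are assumptions of this example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed user directory: password, roles (for RBAC) and clearance (for MAC).
USERS = {"bob": {"password": "hunter2", "roles": {"accounting"}, "clearance": "secret"}}

# Constructed role table for RBAC: role -> object -> permissions.
ROLE_PERMISSIONS = {
    "accounting": {"ledger.xls": {"read", "write"}},
    "engineering": {"design.cad": {"read", "write"}},
}

# Assumed label ordering for MAC, lowest to highest.
LEVELS = ["public", "confidential", "secret", "top-secret"]


@dataclass
class Obj:
    name: str
    owner: str
    label: str                                  # MAC sensitivity label
    acl: dict = field(default_factory=dict)     # DAC: owner-maintained {user: {perms}}


# Constructed objects.
OBJECTS = {
    "ledger.xls": Obj("ledger.xls", "alice", "confidential", {"bob": {"read"}}),
    "design.cad": Obj("design.cad", "carol", "secret"),
    "plans.doc": Obj("plans.doc", "dave", "top-secret", {"bob": {"read", "write"}}),
}


def identify(username):
    """Step 1, identification: the user claims a name; look it up."""
    return USERS.get(username)


def authenticate(user, password):
    """Step 2, authentication: a Type I (something you know) check."""
    return user is not None and hmac.compare_digest(user["password"], password)


def mac_allows(user, obj):
    """Mandatory: the administrator's labels decide; clearance must be at least the object's label."""
    return LEVELS.index(user["clearance"]) >= LEVELS.index(obj.label)


def dac_allows(username, obj, perm):
    """Discretionary: the owner decides, via the ACL the owner maintains (owner always has access)."""
    return username == obj.owner or perm in obj.acl.get(username, set())


def rbac_allows(user, obj, perm):
    """Role-based: access follows from the user's roles, not from who the user is."""
    return any(perm in ROLE_PERMISSIONS.get(role, {}).get(obj.name, set())
               for role in user["roles"])


def reference_monitor(username, password, obj_name, perm, method):
    """Steps 1-3 in order: identify, authenticate, then authorize under the chosen method."""
    user = identify(username)
    if not authenticate(user, password):
        return "denied: authentication failed"
    obj = OBJECTS[obj_name]
    decide = {
        "MAC": lambda: mac_allows(user, obj),
        "DAC": lambda: dac_allows(username, obj, perm),
        "RBAC": lambda: rbac_allows(user, obj, perm),
    }[method]
    return "granted" if decide() else "denied: not authorized"
```

Note the difference the method makes for the same request: Bob is on the owner's ACL for plans.doc, so DAC grants him access, while MAC denies it because his "secret" clearance does not reach the "top-secret" label. That gap is why the guide calls DAC far less secure than MAC.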

A Last Word

Access Control is a very important and highly-tested subject! It is, like CIA, highly

conceptual but crucial to understanding information security. It is used to ensure both the

confidentiality and the integrity of information and therefore plays a large role in the CIA

picture. You should spend time understanding the Types and Methods of access control so

that you can ace this portion of the exam.

Quick Review

1. On an Active Directory network the group(s) that a user is in determines his access to

files. This is a form of:

a. MAC

b. DAC

c. Type II Authentication factor

d. RBAC

e. Type I Authentication factor

2. Which of the following is not a possible description of Type III authentication?

a. Something you are

b. Fingerprints

c. Passwords

d. Retinal scans

3. Which of the following is the correct order of the access control process?

a. Identification, Authorization, Authentication

b. Authorization, Identification, Confidentiality

c. Identification, Authentication, Authorization

d. Confidentiality, Integrity, Availability

Answers

1. Because the group that the user is in determines his access to files, it is not a far step to say

that his role really determines his access to those files. The answer is RBAC. (D)

2. Passwords are Type I (something you know) rather than Type III (something you are), so

the answer is (C).

3. The correct order of the process is (C).

Special Authentication Methods

There are some authentication methods that merit their own coverage because they are

specifically tested on the exam. Below is the information about each of them that you need to

know in order to answer these kinds of questions correctly.

Kerberos

Kerberos is an open-source and widely-accepted method of authentication that works

on a shared secret key system with a trusted third party. Before you begin to understand

how Kerberos actually works, you should consider this analogy: two people are in love and

want to deliver messages of their affection to each other. The problem is that they cannot

express their love for each other openly because of a family feud. So, they entrust a mutual

friend to deliver their secrets to each other.

In essence, Kerberos does much of the same. If two users wish to communicate with each

other, they must first contact a trusted Kerberos server to obtain a shared secret key. Only the

users that have this key can communicate with each other because the key encrypts and

decrypts messages. The logical part of the Kerberos server that governs key distribution is

aptly called the Key Distribution Center, or KDC. Once keys have been distributed to the

two parties wishing to communicate, Kerberos then issues what are known as “tickets”

through the TGS or Ticket Granting Server. These tickets allow for the actual

communication between the clients by storing authentication information.

Kerberos has a wide variety of applications, especially in open source software, but is not

without vulnerabilities. One is that Kerberos makes extensive use of that trusted third

party. If the third party is compromised, information confidentiality and integrity may

be breached. If the third party simply fails, availability is lost. Kerberos also uses time

stamps in order to “time out” communications. Time stamps mitigate the threat of replay

attacks and provide a small measure of integrity. If two hosts’ clocks are not synchronized,

communication between them will fail.

Remember that Kerberos is associated with SSO (single sign-on) technology.
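The Kerberos flow above (trusted third party, shared secret keys, KDC, ticket-granting step, service tickets, time stamps against replay, failure on clock skew) is easiest to remember after tracing it once in code. The following is an added example written for this guide, not Kerberos itself or any vendor's implementation: a toy KDC with an AS step and a TGS step, a service that accepts tickets, and authenticators carrying time stamps. The "encryption" is a constructed SHA-256 keystream plus HMAC tag (stdlib only); the principal names, long-term keys, the 300-second skew limit and the 8-hour ticket lifetime are all assumed values.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock difference the KDC and services tolerate (assumed value)


def _stream(key, nonce, n):
    """SHA-256 counter-mode keystream (toy cipher for illustration only)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    """Encrypt a dict under a shared secret and append an HMAC tag: nonce || ct || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reverse of seal; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term secrets. The KDC (trusted third party) holds all of them;
# each principal holds only its own.
KDC_DB = {
    "alice": b"alice-long-term-key-constructed",
    "krbtgt": b"tgs-long-term-key-constructed",
    "fileserver": b"fileserver-long-term-key-constr",
}
TGS_SEEN, SVC_SEEN = set(), set()   # replay caches keyed by (client, timestamp)

def as_exchange(principal):
    """AS (KDC): TGT session key sealed for the client, plus the TGT sealed for the TGS."""
    sk = os.urandom(32)
    exp = time.time() + 8 * 3600
    tgt = seal(KDC_DB["krbtgt"], {"client": principal, "key": sk.hex(), "exp": exp})
    return seal(KDC_DB[principal], {"key": sk.hex()}), tgt

def check_authenticator(ticket, auth_blob, now, seen):
    """Open the authenticator with the ticket's session key; enforce expiry, skew and no replay."""
    sk = bytes.fromhex(ticket["key"])
    auth = unseal(sk, auth_blob)
    if auth["client"] != ticket["client"] or now > ticket["exp"]:
        raise ValueError("ticket/authenticator mismatch or expired")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("clock skew too large")
    if (auth["client"], auth["ts"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))
    return sk

def tgs_exchange(tgt_blob, auth_blob, service, now=None):
    """TGS: validate TGT + authenticator, issue a service ticket and a fresh service session key."""
    now = time.time() if now is None else now
    tgt = unseal(KDC_DB["krbtgt"], tgt_blob)
    sk = check_authenticator(tgt, auth_blob, now, TGS_SEEN)
    svc_key = os.urandom(32)
    ticket = seal(KDC_DB[service], {"client": tgt["client"], "key": svc_key.hex(), "exp": tgt["exp"]})
    return seal(sk, {"key": svc_key.hex()}), ticket

def service_accept(service, ticket_blob, auth_blob, now=None):
    """The service never contacts the KDC: only the KDC could have sealed a ticket under its key."""
    now = time.time() if now is None else now
    ticket = unseal(KDC_DB[service], ticket_blob)
    check_authenticator(ticket, auth_blob, now, SVC_SEEN)
    return ticket["client"]

def client_login(principal, service, client_clock=None):
    """Whole client flow. Returns the name the service accepted, or the error text on failure."""
    ts = time.time() if client_clock is None else client_clock   # the client's own clock
    try:
        enc_sk, tgt = as_exchange(principal)
        sk = bytes.fromhex(unseal(KDC_DB[principal], enc_sk)["key"])   # client's copy of its key
        enc_svc, ticket = tgs_exchange(tgt, seal(sk, {"client": principal, "ts": ts}), service)
        svc_key = bytes.fromhex(unseal(sk, enc_svc)["key"])
        return service_accept(service, ticket, seal(svc_key, {"client": principal, "ts": ts}))
    except ValueError as e:
        return f"error: {e}"

def replay_demo():
    """Present the same authenticator to the TGS twice; the second copy is rejected."""
    enc_sk, tgt = as_exchange("alice")
    sk = bytes.fromhex(unseal(KDC_DB["alice"], enc_sk)["key"])
    auth = seal(sk, {"client": "alice", "ts": time.time()})
    tgs_exchange(tgt, auth, "fileserver")
    try:
        tgs_exchange(tgt, auth, "fileserver")
        return "accepted"
    except ValueError as e:
        return str(e)
```

Three things to notice for the exam: the service accepts alice without ever talking to the KDC (it trusts the ticket because only the KDC knows the service key); a client whose clock is an hour off is refused at the TGS with a skew error, which is the "hosts on different times" failure; and a captured authenticator replayed a second time is refused because its time stamp has already been seen.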

Biometrics

As discussed before, biometric factors are factors of authentication that utilize the biological

factors of a user. Biometric authentication and identification is considered the most secure.

Typical biometric factors include fingerprint and retinal scans as well as photo-comparison

technology.

Username / Password

The most common form of authentication system is a username and password system.

This is a Type I system and therefore relies on the difficulty of guessing the password for

effectiveness. There may be questions on the Security+ exam about what constitutes a good

password. Use common sense here! A good password would obviously consist of numbers

and letters, lower and upper case, and symbols. In other words, the general rule of thumb is

that a good password is complex. Another rule of thumb is that a good password should be at

least six characters and probably eight. In fact, eight or more is the standard at the moment.

Systems that allow for lost password retrieval should not allow a malicious user to learn

information about the users of a system; in addition, systems should not elaborate as to

whether a username or password is incorrect as this would aid potential attackers.

Multifactor

Multifactor authentication refers to using more than one factor to authenticate a user. Multifactor authentication is more secure than single factor authentication in most cases. An

example of multifactor authentication would be an authentication system that required a user

to have both a password and a fingerprint.

CHAP

Challenge-Handshake Authentication Protocol, or CHAP, is an authentication protocol that

uses username and password combinations to authenticate users. It is used in PPP, so

its most common application is dial-up internet access user authentication. All you really

need to know about it is that it uses a three-way handshake to prevent replay attacks.

Microsoft has a version of CHAP known as MS-CHAP.
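The three-way handshake the guide mentions is short enough to write out. The following is an added example, not code from the guide or from any PPP implementation: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 defines, and the authenticator recomputes it. The secret never crosses the wire, and because every challenge is fresh and single-use, a recorded response is useless later, which is what "prevents replay attacks" means here. The user name and secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed shared secret, provisioned out of band on both ends (never sent on the wire).
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges (step 1) and checks responses (step 3)."""

    def __init__(self):
        self.pending = {}   # identifier -> outstanding challenge

    def challenge(self) -> tuple:
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # a challenge is single-use
        secret = SECRETS.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, chal))


def peer_answer(identifier: int, challenge: bytes, name: str, secret: bytes) -> tuple:
    """Client side (step 2): prove knowledge of the secret without sending it."""
    return name, chap_response(identifier, secret, challenge)


def handshake(server: Authenticator, name: str, secret: bytes) -> bool:
    """The full three-way exchange: challenge, response, success/failure."""
    ident, chal = server.challenge()
    who, resp = peer_answer(ident, chal, name, secret)
    return server.verify(ident, who, resp)


def chap_replay_demo() -> tuple:
    """Record one valid exchange, then replay the captured response against a new challenge."""
    server = Authenticator()
    ident, chal = server.challenge()
    who, resp = peer_answer(ident, chal, "alice", SECRETS["alice"])
    first = server.verify(ident, who, resp)
    ident2, _ = server.challenge()
    second = server.verify(ident2, who, resp)   # old response, fresh challenge
    return first, second
```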

SSO

Single sign-on, or SSO, refers to the ability for a user to only be authenticated once to be

provided authorization to multiple services.

Summing it up

You will see a question on the Security+ exam on almost every one of these items. Kerberos

will be tested with more than two questions. It would be to your benefit to carefully study

each of these items individually to understand what each is all about.

Quick Review

1. Which of the following would not be a form of multifactor authentication?

a. Requiring an ATM card and a pin number

b. Requiring a secret answer to a given question

c. Requiring a fingerprint and a Kerberos ticket

d. Requiring a USB key and a password

2. Which of the following is a true statement about Kerberos?

a. It requires two distinct physical servers, one to give keys and the other to give tickets.

b. It is only used in UNIX environments.

c. Communication can only take place when both parties can utilize a trusted third party

Kerberos server.

d. It is a form of biometric identification and authorization.

3. A user complains that he has to use a separate login and password for his email, his

domain account, his specialized software, and even for his computer. What would be a

solution to his problems?

a. Smart card

b. SSO technology

c. Biometrics

d. CHAP

Answers:

1. All of the choices use two factors for authentication with the exception of B, which

requires only one factor (an answer to a question). (B)

2. Be careful! Kerberos is often used in UNIX environments, but it is not exclusively used in

UNIX environments. Also, the TGS and KDC servers are logically but not necessarily

physically separate. Finally, choice D is totally without merit. The answer is (C).

3. Because SSO provides a single sign on for multiple services, the user would desire that as

a solution as it could create fewer login screens. The answer is (B).

Attacks and Malicious Users

[Figure: An example of a buffer-overflow attack]

A key aspect to any war is to know your enemy. If you consider the battle against malicious

users a war, then understanding the attacks that they use is crucial. Below is a listing with

descriptions of the most common kinds of attacks used by malicious hackers and other bad

people.

Social Engineering

This kind of attack is probably the most commonly successful and damaging of all attacks,

yet it requires no technical ability. Social engineering is an attack by which the attacker

manipulates people who work in a capacity of some authority so that the attacker can get

those people to do something that he desires. For example, if an attacker calls into a business

posing as a bank representative who is reporting foul activity on an account and then

proceeds to ask for a routing number, that attacker is engaged in a social engineering attack.

Remember, social engineering means manipulating people.

Dumpster Diving

This is another low-tech attack. All you have to remember about this attack is that the name is

very indicative of the nature of this attack – a dumpster diver would look through trash

and other unsecured materials to find pertinent information to either launch an attack or

carry out some other maliciously intended action.

Password Cracking

This is an attack by which the attacker wishes to gain authentication (and

authorization) to network resources by guessing the correct password. There are three

basic kinds of password cracking attacks:

Brute Force – Every single possible combination of characters

(aaa, aaA, aAA, AAA, aab…)

Dictionary – Enter passwords from a text file (a dictionary)

Hybrid – A variation of the Dictionary approach, but accounting for common user

practices such as alternating character cases, substituting characters ("@" in place of

"A", etc.), using keyboard patterns ("1QAZ", etc.), doubling passwords to make them

longer, or adding incremental prefix/suffix numbers to a basic password

("2swordfish" instead of "swordfish", etc.).

Attackers know that many users use the same or similar passwords for different systems.

Using a sniffer to obtain a user's password on an unsecure platform will provide a good

starting point for a quick hybrid attack on a different, more secure platform. For example,

Yahoo Messenger transmits passwords in clear text. An attacker can easily obtain a user's

Yahoo password, and then attempt to access their bank account, or other sensitive

information, using that same password or a variant of that same password.

Most of the time when password cracking is attempted, the cracker has some means of

entering username and password combinations quickly. Usually this is through a cracking

program such as Brutus. One way to defend against cracking attacks is to put a mandatory

wait time before login attempts. Another way is to lock out the login system after a certain

number of attempts. Finally, limiting the number of concurrent connections to a login

system can slow down a cracking attack.
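The defenses named here (a mandatory wait between attempts, lockout after a number of failures) and the two rules from the Username / Password section (a good password is complex and eight or more characters; the login must not reveal whether the username or the password was wrong) fit together in one small login service. The following is an added example, not code from the guide: passwords are stored as salted PBKDF2 hashes, every failure returns the same message, unknown users are checked against a dummy hash so they take the same path, and per-account throttling and lockout are enforced. The threshold of five failures, the 900-second lockout and the one-second minimum gap are assumed values.

```python
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 8            # the guide's "eight or more" rule of thumb
MAX_FAILURES = 5          # lockout threshold (assumed value)
LOCKOUT_SECONDS = 900     # lockout period (assumed value)
MIN_GAP_SECONDS = 1.0     # mandatory wait between attempts on one account (assumed value)


def password_problems(pw: str) -> list:
    """Return every policy rule the candidate password breaks (empty list = acceptable)."""
    checks = [
        (len(pw) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", pw), "no lowercase letter"),
        (re.search(r"[A-Z]", pw), "no uppercase letter"),
        (re.search(r"[0-9]", pw), "no digit"),
        (re.search(r"[^A-Za-z0-9]", pw), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class LoginService:
    GENERIC_ERROR = "invalid username or password"   # never say which one was wrong

    def __init__(self):
        self.users = {}    # name -> (salt, hash)
        self.state = {}    # name -> {"failures": n, "locked_until": t, "last": t}

    def register(self, name: str, pw: str) -> list:
        """Reject weak passwords up front; returns the list of problems (empty on success)."""
        problems = password_problems(pw)
        if problems:
            return problems
        self.users[name] = hash_password(pw)
        return []

    def login(self, name: str, pw: str, now: float = None) -> str:
        now = time.time() if now is None else now
        st = self.state.setdefault(name, {"failures": 0, "locked_until": 0.0, "last": -1e9})
        if now < st["locked_until"]:
            return "locked out, try later"
        if now - st["last"] < MIN_GAP_SECONDS:
            return "too many attempts, slow down"
        st["last"] = now
        # Unknown users are checked against a dummy hash so timing and wording do not reveal
        # which usernames exist.
        salt, stored = self.users.get(name, (b"\0" * 16, b"\0" * 32))
        ok = name in self.users and hmac.compare_digest(stored, hash_password(pw, salt)[1])
        if ok:
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        if st["failures"] >= MAX_FAILURES:
            st["failures"] = 0
            st["locked_until"] = now + LOCKOUT_SECONDS
        return self.GENERIC_ERROR
```

The `now` parameter exists so the throttling can be exercised deterministically; in production you would simply let it default to the clock. A thousand attempts in a minute against one account, the situation in the Quick Review below, would hit the one-second gap on the second attempt and the lockout on the fifth failure.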

Flooding

Just like a flood can overwhelm the infrastructure of a locale, a flooding attack can

overwhelm the processing and memory capabilities of a network system or server. In a

flooding attack, the attacker sends an inordinate amount of packets to a server or a group of

hosts in order to overwhelm the network or server. This would, of course, cause a denial of

service to the hosts who demand whatever network resource has been overwhelmed. Some

special kinds of flooding attacks:

SYN Flood – A flood of specially crafted SYN packets

ICMP Ping Flood – A flood of ICMP pings
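A flood is easy to recognize in traffic summaries: one source sending far more SYNs or echo requests per second than any normal host would. The following is an added example, not part of the guide: a small detector that parses constructed packet-summary lines (the format and every address in them are made up for this example), counts SYN packets and ICMP echo requests per source per second, and raises an alert for any source above a threshold. The thresholds of five per second are assumed values chosen to suit the sample; real deployments tune them to the link.

```python
import re
from collections import Counter, defaultdict

# Constructed packet-summary lines (not from the guide). Fields: time, src, dst, proto, flags/type.
SAMPLE_LOG = """12:00:00.101 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:00.102 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:00.103 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:00.104 src=10.0.0.7 dst=10.0.0.1 proto=TCP flags=S
12:00:00.105 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:00.106 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:00.107 src=10.0.0.7 dst=10.0.0.1 proto=TCP flags=A
12:00:00.108 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:00.109 src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S
12:00:01.201 src=192.0.2.9 dst=10.0.0.1 proto=ICMP type=echo-request
12:00:01.202 src=192.0.2.9 dst=10.0.0.1 proto=ICMP type=echo-request
12:00:01.203 src=192.0.2.9 dst=10.0.0.1 proto=ICMP type=echo-request
12:00:01.204 src=10.0.0.1 dst=192.0.2.9 proto=ICMP type=echo-reply
12:00:01.205 src=192.0.2.9 dst=10.0.0.1 proto=ICMP type=echo-request
12:00:01.206 src=192.0.2.9 dst=10.0.0.1 proto=ICMP type=echo-request
12:00:01.207 src=192.0.2.9 dst=10.0.0.1 proto=ICMP type=echo-request
garbage line that does not parse""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)"
    r"(?: (?P<extra>\S+))?$"
)

SYN_PER_SECOND = 5     # per-source alert threshold (assumed value for the sample)
ICMP_PER_SECOND = 5    # per-source alert threshold (assumed value for the sample)


def parse(line: str):
    """Parse one summary line into a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict):
    """Map a record to the flood class it counts toward: 'syn', 'icmp', or None."""
    if rec["proto"] == "TCP" and rec["extra"] == "flags=S":
        return "syn"
    if rec["proto"] == "ICMP" and rec["extra"] == "type=echo-request":
        return "icmp"
    return None


def detect_floods(lines):
    """Count SYNs and echo requests per (source, second); return alerts for sources over threshold."""
    counts = defaultdict(Counter)    # (kind, second) -> Counter of source addresses
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # unparseable lines are skipped, not fatal
        kind = classify(rec)
        if kind:
            counts[(kind, rec["ts"])][rec["src"]] += 1
    alerts = []
    for (kind, second), per_src in counts.items():
        limit = SYN_PER_SECOND if kind == "syn" else ICMP_PER_SECOND
        for src, n in per_src.items():
            if n > limit:
                alerts.append({"kind": f"{kind}_flood", "src": src, "second": second, "count": n})
    return sorted(alerts, key=lambda a: (a["second"], a["src"]))
```

Run over the sample, the detector reports a SYN flood from 10.0.0.5 (seven SYNs in one second) and an ICMP flood from 192.0.2.9, while the two packets from 10.0.0.7 and the single echo reply stay below the line.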

Spoofing

Spoofing is not always a form of attack but can be used in conjunction with an attack.

Spoofing is any attempt to hide the true address information of a node and is usually

associated with IP spoofing, or the practice of hiding the IP address of a node and replacing

it with another (false) IP address. One implication of a successful spoof is that investigators

cannot trace the attack easily because the IP address is false. Spoofing can be achieved

through proxy servers, anonymous Internet services, or TCP/IP vulnerabilities.

Birthday Attack

Any attack based on favorable probability is known as a birthday attack. This comes

from the statistical truth that it is far more likely in a room of 100 people to find two people

who have the same birthday than it is to find a person with a specific birthday. For the exam,

just associate birthday attack with probability.
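The "room of 100 people" claim is worth checking with the actual probabilities, and the same arithmetic is why the term applies to hash functions. The following is an added example, not part of the guide: it computes the chance that someone in a group has one specific birthday, the chance that any two share one, the smallest group that reaches even odds, and then generalizes to the standard birthday bound 1 - exp(-n²/2N) for n random values drawn from a space of size N (for instance, N = 2^64 possible digests), which goes beyond the guide's birthday case.

```python
import math


def p_specific_birthday(n: int, days: int = 365) -> float:
    """Probability that at least one of n people has one given birthday."""
    return 1 - (1 - 1 / days) ** n


def p_shared_birthday(n: int, days: int = 365) -> float:
    """Probability that some two of n people share a birthday (exact product form)."""
    p_all_distinct = 1.0
    for k in range(n):
        p_all_distinct *= (days - k) / days
    return 1 - p_all_distinct


def people_needed(target: float, days: int = 365) -> int:
    """Smallest group size whose shared-birthday probability reaches the target."""
    n = 1
    while p_shared_birthday(n, days) < target:
        n += 1
    return n


def p_collision_approx(n: int, space: int) -> float:
    """Birthday bound 1 - exp(-n^2 / 2N): collision chance among n random values from a space of size N."""
    return 1 - math.exp(-n * n / (2 * space))
```

With 100 people, a shared birthday is all but certain (above 0.999) while a specific birthday shows up only about a quarter of the time, and 23 people already give even odds of a shared one. The bound in the last function says the same thing about digests: about 2^32 random inputs give a roughly 39% chance of a collision in a 64-bit hash, far fewer than the 2^64 needed to hit one particular value.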

Buffer Overflow

A buffer overflow attack is a very specific kind of attack that is very common when attacking

Application level servers and services. Basically, a buffer is a memory stack that has a certain

holding size. Through a specifically and maliciously crafted packet, information can

overflow in that stack, causing a number of problems. Some buffer overflow attacks result

in a simple denial of service while others can allow for system compromise and remote

takeover of a system. Patches are usually issued to defend against specific buffer overflow

issues.

Sniffing

A sniffing attack is one in which an attacker “sniffs” information, either off the media

directly or from regular network traffic, in order to compromise the confidentiality or

integrity of information. Un-switched Ethernet traffic can easily be sniffed when the NIC

operates in “promiscuous” mode, the mode in which the NIC reads all traffic regardless of the

destination IP address. Sniffing can be thwarted by careful attention to media security and

switched networks.

Overview

While there is certainly a dearth of space here to list all of the wonderful tricks that hackers

have up their collective sleeves, it is safe to say that the attacks that you will see on the

Security+ have been covered above. Study each one carefully and try to associate one word

with the attack that will help you remember what it’s all about; after a while, the distinction

between attacks will become more obvious and clear to you.

Quick Review

1. An attacker sends a series of malformed packets to a server causing him to gain

access to the server as the “root” user. Which attack is this most likely to be?

a. Ping

b. Birthday

c. Spoofing

d. Sniffing

e. Buffer Overflow

2. You notice a dramatic increase in the traffic going through your network. After a

close examination of the traffic, you realize that the majority of the new traffic is in the

form of empty broadcast packets sent from a single host. What is most likely

happening?

a. You are experiencing normal network activity

b. The network is revamping from under-utilization

c. The network is being flooded

d. The network is being spoofed

3. Which of the following courses of action would not prevent a social engineering

attack?

a. Mandatory security training for new computer users

b. Administrative approval for any major system changes

c. Hiring a dedicated operator to handle undirected phone calls and emails

d. Installing a firewall with NAT technology

4. You notice that there have been over a thousand login attempts in the last minute.

What might you correct in order to prevent a similar attack in the future?

a. Install Apache Web Server

b. Limit the timeout value

c. Mandate and configure a lockout time period

d. Change the access control method

Answers:

1. In a buffer overflow attack, a malformed packet is sent to overflow the heap of memory

that a server application uses. Some attacks can actually gain access to the root account. So,

the answer is (E)

2. Since the network is experiencing a dramatic increase in basically meaningless traffic from

a single host, it is likely to be an attempt at a flood attack. (C)

3. All of the choices would inhibit the ability of an attacker to use a social engineering attack

except for (D), which would not affect the ability of an attacker to manipulate people in any

way.

4. By configuring a lockout time period (C) you can ensure that after a certain number of

unsuccessful attempts, further logins are disabled.

Remote Access

One of the most ever-present and ancient uses of the Internet and networking has been to

provide remote access to networks or network resources. Since the early 1980s, different

remote access protocols have existed to allow users to remotely “dial in” to a network of

choice; while some of these protocols have come and gone, many of them remain widely

in use even today in dial-up WAN access and business VPN networks. The Security+

examination will test you on your ability to identify the security features, benefits, and costs

of several types of remote access protocols and services.

RAS

RAS, or Remote Access Service, is a rarely-used, unsecure, and outdated Microsoft offering

in the area of remote access technology. You should know for the exam that RAS provides

dial-up access and once was the protocol of choice for connecting to the Internet.

PPP

RAS was eventually replaced by PPP, the most common dial-up networking protocol

today. PPP, or point-to-point protocol, utilizes a direct connection from a client to WAN over

TCP/IP. This is advantageous for dial-up networking services as most people today wish

to be able to use the Internet, which of course requires TCP/IP networking. When you think

dial-up access, think PPP.

Secure Connections

The next group of technologies is considered “secure” in that the technologies set up an

encrypted, sometimes “tunneled,” and difficult-to-intercept connection. These are the

technologies typically employed in VPN (Virtual Private Network) applications and

corporate remote networks.

PPTP

Point-to-point tunneling protocol, or PPTP, is a tunneling protocol that can encapsulate

connection-oriented PPP packets (which are simple remote access packets) into

connectionless IP packets. In doing so, the data remains within the “IP capsule,” which

prevents sniffing and other outside manipulation. PPTP is a client-server system that requires

a PPTP client, a PPTP server, and a special network access server to provide normal PPP

service. PPTP is commonly used to set up “Virtual Private Networks,” which are like LAN’s

that are spread across the Internet so that multiple remote clients can connect to one logical

network.

L2TP

Like PPTP, L2TP (Layer 2 Tunneling Protocol) utilizes a tunneling protocol, but unlike

PPTP, L2TP utilizes IPSec (IP Security) to encrypt data all the way from the client to

the server. Because of this, L2TP data is difficult to intercept. L2TP can accommodate

protocols other than IP to send datagrams and is therefore more versatile; it is also common

in VPN applications.

Tunneling, VPN, and IPSec

In the last lesson we learned about some of the more common remote access protocols in use

today. You should recall that a remote access protocol allows remote access to a network

or host and is usually employed in dial-up networking. Alternatively, some remote access

technologies are involved in remote control of a host, such as through secure shell or Telnet.

However, another class of remote access technologies does exist. This class is related to two

of the fundamental aspects of information security: confidentiality and availability. This

type of remote access technology allows a user to securely dial in or otherwise access a

remote network over an encrypted and difficult-to-intercept connection known as a “tunnel.”

These protocols are therefore usually referred to as tunneling or secure remote access

protocols.

VPN

A virtual private network is a pseudo-LAN: a private network that operates over a public network. It allows remote hosts to dial into a network and join it essentially as if they were local hosts, gaining access to network resources and information as well as to other VPN hosts. The exam will test your ability to recognize different applications of VPNs. Use common sense here! VPNs are most likely to be employed in settings in which information security is essential and local access to the network is not available. For example, a VPN might be utilized by a telecommuting employee who dials into the office network.

PPTP

PPTP, or Point-to-Point Tunneling Protocol, is a commonly implemented remote access protocol that allows for secure dial-up access to a remote network. In other words, PPTP is a VPN protocol. PPTP utilizes a framework similar to PPP (Point-to-Point Protocol) for the remote access component but encapsulates data into undecipherable packets during transmission. It is as its name implies: an implementation of PPP that utilizes tunneling by encapsulating data.

IPSec

IPSec is a heavily tested area of the Security+ exam. You will inevitably see at least one question on IPSec and probably around three, so it will be to your benefit to understand IPSec well. IPSec allows for the encryption of data being transmitted from host to host (or router to router, or router to host… you get the idea) and is basically standardized within the TCP/IP suite. IPSec is utilized in several protocols such as TLS and SSL. You should know that IPSec operates in two basic modes. We will now study these modes in greater detail.

Transport Mode – Provides host-to-host security within a LAN but cannot be employed across any kind of gateway or NAT device. Note that in transport mode, only the packet’s payload, and not the headers, is encrypted.

Tunneling Mode – Alternatively, in tunneling mode, IPSec encapsulates the entire packet, including the header information. The packet is encrypted and can then be routed over networks, allowing for remote access. Because of this, we are usually most interested (at least for exam purposes) in tunneling mode.

IPSec is comprised of two basic components that provide different functionality:

AH – Authentication Header (AH) can provide authentication of the user who sent the information as well as of the information itself.


ESP – Encapsulating Security Protocol (ESP) can provide actual encryption services, which ensure the confidentiality of the information being sent.

IPSec implementation
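To make the two modes and the two components concrete, here is an added model (example code, not from the guide and not real IPSec) that shows which bytes ESP covers in transport mode versus tunnel mode, and how AH protects integrity without hiding anything. The cipher is a toy keystream stand-in assumed only for illustration; the header strings, key and nonce values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy stand-in for ESP's cipher (assumed for illustration, NOT the real
# IPSec/AES machinery): a keystream derived from the shared key and a
# per-packet nonce is XORed over the data. What matters here is WHICH
# bytes each mode covers, not the cipher itself.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_transport(header: bytes, payload: bytes, key: bytes,
                  nonce: Optional[bytes] = None) -> dict:
    """ESP, transport mode: the original IP header stays in clear text
    (routers still need it); only the payload is encrypted."""
    nonce = nonce or os.urandom(8)
    return {"header": header, "nonce": nonce,
            "body": _keystream_xor(key, nonce, payload)}


def esp_tunnel(header: bytes, payload: bytes, key: bytes,
               outer_header: bytes, nonce: Optional[bytes] = None) -> dict:
    """ESP, tunnel mode: the WHOLE inner packet (header + payload) is
    encrypted and wrapped in a new outer header addressed gateway-to-gateway,
    so the inner addresses are hidden while the packet crosses the Internet."""
    nonce = nonce or os.urandom(8)
    return {"header": outer_header, "nonce": nonce,
            "body": _keystream_xor(key, nonce, header + payload)}


def esp_open(packet: dict, key: bytes) -> bytes:
    """Receiver side: XOR with the same keystream recovers the plaintext."""
    return _keystream_xor(key, packet["nonce"], packet["body"])


def ah_seal(header: bytes, payload: bytes, key: bytes) -> dict:
    """AH: nothing is encrypted. An HMAC over header + payload lets the
    receiver verify integrity and that the sender held the shared key."""
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return {"header": header, "body": payload, "tag": tag}


def ah_verify(packet: dict, key: bytes) -> bool:
    """Recompute the tag; any change to header or payload makes it fail."""
    expected = hmac.new(key, packet["header"] + packet["body"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, packet["tag"])


if __name__ == "__main__":
    # Constructed sample values.
    key = b"shared-secret-from-key-agreement"
    inner_hdr = b"[IP src=10.0.0.5 dst=10.0.0.9]"
    data = b"GET /payroll HTTP/1.1"
    t = esp_transport(inner_hdr, data, key)
    u = esp_tunnel(inner_hdr, data, key, b"[IP src=gwA dst=gwB]")
    print("transport header visible:", t["header"])
    print("tunnel header visible:   ", u["header"])
    a = ah_seal(inner_hdr, data, key)
    print("AH verifies:", ah_verify(a, key))
```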

L2TP

L2TP, or Layer 2 Tunneling Protocol, is an alternative protocol to PPTP that offers the capability for VPN functionality in a more secure and efficient manner. Rather than actually replacing PPP as a remote access protocol or IPSec as a security protocol, L2TP simply acts as an encapsulation protocol on a very low level of the OSI model – the Data Link layer. L2TP, therefore, commonly utilizes PPP for the actual remote access service and IPSec for security. Note that L2TP operates on a client/server model with the LAC (L2TP Access Concentrator) being the client and the LNS (L2TP Network Server) acting as the server.

Quick Review

1. Your boss asks you to recommend a solution that meets the following requirements: 1) he wishes to access the company network remotely, and 2) the access must be as secure as possible. Which would you implement?

a. A VPN using L2TP and IPSec

b. A PPP dial-in network

c. Telnet

d. SSH

2. Which of the following components of IPSec would allow a message to be traced back to a specific user?


a. L2TP

b. TLS

c. AH

d. ESP

3. Which of the following is a true statement regarding the difference between tunneling and transport modes of IPSec?

a. Transport only works with remote hosts

b. Tunneling only works between remote hosts

c. Transport is more secure than tunneling

d. Transport only works between local hosts

Answers

1. Your boss is essentially asking for a solution that allows secure remote access to the network (as opposed to a network host, for which you might recommend SSH). The answer is A because the VPN satisfies his basic requirements.

2. AH provides the essential service of authenticating users sending messages. This allows a message to be traced back to a specific host. The answer is C.

3. Transport mode is exclusive to local host traffic because only the payload is encrypted. Transport mode will not work between remote hosts; for this, you must employ tunneling. The answer is D.

Introduction to Cryptography

In this Security+ study guide you will notice that we like to jump around from topic to topic. This is intentional! We want you to keep different topics fresh in your mind as some topics in the exam are particularly boring. In this lesson, we will learn about the basics of cryptography, including common terminology, function, and applications. In later lessons, we will take a look at the more technical aspects of cryptography.

What is Cryptography?

Cryptography is the science of hiding the meaning of a message. Even children are familiar with the concept of cryptography as they learn to speak to each other in “code languages” that adults cannot understand. Rap stars employ lyrics that have alternate and more explicit meanings. The British in World War II were able to crack the Enigma Machine, Nazi Germany’s method of ciphering critical data.

For the purposes of the Security+ exam, however, we will usually speak of cryptography in terms of IT information security. Computers are often employed in conjunction with cryptographic services and protocols, as many of these require complex calculations that only computers can provide in a timely manner.

AES, one of many cryptographic algorithms

How Cryptography Works

The basic concept of cryptography is very simple. In a typical cryptographic exchange, information that is meant to be hidden for whatever reason is encrypted, or ciphered into a difficult-to-interpret form. We call this conversion encryption because it involves the change of clear text, or understandable data, into cipher text, or difficult-to-interpret data. The encryption process is one-half of the entire cryptographic exchange.

At the other end of the process is decryption, or the conversion of cipher text into clear text. Decryption is not always a part of encryption, however – some algorithms are called “hashes” as they only apply encryption (that is, from clear to cipher text) and have no means of deciphering the information. We will cover more on this later.

Public Key and Private Key Systems

A key is the password of sorts used to encrypt and decrypt data.

When an encryption key is made available to any host, it's known as a public key. In contrast, a private key is confidentially shared between two hosts or entities.

A symmetric encryption algorithm uses the same key for encryption and decryption. When a different key is used for encryption and decryption, this is known as asymmetric encryption.


More complex systems require both a public key and a private key to operate. We will go into greater detail regarding these public key systems in later lessons, but you should know of their existence.

Cryptanalysis and cracking

Cryptanalysis is the act of breaking the cipher or attempting to understand the cipher text. Cracking is often associated with cryptanalysis, as cracking a shared key is often essential to cryptanalysis attempts. Not every cipher is decipherable – for example, some encryption algorithms are mathematically unbreakable (they operate on randomness) and other encryption algorithms are hashes that do not provide one-to-one functionality (that is, more than one input can result in the same output, making reverse-encryption or cryptanalysis impossible). However, most cryptographic algorithms can theoretically be cracked but require extraordinary amounts of computational power to do so. For example, RSA can take millennia to crack, hardly the amount of time that a potential attacker or cryptanalyst has available.

Applications and Functions of Cryptography

The Security+ exam will test you on your ability to recognize situations in which cryptography might be employed. The general rule here is that cryptography is employed in settings in which data confidentiality and integrity are desirable. For example, you would not use cryptography when transferring MP3 files (unless those files were highly sensitive for some reason), but you would certainly employ cryptographic methods when transferring health information. In addition to data confidentiality and integrity, cryptography can provide non-repudiation, which is the idea that a sender of information would not be able to refute the fact that he or she did send that information or data. Here is a sample laundry list of some well-known functions of cryptography:

Tunneling protocols and VPN

Email security (PGP et al.)

Secure file transfer (S-FTP)

Secure access to web pages (SSL)

Kerberos Authentication

Certificates

Document security

Final Thoughts


We will continue to explore more on cryptography in the lessons to come. Cryptography is a heavily-tested portion of the Security+ exam; we will cover the subject accordingly. It is important that as you learn the specifics of cryptography protocols you understand the basic terminology that is employed in any discussion of them.

Quick Review

1. Your manager asks you to employ a system in which the sender of a message would not be able to deny that he sent that message. Your manager is asking for:

a. Certificate of authenticity

b. Non-repudiation

c. Authorization

d. SSL over HTTP

2. What is the primary difference between asymmetric and symmetric encryption algorithms?

a. The use of a public key

b. Symmetric algorithms are one-way functions

c. The relative strength of the algorithm

d. The ability to perform man-in-the-middle attacks

3. Which of the following protocols does not employ cryptography?

a. HTTPS

b. SSH

c. Telnet

d. SFTP

e. IPSec

Answers

1. The idea that a sender would not be able to deny that he sent the information is called non-repudiation. The answer is B.


2. The primary difference between asymmetric (public key) and symmetric (private key) algorithms is that asymmetric algorithms use both a public and a private key. The answer is A.

3. All of the listed protocols with the exception of Telnet provide some encryption functionality. Telnet transfers all information in clear text. The answer is C.

Malicious Software: Viruses, Trojan Horses, Worms

Despite all the hype about viruses and worms, the Security+ exam actually does not heavily test on viruses and the like. However, you will probably see at least a few questions on these topics, and we will therefore go into some detail on the differences between different types of malicious programs and how they can be avoided or prevented from propagating.

Viruses

A computer virus is malicious software that propagates itself upon the action of a user. For example, some viruses send emails promising great information on how to get rich quickly, or pleasant images. The user then opens some sort of executable attachment (that is almost certainly not what is promised) and the virus either immediately acts or waits as a dormant drone to act, either upon the request of a master host or after some sort of time period.

Viruses typically inflict damage by either destroying files categorically or installing new files that drastically affect the performance of the computer. Most viruses also act to “insert” themselves into various executable files, increasing the likelihood that a user will re-run the malicious executable file.

One of the core tendencies of any computer virus is propagation. Most viruses include some mechanism for both local and network propagation, including the sending of instant messages, the setting up of web servers, and of course, emails. However, viruses are not truly “self-propagating” in the sense that the virus is actually incapable of “forcing” itself on another host machine in most cases. A virus typically needs user interaction to act (such as opening an attachment). This need for user interaction is usually seen as what separates a virus from a worm.

Worms

Unlike the friendly creatures that crawl beneath the crust, computer worms can be extremely destructive and costly malicious programs that self-propagate to cause unbelievable damage to computer networks across the world. Alternatively, worms can help provide us the wonders of Google and Yahoo search engines. How can a worm be so good and yet so bad?


Actually, worms are not inherently evil. Worms are simply pieces of software that are able to (through various means) self-propagate about the Internet. In many cases, computer worms provide various services that we all love and utilize. One such worm is the World Wide Web Worm, which “crawls” the Internet to pick up data from web pages for categorization and indexing that we later utilize through popular search engines. Other “friendly” worms work to quickly patch software that is vulnerable to attacks by – you guessed it – other worms!

However, some worms also do irreparable damage to computers. Many of these worms, which carry malicious payloads, install self-destructive software or a backdoor into the PC. Remote control of infected hosts is often a primary goal of worm writers who seek to crash high-profile websites and services through “Denial of Service” attacks.

Trojan Horses and Backdoors

A Trojan horse or backdoor is any software that attempts to give a remote user unauthorized access to a host machine or user account. Some backdoors actually serve a legitimate purpose (SSH, for example, might be classified as a “backdoor”) but in general, the terms “backdoor” and especially “Trojan horse” are associated with malicious intent.

Some popular Trojan horses include:

BackOrfice

NetBus

SubSeven

VNC (can be used legitimately but also used for unauthorized access in conjunction with a worm)

Quick Review


1. What is a fundamental difference between a worm and a virus?

a. Worms are less destructive

b. Worms only act on the lower layers of the OSI model

c. Worms do not require user intervention

d. Worms are more destructive

2. You notice unusual network traffic on a port number whose function you cannot identify. This is probably the mark of a (an):

a. NetBIOS session

b. Trojan horse

c. Exploit

d. Telnet session

3. Which of the following is not true of viruses?

a. They tend to carry malicious payloads

b. They can be timed to attack

c. They destroy hardware and software components of a PC

d. They can overwhelm a network

Answers:

1. Worms are truly self-propagating as they utilize exploits and other tricks to propagate without the use of user intervention. The answer is C.

2. Trojan horses usually employ unusual port numbers and traffic. The answer is B.

3. All of the choices are true except C, because a virus cannot actually destroy hardware. The answer is C.


Implementation of L2TP, a popular tunneling protocol

SSL

SSL, or Secure Sockets Layer, is a technology employed to allow for transport-layer security via public-key encryption. What you should know about this for the exam is that SSL is typically employed over HTTP, FTP, and other Application-layer protocols to provide security. HTTPS (HTTP over SSL) is particularly used by web merchants, credit card validation companies, and banks to ensure data security (think: lock icon).

Kerberos

Kerberos is a *Nix (Unix-like) technology that is also being implemented in Microsoft technology to allow for client-server authentication over a network based on a shared key system. Kerberos is a public-key encryption technology and therefore is considered quite modern.

Quick Review

1. You wish to implement VPN access so that an attorney can connect to the firm’s network remotely. Which remote access protocol might you use?

a. LDAP

b. PPTP

c. PPP

d. SSL


e. IPSec

2. A user complains that he cannot access a website because he does not have “some protocol” enabled. What is this protocol most likely to be?

a. FTP

b. HTTP over SSL

c. FTP over SSL

d. PPTP

e. VPN

3. Your manager wants to make sure that when he dials in to a faraway corporate network, his connection is very secure and reliable. Which of the following is the most secure and reliable RAS?

a. RAS

b. PPP

c. PPTP

d. L2TP

e. HTTP

Answers

1. Of the choices, only PPTP can be used to implement VPN. Note that IPSec is a feature of IP and not a remote access protocol in its own right, though it is used by L2TP. The answer is B.

2. Websites are typically accessed through the HTTP protocol, so it is likely that the website is SSL-enabled and that he does not have that technology enabled on his client PC. The answer is B.

3. L2TP is most secure as it features both tunneling and encryption, which none of the other protocols listed can provide. The answer is D.

Firewalls


As we continue to skip about in our lesson plans, we have now arrived at the subject of firewalls. Firewalls are one of the most thoroughly misunderstood concepts around in networking and security today. It is your duty to dispel some of the most common misconceptions about firewalls, not just for the purpose of passing the Security+ exam but also for the sake of the information security community!

What is a Firewall?

A firewall is any hardware or software designed to prevent unwanted network traffic. Some firewalls are simplistic in nature; in fact, many people use NAT devices as firewalls, as they do effectively prevent direct incoming connections to hosts behind the NAT. Other firewalls are intricate operations, based on whitelists and blacklists, rules, and alerts. What all firewalls have in common, however, is an ability to block incoming traffic that may be deemed harmful.

Simple diagram of a firewall

Types of Firewalls

Because the definition of a firewall (at least as given above) is somewhat generalized, it is hard to define the general actions and methods of firewalls. Instead, we look at the ways different types of firewalls work. Each type of firewall has abilities, advantages, and drawbacks; to do well on the Security+ exam, you should understand these.

Packet Filtering Firewall

A packet filtering firewall polices traffic on the basis of packet headers. IP, UDP, TCP, and even ICMP have enough header information for a packet filtering firewall to make an informed decision as to whether to accept or reject that packet. You can think of a packet filtering firewall as a bouncer at a party. The bouncer may have a list of people that are allowed to come in (a whitelist) or a list of people to specifically exclude (a blacklist). The bouncer may even check a guest’s identification to assure that the guest is above 18. Similarly, a packet filtering firewall simply inspects the source and destination of traffic in making a decision on whether to allow the packet to pass through. For example, some traffic may be addressed to a sensitive recipient and would therefore be blocked.

A packet filtering firewall can also filter traffic on the basis of port numbers. For example, many companies now block traffic on port 27374 because it is well-known to be a port used by the Trojan horse “SubSeven.”

Note that a packet filtering firewall basically operates through a special ACL (access control list) in which both the white and black lists of IP addresses and port numbers are listed. In essence, this firewall operates at the Network and Transport layers of the OSI Model. This model is notable for its simplicity, speed, and transparency – however, traffic is not inspected for malicious content. In addition, IP addresses and DNS addresses can be hidden or “spoofed,” as discussed in the Attacks lesson.
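The ACL idea above, written out as an added example (not code from the guide): a first-match packet filter over a constructed rule list that mixes a blacklist, a whitelist, a sensitive-recipient rule and the port 27374 block, with an implicit default deny. The addresses and the ACL are constructed; the last sample packet shows the caveat that an allowed port passes whatever payload it carries, because the filter never reads it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at, plus a payload
    that it deliberately never reads."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, as a router ACL does it: the first rule whose
    header fields match decides; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Constructed ACL. Order matters: the blacklist and the sensitive-host rule
# sit above the allow rules so they cannot be bypassed via an allowed port.
ACL = [
    Rule("deny", proto="tcp", dport=27374, comment="SubSeven trojan port"),
    Rule("deny", src="203.0.113.0/24", comment="blacklist: known-bad range"),
    Rule("deny", dst="10.0.0.50/32", comment="sensitive recipient: HR server"),
    Rule("allow", proto="tcp", dport=80, comment="web"),
    Rule("allow", proto="tcp", dport=443, comment="web (SSL)"),
    Rule("allow", src="192.168.1.0/24", comment="whitelist: internal LAN"),
]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.0.0.10", "tcp", 80),
        Packet("198.51.100.7", "10.0.0.10", "tcp", 27374),
        Packet("203.0.113.9", "10.0.0.10", "tcp", 80),
        Packet("192.168.1.20", "10.0.0.10", "udp", 53),
        Packet("198.51.100.7", "10.0.0.10", "icmp"),
        # Allowed port, hostile payload: a packet filter passes it unread.
        Packet("198.51.100.7", "10.0.0.10", "tcp", 80, b"<malformed request>"),
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst}:{p.dport} {p.proto:<4}",
              filter_packet(ACL, p))
```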

Circuit-Level Gateway

A circuit-level gateway is a type of firewall that operates on the Session layer of the OSI model. Instead of inspecting packets by header/source or port information, it instead maintains a connection between two hosts that is approved to be safe. This is something akin to a parent who approves the people that their children can speak with on the phone once they trust those people. In this scenario, the parent does not have to listen in to the conversation because they know they can trust the two communicating children. Similarly, a circuit-level gateway establishes a secure connection between two hosts that have been authenticated and trust each other.

Application-Level Gateway

As the name suggests, an application-level gateway operates in the Application layer of the OSI model and actively inspects the contents of packets that are passed through to the gateway. It is for this reason that application-level gateways are considered the most secure, as they can actively scan for malformed packets or malicious content. Think of an application-level gateway as the eavesdropping parent. An eavesdropping parent has the most complete knowledge of his or her child’s activities because he or she can listen in to all of the child’s conversations. An application-level gateway does have drawbacks, however, including speed and routing problems. Application-level gateways are notorious for the amount of time it can take to inspect packets.

A special kind of application-level gateway is a proxy server, which is a server that serves as the “middle man” between two hosts that wish to communicate. In the proxy server model, the host wishing to communicate sends a packet to the application-level gateway (proxy server), which then makes the decision whether to forward the packet to the intended recipient or to deny the request to send the packet.

Quick Review

1. Your manager wishes to implement some kind of device that would reject traffic from online gambling sites and other distractions. Which of the following devices would be most effective in achieving this solution?

a. Packet Filtering Firewall with NAT

b. Circuit-Level Gateway with ESP

c. Application-Level Gateway in the form of a Proxy Server

d. Circuit-Level Gateway with TLS

2. Which of the following is not a reason to implement a firewall?

a. To limit the number of malicious packets sent to the network

b. To reduce extraneous traffic that is deemed undesirable

c. To limit a particular host’s access to the Internet

d. To improve network throughput

3. Which of the following is true of a packet filtering firewall?

a. It implements an ACL

b. It inspects the contents of packets being filtered

c. It does not read the headers

d. None of the above

Answers

1. Only an application-level gateway can actually inspect the contents of individual packets, so the answer must be C.

2. Although network throughput could ostensibly improve as a result of implementing a firewall, it would not typically be a reason to implement one, and in most cases a firewall acts as a bottleneck to network traffic. The answer is D.


3. In order for a packet filtering firewall to operate, it must have a list of all of the allowable or disallowable hosts to evaluate based on header information. The answer is A.

Networking Overview

In subsequent chapters of this study guide, we will take a look at different security topologies, or ways that networks can be set up with security in mind. Before we can do this, however, we must have a clear understanding of different networking devices and concepts. We will now very briefly describe different key networking components to help you understand how they are related to information security and the exam.

A cartoon-ish network

IP Address

An IP address is a unique numeric identifier of a host machine within the scope of a TCP/IP network. Public IP addresses are unique and individual to each host in the world, while private IP addresses are often duplicated among different private networks. You can think of a public IP address as a sort of telephone number and the private IP address as a sort of extension system that operates “in-house.” All IP addresses are formed as four octets separated by a dot: for example, 192.168.1.1 is a commonly-used private IP address.

NAT

NAT, or Network Address Translation, is a service in which a gateway can allow multiple private hosts to operate under the guise of a single public IP address. One of the implications of NAT is that hosts “behind” the NAT are effectively “hidden” from the rest of the Internet, with the NAT acting as a sort of packet filtering firewall.

Router

A router can forward packets of information based on the IP address in the header of the packet. Think of the header of the packet as a sort of shipping label for the packet in which the contents (the package) are contained. A router can quickly examine the shipping label and send it off to the appropriate destination.


Gateway

A gateway serves as a sort of middle-man between two networks, usually the Internet and a private network. Many routers also serve as gateways, and many gateways have NAT functionality built into them.

Media

The term “media” in networking refers to the physical medium of communication that the network utilizes. In many Ethernet networks CAT-5 cabling is employed. In high-speed applications, fiber optic media is used.

Applications and Ports

Applications, in the networking sense, refer to specific Application-layer services that hosts provide over specific ports, or gateways into the system. For example, a web server is an application server that provides web pages over the port TCP 80. Other application servers include FTP, Telnet, SSH, and media servers.

Firewall

A firewall is a device that can selectively filter communications between two hosts. Although we have an entire article dedicated to firewalls, it never hurts to reinforce the concept of what a firewall is for your own extended understanding.

Switch/Hub

Hosts are connected to each other via a switch or a hub. The difference between a switch and a hub is that a hub forwards all packets to all connected hosts, whereas a switch forwards packets only to selected recipients, increasing information confidentiality.
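The confidentiality difference between a hub and a switch, and the reason behind Quick Review question 2 below, can be seen in an added simulation (example code, not from the guide): a hub repeats every frame to every other port, while a learning switch builds a MAC-address-to-port table and delivers unicast frames only to the port of the destination MAC. The MAC addresses, port names and conversation are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes


class Hub:
    """A hub repeats every frame out of every other port: any host on it,
    a sniffer included, receives all traffic."""
    def __init__(self, ports: List[str]):
        self.ports = list(ports)

    def forward(self, in_port: str, frame: Frame) -> Set[str]:
        return {p for p in self.ports if p != in_port}


class Switch:
    """A learning switch records which port each source MAC was seen on
    and forwards unicast frames only to the port of the destination MAC."""
    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}   # MAC address -> port

    def forward(self, in_port: str, frame: Frame) -> Set[str]:
        self.mac_table[frame.src_mac] = in_port          # learn the sender
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            # Unknown destination: the switch must flood, just like a hub.
            return {p for p in self.ports if p != in_port}
        out = self.mac_table[frame.dst_mac]
        return set() if out == in_port else {out}


# Constructed sample: host A on port p1 talks to host B on port p2 while a
# sniffer listens on port p3.
MAC_A, MAC_B = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
CONVERSATION: List[Tuple[str, Frame]] = [
    ("p1", Frame(MAC_A, MAC_B, b"hello")),
    ("p2", Frame(MAC_B, MAC_A, b"hi, who is this?")),
    ("p1", Frame(MAC_A, MAC_B, b"user=alice")),
    ("p2", Frame(MAC_B, MAC_A, b"send password")),
]


def sniffer_sees(device, sniffer_port: str) -> List[bytes]:
    """Replay the conversation through the device and collect the payloads
    that are delivered to the sniffer's port."""
    seen = []
    for in_port, frame in CONVERSATION:
        if sniffer_port in device.forward(in_port, frame):
            seen.append(frame.payload)
    return seen


if __name__ == "__main__":
    print("hub   :", sniffer_sees(Hub(["p1", "p2", "p3"]), "p3"))
    print("switch:", sniffer_sees(Switch(["p1", "p2", "p3"]), "p3"))
```

Note that the switch still floods the very first frame, because it has not yet learned which port B is on; only once both MACs are in the table does the sniffer port go quiet.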

DMZ Host

A DMZ host is basically a “catch-all” host for requests on non-configured ports. Through a DMZ host, undesirable network traffic can be sent to a single safe host rather than to any host that would be in danger from malicious traffic.


Quick Review

1. Which of the following can be used as a sort of packet filtering firewall?

a. Proxy Server

b. Switch

c. NAT Device

d. None of the above

2. Why can’t a packet sniffer intercept switched network traffic?

a. The packet sniffer can only work in promiscuous mode

b. Switched networks direct traffic by MAC address

c. The packet sniffer can only work in latent mode

d. The port configuration is incorrect

3. Which of the following are not application services or servers? (Choose all that apply)

a. Proxy Server

b. Email Server

c. Web Server

d. DMZ Server

e. ARP Server

f. DHCP Server

Answers:

1. Only a NAT device would actually block packets based on headers (the definition of a packet filtering firewall), because a NAT device would categorically block incoming traffic that has not established a session. The answer is C.

2. A switch only forwards traffic to the intended recipient via MAC address (just like a router only forwards traffic to the recipient via IP address), so the answer must be B.


3. D, E, and F are all non-application servers. DMZ servers are non-existent, and DMZ hosts would nominally operate in the Network layer of the OSI model. ARP servers would operate in the Data-Link layer of the OSI model, and DHCP servers would operate in the Network layer of the OSI model.

Symmetric (Private) Key Cryptography

In this lesson we will learn about different symmetric key algorithms and their key features. More importantly, we will learn about some more key concepts related to cryptography as it applies to both symmetric and asymmetric algorithms. Finally, we will learn the advantages and disadvantages of symmetric and asymmetric algorithms. First, let’s learn a bit about the differences between block and stream ciphers.

Block v. Stream Ciphers

The difference between a block and a stream cipher is rather simple. A block cipher breaks up a clear text into fixed-length blocks and then proceeds to encrypt those blocks into fixed-length ciphers. Because the blocks are of a fixed length, keys can be re-used, making key management a breeze. Typically, computer software uses block ciphers.

Stream ciphers operate on continuous (read: non-discrete) portions of data that arrive “in real time.” In other words, stream ciphers work on information “bit-by-bit” rather than “block-by-block.” Because the data does not need to be broken down, stream ciphers are generally faster than block ciphers, but keys are not re-usable in stream ciphers, making key management a real pain. For this reason, stream ciphers are usually employed at the hardware level.

End-to-End Encryption

End-to-End encryption refers to a situation in which data is encrypted when it is sent and decrypted only by the recipient. Of course, in order for the packets to be routed, the relevant TCP/IP headers must be present and unencrypted on the packet.

Link Encryption

In link encryption, every packet is encrypted at every point between two communicating hosts. In this formulation, information sent to one router is encrypted by the host and decrypted by the router, which then re-encrypts the information with a different key and sends it to the next point. Of course, in this formulation, the headers are also encrypted. The obvious drawbacks include speed and vulnerability to “man-in-the-middle” attacks.


Key Strength

A cryptovariable, or key, is the value applied to encrypted or clear text in order to decrypt or encrypt the text. The length of the key, in bits, is usually a good indicator of the strength of the key. A 128-bit key is, for example, much stronger than a 32-bit key.

Symmetric Key Cryptography

In a symmetric key cryptosystem, a single key is used to encrypt and decrypt data between two communicating hosts. In order to break the system, an attacker must either discover the key through trial-and-error or discover the key during the initial “key agreement.”

(From Navy) Symmetric Key Encryption Schema

Symmetric key protocols are known to be faster and stronger than their asymmetric

counterparts but do possess unique disadvantages that we will discuss later. We will now

look at some common symmetric algorithms.

DES

DES is an outdated 64-bit block cipher that uses a 56-bit key. It is a symmetric algorithm that splits the 64-bit block into two separate blocks under the control of the same key. It is considered highly insecure and unreliable and has been replaced by 3DES.

3DES

Triple DES or 3DES is the partial successor to DES but is still considered outdated and slow. It uses three separate 56-bit keys for an effective key length of 168 bits. However, a vulnerability exists that would allow a hacker to reduce the length of the key, reducing the time it would take to crack the key. In addition, 3DES is very slow by today’s standards and would not be practical to use in encrypting large files.

AES

AES is the true successor to DES and uses a strong algorithm with a strong key. It is based on the Rijndael Block Cipher. The Rijndael Block Cipher can utilize different block and key lengths (including 128, 192, and 256 bit keys) to produce a fast and secure symmetric block cipher. The Twofish algorithm, an alternative to Rijndael, utilizes 128-bit blocks for keys up to 256 bits.

IDEA

All you have to remember about IDEA is that:

PGP uses IDEA to ensure email security, and

It operates using 64-bit blocks and a 128-bit key.

RC5

RSA Security developed RC5, a fast, variable-length, variable-block symmetric cipher. It can accommodate a block size of up to 128 bits and a key up to 2048 bits.

Symmetric v. Asymmetric

Here is a quick run-down of the advantages of symmetric and asymmetric algorithms:

Symmetric

Faster and easier to implement

Lower overhead on system resources

Asymmetric

Scalable and does not require much administration

Easier for users to use


Quick Review

1. Which of the following symmetric ciphers is used in PGP for email security?

a. IDEA

b. PGP Security

c. RC5

d. Blowfish

2. Which of the following is not an advantage of asymmetric algorithms?

a. Scalability

b. Multiple functionality

c. Speed

d. Provides confidentiality and authentication

3. Why is DES considered “insecure?”

a. Buffer overflow exploit

b. Man-in-the-middle attack potential

c. Weak key length

d. All of the above

Answers

1. PGP (Pretty Good Privacy) uses IDEA for encryption. The answer is A.

2. Although asymmetric algorithms can be fast, they are generally slower than their symmetric counterparts, making Speed an issue for these algorithms. The answer is C.

3. DES is insecure because its key length is so short (56 bits). The answer is C.

Public Key Cryptography

Public Key Cryptography is a widely-applied form of cryptography commonly utilized in many network transactions. The Security+ exam will test both your understanding of how public key systems work and your ability to discern between different types of public key algorithms. The exam will also cover PKI, or public-key infrastructure.

The workings of Public Key Cryptography

Unlike private key systems, in which two communicating users share a secret key for encryption and decryption, public key systems utilize widely-available and unique “public keys,” as well as “private keys,” to securely transmit confidential data.

Here’s how a public key transaction works: Assume we have two users, Pat and Jill, and that Pat wishes to send Jill a secret love note. Pat encrypts the love note using Jill’s public key. The message is sent via email to Jill. Jill then can read the message by decrypting the message with her private key. Note that in order for this transaction to take place, only Jill has to know her private key. This is the beauty of a public key (or asymmetric) system. Through this transaction, known as secure message format, the confidentiality of the message is assured: only Jill can read it!

Public-key cryptography can also be applied to validate the authenticity of a message. In this formulation, Pat would send Jill a message using his private key (therefore encrypting the message). To read the message, Jill would use Pat’s public key. In doing so, Jill has affirmed that the message was in fact sent by Pat. This is known as open message format.

In order to ensure both information authenticity and confidentiality, signed and secure message format may be employed. Extending the love note example, Pat would first encrypt the message with Jill’s public key and then encrypt that encrypted message with his own private key. When the message is sent to Jill, she can use Pat’s public key to verify the message was indeed from Pat. But the message is still encrypted! To overcome this, she can use her own private key to decrypt the message.
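The three message formats above, walked through in code as an added example that is not from the study guide: a textbook RSA toy with tiny constructed primes, no padding, and one RSA operation per character, so it shows which key is applied at each step and nothing more.

```python
"""Pat-and-Jill walk-through of the three public key message formats.

Added illustration, not from the study guide: textbook RSA with tiny
primes, no padding, and one RSA operation per character.  The names,
primes and note text are constructed; this shows the key roles only and
is not usable cryptography.
"""
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) as (exponent, modulus) pairs for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e
    return (e, n), (d, n)


def apply_key(blocks, key):
    """Raise each block to the key's exponent mod n.  The same operation is
    'encrypt' with a public key and 'decrypt' or 'sign' with a private key."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def to_blocks(text):
    """One integer block per character (assumes every code point < modulus)."""
    return [ord(ch) for ch in text]


def from_blocks(blocks):
    return "".join(chr(b) for b in blocks)


# Secure message format: only the recipient's private key can read it.
def secure_message(text, recipient_public):
    return apply_key(to_blocks(text), recipient_public)


def read_secure(blocks, recipient_private):
    return from_blocks(apply_key(blocks, recipient_private))


# Open message format: anyone holding the sender's public key can read it,
# and a readable result shows the sender's private key produced it.
def open_message(text, sender_private):
    return apply_key(to_blocks(text), sender_private)


def read_open(blocks, sender_public):
    return from_blocks(apply_key(blocks, sender_public))


# Signed and secure message format: encrypt for the recipient first, then
# apply the sender's private key to that ciphertext.
def signed_and_secure(text, recipient_public, sender_private):
    # With unpadded RSA the outer modulus must exceed the inner one so the
    # inner ciphertext still fits; a constraint of this toy, not of real RSA.
    if sender_private[1] <= recipient_public[1]:
        raise ValueError("sender modulus must be larger than recipient modulus")
    return apply_key(secure_message(text, recipient_public), sender_private)


def read_signed_and_secure(blocks, sender_public, recipient_private):
    # Step 1: sender's public key strips the signature layer (authenticity).
    # Step 2: recipient's private key removes the encryption (confidentiality).
    return read_secure(apply_key(blocks, sender_public), recipient_private)


# Constructed keys: Jill n=3233, Pat n=11413 (Pat's is the larger modulus).
JILL_PUBLIC, JILL_PRIVATE = make_keypair(61, 53)
PAT_PUBLIC, PAT_PRIVATE = make_keypair(101, 113)


if __name__ == "__main__":
    note = "Meet me at 8"
    sealed = signed_and_secure(note, JILL_PUBLIC, PAT_PRIVATE)
    print(read_signed_and_secure(sealed, PAT_PUBLIC, JILL_PRIVATE))
```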

(From Navy) Public Key Schema


Public Key Protocols

RSA is an asymmetric key transport protocol that can be used to transmit private keys between hosts. The algorithm utilizes large prime numbers for effectiveness. The process can be explained very simply – Pat encrypts the private key with Jill’s public key, and Jill decrypts the message with her private key to reveal the transported private key.

Diffie-Hellman is a key agreement protocol that can be used to exchange keys. It uses logarithms to ensure security in the algorithm. In the Diffie-Hellman operation, Pat and Jill each use their own private keys with the public key of the other person to create a shared secret key. Note that Diffie-Hellman is vulnerable to man-in-the-middle attacks.

El Gamal is an extension of Diffie-Hellman that includes encryption and digital signatures.

Message Digesting

A message digest is something of an unreadable, condensed version of a message. More specifically, a message digest utilizes a one-way hash function to calculate a set-length version of a message that cannot be deciphered into clear text. Message digests are usually employed in situations in which it would be undesirable to be able to decrypt the message.

One such application is in modern username/password systems, in which the password is stored using a hash function or digest. After the password has been hashed, it cannot be un-hashed. When a user attempts to log in with a password, the password he types is also hashed so that the two hashes (rather than the two passwords) are compared against each other. Note that this scheme assumes that a hashed value cannot be deciphered and that no two messages will produce the same hash.

Hashing Protocols

MD5 is the most commonly-used hash protocol and uses a 128-bit digest. It is very fast in hashing a message and is also open-source.

SHA-1 is a more secure implementation of a hashing protocol that uses a 160-bit digest and “pads” a message to create a more difficult-to-decipher hash.
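The hashed-password login check described under Message Digesting, together with the MD5 and SHA-1 digest sizes given above, as an added Python example that is not part of the study guide; the user and passwords are constructed, and hashlib and hmac are standard library modules.

```python
"""Hash-based password storage and login check.

Added illustration, not from the study guide.  User and passwords are
constructed; digest sizes come from hashlib (MD5 128 bits, SHA-1 160 bits).
"""
import hashlib
import hmac


def digest_bits(algorithm):
    """Digest length in bits for a hashlib algorithm name ('md5' -> 128)."""
    return hashlib.new(algorithm).digest_size * 8


def hash_password(password, algorithm="sha1"):
    """One-way: the hex digest cannot be turned back into the password."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def store_password(username, password, algorithm="sha1"):
    """What the credential store keeps: the digest, never the password.
    (Production systems also add a per-user salt and a slow hash such as
    hashlib.pbkdf2_hmac; omitted here to mirror the scheme in the text.)"""
    return {
        "user": username,
        "algorithm": algorithm,
        "digest": hash_password(password, algorithm),
    }


def verify_password(record, typed):
    """Login: hash what was typed and compare digest to digest, never
    password to password.  compare_digest keeps the comparison time
    independent of how many leading characters happen to match."""
    candidate = hash_password(typed, record["algorithm"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed credential record for a made-up user.
    record = store_password("pat", "correct horse battery", "sha1")
    print(record["digest"], len(record["digest"]) * 4, "bits")
    print(verify_password(record, "correct horse battery"))  # True
    print(verify_password(record, "Correct horse battery"))  # False
```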

Quick Review

1. Which of the following ensures message confidentiality, but not authenticity?

a. Secure message format

b. Open message format

c. Signed and secure message format


d. Symmetric cryptography

2. Which of the following is not an asymmetric protocol?

a. Diffie-Hellman

b. El Gamal

c. 3DES

d. RSA

3. Why is a hash more difficult to decipher than a standard encryption protocol?

a. It is a one-way function

b. It uses strong encryption techniques

c. It uses large prime numbers

d. It uses discrete logarithms

Answers

1. Secure message format works by encrypting a message with the public key of the intended recipient, ensuring confidentiality but not integrity. The answer is A.

2. 3DES is the only listed protocol that does not utilize a public key system. The answer is C.

3. Because a hash is a one-way function, the only way to decipher it is to try a large number of hashes of cleartext until one matches the original hash. The answer is A.

Organizational Security

Thus far, we have learned the tough stuff – the technically-oriented portions of the exam. We haven’t finished learning all of the technical items yet, either! However, we will take a short break from the technical aspects of the exam to take a look at organizational security, a relatively simple and common-sense portion of the exam you should do quite well on.

Physical Security

Physical security refers to the aspects of information security that are related to physical threats, such as fire or natural disasters. We will cover some basic physical security threats below:

Fire

Remember that fire needs heat, oxygen, and fuel to burn. Also remember that there are four classes of fires:

A, which includes common combustibles

B, which includes burnable fuels

C, which includes electronics

D, which includes chemical and other fires

There are also three common methods of fire detection:

Heat-sensing, which detects fires by temperature

Flame-sensing, which detects fires by the flicker of a flame or infrared detection

Smoke-sensing, which detects fires by variations in light intensity or presence of CO2

There are also a number of different systems to suppress fire:

Water: Traditional method and effective against Class A fires

CO2: Suppresses by removing the O2 element. Useful against Class B and C fires

Soda acid: Combination of chemicals used to eliminate Class A and B fires

Halon: Useful against Class A, B, and C fires but illegal by the Montreal Protocol (ozone depleting)

HVAC

You should note that HVAC (heating, ventilation, and air conditioning) simply refers to the typical environmental controls that we would call “air conditioning.” For the purposes of the exam, you should use common sense and note that:

High temperatures can cause computer equipment, especially processors, to overheat and perform poorly

High humidity can cause corrosion in equipment due to water damage

Low humidity creates an environment suited for too much static electricity (ESD)

Electricity and Power

Remember that electrical power originates from a utility substation or a power grid and that it would be in your best interest to have access to electric distribution panels (circuit breakers and so forth). Also note some of the following information on electric power:

EPO (Emergency power-off) switches are used to shut down power immediately

Backup power sources can be used to ensure continuity in the case of a disaster

Backup sources should be used in critical applications, such as servers and physical access equipment

ESD is also covered on the exam, so you should know that:

ESD is electrostatic discharge, a convoluted term for static electricity build-up and release

ESD can be prevented by 40 to 60 percent humidity levels, grounding, and antistatic floor mats (and other antistatic material)

Electric noise is the crossover or interference that occurs in electrical wires due to high-energy electrons “crossing over” into another wire or signal. To avoid this, you should:

Use power line conditioners and surge protectors

Use grounding and shielded cabling

Business Continuity and Disaster Recovery Planning

The idea of business continuity revolves around the premise that your business should continue to operate in the face of a disaster. Disaster recovery planning, in contrast, is related to the effort to recover infrastructure that fails as the result of a disaster.

Quick Review

1. Which of the following fires can be put out easily with water?

a. Class A

b. Class B

c. Class C

d. Class D

2. Which of the following conditions would have little effect on the ability of systems to continue functioning?

a. 80% humidity

b. 15% humidity

c. -10 degrees Celsius temperature

d. 100 degrees Celsius temperature

e. 0% humidity

3. Which of the following should be included in a BCP (business continuity plan)?

a. How information on servers that come down will later be retrieved

b. How to salvage existing equipment

c. How to shift the load of processing to backup emergency servers

d. How to mitigate the risk of a network attack

Answers

1. Only Class A fires can be effectively extinguished with water. The answer is A.

2. While mild humidity, dryness, or high temperatures can result in equipment failure, slightly uncomfortable low temperatures will rarely result in equipment failure. The answer is C.

3. Answers A and B are concerned with how to recover assets that had been lost after the disaster. Answer D is not concerned with continuity planning, but rather, risk mitigation. The answer is C.

Email and Application Security

Some of the Security+ exam will test you on your knowledge of some basic email, Internet, and application security issues. Although the level of detail required is quite minimal, you must still have a working knowledge of some simple email and application security concepts.

Email Security

Email is a wonderful tool, no doubt, but it is not without security issues. Typical email configurations allow senders to spoof their addresses and send email messages in plain text. Even worse, it is difficult for a recipient of an email to verify that the apparent sender actually sent the message! Thankfully, we have a few security tools at our disposal to ensure confidentiality (through encryption) and integrity (through encryption, digital signatures, and strong passwords). Here are some of those tools:

S/MIME, or Secure Multipurpose Internet Mail Extensions, provides basic cryptographic services for email sent via the Internet. Most popular browsers and email clients support S/MIME, making it among the more popular cryptographic email security services available.

MOSS, or MIME Object Security Services, is a less-common, more extensive suite of security services for email.

PEM, or Privacy Enhanced Mail, provides 3DES encryption for email.

PGP, or Pretty Good Privacy, is an open-source and extremely popular email security suite that uses IDEA to encrypt email and validate signatures.

Email also has a few security vulnerabilities:

Spam is one of the most commonly mentioned nuisances, but did you know it is actually considered a security threat? By clogging the email server, widespread spam denies the user availability, a key component of the CIA triangle. Some spam solutions include user education, email filtering, and reporting of spam to the proper authorities (where necessitated by law).

Open relays are email servers that forward email without any kind of authentication. In other words, open relays allow malicious users to send bulk email without logging into an email server. A good email security setup always includes a non-open relay server (or authenticated relay server).

Malicious Software: Obviously, viruses and worms are a large problem. Many propagate via email messages that are automatically sent by infected hosts. One of the more common solutions is to virus scan and filter incoming email.

Internet Security

The Internet can be a dangerous place, and so, we are interested in protecting users from malicious web sites (with browser scripts) as well as protecting the information that users send to web sites.

SSL is a connection-oriented standard designed to allow for secure cryptographic communication between two hosts via the Internet. TLS is the newest version of SSL.

S-HTTP is a connectionless standard that provides for symmetric encryption, message digests, and client-server authentication.

Browser Scripts/Vulnerabilities are controls, scripts, programs, or other software that can run from the browser and cause damage to a host. In particular, ActiveX controls are well-known for their often malicious content. The best way to protect against browser buffer overflows is to remain vigilant and updated on the latest patches.

Quick Review

1. Which of the following is not a program or tool used to ensure email security?

a. S/MIME

b. MOSS

c. SSH

d. PGP

2. You notice that many users are complaining that their emails are being rejected by the servers that they send the emails to. You also notice that the reason that they are being rejected is because those servers have supposedly received bulk email from your domain. Assuming that your users are innocent of spamming others, the most likely cause of this is:

a. A man-in-the-middle attack is changing all of the users’ messages to spam

b. A spoof attack is falsely identifying the emails as originating from your domain name


c. A worm has spread to your network

d. Your email server is configured for open relay

3. Which of the following is least likely to be associated with browser security?

a. ActiveX controls

b. Javascripts

c. Birthday attacks

d. Buffer overflows

e. Malicious CGI code

Answers

1. SSH is used to maintain a secure remote access connection between two hosts. The answer is C.

2. Although choices A, B, and C are theoretically possible, they are unlikely. It would be cumbersome and counter-intuitive to an attacker to change every email message sent; if he had the ability to do this, he would just send his own messages. Similarly, although a spoof attack is possible, it would be difficult for the attacker to spoof his IP address without the use of a proxy; unless your server is a proxy server, he probably would not target your domain name. Finally, a worm might have spread to your network, but most worms do not send out unsolicited bulk (junk) email. The answer is D, because in most cases, open relays lead to spam and bulk email.

3. Birthday attacks are related to probability and therefore unlikely to be associated with browser security. The answer is C.

Security Topologies

One of the most essential portions of information security is the design and topology of secure networks. What exactly do we mean by “topology?” Usually, a geographic diagram of a network comes to mind. However, in networking, topologies are not related to the physical arrangement of equipment, but rather, to the logical connections that act between the different gateways, routers, and servers. We will take a closer look at some common security topologies.

Screening Router

In a screening router setup, the router acts as the sole gateway and gatekeeper between the un-trusted, outside network (i.e. the Internet) and the trusted network (i.e. LAN). The router maintains sole discretion on which traffic to allow in by implementing an ACL, or access control list. The router in this setup, which blocks traffic based on source, destination, and other header information, is analogous to Saint Peter, who acts as the gatekeeper into Heaven. Some of the advantages of screening routers include their transparency and simplicity. However, in the screening router setup, the router is the sole point of failure and depends heavily on the administrator to maintain a favorable ACL. Also, a screening router has difficulty in masking internal network structure.
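The header-based ACL decision a screening router makes, as an added example that is not from the study guide; the rule list, the private and documentation-range addresses, and the packets are constructed, and the first-match-wins order with an implicit final deny is the usual router convention.

```python
"""Screening-router ACL evaluation over constructed packets.

Added illustration, not from the study guide.  The rule set, the addresses
(RFC 1918 inside, RFC 5737 documentation ranges outside) and the packets
are constructed.  Rules are evaluated top-down, first match wins, and an
implicit deny ends the list.
"""
from ipaddress import ip_address, ip_network

# Constructed ACL applied to traffic arriving on the outside interface:
# (action, source network, destination network, protocol, destination port).
ACL = [
    ("deny",   "10.0.0.0/8",   "any",          "any", None),  # inside address arriving from outside: spoofed
    ("permit", "any",          "10.0.1.10/32", "tcp", 443),   # public web server
    ("permit", "any",          "10.0.1.11/32", "tcp", 25),    # public mail server
    ("permit", "192.0.2.0/24", "10.0.0.0/8",   "any", None),  # partner network may reach the LAN
]

IMPLICIT_DENY = ("deny", "any", "any", "any", None)


def _in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)


def rule_matches(rule, pkt):
    """True when every header field the rule constrains matches the packet.
    Only header fields are consulted: a screening router sees no content."""
    _action, src_net, dst_net, proto, port = rule
    return (
        _in_net(pkt["src"], src_net)
        and _in_net(pkt["dst"], dst_net)
        and (proto == "any" or proto == pkt["proto"])
        and (port is None or port == pkt["dport"])
    )


def evaluate(pkt, acl=ACL):
    """Return (action, rule_index); index None means the implicit deny fired."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule[0], index
    return IMPLICIT_DENY[0], None


def packet(src, dst, proto, dport=None):
    """Constructed packet header: the fields a screening router can inspect."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    for p in (
        packet("198.51.100.7", "10.0.1.10", "tcp", 443),  # web: permitted by rule 1
        packet("198.51.100.7", "10.0.1.10", "tcp", 22),   # ssh to web host: implicit deny
        packet("10.0.5.5", "10.0.1.10", "tcp", 443),      # claims inside source: rule 0
    ):
        print(p, "->", evaluate(p))
```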

Dual-Homed Gateway

The dual-homed gateway is a screening router setup that implements a bastion host between the screening (external) router and the trusted network. A bastion host is a host that is configured to withstand most attacks and can additionally function as a proxy server. By adding the bastion host, no direct communication exists between the external network and the trusted network, masking the internal network structure and allowing for traffic to be screened twice. It is considered fail-safe in that if one of the components (bastion host, router) fails, the security system remains available. However, it is cumbersome and rather slow in comparison to other topologies.

Screened Host Gateway

A screened host gateway is essentially a dual-homed gateway in which outbound traffic (from trusted to un-trusted) can move unrestricted. Incoming traffic must first be screened and then sent to the bastion host, as in a dual-homed gateway. This is a less secure but more transparent system than a dual-homed gateway.

Screened-Subnet

A screened-subnet setup employs a bastion host between two screening routers. What this provides is a special zone for publicly available services (around the bastion host) and transparent access for users on the trusted network. The zone around the bastion host that operates publicly and whose traffic to the trusted network is screened is known as a DMZ, or demilitarized zone; for this reason, bastion hosts are sometimes referred to as DMZ hosts. Remember for the exam that a DMZ host would always be well-secured, just like a bastion host would be.

IDS

An intrusion detection system, or IDS, can track or detect a possible malicious attack on a network. For the exam, you will have to know the following IDS classifications:

Active v. Passive IDS: An active IDS will attempt to thwart any kind of detected attack without user intervention. A passive IDS simply monitors for malicious activity and then alerts the operator to act, or in other words, requires their intervention. A passive IDS is less susceptible to attacks on the IDS system as it does not automatically act.

Network v. Host IDS: A network-based IDS is one that operates as its own node on a network, while host-based IDS systems require agents to be installed on every protected host.

Knowledge v. Behavior IDS: A knowledge-based IDS works by assessing network traffic and comparing it with known malicious signatures, much like antivirus software. A behavior-based IDS analyzes baselines or normal conditions of network traffic; it then compares them to possibly malicious levels of traffic. Note that this type of IDS produces more false alarms.
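The knowledge-based and behavior-based classification above, run over a constructed one-minute traffic window as an added example that is not from the study guide; the baseline counts, the placeholder signatures, the hosts, and the mean-plus-three-standard-deviations threshold are all assumptions.

```python
"""Knowledge-based vs behavior-based IDS over a constructed traffic window.

Added illustration, not from the study guide.  Baseline counts, the
signature library, the hosts and the packets are constructed; the alert
rule (mean + 3 standard deviations) is an assumption.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: ICMP echo requests per source per minute observed
# from normal hosts during a quiet training period.
BASELINE_ICMP_PER_MIN = [12, 15, 11, 14, 13]

# Constructed signature library: byte patterns a knowledge-based IDS
# compares traffic against, like antivirus definitions.  Placeholders only.
SIGNATURES = {
    "SIG-0001 (constructed)": b"SIGTEST-PATTERN-A",
    "SIG-0002 (constructed)": b"SIGTEST-PATTERN-B",
}

# Constructed one-minute window of (source, protocol, payload) records.
WINDOW = (
    [("10.0.0.77", "icmp", b"")] * 60    # one host sending a flood of echo requests
    + [("10.0.0.20", "icmp", b"")] * 40  # monitoring server legitimately polling hosts
    + [("10.0.0.5", "icmp", b"")] * 12   # ordinary workstation
    + [("10.0.0.9", "tcp", b"GET /x?q=SIGTEST-PATTERN-A HTTP/1.0")]
    + [("10.0.0.9", "tcp", b"GET /index.html HTTP/1.0")]
)


def knowledge_based(window, signatures=SIGNATURES):
    """Flag packets whose payload contains a known signature.  Traffic that
    matches no signature is never flagged, however unusual it looks."""
    return [
        (src, name)
        for src, _proto, payload in window
        for name, pattern in signatures.items()
        if pattern in payload
    ]


def baseline_threshold(baseline=BASELINE_ICMP_PER_MIN, k=3.0):
    """Alert level learned from normal traffic: mean + k standard deviations."""
    return mean(baseline) + k * pstdev(baseline)


def behavior_based(window, threshold):
    """Flag sources whose ICMP count in the window exceeds the threshold.
    No signature is needed, but a legitimately busy host is flagged too,
    which is where the extra false alarms come from."""
    counts = Counter(src for src, proto, _payload in window if proto == "icmp")
    return [(src, n) for src, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    print("knowledge-based:", knowledge_based(WINDOW))
    print("behavior-based:", behavior_based(WINDOW, baseline_threshold()))
```

In this constructed window the behavior-based detector flags both the flooding host and the monitoring server (a false alarm), while the knowledge-based detector flags only the packet carrying a known pattern and says nothing about the flood.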

Honeypot

A honeypot is designed to lure attackers or malicious users into attempting an attack on a fictional or purposefully-weak host and then recording the patterns of their activity or the source of the attack. A honeypot can also act as bait for the rest of the network by luring attackers to an “easy target.”

Quick Review

1. Which of the following topologies features a demilitarized zone or DMZ?

a. Active IDS

b. Passive IDS

c. Dual-Homed Gateway

d. Screened-Subnet

2. Why would behavior-based IDS require less maintenance than knowledge-based IDS?

a. Behavior-based systems necessarily work without user intervention

b. Knowledge-based IDS can only work on a screened-subnet or screened host gateway topology.

c. No DMZ host is required in a behavior-based IDS

d. Behavior-based systems do not require signatures or libraries of attacks

3. Your company wishes to implement a web server, email server, and voice-over-IP server that are accessible to the rest of the Internet. However, it wants to ensure that the structure and hosts within the rest of the network are totally protected from outside access. Which of the following setups would provide this functionality?

a. Dual-Homed Gateway

b. Screened Host Gateway

c. Screening Router

d. Screened-Subnet

Answers

1. The screened-subnet topology features a DMZ between two screening routers, effectively isolating the publicly-accessible zone from the rest of the trusted network. The answer is D.

2. Because behavior-based systems compare baseline use levels to current or potentially malicious levels, they do not require signatures or libraries, decreasing the amount of active administrator maintenance that is required. The answer is D.

3. A screened-subnet gateway provides a protected zone for public services. The answer is D.

Security+ Study Guide Review

We would like to wrap up some of the points that we’ve covered previously and introduce you to the kinds of questions that you will encounter on the real Security+ examination. Therefore, this review will feature questions that are sure to have you thinking; hopefully, you will be prepared from reading the guide to do well.

Questions

1. Your manager asks you to implement a system that can filter out unwanted content, such as viruses and unproductive Internet content. The best way to accomplish this would be through a system that implements a:

a. Circuit-level gateway

b. Proxy server

c. Packet filtering firewall

d. DMZ host

e. Bastion host

2. Which of the following is the function of PGP?

a. Filter unwanted Internet traffic

b. Create a buffered security zone

c. Provide access control functionality

d. Boot a *Nix server that is not operational as the result of an attack

e. Provide message encryption services

3. How do mandatory access controls protect access to restricted resources?

a. Sensitivity labeling

b. User-level share permissions

c. Server-level share permissions

d. Role-oriented permissions

e. ACL lists

Page 51: Security

Security+ study guide

Written by McCya mccya.webs.com Page 51

4. You notice a rapid increase in the number of ICMP requests coming from a single host. The requests are continuous and have been occurring for minutes. What kind of attack are you likely experiencing?

a. Ping flood

b. Smurf

c. Birthday

d. Buffer overflow

e. You are not experiencing an attack

5. Your company requires secure remote access through a terminal to a server. Which of the following would provide such secure access?

a. Telnet

b. SSH

c. FTP

d. SSL

e. Ethernet

6. Which of the following is an advantage of symmetric-key cryptography in comparison to asymmetric-key cryptography?

a. Symmetric keys are stronger than asymmetric keys

b. Symmetric key systems are more scalable than asymmetric systems

c. Symmetric key systems are faster than their asymmetric counterparts

d. Symmetric key systems can operate in more layers of the OSI model than asymmetric systems can

e. None of the above

7. Which of the following is not a way that IDS systems are commonly classified?

a. Active

b. Passive


c. Latent

d. Knowledge-based

e. Behavior-based

8. Which of the following provides tunneling over the data-link layer?

a. IPSec

b. L2TP

c. PPP

d. PPTP

e. VPN

9. Which of the following authentication factors is considered the strongest?

a. Type 1

b. Type 2

c. Type 3

d. Type 4

e. Type 5

10. You set up a packet-filtering firewall that accepts or rejects traffic based on the IP address of the source. What kind of attack is this firewall specifically vulnerable to?

a. Buffer overflow

b. Man-in-the-Middle attack

c. Smurfing

d. Spoofing

e. Distributed denial of service

11. Your manager complains that he cannot remember his password. You have also lost your copy of the password, but the MD5 hash of the password is stored in the database. How can you use the MD5 hash to recover the password?

a. Decrypt the hash using a shared secret key

b. Decrypt the hash using a public encryption system

c. Encrypt the hash using a shared secret key

d. Encrypt the hash of the hash using a shared secret key

e. You cannot recover the password from the hash

12. Which of the following parts of the CIA triangle are effectively ensured by cryptography?

a. Confidentiality Only

b. Integrity Only

c. Accessibility Only

d. Accessibility and Integrity Only

e. Confidentiality and Integrity Only

13. Which of the following is not a parameter of a security association in IPSec?

a. SPI

b. Source IP Address

c. Destination IP Address

d. Security Protocol ID

14. Which of the following is not considered a physical security threat?

a. Fire

b. Water

c. Severe Weather

d. Electricity

e. Buffer Overflow

15. Which of the following is a layer-3 device that connects two dissimilar network segments?

a. Bridge

b. Switch

c. Hub

d. Router

e. Gateway

Answers

1. A proxy server is the best way to filter content because it prevents a direct connection between a local and remote host and therefore can effectively filter incoming and outgoing traffic. Answer: B

2. PGP, which stands for “Pretty Good Privacy,” is used to provide message signing and encryption services. Answer: E

3. Mandatory is the key word in mandatory access control, which means that the sensitivity of information is determined at the top of the decision-making tree rather than up to the user’s discretion. To accomplish such a task, sensitivity labeling is necessary. Answer: A

4. Unusually large numbers of ICMP packets are usually employed in a ping flood attack. In this attack, the number of packets is supposed to be so great that the system is overwhelmed and succumbs to the attack, denying availability. Answer: A

5. Only SSH provides secure access through the Internet to a terminal. Telnet provides remote access over cleartext. Answer: B

6. While symmetric key systems can prove difficult to manage and are cumbersome for many users, they offer a greater degree of speed as fewer and less complex calculations are involved in the process. Answer: C

7. IDS systems are not classified by latency, as such a concept makes no sense in that context. Answer: C

8. L2TP stands for “Layer 2 Tunneling Protocol.” This should help you remember that L2TP indeed provides tunneling over Layer 2, or the Data Link layer of the OSI model. Answer: B

9. As Types 4 and 5 are fictitious types of authentication factors, we are left with a choice between Types 1, 2, and 3. Although Types 1 and 2 can offer strong factors, biometric identification (“what you are”) is usually considered the strongest, as it is difficult to impersonate a fingerprint. Answer: C

10. Because the firewall discerns traffic by IP address, the best way to circumvent this firewall would be to make it appear that your IP address is different than it really is. To do this, you would have to “spoof” your IP address. Answer: D

11. A hash, by definition, is a one-way function that encrypts a message for digesting. Therefore, it is impossible to actually “decrypt” the hash. Answer: E

12. Cryptography can both protect the contents of a message and ensure that a message remains the same as when it was sent. Therefore, cryptography can be used to ensure confidentiality and integrity. Availability, or the idea that systems should be available, is not ensured by cryptography. Answer: E

13. Because the destination IP address is not a security interest in IPSec transmissions, it is not included on the security association. Answer: C

14. A buffer overflow, while a serious threat to system stability, is a logical rather than a physical vulnerability. Answer: E

15. A router operates in the Network layer of the OSI model and is typically used to join two dissimilar network segments together (and forward packets based on IP address). Answer: D

Your Progress and Final Thoughts

If you scored between 0 and 7 questions correct, you need to study the entire guide again. Obviously, you are lacking in multiple areas of the Security+ examination and could therefore benefit from reading all of the subject areas in depth.

If you scored between 8 and 11 questions correct, you should take a close look at the subject areas of the questions that you missed and carefully re-read and review the lessons in the guide concerning those specific areas. If you took the exam today, you would probably not pass with this sort of score.

If you scored between 12 and 15 questions correct, great job! You should probably glance over some of the questions that you missed and the corresponding guide article, but you are most likely ready to move on to our cram sheet. If you took the exam today, you would likely pass it.

We wish you the best of luck in your pursuit of Security+ certification. Be sure to check out our Security+ Cram Sheet and take plenty of practice exams! We hope you do well.