Security+ Guide to Network Security Fundamentals - 2nd4p

Apr 02, 2015

Krit Chanklan
Transcript
Page 1: Security+ Guide to Network Security Fundamentals - 2nd4p

Chapter 1: Information Security Fundamentals

Security+ Guide to Network Security Fundamentals

Second Edition

Security+ Guide to Network Security Fundamentals, 2e

2

Objectives

• Identify the challenges for information security

• Define information security

• Explain the importance of information security


• List and define information security terminology

• Describe the CompTIA Security+ certification exam

• Describe information security careers


Identifying the Challenges for Information Security

• Challenge of keeping networks and computers secure has never been greater

• A number of trends illustrate why security is becoming increasingly difficult

• Many trends have resulted in security attacks growing at an alarming rate


Identifying the Challenges for Information Security (continued)

• Computer Emergency Response Team (CERT) security organization compiles statistics regarding number of reported attacks, including:

– Speed of attacks

– Sophistication of attacks

– Faster detection of weaknesses

– Distributed attacks

– Difficulties of patching


Defining Information Security

• Information security:

– Tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network


Defining Information Security (continued)

• Ensures that protective measures are properly implemented

• Is intended to protect information

• Involves more than protecting the information itself


Defining Information Security (continued)

• Three characteristics of information must be protected by information security:

– Confidentiality

– Integrity

– Availability

• Center of diagram shows what needs to be protected (information)

• Information security achieved through a combination of three entities


Understanding the Importance of Information Security

• Information security is important to businesses:

– Prevents data theft

– Avoids legal consequences of not securing information

– Maintains productivity

– Foils cyberterrorism

– Thwarts identity theft


Preventing Data Theft

• Security often associated with theft prevention

• Drivers install security systems on their cars to prevent the cars from being stolen

• The same is true with information security: businesses cite preventing data theft as the primary goal of information security


Preventing Data Theft (continued)

• Theft of data is single largest cause of financial loss due to a security breach

• One of the most important objectives of information security is to protect important business and personal data from theft


Avoiding Legal Consequences

• Businesses that fail to protect data may face serious penalties

• Laws include:

– The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

– The Sarbanes-Oxley Act of 2002 (Sarbox)

– The Gramm-Leach-Bliley Act (GLBA)

– USA PATRIOT Act 2001


Maintaining Productivity

• After an attack on information security, clean-up efforts divert resources, such as time and money away from normal activities

• A Corporate IT Forum survey of major corporations showed:

– Each attack costs a company an average of $213,000 in lost man-hours and related costs

– One-third of corporations reported an average of more than 3,000 man-hours lost


Foiling Cyberterrorism

• An area of growing concern among defense experts is surprise attacks by terrorist groups using computer technology and the Internet (cyberterrorism)

• These attacks could cripple a nation’s electronic and commercial infrastructure

• Our challenge in combating cyberterrorism is that many prime targets are not owned and managed by the federal government


Thwarting Identity Theft

• Identity theft involves using someone’s personal information, such as social security numbers, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating

• National, state, and local legislation continues to be enacted to deal with this growing problem

– The Fair and Accurate Credit Transactions Act of 2003 is a federal law that addresses identity theft


Understanding Information Security Terminology


Exploring the CompTIA Security+ Certification Exam

• Since 1982, the Computing Technology Industry Association (CompTIA) has been working to advance the growth of the IT industry

• CompTIA is the world’s largest developer of vendor-neutral IT certification exams

• The CompTIA Security+ certification tests for mastery in security concepts and practices


Exploring the CompTIA Security+ Certification Exam (continued)

• Exam was designed with input from security industry leaders, such as VeriSign, Symantec, RSA Security, Microsoft, Sun, IBM, Novell, and Motorola

• The Security+ exam is designed to cover a broad range of security topics categorized into five areas or domains


Surveying Information Security Careers

• Information security is one of the fastest growing career fields

• As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities


Surveying Information Security Careers (continued)

• Sometimes divided into three general roles:

– Security manager develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues

– Security engineer designs, builds, and tests security solutions to meet policies and address business needs

– Security administrator configures and maintains security solutions to ensure proper service levels and availability


Summary

• The challenge of keeping computers secure is becoming increasingly difficult

• Attacks can be launched without human intervention and infect millions of computers in a few hours

• Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures


• Information security has its own set of terminology

• A threat is an event or an action that can defeat security measures and result in a loss

• CompTIA has been working to advance the growth of the IT industry and those individuals working within it

• CompTIA is the world’s largest developer of vendor-neutral IT certification exams

Chapter 2: Attackers and Their Attacks

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Develop attacker profiles

• Describe basic attacks

• Describe identity attacks

• Identify denial of service attacks

• Define malicious code (malware)


Developing Attacker Profiles

• Six categories:

– Hackers

– Crackers

– Script kiddies

– Spies

– Employees

– Cyberterrorists


Hackers

• Person who uses advanced computer skills to attack computers, but not with a malicious intent

• Use their skills to expose security flaws


Crackers

• Person who violates system security with malicious intent

• Have advanced knowledge of computers and networks and the skills to exploit them

• Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks


Script Kiddies

• Break into computers to create damage

• Are unskilled users

• Download automated hacking software from Web sites and use it to break into computers

• Tend to be young computer users with almost unlimited amounts of leisure time, which they can use to attack systems


Spies

• Person hired to break into a computer and steal information

• Do not randomly search for unsecured computers to attack

• Hired to attack a specific computer that contains sensitive information


Employees

• One of the largest information security threats to business

• Employees break into their company’s computer for these reasons:

– To show the company a weakness in their security

– To say, “I’m smarter than all of you”

– For money


Cyberterrorists

• Experts fear terrorists will attack the network and computer infrastructure to cause panic

• Cyberterrorists’ motivation may be defined as ideology, or attacking for the sake of their principles or beliefs

• One of the targets highest on the list of cyberterrorists is the Internet itself


Cyberterrorists (continued)

• Three goals of a cyberattack:

– Deface electronic information to spread disinformation and propaganda

– Deny service to legitimate computer users

– Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data


Understanding Basic Attacks

• Today, the global computing infrastructure is the most likely target of attacks

• Attackers are becoming more sophisticated, moving away from searching for bugs in specific software applications toward probing the underlying software and hardware infrastructure itself


Social Engineering

• Easiest way to attack a computer system requires almost no technical ability and is usually highly successful

• Social engineering relies on tricking and deceiving someone to access a system

• Social engineering is not limited to telephone calls or dated credentials


Social Engineering (continued)

• Dumpster diving: digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away

• Phishing: sending people electronic requests for information that appear to come from a valid source


Social Engineering (continued)

• Develop strong instructions or company policies regarding:

– When passwords are given out

– Who can enter the premises

– What to do when asked questions by another employee that may reveal protected information

• Educate all employees about the policies and ensure that these policies are followed


Password Guessing

• Password: secret combination of letters and numbers that validates or authenticates a user

• Passwords are used with usernames to log on to a system using a dialog box

• Attackers attempt to exploit weak passwords by password guessing


Password Guessing (continued)

• Characteristics of weak passwords:

– Using a short password (XYZ)

– Using a common word (blue)

– Using personal information (name of a pet)

– Using same password for all accounts

– Writing the password down and leaving it under the mouse pad or keyboard

– Not changing passwords unless forced to do so


Password Guessing (continued)

• Brute force: attacker attempts to create every possible password combination by changing one character at a time, using each newly generated password to access the system

• Dictionary attack: takes each word from a dictionary and encodes it (hashing) in the same way the computer encodes a user’s password


Password Guessing (continued)

• Software exploitation: takes advantage of any weakness in software to bypass security requiring a password

– Buffer overflow: occurs when a computer program attempts to stuff more data into a temporary storage area than it can hold


Password Guessing (continued)

• Policies to minimize password-guessing attacks:

– Passwords must have at least eight characters

– Passwords must contain a combination of letters, numbers, and special characters

– Passwords should expire at least every 30 days

– Passwords cannot be reused for 12 months

– The same password should not be duplicated and used on two or more systems
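The five policy rules above, turned into a checker as an added example (not code from the textbook). All names, the sample account history and the dates are constructed for the demonstration; history is stored as digests rather than plaintext so that the reuse check never needs old passwords in the clear.

```python
import hashlib
import re
from datetime import date, timedelta

# The slide's rules as constants.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=30)          # passwords expire at least every 30 days
REUSE_WINDOW = timedelta(days=365)    # no reuse for 12 months


def fingerprint(password: str) -> str:
    """History is kept as digests, not plaintext. SHA-256 is enough for a reuse
    check; the login store itself would use a slow, salted password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_problems(password: str) -> list:
    """Rules 1 and 2: minimum length and a mix of letters, numbers and specials."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def is_expired(date_set: date, today: date) -> bool:
    """Rule 3: a password set 30 or more days ago must be changed."""
    return today - date_set >= MAX_AGE


def new_password_problems(password, history, other_systems, today):
    """Rules 4 and 5 on top of the complexity rules.
    history: list of (fingerprint, date_set) for this account.
    other_systems: dict of system name -> fingerprint of the password used there."""
    problems = complexity_problems(password)
    fp = fingerprint(password)
    if any(old == fp and today - when < REUSE_WINDOW for old, when in history):
        problems.append("reused within 12 months")
    for system, system_fp in other_systems.items():
        if system_fp == fp:
            problems.append(f"same password already used on {system}")
    return problems


# Constructed sample state for one account (invented values).
TODAY = date(2015, 4, 2)
HISTORY = [
    (fingerprint("Winter2014!x"), date(2014, 2, 1)),   # more than 12 months ago
    (fingerprint("Summer2014!x"), date(2014, 6, 1)),   # inside the 12-month window
    (fingerprint("Tr0ub4dor&3"), date(2015, 3, 1)),    # current password
]
OTHER_SYSTEMS = {"vpn": fingerprint("Tr0ub4dor&3"), "mail": fingerprint("M@il2015pass")}


if __name__ == "__main__":
    for candidate in ("blue", "Winter2014!x", "Tr0ub4dor&3"):
        print(candidate, new_password_problems(candidate, HISTORY, OTHER_SYSTEMS, TODAY))
    print("current password expired:", is_expired(HISTORY[-1][1], TODAY))
```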


Weak Keys

• Cryptography:

– Science of transforming information so it is secure while being transmitted or stored

– Does not attempt to hide existence of data; “scrambles” data so it cannot be viewed by unauthorized users


Weak Keys (continued)

• Encryption: changing the original text to a secret message using cryptography

• Success of cryptography depends on the process used to encrypt and decrypt messages

• Process is based on algorithms


Weak Keys (continued)

• Algorithm is given a key that it uses to encrypt the message

• Any mathematical key that creates a detectable pattern or structure (weak keys) provides an attacker with valuable information to break the encryption


Mathematical Attacks

• Cryptanalysis: process of attempting to break an encrypted message

• Mathematical attack: analyzes characters in an encrypted text to discover the keys and decrypt the data


Birthday Attacks

• Birthday paradox:

– When you meet someone for the first time, you have a 1 in 365 chance (0.027%) that he has the same birthday as you

– If you meet 60 people, the probability leaps to over 99% that you will share the same birthday with one of these people

• Birthday attack: attack on a cryptographical system that exploits the mathematics underlying the birthday paradox
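Worked out as an added illustration (not from the textbook slides): the calculation behind the "over 99%" figure, and the same calculation generalised to an m-bit hash, which is what a birthday attack exploits. N denotes the number of equally likely values (365 for birthdays, 2^m for a hash).

```latex
% Probability that n people all have distinct birthdays (365 equally likely days):
P(\text{no match}, n) = \prod_{k=0}^{n-1} \frac{365-k}{365}
  = 1 \cdot \frac{364}{365} \cdot \frac{363}{365} \cdots \frac{365-n+1}{365}

% With 1 - x \approx e^{-x} for small x this becomes
P(\text{no match}, n) \approx \exp\!\left(-\frac{n(n-1)}{2 \cdot 365}\right)

% Evaluating the exact product:
n = 23:\quad P(\text{match}) = 1 - P(\text{no match}) \approx 0.507
n = 60:\quad P(\text{match}) \approx 0.994 \quad\text{(the slide's ``over 99\%'')}

% Generalisation to N equally likely outputs (N = 2^m for an m-bit hash),
% q values drawn at random:
P(\text{collision}, q) \approx 1 - \exp\!\left(-\frac{q^2}{2N}\right)

% Solving for a 50\% chance of a collision:
q \approx \sqrt{2N\ln 2} \approx 1.18\,\sqrt{N} = 1.18 \cdot 2^{m/2}
```

The last line is the defender's takeaway: an attacker searching for any two inputs with the same hash needs about 2^(m/2) trials, not 2^m, so a hash must be twice as long as the collision resistance required of it.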


Examining Identity Attacks

• Category of attacks in which the attacker attempts to assume the identity of a valid user


Man-in-the-Middle Attacks

• Make it seem that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them

• Can be active or passive:

– Passive attack: attacker captures sensitive data being transmitted and sends it to the original recipient without his presence being detected

– Active attack: contents of the message are intercepted and altered before being sent on


Replay

• Similar to an active man-in-the-middle attack

• Whereas an active man-in-the-middle attack changes the contents of a message before sending it on, a replay attack only captures the message and then sends it again later

• Takes advantage of communications between a network device and a file server


TCP/IP Hijacking

• With wired networks, TCP/IP hijacking uses spoofing, which is the act of pretending to be the legitimate owner

• One particular type of spoofing is Address Resolution Protocol (ARP) spoofing

• ARP spoofing builds on the fact that each computer using TCP/IP must have a unique IP address


TCP/IP Hijacking (continued)

• Certain types of local area networks (LANs), such as Ethernet, must also have another address, called the media access control (MAC) address, to move information around the network

• Computers on a network keep a table that links an IP address with the corresponding MAC address

• In ARP spoofing, a hacker changes the table so packets are redirected to his computer
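The defender's counterpart to the table change described above, as an added example (not from the textbook): a monitor that keeps its own copy of the IP-to-MAC table from observed ARP replies and flags the two footprints of ARP spoofing, a known IP suddenly answering from a different MAC and one MAC answering for several IPs. The class and function names and the sample replies are constructed for this demonstration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample ARP replies (time, sender IP, sender MAC); invented values,
# not captured traffic. 192.168.1.1 plays the gateway.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway answers normally
    (1.5, "192.168.1.10", "00:11:22:33:44:10"),  # a workstation
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),   # same binding again: benign
    (3.0, "192.168.1.1", "00:11:22:33:44:99"),   # gateway IP now answered by a new MAC
    (3.2, "192.168.1.10", "00:11:22:33:44:99"),  # same MAC now also claims the workstation
]


@dataclass(frozen=True)
class Alert:
    time: float
    ip: str
    old_mac: Optional[str]
    new_mac: str
    reason: str


class ArpTableMonitor:
    """Rebuilds the IP-to-MAC table from ARP replies seen on the wire and
    raises an alert when a binding changes or a MAC claims several IPs."""

    def __init__(self) -> None:
        self.table = {}                    # ip -> mac currently believed
        self.ips_by_mac = defaultdict(set) # mac -> set of ips it has answered for
        self.alerts = []

    def observe(self, ts: float, ip: str, mac: str) -> None:
        ip = str(ipaddress.ip_address(ip))   # rejects malformed addresses
        mac = mac.lower()
        old = self.table.get(ip)
        if old is not None and old != mac:
            # A known IP suddenly answering from a different hardware address.
            # Legitimate causes exist (NIC replaced, DHCP lease moved), so this
            # is a signal to investigate, not proof of an attack.
            self.alerts.append(Alert(ts, ip, old, mac, "ip-rebound-to-new-mac"))
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # One MAC answering for several IPs is the classic spoofing footprint.
            self.alerts.append(Alert(ts, ip, old, mac, "mac-claims-multiple-ips"))


def analyze(replies) -> list:
    """Feed (time, ip, mac) replies through a fresh monitor; return its alerts."""
    monitor = ArpTableMonitor()
    for ts, ip, mac in replies:
        monitor.observe(ts, ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_ARP_REPLIES):
        print(f"t={a.time}: {a.ip} {a.old_mac} -> {a.new_mac} ({a.reason})")
```

This is the logic behind tools such as arpwatch; in practice the monitor also needs a list of expected bindings for the gateway so that the very first reply it sees cannot poison its table.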


Identifying Denial of Service Attacks

• Denial of service (DoS) attack attempts to make a server or other network device unavailable by flooding it with requests

• After a short time, the server runs out of resources and can no longer function

• Known as a SYN attack because it exploits the SYN/ACK “handshake”


Identifying Denial of Service Attacks (continued)

• Another DoS attack tricks computers into responding to a false request

• An attacker can send a request to all computers on the network making it appear a server is asking for a response

• Each computer then responds to the server, overwhelming it, and causing the server to crash or be unavailable to legitimate users


Identifying Denial of Service Attacks (continued)

• Distributed denial-of-service (DDoS) attack:

– Instead of using one computer, a DDoS may use hundreds or thousands of computers

– DDoS works in stages


Understanding Malicious Code (Malware)

• Consists of computer programs designed to break into computers or to create havoc on computers

• Most common types:

– Viruses

– Worms

– Logic bombs

– Trojan horses

– Back doors


Viruses

• Programs that secretly attach to another document or program and execute when that document or program is opened

• Might contain instructions that cause problems ranging from displaying an annoying message to erasing files from a hard drive or causing a computer to crash repeatedly


Viruses (continued)

• Antivirus software defends against viruses

• Drawback of antivirus software is that it must be updated to recognize new viruses

• Updates (definition files or signature files) can be downloaded automatically from the Internet to a user’s computer


Worms

• Although similar in nature, worms are different from viruses in two regards:

– A virus attaches itself to a computer document, such as an e-mail message, and is spread by traveling along with the document

– A virus needs the user to perform some type of action, such as starting a program or reading an e-mail message, to start the infection


Worms (continued)

• Worms are usually distributed via e-mail attachments as separate executable programs

• In many instances, reading the e-mail message starts the worm

• If the worm does not start automatically, attackers can trick the user to start the program and launch the worm


Logic Bombs

• Computer program that lies dormant until triggered by a specific event, for example:

– A certain date being reached on the system calendar

– A person’s rank in an organization dropping below a specified level


Trojan Horses

• Programs that hide their true intent and then reveal themselves when activated

• Might disguise themselves as free calendar programs or other interesting software

• Common strategies:

– Giving a malicious program the name of a file associated with a benign program

– Combining two or more executable programs into a single filename


Trojan Horses (continued)

• Defend against Trojan horses with the following products:

– Antivirus tools, which are one of the best defenses against combination programs

– Special software that alerts you to the existence of a Trojan horse program

– Anti-Trojan horse software that disinfects a computer containing a Trojan horse


Back Doors

• Secret entrances into a computer of which the user is unaware

• Many viruses and worms install a back door allowing a remote user to access a computer without the legitimate user’s knowledge or permission


Summary

• Six categories of attackers: hackers, crackers, script kiddies, spies, employees, and cyberterrorists

• Password guessing is a basic attack that attempts to learn a user’s password by a variety of means

• Cryptography uses an algorithm and keys to encrypt and decrypt messages


• Identity attacks attempt to assume the identity of a valid user

• Denial of service (DoS) attacks flood a server or device with requests, making it unable to respond to valid requests

• Malicious code (malware) consists of computer programs intentionally created to break into computers or to create havoc on computers


Chapter 3: Security Basics

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Identify who is responsible for information security

• Describe security principles

• Use effective authentication methods

• Control access to computer systems

• Audit information security schemes


Identifying Who Is Responsible for Information Security

• When an organization secures its information, it completes a few basic tasks:

– It must analyze its assets and the threats these assets face from threat agents

– It identifies its vulnerabilities and how they might be exploited

– It regularly assesses and reviews the security policy to ensure it is adequately protecting its information


Identifying Who Is Responsible for Information Security (continued)

• Bottom-up approach: major tasks of securing information are accomplished from the lower levels of the organization upwards

• This approach has one key advantage: the bottom-level employees have the technical expertise to understand how to secure information


Identifying Who Is Responsible for Information Security (continued)

• Top-down approach starts at the highest levels of the organization and works its way down

• A security plan initiated by top-level managers has the backing to make the plan work


Identifying Who Is Responsible for Information Security (continued)

• Chief information security officer (CISO): helps develop the security plan and ensures it is carried out

• Human firewall: describes the security-enforcing role of each employee


Understanding Security Principles

• Ways information can be attacked:

– Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet

– Spies can use social engineering

– Employees can guess other users’ passwords

– Hackers can create back doors

• Protecting against the wide range of attacks calls for a wide range of defense mechanisms


Layering

• Layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks

• Information security likewise must be created in layers

• All the security layers must be properly coordinated to be effective


Limiting

• Limiting access to information reduces the threat against it

• Only those who must use data should have access to it

• Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)

• The amount of access granted to someone should be limited to what that person needs to know or do


Diversity

• Diversity is closely related to layering

• You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers

• Using diverse layers of defense means that breaching one security layer does not compromise the whole system


Diversity (continued)

• You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic

• Using firewalls produced by different vendors creates even greater diversity


Obscurity

• Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult


Simplicity

• Complex security systems can be difficult to understand, troubleshoot, and feel secure about

• The challenge is to make the system simple from the inside but complex from the outside


Using Effective Authentication Methods

• Information security rests on three key pillars:

– Authentication

– Access control

– Auditing


Using Effective Authentication Methods (continued)

• Authentication:

– Process of providing identity

– Can be classified into three main categories: what you know, what you have, what you are

– Most common method: providing a user with a unique username and a secret password


Username and Password (continued)

• ID management:

– User’s single authenticated ID is shared across multiple networks or online businesses

– Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember)

– Can be for users and for computers that share data


Tokens

• Token: security device that authenticates the user by having the appropriate permission embedded into the token itself

• Passwords are based on what you know, tokens are based on what you have

• Proximity card: plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal


Biometrics

• Uses a person’s unique characteristics to authenticate them

• Is an example of authentication based on what you are

• Human characteristics that can be used for identification include:

– Fingerprint

– Face

– Hand

– Iris

– Retina

– Voice


Certificates

• Public-key cryptography by itself does not prove that senders are who they claim to be: anyone can generate a key pair and attach any name to it

• Certificates let the receiver verify who sent the message

• Certificates link or bind a specific person (or system) to a public key

• Digital certificates are issued by a certification authority (CA), a third-party organization that both the sender and the receiver trust

Kerberos

• Authentication system developed by the Massachusetts Institute of Technology (MIT)

• Used to verify the identity of networked users, like using a driver’s license to cash a check

• Typically used when someone on a network attempts to use a network service and the service wants assurance that the user is who he says he is

Kerberos (continued)

• A state agency, such as the DMV, issues a driver's license that has these characteristics:

– It is difficult to copy

– It contains specific information (name, address, height, etc.)

– It lists restrictions (must wear corrective lenses, etc.)

– It expires on a specified date

• The user is provided a ticket that is issued by the Kerberos authentication server (AS), much as a driver’s license is issued by the DMV
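As an added illustration (not from the textbook or its slides), the following Python models the four license-like properties listed above as a ticket check: the ticket is sealed so it cannot be altered, carries specific information about its holder, lists restrictions, and expires. The key, service and host names are assumptions; real Kerberos encrypts the ticket under the service's long-term key and includes a session key, which this HMAC-sealed version leaves out.

```python
import hmac
import hashlib
import json

# Constructed example: a long-term key shared between the authentication server (AS)
# and the file service. In real Kerberos the KDC holds a key for every service and
# encrypts the ticket under it; here the ticket is only integrity-sealed with an HMAC,
# which is enough to show the four properties the driver's-license analogy lists.
FILE_SERVICE_KEY = b"file-service-long-term-key (assumed)"


def _seal(key: bytes, body: dict) -> str:
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def issue_ticket(key, client, service, restrictions, lifetime_s, now):
    """AS side: build a ticket and seal it so it cannot be altered or forged
    without the service key ('difficult to copy')."""
    body = {
        "client": client,                 # specific information about the holder
        "service": service,
        "restrictions": restrictions,     # e.g. the hosts the ticket may be used from
        "issued": now,
        "expires": now + lifetime_s,      # 'expires on a specified date'
    }
    return {"body": body, "tag": _seal(key, body)}


def validate_ticket(key, ticket, service, client_host, now):
    """Service side: returns (accepted, reason). Checks run in the order an
    attacker would try to cheat: forgery, wrong service, expiry, restrictions."""
    if not hmac.compare_digest(_seal(key, ticket["body"]), ticket["tag"]):
        return False, "forged or altered ticket"
    body = ticket["body"]
    if body["service"] != service:
        return False, "ticket issued for a different service"
    if now >= body["expires"]:
        return False, "ticket expired"
    allowed_hosts = body["restrictions"].get("hosts")
    if allowed_hosts and client_host not in allowed_hosts:
        return False, "restriction violated: host not permitted"
    return True, "accepted for " + body["client"]


if __name__ == "__main__":
    t = issue_ticket(FILE_SERVICE_KEY, "alice", "fileserver", {"hosts": ["ws17"]}, 300, now=1000)
    print(validate_ticket(FILE_SERVICE_KEY, t, "fileserver", "ws17", now=1100))
```

The service never consults the AS when a ticket arrives; everything it needs is inside the ticket, and the seal is what lets it trust that content, just as a clerk trusts the license rather than phoning the DMV.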

Challenge Handshake Authentication Protocol (CHAP)

• Considered a more secure procedure for connecting to a system than sending a password over the link

– User connects to a server; the server sends a random challenge message to the user's computer

– User's computer combines the challenge with the password using a one-way hash function (MD5 in the CHAP specification, RFC 1994) and sends the result back as the response; the password itself never crosses the link

– Server performs the same calculation with its own copy of the password and compares the result with the response; if the values match, authentication is acknowledged; otherwise, the connection is terminated
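The handshake described above, as an added example in Python that is not part of the original slides. It implements the RFC 1994 response calculation (MD5 over the identifier, the secret and the challenge) on both sides; the client name and secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed example: shared secrets known to both the client and the server,
# keyed by the client's CHAP name. (Names and secrets are assumptions.)
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-octet identifier, the secret
    and the challenge value. The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The authenticator. Remembers each outstanding challenge by identifier
    and forgets it once a response has been checked, so a captured response
    cannot be replayed against a later challenge."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}   # identifier -> challenge bytes

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)           # fresh random value each time
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


def chap_exchange(server, name, client_secret, identifier=1):
    """Run the three-way handshake from the client's point of view.
    Returns (success, response) so a caller can try replaying the response."""
    chal = server.challenge(identifier)                    # 1. server -> client: Challenge
    resp = chap_response(identifier, client_secret, chal)  # 2. client -> server: Response
    return server.verify(identifier, name, resp), resp     # 3. server: Success or Failure
```

Two caveats a practitioner should keep in mind: the server must store the secret in a form from which it can recompute the response, so the secret store needs protecting; and because MD5 is fast, anyone who sniffs a challenge/response pair can test password guesses offline, so CHAP is only as strong as the secret chosen.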

Mutual Authentication

• Two-way authentication (mutual authentication) can be used to combat identity attacks, such as man-in-the-middle and replay attacks

• The server authenticates the user through a password, token, or other means, and the user's computer in turn verifies the server's identity (for example, by checking the server's certificate) before trusting it with credentials or data

Multifactor Authentication

• Multifactor authentication: implementing two or more different types (factors) of authentication, such as a password (what you know) together with a token (what you have); two passwords are still a single factor

• Being strongly proposed to verify authentication of cell phone users who use their phones to purchase goods and services

Controlling Access to Computer Systems

• Restrictions to user access are stored in an access control list (ACL)

• An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)

Controlling Access to Computer Systems (continued)

• In Microsoft Windows, an ACL has one or more access control entries (ACEs); each ACE names a subject or group of subjects and the access rights it allows or denies, and an explicit deny entry takes precedence over an allow entry

• Inherited rights: rights a user obtains through membership in a group; Windows also uses the term inheritance for ACEs that a file receives from its parent folder

• Review pages 85 and 86 for basic folder and file permissions in a Windows Server 2003 system

Mandatory Access Control (MAC)

• The most restrictive model: the system assigns security labels to subjects and objects and decides every access, not the owner of the object

• The subject is not allowed to give access to another subject to use an object

Role Based Access Control (RBAC)

• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role

• Users and objects inherit all of the permissions for the role

Discretionary Access Control (DAC)

• Least restrictive model

• The owner of an object can grant or revoke other subjects' permissions on it

• Type of access most users associate with their personal computers
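The three models on the preceding slides side by side, as an added Python example that is not the textbook's code. The users, groups, roles and labels are constructed; the DAC part follows the Windows rule that an explicit deny beats an allow, and the MAC part uses the Bell-LaPadula read-down/write-up rules, one specific mandatory policy that the slide does not name.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"

# ---- DAC: a Windows-style ACL made of access control entries -------------------
@dataclass
class ACE:
    trustee: str            # user or group the entry applies to
    rights: frozenset       # rights covered by this entry
    allow: bool = True      # False = explicit deny


@dataclass
class ACLObject:
    owner: str
    aces: list = field(default_factory=list)


def dac_check(obj: ACLObject, user: str, groups: dict, right: str) -> bool:
    """Windows semantics: an explicit deny wins over any allow, and a right no
    entry mentions is denied. `groups` maps a user to the groups it belongs to."""
    subjects = {user} | set(groups.get(user, ()))
    allowed = False
    for ace in obj.aces:
        if ace.trustee in subjects and right in ace.rights:
            if not ace.allow:
                return False
            allowed = True
    return allowed


def dac_grant(obj: ACLObject, actor: str, trustee: str, rights) -> None:
    """Discretionary: only the object's owner may hand out permissions."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} is not the owner of this object")
    obj.aces.append(ACE(trustee, frozenset(rights)))


# ---- RBAC: permissions attach to roles, users are assigned to roles ------------
ROLE_PERMISSIONS = {
    "analyst": {("reports", READ)},
    "admin": {("reports", READ), ("reports", WRITE)},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"analyst"}}   # constructed assignments


def rbac_check(user: str, obj: str, right: str) -> bool:
    return any((obj, right) in ROLE_PERMISSIONS.get(role, ())
               for role in USER_ROLES.get(user, ()))


# ---- MAC: labels fixed by the system; here the Bell-LaPadula rules --------------
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


def mac_check(clearance: str, label: str, right: str) -> bool:
    """Read only at or below your clearance; write only at or above it, so a
    subject can never copy data to a lower label. No owner can grant exceptions."""
    s, o = LEVELS[clearance], LEVELS[label]
    if right == READ:
        return s >= o
    if right == WRITE:
        return s <= o
    return False
```

Note what each model leaves to whom: under DAC, `dac_grant` lets the owner widen access at will; under RBAC, changing a role changes every user holding it; under MAC, nothing in the code lets a user alter a label, which is exactly the restriction the MAC slide describes.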

Auditing Information Security Schemes

• Two ways to audit a security system

– Logging records which user performed a specific activity and when

– System scanning to check permissions assigned to a user or role; these results are compared to what is expected to detect any differences
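Both audit methods described above in one added Python example (not from the original slides): a baseline of expected permissions is compared against what a scan of the live system found, and each deviation is traced back to the log entry that records who made the change and when. The baseline, scan results and log lines are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed baseline: the permissions each object is expected to carry.
BASELINE = {
    "/finance/payroll.xlsx": {"alice": {"read", "write"}, "finance": {"read"}},
    "/finance/budget.xlsx":  {"alice": {"read", "write"}, "finance": {"read"}},
}

# Constructed scan result: what the live system actually reported.
ACTUAL = {
    "/finance/payroll.xlsx": {"alice": {"read", "write"}, "finance": {"read"},
                              "bob": {"read", "write"}},
    "/finance/budget.xlsx":  {"alice": {"read"}, "finance": {"read"}},
}


def scan_differences(expected, actual):
    """Return (object, subject, extra_rights, missing_rights) for every deviation
    from the baseline, in a stable order so reports can be diffed over time."""
    findings = []
    for obj in sorted(set(expected) | set(actual)):
        exp, act = expected.get(obj, {}), actual.get(obj, {})
        for subject in sorted(set(exp) | set(act)):
            extra = act.get(subject, set()) - exp.get(subject, set())
            missing = exp.get(subject, set()) - act.get(subject, set())
            if extra or missing:
                findings.append((obj, subject, frozenset(extra), frozenset(missing)))
    return findings


# Constructed audit log: timestamp, actor, action, subject:rights, object.
LOG = """\
2005-03-14 09:12:01 alice GRANT bob:read,write /finance/payroll.xlsx
2005-03-14 09:15:44 alice REVOKE alice:write /finance/budget.xlsx
2005-03-14 09:20:10 bob READ /finance/payroll.xlsx
"""
CHANGE_LINE = re.compile(r"^(\S+ \S+) (\S+) (GRANT|REVOKE) (\S+):(\S+) (\S+)$")


def explain(findings, log_text):
    """Match each permission deviation to the logged change that produced it,
    answering the audit question 'which user did this, and when'."""
    changes = []
    for line in log_text.splitlines():
        m = CHANGE_LINE.match(line)
        if m:                      # plain READ/WRITE events do not change permissions
            when, actor, action, subject, rights, obj = m.groups()
            changes.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            actor, action, subject, set(rights.split(",")), obj))
    report = {}
    for obj, subject, extra, missing in findings:
        for when, actor, action, subj, rights, o in changes:
            if o == obj and subj == subject and (
                    (action == "GRANT" and rights & extra)
                    or (action == "REVOKE" and rights & missing)):
                report[(obj, subject)] = f"{action} by {actor} at {when:%Y-%m-%d %H:%M:%S}"
    return report
```

A deviation with no matching log entry is itself a finding: either logging was off, or the change was made by a path the audit log does not cover.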

Summary

• Creating and maintaining a secure environment cannot be delegated to one or two employees in an organization

• Major tasks of securing information can be accomplished using a bottom-up approach, where security effort originates with low-level employees and moves up the organization chart to the CEO

• In a top-down approach, the effort starts at the highest levels of the organization and works its way down

Summary (continued)

• Basic principles for creating a secure environment: layering, limiting, diversity, obscurity, and simplicity

• Basic pillars of security:

– Authentication: verifying that a person requesting access to a system is who he claims to be

– Access control: regulating what a subject can do with an object

– Auditing: review of the security settings

Chapter 4: Security Baselines

Security+ Guide to Network Security Fundamentals

Second Edition

Objectives

• Disable nonessential systems

• Harden operating systems

• Harden applications

• Harden networks

Disabling Nonessential Systems

• First step in establishing a defense against computer attacks is to turn off all nonessential systems

• Early example: a background program (a terminate-and-stay-resident, or TSR, program on DOS) waits in the computer's random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P

• Then, the idling program springs to life

Disabling Nonessential Systems (continued)

• Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book

• In Microsoft Windows, a background program, such as Svchost.exe, is called a process

• The process provides a service to the operating system indicated by the service name, such as AppMgmt

Disabling Nonessential Systems (continued)

• Users can view the display name of a service, which gives a detailed description, such as Application Management

• A single process can provide multiple services

Disabling Nonessential Systems (continued)

• A service can be set to one of the following modes:

– Automatic

– Manual

– Disabled

• Besides preventing attackers from attaching malicious code to services, disabling nonessential services closes the network ports those services listen on, removing entry points into the system

Disabling Nonessential Systems (continued)

• The User Datagram Protocol (UDP) provides a connectionless transfer over TCP/IP, whereas TCP is connection-oriented

• TCP and UDP identify the sending and receiving applications by port numbers

• Socket: combination of an IP address and a port number

– The IP address is separated from the port number by a colon, as in 198.146.118.20:80

Hardening Operating Systems

• Hardening: process of reducing vulnerabilities

• A hardened system is configured and updated to protect against attacks

• Three broad categories of items should be hardened:

– Operating systems

– Applications that the operating system runs

– Networks

Hardening Operating Systems (continued)

• You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare

Applying Updates

• Operating systems are intended to be dynamic

• As users' needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis

• However, vendors release a new version of an operating system only every two to four years, so the fixes in between arrive as updates

• Vendors use certain terms to refer to the different types of updates (listed in Table 4-3 on page 109)

Applying Updates (continued)

• A service pack (a cumulative set of updates, including fixes for problems that have not been made available through individual updates) provides the broadest and most complete update

• A hotfix corrects a specific software problem, typically one reported by a customer, and does not usually address security issues

Applying Updates (continued)

• A patch or a software update fixes a security flaw or other problem

– May be released on a regular or irregular basis, depending on the vendor or support team

– A good patch management system includes the features listed on pages 111 and 112 of the text

Securing the File System

• Another means of hardening an operating system is to restrict user access

• Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

Securing the File System (continued)

• Microsoft Windows provides a centralized method of defining security through the Microsoft Management Console (MMC)

– A Windows utility that accepts additional components (snap-ins)

– After you organize security settings in a security template, you can import the template into a Group Policy object (GPO) and apply those settings to a group of computers

Securing the File System (continued)

• Group Policy settings: components of a user’s desktop environment that a network system administrator needs to manage

• Local Group Policy settings cannot override a global setting applied to all computers in the domain (a domain-based setting)

• Windows stores settings for the computer’s hardware and software in a database (the registry)

Hardening Applications

• Just as you must harden operating systems, you must also harden the applications that run on those systems

• Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system

Hardening Servers

• Harden servers to prevent attackers from breaking in through flaws in the server software

• Web server delivers text, graphics, animation, audio, and video to Internet users around the world

• Refer to the steps on page 115 to harden a Web server

Hardening Servers (continued)

• Mail server is used to send and receive electronic messages

• In a normal setting, a mail server serves an organization or set of users

• All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user

Hardening Servers (continued)

• In an open mail relay, a mail server accepts and forwards e-mail messages that were neither sent by nor intended for a local user; spammers seek out such servers to relay bulk mail through them

• File Transfer Protocol (FTP) server is used to store and access files through the Internet

– Typically used to accommodate users who want to download or upload files

Hardening Servers (continued)

• FTP servers can be set to accept anonymous logons using a window similar that shown in Figure 4-8

• A Domain Name Service (DNS) server resolves host names to IP addresses, which is what makes the Internet usable for ordinary users

– A secondary DNS server refreshes its copy of a zone by requesting all the host names and IP addresses of that zone from the primary server (zone transfer); if the server answers such requests from anyone, an attacker can obtain the same complete listing

Hardening Servers (continued)

• Host names, IP addresses, and other information obtained from a zone transfer give an attacker a map of the network that can be used in an attack

• USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services

• The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers

Hardening Servers (continued)

• Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers

• Hardening a print/file server involves the tasks listed on page 119 of the text

• A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)

• DHCP servers “lease” IP addresses to clients

Hardening Data Repositories

• Data repository: container that holds electronic information

• Two major data repositories: directory services and company databases

• Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources

Hardening Data Repositories (continued)

• Active Directory is the directory service for Windows domains

• Active Directory data is stored in a database (the NTDS.dit file) of which every domain controller holds a copy; the Security Accounts Manager (SAM) database holds only the local accounts of a computer that is not a domain controller

• In the older Windows NT domain model, the SAM was the domain database and the primary domain controller (PDC) housed it

Hardening Networks

• Two-fold process for keeping a network secure:

– Secure the network with necessary updates

– Properly configure it

Firmware Updates

• RAM is volatile: interrupting the power source causes RAM to lose its entire contents

• Read-only memory (ROM) is different from RAM in two ways:

– Contents of ROM are fixed

– ROM is nonvolatile: disabling the power source does not erase its contents

Firmware Updates (continued)

• Firmware is software stored in ROM, Erasable Programmable Read-Only Memory (EPROM), or Electrically Erasable Programmable Read-Only Memory (EEPROM)

• To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window

• The contents of EEPROM chips can instead be erased using electrical signals applied to specific pins, which is what lets a device's firmware be updated in place

Network Configuration

• You must properly configure network equipment to resist attacks

• The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network

Network Configuration (continued)

• Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)

• Rules are composed of several settings (listed on pages 122 and 123 of the text)

• Observe the basic guidelines on page 124 of the text when creating rules

Summary

• Establishing a security baseline creates a basis for information security

• Hardening the operating system involves applying the necessary updates to the software

• Securing the file system is another step in hardening a system

Summary (continued)

• Applications and operating systems must be hardened by installing the latest patches and updates

• Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks

Chapter 5: Securing the Network Infrastructure

Security+ Guide to Network Security Fundamentals

Second Edition

Objectives

• Work with the network cable plant

• Secure removable media

• Harden network devices

• Design network topologies

Working with the Network Cable Plant

• Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment

• Three types of transmission media:

– Coaxial cables

– Twisted-pair cables

– Fiber-optic cables

Coaxial Cables

• Coaxial cable was the main type of copper cabling used in computer networks for many years

• Has a single copper wire at its center surrounded by insulation and shielding

• Called "coaxial" because it houses two (co) axes or shafts: the copper wire and the shielding

• Thick coaxial cable has a copper wire in center surrounded by a thick layer of insulation that is covered with braided metal shielding

Coaxial Cables (continued)

• Thin coaxial cable looks similar to the cable that carries a cable TV signal

• A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself

• The copper mesh channel protects the core from interference

• BNC connectors: connectors used on the ends of a thin coaxial cable

Twisted-Pair Cables

• Standard for copper cabling used in computer networks today, replacing thin coaxial cable

• Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

Twisted-Pair Cables (continued)

• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference

• Unshielded twisted-pair (UTP) cables do not have any shielding

• Twisted-pair cables have RJ-45 connectors

Fiber-Optic Cables

• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal

• Fiber-optic cable uses a very thin cylinder of glass (the core) at its center instead of copper; the core carries light pulses rather than an electrical signal

• A glass tube (cladding) surrounds the core

• The core and cladding are protected by a jacket

Fiber-Optic Cables (continued)

• Classified by the diameter of the core and the diameter of the cladding

– Diameters are measured in microns, each is about 1/25,000 of an inch or one-millionth of a meter

• Two types:

– Single-mode fiber cables: used when data must be transmitted over long distances

– Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes

Securing the Cable Plant

• Securing cabling outside the protected network is not the primary security issue for most organizations

• Focus is on protecting access to the cable plant in the internal network

• An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will

Securing the Cable Plant (continued)

• The attacker can capture packets as they travel through the network by sniffing

– The hardware or software that performs such functions is called a sniffer

• Physical security – First line of defense

– Protects the equipment and infrastructure itself

– Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

Securing Removable Media

• Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks

• An employee copying data to a floppy disk or CD and carrying it home poses two risks:

– Storage media could be lost or stolen, compromising the information

– A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

Magnetic Media

• Record information by changing the magnetic direction of particles on a platter

• Floppy disks were some of the first magnetic media developed

• The capacity of today's 3 1/2-inch floppy disks is 1.44 MB

• Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information

• Magnetic tape drives record information in a serial fashion

Optical Media

• Optical media use a principle for recording information different from magnetic media

• A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero

• Capacity of optical discs varies by type

• A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data

• Data cannot be changed once recorded

Optical Media (continued)

• A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again

• A Digital Versatile Disc (DVD) can store much larger amounts of data

– DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc

Electronic Media

• Electronic media use flash memory for storage

– Flash memory is a solid state storage device: everything is electronic, with no moving or mechanical parts

• SmartMedia cards range in capacity from 2 MB to 128 MB

• The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

Electronic Media (continued)

• CompactFlash card

– Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell

– Come in 3.3 mm (Type I) and 5.5 mm (Type II) thicknesses and store between 8 MB and 192 MB of data

• USB memory stick is becoming very popular

– Can hold between 8 MB and 1 GB of memory

Keeping Removable Media Secure

• Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

Hardening Network Devices

• Each device that is connected to a network is a potential target of an attack and must be properly protected

• Network devices to be hardened categorized as:

– Standard network devices

– Communication devices

– Network security devices

Hardening Standard Network Devices

• A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router

• This equipment has basic security features that you can use to harden the devices

Workstations and Servers

• Workstation: personal computer attached to a network (also called a client)

– Connected to a LAN and shares resources with other workstations and network equipment

– Can be used independently of the network and can have their own applications installed

• Server: computer on a network dedicated to managing and controlling the network

• Basic steps to harden these systems are outlined on page 152

Switches and Routers

• Switch

– Most commonly used in Ethernet LANs

– Receives a packet from one network device and sends it to the destination device only

– Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)

• A switch is used within a single network

• Routers connect two or more single networks to form a larger network

Switches and Routers (continued)

• Switches and routers must also be protected against attacks

• Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite

• Software agents are loaded onto each network device to be managed

Switches and Routers (continued)

• Each agent collects status and traffic statistics for its device and stores that information in its management information base (MIB)

• A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs

• Page 154 lists defensive controls that can be set for switches and routers

Hardening Communication Devices

• A second category of network devices are those that communicate over longer distances

• Include:

– Modems

– Remote access servers

– Telecom/PBX Systems

– Mobile devices

Modems

• Most common communication device

• Broadband is increasing in popularity and can create network connection speeds of 1.5 Mbps and higher

• Two popular broadband technologies:

– Digital Subscriber Line (DSL) transmits data at 1.5 Mbps over regular telephone lines

– Another broadband technology uses the local cable television system

Modems (continued)

• A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home

• Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic

• Another risk with DSL and cable modem connections is that they are always on: broadband is charged at a set monthly rate, not by the minute of connect time, so the computer stays continuously reachable from the Internet

Remote Access Servers

• Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)

• Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

Remote Access Servers (continued)

• Remote access clients can run almost all network-based applications without modification

– Possible because remote access technology supports both drive letters and universal naming convention (UNC) names

• Minimum security features are listed on page 158

Telecom/PBX Systems

• Term used to describe a Private Branch eXchange

• The definition of a PBX comes from the words that make up its name:

– Private

– Branch

– eXchange

Mobile Devices

• As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers

• Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection

Hardening Network Security Devices

• The final category of network devices includes those designed and used strictly to protect the network

• Include:

– Firewalls

– Intrusion-detection systems

– Network monitoring and diagnostic devices

Firewalls

• Typically used to filter packets

• Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)

• Typically located at the network security perimeter, between the internal network and the Internet, as the first line of defense

• Can be software or hardware configurations

Firewalls (continued)

• Software firewall runs as a program on a local computer (sometimes known as a personal firewall)

– Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer

– One disadvantage is that it is only as strong as the operating system of the computer

Firewalls (continued)

• Filter packets in one of two ways:

– Stateless packet filtering: permits or denies each packet based strictly on the rule base, with no memory of earlier packets

– Stateful packet filtering: records the state of each connection between an internal computer and an external server; makes decisions based on the connection and the rule base, so replies to a permitted outbound connection can be admitted without a rule of their own

• Can perform content filtering to block access to undesirable Web sites
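An added Python example, not from the textbook, of the two filtering methods just listed; it also illustrates the rule base introduced in the Chapter 4 slides on network configuration. The rule base and addresses are constructed; first match wins and the final rule denies everything else, the conventional layout for such rule bases.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR network; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


# Constructed rule base for a perimeter device: internal hosts may browse the Web
# and query DNS; the last rule denies everything the earlier rules did not permit.
RULES = [
    Rule("permit", proto="tcp", src="192.168.1.0/24", dport=80),
    Rule("permit", proto="udp", src="192.168.1.0/24", dport=53),
    Rule("deny"),
]


def stateless_filter(rules, p: Packet) -> bool:
    """Stateless: every packet is judged on the rule base alone, first match wins."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False            # implicit deny if no rule matched


class StatefulFilter:
    """Stateful: remembers connections the rule base permitted, so the reply
    packets of those connections are allowed without a rule of their own."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()     # (src, sport, dst, dport, proto)

    def allow(self, p: Packet) -> bool:
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.connections:
            return True              # reply to a connection opened from inside
        if stateless_filter(self.rules, p):
            self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        return False
```

With the stateless filter, the Web server's reply is dropped because no rule permits inbound traffic to the client's port; to admit replies statelessly the rule base would have to permit any inbound packet with source port 80, which an attacker can set at will. The stateful filter admits the reply only because it recorded the outbound connection first, and still drops an unsolicited packet from the same server.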

Firewalls (continued)

• An application layer firewall can defend against worms better than other kinds of firewalls

– Reassembles and analyzes packet streams instead of examining individual packets

Intrusion-Detection Systems (IDSs)

• Devices or software that watch network or host activity for signs of an attack and report or react to it

• Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source

– Installed on the server or, in some instances, on all computers on the network

• Passive IDS sends information about what happened, but does not take action

Intrusion-Detection Systems (IDSs) (continued)

• Host-based IDS monitors critical operating system files and computer’s processor activity and memory; scans event logs for signs of suspicious activity

• Network-based IDS monitors all network traffic instead of only the activity on a computer

– Typically located just behind the firewall

• Other IDS systems are based on behavior:

– Watch network activity and report abnormal behavior

– Result in many false alarms
Network Monitoring and Diagnostic Devices

• SNMP enables network administrators to:

– Monitor network performance

– Find and solve network problems

– Plan for network growth

• Managed device:

– Network device that contains an SNMP agent

– Collects and stores management information and makes it available to SNMP

Designing Network Topologies

• Topology: physical layout of the network devices, how they are interconnected, and how they communicate

• Essential to establishing its security

• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

Security Zones

• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:

– Demilitarized Zones (DMZs)

– Intranets

– Extranets

Demilitarized Zones (DMZs)

• Separate networks that sit outside the secure network perimeter

• Outside users can access the DMZ, but cannot enter the secure network

• For extra security, some networks use a DMZ with two firewalls

• The types of servers that should be located in the DMZ include:

– Web servers

– E-mail servers

– Remote access servers

– FTP servers

Intranets

• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users

• Disadvantage is that it does not allow remote trusted users access to information

Extranets

• Sometimes called a cross between the Internet and an intranet

• Accessible not only to trusted internal users but also to trusted external users

• Not accessible to the general public, but allows vendors and business partners to access a company Web site

Network Address Translation (NAT)

• “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems

• Hides the IP addresses of network devices from attackers

• Computers are assigned special IP addresses (known as private addresses)

Network Address Translation (NAT) (continued)

• These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network

• Port address translation (PAT) is a variation of NAT

• Each packet is given the same IP address, but a different TCP port number
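The NAT/PAT behaviour described on these two slides, as an added example (not code from the textbook): a translation table that sends every outbound flow from a private address out with the same public IP but a distinct port, maps replies back, and drops anything that no inside host asked for. The public address, the private hosts and the port range are constructed.

```python
# Added example: a minimal port address translation (PAT) table.
import ipaddress

PUBLIC_IP = "203.0.113.1"  # constructed example address

# RFC 1918 private ranges: not assigned to anyone, usable on any internal network
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True when ip falls in one of the private address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class PatTable:
    def __init__(self, first_port=10000):
        self.next_port = first_port
        self.out_map = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}   # public port -> (priv_ip, priv_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source to (PUBLIC_IP, public port)."""
        if not is_private(src_ip):
            raise ValueError("only private-address sources are translated")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:          # new flow: allocate the next port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = (src_ip, src_port)
        return PUBLIC_IP, self.out_map[key]

    def translate_in(self, public_port):
        """Map a reply back to the inside host; unknown ports have no
        destination and are dropped, which is why an outsider cannot
        address the hidden hosts directly."""
        return self.in_map.get(public_port)


def demo():
    pat = PatTable()
    # Two inside hosts happen to use the same source port; PAT still keeps
    # their flows apart by giving each a different public port.
    a = pat.translate_out("192.168.1.10", 51000, "198.51.100.5", 80)
    b = pat.translate_out("192.168.1.11", 51000, "198.51.100.5", 80)
    again = pat.translate_out("192.168.1.10", 51000, "198.51.100.5", 80)
    return {
        "a": a,
        "b": b,
        "again": again,
        "reply_to_b": pat.translate_in(b[1]),
        "unsolicited": pat.translate_in(20000),
    }
```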

Honeypots

• Computers located in a DMZ loaded with software and data files that appear to be authentic

• Intended to trap or trick attackers

• Two-fold purpose:

– To direct attacker’s attention away from real servers on the network

– To examine techniques used by attackers

Virtual LANs (VLANs)

• Segment a network with switches to divide the network into a hierarchy

• Core switches reside at the top of the hierarchy and carry traffic between switches

• Workgroup switches are connected directly to the devices on the network

• Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Virtual LANs (VLANs) (continued)

• Segment a network by grouping similar users together

• Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

Summary

• Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)

• Removable media used to store information include:

– Magnetic storage (removable disks, hard drives)

– Optical storage (CD and DVD)

– Electronic storage (USB memory sticks, FlashCards)

Summary (continued)

• Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers

• A network’s topology plays a critical role in resisting attackers

• Hiding the IP address of a network device can help disguise it so that an attacker cannot find it

Chapter 6: Web Security

Security+ Guide to Network Security Fundamentals

Second Edition

Objectives

• Protect e-mail systems

• List World Wide Web vulnerabilities

• Secure Web communications

• Secure instant messaging

Protecting E-Mail Systems

• E-mail has replaced the fax machine as the primary communication tool for businesses

• Has also become a prime target of attackers and must be protected

How E-Mail Works

• Use two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages

– Simple Mail Transfer Protocol (SMTP) handles outgoing mail

– Post Office Protocol (POP3 for the current version) handles incoming mail

• The SMTP server on most machines uses sendmail to do the actual sending; outgoing messages wait in a queue called the sendmail queue

How E-Mail Works (continued)

• Sendmail tries to resend queued messages periodically (about every 15 minutes)

• Downloaded messages are erased from POP3 server

• Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers

• Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems

– E-mail remains on the e-mail server

How E-Mail Works (continued)

• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)

• Non-text documents must be converted into text format before being transmitted

• Three bytes from the binary file are extracted and converted to four text characters
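The three-bytes-to-four-characters conversion just described is Base64, the encoding MIME uses for binary attachments. The following is an added example, not code from the textbook: it writes the conversion out by hand, decodes it again, and checks the result against Python's standard library; the sample bytes are constructed.

```python
# Added example: the 3-byte -> 4-character attachment encoding (Base64).
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_base64(data):
    """Turn every 3 bytes (24 bits) into 4 six-bit text characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                      # 0, 1 or 2 bytes short at the end
        n = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        chars = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # slices that no real input bits contributed to become '=' padding
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def decode_base64(text):
    """Reverse the mapping: 4 characters back to 3 bytes, minus padding."""
    decoded = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        n = 0
        for c in group:
            n = (n << 6) | (0 if c == "=" else ALPHABET.index(c))
        decoded += n.to_bytes(3, "big")[:3 - pad]
    return bytes(decoded)


def demo():
    sample = b"\x89PNG\r\n\x1a\n"   # constructed input: the 8-byte PNG signature
    encoded = encode_base64(sample)
    return {
        "encoded": encoded,
        "matches_stdlib": encoded == base64.b64encode(sample).decode("ascii"),
        "roundtrip": decode_base64(encoded) == sample,
        # text output is a third longer than the binary input (8 bytes -> 12 chars)
        "growth": (len(encoded), len(sample)),
    }
```

Because the encoding is reversible and not secret, it hides nothing: an attachment scanner must decode it before it can inspect the file inside.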

E-Mail Vulnerabilities

• Several e-mail vulnerabilities can be exploited by attackers:

– Malware

– Spam

– Hoaxes

Malware

• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware

• E-mail is the malware transport mechanism of choice for two reasons:

– Because almost all Internet users have e-mail, it has the broadest base for attacks

– Malware can use e-mail to propagate itself

Malware (continued)

• A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages

• E-mail clients can be particularly susceptible to macro viruses

– A macro is a script that records the steps a user performs

– A macro virus uses macros to carry out malicious functions

Malware (continued)

• Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection

– E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif

• Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail

• Procedures including turning off ports and eliminating open mail relay servers must be developed and enforced

Spam

• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge

• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)

• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam

• Spam is having a negative impact on e-mail users:

– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail

– 52% of users indicate spam has made them less trusting of e-mail in general

– 70% of users say spam has made being online unpleasant or annoying

Spam (continued)

• Filter e-mails at the edge of the network to prevent spam from entering the SMTP server

• Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses

• Sophisticated e-mail filters can use Bayesian filtering

– User divides e-mail messages received into two piles, spam and not-spam
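Bayesian filtering as an added example, not code from the textbook: the filter is trained on the two piles the user sorts (spam and not-spam), then scores a new message by combining the evidence of each word with Bayes' rule. The training messages are constructed for the example.

```python
# Added example: a naive Bayes spam filter trained on user-sorted piles.
import math
import re
from collections import Counter


def tokens(text):
    """Lower-cased distinct words; presence, not count, is the evidence."""
    return set(re.findall(r"[a-z0-9$]+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # messages containing each word
        self.n_msgs = {"spam": 0, "ham": 0}

    def train(self, label, text):
        """Add one message to the 'spam' or 'ham' (not-spam) pile."""
        self.n_msgs[label] += 1
        self.counts[label].update(tokens(text))

    def spam_probability(self, text):
        """P(spam | words) from Bayes' rule, accumulated as log odds so that
        many small probabilities do not underflow. Laplace smoothing (+1/+2)
        keeps a never-seen word from forcing the result to 0 or 1."""
        log_odds = math.log(self.n_msgs["spam"] / self.n_msgs["ham"])  # prior
        for w in tokens(text):
            p_w_spam = (self.counts["spam"][w] + 1) / (self.n_msgs["spam"] + 2)
            p_w_ham = (self.counts["ham"][w] + 1) / (self.n_msgs["ham"] + 2)
            log_odds += math.log(p_w_spam / p_w_ham)
        return 1 / (1 + math.exp(-log_odds))


def build_demo_filter():
    """Constructed training piles: three spam and three legitimate messages."""
    f = BayesFilter()
    for msg in ["win a free prize now",
                "free money claim your prize",
                "cheap meds free shipping"]:
        f.train("spam", msg)
    for msg in ["meeting moved to 3pm",
                "please review the attached report",
                "lunch tomorrow?"]:
        f.train("ham", msg)
    return f
```

With equal-sized piles the prior is even, so a message of words never seen in either pile scores exactly 0.5; the filter only becomes decisive as the user keeps sorting.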

Hoaxes

• E-mail messages that contain false warnings or fraudulent offerings

• Unlike spam, are almost impossible to filter

• Defense against hoaxes is to ignore them

Hoaxes (continued)

• Any e-mail message that appears as though it could not be true probably is not

• E-mail phishing is also a growing practice

• A message that falsely identifies the sender as someone else is sent to unsuspecting recipients

E-Mail Encryption

• Two technologies used to protect e-mail messages as they are being transported:

– Secure/Multipurpose Internet Mail Extensions

– Pretty Good Privacy

Secure/Multipurpose Internet Mail Extensions (S/MIME)

• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages

• Provides these features:

– Digital signatures

– Message privacy

– Tamper detection

– Interoperability

– Seamless integration

Pretty Good Privacy (PGP)

• Functions much like S/MIME by encrypting messages using digital signatures

• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents

• First compresses the message

– Reduces patterns and enhances resistance to cryptanalysis

• Creates a session key (a one-time-only secret key)

– This key is a number generated from random movements of the mouse and keystrokes typed

Pretty Good Privacy (PGP) (continued)

• Uses a passphrase to encrypt the private key on the local computer

• Passphrase:

– A longer and more secure version of a password

– Typically composed of multiple words

– More secure against dictionary attacks

Examining World Wide Web Vulnerabilities

• Buffer overflow attacks are common ways to gain unauthorized access to Web servers

• SMTP relay attacks allow spammers to send thousands of e-mail messages to users

• Web programming tools provide another foothold for Web attacks

• Dynamic content can also be used by attackers

– Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)

JavaScript

• Popular technology used to make dynamic content

• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer

• The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter

JavaScript (continued)

• Several defense mechanisms prevent JavaScript programs from causing serious harm:

– JavaScript does not support certain capabilities

– JavaScript has no networking capabilities

• Other security concerns remain:

– JavaScript programs can capture and send user information without the user’s knowledge or authorization

– JavaScript security is handled by restrictions within the Web browser

Java Applet

• A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code

• Can also be made into hostile programs

• Sandbox is a defense against a hostile Java applet

– Surrounds program and keeps it away from private data and other resources on a local computer

• Java applet programs should run within a sandbox

Java Applet (continued)

• Two types of Java applets:

– Unsigned Java applet: program that does not come from a trusted source

– Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered

• The primary defense against Java applets is using the appropriate settings of the Web browser

ActiveX

• Set of technologies developed by Microsoft

• Outgrowth of two other Microsoft technologies:

– Object Linking and Embedding (OLE)

– Component Object Model (COM)

• Not a programming language but a set of rules for how applications should share information

ActiveX (continued)

• ActiveX controls represent a specific way of implementing ActiveX

– Can perform many of the same functions of a Java applet, but do not run in a sandbox

– Have full access to Windows operating system

• ActiveX controls are managed through Internet Explorer

• ActiveX controls should be set to most restricted levels

Cookies

• Computer files that contain user-specific information

• Need for cookies is based on Hypertext Transfer Protocol (HTTP)

• Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer

• Attackers often target cookies because they can contain sensitive information (usernames and other private information)

Cookies (continued)

• Can be used to determine which Web sites you view

• First-party cookie is created from the Web site you are currently viewing

• Some Web sites attempt to access cookies they did not create

– If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive

– Now known as a third-party cookie because it was not created by the Web site that attempts to access the cookie

Common Gateway Interface (CGI)

• Set of rules that describes how a Web server communicates with other software on the server and vice versa

• Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database

Common Gateway Interface (CGI) (continued)

• CGI scripts create security risks

– Do not filter user input properly

– Can issue commands via Web URLs

• CGI security can be enhanced by:

– Properly configuring CGI

– Disabling unnecessary CGI scripts or programs

– Checking program code that uses CGI for any vulnerabilities
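The two CGI risks listed above (unfiltered user input, commands issued via a URL) and the "check the program code" remedy, as an added example that is not code from the textbook: `lookup_unsafe` hands a query-string parameter to a shell, while `lookup_safe` validates it against an allowlist and never starts a shell. The `host=` parameter and the `host` lookup command are assumed for illustration.

```python
# Added example: a CGI handler in its risky and its hardened form.
import re
import subprocess
from urllib.parse import parse_qs

# Allowlist for a hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_unsafe(query_string):
    """Risky pattern, shown only for comparison: the raw parameter is spliced
    into a command line that /bin/sh interprets, so shell metacharacters in
    the URL change what runs on the server."""
    host = parse_qs(query_string).get("host", [""])[0]
    return subprocess.run("host " + host, shell=True,
                          capture_output=True, text=True).stdout


def validate_host(value):
    """Return the value only if it looks like a hostname; otherwise None."""
    if value and HOSTNAME_RE.fullmatch(value) and ".." not in value:
        return value
    return None


def lookup_safe(query_string):
    """Hardened form: validate first, then pass an argument list (no shell),
    so whatever survives validation is handed to the program literally."""
    host = validate_host(parse_qs(query_string).get("host", [""])[0])
    if host is None:
        return "400 Bad Request: invalid host parameter"
    result = subprocess.run(["host", host], capture_output=True, text=True)
    return result.stdout
```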

8.3 Naming Conventions

• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)

• Called the 8.3 naming convention

• Recent versions of Windows allow filenames to contain up to 256 characters

• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename

8.3 Naming Conventions (continued)

• The 8.3 naming convention introduces a security vulnerability with some Web servers

– Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename

• Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database

– In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories

Securing Web Communications

• Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol

• One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

• SSL protocol developed by Netscape to securely transmit documents over the Internet

– Uses private key to encrypt data transferred over the SSL connection

– Version 2.0 is most widely supported version

– Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

• TLS protocol guarantees privacy and data integrity between applications communicating over the Internet

– An extension of SSL; they are often referred to as SSL/TLS

• SSL/TLS protocol is made up of two layers

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

• TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted

• FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture

– Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)

• One common use of SSL is to secure Web HTTP communication between a browser and a Web server

– This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL

• Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it

• Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Securing Instant Messaging

• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account

• Instant messaging (IM) is a complement to e-mail that overcomes this delay

– Allows sender to enter short messages that the recipient sees and can respond to immediately

Securing Instant Messaging (continued)

• Some tasks that you can perform with IM:

– Chat

– Images

– Sounds

– Files

– Talk

– Streaming content

Securing Instant Messaging (continued)

• Steps to secure IM include:

– Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers

– Enable IM virus scanning

– Block all IM file transfers

– Encrypt messages

Summary

• Protecting basic communication systems is a key to resisting attacks

• E-mail attacks can be malware, spam, or hoaxes

• Web vulnerabilities can open systems up to a variety of attacks

• A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code

Summary (continued)

• ActiveX controls present serious security concerns because of the functions that a control can execute

• A cookie is a computer file that contains user-specific information

• CGI is a set of rules that describe how a Web server communicates with other software on the server

• The popularity of IM has made this a tool that many organizations are now using with e-mail

Chapter 7: Protecting Advanced Communications

Security+ Guide to Network Security Fundamentals

Second Edition

Objectives

• Harden File Transfer Protocol (FTP)

• Secure remote access

• Protect directory services

• Secure digital cellular telephony

• Harden wireless local area networks (WLAN)

Hardening File Transfer Protocol (FTP)

• Three ways to work with FTP:

– Web browser

– FTP client

– Command line

• FTP servers can be configured to allow unauthenticated users to transfer files (called anonymous FTP or blind FTP)

Hardening File Transfer Protocol (FTP) (continued)

• Vulnerabilities associated with using FTP

– FTP does not use encryption

– Files being transferred by FTP are vulnerable to man-in-the-middle attacks

• Use secure FTP to reduce risk of attack

– Secure FTP is a term used by vendors to describe encrypting FTP transmissions

• Most secure FTP products use Secure Sockets Layer (SSL) to perform the encryption

Hardening File Transfer Protocol (FTP) (continued)

• FTP active mode

– Client connects from any random port >1,024 (PORT N) to FTP server’s command port, port 21 (Step 1)

– Client starts listening to PORT N+1 and sends the FTP command PORT N+1 to the FTP server

• FTP passive mode

– Client initiates both connections to server

– When opening an FTP connection, client opens two local random unprivileged ports >1,024

Secure Remote Access

• Windows NT includes User Manager to allow dial-in access, while Windows 2003 uses Computer Management for Workgroup access and Active Directory for configuring access to the domain

• Windows 2003 Remote Access Policies can lock down a remote access system to ensure that only those intended to have access are actually granted it

Tunneling Protocols

• Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation

Point-to-Point Tunneling Protocol (PPTP)

• Most widely deployed tunneling protocol

• Connection is based on the Point-to-Point Protocol (PPP), widely used protocol for establishing connections over a serial line or dial-up connection between two points

• Client connects to a network access server (NAS) to initiate connection

• Extension to PPTP is Link Control Protocol (LCP), which establishes, configures, and tests the connection

Layer 2 Tunneling Protocol (L2TP)

• Represents a merging of features of PPTP with Cisco’s Layer 2 Forwarding Protocol (L2F), which itself was originally designed to address some of the weaknesses of PPTP

• Unlike PPTP, which is primarily implemented as software on a client computer, L2TP can also be found on devices such as routers

Authentication Technologies

• Authenticating a transmission to ensure that it comes from an approved sender can provide an increased level of security for remote access users

IEEE 802.1x

• Based on a standard established by the Institute for Electrical and Electronic Engineers (IEEE)

• Gaining widespread popularity

• Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs)

• Uses port-based authentication mechanisms

– Switch denies access to anyone other than an authorized user attempting to connect to the network through that port

IEEE 802.1x (continued)

• Network supporting the 802.1x protocol consists of three elements:

– Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access

– Authenticator: serves as an intermediary device between supplicant and authentication server

– Authentication server: receives request from supplicant through authenticator

IEEE 802.1x (continued)

• Several variations of the Extensible Authentication Protocol (EAP) can be used with 802.1x:

– EAP-Transport Layer Security (EAP-TLS)

– Lightweight EAP (LEAP)

– EAP-Tunneled TLS (EAP-TTLS)

– Protected EAP (PEAP)

– Flexible Authentication via Secure Tunneling (FAST)

Remote Authentication Dial-In User Service (RADIUS)

• Originally defined to enable centralized authentication and access control for PPP sessions

• Requests are forwarded to a single RADIUS server

• Supports authentication, authorization, and auditing functions

• After connection is made, RADIUS server adds an accounting record to its log and acknowledges the request

• Allows company to maintain user profiles in a central database that all remote servers can share

Terminal Access Controller Access Control System (TACACS+)

• Industry standard protocol specification that forwards username and password information to a centralized server

• Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not

Secure Transmission Protocols

• PPTP and L2TP provide a secure mechanism for preventing eavesdroppers from viewing transmissions

Secure Shell (SSH)

• One of the primary goals of the ARPANET (which became today’s Internet) was remote access

• SSH is a UNIX-based command interface and protocol for securely accessing a remote computer

• Suite of three utilities—slogin, ssh, and scp

• Can protect against:

– IP spoofing

– DNS spoofing

– Intercepting information

IP Security (IPSec)

• Different security tools function at different layers of the Open System Interconnection (OSI) model

• Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) operate at the Application layer

• Kerberos functions at the Session layer

IP Security (IPSec) (continued)

• IPSec is a set of protocols developed to support the secure exchange of packets

• Considered to be a transparent security protocol

• Transparent to applications, users, and software

• Provides three areas of protection that correspond to three IPSec protocols:

– Authentication

– Confidentiality

– Key management

IP Security (IPSec) (continued)

• Supports two encryption modes:

– Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header unencrypted

– Tunnel mode encrypts both the header and the data portion

• IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet

• The entire original packet is then treated as the data portion of the new packet
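Transport versus tunnel mode as an added example, not code from the textbook: it shows what an eavesdropper on the path can still read in each mode and how tunnel mode wraps the whole original packet (header included) inside a new one. The packet format is a toy, the keystream derived with HMAC-SHA256 is a stand-in for ESP's real cipher, and the key and addresses are constructed.

```python
# Added example: IPsec transport mode vs tunnel mode on a toy packet format.
import hashlib
import hmac
import json

KEY = b"example-shared-secret"  # constructed; IPsec gets this from key management


def keystream(key, nonce, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode. Never reuse a nonce
    with the same key, as any XOR keystream leaks on reuse."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encrypt(key, nonce, plaintext):
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


esp_decrypt = esp_encrypt  # XOR with the same keystream undoes it


def ip_packet(src, dst, payload):
    """Toy packet: a cleartext header plus opaque payload bytes."""
    return {"header": {"src": src, "dst": dst}, "payload": payload}


def transport_mode(packet, key, nonce):
    # The original header stays in the clear; only the payload is protected.
    return {"header": packet["header"], "esp": esp_encrypt(key, nonce, packet["payload"])}


def tunnel_mode(packet, key, nonce, gw_src, gw_dst):
    # The entire original packet (header + payload) becomes the data portion,
    # and a new header between the two gateways is added in front of it.
    inner = json.dumps({"header": packet["header"],
                        "payload": packet["payload"].hex()}).encode()
    return {"header": {"src": gw_src, "dst": gw_dst}, "esp": esp_encrypt(key, nonce, inner)}


def tunnel_decapsulate(wire_packet, key, nonce):
    """The receiving gateway strips the outer header and decrypts the inner packet."""
    inner = json.loads(esp_decrypt(key, nonce, wire_packet["esp"]))
    return ip_packet(inner["header"]["src"], inner["header"]["dst"],
                     bytes.fromhex(inner["payload"]))


def eavesdropper_view(wire_packet):
    """What a sniffer on the path learns: only the cleartext header."""
    return wire_packet["header"]


def demo():
    original = ip_packet("10.1.0.5", "10.2.0.9", b"GET /payroll HTTP/1.0")
    t = transport_mode(original, KEY, b"\x00" * 7 + b"\x01")
    u = tunnel_mode(original, KEY, b"\x00" * 7 + b"\x02", "203.0.113.1", "198.51.100.1")
    return {
        "transport_seen": eavesdropper_view(t),   # real endpoints still visible
        "tunnel_seen": eavesdropper_view(u),      # only the gateways are visible
        "tunnel_roundtrip": tunnel_decapsulate(u, KEY, b"\x00" * 7 + b"\x02") == original,
        "payload_hidden": b"payroll" not in t["esp"],
    }
```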

IP Security (IPSec) (continued)

• Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms:

– AH in transport mode

– AH in tunnel mode

– ESP in transport mode

– ESP in tunnel mode


Virtual Private Networks (VPNs)

• Takes advantage of using the public Internet as if it were a private network

• Allows the public Internet to be used privately

• Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network

Virtual Private Networks (VPNs) (continued)

• Two common types of VPNs include:

– Remote-access VPN or virtual private dial-up network (VPDN): user-to-LAN connection used by remote users

– Site-to-site VPN: multiple sites can connect to other sites over the Internet

• VPN transmissions are achieved through communicating with endpoints

– An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall

Protecting Directory Services

• A directory service is a database stored on the network itself and contains all information about users and network devices

• A directory service contains information such as the user’s name, telephone extension, e-mail address, and logon name

• The International Standards Organization (ISO) created a standard for directory services known as X.500

Protecting Directory Services (continued)

• Purpose of X.500 was to standardize how data was stored so any computer system could access these directories

• Information is held in a directory information base (DIB)

• Entries in the DIB are arranged in a directory information tree (DIT)


Protecting Directory Services (continued)

• The X.500 standard defines a protocol for a client application to access the X.500 directory called the Directory Access Protocol (DAP)

• The DAP is too large to run on a personal computer

• The Lightweight Directory Access Protocol (LDAP), or X.500 Lite, is a simpler subset of DAP

Securing Digital Cellular Telephony

• The early use of wireless cellular technology is known as First Generation (1G)

• 1G is characterized by analog radio frequency (RF) signals transmitting at a top speed of 9.6 Kbps

• 1G networks use circuit-switching technology

• Digital cellular technology, which started in the early 1990s, uses digital instead of analog transmissions

• Digital cellular uses packet switching instead of circuit-switching technology


Wireless Application Protocol (WAP)

• Provides standard way to transmit, format, and display Internet data for devices such as cell phones

• A WAP cell phone runs a microbrowser that uses Wireless Markup Language (WML) instead of HTML

– WML is designed to display text-based Web content on the small screen of a cell phone

– Because the Internet standard is HTML, a WAP Gateway (or WAP Proxy) must translate between WML and HTML


Wireless Transport Layer Security (WTLS)

• Security layer of the WAP

• Provides privacy, data integrity, and authentication for WAP services

• Designed specifically for wireless cellular telephony

• Based on the TLS security layer used on the Internet

• Replaced by TLS in WAP 2.0

Hardening Wireless Local Area Networks (WLAN)

• By 2007, >98% of all notebooks will be wireless-enabled

• Serious security vulnerabilities have also been created by wireless data technology:

– Unauthorized users can access the wireless signal from outside a building and connect to the network

– Attackers can capture and view transmitted data

– Employees in the office can install personal wireless equipment and defeat perimeter security measures

– Attackers can crack wireless security with kiddie scripts

IEEE 802.11 Standards

• A WLAN shares the same characteristics as a standard data-based LAN, with the exception that network devices do not use cables to connect to the network

• RF is used to send and receive packets

• Sometimes called Wi-Fi for Wireless Fidelity, network devices can transmit 11 to 108 Mbps at a range of 150 to 375 feet

• 802.11a has a maximum rated speed of 54 Mbps and also supports 48, 36, 24, 18, 12, 9, and 6 Mbps transmissions at 5 GHz

IEEE 802.11 Standards (continued)

• In September 1999, the 802.11b High Rate amendment was added to the 802.11 standard

• 802.11b added two higher speeds, 5.5 and 11 Mbps

• With faster data rates, 802.11b quickly became the standard for WLANs

• At the same time, the 802.11a standard was released

WLAN Components

• Each network device must have a wireless network interface card installed

• Wireless NICs are available in a variety of formats:

– Type II PC card

– Mini PCI

– CompactFlash (CF) card

– USB device

– USB stick

WLAN Components (continued)

• An access point (AP) consists of three major parts:

– An antenna and a radio transmitter/receiver to send and receive signals

– An RJ-45 wired network interface that allows it to connect by cable to a standard wired network

– Special bridging software


Basic WLAN Security

• Two areas:

– Basic WLAN security

– Enterprise WLAN security

• Basic WLAN security uses two new wireless tools and one tool from the wired world:

– Service Set Identifier (SSID) beaconing

– MAC address filtering

– Wired Equivalent Privacy (WEP)


Service Set Identifier (SSID) Beaconing

• A service set is a technical term used to describe a WLAN network

• Three types of service sets:

– Independent Basic Service Set (IBSS)

– Basic Service Set (BSS)

– Extended Service Set (ESS)

• Each WLAN is given a unique SSID


MAC Address Filtering

• Another way to harden a WLAN is to filter MAC addresses

• The MAC address of approved wireless devices is entered on the AP

• A MAC address can be spoofed

• When wireless device and AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device


Wired Equivalent Privacy (WEP)

• Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents

• Uses shared keys: the same key for encryption and decryption must be installed on the AP, as well as on each wireless device

• A serious vulnerability in WEP is that the IV is not properly implemented

• Every time a packet is encrypted it should be given a unique IV
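The IV rule on this slide, shown with working stream-cipher code: an added Python example, not from the textbook, that writes out RC4 and models WEP-style keying (the 24-bit IV prepended to the shared key). The key bytes and captured frames are constructed; the last function is the kind of check a wireless monitor runs to flag repeated IVs.

```python
"""Constructed demo of why every WEP frame needs a unique IV.
RC4 is written out in full; WEP-style keying (IV || shared key) is modelled here,
not copied from any driver or access point implementation."""
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR the data with the keystream (the same call decrypts)."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV followed by the shared key and sends the
    IV in the clear, so the keystream depends only on (IV, shared key)."""
    return rc4_crypt(iv + shared_key, plaintext)


def keystream_reuse_leaks(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share one keystream, which cancels out:
    c1 XOR c2 == p1 XOR p2. Returns True when that relation holds, i.e. when
    the ciphertexts alone reveal the XOR of the two plaintexts."""
    c1 = wep_style_encrypt(shared_key, iv, p1)
    c2 = wep_style_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def find_iv_reuse(frames):
    """Monitoring check over (iv, ciphertext) pairs: IVs seen more than once.
    The 24-bit IV space (about 16.7 million values) is exhausted quickly on a
    busy network, so repeats are expected unless the key is changed."""
    counts = Counter(iv for iv, _ in frames)
    return sorted(iv.hex() for iv, n in counts.items() if n > 1)


# Constructed sample capture: three frames, one IV used twice under the same key
SHARED_KEY = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
SAMPLE_FRAMES = [
    (b"\x00\x00\x01", wep_style_encrypt(SHARED_KEY, b"\x00\x00\x01", b"GET /index.html")),
    (b"\x00\x00\x02", wep_style_encrypt(SHARED_KEY, b"\x00\x00\x02", b"GET /login.html")),
    (b"\x00\x00\x01", wep_style_encrypt(SHARED_KEY, b"\x00\x00\x01", b"POST /login.htm")),
]
```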


Untrusted Network

• The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use

• One approach to securing a WLAN is to treat it as an untrusted and unsecure network

• Requires that the WLAN be placed outside the secure perimeter of the trusted network


Trusted Network

• It is still possible to provide security for a WLAN and treat it as a trusted network

• Wi-Fi Protected Access (WPA) was crafted by the WECA in 2002 as an interim solution until a permanent wireless security standard could be implemented

• Has two components:

– WPA encryption

– WPA access control


Trusted Network (continued)

• WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP)

• TKIP mixes keys on a per-packet basis to improve security

• Although WPA provides enhanced security, the IEEE 802.11i solution is even more secure

• 802.11i is expected to be released sometime in 2004

Summary

• The FTP protocol has several security vulnerabilities: it does not natively use encryption and is vulnerable to man-in-the-middle attacks

• FTP can be hardened by using secure FTP (which encrypts using SSL)

• Protecting remote access transmissions is particularly important in today’s environment as more users turn to the Internet as the infrastructure for accessing protected information


Summary (continued)

• Authenticating a transmission to ensure it came from the sender can provide increased security for remote access users

• SSH is a UNIX-based command interface and protocol for securely accessing a remote computer

• A directory service is a database stored on the network itself and contains all the information about users and network devices

• Digital cellular telephony provides various features to operate on a wireless digital cellular device

• WLANs have a dramatic impact on user access to data

Chapter 8: Scrambling Through Cryptography

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Define cryptography

• Secure with cryptography hashing algorithms

• Protect with symmetric encryption algorithms

• Harden with asymmetric encryption algorithms

• Explain how to use cryptography


Cryptography Terminology

• Cryptography: science of transforming information so it is secure while being transmitted or stored

• Steganography: attempts to hide existence of data

• Encryption: changing the original text to a secret message using cryptography


Cryptography Terminology (continued)

• Decryption: reverse process of encryption

• Algorithm: process of encrypting and decrypting information based on a mathematical procedure

• Key: value used by an algorithm to encrypt or decrypt a message


Cryptography Terminology (continued)

• Weak key: mathematical key that creates a detectable pattern or structure

• Plaintext: original unencrypted information (also known as clear text)

• Cipher: encryption or decryption algorithm tool used to create encrypted or decrypted text

• Ciphertext: data that has been encrypted by an encryption algorithm


How Cryptography Protects

• Intended to protect the confidentiality of information

• Second function of cryptography is authentication

• Should ensure the integrity of the information as well

• Should also be able to enforce nonrepudiation, the inability to deny that actions were performed

• Can be used for access control


Securing with Cryptography Hashing Algorithms

• One of the three categories of cryptographic algorithms is known as hashing


Defining Hashing

• Hashing, also called a one-way hash, creates a ciphertext from plaintext

• Cryptographic hashing follows this same basic approach

• Hash algorithms verify the accuracy of a value without transmitting the value itself and subjecting it to attacks

• A practical use of a hash algorithm is with automatic teller machine (ATM) cards


Defining Hashing (continued)

• Hashing is typically used in two ways:

– To determine whether a password a user enters is correct without transmitting the password itself

– To determine the integrity of a message or contents of a file

• Hash algorithms are considered very secure if the hash that is produced has the characteristics listed on pages 276 and 277 of the text


Message Digest (MD)

• Message digest 2 (MD2) takes plaintext of any length and creates a hash 128 bits long

– MD2 divides the message into 128-bit sections

– If the message is less than 128 bits, data known as padding is added

• Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time

– Takes plaintext and creates a hash of 128 bits

– The plaintext message itself is padded to a length of 512 bits


Message Digest (MD) (continued)

• Message digest 5 (MD5) is a revision of MD4 designed to address its weaknesses

– The length of a message is padded to 512 bits

– The hash algorithm then uses four variables of 32 bits each in a round-robin fashion to create a value that is compressed to generate the hash


Secure Hash Algorithm (SHA)

• Patterned after MD4 but creates a hash that is 160 bits in length instead of 128 bits

• The longer hash makes it more resistant to attacks

• SHA pads messages less than 512 bits with zeros and an integer that describes the original length of the message


Protecting with Symmetric Encryption Algorithms

• Most common type of cryptographic algorithm (also called private key cryptography)

• Use a single key to encrypt and decrypt a message

• With symmetric encryption, algorithms are designed to decrypt the ciphertext

– It is essential that the key be kept confidential: if an attacker secured the key, she could decrypt any messages


Protecting with Symmetric Encryption Algorithms (continued)

• Can be classified into two distinct categories based on amount of data processed at a time:

– Stream cipher (such as a substitution cipher)

– Block cipher

• Substitution ciphers substitute one letter or character for another

– Also known as a monoalphabetic substitution cipher

– Can be easy to break


Protecting with Symmetric Encryption Algorithms (continued)

• A homoalphabetic substitution cipher maps a single plaintext character to multiple ciphertext characters

• A transposition cipher rearranges letters without changing them

• With most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext


Protecting with Symmetric Encryption Algorithms (continued)

• A block cipher manipulates an entire block of plaintext at one time

• The plaintext message is divided into separate blocks of 8 to 16 bytes and then each block is encrypted independently

• The blocks can be randomized for additional security


Data Encryption Standard (DES)

• One of the most popular symmetric cryptography algorithms

• DES is a block cipher and encrypts data in 64-bit blocks

• The eight parity bits of the 64-bit key are ignored, so the effective key length is only 56 bits

• DES encrypts 64-bit plaintext by executing the algorithm 16 times

• The four modes of DES encryption are summarized on pages 282 and 283


Triple Data Encryption Standard (3DES)

• Uses three rounds of encryption instead of just one

• The ciphertext of one round becomes the entire input for the second iteration

• Employs a total of 48 iterations in its encryption (3 iterations times 16 rounds)

• The most secure versions of 3DES use different keys for each round


Advanced Encryption Standard (AES)

• Approved by the NIST in late 2000 as a replacement for DES

• Process began with the NIST publishing requirements for a new symmetric algorithm and requesting proposals

• Requirements stated that the new algorithm had to be fast and function on older computers with 8-bit, 32-bit, and 64-bit processors


Advanced Encryption Standard (AES) (continued)

• Performs three steps on every block (128 bits) of plaintext

• Within step 2, multiple rounds are performed depending upon the key size:

– 128-bit key performs 9 rounds

– 192-bit key performs 11 rounds

– 256-bit key uses 13 rounds


Rivest Cipher (RC)

• Family of cipher algorithms designed by Ron Rivest

• He developed six ciphers, ranging from RC1 to RC6, but did not release RC1 and RC3

• RC2 is a block cipher that processes blocks of 64 bits

• RC4 is a stream cipher that accepts keys up to 128 bits in length


International Data Encryption Algorithm (IDEA)

• IDEA algorithm dates back to the early 1990s and is used in European nations

• Block cipher that processes 64 bits with a 128-bit key with 8 rounds


Blowfish

• Block cipher that operates on 64-bit blocks

• Can have a key length from 32 to 448 bits


Hardening with Asymmetric Encryption Algorithms

• The primary weakness of symmetric encryption algorithms is keeping the single key secure

• This weakness, known as key management, poses a number of significant challenges

• Asymmetric encryption (or public key cryptography) uses two keys instead of one

– The private key typically is used to encrypt the message

– The public key decrypts the message


Rivest Shamir Adleman (RSA)

• Asymmetric algorithm published in 1977 and patented by MIT in 1983

• Most common asymmetric encryption and authentication algorithm

• Included as part of the Web browsers from Microsoft and Netscape as well as other commercial products

• Multiplies two large prime numbers


Diffie-Hellman

• Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text

• Strength of Diffie-Hellman is that it allows two users to share a secret key securely over a public network

• Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography


Elliptic Curve Cryptography

• First proposed in the mid-1980s

• Instead of using prime numbers, uses elliptic curves

• An elliptic curve is a function drawn on an X-Y axis as a gently curved line

• By adding the values of two points on the curve, you can arrive at a third point on the curve


Understanding How to Use Cryptography

• Cryptography can provide a major defense against attackers

• If an e-mail message or data stored on a file server is encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it


Digital Signature

• Encrypted hash of a message that is transmitted along with the message

• Helps to prove that the person sending the message with a public key is whom he/she claims to be

• Also proves that the message was not altered and that it was sent in the first place
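The Diffie-Hellman exchange and the digital signature defined in the slides above, worked in code: an added Python example, not from the textbook, using textbook RSA (the message hash encrypted with the private key, with no padding scheme) and a Diffie-Hellman exchange over a randomly generated prime rather than a standardized group. The key sizes, the Miller-Rabin helper and all function names are this example's own choices, kept small so it runs quickly.

```python
"""Constructed teaching code: textbook RSA signature (message hash encrypted with
the private key) and a Diffie-Hellman key agreement. Toy choices are labelled:
no signature padding, a random rather than standardized DH prime, short keys."""
import hashlib
import random
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top bit and low bit forced on)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


# --- RSA: the modulus is the product of two large primes --------------------
def rsa_generate_keypair(bits: int = 512, e: int = 65537):
    """Return ((e, n), (d, n)). 512 bits keeps the demo fast; real keys are 2048+."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)  # pow(e, -1, m) needs Python 3.8+


def message_hash(message: bytes) -> int:
    """SHA-1 digest as an integer (SHA-1 matches the chapter; use SHA-2 today)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def rsa_sign(message: bytes, private_key) -> int:
    """Digital signature as the slide defines it: hash, then encrypt with d."""
    d, n = private_key
    return pow(message_hash(message), d, n)


def rsa_verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt with the public key (e, n); it must equal a fresh hash of the
    message, so any alteration of message or signature fails the check."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message)


# --- Diffie-Hellman: agree on a key without ever transmitting it -------------
def derive_symmetric_key(shared_secret: int, p: int) -> bytes:
    """Hash the agreed value into a fixed-size key for a symmetric cipher."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha1(shared_secret.to_bytes(width, "big")).digest()


def dh_exchange(p: int, g: int = 2):
    """Only g**a and g**b cross the wire; each side computes the same g**(a*b).
    Returns (alice_public, bob_public, alice_key, bob_key) so the two derived
    keys can be compared. Real deployments use a standardized safe-prime group."""
    a = secrets.randbelow(p - 3) + 2           # Alice's private value, never sent
    b = secrets.randbelow(p - 3) + 2           # Bob's private value, never sent
    alice_public, bob_public = pow(g, a, p), pow(g, b, p)
    alice_key = derive_symmetric_key(pow(bob_public, a, p), p)
    bob_key = derive_symmetric_key(pow(alice_public, b, p), p)
    return alice_public, bob_public, alice_key, bob_key
```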


Benefits of Cryptography

• Five key elements:

– Confidentiality

– Authentication

– Integrity

– Nonrepudiation

– Access control


Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)

• PGP is perhaps most widely used asymmetric cryptography system for encrypting e-mail messages on Windows systems

– Commercial product

• GPG is a free product


Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) (continued)

• GPG versions run on Windows, UNIX, and Linux operating systems

• PGP and GPG use both asymmetric and symmetric cryptography

• PGP can use either RSA or the Diffie-Hellman algorithm for the asymmetric encryption and IDEA for the symmetric encryption


Microsoft Windows Encrypting File System (EFS)

• Encryption scheme for Windows 2000, Windows XP Professional, and Windows 2003 Server operating systems that use the NTFS file system

• Uses asymmetric cryptography and a per-file encryption key to encrypt and decrypt data

• When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data


Microsoft Windows Encrypting File System (EFS) (continued)

• The FEK is encrypted with the user’s public key and the encrypted FEK is then stored with the file

• EFS is enabled by default

• When using Microsoft EFS, the tasks recommended are listed on page 293 of the text


UNIX Pluggable Authentication Modules (PAM)

• When UNIX was originally developed, authenticating a user was accomplished by requesting a password from the user and checking whether the entered password corresponded to the encrypted password stored in the user database /etc/passwd

• Each new authentication scheme requires all the necessary programs, such as login and ftp, to be rewritten to support it


UNIX Pluggable Authentication Modules (PAM) (continued)

• A solution is to use PAMs

• Provides a way to develop programs that are independent of the authentication scheme


Linux Cryptographic File System (CFS)

• Linux users can add one of several cryptographic systems to encrypt files

• One of the most common is the CFS

• Other Linux cryptographic options are listed on pages 294 and 295 of the text


Summary

• Cryptography seeks to fulfill five key security functions: confidentiality, authentication, integrity, nonrepudiation, and access control

• Hashing, also called a one-way hash, creates a ciphertext from plaintext

• Symmetric encryption algorithms use a single key to encrypt and decrypt a message


Summary (continued)

• A digital certificate helps to prove that the person sending the message with a public key is actually whom they claim to be, that the message was not altered, and that it cannot be denied that the message was sent

• The most widely used asymmetric cryptography system for encrypting e-mail messages on Windows systems is PGP

Chapter 9: Using and Managing Keys

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Explain cryptography strengths and vulnerabilities

• Define public key infrastructure (PKI)

• Manage digital certificates

• Explore key management


Understanding Cryptography Strengths and Vulnerabilities

• Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored

• When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext


Symmetric Cryptography Strengths and Weaknesses

• Identical keys are used to both encrypt and decrypt the message

• Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish

• Disadvantages of symmetric encryption relate to the difficulties of managing the private key


Asymmetric Cryptography Strengths and Vulnerabilities

• With asymmetric encryption, two keys are used instead of one

– The private key encrypts the message

– The public key decrypts the message


Asymmetric Cryptography Strengths and Vulnerabilities (continued)

• Can greatly improve cryptography security, convenience, and flexibility

• Public keys can be distributed freely

• Users cannot deny they have sent a message if they have previously encrypted the message with their private keys

• Primary disadvantage is that it is computing-intensive


Digital Signatures

• Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message

• A digital signature helps to prove that:

– The person sending the message with a public key is who they claim to be

– The message was not altered

– It cannot be denied the message was sent


Digital Certificates

• Digital documents that associate an individual with their specific public key

• Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party


Certification Authority (CA)

• The owner of the public key listed in the digital certificate can be identified to the CA in different ways

– By their e-mail address

– By additional information that describes the digital certificate and limits the scope of its use

• Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users


Certification Authority (CA) (continued)

• The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes

• Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)

• Some organizations set up a Registration Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users

Understanding Public Key Infrastructure (PKI)

• Weaknesses associated with asymmetric cryptography led to the development of PKI

• A CA is an important trusted party who can sign and issue certificates for users

• Some of its tasks can also be performed by a subordinate function, the RA

• Updated certificates and CRLs are kept in a CR for users to refer to


The Need for PKI


Description of PKI

• Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs

• For a typical enterprise:

– Provides end-user enrollment software

– Integrates corporate certificate directories

– Manages, renews, and revokes certificates

– Provides related network services and security

• Typically consists of one or more CA servers and digital certificates that automate several tasks


PKI Standards and Protocols

• A number of standards have been proposed for PKI

– Public Key Cryptography Standards (PKCS)

– X.509 certificate standards

Public Key Cryptography Standards (PKCS)

• Numbered set of standards that have been defined by the RSA Corporation since 1991

• Composed of 15 standards detailed on pages 318 and 319 of the text


X.509 Digital Certificates

• X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate

• Most widely used certificate format for PKI

• X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

Trust Models

• Refers to the type of relationship that can exist between people or organizations

• In direct trust, a personal relationship exists between two individuals

• Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party

• The three different PKI trust models are based on direct and third-party trust


Trust Models (continued)

• The web of trust model is based on direct trust

• Single-point trust model is based on third-party trust

– A CA directly issues and signs certificates

• In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it


Managing Digital Certificates

• After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer

• CA certificates are issued by a CA directly to individuals

• Typically used to secure e-mail transmissions through S/MIME and SSL/TLS


Managing Digital Certificates (continued)

• Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission

• Software publisher certificates are provided by software publishers to verify their programs are secure


Certificate Policy (CP)

• Published set of rules that govern operation of a PKI

• Begins with an opening statement outlining its scope

• Should cover at a minimum the topics listed on page 325 of the text


Certificate Practice Statement (CPS)

• More technical document compared to a CP

• Describes in detail how the CA uses and manages certificates

• Covers topics such as those listed on pages 325 and 326 of the text


Certificate Life Cycle

• Typically divided into four parts:

– Creation

– Revocation

– Expiration

– Suspension
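The four life-cycle stages and the hierarchical trust model from the earlier slide, as an added example that is not code from the book: a status check that tells expired, revoked and suspended certificates apart, then walks a constructed chain up to a root the user chose to trust. The CA names, certificates and CRL entries are made up, and the issuer-name link stands in for real signature verification.

```python
"""Certificate life-cycle status and hierarchical-trust chain check.

Added example for the trust-model and certificate-life-cycle slides; not code
from the book. Certificates are plain dicts and the issuer link stands in for
a real signature check (a real PKI verifies the signature with the issuer's
public key, which needs a crypto library and is omitted here). CRL reasons
follow X.509 loosely: 'certificateHold' marks a suspension (reversible), any
other reason a permanent revocation.
"""
from datetime import datetime, timedelta

NOW = datetime(2015, 4, 2, 12, 0)  # fixed clock so the example is reproducible


def make_cert(subject, issuer, not_before, days):
    """Creation stage: a certificate with a fixed validity window."""
    return {"subject": subject, "issuer": issuer,
            "not_before": not_before,
            "not_after": not_before + timedelta(days=days)}


# Constructed sample hierarchy: root CA -> issuing CA -> end entities
ROOT = make_cert("Example Root CA", "Example Root CA", NOW - timedelta(days=3650), 7300)
ISSUING = make_cert("Example Issuing CA", "Example Root CA", NOW - timedelta(days=365), 1825)
SERVER = make_cert("www.example.test", "Example Issuing CA", NOW - timedelta(days=30), 365)
STALE = make_cert("old.example.test", "Example Issuing CA", NOW - timedelta(days=400), 365)
HELD = make_cert("held.example.test", "Example Issuing CA", NOW - timedelta(days=30), 365)

STORE = {c["subject"]: c for c in (ROOT, ISSUING, SERVER, STALE, HELD)}
TRUSTED_ROOTS = {"Example Root CA"}             # the root the user decided to trust
CRL = {"held.example.test": "certificateHold"}  # keyed by subject; real CRLs use serials


def life_cycle_status(cert, crl, now):
    """Map the life-cycle stages onto a status string.
    Expiry is checked before the CRL because CAs may drop expired serials
    from the list; an expired certificate is reported as expired either way.
    """
    if now < cert["not_before"]:
        return "not_yet_valid"
    if now > cert["not_after"]:
        return "expired"
    reason = crl.get(cert["subject"])
    if reason == "certificateHold":
        return "suspended"   # lifted by removing the CRL entry
    if reason is not None:
        return "revoked"     # permanent; a new certificate must be issued
    return "valid"


def chain_status(leaf, store, trusted_roots, crl, now, max_depth=5):
    """Walk issuer links from the leaf up to a self-signed root.
    Hierarchical trust model: every certificate on the path must be valid at
    `now`, and the root must be one the relying party chose to trust.
    """
    cert = leaf
    for _ in range(max_depth):
        status = life_cycle_status(cert, crl, now)
        if status != "valid":
            return f"{status}: {cert['subject']}"
        if cert["subject"] == cert["issuer"]:       # self-signed: candidate anchor
            return "trusted" if cert["subject"] in trusted_roots else "untrusted root"
        cert = store.get(cert["issuer"])
        if cert is None:
            return "issuer certificate missing"
    return "chain too long"


def lift_suspension(crl, subject):
    """Suspension is the one reversible stage: removing the hold restores the cert."""
    new_crl = dict(crl)
    new_crl.pop(subject, None)
    return new_crl


def revoke(crl, subject, reason="keyCompromise"):
    """Revocation replaces any hold with a permanent reason."""
    new_crl = dict(crl)
    new_crl[subject] = reason
    return new_crl


if __name__ == "__main__":
    for cert in (SERVER, STALE, HELD):
        print(cert["subject"], "->", chain_status(cert, STORE, TRUSTED_ROOTS, CRL, NOW))
    # Revoking the issuing CA breaks every chain below it
    print("after CA revocation:",
          chain_status(SERVER, STORE, TRUSTED_ROOTS, revoke(CRL, "Example Issuing CA"), NOW))
```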


Exploring Key Management

• Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed


Centralized and Decentralized Management

• Key management can either be centralized or decentralized

• An example of a decentralized key management system is the PKI web of trust model

• Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA


Key Storage

• It is possible to store public keys by embedding them within digital certificates

• This is a form of software-based storage and doesn’t involve any cryptography hardware

• Another form of software-based storage involves storing private keys on the user’s local computer


Key Storage (continued)

• Storing keys in hardware is an alternative to software-based keys

• Whether private keys are stored in hardware or software, it is important that they be adequately protected


Key Usage

• If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys

• One pair of keys may be used to encrypt information and the public key could be backed up to another location

• The second pair would be used only for digital signatures and the public key in that pair would never be backed up


Key Handling Procedures

• Certain procedures can help ensure that keys are properly handled:

– Escrow

– Expiration

– Renewal

– Revocation

– Recovery

– Suspension

– Destruction


Summary

• One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement

• A digital signature solves the problem of authenticating the sender when using asymmetric cryptography

• With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications


Summary (continued)

• PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991

• The three PKI trust models are based on direct and third-party trust

• Digital certificates are managed through CPs and CPSs

Chapter 10: Operational Security

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Harden physical security with access controls

• Minimize social engineering

• Secure the physical environment

• Define business continuity

• Plan for disaster recovery


Hardening Physical Security with Access Controls

• Adequate physical security is one of the first lines of defense against attacks

• Protects equipment and the infrastructure itself

• Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize


Hardening Physical Security with Access Controls (continued)

• Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file

• Access control also refers to restricting physical access to computers or network devices


Controlling Access with Physical Barriers

• Most servers are rack-mounted servers

• A rack-mounted server is 1.75 inches (4.45 cm) tall and can be stacked with up to 50 other servers in a closely confined area

• Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard


Controlling Access with Physical Barriers (continued)

• In addition to securing a device itself, you should also secure the room containing the device

• Two basic types of door locks require a key:

– A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside

– A deadbolt lock extends a solid metal bar into the door frame for extra security

• To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text


Controlling Access with Physical Barriers (continued)

• Cipher locks are combination locks that use buttons you push in the proper sequence to open the door

• Can be programmed to allow only the code of certain people to be valid on specific dates and times

• Basic models can cost several hundred dollars each while advanced models can run much higher

• Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing)


Controlling Access with Physical Barriers (continued)

• Other physical vulnerabilities should be addressed, including:

– Suspended ceilings

– HVAC ducts

– Exposed door hinges

– Insufficient lighting

– Dead-end corridors


Controlling Access with Biometrics

• Biometrics uses a person’s unique characteristics to authenticate that person

• Some human characteristics used for identification include fingerprint, face, hand, iris, retina, and voice

• Many high-end biometric scanners are expensive, can be difficult to use, and can produce false positives (accepting unauthorized users) or false negatives (restricting authorized users)
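An added example (not code from the book) of the trade-off behind the last bullet: with constructed match scores for genuine users and impostors, it computes the false-positive and false-negative rates at each acceptance threshold, finds the crossover point, and picks the threshold a high-security door would want.

```python
"""False positives vs. false negatives for a biometric scanner.

Added example for the biometrics slide; not code from the book. Match scores
(0-100) are constructed. A scanner accepts an attempt when its score reaches
the threshold: false positive = impostor accepted (unauthorized user let in),
false negative = genuine user rejected (authorized user kept out). Raising
the threshold trades one error for the other.
"""

# Constructed sample scores: enrolled users matching against their own template
GENUINE = [88, 92, 75, 95, 81, 69, 90, 84, 77, 93]
# Constructed sample scores: other people matching against that same template
IMPOSTOR = [40, 55, 62, 48, 71, 35, 58, 66, 44, 73]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) at a threshold."""
    false_positive = sum(1 for s in impostor if s >= threshold) / len(impostor)
    false_negative = sum(1 for s in genuine if s < threshold) / len(genuine)
    return false_positive, false_negative


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold where the two error rates are closest (the crossover)."""
    def gap(t):
        fp, fn = error_rates(t, genuine, impostor)
        return (abs(fp - fn), t)          # tie-break on the lower threshold
    return min(range(101), key=gap)


def threshold_for_false_positive_limit(limit, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose false-positive rate is at or below `limit`.
    For a server-room door you would rather inconvenience a legitimate user
    (false negative) than admit a stranger (false positive), so the limit is
    set on false positives and the false-negative rate is what you pay.
    """
    for t in range(101):
        if error_rates(t, genuine, impostor)[0] <= limit:
            return t
    return None


if __name__ == "__main__":
    for t in (60, 70, equal_error_threshold(), threshold_for_false_positive_limit(0.0)):
        fp, fn = error_rates(t)
        print(f"threshold {t:3d}: false positives {fp:.1f}, false negatives {fn:.1f}")
```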


Minimizing Social Engineering

• The best defenses against social engineering are a strong security policy along with adequate training

• An organization must establish clear and direct policies regarding what information can be given out and under what circumstances


Securing the Physical Environment

• Take steps to secure the environment itself to reduce the risk of attacks:

– Limiting the range of wireless data signals

– Shielding wired signals

– Controlling the environment

– Suppressing the risk of fires


Limiting Wireless Signal Range

• Use the following techniques to limit the wireless signal range:

– Relocate the access point

– Substitute 802.11a for 802.11b

– Add directional antenna

– Reduce power

– Cover the device

– Modify the building


Shielding a Wired Signal

• The insulation and shielding that covers a copper cable does not always prevent a signal from leaking out or having an even stronger signal affect the data transmission on the cable

• This interference (noise) can be of several types

• Radio frequency interference (RFI) refers to interference caused by broadcast signals from a radio frequency (RF) transmitter, such as from a commercial radio or television transmitter


Shielding a Wired Signal (continued)

• Electromagnetic interference (EMI) may be caused by a variety of sources

– A motor or another source of intense electrical activity can create an electromagnetic signal that interferes with a data signal

– EMI can also be caused by cellular telephones, citizens’ band and police radios, small office or household appliances, fluorescent lights, or loose electrical connections


Shielding a Wired Signal (continued)

• The source of near end crosstalk (NEXT) interference is usually from another data signal being transmitted

• Loss of signal strength is known as attenuation

• Two types of defenses are commonly referenced for shielding a signal

– Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)

– Faraday cage


Shielding a Wired Signal (continued)

• TEMPEST

– Classified standard developed by the US government to prevent attackers from picking up stray RFI and EMI signals from government buildings

• Faraday cage

– Metallic enclosure that prevents the entry or escape of an electromagnetic field

– Consists of a fine-mesh copper screening directly connected to an earth ground


Reducing the Risk of Fires

• In order for a fire to occur, four entities must be present at the same time:

– Sufficient oxygen to sustain the combustion

– Enough heat to raise the material to its ignition temperature

– Some type of fuel or combustible material

– A chemical reaction that is the fire itself


Reducing the Risk of Fires (continued)

• Refer to page 355 for the types of fires, their fuel source, how they can be extinguished, and the types of handheld fire extinguishers that should be used

• Stationary fire suppression systems that integrate into the building’s infrastructure and release a suppressant in the entire room are used


Reducing the Risk of Fires (continued)

• Systems can be classified as:

– Water sprinkler systems that spray the room with pressurized water

– Dry chemical systems that disperse a fine, dry powder over the fire

– Clean agent systems that do not harm people, documents, or electrical equipment in the room


Understanding Business Continuity

• Process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize

• Business continuity management is concerned with developing a business continuity plan (BCP) addressing how the organization can continue in the event that risks materialize


Understanding Business Continuity (continued)

• The basic steps in creating a BCP:

– Understand the business

– Formulate continuity strategies

– Develop a response

– Test the plan


Maintaining Utilities

• Disruption of utilities should be of primary concern for all organizations

• The primary utility that a BCP should address is electrical service

• An uninterruptible power supply (UPS) is an external device located between an outlet for electrical power and another device

– Primary purpose is to continue to supply power if the electrical power fails


Maintaining Utilities (continued)

• A UPS can complete the following tasks:

– Send a special message to the network administrator’s computer, or page or telephone the network manager to indicate that the power has failed

– Notify all users that they must finish their work immediately and log off

– Prevent any new users from logging on

– Disconnect users and shut down the server


Establishing High Availability through Fault Tolerance

• The ability to endure failures (fault tolerance) can keep systems available to an organization

• Prevents a single problem from escalating into a total disaster

• Can best be achieved by maintaining redundancy

• Fault-tolerant server hard drives are based on a standard known as Redundant Array of Independent Drives (RAID)


Creating and Maintaining Backups

• Data backups are an essential element in any BCP

• Backup software can internally designate which files have already been backed up by setting an archive bit in the properties of the file

• Four basic types of backups:

– Full backup

– Differential backup

– Incremental backup

– Copy backup


Creating and Maintaining Backups (continued)

• Develop a strategy for performing backups to make sure you are storing the data your organization needs

• A grandfather-father-son backup system divides backups into three sets:

– A daily backup (son)

– A weekly backup (father)

– A monthly backup (grandfather)
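The archive-bit rules behind the four backup types, and the restore chain each type implies, as an added example that is not code from the book. The week of file changes is constructed, with a Monday full standing in for the weekly "father" set and daily "son" jobs after it.

```python
"""Archive-bit behaviour of the four backup types and the resulting restore chain.

Added example for the backup slides; not code from the book. Files are a dict
name -> archive bit. Writing a file sets the bit (as the operating system
does); each backup type differs only in which files it selects and whether it
clears the bit afterwards.
"""

BACKUP_TYPES = {
    # kind: (which files are copied, archive bit cleared afterwards?)
    "full":         ("all",    True),
    "differential": ("marked", False),  # everything changed since the last full
    "incremental":  ("marked", True),   # everything changed since the last full or incremental
    "copy":         ("all",    False),  # ad hoc copy that leaves the chain untouched
}


def run_backup(kind, files):
    """Copy the selected files (returned as a sorted list) and update the bits."""
    selects, clears = BACKUP_TYPES[kind]
    picked = sorted(name for name, bit in files.items() if selects == "all" or bit)
    if clears:
        for name in picked:
            files[name] = False
    return picked


def simulate(schedule, changes):
    """schedule: [(day, kind), ...]; changes: {day: [files written that day]}.
    Returns {day: files captured by that day's job}."""
    files, captured = {}, {}
    for day, kind in schedule:
        for name in changes.get(day, []):
            files[name] = True          # a write sets the archive bit
        captured[day] = run_backup(kind, files)
    return captured


def restore_set(schedule, target_day):
    """Days whose media are needed to rebuild the data as of target_day.
    Full + newest differential, or full + every incremental; a differential
    taken after incrementals only holds changes since the last incremental,
    so those incrementals stay in the chain. Copy jobs never count."""
    chain = []                          # [(day, kind)] from the last full onward
    for day, kind in schedule:
        if kind == "full":
            chain = [(day, kind)]
        elif kind == "differential":
            if chain and chain[-1][1] == "differential":
                chain[-1] = (day, kind)  # newer differential supersedes the older one
            else:
                chain.append((day, kind))
        elif kind == "incremental":
            chain.append((day, kind))
        if day == target_day:
            break
    if not chain or chain[0][1] != "full":
        raise ValueError(f"no full backup before {target_day}; data cannot be restored")
    return [day for day, _ in chain]


# Constructed sample week: Monday full ("father"), daily jobs ("sons") after it
CHANGES = {"Mon": ["a", "b", "c"], "Tue": ["a"], "Wed": ["b"]}
DIFF_WEEK = [("Mon", "full"), ("Tue", "differential"), ("Wed", "differential"), ("Thu", "differential")]
INC_WEEK = [("Mon", "full"), ("Tue", "incremental"), ("Wed", "incremental"), ("Thu", "incremental")]
COPY_WEEK = [("Mon", "full"), ("Tue", "incremental"), ("Wed", "copy"), ("Thu", "incremental")]

if __name__ == "__main__":
    for label, week in (("differential", DIFF_WEEK), ("incremental", INC_WEEK), ("copy", COPY_WEEK)):
        print(label, simulate(week, CHANGES), "restore Thu from", restore_set(week, "Thu"))
```

The copy-week run shows the point of a copy backup: Wednesday's copy captures everything without clearing bits, so Thursday's incremental still picks up the file changed on Wednesday.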


Planning for Disaster Recovery

• Business continuity is concerned with addressing anything that could affect the continuation of service

• Disaster recovery is more narrowly focused on recovering from major disasters that could cease operations for an extended period of time

• Preparing for disaster recovery always involves having a plan in place


Creating a Disaster Recovery Plan (DRP)

• A DRP is different from a business continuity plan

• Typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning

• Should be a detailed document that is updated regularly

• All DRPs are different, but they should address the common features shown in the outline on pages 367 and 368 of the text


Identifying Secure Recovery

• Major disasters may require that the organization temporarily move to another location

• Three basic types of alternate sites are used during or directly after a disaster

– Hot site

– Cold site

– Warm site


Identifying Secure Recovery (continued)

• A hot site is generally run by a commercial disaster recovery service that allows a business to continue computer and network operations to maintain business continuity

• A cold site provides office space, but the customer must provide and install all equipment needed to continue operations

• A warm site has all equipment installed but does not have active Internet or telecommunications facilities


Protecting Backups

• Data backups must be protected from theft and normal environmental elements

• Tape backups should be protected against strong magnetic fields, which can destroy a tape

• Be sure backup tapes are located in a secure environment that is adequately protected


Summary

• Adequate physical security is one of the first lines of defense against attacks

• Physical security involves restricting with access controls, minimizing social engineering attacks, and securing the environment and infrastructure

• Business continuity is the process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize


Summary (continued)

• Disaster recovery is focused on recovering from major disasters that could potentially cause the organization to cease operations for an extended period of time

• A DRP typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning


Chapter 11: Policies and Procedures

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Define the security policy cycle

• Explain risk identification

• Design a security policy

• Define types of security policies

• Define compliance monitoring and evaluation


Understanding the Security Policy Cycle

• First part of the cycle is risk identification

• Risk identification seeks to determine the risks that an organization faces against its information assets

• That information becomes the basis of developing a security policy

• A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure


Reviewing Risk Identification

• First step in security policy cycle is to identify risks

• Involves the four steps:

– Inventory the assets

– Determine what threats exist against the assets and by which threat agents

– Investigate whether vulnerabilities exist that can be exploited

– Decide what to do about the risks


Asset Identification

• An asset is any item with a positive economic value

• Many types of assets, classified as follows:

– Physical assets

– Data

– Software

– Hardware

– Personnel

• Along with the assets, attributes of the assets need to be compiled


Asset Identification (continued)

• After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value

• Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text


Threat Identification

• A threat is not limited to those from attackers, but also includes acts of God, such as fire or severe weather

• Threat modeling constructs scenarios of the types of threats that assets can face

• The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur


Threat Identification (continued)

• A valuable tool used in threat modeling is the construction of an attack tree

• An attack tree provides a visual image of the attacks that may occur against an asset


Vulnerability Appraisal

• After assets have been inventoried and prioritized and the threats have been explored, the next question becomes, what current security weaknesses may expose the assets to these threats?

• Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands


Vulnerability Appraisal (continued)

• To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners

• These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity


Risk Assessment

• Final step in identifying risks is to perform a risk assessment

• Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization

• Each vulnerability can be ranked by the scale

• Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability


Risk Assessment (continued)

• Formulas commonly used to calculate expected losses are:

– Single Loss Expectancy

– Annualized Loss Expectancy

• An organization has three options when confronted with a risk:

– Accept the risk

– Diminish the risk

– Transfer the risk
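An added worked example for the two loss formulas and the three risk responses; it is not code from the book. It assumes the standard definitions SLE = AV × EF and ALE = SLE × ARO, the accept/diminish/transfer rule is a simplification introduced here, and the risk-register figures are constructed.

```python
"""Quantitative risk assessment with the two expectancies the slide names.

Added example for the risk-assessment slides; not code from the book. It uses
the standard definitions (assumed here):
    SLE = asset value (AV) x exposure factor (EF)     # loss from one occurrence
    ALE = SLE x annualized rate of occurrence (ARO)   # expected loss per year
The accept / diminish / transfer rule is this example's own simplification:
a control is worth buying only if it costs less per year than the loss it
prevents, and insurance only if the premium is below the yearly loss.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """EF is the fraction (0..1) of the asset's value lost in a single incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ARO may be fractional: 0.01 means roughly once per hundred years."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def choose_response(ale, control_cost=None, premium=None):
    """Assumed decision rule (not from the book), applied in order:
    diminish if a control is cheaper than the yearly loss it averts,
    transfer if an insurance premium is cheaper than the yearly loss,
    otherwise accept the risk."""
    if control_cost is not None and control_cost < ale:
        return "diminish"
    if premium is not None and premium < ale:
        return "transfer"
    return "accept"


def assess(register):
    """Rank a risk register by ALE (highest first) and attach a response to each."""
    rows = []
    for r in register:
        sle = single_loss_expectancy(r["asset_value"], r["exposure_factor"])
        ale = annualized_loss_expectancy(sle, r["aro"])
        rows.append({"name": r["name"], "sle": sle, "ale": ale,
                     "response": choose_response(ale, r.get("control_cost"), r.get("premium"))})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Constructed sample register (all figures invented for the example)
REGISTER = [
    {"name": "web server defacement", "asset_value": 50_000, "exposure_factor": 0.2,
     "aro": 2.0, "control_cost": 5_000, "premium": 8_000},
    {"name": "laptop theft", "asset_value": 3_000, "exposure_factor": 1.0,
     "aro": 4.0, "control_cost": 15_000, "premium": 4_000},
    {"name": "office flood", "asset_value": 200_000, "exposure_factor": 0.5,
     "aro": 0.01, "control_cost": 20_000, "premium": 2_500},
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['name']:<22} SLE {row['sle']:>9,.0f}  ALE {row['ale']:>9,.0f}  -> {row['response']}")
```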


Designing the Security Policy

• Designing a security policy is the logical next step in the security policy cycle

• After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks


What Is a Security Policy?

• A policy is a document that outlines specific requirements or rules that must be met

– Has the characteristics listed on page 393 of the text

– Correct vehicle for an organization to use when establishing information security

• A standard is a collection of requirements specific to the system or procedure that must be met by everyone

• A guideline is a collection of suggestions that should be implemented


Balancing Control and Trust

• To create an effective security policy, two elements must be carefully balanced: trust and control

• Three models of trust:

– Trust everyone all of the time

– Trust no one at any time

– Trust some people some of the time


Designing a Policy

• When designing a security policy, you can consider a standard set of principles

• These can be divided into what a policy must do and what a policy should do


Designing a Policy (continued)

• Security policy design should be the work of a team and not one or two technicians

• The team should have these representatives:

– Senior level administrator

– Member of management who can enforce the policy

– Member of the legal staff

– Representative from the user community


Elements of a Security Policy

• Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents

• The three most common elements:

– Due care

– Separation of duties

– Need to know


Due Care

• Term used frequently in legal and business settings

• Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them


Separation of Duties

• Key element in internal controls

• Means that one person’s work serves as a complementary check on another person’s

• No one person should have complete control over any action from initialization to completion


Need to Know

• One of the best methods to keep information confidential is to restrict who has access to that information

• Only that employee whose job function depends on knowing the information is provided access


Types of Security Policies

• Umbrella term for all of the subpolicies included within it

• In this section, you examine some common security policies:

– Acceptable use policy

– Human resource policy

– Password management policy

– Privacy policy

– Disposal and destruction policy

– Service-level agreement


Acceptable Use Policy (AUP)

• Defines what actions users of a system may perform while using computing and networking equipment

• Should have an overview regarding what is covered by this policy

• Unacceptable use should also be outlined


Human Resource Policy

• Policies of the organization that address human resources

• Should include statements regarding how an employee’s information technology resources will be addressed


Password Management Policy

• Although passwords often form the weakest link in information security, they are still the most widely used

• A password management policy should clearly address how passwords are managed

• In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords


Privacy Policy

• Privacy is of growing concern among today’s consumers

• Organizations should have a privacy policy that outlines how the organization uses information it collects


Disposal and Destruction Policy

• A disposal and destruction policy that addresses the disposing of resources is considered essential

• The policy should cover how long records and data will be retained

• It should also cover how to dispose of them


Service-Level Agreement (SLA) Policy

• Contract between a vendor and an organization for services

• Typically contains the items listed on page 403


Understanding Compliance Monitoring and Evaluation

• The final process in the security policy cycle is compliance monitoring and evaluation

• Some of the most valuable analysis occurs when an attack penetrates the security defenses

• A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence


Incident Response Policy

• Outlines actions to be performed when a security breach occurs

• Most policies outline composition of an incident response team (IRT)

• Should be composed of individuals from:

– Senior management

– IT personnel

– Corporate counsel

– Human resources

– Public relations


Ethics Policy

• Codes of ethics from external agencies encourage their members to adhere to strict ethical behavior within their profession

• Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Computing Machinery (ACM), among others

• Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to


Summary

• The security policy cycle defines the overall process for developing a security policy

• There are four steps in risk identification:

– Inventory the assets and their attributes

– Determine what threats exist against the assets and by which threat agents

– Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure

– Make decisions regarding what to do about the risks


Summary (continued)

• A security policy development team should be formed to create the information security policy

• An incident response policy outlines actions to be performed when a security breach occurs

• A policy addressing ethics can also be formulated by an organization

Chapter 12: Security Management

Security+ Guide to Network Security Fundamentals

Second Edition


Objectives

• Define identity management

• Harden systems through privilege management

• Plan for change management

• Define digital rights management

• Acquire effective training and education


Understanding Identity Management

• Identity management attempts to address problems and security vulnerabilities associated with users identifying and authenticating themselves across multiple accounts

• Solution may be found in identity management

– A user’s single authenticated ID is shared across multiple networks or online businesses

Understanding Identity Management (continued)

• Four key elements:

– Single sign-on (SSO)

– Password synchronization

– Password resets

– Access management

Understanding Identity Management (continued)

• SSO allows user to log on one time to a network or system and access multiple applications and systems based on that single password

• Password synchronization also permits a user to use a single password to log on to multiple servers

– Instead of keeping a repository of user credentials, password synchronization ensures the password is the same for every application to which a user logs on

Understanding Identity Management (continued)

• Password resets reduce costs associated with password-related help desk calls

– Identity management systems let users reset their own passwords and unlock their accounts without relying on the help desk

• Access management software controls who can access the network while managing the content and business that users can perform while online

Hardening Systems Through Privilege Management

• Privilege management attempts to simplify assigning and revoking access control (privileges) to users

Responsibility

• Responsibility can be centralized or decentralized

• Consider a chain of fast-food restaurants

– Each location could have complete autonomy: it can decide whom to hire, when to open, how much to pay employees, and what brand of condiments to use

– This decentralized approach has several advantages, including flexibility

– A national headquarters tells each restaurant exactly what to sell, what time to close, and what uniforms to wear (centralized approach)

Responsibility (continued)

• Responsibility for privilege management can likewise be either centralized or decentralized

• In a centralized structure, one unit is responsible for all aspects of assigning or revoking privileges

• A decentralized organizational structure delegates authority for assigning or revoking privileges to smaller units, such as empowering each location to hire a network administrator to manage privileges

Assigning Privileges

• Privileges can be assigned by:

– The user

– The group to which the user belongs

– The role that the user assumes in the organization

User Privileges

• If privileges are assigned by user, the needs of each user should be closely examined to determine what privileges they need over which objects

• When assigning privileges on this basis, the best approach is to have a baseline security template that applies to all users and then modify as necessary

Group Privileges

• Instead of assigning privileges to each user, a group can be created and privileges assigned to the group

• As users are added to the group, they inherit those privileges

Role Privileges

• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role

• The users inherit all permissions for the role

Auditing Privileges

• You should regularly audit the privileges that have been assigned

• Without auditing, it is impossible to know if users have been given too many unnecessary privileges and are creating security vulnerabilities

Usage Audit

• Process of reviewing activities a user has performed on the system or network

• Provides a detailed history of every action, the date and time, the name of the user, and other information

Privilege Audit

• Reviews privileges that have been assigned to a specific user, group, or role

• Begins by developing a list of the expected privileges of a user

Escalation Audits

• Reviews of usage audits to determine if privileges have unexpectedly escalated

• Privilege escalation attack: attacker attempts to escalate her privileges without permission

• Certain programs on Mac OS X use a special area in memory called an environment variable to determine where to write certain information
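The role-based assignment described above (users inherit every permission of their role) together with the three audits (usage, privilege and escalation), worked through as an added Python example. This is not code from the textbook; the roles, users, object names and the usage-audit log lines are constructed, and the log format (timestamp, user, action, object) is an assumption of this example.

```python
"""Privileges assigned by role, and the privilege, usage and escalation audits.

Added example, not code from the textbook. The roles, users, object names and
the usage-audit log lines below are constructed for illustration; the log
format (timestamp user action object) is an assumption of this example.
"""

# Constructed role definitions: each role is a set of (object, privilege) pairs.
ROLES = {
    "helpdesk": {("tickets", "read"), ("tickets", "write"), ("users", "reset_password")},
    "dba": {("payroll_db", "read"), ("payroll_db", "write"), ("payroll_db", "backup")},
    "auditor": {("payroll_db", "read"), ("logs", "read")},
}

# Constructed user -> roles assignment; users inherit every privilege of their roles.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"dba"},
    "carol": {"auditor"},
}

# Constructed usage-audit log: "timestamp user action object", one action per line.
SAMPLE_USAGE_LOG = """\
2015-04-02T09:00:00 alice read tickets
2015-04-02T09:05:00 alice write payroll_db
2015-04-02T09:10:00 carol read logs
2015-04-02T09:12:00 bob backup payroll_db
2015-04-02T09:15:00 dave read payroll_db
"""


def effective_privileges(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the privileges of every role the user holds (empty for unknown users)."""
    privs = set()
    for role in user_roles.get(user, set()):
        privs |= roles[role]
    return privs


def usage_audit(log, user):
    """Usage audit: the history of actions one user performed, with date and time."""
    history = []
    for line in log.splitlines():
        ts, who, action, obj = line.split()
        if who == user:
            history.append((ts, action, obj))
    return history


def privilege_audit(user, expected, user_roles=USER_ROLES, roles=ROLES):
    """Privilege audit: start from the list of privileges the user is expected to
    have and compare it with what is actually assigned.

    Returns (excess, missing). Excess privileges are the ones to revoke.
    """
    actual = effective_privileges(user, user_roles, roles)
    expected = set(expected)
    return actual - expected, expected - actual


def escalation_audit(log, user_roles=USER_ROLES, roles=ROLES):
    """Escalation audit: review the usage audit for actions performed without a
    matching assigned privilege, which is how unexpected escalation shows up."""
    findings = []
    for line in log.splitlines():
        ts, user, action, obj = line.split()
        if (obj, action) not in effective_privileges(user, user_roles, roles):
            findings.append((ts, user, action, obj))
    return findings


if __name__ == "__main__":
    print(sorted(effective_privileges("alice")))
    print(privilege_audit("bob", [("payroll_db", "read"), ("payroll_db", "write")]))
    for finding in escalation_audit(SAMPLE_USAGE_LOG):
        print("ESCALATION?", *finding)
```

The escalation audit flags two kinds of record: an action by a known user outside that user's role privileges, and any action by a user who holds no role at all (here "dave"), since both mean the usage history no longer matches the assigned privileges.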

Planning for Change Management

• Change management refers to a methodology for making changes and keeping track of those changes

• Change management involves identifying the changes that should be documented and then documenting them

Change Management Procedures

• Because changes can affect all users, and uncoordinated changes can result in unscheduled service interruptions, many organizations create a Change Management Team (CMT) to supervise the changes

• Duties of the CMT include those listed on page 427

Change Management Procedures (continued)

• Process normally begins with a user or manager completing a Change Request form

• Although these forms vary widely, they usually include the information shown on pages 427 and 428 of the text

Changes That Should Be Documented

• Although change management involves all types of changes to information systems, two major types of security changes need to be properly documented

• First, any change in system architecture, such as new servers, routers, or other equipment being introduced into the network

Changes that Should Be Documented (continued)

• Other changes that affect the security of the organization should also be documented:

– Changes in user privileges

– Changes in the configuration of a network device

– Deactivation of network devices

– Changes in client computer configurations

– Changes in security personnel

Documenting Changes

• Decisions must be made regarding how long the documentation should be retained after it is updated

• Some security professionals recommend all documentation be kept for at least three years after any changes are made

• At the end of that time, documentation should be securely shredded or disposed of so that it cannot be reproduced

Understanding Digital Rights Management (DRM)

• Most organizations go to great lengths to establish a security perimeter around a network or system to prevent attackers from accessing information

• Information security can also be enhanced by building a security fence around the information itself

• Goal of DRM is to provide another layer of security: an attacker who can break into a network still faces another hurdle in trying to access information itself

Content Providers

• Data theft is usually associated with stealing an electronic document from a company or credit card information from a consumer

• Another type of electronic thievery is illegal electronic duplication and distribution of intellectual property, which includes books, music, plays, paintings, and photographs

– Considered theft because it deprives the creator or owner of the property of compensation for their work (known as royalties)

Enterprise Document Protection

• Protecting documents through DRM can be accomplished at one of two levels

• First level is file-based DRM; focuses on protecting content of a single file

– Most document-creation software now allows a user to determine the rights that the reader of the document may have

– Restrictions can be contained in metadata (information about a document)

Enterprise Document Protection (continued)

• Server-based DRM is a more comprehensive approach

– Server-based products can be integrated with Lightweight Directory Access Protocol (LDAP) for authentication and can provide access to groups of users based on their privileges

Acquiring Effective Training and Education

• Organizations should provide education and training at set times and on an ad hoc basis

• Opportunities for security education and training:

– New employee is hired

– Employee is promoted or given new responsibilities

– New user software is installed

– User hardware is upgraded

– Aftermath of an infection by a worm or virus

– Annual department retreats

How Learners Learn

• Learning involves communication: a person or material developed by a person is communicated to a receiver

• In the United States, generation traits influence how people learn

• Also understand that the way you were taught may not be the best way to teach others

How Learners Learn (continued)

• Most individuals were taught using a pedagogical approach

• Adult learners prefer an andragogical approach

Available Resources

• Seminars and workshops are a good means of learning the latest technologies and networking with other security professionals in the area

• Print media is another resource for learning content

• The Internet contains a wealth of information that can be used on a daily basis to keep informed about new attacks and trends

Summary

• Identity management provides a framework in which a single authenticated ID is shared across multiple networks or online businesses

• Privilege management attempts to simplify assigning and revoking access control to users

• Change management refers to a methodology for making and keeping track of changes

Summary (continued)

• In addition to a security perimeter around a network or system, prevent attackers from accessing information by building a security fence around the information itself

• Education is an essential element of a security infrastructure

Chapter 13: Advanced Security and Beyond

Security+ Guide to Network Security Fundamentals

Second Edition

Objectives

• Define computer forensics

• Respond to a computer forensics incident

• Harden security through new solutions

• List information security jobs and skills

Understanding Computer Forensics

• Computer forensics can attempt to retrieve information—even if it has been altered or erased—that can be used in the pursuit of the criminal

• The interest in computer forensics is heightened:

– High amount of digital evidence

– Increased scrutiny by legal profession

– Higher level of computer skills by criminals

Forensics Opportunities and Challenges

• Computer forensics creates opportunities to uncover evidence impossible to find using a manual process

• One reason that computer forensics specialists have this opportunity is due to the persistence of evidence

– Electronic documents are more difficult to dispose of than paper documents

Forensics Opportunities and Challenges (continued)

• Ways computer forensics is different from standard investigations:

– Volume of electronic evidence

– Distribution of evidence

– Dynamic content

– False leads

– Encrypted evidence

– Hidden evidence

Responding to a Computer Forensics Incident

• Generally involves four basic steps similar to those of standard forensics:

– Secure the crime scene

– Collect the evidence

– Establish a chain of custody

– Examine and preserve the evidence

Securing the Crime Scene

• Physical surroundings of the computer should be clearly documented

• Photographs of the area should be taken before anything is touched

• Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected

• Team takes custody of the entire computer along with the keyboard and any peripherals

Preserving the Data

• Computer forensics team first captures any volatile data that would be lost when computer is turned off and moves data to a secure location

• Includes any data not recorded in a file on the hard drive or an image backup:

– Contents of RAM

– Current network connections

– Logon sessions

– Network configurations

– Open files

Preserving the Data (continued)

• After retrieving volatile data, the team focuses on the hard drive

• Mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards

• Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer contents at the crime scene

• Mirror image backups must meet the criteria shown on pages 452 and 453 of the text

Establishing the Chain of Custody

• As soon as the team begins its work, it must start and maintain a strict chain of custody

• Chain of custody documents that evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence
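The two steps above, an evidence-grade mirror image verified by hash and a chain-of-custody record for that image, as an added Python example. It is not code from the textbook: the "drive" is a constructed byte string (a real acquisition would read a block device through a write blocker), and hash-linking each custody entry to the previous one is this example's own design choice for making tampering with the record detectable.

```python
"""Evidence-grade (bit-stream) imaging with hash verification, and a
chain-of-custody log for the image.

Added example, not from the textbook. The "drive" is a constructed byte string;
on a real system the source would be a block device read through a write
blocker. Hash-linking the custody entries is this example's design choice.
"""
import hashlib
from datetime import datetime, timezone

# Constructed evidence drive: file data, a deleted-file remnant and unallocated space.
SAMPLE_DRIVE = (b"FAT32 boot sector" + b"\x00" * 47
                + b"memo.txt: meeting moved to Friday" + b"\x00" * 31
                + b"[deleted] old_report.doc" + b"\xff" * 40)


def bit_stream_copy(source):
    """Copy every byte of the source, including unallocated and slack regions.

    A mirror image must be an exact replica, so nothing is filtered or parsed.
    """
    return bytes(source)


def digest(data):
    """SHA-256 of the evidence; recomputed later to prove nothing changed."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source):
    """Image the source and verify the copy against it; returns (image, hash).

    Raises if the image does not match, which would make it unusable as evidence.
    """
    image = bit_stream_copy(source)
    if digest(image) != digest(source):
        raise RuntimeError("image verification failed")
    return image, digest(image)


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and its hash.

    Each entry includes the hash of the previous entry, so an altered or removed
    entry breaks the chain when verify() is run.
    """

    GENESIS = "0" * 64

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def _entry_hash(self, when, handler, action, evidence_hash, prev):
        payload = f"{self.evidence_id}|{when}|{handler}|{action}|{evidence_hash}|{prev}"
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, handler, action, evidence_hash, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"when": when, "handler": handler, "action": action,
                 "evidence_hash": evidence_hash, "prev": prev,
                 "entry_hash": self._entry_hash(when, handler, action, evidence_hash, prev)}
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence_hash):
        """True only if every entry is intact, linked to its predecessor, and
        records the same evidence hash that the image has now."""
        prev = self.GENESIS
        for e in self.entries:
            expected = self._entry_hash(e["when"], e["handler"], e["action"],
                                        e["evidence_hash"], e["prev"])
            if e["prev"] != prev or e["entry_hash"] != expected:
                return False
            if e["evidence_hash"] != current_evidence_hash:
                return False
            prev = e["entry_hash"]
        return bool(self.entries)


if __name__ == "__main__":
    image, h = acquire_image(SAMPLE_DRIVE)
    log = ChainOfCustody("EV-0001")
    log.record("examiner A", "acquired image at scene", h)
    log.record("examiner B", "received image for analysis", h)
    print("chain intact:", log.verify(digest(image)))
```

verify() fails for three different reasons, and all three matter in practice: the image hash no longer matches the recorded one (the evidence changed), an entry was edited after the fact (its own hash no longer matches), or an entry was removed (the next entry's "prev" link no longer matches).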

Examining Data for Evidence

• After a computer forensics expert creates a mirror image of system, original system should be secured and the mirror image examined to reveal evidence

• All exposed data should be examined for clues

• Hidden clues can be mined and exposed as well

• Microsoft Windows operating systems use Windows page file as a “scratch pad” to write data when sufficient RAM is not available

Examining Data for Evidence (continued)

• Slack is another source of hidden data

• Windows computers use two types of slack

• RAM slack: pertains only to the last sector of a file

• If additional sectors are needed to round out the block size for the last cluster assigned to the file, a different type of slack is created

• File slack (sometimes called drive slack): the padding data that Windows uses comes from data already stored on the hard drive
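The two kinds of slack above, computed and carved out of a file's last cluster, as an added Python example (not code from the textbook). It assumes a 512-byte sector and a 4096-byte cluster, which are common Windows values; the cluster contents, including the remnant of an earlier file left in the file slack, are constructed so the three regions are easy to tell apart.

```python
"""RAM slack and file slack in the last cluster of a file.

Added example, not from the textbook. Sector size 512 and cluster size 4096
are assumed (common Windows values); the cluster contents are constructed so
the three regions are easy to tell apart.
"""
import re

SECTOR = 512
CLUSTER = 4096


def slack_sizes(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, file_slack) in bytes for the file's last cluster.

    RAM slack: from the end of the file data to the end of its last sector,
    which Windows pads with whatever was in memory.
    File slack: the unused whole sectors that round out the last cluster; they
    still hold whatever was previously written to the drive.
    A file that exactly fills its last cluster has neither.
    """
    if file_size <= 0:
        raise ValueError("a zero-length file occupies no cluster")
    remainder = file_size % cluster
    if remainder == 0:
        return 0, 0
    sectors_used = -(-remainder // sector)          # ceiling division
    ram_slack = sectors_used * sector - remainder
    file_slack = cluster - sectors_used * sector
    return ram_slack, file_slack


def carve_slack(last_cluster, file_size, sector=SECTOR, cluster=CLUSTER):
    """Split the raw bytes of a file's last cluster into (data, ram_slack, file_slack)."""
    if len(last_cluster) != cluster:
        raise ValueError("expected exactly one cluster of bytes")
    ram, file_ = slack_sizes(file_size, sector, cluster)
    data_len = cluster - ram - file_                # equals the file's bytes in this cluster
    data = last_cluster[:data_len]
    ram_slack = last_cluster[data_len:data_len + ram]
    file_slack = last_cluster[data_len + ram:]
    return data, ram_slack, file_slack


def readable_runs(blob, min_len=6):
    """Printable-ASCII runs in a slack region: the 'hidden clues' an examiner looks for."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Constructed last cluster of a 1300-byte file: 1300 bytes of file data, then
# 236 bytes of RAM slack (3 sectors = 1536 bytes, minus 1300), then 2560 bytes
# of file slack (the 5 unused sectors) holding a remnant of an earlier file.
FILE_DATA = b"A" * 1300
RAM_SLACK = b"\x00" * 219 + b"RAM-resident text"
FILE_SLACK = b"\xff" * 100 + b"draft_memo.txt (deleted)" + b"\xff" * 2436
SAMPLE_CLUSTER = FILE_DATA + RAM_SLACK + FILE_SLACK


if __name__ == "__main__":
    print("slack for a 1300-byte file:", slack_sizes(1300))
    data, ram, fs = carve_slack(SAMPLE_CLUSTER, 1300)
    print("RAM slack strings:", readable_runs(ram))
    print("file slack strings:", readable_runs(fs))
```

Two edge cases are handled explicitly: a file whose size is an exact multiple of the cluster size has no slack at all, and a file whose size is a multiple of the sector size but not of the cluster size has file slack but no RAM slack.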

Hardening Security Through New Solutions

• Number of attacks reported, sophistication of attacks, and speed at which they spread continues to grow

• Recent attacks include characteristics listed on pages 457 and 458 of the text

• Defenders are responding to the increase in the level and number of attacks

• New techniques and security devices are helping to defend networks and systems

• The most recent developments and announcements are listed on pages 458 and 459 of the text

Exploring Information Security Jobs and Skills

• Need for information security workers will continue to grow for the foreseeable future

• Information security personnel are in short supply; those in the field are being rewarded well

• Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001

• Companies recognize the high costs associated with weak security and have decided that prevention outweighs cleanup

Exploring Information Security Jobs and Skills (continued)

• Most industry experts agree security certifications continue to be important

• Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses

TCP/IP Protocol Suite

• One of the most important skills is a strong knowledge of the foundation upon which network communications rests, namely Transmission Control Protocol/Internet Protocol (TCP/IP)

• Understanding TCP/IP concepts helps effectively troubleshoot computer network problems and diagnose possible anomalous behavior on a network

Packets

• No matter how clever the attacker is, they still must send their attack to your computer with a packet

• To recognize the abnormal, you must first understand what is normal
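What "understanding what is normal" looks like at the packet level, as an added Python example that is not from the textbook: parse the IPv4 and TCP headers of a raw frame and report header combinations that a normal TCP stack never produces. The frames are constructed in the block itself with checksums left at zero (they are never transmitted), and the anomaly rules are a small constructed set, not a complete IDS signature list.

```python
"""Parsing raw IPv4/TCP headers and flagging combinations that never occur in
normal traffic.

Added example, not from the textbook. The frames are constructed here with
checksums left at zero (they are never transmitted); the anomaly rules are a
small constructed set, not a complete IDS signature list.
"""
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4 + TCP packet (20-byte headers, no options)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | flags,   # data offset 5 words, then flag bits
                      65535, 0, 0)         # window, checksum (unset), urgent pointer
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def parse_ipv4_tcp(frame):
    """Return the header fields a packet analyst looks at first."""
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", frame[2:4])
    proto = frame[9]
    pkt = {"src": ".".join(map(str, frame[12:16])),
           "dst": ".".join(map(str, frame[16:20])),
           "proto": proto, "total_len": total_len, "wire_len": len(frame)}
    if proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   flags={name for name, bit in TCP_FLAGS.items() if off_flags & bit},
                   tcp_hdr_len=(off_flags >> 12) * 4)
    return pkt


def anomalies(pkt):
    """Reasons a packet is not 'normal'. An empty list means nothing stood out."""
    reasons = []
    if pkt["total_len"] != pkt["wire_len"]:
        reasons.append("IP total length does not match bytes on the wire")
    if pkt["proto"] != 6:
        return reasons
    f = pkt["flags"]
    if not f:
        reasons.append("no TCP flags set")          # a real stack always sets at least one
    if "SYN" in f and "FIN" in f:
        reasons.append("SYN and FIN both set")      # open and close in the same segment
    if "SYN" in f and "RST" in f:
        reasons.append("SYN and RST both set")
    if pkt["sport"] == 0 or pkt["dport"] == 0:
        reasons.append("port 0 in use")
    if pkt["tcp_hdr_len"] < 20:
        reasons.append("TCP header shorter than 20 bytes")
    return reasons


# Constructed sample frames (documentation addresses from 192.0.2.0/24).
NORMAL_SYN = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 51000, 443, TCP_FLAGS["SYN"])
SYN_FIN = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 51001, 443,
                         TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"])
NULL_PKT = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 51002, 22, 0)

if __name__ == "__main__":
    for name, frame in [("normal SYN", NORMAL_SYN), ("SYN+FIN", SYN_FIN), ("null", NULL_PKT)]:
        print(name, anomalies(parse_ipv4_tcp(frame)) or "normal")
```

The length check matters as much as the flag checks: a packet whose IP total length disagrees with the bytes actually received is truncated or malformed, and a parser that trusts the header value instead of the real length is itself a target for crafted input.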

Firewalls

• Firewalls are essential tools on all networks and often provide a first layer of defense

• Network security personnel should have a strong background of how firewalls work, how to create access control lists (ACLs) to mirror the organization’s security policy, and how to tweak ACLs to balance security with employee access
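Creating an ACL that mirrors the security policy, and checking that it actually does, as an added Python example (not code from the textbook). The rule syntax, the addresses and the policy test cases are constructed for illustration; the example also shows the classic first-match mistake of putting a broad permit ahead of a narrower deny.

```python
"""A first-match access control list (ACL) with an implicit deny, plus a check
that the ACL actually mirrors the written security policy.

Added example, not from the textbook. The rule syntax, the addresses and the
policy test cases are constructed for illustration.
"""
import ipaddress

# Constructed rule set: evaluated top to bottom, first match wins,
# anything unmatched is dropped (implicit deny at the end).
ACL = [
    # action, protocol, source network, destination network, destination port
    ("permit", "tcp", "0.0.0.0/0",    "203.0.113.10/32", 443),  # public web server
    ("permit", "tcp", "10.0.0.0/8",   "203.0.113.20/32", 22),   # admin SSH from inside only
    ("deny",   "tcp", "10.0.50.0/24", "0.0.0.0/0",       25),   # guest VLAN may not send mail directly
    ("permit", "tcp", "10.0.0.0/8",   "203.0.113.30/32", 25),   # everyone else may use the mail relay
    ("permit", "udp", "10.0.0.0/8",   "203.0.113.53/32", 53),   # internal resolver
]


def _matches(rule, packet):
    action, proto, src_net, dst_net, dport = rule
    return (proto == packet["proto"]
            and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(dst_net)
            and (dport is None or dport == packet["dport"]))


def evaluate(acl, packet):
    """Return (decision, rule_index) for the first matching rule; ('deny', None) if none."""
    for i, rule in enumerate(acl):
        if _matches(rule, packet):
            return rule[0], i
    return "deny", None


def policy_check(acl, cases):
    """Run the policy's test cases through the ACL; return the ones it gets wrong."""
    failures = []
    for description, packet, expected in cases:
        decision, _ = evaluate(acl, packet)
        if decision != expected:
            failures.append((description, expected, decision))
    return failures


# Constructed policy statements, written as test cases the ACL must satisfy.
POLICY_CASES = [
    ("internet to web server", {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}, "permit"),
    ("internet to admin SSH", {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20", "dport": 22}, "deny"),
    ("guest VLAN direct mail", {"proto": "tcp", "src": "10.0.50.12", "dst": "203.0.113.30", "dport": 25}, "deny"),
    ("staff to mail relay", {"proto": "tcp", "src": "10.0.7.12", "dst": "203.0.113.30", "dport": 25}, "permit"),
    ("staff DNS", {"proto": "udp", "src": "10.0.7.12", "dst": "203.0.113.53", "dport": 53}, "permit"),
    ("anything unlisted", {"proto": "tcp", "src": "10.0.7.12", "dst": "203.0.113.99", "dport": 80}, "deny"),
]

# The same rules with the broad mail permit moved ahead of the guest-VLAN deny:
# the deny can then never match, and the policy check catches it.
MISORDERED_ACL = ACL[:2] + [ACL[3], ACL[2]] + ACL[4:]

if __name__ == "__main__":
    print("correct ACL failures:", policy_check(ACL, POLICY_CASES))
    print("misordered ACL failures:", policy_check(MISORDERED_ACL, POLICY_CASES))
```

Keeping the policy as executable test cases is what makes "tweaking ACLs to balance security with employee access" safe: every later adjustment is re-run against the same cases, so loosening one rule cannot silently undo another.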

Routers

• Routers form the heart of a TCP/IP network

• Configuring routers for both packet transfer and packet filtering can become very involved

Intrusion-Detection Systems (IDS)

• Security professionals should know how to administer and maintain an IDS

• Capabilities of these systems have increased dramatically since they were first introduced, making them mandatory for today’s networks

• One problem is that IDS can produce an enormous amount of data that requires checking

Other Skills

• A programming background is another helpful tool for security workers

• Security workers should also be familiar with penetration testing

– Once known as “ethical hacking,” penetration testing probes vulnerabilities in systems, networks, and applications

Computer Forensic Skills

• Computer forensic specialists require an additional level of training and skills:

– Basic forensic examinations

– Advanced forensic examinations

– Incident responder skills

– Managing computer investigations

Summary

• Forensic science is the application of science to questions of interest to the legal profession

• Several unique opportunities give computer forensics the ability to uncover evidence that would be extremely difficult to find using a manual process

• Computer forensics also has a unique set of challenges that are not found in standard evidence gathering, including volume of electronic evidence, how it is scattered in numerous locations, and its dynamic content

Summary (continued)

• Searching for digital evidence includes looking at “obvious” files and e-mail messages

• Need for information security workers will continue to grow, especially in computer forensics

• Skills needed in these areas include knowledge of TCP/IP, packets, firewalls, routers, IDS, and penetration testing