CompTIA Security+ Certification Study Guide
CompTIA Security+ Exam
Exam Number: SY0-101
Number of Questions: 100
Time Allotted: 90 Minutes
Passing Score: 764/900
Exam Objectives: Available at the CompTIA site
Access Control Models
MAC Mandatory Access Control - An administrator creates a predefined set of permissions and assigns them to users and objects (labels).
DAC Discretionary Access Control - The resource owner establishes who or what has rights to an object (ACL).
RBAC Role Based Access Control - Rights are assigned per user role; roles are usually based on organizational structure.
Authentication and Identification
Kerberos Kerberos uses a KDC Key Distribution Center to manage authentication. The KDC issues a ticket to a principal; the principal can use the ticket to authenticate to other principals.
CHAP Challenge Handshake Authentication Protocol - The client sends a logon request. The server returns a challenge. The client returns the challenge, encrypted. If the server sees a match, authentication is granted.
MS-CHAP Microsoft's implementation of CHAP.
Certificates A Certificate Authority issues a certificate to a client. Certificates can be revoked using a CRL Certificate Revocation List.
PAP Password Authentication Protocol - Username and password are sent in clear text.
Tokens A token contains the rights of the token holder.
Multi-Factor Authentication Two or more access methods used in concert.
Biometrics Biometrics use physical characteristics such as retina scanning, fingerprint reading, face recognition or hand scanners.
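An added illustration of the CHAP exchange described above, not part of the original guide: the server issues a fresh random challenge, the client answers with the MD5 hash over identifier, shared secret and challenge as RFC 1994 specifies, and the server compares. The shared secret and the message flow are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret, provisioned to both sides out of band. In CHAP
# the secret itself never crosses the wire (unlike PAP's clear-text password).
SHARED_SECRET = b"constructed-example-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side. RFC 1994 MD5-CHAP: Response = MD5(Identifier || Secret || Challenge).
    The challenge is not encrypted and echoed; it is hashed together with the secret."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Server side: issues a fresh random challenge per logon and compares the
    client's response with its own computation over the same inputs."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        # New identifier and new random challenge on every logon request, so a
        # response captured on the wire is only valid for that one exchange.
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        # pop(): each challenge may be answered once; a second answer fails.
        chal = self.outstanding.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def chap_logon(server: ChapServer, client_secret: bytes) -> bool:
    """One complete exchange: logon request -> challenge -> response -> result."""
    ident, chal = server.challenge()                    # server -> client
    resp = chap_response(ident, client_secret, chal)    # client -> server
    return server.verify(ident, resp)                   # server decides


def replayed_logon(server: ChapServer) -> tuple:
    """Shows why the per-logon challenge matters: the same captured response
    succeeds once and is rejected when presented a second time."""
    ident, chal = server.challenge()
    resp = chap_response(ident, SHARED_SECRET, chal)
    return server.verify(ident, resp), server.verify(ident, resp)


if __name__ == "__main__":
    srv = ChapServer(SHARED_SECRET)
    print("valid secret accepted:", chap_logon(srv, SHARED_SECRET))
    print("wrong secret accepted:", chap_logon(srv, b"wrong"))
    print("first use / replay:   ", replayed_logon(srv))
```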
Security Design Goals
The CIA triad: Confidentiality, Integrity and Availability
Confidentiality Prevent unauthorized access.
Integrity The data is true and trustworthy.
Availability Protect data and prevent its loss.
Accountability Knowing who owns data and making sure it is accurate.
Security Topologies
Security Zones A design that isolates groups of systems from one another.
DMZ Demilitarized Zone - Area for public servers; keeps the local network unavailable to external requesters.
Intranet Private internal network
Extranet Including external partners in the Intranet zone
VLAN Virtual Local Area Network - segments the local LAN to control access.
NAT Network Address Translation
VPN Virtual Private Network
Risk Identification
Asset Identification Places a value on information
Risk Assessment Evaluating the likelihood of specific threats
Threat Identification Identifying specific threats
Security Types
Physical Security items that can be seen, touched or stolen
Operational Security Security of the business' workflow; access control and authentication.
Management And Policies Policies outline what is approved access to resources. Management enforces the corporate policy.
Types of Policies
Administrative Policies Corporate guidelines for upgrades, monitoring, backups and audits.
Software Design Requirements Policies that cover the requirements for functionality and auditing of custom code.
DRP Disaster Recovery Plan - Corporate document that explains the course of action for a business during a crisis.
Information Policies - Documentation about access to information, confidentiality, storage and destruction of data.
Security Policies - Configuration of systems and networks.
Usage Policies - Spell out what is acceptable use of company equipment, data and resources. Consequences, monitoring and incident handling are also covered.
User Management Policies - New user creation and deletion policy. Includes password changes.
Attack Types
Access Attacks The attacker's goal is to gain unauthorized access to information or services.
Dumpster Diving Literally picking through the corporate dumpster for information. Also called Information Diving.
Eavesdropping Simply listening in, in an effort to gain knowledge.
Snooping Peeking around for information.
Interception The attacker positions himself covertly, either physically or in a digital sense, in the middle of a transaction or conversation.
Modification Attacks The attacker's goal is to alter information for gain.
Repudiation Attacks Modifying with the purpose of discrediting or invalidating information.
Back Doors By design or surreptitiously inserted, a back door allows the attacker a way into a system or application for purposes of control.
Denial Of Service Attacks
DOS Denial of Service
DDOS Distributed Denial of Service
A DOS or DDOS attack seeks to deny legitimate users access to information, applications or services. A DDOS is distributed, meaning that multiple hosts participate in the attack. Reactive defense methods include "walking the path" back to the source up to the border router and working with that router's owner; filtering, which may or may not be effective; and scaling up bandwidth and hardware in response to the attack. Unplugging is the option of last resort. Proactive defense can be provided in hardware and planning (such as having a backup range of IP addresses that can be cut over to).
Common Types of DOS attacks
SYN Flood Attempting to tie up resources with incomplete TCP connections.
Smurf Attack A broadcast is sent to multiple machines with a forged source address; all the machines reply to the victim host, inundating it with responses.
Ping Flood The victim host is sent an overwhelming amount of ping traffic.
Fraggle Attack A flood of UDP traffic is sent to a victim host.
Application Flood The attacker leverages a weakness at the application level; IRC floods are a common example.
Spoofing The attacker attempts to appear to be someone else, usually a legitimate user.
Man In The Middle This interception attack relays communications between hosts who have a legitimate connection. The attacker may insert, delete or gather information. Wireless access is a common vector for this attack.
Replay Attack The attacker attempts to capture packets on their way from one host to another, and then replay them to a targeted host in an attempt to impersonate a legitimate user or system.
Password Cracking Attempting to gain a valid credential given a login prompt. Defenses are account lockout, expiring passwords and protecting password hashes.
Brute Force Trying a large number of character combinations to break a password scheme.
Dictionary Attack Attempting to crack a password scheme using wordlists.
Guessing The attacker simply tries to guess a password, either using inside knowledge or commonly used passwords.
Virus Attack Malicious code designed to further the attacker's goals. May be custom written for the target. Antivirus software is the commonly employed defense.
Polymorphic Virus The code can change to avoid signature-based detection.
Stealth Virus Code may attach itself to legitimate code in order to hide.
Retrovirus Code attacks antivirus defense software.
Multipartite Virus Code is designed to use multiple techniques to cause its havoc.
Armored Virus Code is designed to stop the removal of the virus by stealth, encryption or obfuscation.
Companion Virus Code attaches itself to legitimate applications.
Phage Virus This virus attempts to change other programs.
Macro Virus This code is written in a macro programming language, common in Microsoft Office-like applications.
Trojan Horse A malicious program that misrepresents its true intentions, and attempts to trick the user as to its purpose.
Logic Bomb Malicious code that executes when a criterion is met, such as a date or a specified action being performed.
Worm Self-replicating virus; the goal is to propagate.
Social Engineering The attacker attempts to con the victim into trusting them. The goal may be to obtain information or access to further the attacker's cause. May occur over the Internet, email, phone or even in person. Almost impossible to defend against given the salesmanship of the perpetrator. Education of users is the most commonly cited defense strategy for social engineering attacks.
Phishing Type of social engineering that attempts to trick the target by presenting a false link to a compromised or bogus login page.
Spearphishing Using a phishing attack on a very specific target.
Joe Job Spamming using a forged email address, that of the target. Spam recipients are fooled by the forgery and either target or discredit the victim.
Wireless
802.11 is the wireless standard (Wi-Fi) established by the IEEE (Institute of Electrical and Electronics Engineers). There are three types of common Wi-Fi technology in use today, and research and development continuously improves both bit rate and range.
802.11a
Operates in the 5 GHz spectrum, at speeds up to 54 Mbits/s. 802.11a was adopted by corporations specifically because of its better ability to use fewer access points for more users; the speed boost was also a factor. Another factor that helped high-end technology adopt the standard was the use of the 5 GHz spectrum, which is less crowded by other devices. 802.11a equipment carried an additional price premium, perhaps because of economies of scale. It also suffers from a shorter range than the 802.11b standard.
802.11b
Uses the 2.4 GHz spectrum. Rates range from 1 to 11 Mbits/s, dependent on range and interference. Sometimes interference is incurred from other devices in consumer environments. This was the first widely available consumer-level wireless technology. Enhanced versions use techniques such as channel bonding and burst transmission to increase rates, but these are not part of the official standard, so interoperability between vendors may suffer.
802.11g
2.4 GHz radio spectrum. Transfer for 11g is rated up to 54 Mbits/s. 802.11g is the current consumer-level choice because of availability, compatibility with existing 802.11b equipment and price. The range at which 802.11g equipment can maintain its highest speeds is smaller than 802.11b.
When 802.11g and 802.11b clients share a network, 802.11g clients suffer because the two standards use different types of modulation. 802.11g clients use the same type of modulation as 802.11a clients, OFDM (Orthogonal Frequency Division Multiplexing). OFDM breaks data into subsignals and transmits them simultaneously across different frequencies. 802.11b clients use DSSS (Direct Sequence Spread Spectrum) multiplexing. Direct Sequence Spread Spectrum sends a separate high-speed signal carrying the data alongside the data itself; this allows reconstruction in case of a disruption.
802.11n
Pre-n technology is available now, but is not based on a shared ratified standard. Speeds are in the neighborhood of 100 to 540 Mbits/s. Early adopters may pay the price with incompatible hardware once a standard is ratified. Pre-n is not limited to using the 2.4 GHz range, but commonly does for cost considerations. This technology typically uses a multiple-path scheme called MIMO (Multiple Input, Multiple Output) to increase available bandwidth between clients and an access point. Some Pre-n equipment interferes with other wireless gear, rendering it inoperable within the Pre-n unit's range.
Securing an 802.11x wireless network
Use a MAC filter - only registered and recognized MAC addresses are allowed to join the network.
Don't broadcast the SSID, after setting it to something unique.
Use RADIUS for centralized authentication.
Set the connection to require the strongest encryption available to both client and access point, with a key unique to the network.
Use a VPN for access over Wi-Fi.
Use a gateway/firewall between wireless clients and the local LAN.
802.11 Encryption
WEP Wired Equivalent Privacy - Encryption with shared 40-bit or 128-bit keys. Very quickly crackable. Supported by legacy equipment.
WPA Wi-Fi Protected Access - Uses TKIP Temporal Key Integrity Protocol and MIC Message Integrity Check. TKIP changes the base key used to encode data after a set number of frames have been sent. As time passes, so does the key.
TSC TKIP Sequence Counter - blocks replay attacks
IV Initialization Vector - allows key changes.
WPA2 802.1x security and key exchange to strengthen data encryption using AES.
Future Standards
RSN Robust Security Network
802.11i Uses AES Advanced Encryption Standard and CCMP Counter Mode CBC-MAC Protocol. Addresses key management issues, using a master key to generate other keys, which are then used by clients.
Intrusions & prevention
IDS Intrusion Detection System Monitors the system or network for anomalies.
IPS Intrusion Prevention System Uses active responses to malicious traffic.
Network Monitoring Watching what is happening on the network, either by packet monitoring or device reporting.
Tap A device used to hook into the network and monitor network traffic.
Activity An item of interest to the operator.
Alert Message that indicates an activity has occurred.
Analyzer Collects data from sensors and checks it for activities.
Event Suspicious activity occurrence.
Manager The console for the IDS/IPS.
Sensor Collects data for the analyzer.
MD-IDS Misuse Detection IDS Evaluates traffic against attack signatures and audit trails.
AD-IDS Anomaly Detection IDS Looks for patterns that do not match normal traffic baselines.
N-IDS Network Based IDS Sits on the network at choke points, looking at all traffic that passes by.
H-IDS Host Based IDS Runs on a host system and protects that system. Examines log files. Exposed to tampered log files; costly deployment. Can use checksums on files.
Active Response Kill processes or sessions, change network configuration, implement deceptive responses.
Passive Response Logging, notification and shunning (ignoring).
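An added example, not from the original guide, that runs the two detection styles defined above over constructed access-log lines: the MD-IDS half matches known signatures, the AD-IDS half flags sources that exceed a traffic baseline, and the result shows what each style misses. IP addresses, paths and the threshold are constructed for the demonstration.

```python
import re
import statistics
from collections import Counter


def make_lines(src_ip: str, count: int, path: str = "/index.html") -> list:
    """Builds constructed access-log lines: '<src_ip> GET <path> <status>'."""
    return [f"{src_ip} GET {path} 200" for _ in range(count)]


# Constructed known-good traffic used to train the anomaly detector.
BASELINE_LOG = (make_lines("10.0.0.1", 4) + make_lines("10.0.0.2", 5)
                + make_lines("10.0.0.3", 6) + make_lines("10.0.0.4", 5)
                + make_lines("10.0.0.5", 5))

# Constructed live traffic: normal hosts, one flood-like burst from a new
# source, and one request whose path carries a well-known traversal pattern.
LIVE_LOG = (make_lines("10.0.0.1", 5) + make_lines("10.0.0.2", 4)
            + make_lines("10.0.0.9", 20)
            + ["10.0.0.5 GET /cgi-bin/../../etc/passwd 404"])

# MD-IDS knowledge: signatures of misuse we already know how to recognise.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "passwd file request": re.compile(r"/etc/passwd"),
}


def misuse_detect(lines: list) -> list:
    """MD-IDS: every line is compared against each signature; one alert per
    (signature, line) match. Traffic with no matching signature is silent,
    so the 20-request burst below produces no misuse alert."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def learn_baseline(lines: list) -> tuple:
    """AD-IDS training: mean and standard deviation of requests per source
    over traffic believed to be normal."""
    per_source = Counter(line.split()[0] for line in lines).values()
    return statistics.mean(per_source), statistics.pstdev(per_source)


def anomaly_detect(lines: list, baseline: tuple, k: float = 3.0) -> dict:
    """AD-IDS: flag sources whose request volume exceeds mean + k*stdev of
    the baseline. Needs no signature, but a single crafted request stays
    below the threshold and is not seen as anomalous."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(line.split()[0] for line in lines)
    return {ip: n for ip, n in counts.items() if n > threshold}


def run_ids(lines: list) -> dict:
    """Runs both detectors over the same traffic and returns their alerts;
    together they cover what either one alone would miss."""
    return {
        "misuse": misuse_detect(lines),
        "anomaly": anomaly_detect(lines, learn_baseline(BASELINE_LOG)),
    }


if __name__ == "__main__":
    for kind, alerts in run_ids(LIVE_LOG).items():
        print(kind, "->", alerts)
```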
Honey Pot A target machine set up as bait for an attacker, or to trap the attacker. Should misrepresent its purpose to an attacker as well.
Honey Net A network of honey pot computers, designed to fool the attacker. Can be run in software on a single host or be distributed over several hosts.
Enticement Luring into a plan or trap.
Entrapment Encouragement to commit a crime.
Incident Response The process of identifying, investigating, repairing and documenting, in order to understand and prevent an incident.
Escalation Using a predetermined path of responsibilities, moving 'up the chain'.
Site Surveys Listening in on a wireless network for data and signal intelligence.
Packet Sniffing Monitoring data on the wire.
Signal Analysis and Intelligence Capturing and analyzing electronic signals to identify and evaluate a target and track communication patterns.
Footprinting/Fingerprinting Using signal analysis and intelligence to understand a network and its topology, its hosts and host operating systems. Google searches and running nmap against an IP range are common examples.
Vulnerability Scanning Runs a set of queries against a target looking for the signature of a known or unknown vulnerability in a service or system.
Security Baseline A level of security that is expected
CC Common Criteria A standard developed by multiple nations. Breaks down into 7 EAL Evaluation Assurance Levels. These range from EAL1, where there are assurances the system operates correctly and security threats are not serious, up to EAL7, for extreme levels of security. To achieve EAL7 requires testing, measurement and independent auditing. Commercial systems should have a rating of EAL4. The Common Criteria can be found at commoncriteriaportal.org.
TCSEC Trusted Computer System Evaluation Criteria - the CC's forefather. Has been replaced.
Hardening The process of securing a computing environment from attackers.
OS hardening can be achieved by removing unneeded protocols and services and installing security patches.
MS OS Items of interest here are IIS, FTP and installing service packs.
Novell Needs to have a properly configured NDS (Novell Directory Service) or eDirectory; remove unneeded NLMs (NetWare Loadable Modules) and install Support Packs, the Novell version of service packs.
Unix/Linux Install patches, remove unneeded services.
Apple Mac systems Ensure login at startup, remove unneeded protocols.
PBX security
Make sure remote access for maintenance uses strong authentication. Turn it off when not in use, if possible.
Insist on strong user passwords that do not contain the extension, repeating digits or sequential digits.
Security Acronyms
Common services and Ports Used
DNS Domain Name System 53
POP3 Post Office Protocol 110
SMTP Simple Mail Transfer Protocol 25
SNMP Simple Network Management Protocol 160,161
NNTP Network News Transfer Protocol 119
FTP File Transfer Protocol 20,21
SSL Secure Sockets Layer 443
TELNET 23
TACACS authentication 49
HTTP 80
HTTPS 443
NetBIOS 137,138,139
IMAP 143
LDAP 389
LDAP SSL 636
SSH Secure Shell 22
AH, ESP ports 50 and 51
Common Routing Protocols
RIP Routing Information Protocol - broadcast, shortest path
BGP Border Gateway Protocol - ISP/intrasystem use, allows groups of routers to share information
OSPF Open Shortest Path First
IGRP Cisco's Interior Gateway Routing Protocol
EIGRP Cisco's Enhanced Interior Gateway Routing Protocol
Connectivity Terms
RAS Remote Access Service
RRAS Routing and Remote Access Service - Microsoft
POTS Plain Old Telephone Service
PSTN Public Switched Telephone Network
PBX Private Branch Exchange
VNC Virtual Network Computing
CO Central Office
CPE Customer Premises Equipment
NOC Network Operations Center
VoIP Voice Over IP
Modem - Modulate Demodulate
WAP Wireless Access Point (transceiver)
WEP Wired Equivalent Privacy
SSID Service Set Identifier
VPN Virtual Private Network
L2TP Layer 2 Tunneling Protocol
PPTP Point to Point Tunneling Protocol
RF Radio Frequency
NIC Network Interface Card
SSH Secure Shell
TLS Transport Layer Security
IPSEC IP Security Architecture
L2F Layer 2 Forwarding
CGI Common Gateway Interface
SLIP Serial Line Internet Protocol - No security; legacy remote access protocol.
PPP Point to Point Protocol - Works with a range of connectivity from POTS to a T1. No data security. Can use CHAP for authentication. Encapsulates traffic in NCP Network Control Protocol. Authentication provided by LCP Link Control Protocol.
PPTP Point to Point Tunneling Protocol - Encapsulates and encrypts PPP packets. Uses port 1723 on TCP.
L2F Layer 2 Forwarding - Authenticates, but no encryption. Port 1701 on TCP.
L2TP Layer 2 Tunneling Protocol - Mix of PPTP and L2F. Can be used with TCP and other protocols, therefore can be used to bridge networks. Information not encrypted. Uses port 1701 on UDP.
SSH Secure Shell - Encrypted. Can tunnel apps such as telnet, ftp, etc. Port 22 on TCP.
IPSec Internet Protocol Security - Used with other tunneling protocols for encryption of both data and headers. Transport mode only encrypts data; tunnel mode protects both the data and the headers. Uses AH Authentication Header and ESP Encapsulating Security Payload.
RADIUS Remote Authentication Dial In User Service - Open standard. Central administration and authentication of remote users. Supports auditing and accounting over multiple systems.
TACACS+ Terminal Access Controller Access Control System Plus - Accepts credentials from multiple sources to authenticate connections.
File Systems
FAT32 File Allocation Table Win 95/98/ME
NTFS New Technology File System. Win NT/2K/XP/03
NFS NetWare File System Novell NetWare Specific
NSS NetWare Storage Services Novell NetWare specific, version 6 onward
HFS Hierarchical Filesystem Unix
NFS Network File System -Unix can mount remote locations
AFS Apple File Sharing -Uses AppleTalk protocol
Encryption
Cryptography Concealing information
Plaintext unencrypted information
Ciphertext encoded information
Cryptanalysts Those who break crypto
Steganography Hiding information in other information (such as a picture)
Cipher A method used to encode information
Substitution Cipher Replaces one thing with another
Transposition Cipher Scrambling information in a certain manner
Hashing Using mathematical functions to encode information
Quantum Cryptography Encrypting data based on the properties of photons; fiber-optic transmission of secret keys
Keyspace A representation of the number of possible combinations of key transformations supported by a cipher
Perfect Secrecy The number of possible keys is the same as the number of possible messages.
Code breaking techniques
Frequency Analysis Looking for patterns in the encrypted information
Algorithm Errors The crypto output becomes predictable and leads to compromise
Brute Force Trying every combination until one works
Human Error Attack the weakest link
Codebook Attack Attacker attempts to build a book of all possible transformations between ciphertext and plaintext.
One Way Hash Message cannot be decoded back to the original value
Two Way Hash Message can be decoded back to the original value
SHA Secure Hash Algorithm
MDA Message Digest Algorithm
Message Authentication The message is verified to be from the sender
Message Integrity The message has not been altered from its original content
MAC Message Authentication Code - Verifies message integrity and authentication, using a key and the data with a hashing algorithm.
Digital Signature Hash process using a key from the sender, who provides a copy to the receiver.
Symmetric Algorithms
Both sender and receiver must have the same key.
DES Data Encryption Standard, 56 bit key
AES Advanced Encryption Standard - Rijndael algorithm. Key sizes are 128, 192 and 256 bits
3DES Triple DES. Harder to break than DES
CAST Carlisle Adams and Stafford Tavares 40 to 128 bit key
RC Rivest Cipher Key up to 2048 bits
Blowfish 64 bit block cipher
Twofish 128 bit block cipher
IDEA International Data Encryption Algorithm.
Asymmetric Algorithms
Use public/private key pair to encrypt.
RSA Works for encryption and digital signatures. SSL uses RSA.
Diffie-Hellman Used to exchange keys securely.
ECC Elliptic Curve Cryptography - Smaller, lighter than RSA. Leveraged by mobile devices.
PKI Public Key Infrastructure - Asymmetric system that attempts to provide a framework for end-to-end security covering messages and transactions, across different infrastructures.
CA Certificate Authority - Issues, distributes and revokes certificates.
Certificate Associates a public key with a user.
RA Registration Authority Works with a CA to offload work; can do everything except issue certificates.
LRA Local Registration Authority Can identify users and proxy to the CA.
CRL Certificate Revocation List - Process to expire a certificate early. Published by the CA.
X.509 ITU standard certificate format. Version 2 for CRLs and version 3 for certificates.
CMP Certificate Management Protocol - Allows PKI entities to communicate.
XKMS XML Key Management Specification Allows XML programs to access PKI. Built on CMP.
SSL Establishes the session using asymmetric encryption; the session itself uses symmetric encryption. Clients must be able to accept the level of encryption (40 bit, 56 bit, 128 bit, 256 bit). Older browsers are limited.
TLS Transport Layer Security Expected to replace SSL. Updated version of SSL, also called SSL 3.1; not interoperable with regular SSL.
PGP Pretty Good Privacy - Popular system for public domain crypto. Seen often in email.
S/MIME Secure Multipurpose Internet Mail Extensions - Secure MIME for email. Uses asymmetric encryption and certificates for authentication.
SET Secure Electronic Transaction - Visa/MasterCard protocol for secure card transactions.
PKIX Public Key Infrastructure X.509 IETF working group for X.509.
PKCS Public Key Cryptography Standards Voluntary standards for vendors to implement PK crypto.
Disaster Recovery/Business Continuity
Disaster Recovery Plan A corporate plan to re-implement services in the event of an outage (reactive). Test (and document the test) at least yearly. The DR plan should include a complete inventory of all devices.
Business Continuity Plan Processes and methods to minimize business disruption (proactive). Should contain information about specific events, contracts and a contact list.
Redundancy Multiple components designed for fail-over
Clustering Strategy for redundancy and load balancing
Fault Tolerance Operation is continued if a fault occurs
Working Copy Backups Backups maintained onsite (shadow copies)
Onsite Storage Local information store
Alternate Site A secondary site for restoring network operations
Reciprocal Agreement Two entities agree to do best effort to provide services in the event of an emergency.
Hot Site A fully equipped and operational data processing facility- ready to go. Very expensive. Active backup model.
Warm Site Conditioned space with communications, environmental controls and power. Equipment is in place. Data may be near-line or brought in via removable media such as tape. (active/active model)
Cold Site Conditioned space, possibly with communications, environmental controls and power. No live data.
MTBF Mean Time Between Failures - anticipated time before a failure occurs.
MTTR Mean Time To Repair - how long it takes to repair a system.
Code Escrow A third party holds source code in escrow to assure availability.
Corporate Policies
Incident Response Policy How to respond to a security incident, including logging, notification, chain of custody, information gathering, and contact lists.
Certificate Policy Policy for issuing and managing certificates, including use and storage.
Data Retention Policy Defines the life of data and how to properly dispose of data.
Separation Of Duty Policy Designed to reduce the risk of fraud.
Need to Know Policy Limits information to those who require it for their duties.
Privacy/Confidentiality Policy States what information can or cannot be disclosed.
Acceptable Use Policy Lays out what can and cannot be done with services and equipment.
Human Resource Policies Hiring policy, termination policy, ethics policy.
Best Practices Set of recommendations on how to implement or use a practice or product.
Security Policy Controls implemented to maintain the security of systems, users and networks.
Change Documentation Log that records changes to the computing environment.
Auditing Making sure that policies and procedures are followed with regard to organizational policies.
Backup Technologies
Backups should be performed regularly, in accordance with the corporate disaster recovery plan. Popular backup strategies include:
GFS Grandfather - monthly tape, stored offsite. Father - weekly tape. Son - 4 daily tapes.
Full Every file is backed up. Archive bit reset. Offers the fastest restore, at the expense of the time required to back up.
Incremental Backs up only files that have changed since the most recent full backup was done. Resets the archive bit.
Progressive Incremental Assumes all backups, including the first full, are incremental.
Differential Backs up any files that are determined to have changed since the most recent full backup. Does not clear the archive bit.
Straight Copy Does not clear the archive bit.
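An added simulation, not from the original guide, of the archive-bit behaviour the strategies above describe: a full backup on day 0, two days of incremental or differential backups with one changed file per day, and the tapes each restore then needs. The file names, version numbers and the three-day schedule are constructed for the example.

```python
class Volume:
    """Constructed file system model. The OS sets the archive bit whenever a
    file is created or modified; backup software may clear it to record that
    the file has been captured. Versions let a restore be checked for
    completeness."""

    def __init__(self, names):
        self.version = {n: 1 for n in names}
        self.archive = {n: True for n in names}

    def modify(self, *names):
        for n in names:
            self.version[n] = self.version.get(n, 0) + 1
            self.archive[n] = True  # new or changed file -> bit set again


def _tape(vol: Volume, names, clear_bit: bool) -> dict:
    """Writes a 'tape': name -> version for the selected files, optionally
    clearing their archive bits afterwards."""
    copied = {n: vol.version[n] for n in sorted(names)}
    if clear_bit:
        for n in copied:
            vol.archive[n] = False
    return copied


def full_backup(vol: Volume) -> dict:
    """Full: every file, archive bit reset."""
    return _tape(vol, vol.version, clear_bit=True)


def incremental_backup(vol: Volume) -> dict:
    """Incremental: files with the bit set; resets the bit, so the next
    incremental only captures files changed after this one."""
    return _tape(vol, [n for n, b in vol.archive.items() if b], clear_bit=True)


def differential_backup(vol: Volume) -> dict:
    """Differential: files with the bit set; leaves the bit alone, so each
    differential holds everything changed since the last full."""
    return _tape(vol, [n for n, b in vol.archive.items() if b], clear_bit=False)


def straight_copy(vol: Volume) -> dict:
    """Straight copy: everything, no archive bits touched."""
    return _tape(vol, vol.version, clear_bit=False)


def restore(tapes: list) -> dict:
    """Applies tapes in order; a later tape's version of a file wins."""
    state = {}
    for tape in tapes:
        state.update(tape)
    return state


def three_day_schedule(strategy) -> tuple:
    """Day 0 full, then two days of 'strategy' with one change per day.
    Returns the volume's final state and the tapes written."""
    vol = Volume(["payroll.db", "web.conf", "readme.txt"])
    tapes = [full_backup(vol)]
    vol.modify("payroll.db")
    tapes.append(strategy(vol))
    vol.modify("web.conf")
    tapes.append(strategy(vol))
    return vol, tapes


def restore_plan(strategy) -> tuple:
    """(tapes needed, restore complete?) after day 2: an incremental chain
    needs the full plus every incremental; a differential chain needs only
    the full plus the latest differential."""
    vol, tapes = three_day_schedule(strategy)
    needed = tapes if strategy is incremental_backup else [tapes[0], tapes[-1]]
    return len(needed), restore(needed) == vol.version


if __name__ == "__main__":
    for s in (incremental_backup, differential_backup):
        print(s.__name__, three_day_schedule(s)[1], "->", restore_plan(s))
```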
Server Room Physical Security
Secure access to the server room and backup tapes
All doors should lock either by key or card; two factor locks if possible.
Server rack doors should lock
Remove trashcans from the server room (no need for cleaning personnel in there)
Access Control limiting access to computing environments, physically or logically.
Examples of biometrics include retina scanning, fingerprint reading and palm scanning. Good for two factor authentication.
Man Trap a two door system with a gap space between. May include a window for observation.
Physical Barriers Items such as perimeter walls, locking doors, motion detectors and burglar alarm systems.
Computer Forensics
Analyzing a computer system, looking at all files, including hidden or deleted data, that may be used to understand an incident.
Root Cause Analysis The most basic cause or situation that allowed an incident to happen
Bit for bit copy - making an exact copy of computer media, which is created in a manner which is non-destructive to the source. The bit for bit copy will be analyzed, leaving the original unchanged.
Forensic Investigation Method (3 A's)
Acquire the evidence - gather data from machines.
Authenticate the evidence - prove that the evidence is factual and untampered.
Analyze the evidence - look for the trail of actions and operations related to the incident.
Chain Of Custody - log of the possession of evidence; should catalog every event since the time of evidence collection. Who, how and where. Date and time stamps are critical.
Preservation Of Evidence (bag and tag) - make sure that physical control of evidence exists and is logged.
Security+ is © CompTIA.