
CompTIA Security

Chapter 1: Network Devices and Cabling

Hub - layer 1; uses up bandwidth (disadvantage)
Switch - layer 2; MAC addresses; able to filter traffic
- filtering
- Port mirroring/port monitoring - copy traffic from other ports to a single port
- Port Security - configure a port to accept a specific MAC address
- Disable ports
- create multiple networks within the switch
Router - layer 3 device; creates broadcast domains (a broadcast domain is a group of systems that receive one another's broadcast messages; a broadcast is destined for all systems)
Load Balancer - designed to split the load between components (servers and routers)
Firewall - controls what traffic is allowed to enter and leave a network
Proxy Server - controls outbound communication; can perform a high level of logging (admin can track websites)
Default Gateway - needed in order to connect to the internet
IP Address Classes:
Class A - 1st octet 1-126; SN: /8
Class B - 1st octet 128-191; SN: /16
Class C - 1st octet 192-223; SN: /24
Class E - 1st octet 240-247

127 - loopback address; local system/localhost
Illegal Addresses - not allowed to be assigned to a host:
- 127.x.x.x (loopback)
- host ID portion set to all 0s = network ID
- host ID portion set to all 1s = broadcast ID
- duplicate IP address
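As an added illustration (not from the original notes), the checks above in Python: classify an IPv4 address by its first octet using the ranges listed here, compute the network ID and broadcast ID for a given prefix length, flag the illegal host addresses, and spot duplicate assignments. The Class D range is omitted because the notes do not list it; all addresses used are constructed.

```python
import ipaddress

# Constructed lookup of the classful ranges listed in the notes above
# (Class D, 224-239, is not in the notes and is left out here).
CLASS_RANGES = [
    ("A", 1, 126, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("E", 240, 247, None),
]


def classify(addr):
    """Return (class letter, default prefix length) for a dotted-quad IPv4 address."""
    first = int(addr.split(".")[0])
    if first == 127:
        return ("loopback", None)
    for letter, lo, hi, prefix in CLASS_RANGES:
        if lo <= first <= hi:
            return (letter, prefix)
    return ("unknown", None)


def address_check(addr, prefix_len):
    """Compute the network ID and broadcast ID for addr/prefix_len and flag the
    addresses the notes call illegal: loopback (127.x.x.x), the network ID
    (host bits all 0) and the broadcast ID (host bits all 1)."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    host, net = iface.ip, iface.network
    reasons = []
    if host.is_loopback:
        reasons.append("loopback address")
    if host == net.network_address:
        reasons.append("network ID (host bits all 0)")
    if host == net.broadcast_address:
        reasons.append("broadcast ID (host bits all 1)")
    return {
        "network_id": str(net.network_address),
        "broadcast_id": str(net.broadcast_address),
        "assignable": not reasons,
        "reasons": reasons,
    }


def find_duplicates(assignments):
    """Given (hostname, ip) pairs, return {ip: [hosts]} for IPs used more than once."""
    seen = {}
    for host, ip in assignments:
        seen.setdefault(ip, []).append(host)
    return {ip: hosts for ip, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.16.5.5", "192.168.1.10", "127.0.0.1"):
        print(a, classify(a))
    print(address_check("192.168.1.0", 24))
    print(address_check("192.168.1.255", 24))
    print(find_duplicates([("pc1", "192.168.1.10"), ("pc2", "192.168.1.10")]))
```

ip_interface accepts a host address with a prefix, so the network and broadcast IDs come straight from the standard library rather than from hand-rolled mask arithmetic.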
TCP - Transmission Control Protocol
- connection-oriented protocol (reliable delivery)
- sequence number - number assigned to each piece of data
TCP flags:
- FIN - end session with ack
- RST - end session in an impolite manner
- PSH - force data on an application
- URG - urgent packet

TCP Header:
1) Destination Port - 16 bit; destination port
2) Sequence Number - 32 bit; sequence number
3) Acknowledgment Number - 32 bit; acknowledges received data
4) Offset - 4 bit; where the data begins
5) Reserved - 6 bit; always set to 0
6) Flags - 6 bit; the TCP flags are stored here
7) Window Size - 16 bit; amount of information that can be sent before an ack is expected
8) Checksum - 16 bit; verifies the integrity of the header
9) Urgent Pointer - 16 bit; used only with the URG flag; points to the last piece of information that is urgent
10) Options - variable length field; any additional settings
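An added example, not part of the original notes, that parses the TCP header fields listed above from raw bytes with Python's struct module and decodes the six flag bits. The sample segment bytes are constructed; classify_probe labels a received segment's flag combination using the scan types named later in these notes (SYN-only and XMAS), which is how a sensor would triage a probe it sees.

```python
import struct

# Flag bits in the low 6 bits of the 16-bit offset/reserved/flags word
# (the 6-flag layout the notes describe; later RFCs added CWR/ECE in the reserved bits).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
FLAG_BITS = {name: bit for bit, name in TCP_FLAGS.items()}


def parse_tcp_header(segment):
    """Parse the fixed 20-byte TCP header of a segment and decode its flag bits.
    Returns a dict with the fields listed in the notes plus options and payload."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_res_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_res_flags >> 12          # header length in 32-bit words (4 bits)
    reserved = (off_res_flags >> 6) & 0x3F     # 6 bits, should be 0
    flag_bits = off_res_flags & 0x3F           # 6 flag bits
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_len": header_len,
        "reserved": reserved,
        "flags": [TCP_FLAGS[b] for b in sorted(TCP_FLAGS) if flag_bits & b],
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, urgent=0):
    """Build a 20-byte header (no options, checksum left 0) for constructing test segments."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | bits,
                       window, 0, urgent)


def classify_probe(flags):
    """Label a received segment by its flag combination, using the scan types
    named in the notes (SYN/half-open and XMAS) so an analyst can triage it."""
    s = set(flags)
    if s == {"SYN"}:
        return "SYN only (connection request or half-open scan)"
    if s == {"FIN", "PSH", "URG"}:
        return "XMAS probe (FIN+PSH+URG)"
    if not s:
        return "NULL probe (no flags)"
    return "normal"


if __name__ == "__main__":
    # Constructed segment: 50000 -> 80, seq 1, SYN set, window 65535
    raw = bytes.fromhex("c350 0050 00000001 00000000 5002 ffff 0000 0000")
    hdr = parse_tcp_header(raw)
    print(hdr["src_port"], hdr["dst_port"], hdr["flags"], classify_probe(hdr["flags"]))
```

The data offset is what tells the parser where the options end and the payload begins, so a segment with options (offset greater than 5) still parses correctly.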
UDP - User Datagram Protocol
- connectionless/unreliable; the UDP header has only 4 fields
UDP Ports:
53 - DNS
67 and 68 - DHCP
69 - TFTP; download files without authentication
137 and 138 - NetBIOS name and datagram services
161 - SNMP (Simple Network Management Protocol)
Internet Protocol (IP) - delivers packets to the correct destination (sends data only)
IP Header structure:
1) Version - 4 bit; version of IP
2) Header Length - 4 bit; size of the IP header
3) Type of Service - 8 bit; how the packet should be handled (ex. low delay)
4) Total Length - 16 bit; total length of the packet
5) Identification - 16 bit; identifies which fragment belongs to which packet when the packet exceeds the MTU (maximum transmission unit)
6) IP Flags - 3 bit; how fragments will be handled (ex. More Fragments, Don't Fragment)
7) Fragment Offset - 13 bit; order of the fragments
8) TTL - 8 bit; time to live; the packet is discarded when TTL reaches 0
9) Protocol - 8 bit; the upper-layer protocol (TCP or UDP)
10) Header Checksum - 16 bit; integrity of the IP header
11) Source Address - 32 bit; source IP address
12) Destination Address - 32 bit; destination IP address
13) IP Options - variable length; other settings
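Added example (not from the notes): a Python parser for the IPv4 header fields above, including the one's-complement header checksum check a receiver performs. build_ipv4_header constructs test packets; the addresses used are constructed.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    the 16-bit words. Run over a header whose checksum field is already filled
    in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Parse the 13 fields listed in the notes from the start of an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4:
        raise ValueError("not IPv4")
    header_len = ihl * 4
    flags = flags_frag >> 13                   # 3 bits: reserved, DF, MF
    return {
        "version": version, "header_length": header_len,
        "tos": tos, "total_length": total_len, "identification": ident,
        "flags": {"DF": bool(flags & 0x2), "MF": bool(flags & 0x1)},
        "fragment_offset": flags_frag & 0x1FFF,   # in units of 8 bytes
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "header_checksum": hdr_csum,
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": packet[20:header_len],
    }


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, df=True):
    """Construct a 20-byte IPv4 header with a correct checksum (constructed test data)."""
    flags_frag = (0x2 << 13) if df else 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    h = build_ipv4_header("192.168.1.10", "10.0.0.1", 6, 20, ident=0x1234)
    print(parse_ipv4_header(h))
    # A router decrementing TTL must recompute the checksum; without that, the check fails:
    tampered = h[:8] + bytes([63]) + h[9:]
    print(parse_ipv4_header(tampered)["checksum_ok"])
```

The tampered packet shows why the checksum field exists: any change to a header byte (here the TTL) without recomputation is detected and the packet should be dropped.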
ICMP - Internet Control Message Protocol
- enables TCP/IP networks to share status and error information (used by Ping and Tracert)
ICMP Type 8 - echo request message (ping)
ICMP Type 0 - echo reply (ping reply)
ICMP Header:
1) Type - 8 bit; ICMP type
2) Code - 8 bit; code
3) Checksum - 16 bit; integrity
4) Other - any data
ARP - Address Resolution Protocol
- logical address to physical address resolution; converts an IP address to a MAC address
- ARP sends a broadcast message (containing the IP address) and the system that owns that IP answers with an ARP reply containing its MAC address


Application Protocols:
1) HTTP - stateless protocol (web servers are unaware of previous requests)
cookies - small files stored on the client PC; the web server stores data on the client
2) DNS - queries the DNS server over UDP port 53
3) SMTP - Simple Mail Transfer Protocol
- sends and routes mail over the internet
- TCP port 25
4) POP3 - Post Office Protocol 3
- TCP port 110
- email is downloaded after the client has been authenticated; supports inbox, outbox, sent items
5) IMAP4 - Internet Message Access Protocol 4
- TCP port 143
- allows additional folders (ex. Public Folders)
6) SNMP - remotely managing any network device that supports SNMP
- UDP port 161
- used with management systems (centralized network management)
7) FTP - upload and download files
8) TFTP - Trivial File Transfer Protocol; supports read and write
- does not support authentication
- used to copy router/switch configurations or to boot a device
9) SFTP - Secure FTP
- encrypts all traffic; public key authentication
10) Telnet - TCP port 23
11) SSH - TCP port 22; access a remote system using a secure connection
12) SCP - Secure Copy Protocol
- copying files from a remote server over a secure connection; uses SSH
13) NTP - Network Time Protocol
- used to sync the clocks of PCs on a network
14) LDAP - Lightweight Directory Access Protocol
- TCP/IP directory service access used by Novell eDirectory and Microsoft Active Directory
15) NetBIOS - an API used to make network calls to remote systems
- used for session management functionality (session layer protocol)
2 communication modes:
A. Session Mode - connection-oriented with error detection and correction
B. Datagram Mode - connectionless communication; used for any broadcast
16) Network Storage Protocols
Fibre Channel / FCoE - Fibre Channel over Ethernet; runs at layer 2
iSCSI - Internet Small Computer Systems Interface; IP-based protocol
IPv6 - 128 bit; hexadecimal format
1) Global Unicast - routable on the internet; must be unique
2) Site-local Unicast - always starts with FEC0
- private address
3) Link-local Unicast - starts with FE80
- equivalent to an APIPA address (IPv4)
- used to communicate with other nodes on the local link
Chapter 2: Security Terminologies
Goals of Information Security (CIA):
1) Confidentiality - only authorized persons can gain access to information (ACL, Encryption, Steganography)
Steganography - hiding information in a graphic file
2) Integrity - information is not altered in transit
Hashing - generates an answer (hash value) from the data; comparing hash values shows whether the data changed
file integrity program - for files in storage
Uses of Data Integrity:
1) Downloading Files
2) Law enforcement - investigation/evidence is not altered
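Added Python example (not from the notes) of both uses of hashing: verifying a downloaded file against a published hash with a constant-time comparison, and a minimal file integrity baseline that reports modified, added and removed files. The files and directory it creates are constructed in a temporary folder.

```python
import hashlib
import hmac
import os
import tempfile


def file_hash(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="sha256"):
    """Use 1 from the notes: compare a downloaded file with the publisher's hash."""
    return hmac.compare_digest(file_hash(path, algorithm), expected_hex.lower())


def build_baseline(directory, algorithm="sha256"):
    """Record a hash for every file under directory (the file integrity program's baseline)."""
    baseline = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = file_hash(full, algorithm)
    return baseline


def check_baseline(directory, baseline, algorithm="sha256"):
    """Re-hash the directory and report what differs from the recorded baseline."""
    current = build_baseline(directory, algorithm)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def write_temp(text):
    """Write text to a fresh temporary file and return its path (constructed input)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(text.encode())
    return path


def demo():
    """Constructed scenario: baseline a temporary directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, text):
            with open(os.path.join(d, name), "wb") as f:
                f.write(text.encode())
        write("config.txt", "allow=admin\n")
        write("readme.txt", "hello\n")
        baseline = build_baseline(d)
        write("config.txt", "allow=everyone\n")   # modified
        write("extra.txt", "x")                   # added
        os.remove(os.path.join(d, "readme.txt"))  # removed
        return check_baseline(d, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the attacker cannot rewrite (read-only media or a signed copy); otherwise a compromised host can simply re-baseline its tampered files.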
3) Availability - information is available to the user
Permissions, Backup, Fault Tolerance (Redundancy), Clustering (multiple servers acting as a unit), Patching (applying service packs, security hot fixes)
4) Accountability - users are accountable for their actions; implement auditing and logging features
log files, audit files, firewalls and proxy servers, application logging
Types of Security:
1) Physical Security
2) Communication Security - protecting information that is travelling, by encrypting it
3) Computer Security
4) Network Security
Least Privilege - give users the minimal permissions needed
Collusion - parties conspire together to commit a fraudulent act
Layered Security - don't use one type of security solution alone
Diversity of Defense - use of different products to increase the level of security
Due Care - implementing the correct security controls; implementing an action
Due Diligence - identifying your risk; performing regular assessments
Vulnerability - weakness in software/hardware
Exploit - using a vulnerability
Security Roles:
1) System and Data Owner - owner of the information
2) Custodian - implements the security controls
3) User
4) Security Officer - sits between owner and custodian; educates everyone on their role
Chapter 3: Security Policies and Standards
Security Policy - security strategy; a document of rules to follow
Overview - purpose of the policy
Scope - who the policy applies to
Policy - do's and don'ts
Enforcement - disciplinary action
Definitions - terms used
Revision History -

Types of Policies:
1) Standard Policy - needs to be followed
2) Guidelines - recommendations
3) Procedure Policy - step-by-step procedures for implementing a solution
Regulations and Standards:
ISO 17799 - information security management
HIPAA - privacy of health care records
PII - Personally Identifiable Information; information that can identify a person
Policies in the Organization:
1) Acceptable Use Policy - what is acceptable use by an employee (laptop, PC, email etc.)
2) Password Policy
3) Change Management Policy - change in network configuration
4) Service Level Agreement - contract between your company and anyone providing services to the organization; sets the maximum amount of downtime that is allowed
5) Privacy Policy - educates customers why information is collected
6) Information Classification Policy - defines different classifications of information (top secret, secret, confidential, unclassified)
Chapter 4: Types of Attacks
1) Social Engineering
A) Impersonation
B) Phishing
C) Shoulder Surfing - viewing an employee's desk or computer screen
D) Dumpster Diving - going through the victim's garbage
E) Tailgating
F) Hoaxes - giving false stories (email)
G) Whaling and Vishing - same as phishing but targeted at a specific person
Vishing - tricking people over the phone
2) Network Attacks
DoS - Denial of Service; overloading a system with requests; causes the network to perform slowly or crash
DDoS - Distributed DoS; uses a number of systems (PCs) to perform the attack (zombie systems)
Spoofing - alters the source address information (IP, MAC, email); fakes the origin
Software: Nemesis, Hping2, Macchanger
Eavesdropping/Sniffing - captures network traffic and views its contents
Software (packet sniffing): Wireshark, tcpdump, airodump-ng
Replay - resubmits captured traffic on the network, to generate more traffic
Man-in-the-Middle
DNS Poisoning - having DNS names point to incorrect IP addresses; altering the DNS cache
Pharming - leading someone to the wrong site by modifying the hosts file
ARP Poisoning - altering the ARP cache (stores IP addresses with their corresponding MAC addresses); used for MITM attacks
arp -a - displays the ARP cache
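Added example, not from the notes, that reads the output of arp -a (Windows column format; the sample text is constructed) and applies two checks an admin can run for ARP poisoning: a unicast MAC that answers for more than one IP, and a gateway MAC that differs from a previously recorded value (known_gateway_mac is an assumed stored value).

```python
import re
from collections import defaultdict

# Constructed sample in the Windows "arp -a" output format (not a real capture).
SAMPLE_ARP_A = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)", re.M)


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return (ip, mac, type) tuples from arp -a output; MACs normalised to aa:bb:cc:dd:ee:ff."""
    return [(ip, normalize_mac(mac), typ.lower()) for ip, mac, typ in ENTRY_RE.findall(text)]


def is_group_address(mac):
    """Broadcast and multicast MACs have the least significant bit of the first octet set."""
    return bool(int(mac[:2], 16) & 0x01)


def find_shared_macs(entries):
    """{mac: [ips]} for unicast MACs that claim more than one IP address.
    A poisoned cache often shows one MAC beside both the gateway and a victim."""
    by_mac = defaultdict(list)
    for ip, mac, typ in entries:
        if typ == "dynamic" and not is_group_address(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries, gateway_ip, known_gateway_mac):
    """True if the gateway's cached MAC differs from the recorded one, False if it matches,
    None if the gateway is not in the cache. known_gateway_mac is an assumed stored value."""
    for ip, mac, _ in entries:
        if ip == gateway_ip:
            return mac != normalize_mac(known_gateway_mac)
    return None


if __name__ == "__main__":
    entries = parse_arp_table(SAMPLE_ARP_A)
    print(find_shared_macs(entries))
    print(gateway_mac_changed(entries, "192.168.1.1", "00-11-22-33-44-55"))
```

A shared MAC is a signal, not proof: a router or a host with several addresses legitimately shows the same MAC more than once, so the result is a list to investigate rather than an automatic verdict.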
Privilege Escalation - user-level access being able to elevate its privileges
Port Scanning Attack:
1) TCP connect scan - if the 3-way handshake completes, the port must be open
2) SYN scan - half-open scan or stealth scan; doesn't send the final ACK
3) XMAS scan - 3 of the six flags enabled (PSH, URG, FIN)

SPIM - spam over instant messaging
Spear Phishing - faked email that looks like it comes from a trusted source (ex. a fellow employee)
Antiquated Protocols - protocols developed without security, like HTTP, FTP etc.
Session Hijacking - impersonates a person after kicking them out of a communication session
Null Sessions - someone connects to a Windows system without providing any credentials
Domain Name Kiting - obtaining a domain name for free (5-day grace period)
Transitive Access - hyperlink to another Windows shared folder used to crack an account password
Client-side Attacks - through vulnerabilities within client software
Password Attacks:
1) Dictionary Attack - list of usernames in one text file, list of passwords in another file; ineffective against complex passwords
2) Brute Force Attack - password cracking software tries every combination
3) Hybrid Attack - combination of the two
4) Birthday Attack - 2 different data inputs generate the same hash value; used to speed up brute force attacks
note: password complexity protects against dictionary attacks;
account lockout policy protects against brute-force attacks
PASSWORD CRACKING SOFTWARE: LC4, Cain&Abel, NAT, Brutus, John the Ripper
Application Attacks:
1) SQL Injection - manipulates the database
*protection against this attack = validate the input before processing it
2) Buffer Overflow - the buffer is an area of memory used to store information sent to an application; the hacker sends too much information to the buffer
3) Cross-site Scripting - inserting script code into a form on a web page
4) Directory Traversal/Command Injection - injecting commands inside the HTTP message; "../.." repeated multiple times to move up the directory tree
5) LDAP Injection - hacker fills out a web form that is used to query a directory/database
6) XML Injection - inserting XML code
7) Integer Overflow - the result of a mathematical function is larger than the space in memory allocated for it
8) Zero Day - an exploit for an application vulnerability that is unknown to the developers
9) Cookies and Attachments - cookies (text files holding preferences) and attachments can be abused
10) Malicious Add-ons
11) Header Manipulation - modifies the header
12) Arbitrary Code Execution - extreme risk; the worst; can compromise the administrator account
13) URL Hijacking
14) Watering Hole Attack - hacker determines sites you may want to use and plants viruses and malicious code there
15) Locally Shared Objects - store information on a user's computer
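Added example, not from the notes, of the SQL injection protection described above in Python with sqlite3: the same lookup written with string concatenation (vulnerable), with a bound parameter, and with input validation before the query. The users table and its rows are constructed.

```python
import re
import sqlite3


def make_db():
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL statement itself."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Placeholder binding: the input is only ever a value, never SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_validated(conn, username):
    """Input validation as the notes prescribe: reject anything that is not a plain
    username before it reaches the database (constructed rule: 1-32 chars of
    letters, digits, '_' or '.'), then still use a bound parameter."""
    if not re.fullmatch(r"[A-Za-z0-9_.]{1,32}", username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # the classic tautology input
    print(lookup_vulnerable(db, crafted))      # returns every row
    print(lookup_parameterized(db, crafted))   # returns nothing
```

Validation and parameterisation are complementary: the allow-list rejects malformed input early and gives a clean error, while the bound parameter guarantees that whatever does reach the query cannot change its structure.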
Chapter 5: System Security Threats
Physical Threats:
1) Snooping, dumpster diving - shred important documents before disposal
2) Theft/Loss of Assets
3) Human Error
4) Sabotage

Malicious Software - software that harms or misuses the system (deleting files, monitoring, slowing down)
1) Privilege Escalation - hacker elevates his privileges
Types: Vertical (raise to admin access); Horizontal (same level of access, but a different resource); privilege de-escalation (admin to lower)
2) Viruses - infect the device; destroy the system, prevent booting, slow the system
Executable Virus - infects exe files
Boot Sector Virus - prevents booting; attacks the boot sector code
Macro Virus - code written in a macro language like VB; deletes files or emails everyone; triggered when the document is opened
Logic Bomb - virus planted on the system; triggers on a specific date
Worm - able to replicate itself, spreading via:
A) Network Protocol - ex. SQL Slammer
B) Email - ex. ILOVEYOU virus
C) Flash Drives - ex. Conficker
Trojan - user is tricked into installing it; modifies the system by opening a TCP/IP port on the system
Troubleshooting a Trojan:
netstat -na
LISTENING - port is open and waiting for someone to connect
netstat -na -o >> shows the Process ID (PID) for each connection
find the PID, then:
tasklist | find "PID"
taskkill /PID 208 /F >> kill the EXE (208 is the example PID)
regedit > CurrentVersion > Run >> delete autostart programs
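Added Python example (not from the notes) that automates the netstat and tasklist steps above: it parses constructed samples of netstat -nao and tasklist output, joins listening sockets to the owning image name by PID, and reports any listener missing from an assumed baseline of expected listeners (EXPECTED_LISTENERS is constructed, as are the PIDs, ports and image names).

```python
import re

# Constructed sample of "netstat -nao" output on Windows (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       208
  TCP    192.168.1.50:49700     203.0.113.10:443       ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1812
"""

# Constructed sample of "tasklist" output (not a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0      1,234 K
svchost.exe                    900 Services                   0     12,456 K
svc_updater.exe                208 Console                    1      5,678 K
chrome.exe                    3120 Console                    1    220,000 K
"""

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$", re.M)
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", re.M)


def parse_netstat(text):
    """One dict per socket line; UDP lines have no State column, so state is ''."""
    rows = []
    for proto, local, port, foreign, state, pid in NETSTAT_RE.findall(text):
        rows.append({"proto": proto, "local": local, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """{pid: image name} from tasklist output."""
    return {int(pid): name for name, pid in TASKLIST_RE.findall(text)}


def listening_ports(netstat_text, tasklist_text):
    """Join LISTENING TCP sockets and UDP bindings with the image name owning each PID,
    which is what the netstat -> tasklist steps in the notes do by hand."""
    procs = parse_tasklist(tasklist_text)
    return [(r["proto"], r["port"], r["pid"], procs.get(r["pid"], "<unknown>"))
            for r in parse_netstat(netstat_text)
            if r["proto"] == "UDP" or r["state"] == "LISTENING"]


# Assumed baseline of listeners expected on this host (constructed for the example).
EXPECTED_LISTENERS = {("TCP", 135): "svchost.exe", ("TCP", 445): "System"}


def unexpected_listeners(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Listeners not in the approved baseline, or owned by a different image than expected."""
    return [row for row in listening_ports(netstat_text, tasklist_text)
            if expected.get((row[0], row[1])) != row[3]]


if __name__ == "__main__":
    for row in unexpected_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("investigate:", row)
```

Checking the image name as well as the port matters: a known port owned by an unfamiliar process is just as suspicious as an unknown port.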
Other Malicious Software (Malware):
1) Spyware - hidden software that collects information about you; makes changes to the system; web redirection; slows the network connection
2) Adware - automatically loads ads on the screen; pop-up windows
3) Spam - unsolicited emails
protect against it by implementing filters on the email server and not posting email addresses on the internet
4) Rootkits - give the hacker privileged access to the system (Types: Application Level (trojan.exe); Library Level (library of code, dll); Kernel Level (replaces device driver files on the system); Virtualized (loads another OS); Firmware (not present in the OS))
5) Botnets - collection of systems that have been compromised by a hacker; zombie systems
6) Keylogger - can be hardware or software; captures keystrokes
7) Backdoor - so that hackers can get access to the system at a later time
8) Ransomware - virus takes over your system; asks for a credit card number
9) Polymorphic Malware - alters itself; mutates to avoid detection
10) Armored Virus - protects itself from being analyzed; difficult to decompile and view the code

Protection against Malware:
- update antivirus
- keep a close eye on listening ports using netstat
- keep a close eye on running processes using tasklist
- good surfing habits
Threats against Hardware:
1) BIOS Settings - CMOS settings to boot only from the hard drive
2) USB - disable
3) Cellphones:
Bluesnarfing - connecting to and retrieving data off the phone; unauthorized retrieval
Bluejacking - sending unsolicited messages using Bluetooth
Bluebugging - hacker gaining access to the phone
4) Network Attached Storage (NAS)
- provides a central location to share files
War Dialing - calls various numbers hoping to locate a connected modem
War Driving - uses a wireless scanner to locate wireless networks
Chapter 6: Mitigating Security Threats
System Hardening - removing unnecessary software and features; reduces the attack surface (hackable components); patching the system and disabling unused accounts
1) Uninstall Unnecessary Software
2) Disable Unnecessary Services
3) Protect Management Interfaces and Applications
4) Disable (or remove) Unnecessary Accounts
Patch System - apply software fixes for bugs
Security Hot-fix - security update that must be applied ASAP; serious security risk
Patch - not required to be applied immediately; not severe
Service Pack - all updates; patches and security hot fixes
System Hardening Procedures:
1) Network Security Hardening
- update all firmware of networking devices
PORT SECURITY - aka MAC limiting; listing the specific MAC address allowed on the port
802.1X - for controlling access to the network; authentication protocol to control who gains access to the network
ROGUE MACHINE DETECTION (a machine connected to the network that does not belong):
rogue system - runs as a packet sniffer; captures confidential information, passwords
rogue device - wireless router connected to the network (like our superlan)
Tools for System Hardening:
1) Group Policies - enable/disable features in Windows
2) Patch Management
3) Configuration Baseline - ensure a change has not affected the security state of the system (ex. a port opened)
*security baseline - standard configuration approved by the company
Security Posture and Reporting
Security Posture - stages of managing security baselines:
1) Initial Baseline Configuration - imaging a system with a preconfigured image; applying a security template
2) Continuous Security Monitoring - perform vulnerability scans (Nessus, MBSA etc.)
3) Remediation - correct the problem/fault
4) Reporting:
A) Alarms - report/notify on critical events
B) Alerts - no action may be required
C) Trends - involves looking at log files or packet captures over time (ex. port scans)
*fuzzing - purposely inputting invalid data into any data entry screens (for testing purposes)
*runtime error - error that does not occur until the application is running; use an exception handling method
*input validation - must start with the developer validating input; checks to ensure that the information (typed) is appropriate
I. Application Security Issues
a) ActiveX controls - can manipulate your system (delete files)
b) Java - runs in a sandbox (confined area with limited resources)
c) Scripting - can make modifications to your system
d) Browser - some add-ons installed in the browser
e) Cross-site Scripting (XSS) - browser reads the script and executes it
f) Cookies - logon information stored in a text file and viewed/used by others
g) Instant Messaging - worms spread through IM software
h) P2P - downloading files from untrusted sources
i) Buffer Overflow - hacker sends too much data to an application
Prevention Techniques:
1) Applications must be configured in the most secure state (permissions)
2) Disable features of applications you do not want to use
3) Patch your applications
4) Do not use "Remember Me"; cookies must have an expiration (for devs)
Chapter 7: Implementing System Security
Personal Firewalls - control inbound and outbound communication to the system; especially for systems connected to an untrusted network
FEATURES: Block Incoming/Outgoing Traffic, Notification, Default Rule (deny all traffic), Create Rule
HIDS - host-based intrusion detection system
- monitors activity of the system it is installed on; alerts on suspicious activity
- can detect suspicious traffic by analyzing events in log files
- can deal with encrypted communication to and from the system
*baseline - normal activity
NIDS - network-based; analyzes network traffic and compares it with signatures
- unable to identify suspicious traffic when the network traffic is encrypted
Windows Server Update Services (WSUS) - for managing lots of systems; the WSUS server retrieves updates from the internet (Windows Update site) and sends the approved updates to all systems (workstations)
Virus - malicious software; prevents the PC from starting up; sends unsolicited email to all recipients in the address book
Spam - use an all-in-one security appliance; URL Filter, Content Inspection (payload), Malware Inspection
Spyware - monitors internet activity
Adware - pop-ups with ads
*use Antispyware/Antiadware
Phish Filters/Pop-Up Blockers
- for phishing and pop-ups
Hardware-Based Encryption:
1) TPM - Trusted Platform Module; computer chip that stores cryptographic keys; used by BitLocker on Windows
2) HSM - Hardware Security Module; card that is added to the system; contains cr
(Smart Cards)
BYOD (Bring Your Own Device)
*onboarding - process of adding a new device to the system; removing it is offboarding
Host-Based Security:
1) OS Hardening and Anti-malware
2) Hardware and Software Security
Virtualization - run different OSes in virtual machines (VMware)
- can run different OSes; supports clients/TS
- for managing servers
- benefit: fewer physical systems
- issues: must patch each virtual machine; consumes disk space; less hardware to secure
- *sandboxing - restricted environments to control the access of VMs
Cloud Computing:
SaaS - Software as a Service; no need to install the application; the app is provided in the cloud
PaaS - Platform as a Service; provides the software and hardware needed to run a specific system
IaaS - Infrastructure as a Service; provides computers and data centers as a service; pay a monthly fee
Private Cloud - cloud service run internally
Public Cloud - provided by a service provider
Hybrid Cloud - combination of the two
Community Cloud - pooled resources for multiple organizations
Chapter 8: Securing Network Infrastructure
Firewalls - protect the systems on the other side
- protective controls (control what traffic can enter the network)
1) Packet Filtering Firewall - blocks/allows traffic based on source/destination IP address and port number; aka stateless inspection firewall; decides based on the header of the packet
2) Stateful Packet Inspection Firewall - can look at the context of the conversation (correct context); knows what packets are expected during certain phases of a connection
3) Application Firewall - packet filtering + stateful packet filtering + filtering traffic based on the payload (application data) of the packet; controls what type of commands can be passed through the firewall
Firewall Topologies:
1) Dual-Homed Host Firewall - a single computer (acting as gateway) with two physical network interfaces; the server's routing capability is disabled
Ex. Internet <> Firewall <> Internal Network
2) Screened-Host Firewall - more secure; with an added packet-filtering router in front of the firewall
Ex. Internet <> Screening Router <> Firewall <> Internal Network
3) Screened-Subnet Firewall - with two screening routers, one on each side of the firewall
Ex. Internet <> Screening Router <> Firewall <> Screening Router <> Internal Network
ZONES (network segments):
1) Private LAN - controlled by the network admin; ensures no other traffic from any other network
2) DMZ - area between 2 firewalls (internal and external); allows selected traffic from the internet to reach DNS, web servers, FTP, SMTP etc.
DNS UDP port 53
HTTP TCP port 80
FTP TCP port 21 (control port) and port 20 (data port)
SMTP TCP port 25
3) Public Zone - the internet
Proxy Servers - perform a function on behalf of another system; offer caching (stores web pages so they load quickly) and filtering capabilities
Other security devices:
1) Web Application Firewall - controls which HTTP messages can reach your web server; protects against attacks on web servers; HTTP traffic
2) Web Security Gateway - device or software; protection from malicious content on the internet; can provide data loss prevention (DLP) - blocks posting of sensitive information; pornography etc.
3) VPN Concentrator - centralizes your VPN access; configure authentication and encryption
4) URL Filters - list of URLs you want to allow or deny
5) Content Inspection - allow or deny content (proxy servers)
6) Malware Inspection - check content for malware
Intrusion Detection System (IDS) - ex. SNORT
- responsible for monitoring activity on a network; logs suspicious activity
1) Signature-Based Systems
- list of activity considered suspicious; compares the activity against the signature database; few false positives/alarms
ex. PORT SCAN signature - a number of SYN messages are sent from a single IP to a number of ports within a short period of time
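Added example, not from the notes, implementing the port-scan signature just described as a sliding window per source address over a constructed SYN log: it alerts when one source sends SYNs to at least threshold distinct ports within window_ms. A slow scanner in the sample data stays under the threshold, which is the blind spot of a purely signature-based rule. All addresses, ports and times are constructed.

```python
from collections import defaultdict, deque


def constructed_packets():
    """Constructed SYN log: (time_ms, src_ip, dst_ip, dst_port, flags). Not a real capture."""
    pkts = [
        (0, "192.168.1.50", "10.0.0.5", 443, "SYN"),
        (40, "192.168.1.50", "10.0.0.5", 443, "ACK"),
        (5000, "192.168.1.50", "10.0.0.5", 80, "SYN"),
    ]
    # fast scanner: 20 ports in 2 seconds from one source
    pkts += [(1000 + i * 100, "203.0.113.9", "10.0.0.5", 20 + i, "SYN") for i in range(20)]
    # slow scanner: 12 ports, one every second
    pkts += [(10000 + i * 1000, "198.51.100.7", "10.0.0.5", 100 + i, "SYN") for i in range(12)]
    return sorted(pkts)


def detect_port_scans(packets, threshold=10, window_ms=5000):
    """Signature from the notes: SYNs from one source to many distinct ports
    within a short period. Keeps a sliding window per source and raises one
    alert per source the first time the distinct-port count reaches threshold."""
    recent = defaultdict(deque)     # src -> deque of (time_ms, port), oldest first
    alerts = {}
    for t, src, dst, dport, flags in sorted(packets):
        if flags != "SYN":          # only connection attempts count
            continue
        q = recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > window_ms:
            q.popleft()             # drop entries outside the window
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = {"first_ms": q[0][0], "last_ms": t, "ports": sorted(ports)}
    return alerts


if __name__ == "__main__":
    for src, a in detect_port_scans(constructed_packets()).items():
        span = a["last_ms"] - a["first_ms"]
        print(f"ALERT port scan from {src}: {len(a['ports'])} ports in {span} ms")
```

Lowering the threshold catches the slow scanner but raises the false-positive rate for busy legitimate clients; that trade-off is exactly why the notes contrast signature-based with anomaly-based detection.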
2) Anomaly-Based Systems
- the system understands what is considered normal activity (BASELINE); anything else is considered suspicious
- large number of false alarms
- no need to configure a definition file of known suspicious activity
3) Heuristic
- identifies malicious activity based on past experience (ex. Antivirus)
1) Host-Based IDS
- installed on a single system
- must be installed on the system to run
- monitors areas such as memory, system files, log files, network connections etc.
2) Network-Based IDS
- analyzes traffic that travels across the network. Components:
Sensor - piece of software/hardware placed on each network segment; responsible for collecting traffic
Analysis Engine - receives packets from the sensor and performs analysis on the packets; will determine the method used
Console - where alerts and notifications are typically sent
1) Passive IDS
- monitors, logs and notifies on suspicious activity only
2) Active IDS/IPS
- may take action to protect the environment
- aka network intrusion prevention system
- with corrective action
Honeypots - a system placed in a private network or DMZ; designed to lure the hacker
Honeynets - an entire network made to appear to be a production network, to lure the hacker
Wireshark - Protocol Analyzer/Packet Sniffer
- captures all traffic
- must run in promiscuous mode (your network card will receive all traffic)
- must also bypass the filtering feature of the switch using:
1) Port Mirroring - connect the monitoring station to the mirror port

2) Network Tap - hardware connected to the network; has a port available for the monitoring station

Segmentation - network segments
1) Multiple Collision Domains
- Bridge, Switch, Router. A collision domain is a group of systems whose data can collide with one another.
2) Multiple Broadcast Domains
- Routers. Use of ACLs.
VLANs - divide your network into different broadcast domains without using multiple routers
NAT - Network Address Translation
- used to hide the internal network and share a public address
- use a private address range on the inside, which is then translated to a public address
Private Addresses:
Major Types:
1) NAT Overloading - all clients inside the network access the internet with ONE PUBLIC ADDRESS; includes PAT (Port Address Translation), which translates port information to track different client requests over one public IP
2) Static NAT - a single public IP is mapped to a single private address; used to handle inbound requests to a server
NAC - Network Access Control; specifies conditions that a system must meet to gain access to the network
1) Connecting to a Wireless Network: may require the client to accept the terms of wireless network usage before they are given access
2) Patch Status: the client's health is checked (antivirus, system patches)
3) Connecting to a Switch: ensure the client is authenticated by an authentication service such as RADIUS
Network Admin Principles:
1) Rule-Based Management - test the rules that allow/deny traffic
2) Firewall Rules - deny all, then add exceptions for the traffic allowed to pass through
3) VLAN Management
4) Secure Router Configuration - create ACLs; set passwords for local and remote access (telnet or SSH)
5) Port Security - enable a port and assign a MAC address to it
6) 802.1x - authenticate against a database such as a RADIUS server
7) Flood Guards - firewall and router feature; controls and blocks malicious traffic such as flood attacks (SYN attack, DoS)
8) Loop Protection - switches prevent loops by implementing STP (Spanning Tree Protocol, a loop prevention protocol)
9) Implicit Deny - automatically deny traffic/permission on folders and files that is not explicitly allowed
10) Log Analysis - review log files on a regular basis
11) UTM - Unified Threat Management systems; all-in-one security solution
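Added example (not from the notes) showing rule-based management with implicit deny in Python: a constructed rule set is evaluated top-down, first match wins, and anything unmatched is denied; shadowed_rules finds rules that an earlier, broader rule prevents from ever matching. Addresses and rules are constructed.

```python
import ipaddress

# Constructed rule set, evaluated top-down, first match wins; no match = implicit deny.
RULES = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",   "dst": "10.0.1.10/32", "dport": 80},
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",   "dst": "10.0.1.10/32", "dport": 443},
    {"action": "allow", "proto": "udp", "src": "10.0.0.0/8",  "dst": "10.0.1.53/32", "dport": 53},
    {"action": "deny",  "proto": "any", "src": "10.0.0.0/8",  "dst": "0.0.0.0/0",    "dport": None},
    {"action": "allow", "proto": "tcp", "src": "10.0.2.0/24", "dst": "10.0.1.0/24",  "dport": 22},
]


def evaluate(rules, proto, src, dst, dport):
    """Return (action, index of matching rule) for a packet; (deny, None) is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r["proto"] not in ("any", proto):
            continue
        if src_ip not in ipaddress.ip_network(r["src"]):
            continue
        if dst_ip not in ipaddress.ip_network(r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], idx
    return "deny", None


def shadowed_rules(rules):
    """Rule-based management check: (rule, earlier rule) pairs where the earlier rule
    matches everything the later one could, so the later rule can never fire."""
    found = []
    for i, r in enumerate(rules):
        r_src, r_dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
        for j in range(i):
            e = rules[j]
            if e["proto"] not in ("any", r["proto"]):
                continue
            if not r_src.subnet_of(ipaddress.ip_network(e["src"])):
                continue
            if not r_dst.subnet_of(ipaddress.ip_network(e["dst"])):
                continue
            if e["dport"] is not None and e["dport"] != r["dport"]:
                continue
            found.append((i, j))
            break
    return found


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "203.0.113.5", "10.0.1.10", 443))
    print(evaluate(RULES, "tcp", "203.0.113.5", "10.0.1.10", 22))   # implicit deny
    print(shadowed_rules(RULES))                                     # rule 4 is shadowed by rule 3
```

The shadowed SSH rule is the kind of mistake the "test the rules" principle is meant to catch: the administrator believes SSH from 10.0.2.0/24 is allowed, but the broad deny above it wins every time.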
Chapter 9: Wireless Networking and Security

Wireless Modes:
1) Ad Hoc Connection - peer-to-peer environment; laptop to another wireless device
2) Infrastructure Mode - with a wireless access point (connected to the wired network)
802.11a - 5 GHz, 54 Mbps, 150 ft
802.11b - 2.4 GHz, 11 Mbps, Wi-Fi standard, 300 ft
802.11g - 2.4 GHz, 54 Mbps, Wi-Fi standard, 300 ft
802.11n - 2.4 or 5 GHz, 150 Mbps (up to 600 Mbps), 300 ft
Features of 802.11n:
1) MIMO - use of multiple antennas to achieve more throughput
2) Channel Bonding - transmit data over two channels at once
Channel - each frequency in the range (13 channels)
Authentication and Encryption:
1) WEP - Wired Equivalent Privacy; input a wireless key/shared key/passphrase; 64/128 bit encryption keys made up of a 24 bit INITIALIZATION VECTOR and a 40/104 bit key; already cracked
2) WPA - Wi-Fi Protected Access; 128 bit key and TKIP (Temporal Key Integrity Protocol), used to change the encryption key for every packet sent
Improved Integrity Checking: EAP, Extensible Authentication Protocol, a very secure authentication protocol; supports Kerberos, tokens, certificates, smartcards
Variations of EAP: LEAP (Lightweight, Cisco proprietary); PEAP (Protected)
WPA Modes:
1) WPA Personal - WPA PSK (Preshared Key); used by home and small business
2) WPA Enterprise - WPA 802.1x; uses a central authentication server such as RADIUS
3) WPA2 - uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with the Advanced Encryption Standard (AES) for encrypting wireless traffic
supports 128/192/256 bit encryption
Security Best Practices:
1) Change the Admin Password
2) Service Set Identifier (SSID) - don't advertise your SSID; disable broadcasting
Kismet - Linux tool; can detect hidden SSIDs
3) MAC Address Filtering
4) Antenna Placement and Power Levels - routers must be placed in the center of the building and not close to the outer walls
5) Captive Portal - requires authentication via a web page
6) Encrypt Wireless Traffic - use WEP, WPA, WPA2
7) VPN Solutions - for high-security environments
Wireless Threats:
1) Data Emanation - collecting emissions from electrical components and piecing them together into readable data
2) Jamming/Interference - such as from cordless phones
3) Packet Sniffing - ensure all wireless communication is encrypted
4) War Driving - driving around with a laptop to locate wireless networks that can be connected to
5) War Chalking - drawing symbols on a building or sidewalk to mark wireless networks
6) WPS Attack - Wi-Fi Protected Setup allows the user to enter a PIN to connect to a wireless network; a brute force attack can be performed on the WPS PIN
7) Replay Attack - hacker captures traffic with a sniffer and resends/replays the traffic
8) Bluejacking - sending unsolicited messages using Bluetooth
9) Bluesnarfing - exploiting a Bluetooth-enabled device by copying data from it
10) Rogue Access Points - a wireless router connected to the network without authorization
11) Evil Twins - make a laptop appear to be a valid access point; to protect: use a VPN
Infrared - up to 4 Mbps
Bluetooth - up to 10 meters away; 1 Mbps (transfer rate); f = 2.6 GHz range
Chapter 10: Authentication
Authentication - process of verifying the identity of the individual
Mutual Authentication - auth. scheme that involves both sides of the communicati
Authentication Factors:
1) Something you know - Password or PIN
2) Somting you have - Swipe Card/Token]
3) Something you are - biometrics, fingerprint, eyescanner
4) Somewhere you are - GPS location, IP subnet information
5) Something you do - newer authentication factor; based on the habits of the us
Single Factor Authentication - ex. User/Pass (know); retina scan or fingerprint
Two-Factor Authentication Scheme - ex. Pin + Card; smartcards; fingerprint+pin
Three-Factor Authentication - ex. biometrics+card+pin
Single Sign-on (SSO) - allows a user to authenticate once and access multipe sys
tems w/o providing additional credentials.
Access Tokens -logical tokens;contains all information required for resource val
idation, or user perform an operating system task.
Authentication Protocols:
1) Windows Authetication Protocols
Anonymous Authentication. no logon require. ex. websites/ftp servers
2) Basic Authentication. logon; user/pass sent to the server in clear text.(not
3) Integrated Windows Authentication. user/pass sent to the server in an encrypt
ed format.
4) Kerberos. used by Active Directory environments. uses a KEY DISTRIBUTION CENT
ER (KDC) SERVER for issuance of tickets(needed to access services on the network
---non microsoft-Remote Access Service (RAS) - using Point2Point connections (P2P Protocol,PPP)
used in telephony application
VPN - connects to a remote server using a secure channel over internet.
Authentication Protocols used by RAS/VPN:
5) Password Authentication Protocol (PAP) - same as w/ basic authentication
6) Challenge Handshake Authentication Protocol (CHAP) - server sends a challenge
to the client and used in the auth. process. uses MD5 hashing algo.
7) Microsoft-CHAP (MS-CHAP) - uses MD4 hashing algorithm; uses Microsoft Point t
o Point Encryption (MPPE) to encrypt traffic client to server.
8) MS-CHAP2 - extended to authenticate both client and server; uses strong encry
ption keys
9) Extensible Authentication Protocol (EAP) - allows multiple logon methods such as smartcard logon, certificates, PKI etc.; frequently used with RADIUS (central authentication service for RAS and VPN solutions)
Authentication Services - AAA: Authentication (validating credentials), Authorization, Accounting (logging activity)
1) RADIUS - Remote Access Dial-In User Service; access to the network by dialing into a RAS SERVER or making a connection to a VPN.
uses UDP ports:
1812 - Authentication and Authorization
1813 - Accounting Services
Network Client >> RAS/VPN Server (RADIUS Client) >> RADIUS Server
2) DIAMETER - better than RADIUS; TCP based; more secure
3) TACACS - Terminal Access Controller Access Control System; for UNIX systems; uses TCP and UDP port 49
XTACACS - Extended TACACS, for CISCO devices (proprietary)
4) TACACS+ - used by CISCO; uses same topology as RADIUS; encrypts all information between TACACS server and client, unlike RADIUS, which encrypts passwords only.
Other Authentication Protocols:
1) LDAP - Lightweight Directory Access Protocol; access a directory service over TCP port 389
2) Secure LDAP - LDAP using SSL over TCP port 636
3) SAML - Security Assertion Markup Language; allows systems to exchange authentication and authorization information.
4) TOTP - Time-Based One Time Password
5) HOTP - HMAC-Based One Time Password; HMAC-based algorithm
6) Implicit Deny - deny anyone access until they are authenticated; DENY ALL
7) Trusted OS - a system that implements multiple layers of security...
8) Federation - used to authenticate and authorize users across organizations
9) Transitive Trust - based on a trust model. Ex. A trusts B, B trusts C, so A trusts C
Identification - presenting information such as USERNAME
Authentication - proving that you are that person, e.g. by knowing the PASSWORD
1) Hardware Tokens. RSA tokens display random numbers. User uses that random number together with U/P.
2) Software Tokens. stored on a PC.
3) Logical Tokens. generated at logon; contains SID, group SIDs, and privileges
Enrollment Process - biometric data is converted to a digital representation.
Error Types:
1) Type 1 - False Reject Rate (FRR). Biometric system fails to authenticate someone who is authorized.
2) Type 2 - False Acceptance Rate (FAR). Allows someone who is not authorized.
CER - Crossover Error Rate. The lower the CER the better. Number of Type 1 errors is equal to number of Type 2 errors.
CAC - common access card for Military(grant access)
PIV - personal identification verification; stores information, biometrics, etc.


Chapter11: Access Control

Note: Authorization is implemented using Access Control Methods
Types of Security Controls: (Sec. Control - used to protect assets)
1) Administrative Control - aka management control; written policy or guideline.
Ex. Password Policy, Hiring Policy, Employee Screening, Mandatory Vacations, Security Awareness Training
2) Logical Control - aka Technical Control; responsible for controlling access to a particular resource; implementation of a protection mechanism
Ex. Firewalls, Encryption, Passwords, IDS, etc.
3) Physical Control - physical facilities like doors, locks, fences, security guards, CCTV etc.
4) Operational Control - controls that are part of day-to-day activities like ba
Classes of Control:
1) Preventive -deterrent control; ex. cable lock laptop
2) Corrective - restore a system to its original state before the security incident occurred.
3) Detective - detect a security incident, like an IDS
4) Deterrent - ex. if the security policy is not followed, termination of employment
5) Compensating - control to compensate for residual risk (risk that may exist aft
False Positives - Test is Positive, but should be NEG. Ex. antivirus blocks a file; email automatically goes to SPAM
False Negatives - Test is Negative, but it should be POS.
False Negatives - Test is Negative, but it should be POS.
Implicit Deny - anything not in the list is forbidden access. Ex.
1) Router ACLs: specify what traffic is leaving or entering the network
2) Permissions: NTFS permissions on a file - list who can gain access to the file
3) Firewall: default rule to deny all traffic from entering the network except...
Access Control Models:
1) Discretionary Access Control List (DACL) - listing of users who are granted access to a resource; permission assigned to a file; configuring permissions on a
Access Control Entry (ACE) - each entry in a DACL
2) Mandatory Access Control - employees gaining access to resources based on th
(Public, Confidential, Secret, Top Secret, Unclassified)
Sensitivity Levels for Government Organizations:
1) Top Secret - grave damage to the national security if leaked
2) Secret - serious damage to national security
3) Confidential - damage
4) Restricted - may cause undesirable outcome
5) Unclassified - suitable for public release
for Business Sectors:
1) Confidential - cause grave damage
2) Private - serious damage
3) Sensitive - undesirable outcome
4) Public - public release
3) Role Based Access Control (RBAC) - placing users into groups (roles) and having the roles assigned the privileges to perform a task.
4) Rule Based Access Control - configuring rules that allow/disallow different actions. Ex. ACL access lists, Firewall
USER goes into GROUP, and GROUP is assigned the PERMISSIONS
Right - privilege to perform a task
Permission - level of access to a resource
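Added example (not from the book or these notes): a DACL evaluator with implicit deny and explicit deny entries, with permissions assigned to groups (roles) rather than users, plus a MAC read check on the sensitivity levels listed above. Users, groups and the file's ACEs are constructed sample data.

```python
from dataclasses import dataclass

# Constructed directory: each user and the groups (roles) they belong to.
GROUPS = {
    "alice": {"admins", "staff"},
    "bob": {"staff"},
    "carol": {"contractors"},
    "dan": {"staff", "contractors"},
}


@dataclass(frozen=True)
class ACE:
    """Access Control Entry: a principal (user or group), a permission, and
    whether the entry allows or denies it."""
    principal: str
    permission: str
    allow: bool = True


# DACL on a constructed file. Permissions are assigned to GROUPS (roles);
# users receive them through membership (USER -> GROUP -> PERMISSION).
PAYROLL_DACL = [
    ACE("admins", "read"),
    ACE("admins", "write"),
    ACE("staff", "read"),
    ACE("contractors", "read", allow=False),   # explicit deny entry
]


def check_dacl(user: str, permission: str, dacl, groups=GROUPS) -> bool:
    """Implicit deny: grant only if some ACE explicitly allows the permission
    for the user or one of the user's groups, and no ACE explicitly denies
    it. Anything not listed (unknown user, unlisted permission) is denied."""
    principals = {user} | groups.get(user, set())
    allowed = False
    for ace in dacl:
        if ace.principal in principals and ace.permission == permission:
            if not ace.allow:
                return False        # an explicit deny always wins
            allowed = True
    return allowed                  # still False when nothing matched


# Mandatory access control: the government sensitivity levels from the
# notes, lowest to highest.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]


def mac_can_read(clearance: str, classification: str) -> bool:
    """MAC: the label on the object, not the owner's discretion, decides.
    A subject may read only objects at or below its own clearance."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)
```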
Linux Permission:
Read R:4
Write W:2
Execute X:1
chmod 744 myfile.txt >> owner all, everyone read only
chmod 777 myfile.txt >> allow everyone
Chapter12: Introduction to Cryptography
Cryptography's three core services:
1) Encryption - converting plain text into cipher text.
Substitution Cipher - substituting one character for another
Transposition Cipher - shifting characters in the message
ex. GLEN >> ENGL
2) Hashing - used to maintain the integrity of the message.
3) Authentication
Caesar Cipher - increment each character in the message by a KEY
same as w/ Substitution Cipher
Repeating Key - encryption keys are words and phrases; ex. key: badbadbada, messa
Vigenere Cipher - use of Vigenere Table (ABC... X ABC...)
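Added example (not from the book or these notes): the Caesar cipher and the repeating-key Vigenere cipher in Python, with the notes' word GLEN and key style badbad... as inputs, plus a listing of all 25 Caesar keys to show why the work factor is tiny. Function names are mine.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, key: int, decrypt: bool = False) -> str:
    """Caesar cipher: a substitution cipher that shifts every letter by a
    fixed KEY (0-25). Decryption shifts back by the same amount.
    Non-letters pass through unchanged."""
    shift = -key if decrypt else key
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere cipher: a repeating-key Caesar. Letter i of the message is
    shifted by the alphabet position of key letter (i mod len(key)), which
    is the row/column lookup in the Vigenere table. A key written as
    "badbadbada" is effectively the three-letter key "bad" repeated."""
    key = key.upper()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must contain letters only")
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(caesar(ch, ALPHABET.index(key[i % len(key)]), decrypt))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext: str) -> dict:
    """Work factor illustration: the Caesar key space is only 25 usable keys,
    so every possible plaintext can be listed at once. Returns key -> text."""
    return {k: caesar(ciphertext, k, decrypt=True) for k in range(1, 26)}
```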
Other Terms:
1) Key Space - bits in encryption keys. 64/128/256/512 bit
2) Work Factor - time to break the encryption
3) One-Time Pads - encryption involves using a key only once.
4) Stream Ciphers - encrypts one bit at a time; executes faster; less prone to e
5) Block Ciphers - encrypts data in blocks; more secure; takes longer
6) Padding - added to the last block to complete the data stream (even)
7) XOR - exclusive OR
Symmetric Encryption - using the same key to encrypt/decrypt; ex. wireless network e
Other Names: Shared Key, Secret Key, Session Key, Private Key
Advantage: performance benefit for large amounts of information
Disadvantage: securely sharing the keys; number of keys required

Keys= P(P-1)/2
1) DES - Data Encryption Standard, 56bit
2) Blowfish - 1 to 448 bit encryption
3) Twofish - 128 bit encryption
4) Triple DES -168 bit encryption, BLOCK Cipher
5) Rivest Cipher (RC4/RC5) - used in SSL and WEP
6) AES - Advanced Encryption Standard, BLOCK Cipher; 128/192/256 bit encryption;
used by WPA2
7) AES256 - 256 bit encryption
Asymmetric Encryption - 2 related keys to perform encryption and decryption. Points to remember:
(1) one key does, the other key undoes
(2) two keys are related, but you cannot derive one key from the other
* a message is always encrypted with the recipient's public key.
* to ensure nonrepudiation, the message is signed with the sender's private key
Advantage: can securely communicate the public key to other parties; key management (need only a key pair)
Disadvantage: slower
1) RSA - Rivest Shamir Adleman; first
2) Diffie-Hellman
3) Elliptic Curve - based on Diffie-Hellman and Digital Signature Algorithm
Quantum Cryptography - w/ fiber-optic networks, sending encrypted information as photons, then converted to binary data.
In-Band Key Exchange - encryption key is exchanged between the parties
Out-of-Band Key Exchange - exchange keys in a separate communication channel
Hashing Concepts
One-way Hash Values - impossible to do the reverse operation of taking the hash v
Hash Value - aka message digest; same size regardless of how long the message is
Collision - two different data calculate the SAME HASH VALUE
Hashing Algorithms:
1) **Message Digest - MD5 (128 bit hash value)
2) **Secure Hash Algorithm - SHA-1 (160 bit hash value)
3) SHA-256/SHA-512
4) LANMAN - insecure method of storing the password hashes;
5) NT LAN Manager (NTLM) - Windows NT, storing passwords and registry; uses MD4
NTLMv2 uses HMAC-MD5
6) RACE Integrity Primitives Evaluation Message Digest (RIPEMD), 128/160/256/320 b
7) Hash-based Message Authentication Code (HMAC) - using a secret key combined with hashing algo.
Message Authentication Code - resulting hash value.
Encryption -encrypt data, communication

for Data:
1) Full Disk - Win7 or 8, BitLocker, encrypt contents of the entire hard drive
2) Database -encrypt credit card numbers, customer's passwords etc.
3) Individual Files - use Encrypting FIle System (EFS) in windows
4) Removable Media - encrypt flash drive
5) Mobile Device
Trusted Platform Module (TPM) - computer chip; stores cryptographic keys to encrypt data; has a dictionary-attack prevention module built in.
for Communication:
1) HTTPS: uses SSL to encrypt communication to the Web server
2) **Secure Socket Layer/Transport Layer Security - encrypting traffic for web and email; TLS is replacing SSL
3) Secure MIME (S/MIME) - encrypt email messages
4) Internet Protocol Security (IPSec) - encrypt ALL IP traffic.
Transport Mode - only the payload (data) is encrypted
Tunnel Mode - header and data are encrypted
5) Secure Shell (SSH)
6) Secure FTP (SFTP or FTPS)
7) Secure Copy Protocol (SCP) - used for transferring files
8) Wireless - use WEP, WPA or WPA2
Other Terms:
1) Ephemeral Key - temporary key used to encrypt a single message
2) Perfect Forward Secrecy - a system that generates random ephemeral keys for each session.
3) Key Stretching - aka key strengthening; used to convert a weak password to a strong password using 2 algorithms: PBKDF2 and Bcrypt
4) Cipher Suite - group of security algorithms used to provide authentication, encryption, message authentication functionality
5) Pretty Good Privacy (PGP) - used to encrypt information using Asymmetric Communication; generate keys and share your public key using e-mail.
6) Steganography - hiding of text files inside graphic files.
Stegdetect - software used to detect steganography
Chapter13: Public Key Infrastructure p.534
1) Certificates - electronic file storing a public key; contains public key, algorithm, serial number, subject, issuer, validity, thumbprint (hash value); CA - issues the certificate
2) Certificate Authorities
        PUBLIC CA - in the business of selling certificates to businesses like VeriSign, GoDaddy, Entrust
        PRIVATE CA - when a company decides to create its own PKI.
        Root CA - self-signed certificate; digitally signs any certificates; usually turned off
        Subordinate CA - issued and digitally signed by the root CA
3) Registration Authority (RA) - responsible for accepting certificate requests & validating the entity; certificate application
4) Repository - database that stores the certificates and public keys
Certificate Life Cycle:
1) Request -send request to CA/RA; RA validates
2) Certificate - RA passes request to CA; CA create the certificate
3) Renewal
4) Suspension/Revocation - permanently unusable
5) Destruction
5) Certificate Revocation List (CRL)
-published by CA
6) Online Certificate Status Protocol (OCSP) - alternative to CRL, uses HTTP
7) Recovery Agent - individual who can decrypt information in case someone (w/ key) leaves the organization.
-used by Microsoft's Encrypting File System
8) Key archiving - backing up the cryptographic keys to a secure location.
M of N Control, ex.
2 of 3 = 2 required in recovery process, 3 possible persons who can participate in recovery process
9) Key Escrow - handing cryptographic keys to a third party (ex. government agency, law enforcement)
10) Trust Models and Trust Paths/Cross Certificates - for sharing information with another business
How SSL Works?
1) Client sends request for a web page. uses port 443 (SSL)
2) Server sends PUBLIC KEY to Client
3) Client VALIDATES the certificate
4) Client creates a random SYMMETRIC KEY/SESSION KEY to encrypt web page content; encrypts the symmetric key with the public key
5) Encrypted information is sent to the web server.
6) Web server decrypts the symmetric key and uses the symmetric key to encrypt information between client and server.
How Digital Signature works?
1) A sends digest (hash value) with the message to B
2) A encrypts digest with PRIVATE KEY and sends to B
3) B uses A's PUBLIC KEY to decrypt digest
4) B calculates a NEW DIGEST on the message received and COMPARES IT with the UNCRYPT
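Added example (not from the book or these notes): the digital signature steps above and the SSL session-key wrapping (step 4 and 6 of the SSL flow), done with a toy RSA key pair to make "one key does, the other key undoes" concrete. The primes are two known Mersenne primes so the modulus is only about 92 bits; real RSA uses primes of 1024+ bits and padding, and the function names are mine.

```python
import hashlib
import secrets

# Constructed toy key pair from two known primes (the Mersenne primes
# 2^61-1 and 2^31-1), so N is about 92 bits. Real RSA uses far larger
# primes plus padding (PSS/OAEP); this only shows the arithmetic.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def rsa_apply(value: int, key: tuple) -> int:
    """One modular exponentiation; the other key of the pair undoes it."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


def digest(message: bytes) -> int:
    """SHA-256 digest of the message as an integer, reduced mod N so the
    toy key can operate on it (a real key is larger than any digest)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender A: hash the message, encrypt the digest with the PRIVATE key."""
    return rsa_apply(digest(message), private_key)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Receiver B: decrypt the signature with A's PUBLIC key, compute a NEW
    digest over the message actually received, and compare the two."""
    return rsa_apply(signature, public_key) == digest(message)


def wrap_session_key(session_key: int, public_key=PUBLIC_KEY) -> int:
    """SSL step 4: the client encrypts its random symmetric key with the
    server's public key; only the server's private key can unwrap it."""
    return rsa_apply(session_key, public_key)


def unwrap_session_key(wrapped: int, private_key=PRIVATE_KEY) -> int:
    """SSL step 6: the server recovers the symmetric key."""
    return rsa_apply(wrapped, private_key)


def new_session_key(bits: int = 64) -> int:
    """Client-side random symmetric key (kept smaller than N)."""
    return secrets.randbits(bits)
```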
Issues surrounding certificates
1) Renewal - certain period of time only. Creating your own CA means no cost for
2) Issuing CA - should be trusted, like Entrust, VeriSign, GoDaddy.
3) Subject Name - aka common name; allows multiple alternative subject names to be applied to a single certificate; name must match the URL address

Chapter14: Physical Security
Physical Access Control
1) Perimeter Fencing - recommended fence height 8ft plus barbwire at 45 degree a
2) Guards
3) Locks
Cipher Locks - Electronic Combination Locks
4) Access System
A) Fail Safe - Fail Open; when the lock fails, it is unlocked
B) Fail Secure - Fail Closed; when the lock fails, it stays locked
5) Proximity Readers
A) User Activated - need to swipe the card to gain access
B) System Sensing - sends out interrogating signals
6) Mantraps - area between two doors, 2nd door do not open until Door1 is closed
HVAC - Heating, Ventilation and Air Conditioning
- reduces heat (temperature), humidity, and outdoor air
Activities involved:
1) Environmental Monitoring - monitoring mechanism; detect issues related to heat, humidity, and air quality
2) Hot and Cold Aisles - fronts of the racks facing each other to create cold ai
3) Temperature and Humidity Control
Emanations - electrical signal emissions from computer components
Tempest System - a shielded environment; standard for securing a system from eav
Faraday Cage - enclosure designed to shield its contents; blocks electronic fields or signals; shields a component from sending or receiving a signal.
Fire Suppression
Classes of Fire:
Class A - common combustible fires like paper, cloth etc.
Class B - liquid fires like gas, oil, tars, solvents
Class C - burning of electrical components; use HALON gas or CO2
Class D - combustible metals like Magnesium and Sodium; suppress it by using dry
Sprinkler Systems
1) Wet Pipe - water is in the pipe all the time; pipe could freeze
2) Dry Pipe - water in a reservoir; short delay; for colder climates
3) Preaction System - head link has to be melted for the water to be released
Chapter15: Risk Analysis
-reduce and manage the risk of your organization
-identify the assets within the company and their value
-identify threats against those assets
-take countermeasures against those threats/mitigate the threat
-countermeasure value must not cost more than the value of the asset

Risk Analysis Process

1) Identify Assets
Company Information
Inventory and Cash
Computer Systems and Services
Hidden Assets - Database server
2) Identify Threats for each Asset/ Threat Assessment
Common Vulnerabilities:
1) No system Hardening
2) No Physical Security
3) No Security Controls on data - threats relating to confidentiality and tampering of data
4) No Administrative Control- Having Policy and Procedure
Common Example of Threats:
1) Theft
2) System Hacked from inside
3) System hacked from outside
4) Natural Disasters
5) Hardware Failures
6) Fraud - employees tampering with information
3) Analyze Impact - identify the result of the threat. ex. server down for days
Tangible Impacts - visible loss such as money
Revenue/Business Opportunity
Money due to the cost of fixing the asset
Loss of Production - occurring to equipment and inventory
Employee Safety
Intangible Impacts - Company Reputation
Failure to follow regulations
Loss of Customer Confidence
4) Prioritize Threats - based on their impacts and probability (aka likelihood) of occurring
5) Identify Mitigation Techniques - protect the asset from the risk/how to reduce the risk of the threat occurring
6) Evaluate Residual Risks - remaining threats after reevaluating the asset.
Types of Risk Analysis
1) Qualitative- create a scale and rate each threat
Risk = Probability(Chance) X Loss(Impact)
2) Quantitative - calculate the dollar amount for each risk and impact of the threat; determine how much you should invest in a security solution to protect the
Single Loss Expectancy (SLE) - how much money the company will lose each time the threat occurs
SLE = $value x %Exposure Factor (EF)
Exposure Factor = % (percentage of the asset's value you expect to lose)
Annual Loss Expectancy (ALE) - how much money you will lose per year
ALE = SLE x Annual Rate of Occurrence (ARO)
ex. of ARO: occurred 3 times per year
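Added example (not from the book or these notes): a small quantitative risk register in Python that computes SLE and ALE with the formulas above, ranks threats for step 4 (prioritize), and checks whether a control is worth its yearly cost. The cost-benefit formula (ALE before minus ALE after minus annual cost of the control) is the standard one and is not written out in the notes; the threats and dollar figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of a risk register: an asset and a threat against it."""
    name: str
    asset_value: float      # $ value of the asset
    exposure_factor: float  # EF: fraction of the asset's value lost per incident
    aro: float              # Annual Rate of Occurrence (incidents per year)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def prioritize(threats):
    """Step 4: rank threats by ALE (impact x likelihood), highest first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def control_value(threat: Threat, aro_after: float, annual_cost: float) -> float:
    """Net annual benefit of a mitigation that lowers the ARO to `aro_after`:
    ALE before - ALE after - yearly cost of the control. Positive means the
    control saves more than it costs; negative means it costs more than the
    loss it prevents, so a cheaper control, transference or acceptance may
    be the better strategy."""
    return threat.ale() - threat.sle() * aro_after - annual_cost


# Constructed example register.
REGISTER = [
    Threat("web server outage (hard drive failure)", 50_000, 0.25, 3),
    Threat("laptop theft", 2_000, 1.0, 4),
    Threat("data center fire", 500_000, 0.8, 0.1),
]
```

For the web server row, a RAID solution that cuts the ARO from 3 to 0.5 is worth buying at $10,000 a year but not at $40,000.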

Risk Mitigation Strategies

1) Mitigation - implementing a security control that protects the asset; Ex. RAID solution for hard drive failure
2) Acceptance - do not implement any solution to protect
3) Transference - make the threat somebody else's problem; Ex. insurance
4) Risk Avoidance - do not perform the activity any more in order to avoid the
5) Deterrence - threaten punishment to anyone who attacks the asset
Common Mitigation Strategies
1) Enforce Technology Security Controls - implement RAID, high availability solutions, firewalls, encryption, IDS, honeypots, patching, DLP
DLP - Data Loss Prevention, define rules for confidential information
2) Change Management - change management procedures in your business
3) Incident Management - incident response procedures
4) User Rights and Permissions Review - review rights and privileges given on a system/to data; ensure the principle of least privilege is being followed
5) Perform Routine Audits
6) Enforce Policies and Procedures
Chapter16: Disaster Recovery and Business Continuity
Continuity of Operations - ensuring the business can still operate when disaster
Creating Business Continuity Plan (BCP)
1) Project Initiation. Make a Business Case. Create BCP committee and have a BCP Coordinator/Project Leader.
2) Business Impact Analysis/Assessment (BIA). Risk Assessment part:
        IDENTIFY CRITICAL BUSINESS FUNCTIONS - loss of function that would result in huge revenue loss.
        IDENTIFY RESOURCES USED BY FUNCTIONS - resources like internet connection, website etc.
        IDENTIFY THREATS TO FUNCTION
        1) Man-made Threats. ex. fires, employee strikes
        2) Natural Disasters
        3) Technical Threats. ex. Power Failure, System Failure, Communication/Device Failure
        DETERMINE MITIGATION TECHNIQUE - for each threat. ex. backup, redundant power and WAN links etc.
3) Develop the Plan. Disaster Recovery Plan.
4) Test the Plan.
Types of Testing:
1) Checklist review. - distributed to the representative for each depart
2) Tabletop exercise/Structured Walkthrough. - BCP reviewed by the BCP Team; review procedures
3) Simulation Test. - put to test by simulating a scenario
4) Parallel Test. - ensuring ALTERNATIVE SITE is functioning
5) Full Disruption Test. - shutting down original location and operating solely from alternative site.
5) Maintain the Plan.
DISASTER RECOVERY PLAN (DRP) - steps to recover from different scenarios.
HOT SPARES. connected and powered on in case the primary device should fail; ready to work.
COLD SPARES. device must be connected and powered up before it can take over.
HOT SITE. complete alternative location; data should be continuously replicated.
COLD SITE. office space ONLY is available.
WARM SITE. middle ground between Hot and Cold Site.
EXCLUSIVE SITE. site is dedicated to your company/pays the full fee.
TIME-SHARED SITE. split the cost of an alternative site with another business; ensure site can handle both businesses at the same time.
Other Terms:
SUCCESSION PLANNING. ensuring you have employees who can fill key leadership roles in case you lose key personnel.