CompTIA’s Security+ Certification Exam Notes

CompTIA’s Security+ Exam
Exam Number SY0-101
Number of Questions 100
Time Allotted 90 Minutes
Passing Score 764/900
Exam Objectives: Available at the CompTIA site

Access Control Models

MAC Mandatory Access Control – An administrator creates a predefined set of permissions and assigns them to users and objects (labels).
DAC Discretionary Access Control – The resource owner establishes who or what has rights to an object (ACL).
RBAC Role Based Access Control – Rights are assigned per user role; roles are usually based on organizational structure.

Authentication and Identification

Kerberos – Kerberos uses a KDC (Key Distribution Center) to manage authentication. The KDC issues a ticket to a principal; the principal can use the ticket to authenticate against other principals.
CHAP Challenge Handshake Authentication Protocol – Client sends a logon request. Server returns a challenge. The client returns the challenge, encrypted. If the server sees a match, authentication is granted.
MS-CHAP Microsoft’s implementation of CHAP.
Certificates A Certificate Authority issues a certificate to a client. Certificates can be revoked using a CRL (Certificate Revocation List).
PAP Password Authentication Protocol – Username and password are sent in clear text.
Tokens A token contains the rights of the token holder.
Multi-Factor Authentication Two or more access methods used in concert.
Biometrics Biometrics use physical characteristics such as retina scanning, fingerprint reading, face recognition or hand scanners.
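An added example (not part of the original notes) of the CHAP exchange described above, with PAP shown for contrast. It assumes a constructed shared secret and follows RFC 1994, where the response is MD5 over the packet identifier, the secret and the challenge; the point it makes is that the secret never crosses the wire and that a captured response cannot be replayed because each challenge is used once.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the demo. In CHAP the secret itself never
# crosses the wire; only a hash that depends on it does.
SECRET = b"constructed-demo-secret"


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: holds the secret, issues challenges, verifies responses."""

    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self):
        """Server -> client: a fresh, unpredictable challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, response):
        """Client -> server: grant only if the response matches our own computation."""
        chal = self.outstanding.pop(identifier, None)  # each challenge is usable once
        if chal is None:
            return False  # unknown or already-consumed challenge (e.g. a replay)
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)


def chap_logon(server, client_secret):
    """Run one logon; returns (granted, identifier, response) so the exchange can be replayed."""
    ident, chal = server.challenge()
    resp = chap_response(ident, client_secret, chal)  # the client never sends client_secret
    return server.verify(ident, resp), ident, resp


def replay_is_rejected(server, client_secret):
    """A captured response is useless later: the challenge it answered is gone."""
    granted, ident, resp = chap_logon(server, client_secret)
    return granted and not server.verify(ident, resp)


def pap_on_the_wire(username, password):
    """PAP, for contrast: the credential itself travels in clear text."""
    return username.encode() + b":" + password.encode()


if __name__ == "__main__":
    srv = ChapServer(SECRET)
    print("CHAP logon granted:", chap_logon(srv, SECRET)[0])
    print("CHAP wrong secret granted:", chap_logon(srv, b"wrong")[0])
    print("CHAP replay rejected:", replay_is_rejected(srv, SECRET))
    print("PAP bytes on the wire:", pap_on_the_wire("alice", "constructed-pass"))
```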

Security Design Goals

CIA Confidentiality, Integrity and Availability
Confidentiality Prevent unauthorized access.
Integrity The data is true and trustworthy.
Availability Protect data and prevent its loss.
Accountability Who owns data and making sure it is accurate.

Security Topologies

Security Zones A design that isolates systems into separate zones.
DMZ Demilitarized Zone – Area for public servers – keeps the local network unavailable to external requesters.
Intranet Private internal network
Extranet Including external partners in the Intranet Zone
VLAN Virtual Local Area Network – segments the local LAN to control access.
NAT Network Address Translation
VPN Virtual Private Network

Risk Identification

Asset Identification Places a value on information
Risk Assessment Evaluating the likelihood of specific threats
Threat Identification Identifying specific threats

Security Types

Physical Security items that can be seen, touched or stolen
Operational Security Security of the business’ workflow; access control and authentication.
Management And Policies Policies outline what is approved access to resources. Management enforces the corporate policy.

Types of Policies

Administrative Policies Corporate guidelines for upgrades, monitoring, backups and audits.
Software Design Requirements Policies that cover the requirements for functionality and auditing of custom code.
DRP Disaster Recovery Plan – Corporate document that explains the course of action for a business during a crisis.
Information Policies– Documentation about access to information, confidentiality, storage and destruction of data.
Security Policies– configuration of systems and networks.
Usage Policies – Spells out what is acceptable use of company equipment, data and resources. Consequences, monitoring and incident handling are also considered.
User Management Policies new user creation and deletion policy. Includes password changes.

Attack Types

Access Attacks the attacker’s goal is to gain unauthorized access to information or services.
Dumpster Diving Literally picking through the corporate dumpster for information. Also called Information Diving.
Eavesdropping Simply listening in, in an effort to gain knowledge.
Snooping Peeking around for information.
Interception The attacker positions himself covertly, either physically or in a digital sense, in the middle of a transaction or conversation.
Modification Attacks The attacker’s goal is to alter information for gain.
Repudiation Attacks Modifying with the purpose of discrediting or invalidating information.
Back Doors By design or surreptitiously inserted, a ‘back door’ allows the attacker into a system or application for purposes of control.

Denial Of Service Attacks
DOS Denial of Service
DDOS Distributed Denial of Service
A DOS or DDOS attack seeks to deny legitimate users access to information, applications or services. A DDOS is distributed, meaning that multiple hosts participate in the attack. Reactive defense methods include “walking the path” back to the source up to the border router and working with that router’s owner, filtering, which may or may not be effective, and scaling up bandwidth and hardware in response to the attack. Unplugging is the option of last resort. Proactive defense can be provided in hardware and planning (such as having a backup range of IP addresses that can be cut over to).
Common Types of DOS attacks
SYN Flood attempting to tie up resources with incomplete TCP connections
Smurf Attack A broadcast is sent to multiple machines with a forged source request – all the machines reply to the victim host, inundating it with responses.
Ping Flood The victim host is sent an overwhelming amount of ping traffic
Fraggle Attack A flood of UDP traffic is sent to a victim host.
Application Flood The attacker leverages a weakness at the application level – IRC floods are a common example.

Spoofing The attacker attempts to appear to be someone else, usually a legitimate user.
Man In The Middle This interception attack relays communications between hosts who have a legitimate connection. The attacker may insert, delete or gather information. Wireless access is a common vector for this attack.
Replay Attack The attacker attempts to capture packets on their way from one host to another, and then replay them to a targeted host in an attempt to impersonate a legitimate user or system.

Password Cracking Attempting to gain a valid credential given a login prompt. Defense is to use account lockout, expiring passwords and to protect password hashes.
Brute Force trying a large amount of character combinations to break a password scheme.
Dictionary Attack Attempting to crack a password scheme using wordlists.
Guessing The attacker simply tries to guess a password, either using inside knowledge or commonly used passwords.

Virus Attack Malicious code designed to further the attacker’s goals. May be custom written for the target. Antivirus software is the commonly employed defense.
Polymorphic Viruses The code can change to avoid signature based detection
Stealth Virus Code may attach itself to legitimate code in order to hide
Retrovirus Code attacks antivirus defense software
Multipartite Virus Code is designed to use multiple techniques to cause its havoc
Armored Virus Code is designed to stop the removal of the virus by stealth, encryption or obfuscation.
Companion Virus Code attaches itself to legitimate applications.
Phage Virus – This virus attempts to change other programs.
Macro Virus This code is written in Macro programming, common in Microsoft Office-like applications.
Trojan Horse A malicious program that misrepresents its true intentions, and attempts to trick the user as to its purpose.
Logic Bomb Malicious code that executes when a criterion is met, such as a date being reached or a specified action being performed.
Worm Self replicating virus – the goal is to propagate.

Social Engineering The attacker attempts to con the victim into belief. The goal may be to obtain information or access to further the attacker’s cause. May occur over the Internet, email, phone or even in person. Almost impossible to defend against given the salesmanship of the perpetrator. Education of users is the most commonly cited defense strategy for Social Engineering attacks.
Phishing Type of social engineering that attempts to deceive the target by presenting a false link to a compromised or bogus login.
Spearphishing Using a Phishing attack on a very specific target.
Joe Job Spamming using a forged email address, that of the target. Spam recipients are fooled by the forgery and either target or discredit the victim.

Wireless

802.11 is the wireless standard (Wi-Fi) established by the IEEE (Institute of Electrical and Electronics Engineers). There are three types of common Wi-Fi technology in use today, and research and development continuously improves both bit rate and range.

802.11a
Operates in the 5 GHz spectrum, at speeds up to 54 Mbits/s. 802.11a was adopted by corporations specifically because of its better ability to serve more users with fewer access points; the speed boost was also a factor. Another factor that helped high-end deployments adopt the standard was the use of the 5 GHz spectrum, which does not collide with other common devices. 802.11a equipment carried an additional price, perhaps because of economies of scale. It also suffers from a shorter range than the 802.11b standard.

802.11b
Uses the 2.4 GHz spectrum. Rates range from 1 to 11 Mbits/s depending on range and interference. Interference is sometimes caused by other devices in consumer environments. This was the first widely available consumer-level wireless technology. Enhanced versions use techniques such as channel bonding and burst transmission to increase rates, but these are not part of the official standard, so interoperability between vendors may suffer.

802.11g
Uses the 2.4 GHz radio spectrum. Transfer for 11g is rated up to 54 Mbits/s. 802.11g is the current consumer-level choice because of availability, compatibility with existing 802.11b equipment and price. The range at which 802.11g equipment can maintain its highest speeds is smaller than 802.11b’s.

When 802.11g and 802.11b clients share a network, 802.11g clients suffer because the two standards use different types of modulation. 802.11g clients use the same type of modulation as 802.11a clients, OFDM (Orthogonal Frequency Division Multiplexing). OFDM breaks data into subsignals and transmits them simultaneously across different frequencies. 802.11b clients use DSSS (Direct Sequence Spread Spectrum). DSSS sends a separate high-speed transmission containing the data in addition to the data itself; this allows reconstruction in case of a disruption.

802.11n
Pre-n technology is available now, but is not based on a shared ratified standard. Speeds are in the neighborhood of 100 to 540 Mbits/s. Early adopters may pay the price with incompatible hardware once a standard is ratified. Pre-n is not limited to using the 2.4 GHz range, but commonly does for cost considerations. This technology typically uses a multiple path scheme called MIMO (Multiple In Multiple Out) to increase available bandwidth between clients and an access point. Some Pre-n equipment interferes with other wireless gear, rendering it inoperable in the Pre-n unit’s range.

Securing an 802.11x wireless network
Use a MAC filter- only registered and recognized MAC addresses are allowed to join the network.
Don’t broadcast the SSID, after setting it to be something unique.
Use RADIUS for centralized authentication.
Set the connection to require the strongest encryption available to both client and access point, with a key unique to the network.
Use a VPN for access over Wi-Fi.
Use a gateway/firewall between wireless clients and local LAN.

802.11 Encryption
WEP Wired Equivalent Privacy – encryption with shared 40-bit or 128-bit keys. Very quickly crackable. Supported by legacy equipment.
WPA Wi-Fi Protected Access – Uses TKIP (Temporal Key Integrity Protocol) and MIC (Message Integrity Check). TKIP changes the base key used to encode data after a set number of frames have been sent; as time passes, so does the key.
TSC TKIP Sequence Counter – blocks replay attacks
IV Initialization Vector – allows key changes.
WPA2 802.1x security and key exchange to strengthen data encryption using AES.

Future Standards
RSN Robust Security Network
802.11i Uses AES Advanced Encryption Standard and CCMP Counter Mode CBC MAC Protocol. Addresses key management issues, using a master key to generate other keys, which are then used by clients.

Intrusions & prevention

IDS Intrusion Detection System monitors the system or network for anomalies.
IPS Intrusion Prevention System uses active responses to malicious traffic.

Network Monitoring Watching what is happening on the network, either by packet monitoring or device reporting.
Tap a device used to hook into the network and used to monitor network traffic.
Activity an item of interest to the operator.
Alert Message that indicates an activity has occurred.
Analyzer Collects data from sensors and checks it for activities.
Event suspicious activity occurrence.
Manager the console for the IDS/IPS
Sensor collects data for the analyzer.

MD-IDS Misuse IDS evaluates attacks on signatures and audit trails.
AD-IDS Anomaly detection IDS looks for patterns that do not match normal traffic baselines.
N-IDS Network Based IDS Sits on the network, at choice points looking at all traffic that passes by
H-IDS Host Based IDS runs on a host system and protects that system. Examines log files. Exposure to attacked log files, costly deployment. Can use checksums on files.
Active Response – Kill processes or sessions, change network configuration, implement deceptive responses
Passive Response -logging, notification and shunning (ignore)

Honey Pots a target machine designed for the purpose of bait for an attacker or to trap the attacker. Should misrepresent its purpose to an attacker as well.
Honey Net A network of honey pot computers, designed to fool the attacker. Can be run in software on a single host or be distributed over several hosts.
Enticement luring into a plan or trap.
Entrapment encouragement to commit a crime.

Incident Response The process of identifying, investigating, repairing and documenting procedures to understand and prevent an incident.
Escalation – using a predetermined path of responsibilities, moving ‘up the chain’.

Site Surveys listening in on a wireless network for data and signal intelligence.
Packet Sniffing monitoring data on the wire.
Signal analysis and Intelligence capturing and analyzing electronic signals- identify and evaluate a target, track communication patterns.
Footprinting/Fingerprinting Using signal analysis and intelligence to understand a network and its topology, its hosts and host operating systems. Common tools from Google searches or running nmap against an IP range are examples.
Vulnerability Scanning -runs a set of queries against a target looking for the signature of a known or unknown vulnerability in a service or system.

Security Baseline A level of security that is expected
CC Common Criteria A standard developed by multiple nations. Breaks down into 7 EAL (Evaluation Assurance Levels); these range from EAL1, where there are assurances the system operates correctly and security threats are not serious, up to EAL7, for extreme levels of security. To achieve this level requires testing, measurement and independent auditing. Commercial systems should have a rating of EAL4. The Common Criteria can be found at commoncriteriaportal.org.

TCSEC Trusted Computer System Evaluation Criteria – the CC’s forefather. Has been replaced.

Hardening The process of securing a computing environment from attackers.
OS hardening can be achieved by removing unneeded protocols and services and installing security patches.
MS OS items of interest here are IIS, FTP and installing service packs.
Novell needs to have a properly configured NDS (Novell Directory Service) or eDirectory, remove unneeded NLMs NetWare Loadable Modules, and install Support Packs, the Novell version of service packs.
Unix/Linux- Install Patches, remove unneeded services.
Apple Mac systems – Ensure login at startup, remove unneeded protocols.

PBX security

Make sure remote access for maintenance uses strong authentication. Turn it off when not in use, if possible.
Insist on strong user passwords that do not contain the extension, repeating or sequential digits.

Security Acronyms

Common services and Ports Used

DNS Domain Name System 53
POP3 Post Office Protocol 110
SMTP Simple Mail Transfer Protocol 25
SNMP Simple Network Management Protocol 160,161
NNTP Network News Transfer Protocol 119
FTP File Transfer Protocol 20,21
SSL Secure Sockets Layer 443
TELNET 23
TACACS authentication 49
HTTP 80
HTTPS 443
NetBIOS 137,138,139
IMAP 143
LDAP 389
LDAP SSL 636
SSH Secure Shell 22
AH, ESP ports 50 and 51

Common Routing Protocols
RIP Routing Information Protocol-broadcast, shortest path
BGP Border Gateway Protocol -ISP/intrasystem use, allows groups of routers to share information
OSPF Open Shortest Path First
IGRP Cisco’s Interior Gateway Routing Protocol
EIGRP Cisco’s Enhanced Interior Gateway Routing Protocol

Connectivity Terms
RAS Remote Access Service
RRAS Routing and Remote Access Service – Microsoft
POTS Plain Old Telephone Service
PSTN Public Switched Telephone Network
PBX Private Branch Exchange
VNC Virtual Network Computing
CO Central Office
CPE Customer Premises Equipment
NOC Network Operations Center
VoIP Voice Over IP
Modem – Modulate Demodulate
WAP Wireless Access Point (transceiver)
WEP Wired Equivalent Privacy
SSID Service Set Identifier
VPN Virtual Private Network
L2TP Layer 2 Tunneling Protocol
PPTP Point to Point Tunneling Protocol
RF Radio Frequency
NIC Network Interface Card
SSH Secure Shell
TLS Transport Layer Security
IPSEC IP Security Architecture
L2F Layer 2 Forwarding
CGI Common Gateway Interface

SLIP Serial Line Internet Protocol -No security, legacy remote access protocol
PPP Point to Point Protocol – works with a range of connectivity from POTS to a T1. No data security. Can use CHAP for authentication. Encapsulates traffic in NCP (Network Control Protocol). Authentication provided by LCP (Link Control Protocol).
PPTP Point to Point Tunneling Protocol – encapsulates and encrypts PPP packets. Uses port 1723 on TCP.
L2F Layer 2 Forwarding – Authenticates, but no encryption. port 1701 on TCP
L2TP Layer 2 Tunneling Protocol – mix of PPTP and L2F. can be used with TCP and other protocols, therefore can be used to bridge networks. Information not encrypted. uses port 1701 on UDP.
SSH Secure Shell – Encrypted. Can tunnel apps such as telnet, ftp, etc. Port 22 on TCP.
IPSec Internet Protocol Security. Used with other tunneling protocols for encryption of both data and headers. Transport mode only encrypts data; tunnel mode encrypts both the data and headers. Uses AH (Authentication Header) and ESP (Encapsulating Security Payload).

RADIUS Remote Authentication Dial In User Service – open standard. Central administration and authentication of remote users. Supports auditing and accounting over multiple systems.
TACACS+ Terminal Access Controller Access Control System. Accepts credentials from multiple sources to authenticate connections.

File Systems
FAT32 File Allocation Table Win 95/98/ME
NTFS New Technology File System. Win NT/2K/XP/03
NFS NetWare File System Novell NetWare Specific
NSS NetWare Storage Services Novell NetWare Specific version 6 on
HFS Hierarchical Filesystem Unix
NFS Network File System -Unix can mount remote locations
AFS Apple File Sharing -Uses AppleTalk protocol

Encryption

Cryptography Concealing information
Plaintext unencrypted information
Ciphertext encoded information
Cryptanalysts Those who break crypto
Steganography hiding information in other information (such as a picture)
Cipher – a method used to encode information
Substitution cipher – changes one thing into another
Transposition Cipher scrambling information in a certain manner
Hashing using mathematical functions to encode information
Quantum Cryptography Encrypting data based on the properties of photons- fiber optic transmission of secret keys
Keyspace a representation of the amount of possible combinations of key transformations supported by a cipher
Perfect Secrecy – The number of possible keys is the same as the number of possible messages.

Code breaking techniques
Frequency Analysis Looking for patterns in the encrypted information
Algorithm Errors The crypto output becomes predictable and leads to compromise
Brute Force trying every combination until one works
Human Error Attack the weakest link
Codebook Attack Attacker attempts to build a book of all possible transformations between ciphertext and plaintext.

One Way Hash Message cannot be decoded back to the original value
Two Way Hash Message can be decoded back to original value
SHA Secure Hash Algorithm
MDA Message Digest Algorithm
Message Authentication The message is verified to be from the sender
Message Integrity The message has not been altered from its original content
MAC Message Authentication Code – Verifies message integrity and authentication, using a key and the data with a hashing algorithm.
Digital Signature Hash process using a key from the sender, who provides a copy to the receiver.

Symmetric Algorithms
Both sender and receiver must have the same key.
DES Data Encryption Standard, 56 bit key
AES Advanced Encryption Standard – Rijndael algorithm – key sizes are 128, 192 and 256 bits
3DES Triple DES. Harder to break than DES
CAST Carlisle Adams and Stafford Tavares 40 to 128 bit key
RC Rivest Cipher Key up to 2048 bits
Blowfish 64 bit block cipher
Twofish 128 bit block cipher
IDEA International Data Encryption Algorithm.

Asymmetric Algorithms
Use public/private key pair to encrypt.
RSA works for encryption and digital signatures. SSL uses RSA
Diffie-Hellman used to transmit keys securely
ECC Elliptic Curve Cryptography – smaller and lighter than RSA. Leveraged by mobile devices.

PKI Public Key Infrastructure -Asymmetric system that attempts to provide a framework for end to end security covering messages and transactions, across different infrastructures.
CA Certificate Authority -issues, distributes and revokes certificates.
Certificate associates a public key with a user
RA Registration Authority Works with a CA to offload work, can do everything except issue certificates.
LRA Local Registration Authority Can identify users and proxy to the CA
CRL Certificate Revocation List – Process to expire a certificate early. Published by CA.
X.509 ITU standard certificate format. Version 2 for CRL and version 3 for certificates.
CMP Certificate Management Protocol -allows PKI entities to communicate.
XKMS XML Key Management Specification allows XML programs to access PKI. Built on CMP

SSL establishes the session using asymmetric encryption, and the session itself then runs under symmetric encryption. Clients must be able to accept the level of encryption (40 bit, 56 bit, 128 bit, 256 bit). Older browsers are limited.
TLS Transport Layer Security Expected to replace SSL. Updated version of SSL, also called SSL 3.1; not interoperable with regular SSL.
PGP Pretty Good Privacy – popular system for public domain crypto. Seen often in email.
S/MIME Secure/Multipurpose Internet Mail Extensions – Secure MIME for email. Uses asymmetric encryption and certificates for authentication.
SET Secure Electronic Transaction – Visa/MasterCard protocol for secure card transactions
PKIX Public Key Infrastructure X.509 IETF working group for X.509
PKCS Public Key Cryptography Standards Voluntary standards for vendors to implement PK crypto


Disaster Recovery/Business Continuity

Disaster Recovery Plan A corporate plan to re-implement services in the event of an outage (reactive). Test (and document the test) at least yearly. The DR plan should include a complete inventory of all devices.
Business Continuity Plan Processes and methods to minimize business disruption (proactive) Should contain information about specific events, contracts and a contact list.
Redundancy Multiple components designed for fail-over
Clustering Strategy for redundancy and load balancing
Fault Tolerance Operation is continued if a fault occurs
Working Copy Backups Backups maintained onsite (shadow copies)
Onsite Storage Local information store
Alternate Site A secondary site for restoring network operations
Reciprocal Agreement Two entities agree to do best effort to provide services in the event of an emergency.
Hot Site A fully equipped and operational data processing facility- ready to go. Very expensive. Active backup model.
Warm Site Conditioned space with communications, environmental controls and power. Equipment is in place. Data may be near line or brought in via removable media such as tape (active/active model).
Cold Site Conditioned space, possibly with communications, environmental controls and power. No live data.
MTBF Mean Time Between Failures – anticipated time before a failure occurs.
MTTR Mean Time To Repair How long to repair a system
Code Escrow A third party holds code written in escrow to assure availability

Corporate Policies
Incident Response Policy How to respond to a security incident, including logging, notification chain of custody, information gathering, and contact lists.
Certificate Policy Policy for issuing and management of certificate, including use, storage
Data Retention Policy Defines life of data and how to properly dispose of data.
Separation Of Duty Policy Designed to reduce risk of fraud
Need to Know Policy limits information to those who require it for duties
Privacy/Confidentiality Policy State what information can or cannot be disclosed
Acceptable Use Policy Lays out what can and cannot be done with services and equipment.
Human Resource Policies – Hiring policy, Termination Policy, Ethics policy.
Best Practices Set of recommendations on how to implement or use a practice or product.
Security Policy Controls implemented to maintain security of systems users and networks
Change Documentation Log file that records changes to the computing environment
Auditing Making sure that policies and procedures are followed with regards to organizational policies.

Backup Technologies
Backups should be performed regularly, in accordance with the corporate disaster recovery plan. Popular backup strategies include:
GFS Grandfather-Father-Son – Grandfather: monthly tape, stored offsite. Father: weekly tape. Son: 4 daily tapes.
Full Every file is backed up. Archive bit reset- offers the fastest restore, at the expense of time required to back up.
Incremental Backs up only files that have changed since the most recent Full back up was done. Resets the archive bit.
Progressive Incremental Assumes all backups, including the first full, are incremental.
Differential Backs up any files that are determined to have changed since the performance of the most recent full back up. Does not clear the archive bit.
Straight Copy Does not clear archive bit
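An added simulation (not part of the original notes) of the archive-bit rules listed above, applied to a constructed week of changes: full and incremental backups clear the bit, differential and straight copies do not. It shows why a differential set grows until the next full, and why an incremental restore needs every set since the last full while a differential restore needs only two.

```python
# Constructed simulation of the archive-bit rules from the notes. A file's
# archive bit is set whenever it is written; full and incremental backups
# clear it, differential and straight copies leave it set.

def write(volume, name):
    """Create or modify a file: the OS sets its archive bit."""
    volume[name] = True


def backup(volume, kind):
    """Return the sorted file names this backup copies and apply the archive-bit rule."""
    if kind == "full":
        chosen = sorted(volume)                      # every file, regardless of bit
        clears_bit = True
    elif kind == "incremental":
        chosen = sorted(n for n, bit in volume.items() if bit)
        clears_bit = True
    elif kind in ("differential", "copy"):
        chosen = sorted(n for n, bit in volume.items() if bit)
        clears_bit = False
    else:
        raise ValueError("unknown backup kind: " + kind)
    if clears_bit:
        for n in chosen:
            volume[n] = False
    return chosen


# Constructed change schedule: day 0 full backup, then three days of edits.
DAILY_CHANGES = [["a"], ["b"], ["a", "c"]]


def run_week(kind):
    """Day-0 full backup followed by a daily backup of `kind`; returns what each copied."""
    volume = {}
    for name in ("a", "b", "c"):
        write(volume, name)
    history = [backup(volume, "full")]
    for changes in DAILY_CHANGES:
        for name in changes:
            write(volume, name)
        history.append(backup(volume, kind))
    return history


def restore_chain(history, kind):
    """Indices of the backup sets needed to rebuild the latest state."""
    last = len(history) - 1
    if kind == "full":
        return [last]                  # the latest full is self-contained
    if kind == "differential":
        return [0, last]               # last full plus the most recent differential
    if kind == "incremental":
        return list(range(last + 1))   # last full plus every incremental since it
    raise ValueError("unknown backup kind: " + kind)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist = run_week(kind)
        print(kind, hist, "restore needs sets", restore_chain(hist, kind))
```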

Server Room Physical Security

Secure access to the server room and backup tapes
All doors should lock either by key or card, two factor locks if possible.
Server rack doors should lock
Remove trashcans from the server room (no need for cleaning personnel in there)
Access Control limiting access to computing environments, physically or logically.
Examples of biometrics include retina scanning, fingerprint reading and palm scanning. Good for two factor authentication.
Man Trap a two door system with a gap space between. May include a window for observation.
Physical Barriers Items such as perimeter walls, locking doors, motion detectors and burglar alarm systems.

Computer Forensics

Analyzing a computer system, looking at all files, including hidden or deleted data, that may be used to understand an incident.
Root Cause Analysis The most basic cause or situation that allowed an incident to happen
Bit for bit copy – making an exact copy of computer media, which is created in a manner which is non-destructive to the source. The bit for bit copy will be analyzed, leaving the original unchanged.

Forensic Investigation Method (3 A’s)
Acquire the Evidence, gather data from machines
Authenticate the evidence Proving that the evidence is factual and untampered.
Analyze the evidence look for the trail of actions and operations related to the incident.

Chain Of Custody – log of the possession of evidence -should catalog every event since the time of evidence collection. Who, how and where. Date and time stamps are critical.
Preservation Of Evidence (bag and tag) – make sure that physical control of evidence exists and is logged.
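An added example (not part of the original notes) that walks the three A’s and the chain of custody above over a constructed piece of media: acquire a bit-for-bit image, authenticate it by hashing original and image, log each handling step with who, what, where and when, and analyze the raw bytes so that data a directory marks as deleted is still found. The examiner name, location and sector layout are constructed for the demo.

```python
import hashlib
import string
from datetime import datetime, timezone

# Constructed "media": four 32-byte sectors. Sector 0 is a toy directory that
# lists only notes.txt; the bytes of a file marked deleted still sit in sector 3.
SECTOR = 32
CONSTRUCTED_MEDIA = b"".join(s.ljust(SECTOR, b"\x00") for s in [
    b"DIR: notes.txt@1 (deleted:@3)",
    b"Meeting notes for Monday.",
    b"",
    b"deleted-file text CONSTRUCTED",
])


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def bit_for_bit_copy(source):
    """Acquire: copy every byte of the medium; the source object is never modified."""
    return bytes(source)


class ChainOfCustody:
    """Each entry records who, what, where and when, plus the hash of the item handled."""

    def __init__(self):
        self.entries = []

    def log(self, who, action, where, item_hash):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": who, "action": action, "where": where, "sha256": item_hash,
        })
        return len(self.entries)


def acquire_and_authenticate(source, who, where, custody):
    """The first two A's: image the media, then prove the image matches the original."""
    original_hash = sha256_hex(source)
    custody.log(who, "hashed original media before imaging", where, original_hash)
    image = bit_for_bit_copy(source)
    image_hash = sha256_hex(image)
    custody.log(who, "created bit-for-bit image", where, image_hash)
    authentic = original_hash == image_hash
    verdict = "verified" if authentic else "FAILED"
    custody.log(who, "image %s against original hash" % verdict, where, image_hash)
    return image, image_hash, authentic


def image_unchanged(image, recorded_hash):
    """Re-check before any later analysis; any altered byte changes the hash."""
    return sha256_hex(image) == recorded_hash


def carve_strings(image, min_len=8):
    """Analyze: pull printable runs from every sector, ignoring the directory's view."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for byte in image + b"\x00":          # trailing NUL flushes the last run
        if byte in printable:
            run.append(byte)
        else:
            if len(run) >= min_len:
                found.append(run.decode())
            run = bytearray()
    return found


if __name__ == "__main__":
    custody = ChainOfCustody()
    image, digest, ok = acquire_and_authenticate(
        CONSTRUCTED_MEDIA, "examiner (constructed)", "lab bench 1 (constructed)", custody)
    print("image authentic:", ok)
    print("strings carved:", carve_strings(image))
    for entry in custody.entries:
        print(entry)
```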

Security+ is © CompTIA.