Comptia Security+ Study Guide
CIA Triad
Confidentiality, Integrity, Availability
4 Primary functions of Cryptography
Confidentiality, Integrity, Authentication, and Non-repudiation
Substitution Cipher
Type of coding or ciphering system that changes one character or symbol into another.
Transposition
Changing the positions of plaintext letters.
Exclusive-OR (XOR) Operation
Binary mathematical operation which compares two bits to produce an output. Plaintext is XORed with a random keystream to generate ciphertext. If the values are the same, the result is 0. If the values are different, the result is 1.
One-Time Pad
Considered unbreakable. Each pad in the scheme must meet the following requirements:
- Made up of truly random values
- Must be at least as long as the message
- Used only once
- Securely distributed to destination
- Protected at sender's and receiver's sites
Initialization Vectors
- Random values used with algorithms to ensure patterns are not created during the encryption process
- Used with keys
- Do not need to be encrypted when being sent to the destination
- If IVs are not used, an attacker can break the keyspace because of patterns resulting from the encryption process
Alternate Data Streams (ADS)
- Provides hackers with a method of hiding tools on a breached system and executing them without being detected
- Allows for compatibility with the Macintosh Hierarchical File System
- Used legitimately by a variety of programs
- ADS executables appear to run as the original file, undetectable to process viewers like Windows Task Manager
- Not only possible to hide a file, but also to hide the execution of an illegitimate process
Symmetric Cryptography
- a.k.a. Secret Key, Private Key, Shared Key, Same Key, Single Key, Session Key
- Best suited for bulk encryption; much faster than asymmetric cryptography
- Both parties share the same key
- Stream cipher (encrypted bit-by-bit or byte-by-byte)
- Block cipher (applied to a collection of bits or bytes)
Requires both ends of an encrypted message to have the same key and processing algorithms.
Block Cipher
- Usually implemented in software
- Transforms fixed-length blocks of plaintext into ciphertext of the same length
- Data is encrypted block-by-block
- Uses substitution and transposition ciphers
- Stronger than stream-based ciphers
- Slow and resource intensive
A method of encrypting text in which a cryptographic key and algorithm are applied to a block of data at once as a group, rather than to one bit at a time.
Stream Cipher
- Data encrypted bit-by-bit
- Plaintext mixed with a keystream controlled by a key
- Usually implemented in hardware
- Requires no memory
- Data is encrypted on-the-fly
- A very fast mathematical operation
A method of encrypting text in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time.
Symmetric Key Encryption
In order to ensure secure communications between everyone in a population of n people, a total of n(n-1)/2 keys are needed.
Data Encryption Standard (DES)
- Based on IBM's Lucifer algorithm
- 64-bit block (56-bit key + 8 bits for parity)
- Algorithm: DEA (Data Encryption Algorithm)
- Easily broken
Triple-DES (3DES)
- Upgrade of DES (still in use)
- Applies DES three times
- 168-bit key (+24 for parity)
Advanced Encryption Standard (AES)
- Current standard (replaced DES)
- 128-bit block
- Key sizes: 128, 192, and 256 bits
- Algorithm: Rijndael
Twofish
- 128-bit block cipher - Variable-length keys (128, 192, or 256-bits) - Finalist for AES
CAST
- developed by Carlisle Adams and Stafford Tavares (CAST)
CAST-128
- 64-bit block size - variable key lengths (40 to 128-bits)
CAST-256
- 128-bit block size - variable key lengths (128, 160, 192, 224, 256-bits)
International Data Encryption Algorithm (IDEA)
- 64-bit block cipher
- 128-bit key length
- Developed by the Swiss
- Used in PGP and other encryption software
Secure and Fast Encryption Routine (SAFER)
- Used in Bluetooth for key derivation, not for encryption
- SAFER+: 128-bit block cipher
- SAFER++: 64- and 128-bit block cipher
Whole Disk Encryption
- a.k.a. Full disk encryption
- Software or hardware which encrypts every bit of data on a disk or disk volume
- Some software can leave the Master Boot Record (MBR) unencrypted
- Some hardware-based encryption systems encrypt the entire boot disk, including the MBR
- AES primarily used
Asymmetric Cryptography
- a.k.a. Public Key Encryption
- Based on mathematical number theory
- Each user has two keys: Public/Private
- Public key is available to everyone
- Private key is kept secret
- Both keys are mathematically related
- Considered a key pair
- Whatever is encrypted with one key can only be decrypted with the other
El Gamal
- Encryption, Digital Signatures, Key Exchange
- Based upon Diffie-Hellman
- Main drawback is performance (slower than other comparable algorithms)
LAN Manager Authentication Protocol
- Provides compatibility with older Windows systems (replaced with NTLM)
- Weakest protocol and easiest to compromise
- Converts lowercase to uppercase
- 14 characters divided into two 7-character sets
- With passwords of 7 characters or less, the second set of 7 of the hash value will be a null
Hashed MACing (HMAC)
- Type of MAC calculated using a hash function and a symmetric key
- Uses MD5 or SHA-1
- The shared symmetric key is appended to the data to be hashed
- Used in Internet protocols such as IPSec, SSL/TLS, and SSH
Digital Signature Algorithm (DSA)
- Used to digitally sign documents - Performs an integrity check by use of SHA-1
Hybrid Cryptosystem
- A hybrid cryptosystem can be constructed using a combination of cryptosystems
Frequency Analysis
Analyzing blocks of an encrypted message to determine if any common patterns exist. Common occurrences in the English language:
- Letters: E, T
- Words: the, and, that, it
- Stand-alone letters: A and I
Rainbow Table (Rainbow Crack)
A rainbow table is a lookup table used to recover an unknown password using its known cryptographic hash, making attacks against hashed passwords feasible. It allows recovering the plaintext password from a "password hash" generated by a hash function.
Certificate Management
Provides the primary method of identifying that a given user is valid.
- Enables the authentication of the parties involved in a secure transaction
- A typical certificate contains the following:
  - The certificate issuer's name
  - Valid from/to dates
  - The owner of the certificate (subject)
Public Key Infrastructure (PKI)
- A framework for managing private keys and certificates
- Provides a standard for key generation, authentication, distribution, and storage
- Establishes who is responsible for authenticating the identity of the owners of the digital certificates
- Follows the X.509 standard
Certificate Authority (CA)
- Organization responsible for issuing, storing, revoking, and distributing certificates
- Authenticates the certificates it issues by signing them with its private key
A Certificate Authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. A certificate is nothing more than a mechanism that associates the public key with an individual. It contains a great deal of information about the user. Each user of a PKI system has a certificate that can be used to verify their authenticity.
Registration Authority (RA)
- Middleman between subscribers and CA
- Can distribute keys, accept registrations for the CA, and validate identities
- RA does not issue certificates on its own
Offloads some of the work from a CA. An RA system operates as a middleman in the process: it can distribute keys, accept registrations for the CA, and validate identities. The RA doesn't issue certificates; that responsibility remains with the CA.
RA Enrollment
- The subject must first prove their identity to the CA before a digital certificate is created
- Form data with an interview, physically appearing with an agent with ID, credit report data, etc.
- Once satisfied, your certificate is made containing your ID info, public key, etc.
- CA then digitally signs the certificate with its private key
Certificate Policy
- Dictates the circumstances in which a certificate can be used
- Protects the CA from claims of loss if the certificate is misused
- Should identify the user's community, names of the CA and RA, and the object identifier
Certificate policies define what certificates do. Certificate policies affect how a certificate is issued and how it's used. A CA would have policies regarding the interoperability or certification of another CA site; the process of requiring interoperability is called cross certification.
Certificate Practice Statement (CPS)
- Detailed statement of the procedures and practices the CA uses to manage the certificates it issues:
  - How the CA is structured
  - How the certificate will be managed
  - How the subscriber's identity is validated
  - How to request a certificate revocation
  - Which standards and protocols are used
A detailed statement the CA uses to issue certificates and implement the policies of the CA. The CA provides the CPS to users of its services. These statements should discuss how certificates are issued, what measures are taken to protect certificates, and the rules CA users must follow in order to maintain their certificate eligibility. If a CA is unwilling to provide this information to a user, the CA itself may be untrustworthy, and the trustworthiness of that CA's users should be questioned.
Certificate Revocation
- Certificates are revoked due to:
  - Key theft
  - Loss
  - Illegal activity
  - Significant changes in the organization
- Not revoked due to normal expiration
Certification Revocation List (CRL)
- Identifies revoked certificates
- Expired certificates are not on the CRL
Certificate revocation is the process of revoking a certificate before it expires. A certificate may need to be revoked because it was stolen, an employee moved to a new company, or someone has had their access revoked. A certificate revocation is handled either through a CRL or by using the Online Certificate Status Protocol (OCSP). A repository is simply a database or database server where the certificates are stored.
Online Certificate Status Protocol (OCSP)
- Checks for revoked certificates
- OCSP queries a CA or RA that maintains a list of expired certificates
- Server sends a response with a status of valid, suspended, or revoked
OCSP allows for online checking of certificate validity by sending a request to a web site containing information on valid certificates. Thus, it tends to use more up-to-date data than the CRL.
Certificate Server
- A central repository for storing certificates
- Allows administrators to set policies in one location and to centrally manage all users' certificates
Certificate Expiration
- If a certificate expires, a new certificate must be issued - Expired certificates are NOT added to the CRL
Certificate Suspension
- Certificates can be suspended
- Ensures the key is unusable for a period of time
- Suspend rather than expire certificates to make them temporarily invalid
- Particularly when you anticipate that the certificate holder will return to their normal course of duties
Certificate Renewal
- Unexpired certificates can be renewed close to the end of the expiring certificate's lifetime
- Allows the same certificate to be used past the original expiration time
- Not a good practice
Certificate Destruction
- Establish policies for destroying old keys
- When a key or certificate is no longer useful, destroy it and remove it from the system
- When destroyed, notify the CA so the CRL and OCSP servers can be updated
- Deregistration should occur when a key is destroyed, especially if the key owner no longer exists (such as a company out of business)
Certificate Status Checking
- Received certificates are sometimes revoked or suspended, so the certificate status must be checked
- The certificate server can be accessed via the Online Certificate Status Protocol (OCSP)
- No guarantee that this real-time service is providing an up-to-the-moment status
- Many browsers fail to constantly check CRLs
Trust Models
- Trust models explain how users can establish a certificate's validity
- Common models:
  - Single-Authority Trust
  - Hierarchical Trust
  - Bridge Trust
  - Web of Trust
Single-Authority Trust
A third-party central certifying authority signs a given key and authenticates the owner of the key. The user trusts the authority and, by association, trusts all keys issued by that authority.
Hierarchical Trust
A root CA at the top provides all the information. The intermediate CAs are next in the hierarchy, and they only trust information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree. Root CA systems can have trusts between them, and there can be trusts between intermediate and leaf CAs. A leaf is any CA that is at the end of a CA network or chain.
Bridge Trust
- Two or more separate authorities establish a trust relationship amongst each other
- Best suited for peer-to-peer relationships, such as business partners
In a bridge trust model, a peer-to-peer relationship exists between the root CAs. The root CAs can communicate with each other, allowing cross certification. This arrangement allows a certification process to be established between organizations or departments. Each intermediate CA trusts only CAs above and below it, but the CA structure can be expanded without creating additional layers of CAs.
Web of Trust (Peer-to-Peer trust)
All parties involved trust each other equally. No CA exists to certify owners.
Key Management
The process of working with keys from the time they are created until the time they are retired or destroyed. It is one of the key aspects of an effective cryptographic system. Keys are the unique passwords or pass codes used to encrypt or decrypt messages.
Key Length
- Use sufficiently long keys to protect against attacks aimed at discovering the private key - The more valuable the data, the longer the key should be
Cryptoperiod
- Establish policies for setting key lifetimes - The more valuable the data, the shorter the key lifetime should be
Centralized Key Management
- A centralized entity is in charge of issuing keys (users do not have control of their keys)
- The central authority keeps a copy of the key
Centralized key generation allows the key-generating process to take advantage of large-scale system resources. Key-generating algorithms tend to be extremely processor intensive. Using a centralized server, this process can be managed with a large single system. However, problems arise when the key is distributed.
Decentralized Management
- The end user generates the keys and submits them to the CA for validation - Does not provide for key escrow, so key recovery is not possible
Key Storage
- The private key must be safely stored to protect it from being compromised or damaged
- There are two methods for key storage:
  - Software-based: subject to access violations and intrusions, easily destroyed, and subject to the security of the access control system
  - Hardware-based: the most secure form of digital certificate storage, more expensive than software solutions, relies on physical security, smart cards or flash drives
Key Archival
- The storage of keys and certificates for an extended period of time
- Essential element of business continuity and disaster recovery planning
- Addresses the problem of lost keys and recovery of encrypted data from previous keys
- Normally done by the CA, a trusted third party, or the key holder
Key Escrow
- Keys needed to decrypt ciphertext are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys
- Allows for key recovery
- Keys must be secured on the key escrow's network/systems
Recovery Agent
- Someone with authority to remove keys from escrow
M of N Control
- Requires two or more recovery agents
- There must be multiple key escrow recovery agents (N) in any given environment
- A minimum number of agents (M) must work together to recover a key
Revoking Keys
- Conducted when the keys are compromised, the authentication process has malfunctioned, people are transferred, or other security risks occur
- Revoking a key keeps it from being misused. A revoked key must be assumed to be invalid or possibly compromised
Suspending Keys
- Temporary situation - Ensures the key is unusable for a period of time
Renewing Keys
- Defines the process of enabling a key for use after its scheduled expiration date
- A key would be reissued for a certain time
- Bad practice and should not be performed
Destroying Keys
- Process of destroying keys that have become invalid
Risk Management
- The process of identifying, reducing, and controlling risks to an acceptable level
- Includes:
  - Risk Analysis
  - Evaluation of Safeguards
  - Cost Benefit Analysis
  - Implementation of Safeguards
Risk Analysis
- Process to identify threats, vulnerabilities, and impacts
- Determine relative risk for each threat against each asset
- a.k.a. Risk Assessment
- Risk formula: Risk = Threat x Vulnerability x Asset Value, with each factor given a numerical rating (e.g., on a scale of 1 to 5, where 5 is a severe value)
National Security Agency (NSA)
- Responsible for creating codes, breaking codes, and coding systems for the U.S. government
National Institute of Standards and Technology (NIST)
- Involved in developing and supporting standards for the U.S. government
Federal Information Processing Standard (FIPS)
- Issued by NIST
- Set of guidelines for United States federal government information systems
- FIPS publications are developed when NIST feels that no existing standards adequately address an area of technology that is useful to the government
Internet Engineering Task Force (IETF)
- International community of IT professionals (network engineers, vendors, researchers, etc.) - Mainly interested in improving the internet
Request for Comments (RFC)
- Process used to propose a technical standard
Institute of Electrical and Electronics Engineers (IEEE)
- International organization focused on technology and related standards - Involved in development of PKC, wireless, and networking protocols
International Telecommunications Union (ITU)
- Develops telecommunications and radio communications standards worldwide
Transitive Access
A service that invokes another service to satisfy an initial request
Address Resolution Protocol (ARP)
- Resolves IP to MAC address
- ARP Poisoning:
  - Only works on the local segment
  - Forges replies to update the ARP cache
  - Packets are redirected to the wrong system, then forwarded
Social Engineering
- Exploits human nature by convincing someone to reveal information or perform an activity
Wireless Vulnerabilities
Most common threat comes from eavesdropping.
- War Driving (tools: NetStumbler, Kismet, AirSnort, FlyingSquirrel)
War Driving
Hackers drive past businesses and residential areas looking for open wireless access points
War Chalking
Drawing symbols in public places to advertise an open Wi-Fi wireless network.
Rogue Access Point
A wireless point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a cracker to conduct a man-in-the-middle attack.
Bluebugging
Manipulates a target phone into compromising its security, creates a backdoor attack before returning control of the phone to its owner
Bluejacking
- Sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptops.
Bluesnarfing
- Theft of information from a wireless device through a Bluetooth connection
Interference
- Degradation in range or throughput of your wireless device by something else in the footprint
- Caused by:
  - Microwave ovens
  - Electrical sources such as power lines
  - 2.4 GHz or 5 GHz phones
  - A hacker
  - Other devices operating in the 2.4/5 GHz range
  - Certain building materials
  - Bleed-over from other channels
Evil Twin
Configuring a laptop as an access point in a public environment
- Usually set up near free hotspots
- Configured to pass data through to the legitimate access point while monitoring the traffic of the victim
- Attacker can eavesdrop, possibly collect usernames and passwords, etc.
IV Attacks
- Randomization is crucial for encryption schemes to achieve security
- Weakness in the IV process can lead to certain algorithms being more susceptible to attacks
- Main weakness in WEP
Packet Sniffing
- Captures all of the data that passes through a given network interface
- Possible to capture both wireless and wired packets
- Can capture and read plaintext data
Tools: Wireshark, tcpdump, ettercap, Cain and Abel, Snoop, NetStumbler, Kismet
Identification
- Process of identifying an entity for authentication
- User identification guidelines:
  - Uniqueness
  - Non-descriptive
  - Issuance secure
- Most common forms: User Name, User ID, Account number
Authentication
- Reconciliation of a user's identity
- Accomplished by challenging the claim about who is accessing the resource
- Authentication systems are based on one or more of these three factors:
  - Something you know
  - Something you have
  - Something you are
Type 1 - Something you know
- PINs or passwords
- Secure passwords:
  - Minimum length 8 characters
  - Complex
- Self-service password resets
- One-time passwords
Type 2 - Something you have
- ATM card - Smart card - CAC/Fortezza card - Digital Certificates or Tokens
Authentication Tokens
- Passive or Stored Value:
  - Storage devices that store some type of key
  - Typically they will use a magnetic strip or an optical bar code
- Active:
  - Contains a processor that computes a one-time password
Static Password Token
- Owner authenticates to the token by entering a PIN, password, or a biometric scan
- Token then gives the user a complex password that is used to log onto the system
- Least secure and not considered a one-time password
Synchronous Dynamic Token
- User enters a valid password with a PIN to authenticate
- Considered a one-time password
- Two types:
  - Time-based: synced with internal clock
  - Counter-based: authentication service will advance to the next value
Asynchronous Dynamic Token
- a.k.a. Challenge Response Token
- Considered a one-time password
Process:
1. User initiates logon and the system issues a challenge
2. User enters the challenge answer with a personal PIN
3. Token generates a response that the user enters into the system
4. Match allows the user access to the system
Type 3 - Something you are
- Authentication based on something intrinsic to the principal
- Cannot be lent or stolen
- Offers non-repudiation
- Issues to consider:
  - Performance
  - Difficulty
  - Reliability
  - Acceptance
  - Cost
Mutual Authentication
Both parties authenticate with each other before communicating
Certificate-Based Authentication
- More secure than password-based authentication
- Can significantly reduce logon time for users
- A certificate is mapped to a user account in one of two ways:
  - One-to-one mapping
  - Many-to-one mapping
Authentication Protocols
- Password Authentication Protocol (PAP) - Challenge Handshake Authentication Protocol (CHAP) - Extensible Authentication Protocol (EAP)
Password Authentication Protocol (PAP)
- Weakest form of authentication
- Username and password are sent 'in the clear'
- Maintained primarily for interfacing with legacy systems
Remote Authentication Dial-In User Service (Radius)
- Centralized system for authentication, authorization, and accounting (AAA)
- Supports PAP, CHAP, and EAP
- Authentication and authorization combined
- Uses UDP port 1812 for authentication
- Uses UDP port 1813 for accounting
RADIUS authenticates remote users, authorizes their access, and enables remote access servers to communicate with a central server. In RADIUS, the authentication and authorization checking are bundled together. When the client requests authentication from the server, the server replies with the authentication attributes as well as the authorization attributes. These functions cannot be performed separately. The IANA-assigned ports for RADIUS are 1812 and 1813. Ports 1645 and 1646 are still used for backwards compatibility.
RADIUS Client
- Typically a network access server such as a dial-up server, VPN server, or wireless AP
RADIUS Server
- Stores all user authentication and network service access information
- Ability to implement auditing and accounting
Diameter
- AAA protocol suite designed to handle broadband and other connections
- Supports end-to-end encryption through IPSec, TLS, or both
- Message tampering can be detected
- Mutual authentication
- Challenge/Response user authentication
- Uses TCP port 3868
Terminal Access Controller Access Control System (TACACS+)
- Alternative to RADIUS
- AAA performed separately
- Supports PAP, CHAP, and EAP
- Allows use of multi-factor authentication
- Allows a RAS to forward user credentials to an authentication server
- Uses TCP port 49
TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
Explicit Deny
- Specifically deny a subject access
Implicit Deny
By not specifically allowing access, you have denied access
Least Privilege
Users have only the permissions they need to do their work
Mandatory Vacations
- Prevent employees from "burning out"
- Fraud detection
Separation of Duties
Prevents fraud by requiring more than one person to complete a critical process
Job Rotation
Rotating critical jobs in an organization
- Redundancy in skill sets for employees
- Prevents one person from having too much control
- Helps detect malicious activities that employees may be conducting
IPv4 Addressing
- Made up of a 32-bit address or four-octet address - Referred to as dotted decimal representation of a binary number
IPv4 Class A
1.0.0.0 - 126.255.255.255
IPv4 Class B
128.0.0.0 - 191.255.255.255
IPv4 Class C
192.0.0.0 - 223.255.255.255
IPv4 Class D
224.0.0.0 - 239.255.255.255
IPv4 Class E
240.0.0.0 - 255.255.255.255
Class 127.x.x.x
Loopback Address
IPv4 Subnetting
- Used to divide large groups of hosts into smaller collections
- Allows an IP address to be split within 32 bits
- Controls traffic
- Traffic between subnets can be monitored and restricted at the routers
Advantages of Subnetting
- Decreased network traffic: broadcasts limited to individual subnets
- Improved troubleshooting: faster to trace a problem on a subnet
- Improved utilization of addresses: no wasted IPs
- Flexibility: customization of number of hosts on a subnet
Classless Inter-Domain Routing (CIDR)
- CIDR is based on variable-length subnet masking (VLSM) to allow allocation on arbitrary-length prefixes
- An IP address is composed of two parts:
  - A network-identifying prefix
  - A host identifier
- Bitwise ANDing (logical ANDing) is the function performed to get the network address from the IP address, by logically ANDing the subnet mask against the IP address
IPv4 Private Network Addressing
- Used for networks not connecting directly to the Internet
- Internet Assigned Numbers Authority (IANA) set aside addresses for intranets:
  - Class A: 10.0.0.0 - 10.255.255.255
  - Class B: 172.16.0.0 - 172.31.255.255
  - Class C: 192.168.0.0 - 192.168.255.255
IPv6
- Allows for growth of addresses: 79 octillion addresses
- 128 bits total: 8 sets of 4 hexadecimal digits
- Example: 3FFE:0B00:0800:0002:0000:0000:0000:000C, compressed as 3FFE:B00:800:2::C
IPv6 Loopback address
0000:0000:0000:0000:0000:0000:0000:0001
AppleTalk
- Proprietary suite of protocols developed by Apple for networking computers
- Local protocol, not accessible through the internet
- Now unsupported with the release of Mac OS X v10.6
- Uses TCP/IP
Hub
- Allows hosts to communicate with each other through the use of physical ports
- Connects segments of a LAN
- Traffic is broadcast to all ports of the hub, so all segments of the LAN can see all packets
- No path determination
- Works at Layer 1
Bridge
- Connects network segments
- Analyzes the information from each Ethernet frame it receives to determine delivery
- Looks at the MAC address
- Works at Layer 2
Switch
- Connects multiple network segments
- Improves network efficiency
- Uses MAC addressing for delivery determination
- Works at Layer 2
Secure Router Configuration
- Establishing and documenting a router's configuration is the first step
- Perform the initial configuration from the console and store it securely
- Change defaults
- Synch the running config with the startup config
- Avoid using TFTP
- Save each configuration change and document all modifications
Flood Guards
- A network device, such as a firewall or router, that has the ability to prevent some flooding DoS attacks
- DoS attacks prevented could include:
  - Fraggle
  - Smurf
  - SYN
  - Authentication DoS attacks
Load Balancer
- Hardware/software, application/networking
- Used to implement failover
- In the event of server or application failure, load balancers facilitate automatic failover to ensure continuous availability
- Useful when dealing with redundant communications links
Server clustering
the use of virtual computing resources to enhance the scalability and eliminate the single points of failure that affect availability
Failover cluster
can create redundancy in the infrastructure to increase availability
Web Security Gateway
- Maximizes security by detecting, filtering and blocking web threats
- Inspects all content in transit while remaining transparent to users
- Detects malware (viruses, spyware, adware)
- Filters URL content
- Some offer data leakage protection (DLP)
- Examples: Websense, Bluecoat
Bastion hosts
any hardened system located in the DMZ
Intranet
Internal network including systems and workstations you do not want anyone outside of your network to directly connect to
Extranet
segment of your network set aside for trusted partners, organizations
Internet
unsecured security zone
VPN Concentrator
- A single device that handles a large number of VPN tunnels
- Primarily used for remote access VPNs
- Usually two flavors: SSL or IPSec
- Examples: Cisco, Netgear, Juniper
Cloud Computing
- Software, data access, and storage services that do not require user knowledge of the location and configuration of the system delivering services
- Computing is "in the cloud" (internet)
- Three layers:
  - Software as a Service (application)
  - Platform as a Service (platform)
  - Infrastructure as a Service (infrastructure)
Software as a Service
- software as a service over the Internet - eliminates the need to install/run applications on customer's computers
Platform as a Service
- Facilitates deployment of applications, reducing cost and complexity
Infrastructure as a Service
- Typically a platform virtualization environment
- Clients purchase resources/services (servers, software, certain network devices, data center space)
Passive IDS
- Looks for security breaches, but effectively takes no action
- Logs suspicious activity
- Generates alerts if the attack is deemed to be severe
- The network analyst interprets the degree of the threat and responds accordingly
Active IDS
- Can be configured to take specific actions - Can automate responses including dynamic policy adjustment and reconfiguration of supporting network devices
Signature-based IDS Method
- Signature-based a.k.a. Misuse-Detection (MD-IDS), Knowledge-based, and Rule-based
- Evaluates attacks based on a database of signatures written by the vendor
Anomaly-based (Heuristic)
- a.k.a. Behavior-based or Statistical-based - Looks for unexpected events - Must learn what activities are normal and acceptable
IDS Issues
- False Positives: IDS reports legitimate activity as an intrusion - False Negatives: IDS fails to detect malicious network activity - Caused by: new attacks not yet identified by the vendor, poorly written signatures, outdated signature files
Intrusion Prevention Systems (IPS)
- Monitors network traffic for malicious activity and can block, reject, or redirect traffic in real time - Focuses on prevention as opposed to detection - Encrypted traffic is not inspected
Network Address Translation (NAT)
- Translates a private address into a public address - Hides devices in a private network - Allows sharing of a single public IP address or a pool of public IP addresses - Types: Dynamic NAT, Static NAT
Network Access Control (NAC)
- Evaluates system security status before connecting to the network - Anti-virus status - System update level - Configuration settings - Software firewall enabled
Tel
...
Telecom/PBX
- Private Branch Exchange (PBX) - Allows users to connect voice, data, pagers, networks - Subject to issues similar to those associated with network components - Phreaker - Network Design and Components
VoIP
- VoIP services convert your voice into a digital signal that travels over the Internet - Voice Firewall - VoIP converts the voice signal from your telephone into a digital signal that can travel over the Internet. If you are calling a regular telephone number, the signal is then converted back at the other end.
Inbound Firewall rule
Explicitly allow, or explicitly block, inbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly allow traffic secured by IPsec.
Outbound Firewall rule
Explicitly allow, or explicitly block, network traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers.
Stateful Inspection Firewall
- Tracks each TCP connection in a state table - May examine the header information and/or the contents of the packet - Filtering is based on rules and on context that has been established by prior packets - Works at Layers 3 and 4 - a.k.a. Stateful packet filtering - Maintains a state table. It looks at its state table to see if the connection has already been made. If there is no previous connection, it looks at its ACL; otherwise it allows it. - Once a connection has been allowed, stateful inspection continues to evaluate network packets to ensure that each packet is valid within the context of the connection - Stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid - It also monitors the state of the connection and compiles the information in a state table
Application Level Gateway
- Acts as an Application Proxy - Traffic is evaluated by user, group policies, and content/protocol/application - Slowest form of firewall - Works at Layer 7
Circuit Level Proxy
- monitors traffic between trusted and un-trusted hosts via virtual circuits or sessions - Filtering is based on sessions rather than contents of packets - Works at Layer 5 - Evaluates the connections; doesn't deal with the contents of the packet
SOCKS
- network protocol designed to allow clients to communicate with Internet servers through a firewall - proxy configuration option in popular Web browsers and instant messaging programs
Fiber Optics
- Expensive, used for backbone - Cannot be tapped into easily - Max segment length = 2 km
Three major wireless standards
- 802.11: Wireless Local Area Network (WLAN) - 802.15: Wireless Personal Area Network (WPAN) - Bluetooth is an implementation of WPAN - 802.16: Wireless Metropolitan Area Network (WMAN)
IEEE 802.11x
- Uses radio waves to transmit data - Other Methods: infrared, satellite - Wireless networking is not considered a form of remote access - Uses CSMA/CA
CSMA/CA
A station wishing to transmit has to first listen to the channel for a predetermined amount of time, so as to check for any activity on the channel. If the channel is sensed "idle", then the station is permitted to transmit. If the channel is sensed as "busy," the station has to defer its transmission.
802.11a
54 Mbps, 5 GHz, 50-100 ft
802.11b
11 Mbps, 2.4 GHz, 150-300 ft
802.11g
54 Mbps, 2.4 GHz, 150-300 ft
802.11n
600 Mbps, 2.4/5 GHz, 300-600 ft
Wi-Fi Protected Access (WPA)
- Created to address core issues with WEP - WPA implements most of IEEE 802.11i
Wi-Fi Protected Access 2 (WPA2)
- Implements the full IEEE 802.11i standard - Mandatory to be Wi-Fi certified - National Institute of Standards and Technology (NIST) FIPS 140-2 compliant - Uses AES encryption - Two versions: WPA2-Enterprise and WPA2-Personal
Wireless Application Protocol (WAP)
- Functions are equivalent to the TCP/IP suite - Uses Wireless Markup Language (WML), a smaller version of HTML - WAP-enabled devices can use WMLScript, which creates the opportunity for malware to be transported to WAP-enabled devices
WAP 1.x Stack
- Wireless Application Environment (WAE) - Wireless Session Protocol (WSP) - Wireless Transaction Protocol (WTP) - Wireless Transport Layer Security (WTLS) - Wireless Datagram Protocol (WDP)
Blind FTP
User cannot see names of files in the directory as they upload files to the server
Anonymous FTP
- Gains access by using the login "anonymous" and a password usually in the form of an email address - Has limited privileges, sufficient to allow you to transfer files to/from designated areas
FTPS
Session is encrypted, but not the data
SFTP
No security
Secure Copy Protocol (SCP)
- means of securely transferring files using the Secure Shell (SSH) protocol - Part of the SSH suite (ssh, scp, sftp, slogin) - program to perform secure copying - uses port 22 - used on Unix/Linux (scp) or Windows (WinSCP) - unlike rcp or FTP, scp encrypts both the file and any passwords exchanged
DNS Poisoning
- Incorrect DNS data that is introduced into a primary DNS server - Redirects traffic to incorrect sites
Domain Name Kiting
- Process of registering for a domain name, using that registered name for a 5-day grace period, and at the end of the 5 days, not paying - A newly registered domain name can be deleted or dropped with a full refund of the registration fee during the initial five-day window. DNS kiting refers to the practice of taking advantage of this five-day grace period to monopolize domain names without ever paying for them.
Remote Desktop Protocol (RDP)
- Allows a user to control a networked computer - software referred to as either: Remote Desktop Connection (RDC) or Terminal Services Client (TSC) - Port should always be blocked by the firewall rule for inbound traffic - Server listens by default on TCP port 3389
Virtualization Technology
- Multiple instances of operating systems on one machine - Virtualized environments are used to help secure networks - controlled by Hypervisor - Examples: VMware, Virtual PC
Fuzzing
- used to test for security problems in software or computer systems - used in large software development projects that employ black-box testing - considered an assurance of overall quality rather than a bug-finding tool - often finds odd oversights and defects which human testers would fail to find
Exception handling
Mechanism designed to handle the occurrence of exceptions that change the normal flow of program execution.
Error handling
Refers to the anticipation, detection, and resolution of programming, application, and communications errors.
Configuration Baselines (CB)
- Establishes the mandatory settings that systems must have in place to be accepted for use on the network - May also mark an approved security configuration item, e.g. a security template, that has been signed off for execution
Security Baselines
The process of baselining involves both the configuration of the IT environment to conform to consistent standard levels, such as password security and the disabling of non-essential services, combined with the identification of what constitutes typical behavior on a network or computer system.
Privacy Policy
- Organization must clearly state what information can and can't be disclosed - State who is entitled to ask for information within the organization - covers what types of information are provided to employees - policy should clearly state to employees that they should have no expectations of privacy
Acceptable Use Policy
- deals primarily with computers and information provided by the company - should clearly stipulate what activities are allowed and not allowed - must be enforced - areas covered: Web access, telephone usage, information usage, system usage
Acceptable Use Policy (AUP)
A set of rules applied by the owner/manager of a network, website, or large computer system that restrict the ways in which the network, site, or system may be used.
Qualitative Analysis
- Uses scenarios to identify risks and responses - Does not produce hard numbers
Quantitative Analysis
- Assigns "real" numbers to the costs of damages and countermeasures - Assigns concrete probability percentages to risk occurrence
Evidence Life Cycle
- Ensures data integrity - Stages: 1. Identification, 2. Preservation, 3. Transportation, 4. Presentation in court, 5. Return to owner, destroy, or permanently archive
Basic Forensic Procedures
- Order of volatility: should proceed from the most volatile to the least - Example: 1. Registers, cache 2. Routing table, memory 3. Temporary file system 4. Disks or other storage media 5. Remote logging and monitoring data
Capturing a system image
- Data acquisition: taking possession of or obtaining data and adding it to evidence - Data duplication: making a copy of acquired data to preserve the original - It is crucial that data is not lost during the acquisition process - Once acquired and duplicated, forensic work is done on the copies
Common methods for acquiring data from a system
1. Bit-stream disk to image file - most common; images the original disk to another disk - can create numerous copies 2. Bit-stream disk to disk copy - streaming programs that copy data from one disk to another 3. Sparse data copy - only data pertinent to the case is copied
Class A Fire
Common combustibles / water or foam
Class B Fire
Liquids/CO2, Halon, foam, or dry powder
Class C Fire
Electrical/CO2, Halon, or dry powder
Class D Fire
Metal/Dry powder
HVAC
Temperature: - Between 60 and 75 degrees Fahrenheit - Possible heat damage (> 75 degrees) Humidity: - Between 40% and 60% - Electrostatic damage (< 40%) - Condensation/corrosion (> 60%)
Full Backup
Backup Characteristics: - May require large tapes for each backup - May take a long time to perform each backup Restore Characteristics: - Restore only the last backup - Takes the longest to make the backup, but is the fastest method to make a complete restore
Incremental
Backs up all files on which the archive bit is set to 1. Backs up all newly created or modified files since last full or incremental backup (Archive Bit Reset)
Differential
Backs up files on which the archive bit is set to 1. Backs up all newly created or modified files since the last full backup (No Archive Bit Reset)
Copy
Backs up all files regardless of the archive bit status (No Archive Bit Reset)
Full + Incremental
Backup Characteristics: - Fastest backup method Restore Characteristics: - Restore the last full backup, then every subsequent incremental backup - Provides a good balance between backup and restore time
Full + Differential
Backup Characteristics: - Takes progressively longer to complete, as time elapses since the last full backup Restore Characteristics: - Restore the last full backup, then the last differential backup - Next to a full backup, this is the fastest restore method
Recovery Point Objective (RPO)
- acceptable amount of data loss measured in time - what an organization determines is an "acceptable loss" in a disaster situation
Redundancy
- Systems that are either duplicated or that fail over to other systems in the event of malfunction - Fail-over: process of reconstructing a system or switching to other systems when a failure is detected - Allows services to continue uninterrupted until the primary can be restored
High availability
- The process of keeping services and systems operational during an outage - Goal: five nines availability (99.999%, 5.36 minutes of downtime per year)
Hot Site
- A fully configured and functional facility - Available within hours - Necessary when an organization cannot tolerate any downtime - Requires constant maintenance - Expensive to maintain A hot site is a fully configured facility with power, A/C, phone lines, chairs, and fully functional servers and clients that are up to date, mirroring the production system.
Warm Site
- Facility with power, A/C, and partially configured systems - Available within a couple of days - Adequate when an organization's Maximum Tolerable Downtime (MTD) or Recovery Time Objective (RTO) is a short time period - Less expensive than a hot site - Lower administrative and maintenance resources consumed A warm site provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations.
Cold Site
- Basic facility with wiring, ventilation, plumbing, and flooring - No hardware infrastructure - Not immediately available - Relatively low cost - Useful if there is some forewarning of a potential problem A cold site is useful if there is some forewarning of a potential problem, e.g. a potential storm, where the facility would not need to be up and running for a day or two, such as a regional office. Cold sites work well when an extended outage is anticipated. The major challenge is that the customer must provide all the capabilities and do all the work to get back into operation.
Service Level Agreement (SLA)
- An agreement between you or your company and a service provider, typically a technical support provider - Can include guarantees for: Mean Time Between Failures (MTBF), Mean Time To Repair (MTTR), system utilization rates, system up-times, volume of transactions