Thursday, December 31, 2009

Protocol Analyzers

When studying the CompTIA Security+ exam (SY0-201) you'll come accross the following objective related to protocol analyzers:
2.3 Determine the appropriate use of network security tools to facilitate network security.

A protocol analyzer can be used to capture data packets as they travel across the network if the data is sent "in the clear" or unencrypted.

One of the early protocol analyzers was called Sniffer Network Analyzer and it became so popular protocol analyzers in general are commonly called "sniffers." Wireshark is a popular protocol analyzer that you can download for free today.

Because protocol analyzers are so readily available to attackers, network administrators need to carefully consider allowing any sensitve data (such as passwords) from being sent across the network in clear text.

Protocol analyzers can also be used by administrators to analyze traffic on the network. As an example, a protocol analyzer can detect malformed packets or other types of network attacks.

Good luck with your studies.

Darril Gibson

Wednesday, December 30, 2009

Security One of the Hottest Skills for 2010

Computerworld recently published a list of the six hottest skills for 2010.  Number 5 is Security.

An understanding of basic security issues is becoming mandatory across a wide range of jobs from programmers, networking professionals, IT managers, and project management professionals.  Companies want employees with basic cyber security skills.

Tom Silver, senior vice president for North America at Dice Holdings Inc., which operates and other careers Web sites was quoted as saying: "If you know how to help keep your company's information secure, there will be a home for you forever." "Security" he says. "is an evergreen skill."

Darril Gibson
Security+ Tip of day Tweets

Sunday, December 27, 2009

Environmental Controls Practice Question

When preparing for the Security+ exam, you'll come across this objective: "Explain the importance of environmental controls" including Shielding.  Here's a practice question
What is the purpose of a Faraday cage? (Choose all that apply.)

  A. To mitigate data emanation
  B. To detect attacks on host
  C. To detect network attacks
  D. To prevent interference

Answer below.

Over 375 practice test questions in this book:

Answer: A, D.
A Faraday cage is designed to mitigate data emanation and also prevents EMI/RFI from entering the enclosures. Network intrusion detection systems (NIDS) would be used to detect network attacks, and host-based intrusion detection systems (HIDS) would be used to detect attacks on a host.

Saturday, December 26, 2009

Faraday Cage

When preparing for the Security+ exam, you'll come across this objective:  "Explain the importance of environmental controls" including Shielding. 

Shielding is used to protect data from emanating out so that it can be intercepted, or prevent interference from getting in and corrupting data transmissions.  A Faraday cage can be used to prevent emissions and interference.

A Faraday cage prevents signals from emanating outside a room. It uses electrical features that cause RF signals that reach the boundary of the room to be reflected back. It can also also provide shielding to prevent outside interference such as electromagnetic interference (EMI) and radio frequency interference (RFI) from entering the room.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Friday, December 25, 2009

Does Security+ Certification Expire?

CompTIA certifications are granted for life.  In other words, they never expire.  This is different than some other certifications which do expire (such as the CISSP certification). Part of the reason for this is that the CompTIA certifications are often considered to be a stepping stone to other certifications. 

However, even though the certifications don't expire, the knowledge becomes less relevant.  As an example, my transcript shows that I became certified in A+ in 1999. If I never took A+ again, I could continue to say I'm A+ certified.

Similarly, my Security+ certification (from the 2000 objectives) was relevant when I was teaching Security+ using the 2000 objectives.  However, when I began teaching the 2008 objectives, I took and passed the Security+ exam with the 2008 objectives. I didn't have to, but it helped me understand how to interpret the new objectives.

Some companies are encouraging employees to upgrade Security+ by taking the new exam, but this is an employer requirement, not CompTIA.  To make this path easier for test takers, CompTIA has created a bridge exam (BR0-001) that can be taken if you're Security+ certified using the older exam (SY0-101) based on the 2000 objectives. In other words, you can take the BR0-001 bridge exam instead of the SY0-201 exam.  The BR0-001 exam is only 50 questions (instead of 100 for SY0-201) and a passing score of only 560 is required to pass (instead of 750 for SY0-201).

In summary, if you earn the CompTIA Security+ certification, it is good for life.  You can update your certification by taking a newer exam with updated objectives, but this is not required by CompTIA.

Darril Gibson

Edited January 2010
At least this is the way it used to be. CompTIA announced a change in their policy in January 2010.  These two blogs talk about some of the changes.
CompTIA Certification Renewal Policy
Will Your Security+ Certification Expire?

Darril Gibson

Thursday, December 24, 2009

Symmetric vs Asymmetric

Cryptography covers 15 percent of the CompTIA Security+ (Exam SY0-201) objectives, and cryptographic algorithms are important to understand.

Algorithms are primarily characterized as either symmetric or asymmetric.  In short, symmetric encryption uses a single key to encrypt and decrypt. Asymmetric uses two keys.

Symmetric encryption:
  • Is about 1000 times faster than asymmetric encryption.
  • Uses the same key to encrypt as it does to decrypt.  For example, if the key 123 is used to encrypt data using the Advanced Encryption Standard (AES), then the same key of 123 is used to decrypt the data. (Encryption keys are actually much more complex than just a simple number like 123.)
  • The key is commonly called a session key, a shared key, a preshared key, or a shared secret.
  • The most popular encryption algorithm is AES which faster and more efficient than other encryption algorithms (such as DES and 3DES).
Asymmetric encryption:
  • Is extremely slow compared to symmetric encryption so only used to encrypt/decrypt a very small amount of data.
  • Is primarily used to privately share a symmetric key over a public network (such as the Internet).  Once the key is exchanged using asymmetric encryption, symmetric encryption is used to encrypt session data.
  • Uses two keys know as a public key and a private key (or public/private key pair).  The public key is freely shared but the private key is kept private for a single entity (such as a single server). 
  • Requires a public key infrastructure (PKI) to publish certificates. Public keys are published in a certificate and the certificate is freely shared to others.
  • If a public key encrypts data, only the private key can decrypt it. 
  • If a private key encrypts data, only the public key can decrypt it.
Other blogs on cryptography you might like:
And of course, this book CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide has a full chapter on the relevant cryptography concepts needed to pass the Security+ exam the first time.

 Good luck with your studies.

Darril Gibson

Monday, December 21, 2009

Cryptography practice

What would a CA do if a private key is considered compromised

  A. Cancel the certificate
  B. Publish the certificate
  C. Revoke the certificate
  D. Reissue the certificate

Answer below.

Over 375 practice test questions in this book:

Answer: C

If a private key is compromised the key is revoked by revoking the certificate that holds the matching public key. Revoked keys are published on the certificate revocation list (CRL). Certificates can’t be cancelled. The certificate is already published. It’s not appropriate to reissue a certificate with a compromised private key.

Sunday, December 20, 2009

What's in a CRL?

When studying for the Security+ exam, you may run across the following objective:

“Explain core concepts of public key cryptography.” This objective includes a listing of several related topics including Certification Revocation List (CRL)

This blog on SSL, OCSP and CRLs   talked about the relationship of SSL, OCSP and CRLs, but you may be wondering what a CRL actually is. In short, a CRL is a certificate that holds the serial numbers of revoked certificates.

As a little background, a certificate holds a public key but it holds a lot more. You can view one in Internet Explorer by clicking Tools, Internet Options, Content, Certificates, Trusted Root Certification Authority, selecting a certificate and clicking View. Click the Details tab and you can see all the contents.
The following figure shows the details on a Verisign root certificate. The public key is selected and the public key is shown in the bottom pane.  But notice also that the the first field showing is the serial number.  The serial number is used to uniquely identify a certificate. Select serial number and you can see the serial number (which is important for this conversation). Select the Public Key and you can view the actual Public Key.

This public key is part of a matched public/private key pair. When data is encrypted with the public key it can only be decrypted by the private key (which is commonly done with SSL).  When data is encrypted with the private key, it can only be decrypted with the public key (which is commonly done with digital signatures).

If the private key ever becomes compromized, the certificate needs to be revoked so that it is no longer used. How can the certficate be untiquely identified?  With the serial number.  A certificate authority (CA) issues the certificate and if the matching private key for the certificate becomes compromized, the certificate is published on a Certificate Revocation List (CRL pronounced as crill).

CA's commonly publish the CRL as a version 2 certificate as shown in the following figure.  This CRL has only one certificate, but it's much more common for a CRL to have multiple revoked certificates.

Hope this helps you with your studies.

Darril Gibson

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide
includes a full chapter on cryptography.
Over 375 practice test questions to help you pass Security+ the first time.

Tuesday, December 15, 2009

Identity proofing

When studying for the SY0-201 Security+ exam, you'll see this objective: "Explain the difference between identification and authentication."  This directly relates to identity proofing. 

Identity proofing is done during the identification process prior to issuing credentials. An account within a network isn't just given to anyone that asks for one, but instead a user must provide some type of identification first.  Within a company, identification is provided by the individual when they are hired.  The HR department may then introduce the new hire and ask for an account to be created.  

A second use of identity proofing is performed after credentials have been issued. For example, online banks often ask for more information on a user (such as street they grew up on, first pet's name, middle name of oldest sibling, and so on.) Later, if the user is doing online banking from a different compuer than they normally use, the Web site may recognize this and challenge the user to provide more than just their user name and password. 

Good luck with your studies.

Darril Gibson
Author CompTIA Security+: Get Certified Get Ahead

Not off the grid

I haven't been able to post or blog much recently so thought I'd mention why. Nothing's wrong, I'm just overwhelmed with two large writing projects. I hope to have some breathing room next year (which is only a couple of weeks away). I'm playing hookie for an hour or so now, but will be jumping back in soon.

CompTIA Security+: Get Certified Get Ahead is still selling (most notably on Amazon) and I've been receiving some very kind emails from readers who've used it and passed.

Good luck with your studies.

Darril Gibson

Monday, November 30, 2009


When preparing for the CompTIA Security+ (SY0-201) exam, you will run across the term RADIUS and you should understand what a RADIUS server provides.

The Remote Authentication  Dial-In User Service (RADIUS) is used to centrally authenticate users when remote access or network access is used.

Assume a large company has employees that regularly go on the road selling, consulting, teaching, or other reasons. However, they need access to the back end network. RADIUS provides authentication when the employees dial-in.

The company could have offices spread across the country and users are encouraged to dial-in to the closest office. For example, when they're in California, they should dial-in to a server in California. When in Florida, they should dial-in to a server in Florida. Each server could hold authentication details for each employee in a local database. However, if this is done, when an employee is added or removed from a database on one server, the database must be updated on every server in every region. This becomes too much work.

Instead, a RADIUS server is used for central authentication. All remote access servers send their authentication requests to the RADIUS server. In this way, only one authentication database (on the RADIUS server) needs to be maintained.

TACACS+ is a Cisco alternative to RADIUS. TACACS+ provides two significant benefits.
  • It is more secure than RADIUS since it encrypts the entire authentication process
    (RADIUS only encrypts the password)
  • It interacts with Kerberos allowing it to work with Microsoft networks.
Both RADIUS and TACACS+ are widely in use today.

Good luck with your studies.

Darril Gibson

Wednesday, November 25, 2009

Practice Question Email Sender

You want to ensure that a user that sent an email cannot later claim that he did not send it. What should be used?

A. Confidentiality
B. Integrity
C. Non-repudiation
D. Access control

Answer below.

Over 375 practice test questions in this book:

Answer: C. Non-repudiation can be used to prevent someone from later denying an action. Non-repudiation is commonly enforced with digital signatures. Confidentiality is used to prevent the unauthorized disclosure of information, often by encrypting the data. Integrity is used to verify that data has not been modified and is enforced with hashing or message authentication codes. Access control is one of many methods used to grant access to entities to resources after they have been authenticated.

Monday, November 23, 2009

Practice Question Implicit Deny

Which one of the following describes the principle of implicit deny?

  A. Denying all traffic between networks
  B. Denying all traffic unless it is specifically granted access.
  C. Granting all traffic to network unless it is explicitly granted.
  D. Granting all traffic unless it is explicitly denied.

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: B. Implicit deny indicates that unless something (such as traffic on a network) is explicitly allowed, it is denied. It isn’t used to deny all traffic, but instead used to deny all traffic that isn’t explicitly granted or allowed.

Saturday, November 21, 2009

SY0-201 Practice Exam Question

What would be used to control the traffic that is allowed into our out of a network?

  A. Hub
  B. ARP
  C. ACL
  D. ALE

Answer below.

Over 375 practice test questions in this book:

Answer: C. An access control list (ACL) is implemented to control inbound and outbound traffic on a network segment. A hub has no intelligence and will pass all traffic to all ports. Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses in a subnet. Annual Loss Expectancy (ALE) is used to identify how much money is expected to be lost in a quantitative analysis.

Thursday, November 19, 2009


When preparing for the CompTIA Security+ (SY0-201) exam, you should understand some basics about redundancy from redundant disks all the way to redundant sites.

Some key points to remember are:

  • RAID-0 does not provide any fault tolerance.
  • RAID-1 is also known as a mirror and includes two disks.
  • RAID-5 is also known as striping with parity and includes three or more disks with the equivalent of one drive dedicated to parity.
  • Hardware RAID solutions are more efficient than software RAID but generally cost more to implement.
  • Failover clusters can be used to provide redundancy for servers.
  • Redundant WAN links (such as T1 or partial T1 lines) can be used to provide redundant connections. A second ISP can be contracted to provide redundant connections to the Internet.
  • A hot site includes the equipment, software, and communications capabilities of the primary site with all the data up-to-date.
  • A hot site can take over for a failed primary site within minutes. It is the most effective disaster recovery solution for an alternate site, but it is also the most expensive to maintain.
  • A cold site includes only the very basic utilities and is the hardest to test.
  • A warm site is a compromise between a hot site and a cold site.
Good luck in your studies,

Darril Gibson

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Saturday, November 14, 2009


When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as phishing.

Phishing is the practice of sending unwanted email to users with the purpose of tricking them into revealing personal information (such as user account or bank account information) or clicking on a link.

As an example, I have an email account with and I often receive different phishing email’s from accounts that state they’re from (but they aren't). These follow a similar format of many phishing emails.
  • They state some fictitious problem. Some state they’ve noticed suspicious activity on my account, others state that my account has been discovered to be accessed from different computers, others state that they are upgrading security, and some just say they're upgrading their database.
  • They request personal information such as username, password, PIN, SSN and/or my date of birth.  This is supposed to be to be verify my account, but instead the purpose is access my account with an ultimate goal of stealing my identity.
  • They include a threat such as disabling my account if I don’t reply. Phishing emails often say this is to protect my privacy, but it’s really a “call to action.” They are trying to create some sense of urgency.
Most (if not all today) organizations will never follow this type of a format to request your personal information.  However, the emails are often pretty sophisticated.  They use images from the actual company and often look official.  If you think there may be a chance it's real, check out the message header. 

The following image shows the message options from one of these phishing messages in Microsoft Outlook.  You can access this page by right-clicking the message and selecting Message Options. 

While the From address may sometimes look official and at least have the address of the company (such as, the Reply-To address is the real destination.  When the From and Reply-To addresses are different with different domain names ( instead of, it's a real give away.  Don't trust it.

Links within email can also lead unsuspecting users to install malware.
Other common social engineering tactics are:

Good luck with your studies.
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Thursday, November 12, 2009

Dumpster Diving

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as dumpster diving.

Dumpster diving is exactly what it sounds like: searching through trash to gain information from discarded documents. Discarded papers can have written notes or important documents. On a personal basis this includes preapproved credit applications or blank checks given by credit card companies.

Documentation with any type of Personally Identifiable Information (PII) should be shredded or burned.

Other social engineering tactics you should know about are:

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Wednesday, November 11, 2009

Piggybacking or Tailgating

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as piggybacking or tailgating.

Piggybacking or tailgating occurs when one user follows closely behind another user without using valid credentials. Some organizations require access methods such as smart cards, or proximity cards to gain access to secure areas. Ideally, each person would use his access card and the door would close behind him. Often, what happens is that one person uses his card, and others follow behind without using their access card.

Piggybacking can be thwarted with the use of mantraps or security guards.

A mantrap can be as simple as a turnstile similar to what you’ve seen in subway stations or bus terminals. Only a single person can get through. Simple, but effective. Can you imagine two men trying to go through the same turnstile? Neither can I.

A turnstile that requires each person to provide credentials (such as swiping a smart card or proximity card) but will lock as soon as that person gets through. More sophisticated mantraps allow a person to walk through a revolving cage, and the cage can be locked after the person enters, but before the person is through. This effectively locks the person inside the mantrap.

Other social engineering tactics you should know about are:

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Tuesday, November 10, 2009


When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as impersonation.

Impersonation is a social engineering tactic where an attacker impersonates someone, such as a repair technician, to gain access to a secured area. A repair technician shows up at the door and says I’m here to work on the phones (or server, or routers, or whatever).

Once the attacker gains access, he can steal the hardware, install malware, or install other hardware such as a protocol analyzer connected to the network and broadcasting the captured packets via a wireless access point.

Identity verification methods can also be used to thwart impersonation attempts. In other words, employees should be trained to verify visitors are who they say are.

Other social engineering tactics you should be know about are:
  • Phishing
  • Piggybacking or tailgating
  • Dumpster diving
  • Shoulder surfing
Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Sunday, November 8, 2009

Social Engineering

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand social engineering.
Social engineering is the practice of individuals to use flattery, conning, impersonation, and other methods to encourage uneducated users into giving up information.

It bypasses the best technology protections which makes it important for all users to understand. It’s often just people talking to one another - either directly, or via the phone - without using technology at all. It can also be done via email using phishing tactics.

Common social engineering tactics are:

You should be aware of each of these tactics. Some you may already know but others you may not. If not, use your favorite Internet search engine to dig a little deeper.

Or, check back here for some more posts on social engineering topics.
Good luck with your studies.
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Thursday, November 5, 2009

Disk Redundancy using RAID

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across using RAID for disk redundancy.

RAID is short for redundant array of independent (or inexpensive) disks. Redundancy provides fault tolerance. In other words, if a fault occurs in one drive, your system can tolerate the fault and continue to operate. Several different RAID types are available. When studying for Security+, you should be aware of the following topics.

  • RAID-0 (also known as striping) does not provide any fault tolerance but increased performance.
  • RAID-1 (also known as mirroring) uses two disks and provides fault tolerance.
  • RAID-5 (also known as striping with parity) uses at least three disks and provides fault tolerance while also providing increased performance. The equivalent of one drive is dedicated to parity.
  • RAID-10 (also called 1+0) combines RAID 1 and RAID-0. A variant is 0+1. Both provide fault tolerance and increased performance for specific applications.
Both hardware and software RAID solutions are avaialble. Hardware RAID is more expensive provides significantly better performance than sofware RAID.

Good luck in your studies


Monday, November 2, 2009

DoS and DDoS Attacks

When studying for the CompTIA Security+ (SY0-201) exam, you should know the difference between DoS and DDoS attaacks.

Both a Denial of Service attacks.  The difference is that a Denial of Service (DoS) attack comes from a single attacker, while a Distributed Denial of Service attack comes from multiple attacks.

As an example, the SYN Flood attack is a DoS attack that attacks a single system by flooding it witth only two parts of the TCP three way handshake.  Normally, the TCP handshake is three packets. The client sends a SYN packet, the server replies with a SYN / ACK packet, and the client should reply with the ACK flag to complete the handshake. 

However, the client instead withholds the third packet and leaves the server hanging. If the client is able to do this enough times, the server's resources become consumed as it has perhaps hundres of unfinished sessions.  A SYN Flood attack can actually take servers down if not detected and stopped.

A DDoS attack often starts with malware taking control multiple computers.  These computers act as clones or zombies in a malware controlled botnet.  When the contoller sends the order, the zombies then launch a distributed attack.

Good luck with your studies.


Check out chapter 6 of this book (Predicting and Mitigating Threats) for more details on the different threats you may see covered on the Security+ exam, including over 375 practice questions.

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Sunday, November 1, 2009

SY0-201 Practice Exam Question Hashing

What is it called when the hash of two different files is the same?

A. Variation
B. Deviation
C. Collision
D. Conflict

Answer: C

Answer below.

A hash is simply a number that is created by performing a hashing algorithm on a file or a message. No matter how many times the hashing algorithm is calculated, it will always return the same number - unless the file or message has been modified.

When used in this context, a hash provides integrity. The hash is calculated at the source, and then again at the destination. If the hashes are different, the file or message has lost integrity.

However, what if someone could modify the message enough so that the new has is the same as the original hash. It would look like it has not lost integrity because the hashes are the same, but it has lost integrity. A secure hash (one of sufficient strength) cannot be recreated. In other words, someone should not be able to modify a file or message enough to reproduce the original hash.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

A hash collision occurs when two completely different files can produce the same hash when they are hashed using the same hashing algorithm. The other terms listed aren’t related to hashes.

Friday, October 30, 2009

Well-known ports

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover some of the well-known ports and why they’re relevant when studying Security+.

First, you should understand how ports are used. This blog entry gives an overview.

Ports from 0 to 1023 are known as well-known ports. There are assigned by IANA and can be viewed here:

However, you don’t need to know them all. First, let’s discuss why are they relevant.

When doing basic packet filtering, a firewall can filter based on IP addresses and ports. However, what if you want to allow HTTP traffic (regular Internet traffic)? You can’t create packet filter rule to allow HTTP traffic (at least not directly). Instead, you create a packet filter rule to allow port 80 (the well-known port for HTTP).

What if you want to allow SMTP traffic? You would allow traffic using port 25. What if you want to allow DNS traffic? You allow traffic using port 53.

Routers and firewalls typically use an implicit deny implementation. What this means is that all traffic is blocked (implicitly denied) unless it is explicitly allowed. In other words, the only traffic that is allowed is the traffic that has an associated rule allowing it. Allowed traffic is sometimes referred to as an exception.

How does all this apply to Security+? You may need to know how to block, or how to allow certain traffic identified either by the protocol or by the port. The only way you can answer these types of questions is by knowing the well-known ports.

Here are some:
  • FTP 20, 21
  • SSH 22
  • Telnet 23
  • SMTP 25
  • DNS 53
  • HTTP 80
  • Kerberos 88
  • POP3 110
  • NNTP 119
  • IMAP4 143
  • LDAP 389
  • HTTPS 443
  • LDAP/TLS or LDAP/SSL 636
You can find more information on ports including some sample questions in this book: CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Good luck in your studies.


Thursday, October 29, 2009

Understanding Ports

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover how ports are used by systems.

TCP/IP uses IP addresses (and MAC addresses) to get traffic from one host to another. However, when a packet arrives, how does the system know what service, process or protocol to send the packet to? The answer is the port.

Imagine that Sally is using Internet Explorer to do a search with DNS is used to resolve to an IP address and a packet is sent to the Google web site with Sally’s search data. The packet will have a source and destination IP address, and a source and destination port:

  • Source
    Port 1025
  • Destination
    Port 80
When the packet reaches the destination IP address (Google), it is examined to identify the destination port. The Google server sees the port is 80 and passes the packet to the service handling HTTP - the web server service. It knows to do this because port 80 is the well-known port for HTTP.  The web server service than creates a return packet with the data.

  • Destination
    Port 1025
  • Source
    Port 80
What isn’t apparent is that when the packet was created for Internet Explorer, the system designated a port (in this case 1025) for Internet Explorer. When the packet from Google reaches Sally’s computer, it has a destination port of 1025 so the packet is passed to Internet Explorer.

At another time, Sally’s computer may register port 1046 (or some other port beyond port 1023) to Internet Explorer. The point is that while well-known ports are constant, the return port isn’t constant.

Good luck in your studies.


Wednesday, October 28, 2009

Security+ and CISSP

While the CompTIA Security+ exam is a difficult exam, many people look at it as a stepping stone to other certifications. If you stay in the security arena, a next step may be the CISSP ISC2 certification, which is significantly more difficult than the CompTIA Security+.

Several weeks after taking the CISSP exam, I received notification of a successful pass. Woo Hoo!

One thing that was very apparent to me was the information I learned while studying the CompTIA Security+ objectives definitively helped me with the CISSP. The CISSP exam is a monster and will take a lot more time and effort to master than the Security+ certification. However, if you take the time to truly learn the material for the Security+ exam, you'll be a step closer to the CISSP.

As one of many examples, understanding public key cryptography helped with many questions on the CISSP exam. Chapter 9 of the CompTIA Security+ SY0-201: Get Certified, Get Ahead book includes all of the material you'll need for cryptography in Security+ and you won't need much more if you later pursue the CISSP.


Monday, October 26, 2009

Biometrics used in Authentication

When preparing for the CompTIA Security+ (SY0-201) exam, you'll come across objectives related to authentication, including the use of biometrics.

There are three factors of authentication:
  • Something you know (such as a password or PIN)
  • Something you have (such as a smart card)
  • Something you are (using biometrics)
Biometrics can be very exact when the technology is implemented accurately. However,it is possible to get false readings.  Two possible false readings are:

  • False acceptance. This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.
  • False rejection. This is when a biometric system incorrectly rejects an authorized user.
True readings occur when the biometric system indicates a match. Two possible readings are:

  • True acceptance. The biometric system accurately determines a positive match.
  • True rejection. The biometric system accurately determines a non-match.
Good luck with your studies.

Darril Gibson

Saturday, October 24, 2009

Digital Signatures

Cryptography covers 15 percent of the CompTIA Security+ (Exam SY0-201) objectives, and digtial signatures are one element you should understand.

A digital signature provides authentication, integrity and non-repudiation.  It requires a PKI infrastructure because public and private keys are used. A public and private key pair is two keys where one can encrypt data, and this data can only be decrypted by the other key.

Here's the process if Sally creates a messages and digitally signs it.
  • First, a hash is created of the message.  This is effectively just a number (though a large number) created by executing a hashing algorithm agains the message. The hash provides integrity.
  • The hash (not the message) is encrypted with Stally's private key.  Sally's private key is private and she is the only one that access to it.
  • Sally sends the message to Joe.  Joe has Sally's public key.  If Sally's public key can decrypt the hash, then it must have been encrypted with Sally's private key.  This provides both authentication and non-repudiation. 
  • The hash can be recomputed on Joe's computer.  If the hash is the same as the encrypted hash sent by Sally, message integrity has been maintained. If the hash was different, message integrity is lost.

Hope this helps.

Darril Gibson

Thursday, October 22, 2009

Use of Virtualization in Security

One of the CompTIA Security+ (Exam SY0-201) objectives is "Explain the purpose and application of virtualization technology." You may be wondering what this is about.

First, virtualization centers around virtualization desktop infrastructure (VDI) where a single physical computer can host multiple computer operating systems. Many virtualization technologies exist such as VMWare and Microsoft's Virtual PC (upgraded and renamed to Windows Virtual PC in Windows 7). I'm more familiar with Virtual PC (VPC) but the uses between brands are common. One great feature is that if something goes wrong with the virtual system, changes can be easily rolled back or undone.

As a simple example, I am running Windows 7 on my desktop PC and have a virtual mini-lab running on the system with Windows Server 2008 in one virtual system running as a domain controller, and a Windows 7 computer running as a client in the virtual domain. I have configured both of these two be able to communicate with each other but they are isolated from the host system or the Internet.

With an understanding of virtualization and VDI, we can now discuss how it can be used in security.  From a security perspective, virtualization can be use for a couple of purposes such as:

  • Testing of patches. When patches for the operating system or applications are released, they can be applied in a virtual environment. They can be tested here in a safe environment without any impact on the production environment.
  • Testing of malware. Once malware is discovered, security professionals want to know what it does and how it does it. This often entails releasing it and observing what happens. Again, a virtual environment is safe and won't impact the performance of the host operating system or the regular network.

Monday, October 19, 2009

Encryption Basics for Security+

The CompTIA Security+ (SY0-201 exam) objectives state that 15 percent of the exam will be on cryptography. Cryptography has several elements and an important one is the use of encryption.

Encryption is used to enforce confidentiality (one of the three elements in the security triad of confidentiality, integrity and availability). If you want to keep your data secure and prevent unauthorized disclosure, you can encrypt the data to make it unreadable.

Encryption uses an algorithm and a key. If either the algorithm is weak or the key is weak, the encryption can easily be broken. Most algorthms are well known but keys are either frequently changed, or kept secret.

Two major types of encryption are used: symmetric and assymmetric.

Symmetric encryption uses a single key to both encrypt the data and decrypt the data.

The most popular type of symmetric encryption is AES. AES is considered a fast, highly secure encryption algorithm. It is significantly faster (using less processor and memory resources) than both DES and 3DES. AES256 uses a key size of 256 bits.

Asymmetric encryption uses two keys that are created as a matched pair (a public key and a private key). Data encrypted with a public key can only be decrypted with the matching private key. Data encrypted with the private key can only be decrypted with the public key
A Public Key Infrastrcuture (PKI) is required to support asymmetric encryption. Any entity can have a private key (which is always kept private). The matching public key is embedded in a certificate issued from a certificate authority (CA).

Darril Gibson

Sunday, October 18, 2009

SY0-201 Practice Exam Question Cryptography

Which of the following can use a PSK?

  A. Asymmetric encryption

  B. PKI

  C. TPM

  D. PGP

Answer below.
On the surface, this 8 word question seems rather simplistic. However, unless you've spent time with the material, all of the acronyms will make it very difficult. PSK can mean many things, but in the context of  security, and with all of the answers relating to cryptography, it refers to a pre-shared key.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

The correct answer is C. A trusted platform module (TPM) uses a pre-shared key (PSK) to encrypt and decrypt data such as entire disks.  (Microsoft uses this with BitLocker.) Symmetric encryption uses a single key to both encrypt and decrypt while asymmetric encryption uses two keys—public and private. Both PGP (Pretty Good Privacy) and PKI (Public Key Infrastructure) use asymmetric encryption.

Good luck on the exam.

Darril Gibson

Saturday, October 17, 2009

SY0-201 Practice Exam Question

Sally is using a Bluetooth enabled device.  She asks you what the best protection is that she can use to protect this device.  What do you tell her?

  A. Ensuring the Bluetooth device is in discovery mode

  B. Ensuring the Bluetooth device is in non-discovery mode

  C. Ensuring the Bluetooth device has bluejacking disabled.

  D. Ensuring the Bluetooth device has bluesnarfing disabled.
Answer listed below

You can read a blog on risks and vulnerabilities for Bluetooth devices here:

Over 375 practice test questions in this book:

The correct answer is B.

Ensuring a Bluetooth device is in non-discover mode is the best protection against bluesnarfing and bluejacking attacks. When in discovery mode, Bluetooth devices can easily be exploited. Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device.Bluejacking is the unauthorized sending of text messages from a Bluetooth device.

Related objective:
2.7 Explain the vulnerabilities and implement mitigations associated
with wireless networking.
• Bluejacking
• Bluesnarfing

Friday, October 16, 2009

Qualitative Risk Assessment

The CompTIA Security+ (SY0-201 exam) includes many objectives on risk assessments.  One type of risk assessment is the qualititative risk assessment.

A qualitative risk assessment uses numbers or values to categorize risks based on probability and impact. (Quantitative risk assessments use dollar figures to calculate SLE and ALE.)

As an example, terms such as low, medium, and high could be used or the numbers one through ten could be used. The two categories often included in a qualitative risk assessment are probability and impact.

  • Probability. The likelihood an event will occur. For example, the probability that an Internet-facing web server will be attacked is close to 100 percent and could be given a numerical value of 10. However, the likelihood that an internal workstation in the library with no Internet access will be attacked through the Internet is very low, so it could be given a numerical value of 1.
  • Impact. The negative result of the event occurring. If the web server is down, the impact may be considered significant and given a value of 10. If the library workstation is down, a library patron may be inconvenienced, so it may be given a value of 1.
Now the risk can be calculated by multiplying the probability and the impact.

  • Web server. 10 * 10 = 100
  • Library computer. 1 * 1 = 1
A manager can look at these numbers and easily determine how to allocate resources to protect against the risks. More resources would be allocated to protect the web server than the library computer.

While these two examples are extreme to show how the model can be used, the model can help identify the priorities in the middle ranges which are more difficult determine.

You can read about quantitative risk assessments here.
Good luck on your Security+ exam!

Darril Gibson

Thursday, October 15, 2009

Bluetooth Concerns

The CompTIA Security+ (SY0-201) exam includes some objectives related to Bluetooth.

Bluetooth is a popular short-range wireless system used in smaller portable wireless devices including phone, personal digital assistants (PDAs), and computer devices.

Two significant threats and one vulnerability exists with Blueetooth.

Threats. Bluesnarfing and bluejacking are two threats against Bluetooth devices that are left in discovery mode.
  • Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device. Information that can be accessed through bluesnarfing includes: email, contact list, calendar, and text messages.
  • Bluejacking is the unauthorized sending of text messages from a Bluetooth device without the permission of the owner.
Vulnerability. Any Bluetooth device that is turned on and in discovery mode is easily exploited through a bluesnarfing or bluejacking attack.

When Bluetooth devices are first configured, they are configured in discovery mode.While in discovery mode, a Bluetooth device is easily discoverable and visible to other devices. Bluetooth devices are identified with a MAC address just as a NIC has a MAC address. In discovery mode, the Bluetooth device broadcasts its MAC address, allowing other devices to see it and connect to it.
Once a device connects with another device, it is paired to open the communication channel. After the pairing process, the Bluetooth device should be changed from discovery mode to non-discovery mode. Non-discovery mode is also referred to as invisible mode. While in non-discovery mode, the device doesn’t broadcast information about itself. Additionally, many devices add encryption to the communication process when in non-discovery mode.
Darril Gibson

Wednesday, October 14, 2009


When preparing for the CompTIA Security+ (SY0-201) exam, you should have a basic understanding of how SSL is used and how certificates can be checked.

Web sites use certificates to create SSL sessions. When a user clicks a HTTPS link, it initiates the SSL handshake process.

The web site will then send the client a certificate with a public key that can be used in the asymmdtric portion of the SSL session to create a session key. (The session key will then be used in the symmetric portion of the SSL session.) The client needs to verify the certificate is trusted and valid:

Trusted. First, the certificate must have been issued from a trusted certificate authority (CA). A list of trusted CAs can be viewed in Internet Explorer by clicking Tools -> Internet Options, selecting the Content tab, click the Certificates button, and selecting Trusted Root Certification Authorities. If the certificate was issued to the web site from a company with a certificate in the Trusted Root Certification Authority store, it will be trusted. If the certificate is not trusted, the user will be notified that it's not trusted and encouraged not to continue.

Valid. Next, the client attempts to validate the certificate. CAs can revoke certificates if they become compromised in some way. A revoked certificate is considered invalid and shouldn't be used. Revoked certificates are published on a certificate revocation list (CRL). Clients can check if a certificate is valid using one of two methods:

  • Requesting the CRL. The client requests a copy of the CRL from the CA. The CA sends the CRL and the client then checks the CRL to see if the certificate is on the list. If it's on the list, it's considered invalid and wouldn't be used.
  • Online Certificate Status Protocol (OCSP). OCSP is an improved streamlined process. Instead of the client requesting a copy of the CRL, the client queries the CA about the certificate. Certificates are uniquely identified with a serial number. The CA then replies indicating the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known by the CA.
Once the certificate is verified to be trusted and valid, the public key embedded in the certificate is used to encrypt the session key. Imagine the client wants to use a key of 1234. The client then encrypts this key with the public key to result in something like "AF4D2D0F3EB304". (Both the session key and the encrypted session would be much larger but are shortened for illustration purposes. )

At this point, only the client knows the session key. The encrypted session key is sent back to the web server. Since this key was encrypted with the public key (which is matched to the private key held by the server and unknown to anyone else) it can't be decrypted if anyone intercepts it. When the web server receives the encrypted key, it decrypts it with the private key. Use of the public and private key is known as asymmetric encryption.

For the remainder of the session, the client and server use the session key (symmetric encryption).

Darril Gibson

Tuesday, October 13, 2009

Three Factors of Authentication

A heavily tested concept in the CompTIA Security+ (SY0-201) exam is authentication. Authentication is used to verify a user’s identity by providing a previously known identifier. Basically, there are three ways to do this which are commonly referred to as the three factors of authentication.

  • Something you know. As an example, a user would know their username and password. This is considered the weakest form of authentication. One of the primary reasons is that users often use weak passwords or write their passwords down. 
  • Something you have. Smart cards and fobs are common examples. A smart card is a credit card sized card that holds key information about the user. Smart cards have certificates embedded in them using TLS and provide very strong authentication. A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server. When the user logs into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.
  • Something you are. Biometrics is used for this factor of authentication and is not only in movies. Biometrics is commonly used in many applications today. A common example is at theme parks like Disney World. It includes fingerprints, retinal scans, voice prints and even handwriting analysis. Biometrics is considered the strongest form of authentication, but also the most expensive.
Multifactor Authentication. Multifactor authentication combines two or three of the factors. Two common examples are where:
  1. Someone may have a smart card and know a personal identification number (PIN), or
  2. Have a fob and know their username and password.
Darril Gibson

Sunday, October 11, 2009

DoD 8570.1 and Security+

I've occassionally heard people ask about the popularity of CompTIA Security+ certification in the past few years. What is driving so many people to seek this certification?

One of the big driving factors is a U.S. Department of Defense (DoD) directive named DoD 8570.1. This directive mandates many IT professionals employed in the government to have specific certifications. Some of the common certifications are CompTIA A+, Network+, and Security+ and the people required to have the different certifications are military personnel, civilian employees and civilian contractors.

While civilian companies aren't mandated to have employees with these certifications, they are much more competitive when they compete for IT service contracts if some of their employees have the certifications.

Darril Gibson

Saturday, October 10, 2009

Quantitative Risk Assessments

If you're preparing for the CompTIA Security+ SY0-201 exam, you'll see some objectives related to risk, risk assessments, and risk management.

Risk assessments are used to prioritize risks. All risk can’t be prevented. Instead, risk management attempts to mitigate risk.

One quantitative risk model uses three elements three elements to quantify and prioritize risks. They are:
  • Single loss expectancy (SLE). The is the cost of any single loss expressed in monetary terms (such as $4,000).
  • Annualized rate of occurrence (ARO). This indicates how many times the loss is expected to occur if no action is taken. For example, it may have occurred an average of 4 times in the past three years, so the ARO would be 4.
  • Annualized loss expectancy (ALE). SLE * ARO. What you expect to lose annually if no action is taken in this example is $16,000.
Now imagine that you have used this to quantify 4 different losses. They have AROs of $100, 2,000, $, 8,000, and $16,000. Which one is the most important to mitigate? Knowing the AROs, you can easily see the risk that results in an annual loss of $16,000 is the most important to address.

Using an SLE of $4,000, and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 and reduce the ARO from 4 to 1. How much money would you save?

  • The original ALE is $16,000 ($4,000 * 4).
  • If the ARO was reduced to 1, the ALE would be $4,000 ($4,000 * 1), or a reduction of losses by $12,000.
  • You spent $2,000 to save $12,000 so you saved $10,000
Another way of looking at this is to use these figures to determine the effectiveness of a mitigation measure. Imagine the ALE is $16,000. Someone proposes a risk mitigation solution that costs $35,000 a year with a guarantee that it will eliminate this risk. Does that make fiscal sense? In other words, you’ll spend $35,000 to save $16,000 - not too good. Now instead of losing $16,000, you’re spending $35,000.

Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ SY0-201 exam.

You can read about qualitative risk assessments here.

Darril Gibson

Intrusion Detection Systems (HIDS and NIDS)

Someone recently mentioned that they took the CompTIA Security+ SY0-201 exam and had several IDS questions such as HIDS and NIDS. This makes a lot of sense since these are heavily covered on the objectives. Here are some of the basics:

An Intrusion Detection System (IDS) is designed to detect intrusions but a host-based IDS (HIDS) works a little differently than a network-based IDS (NIDS). Some of the points of each are:

  • Installed on a host computer such as a workstation or server
  • It is used primarily to monitor traffic going through the NIC of the host
  • Can consume resources of the workstation
  • Can monitor network traffic sent to the host or coming from the host only
  • Data stored locally (on the host)
  • Installed on network devices (such as firewalls, routers or switches)
  • These devices are referred to as sensors or tabs
  • Data centrally managed - sensors report back to a central console
  • Cannot monitor encrypted traffic on individual hosts
Both types can use either signature-based detection or anomaly-based detection.

The IDS looks for known attack patterns (similar to how anti-virus program use virus signatures)

A baseline of normal operation is created to determine normal operation. When events occur that are ‘out of the norm’ (anomalies), the system alerts

Also, both types can have either a passive or active response.

Passive Response
Alerts are logged and personnel are typically notified.

Active Response
An active response will also take some action to modify the environment. A common active response would be to change the ACL on a router or firewall to block access from the attacker.

Darril Gibson

Friday, October 9, 2009

Moving my blog to BlogSpot

After my original Security Plus blog (hosted on went down for four days,. I've decided to move it to a more reliable location. 

In addition to moving my other blog posts over to blogspot, I'll be adding regular blog entries on Security Plus

Darril Gibson