Monday, November 30, 2009

RADIUS

When preparing for the CompTIA Security+ (SY0-201) exam, you will run across the term RADIUS and you should understand what a RADIUS server provides.

The Remote Authentication Dial-In User Service (RADIUS) provides central authentication for users who connect through remote access or network access servers.

Assume a large company has employees who are regularly on the road selling, consulting, teaching, or traveling for other reasons. While away, they still need access to the back-end network. RADIUS provides the authentication when these employees dial in.

The company could have offices spread across the country, and users are encouraged to dial in to the closest office. For example, when they're in California, they should dial in to a server in California; when in Florida, they should dial in to a server in Florida. Each server could hold authentication details for every employee in a local database. However, if this is done, whenever an employee is added or removed on one server, the database must be updated on every server in every region. This quickly becomes too much work.

Instead, a RADIUS server is used for central authentication. All remote access servers send their authentication requests to the RADIUS server. In this way, only one authentication database (on the RADIUS server) needs to be maintained.

TACACS+ is a Cisco alternative to RADIUS. TACACS+ provides two significant benefits.
  • It is more secure than RADIUS since it encrypts the entire authentication process
    (RADIUS only encrypts the password)
  • It interacts with Kerberos allowing it to work with Microsoft networks.
Both RADIUS and TACACS+ are widely in use today.

Good luck with your studies.

Darril Gibson

Wednesday, November 25, 2009

Practice Question Email Sender

You want to ensure that a user that sent an email cannot later claim that he did not send it. What should be used?

A. Confidentiality
B. Integrity
C. Non-repudiation
D. Access control

Answer below.

Over 375 practice test questions in this book:
Answer: C. Non-repudiation can be used to prevent someone from later denying an action. Non-repudiation is commonly enforced with digital signatures. Confidentiality is used to prevent the unauthorized disclosure of information, often by encrypting the data. Integrity is used to verify that data has not been modified and is enforced with hashing or message authentication codes. Access control is one of many methods used to grant access to entities to resources after they have been authenticated.

Monday, November 23, 2009

Practice Question Implicit Deny

Which one of the following describes the principle of implicit deny?

  A. Denying all traffic between networks
  B. Denying all traffic unless it is specifically granted access.
  C. Granting all traffic to network unless it is explicitly granted.
  D. Granting all traffic unless it is explicitly denied.

Answer below.

Over 375 practice test questions in this book:


CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: B. Implicit deny indicates that unless something (such as traffic on a network) is explicitly allowed, it is denied. It isn’t used to deny all traffic, but instead used to deny all traffic that isn’t explicitly granted or allowed.


Saturday, November 21, 2009

SY0-201 Practice Exam Question

What would be used to control the traffic that is allowed into or out of a network?

  A. Hub
  B. ARP
  C. ACL
  D. ALE

Answer below.

Over 375 practice test questions in this book:
Answer: C. An access control list (ACL) is implemented to control inbound and outbound traffic on a network segment. A hub has no intelligence and will pass all traffic to all ports. Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses in a subnet. Annual Loss Expectancy (ALE) is used to identify how much money is expected to be lost in a quantitative analysis.
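The implicit deny principle from the November 23 question and the ACL from this one, as an added example that is not from the original post: a first-match ACL evaluator in which any packet no rule explicitly permits is denied. The rule set, addresses and ports are constructed.

```python
# Added example (not from the original post): first-match ACL with implicit deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """The first matching rule decides; if nothing matches, implicit deny applies."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"  # implicit deny: no rule explicitly allowed this traffic

# Constructed inbound ACL: block internal source addresses arriving from outside
# (spoofing), then permit only HTTPS to the web server and DNS to the resolver.
INBOUND_ACL = [
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("permit", "0.0.0.0/0", "203.0.113.53/32", 53),
]
```

Note that an empty ACL denies everything: the deny is a property of the evaluator, not of any rule.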

Thursday, November 19, 2009

Redundancy

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand some basics about redundancy from redundant disks all the way to redundant sites.


Some key points to remember are:

  • RAID-0 does not provide any fault tolerance.
  • RAID-1 is also known as a mirror and includes two disks.
  • RAID-5 is also known as striping with parity and includes three or more disks with the equivalent of one drive dedicated to parity.
  • Hardware RAID solutions are more efficient than software RAID but generally cost more to implement.
  • Failover clusters can be used to provide redundancy for servers.
  • Redundant WAN links (such as T1 or partial T1 lines) can be used to provide redundant connections. A second ISP can be contracted to provide redundant connections to the Internet.
  • A hot site includes the equipment, software, and communications capabilities of the primary site with all the data up-to-date.
  • A hot site can take over for a failed primary site within minutes. It is the most effective disaster recovery solution for an alternate site, but it is also the most expensive to maintain.
  • A cold site includes only the very basic utilities and is the hardest to test.
  • A warm site is a compromise between a hot site and a cold site.
Good luck in your studies,

Darril Gibson

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Saturday, November 14, 2009

Phishing

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as phishing.

Phishing is the practice of sending unwanted email to users with the purpose of tricking them into revealing personal information (such as user account or bank account information) or clicking on a link.

As an example, I have an email account with cox.net and I often receive phishing emails from accounts that state they're from cox.net (but they aren't). These follow the format of many phishing emails.
  • They state some fictitious problem. Some state they’ve noticed suspicious activity on my account, others state that my account has been discovered to be accessed from different computers, others state that they are upgrading security, and some just say they're upgrading their database.
  • They request personal information such as username, password, PIN, SSN and/or my date of birth. This is supposedly to verify my account, but the real purpose is to access my account with the ultimate goal of stealing my identity.
  • They include a threat such as disabling my account if I don’t reply. Phishing emails often say this is to protect my privacy, but it’s really a “call to action.” They are trying to create some sense of urgency.
Most (if not all) organizations today will never follow this type of format to request your personal information. However, the emails are often pretty sophisticated. They use images from the actual company and often look official. If you think there may be a chance it's real, check out the message header.

The following image shows the message options from one of these phishing messages in Microsoft Outlook. You can access this page by right-clicking the message and selecting Message Options.

While the From address may sometimes look official and at least carry the company's domain (such as cox.net), the Reply-To address is where your reply actually goes. When the From and Reply-To addresses have different domain names (aol.com instead of cox.net), it's a real giveaway. Don't trust it.
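The header check described above, as an added example that is not from the original post: parse the From and Reply-To headers and flag a mismatch between their domains. The sample message is constructed to mirror the cox.net/aol.com pattern described in the post.

```python
# Added example (not from the original post): flag From vs Reply-To domain mismatch.
from email import message_from_string
from email.utils import parseaddr

def sender_domain(header_value: str) -> str:
    """Lowercase domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def reply_to_mismatch(raw_message: str) -> dict:
    """Compare the domains of From and Reply-To; a differing Reply-To is suspicious."""
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From"))
    reply_domain = sender_domain(msg.get("Reply-To"))
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "suspicious": bool(reply_domain) and reply_domain != from_domain,
    }

# Constructed phishing sample: official-looking From, replies routed elsewhere.
PHISH_SAMPLE = """\
From: "Cox Support" <support@cox.net>
Reply-To: account-verify@aol.com
Subject: Urgent: verify your account
To: customer@example.net

We noticed suspicious activity on your account...
"""

# Constructed benign sample: no Reply-To, so replies go back to the From address.
BENIGN_SAMPLE = """\
From: "Cox Billing" <billing@cox.net>
Subject: Your statement is ready
To: customer@example.net

Your monthly statement is available online.
"""
```

A matching Reply-To does not prove a message is genuine; the check only catches one common giveaway, so a clean result still leaves the other warning signs above to consider.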

Links within email can also lead unsuspecting users to install malware.

Other common social engineering tactics are:

Good luck with your studies.
 
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Thursday, November 12, 2009

Dumpster Diving

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as dumpster diving.

Dumpster diving is exactly what it sounds like: searching through trash to gain information from discarded documents. Discarded papers can have written notes or important documents. On a personal basis this includes preapproved credit applications or blank checks given by credit card companies.

Documentation with any type of Personally Identifiable Information (PII) should be shredded or burned.

Other social engineering tactics you should know about are:

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Wednesday, November 11, 2009

Piggybacking or Tailgating

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as piggybacking or tailgating.

Piggybacking or tailgating occurs when one user follows closely behind another user without using valid credentials. Some organizations require access methods such as smart cards, or proximity cards to gain access to secure areas. Ideally, each person would use his access card and the door would close behind him. Often, what happens is that one person uses his card, and others follow behind without using their access card.

Piggybacking can be thwarted with the use of mantraps or security guards.

A mantrap can be as simple as a turnstile similar to what you’ve seen in subway stations or bus terminals. Only a single person can get through. Simple, but effective. Can you imagine two men trying to go through the same turnstile? Neither can I.

A more sophisticated turnstile requires each person to provide credentials (such as swiping a smart card or proximity card) and locks as soon as that person gets through. The most sophisticated mantraps have a person walk through a revolving cage, and the cage can be locked after the person enters but before the person is through. This effectively locks the person inside the mantrap.

Other social engineering tactics you should know about are:

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Tuesday, November 10, 2009

Impersonation

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as impersonation.

Impersonation is a social engineering tactic where an attacker impersonates someone, such as a repair technician, to gain access to a secured area. A "repair technician" shows up at the door and says, "I'm here to work on the phones" (or the server, or the routers, or whatever).

Once the attacker gains access, he can steal the hardware, install malware, or install other hardware such as a protocol analyzer connected to the network and broadcasting the captured packets via a wireless access point.

Identity verification methods can be used to thwart impersonation attempts. In other words, employees should be trained to verify that visitors are who they say they are.

Other social engineering tactics you should know about are:
  • Phishing
  • Piggybacking or tailgating
  • Dumpster diving
  • Shoulder surfing
Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Sunday, November 8, 2009

Social Engineering

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand social engineering.
Social engineering is the practice of using flattery, conning, impersonation, and other methods to trick uneducated users into giving up information.

It bypasses the best technology protections which makes it important for all users to understand. It’s often just people talking to one another - either directly, or via the phone - without using technology at all. It can also be done via email using phishing tactics.

Common social engineering tactics are:

You should be aware of each of these tactics. Some you may already know but others you may not. If not, use your favorite Internet search engine to dig a little deeper.

Or, check back here for some more posts on social engineering topics.
 
Good luck with your studies.
 
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Thursday, November 5, 2009

Disk Redundancy using RAID

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across using RAID for disk redundancy.

RAID is short for redundant array of independent (or inexpensive) disks. Redundancy provides fault tolerance. In other words, if a fault occurs in one drive, your system can tolerate the fault and continue to operate. Several different RAID types are available. When studying for Security+, you should be aware of the following topics.

  • RAID-0 (also known as striping) does not provide any fault tolerance, but it does increase performance.
  • RAID-1 (also known as mirroring) uses two disks and provides fault tolerance.
  • RAID-5 (also known as striping with parity) uses at least three disks and provides fault tolerance while also providing increased performance. The equivalent of one drive is dedicated to parity.
  • RAID-10 (also called 1+0) combines RAID-1 and RAID-0. A variant is 0+1. Both provide fault tolerance and increased performance for specific applications.
Both hardware and software RAID solutions are available. Hardware RAID is more expensive but provides significantly better performance than software RAID.
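The "one drive's worth of parity" in the RAID-5 bullets here and in the November 19 redundancy post, as an added example that is not from the original posts: XOR parity across the data blocks of a stripe, and recovery of any single lost block from the survivors. The stripe contents are constructed; real arrays also rotate which disk holds the parity block from stripe to stripe.

```python
# Added example (not from the original posts): RAID-5 style XOR parity and rebuild.
from typing import List, Optional

def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)

def write_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Lay out one stripe: N data blocks plus one parity block, i.e. N+1 disks."""
    if len(data_blocks) < 2:
        raise ValueError("RAID-5 needs at least two data disks plus parity")
    if len(set(map(len, data_blocks))) != 1:
        raise ValueError("all blocks in a stripe must be the same size")
    return data_blocks + [xor_blocks(data_blocks)]

def rebuild_stripe(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Recover one missing block (None). Two missing blocks are unrecoverable,
    which is why RAID-5 tolerates exactly one failed disk."""
    missing = [i for i, blk in enumerate(stripe) if blk is None]
    if len(missing) > 1:
        raise ValueError("RAID-5 tolerates only one failed disk")
    rebuilt = [blk for blk in stripe]
    if missing:
        survivors = [blk for blk in stripe if blk is not None]
        rebuilt[missing[0]] = xor_blocks(survivors)  # XOR of survivors restores the lost block
    return rebuilt
```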

Good luck in your studies


Darril

Monday, November 2, 2009

DoS and DDoS Attacks

When studying for the CompTIA Security+ (SY0-201) exam, you should know the difference between DoS and DDoS attacks.

Both are denial of service attacks. The difference is that a Denial of Service (DoS) attack comes from a single attacker, while a Distributed Denial of Service (DDoS) attack comes from multiple attackers.

As an example, the SYN flood attack is a DoS attack that targets a single system by flooding it with only two parts of the TCP three-way handshake. Normally, the TCP handshake is three packets: the client sends a SYN packet, the server replies with a SYN/ACK packet, and the client replies with an ACK to complete the handshake.

However, the attacking client withholds the third packet and leaves the server hanging with a half-open connection. If the client does this enough times, the server's resources are consumed by perhaps hundreds of unfinished sessions. A SYN flood attack can take servers down if it is not detected and stopped.

A DDoS attack often starts with malware taking control of multiple computers. These computers act as clones or zombies in a malware-controlled botnet. When the controller sends the order, the zombies launch a distributed attack.
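The half-open sessions described above are visible on the server as sockets stuck in SYN-RECV. As an added example that is not from the original post, the following tallies them per remote address and separates a single-source flood from a distributed one; the socket-table lines are constructed in the column layout of `ss -tan` output, and the thresholds are arbitrary.

```python
# Added example (not from the original post): count half-open (SYN-RECV) sockets per peer.
from collections import Counter
from typing import List

def half_open_by_peer(lines: List[str]) -> Counter:
    """Tally SYN-RECV sockets per remote IP from ss -tan style lines:
    State Recv-Q Send-Q Local:Port Peer:Port"""
    counts: Counter = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue                       # only half-open connections matter here
        peer_ip = fields[4].rsplit(":", 1)[0]
        counts[peer_ip] += 1
    return counts

def classify(counts: Counter, per_source_threshold: int, total_threshold: int) -> str:
    """Many half-open sockets from one peer suggests a DoS; the same total spread
    thinly over many peers is the DDoS pattern, which per-source limits miss."""
    total = sum(counts.values())
    if total < total_threshold:
        return "normal"
    hot_sources = [ip for ip, n in counts.items() if n >= per_source_threshold]
    if hot_sources:
        return "possible SYN flood (single source)"
    return "possible distributed SYN flood"

# Constructed samples: one established socket, then 40 half-open sockets either
# all from one peer or spread across 40 peers.
ESTABLISHED = ["ESTAB     0 0 203.0.113.10:443 198.51.100.7:40001"]
SINGLE_SOURCE = ESTABLISHED + [
    f"SYN-RECV  0 0 203.0.113.10:443 198.51.100.99:{40000 + i}" for i in range(40)
]
DISTRIBUTED = ESTABLISHED + [
    f"SYN-RECV  0 0 203.0.113.10:443 192.0.2.{i}:{40000 + i}" for i in range(1, 41)
]
```

Mitigations such as SYN cookies or per-source rate limits address the two patterns differently, which is why the classification matters.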

Good luck with your studies.

Darril

Check out chapter 6 of this book (Predicting and Mitigating Threats) for more details on the different threats you may see covered on the Security+ exam, including over 375 practice questions.


CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Sunday, November 1, 2009

SY0-201 Practice Exam Question Hashing

What is it called when the hash of two different files is the same?

A. Variation
B. Deviation
C. Collision
D. Conflict

Answer: C. Explanation below.

A hash is simply a number that is created by performing a hashing algorithm on a file or a message. No matter how many times the hashing algorithm is calculated, it will always return the same number - unless the file or message has been modified.

When used in this context, a hash provides integrity. The hash is calculated at the source, and then again at the destination. If the hashes are different, the file or message has lost integrity.

However, what if someone could modify the message so that the new hash is the same as the original hash? It would look like the message has not lost integrity because the hashes are the same, but it has. With a secure hash (one of sufficient strength), this is not feasible. In other words, someone should not be able to modify a file or message and still reproduce the original hash.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

A hash collision occurs when two completely different files can produce the same hash when they are hashed using the same hashing algorithm. The other terms listed aren’t related to hashes.
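The integrity check and the collision idea above, as an added example that is not from the original post: a full SHA-256 digest detects a modified message, while a deliberately weakened digest (SHA-256 truncated to 16 bits, standing in for a hash of insufficient strength) yields a collision after only a few hundred tries via a birthday search. The messages are constructed.

```python
# Added example (not from the original post): integrity check versus collisions on a
# weak (truncated) digest.
import hashlib
import hmac
from typing import Dict, Optional, Tuple

def digest(data: bytes, trunc_bits: Optional[int] = None) -> bytes:
    """SHA-256 of data, optionally truncated to model a hash of insufficient strength."""
    full = hashlib.sha256(data).digest()
    return full if trunc_bits is None else full[: trunc_bits // 8]

def integrity_ok(data: bytes, expected: bytes) -> bool:
    """Recompute the hash at the destination and compare with the source's value."""
    return hmac.compare_digest(digest(data), expected)  # constant-time comparison

def find_collision(trunc_bits: int, max_tries: int = 1_000_000) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search: about 2**(bits/2) distinct inputs suffice for a collision,
    so a short digest collides quickly while 256 bits is far out of reach."""
    seen: Dict[bytes, bytes] = {}
    for i in range(max_tries):
        msg = b"message-%d" % i
        h = digest(msg, trunc_bits)
        if h in seen:
            return seen[h], msg  # two different messages, same truncated hash
        seen[h] = msg
    return None
```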