Thursday, December 31, 2009

Protocol Analyzers

When studying the CompTIA Security+ exam (SY0-201) you'll come accross the following objective related to protocol analyzers:
2.3 Determine the appropriate use of network security tools to facilitate network security.

A protocol analyzer can be used to capture data packets as they travel across the network if the data is sent "in the clear" or unencrypted.

One of the early protocol analyzers was called Sniffer Network Analyzer and it became so popular protocol analyzers in general are commonly called "sniffers." Wireshark is a popular protocol analyzer that you can download for free today.

Because protocol analyzers are so readily available to attackers, network administrators need to carefully consider allowing any sensitve data (such as passwords) from being sent across the network in clear text.

Protocol analyzers can also be used by administrators to analyze traffic on the network. As an example, a protocol analyzer can detect malformed packets or other types of network attacks.

Good luck with your studies.

Darril Gibson

Wednesday, December 30, 2009

Security One of the Hottest Skills for 2010

Computerworld recently published a list of the six hottest skills for 2010.  Number 5 is Security.

An understanding of basic security issues is becoming mandatory across a wide range of jobs from programmers, networking professionals, IT managers, and project management professionals.  Companies want employees with basic cyber security skills.

Tom Silver, senior vice president for North America at Dice Holdings Inc., which operates Dice.com and other careers Web sites was quoted as saying: "If you know how to help keep your company's information secure, there will be a home for you forever." "Security" he says. "is an evergreen skill."

Darril Gibson
Security+ Tip of day Tweets
http://twitter.com/DarrilGibson

Sunday, December 27, 2009

Environmental Controls Practice Question

When preparing for the Security+ exam, you'll come across this objective: "Explain the importance of environmental controls" including Shielding.  Here's a practice question
What is the purpose of a Faraday cage? (Choose all that apply.)


  A. To mitigate data emanation
  B. To detect attacks on host
  C. To detect network attacks
  D. To prevent interference

Answer below.

Over 375 practice test questions in this book:




Answer: A, D.
A Faraday cage is designed to mitigate data emanation and also prevents EMI/RFI from entering the enclosures. Network intrusion detection systems (NIDS) would be used to detect network attacks, and host-based intrusion detection systems (HIDS) would be used to detect attacks on a host.

Saturday, December 26, 2009

Faraday Cage

When preparing for the Security+ exam, you'll come across this objective:  "Explain the importance of environmental controls" including Shielding. 


Shielding is used to protect data from emanating out so that it can be intercepted, or prevent interference from getting in and corrupting data transmissions.  A Faraday cage can be used to prevent emissions and interference.

A Faraday cage prevents signals from emanating outside a room. It uses electrical features that cause RF signals that reach the boundary of the room to be reflected back. It can also also provide shielding to prevent outside interference such as electromagnetic interference (EMI) and radio frequency interference (RFI) from entering the room.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Friday, December 25, 2009

Does Security+ Certification Expire?

CompTIA certifications are granted for life.  In other words, they never expire.  This is different than some other certifications which do expire (such as the CISSP certification). Part of the reason for this is that the CompTIA certifications are often considered to be a stepping stone to other certifications. 

However, even though the certifications don't expire, the knowledge becomes less relevant.  As an example, my transcript shows that I became certified in A+ in 1999. If I never took A+ again, I could continue to say I'm A+ certified.

Similarly, my Security+ certification (from the 2000 objectives) was relevant when I was teaching Security+ using the 2000 objectives.  However, when I began teaching the 2008 objectives, I took and passed the Security+ exam with the 2008 objectives. I didn't have to, but it helped me understand how to interpret the new objectives.

Some companies are encouraging employees to upgrade Security+ by taking the new exam, but this is an employer requirement, not CompTIA.  To make this path easier for test takers, CompTIA has created a bridge exam (BR0-001) that can be taken if you're Security+ certified using the older exam (SY0-101) based on the 2000 objectives. In other words, you can take the BR0-001 bridge exam instead of the SY0-201 exam.  The BR0-001 exam is only 50 questions (instead of 100 for SY0-201) and a passing score of only 560 is required to pass (instead of 750 for SY0-201).

In summary, if you earn the CompTIA Security+ certification, it is good for life.  You can update your certification by taking a newer exam with updated objectives, but this is not required by CompTIA.

Darril Gibson

Edited January 2010
At least this is the way it used to be. CompTIA announced a change in their policy in January 2010.  These two blogs talk about some of the changes.
CompTIA Certification Renewal Policy
Will Your Security+ Certification Expire?

Darril Gibson

Thursday, December 24, 2009

Symmetric vs Asymmetric

Cryptography covers 15 percent of the CompTIA Security+ (Exam SY0-201) objectives, and cryptographic algorithms are important to understand.

Algorithms are primarily characterized as either symmetric or asymmetric.  In short, symmetric encryption uses a single key to encrypt and decrypt. Asymmetric uses two keys.

Symmetric encryption:
  • Is about 1000 times faster than asymmetric encryption.
  • Uses the same key to encrypt as it does to decrypt.  For example, if the key 123 is used to encrypt data using the Advanced Encryption Standard (AES), then the same key of 123 is used to decrypt the data. (Encryption keys are actually much more complex than just a simple number like 123.)
  • The key is commonly called a session key, a shared key, a preshared key, or a shared secret.
  • The most popular encryption algorithm is AES which faster and more efficient than other encryption algorithms (such as DES and 3DES).
Asymmetric encryption:
  • Is extremely slow compared to symmetric encryption so only used to encrypt/decrypt a very small amount of data.
  • Is primarily used to privately share a symmetric key over a public network (such as the Internet).  Once the key is exchanged using asymmetric encryption, symmetric encryption is used to encrypt session data.
  • Uses two keys know as a public key and a private key (or public/private key pair).  The public key is freely shared but the private key is kept private for a single entity (such as a single server). 
  • Requires a public key infrastructure (PKI) to publish certificates. Public keys are published in a certificate and the certificate is freely shared to others.
  • If a public key encrypts data, only the private key can decrypt it. 
  • If a private key encrypts data, only the public key can decrypt it.
Other blogs on cryptography you might like:
And of course, this book CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide has a full chapter on the relevant cryptography concepts needed to pass the Security+ exam the first time.

 Good luck with your studies.

Darril Gibson

Monday, December 21, 2009

Cryptography practice

What would a CA do if a private key is considered compromised

  A. Cancel the certificate
  B. Publish the certificate
  C. Revoke the certificate
  D. Reissue the certificate

Answer below.

Over 375 practice test questions in this book:





Answer: C

If a private key is compromised the key is revoked by revoking the certificate that holds the matching public key. Revoked keys are published on the certificate revocation list (CRL). Certificates can’t be cancelled. The certificate is already published. It’s not appropriate to reissue a certificate with a compromised private key.

Sunday, December 20, 2009

What's in a CRL?

When studying for the Security+ exam, you may run across the following objective:


“Explain core concepts of public key cryptography.” This objective includes a listing of several related topics including Certification Revocation List (CRL)

This blog on SSL, OCSP and CRLs   talked about the relationship of SSL, OCSP and CRLs, but you may be wondering what a CRL actually is. In short, a CRL is a certificate that holds the serial numbers of revoked certificates.


As a little background, a certificate holds a public key but it holds a lot more. You can view one in Internet Explorer by clicking Tools, Internet Options, Content, Certificates, Trusted Root Certification Authority, selecting a certificate and clicking View. Click the Details tab and you can see all the contents.
The following figure shows the details on a Verisign root certificate. The public key is selected and the public key is shown in the bottom pane.  But notice also that the the first field showing is the serial number.  The serial number is used to uniquely identify a certificate. Select serial number and you can see the serial number (which is important for this conversation). Select the Public Key and you can view the actual Public Key.



This public key is part of a matched public/private key pair. When data is encrypted with the public key it can only be decrypted by the private key (which is commonly done with SSL).  When data is encrypted with the private key, it can only be decrypted with the public key (which is commonly done with digital signatures).

If the private key ever becomes compromized, the certificate needs to be revoked so that it is no longer used. How can the certficate be untiquely identified?  With the serial number.  A certificate authority (CA) issues the certificate and if the matching private key for the certificate becomes compromized, the certificate is published on a Certificate Revocation List (CRL pronounced as crill).

CA's commonly publish the CRL as a version 2 certificate as shown in the following figure.  This CRL has only one certificate, but it's much more common for a CRL to have multiple revoked certificates.


Hope this helps you with your studies.

Darril Gibson

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide
includes a full chapter on cryptography.
Over 375 practice test questions to help you pass Security+ the first time.

Tuesday, December 15, 2009

Identity proofing

When studying for the SY0-201 Security+ exam, you'll see this objective: "Explain the difference between identification and authentication."  This directly relates to identity proofing. 

Identity proofing is done during the identification process prior to issuing credentials. An account within a network isn't just given to anyone that asks for one, but instead a user must provide some type of identification first.  Within a company, identification is provided by the individual when they are hired.  The HR department may then introduce the new hire and ask for an account to be created.  

A second use of identity proofing is performed after credentials have been issued. For example, online banks often ask for more information on a user (such as street they grew up on, first pet's name, middle name of oldest sibling, and so on.) Later, if the user is doing online banking from a different compuer than they normally use, the Web site may recognize this and challenge the user to provide more than just their user name and password. 

Good luck with your studies.

Darril Gibson
Author CompTIA Security+: Get Certified Get Ahead

Not off the grid

I haven't been able to post or blog much recently so thought I'd mention why. Nothing's wrong, I'm just overwhelmed with two large writing projects. I hope to have some breathing room next year (which is only a couple of weeks away). I'm playing hookie for an hour or so now, but will be jumping back in soon.

CompTIA Security+: Get Certified Get Ahead is still selling (most notably on Amazon) and I've been receiving some very kind emails from readers who've used it and passed.

Good luck with your studies.

Darril Gibson