Friday, October 30, 2009

Well-known ports

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover some of the well-known ports and why they’re relevant when studying Security+.

First, you should understand how ports are used. This blog entry gives an overview. http://sy0201.blogspot.com/2009/10/understanding-ports.html

Ports from 0 to 1023 are known as well-known ports. These are assigned by IANA and can be viewed here: http://www.iana.org/assignments/port-numbers.

However, you don’t need to know them all. First, let’s discuss why they are relevant.

When doing basic packet filtering, a firewall can filter based on IP addresses and ports. However, what if you want to allow HTTP traffic (regular Internet traffic)? You can’t create a packet filter rule to allow HTTP traffic (at least not directly). Instead, you create a packet filter rule to allow port 80 (the well-known port for HTTP).

What if you want to allow SMTP traffic? You would allow traffic using port 25. What if you want to allow DNS traffic? You allow traffic using port 53.

Routers and firewalls typically use an implicit deny implementation. What this means is that all traffic is blocked (implicitly denied) unless it is explicitly allowed. In other words, the only traffic that is allowed is the traffic that has an associated rule allowing it. Allowed traffic is sometimes referred to as an exception.

How does all this apply to Security+? You may need to know how to block, or how to allow certain traffic identified either by the protocol or by the port. The only way you can answer these types of questions is by knowing the well-known ports.

Here are some:
  • FTP 20, 21
  • SSH 22
  • Telnet 23
  • SMTP 25
  • DNS 53
  • HTTP 80
  • Kerberos 88
  • POP3 110
  • NNTP 119
  • IMAP4 143
  • LDAP 389
  • HTTPS 443
  • LDAP/TLS or LDAP/SSL 636
You can find more information on ports including some sample questions in this book: CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide
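As an added example (my code, not from the original post), here is a small packet filter in Python that turns service names into allow rules via the well-known ports listed above and applies an implicit deny to everything else; the rule set, addresses and packets are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports listed in the post (service name -> port number).
WELL_KNOWN_PORTS = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
    "dns": 53, "http": 80, "kerberos": 88, "pop3": 110, "nntp": 119,
    "imap4": 143, "ldap": 389, "https": 443, "ldaps": 636,
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    dst_port: Optional[int]        # None matches any port
    protocol: Optional[str]        # None matches any protocol
    src_ip: Optional[str] = None   # None matches any source address

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.src_ip is None or self.src_ip == pkt.src_ip))


def allow_service(name: str, protocol: str = "tcp") -> Rule:
    """Build the allow rule (the 'exception') for a service via its well-known port."""
    return Rule("allow", WELL_KNOWN_PORTS[name], protocol)


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that no rule matches is implicitly denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit deny: nobody wrote an exception for this traffic


# Constructed rule set: an explicit deny for HTTP from one misbehaving host is
# placed first so it wins over the general HTTP allow that follows it.
RULES = [
    Rule("deny", WELL_KNOWN_PORTS["http"], "tcp", src_ip="10.0.0.99"),
    allow_service("http"),
    allow_service("https"),
    allow_service("smtp"),
    allow_service("dns", "udp"),
    allow_service("dns", "tcp"),
]

if __name__ == "__main__":
    sample = [
        Packet("10.0.0.5", "203.0.113.10", 80, "tcp"),    # HTTP: allowed
        Packet("10.0.0.99", "203.0.113.10", 80, "tcp"),   # HTTP from blocked host: denied
        Packet("10.0.0.5", "203.0.113.10", 22, "tcp"),    # SSH: no rule, implicit deny
        Packet("10.0.0.5", "203.0.113.53", 53, "udp"),    # DNS: allowed
    ]
    for pkt in sample:
        print(f"{pkt.protocol}/{pkt.dst_port} from {pkt.src_ip}: {filter_packet(RULES, pkt)}")
```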

Good luck in your studies.

Darril

Thursday, October 29, 2009

Understanding Ports

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover how ports are used by systems.

TCP/IP uses IP addresses (and MAC addresses) to get traffic from one host to another. However, when a packet arrives, how does the system know what service, process or protocol to send the packet to? The answer is the port.

Imagine that Sally is using Internet Explorer to do a search with Google.com. DNS is used to resolve Google.com to an IP address and a packet is sent to the Google web site with Sally’s search data. The packet will have a source and destination IP address, and a source and destination port:

  • Source
    70.167.73.10
    Port 1025
  • Destination
    74.125.67.100
    Port 80
When the packet reaches the destination IP address (Google), it is examined to identify the destination port. The Google server sees the port is 80 and passes the packet to the service handling HTTP - the web server service. It knows to do this because port 80 is the well-known port for HTTP. The web server service then creates a return packet with the data.

  • Destination
    70.167.73.10
    Port 1025
  • Source
    74.125.67.100
    Port 80
What isn’t apparent is that when the packet was created for Internet Explorer, the system designated a port (in this case 1025) for Internet Explorer. When the packet from Google reaches Sally’s computer, it has a destination port of 1025 so the packet is passed to Internet Explorer.

At another time, Sally’s computer may register port 1046 (or some other port beyond port 1023) to Internet Explorer. The point is that while well-known ports are constant, the return port isn’t constant.
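To watch the return port being assigned, here is an added example (my code, not from the original post) that runs a client and a server over loopback in Python; the server binds an OS-chosen port instead of 80 so it runs without privileges, and the request text is constructed.

```python
import socket
import threading


def serve_once(listen_sock: socket.socket, seen: dict) -> None:
    """Accept one client, note its (ip, port), send a reply addressed to that port."""
    conn, peer = listen_sock.accept()
    with conn:
        seen["request"] = conn.recv(1024)
        seen["peer_port"] = peer[1]          # the client's ephemeral port
        conn.sendall(b"reply to port %d" % peer[1])


def exchange(server_port: int = 0) -> dict:
    """Run one request/response on 127.0.0.1 and return what each side saw.

    server_port=0 lets the OS pick a free listening port; a real web server
    would bind the well-known port 80 instead.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", server_port))
    server.listen(1)
    bound_port = server.getsockname()[1]
    seen = {}
    worker = threading.Thread(target=serve_once, args=(server, seen))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", bound_port))
    # The client never asked for a port: the OS assigned one above 1023,
    # and that number is what the server will use as its destination port.
    client_port = client.getsockname()[1]
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed request
    reply = client.recv(1024)
    client.close()
    worker.join()
    server.close()
    return {
        "server_port": bound_port,
        "client_port": client_port,
        "server_saw_client_port": seen["peer_port"],
        "request": seen["request"],
        "reply": reply,
    }


if __name__ == "__main__":
    r = exchange()
    print(f"client used ephemeral port {r['client_port']}, "
          f"server replied to port {r['server_saw_client_port']}")
```

Run it twice and the client port usually differs between runs while the listening port is the one constant, which is the point of the post.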

Good luck in your studies.

Darril

Wednesday, October 28, 2009

Security+ and CISSP

While the CompTIA Security+ exam is a difficult exam, many people look at it as a stepping stone to other certifications. If you stay in the security arena, a next step may be the CISSP ISC2 certification, which is significantly more difficult than the CompTIA Security+.

Several weeks after taking the CISSP exam, I received notification of a successful pass. Woo Hoo!

One thing that was very apparent to me was the information I learned while studying the CompTIA Security+ objectives definitively helped me with the CISSP. The CISSP exam is a monster and will take a lot more time and effort to master than the Security+ certification. However, if you take the time to truly learn the material for the Security+ exam, you'll be a step closer to the CISSP.

As one of many examples, understanding public key cryptography helped with many questions on the CISSP exam. Chapter 9 of the CompTIA Security+ SY0-201: Get Certified, Get Ahead book includes all of the material you'll need for cryptography in Security+ and you won't need much more if you later pursue the CISSP.

Darril

Monday, October 26, 2009

Biometrics used in Authentication

When preparing for the CompTIA Security+ (SY0-201) exam, you'll come across objectives related to authentication, including the use of biometrics.

There are three factors of authentication:
  • Something you know (such as a password or PIN)
  • Something you have (such as a smart card)
  • Something you are (using biometrics)
Biometrics can be very exact when the technology is implemented accurately. However, it is possible to get false readings. Two possible false readings are:

  • False acceptance. This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.
  • False rejection. This is when a biometric system incorrectly rejects an authorized user.
True readings occur when the biometric system indicates a match. Two possible readings are:

  • True acceptance. The biometric system accurately determines a positive match.
  • True rejection. The biometric system accurately determines a non-match.
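An added example (my code, not from the original post) showing how these four readings come out of a match-score threshold; the scores, the threshold and the rule "accept when score >= threshold" are constructed assumptions, and the block goes slightly beyond the post by showing that raising the threshold trades false acceptances for false rejections.

```python
from collections import Counter

READINGS = ("true acceptance", "true rejection",
            "false acceptance", "false rejection")


def classify(score: float, authorized: bool, threshold: float) -> str:
    """Name the reading for one authentication attempt.

    score: similarity between the live sample and the enrolled template
    (0.0 = no resemblance, 1.0 = identical). Assumed acceptance rule:
    the system accepts when score >= threshold.
    """
    accepted = score >= threshold
    if accepted and authorized:
        return "true acceptance"       # correct positive match
    if accepted and not authorized:
        return "false acceptance"      # impostor let in
    if not accepted and authorized:
        return "false rejection"       # legitimate user locked out
    return "true rejection"            # correct non-match


# Constructed attempts: (match score, is this person really authorized?)
ATTEMPTS = [
    (0.95, True), (0.88, True), (0.72, True), (0.60, True),      # genuine users
    (0.30, False), (0.55, False), (0.75, False), (0.40, False),  # impostors
]


def tally(threshold: float, attempts=ATTEMPTS) -> dict:
    """Count each of the four readings at a given threshold."""
    counts = Counter(classify(s, a, threshold) for s, a in attempts)
    return {name: counts.get(name, 0) for name in READINGS}


if __name__ == "__main__":
    # A low threshold lets impostors in; a high one turns genuine users away.
    for t in (0.5, 0.7, 0.9):
        print(f"threshold {t}: {tally(t)}")
```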
Good luck with your studies.

Darril Gibson

Saturday, October 24, 2009

Digital Signatures

Cryptography covers 15 percent of the CompTIA Security+ (Exam SY0-201) objectives, and digital signatures are one element you should understand.

A digital signature provides authentication, integrity and non-repudiation. It requires a public key infrastructure (PKI) because public and private keys are used. A public and private key pair is two keys where one can encrypt data, and this data can only be decrypted by the other key.

Here's the process if Sally creates a message and digitally signs it.
  • First, a hash is created of the message. This is effectively just a (large) number created by executing a hashing algorithm against the message. The hash provides integrity.
  • The hash (not the message) is encrypted with Sally's private key. Sally's private key is private and she is the only one that has access to it.
  • Sally sends the message to Joe. Joe has Sally's public key. If Sally's public key can decrypt the hash, then it must have been encrypted with Sally's private key. This provides both authentication and non-repudiation.
  • Joe's computer recomputes the hash of the message. If it matches the hash decrypted from Sally's signature, message integrity has been maintained. If the hashes differ, message integrity is lost.

Hope this helps.

Darril Gibson

Thursday, October 22, 2009

Use of Virtualization in Security

One of the CompTIA Security+ (Exam SY0-201) objectives is "Explain the purpose and application of virtualization technology." You may be wondering what this is about.

First, virtualization centers around virtualization desktop infrastructure (VDI) where a single physical computer can host multiple computer operating systems. Many virtualization technologies exist such as VMWare and Microsoft's Virtual PC (upgraded and renamed to Windows Virtual PC in Windows 7). I'm more familiar with Virtual PC (VPC) but the uses between brands are common. One great feature is that if something goes wrong with the virtual system, changes can be easily rolled back or undone.

As a simple example, I am running Windows 7 on my desktop PC and have a virtual mini-lab running on the system with Windows Server 2008 in one virtual system running as a domain controller, and a Windows 7 computer running as a client in the virtual domain. I have configured both of these to be able to communicate with each other but they are isolated from the host system or the Internet.

With an understanding of virtualization and VDI, we can now discuss how it can be used in security. From a security perspective, virtualization can be used for a couple of purposes such as:

  • Testing of patches. When patches for the operating system or applications are released, they can be applied in a virtual environment. They can be tested here in a safe environment without any impact on the production environment.
  • Testing of malware. Once malware is discovered, security professionals want to know what it does and how it does it. This often entails releasing it and observing what happens. Again, a virtual environment is safe and won't impact the performance of the host operating system or the regular network.
Darril

Monday, October 19, 2009

Encryption Basics for Security+

The CompTIA Security+ (SY0-201 exam) objectives state that 15 percent of the exam will be on cryptography. Cryptography has several elements and an important one is the use of encryption.

Encryption is used to enforce confidentiality (one of the three elements in the security triad of confidentiality, integrity and availability). If you want to keep your data secure and prevent unauthorized disclosure, you can encrypt the data to make it unreadable.

Encryption uses an algorithm and a key. If either the algorithm is weak or the key is weak, the encryption can easily be broken. Most algorithms are well known but keys are either frequently changed, or kept secret.

Two major types of encryption are used: symmetric and asymmetric.

Symmetric encryption uses a single key to both encrypt the data and decrypt the data.

The most popular type of symmetric encryption is AES. AES is considered a fast, highly secure encryption algorithm. It is significantly faster (using less processor and memory resources) than both DES and 3DES. AES256 uses a key size of 256 bits.

Asymmetric encryption uses two keys that are created as a matched pair (a public key and a private key). Data encrypted with a public key can only be decrypted with the matching private key. Data encrypted with the private key can only be decrypted with the public key.

A Public Key Infrastructure (PKI) is required to support asymmetric encryption. Any entity can have a private key (which is always kept private). The matching public key is embedded in a certificate issued from a certificate authority (CA).

Darril Gibson

Sunday, October 18, 2009

SY0-201 Practice Exam Question Cryptography

Which of the following can use a PSK?

  A. Asymmetric encryption

  B. PKI

  C. TPM

  D. PGP

Answer below.
On the surface, this 8 word question seems rather simplistic. However, unless you've spent time with the material, all of the acronyms will make it very difficult. PSK can mean many things, but in the context of security, and with all of the answers relating to cryptography, it refers to a pre-shared key.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

The correct answer is C. A trusted platform module (TPM) uses a pre-shared key (PSK) to encrypt and decrypt data such as entire disks.  (Microsoft uses this with BitLocker.) Symmetric encryption uses a single key to both encrypt and decrypt while asymmetric encryption uses two keys—public and private. Both PGP (Pretty Good Privacy) and PKI (Public Key Infrastructure) use asymmetric encryption.

Good luck on the exam.

Darril Gibson

Saturday, October 17, 2009

SY0-201 Practice Exam Question

Sally is using a Bluetooth enabled device.  She asks you what the best protection is that she can use to protect this device.  What do you tell her?

  A. Ensuring the Bluetooth device is in discovery mode

  B. Ensuring the Bluetooth device is in non-discovery mode

  C. Ensuring the Bluetooth device has bluejacking disabled.

  D. Ensuring the Bluetooth device has bluesnarfing disabled.

Answer listed below

You can read a blog on risks and vulnerabilities for Bluetooth devices here:

Over 375 practice test questions in this book:
The correct answer is B.

Ensuring a Bluetooth device is in non-discovery mode is the best protection against bluesnarfing and bluejacking attacks. When in discovery mode, Bluetooth devices can easily be exploited. Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device. Bluejacking is the unauthorized sending of text messages from a Bluetooth device.

Related objective:
2.7 Explain the vulnerabilities and implement mitigations associated
with wireless networking.
• Bluejacking
• Bluesnarfing

Friday, October 16, 2009

Qualitative Risk Assessment

The CompTIA Security+ (SY0-201 exam) includes many objectives on risk assessments. One type of risk assessment is the qualitative risk assessment.

A qualitative risk assessment uses numbers or values to categorize risks based on probability and impact. (Quantitative risk assessments use dollar figures to calculate SLE and ALE.)

As an example, terms such as low, medium, and high could be used or the numbers one through ten could be used. The two categories often included in a qualitative risk assessment are probability and impact.

  • Probability. The likelihood an event will occur. For example, the probability that an Internet-facing web server will be attacked is close to 100 percent and could be given a numerical value of 10. However, the likelihood that an internal workstation in the library with no Internet access will be attacked through the Internet is very low, so it could be given a numerical value of 1.
  • Impact. The negative result of the event occurring. If the web server is down, the impact may be considered significant and given a value of 10. If the library workstation is down, a library patron may be inconvenienced, so it may be given a value of 1.
Now the risk can be calculated by multiplying the probability and the impact.

  • Web server. 10 * 10 = 100
  • Library computer. 1 * 1 = 1
A manager can look at these numbers and easily determine how to allocate resources to protect against the risks. More resources would be allocated to protect the web server than the library computer.

While these two examples are extreme to show how the model can be used, the model can help identify the priorities in the middle ranges which are more difficult to determine.

You can read about quantitative risk assessments here.
Good luck on your Security+ exam!

Darril Gibson

Thursday, October 15, 2009

Bluetooth Concerns

The CompTIA Security+ (SY0-201) exam includes some objectives related to Bluetooth.

Bluetooth is a popular short-range wireless system used in smaller portable wireless devices including phones, personal digital assistants (PDAs), and computer devices.

Two significant threats and one vulnerability exist with Bluetooth.

Threats. Bluesnarfing and bluejacking are two threats against Bluetooth devices that are left in discovery mode.
  • Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device. Information that can be accessed through bluesnarfing includes: email, contact list, calendar, and text messages.
  • Bluejacking is the unauthorized sending of text messages from a Bluetooth device without the permission of the owner.
Vulnerability. Any Bluetooth device that is turned on and in discovery mode is easily exploited through a bluesnarfing or bluejacking attack.

When Bluetooth devices are first configured, they are configured in discovery mode. While in discovery mode, a Bluetooth device is easily discoverable and visible to other devices. Bluetooth devices are identified with a MAC address just as a NIC has a MAC address. In discovery mode, the Bluetooth device broadcasts its MAC address, allowing other devices to see it and connect to it.

Once a device connects with another device, it is paired to open the communication channel. After the pairing process, the Bluetooth device should be changed from discovery mode to non-discovery mode. Non-discovery mode is also referred to as invisible mode. While in non-discovery mode, the device doesn’t broadcast information about itself. Additionally, many devices add encryption to the communication process when in non-discovery mode.

Darril Gibson

Wednesday, October 14, 2009

SSL, OCSP vs CRL

When preparing for the CompTIA Security+ (SY0-201) exam, you should have a basic understanding of how SSL is used and how certificates can be checked.

Web sites use certificates to create SSL sessions. When a user clicks an HTTPS link, it initiates the SSL handshake process.

The web site will then send the client a certificate with a public key that can be used in the asymmetric portion of the SSL session to create a session key. (The session key will then be used in the symmetric portion of the SSL session.) The client needs to verify the certificate is trusted and valid:

Trusted. First, the certificate must have been issued from a trusted certificate authority (CA). A list of trusted CAs can be viewed in Internet Explorer by clicking Tools -> Internet Options, selecting the Content tab, click the Certificates button, and selecting Trusted Root Certification Authorities. If the certificate was issued to the web site from a company with a certificate in the Trusted Root Certification Authority store, it will be trusted. If the certificate is not trusted, the user will be notified that it's not trusted and encouraged not to continue.

Valid. Next, the client attempts to validate the certificate. CAs can revoke certificates if they become compromised in some way. A revoked certificate is considered invalid and shouldn't be used. Revoked certificates are published on a certificate revocation list (CRL). Clients can check if a certificate is valid using one of two methods:

  • Requesting the CRL. The client requests a copy of the CRL from the CA. The CA sends the CRL and the client then checks the CRL to see if the certificate is on the list. If it's on the list, it's considered invalid and wouldn't be used.
  • Online Certificate Status Protocol (OCSP). OCSP is an improved, streamlined process. Instead of the client requesting a copy of the CRL, the client queries the CA about the certificate. Certificates are uniquely identified with a serial number. The CA then replies indicating the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known by the CA).
Once the certificate is verified to be trusted and valid, the public key embedded in the certificate is used to encrypt the session key. Imagine the client wants to use a key of 1234. The client then encrypts this key with the public key to result in something like "AF4D2D0F3EB304". (Both the session key and the encrypted session key would be much larger but are shortened for illustration purposes.)

At this point, only the client knows the session key. The encrypted session key is sent back to the web server. Since this key was encrypted with the public key (which is matched to the private key held by the server and unknown to anyone else) it can't be decrypted if anyone intercepts it. When the web server receives the encrypted key, it decrypts it with the private key. Use of the public and private key is known as asymmetric encryption.

For the remainder of the session, the client and server use the session key (symmetric encryption).

Darril Gibson

Tuesday, October 13, 2009

Three Factors of Authentication

A heavily tested concept in the CompTIA Security+ (SY0-201) exam is authentication. Authentication is used to verify a user’s identity by providing a previously known identifier. Basically, there are three ways to do this which are commonly referred to as the three factors of authentication.

  • Something you know. As an example, a user would know their username and password. This is considered the weakest form of authentication. One of the primary reasons is that users often use weak passwords or write their passwords down. 
  • Something you have. Smart cards and fobs are common examples. A smart card is a credit card sized card that holds key information about the user. Smart cards have certificates embedded in them using TLS and provide very strong authentication. A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server. When the user logs into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.
  • Something you are. Biometrics is used for this factor of authentication and is not only in movies. Biometrics is commonly used in many applications today. A common example is at theme parks like Disney World. It includes fingerprints, retinal scans, voice prints and even handwriting analysis. Biometrics is considered the strongest form of authentication, but also the most expensive.
Multifactor Authentication. Multifactor authentication combines two or three of the factors. Two common examples are where:
  1. Someone may have a smart card and know a personal identification number (PIN), or
  2. Have a fob and know their username and password.
Darril Gibson
http://www.sy0-201.com/

Sunday, October 11, 2009

DoD 8570.1 and Security+

I've occasionally heard people ask about the popularity of CompTIA Security+ certification in the past few years. What is driving so many people to seek this certification?

One of the big driving factors is a U.S. Department of Defense (DoD) directive named DoD 8570.1. This directive mandates many IT professionals employed in the government to have specific certifications. Some of the common certifications are CompTIA A+, Network+, and Security+ and the people required to have the different certifications are military personnel, civilian employees and civilian contractors.

While civilian companies aren't mandated to have employees with these certifications, they are much more competitive when they compete for IT service contracts if some of their employees have the certifications.

Darril Gibson

Saturday, October 10, 2009

Quantitative Risk Assessments

If you're preparing for the CompTIA Security+ SY0-201 exam, you'll see some objectives related to risk, risk assessments, and risk management.

Risk assessments are used to prioritize risks. All risk can’t be prevented. Instead, risk management attempts to mitigate risk.

One quantitative risk model uses three elements to quantify and prioritize risks. They are:
  • Single loss expectancy (SLE). This is the cost of any single loss expressed in monetary terms (such as $4,000).
  • Annualized rate of occurrence (ARO). This indicates how many times the loss is expected to occur if no action is taken. For example, it may have occurred an average of 4 times in the past three years, so the ARO would be 4.
  • Annualized loss expectancy (ALE). SLE * ARO. What you expect to lose annually if no action is taken in this example is $16,000.
Now imagine that you have used this to quantify 4 different losses. They have ALEs of $100, $2,000, $8,000, and $16,000. Which one is the most important to mitigate? Knowing the ALEs, you can easily see the risk that results in an annual loss of $16,000 is the most important to address.

Using an SLE of $4,000, and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 and reduce the ARO from 4 to 1. How much money would you save?

  • The original ALE is $16,000 ($4,000 * 4).
  • If the ARO was reduced to 1, the ALE would be $4,000 ($4,000 * 1), or a reduction of losses by $12,000.
  • You spent $2,000 to save $12,000, so you saved $10,000.
Another way of looking at this is to use these figures to determine the effectiveness of a mitigation measure. Imagine the ALE is $16,000. Someone proposes a risk mitigation solution that costs $35,000 a year with a guarantee that it will eliminate this risk. Does that make fiscal sense? In other words, you’ll spend $35,000 to save $16,000 - not too good. Now instead of losing $16,000, you’re spending $35,000.

Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ SY0-201 exam.

You can read about qualitative risk assessments here.

Darril Gibson

Intrusion Detection Systems (HIDS and NIDS)

Someone recently mentioned that they took the CompTIA Security+ SY0-201 exam and had several IDS questions such as HIDS and NIDS. This makes a lot of sense since these are heavily covered on the objectives. Here are some of the basics:

An Intrusion Detection System (IDS) is designed to detect intrusions but a host-based IDS (HIDS) works a little differently than a network-based IDS (NIDS). Some of the points of each are:

HIDS
  • Installed on a host computer such as a workstation or server
  • It is used primarily to monitor traffic going through the NIC of the host
  • Can consume resources of the workstation
  • Can monitor network traffic sent to the host or coming from the host only
  • Data stored locally (on the host)
NIDS
  • Installed on network devices (such as firewalls, routers or switches)
  • These devices are referred to as sensors or taps
  • Data centrally managed - sensors report back to a central console
  • Cannot monitor encrypted traffic on individual hosts
Both types can use either signature-based detection or anomaly-based detection.

Signature-based
The IDS looks for known attack patterns (similar to how anti-virus programs use virus signatures).

Anomaly-based
A baseline of normal operation is created. When events occur that are ‘out of the norm’ (anomalies), the system alerts.

Also, both types can have either a passive or active response.

Passive Response
Alerts are logged and personnel are typically notified.

Active Response
An active response will also take some action to modify the environment. A common active response would be to change the ACL on a router or firewall to block access from the attacker.
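An added example (my code, not from the original post): both detection styles and both response styles run over constructed web-server log lines in Python; the log format, the two signatures, the rate baseline and the block list are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed web-server log lines: client IP, request line, status code.
# One client browses normally, one sends an injection probe, one scans rapidly.
LOG_LINES = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 "GET /about.html HTTP/1.1" 200',
    '10.0.0.7 "GET /login?user=admin\' OR \'1\'=\'1 HTTP/1.1" 200',
    '198.51.100.9 "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404',
] + [f'198.51.100.9 "GET /probe{i} HTTP/1.1" 404' for i in range(9)]

# Signature-based detection: known attack patterns, like anti-virus signatures.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "directory-traversal": re.compile(r"\.\./"),
}

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3})$')


def parse(line: str) -> tuple:
    """Split one log line into (client_ip, request, status)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group(1), m.group(2), int(m.group(3))


def signature_alerts(lines) -> list:
    """Return (ip, signature_name) for every request matching a known pattern."""
    alerts = []
    for line in lines:
        ip, request, _status = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(lines, baseline_per_ip: int, tolerance: int = 3) -> list:
    """Anomaly-based detection: flag a source whose request count is 'out of
    the norm', here more than tolerance times the baseline for one client."""
    counts = Counter(parse(line)[0] for line in lines)
    return [(ip, "request-rate") for ip, c in counts.items()
            if c > baseline_per_ip * tolerance]


class IDS:
    """Passive response only logs alerts; active response also adds an ACL entry."""

    def __init__(self, active: bool):
        self.active = active
        self.log = []          # alerts logged (passive response, always happens)
        self.blocked = set()   # source addresses added to the block ACL

    def respond(self, alerts) -> tuple:
        for ip, reason in alerts:
            self.log.append(f"ALERT {reason} from {ip}")
            if self.active:
                self.blocked.add(ip)       # the ACL change the post describes
        return self.log, sorted(self.blocked)


if __name__ == "__main__":
    found = signature_alerts(LOG_LINES) + anomaly_alerts(LOG_LINES, baseline_per_ip=2)
    log, acl = IDS(active=True).respond(found)
    print("\n".join(log))
    print("blocked:", acl)
```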

Darril Gibson

Friday, October 9, 2009

Moving my blog to BlogSpot

After my original Security Plus blog (hosted on webhostforasp.net) went down for four days, I've decided to move it to a more reliable location.

In addition to moving my other blog posts over to blogspot, I'll be adding regular blog entries on Security Plus.

Darril Gibson
http://www.sy0-201.com/