Tuesday, June 8, 2010

HTTPS Process

When studying for the CompTIA Security+ exam, you'll come across some cryptography objectives.  One thing that confuses many people is how SSL works with HTTPS.

I've broken it down to the following steps with a diagram at the end that may help you understand it a little better.
  1. The client starts the HTTPS session, for example by clicking a link to an https:// URL.
  2. The server responds by sending its certificate. The certificate includes the server's public key, which is one half of a matched private/public key pair. The private key is always kept private by the server. Before going any further, the client checks that the certificate was issued by a certificate authority it trusts and that it matches the name of the site it asked for.
  3. The client creates a random session key (such as 13579BDF2468ACE).
  4. The client encrypts the session key with the server's public key.
  5. The client sends the encrypted session key to the server.
  6. The server decrypts the session key with its private key. Nobody without the private key can recover it.
  7. The rest of the session is encrypted with the symmetric session key.
This is the RSA key exchange as the exam describes it. In the actual protocol the client sends a random premaster secret and both sides derive the session keys from it, and current TLS deployments usually agree on the key with ephemeral Diffie-Hellman instead, which also gives forward secrecy. The principle is the same either way: asymmetric cryptography protects the key exchange, and symmetric cryptography protects the data.
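Here is the seven-step exchange as a runnable toy model. It is an added example, not code from the original post. Textbook RSA over two small primes (999983 and 1000003, chosen only so the numbers stay readable) and an HMAC-derived keystream stand in for real padded RSA and AES; none of it is secure, but the shape of the exchange is exactly the one above: the asymmetric key wraps the session key once, and the symmetric key protects everything after that.

```python
"""Toy model of the seven HTTPS steps above (added example, not from the
original post).  Textbook RSA over tiny primes and an HMAC-derived keystream
stand in for real RSA-with-padding and AES; they are NOT secure."""
import hashlib
import hmac
import os

# --- Server side: RSA key pair.  The primes are toy-sized demo values;
# real RSA keys use primes of 1024 bits or more. ---
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)          # this is what the certificate carries
SERVER_PRIVATE_KEY = (N, D)         # never leaves the server

SESSION_KEY_BYTES = 4               # keeps int(session_key) < N for this toy modulus


def rsa_encrypt(message: int, public_key) -> int:
    n, e = public_key
    return pow(message, e, n)


def rsa_decrypt(ciphertext: int, private_key) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def keystream(session_key: bytes, length: int) -> bytes:
    """Symmetric keystream: successive HMAC-SHA256(session_key, counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(session_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(session_key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


def client_key_exchange(server_public_key):
    """Steps 3-5: the client makes a random session key and wraps it with the server's public key."""
    session_key = os.urandom(SESSION_KEY_BYTES)
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), server_public_key)
    return session_key, wrapped


def server_unwrap_session_key(wrapped: int) -> bytes:
    """Step 6: only the holder of the private key can recover the session key."""
    return rsa_decrypt(wrapped, SERVER_PRIVATE_KEY).to_bytes(SESSION_KEY_BYTES, "big")


def run_session(request: bytes) -> dict:
    """Runs the whole exchange and returns what each side ended up with."""
    client_key, wrapped = client_key_exchange(SERVER_PUBLIC_KEY)   # steps 2-5
    server_key = server_unwrap_session_key(wrapped)                 # step 6
    ciphertext = symmetric_crypt(client_key, request)               # step 7, client side
    recovered = symmetric_crypt(server_key, ciphertext)             # step 7, server side
    return {"client_key": client_key, "server_key": server_key,
            "wrapped_key": wrapped, "ciphertext": ciphertext, "recovered": recovered}


if __name__ == "__main__":
    result = run_session(b"GET /account HTTP/1.1")
    print("session keys match:", result["client_key"] == result["server_key"])
    print("server read:", result["recovered"])
```

Note what the two questions below are really asking: rsa_encrypt and rsa_decrypt run exactly once per session, on a few bytes of key material, while symmetric_crypt runs on every byte of traffic. That is the whole reason for the hybrid design.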

Question:  What type of encryption does SSL use to privately share the session key? 
Answer: Asymmetric

Question: What type of encryption does SSL use to encrypt the session data?
Answer: Symmetric

Trick Question: What type of encryption does SSL use?

Answer: Asymmetric and symmetric

You can find more details on cryptography in chapter 9 of this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

You can also watch a video on YouTube here:
SSL Asymmetric and symmetric encryption

HTH,

Darril Gibson

Tuesday, May 18, 2010

Biometrics False Positive False Acceptance

I'm teaching a Security+ class this week and this topic came up again.  Here's some clarification...

Biometrics is used for authentication.  It is in the "something you are" factor. You can read about the three factors of authentication here.

However, biometrics can be calibrated for different levels of accuracy.  Two types of errors are possible.
  • False acceptance or false positive. This is when the system accepts someone it should have rejected. For example, imagine that Attacker Al steals Sally's laptop. The laptop uses a fingerprint scanner for authentication and has Sally's fingerprint enrolled. Attacker Al tries his fingerprint and it works. It accepts his fingerprint even though it shouldn't. It returns a positive match as though his fingerprint is the same as Sally's even though this is obviously false.
  • False rejection or false negative. Now imagine that Sally has the same laptop. She has registered her fingerprint on the system. The next day she tries to use it for authentication. Unfortunately, the system rejects her fingerprint. It returns a negative match as though the finger isn't actually Sally's, even though it's the same finger she used the day before.
The confusion for some people is realizing that false acceptance is the same as false positive, and false rejection is the same as false negative.

Think about this. The Powerball lottery in the U.S. wants to give you a million dollars for your winning ticket. Do you accept it? You'll probably answer with a positive answer such as Yes, or Absolutely. Accept is a positive response. On the other hand, reject is a negative answer. Someone may say No, they don't want the money (though I can't imagine why not). The rejection with a No is a negative response.

You can overthink this, but it's as simple as acceptance is positive, and rejection is negative.

Interestingly, both terms are simplified. Biometrics more technically uses the following terms:
  • False reject rate (FRR). This is commonly referred to as a Type I error, or a false rejection error. Raising the match threshold (making the system stricter) increases the FRR.
  • False accept rate (FAR). This is commonly referred to as a Type II error, or a false acceptance error. Lowering the match threshold (making the system more lenient) increases the FAR.
  • Crossover error rate (CER). As the sensitivity is adjusted, one of FRR and FAR goes down while the other goes up. The CER, also called the equal error rate, is the point where the two rates are equal, expressed as a number or a percentage. The lower the CER, the more accurate the biometric system is. For example, a CER of 2 (or 2 percent) is much better than a CER of 10 (or 10 percent).
Here's an interesting article that explains FRR, FAR, and CER. It's a CISSP study article and digs a little deeper into the topic than necessary for Security+ but may help clarify things for you.
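To make the threshold trade-off concrete, here is an added example (not from the original post) that sweeps a match threshold over a small set of similarity scores, reports FAR and FRR at each setting, and finds the crossover point. The scores for Sally's own finger and for impostors are constructed for the demo, not real sensor output.

```python
"""Added example (not from the original post): how a match threshold trades
false accepts against false rejects, and where the crossover error rate lies.
The match scores below are constructed for the demo, not real sensor data."""

# Similarity scores (0-100) a fingerprint matcher might report.
# GENUINE: Sally's own finger against her enrolled template.
# IMPOSTOR: other people's fingers (e.g., Attacker Al) against Sally's template.
GENUINE = [88, 91, 76, 95, 83, 69, 90, 87, 79, 93]
IMPOSTOR = [42, 55, 61, 38, 70, 47, 58, 33, 66, 51]


def decide(score: int, threshold: int) -> bool:
    """The sensor accepts when the score reaches the configured threshold."""
    return score >= threshold


def outcome(is_enrolled_user: bool, accepted: bool) -> str:
    """Names the result the way the Security+ terminology does."""
    if accepted and not is_enrolled_user:
        return "false accept (false positive, Type II)"
    if not accepted and is_enrolled_user:
        return "false reject (false negative, Type I)"
    return "correct decision"


def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR):
    """Returns (FAR, FRR) for one threshold setting."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweeps every threshold and returns (threshold, CER) at the point where
    FAR and FRR are closest to equal."""
    best_gap, best_threshold, best_rate = None, None, None
    for threshold in range(0, 101):
        far, frr = error_rates(threshold, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_rate = gap, threshold, (far + frr) / 2
    return best_threshold, best_rate


if __name__ == "__main__":
    for t in (50, 70, 90):
        far, frr = error_rates(t)
        print(f"threshold {t}: FAR={far:.0%} FRR={frr:.0%}")
    print("Attacker Al, score 70, threshold 60:", outcome(False, decide(70, 60)))
    print("Sally, score 69, threshold 80:", outcome(True, decide(69, 80)))
    print("crossover (threshold, CER):", crossover_error_rate())
```

With these scores a lenient threshold of 50 lets 60 percent of impostor attempts through and rejects nobody, a strict threshold of 90 rejects 60 percent of Sally's own attempts and lets nobody through, and the two rates meet at a threshold of 70 with a CER of 10 percent. A vendor's CER figure is exactly this number measured on their test population.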

Good luck with your studies.

Darril Gibson

Thursday, April 22, 2010

YouTube Videos

After teaching a Security+ class this week, I decided to create a few videos for the cryptography topics. I created them in Camtasia and posted them on YouTube. You can view them here:

Security+ Encryption and the Rayburn box


Digital Signatures

SSL Asymmetric and symmetric encryption

Hashing and integrity


Darril Gibson

Monday, March 1, 2010

A Twist on the MP3 Study Method

Years ago, a student told me of a method he used to study for certification exams. This blog entry talks about it. In short, you can read study material into an MP3 recorder. Whenever you have the chance, you listen to the recordings. Since MP3s are so portable, you can listen to the recording just about anywhere.

As a twist, someone recently told me they had their girlfriend record the material. He liked hearing her voice more than his own. Think about your girlfriend or boyfriend saying in their most sultry voice "Integrity is used to verify that data has not been modified." It sounds like a great idea. 

I guess the only danger is that when someone starts talking to you about security issues you may remember the voice and get a little excited.  But is that such a bad thing?

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Friday, February 26, 2010

Practice Question Virus Infection

A computer is infected with a virus.  The installed antivirus software didn't detect the problem.  What would be the first action to take?


  A. Notify an administrator
  B. Install new antivirus software
  C. Update the antivirus signature files
  D. Contain the problem


Answer below.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

List of Security+ Blogs
List of Security+ Questions


Answer: D. The first step in response to an incident is to contain or isolate the problem. This can often be done by simply pulling the network cable from the NIC (or otherwise cutting the host off from the network). Notification should be done after containment, though policy would often dictate notifying someone on an incident response team. Ensuring that a system has antivirus software and updated signature files are good steps to take, but not as a first step after an infection. You'd still want to contain the problem to a single system before installing the software and updating definitions. One caveat: disconnecting a host also ends its active network connections and can lose volatile evidence, so if the incident may be investigated forensically, follow your incident response policy on capturing volatile data before or while you isolate the system.

This question is related to objective:
6.3 Differentiate between and execute appropriate incident response procedures.
  • Damage and loss control

Wednesday, February 24, 2010

Incident Response Practice Question

What documentation is needed to verify that the evidence collected is the same evidence that is presented in court?

  A. Affidavit of evidence
  B. Chain of custody
  C. Chain of forensics
  D. Access authorization

Answer below.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide


Answer: B. A chain of custody verifies that evidence presented in court is the same evidence that was collected; a chain of custody should be established when seizing any evidence. The other documents listed won’t take the place of chain of custody documentation.

This question is related to objective:
6.3 Differentiate between and execute appropriate incident response procedures.
  • Chain of custody
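Chain of custody is paperwork, but the paperwork only proves anything if each entry ties back to the bytes that were seized. The following is an added example (not from the original post) of a custody log that records a hash of the evidence at collection and at every hand-off, chains each entry to the previous one, and can be checked against the copy presented later. The case number, names, timestamps and the "disk image" are all constructed for the demo.

```python
"""Added example (not from the original post): a custody log that records a
hash of the evidence at seizure and at every hand-off, so the copy presented
later can be shown to be the same bytes that were collected.  Names, times and
the evidence image are constructed for the demo."""
import hashlib
import json

# Constructed stand-in for a forensic disk image.
DISK_IMAGE = b"constructed disk image bytes: MBR, partition table, user files ..."


def fingerprint(evidence: bytes) -> str:
    return hashlib.sha256(evidence).hexdigest()


class CustodyLog:
    """Append-only log.  Each entry also hashes the previous entry, so a removed
    or rewritten entry breaks the chain as surely as altered evidence does."""

    def __init__(self, case_id: str, evidence: bytes, collected_by: str, when: str):
        self.case_id = case_id
        self.evidence_hash = fingerprint(evidence)        # hash taken at seizure
        self.entries = []
        self._append({"action": "collected", "by": collected_by, "when": when}, evidence)

    def _append(self, record: dict, evidence: bytes):
        record = dict(record, evidence_hash=fingerprint(evidence),
                      prev=self.entries[-1]["entry_hash"] if self.entries else None)
        serialized = json.dumps(record, sort_keys=True).encode()
        record["entry_hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(record)

    def transfer(self, evidence: bytes, frm: str, to: str, when: str):
        """Every hand-off re-hashes the evidence the receiver actually got."""
        self._append({"action": "transfer", "from": frm, "to": to, "when": when}, evidence)

    def verify(self, evidence_in_court: bytes) -> list:
        """Returns a list of problems; an empty list means the chain holds."""
        problems = []
        prev = None
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["entry_hash"] != expected or e["prev"] != prev:
                problems.append(f"entry {i} was altered or the chain was broken")
            if e["evidence_hash"] != self.evidence_hash:
                holder = e.get("to", e.get("by"))
                problems.append(f"entry {i}: evidence changed while held by {holder}")
            prev = e["entry_hash"]
        if fingerprint(evidence_in_court) != self.evidence_hash:
            problems.append("evidence presented does not match the evidence collected")
        return problems


def demo() -> CustodyLog:
    """Constructed custody history: seizure, locker, analyst."""
    log = CustodyLog("CASE-0001", DISK_IMAGE, "Officer Smith", "2010-02-24T09:00")
    log.transfer(DISK_IMAGE, "Officer Smith", "Evidence locker", "2010-02-24T10:30")
    log.transfer(DISK_IMAGE, "Evidence locker", "Forensic analyst", "2010-02-25T08:00")
    return log


if __name__ == "__main__":
    print("intact chain problems:", demo().verify(DISK_IMAGE))
    print("altered evidence problems:", demo().verify(DISK_IMAGE + b"x"))
```

The hash alone answers the exam question ("is this the same evidence?"); the chained entries answer the follow-up a defense attorney will ask ("who had it, when, and was the record itself ever changed?"). In a real case the log is signed or stored write-once as well, since anyone who can rewrite every entry can recompute every hash.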

Thursday, February 18, 2010

Least Privilege

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.

3.1 Identify and apply industry best practices for access control methods.

One of the practices you should understand is: Least Privilege.

The principle of least privilege specifies that individuals or processes should be granted only the rights needed to perform assigned tasks or functions, but no more. For example, if Sally needs to print to a printer, you should grant her print permission for that printer but nothing else.
There's a subtle difference between Least Privilege and Need to Know.  Least Privilege focuses on rights or actions.  Need to Know focuses on permissions or access to data.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Thursday, February 11, 2010

Mandatory Vacations

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.

  • 6.4 Identify and explain applicable legislation and organizational policies.
One of the policies you should understand is: Mandatory Vacations.
In my years in the Navy, we often had events that were referred to as mandatory fun. This was often accompanied by the phrase "all leave and liberty will be cancelled until morale improves." This isn't quite the same thing.

Instead, mandatory vacations are designed to ensure that someone gets out of the office for a period of time, requiring someone else to perform their job. The goal is to reduce the incidence of fraud or embezzlement. If an employee knows that someone else will be covering their work for a period, they also know the risk of being discovered is much higher.

Mandatory vacations are frequently required in different banking institutions. Employees are often required to take a vacation of at least five consecutive workdays. 

Good luck in your studies.

Darril Gibson

Wednesday, February 10, 2010

Separation of Duties

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.
  • 3.1 Identify and apply industry best practices for access control methods.
One of the practices you should understand is: Separation of Duties.

The Separation of Duties principle ensures that no single person or entity controls all of the functions for a critical process. Instead of a single person or entity having all of the responsibility, the responsibilities are divided between two or more people or entities.

Consider an accounting department. It is responsible for receiving invoices, deciding which invoices will be paid, and then paying them. Separation of Duties is commonly used to split these functions between two separate groups.

  • Approval. One group (for example, purchasing) receives the invoices and approves them for payment.
  • Accounts payable. A separate group pays only the invoices that the first group has approved.
If a single person did both functions, the potential for fraud is increased. This person may decide to submit a bogus invoice, approve it, and pay it. The books look valid since an approved invoice is paid, but it is still fraud.

The principle of separation of duties is designed to prevent fraud, theft, and errors.

Good luck in your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Saturday, February 6, 2010

VOIP Risks

Voice Over IP (VOIP) is becoming more and more popular. Clients with broadband connections can use VOIP as a phone. You want to talk to your sister but you live in Virginia Beach and she lives in San Francisco. If you both have VOIP, you can do so without any long distance charges.

VOIP can also be used for video teleconferencing. You can lead a presentation to multiple users located in several cities around the world. Again, without the cost of long distance.


All of this sounds good, but VOIP does have some risks. The primary risks related to VOIP are:

  • Eavesdropping. When a VOIP connection is created, attackers can listen in on the phone calls. It's relatively easy for an attacker on the source network, the destination network, or any connection point in between to capture the packets and replay the conversation. VOIP can be encrypted (SRTP for the voice stream and TLS for the SIP signaling), but that isn't done very often.

  • Vishing. Vishing is similar in concept to phishing but VOIP connections are often used. The victim is tricked into calling a phone number attached to a VOIP account, or a robo-caller dials VOIP numbers until it receives an answer. The victim is informed of fraudulent activity on a credit card, PayPal account or some other banking institution and encouraged to call another phone number to resolve the problem. The other number is an automated system that requests the user’s credentials.
Good luck with your Security+ studies.
Darril Gibson

-- Edited February 11 2010

While working on another project I came across NIST's SP 800-58 which is titled: Security Considerations for Voice Over IP Systems

It lists two specific disadvantages of VOIP:
  • Security. There are many more ways for intruders to attack a VOIP system than a conventional voice telephone system or PBX. VOIP is flexible. However, it is much more complex to secure the voice and data sent over VOIP.
  • Startup cost. The initial installation can be complex and expensive for a business.
The SP 800 series of publications from the National Institute of Standards and Technology (NIST) is widely respected and considered authoritative. In other words, this is an excellent source to identify disadvantages of VOIP in addition to the specific security risks mentioned earlier.

- Darril

Thursday, February 4, 2010

Vulnerability Assessments

When studying for the SY0-201 Security+ exam, you may come across the following objective:
4.2 Carry out vulnerability assessments using common tools.

• Vulnerability scanners

Vulnerability scanners are used to perform vulnerability assessments. Vulnerabilities are weaknesses.

Vulnerability assessments are performed to determine if systems or networks are vulnerable to any known issues. The goal is to identify weaknesses so that they can be resolved before they are detected and exploited by attackers.

Most vulnerability scanners include the following features.
  • Can check for weak passwords with a password-cracking tool
  • Can check for open ports with a port scanner
  • Can check for sensitive data (such as Social Security numbers or any desired matching pattern) being released on the network, or sent through the firewall
  • Can check for security policy settings
  • Can check for the deployment of updates
Nessus is one of the popular vulnerability assessment tools in use today but many more exist.
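The second feature in the list, the open-port check, is simple enough to show end to end. The following is an added example (not from the original post, and not Nessus or any other product's code): a TCP connect scan that reports which ports answer, compared against an approved baseline. So that it runs offline and deterministically, it starts its own throwaway listener on the loopback interface as the "target" and also reserves a port it knows is closed; both are constructed for the demo.

```python
"""Added example (not from the original post, not Nessus): the open-port check
a vulnerability scanner performs, as a plain TCP connect scan run against a
throwaway listener on the loopback interface so it works offline."""
import socket
import threading


def start_listener() -> socket.socket:
    """Constructed target: a TCP service on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def serve(srv: socket.socket, stop: threading.Event):
    """Accept and drop connections until told to stop."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
            conn.close()
        except socket.timeout:
            continue


def free_port() -> int:
    """A loopback port that is known to be closed right now (constructed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> set:
    """Full TCP handshake per port: 0 from connect_ex means something is listening.
    A refused connection returns immediately; a silently dropped SYN waits out the timeout."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def assess(open_ports: set, baseline: set) -> list:
    """Flag anything listening that the approved baseline does not allow."""
    return sorted(open_ports - baseline)


def demo() -> dict:
    srv = start_listener()
    target = srv.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(srv, stop), daemon=True)
    worker.start()
    closed = free_port()
    try:
        found = connect_scan("127.0.0.1", [target, closed])
    finally:
        stop.set()
        worker.join()
        srv.close()
    # An empty baseline means nothing is approved, so the listener is a finding.
    return {"target": target, "closed": closed, "open": found, "findings": assess(found, set())}


if __name__ == "__main__":
    print(demo())
```

A real scanner does the same thing across thousands of ports and hosts, usually with many connections in flight at once, and then fingerprints what answers. The assess step is the part people forget: a port being open is only a finding relative to what the system is supposed to expose.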

After a vulnerability assessment identifies weaknesses, it's important to plug the holes. If the deficiencies are not corrected, the vulnerabilities remain. Two other points to keep in mind: a scanner can only report weaknesses it has signatures for, so keep it updated, and rescan after fixing a finding to confirm the fix actually worked.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Sunday, January 31, 2010

CompTIA Makes it Official - No Recertification until 2011

CompTIA updated their renewal policy reversing their earlier statements.  You can read about it here.
http://www.comptia.org/certifications/listed/renewal.aspx

If you're certified now or certify sometime in 2010, your certification will be good for life just as it's been in the past.  However, if you get certified in A+, Network+, or Security+ on January 1, 2011 or later the certification will be good for three years from the date you get certified. 

Certifications that expire can be updated by earning continuing education credits.  Expect CompTIA to announce details of the continuing education program sometime before January 1, 2011.

Darril

Friday, January 29, 2010

CompTIA Backs Down

Ars Technica posted a good article titled CompTIA Backs Down.

Even though CompTIA hasn't officially posted a change to the new recertification policy apparently they are changing it.
  • If you certify in A+, Network+, or Security+ in 2010 (or previously), your certification is good for life.
  • If you certify in 2011, you'll need to recertify every three years.
If you want to get certified and keep it for life without requiring renewals, now's the time.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Sunday, January 24, 2010

Hashing

When preparing for the CompTIA Security+ SY0-201 exam, you'll come across the following objective related to hashing:
5.2 Explain basic hashing concepts and map various algorithms to appropriate applications.
  • SHA
  • MD5
In short, a hash is a number created by applying an algorithm to a file or a message. The same hashing algorithm will always return the same hash (the same number) when applied to an unchanged file or message.  Hashing is used to verify integrity which is an important element of the security triad.

As an example, imagine that a message of "Hello" needs to be sent. Assume that the hashing algorithm calculates the hash as 1234. Both the message and the hash are sent.

When the message is received, the hash is calculated on the received message.  This results in a hash of 1234 which is then compared to the original hash of 1234.  Since both hashes are the same, the message has not lost data integrity.

What if the message is changed?

Imagine that the message of "Hello" is sent with the hash of 1234.  However, the message is modified in transit and the received message is "Goodbye". 

The hash of "Goodbye" is 5678.  The hash of the received message (5678) is compared to the original hash (1234) and it's apparent the hashes are not the same.  The message has lost data integrity.

Applications can be used to calculate hashes and perform the comparisons automatically.  When the hashes don't match a message appears informing the user of loss of data integrity.

MD5 is a hashing algorithm that produces a 128-bit hash. SHA-1 is a hashing algorithm that produces a 160-bit hash. Both are now considered weak against collision attacks (two different inputs that produce the same hash), so new designs should use the SHA-2 family, such as SHA-256. Also note that a hash by itself only detects accidental corruption or a clumsy attacker: someone who can modify the message in transit can recompute the hash and send that too. Detecting deliberate tampering requires a keyed hash (HMAC) or a digital signature.
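The Hello/Goodbye exchange above, carried out with real digests, as an added example that is not part of the original post. It hashes the message with MD5, SHA-1 and SHA-256 (showing the 128-, 160- and 256-bit output sizes), performs the receive-and-compare step, and then goes one step beyond the text: an attacker who rewrites the message and recomputes a plain hash passes the check, while the same attacker fails against an HMAC because the shared secret (constructed here for the demo) is not available to them.

```python
"""Added example (not from the original post): hashing the message from the
text with MD5, SHA-1 and SHA-256, checking integrity on receipt, and showing
why a bare hash does not stop an attacker who rewrites the hash too."""
import hashlib
import hmac

# Constructed for the demo.  In practice the secret is provisioned out of band
# and is never sent along with the message.
SHARED_SECRET = b"demo-shared-secret-do-not-reuse"


def digest(message: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, message).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output size in bits: MD5 = 128, SHA-1 = 160, SHA-256 = 256."""
    return hashlib.new(algorithm).digest_size * 8


def send(message: bytes, algorithm: str = "sha256") -> tuple:
    """The sender ships (message, hash), exactly as in the post."""
    return message, digest(message, algorithm)


def receive(message: bytes, received_hash: str, algorithm: str = "sha256") -> bool:
    """The receiver recomputes the hash and compares; True means integrity holds."""
    return hmac.compare_digest(digest(message, algorithm), received_hash)


def send_hmac(message: bytes) -> tuple:
    """Same idea, but the tag depends on a secret the attacker does not have."""
    return message, hmac.new(SHARED_SECRET, message, "sha256").hexdigest()


def receive_hmac(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac.new(SHARED_SECRET, message, "sha256").hexdigest(), tag)


def attacker_rewrites(message_and_hash: tuple) -> tuple:
    """A man in the middle swaps the message AND recomputes the plain hash.
    The receiver's plain-hash check cannot tell this from a legitimate message."""
    forged = b"Goodbye"
    return forged, digest(forged)


if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg}: {digest_bits(alg)} bits, Hello -> {digest(b'Hello', alg)}")
    msg, h = send(b"Hello")
    print("unchanged message verifies:", receive(msg, h))
    print("corrupted message verifies:", receive(b"Goodbye", h))
    print("attacker-rewritten message verifies:", receive(*attacker_rewrites((msg, h))))
    msg, tag = send_hmac(b"Hello")
    print("attacker-rewritten HMAC message verifies:", receive_hmac(b"Goodbye", digest(b"Goodbye")))
```

compare_digest is used instead of == so that the comparison takes the same time whether the hashes differ in the first byte or the last, which matters when the value being checked is an HMAC tag or a password hash.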

Here's a practice question on hashing.

Good luck with your studies.

Darril Gibson

Friday, January 22, 2010

The Security Triad

When studying for the CompTIA SY0-201 exam, you'll come across three core concepts that are commonly referred to as the security triad.  They are:
  • Confidentiality. The goal of confidentiality is to prevent the unauthorized disclosure of information.
    This is accomplished by controlling access to resources and using encryption to protect the data when it's stored or when it's transferred over the network.
  • Integrity. The goal of Integrity is to verify that data has not been modified. Integrity is commonly enforced by controlling data to prevent it from being modified, and by using hashes.
  • Availability. The goal of Availability is to ensure that data and services are available when needed. This includes using backups and using different types of redundancies. This blog talks about disk redundancies, but you can also have server redundancies (with failover clusters) and site redundancies (hot site, warm site, cold site).
You'll see confidentiality and integrity referenced with cryptography most often.  Confidentiality can be enforced with encryption and hashing is used to verify integrity.

Good luck with your studies.

Darril

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Monday, January 18, 2010

List of Security+ Blogs

I've posted close to 50 posts on Security+ topics so thought it'd be worthwhile to list many of them to help you in your studies.

This blog lists some of the topics.  If you want to see a few practice test questions, check out this blog

Least Privilege
Mandatory Vacations
Separation of Duties
VOIP Risks
Vulnerability Assessments
CompTIA Makes it Official - No Recertification until 2011
Hashing
The Security Triad

Promiscuous or non-promiscuous
Protocol Analyzers
Faraday cage
Symmetric vs Asymmetric
What's in a CRL
Identity proofing
RADIUS
Redundancy

Phishing
Dumpster diving
Piggybacking or tailgating
Impersonation
Social engineering
Disk redundancy using RAID
DoS and DDoS attacks
Well-known ports
Understanding ports
Biometrics used in authentication
Digital signatures
Use of virtualization in security

Encryption basics
Qualitative risk assessment
Bluetooth concerns
SSL, OCSP, vs CRL
Three factors of authentication
Quantitative risk assessments
Intrusion detection systems (HIDS and NIDS)

Good luck in your studies

Darril Gibson

List of practice questions

I've posted close to 50 posts on Security+ topics so thought it'd be worthwhile to list many of them to help you in your studies.

This blog lists the practice test questions I've written and posted.  If you want to view a list of Security+ topics I've posted, check out this blog.



Incident Response


Good luck in your studies.

Darril Gibson

Just passed 70-647

OK, I realize it's not related to Security+, but I was happy to finally complete this exam.  I took it about an hour ago and just double-checked that this was my last exam needed for the MCITP Enterprise Administrator certification on Windows Server 2008.  Wooo Hooo!

Next up... Windows 7.

Darril

Friday, January 15, 2010

Will Your Security+ Certification Expire?

I posted a blog about CompTIA's new certification renewal policy and you may be wondering how it affects your Security+ certification.

Here are the basics:

If you certified with the older exam (SY0-101) available before July 31 2009, you will need to retake an exam by December 2011 to stay certified.

  • You can take the SY0-201 exam (100 questions, passing score 750, $258 US)
  • Or you can take the BR0-001 bridge exam (50 questions, passing score 560, $190 US)
If you passed the SY0-201 exam, you can keep the certification valid by submitting continuing education credits.

  • The cost to submit the credits is $49. 
  • Details aren't finalized, but you can earn continuing education credits by attending training, blogging, teaching, writing, and more. More details here.
  • If you passed the SY0-201 exam in 2009 (say in December 2009), you have until December 2011 to submit the credits.
  • If you passed the SY0-201 exam in 2010 or later, you have three years from the date of your exam.
Darril Gibson

Thursday, January 14, 2010

CompTIA Certification Renewal Policy

Update.
CompTIA has apparently changed their mind. Read about it in this CompTIA Backs Down article. In short, if you certify in 2010 or before, it's good for life, but requires recertification if you certify in 2011 or later.

* * *

CompTIA has modified their certification renewal policy and is now setting expiration dates for some certifications. This change affects the A+, Network+, and Security+ certifications, but my focus in this blog entry is only on the Security+ certification.

In the past, CompTIA certifications have been granted for life. In other words, once you became Security+ certified, you remained Security+ certified. Under the new policy, certifications will only last for three years.

As background, the Security+ certification has had two versions:
  • SY0-101 was the original version and it could be taken up until July 2009
  • SY0-201 was released in late 2008 and is the current version.
If you earned the original Security+ certification by taking the SY0-101 exam, your certification will expire December 31, 2011.  You must take an exam to retain the Security+ certification. You can take either the SY0-201 exam, or a shorter bridge exam (BR0-001).

If you earned the updated Security+ certification by taking the SY0-201 exam in 2008 or 2009, your certification will expire December 31, 2011. You can retain the Security+ certification through enrollment and participation in a continuing education program which hasn't been defined yet.

If you earned the updated Security+ certification by taking the SY0-201 in 2010 or later, your certification will expire three years from the date it was awarded. You can retain the Security+ certification through enrollment and participation in a continuing education program which hasn't been defined yet.

You can read the details from CompTIA's site here:
http://www.comptia.org/certifications/listed/renewal.aspx

Darril Gibson

Friday, January 1, 2010

Promiscuous or non-promiscuous

A previous blog entry talked about protocol analyzers. When using protocol analyzers you should be aware of the two modes of a protocol analyzer. They are promiscuous and non-promiscuous.

  • Non-promiscuous. In non-promiscuous mode, the protocol analyzer can only capture traffic addressed to the system (including broadcasts), or coming from the system. In other words, it can't capture unicast traffic between two other hosts.
  • Promiscuous. In promiscuous mode, the protocol analyzer captures any and all traffic that reaches its NIC, whether or not it is addressed to the system. Attackers would use a protocol analyzer in promiscuous mode. On a switched network, promiscuous mode alone only sees what the switch forwards to that port; capturing other hosts' unicast traffic also requires a mirrored (SPAN) port, a network tap, or an attack such as ARP poisoning.
Wireshark is a protocol analyzer that you can download for free and will work in both promiscuous mode and non-promiscuous mode.

As a side note, you should know that a NIC operating in promiscuous mode can be detected, both from the network (for example, some detection tools send ARP requests to a bogus MAC address, and a host in promiscuous mode may answer them) and on the host itself, where the interface flags show it. Don't just start running it on a live network without permission.
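The host-side check is a few lines on Linux. The following is an added example (not from the original post) that reads the flags the kernel exposes under /sys/class/net and tests the IFF_PROMISC bit; the sample flag strings in the test are constructed, and the directory path is the standard sysfs location rather than anything specific to the post.

```python
"""Added example (not from the original post): checking from the host itself
whether a Linux network interface is in promiscuous mode, by reading the
IFF_PROMISC bit of the interface flags exposed under /sys/class/net."""
import os

IFF_PROMISC = 0x100   # bit value from <linux/if.h>


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def parse_flags(text: str) -> int:
    """/sys/class/net/<iface>/flags holds a hex string such as '0x1003'."""
    return int(text.strip(), 16)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Lists interfaces currently in promiscuous mode.  Returns an empty list
    on hosts without sysfs (non-Linux) rather than failing."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as f:
                if is_promiscuous(parse_flags(f.read())):
                    found.append(iface)
        except OSError:
            continue
    return found


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
```

Interfaces that belong to a bridge (for example on virtualization hosts) are legitimately promiscuous, so treat a hit as something to explain rather than as proof of a sniffer.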

I remember teaching a Security+ class at a college once. One of the students was in the Army and had administrative privileges on his system. The next day he downloaded Wireshark, installed it, and began sniffing the network. Within about 15 minutes security administrators were at his desk looking over his shoulder asking what he was doing. Thankfully, you can't get fired from the Army very easily, but the same may not be true at your job.

Good luck in your studies.

Darril Gibson