Monday, February 18, 2013

Risk Management


If you're planning on taking the Security+, SSCP, or CISSP exam, you should understand the common risk management methods used by security professionals. As an example, Objective 2.1 "Explain risk related concepts" for the CompTIA Security+ exam lists risk avoidance, transference, acceptance, mitigation, and deterrence.

Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level. It doesn’t eliminate risks, but instead identifies methods to limit or mitigate them. The amount of risk that remains after managing risk is residual risk.

The primary goal of risk management is to reduce risk to a level that the organization will accept. Senior management is ultimately responsible for residual risk—the amount of risk that remains after mitigating risk. Management must choose a level of acceptable risk based on their organizational goals. They decide what resources (such as money, hardware, and time) to dedicate to mitigate the risk.

Practice Question

Consider this question:

Q. Joe is evaluating security controls related to a known vulnerability. This vulnerability has resulted in two events in the past year resulting in losses of $3,000 each. A third-party company says they can eliminate the losses at a cost of $5,000. What should you do?

A. Accept the risk and save $1,000
B. Mitigate the risk and save $2,000
C. Transfer the risk and save $1,000
D. Transfer the risk and save $2,000

The answer is below, but if you understand some common terms related to risk management, you can answer the question correctly.
Pass the Security+ exam the first time you take it:
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Risk Avoidance

An organization can avoid a risk by not providing a service or not participating in a risky activity.

For example, an organization may evaluate an application that requires multiple open ports on the firewall that it considers too risky. It can avoid the risk by not using the application. 

Risk Transference

An organization can transfer the risk to another entity. The most common method of risk transference is by purchasing insurance. Another method is by outsourcing the risk, or contracting a third party to manage the risk. 

Risk Acceptance

When the cost of a control outweighs the potential losses of a risk, an organization will often accept the risk. For example, spending $100 in hardware locks to secure a $15 mouse doesn’t make sense. Instead, the organization accepts the risk of someone stealing the mouse.

Similarly, even after implementing controls, some risk remains and the organization accepts this residual risk.

Risk Mitigation

When an organization implements controls to reduce the risk, it is referred to as risk mitigation. These controls may reduce the vulnerabilities or weaknesses in a system, or they may reduce the impact of the threat. For example, up-to-date antivirus software mitigates the risks of malware by reducing a system's vulnerability to malware. 

Risk Deterrence

An organization can deter a risk by implementing some security controls. For example, security guards and monitoring cameras can deter losses from different types of risks. A security guard mitigates the risk of tailgating and cameras can mitigate risks associated with theft.

Some security professionals identify the first four methods of risk management but don’t include risk deterrence. Instead, they include deterrence methods within the risk mitigation category. However, the Security+ objectives list these five.

Quantitative Risk Management

There are times when you need to calculate costs related to risks using a quantitative risk management method. When using a quantitative method, you should understand the following terms:
  • Single loss expectancy (SLE). The SLE is the cost of any single loss.
  • Annualized rate of occurrence (ARO). The ARO indicates how many times the loss is expected to occur annually.
  • Annualized loss expectancy (ALE). The ALE is the SLE × ARO.

Practice Question Answer

Q. Joe is evaluating security controls related to a known vulnerability. This vulnerability has resulted in two events in the past year resulting in losses of $3,000 each. A third-party company says they can eliminate the losses at a cost of $5,000. What should you do?

A. Accept the risk and save $1,000
B. Mitigate the risk and save $2,000
C. Transfer the risk and save $1,000
D. Transfer the risk and save $2,000

Answer

C is the correct answer. Outsourcing the risk by contracting a third party is risk transference, and if you transfer the risk to a third party, you save $1,000.

The ARO is 2.

The SLE is $3,000.

The ALE is $6,000 ($3,000 × 2).

The cost of the control is $5,000.

In this case, you can spend $5,000 to prevent the losses of $6,000 effectively saving $1,000.

Because the cost of the control ($5,000) is less than the expected losses ($6,000), it makes fiscal sense to purchase the control. (An organization will likely evaluate other factors but in general when the cost of the control is less than the losses it's expected to remove, the control is worth the cost. If the control costs more than the losses it can prevent, it is not worth the cost.)

A is not correct. If you accept the risk, you will still be losing $6,000 annually. Based on the scenario, accepting the risk cannot result in a savings of $1,000. However, if the cost of the control were $7,000 (instead of $5,000), accepting the risk could be interpreted as a savings of $1,000. You could spend $7,000 or do nothing and lose $6,000. Doing nothing (accepting the risk) is $1,000 cheaper.

B is not correct. Mitigating the risk means that you are doing something to reduce it. Outsourcing the risk to a third party is rarely referred to as mitigating the risk. Also, there isn't any math that results in a savings of $2,000 within this scenario.

D is not correct. Outsourcing to a third party is risk transference. However, this results in a savings of $1,000 rather than $2,000.
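To tie the quantitative terms (SLE, ARO, ALE) to the cost/benefit reasoning in this answer, here is an added Python example that is not part of the original post. It reproduces the $3,000 × 2 versus $5,000 scenario and the $7,000 variant, and generalizes to controls that only reduce the ARO rather than eliminating the loss; the function and parameter names are my own.

```python
"""Quantitative risk calculations: SLE, ARO, ALE and a cost/benefit check.

Added example, not from the original post. It reuses the post's scenario
(two $3,000 losses per year, $5,000 control) and generalizes to controls
that only reduce the ARO (aro_after > 0) instead of eliminating the loss.
"""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annual rate."""
    return sle * aro


@dataclass
class ControlDecision:
    ale_before: float      # expected annual loss with no control
    ale_after: float       # residual expected annual loss with the control
    control_cost: float    # annual cost of the control
    net_savings: float     # (ale_before - ale_after) - control_cost
    recommendation: str    # "implement control" or "accept risk"


def evaluate_control(sle: float, aro: float, control_cost: float,
                     aro_after: float = 0.0) -> ControlDecision:
    """Compare the annual cost of a control against the losses it removes.

    aro_after is the occurrence rate that remains after the control; the
    default 0.0 models a control (such as the third-party contract in the
    post) that eliminates the losses entirely.
    """
    if sle < 0 or aro < 0 or control_cost < 0 or not 0 <= aro_after <= aro:
        raise ValueError("inputs must be non-negative and aro_after <= aro")
    before = ale(sle, aro)
    after = ale(sle, aro_after)
    net = (before - after) - control_cost
    # A control is worth buying only when it removes more loss than it costs;
    # otherwise the cheaper choice is to accept (keep living with) the risk.
    rec = "implement control" if net > 0 else "accept risk"
    return ControlDecision(before, after, control_cost, net, rec)


if __name__ == "__main__":
    # Scenario from the post: SLE $3,000, ARO 2, control $5,000 -> save $1,000.
    d = evaluate_control(sle=3_000, aro=2, control_cost=5_000)
    print(f"ALE ${d.ale_before:,.0f}, net ${d.net_savings:,.0f}: {d.recommendation}")
    # Variant from the answer discussion: a $7,000 control costs $1,000 more
    # than the losses it prevents, so accepting the risk is the cheaper option.
    d = evaluate_control(sle=3_000, aro=2, control_cost=7_000)
    print(f"ALE ${d.ale_before:,.0f}, net ${d.net_savings:,.0f}: {d.recommendation}")
    # Partial mitigation: a control that halves the ARO for $2,000 a year.
    d = evaluate_control(sle=3_000, aro=2, control_cost=2_000, aro_after=1)
    print(f"residual ALE ${d.ale_after:,.0f}, net ${d.net_savings:,.0f}: {d.recommendation}")
```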

Summary

Ensure you understand the basics of risk management methods when taking any security-based exam such as the Security+, SSCP, or CISSP exams. The primary methods are known as risk avoidance, risk transference, risk acceptance, risk mitigation, and risk deterrence.


Saturday, February 16, 2013

Smurf Attacks


If you're planning on taking the Security+, SSCP, or CISSP exam, you should know about many of the attack types, such as the smurf attack. As an example, Objective 3.2 "Analyze and differentiate among types of attacks" for the CompTIA Security+ exam lists several common types of attacks, including the smurf attack.

A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. That's a complex sentence, so it's worthwhile breaking this down. 

A Ping is Normally Unicast

A ping is normally a unicast message sent from one computer to one computer. It sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo responses. Figure 1 shows how this works. Computer 1 is sending out a unicast ping to computer 3, and computer 3 responds with ICMP replies.
Figure 1: Ping uses unicast
If you receive the responses you know that the other computer is operational.

Note: Because ICMP is used in many types of attacks, many firewalls block ICMP echo requests. If you don't receive ping responses back it doesn't necessarily mean the other computer is not operational. It could be because the ping is being blocked by a firewall.

On Windows systems, ping sends out four ICMP requests and gets back four replies. On some other operating systems, ping continues until stopped. You can add the -t switch to ping on Windows systems, causing ping requests to continue until stopped.

A Smurf Attack Sends the Ping Out as a Broadcast

Instead of using a unicast message, a smurf attack sends out the ping request as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet. These computers then reply to the single computer that sent the broadcast ping, as shown in Figure 2. Computer 1 is sending out a broadcast ping to all the computers on the subnet, and each of them responds, flooding computer 1 with ping replies.
Figure 2: Ping using broadcast instead of unicast
If computer 1 is the attacker, the result shown in Figure 2 isn't very useful to the attacker. Unless something is changed, the attacker gets attacked.

The Smurf Attack Spoofs the Source IP

If the source IP address isn’t changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these ICMP replies. Figure 3 shows how computer 1 can send out the smurf attack using computer 2's IP address as the source IP address. All the computers on the subnet then flood computer 2 with ICMP replies.
Figure 3: Broadcast ping spoofing the source IP address

Smurf Attacks Use Amplifying Networks

A smurf amplifier is a network that answers directed-broadcast pings and can therefore be used in a smurf attack. This is easily prevented by blocking the IP directed broadcasts that smurf attacks depend on. However, if a router or firewall isn't configured to drop them, the network it protects can become part of the attack.

Figure 4 shows how this works. The attacker (computer 1) sends a broadcast ping into the amplifying network with a spoofed source IP address of computer 6. Each computer in the amplifying network receives the broadcast and then responds by flooding the victim (computer 6) with ping replies.
Figure 4: Smurf attack using amplifying network
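From the defender's side, the amplifier and spoofed-source behaviour described above leave two signatures in ICMP traffic: echo requests addressed to the subnet broadcast address (which a directed-broadcast filter should already be dropping) and many hosts replying to one address at once. The following Python example, added here and not part of the original post, checks constructed flow records for both; the subnet, the reply threshold and the record format are assumptions.

```python
"""Spotting smurf traffic in ICMP flow records.

Added example, not part of the original post. The records are constructed,
not captured: (seconds, src, dst, icmp_type), type 8 = echo request, 0 = reply.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")  # protected subnet (assumed)
REPLY_THRESHOLD = 5  # distinct repliers to one host before calling it a flood

# Constructed sample: a normal unicast ping, then an echo request to the subnet
# broadcast address whose source lies outside the subnet (the spoofed victim),
# followed by the burst of echo replies from the amplifying hosts to that victim.
RECORDS = [
    (0.0, "192.168.1.10", "192.168.1.30", 8),
    (0.1, "192.168.1.30", "192.168.1.10", 0),
    (1.0, "203.0.113.6", "192.168.1.255", 8),
] + [(1.0 + i * 0.01, f"192.168.1.{i}", "203.0.113.6", 0) for i in range(2, 42)]


def directed_broadcast_pings(records, net=LOCAL_NET):
    """Echo requests addressed to the subnet broadcast address.

    A router configured to block IP directed broadcasts drops these, so any
    seen inside the network point at a missing filter. Each hit also notes
    whether the claimed source is outside the subnet (a spoofed victim).
    """
    hits = []
    for ts, src, dst, icmp_type in records:
        if icmp_type == 8 and ip_address(dst) == net.broadcast_address:
            hits.append({"time": ts, "src": src,
                         "spoofed_external_src": ip_address(src) not in net})
    return hits


def reply_floods(records, threshold=REPLY_THRESHOLD):
    """Destinations receiving echo replies from at least `threshold` hosts.

    A unicast ping draws replies from one host; many hosts answering one
    address at once is the amplifier side of a smurf attack.
    """
    repliers = defaultdict(set)
    for _ts, src, dst, icmp_type in records:
        if icmp_type == 0:
            repliers[dst].add(src)
    return {dst: len(s) for dst, s in repliers.items() if len(s) >= threshold}


if __name__ == "__main__":
    for hit in directed_broadcast_pings(RECORDS):
        print("directed-broadcast echo request:", hit)
    for victim, count in reply_floods(RECORDS).items():
        print(f"{count} hosts replying to {victim}: likely smurf victim")
```

Seeing either signature on a network that is supposed to drop directed broadcasts means the router or firewall filter is missing or not working, which is the configuration fix the post points at.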

Not Blue Packets

The rumor that a smurf attack is one where attackers send out little blue packets that report back to Papa Smurf is simply not true.

Summary

Ensure you understand the basics of a smurf attack when taking any security-based exam such as the Security+, SSCP, or CISSP exams. A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. Smurf attacks are known to use amplifying networks, but administrators commonly block directed broadcasts on routers and firewalls to prevent this.

Tuesday, February 12, 2013

Security+ Ports


If you're planning on taking the CompTIA Security+ exam you should have many of the well-known ports memorized. Objective 1.5 "Identify commonly used default network ports" for the CompTIA Security+ exam lists several protocols and you should know the ports used for each of these.

Well Known Ports

Well-known port numbers are matched to specific protocols, and when you see the port, you should be able to identify the protocol. Sometimes you may be given the protocol and be required to identify the port. There are 1024 well-known TCP and UDP ports (numbered 0 through 1023), but you don't need to memorize them all. You should know the ports in the tables on this page.

Logical Ports

The well-known ports are logical ports and have nothing to do with physical ports. For example, TCP port 80 is the port used for Hypertext Transfer Protocol (HTTP) and TCP port 443 is the port used for Hypertext Transfer Protocol Secure (HTTPS).

In contrast, a physical port on a switch or router is used to make a physical connection between devices. You can touch the physical port while the logical port is simply a number embedded in the packet.

Every packet has both a source port and a destination port along with a source IP address and a destination IP address. The IP address is used to get the packet to the destination system and when the packet is received, TCP/IP uses the port information to determine how to handle the packet. This blog on Understanding Ports for Security+ describes the process of how logical ports are used in more detail.

TCP and UDP

Each of these logical ports is technically identified as either a Transmission Control Protocol (TCP) port or a User Datagram Protocol (UDP) port, depending on which transport protocol it uses. When preparing for the Security+ exam, you should be aware of some of the protocols that use UDP instead of TCP.

If the protocol requires the benefits of TCP, such as guaranteed delivery, it will use the TCP port. For example, web traffic using Hypertext Transfer Protocol (HTTP) uses TCP because web pages will not display properly if some of the packets aren't received. TCP tracks all the packets, and if one is lost, it sends a request to have it resent. This takes a little longer, but it provides the assurance that all packets are received.

Some protocols use only the UDP port. For example, Trivial File Transfer Protocol (TFTP) uses UDP port 69 but not TCP port 69.

Other protocols will use both TCP and UDP, depending on the purpose. For example, Domain Name System (DNS) will normally use UDP port 53 when responding to typical name resolution requests from clients. However, when one DNS server is transferring data to another DNS server, it will typically use TCP port 53.

The tables on this page specify whether a protocol uses TCP, UDP, or both. If you want to know specifically which transport protocol is used for other protocols, check out Wikipedia's list of TCP and UDP port numbers.

Interestingly, the Internet Assigned Numbers Authority (IANA) previously identified which transport protocol was used for each port in its Service Name and Transport Protocol Port Number Registry. However, it seems to have defaulted to simply listing both TCP and UDP for each port. For example, Telnet (defined in RFC 854) only uses TCP port 23, not UDP. However, IANA's port number registry lists both TCP and UDP for Telnet.

Practice Test Question

When you know the ports and understand the protocols, questions are much easier to answer. For example, consider this practice test question:

Q. What port do you need to close to block outgoing email?

A. TCP port 22
B. TCP port 25
C. TCP port 110
D. TCP port 443

Answer at the end of the blog.

Will You Be Tested on Ports?

It's entirely possible that if you take the time to memorize these ports, you might not get any questions on them. It's rare, but some test takers report not seeing a single question on ports. However, this knowledge is still valuable to you in the field.

It's also entirely possible that if you don't memorize them, you'll get ten questions on ports and fail the exam because of this gap in your knowledge. With this in mind, it's worth your time to memorize these ports. If you're tested on them, the questions will be "gimme" questions that you'll breeze through easily.

Security+ Ports

When preparing for the Security+ exam, you should know the ports in the following tables. They are organized based on usage.

File Transfer Ports

The ports in this table are used with protocols that transfer files.

Protocol                                            Transport   Port
FTP - File Transfer Protocol                        TCP         20, 21
SSH - Secure Shell                                  TCP         22
SFTP - Secure File Transfer Protocol (uses SSH)     TCP         22
SCP - Secure Copy (uses SSH)                        TCP         22
TFTP - Trivial File Transfer Protocol               UDP         69
FTPS - File Transfer Protocol Secure (uses SSL)     TCP         443

Email Ports

The ports in this table are used with email related protocols.

Protocol                                            Transport   Port
SMTP - Simple Mail Transfer Protocol                TCP         25
POP3 - Post Office Protocol version 3               TCP         110
IMAP4 - Internet Message Access Protocol version 4  TCP         143

Remote Access Ports

The ports in this table are associated with protocols used to connect to remote computers for various purposes.

Protocol                                                                   Transport   Port
Telnet                                                                     TCP         23
TACACS - Terminal Access Controller Access-Control System                  UDP         49
TACACS+                                                                    TCP         49
SSL VPN - Secure Sockets Layer virtual private network                     TCP         443
ISAKMP (VPN) - Internet Security Association and Key Management Protocol   UDP         500
L2TP - Layer 2 Tunneling Protocol                                          UDP         1701
PPTP - Point-to-Point Tunneling Protocol                                   TCP/UDP     1723
RDP - Remote Desktop Protocol                                              TCP/UDP     3389

Miscellaneous Ports

The ports in this table don't fit neatly in any of the other categories but are still relevant.

Protocol                                              Transport   Port
DNS - Domain Name System                              TCP/UDP     53
DHCP - Dynamic Host Configuration Protocol            UDP         67, 68
HTTP - Hypertext Transfer Protocol                    TCP         80
HTTPS - Hypertext Transfer Protocol Secure            TCP         443
Kerberos                                              TCP/UDP     88
NNTP - Network News Transfer Protocol                 TCP         119
SNMP - Simple Network Management Protocol             UDP         161
SNMP Trap - Simple Network Management Protocol Trap   TCP/UDP     162
LDAP - Lightweight Directory Access Protocol          TCP/UDP     389
Syslog                                                UDP         514

Practice Test Question Answer

Q. What port do you need to close to block outgoing email?

A. TCP port 22
B. TCP port 25
C. TCP port 110
D. TCP port 443

Answer: B

TCP port 25 is used for SMTP and SMTP is used for outgoing email.
TCP port 22 is used for SSH, SFTP, and SCP but not for email.
TCP port 110 is used for POP3 but POP3 is only used for incoming email, not outgoing email.
TCP port 443 is used for HTTPS, not email.

Summary

There are 1024 well-known TCP and UDP ports, numbered 0 through 1023. You don't need to memorize them all, but you should know some of the common port numbers when preparing for the Security+ exam. You should also know which protocols use TCP rather than UDP. These concepts are covered in more depth in the CompTIA Security+: Get Certified Get Ahead: SY0-301 Practice Test Questions.
Good luck.