Security Plus: Get Certified Get Ahead

DoS, Smurf, and Fraggle Attacks

2012-02-01T06:45:00.000-08:00

Denial of service (DoS) attacks such as smurf and fraggle attacks are important to understand when studying for any security certification including Security+, SSCP, or CISSP. Smurf and fraggle attacks are similar but they have subtle differences.

DoS Attack

A DoS attack comes from a single entity and is intended to make a computer’s resources or services unavailable to users. DoS attacks against a server prevent the server from responding to legitimate requests from users. A distributed DoS (DDoS) attack comes from multiple attackers at the same time.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Smurf Attack

A smurf attack uses Internet Control Management Protocol (ICMP) to send a broadcast ping with a spoofed source address. It's easier to understand this by looking at one step at a time.

Normal ping. A regular ping sends one or more ICMP echo requests to a system and the system responds with one or more ICMP echo replies. This provides verification the remote system is operational. A regular ping uses unicast. In other words, the ICMP packet is addressed to one system from one system.
Broadcast ping. A broadcast ping is not normal. It sends the ICMP echo request to a broadcast address sending it to virtually all systems on the network. Each system will then respond to the system that sent it flooding this system with ICMP echo replies.
Spoofed source broadcast ping. The smurf attack spoofs the source address with the address of the victim, and then sends it out as a broadcast ping. Each system on the network will then respond, and flood the victim with echo replies.

There's an important point to remember though. Routers do not pass broadcast packets. This was actually a change in RFC 2644 released in 1999 in direct response to smrf attacks and the use of networks as smurf amplifiers. RFC 2644 is an update to RFC 1812 which stated that a router must default to forwarding directed broadcasts. Routers today comply with RFC 2644 so smurf attacks are limited to a broadcast domain. They will not go beyond a router.

With this in mind, it would be rare to see a smurf attack. However, that doesn't mean it won't be tested.

Note: Many firewalls block ICMP packets to prevent any type of attack using ICMP. If a ping succeeds, it verifies that the system is operational. However, if a ping fails it doesn't prove that the system is not operational. ICMP may be blocked preventing the ping.

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide

Fraggle Attack

Fraggle attacks are similar to smurf attacks but instead of using ICMP, they use UDP ports 7 and 19.

As described earlier, the ping command uses ICMP and it is used to check if a system is operational. Tools are available that use UDP instead of ICMP and instead of checking to see if a system is operational, they check to see if the system is listening on a specific port. This is commonly done with many different types of vulnerability scanners used by both attackers and security administrators.

Chargen (character generator) is an older protocol described in RFC 864 (dated May 1983). A system listens on either TCP or UDP port 19 (known as the chargen port) for chargen requests. When a connection is established to this port, the system would respond with a constant stream of characters to the original system. Typically the original system would use TCP or UDP port 7 (known as the echo port) but this isn't required. When the original system begins receiving the characters, it knows the target system is operational, and closes the connection.

In a fraggle attack, a spoofed broadcast packet is sent to port 17. The spoofed address is the address of the victim. Since it is broadcast, it goes to every system on the network. If port 17 is open and the character generator service is running on these systems, they will send a stream of characters to the victim.

Realistically, systems today will not have port 17 open or the chargen service running. Additionally, routers do not pass broadcasts so any attacks are limited to a single network. Said another way, it is very unlikely you will ever see a fraggle attack today.

Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions

Basic Protection

In addition to ensuring that routers are configured in compliance with RFC 2644 and do not pass broadcasts, there are some other basic steps that protect you from these types of attacks:

Disable unnecessary services and protocols. If a service or protocol is not needed on a system, it should not be enabled. I cannot think of a system in use today that would need the chargen service so it should be disabled if it is even available on the system.
Close unneeded ports. If a port is not needed, it should be closed on both network-based and host-based firewalls. With the port closed, all traffic is blocked and attacks are stopped.
Use ingress filters on firewalls. Don't allow traffic into a network that shouldn't be there. A common ingress filter on a boundary firewall (between the Internet and an internal network), blocks all traffic coming from the Internet with a spoofed private IP address.

Summary

In summary, DoS attacks such as smurf and fraggle attacks attempt to prevent a system from responding to legitimate attacks. A smurf attack sends a broadcast ping with a spoofed IP address (the IP address of the victim), and ping uses ICMP. A fraggle attack uses UDP ports 7 and 19 instead of ICMP, and sends broadcast UDP traffic with a spoofed IP address (the IP address of the victim).

Kindle Version of Security+ Study Guide Now Available

2012-01-31T06:23:00.000-08:00

The Kindle version of the Security+ Study Guide is now avaialble. This is the same content as the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide with more than 450 Security+ practice test questions, but as a Kindle edition, portable enough to store with as many as 50,000 more of your favorite books. Many people that used the SY0-201 Study Guide told me that they purchased both the paperback version for times when they wanted to read it from a book, and the Kindle version to have it available on the go. With this in mind, I set the price for the Kindle version at $9.99.

Free Kindle Apps Available

One of the great things about the Kindle ebooks is that you don't need a Kindle reader to read the books. If you don't have a Kindle, you can download free applications from Amazon for must about any platform from here. The have applications for the following platforms:

iPhone
Windows PC
MAC
BlackBerry
iPad
Android
Windows Phone 7

Additionally, they recently released the Kindle Cloud Reader. The Kindle Cloud Reader lets you read ebooks from a web browser without requiring a Kindle device.

Security+ Practice Test Questions on the Kindle

If you've already been studying for the Security+ exam and don't want to get the full study guide, check out the CompTIA Security+ SY0-301 Practice Test Questions. It includes 280 realistic practice test questions and dozens of flash cards all formatted specifically for the Kindle. The goal is for this to be more like a Kindle application rather than a Kindle ebook.

The book is organized in six chapters matched to the six Security+ domains so readers can easily focus on specific domains. Each chapter includes three sections:

Practice test questions without answers. Created for readers that want to go through all the questions without seeing the correct answers or explanations.
Practice test questions including answers formatted for the Kindle. One Kindle screen shows the question. When you decide what you think is the correct answer, go to the next Kindle screen to see the correct answer. Each question includes an in-depth explanation so you'll know why the correct answers are correct, and why the incorrect answers are incorrect.
Flash cards formatted specifically for the Kindle to help reinforce important concepts. One Kindle screen shows a flash card type question and the next Kindle screen shows the answer.

These questions are a subset of the questions in the full Security+ SY0-301 Study Guide. However, readers have told me they've enjoyed these as a supplement to the study guide to focus on reinforcing the content.

Security+ Practice Test Questions on Mobile Apps

A recent blog also talked about the availability of Security+ Practice Test Questions for Your Mobile Phone. The benefit of these is that they are presented in actual test engine formats and also include flash cards. The content is a subset of the content in the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide but readers have told me they've enjoyed using them as a supplement on their mobile phones as an additional study source. These apps are currently available for:

Security+ SY0-301 Practice Test Questions

2012-01-25T17:14:00.000-08:00

If you're preparing for the Security+ SY0-301 exam, you may be looking for some practice test questions. Recent blog articles were on authentication topics and the following two questions are samples of what you may see on the exam related to these topics. The two related blog articles are: Identification, Authentication, and Authorization, and Three Factors of Authentication.

Security+ SY0-301 Practice Test Questions

Q. What is completed when a user’s password has been verified?

A. Identification

B. Authentication

C. Authorization

D. Access verification

Answer below.

Looking for a full book on Security Practice Test Questions?
Check this out.
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions

Q. Which of the following is an example of multifactor authentication?

A. Smart card and token

B. Smart card and PIN

C. Thumbprint and voice recognition

D. Password and PIN

Answer below.

Security+ SY0-301 Practice Test Questions
Formatted specifically for the Kindle

Read Kindle Books on your PC: Free Kindle Apps for any platform.

SY0-301 Answers

Q. What is completed when a user’s password has been verified?

A. Identification

B. Authentication

C. Authorization

D. Access verification

Answer: B. A user is authenticated when the password is verified. The user claims an identity with a username. After users are authenticated, they are authorized to access resources based on their proven identity, and auditing can verify what resources a user has accessed.

Pass the first time you take the exam.
Get the full Security+ SY0-301 Study Guide.

Q. Which of the following is an example of multifactor authentication?

A. Smart card and token

B. Smart card and PIN

C. Thumbprint and voice recognition

D. Password and PIN

Answer. B. A smart card and PIN is an example of multifactor authentication since it uses methods from the something you have factor and something you know factor. A smart card and token are both in the something you have factor. Thumbprint and voice recognition are both in the something you are factor. A password and PIN are both in the something you know factor.

Three Factors of Authentication and Multifactor Authentication

2012-01-22T12:29:00.000-08:00

If you're studying for one of the security certifications like CISSP, SSCP, or Security+ it's important to understand the different factors of authentication, and how they can be intertwined as multifactor authentication. These are commonly known as something you know (such as a password), something you have (such as a smart card), and something you are (using biometrics. A basic understanding of these topics can help you correctly answer many different questions on authentication on any of these certification exams.

A previous post covered identification, authentication, and authorization. As a reminder, identification occurs when a user (or any subject) claims an identity. Authentication occurs when the user provides proof of the identity, such as with a password. Authorization grants access to resources based on the user's proven identity.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Something You Know

The something you know factor includes passwords and personal identification numbers (PINs). This is considered the weakest form of authentication because users often use weak passwords, give them out, or write their passwords down.

A strong password is complex and includes at least eight characters. Complex means that the password uses a mixture of upper case, lower case, numbers, and special characters. Some documentation indicates using three of the four character types is enough, while other documentation states that a complex password has four character types. The key is that more character types results in a more complex password that is harder to crack. However, the bigger point is that many users create passwords with only a single character type.

Troy Hunt did a great analysis of passwords that were stolen from Sony's web sites and published on the Internet. He found that half used only a single character type and only 1 percent used any non-alphanumeric characters. Some of the top passwords were very simple: seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, and abc123. More than 64 percent of the passwords were found in common password-cracking dictionaries. Additionally, when users had accounts on two separate Sony sites, over 92 percent of them used the same password.

Password policies are often used to ensure that users create strong passwords and change them often. Some common password policy settings are:

Maximum password age. Requires users to change their password.
Minimum length. Ensures passwords have a minimum number of characters.
History. Remembers specific number of past passwords (such as last 5, or last 24 passwords). Prevents users from reusing the same passwords.
Minimum password page. Prevents users from changing their password right away. Used with the password history to prevent users from changing their password multiple times to circumvent the password history.

Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions

Something You Have

Smart cards and token, or fobs are common examples within the something you have factor of authentication. A smart card is a credit card sized card that holds key information about the user. Smart cards have certificates embedded in them using TLS and provide very strong authentication. This blog covers the differences between smart cards, a common access card (CAC), and a personal identity verification (PIV) card.

A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server. When users log into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide

Something You Are

The something you are factor uses biometrics to prove a user's identity. Fingerprints are very commonly used for authentication, but there are many other examples. Biometrics are often divided into two categories: physical biometrics and behavioral biometrics.

Physical biometrics are based on physical traits of an individual. It includes fingerprints, thumbprints, handprints, palms retina scanners, and iris scanners.
Behavioral biometrics is based on behavioral traits of an individual. It includes voice recognition, signature geometry, and key strokes on a keyboard.

Biometrics systems are susceptible to false readings. These are commonly known as:

Type 1 error. False Reject Rate (FRR). This occurs when a biometric system incorrectly rejects an authorized user.
Type 2 error. False Accept Rate (FAR). This occurs when a biometric system incorrectly identifies an unauthorized user as an authorized user.

Most biometric systems allow you to adjust the sensitivity of the system. For example, you can adjust it to minimize false rejections (FRR errors) but this will result in an increase in the false acceptances (FAR errors). The overall accuracy of a biometric system is identified with the crossover error rate (CER), where the FAR and FRR are equal. A biometric system with a lower CER is more accurate than one with a higher CER.

Looking for practice test questions to test your readiness for Security+?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions

Multifactor Authentication

Multifactor authentication combines two or three of the factors. Two common examples are:

A user has a smart card and also uses a personal identification number (PIN)
A user has a token and also enters a username and password

It's important to realize that multiple authentication and multifactor authentication are not the same thing. For example, if a user enters a pin (in the something you know factor), and a password (also in the something you know factor), this is not multifactor authentication.

Network+ N10-004 and N10-005 Differences

2012-01-15T05:27:00.001-08:00

If you're studying for the CompTIA Network+ exam, you probably know there are currently two versions of the exam. The N10-004 exam came out in 2009 and is available until August 31, 2012. The new version (N10-005) has been available since December 2011. A common question whenever a new exam comes out, is what are the differences so I've tried to address some of the differences here.

Networking is a challenging topic. If you're looking for a good book to introduce networking topics and lay a solid foundation, check out this book: Microsoft Windows Networking Essentials. It's a good read with plenty of full-color graphics. Many people buy it with one of Todd Lammle's Network+ books: CompTIA Network+ Study Guide: Exam N10-004 or CompTIA Network+ Study Guide: Exam N10-005.

Domain Differences

The following table shows a comparison of the domains in the two exams. The first thing that stands out is that N10-005 has one less domain. The Network Tools domain was rolled into the Network Management domain. What's not apparent from the table is that many of the objectives have been moved around. For example, the OSI model was in the Network Management domain previously, but it is in the Network Concepts domain now.

N10-004 Domain	N10-005 Domain
1.0 Network Technologies (20%)	1.0 Network Concepts (21%)
2.0 Network Media and Topologies (20%)	2.0 Network Installation and Configuration (23%)
3.0 Network Devices (17%)	3.0 Network Media and Topologies (17%)
4.0 Network Management (20%)	4.0 Network Management (20%)
5.0 Network Tools (12%)	5.0 Network Security (19%)
6.0 Network Security (11%)

Daily Network+ and Security+ Tips on Twitter.

1.0 Network Concepts

The first domain of the N10-005 exam is Network Concepts. A primary focus here is with the seven layer OSI model. While the OSI model was in the N10-004 exam, there are a couple of differences. First, it adds in the TCP/IP model. Also, it includes the following objective: Classify how applications, devices, and protocols relate to the OSI model layers. You'll need to be able to look at an application, device, or protocol and identify which layer it operates on.

Many of the protocols and ports are similar. However, the new exam digs into Domain Name System (DNS) a little more. You'll need to know the different types of records and what dynamic DNS is. Troubleshooting methodologies are added but these are largely the same as they were in Domain 4 in the previous exam.

A completely new topic 1.9 Identify virtual network components. Virtualization is widely used and important to understand. Interestingly, they indirectly added a reference to cloud computing with Network as a Service (NaaS).

2.0 Network Installation and Configuration

This topic includes many of the objectives from the Network Devices domain in the previous domain. However, it does expand on some topics such as Dynamic Host Configuration Protocol (DHCP). Many people commonly remember that DHCP provides IP addresses, but it does much more and the objectives identify topics such as reservations, scopes, leases, and options.

This topic also adds in troubleshooting topics for wireless networks and common router and switch problems. Most of these topics were in the Network Management domain previously.

3.0 Network Media and Topologies

This domain includes many of the same topics as the Network Media and Topologies domain in the previous exam. However, there is an important difference. In the previous exam, the objective often included the word identify or categorize. However, in the new exam, these words have sometimes been replaced with describe, or compare and contrast. These imply additional depth for the topics.

For example, instead of just being able to identify common physical network topologies such as Star or Ring, you're expected to be able to describe them. If you're asked to point to a square peg or a round hole, that requires one level of knowledge. However, it is a little more difficult to describe a square peg or a round hold.

4.0 Network Management

While the previous exam had a domain labeled as Network Management, many of the objectives are not the same. That's not to say that all of the objectives in the N10-005 Network Management domain are new. They aren't. Instead, objectives have just been moved around. As mentioned earlier, the Network Tools domain was rolled into this domain. Additionally, some of the specialized network devices topics from the Network Devices domain were put into here. Some of the other objectives have been reworded with a different emphasis, but the core objectives are the same.

Pass the Security+ exam the first time you take it

CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

5.0 Network Security

The first thing to notice here is that security has become much more important. It was only 11 percent of the previous exam, but is 19 percent in current exam. Security is an important part of any network administrator's job and this reflects the growing importance of security.

Wireless security topics have been added and placed right at the beginning, and again in objective 5.4. This makes a lot of sense since wireless networks are so common and people often implement them with weak security.

The objective related to firewalls has different wording. Instead of just expecting you to explain common features of a firewall, the new objectives expect you to be able to install and configure a basic firewall. You'll still be expected to explain the common features, but you should have deeper knowledge of firewalls.

Summary

In summary, there are quite a few differences between the N10-004 and N10-005 exams. If you're studying for Network+, ensure you are studying the relevant materials for the exam you plan on taking. Also, if you're studying for the N10-004 exam, ensure you take it before the exam retires on August 31, 2012.

Good luck.

Best of luck in your studies,

Darril

Get a solid foundation in networking.

Microsoft Windows Networking Essentials

Security+ Study Guide Sale

2012-01-02T16:31:00.001-08:00

The CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide is now available for a limited time for only $19.99 (plus $4.99 shipping and handling to addresses within the United States). Book includes over 450 practice test questions. The retail price of this book is $36.99!

Buy your copy from the author today. If you want a signed copy, just ask. I'll be happy to sign your copy before sending it out.

SY0-301 Study Guide

The CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide is an update to the top-selling SY0-201 Security+ study guide, which helped thousands of readers pass the Security+ exam the first time they took it. Here are a few highlights about the book:

100 percent coverage of SY0-301 objectives
Over 450 realistic practice test questions
100 question pre-test
100 question post-test
Practice questions in each of the eleven chapters
Comprehensive acronym list

All practice test questions have in-depth explanations. You’ll know why the correct answers are correct, and why the incorrect answers are incorrect. Additionally, the chapter content explains the topics in full detail. No matter how CompTIA words the questions, you’ll have the knowledge to correctly answer them.

I only have a limited number of these books available at this price. If you want one, buy your copy today.

Do You Use Wikipedia

2011-12-28T12:24:00.000-08:00

Do you use Wikipedia? I do and I love it. So much so that I've donated to them to help them keep providing the service that I value so much. I really like the style of the articles and the way that authors police themselves to prevent problems. It's a great resource and awesome that it's free.

Jimmy Wales (Wikipedia Founder) sent me the following email and asked me to send it out to others. Here it is:

Dear Darril,

Here's how the Wikipedia fundraiser works: Every year we raise just the funds that we need, and then we stop.

Because you and so many other Wikipedia readers donated over the past weeks, we are very close to raising our goal for this year by December 31 -- but we're not quite there yet.

You've already done your part this year. Thank you so much. But you can help
us again by forwarding this email to a friend who you know relies on Wikipedia and asking that person to help us reach our goal today by clicking here and making a donation.

If everyone reading this email forwarded it to just one friend, we think that would be enough to let us end the fundraiser today.

Of course, we wouldn't turn you down if you wanted to make a second donation or a monthly gift.

Google might have close to a million servers. Yahoo has something like 13,000 staff. We have 679 servers and 95 staff.

Wikipedia is the #5 site on the web and serves 470 million different people every month – with billions of page views.

Commerce is fine. Advertising is not evil. But it doesn't belong here. Not in Wikipedia. Wikipedia is something special. It is like a library or a public park. It is like a temple for the mind. It is a place we can all go to think, to learn, to share our knowledge with others.

When I founded Wikipedia, I could have made it into a for-profit company with advertising, but I decided to do something different. We’ve worked hard over the years to keep it lean and tight. We fulfill our mission, and leave waste to others.

Thanks again for your support this year. Please help spread the word by forwarding this email to someone you know.

Thanks,

Jimmy Wales

Wikipedia Founder

If you can afford to share some of your wealth, I encourage you to consider sharing some of it with the people at Wikipedia. We all benefit.

Security+ Practice Test Questions for Your Mobile Phone

2011-12-27T01:24:00.000-08:00

Study Security+ From Your Mobile Device

CompTIA Security+ (SY0-301) practice test questions and flash cards are now available for your mobile devices. The content was written by Darril Gibson and includes:

Over 170 Flashcards
Over 275 Interactive Study questions with detailed explanations
Organized in seven practice tests based on Security+ objectives

This CompTIA Security+ SY0-301 mobile app includes relevant flashcards, interactive study questions and timed mock exams. Versions are available for your iPhone, iPad, Android phones, and Android tablets. Check it out here:

If you've been studying for this exam and want to test your readiness, this app is for you. This is the only app currently on the market for the SY0-301 exam where every question includes the explanation for the correct choice, and also explains why the other choices are incorrect. Use it to ensure you pass the exam the first time you take it.

If you're looking for a full study guide on the SY0-301 Security+ exam
that will help you pass it the first time you take it, check out this book.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Sample Reviewer Comment

"I took the exam today and passed with an 874/900. This book gave me all I needed to pass and there wasn't anything that wasn't familiar. "

By Mike Berry

Mobile App Features

Practice test questions and flashcards are organized in six topics, with a topic dedicated to each of the Security+ domains:

1) Network Security
2) Compliance and Operational Security
3) Threats and Vulnerabilities
4) Application, Data and Host Security
5) Access Control and Identity Management
6) Cryptography

Comments from reviewers on mobile app:

"The app does go through the most current CompTIA objectives. I recommend this app to all CompTIA Security+ candidates."

by ramzsmith

"The flash cards and practice test were very useful. This is a good investment for anyone looking to get certified. Thanks......"

by AARON IRVING

Identification, Authentication, and Authorization

2011-12-26T03:38:00.000-08:00

If you're studying for one of the security certifications like CISSP, SSCP, or Security+ it's important to understand the difference between identification, authentication, and authentication. These concepts are intertwined, but have specific differences. When looking at these topics, especially for the SSCP and CISSP exams, it's important to understand the differences between subjects and objects.

Subject. A subject is the active entity that accesses an object. For example, when a user accesses a file, the user is the subject. Other subjects include programs, processes, and any entity that can access a resource.
Object. An object is a passive entity that is being accessed by a subject. For example, when a user accesses a file, the file is the object. Other objects include databases, computers, printers, or any other resource that can be accessed by a subject.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Identification

Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.

Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions

Authentication

Authentication is the process of proving an identity and it occurs when subjects provide appropriate credentials to prove their identity. For example, when a user provides the correct password with a username, the password proves that the user is the owner of the username. In short, the authentication provides proof of a claimed identity.

There are several methods of authentication that I'll cover in another post, but in short they are:

Something you know, such as a password or PIN
Something you have, such as a smart card, CAC, PIV, or RSA token
Something you are, using biometrics

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide

Authorization

Once a user is identified and authenticated, they can be granted authorization based on their proven identity. It's important to point out that you can't have separate authorization without identification and authentication. In other words, if everyone logs on with the same account you can grant access to resources for everyone, or block access to resources for everyone. If everyone uses the same account, you can't differentiate between users. However, when users have been authenticated with different user accounts, they can be granted access to different resources based on their identity.

In summary, it's important to understand the differences between identification, authentication, and authorization when studying for security exams such as the Security+, SSCP, or CISSP exams. Identification occurs when a subject claims an identity (such as with a username) and authorization occurs when a subject proves their identity (such as with a password). Once the subject has a proven identity, authorization techniques can grant or block access to objects based on their proven identities.

Single Sign-On (SSO) and Federated Identity Management

2011-12-21T15:24:00.000-08:00

If you're studying for one of the security certifications such as CISSP, SSCP, or Security+ it's important to understand single sign-on (SSO) concepts and federated access.

SSO refers to the ability of a user to log on or access multiple systems by providing credentials only once. It enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user’s entire session.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Kerberos

Kerberos is an authentication protocol commonly used to help support SSO in many networks. When users authenticate, a Key Distribution Center (KDC) issues the user an encrypted time-stamped ticket-granting ticket (TGT). The TGT is cached on the user's system and normally has a lifetime of 10 hours but can be renewed. Kerberos uses symmetric cryptography to encrypt tickets and in most current implementations it uses Advanced Encryption Standard (AES). The KDC is also referred to as an authentication server (AS) or sometimes as a Kerberos authentication server (KAS).

When the user later wants to access a resource such as a file on a server, the user's system submits the TGT with a request to access the resource. The KDC validates the TGT and sends the user a ticket (sometimes called a service ticket) for the resource. The user's system then submits this ticket to the host of the resource (in this case the file server) with a request to access the resource. The host checks with the KDC to ensure that the ticket is valid and if so, allows access as long as the user is authorized.

Kerberos requires all systems to be time synchronized and the default in version 5 is for all systems to be within five minutes of each other. If a system is more than five minutes off, the KDC won't issue a TGT or any other tickets, effectively blocking all non-anonymous access on a network. It uses a database of credentials to authenticate users and uses port 88 by default.
A drawback with Kerberos is that it represents a single point of failure. If the KDC fails, all authentication stops. Additionally, if the KDC is compromised, all credentials are compromised.

Studying SSCP?

This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide

Federated Identity Management

Identity management refers to the management of user identities and their credentials. For example, usernames and passwords are stored in a database that can be accessed by Kerberos to authenticate users. Users claim an identity and prove their identity by authenticating, such as with a password. In federated identity management, organizations join a group of organizations called a federation. All the organizations within the federation agree on a method to share identities between the organizations.
Once the federation is configured, users are able to log on one time within their organization and then access resources in other organizations without logging on again. This is usually transparent to the user.

As an example, I have worked in an organization where we logged on with smart cards. We had access to training sites hosted by other organizations but part of a federated identity management system. All we had to do was access the web site using a web browser, and our credentials were automatically recognized without requiring us to take any additional steps.

In summary, SSO methods can increase security by reducing the number of passwords users must remember. Federated access allows an organization to share identities between different organizations in a common group, or federation of organizations.

Free Security+ Books from Amazon Prime

2011-12-09T05:44:00.001-08:00

Two Security+ books are now available through the Kindle lending library, a new feature of Amazon Prime. If you have any version of a Kindle and Amazon Prime, you can check out any available book for free for a month. Books for both the SY0-201 and SY0-301 Security+ exams are available to check out.

Two Security+ Books Available

The following two Security+ books are a part of this program so you can checkout either one without charge.

While Amazon has created Kindle applications to run on just about any platform, the lending library doesn't currently work with these applications. I really don't know if they plan to add it later or not. However, if you don't have a Kindle, you can still get these two books for only $9.99 using one of these free applications.

These Security+ books are also available in paperback versions.

Amazon Prime Benefits

I've had Amazon Prime for quite a while and have been very happy with it. It costs $79 annually but you can try it out for a free one month trial. It has the following benefits:

Free two-day shipping on products shipped from Amazon
Instant streaming of movies and TV shows
Instant access to thousands of books

Kindle Versions

There are several versions of Kindles available and for reading books, I've been very happy with it. I have an iPad but don't find it as easy to read books from the iPad as the Kindle.

Also, I recently purchased the new Kindle Fire and have been impressed with it too. It works very similar to the iPad. I don't think it'll be an iPad killer but it has a lot of similar functionality and has great potential.

If you're studying for the Security+ exam and you have a Kindle and Amazon Prime, be sure to check out the new lending library. If you don't have these though, you can still get some good quality Security+ study materials. Best of luck in your studies.

Security+ Practice Test Question Hardware Device

2011-11-27T03:01:00.000-08:00

Here's a practice test question for anyone planning on taking the SY0-301 Security+ exam.

Security+ Practice Test Question

Your organization has an existing server and you want to add a hardware device to provide encryption capabilities. What is the easiest way to accomplish this?

A. TPM
B. HSM
C. DLP
D. IaaS

Answer below:

If you're looking for a Study Guide on the SY0-301 exam that can help you take and pass the Security+ exam the first time you take it, check out the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide. It covers 100 percent of the CompTIA Security+ SY0-301 objectives using real-world examples of security principles in action to help you master the important concepts. It also includes over 450 realistic practice questions with in-depth explanations. You'll know why the correct answer is correct, why the incorrect answers are incorrect, and be able to pass this exam the first time you take it.

If you think you're ready for the exam, but just want some realistic practice questions to test your readiness, check out this book instead: CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions. It includes 275 practice test questions with in-depth explanations and is available for only $9.99 on the Kindle.

Answer

Your organization has an existing server and you want to add a hardware device to provide encryption capabilities. What is the easiest way to accomplish this?

A. TPM
B. HSM
C. DLP
D. IaaS

The correct answer is B.

A hardware security module (HSM) is a hardware device you can add to a server to provide encryption capabilities.

A Trusted Platform Module (TPM) is a chip embedded into a motherboard that also provides hardware encryption, but you can’t easily add a TPM to an existing server.

A Data Loss Prevention (DLP) device can reduce the risk of employees e-mailing confidential information outside the organization.

Organizations use Infrastructure as a Service (IaaS) to rent access to hardware such as servers via the cloud to limit their hardware footprint and personnel costs.

TPM, HSM, and DLP are covered in depth in Chapter 5 of CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide. IaaS and other cloud computing topics are covered in Chapter 4. Also you may like to check out this blog on TPMs and HSMs.

SY0-301 Security+ Study Guide Released

2011-11-10T02:34:00.000-08:00

The CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide is released! This is an update to the top-selling SY0-201 Security+ study guide, which helped thousands of readers pass the Security+ exam the first time they took it. Here are a few highlights about the book:

100 percent coverage of SY0-301 objectives
Over 450 realistic practice test questions
100 question pre-test
100 question post-test
Practice questions in each of the eleven chapters
Comprehensive acronym list

All practice test questions have in-depth explanations. You'll know why the correct answers are correct, and why the incorrect answers are incorrect. Additionally, the chapter content explains the topics in full detail. No matter how CompTIA words the questions, you'll have the knowledge to correctly answer them.

Picture yourself taking the Security+ exam and seeing the results “You passed.” You can do it and this book can help.

40% Discount For A Limited Time

As a favor to the many people that have shown so much interest in this update, I’m making it available at a reduced introductory price. For a short introductory period, I'm offering the book with a special discount of 40% off. That's a whopping $14.80 off the list price of $36.99.

Order here now
Enter discount code XQY3HAAG when you check out for the 40% off discount

Why am I offering such a steep discount? I’d like to get this book into as many people’s hands as soon as possible. While there is certainly no obligation, I’m hoping some of you take the time to provide comments on the book. Readers just like you posted comments on the SY0-201 Study Guide Amazon page to let others know about the book value. It may be your review that 54 out of 54 people find helpful.

A Quick FAQ List

I can hear a couple of questions coming so here are some quick answers:

Q. Will the book be available on Amazon?
A. Yes. I expect it to be on Amazon within two weeks.

Q. Is the 40% discount available on Amazon?
A. No. Amazon controls their discounts. As an example, the CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions book was published on September 15, 2011 and as of today, they still have not reduced the price.

Q. How long will the 40% discount be available?
A. I plan to replace it with a 25% discount in 30 days.

Q. Is a Kindle version coming out?
A. Yes. The process takes a little while, but I expect to have the Kindle version out within 60 days. I'm not sure of the pricing at this moment.

Instructors

If you're an instructor, check out this page http://getcertifiedgetahead.com/instructor-resources.aspx Many instructors in the United States and in at least two other countries used the CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide to help their students pass the Security+ exam the first time they took it. You can help your students pass the SY0-301 Security+ exam the first time they take it too.

Darril Gibson

Security+ SY0-301 Practice Test Questions

2011-11-03T14:49:00.000-07:00

If you’re planning on taking the SY0-301 Security+ exam, you might like to hear about a new book that just came out. It includes over 275 realistic practice test questions with in-depth explanations for only $9.99. It's called CompTIA Security+: Get Certified Get Ahead:SY0-301 Practice Test Questions and you can get it here:

You can download free Kindle applications for just about any device from here.

You may know that I've been updating my CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide to the SY0-301 version. I've completed the rewrite. Unfortunately, the process to get it to print is lengthy and it has a couple more phases to go through before it makes it to print. At this point, I’m thinking it’ll be out in October, but much of it is out of my hands. The ISBN is 1463762364 but it isn’t on Amazon yet either.

However, I continue to get queries about the update and I know many people want to take the new exam. Because of this, I copied 275 practice test questions from the new book and created the Kindle book. I’m able to control 100 percent of the process with the Kindle, so I knew I could get it to published quickly.

Update on SY0-301 Practice Test Questions Book

Several people asked if the the Practice Test Question book can come out as a hard copy book. It took a little work, but CompTIA Security+: Get Certified Get Ahead: SY0-301 Practice Test Questions is now available on Amazon.

You can also get it from here: https://www.createspace.com/3687639. Enter JXCRTNUT for 25% off.

Answers to a Few FAQs

I continue to get queries about the SY0-201 and SY0-301 exam. Here's a few answers that may help you too.

Can you still take the SY0-201 version?
Yes. You can still take the SY0-201 version until December 31, 2011. The CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide is still helping many people take and pass this exam.

Do employers care which version you take?
No. Employers want to know that you are certified. I don’t know of any employer that cares which version you have (SY0-201 or SY0-301).

Is the SY0-301 version harder than the SY0-201 version?
This is a tough question to answer. It's different. It includes concepts that are newer because security topics continue to evolve. Since writing the first SY0-201 book, I've written several other security books, and contributed to a couple more. I tech edited a CISSP book, and I am in the final phase of a SSCP book based on the new objectives for the SSCP exam. Because of this, I've already been exposed to many of these topics so I was able to easily pass the exam when I took it (though I did miss a question).

Will I see questions on the SY0-201 exam that aren’t covered in the SY0-201 book?
Yes. CompTIA seeds the exam with beta questions but the beta questions are not graded. As an example, the SY0-201 objectives do not include any topics on cloud computing, yet many people report seeing questions on cloud computing. You'll probably see the same thing in three years when CompTIA releases the SY0-401 version.

Some Information on the Full SY0-301 Book

CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide is an update to my top-selling SY0-201 guide, which helped thousands of readers pass the exam the first time they
took it.

The SY0-301 version covers every aspect of the SY0-301 exam, and includes the same elements readers raved about in the previous version. Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. I use many of the same analogies and explanations I’ve honed in the classroom that have helped
hundreds of students master the Security+ content. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.

You’ll have over 450 realistic practice test questions with in-depth explanations to help you test your comprehension and readiness for the exam. It includes a 100 question pre-test, a 100 question post-test, and practice test questions at the end of every chapter. Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.

If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for
other exams. This SY0-301 study guide is for any IT or security professional interested in advancing in their field, and a must read for anyone striving to master the basics of IT systems security.
However, if you can't wait for the study guide to be published, or you just want some realistic practice test questions with in-depth explanations, check out the CompTIA Security+:Get Certified Get Ahead:SY0-301 Practice Test Questions Kindle book.

You can also check out a SY0-301 Security+ blog here, and the GetCertifiedGetAhead.com site for more certification releated information.

Audio Files Now Available

2011-01-23T05:54:00.000-08:00

Several readers have recommended that we create audio files for key portions of the CompTIA Security+ Get Certified and Get Ahead Study Guide and we have recently done so.

We've worked with professional voice actor Nate Collins to produce top quality MP3 files that you can listen to, and supplement your studies. These files include:

All of the Remember blocks from each chapter
Listen to key exam information as many times as you like
All of the questions, answers, and explanations from each of the chapters
Reinforce why the correct answers are correct and why the incorrect answers are incorrect

Over 170 MB of MP3 files.

10 separate Remember files
One for each chapter
10 separate question and answer files
One for each chapter

Only $9.99 for all the files and available with just a few clicks.

HTTPS Process

2010-06-08T09:56:00.000-07:00

When studying for the CompTIA Security+ exam, you'll come across some cryptography objectives. One thing that confuses many people is how SSL works with HTTPS.

I've broken it down to the following steps with a diagram at the end that may help you understand it a little better.

The client starts the HTTPS session by clicking on the link.
The server responds by sending a certificate. The certificate includes the server's public key that is part of a matched private/public key pair. The private key is always kept private by the server.
The client creates a random session key (such as 13579BDF2468ACE).
The client encrypts the session key with the server's public key.
The client then sends the encrypted session key to the server.
The server then decrypts the session key with the server's private key.
Rest of session uses symmetric session key.

Question: What type of encryption does SSL use to privately share the session key?
Answer: Asymmetric

Question: What type of encryption does SSL use to encrypt the session data?
Answer: Symmetric

Trick Question: What type of encryption does SSL use ?

Answer: Asymmetric and symmetric

You can find more details on cryptography in this chapter 9 of this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

You can also watch a video on YouTube here:
SSL Asymmetric and symmetric encryption

HTH,

Darril Gibson

Biometrics False Positive False Acceptance

2010-05-18T04:53:00.000-07:00

I'm teaching a Security+ class this week and this topic came up again. Here's some clarification...

Biometrics is used for authentication. It is in the "something you are" factor. You can read about the three factors of authentication here.

However, biometrics can be calibrated for different levels of accuracy. Two types of errors are possible.

False acceptance or false positive. This is when a system inaccurately identifies someone as someone else. For example, imagine that Attacker Al steals Sally's laptop. The laptop has a fingerprint scanner for authentication with Sally's fingerprint . Attacker Al tries his fingerprint and it works. It accepts his fingerprint even though it shouldn't. It returns a positive match as though his fingerprint is the same as Sally's even though this is obviously false.
False rejection or false negative. Now imagine that Sally has the same laptop. She has registered her fingerprint on the system. The next day she tries to use this for authentication. Unfortunately, the system rejects her fingerprint. It returns a negative match as though Sally's fingerprint isn't actually her finger even though it's the same finger she used the day before.

The confusion with some people is realizing that false acceptance is the same as false positive, and false rejection is the same false negative.

Think about this. The PoweBall lottery in the U.S. wants to give you a million dollars for your winning ticket. Do you accept it? You'll probably answer with a positive answer such as Yes, or Absolutely. Accept is a positive response. On the other hand, reject is a negative answer. Someone may say No they don't want the money (though I can't imagine why not). The rejection with a No is a negative response.

You can overthink this, but it's as simply as acceptance is positive, and rejection is negative.

Interestingly, both terms are simplified. Biometrics more technically use the following terms:

False reject rate (FRR). This is commonly referred to as a Type I error, or a false rejection error.
False accept rate (FAR). This is commonly referred to as a Type II error, or a false acceptance error.
Crossover error rate (CER). This is a measurement betwee then the FRR and FAR represented as a number or a percentage. The lower the number or percentage, the more accurate the biometrics system is. For example, a CER of 2 (or 2 percent) is much better than a CER of 10 (or 10 percent).

Here's an interesting article that explains FRR, FFAR, and CER. It's a CISSP study article and digs a little deeper into the topic than necessary for Security+ but may help clarify things for you.

Good luck with your studies.

Darril Gibson

YouTube Videos

2010-04-22T16:53:00.000-07:00

After teaching a Security+ class this week, I decided to create a few videos for the cryptography topics. I created them in Camtasia and posted them on YouTube. You can view them here:

Security+ Encryption and the Rayburn box

Digital Signatures

SSL Asymmetric and symmetric encryption

Hashing and integrity

Darril Gibson

A Twist on the MP3 Study Method

2010-03-01T06:09:00.000-08:00

Years ago, a student told me of method he used to study for certification exams. This blog entry talks about it. In short, you can read study material into an MP3 recorder. Whenever you have the chance, you listen to the recordings. Since MP3s are so portable you can listen to the recording just about anywhere.

As a twist, someone recently told me they had their girlfriend record the material. He liked hearing her voice more than his own. Think about your girlfriend or boyfriend saying in their most sultry voice "Integrity is used to verify that data has not been modified." It sounds like a great idea.

I guess the only danger is that when someone starts talking to you about security issues you may remember the voice and get a little excited. But is that such a bad thing?

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Practice Question Virus Infection

2010-02-26T07:26:00.000-08:00

A computer is infected with a virus. The installed antivirus software didn't detect the problem. What would be the first action to take?

A. Notify an administrator

B. Install new antivirus software
C. Update the antivirus signature files
D. Contain the problem.

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

List of Security+ Blogs
List of Security+ Questions

Answer: D. The first step in response to an incident to contain or isolate the problem. This can often be done by simply pulling the cable on the NIC. Notification should be done after containment, but policy would often dictate the notification of someone on an incident response team. Ensuring that a system has antivirus software and updated signature files are good steps to take, but not as a first step after an infection. You’d still want to contain the problem to a single system before installing the software and updating definitions.

This question is related to objective:
6.3 Differentiate between and execute appropriate incident response procedures.

Damage and loss control

Incident Response Practice Question

2010-02-24T07:26:00.000-08:00

What documentation is needed to verify that the evidence collected is the same evidence that is presented in court?

A. Affidavit of evidence
B. Chain of custody
C. Chain of forensics
D. Access authorization

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: B. A chain of custody verifies that evidence presented in court is the same evidence that was collected; a chain of custody should be established when seizing any evidence. The other documents listed won’t take the place of chain of custody documentation.

This question is related to objective :

6.3 Differentiate between and execute appropriate incident response procedures.

Chain of custody

Least Privilege

2010-02-18T17:08:00.000-08:00

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.

3.1 Identify and apply industry best practices for access control methods.

One of the praactices you should understand is: Least Privilege.

The principle of least privilege specifies that individuals or processes should be granted only the rights needed to perform assigned tasks or functions, but no more. For example, if Sally needs to print to a printer, you should grant her print permission for that printer but nothing else.
There's a subtle difference between Least Privilege and Need to Know. Least Privilege focuses on rights or actions. Need to Know focuses on permissions or access to data.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Mandatory Vacations

2010-02-11T11:08:00.000-08:00

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.

6.4 Identify and explain applicable legislation and organizational policies. One of the policies you should understand is: Mandatory Vacations.

In my years in the Navy, we often had events that were referred to as mandatory fun. This was often accompanied by the phrase "all leave and liberty will be cancelled until morale improves." This isn't quite the same thing.

Instead, mandatory vacations are designed to ensure that someone gets out of the office for a period of time requiring someone else to perform their job. The goal is to reduce the incidents of fraud or embezzlement. If an employee knows that someone else will be covering their work for a period, they also know the risk of being discovered is much higher.

Mandatory vacations are frequently required in different banking institutions. Employees are often required to take a vacation of at least five consecutive workdays.

Good luck in your studies.

Darril Gibson

Separation of Duties

2010-02-10T04:31:00.000-08:00

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.

3.1 Identify and apply industry best practices for access control methods.

One of the praactices you should understand is: Separation of Duties.

The Separation of Duties principle ensures that no single person or entity controls all of the functions for a critical process. Instead of a single person or entity having all of the responsibility, the responsibilities are divided between two or more people or entities.

Consider an accounting department. They are responsible for accepting bills, identifying bills that will be paid and then paying them. Separation of Duties is commonly used to separate the functions into two separate divisions.

Accounts receivable. This division receives and approves the bills.
Accounts payable. This division pays the bills approved by accounts receivable.

If a single person did both functions, the potential for fraud is increased. This person may decide to submit a bogus bill, approve the bill, and pay the bill. The books look valid since an approved bill is paid, but it is still fraud.

The principle of separation of duties is designed to prevent fraud, theft, and errors.

Good luck in your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

VOIP Risks

2010-02-06T16:20:00.000-08:00

Voice Over IP (VOIP) is becoming more and more popular. Clients with broadband connections can use VOIP as a phone. You want to talk to your sister but you live in Virginia Beach and she lives in San Francisco. If you both have VOIP, you can do so without any long distance charges.

VOIP can also be used for video teleconferencing. You can lead a presentation to multiple users located in several cities around the world. Again, without the cost of long distance.

All of this sounds good, but VOIP does have some risks. The primary risks related to VOIP are:

Eavesdropping. When a VOIP connection is created, attackers can listen in on the phone calls. It’s relatively easy for an attacker on the source network, the destination network, or any connection points in between to eavesdrop on the conversation. It is possible to encrypt VOIP but that isn’t done very often.

Vishing. Vishing is similar in concept to phishing but VOIP connections are often used. The victim is tricked into calling a phone number attached to a VOIP account, or a robo-caller dials VOIP numbers until it receives an answer. The victim is informed of fraudulent activity on a credit card, PayPal account or some other banking institution and encouraged to call another phone number to resolve the problem. The other number is an automated system that requests the user’s credentials.

Good luck with your Security+ studies.
Darril Gibson

-- Edited February 11 2010

While working on another project I came across NIST's SP 800-58 which is titled: Security Considerations for Voice Over IP Systems

It lists two specific disadvantages of VOIP

Security. There are many more ways for intruders to attack a VOIP system than a conventional voice telephone system or PBX. VOIP is flexible. However it is much more complex to secure the voice and data sent over VOIP.
Startup cost. The initial installation can be complex and expensive for a business.

The SP 800 series of publications from the National Institute of Standards Security and Technology (NIST) is widely respected and considered authoritative. In other words, this is an excellent source to identify disadvantages of VOIP in addition to the specific security risks mentioned earlier.

- Darril

Vulnerability Assessments

2010-02-04T15:25:00.000-08:00

When studying for the SY0-201 Security+ exam, you may come across the following objective:
4.2 Carry out vulnerability assessments using common tools.

• Vulnerability scanners

Vulnerabiltiy scanners are used to perform vulnerability assessments. Vulnerabilties are weakenesses.

Vulnerability assessments are performed to determine if systems or networks are vulnerable to any known issues. The goal is to identify weaknesses so that they can be resolved before they are detected and exploited by attackers.

Most vulnerabilities tools including the following features.

Can check for weak passwords with a password cracking tool
Can check for open ports with port scanner
Can check for sensitive data (such as social security numbers or any desired matching pattern) being released on the network, or sent through the firewall
Can check for security policy settings
Can check for the deployment of updates

Nessus is one of the popular vulnerability assessment tools in use today but many more exist.

After a vulnerability assessment identifies weaknesses, it's important to plug the holes. If the deficiencies are not corrected the vulnerabilities remain.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

CompTIA Makes it Official - No Recertification until 2011

2010-01-31T15:44:00.000-08:00

CompTIA updated their renewal policy reversing their earlier statements. You can read about it here.
http://www.comptia.org/certifications/listed/renewal.aspx

If you're certified now or certify sometime in 2010, your certification will be good for life just as it's been in the past. However, if you get certified in A+, Network+, or Security+ on January 1, 2011 or later the certification will be good for three years from the date you get certified.

Certifications that expire can be updated by earning continuing education credits. Expect CompTIA to announce details of the continuing education program sometime before January 1, 2011.

Darril

CompTIA Backs Down

2010-01-29T07:54:00.000-08:00

ARS Technica posted a good article titled CompTIA Backs Down.

Even though CompTIA hasn't officially posted a change to the new recertification policy apparently they are changing it.

If you certify in A+, Network+, or Security+ in 2010 (or previously), your certification is good for life.
If you certify in 2011, you'll need to recertify every three years.

If you want to get certified and keep it for life without requiring renewals, now's the time.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Hashing

2010-01-23T21:48:00.000-08:00

When preparing for the CompTIA Security+ SY0-201 exam, you'll come across the following objective related to hashing:
5.2 Explain basic hashing concepts and map various algorithms to appropriate applications.

In short, a hash is a number created by applying an algorithm to a file or a message. The same hashing algorithm will always return the same hash (the same number) when applied to an unchanged file or message. Hashing is used to verify integrity which is an important element of the security triad.

As an example, imagine that a message of "Hello" needs to be sent. Assume that the hashing algorithm calculates the hash as 1234. Both the message and the hash is sent.

When the message is received, the hash is calculated on the received message. This results in a hash of 1234 which is then compared to the original hash of 1234. Since both hashes are the same, the message has not lost data integrity.

What if the message is changed?

Imagine that the message of "Hello" is sent with the hash of 1234. However, the message is modified in transit and the received message is "Goodbye".

The hash of "Goodbye" is 5678. The hash of the received message (5678) is compared to the original hash (1234) and it's apparent the hashes are not the same. The message has lost data integrity.

Applications can be used to calculate hashes and perform the comparisons automatically. When the hashes don't match a message appears informing the user of loss of data integrity.

MD5 is a hashing algorithm that produces a 128 bit hash. SHA-1 is a hashing algorithm that produces a 160 bit hash.

Here's a practice question on hashing.

Good luck with your studies.

Darril Gibson

The Security Triad

2010-01-22T15:01:00.000-08:00

When studying for the CompTIA SY0-201 exam, you'll come across three core concepts that are commonly referred to as the security triad. They are:

Confidentiality. The goal of confidentiality is to prevent the unauthorized disclosure of information.
This is accomplished by controlling access to resources and using encryption to protect the data when it's stored or when it's transferred over the network.
Integrity. The goal of Integrity is to verify that data has not been modified. Integrity is commonly enforced by controlling data to prevent it from being modified, and by using hashes. Enforced by controlling data and using hashes.
Availability. The goal of Availability is to ensure that data and services are available when needed. This includes using backups and using different types of redundancies. This blog talks about disk redundancies, but you can also have server redundancies (with failover clusters) and site reduandicies (hot site, warm site, cold site).

You'll see confidentiality and integrity referenced with cryptography most often. Confidentiality can be enforced with encryption and hashing is used to verify integrity.

Good luck with your studies.

Darril

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

List of Security+ Blogs

2010-01-18T14:25:00.000-08:00

I've posted close to 50 posts on Security+ topics so though it'd be worthwhile to list many of them to help you in your studies.

This blog lists some of the topics. If you want to see a few practice test questions, check out this blog.

Least Privilege
Mandatory Vacations
Separation of Duties
VOIP Risks
Vulnerability Assessments
CompTIA Makes it Official - No Recertification until 2011
Hashing
The Security Triad

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Promiscuous or non-promiscuous
Protocol Analyzers
Faraday cage
Symmetric vs Asymmetric
What's in a CRL
Identity proofing
RADIUS
Redundancy

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Phishing
Dumpster diving
Piggybacking or tailgating
Impersonation
Social engineering
Disk redundnacy using RAID
DoS and DDoS attacks
Well-known ports
Understanding ports
Biometrics used in authentication
Digital signatures
Use of virtualization in security

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Encryption basics
Qualitative risk assessment
Bluetooth concenrs
SSL, OCSP, vs CRL
Three factors of authentication
Quantitative risk assessments
Intrusion detection systems (HIDS and NIDS)

Good luck in your studies

Darril Gibson

List of practice questions

2010-01-18T14:21:00.000-08:00

I've posted close to 50 posts on Security+ topics so thought it'd be worthwhile to list many of them to help you in your studies.

This blog lists the practice test questions I've written and posted. If you want to view a list of Security+ topics I've posted, check out this blog.

Incident Response

Good luck in your studies.

Darril Gibson

Just passed 70-647

2010-01-18T08:50:00.000-08:00

OK, I realize it's not related to Security+, but I was happy to finally complete this exam. I took it about an hour ago and just double-checked that this was my last exam needed for the MCITP Enterprise Administrator certification on Windows Server 2008. Wooo Hooo!

Next up... Windows 7.

Darril

Will Your Security+ Certification Expire?

2010-01-15T12:51:00.000-08:00

I posted a blog about CompTIA's new certification renewal policy and you may be wondering how it affects your Security+ certification.

Here are the basics:

If you certified with the older exam (SY0-101) available before July 31 2009, you will need to retake an exam by December 2011 to stay certified.

You can take the SY0-201 exam (100 questions, passing score 750, $258 US)
Or you can take the BR-001 bridge exam (50 questions, passing score 560, $190 US)

If you passed the SY0-201 exam, you can keep the certification valid by submitting continuing education credits.

The cost to submit the credits is $49.
Details aren't finalized, but you can continuing education credits by attending training, blogging, teaching, writing, and more. More details here.
If you passed the SY0-201 exam in 2009 (say in December 2009), you have until December 2011 to submit the credits.
If you passed the SY0-201 exam in 2010 or later, you have three years from the date of your exam.

Darril Gibson

CompTIA Certification Renewal Policy

2010-01-14T02:36:00.000-08:00

Update.
CompTIA has apparently changed their mind. Read about it in this CompTIA Backs Down article. In short, if you certify in 2010 or before, it's good for life, but requires recertification if you certify in 2011 or later.

* * *

CompTIA has modified their certification renewal policy and now setting expiration dates for some certifications. This change affects the A+, Network+, and Security+ certifications but my focus in this blog entry is only on the Security+ certification.

In the past, CompTIA certifications have been granted for life. In other words, once you became Security+ certified, you remained Security+ certified. Based on this policy, certifications will only last for three years.

As background, the Security+ certification has had two versions:

SY0-101 was the original version and it could be taken up until July 2009
SY0-201 was released in late 2008 and the current version.

If you earned the original Security+ certification by taking the SY0-101 exam, your certification will expire December 31, 2011. You must take an exam to retain the Security+ certification. You can take either the SY0-201 exam, or a shorter bridge exam (BR0-001).

If you earned the updated Security+ certification by taking the SY0-201 exam in 2008 or 2009, your certification will expire December 31, 2011. You can retain the Security+ certification through enrollment and participation in a continuing education program which hasn't been defined yet.

If you earned the updated Security+ certification by taking the SY0-201 in 2010 or later, your certification will expire three years from the date it was awarded. You can retain the Security+ certification through enrollment and participation in a continuing education program which hasn't been defined yet.

You can read the details from CompTIA's site here:
http://www.comptia.org/certifications/listed/renewal.aspx

Darril Gibson

Promiscuous or non-promiscuous

2010-01-01T13:04:00.000-08:00

A previous blog entry talked about protocol analyzers. When using protocol analyzers you should be aware of the two modes of a protocol analyzer. They are promiscuous and non-promiscuous.

Non-promiscuous. In non-promiscuous mode, the protocol analyzer can only capture traffic addressed to the system (including broadcasts), or coming from the system. In other words, it can't capture unicast traffic between two other hosts.
Promiscuous. In pomiscuous mode, the protocol analyzer can capture any and all traffic that reaches it's NIC. Attackers would use a protocol analyzer in promiscuous mode.

Wireshark is a protocol analyzer that you can download for free and will work in both promiscuous mode and non-promiscuous mode.

As a side note, you should know that when a protocol analyzer is operating in promiscuous mode, it gives telltale signs on the network. Don't just start running it on a live network without permissions.

I remember teaching a Security+ class at a college once. One of the students was in the Army and had admnistrative privileges on his system. The next day he downloaded Wireshark, installed it, and began sniffing the network. Within about 15 minutes security administrators were at his desk looking over his shoulder asking what he was doing. Thankfully, you can't get fired from the Army very easily but the same may not be true at your job.

Good luck in your studies.

Darril Gibson

Protocol Analyzers

2009-12-31T13:03:00.000-08:00

When studying the CompTIA Security+ exam (SY0-201) you'll come accross the following objective related to protocol analyzers:
2.3 Determine the appropriate use of network security tools to facilitate network security.

A protocol analyzer can be used to capture data packets as they travel across the network if the data is sent "in the clear" or unencrypted.

One of the early protocol analyzers was called Sniffer Network Analyzer and it became so popular protocol analyzers in general are commonly called "sniffers." Wireshark is a popular protocol analyzer that you can download for free today.

Because protocol analyzers are so readily available to attackers, network administrators need to carefully consider allowing any sensitve data (such as passwords) from being sent across the network in clear text.

Protocol analyzers can also be used by administrators to analyze traffic on the network. As an example, a protocol analyzer can detect malformed packets or other types of network attacks.

Good luck with your studies.

Darril Gibson

Security One of the Hottest Skills for 2010

2009-12-30T09:12:00.000-08:00

Computerworld recently published a list of the six hottest skills for 2010. Number 5 is Security.

An understanding of basic security issues is becoming mandatory across a wide range of jobs from programmers, networking professionals, IT managers, and project management professionals. Companies want employees with basic cyber security skills.

Tom Silver, senior vice president for North America at Dice Holdings Inc., which operates Dice.com and other careers Web sites was quoted as saying: "If you know how to help keep your company's information secure, there will be a home for you forever." "Security" he says. "is an evergreen skill."

Darril Gibson
Security+ Tip of day Tweets
http://twitter.com/DarrilGibson

Environmental Controls Practice Question

2009-12-27T05:46:00.000-08:00

When preparing for the Security+ exam, you'll come across this objective: "Explain the importance of environmental controls" including Shielding. Here's a practice question
What is the purpose of a Faraday cage? (Choose all that apply.)

A. To mitigate data emanation
B. To detect attacks on host
C. To detect network attacks
D. To prevent interference

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: A, D.
A Faraday cage is designed to mitigate data emanation and also prevents EMI/RFI from entering the enclosures. Network intrusion detection systems (NIDS) would be used to detect network attacks, and host-based intrusion detection systems (HIDS) would be used to detect attacks on a host.

Faraday Cage

2009-12-26T05:31:00.000-08:00

When preparing for the Security+ exam, you'll come across this objective: "Explain the importance of environmental controls" including Shielding.

Shielding is used to protect data from emanating out so that it can be intercepted, or prevent interference from getting in and corrupting data transmissions. A Faraday cage can be used to prevent emissions and interference.

A Faraday cage prevents signals from emanating outside a room. It uses electrical features that cause RF signals that reach the boundary of the room to be reflected back. It can also also provide shielding to prevent outside interference such as electromagnetic interference (EMI) and radio frequency interference (RFI) from entering the room.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Does Security+ Certification Expire?

2009-12-25T09:50:00.000-08:00

CompTIA certifications are granted for life. In other words, they never expire. This is different than some other certifications which do expire (such as the CISSP certification). Part of the reason for this is that the CompTIA certifications are often considered to be a stepping stone to other certifications.

However, even though the certifications don't expire, the knowledge becomes less relevant. As an example, my transcript shows that I became certified in A+ in 1999. If I never took A+ again, I could continue to say I'm A+ certified.

Similarly, my Security+ certification (from the 2000 objectives) was relevant when I was teaching Security+ using the 2000 objectives. However, when I began teaching the 2008 objectives, I took and passed the Security+ exam with the 2008 objectives. I didn't have to, but it helped me understand how to interpret the new objectives.

Some companies are encouraging employees to upgrade Security+ by taking the new exam, but this is an employer requirement, not CompTIA. To make this path easier for test takers, CompTIA has created a bridge exam (BR0-001) that can be taken if you're Security+ certified using the older exam (SY0-101) based on the 2000 objectives. In other words, you can take the BR0-001 bridge exam instead of the SY0-201 exam. The BR0-001 exam is only 50 questions (instead of 100 for SY0-201) and a passing score of only 560 is required to pass (instead of 750 for SY0-201).

In summary, if you earn the CompTIA Security+ certification, it is good for life. You can update your certification by taking a newer exam with updated objectives, but this is not required by CompTIA.

Darril Gibson

Edited January 2010
At least this is the way it used to be. CompTIA announced a change in their policy in January 2010. These two blogs talk about some of the changes.
CompTIA Certification Renewal Policy
Will Your Security+ Certification Expire?

Darril Gibson

Symmetric vs Asymmetric

2009-12-24T09:49:00.000-08:00

Cryptography covers 15 percent of the CompTIA Security+ (Exam SY0-201) objectives, and cryptographic algorithms are important to understand.

Algorithms are primarily characterized as either symmetric or asymmetric. In short, symmetric encryption uses a single key to encrypt and decrypt. Asymmetric uses two keys.

Symmetric encryption:

Is about 1000 times faster than asymmetric encryption.
Uses the same key to encrypt as it does to decrypt. For example, if the key 123 is used to encrypt data using the Advanced Encryption Standard (AES), then the same key of 123 is used to decrypt the data. (Encryption keys are actually much more complex than just a simple number like 123.)
The key is commonly called a session key, a shared key, a preshared key, or a shared secret.
The most popular encryption algorithm is AES which faster and more efficient than other encryption algorithms (such as DES and 3DES).

Asymmetric encryption:

Is extremely slow compared to symmetric encryption so only used to encrypt/decrypt a very small amount of data.
Is primarily used to privately share a symmetric key over a public network (such as the Internet). Once the key is exchanged using asymmetric encryption, symmetric encryption is used to encrypt session data.
Uses two keys know as a public key and a private key (or public/private key pair). The public key is freely shared but the private key is kept private for a single entity (such as a single server).
Requires a public key infrastructure (PKI) to publish certificates. Public keys are published in a certificate and the certificate is freely shared to others.
If a public key encrypts data, only the private key can decrypt it.
If a private key encrypts data, only the public key can decrypt it.

Other blogs on cryptography you might like:

And of course, this book CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide has a full chapter on the relevant cryptography concepts needed to pass the Security+ exam the first time.

Good luck with your studies.

Darril Gibson

Cryptography practice

2009-12-21T15:08:00.000-08:00

What would a CA do if a private key is considered compromised

A. Cancel the certificate
B. Publish the certificate
C. Revoke the certificate
D. Reissue the certificate

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: C

If a private key is compromised the key is revoked by revoking the certificate that holds the matching public key. Revoked keys are published on the certificate revocation list (CRL). Certificates can’t be cancelled. The certificate is already published. It’s not appropriate to reissue a certificate with a compromised private key.

What's in a CRL?

2009-12-20T15:02:00.000-08:00

When studying for the Security+ exam, you may run across the following objective:

“Explain core concepts of public key cryptography.” This objective includes a listing of several related topics including Certification Revocation List (CRL)

This blog on SSL, OCSP and CRLs talked about the relationship of SSL, OCSP and CRLs, but you may be wondering what a CRL actually is. In short, a CRL is a certificate that holds the serial numbers of revoked certificates.

As a little background, a certificate holds a public key but it holds a lot more. You can view one in Internet Explorer by clicking Tools, Internet Options, Content, Certificates, Trusted Root Certification Authority, selecting a certificate and clicking View. Click the Details tab and you can see all the contents.
The following figure shows the details on a Verisign root certificate. The public key is selected and the public key is shown in the bottom pane. But notice also that the the first field showing is the serial number. The serial number is used to uniquely identify a certificate. Select serial number and you can see the serial number (which is important for this conversation). Select the Public Key and you can view the actual Public Key.

This public key is part of a matched public/private key pair. When data is encrypted with the public key it can only be decrypted by the private key (which is commonly done with SSL). When data is encrypted with the private key, it can only be decrypted with the public key (which is commonly done with digital signatures).

If the private key ever becomes compromized, the certificate needs to be revoked so that it is no longer used. How can the certficate be untiquely identified? With the serial number. A certificate authority (CA) issues the certificate and if the matching private key for the certificate becomes compromized, the certificate is published on a Certificate Revocation List (CRL pronounced as crill).

CA's commonly publish the CRL as a version 2 certificate as shown in the following figure. This CRL has only one certificate, but it's much more common for a CRL to have multiple revoked certificates.

Hope this helps you with your studies.

Darril Gibson

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide
includes a full chapter on cryptography.
Over 375 practice test questions to help you pass Security+ the first time.

Identity proofing

2009-12-15T07:53:00.000-08:00

When studying for the SY0-201 Security+ exam, you'll see this objective: "Explain the difference between identification and authentication." This directly relates to identity proofing.

Identity proofing is done during the identification process prior to issuing credentials. An account within a network isn't just given to anyone that asks for one, but instead a user must provide some type of identification first. Within a company, identification is provided by the individual when they are hired. The HR department may then introduce the new hire and ask for an account to be created.

A second use of identity proofing is performed after credentials have been issued. For example, online banks often ask for more information on a user (such as street they grew up on, first pet's name, middle name of oldest sibling, and so on.) Later, if the user is doing online banking from a different compuer than they normally use, the Web site may recognize this and challenge the user to provide more than just their user name and password.

Good luck with your studies.

Darril Gibson
Author CompTIA Security+: Get Certified Get Ahead

Not off the grid

2009-12-15T07:50:00.000-08:00

I haven't been able to post or blog much recently so thought I'd mention why. Nothing's wrong, I'm just overwhelmed with two large writing projects. I hope to have some breathing room next year (which is only a couple of weeks away). I'm playing hookie for an hour or so now, but will be jumping back in soon.

CompTIA Security+: Get Certified Get Ahead is still selling (most notably on Amazon) and I've been receiving some very kind emails from readers who've used it and passed.

Good luck with your studies.

Darril Gibson

RADIUS

2009-11-30T02:47:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you will run across the term RADIUS and you should understand what a RADIUS server provides.

The Remote Authentication Dial-In User Service (RADIUS) is used to centrally authenticate users when remote access or network access is used.

Assume a large company has employees that regularly go on the road selling, consulting, teaching, or other reasons. However, they need access to the back end network. RADIUS provides authentication when the employees dial-in.

The company could have offices spread across the country and users are encouraged to dial-in to the closest office. For example, when they're in California, they should dial-in to a server in California. When in Florida, they should dial-in to a server in Florida. Each server could hold authentication details for each employee in a local database. However, if this is done, when an employee is added or removed from a database on one server, the database must be updated on every server in every region. This becomes too much work.

Instead, a RADIUS server is used for central authentication. All remote access servers send their authentication requests to the RADIUS server. In this way, only one authentication database (on the RADIUS server) needs to be maintained.

TACACS+ is a Cisco alternative to RADIUS. TACACS+ provides two significant benefits.

It is more secure than RADIUS since it encrypts the entire authentication process
(RADIUS only encrypts the password)
It interacts with Kerberos allowing it to work with Microsoft networks.

Both RADIUS and TACACS+ are widely in use today.

Good luck with your studies.

Darril Gibson

Practice Question Email Sender

2009-11-25T02:17:00.000-08:00

You want to ensure that a user that sent an email cannot later claim that he did not send it. What should be used?

A. Confidentiality
B. Integrity
C. Non-repudiation
D. Access control

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: C. Non-repudiation can be used to prevent someone from later denying an action. Non-repudiation is commonly enforced with digital signatures. Confidentiality is used to prevent the unauthorized disclosure of information, often by encrypting the data. Integrity is used to verify that data has not been modified and is enforced with hashing or message authentication codes. Access control is one of many methods used to grant access to entities to resources after they have been authenticated.

Practice Question Implicit Deny

2009-11-23T02:13:00.000-08:00

Which one of the following describes the principle of implicit deny?

A. Denying all traffic between networks
B. Denying all traffic unless it is specifically granted access.
C. Granting all traffic to network unless it is explicitly granted.
D. Granting all traffic unless it is explicitly denied.

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: B. Implicit deny indicates that unless something (such as traffic on a network) is explicitly allowed, it is denied. It isn’t used to deny all traffic, but instead used to deny all traffic that isn’t explicitly granted or allowed.

SY0-201 Practice Exam Question

2009-11-21T02:13:00.000-08:00

What would be used to control the traffic that is allowed into our out of a network?

A. Hub
B. ARP
C. ACL
D. ALE

Answer below.

Over 375 practice test questions in this book:

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Answer: C. An access control list (ACL) is implemented to control inbound and outbound traffic on a network segment. A hub has no intelligence and will pass all traffic to all ports. Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses in a subnet. Annual Loss Expectancy (ALE) is used to identify how much money is expected to be lost in a quantitative analysis.

Redundancy

2009-11-19T01:44:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand some basics about redundancy from redundant disks all the way to redundant sites.

Some key points to remember are:

RAID-0 does not provide any fault tolerance.
RAID-1 is also known as a mirror and includes two disks.
RAID-5 is also known as striping with parity and includes three or more disks with the equivalent of one drive dedicated to parity.
Hardware RAID solutions are more efficient than software RAID but generally cost more to implement.
Failover clusters can be used to provide redundancy for servers.
Redundant WAN links (such as T1 or partial T1 lines) can be used to provide redundant connections. A second ISP can be contracted to provide redundant connections to the Internet.
A hot site includes the equipment, software, and communications capabilities of the primary site with all the data up-to-date.
A hot site can take over for a failed primary site within minutes. It is the most effective disaster recovery solution for an alternate site, but it is also the most expensive to maintain.
A cold site includes only the very basic utilities and is the hardest to test.
A warm site is a compromise between a hot site and a cold site.

Good luck in your studies,

Darril Gibson

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Phishing

2009-11-14T15:33:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as phishing.

Phishing is the practice of sending unwanted email to users with the purpose of tricking them into revealing personal information (such as user account or bank account information) or clicking on a link.

As an example, I have an email account with cox.net and I often receive different phishing email’s from accounts that state they’re from cox.net (but they aren't). These follow a similar format of many phishing emails.

They state some fictitious problem. Some state they’ve noticed suspicious activity on my account, others state that my account has been discovered to be accessed from different computers, others state that they are upgrading security, and some just say they're upgrading their database.
They request personal information such as username, password, PIN, SSN and/or my date of birth. This is supposed to be to be verify my account, but instead the purpose is access my account with an ultimate goal of stealing my identity.
They include a threat such as disabling my account if I don’t reply. Phishing emails often say this is to protect my privacy, but it’s really a “call to action.” They are trying to create some sense of urgency.

Most (if not all today) organizations will never follow this type of a format to request your personal information. However, the emails are often pretty sophisticated. They use images from the actual company and often look official. If you think there may be a chance it's real, check out the message header.

The following image shows the message options from one of these phishing messages in Microsoft Outlook. You can access this page by right-clicking the message and selecting Message Options.

While the From address may sometimes look official and at least have the address of the company (such as cox.net), the Reply-To address is the real destination. When the From and Reply-To addresses are different with different domain names (aol.com instead of cox.net), it's a real give away. Don't trust it.

Links within email can also lead unsuspecting users to install malware.
Other common social engineering tactics are:

Piggybacking or tailgating
Impersonation
Dumpster diving
Shoulder surfing

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Dumpster Diving

2009-11-12T16:15:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as dumpster diving.

Dumpster diving is exactly what it sounds like: searching through trash to gain information from discarded documents. Discarded papers can have written notes or important documents. On a personal basis this includes preapproved credit applications or blank checks given by credit card companies.

Documentation with any type of Personally Identifiable Information (PII) should be shredded or burned.

Other social engineering tactics you should know about are:

Phishing
Piggybacking or tailgating
Impersonation
Dumpster diving
Shoulder surfing

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Piggybacking or Tailgating

2009-11-11T13:53:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as piggybacking or tailgating.

Piggybacking or tailgating occurs when one user follows closely behind another user without using valid credentials. Some organizations require access methods such as smart cards, or proximity cards to gain access to secure areas. Ideally, each person would use his access card and the door would close behind him. Often, what happens is that one person uses his card, and others follow behind without using their access card.

Piggybacking can be thwarted with the use of mantraps or security guards.

A mantrap can be as simple as a turnstile similar to what you’ve seen in subway stations or bus terminals. Only a single person can get through. Simple, but effective. Can you imagine two men trying to go through the same turnstile? Neither can I.

A turnstile that requires each person to provide credentials (such as swiping a smart card or proximity card) but will lock as soon as that person gets through. More sophisticated mantraps allow a person to walk through a revolving cage, and the cage can be locked after the person enters, but before the person is through. This effectively locks the person inside the mantrap.

Other social engineering tactics you should know about are:

Phishing
Impersonation
Dumpster diving
Shoulder surfing

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Impersonation

2009-11-10T13:51:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as impersonation.

Impersonation is a social engineering tactic where an attacker impersonates someone, such as a repair technician, to gain access to a secured area. A repair technician shows up at the door and says I’m here to work on the phones (or server, or routers, or whatever).

Once the attacker gains access, he can steal the hardware, install malware, or install other hardware such as a protocol analyzer connected to the network and broadcasting the captured packets via a wireless access point.

Identity verification methods can also be used to thwart impersonation attempts. In other words, employees should be trained to verify visitors are who they say are.

Other social engineering tactics you should be know about are:

Phishing
Piggybacking or tailgating
Dumpster diving
Shoulder surfing

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Social Engineering

2009-11-08T13:51:00.000-08:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand social engineering.
Social engineering is the practice of individuals to use flattery, conning, impersonation, and other methods to encourage uneducated users into giving up information.

It bypasses the best technology protections which makes it important for all users to understand. It’s often just people talking to one another - either directly, or via the phone - without using technology at all. It can also be done via email using phishing tactics.

Common social engineering tactics are:

You should be aware of each of these tactics. Some you may already know but others you may not. If not, use your favorite Internet search engine to dig a little deeper.

Or, check back here for some more posts on social engineering topics.

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Disk Redundancy using RAID

2009-11-05T06:28:00.000-08:00

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across using RAID for disk redundancy.

RAID is short for redundant array of independent (or inexpensive) disks. Redundancy provides fault tolerance. In other words, if a fault occurs in one drive, your system can tolerate the fault and continue to operate. Several different RAID types are available. When studying for Security+, you should be aware of the following topics.

RAID-0 (also known as striping) does not provide any fault tolerance but increased performance.
RAID-1 (also known as mirroring) uses two disks and provides fault tolerance.
RAID-5 (also known as striping with parity) uses at least three disks and provides fault tolerance while also providing increased performance. The equivalent of one drive is dedicated to parity.
RAID-10 (also called 1+0) combines RAID 1 and RAID-0. A variant is 0+1. Both provide fault tolerance and increased performance for specific applications.

Both hardware and software RAID solutions are avaialble. Hardware RAID is more expensive provides significantly better performance than sofware RAID.

Good luck in your studies

Darril

DoS and DDoS Attacks

2009-11-02T15:57:00.000-08:00

When studying for the CompTIA Security+ (SY0-201) exam, you should know the difference between DoS and DDoS attaacks.

Both a Denial of Service attacks. The difference is that a Denial of Service (DoS) attack comes from a single attacker, while a Distributed Denial of Service attack comes from multiple attacks.

As an example, the SYN Flood attack is a DoS attack that attacks a single system by flooding it witth only two parts of the TCP three way handshake. Normally, the TCP handshake is three packets. The client sends a SYN packet, the server replies with a SYN / ACK packet, and the client should reply with the ACK flag to complete the handshake.

However, the client instead withholds the third packet and leaves the server hanging. If the client is able to do this enough times, the server's resources become consumed as it has perhaps hundres of unfinished sessions. A SYN Flood attack can actually take servers down if not detected and stopped.

A DDoS attack often starts with malware taking control multiple computers. These computers act as clones or zombies in a malware controlled botnet. When the contoller sends the order, the zombies then launch a distributed attack.

Good luck with your studies.

Darril

Check out chapter 6 of this book (Predicting and Mitigating Threats) for more details on the different threats you may see covered on the Security+ exam, including over 375 practice questions.

CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

SY0-201 Practice Exam Question Hashing

2009-11-01T06:28:00.000-08:00

What is it called when the hash of two different files is the same?

A. Variation
B. Deviation
C. Collision
D. Conflict

Answer: C

Answer below.

A hash is simply a number that is created by performing a hashing algorithm on a file or a message. No matter how many times the hashing algorithm is calculated, it will always return the same number - unless the file or message has been modified.

When used in this context, a hash provides integrity. The hash is calculated at the source, and then again at the destination. If the hashes are different, the file or message has lost integrity.

However, what if someone could modify the message enough so that the new has is the same as the original hash. It would look like it has not lost integrity because the hashes are the same, but it has lost integrity. A secure hash (one of sufficient strength) cannot be recreated. In other words, someone should not be able to modify a file or message enough to reproduce the original hash.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

A hash collision occurs when two completely different files can produce the same hash when they are hashed using the same hashing algorithm. The other terms listed aren’t related to hashes.

Well-known ports

2009-10-30T11:54:00.000-07:00

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover some of the well-known ports and why they’re relevant when studying Security+.

First, you should understand how ports are used. This blog entry gives an overview. http://sy0201.blogspot.com/2009/10/understanding-ports.html

Ports from 0 to 1023 are known as well-known ports. There are assigned by IANA and can be viewed here: http://www.iana.org/assignments/port-numbers.

However, you don’t need to know them all. First, let’s discuss why are they relevant.

When doing basic packet filtering, a firewall can filter based on IP addresses and ports. However, what if you want to allow HTTP traffic (regular Internet traffic)? You can’t create packet filter rule to allow HTTP traffic (at least not directly). Instead, you create a packet filter rule to allow port 80 (the well-known port for HTTP).

What if you want to allow SMTP traffic? You would allow traffic using port 25. What if you want to allow DNS traffic? You allow traffic using port 53.

Routers and firewalls typically use an implicit deny implementation. What this means is that all traffic is blocked (implicitly denied) unless it is explicitly allowed. In other words, the only traffic that is allowed is the traffic that has an associated rule allowing it. Allowed traffic is sometimes referred to as an exception.

How does all this apply to Security+? You may need to know how to block, or how to allow certain traffic identified either by the protocol or by the port. The only way you can answer these types of questions is by knowing the well-known ports.

Here are some:

FTP 20, 21
SSH 22
Telnet 23
SMTP 25
DNS 53
HTTP 80
Kerberos 88
POP3 110
NNTP 119
IMAP4 143
LDAP 389
HTTPS 443
LDAP/TLS or LDAP/SSL 636

You can find more information on ports including some sample questions in this book: CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

Good luck in your studies.

Darril

Understanding Ports

2009-10-29T16:18:00.000-07:00

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover how ports are used by systems.

TCP/IP uses IP addresses (and MAC addresses) to get traffic from one host to another. However, when a packet arrives, how does the system know what service, process or protocol to send the packet to? The answer is the port.

Imagine that Sally is using Internet Explorer to do a search with Google.com. DNS is used to resolve Google.com to an IP address and a packet is sent to the Google web site with Sally’s search data. The packet will have a source and destination IP address, and a source and destination port:

Source
70.167.73.10
Port 1025
Destination
74.125.67.100
Port 80

When the packet reaches the destination IP address (Google), it is examined to identify the destination port. The Google server sees the port is 80 and passes the packet to the service handling HTTP - the web server service. It knows to do this because port 80 is the well-known port for HTTP. The web server service than creates a return packet with the data.

Destination
70.167.73.10
Port 1025
Source
74.125.67.100
Port 80

What isn’t apparent is that when the packet was created for Internet Explorer, the system designated a port (in this case 1025) for Internet Explorer. When the packet from Google reaches Sally’s computer, it has a destination port of 1025 so the packet is passed to Internet Explorer.

At another time, Sally’s computer may register port 1046 (or some other port beyond port 1023) to Internet Explorer. The point is that while well-known ports are constant, the return port isn’t constant.

Good luck in your studies.

Darril

Security+ and CISSP

2009-10-28T02:40:00.000-07:00

While the CompTIA Security+ exam is a difficult exam, many people look at it as a stepping stone to other certifications. If you stay in the security arena, a next step may be the CISSP ISC2 certification, which is significantly more difficult than the CompTIA Security+.

Several weeks after taking the CISSP exam, I received notification of a successful pass. Woo Hoo!

One thing that was very apparent to me was the information I learned while studying the CompTIA Security+ objectives definitively helped me with the CISSP. The CISSP exam is a monster and will take a lot more time and effort to master than the Security+ certification. However, if you take the time to truly learn the material for the Security+ exam, you'll be a step closer to the CISSP.

As one of many examples, understanding public key cryptography helped with many questions on the CISSP exam. Chapter 9 of the CompTIA Security+ SY0-201: Get Certified, Get Ahead book includes all of the material you'll need for cryptography in Security+ and you won't need much more if you later pursue the CISSP.

Darril

Biometrics used in Authentication

2009-10-26T17:00:00.000-07:00

When preparing for the CompTIA Security+ (SY0-201) exam, you'll come across objectives related to authentication, including the use of biometrics.

There are three factors of authentication:

Something you know (such as a password or PIN)
Something you have (such as a smart card)
Something you are (using biometrics)

Biometrics can be very exact when the technology is implemented accurately. However,it is possible to get false readings. Two possible false readings are:

False acceptance. This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.
False rejection. This is when a biometric system incorrectly rejects an authorized user.

True readings occur when the biometric system indicates a match. Two possible readings are:

True acceptance. The biometric system accurately determines a positive match.
True rejection. The biometric system accurately determines a non-match.

Good luck with your studies.

Darril Gibson

Digital Signatures

2009-10-24T02:16:00.000-07:00

Cryptography covers 15 percent of the CompTIA Security+ (Exam SY0-201) objectives, and digtial signatures are one element you should understand.

A digital signature provides authentication, integrity and non-repudiation. It requires a PKI infrastructure because public and private keys are used. A public and private key pair is two keys where one can encrypt data, and this data can only be decrypted by the other key.

Here's the process if Sally creates a messages and digitally signs it.

First, a hash is created of the message. This is effectively just a number (though a large number) created by executing a hashing algorithm agains the message. The hash provides integrity.
The hash (not the message) is encrypted with Stally's private key. Sally's private key is private and she is the only one that access to it.
Sally sends the message to Joe. Joe has Sally's public key. If Sally's public key can decrypt the hash, then it must have been encrypted with Sally's private key. This provides both authentication and non-repudiation.
The hash can be recomputed on Joe's computer. If the hash is the same as the encrypted hash sent by Sally, message integrity has been maintained. If the hash was different, message integrity is lost.

Hope this helps.

Darril Gibson

Use of Virtualization in Security

2009-10-22T02:03:00.000-07:00

One of the CompTIA Security+ (Exam SY0-201) objectives is "Explain the purpose and application of virtualization technology." You may be wondering what this is about.

First, virtualization centers around virtualization desktop infrastructure (VDI) where a single physical computer can host multiple computer operating systems. Many virtualization technologies exist such as VMWare and Microsoft's Virtual PC (upgraded and renamed to Windows Virtual PC in Windows 7). I'm more familiar with Virtual PC (VPC) but the uses between brands are common. One great feature is that if something goes wrong with the virtual system, changes can be easily rolled back or undone.

As a simple example, I am running Windows 7 on my desktop PC and have a virtual mini-lab running on the system with Windows Server 2008 in one virtual system running as a domain controller, and a Windows 7 computer running as a client in the virtual domain. I have configured both of these two be able to communicate with each other but they are isolated from the host system or the Internet.

With an understanding of virtualization and VDI, we can now discuss how it can be used in security. From a security perspective, virtualization can be use for a couple of purposes such as:

Testing of patches. When patches for the operating system or applications are released, they can be applied in a virtual environment. They can be tested here in a safe environment without any impact on the production environment.
Testing of malware. Once malware is discovered, security professionals want to know what it does and how it does it. This often entails releasing it and observing what happens. Again, a virtual environment is safe and won't impact the performance of the host operating system or the regular network.

Darril

Encryption Basics for Security+

2009-10-19T02:43:00.000-07:00

The CompTIA Security+ (SY0-201 exam) objectives state that 15 percent of the exam will be on cryptography. Cryptography has several elements and an important one is the use of encryption.

Encryption is used to enforce confidentiality (one of the three elements in the security triad of confidentiality, integrity and availability). If you want to keep your data secure and prevent unauthorized disclosure, you can encrypt the data to make it unreadable.

Encryption uses an algorithm and a key. If either the algorithm is weak or the key is weak, the encryption can easily be broken. Most algorthms are well known but keys are either frequently changed, or kept secret.

Two major types of encryption are used: symmetric and assymmetric.

Symmetric encryption uses a single key to both encrypt the data and decrypt the data.

The most popular type of symmetric encryption is AES. AES is considered a fast, highly secure encryption algorithm. It is significantly faster (using less processor and memory resources) than both DES and 3DES. AES256 uses a key size of 256 bits.

Asymmetric encryption uses two keys that are created as a matched pair (a public key and a private key). Data encrypted with a public key can only be decrypted with the matching private key. Data encrypted with the private key can only be decrypted with the public key
A Public Key Infrastrcuture (PKI) is required to support asymmetric encryption. Any entity can have a private key (which is always kept private). The matching public key is embedded in a certificate issued from a certificate authority (CA).

Darril Gibson

SY0-201 Practice Exam Question Cryptography

2009-10-18T03:07:00.000-07:00

Which of the following can use a PSK?

A. Asymmetric encryption

B. PKI

C. TPM

D. PGP

Answer below.
On the surface, this 8 word question seems rather simplistic. However, unless you've spent time with the material, all of the acronyms will make it very difficult. PSK can mean many things, but in the context of security, and with all of the answers relating to cryptography, it refers to a pre-shared key.

Over 375 practice test questions in this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

The correct answer is C. A trusted platform module (TPM) uses a pre-shared key (PSK) to encrypt and decrypt data such as entire disks. (Microsoft uses this with BitLocker.) Symmetric encryption uses a single key to both encrypt and decrypt while asymmetric encryption uses two keys—public and private. Both PGP (Pretty Good Privacy) and PKI (Public Key Infrastructure) use asymmetric encryption.

Good luck on the exam.

Darril Gibson

SY0-201 Practice Exam Question

2009-10-17T03:48:00.000-07:00

Sally is using a Bluetooth enabled device. She asks you what the best protection is that she can use to protect this device. What do you tell her?

A. Ensuring the Bluetooth device is in discovery mode

B. Ensuring the Bluetooth device is in non-discovery mode

C. Ensuring the Bluetooth device has bluejacking disabled.

D. Ensuring the Bluetooth device has bluesnarfing disabled.

Answer listed below

You can read a blog on risks and vulnerabilities for Bluetooth devices here:

Over 375 practice test questions in this book:

The correct answer is B.

Ensuring a Bluetooth device is in non-discover mode is the best protection against bluesnarfing and bluejacking attacks. When in discovery mode, Bluetooth devices can easily be exploited. Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device.Bluejacking is the unauthorized sending of text messages from a Bluetooth device.

Related objective:
2.7 Explain the vulnerabilities and implement mitigations associated
with wireless networking.
• Bluejacking
• Bluesnarfing

Qualitative Risk Assessment

2009-10-16T01:52:00.000-07:00

The CompTIA Security+ (SY0-201 exam) includes many objectives on risk assessments. One type of risk assessment is the qualititative risk assessment.

A qualitative risk assessment uses numbers or values to categorize risks based on probability and impact. (Quantitative risk assessments use dollar figures to calculate SLE and ALE.)

As an example, terms such as low, medium, and high could be used or the numbers one through ten could be used. The two categories often included in a qualitative risk assessment are probability and impact.

Probability. The likelihood an event will occur. For example, the probability that an Internet-facing web server will be attacked is close to 100 percent and could be given a numerical value of 10. However, the likelihood that an internal workstation in the library with no Internet access will be attacked through the Internet is very low, so it could be given a numerical value of 1.
Impact. The negative result of the event occurring. If the web server is down, the impact may be considered significant and given a value of 10. If the library workstation is down, a library patron may be inconvenienced, so it may be given a value of 1.

Now the risk can be calculated by multiplying the probability and the impact.

Web server. 10 * 10 = 100
Library computer. 1 * 1 = 1

A manager can look at these numbers and easily determine how to allocate resources to protect against the risks. More resources would be allocated to protect the web server than the library computer.

While these two examples are extreme to show how the model can be used, the model can help identify the priorities in the middle ranges which are more difficult determine.

You can read about quantitative risk assessments here.
Good luck on your Security+ exam!

Darril Gibson

Bluetooth Concerns

2009-10-15T02:04:00.000-07:00

The CompTIA Security+ (SY0-201) exam includes some objectives related to Bluetooth.

Bluetooth is a popular short-range wireless system used in smaller portable wireless devices including phone, personal digital assistants (PDAs), and computer devices.

Two significant threats and one vulnerability exists with Blueetooth.

Threats. Bluesnarfing and bluejacking are two threats against Bluetooth devices that are left in discovery mode.

Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device. Information that can be accessed through bluesnarfing includes: email, contact list, calendar, and text messages.
Bluejacking is the unauthorized sending of text messages from a Bluetooth device without the permission of the owner.

Vulnerability. Any Bluetooth device that is turned on and in discovery mode is easily exploited through a bluesnarfing or bluejacking attack.

When Bluetooth devices are first configured, they are configured in discovery mode.While in discovery mode, a Bluetooth device is easily discoverable and visible to other devices. Bluetooth devices are identified with a MAC address just as a NIC has a MAC address. In discovery mode, the Bluetooth device broadcasts its MAC address, allowing other devices to see it and connect to it.

Once a device connects with another device, it is paired to open the communication channel. After the pairing process, the Bluetooth device should be changed from discovery mode to non-discovery mode. Non-discovery mode is also referred to as invisible mode. While in non-discovery mode, the device doesn’t broadcast information about itself. Additionally, many devices add encryption to the communication process when in non-discovery mode.

Darril Gibson

SSL, OCSP vs CRL

2009-10-14T01:54:00.000-07:00

When preparing for the CompTIA Security+ (SY0-201) exam, you should have a basic understanding of how SSL is used and how certificates can be checked.

Web sites use certificates to create SSL sessions. When a user clicks a HTTPS link, it initiates the SSL handshake process.

The web site will then send the client a certificate with a public key that can be used in the asymmdtric portion of the SSL session to create a session key. (The session key will then be used in the symmetric portion of the SSL session.) The client needs to verify the certificate is trusted and valid:

Trusted. First, the certificate must have been issued from a trusted certificate authority (CA). A list of trusted CAs can be viewed in Internet Explorer by clicking Tools -> Internet Options, selecting the Content tab, click the Certificates button, and selecting Trusted Root Certification Authorities. If the certificate was issued to the web site from a company with a certificate in the Trusted Root Certification Authority store, it will be trusted. If the certificate is not trusted, the user will be notified that it's not trusted and encouraged not to continue.

Valid. Next, the client attempts to validate the certificate. CAs can revoke certificates if they become compromised in some way. A revoked certificate is considered invalid and shouldn't be used. Revoked certificates are published on a certificate revocation list (CRL). Clients can check if a certificate is valid using one of two methods:

Requesting the CRL. The client requests a copy of the CRL from the CA. The CA sends the CRL and the client then checks the CRL to see if the certificate is on the list. If it's on the list, it's considered invalid and wouldn't be used.
Online Certificate Status Protocol (OCSP). OCSP is an improved streamlined process. Instead of the client requesting a copy of the CRL, the client queries the CA about the certificate. Certificates are uniquely identified with a serial number. The CA then replies indicating the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known by the CA.

Once the certificate is verified to be trusted and valid, the public key embedded in the certificate is used to encrypt the session key. Imagine the client wants to use a key of 1234. The client then encrypts this key with the public key to result in something like "AF4D2D0F3EB304". (Both the session key and the encrypted session would be much larger but are shortened for illustration purposes. )

At this point, only the client knows the session key. The encrypted session key is sent back to the web server. Since this key was encrypted with the public key (which is matched to the private key held by the server and unknown to anyone else) it can't be decrypted if anyone intercepts it. When the web server receives the encrypted key, it decrypts it with the private key. Use of the public and private key is known as asymmetric encryption.

For the remainder of the session, the client and server use the session key (symmetric encryption).

Darril Gibson

Three Factors of Authentication

2009-10-13T02:01:00.000-07:00

A heavily tested concept in the CompTIA Security+ (SY0-201) exam is authentication. Authentication is used to verify a user’s identity by providing a previously known identifier. Basically, there are three ways to do this which are commonly referred to as the three factors of authentication.

Something you know. As an example, a user would know their username and password. This is considered the weakest form of authentication. One of the primary reasons is that users often use weak passwords or write their passwords down.
Something you have. Smart cards and fobs are common examples. A smart card is a credit card sized card that holds key information about the user. Smart cards have certificates embedded in them using TLS and provide very strong authentication. A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server. When the user logs into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.
Something you are. Biometrics is used for this factor of authentication and is not only in movies. Biometrics is commonly used in many applications today. A common example is at theme parks like Disney World. It includes fingerprints, retinal scans, voice prints and even handwriting analysis. Biometrics is considered the strongest form of authentication, but also the most expensive.

Multifactor Authentication. Multifactor authentication combines two or three of the factors. Two common examples are where:

Someone may have a smart card and know a personal identification number (PIN), or
Have a fob and know their username and password.

Darril Gibson
http://www.sy0-201.com/

DoD 8570.1 and Security+

2009-10-11T02:20:00.000-07:00

I've occassionally heard people ask about the popularity of CompTIA Security+ certification in the past few years. What is driving so many people to seek this certification?

One of the big driving factors is a U.S. Department of Defense (DoD) directive named DoD 8570.1. This directive mandates many IT professionals employed in the government to have specific certifications. Some of the common certifications are CompTIA A+, Network+, and Security+ and the people required to have the different certifications are military personnel, civilian employees and civilian contractors.

While civilian companies aren't mandated to have employees with these certifications, they are much more competitive when they compete for IT service contracts if some of their employees have the certifications.

Darril Gibson

Quantitative Risk Assessments

2009-10-10T16:52:00.000-07:00

If you're preparing for the CompTIA Security+ SY0-201 exam, you'll see some objectives related to risk, risk assessments, and risk management.

Risk assessments are used to prioritize risks. All risk can’t be prevented. Instead, risk management attempts to mitigate risk.

One quantitative risk model uses three elements three elements to quantify and prioritize risks. They are:

Single loss expectancy (SLE). The is the cost of any single loss expressed in monetary terms (such as $4,000).
Annualized rate of occurrence (ARO). This indicates how many times the loss is expected to occur if no action is taken. For example, it may have occurred an average of 4 times in the past three years, so the ARO would be 4.
Annualized loss expectancy (ALE). SLE * ARO. What you expect to lose annually if no action is taken in this example is $16,000.

Now imagine that you have used this to quantify 4 different losses. They have AROs of $100, 2,000, $, 8,000, and $16,000. Which one is the most important to mitigate? Knowing the AROs, you can easily see the risk that results in an annual loss of $16,000 is the most important to address.

Using an SLE of $4,000, and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 and reduce the ARO from 4 to 1. How much money would you save?

The original ALE is $16,000 ($4,000 * 4).
If the ARO was reduced to 1, the ALE would be $4,000 ($4,000 * 1), or a reduction of losses by $12,000.
You spent $2,000 to save $12,000 so you saved $10,000

Another way of looking at this is to use these figures to determine the effectiveness of a mitigation measure. Imagine the ALE is $16,000. Someone proposes a risk mitigation solution that costs $35,000 a year with a guarantee that it will eliminate this risk. Does that make fiscal sense? In other words, you’ll spend $35,000 to save $16,000 - not too good. Now instead of losing $16,000, you’re spending $35,000.

Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ SY0-201 exam.

You can read about qualitative risk assessments here.

Darril Gibson

Intrusion Detection Systems (HIDS and NIDS)

2009-10-10T02:01:00.000-07:00

Someone recently mentioned that they took the CompTIA Security+ SY0-201 exam and had several IDS questions such as HIDS and NIDS. This makes a lot of sense since these are heavily covered on the objectives. Here are some of the basics:

An Intrusion Detection System (IDS) is designed to detect intrusions but a host-based IDS (HIDS) works a little differently than a network-based IDS (NIDS). Some of the points of each are:

HIDS

Installed on a host computer such as a workstation or server
It is used primarily to monitor traffic going through the NIC of the host
Can consume resources of the workstation
Can monitor network traffic sent to the host or coming from the host only
Data stored locally (on the host)

NIDS

Installed on network devices (such as firewalls, routers or switches)
These devices are referred to as sensors or tabs
Data centrally managed - sensors report back to a central console
Cannot monitor encrypted traffic on individual hosts

Both types can use either signature-based detection or anomaly-based detection.

Signature-based
The IDS looks for known attack patterns (similar to how anti-virus program use virus signatures)

Anomaly-based
A baseline of normal operation is created to determine normal operation. When events occur that are ‘out of the norm’ (anomalies), the system alerts

Also, both types can have either a passive or active response.

Passive Response
Alerts are logged and personnel are typically notified.

Active Response
An active response will also take some action to modify the environment. A common active response would be to change the ACL on a router or firewall to block access from the attacker.

Darril Gibson

Moving my blog to BlogSpot

2009-10-09T17:24:00.000-07:00

After my original Security Plus blog (hosted on webhostforasp.net) went down for four days,. I've decided to move it to a more reliable location.

In addition to moving my other blog posts over to blogspot, I'll be adding regular blog entries on Security Plus

Darril Gibson
http://www.sy0-201.com/