security
TRANSCRIPT
Security+ study guide
Written by McCya mccya.webs.com Page 1
Security+ Concepts
The Security+ exam is well-known to test heavily on concepts rather than on purely
technical knowledge. Security+ concepts relate to the ideas that govern good information
security practices. You can think of these core concepts as a sort of “constitution” or even a
“charter” of information security. Any organization or practice will inevitably have some sort
of governing ideology; for the Security+ exam (for information security), this ideology is
always related to the acronym: CIA.
What’s CIA?
CIA (in this context, of course) stands for Confidentiality, Integrity, and Availability.
These are the three tenets or cornerstones of information security objectives. Virtually all
practices within the umbrella called “Information Security” are designed to provide these
objectives. They are relatively simple to understand and common-sense notions, yet the
Security+ exam writers love to test on CIA concepts. So, you should understand CIA very
well in order to understand the reasoning behind later practices as well as to ace this portion
of the exam.
Confidentiality
Confidentiality refers to the idea that information should only be accessible to its intended
recipients and those authorized to receive the information. All other parties should not be
able to access the information. This is a pretty common and straight-forward idea; the US
government for example marks certain items “Top Secret,” which means that only those
who are cleared to see that information can actually view it. In this way, the government is
achieving information confidentiality. Another common example is the sharing of a secret
between two friends. When the friends tell each other the secret, they usually whisper so that
nobody else can hear what they are saying. The friends are also achieving confidentiality.
Integrity
Security+ study guide
Written by McCya mccya.webs.com Page 2
Integrity is the idea that information should arrive at a destination as it was sent. In other
words, the information should not be tampered with or otherwise altered. Sometimes, secret
information may be sent in a locked box. This is to ensure both confidentiality and integrity:
it ensures confidentiality by assuring that only those with a key can open it; it ensures
integrity by assuring that the information is not able to be altered during delivery. Similarly,
government documents are often sealed with some sort of special stamp that is unique to an
office or branch of government. In this way, the government ensures that the people reading
the documents know that the document is in fact a government document and not a phony.
Availability
Imagine that a terrorist blocks the entrance to the Library of Congress. Though he did not
necessarily destroy the integrity of the books inside nor did he breach confidentiality, he did
do something to negatively affect the security of the Library. We deem his actions a “denial
of service,” or more appropriately, a denial of availability. Availability refers to the idea
that information should be available to those authorized to use it. When a hacker floods a
web server with erroneous requests and the web server goes down as a result of it, he denied
availability to the users of the server, and thus, one of the major tenets of information security
have been compromised.
Wrap Up
Well, you’ve completed your first Security+ lesson! That wasn’t so bad, now was it? As you
can see, a lot of what is covered on the Security+ exam is actually commonsense. However,
don’t take CIA lightly – it is heavily tested! Below are a few questions that should help you
review what you’ve learned today:
Quick Review
1. Which of the following are components of CIA? (Choose all that apply)
a. Confidentiality
b. Authentication
c. Integration
d. Integrity
e. Availability
f. Character
Security+ study guide
Written by McCya mccya.webs.com Page 3
2. A user encrypts an email before sending it. The only person that can decrypt the
email is the recipient. By encrypting the email in this way, the user is attempting to
preserve the:
a. Confidentiality of the recipient
b. Accessibility of the email server
c. Confidentiality of the information
d. Integrity of the information
3. A hooligan unplugs the power from the central data server at a large bank. Which of
the following describe the effect on information security?
a. Confidentiality has been breached
b. Loss of availability
c. The information has lost integrity
Answers
1. The components of CIA are Confidentiality, Integrity, and Availability. The answer is
(A,D,E)
2. This is a tough question that is sure to manifest itself on the exam. Don’t be confused
between confidentiality and integrity. Remember that confidentiality refers to the fact that
only the recipient can receive the information, whereas integrity means that the information is
basically in the same state that it was sent. Although the encryption may prevent others “in
the middle of the communication” from understanding the email, it does nothing to prevent
them from manipulating the email being sent. So, the answer is that it only ensures the
confidentiality of the information and NOT the integrity of the information. ( C )
3. By unplugging the power, the punk is basically denying availability to the users of the
server. He is not however actually changing the information stored on the server nor is he
trying to read any sort of confidential information. The answer is therefore that his actions
produce a loss of availability (B)
Access Control
Security+ study guide
Written by McCya mccya.webs.com Page 4
One of the most crucial areas of information security that dates back to its origins is the idea
of access control. Access control is the ability of a system to limit access to only certain
users. When you think access control, think “password.” Of course, there are many ways to
authenticate users than just passwords, but passwords are probably the most well-known way
of controlling access to resources, especially to information security laymen. We’ll now look
into the specifics of access control.
Types of Access Control Factors
One of the key questions associated with access control is: How do you ensure that a user is
in fact who he claims to be? There are many ways to do so, and so they have been
categorized into three types of factors.
Type I: What you know – Access control methods related to “what you know”
include passwords, numeric keys, PIN numbers, secret questions and answers,
and so forth. Basically, Type I access control depends on the user knowing something
in order to access the information.
Type II: What you have – You probably use this access control method every day
without realizing it. A physical key is used to open a door to your house through a
lock – a form of Type II access control. In information security terms, Type II access
control methods may include physical keys or cards, smart cards, and other
physical devices that might be used to gain access to something.
Type III: What you are – This form of access control is closely related to biometrics
or authentication by biological factors. Some high-tech systems may use
fingerprints, retinal scans, or even DNA to ensure that a user is who he claims to
be. This type of access control is considered the most secure because it requires that a
user be physically present whereas the other two can be compromised by theft of a
password or a keycard.
The best authentication systems use more than one factor (Type) to ensure a user’s
identity; this is known as “multi-factor authentication.”
Security+ study guide
Written by McCya mccya.webs.com Page 5
The Workings behind Access Control
There are essentially three steps to any access control process.
1. Identification: Who is the user?
2. Authentication: Is the user who he says he is?
3. Authorization: What does the user have permission to do?
Authentication is achieved through the factors discussed above, but Authorization is
actually achieved between the reference model and the Kernel of the operating system.
The reference model is the system that directs the Kernel what it can and cannot access. A
request to access information would be sent through the reference model to verify that the
user requesting access should actually have access to what he is requesting. The kernel then
acts only if the reference model directs it to do so.
Methods of Access Control
Another very important question that should be raised when considering access control is:
“Who determines which users have access to information?” The Security+ exam suggests
three different methods of determining this:
MAC: Mandatory Access Control is the system in which a central administrator or
administration dictates all of the access to information in a network or system. This
might be used in high-security applications, such as with the label "top-secret
government information". Under MAC, subjects (the user or process requesting
access) and objects (the item being requested) are each associated with a set of
labels. When a subject requests access to an object, access is granted if labels match,
and denied if the labels do not match.
DAC: Discretionary Access Control is the system in which the owners of files
actually determine who gets access to the information. In this system, a user who
creates a sensitive file determines (through his own discretion) who can access that
sensitive file. This is considered far less secure than MAC.
RBAC: Role-Based Access Control is related to a system in which the roles of users
determine their access to files. For example, if Bob is a member of accounting, he
should not be able to access the engineering files.
A Last Word
Access Control is a very important and highly-tested subject! It is, like CIA, highly
conceptual but crucial to understanding information security. It is used to ensure both the
confidentiality and the integrity of information and therefore plays a large role in the CIA
picture. You should spend time understanding the Types and Methods of access control so
that you can ace this portion of the exam.
Security+ study guide
Written by McCya mccya.webs.com Page 6
Quick Review
1. On an Active Directory network the group(s) that a user is in determines his access to
files. This is a form of:
a. MAC
b. DAC
c. Type II Authentication factor
d. RBAC
e. Type I Authentication factor
2. Which of the following is not a possible description of Type III authentication?
a. Something you are
b. Fingerprints
c. Passwords
d. Retinal scans
3. Which of the following is the correct order of the access control process?
a. Identification, Authorization, Authentication
b. Authorization, Identification, Confidentiality
c. Identification, Authentication, Authorization
d. Confidentiality, Integrity, Availability
Answers
1. Because the group that the user is in determines his access to files, it is not a far step to say
that his role really determines his access to those files. The answer is RBAC. (D)
2. Passwords are Type I (something you know) rather than Type III (something you are), so
the answer is C
3. The correct order of the process is C.
Security+ study guide
Written by McCya mccya.webs.com Page 7
Special Authentication Methods
There are some authentication methods that merit their own coverage because they are
specifically tested on the exam. Below is the information about each of them that you need to
know in order to answer these kinds of questions correctly.
Kerberos
Kerberos is an open-source and widely-accepted method of authentication that works
on a shared secret key system with a trusted third party. Before you begin to understand
how Kerberos actually works, you should consider this analogy: two people are in love and
want to deliver messages of their affection to each other. The problem is that they cannot
express their love for each other openly because of a family feud. So, they entrust a mutual
friend to deliver their secrets to each other.
In essence, Kerberos does much of the same. If two users wish to communicate with each
other, they must first contact a trusted Kerberos server to obtain a shared secret key. Only the
users that have this key can communicate with each other because the key encrypts and
decrypts messages. The logical part of the Kerberos server that governs key distribution is
aptly called the Key Distribution Center, or KDC. Once keys have been distributed to the
two parties wishing to communicate, Kerberos then issues what are known as “tickets”
through the TGS or Ticket Granting Server. These tickets allow for the actual
communication between the clients by storing authentication information.
Kerberos has a wide variety of applications, especially in open source software, but is not
without vulnerabilities. One is that Kerberos makes extensive use of that trusted third
party. If the third party is compromised, information confidentiality and integrity may
be breached. If the third party simply fails, availability is lost. Kerberos also uses time
stamps in order to “time out” communications. Time stamps mitigate the threat of replay
attacks and provide a small measure of integrity. If two hosts are on different times,
communication will be impossible.
Remember that Kerberos is associated with SSO (single sign-on) technology.
Biometrics
Security+ study guide
Written by McCya mccya.webs.com Page 8
As discussed before, biometric factors are factors of authentication that utilize the biological
factors of a user. Biometric authentication and identification is considered the most secure.
Typical biometric factors include fingerprint and retinal scans as well as photo-comparison
technology.
Username / Password
The most common form of authentication system is a username and password system.
This is a Type I system and therefore relies on the difficulty of guessing the password for
effectiveness. There may be questions on the Security+ exam about what constitutes a good
password. Use common sense here! A good password would obviously consist of numbers
and letters, lower and upper case, and symbols. In other words, the general rule of thumb is
that a good password is complex. Another rule of thumb is that a good password should be at
least six characters and probably eight. In fact, eight or more is the standard at the moment.
Systems that allow for lost password retrieval should not allow a malicious user to learn
information about the users of a system; in addition, systems should not elaborate as to
whether a username or password is incorrect as this would aid potential attackers.
Multifactor
Multifactor authentication refers to using more than one factor to authenticate a user. Multifactor authentication is more secure than single factor authentication in most cases. An
example of multifactor authentication would be an authentication system that required a user
to have both a password and a fingerprint.
CHAP
Challenge-Handshake Authentication Protocol, or CHAP, is an authentication protocol that
uses username and password combinations that authenticate users. It is used in PPP, so
its most common application is dial-up internet access user authentication. All you really
need to know about it is that it uses a three-way handshake to prevent replay attacks.
Microsoft has a version of CHAP known as MS-CHAP.
SSO
Single sign-on, or SSO, refers to the ability for a user to only be authenticated once to be
provided authorization to multiple services.
Summing it up
Security+ study guide
Written by McCya mccya.webs.com Page 9
You will see a question on the Security+ exam on almost every one of these items. Kerberos
will be tested with more than two questions. It would be to your benefit to carefully study
each of these items individually to understand what each is all about.
Quick Review
1. Which of the following would not be a form of multifactor authentication?
a. Requiring an ATM card and a pin number
b. Requiring a secret answer to a given question
c. Requiring a fingerprint and a Kerberos ticket
d. Requiring a USB key and a password
2. Which of the following is a true statement about Kerberos?
a. It requires two distinct physical servers, one to give keys and the other to give tickets.
b. It is only used in UNIX environments.
c. Communication can only take place when both parties can utilize a trusted third party
Kerberos server.
d. It is a form of biometric identification and authorization.
3. A user complains that he has to use a separate login and password for his email, his
domain account, his specialized software, and even for his computer. What would be a
solution to his problems?
a. Smart card
b. SSO technology
c. Biometrics
d. CHAP
Answers:
1. All of the choices use two factors for authentication with the exception of B, which
requires only one factor (an answer to a question). (B)
Security+ study guide
Written by McCya mccya.webs.com Page 10
2. Be careful! Kerberos is often used in UNIX environments, but it is not exclusively used in
UNIX environments. Also, the TGS and KDC servers are logically but not necessarily
physically separate. Finally, choice D is totally without merit. The answer is ( C ).
3. Because SSO provides a single sign on for multiple services, the user would desire that as
a solution as it could create fewer login screens. The answer is ( B )
Attacks and Malicious Users
(An example of a buffer-overflow attack)
A key aspect to any war is to know your enemy. If you consider the battle against malicious
users a war, then understanding the attacks that they use is crucial. Below is a listing with
descriptions of the most common kinds of attacks used by malicious hackers and other bad
people.
Social Engineering
This kind of attack is probably the most commonly successful and damaging of all attacks,
yet it requires no technical ability. Social engineering is an attack by which the attacker
manipulates people who work in a capacity of some authority so that the attacker can get
those people to do something that he desires. For example, if an attacker calls into a business
posing as a bank representative who is reporting foul activity on an account and then
proceeds to ask for a routing number, that attacker is engaged in a social engineering attack.
Remember, social engineering means manipulating people.
Dumpster Diving
This is another low-tech attack. All you have to remember about this attack is that the name is
very indicative of the nature of this attack – a dumpster diver would look through trash
and other unsecured materials to find pertinent information to either launch an attack or
carry out some other maliciously intended action.
Security+ study guide
Written by McCya mccya.webs.com Page 11
Password Cracking
This is an attack by which the attacker wishes to gain authentication (and
authorization) to network resources by guessing the correct password. There are three
basic kinds of password cracking attacks:
Brute Force – Every single possible combination of characters
(aaa,aaA,aAA,AAA,aab…)
Dictionary – Enter passwords from a text file (a dictionary)
Hybrid - A variation of the Dictionary approach, but accounting for common user
practices such as alternating character cases, substituting characters ("@" in place of
"A", etc), using keyboard patterns ("1QAZ", etc), doubling passwords to make them
longer, or adding incremental prefix/suffix numbers to a basic password
("2swordfish" instead of "swordfish, etc).
Attackers know that many users use the same or similar passwords for different systems.
Using a sniffer to obtain a user's password on an unsecure platform will provide a good
starting point for a quick hybrid attack on a different, more secure platform. For example,
Yahoo Messenger transmits passwords in clear text. An attacker can easily obtain a user's
Yahoo password, and then attempt to access their bank account, or other sensitive
information, using that same password or a variant of that same password.
Most of the time when password cracking is attempted, the cracker has some means of
entering username and password combinations quickly. Usually this is through a cracking
program such as Brutus. One way to defend against cracking attacks is to put a mandatory
wait time before login attempts. Another way is to lock out the login system after a certain
number of attempts. Finally, limiting the number of concurrent connections to a login
system can slow down a cracking attack.
Flooding
Just like a flood can overwhelm the infrastructure of a locale, a flooding attack can
overwhelm the processing and memory capabilities of a network system or server. In a
flooding attack, the attacker sends an inordinate amount of packets to a server or a group of
hosts in order to overwhelm the network or server. This would, of course, cause a denial of
service to the hosts who demand whatever network resource has been overwhelmed. Some
special kinds of flooding attacks:
SYN Flood – A flood of specially crafted SYN packets
ICMP Ping Flood – A flood of ICMP pings
Spoofing
Spoofing is not always a form of attack but can be used in conjunction with an attack.
Spoofing is any attempt to hide the true address information of a node and is usually
associated with IP spoofing, or the practice of hiding the IP address of a node and replacing
it with another (false) IP address. One implication of a successful spoof is that investigators
Security+ study guide
Written by McCya mccya.webs.com Page 12
cannot trace the attack easily because the IP address is false. Spoofing can be achieved
through proxy servers, anonymous Internet services, or TCP/IP vulnerabilities.
Birthday Attack
Any attack based on favorable probability is known as a birthday attack. This comes
from the statistical truth that it is far more likely in a room of 100 people to find two people
who have the same birthday than it is to find a person with a specific birthday. For the exam,
just associate birthday attack with probability.
Buffer Overflow
A buffer overflow attack is a very specific kind of attack that is very common when attacking
Application level servers and services. Basically, a buffer is a memory stack that has a certain
holding size. Through a specifically and maliciously crafted packet, information can
overflow in that stack, causing a number of problems. Some buffer overflow attacks result
in a simple denial of service while others can allow for system compromise and remote
takeover of a system. Patches are usually issued to defend against specific buffer overflow
issues.
[edit section] Sniffing
A sniffing attack is one in which an attacker “sniffs” information, either off the media
directly or from regular network traffic, in order to compromise the confidentiality or
integrity of information. Un-switched Ethernet traffic can easily be sniffed when the NIC
operates in “promiscuous” mode, the mode in which the NIC reads all traffic regardless of the
destination IP address. Sniffing can be thwarted by careful attention to media security and
switched networks.
Overview
While there is certainly a dearth of space here to list all of the wonderful tricks that hackers
have up their collective sleeves, it is safe to say that the attacks that you will see on the
Security+ have been covered above. Study each one carefully and try to associate one word
with the attack that will help you remember what it’s all about; after a while, the distinction
between attacks will become more obvious and clear to you.
Quick Review
Security+ study guide
Written by McCya mccya.webs.com Page 13
1. An attacker sends a series of malformed packets to a server causing him to gain
access to the server as the “root” user. Which attack is this most likely to be?
a. Ping
b. Birthday
c. Spoofing
d. Sniffing
e. Buffer Overflow
2. You notice a dramatic increase in the traffic going through your network. After a
close examination of the traffic, you realize that the majority of the new traffic is in the
form of empty broadcast packets sent from a single host. What is most likely
happening?
a. You are experiencing normal network activity
b. The network is revamping from under-utilization
c. The network is being flooded
d. The network is being spoofed
3. Which of the following courses of action would not prevent a social engineering
attack?
a. Mandatory security training for new computer users
b. Administrative approval for any major system changes
c. Hiring a dedicated operator to handle undirected phone calls and emails
d. Installing a firewall with NAT technology
4. You notice that there have been over a thousand login attempts in the last minute.
What might you correct in order to prevent a similar attack in the future?
a. Install Apache Web Server
b. Limit the timeout value
c. Mandate and configure a lockout time period
d. Change the access control method
Security+ study guide
Written by McCya mccya.webs.com Page 14
Answers:
1. In a buffer overflow attack, a malformed packet is sent to overflow the heap of memory
that a server application uses. Some attacks can actually gain access to the root account. So,
the answer is (E)
2. Since the network is experiencing a dramatic increase in basically meaningless traffic from
a single host, it is likely to be an attempt at a flood attack. ( C )
3. All of the choices would inhibit the ability of an attacker to use a social engineering attack
except for (D), which would not affect the ability of an attacker to manipulate people in any
way.
4. By configuring a lockout time period ( C ) you can ensure that after a certain number of
unsuccessful attempts, further logins are disabled.
Remote Access
One of the most ever-present and ancient uses of the Internet and networking has been to
provide remote access to networks or network resources. Since the early 1980’s, different
remote access protocols have existed to allow users to remotely “dial in” to a network of
choice; while some of these protocols have come and gone, many of them remain widely
in use even today in dial-up WAN access and business VPN networks. The Security+
examination will test you on your ability to identify the security features, benefits, and costs
of several types of remote access protocols and services.
RAS
RAS, or Remote Access Service, is a rarely-used, unsecure, and outdated Microsoft offering
in the area of remote access technology. You should know for the exam that RAS provides
dial-up access and once was the protocol of choice for connecting to the Internet.
PPP
RAS was eventually replaced by PPP, the most common dial-up networking protocol
today. PPP, or point-to-point protocol, utilizes a direct connection from a client to WAN over
TCP/IP. This is advantageous for dial-up networking services as most people today wish
to be able to use the Internet, which of course requires TCP/IP networking. When you think
dial-up access, think PPP.
Security+ study guide
Written by McCya mccya.webs.com Page 15
Secure Connections
The next group of technologies is considered “secure” in that the technologies set up an
encrypted, sometimes “tunneled,” and difficult-to-intercept connection. These are the
technologies typically employed in VPN (Virtual Private Network) applications and
corporate remote networks.
PPTP
Point-to-point tunneling protocol, or PPTP, is a tunneling protocol that can encapsulate
connection-oriented PPP packets (which are simple remote access packets) into
connectionless IP packets. In doing so, the data remains within the “IP capsule,” which
prevents sniffing and other outside manipulation. PPTP is a client-server system that requires
a PPTP client, a PPTP server, and a special network access server to provide normal PPP
service. PPTP is commonly used to set up “Virtual Private Networks,” which are like LAN’s
that are spread across the Internet so that multiple remote clients can connect to one logical
network.
L2TP
Like PPTP, L2TP (Layer 2 Tunneling Protocol) utilizes a tunneling protocol, but unlike
PPTP, L2TP utilizes IPSec (IP Security) to encrypt data all the way from the client to
the server. Because of this, L2TP data is difficult to intercept. L2TP can accommodate
protocols other than IP to send datagrams and is therefore more versatile; it is also common
in VPN applications.
Tunneling, VPN, and IPSec
In the last lesson we learned about some of the more common remote access protocols in use
today. You should recall that a remote access protocol allows remote access to a network
or host and is usually employed in dial-up networking. Alternatively, some remote access
technologies are involved in remote control of a host, such as through secure shell or Telnet.
However, another class of remote access technologies does exist. This class is related to two
of the fundamental aspects of information security: confidentiality and availability. This
type of remote access technology allows a user to securely dial in or otherwise access a
remote network over an encrypted and difficult-to-intercept connection known as a “tunnel.”
These protocols are therefore usually referred to as tunneling or secure remote access
protocols.
Security+ study guide
Written by McCya mccya.webs.com Page 16
VPN
A virtual private network is a pseudo-LAN that is defined as a private network that
operates over a public network. It allows remote hosts to dial into a network and join the
network basically as if it were a local host, gaining access to network resources and
information as well as other VPN hosts. The exam will test you on your ability to recognize
different applications of VPN networks. Use common sense here! Obviously, VPN networks
would likely be employed in settings in which information security is essential and local
access to the network is not available. For example, a VPN might be utilized by a
telecommuting employee who dials into the office network.
PPTP
PPTP, or Point-to-point tunneling protocol, is a commonly implemented remote access
protocol that allows for secure dial-up access to a remote network. In other words, PPTP
is a VPN protocol. PPTP utilizes a similar framework as PPP (point-to-point protocol) for the
remote access component but encapsulates data into undecipherable packets during
transmission. It is as its name implies: an implementation of PPP that utilizes tunneling
by encapsulating data.
IPSec
IPSec is a heavily tested area of the Security+ exam. You will inevitably see at least one
question on IPSec and probably around three, so it will be to your benefit to understand IPSec
well. IPSec allows for the encryption of data being transmitted from host-to-host (or router-
to-router, or router-to-host… you get the idea) and is basically standardized within the
TCP/IP suite. IPSec is utilized in several protocols such as TLS and SSL. You should
know that IPSec operates in two basic modes. We will now study these modes in greater
detail.
Transport Mode – Provides host-to-host security in a LAN network but cannot be
employed over any kind of gateway or NAT device. Note that in transport mode, only
the packet’s information, and not the headers, are encrypted.
Tunneling Mode – Alternatively, in tunneling mode, IPSec provides encapsulation of
the entire packet, including the header information. The packet is encrypted and then
allowed to be routed over networks, allowing for remote access. Because of this, we
are usually most interested (at least for exam purposes) in the Tunneling mode.
IPSec is comprised of two basic components that provide different functionality:
AH – Authentication Header (AH) can provide authentication of the user who sent
the information as well as the information itself
Security+ study guide
Written by McCya mccya.webs.com Page 17
ESP – Encapsulating Security Protocol (ESP) can provide actual encryption
services which can ensure the confidentiality of the information being sent.
IPSec implementation
L2TP
L2TP, or Layer 2 Tunneling Protocol, is an alternative protocol to PPTP that offers the
capability for VPN functionality in a more secure and efficient manner. Rather than
actually replacing PPP as a remote access protocol or IPSec as a security protocol, L2TP
simply acts as an encapsulation protocol on a very low level of the OSI model – the Data
Link layer. L2TP, therefore, commonly utilizes PPP for the actual remote access service and
IPSec for security. Note that L2TP operates on a client/server model with the LAC (L2TP
Access Concentrator) being the client and the LNS (L2TP Network Server) acting as the
server.
Quick Review
1. Your boss asks you to recommend a solution that meets the following requirements:
1) He wishes to access the company network remotely, and 2) The access must be as
secure as possible. Which would you implement?
a. A VPN using L2TP and IPSec
b. A PPP dial-in network
c. Telnet
d. SSH
2. Which of the following components of IPSec would allow a message to be traced back
to a specific user?
Security+ study guide
Written by McCya mccya.webs.com Page 18
a. L2TP
b. TLS
c. AH
d. ESP
3. Which of the following is a true statement regarding the difference between tunneling
and transport modes of IPSec?
a. Transport only works with remote hosts
b. Tunneling only works between remote hosts
c. Transport is more secure than tunneling
d. Transport only works between local hosts
Answers
1. Your boss is essentially asking for a solution that allows for secure remote access to the
network (as opposed to a network host, which you might recommend SSH for). The answer is
A because the VPN satisfies his basic requirements.
2. AH provides the essential service of authentication of users sending messages. This allows
a message to be traced back to a specific host. The answer is C.
3. Transport mode is exclusive to local host traffic because only the payload is encrypted.
Transport mode will not work between remote hosts; for this, you must employ tunneling.
The answer is D.
Introduction to Cryptography
In this Security+ study guide you will notice that we like to jump around from topic to topic.
This is intentional! We want you to keep different topics fresh in your mind as some topics in
the exam are particularly boring. In this lesson, we will learn about the basics of
cryptography, including common terminology, function, and applications. In later
lessons, we will take a look at the more technical aspects of cryptography.
What is Cryptography?
Cryptography is the science of hiding the meaning of a message. Even children are familiar
with the concept of cryptography as they learn to speak to each other in “code languages” that
adults cannot understand. Rap stars employ lyrics that have alternate and more explicit
Security+ study guide
Written by McCya mccya.webs.com Page 19
meanings. The British in World War II were able to crack the Enigma Machine, Nazi
Germany’s method of ciphering critical data.
For the purposes of the Security+ exam, however, we will usually speak of cryptography in
terms of IT information security. Computers are often employed in conjunction with
cryptographic services and protocols as many of these require complex calculations that only
computers can provide in a timely manner.
AES, one of many cryptographic algorithms
How Cryptography Works
The basic concept of cryptography is very simple. In a typical cryptographic exchange,
information that is meant to be hidden for whatever reason is encrypted, or ciphered into a
difficult-to-interpret form. We call this conversion encryption because it involves the change
of clear text, or understandable data, into cipher text, or difficult-to-interpret data. The
encryption process is one-half of the entire cryptographic exchange.
At the other end of the process is decryption, or the conversion of cipher text into clear
text. Decryption is not always a part of encryption, however – some algorithms are called
“hashes” as they only apply encryption (that is, from clear to cipher text) and have no means
of deciphering the information. We will cover more on this later.
Public Key and Private Key Systems
A key is the password of sorts used to encrypt and decrypt data.
When an encryption key is made available to any host, it's known as a public key. In
contrast, a private key is confidentially shared between two hosts or entities.
A symmetric encryption algorithm uses the same key for encryption and decryption. When
a different key is used for encryption and decryption this is known as asymmetric encryption.
Security+ study guide
Written by McCya mccya.webs.com Page 20
More complex systems require both a public key and a private key to operate. We will go into
greater detail regarding these public key systems in later lessons but you should know of their
existence.
Cryptanalysis and cracking
Cryptanalysis is the act of breaking the cipher or attempting to understand the cipher
text. Cracking is often associated with cryptanalysis as cracking a shared key is often
essential to cryptanalysis attempts. Not every cipher is decipherable – for example, some
encryption algorithms are mathematically unbreakable (they operate on randomness) and
other encryption algorithms are hashes that do not provide one-to-one functionality (that is,
more than one input can result in the same output, making reverse-encryption or cryptanalysis
impossible). However, most cryptographic algorithms can theoretically be cracked but
require extraordinary amounts of computational power to do so. For example, RSA can take
millennia to crack, hardly the amount of time that a potential attacker or cryptanalyst
has available.
Applications and Functions of Cryptography
The Security+ exam will test you on your ability to recognize situations in which
cryptography might be employed. The general rule here is that cryptography is employed in
settings in which data confidentiality and integrity are desirable. For example, you would not
use cryptography when transferring MP3 files (unless those files were highly sensitive for
some reason) but you would certainly employ cryptographic methods when transferring
health information. In addition to data confidentiality and integrity, cryptography can provide
non-repudiation, which is the idea that a sender of information would not be able to
refute the fact that he or she did send that information or data. Here is a sample laundry
list of some well-known functions of cryptography:
Tunneling protocols and VPN
Email security (PGP et al.)
Secure file transfer (S-FTP)
Secure access to web pages (SSL)
Kerberos Authentication
Certificates
Document security
Final Thoughts
Security+ study guide
Written by McCya mccya.webs.com Page 21
We will continue to explore more on cryptography in the lessons to come. Cryptography is a
heavily-tested portion of the Security+ exam; we will cover the subject accordingly. It is
important that as you learn the specifics of cryptography protocols you understand the basic
terminology that is employed in any discussion of them.
Quick Review
1. Your manger asks you to employ a system in which the sender of a message would
not be able to deny that he sent that message. Your manager is asking for:
a. Certificate of authenticity
b. Non-repudiation
c. Authorization
d. SSL over HTTP
2. What is the primary difference between asymmetric and symmetric encryption
algorithms?
a. The use of a public key
b. Symmetric algorithms are one-way functions
c. The relative strength of the algorithm
d. The ability to perform man-in-the-middle attacks
3. Which of the following protocols does not employ cryptography?
a. HTTPS
b. SSH
c. Telnet
d. SFTP
e. IPSec
Answers
1. The idea that a sender would not be able to deny that he sent the information is called non-
repudiation. The answer is B.
Security+ study guide
Written by McCya mccya.webs.com Page 22
2. The primary difference between asymmetric (public key) and symmetric (private key)
algorithms is that asymmetric algorithms use both a public and a private key. The answer is
A.
3. All of the listed protocols with the exception of Telnet provide some encryption
functionality. Telnet transfers all information in clear text. The answer is C.
Malicious Software: Viruses, Trojan Horses, Worms
Despite all the hype about viruses and worms, the Security+ exam actually does not heavily
test on viruses and the like. However, you will probably see at least a few questions on these
topics and we will therefore go into some detail on the differences between different types of
malicious programs and how they can be avoided or prevented from propagating.
Viruses
A computer virus is malicious software that propagates itself upon the action of a user.
For example, some viruses send emails promising great information on how to get rich
quickly or pleasant images. The user then opens some sort of executable attachment (that is
almost certainly not what is promised) and the virus either immediately acts or waits as a
dormant drone to act, either upon the request of a master host or some sort of time period.
Viruses typically inflict damage by either destroying files categorically or installing new
files that drastically affect the performance of the computer. Most viruses also act to
“insert” themselves into various executable files, increasing the likelihood that a user will re-
run the malicious executable file.
One of the core tendencies of any computer virus is propagation. Most viruses include some
mechanism for both local and network propagation, including the sending of instant
messages, the setting up of web servers, and of course, emails. However, viruses are not
truly “self-propagating” in the sense that the virus is actually incapable of “forcing” itself on
another host machine in most cases. A virus typically needs user interaction to act (such as
opening an attachment). This need for user interaction is usually seen as what separates a
virus from a worm.
Worms
Unlike the friendly creatures that crawl beneath the crust, computer worms can be
extremely destructive and costly malicious programs that self-propagate to cause
unbelievable damage to computer networks across the world. Alternatively, worms can
help provide us the wonders of Google and Yahoo search engines. How can a worm be so
good and yet so bad?
Security+ study guide
Written by McCya mccya.webs.com Page 23
Actually, worms are not inherently evil. Worms are simply pieces of software that are able to
(through various means) self-propagate about the Internet. In many cases, computer worms
provide various services that we all love and utilize. One such worm is the World Wide Web
Worm, which “crawls” the Internet to pick up data from web pages for categorization and
indexing that we later utilize through popular search engines. Other “friendly” worms work
to quickly patch software that is vulnerable to attacks by – you guessed it – other
worms!
However, some worms also do irreparable damage to computers. Many of these worms,
which carry malicious payloads, install self-destructive software or a backdoor into the
PC. Remote control of infected hosts is often a primary goal of worm writers who seek to
crash high-profile websites and services through “Denial of Service” attacks.
Trojan Horses and Backdoors
A Trojan horse or backdoor is any software that attempts to give a remote user unauthorized
access to a host machine or user account. Some backdoors actually serve a legitimate purpose
(SSH, for example, might be classified as a “backdoor”) but in general, the terms
“backdoor” and especially “Trojan horse” are associated with malicious intent.
Some popular Trojan horses include:
BackOrfice
NetBus
SubSeven
VNC (can be used legitimately but also used for unauthorized access in
conjunction with a worm)
Quick Review
Security+ study guide
Written by McCya mccya.webs.com Page 24
1. What is a fundamental difference between a worm and a virus?
a. Worms are less destructive
b. Worms only act on the lower layers of the OSI model
c. Worms do not require user intervention
d. Worms are more destructive
2. You notice unusual network traffic on a port number whose function you cannot
identify. This is probably the mark of a (an):
a. NetBIOS session
b. Trojan horse
c. Exploit
d. Telnet session
3. Which of the following is not true of viruses?
a. They tend to carry malicious payloads
b. They can be timed to attack
c. They destroy hardware and software components of a PC
d. They can overwhelm a network
Answers:
1. Worms are truly self-propagating as they utilize exploits and other tricks to propagate
without the use of user intervention. The answer is C.
2. Trojan horses usually employ unusual port numbers and traffic. The answer is B.
3. All of the choices are true except C, because a virus cannot actually destroy hardware. The
answer is C.
Security+ study guide
Written by McCya mccya.webs.com Page 25
Implementation of L2TP, a popular tunneling protocol
SSL
SSL, or Secure Sockets Layer, is a technology employed to allow for transport-layer security
via public-key encryption. What you should know about this for the exam is that SSL is
typically employed over HTTP, FTP, and other Application-layer protocols to provide
security. HTTPS (HTTP over SSL) is particularly used by web merchants, credit card
validation companies, and banks to ensure data security (think: lock icon)
Kerberos
Kerberos is a *Nix (Unix-like) technology that is also being implemented in Microsoft
technology to allow for client-server authentication over a network based on a shared
key system. Kerberos is a public-key encryption technology and therefore is considered quite
modern.
Quick Review
1. You wish to implement VPN access so that an attorney can connect to the firm’s
network remotely. Which remote access protocol might you use?
a. LDAP
b. PPTP
c. PPP
d. SSL
Security+ study guide
Written by McCya mccya.webs.com Page 26
e. IPSec
2. A user complains that he cannot access a website because he does not have “some
protocol” enabled. What is this protocol most likely to be?
a. FTP
b. HTTP over SSL
c. FTP over SSL
d. PPTP
e. VPN
3. Your manager wants to make sure that when he dials in to a faraway corporate
network, his connection is very secure and reliable. Which of the following is the most
secure and reliable RAS?
a. RAS
b. PPP
c. PPTP
d. L2TP
e. HTTP
Answers
1. Of the choices, only PPTP can be used to implement VPN. Note that IPSec is a feature of
IP and not a remote access protocol in its own right, though it is used by L2TP. The answer is
B.
2. Websites are typically accessed through the HTTP protocol, so it is likely that the website
is SSL-enabled and that he does not have that technology enabled on his client PC. The
answer is B.
3. L2TP is most secure as it features both tunneling and encryption, which none of the other
protocols listed can provide. The answer is D.
Firewalls
Security+ study guide
Written by McCya mccya.webs.com Page 27
As we continue to skip about in our lesson plans, we have now arrived at the subject of
firewalls. Firewalls are one of the most thoroughly misunderstood concepts around in
networking and security today. It is your duty to dispel some of the most common
misconceptions about firewalls not just for the purpose of passing the Security+ exam but
also for the sake of the information security community!
What is a Firewall?
A firewall is any hardware or software designed to prevent unwanted network traffic. Some firewalls are simplistic in nature; in fact, many people use NAT devices as firewalls as
they do effectively prevent direct incoming connections to hosts behind the NAT. Other
firewalls are intricate operations, based on whitelists and blacklists, rules, and alerts. What all
firewalls have in common, however, is an ability to block incoming traffic that may be
deemed harmful.
Simple diagram of a firewall
Types of Firewalls
Because the definition of a firewall (at least as given above) is somewhat generalized, it is
hard to define the general actions and methods of firewalls. Instead, we look at the ways
different types of firewalls work. Each type of firewall has abilities, advantages, and
drawbacks; to do well on the Security+ exam, you should understand these.
Packet Filtering Firewall
A packet filtering firewall polices traffic on the basis of packet headers. IP, UDP, TCP,
and even ICMP have enough header information for a packet filtering firewall to make an
Security+ study guide
Written by McCya mccya.webs.com Page 28
informed decision as to whether to accept or reject that packet. You can think of a packet
filtering firewall as a bouncer at a party. The bouncer may have a list of people that are
allowed to come in (a whitelist) or a list of people to specifically exclude (a blacklist). The
bouncer may even check a guest’s identification to assure that the guest is above 18.
Similarly, a packet filtering firewall simply inspects the source and destination of traffic in
making a decision on whether to allow the packet to pass through. For example, some traffic
may be addressed to a sensitive recipient and would therefore be blocked.
A packet filtering firewall can also filter traffic on the basis of port numbers. For example,
many companies now block traffic on port 27374 because it is well-known to be a port
used by the Trojan horse “SubSeven.”
Note that a packet filtering firewall basically operates through a special ACL (access
control list) in which both the white and black list of IP addresses and port numbers are
listed. In essence, this firewall operates at the Network and Transport layers of the OSI
Model. This model is notable for its simplicity, speed, and transparency – however, traffic is
not inspected for malicious content. In addition, IP addresses and DNS addresses can be
hidden or “spoofed,” as discussed in the Attacks lesson.
Circuit-Level Gateway
A circuit-level gateway is a type of firewall that operates on the Session layer of the OSI
model. Instead of inspecting packets by header/source or port information, it instead
maintains a connection between two hosts that is approved to be safe. This is something
akin to a parent who approves the people that their children can speak with on the phone once
they trust those people. In this scenario, the parent does not have to listen into the
conversation because they know they can trust the two communicating children. Similarly, a
circuit-level gateway establishes a secure connection between two hosts that have been
authenticated and trust each other.
Application-Level Gateway
As the name suggests, an application-level gateway operates in the Application layer of the
OSI model and actively inspects the contents of packets that are passed through to the
gateway. It is for this reason that application-level gateways are considered the most secure
as they can actively scan for malformed packets or malicious content. Think of an
application-level gateway as the eavesdropping parent. An eavesdropping parent has the most
complete knowledge of his or her child’s activities because he or she can listen into all of the
child’s conversations. An application-level gateway does have drawbacks, however,
including speed and routing problems. Application-level gateways are notorious for the
amount of time it can take to inspect packets.
A special kind of application-level gateway is a proxy server, which is a server that
serves as the “middle man” between two hosts that wish to communicate. In the proxy
server model, the host wishing to communicate sends a packet to the application-level
Security+ study guide
Written by McCya mccya.webs.com Page 29
gateway (proxy server), which then makes the decision whether to forward the packet to the
intended recipient or to deny the request to send the packet.
Quick Review
1. Your manager wishes to implement some kind of device that would reject traffic from
online gambling sites and other distractions. Which of the following devices would be
most effective in achieving this solution?
a. Packet Filtering Firewall with NAT
b. Circuit-Level Gateway with ESP
c. Application-Level Gateway in the form of a Proxy Server
d. Circuit-Level Gateway with TLS
2. Which of the following is not a reason to implement a firewall?
a. To limit the number of malicious packets sent to the network
b. To reduce extraneous traffic that is deemed undesirable
c. To limit a particular host’s access to the Internet
d. To improve network throughput
3. Which of the following is true of a packet filtering firewall?
a. It implements an ACL
b. It inspects the contents of packets being filtered
c. It does not read the headers
d. None of the above
Answers
1. Only an application-level gateway can actually inspect the contents of individual packets,
so the answer must be C.
2. Although network throughput could ostensibly improve as a result of implementing a
firewall, it would not typically be reason to implement one and in most cases, a firewall acts
as a bottleneck to network traffic. The answer is D.
Security+ study guide
Written by McCya mccya.webs.com Page 30
3. In order for a packet filtering firewall to operate, it must have a list of all of the allowable
or disallowable hosts to evaluate based on header information. The answer is A.
Networking Overview
In subsequent chapters of this study guide, we will take a look at different security topologies
or ways that networks can be set up with security in mind. Before we can do this, however,
we must have a clear understanding of different networking devices and concepts. We will
now very briefly describe different key networking components to help you understand how
they are related to information security and the exam.
A cartoon-ish network
IP Address
An IP address is a unique numeric identifier of a host machine within the scope of a
TCP/IP network. Public IP addresses are unique and individual to each host in the world,
while private IP addresses are often duplicated among different private networks. You can
think of a public IP address as a sort of telephone number and the private IP address as a sort
of extension system that operates “in-house.” All IP addresses are formed as four octets
separated by a dot: for example, 192.168.1.1 is a commonly-used private IP address.
NAT
NAT, or Network Address Translation, is a service in which a gateway can allow multiple
private hosts to operate under the guise of a single public IP address. One of the
implications of NAT is that hosts “behind” the NAT are effectively “hidden” from the rest of
the Internet, with the NAT acting as a sort of packet filtering firewall.
Router
A router can forward packets of information based on the IP address of the header of the
packet. Think of the header of the packet as a sort of shipping label for the packet in which
the contents (the package) are contained. A router can quickly examine the shipping label and
send it off to the appropriate destination.
Security+ study guide
Written by McCya mccya.webs.com Page 31
Gateway
A gateway serves as a sort of middle-man between two networks, usually the Internet and a
private network. Many routers also serve as gateways, and many gateways have NAT
functionality built into them.
Media
The term “media” in networking refers to the physical medium of communication that the
network utilizes. In many Ethernet networks CAT-5 cabling is employed. In high-speed
applications, fiber optic media is used.
Applications and Ports
Applications, in the networking sense, refer to specific Application-layer services that
hosts provide over specific ports, or gateways into the system. For example, a web server
is an application server that provides web pages over the port TCP 80. Other Application
servers include FTP, Telnet, SSH, and Media servers.
Firewall
A firewall is a device that can selectively filter communications between two hosts.
Although we have an entire article dedicated to firewalls, it never hurts to reinforce the
concept of what a firewall is for your own extended understanding.
Switch/Hub
Hosts are connected to each other via a switch or a hub. The difference between a switch
and a hub is that a hub forwards all packets to all connected hosts whereas a switch
forwards packets only to selected recipients, increasing information confidentiality.
DMZ Host
A DMZ host is basically a “catch-all” host for requests on non-configured ports. Through a
DMZ host, undesirable network traffic can be sent to single safe host rather than any host that
would be in danger from malicious traffic.
Security+ study guide
Written by McCya mccya.webs.com Page 32
Quick Review
1. Which of the following can be used as a sort of packet filtering firewall?
a. Proxy Server
b. Switch
c. NAT Device
d. None of the above
2. Why can’t a packet sniffer intercept switched network traffic?
a. The packet sniffer can only work in promiscuous mode
b. Switched networks direct traffic by MAC address
c. The packet sniffer can only work in latent mode
d. The port configuration is incorrect
3. Which of the following are not application services or servers? (Choose all that apply)
a. Proxy Server
b. Email Server
c. Web Server
d. DMZ Server
e. ARP Server
f. DHCP Server
Answers:
1. Only an NAT device would actually block packets based on headers (the definition of a
packet filtering firewall) because an NAT device would categorically block incoming traffic
that has not established a session. The answer is C.
2. A switch only forwards traffic to the intended recipient via MAC address (just like a router
only forwards traffic to the recipient via IP address), so the answer must be B.
Security+ study guide
Written by McCya mccya.webs.com Page 33
3. D, E, and F are all non-application servers. DMZ servers are non-existent, and DMZ hosts
would nominally operate in the network layer of the OSI model. ARP servers would operate
in the Data-Link layer of the OSI model, and DHCP servers would operate in the Network
layer of the OSI model.
Symmetric (Private) Key Cryptography
In this lesson we will learn about different symmetric key algorithms and their key features.
More importantly, we will learn about some more key concepts related to cryptography as it
applies to both symmetric and asymmetric algorithms. Finally, we will learn the
advantages and disadvantages of symmetric and asymmetric algorithms. First, let’s learn a bit
about the differences between block and stream ciphers.
Block v. Stream Ciphers
The difference between a block and a stream cipher is rather simple. A block cipher would
break up a clear text into fixed-length blocks and then proceed to encrypt those blocks
into fixed-length ciphers. Because the blocks are of a fixed length, keys can be re-used,
making key management a breeze. Typically, computer software uses block ciphers.
Stream ciphers operate on continuous (read: non-discrete) portions of data that arrives“in
real time.” In other words, stream ciphers work on information “bit-by-bit” rather than
“block-by-block.” Because the data does not need to broken down, stream ciphers are
generally faster than block ciphers, but keys are not re-usable in stream ciphers, making key
management a real pain. For this reason, stream ciphers are usually employed at the hardware
level.
] End-to-End Encryption
End-to-End encryption refers to a situation in which data is encrypted when it is sent and
decrypted only by the recipient. Of course, in order for the packets to be routed, the relevant
TCP/IP headers must be present and unencrypted on the packet.
Link Encryption
In Link encryption, every packet is encrypted at every point between two communicating
hosts. In this formulation, information sent to one router is encrypted by the host and
decrypted by the router, which then re-encrypts the information with a different key and
sends it to the next point. Of course, in this formulation, the headers are also encrypted. The
obvious drawbacks include speed and vulnerability to “man-in-the-middle” attacks.
Security+ study guide
Written by McCya mccya.webs.com Page 34
Key Strength
A cryptovariable, or key, is the value applied to encrypted or clear text in order to
decrypt or encrypt the text. The length of the key, in bits, is usually a good indicator of the
strength of the key. A 128-bit key is, for example, much stronger than a 32-bit key.
Symmetric Key Cryptography
In a symmetric key cryptosystem, a single key is used to encrypt and decrypt data between
two communicating hosts. In order to break the system, an attacker must either: A) discover
the key through trial-and-error, or discover the key during the initial “key agreement.”
(From Navy) Symmetric Key Encryption Schema
Symmetric key protocols are known to be faster and stronger than their asymmetric
counterparts but do possess unique disadvantages that we will discuss later. We will now
look at some common symmetric algorithms.
DES
DES is an outdated 64-bit block cipher that uses a 56-bit key. It is a symmetric algorithm that
splits the 64-bit block into two separate blocks under the control of the same key. It is
considered highly insecure and unreliable and has been replaced by 3DES.
3DES
Security+ study guide
Written by McCya mccya.webs.com Page 35
Triple DES or 3DES is the partial successor to DES but is still considered outdated and slow.
It uses three separate 56-bit keys for an effective key length of 168 bits. However, a
vulnerability exists that would allow a hacker to reduce the length of the key, reducing the
time it would take to crack the key. In addition, 3DES is very slow by today’s standards and
would not be practical to use in encrypting large files.
AES
AES is the true successor to DES and uses a strong algorithm with a strong key. It is based on
the Rijndael Block Cipher. The Rijndael Block Cipher can utilize different block and key
lengths (including 128, 192, and 256 bit keys) to produce a fast and secure symmetric block
cipher. The Twofish algorithm, an alternative to Rijndael, utilizes 128-bit blocks for keys up
to 256 bits.
IDEA
All you have to remember about IDEA is that:
PGP uses IDEA to ensure email security, and
It operates using 64-bit blocks and a 128-bit key
RC5
RSA Security developed RC5, a fast, variable-length, variable-block symmetric cipher. It can
accommodate a block size of up to 128 bits and a key up to 2048 bits.
Symmetric v. Asymmetric
Here is a quick run-down of the advantages of symmetric and asymmetric algorithms:
Symmetric
Faster and easier to implement
Lower overhead on system resources
Asymmetric
Scalable and does not require much administration
Easier for users to use
Security+ study guide
Written by McCya mccya.webs.com Page 36
Quick Review
1. Which of the following symmetric ciphers is used in PGP for email security?
a. IDEA
b. PGP Security
c. RC5
d. Blockfish
2. Which of the following is not an advantage of asymmetric algorithms?
a. Scalability
b. Multiple functionality
c. Speed
d. Provides confidentiality and authentication
3. Why is DES considered “insecure?”
a. Buffer overflow exploit
b. Man-in-the-middle attack potential
c. Weak key length
d. All of the above
Answers
1. PGP (Pretty Good Privacy) uses IDEA for encryption. The answer is A.
2. Although asymmetric algorithms can be fast, they are generally slower than their
symmetric counterparts, making Speed an issue for these algorithms. The answer is C.
3. DES is insecure because its key length is so short (56 bits). The answer is C.
Public Key Cryptography
Security+ study guide
Written by McCya mccya.webs.com Page 37
Public Key Cryptography is a widely-applied form of cryptography commonly utilized in
many network transactions. The Security+ exam will test you on your both your
understanding of how public key systems work as well as your ability to discern between
different types of public key algorithms. The exam will also cover PKI, or public-key
infrastructure.
The workings of Public Key Cryptography
Unlike private key systems, in which two communicating users share a secret key for
encryption and decryption, public key systems utilize widely-available and unique “public
keys,” as well as “private keys,” to securely transmit confidential data.
Here’s how a public key transaction works: Assume we have two users, Pat and Jill, and that
Pat wishes to send Jill a secret love note. Pat encrypts the love note using Jill’s public key.
The message is sent via email to Jill. Jill then can read the message by decrypting the
message with her private key. Note that in order for this transaction to take place, only Jill
has to know her private key. This is the beauty of a public key (or asymmetric) system.
Through this transaction, known as secure message format, the confidentiality of the message
is assured: only Jill can read it!
Public-key cryptography can also be applied to validate the authenticity of a message. In this
formulation, Pat would send Jill a message using his private key (therefore encrypting the
message). To read the message, Jill would use Pat’s public key. In doing so, Jill has affirmed
that the message was in fact sent by Pat. This is known as open message format.
In order to ensure both information authenticity and confidentiality, signed and secure
message format may be employed. Extending the love note example, Pat would first encrypt
the message with Jill’s public key and then encrypt that encrypted message with his own
private key. When the message is sent to Jill, she can use Pat’s public key to verify the
message was indeed from Pat. But the message is still encrypted! To overcome this, she can
use her own private key to decrypt the message.
(From Navy) Public Key Schema
Security+ study guide
Written by McCya mccya.webs.com Page 38
Public Key Protocols
RSA is an asymmetric key transport protocol that can be used to transmit private
keys between hosts. The algorithm utilizes large prime numbers for effectiveness. The
process can be explained very simply – Pat encrypts the private key with Jill’s public
key, and Jill decrypts the message with her private key to reveal the private key.
Diffie-Hellman is a key agreement protocol that can be used to exchange keys. It
uses logarithms to ensure security in the algorithm. In the Diffie-Hellman operation,
Pat and Jill each use their own private keys with the public key of the other person to
create a shared secret key. Note that Diffie-Hellman is vulnerable to man-in-the-
middle attacks.
El Gamal is an extension of Diffie-Hellman that includes encryption and digital
signatures.
Message Digesting
A message digest is something of an unreadable, condensed version of a message. More
specifically, a message digest utilizes a one-way hash function to calculate a set-length
version of a message that cannot be deciphered into clear text. Message digests are usually
employed in situations in which it would be undesirable to be able to decrypt the message.
One such application is in modern username/password systems, in which the password is
stored using a hash function or digest. After the password has been hashed, it cannot be un-
hashed. When a user attempts to login with a password, the password he types is also hashed
so that the two hashes (rather than the two passwords) are compared against each other. Note
that the hash assumes that a hashed value cannot be deciphered and that no two messages will
produce the same hash.
Hashing Protocols
MD5 is the most commonly-used hash protocol and uses a 128-bit digest. It is very
fast in hashing a message and is also open-source.
SHA-1 is a more secure implementation of a hashing protocol that uses a 160-bit
digest and “pads” a message to create a more difficult-to-decipher hash.
Quick Review
1. Which of the following ensures message confidentiality, but not authenticity?
a. Secure message format
b. Open message format
c. Signed and secure message format
Security+ study guide
Written by McCya mccya.webs.com Page 39
d. Symmetric cryptography
2. Which of the following is not an asymmetric protocol?
a. Diffie-Hellman
b. El Gamal
c. 3DES
d. RSA
3. Why is a hash more difficult to decipher than a standard encryption protocol?
a. It is a one-way function
b. It uses strong encryption techniques
c. It uses large prime numbers
d. It uses discrete logarithms
Answers
1. Secure message format works by encrypting a message with the public key of the intended
recipient, ensuring confidentiality but not integrity. The answer is A.
2. 3DES is the only listed protocol that does not utilize a public key system. The answer is C.
3. Because a hash is a one-way function, the only way to decipher it is to try a large number
of hashes of cleartext until one matches the original hash. The answer is A.
Organizational Security
Thus far, we have learned the tough stuff – the technically-oriented portions of the exam. We
haven’t finished learning all of the technical items yet, either! However, we will take a short
break from the technical aspects of the exam to take a look at organizational security, a
relatively simple and common-sense portion of the exam you should do quite well on.
Security+ study guide
Written by McCya mccya.webs.com Page 40
Physical Security
Physical security refers to the aspects of information security that are related to physical
threats, such as fire or natural disasters. We will cover some basic physical security
threats below:
] Fire
Remember that fire needs heat, oxygen, and fuel to burn. Also remember that there are four
classes of fires:
A, which includes common combustibles
B, which includes burnable fuels
C, which includes electronics
D, which includes chemical and other fires
There are also three common methods of fire detection:
Heat-sensing, which detects fires by temperature
Flame-sensing, which detects fires by the flicker of a flame or infrared detection
Smoke-sensing, which detects fires by variations in light intensity or presence of
CO2
There are also a number of different systems to suppress fire:
Water: Traditional method and effective against Class A fires
CO2: Suppresses by removing O2 element. Useful against Class B and C fires
Soda acid: Combination of chemicals used to eliminate Class A, B fires
Security+ study guide
Written by McCya mccya.webs.com Page 41
Halon: Useful against A,B, and C fires but illegal by Montreal Protocol (ozone
depleting)
HVAC
You should note that HVAC (heating, ventilation, and air conditioning) simply refers to
the typical environmental controls that we would call “air conditioning.” For the purposes of
the exam, you should use common sense and note that:
High temperatures can cause computer equipment, especially processors, to over-
heat and perform poorly
High humidity can cause corrosion in equipment due to water damage
Low humidity creates an environment suited for too much static electricity (ESD)
Electricity and Power
Remember that electrical power originates from a utility substation or a power grid and
that it would be to your best interest to have access to electric distribution panels (circuit
breakers and so forth). Also note some of the following information on electric power:
EPO (Emergency power-off) switches are used to shut down power immediately
Backup power sources can be used to ensure continuity in the case of a disaster
Backup sources should be used in critical applications, such as servers and physical
access equipment
ESD is also covered on the exam, so you should know that:
ESD is electrostatic discharge, a convoluted term for static electricity build-up and
release
ESD can be prevented by 40 to 60 percent humidity levels, grounding, and antistatic
floor mats (and other antistatic material)
Electric noise is the crossover or interference that occurs in electrical wires due to high-
energy electrons “crossing over” into another wire or signal. To avoid this, you should:
Use power line conditioners and surge protectors
Grounding and shielded cabling
Business Continuity and Disaster Recovery Planning
The idea of business continuity revolves around the premise that your business should
continue to operate in the face of a disaster. Disaster recovery planning, in contrast, is
related to the effort to recover infrastructure that fails as the result of a disaster.
Security+ study guide
Written by McCya mccya.webs.com Page 42
Quick Review
1. Which of the following fires can be put out easily with water?
a. Class A
b. Class B
c. Class C
d. Class D
2. Which of the following conditions would have little effect on the ability for systems to
continue functioning?
a. 80% humidity
b. 15% humidity
c. -10 degrees Celsius temperature
d. 100 degrees Celsius temperature
e. 0% humidity
3. Which of the following should be included in a BCP (business continuity plan)?
a. How information on servers that come down will later be retrieved
b. How to salvage existing equipment
c. How to shift the load of processing to backup emergency servers
d. How to mitigate the risk of a network attack
Answers
1. Only Class A fires can be effectively extinguished with water. The answer is A.
2. While mild humidity, dryness, or high temperatures can result in equipment failure,
slightly uncomfortable low temperatures will rarely result in equipment failure. The answer is
C.
3. Answers A and B are concerned with how to recover assets that had been lost after the
Security+ study guide
Written by McCya mccya.webs.com Page 43
disaster. Answer D is not concerned with continuity planning, but rather, risk mitigation. The
answer is C.
Email and Application Security
Some of the Security+ exam will test you on your knowledge of some basic email, Internet,
and application security issues. Although the amount of detail of knowledge that is required
is quite minimal, you must still have a working knowledge of some simple email and
application security concepts.
Email Security
Email is a wonderful tool, no doubt, but it is not without security issues. Typical email
configurations allow for senders of email to spoof their addresses and send email messages in
plain text. Even worse, it is difficult for a recipient of an email to verify that the sender is
actually who sent the message! Thankfully, we have a few security tools at our disposal to
ensure confidentiality (through encryption) and integrity (through encryption, digital
signatures, and strong passwords). Here are some of those tools:
S/MIME, or Secure Multipurpose Internet Mail Extensions, provides basic
cryptographic services for email sent via the Internet. Most popular browsers and
email clients support S/MIME, making it among the more popular cryptographic
email security services available.
MOSS, or MIME Object Security Services, is a less-common, more extensive suite
of security services for email.
PEM, or Privacy Enhanced Mail, provides 3DES encryption for email.
PGP, or Pretty Good Privacy, is an open-source and extremely popular email
security suite that uses IDEA to encrypt email and validate signatures.
Email also has a few security vulnerabilities:
Spam is one of the most commonly mentioned nuisances, but did you know it is
actually considered a security threat? By clogging the email server, widespread spam
denies to the user availability, a key component of the CIA triangle. Some spam
solutions include user education, email filtering, and reporting of Spam to the proper
authorities (where necessitated by law)
Security+ study guide
Written by McCya mccya.webs.com Page 44
Open relays are email servers that forward email without any kind of authentication.
In other words, open relays allow malicious users to send bulk email without logging
into an email server. A good email security setup always includes a non-open relay
server (or authenticated relay server). Malicious Software: Obviously, viruses and worms are a large problem. Many
propagate via email messages that are automatically sent by infected hosts. One of the
more common solutions is to virus scan and filter incoming email.
Internet Security
The Internet can be a dangerous place, and so, we are interested in protecting users from
malicious web sites (with browser scripts) as well as protecting the information that users
send to web sites.
SSL is a connection-oriented standard designed to allow for secure cryptographic
communication between two hosts via the Internet. TLS is the newest version of SSL.
S-HTTP is a connectionless standard that provides for symmetric encryption,
message digests, and client-server authentication.
Browser Scripts/Vulnerabilities are controls, scripts, programs, or other software
that can run from the browser and cause damage to a host. In particular, ActiveX
controls are well-known for their often malicious content. The best way to protect
against browser buffer overflows is to remain vigilant and updated on the latest
patches.
Quick Review
1. Which of the following is not a program or tool used to ensure email security?
a. S/MIME
b. MOSS
c. SSH
d. PGP
2. You notice that many users are complaining that their emails are being rejected by
the servers that they send the emails to. You also notice that the reason that they are
being rejected is because those servers have supposedly received bulk email from your
domain. Assuming that your users are innocent of spamming others, the most likely
cause of this is:
a. A man-in-the-middle attack is changing all of the users’ messages to spam
b. A spoof attack is falsely identifying the emails as originating from your domain name
Security+ study guide
Written by McCya mccya.webs.com Page 45
c. A worm has spread to your network
d. Your email server is configured for open relay
3. Which of the following is least likely to be associated with browser security?
a. ActiveX controls
b. Javascripts
c. Birthday attacks
d. Buffer overflows
e. Malicious CGI code
Answers
1. SSH is used to maintain a secure remote access connection between two hosts. The answer
is C.
2. Although choices A, B, and C are theoretically possible, they are unlikely. It would be
cumbersome and counter-intuitive to an attacker to change every email message sent; if he
had the ability to do this, he would just send his own messages. Similarly, although a spoof
attack is possible, it would be difficult for the attacker to spoof his IP address without the use
of a proxy; unless your server is a proxy server, he probably would not target your domain
name. Finally, a worm might have spread to your network, but most worms do not send out
unsolicited bulk (junk) email. The answer is D, because in most cases, open relays lead to
spam and bulk email.
3. Birthday attacks are related to probability and therefore unlikely to be associated with
browser security. The answer is C
Security Topologies
One of the most essential portions of information security is the design and topology of
secure networks. What exactly do we mean by “topology?” Usually, a geographic diagram of
a network comes to mind. However, in networking, topologies are not related to the physical
arrangement of equipment, but rather, to the logical connections that act between the
different gateways, routers, and servers. We will take a closer look at some common
security topologies.
Screening Router
Security+ study guide
Written by McCya mccya.webs.com Page 46
In a screening router setup, the router acts as the sole gateway and gatekeeper between
the un-trusted, outside network (i.e. the Internet) and the trusted network (i.e. LAN). The router maintains sole discretion on which traffic to allow in by implementing an ACL, or
access control list. The router in this setup, which blocks traffic based on source, destination,
and other header information, is analogous to Saint Peter, who acts as the gatekeeper into
Heaven. Some of the advantages of screening routers include their transparency and
simplicity. However, in the screening router setup, the router is the sole point of failure and
depends heavily on the administrator to maintain a favorable ACL. Also, a screening router
has difficulty in masking internal network structure.
Dual-Homed Gateway
The dual-home gateway is a screening router setup that implements a bastion host between
the screening (external) router and the trusted network. A bastion host is a host that is
configured to withstand most attacks and can additionally function as a proxy server. By
adding the bastion host, no direct communication exists between the external network and the
trusted network, masking the internal network structure and allowing for traffic to be
screened twice. It is considered fail-safe in that if one of the components (bastion host,
router) fails, the security system remains available. However, it is cumbersome and rather
slow in comparison to other topologies.
Screened Host Gateway
A screen host gateway is essentially a dual-homed gateway in which outbound traffic
(from trusted to un-trusted) can move unrestricted. Incoming traffic must first be
screened and then sent to the bastion host, like in a dual-homed gateway. This is a less secure
but more transparent system than dual-homed gateway.
Screened-Subnet
Security+ study guide
Written by McCya mccya.webs.com Page 47
A screened-subnet setup works to employ a bastion host between two screening routers.
What this provides is a special zone for publicly available services (around the bastion host)
and transparent access for users on the trusted network. The zone around the bastion host that
operates publicly and whose traffic to the trusted network is screened is known as a DMZ
zone; for this reason, bastion hosts are sometimes referred to as DMZ hosts. Remember for
the exam that a DMZ host would always be well-secured, just like a bastion host would be.
IDS
An intrusion detection system, or IDS, can track or detect a possible malicious attack on a
network. For the exam, you will have to know about some division of IDS classifications:
Active v. Passive IDS: An active IDS will attempt to thwart any kind of detected
attacks without user intervention. A passive IDS simply monitors for malicious
activity and then alerts the operator to act, or in other words, requires their
intervention. Passive IDS is less susceptible to attacks on the IDS system as it does
not automatically act.
Network v. Host IDS: A network-based IDS is one that operates as its own node
on a network, while host-based IDS systems require agents to be installed on
every protected host.*
Knowledge v. Behavior IDS: A knowledge-based IDS works by assessing network
traffic and comparing it with known malicious signatures, much like antivirus
software. A behavior-based IDS analyzes baselines or normal conditions of network
traffic; it then compares them to possibly malicious levels of traffic. Note that this
type of IDS produces more false alarms.
Security+ study guide
Written by McCya mccya.webs.com Page 48
Honeypot
A honeypot is designed to lure attackers or malicious users into attempting an attack on a
fictional or purposefully-weak host and then recording the patterns of their activity or the
source of the attack. A honeypot can also act as bait for the rest of the network by luring
attackers to an “easy target.”
Quick Review
1. Which of the following topologies features a demilitarized zone or DMZ?
a. Active IDS
b. Passive IDS
c. Dual-Homed Gateway
d. Screened-Subnet
2. Why would behavior-based IDS require less maintenance than knowledge-based
IDS?
a. Behavior-based systems necessarily work without user intervention
b. Knowledge-based IDS can only work on a screened-subnet or screened host gateway
topology.
c. No DMZ host is required in a behavior-based IDS
d. Behavior-based systems do not require signatures or libraries of attacks
3. Your company wishes to implement a web server, email server, and voice-over-IP
server that are accessible to the rest of the Internet. However, it wants to ensure that the
structure and hosts within the rest of the network are totally protected from outside
access. Which of the following setups would provide this functionality?
a. Dual-Homed Gateway
b. Screened Host Gateway
c. Screening Router
d. Screened-Subnet
Security+ study guide
Written by McCya mccya.webs.com Page 49
Answers
1. The screened-subnet topology features a DMZ between two screening routers, effectively
isolating the publicly-accessible zone from the rest of the trusted network. The answer is D.
2. Because behavior-based systems compare baseline use levels to current or potentially
malicious levels, they do not require signatures of libraries, decreasing the amount of active
administrator maintenance that is required. The answer is D.
3. A screened-subnet gateway provides a protected zone for public services. The answer is D.
Security+ study guide
Written by McCya mccya.webs.com Page 50
Security+ Study Guide Review
We would like to wrap up some of the points that we’ve covered previously and introduce
you to the kinds of questions that you will encounter on the real Security+ examination.
Therefore, this review will feature questions that are sure to have you thinking;
hopefully, you will be prepared from reading the guide to do well.
Questions
1. Your manager asks you to implement a system that can filter out unwanted content,
such as viruses and unproductive Internet content. The best way to accomplish this
would be through a system that implements a:
a. Circuit-level gateway
b. Proxy server
c. Packet filtering firewall
d. DMZ host
e. Bastion host
2. Which of the following is the function of PGP?
a. Filter unwanted Internet traffic
b. Create a buffered security zone
c. Provide access control functionality
d. Boot a *Nix server that is not operational as the result of an attack
e. Provide message encryption services
3. How do mandatory access controls protect access to restricted resources?
a. Sensitivity labeling
b. User-level share permissions
c. Server-level share permissions
d. Role-oriented permissions
e. ACL lists
Security+ study guide
Written by McCya mccya.webs.com Page 51
4. You notice a rapid increase in the number of ICMP requests coming from a single
host. The requests are continuous and have been occurring for minutes. What kind of
attack are you likely experiencing?
a. Ping flood
b. Smurf
c. Birthday
d. Buffer overflow
e. You are not experiencing an attack
5. Your company requires secure remote access through a terminal to a server. Which
of the following would provide such secure access?
a. Telnet
b. SSH
c. FTP
d. SSL
e. Ethernet
6. Which of the following is an advantage of symmetric-key cryptography in
comparison to asymmetric-key cryptography?
a. Symmetric keys are stronger than asymmetric keys
b. Symmetric key systems are more scalable than asymmetric systems
c. Symmetric key systems are faster than their asymmetric counterparts
d. Symmetric key systems can operate in more than layers of the OSI model than can
asymmetric systems
e. None of the above
7. Which of the following is not a way that IDS systems are commonly classified?
a. Active
b. Passive
Security+ study guide
Written by McCya mccya.webs.com Page 52
c. Latent
d. Knowledge-based
e. Behavior-based
8. Which of the following provides tunneling over the data-link layer?
a. IPSec
b. L2TP
c. PPP
d. PPTP
e. VPN
9. Which of the following authentication factors is considered the strongest?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
e. Type 5
10. You setup a packet-filtering firewall that accepts or rejects traffic based on the IP
address of the source. What kind of attack is this firewall specifically vulnerable to?
a. Buffer overflow
b. Man-in-the-Middle attack
c. Smurfing
d. Spoofing
e. Distributed denial of service
11. Your manager complains that he cannot remember his password. You have also lost
your copy of the password, but the MD5 hash of the password is stored in the database.
How can you use the MD5 hash to recover the password?
Security+ study guide
Written by McCya mccya.webs.com Page 53
a. Decrypt the hash using a shared secret key
b. Decrypt the hash using a public encryption system
c. Encrypt the hash using a shared secret key
d. Encrypt the hash of the hash using a shared secret key
e. You cannot recover the password from the hash
12. Which of the following parts of the CIA triangle are effectively ensured by
cryptography?
a. Confidentiality Only
b. Integrity Only
c. Accessibility Only
d. Accessibility and Integrity Only
e. Confidentiality and Integrity Only
13. Which of the following is not a parameter of a security association in IPSec?
a. SPI
b. Source IP Address
c. Destination IP Address
d. Security Protocol ID
14. Which of the following is not considered a physical security threat?
a. Fire
b. Water
c. Severe Weather
d. Electricity
e. Buffer Overflow
Security+ study guide
Written by McCya mccya.webs.com Page 54
15. Which of the following is a layer-3 device that connects two dissimilar network
segments?
a. Bridge
b. Switch
c. Hub
d. Router
e. Gateway
Answers
1. A proxy server is the best way to filter content because it prevents a direct connection
between a local and remote host and therefore can effectively filter incoming and outgoing
traffic. Answer: B
2. PGP, which stands for “Pretty Good Privacy,” is used to provide message signing and
encryption services. Answer: E
3. Mandatory is the key word in mandatory access control, which means that the sensitivity
of information is determined at the top of the decision-making tree rather than up to the user’s
discretion. To accomplish such a task, sensitivity labeling is necessary. Answer: A
4. Unusually large numbers of ICMP packets are usually employed in a ping flood attack. In
this attack, the number of packets is supposed to be so great that the system is overwhelmed
and succumbs to the attack, denying availability. Answer: A
5. Only SSH provides secure access through the Internet to a terminal. Telnet provides
remote access over cleartext. Answer: B
6. While symmetric key systems can prove difficult to manage and are cumbersome for many
users, they offer a greater degree of speed as fewer and less complex calculations are
involved in the process. Answer: C
7. IDS systems are not classified by latency, as such a concept makes no sense in that context.
Answer: C
Security+ study guide
Written by McCya mccya.webs.com Page 55
8. L2TP stands for “Layer 2 Tunneling Protocol.” This should help you remember that L2TP
indeed provides tunneling over Layer 2, or the Data Link layer of the OSI model. Answer: B
9. As Types 4 and 5 are fictitious types of authentication factors, we are left with a choice
between Types 1, 2, and 3. Although Types 1 and 2 can offer strong factors, biometric
identification (“what you are”) is usually considered the strongest, as it is difficult to
impersonate a fingerprint. Answer: C
10. Because the firewall discerns traffic by IP address, the best way to circumvent this
firewall would be to make it appear that your IP address is different than it really is. To do
this, you would have to “spoof” your IP address. Answer: D
11. A hash, by definition, is a one-way function that encrypts a message for digesting.
Therefore, it is impossible to actually “decrypt” the hash. Answer: E
12. Cryptography can both protect the contents of a message and ensure that a message
remains the same as when it was sent. Therefore, cryptography can be used to ensure
confidentiality and integrity. Availability, or the idea that systems should be available, is not
ensured by cryptography. Answer: E
13. Because the destination IP address is not a security interest in IPSec transmissions, it is
not included on the security association. Answer: C
14. A buffer overflow, while a serious threat to system stability, is a logical rather than a
physical vulnerability. Answer: E
15. A router operates in the Network layer of the OSI model and is typically used to adjoin
two dislike network segments together (and forward packets based on IP address). Answer:
D
Your Progress and Final Thoughts
If you scored between 0 and 7 questions correct, you need to study the entire guide again.
Obviously, you are lacking in mulitple areas of the security+ examination and could
therefore benefit from reading all of the subject areas in depth.
If you scored between 8 and 11 questions correct, you should take a close look at the subject
areas of the questions that you missed and carefully re-read and review the lessons in the
guide concerning those specific areas. If you took the exam today, you would probably not
pass with this sort of score.
Security+ study guide
Written by McCya mccya.webs.com Page 56
If you scored between 12 and 15 questions correct, great job! You should probably glance
over some of the questions that you missed and the corresponding guide article, but you are
most likely ready to move on to our cram sheet. If you took the exam today, you would
likely pass it.
We wish you the best of luck in your pursuit of Security+ certification. Be sure to check
out our Security+ Cram Sheet and take plenty of practice exams! We hope you do well.