Security+ Certification

Objectives

  • A basic understanding of security issues
  • Familiarity with encryption, secure remote connections and protocols
  • Successful preparation to pass the CompTIA Security+ Certification Exam

Text: CompTIA Security+ Certification, CompTIA Press

Get the Security+ Exam Objectives at http://certification.comptia.org/Training/testingcenters/examobjectives.aspx

Day 1

Introductions, skill assessment

Chapter 1: Mitigating threats

Chapter 2: Cryptography

Day 2

Chapter 3: Authentication systems

Chapter 4: User- and role-based security

Day 3

Chapter 5: Peripheral security

Chapter 6: Public Key Infrastructure

Day 4

Chapter 7: Application and messaging security

Chapter 8: Ports and protocols

Day 5

Chapter 9: Network security

Chapter 10: Wireless security

Day 6

Chapter 11: Remote access security

Chapter 12: Vulnerability testing and monitoring

Day 7

Chapter 13: Organizational security

Chapter 14: Business continuity

 

Security+: Definitions and Catchwords

The 7 Layers of the OSI Model courtesy of Webopedia

Ports, well-known and otherwise

NAT and Private Address Ranges (thanks JP)

Definitions and Catchwords

Asset – anything valuable, such as information, software or a car stereo

Threat – any event or object that might result in a loss, like theft or fire damage

Threat Agent – any person or thing that can carry out a threat, like a thief or a flood

Vulnerability – a weakness in security, like an unprotected server or a hole in a fence

Exploit – actually taking advantage of a weakness, for instance by attacking an unprotected server or going through that hole in the fence

Risk – the likelihood that that an exploit will actually be performed

Risk managment is what it’s all about: how much risk can you tolerate, and how much will you spend to avoid it?

    1. Integrity – Insurance that a message, software or other item hasn’t been changed in any way.
    2. Confidentiality – Only authorized persons have access to the information.
    3. Availability – Information is available to properly authorized users.

Social Engineering – tricking a person into allowing access to a system; this includes dumpster diving and phishing

Password Guessing – this includes brute force (throwing thousands of passwords at a system), dictionary attacks (hashing every word in the dictionary to compare that hash value to user’s hashed password, looking for matches) and software exploitation (like buffer overflows).

Weak Keys – algorythms that allow the creation of keys with detectable patterns or structures allow weak keys.

Mathematical Attacks – usually these are statistical analyses that attempt to discover keys

Birthday Attacks – taking advantage of the birthday paradox, which is the greater possibility of finding something in common (like a birthday) if you start looking from a known value (like a certain date) rather than trying to analyze all values (like all dates).

Man-In-The-Middle Attacks (MIM) – The attacker looks like the server to the client, and looks like the client to the server, thus intercepting traffic and information.

Replay Attacks – These are similar to MIM attacks, except the traffic or information is changed before it is relayed.

TCP/IP Hijacking – setting up a device that appears to be valid to perform an MIM attack; spoofing is the act of falsifying one’s IP address to do this; Address Resolution Protocol (ARP) spoofing does this at the level of MAC addresses, by falsifying the MAC address resolution table.

In Windows, use the shell command:

arp -a

to view your ARP table. Note that you can use the arp -s command to add new entries manually, and the arp -d command to delete them. Command:

arp /?

for detailed information.

SYN/ACK Attacks – Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a “handshake.” The server, if it receives this SYN packet, responds with a SYN-ACK. The client, then, responds with an ACK. Think of it this way:

Client
Server
SYN
—–>
<—–
SYN-ACK
ACK
—–>

This is a bit of an oversimplification, because after the very first packet from the client, every packet contains an ACKnowledgement of response, and the final packet exchange will be FIN packets (“we’re finished”).

Here lies the basis of the SYN flood attack (see this page for a longer explanation). Basically, if I’m an attacker, I can send a server a SYN package, but never acknowledge the ACK that comes back. The server holds a half-open connection for me, but I never reply. Instead I send a new SYN packet from yet another spoofed IP address, opening but never acknowledging another connection. Before long the server is overwhelmed with these faked connections, and DOS results: this is a SYN flood.

The similar Smurf attack occurs when an attacker sends forged ICMP echo request packets to every computer on a network, using a false source IP (usually a server’s). This causes them to send responses to the victim, the server that really holds that IP address. This floods the network, resulting in DOS. A Smurf is made possible by misconfigured network devices that respond to ICMP echoes sent to broadcast addresses (x.x.x.255).

A Fraggle attack is the same technique, used over UDP rather than ICMP.

The Ping of Death is a variant of Smurf that sends deliberately malformed ICMP ping packets, attacking computers susceptible to this malformation.

A Land attack is an older one that sends a packet with the same host specified as both sender and receiver. This locks up some systems.

Distributed Denial-of-Service (DDoS) Attacks – These attacks amplify the situation by using dozens, hundreds, or thousands of “zombie” computers. If you’re already in this situation, obviously, life is bad.

The Security+ test gets very picky about the differences between these categories. Know these intimately.

Viruses – These attach themselves to something, whether a document or a program. They are executable code. The most common vector is e-mail attachments. The victim has to do something to activate a virus; typically this is clicking on the attachment. Anti-virus software is the (putative) cure.

Worms – These travel by themselves. They do not have to attach themselves to something else. They do not require action by the victim to be launched into action. They do often use e-mail as a convenient vector of propagation. You’ll need both procedures (“Never even open e-mails from unknown sources!”) and products (hardware and software firewalls) to protect against worms.

Logic Bombs – A specific event triggers a logic bomb, which then does its damage. This can be a date or an event like a person’s account being deactivated. Policies like code reviews, practices like network surveillance and monitoring programs, and products like Tripwire (which monitors signatures of executable files for changes) are all necessary, but not sufficient to protect against logic bombs.

Trojan Horses – Some programs disguise themselves as one thing, then reveal an ugly side when they’re opened. People addicted to internet freebie programs are very susceptible to this threat. These things are tough to fight, typically requiring anti-virus and other software to prevent, and often forcing disinfection after an infection occurs. These in particular force me to enforce a rule: “If you don’t HAVE to have a piece of software to do your job, you are FORBIDDEN to have it.” Needless to say this is very unpopular; but I’ve seen more than one business literally bankrupted by violating this practice.

Back Doors – Worms, trojans or viruses may install secret entrances to systems. Sometimes an innocent intent opens this vulnerability, like a programmer’s testing procedure that’s never removed. Sometimes an evil virus like MyDoom creates the opening. Your only protection is network scanning. Visit, for instance, Gibson Research and follow the ShieldsUp! link for a scan of your home PC.

Layering -Providing multiple layers of protection: physical access control, a firewall, antivirus software, etc. The key concept is preventing one layer’s configuration from compromising other layers. If you leave workstations logged in overnight to distribute antivirus updates, you’ve weakened security with that compromise.

Limiting – Basically, limiting access, whether physical or logical.

Diversity – Using more than one type of a given security method; for instance, both a physical and a software firewall.

Obscurity – Limiting the information available to attackers. For example, your web server should not reveal that it’s Apache 1.2.

Simplicity – Put simply, don’t make your security layers hard to understand or configure.

 

1.0 Network Security

Domain 1.0 Network Security – 21%

Computers, routers and other network equipment store fixed firmware in ROM modules, including:

  • Erasable Programmable Read-Only Memory (EPROM)
  • Electronically Erasable Programmable Read-Only Memory (EEPROM)

    Computer manufacturers (such as Dell), chipset manufacturers (such as Intel) and router manufacturers (such as Cisco) frequently issue firmware updates. The system administrator is responsible for knowing about and implementing these updates.

    Cisco routers in particular must be carefully updated. More than one bad update has been issued by Cisco, but Cisco users will still have to do their best to keep up-to-date.

Filtering packets as they arrive is the primary means of protection. Filtering can be by:

  • IP address
  • Domain name
  • Protocol (TCP, UDP, IP)
  • Port
  • Text-based, by word or phrase

    The filtering criteria are called a rule base. This is a chain of rules, with a final “cleanup rule,” is scanned in sequence (“rule base scanning“), with any rejection aborting the packet’s passage into the network.

    Each rule has an action:

  • Allow
  • Deny (which returns rejection informaion to the sender)
  • Drop (which sends no information back to the sender)

    The critical action for the network administrator is examining log files, no less than weekly.

4.0 Application, Data and Host Security

Domain 4.0 – Application, Data and Host Security – 16%

System Security is our initial set of best practices. It includes:

  • Disabling non-essential systems and services
  • Hardening operating systems by
    • Applying updates and
    • Securing file systems
  • Hardening applications by
    • Hardening servers (daemons or services) and
    • Hardening data stores
  • Hardening networks through
    • Firmware upgrades and
    • Secure network configuration

In Windows, view Services:
Start > Settings > Control Panel > Administrative Tools > Services
or
the msconfig command from Start > Run
or
the services.msc command from Start > Run

  • Visit www.microsoft.com/technet or www.BlackViper.com for discussion of any services with which you’re not familiar.
  • Note that services can be Automatic, Manual or Disabled.
  • Probably the single most dangerous service is UPnP, Universal Plug-and-Play. Unless you have a specific, compelling reason to enable this, disable it.
  • Service names and display names in the Services applet are not always the same.

In Linux, view processes with:
ps -aux

Generally, services are processes ending with a “d,” e.g. httpd.

Services, Port Numbers and Sockets:

  • The combination of an IP address and a port number is a socket (e.g. 192.168.2.1:80).
  • Most ports are available to both TCP and UDP.
  • A total of 65,535 ports are available.
  • The first 1,023 are called the “well-known port numbers.”

In Windows:

  • Service Packs are cumulative sets of updates
  • Hotfixes are single-issue fixes, typically correcting software problems, not security issues
  • Patches are software updates, often to correct security problems

    Popular Patch Management Systems for Windows are Windows Update Services (for standalone computers), Microsoft Operations Manager (MOM, formerly known as Software Update Services, SUS, and by other names), and the Shavlik family of security/patch management tools.

    In Linux:

  • Patches typically require re-compiling software, or performing an upgrade installation of binary software distributions

    Red Hat provides update services through the Red Hat Network update system.

    This is all about restricting user access, primary through Access Control Lists (ACLs).

    In Windows:

  • NTFS allows file and folder access permissions (though older versions only controlled folder permissions).
  • FAT32 provides no access control
  • Active Directory provides domain-based management (and replaces the older NT Domain model)
  • The Microsoft Management Console (MMC) is a utility that can control almost every aspect of a system.
  • MMC accepts “snap-ins” for expanded functionality
  • The Security Template snap-in organizes security attributes in one screen
  • Groups of computers sharing a security configuration are Group Policy Objects
  • Group Policy Settings define these configurations
  • Domain-based settings, however, cannot be overridden by group policy settings

    In Linux:

  • Basic file and folder permissions can be controlled at the operating system level
  • Larger networks use domain services and directories:
    • Network Information Service (NIS)
    • Novell Directory Services
    • Sun, Netscape and other directory services

In Windows:

  • Use the Microsoft Baseline Security Manager (MBSA) to analyze
    • Security settings
    • Application update compliance

In Linux:

  • Use update management tools from Red Hat, SuSE and others
  • Stay current with specific product updates for applications and services such as Sendmail, Apache and MySQL, for example

You are personally responsible for staying current with vulnerabilities. Subscribe to security bulletins such as Shavlik Technologies [shavlik_announce@shavlik.com].

  • Tightly configure ACLs
  • Delete sample files
  • Delete sample scripts!
  • Delete unused or obsolete scripts and software
  • Use IPSec, SSL (port 22, TCP and UDP) or HTTPS to encrypt sensitive traffic

    Web Servers

  • Web servers (HTTP, port 80, TCP and UDP) should provide only this service
  • Web servers should live in a DMZ, not inside a network’s main firewall
  • Use HTTPS or Secure HTTP (port 443 TCP) to encrypt sensitive traffic

    Email Servers

  • E-mail servers should live in a DMZ, not inside a network’s main firewall
  • E-mail servers (POP, port 110, SMTP, port 25) should provide only this service
  • E-mail system administrators must know what an “open relay” is, and must make sure their server is not an open relay
  • Visit www.abuse.net/relay.html and enter the name of your email server, and click “Test for relay” for independent verification

    FTP Servers

  • Old-fashioned FTP is highly vulnerable because it passes login names and passwords as unencrypted traffic
  • Turn off Anonymous Login unless it is critical to provide it
  • Set the ACL to read-only whenever possible
  • Limit the number of login attempts
  • Limit the number of sessions

    DNS Servers

  • DNS servers are the most potentially toxic servers on the Internet
  • DNS servers update each other through Zone Transfers, which is a major vulnerability
    • DNS servers can be attacked by cache poisoning
    • Prevent this by closing port 53 (used for zone transfers), or
    • Rejecting inbound connections on port 53, or
    • Explicitly designating which servers are trusted to receive zone transfers

File and Print Servers

  • Require authentication for access
  • Let users pause or cancel only their own print jobs
  • Give users ACL permissions to their own folders and files, but no others
  • Whenever possible, allow only read-only access to public folders
  • Give read and write access only for group folders
  • Be very cautious with execute permissions for folders:
    • In Windows, denying execute will prevent software execution
    • In Linux, denying execute will prevent browsing and listing

    DHCP Servers

  • Disable this service unless you specifically  need it
  • Keep DHCP servers patched

In Windows:

  • Active Directory controls domains
  • The Security Accounts Manager (SAM) database controls domain accounts, and must be protected

    SQL Server also requires protection from:

  • Buffer overflow attacks
  • Malicious SQL commands (including SQL injection from malicious URL formation)
  • As you version of SQL Server permits, encrypt its data
  • Only the user logged into the local host containing the SQL Server should be allowed full administrative rights

Further Info:

bastion.inf

“dsniff is a collection of tools for network auditing and penetration testing.”

BelArc Advisor: Knowing what you’ve got that works

Nessus: Knowing what you’ve got that doesn’t

Don’t forget Ethereal/Wireshark: http://www.wireshark.org/

 

5.0 Access Control and Identity Management

Domain 5.0 Access Control and Identity Management – 13%

Authentication, Access Control & Auditing

Know For The Security+ Test: The three “pillars” or “foundations” of information security are Authentication, Access Control and Auditing. (The mnemonic “AAA” may help you remember.)

By What You Know – A password, PIN, or mother’s maiden name

By What You Have – A key, SmartCard or ID card

By What You Are – Unique characteristics like a fingerprint or retina pattern

Username and Password – (what you know)
This is the most common authentication method.
This is also the weakest.

ID Management makes this method more secure, by allowing users to have a single, secure, complex password. Also known as “Single Sign-On,” it includes:
– Liberty Management
– Identity Web Services Framework

Tokens – (what you have)
Typically a plastic card with either a magnetic strip or an embedded chip.

A newer type is the Proximity Card, which doesn’t require “swiping” through a reader; the user simply places it near a reader, which uses a radio signal to read the card.

Biometrics – (what you are)
Fingerprint, retina, voice or other bodily characteristics.
These characteristics can be stolen.

Digital Certificates (or simply Certificates) – (what you have)
A certificate proves identity.
A certificate provides identification.

A certificate is not a key; it does not encrypt information.

Certificates are issued by Certification Authorities (CAs).

Kerberos –

Be very clear on Kerberos.

Element one is a KDC, or Key Distribution Center, which takes your username/password, token, or what have you, and issues you a Ticket Granting Ticket (TGT). Your computer will cache the TGT during your session.

Then, when you want access to an actual network resource, your computer presents its TGT back to the KDC. The KDC then gives you a session ticket. Then the server that controls that resource will accept your session ticket (if it’s valid) and give you access (if you have permission).

Tickets:
-are encrypted
-contain user identification information
expire

Challenge Handshake Authentication Protocol (CHAP)

CHAP is more secure than password authentication.

  1. The user enters a username and password, which are sent to a server.
  2. The server returns a challenge message.
  3. The user’s computer creates a response using an algorythm, and sends it to the server.
  4. The server compares this response to its own algorythm-encrypted response to validate the user.

The server may require reauthentication at any time.

Mutual Authentication

Mutual Authentication helps prevent man-in-the-middle and replay attacks.

Each party is required to identify and authenticate themself to the other.

Multifactor Authentication

Put simply, this means requiring more than one method of authentication, e.g. both username/password authentication and a token or PIN.

Access control comprises mechanisms for limiting access to information or resources, based on
-user identity
-membership in groups.

Operating systems store this information in an Access Control List (ACL).

An ACL consists of access control entries (ACEs).

Rights based on group membership are inherited rights. These may include:
-Full Control
-Modify
-Read
-List Contents
-Execute
-Write.

Understand this intimately.

1. No subject can alter another subject’s access level.

2. All access is strictly defined at the object level:
-only members of a specific group have access

and at the group level:
-access to an object requires membership in a certain group.

3. This type of access control is used in government and military environments where objects are labelled as “Top Secret” or “Secret,” for example.

All access is defined by a user’s specific role, for instance:
-Manager
-Accountant
-Biller.

One user may have many roles.

The Security+ test may ask about Rule-Based Access Control, or Rule-Based Role-Based Access Control (RB-RBAC). This confusing issue arises when a rule-based mechanism like a router assigns a role to a user based on those rules (yes, really).

This is the least restrictive model. Think of Windows workgroup permissions: the user of a PC shares a folder, assigns a password, and sets permission (for instance, read-only).

The user decides everything.

Windows and Unix can log actions automatically, but in Windows in particular, the administrator must configure exactly which actions are logged.

System scanning checks the permissions assigned to a user or role, then examines them for compliance to standards

In Windows, use the Security Configuration and Analysis Tool (SCAT), which uses templates to perform the compliance analysis.

Access Control Lists:

A simpler guide to understanding Cisco Access Control Lists:
Cisco Access Control Lists (ACL) at
http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

Another example courtesy of JLSNet:
http://www.jlsnet.co.uk/index.php?page=cc_access

What these rules look like as Linux kernel firewall rules (thanks to the JustLinux Forums):
http://www.justlinux.com/forum/showthread.php?threadid=150675

Virtual Private Networks:

IPSec, encryption and how Diffie-Hellman is used

6.0 Cryptography

Domain 6.0 Cryptography – 11%

 

Symmetric Cyphers
Type Block or Stream Key Rounds Details
DES 64 bit block 56 bit 16 Used in the electronic payment industry.
3DES/TDES/3TDES 64 bit block 56 bit 16 x 3 different keys TDES is used in commercial data transfers.
AES (Rijndael – “Rhine doll”) 128 bit block 128/192/256 bit 10/12/14 Java, OpenSSL, FIPS (Federal Information Protection Standard 140-2, specifically)
Blowfish (Open Source courtesy of Bruce Schneier) 64 bit block 0 – 2040 0 – 255 SSH
IDEA (International Data Encryption Algorythm) 64 bit block 128 bit 8.5 Patented but free in most cases.
RC5 32/64/128 0 – 2040 0 – 255 OpenSSL
RC6 A submission for AES.
One Time Pad Same length as message; one-time use An alphabet-rotation cypher in which each character is rotated by a different number.

 

Asymmetric Cyphers: Public Key Cryptography
Type Method Details
Eliptic Curve Two points along an eliptic curve become the public and private keys. Used in OpenSSL, Java, .NET. Resistant to brute-force attacks. Shorter keys are more secure than longer RSA keys.
RSA (Rivest/Shamir/Adleman) Public and private keys are generated through the multiplication of two large prime numbers. Very commonly used in PKI. Vulnerable to brute-force and man-in-the-middle attacks.
Diffie-Hellman IKEA
(Internet Key Exchange Algorythm)
Uses public key cryptography to transfer a shared key for a symmetric cryptography session. Session keys are used once only, but Diffie-Hellman is still vulnerable to man-in-the-middle attacks.
El Gamal Generates public and private keys using cyclic-group mathematics. Used in PGP and GPG.
DSA (Digital Signature Algorythm) Public key digital signing. The federal government standard for signatures. Developed by NIST (National Institute of Standards and Technology).

 

Security+ Security Tools

My Favorite Free Security Tools
Command-Line Tools
Command
Description
Example
Explanation
Linux
dig
Queries DNS servers for host name/IP address mappings. dig
dig <hostname>
Queries hosts listed in /etc/resolve.conf or the host named.
ping
Requests a response from a host. Keeps going until Ctrl-C. ping google.com Asks the computer handling requests for google.com for a response.
telnet
Insecure unencripted terminal client program telnet host.foolish.com Attempts to open telnet communications with host.foolish.com. This service should be disabled.
traceroute
Requests a detailed path from your PC to the destination. traceroute google.com Produces a report of the path your request takes, including IP addresses and response times.
whois
Queries DNS information about the owner and host of a domain. whois XXX
dd
A disk duplication utility useful in forensics dd /dev/hda0 /dev/hdb0
nmap
The classic network mapper. Consider carefully who you map. nmap arrestme.com
Windows
arp
Reports the current Address Resolution Protocol cache arp -a Shows all current IP to MAC mappings.
netstat
Reports established ports and connections being monitored netstat -ano Returns a 5-column report of IP addresses and port numbers.
nslookup
Queries DNS servers for host name/IP address mappings.
ping
Requests a response from a host. Cycles 4 times. ping google.com Asks the computer handling requests for google.com for a response.
telnet
Insecure unencripted terminal client program telnet host.foolish.com Attempts to open telnet communications with host.foolish.com. This service should be disabled.
tracert
Requests a detailed path from your PC to the destination. tracert google.com Produces a report of the path your request takes, including IP addresses and response times.
GUI Tools
Application
Description
Functions
Platform
Related
Remote security scanner for Linux, BSD, Solaris, and other Unix. Over 1200 remote security checks, and also uses plug-ins. Multi-format reports are available. And it even suggests solutions! Security Check Unix:
Linux
BSD
Solaris
Others
A network protocol analyzer for Unix and Windows. Capture packets from a network or read a capture file on disk. View summary and detail information for each packet. Filter the info display and view a reconstructed stream of a TCP session. Unix
Windows
A command-line version called tethereal (included)

Netcat (Unix)

Netcat (Windows)

“Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable ‘back-end’ tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.” –www.securityfocus.com Network Exploration Unix, Windows
Or follow the…

… vulnerability scanner page on Darknet at…

 

http://www.darknet.org.uk/tag/vulnerability-scanner/

Security+ : Sample Questions

Sample Questions

Q: What exactly is a PKI certificate?

A) PKI has nothing to do with certificates
B) Certificates provide identifying credentials only
C) Certificates identify a certificate authority
D) Certificates provide a copy of a remote system’s private key
E) Certificates provide a copy of a remote system’s public key

 

 

A: Certificates provide a signed copy of a remote system’s or user’s public key.


Q: Which of these are components of IPSEC?

A) Encapsulating Security Payload (ESP)
B) Security Policy (SP)
C) Authentication Header (AH)
D) Challenge-Handshake Authentication Protocol (CHAP)
E) Internet Security Association Key Management Protocol (ISAKMP)

 

 

A,C,E: IPSEC uses three protocols to provide three types of security.

ESP encrypts packet payloads.

AH provides authentication.

ISAKMP allows secure key exchange.


Q: In PKI cross-certification,

A) client and CA exchange certificates
B) client and CA exchange public keys
C) client and CA exchange private keys
D) one CA exchanges certificates with another
E) two CAs sign each other’s certificates

 

 

A: E is correct. This strange maneuver allows clients in segregated administrative domains to communicate.


Q: What’s it called when someone captures and views packets from a network?

A) Fracking
B) Spoofing
C) Phreaking
D) Dissing
E) Sniffing
F) Packet Attack

 

 

A: We all know what a network sniffer is, and what sniffing is. Don’t forget this “formal” definition.


Q: All CAs have to have a formal statement of how certificates can be used. This statement is a(n):

A) Certificate Policy
B) Certificate Practice Statement
C) CRL
D) JVM

 

 

A: A CP is the formal, corporate set of rules for the operation of a PKI, such as auditing, enforcement and requirements (and CP is the right answer). A CPS is the technical, managerial description of actual practice and procedures.


Q: Is “down-level software” considered more secure? (Yes/No)

 

 

A: No. The term “down-level software” generally means older-version software (down one level in version numbers), which presumably has more known vulnerabilities. Thus it’s usually considered less secure.


Q: What are the features of a cold site? A warm site? A hot site?

A) It’s a long-term solution
B) Allows flexible configuration
C) Provides annual readiness testing
D) Provides only a building; you supply all equipment
E) Gives you a way to use proprietary hardware
F) It’s exclusive to your company
G) It’s a low-cost solution

 

 

A: Hot site: A, B, C, E, F. The fastest-recovery solution, it’s fully set up for your company alone, provides annual readiness testing, and allows flexible configuration. But it’s also the most expensive. NOTE that if you select “It’s a high-cost solution” (which is true of a hot site), you’ll be WRONG if the test asks about advantages to your company. High cost? An advantage? Not.

Warm site: B, E. Partially configured and less expensive, a warm site depends on a vendor or support organization to supply proprietary hardware and software – after disaster strikes. Not as quick, but cheaper.

Cold site: A, D, E, G. The cheap alternative, this is simply a building environment. There’s no equipment, so you’ll experience the longest downtime while you get your equipment in place and operating.


Q: Access rights and permissions determine (1) who can access resources and (2) which resources they can access. The mechanisms that limit Authorization to resources are:

A) local (host) security policies
B) file/data ownership
C) domain or network security policies
D) the principal of least privilege
E) separation of duties and responsibilities

 

 

A: The mechanisms that limit authorization to resources are B, D and E.
– File and data owners can set rights and permissions on network resources.
– The “principal of least privilege” means that users are given only the minimum necessary level of permissions to network resources to perform their duties – and no more.
– The concept of “separation of duties and responsibilities” means keeping a system of checks and balances. In a truly secure enterprise, no one can entirely control any function. Purchasing decisions, for instance, may be made by a department head, but must be confirmed by a purchasing manager.


Q: What two ports are used for http and https?

 

 

A: HTTP typically uses port 80, HTTPS uses 443.


Q: Think about it, now: what exactly is a router?

A) An L2TP device that provides a dedicated path
B) A network device that restricts access to prevent attacks
C) A POTS device with a dedicated connection to the CO
D) A network interconnection device between two or more networks

 

 

A: We all know what firewalls are (B), what telco devices are (C), what tunneling involves (A), and that a router always routes between multiple networks. Don’t be confused by technobabble.


Q: Which of these is the WAP layer providing security?

A) EAP
B) ERP
C) ESP
D) WTLS

 

 

A: WAP is the Wireless Application Protocol. It includes:
Wireless Application Environment
Wireless Session Protocol
Wireless Transport Protocol
Wireless Transport Layer Security (WTLS – the correct answer)
Wireless Datagram Protocol


Q: You’re the unfortunate administrator of a wireless network that you’re trying to keep secure. You’ve got things clamped down fairly tightly, but one access point keeps reverting to open permissions. When you get the chance you dig into that access point, you discover that the _____ settings aren’t right; a nearby user is changing the access point’s setup, even though he isn’t supposed to do so.

A) WEP
B) Permissions
C) DAC
D) MAC
E) ACL
F) WPA

 

 

A: There are a lot of semi-correct acronyms the test could throw at you in this example. The question really is about permissions, but Permissions isn’t the right answer. Neither of the security standards (WEP and WPA) deal with permission settings. DAC is the mechanism that lies behind setting permissions on files you own, not with network settings. A MAC address is just a MAC address. But all the action involving network and user permissions happens at the ACL (Access Control List) level, where permissions are actually set.


Q: You’ve just set up a Windows 2000 Server, which means of course that it has default security settings. The following users and groups have permissions to the C: folder. Which one should be removed?

A) Everyone
B) System
C) Anonymous
D) Administrator
E) Quick! Shut down the server!

 

 

A: Pulling the plug is always the most secure option, short of, say, encasing the server in concrete. But the Admin and the System user absolutely need access to the root directory for the system to run. The Anonymous user shouldn’t have access, but does because it’s a member of Everyone (of course). The real error here is in giving Everyone system root access in the first place, so Everyone is the correct answer here. Note that if Everyone isn’t on the list, but Guest is, Guest will be the correct answer (assuming identical phrasing of the question).


Q: Which of these are used to implement VPDNs (Virtual Private Dial-Up Networks)?

A) L2TP
B) LT2P
C) L2F
D) L2TF
E) PPTP
F) PPP

 

 

A: This is a case where knowing exactly what the acronyms mean will really help you. L2TP is Layer 2 (of the OSI model) Tunneling Protocol (a correct answer), L2F is Layer 2 Forwarding (another correct answer), and PPTP is Point-to-Point Tunnelling Protocol (the last correct answer). “Tunnelling” and “forwarding” are the key words here, dead giveaways for VPN operations.


Q: You’re using a form of RAID in which data is duplicated across two disks, but you fear that if a disk controller fails you won’t be able to get to either disk. For better fault tolerance, you should be using:

A) RAID 0, disk striping
B) RAID 1, disk mirroring
C) RAID 1, disk duplexing
D) RAID 0, disk striping with parity
E) RAID 5

 

 

A: No striping, even with parity, will get you past a disk controller failure. RAID 1 can be either mirroring (two disks on one controller) or duplexing (two disks on two controllers), and clearly duplexing can get past a failed (single) controller.


Q: What’s the most important element in a new security policy?

 

 

A: Management buy-in is the most important part of any security policy! Remember this point.


Q: Select the event that you should audit if you suspect someone is attempting improper access to an account and that account’s data.

A) success/failure of changes to accounts
B) restarts and shutdowns
C) use of accounts during off hours
D) success/failure of access to printers and shares

 

 

A: Only the success/failure of access to resources can pinpoint suspicious account activity (among the choices listed here).


Q: Select the cable that provides the best protection from electromagnetic interference, for instance from heavy machinery.

A) UTP
B) STP
C) Coaxial
D) Thicknet
E) fiber-optic

 

 

A: All of the electrical conductors are susceptible to EMF. Only fiber-optic cable is immune to it.


Q: Your company retains a security consultant to test your network. He lets you know he’s running an attack on your servers. But when you check you see no attack happening. Why is this?

A) The consultant is using the wrong account.
B) He’s not getting through the firewall.
C) He’s actually a cracker trying to sucker you.
D) He’s trapped in a “honeypot.”
E) Your company would never hire a security consultant.

 

 

A: Even if E is true, it’s not the right answer. Of course there is no “hacker” account, so A is wrong. He is conducting an attack against SOMETHING, so he’s certainly getting through the firewall. Your company has retained this consultant, so he’s (most likely) not a cracker. So D, “He’s trapped in a ‘honeypot,'” is the correct answer.


Q: What are the two components of L2TP?

DNS
LAC
LNS
PAP
MS-CHAP
CHAP

 

 

A: LNS is “L2TP Network Server,” and LAC is “L2TP Access Concentrator.” At least one mnemonic is that the first letter of each is “L” because each handles part of “L”2TP.


Q: What does the acronym SNMP mean?

 

 

A: No, really. Know that it’s Simple Network Management Protocol.


Q: Which of these solutions is entirely biometrics-based?

A) passwords
B) fingerprints and PIN numbers
C) voice recognition and retinal scans
D) PIN numbers and face recognition

 

 

A: Obviously, passwords, fingerprints and face recognition are not biometric. C is correct.


Q: Which of these statements about CAs is true?

A) CAs use the X.509 standard for certificate format
B) CAs store both public and private keys
C) CAs sign certificates using their public keys
D) CAs sign certificates using their private keys
E) CAs enroll and distribute digital certificates

 

 

A: Yes, Virginia, CAs enroll, distribute and revoke certificates. A CA signs certificates using its private key, and uses the X.509 standard for format. A, D and E are true.


Q: What protocol provides secure login and traffic?

A) Telnet
B) SSH
C) SSL
D) S/MIME
E) SHTTP
F) SOCKS

 

 

A: SSH (Secure Shell) provides secure, i.e. encrypted, login and session traffic. Telnet encrypts nothing. SSL is primarily used in web traffic, and SHTTP is used exclusively for HTTP traffic. S/MIME is used for secure email.

WARNING! I have seen a version of this question that asks, “which protocol provides secure login and Telnet traffic?” The correct answer was still SSH, but technically Telnet is not involved in SSH; it’s a different protocol.


Q: How could you use cryptography for access control?

A) Encrypt using a symmetric algorithm, and give the key to the people you want to access the data
B) digital signatures
C) everyone encrypts all documents
D) Users sign on with their certificates, and all permissions and restrictions are defined on a per-certificate basis.

 

 

A: Okay, sharing keys is literally giving the keys away. Digital signatures or encryption alone won’t provide access control, just identificaton and encryption. The real way to do this is via an LDAP-type directory that recognizes and uses certificates.


Q: It’s Patch Tuesday, and Microsoft releases a critical update. Your intern wants to go gung-ho and install it, but you know better. You want to follow which step(s) of best practice?

A) determine if your systems need the patch
B) perform test installations on non-production computers
C) schedule downtime if a reboot is necessary
D) install the patch on production computers

 

 

A: All of these, and any others that become necessary. Patches can bring down your machines. But you knew that already.


Q: Some systems are weak when it comes to reassembling overlapping IP fragments. Hackers can target these systems by sending a series of overlapping, fragmented IP packets. This kind of attack is called:

A) Smurf attack
B) root kit
C) Ping of Death
D) Fraggle attack
E) Land attack
F) Teardrop attack

 

 

A: This particular attack is a Teardrop attack.

A Smurf attack occurs when an attacker sends forged ICMP echo request packets to intermediaries, using a false source IP. This causes them to send responses to the victim, the server that really holds that IP address. This floods the network, resulting in DOS. A Smurf is made possible by misconfigured network devices that respond to ICMP echoes sent to broadcast addresses.

A Fraggle attack is the same technique, used over UDP rather than ICMP.

A root kit is any of several ways of gaining root access on a Unix computer, not an attack per se.

The Ping of Death is a variant of Smurf that sends deliberately malformed ICMP ping packets, attacking computers susceptible to this malformation.

A Land attack is an older one that sends a packet with the same host specified as both sender and receiver. This locks up some systems.


Q: Which of these statements about PGP are true?

A) Phil Zimmerman developed it
B) It uses a web-of-trust model (not a CA)
C) The acronym stands for “Pretty Good Privacy”
D) It provides secure, encrypted email
E) It provides only message encryption, not proof of origin

 

 

A: All except the last are true. PGP does provide both sender authentication and message encryption.


Q: In which area of your network should you place public DNS and web servers?

A) Web Zone
B) DMZ
C) IPChains
D) ISP
E) VPN
F) Firewall
G) VLAN

 

 

A: Don’t be confused by and combination of acronyms. The only (reasonably) safe place to put web servers, and DNS servers if you’re running an ISP for instance, is in the De-Militarized Zone (DMZ).


Q: Computers installed in the DMZ should:

A) Be running IP forwarding
C) Be in an unsecured location
B) Run lots of services
E) Be hardened and run only essential services
D) Come pre-loaded with a root kit

 

 

A: Obviously, servers in the DMZ should be hardened and stripped. The fewer services, the less the vulnerability footprint. And no server should be “in an unsecured location.”


Q: PKI trust models include:

A) Network/Mesh
B) Key ring
C) Trust
D) Weighted
E) Hierarchical
F) Balanced
G) Token ring

 

 

A: Network/Mesh, trust, hierarchical, and key ring are the four categories of PKI trust models.


Q: Hash encryption is a ______ process.

A) One-way
B) Fast
C) Three-way
D) Two-way
E) Slow

 

 

A: When data is “hashed,” it’s scrambled irrecoverably. This means it’s a one-way process.


Q: A PKI certificate contains which of the following?

A) PGP hash
B) Serial Number
C) Digital Signature
D) Date of creation
E) Name
F) Copy of the certificates holder’s private key
G) Expiration Date
H) Copy of the certificate holder’s public key

 

 

A: A PKI certificate contains:
name
serial number
expiration date
digital signature
a copy of the certificates holder’s public key


Q: After you perform an upgrade (hardware or software) on a server, test it and put it back into production, what’s the most critical next step?

A) Back up
B) Clear logs
C) Reset auditing
D) Document changes
E) Lock up

 

 

A: Consider this a gimme. Good SOP will always include documentation.


Q: What is the port number for HTTP?
FTP?
PPTP?
L2TP?
ISAKMP?
LDAP?
Telnet?
SMTP?
POP?
MS SQL Server?
Oracle?
NetBIOS over TCP/IP?

 

 

A: This is mean stuff if you have a hard time with numbers, but the test expects you to know it because you’ll sometimes need to open these ports.

HTTP = 80
FTP = 21
PPTP = 1723
L2TP = 1701
ISAKMP = 500
LDAP = 389
Telnet = 23
SMTP = 25
POP = 110
MS SQL Server = 1433, 1444
Oracle = 1521, 1522, 1525 or 1529
NetBIOS over TCP/IP = 139 and 445 (Win 2000 also uses 445 for directory services, a port used by Zotob)


Q: What is the most informative IDS?

A) Honeypot
B) Network-based
C) Router-based
D) Host-based

 

 

A: A honeypot isn’t an IDS; there are formally only two kinds: network-based and host-based.

Network-based IDSs use a less complex Manager application. Host-based IDSs rely on a single Manager and multiple Agents distributed among PCs. They see more and do more, to put it simply.


Q: Under Kerberos, you give this to a server so you can access a resource.

A) P2P
B) PGP
C) CHAP
D) Session ticket
E) Lip

 

 

A: Be very clear on Kerberos.

Element one is a KDC, or Key Distribution Center, which takes your username/password, token, or what have you, and issues you a Ticket Granting Ticket (TGT). Your computer will cache the TGT during your session.

Then, when you want access to an actual network resource, your computer presents its TGT back to the KDC. The KDC then gives you a session ticket. Then the server that controls that resource will accept your session ticket (if it’s valid) and give you access (if you have permission).


Q: To analyze encrypted traffic, you’ll need a(n) ____-based IDS system:

A) Cryptography
B) Network
C) Heuristic
D) Router
E) Host
F) Stastics

 

 

A: IDSs differ along several lines. They include:
Host-based vs. network-based
Active vs. passive
Signature- vs. anomaly-based

But in this case we have a trick(y) question. When is encrypted traffic not encrypted (i.e. analyzable)? When it’s on the host, prior to encryption and transmission. In this instance the right answer is host-based.


Q: Which is more secure, two-factor authentication, or single-factor?

 

 

A: In this context, a “factor” is anything like a password (something you know) or a token (something you have). Requiring two factors, then, is always more secure than requiring only one.


Q: IDS systems do all of the following EXCEPT?

A) Log violations
B) Monitor activity
C) Analyze activity
D) Prevent attacks
E) Sense attacks
F) Track abnormal activity

 

 

A: Again, “Duh!” An IDS is not an IPS, and the literature I’ve seen so far makes it appear CompTIA isn’t talking about these yet (I write 6/17/2005). So just remember that if there’s a “D” then we’re only talking about Detection, not Prevention.


Q: Which client-server protocol allows users to communicate with a centralized server?

A) NetBEUI
B) rlogin
C) PPP
D) RADIUS
E) SLIP
F) SSL
G) LDAP

 

 

A: Tricky, tricky. All of these are client-server protocols, so practically anything could fit, if that were the only requirement. But it’s the “allows” and “centralized server” that are the clues here. What they’re really asking is, which protocol allows a user to communicate ONLY with an authorization server until they’re authenticated – a textbook description of a directory service. Only one is listed here: LDAP. If NDS or AD showed up they’d fit too.


Q: Hash generation takes data of any size and converts it into _____________.

A) A private key
B) A 128-bit value
C) A secret key
D) A 64-bit value
E) A verified cryptospasm
F) A fixed-length 32-bit string

 

 

A: If you’re having cryptospasms, see your doctor. But if you have an encrypted hash, you have a fixed-length value that depends on the hash: 32, 48, 64, 128 bits etc.

BE AWARE that some study materials indicate “a fixed 128-bit value” is the answer they’re looking for, even if other length values are listed.


Q: Which of these should be performed as part of a security baseline?

A) DoS
B) Spoofing
C) Scanning other people’s networks
D) Port scanning
E) ICMP redirects
F) Pings

 

 

A: Yeah, you should do a Denial of Service attack on yourself. No, a good (series of) port scan(s) is always a part of establishing a security baseline.


Q: “Accountability” means that any action can be traced back to:

A) Users
B) Groups
C) Administrators
D) Token users
E) the police

 

 

A: Accountability focuses on the individual. “Users” is the correct answer.


Q: In your network, users are assigned a security clearance, and network objects have security labels that show their data classification. What kind of access controls or security levels are we talking about in this environment?

A) ACL: Access Control List
B) MAC: Mandatory Access Control
C) DAC: Discretionary Access Control
D) RBAC: Role-Based Access Control
E) CAC: Configurable Access Control
F) The Wild, Wild West

 

 

A: When you see a description like this, the dead giveaways are “security clearance” and “security labels.” Both of these are used only in government-type classified environments, which are run using MAC, the “tightest” of the security models.


Q: What are the principles of information security?

A) Confidentiality
B) Spoofing
C) Availability
D) Accountability
E) the parity bit

 

 

A: CompTIA loves lists, so know this one. The three principles are Confidentiality (data is protected from other eyes), Availability (the people who need it can get it) and Accountability (everything you do can be traced back to you).


Q: Which of these accurately describes the main responsibility of the IT security pro?

A) damage control
B) flaw management
C) risk assessment
D) risk management
E) threat management
F) threat control

 

 

A: As much as it feels like damage control, the real task of the IS security pro is risk management (which included risk assessment). Don’t be confused by any combination of term and “management” or term and “assessment.” This job is all about managing the risk.


Q: Which three of these are true about DSS?

A) DSS means “Digital Signature Standard”
B) DSS means “Dual Symmetric Standard”
C) It uses symmetric keys
D) It uses public and private keys
E) It provides non-repudiation

 

 

A: A, D and E are true.


Q: What mechanisms are used for protecting email?

A) 3DES
B) PGP
C) PHP
D) PEM
E) S/MIME

 

 

A: PGP (Pretty Good Privacy), PEM (Privacy Enhanced Mail) and S/MIME (Secure Multipurpose Internet Mail Extensions) provide authentication and encryption of email.


Q: Whether securing a single computer or a whole network, the admin must ensure the availability of data but also protect:

A) rights and privileges
B) integrity and confidentiality
C) data backups
D) integrity and rights
E) flow control and error handling
F) altruistic synergistics

 

 

A: Remember that list: Principles of Security:
Confidentiality
Integrity
Availability


Q: From an IT security standpoint, any attempt to get around security is:

A) an access
B) a hack
C) an attempt
D) an attack
E) a crack

 

 

A: Any attempt is an attack, whether it succeeds or not.


Q: What kind of attack attempts to prevent normal access to data by authorized users?

A) autodialer
B) cracking
C) denial of service
D) hijacking
E) login attempt

 

 

A: The key word here is “denial,” because that’s what’s going on. Of course we’re all primed to look for denial of service.


Q: ________ is the process by which a user or computer states who they are in order to gain access to a network resource.

A) Identification
B) Identity theft
C) Authentication
D) Hijacking
E) Accountability

 

 

A: The Security+ test splits these layers very thin. There are three major steps to logging in.
The first is Identification, and happens when I provide a login name, for instance.
The second is Authentication, which happens when I provide a password.
The third is Authorization, which is the actual granting of permissions to a resource.
Within this context, then, the correct answer is Identification. Be wary of vague phrasing in this and related questions.


Q: IDSs come in several types. Which type performs analysis using a database of attack signatures?

A) active detection
B) passive detection
C) reactive detection
D) network-based detection
E) host-based detection
F) signature-based detection
G) misuse detection
H) Mozilla detection

 

 

A: Know these categories well!

Misuse detection (the correct answer here) gathers and analyzes network traffic, and compares it to a database of attack signatures. This type of IDS requires lots of upkeep.

Anomaly detection is arguably more sophisticated. The IDS analyzes traffic compared to a baseline load, distribution of protocols, packet size and other criteria. Unusual traffic or events are logged.

Network-based IDS (NIDS) analyzes the packets passing through a network, in order to find unusual ones that may have escaped the attention of a firewall.

Host-based IDSs monitor packets on each separate host (computer).

Passive IDSs simply log any event that may be a potential security breach.

Reactive IDSs do more than log: they may log off a user, or actively alter firewall rules to block traffic from suspect sources.


Q: Mandatory Access Control is: (select one)

A) based on a mandatory check of user identity
B) enforced via reliable mechanisms
C) based on the properties of an object
D) implemented using a login server. If the server can’t be reached, the mandatory login can’t be done.

 

 

A: Mandatory Access Control is all about the properties of network objects. An object has a security rating, and users must have at least that rating to access it.

Compare this to Discretionary Access Control, in which all permissions are at the owner’s discretion. I can grant you read, write, execute or other permissions on my files, a la NTFS or ext2.

Role-Based Access Control is implemented using groups, which have permissions, and users, who are assigned to groups depending on their role in the organization.


Q: Kerberos provides: (select one)

A) integrity
B) confidentiality
C) access to multiple hosts, though the user must log in to each host
D) non-repudiation
E) single sign-on

 

 

A: Kerberos (Cerberus) was the three-headed guard dog of the underworld in Greek myth. In other words, he provided the one barrier to everything beyond, which is exactly what the Kerberos system does in the computing realm: single sign-on.


Q: A PKI certificate is: (select one)

A) a copy of a remote host’s private key
B) proof that a certificate authority is trustworthy
C) only used for authentication
D) a signed copy of a remote host’s public key
D) Don’t be ridiculous; PKI doesn’t use certificates.

 

 

A: Yes, PKI does use certificates, which contain a host’s public key. Private keys are not shared. PKI provides Authentication (through the public key) and Integrity (by providing an integrity check, namely successful decryption).


Q: Which of the following are standard measures of accuracy in a biometric system?

A) False positives
B) False negatives
C) Type I errors
D) Type II errors
E) Type III errors
F) Crossover error rate
G) Null error rate

 

 

A: With this type of question, you need to know that rejecting a valid user is a Type I error, and accepting an invalid user is a Type II error. The crossover error rate is the error rate when false positives and false negatives are equal; a lower number is a better number. There are no Type III errors, and there is no such measure as a null error rate.


Q: I’ve managed to insert my computer into the traffic stream between you and your server. To you, I look like the server. To the server, I look like you. What am I doing?

A) Infecting you with a worm
B) A man-in-the-middle attack
C) Installing a trojan
D) A browser hijack
E) Giving you a virus

 

 

A: This one’s a gimme; obviously anything like this is a man-in-the-middle attack.


Q: Which of these is a cryptographic attack?

A) social engineering
B) klez
C) dictionary
D) birthday
E) “random-number” attack
F) Anna Kournikova

 

 

A: Of these, only the birthday attack involves cryptography. Social engineering is a lousy way to crack cryptography. klez is a worm. A dictionary attack is a password attack, as is a pseudorandom generator attack.


Q: Of these types of malware, which one both propagates without any human intervention, and does not embed itself in another program?

A) worm
B) smurf
C) trojan
D) macro
E) virus

 

 

A: A worm is by definition self-propagating code that travels independent of existing software. Worms such as Code Red travelled as email attachments – the whole attachment is the worm.

A virus propagates by attaching itself to other files. Melissa is an email-attachment virus. Melissa infected attachments, but can’t be an attachment on its own.

And a trojan requires human cooperation for its propagation. A trojan by definition appears benign, but frequently destroys data.

Also be familiar with logic bombs, which are not generally “infective” – that is, usually a logic bomb is a one-off booby trap, not a mass mailing, for instance. The most common exploit by a logic bomb is the destruction of data.


Q: Which of these are examples of symmetric encryption, and which are examples of asymmetric encryption?

DES
Triple DES
AES
RC 4 and RC 5
Skipjack
Blowfish
CAST-128
RSA
Diffie-Hellman
Elgamel

 

 

A: Actually this list is easy. Only the last three are examples of asymmetric encryption. I use the acronym “RED” to remember these three.

YOU CAN COUNT ON SEEING THIS ON THE TEST.
Public Key Encryption (asymmetric encryption):
RSA
Diffie-Hellman
Elgamel


Q: Select at least three mechanisms for accessing or distributing digital certificates.

A) FTP
B) HTTP
C) AARP
D) LDAP
E) NMPIRG

 

 

A: You can access or distribute digital certificates via FTP, HTTP or LDAP (among others).


Q: Select the two modes of IPSec.

A) Host Mode
B) Transfer Mode
C) Network Mode
D) Integrity Mode
E) Tunnel Mode

 

 

A: Transfer Mode and Tunnel Mode are the two modes of IPSec. Transfer mode is used for point-to-point VPNs, while Tunnel Mode is used when there are other devices (routers etc.) between the two endpoints. Important point: Tunnel Mode encrypts headers as well as packet payload, while Transfer Mode encrypts only the payload.

But you need to understand this one level deeper. IPSec in and of itself provides authentication and encryption over the public internet via the Policy Agent.

Internet Key Exchange (IKE) manages peer authentication and key exchange, and does its job before an actual IPSec connection is made. It is in fact the method for exchanging the necessary pre-shared keys in order to form and secure an IPSec connection. It does this based on the authentication and security information it receives from the Policy Agent. IKE is a combination of ISAKMP and the Oakley Key Determination Protocol.

ISAKMP (the Internet Security Association Key Management Protocol) provides a protocol for negotiating what encryption scheme will be used for the IPSec session.

Under IKE, the Diffie-Hellman key-exchange protocol actually performs the key exchange. Both parties involved send a hashed version of the pre-shared key.

Once all this is done, IPSec creates the connection. The Authentication Header (AH) signs packets with a hash to provide authentication and guaranteed integrity. Normally unencrypted, these headers ARE encrypted in Tunnel Mode.

Encapsulating Security Payload (ESP) signs payloads with a hash, as well as encrypting them (regardless of mode).

(How’s that for a mouthful?)


Q: A program that has the following two properties:
1. It moves from host to host without needing human intervention
2. It’s self-contained, and doesn’t infect other software (or need to)
is a:

A) klez
B) nimda
C) macro
D) worm
E) trojan
F) virus

 

 

A: Remember:

A worm is by definition self-propagating code that travels independant of existing software.
A virus must infect another program.
A trojan requires human intervention.


Q: A consultant tells you your phone system is vulnerable to attack. Why is he even concerned about this?

A) Because your phone and data systems are integrated
B) Because your phone system provides a dedicated connection between two LANs
C) Because phone systems are peer-to-peer
D) Because your phone system provides a connection between different kinds of networks

 

 

A: Many (but not all) systems combine PBX phone services with data networking. Thus your PBX can be a gateway to your LAN or VPN.


Q: In the most common model of client-server networking, the client has to authenticate itself to a server. But in higher-security models, each participant in a transaction must definitively identify itself to the other. This is called:

A) client-client networking
B) mutual mistrust model
C) peer-to-peer
D) two-way authentication
E) mutual authentication

 

 

A: Sure, you could make an argument for any of these (especially the mutual mistrust model), but the correct term is mutual authentication.


Q: To what does the X.509 standard apply?

A) encryption algorythms
B) the format of http packets
C) the format of ip packets
D) the format of digital certificates
E) the format of digital signatures

 

 

A: X.509 defines the format of digital certificates.


Q: Which of these statements about Key Escrow is true?

A) Key Escrow uses the X.507 standard for payments
B) Key Escrow is when a trusted third party stores private keys
C) Key Escrow is when a trusted third party stores public keys
D) Key Escrow the standard for key distribution
E) Key Escrow is a technique for reading keys

 

 

A: Key Escrow is a service provided by trusted third-party organizations, which allows the recovery of lost private keys.


Q: Which of these are NOT encryption algorythms?

A) RSA
B) 3DES
C) kerberos
D) IDEA
E) MD5
F) RC-4

 

 

A: They’ll fool you with this one. 3DES, IDEA and RC-4 are encryption algorythms. MD5, however, is a one-way hash algorythm, and Kerberos is involved in single sign-in. RSA is a signature algorythm.


Q: Which of these statements about CRLs are true?

A) CRLs are issued by CAs
B) CRLs are Certificate Recovery Lists
C) CRLs are Certificate Revocation Lists
D) CRLs identify digital certificates that are no longer valid
E) CRLs are transmitted using X.509

 

 

A: A, C and D are true: Certificate Revocation Lists are issued by CAs, and identify expired or revoked certificates.


Q: User A trusts User B, and User B trusts User C. If User A trusts User C because User B does, this is what kind of trust?

A) meaningless
B) two-way
C) three-way
D) transitive
E) intransitive

 

 

A: This is a transitive trust. If User C did NOT trust User A, it would be an intransitive trust.


Q: CRLs are Certificate Revocation Lists. A certificate listed on Certification Hold in a CRL is in what state?

A) revoked
B) hold
C) suspended
D) lost
E) destroyed

 

 

A: Not all certificates listed in CRLs are revoked; certificates on Certification Hold are merely suspended.


Q: Which of these are used for authentication?

A) driver’s license
B) token
C) 3DES
D) biometrics
E) kerberos

 

 

A: Tokens, biometrics and kerberos are all involved in authentication (not identification).


Q: All of the below are true of IEEE 802.11b except:

A) traffic can be passed as clear text
B) traffic can be encrypted securely
C) 802.11b is slower than 802.11g
D) anyone with the right configuration and a decent signal can connect

 

 

A: Don’t fool yourself. Nobody seriously considers 802.11b’s WEP encryption scheme secure, due to key weaknesses. In the sample tests I’ve seen, nobody seems to be talking about WPA, which is of course more secure, but hardly flawless.


Q: What is TACACS+?

A) a VPN protocol
B) an authentication server
C) a communication protocol allowing network devices to talk to an authentication server
D) working too hard will give you heart TACACS+

 

 

A: This question approaches the issue of remote authentication from the back door. What we’d usually be talking about is RADIUS, the open IETF standard for remote authentication. But in this realm, Cisco went its own way with its proprietary TACACS,  TACACS+ and XTACACS.

Critical word here: Server. Both RADIUS and TACACS+ are protocols (i.e. they do communication), not servers.


Q: Which of these are provided by IPsec?

A) confidentiality
B) integrity
C) authentication

 

 

A: All of them. The two components of IPsec are actually IKE (Internet Key Exchange, which provides authentication) and IPsec (which provides confidentiality and integrity assurance via encryption).


Q: Which of these are true of IPsec?

A) IPsec provides authentication and encryption
B) It travels over the Internet
C) It operates at Layer 3
D) It can secure all applications that run at Layer 4 or higher

 

 

A: All of these. Know this list well!


Q: Time for acronym soup. Which of these comprises the protocols and standards used to securely exchange information under PKI?

A) CP
B) CPS
C) CRL
D) OCSP
E) PKCS

 

 

A: A Certificate Policy (CP) is the formal, corporate set of rules for the operation of a PKI, such as auditing, enforcement and requirements.

A Certificate Practice Statement (CPS) is the technical, managerial description of actual practice and procedures.

A Certificate Revocation List is a CRL.

Online Certificate Status Protocol (OCSP) is a “live,” internet-based alternative to CRLs.

And the Public Key Cryptography Standards (PKCS) are standards and protocols that dictate secure exchange of data using PKI (Public Key Infrastructure). This is the correct answer.

There seem to be several versions of this type of question; know these acronyms thoroughly!


Q: What’s the best way to make your users employ strong passwords?

A) AD domain policies
B) firings
C) education
D) event auditing

 

 

A: The test expects you to be magnanimous; education is the only effective way to get any results in this area (take it from me if you haven’t learned this already!).


Q: There are many kinds of attacks. Define:

A) keylogger
B) trojan
C) man in the middle
D) trapdoor
E) replay

 

 

A: A keylogger (which may be software or a hardware device) records your keystrokes. It may “phone home,” or it may be secretly picked up.
A trojan is a program that appears to do one thing, but does something malicious instead or in the background.
Man-in-the-middle attacks happen when someone manages to put himself into your traffic stream, where he can alter or intercept data.
A trapdoor is a usually-intentional “opening” into a program that can allow unauthorized access.
A replay attack is similar to a man-in-the-middle exploit, but what seems to be a live session is actually a “replay” of the real action.


Q: What protocol is being used by a web page that begins with “https://”?

A) PKI
B) hashing
C) auditing
D) S-HTTP
E) SSL

 

 

A: HTTPS uses SSL as its transport layer. S-HTTP would have been the correct answer if it ever caught on, but it didn’t.


Q: Which way does public-key encryption work?

A) Sender and recipient have to trade private keys
B) The public key allows you to calculate the private key
C) The sender encrypts the message with the recipient’s public key
D) The sender encrypts the message with her own private key

 

 

A: Be sure you understand how this process works. First, it’s the sender’s responsibility to encrypt the message, of course. And theoretically the sender could encrypt with her own private key and distribute the public key for decryption – but that’s not the way it’s done. The sender encrypts with the recipient’s public key. Why? Because anyone could decrypt a message I sent encrypted with my private key; I only want the designated recipient to be able to decrypt it.

Asymmetric encryption algorythms include: RSA, RC2, RC4, RC5, Blowfish, Diffie-Hellman, and the mysterious El Gamal.

If we were talking about symmetric encryption, then we’re forced to share our private key because it’s the only way to decrypt. Obviously this is highly open to abuse.

Symmetric encryption algorythms include DES and Triple DES, IDEA (Int’l Data Encrytion Algorythm), AES (Advanced Encrytion Standard, a.k.a. Rijndael), and the charming Skipjack.


Q: Which of these are components of a host-based IDS?

A) Manager
B) Agent
C) Rules
D) Policies
E) Reporting

 

 

A: A manager, multiple agents and a reporting subsystem are the three software components of a host-based IDS. Rules and policies are involved too, but they are determined by the manager; the test apparently considers them NOT to be “components.”


Q: A router ACL question:

You’re looking at the router’s ACL for the INTERNAL network, which you know operates on the 192.168.2.0 subnet. You see this rule:

allow 204.133.16.0 0.0.0.255

You scratch your head and check out the ACL for the EXTERNAL network, and see:

deny 204.133.16.0 0.0.0.255

What conclusions can you draw from this?

 

 

A: Darn right this is esoteric. What we’re really looking at are three-part rules.

The first component is the permission: simply “allow” or “deny.”
The second component is the IP address of the external interface (in this case).
The third component is a subnet mask.

So what do we really have? One rule allows all addresses on the internal network to “get to” the external interface. This is nice if we want to access the Internet. The other rule denies anyone from the outside world from pretending it has an IP address on our internal network.

Now think about this: what we really have here is a setup that blocks spoofing attempts.


Q: Now for a question about auditing. If you’re suspicious that a cracker has broken into your system, what should you audit?

A) Unsuccessful login attempts
B) Successful login attempts
C) Resource accesses
D) Changes to accounts
E) Everything

 

 

A: If you think she’s already in, the thing to audit is successful logins. Then you can see exactly when she enters or entered.


Q: Which of these is the most common attack against web servers??

A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Man in the middle

 

 

A: I was surprised to read that SYN floods are one of the most, if not the most common attack against web server.


Q: Cryptographic security has what four goals?

A) Authentication
B) Integrity
C) Nonrepudiation
D) Confidentiality
E) Authorization
F) Availability

 

 

A: I use the acronym CAIN to remember these four goals.

Confidentiality means unauthorized people can’t access the data.

Authentication means only people with the correct credentials can access the data.

Integrity means the data can’t be changed without detection.

Nonrepudiation means the sender can’t deny sending.


Q: What are the most common attacks against the Transport Layer of the OSI network model?

A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Hijacking

 

 

A: SYN floods and hijackings are the most common attacks at this layer. Keep in mind that hijacking, in this context, does NOT mean browser hijacks. Instead it refers to an attacker interfering with the predictable flow of traffic to interrupt sessions.


Q: Which of these is the most common attack against web servers??

A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Man in the middle

 

 

A: I was surprised to read that SYN floods are one of the most, if not the most common attack against web server.


Q: Uh-oh. You’ve got BackOrifice. Which ports should you look at?

A) UDP 31337
B) TCP 1056
C) UDP 1056
D) UDP 1049
E) TCP 1049

 

 

A: BackOrifice uses a whole cluster of port. By default, the server component runs on UDP 31337.

The client component runs on UDP 1049, but if the BackOrifice HTTP web server is running, it’ll use TCP 1056. (Notice that TCP.)


Q: A tricky question about services: your server assigns IP addresses, and resolves IP addresses to domain names. Which of the below must you leave enabled?

A) DNS
B) FTP
C) DHCP
D) POP3
E) TCP/IP
F) NetBEUI

 

 

A: You know darn well we’re talking about DHCP and DNS. But never forget that both of these run over TCP/IP.