The 7 Layers of the OSI Model courtesy of Webopedia
Ports, well-known and otherwise
NAT and Private Address Ranges (thanks JP)
Asset – anything valuable, such as information, software or a car stereo
Threat – any event or object that might result in a loss, like theft or fire damage
Threat Agent – any person or thing that can carry out a threat, like a thief or a flood
Vulnerability – a weakness in security, like an unprotected server or a hole in a fence
Exploit – actually taking advantage of a weakness, for instance by attacking an unprotected server or going through that hole in the fence
Risk – the likelihood that a threat agent will actually exploit a vulnerability, weighed against the loss that would result
Risk management is what it’s all about: how much risk can you tolerate, and how much will you spend to avoid it?
- Integrity – Assurance that a message, program or other item hasn’t been altered, whether by accident or on purpose.
- Confidentiality – Only authorized persons have access to the information.
- Availability – Information and systems are usable by properly authorized users when they need them.
Social Engineering – manipulating a person into granting access to a system or giving up information; this category also covers dumpster diving and phishing
Password Guessing – this includes brute force (trying every possible password, or thousands of likely ones, against a system) and dictionary attacks (hashing every word in a wordlist and comparing each hash against the users’ stored password hashes, looking for matches). Software exploitation (like a buffer overflow) is sometimes listed alongside these, but it is a different attack: it bypasses authentication rather than guessing credentials.
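The dictionary attack described above, as an added example (not from the original page): it hashes every wordlist entry and compares against stored hashes, and shows why a per-user salt matters. The wordlist, user names, passwords and the deterministic salts are constructed for the example; a real system would draw salts from os.urandom() and use a slow password hash such as bcrypt, scrypt or Argon2 rather than plain SHA-256.

```python
import hashlib

# Constructed sample data (not from the page): a tiny wordlist and four users.
# Two users share "letmein"; dave's password is not in the wordlist at all.
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", "summer2024"]
PLAINTEXTS = {"alice": "letmein", "bob": "dragon", "carol": "letmein", "dave": "Tr0ub4dor&3"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted_store(plaintexts: dict) -> dict:
    """Password file that stores SHA-256(password) for each user."""
    return {user: sha256_hex(pw.encode()) for user, pw in plaintexts.items()}


def salted_store(plaintexts: dict) -> dict:
    """Password file that stores (salt, SHA-256(salt || password)).

    The salt is derived from the username only so this example is reproducible;
    a real system draws it from os.urandom()."""
    store = {}
    for user, pw in plaintexts.items():
        salt = ("salt:" + user).encode()
        store[user] = (salt, sha256_hex(salt + pw.encode()))
    return store


def crack_unsalted(store: dict, wordlist: list):
    """Dictionary attack on unsalted hashes: hash each word ONCE, then look
    every user's hash up in that table.  Returns (cracked, hashes_computed)."""
    table = {sha256_hex(word.encode()): word for word in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store: dict, wordlist: list):
    """With a per-user salt the table cannot be shared: every word must be
    re-hashed for every user, so the work grows with the number of users."""
    cracked, hashes_computed = {}, 0
    for user, (salt, stored_hash) in store.items():
        for word in wordlist:
            hashes_computed += 1
            if sha256_hex(salt + word.encode()) == stored_hash:
                cracked[user] = word
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    found, work = crack_unsalted(unsalted_store(PLAINTEXTS), WORDLIST)
    print(f"unsalted: cracked {found} with {work} hash computations")
    found, work = crack_salted(salted_store(PLAINTEXTS), WORDLIST)
    print(f"salted:   cracked {found} with {work} hash computations")
```

Against the unsalted store six hashes crack three accounts at once, because alice and carol share a hash; against the salted store the attacker re-hashes the whole list per user, and dave’s strong password is never found at all. Salting removes the shared table; a slow hash makes each of those per-user guesses expensive.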
Weak Keys – algorithms that allow the creation of keys with detectable patterns or structure have weak keys; DES is the classic example, with a handful of keys for which encrypting twice returns the plaintext.
Mathematical Attacks – usually statistical analyses of ciphertext, or of an algorithm’s structure, that attempt to recover keys with less work than brute force.
Birthday Attacks – these exploit the birthday paradox: in a room of only 23 people the odds are better than even that some two share a birthday, because what matters is the number of pairs, which grows much faster than the number of people. The same applies to hashes: finding any two inputs with the same hash (a collision) takes roughly 2^(n/2) attempts for an n-bit hash, whereas matching one specific, known hash value takes about 2^n. An attacker who can prepare many harmless variants of a document and many malicious variants can find a harmless one and a malicious one that hash the same, and get a signature on the harmless one that also fits the malicious one.
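The collision-versus-preimage gap above, shown in working code as an added example (not part of the original page). The hash is a constructed toy: the leading n bits of SHA-256, so that the searches finish in seconds; the message prefixes are arbitrary.

```python
import hashlib


def short_hash(msg: bytes, bits: int) -> int:
    """Toy n-bit hash: the leading `bits` bits of SHA-256(msg) as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"doc-"):
    """Birthday search: hash distinct messages and remember each value seen.
    Stops at the first value that repeats.  Expected work is about 2**(bits/2)."""
    seen = {}
    attempts = 0
    while True:
        msg = prefix + str(attempts).encode()
        attempts += 1
        value = short_hash(msg, bits)
        if value in seen:
            return seen[value], msg, attempts   # two different messages, one hash
        seen[value] = msg


def find_preimage(target: int, bits: int, prefix: bytes = b"pre-"):
    """Match one fixed target value.  Expected work is about 2**bits, i.e. the
    square of the collision cost: this is the gap a birthday attack exploits."""
    attempts = 0
    while True:
        msg = prefix + str(attempts).encode()
        attempts += 1
        if short_hash(msg, bits) == target:
            return msg, attempts


if __name__ == "__main__":
    # 32-bit hash: a collision falls out after tens of thousands of hashes ...
    m1, m2, n = find_collision(32)
    print(f"collision after {n} hashes: {m1!r} and {m2!r} -> {short_hash(m1, 32):#010x}")
    # ... but matching one given 32-bit value would need ~4 billion hashes, so the
    # preimage search is run at 16 bits, where ~65,000 attempts are expected.
    target = short_hash(b"victim-document", 16)
    m, n = find_preimage(target, 16)
    print(f"preimage of {target:#06x} after {n} hashes: {m!r}")
```

Run it and the collision on the 32-bit hash appears after on the order of 2^16 attempts, while a preimage at 32 bits would take on the order of 2^32; that square-root saving is the whole reason hash outputs need to be twice as long as the security level you want.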
Man-In-The-Middle Attacks (MIM; usually abbreviated MITM) – The attacker looks like the server to the client, and looks like the client to the server, so all traffic passes through the attacker, who can read or alter it.
Replay Attacks – The attacker captures valid traffic (an authentication exchange, a transaction) and retransmits it later to repeat its effect; unlike a MIM attack the data need not be changed at all. Timestamps, nonces and sequence numbers are the usual defenses.
TCP/IP Hijacking – taking over an established session, for instance by predicting TCP sequence numbers and injecting packets, often as a way of performing a MIM attack; spoofing is the act of falsifying one’s source IP address to do this; Address Resolution Protocol (ARP) spoofing does this at the level of MAC addresses, by sending forged ARP replies so that victims’ ARP caches map an IP address (usually the gateway’s) to the attacker’s MAC address.
In Windows, use the shell command:
to view your ARP table. Note that you can use the arp -s command to add static entries manually, and the arp -d command to delete them; a static entry for the default gateway is one crude defense against ARP spoofing, though it doesn’t scale beyond a few hosts. Command:
for detailed information.
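A small ARP-cache monitor, added here as an example that is not from the original page: it parses the Windows-style table text and flags the two classic symptoms of ARP spoofing, the gateway’s MAC changing and one MAC claiming several IP addresses. The two table snapshots are constructed, not captured from a real host, and the interface and addresses in them are arbitrary.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in Windows formatting (not captured from a real host).
BASELINE = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.21          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Same LAN a few minutes later: the gateway now "lives" at .20's MAC address.
LATER = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.21          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC for unicast entries; broadcast and multicast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if int(mac[:2], 16) & 1:          # group bit set: broadcast or multicast MAC
            continue
        table[ip] = mac
    return table


def detect_arp_spoofing(baseline: dict, current: dict, gateway_ip: str) -> list:
    """Return human-readable alerts for a changed gateway mapping and for any
    single MAC address that claims more than one IP address."""
    alerts = []
    if gateway_ip in baseline and gateway_ip in current and baseline[gateway_ip] != current[gateway_ip]:
        alerts.append(f"gateway {gateway_ip} moved from {baseline[gateway_ip]} to {current[gateway_ip]}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    base, now = parse_arp_table(BASELINE), parse_arp_table(LATER)
    for alert in detect_arp_spoofing(base, now, "192.168.1.1"):
        print("ALERT:", alert)
```

Two caveats: a legitimate gateway replacement also trips the first check, so the alert needs a human to confirm it; and a host only sees the ARP traffic addressed to it, so this catches poisoning of this machine’s cache, not of every machine on the LAN.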
SYN/ACK Attacks – Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a “handshake.” The server, if it receives this SYN packet, responds with a SYN-ACK. The client then responds with an ACK. In short: client → SYN → server; server → SYN-ACK → client; client → ACK → server.
This is a bit of an oversimplification: after the very first packet from the client, every segment carries an ACK of what has been received so far, and the connection is closed with an exchange of FIN packets (“we’re finished”).
Here lies the basis of the SYN flood attack (see this page for a longer explanation). If I’m an attacker, I can send a server a SYN packet but never answer the SYN-ACK that comes back. The server holds a half-open connection for me in its backlog queue, waiting for an ACK that never arrives. Meanwhile I send another SYN from yet another spoofed source address, opening but never completing another connection. Before long the backlog is full of these faked connections, legitimate SYNs are dropped, and DoS results: this is a SYN flood. The standard countermeasure is SYN cookies: the server keeps no state for a SYN and instead encodes what it needs to verify the final ACK in the sequence number it sends back.
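The handshake, the flood and the SYN-cookie fix, modelled as an added example (not part of the original page). The listener below is a toy state machine, not a real TCP stack: its cookie is simply an HMAC over the client’s address under a constructed secret, whereas real SYN cookies also encode a time counter and the negotiated MSS; the backlog size, addresses and ports are arbitrary.

```python
import hashlib
import hmac


class TcpListener:
    """Minimal model of a listening socket's handshake state.

    backlog      how many half-open connections the kernel will remember
    syn_cookies  when True, keep no state for a SYN: the ISN in our SYN-ACK is a
                 MAC over the client's address, and we recompute it on the ACK.
    Simplification: real SYN cookies also fold in a time counter and the MSS.
    The secret is a constructed value for this example."""

    def __init__(self, backlog: int = 5, syn_cookies: bool = False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = b"constructed-example-secret"
        self.half_open = {}      # (ip, port) -> ISN we sent in the SYN-ACK
        self.established = set()
        self.dropped = 0
        self._next_isn = 1000

    def _cookie(self, client) -> int:
        tag = hmac.new(self.secret, f"{client[0]}:{client[1]}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, client):
        """Client -> SYN.  Returns the ISN of our SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return self._cookie(client)            # nothing is stored
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                      # queue full: SYN silently dropped
            return None
        self._next_isn += 1
        self.half_open[client] = self._next_isn
        return self._next_isn

    def on_ack(self, client, ack_number: int) -> bool:
        """Client -> ACK.  Valid only if ack_number is our ISN + 1."""
        if self.syn_cookies:
            ok = ack_number == self._cookie(client) + 1
        else:
            ok = client in self.half_open and ack_number == self.half_open.pop(client) + 1
        if ok:
            self.established.add(client)
        return ok


def syn_flood_then_legit_client(syn_cookies: bool, flood_size: int = 100) -> bool:
    """Attacker sends SYNs from spoofed sources and never completes the handshake;
    then a real client tries.  Returns True if the real client gets connected."""
    server = TcpListener(backlog=5, syn_cookies=syn_cookies)
    for i in range(flood_size):
        server.on_syn((f"203.0.113.{i % 250}", 40000 + i))   # spoofed; no ACK ever comes
    client = ("198.51.100.7", 51515)
    isn = server.on_syn(client)
    if isn is None:
        return False                                    # SYN dropped: denial of service
    return server.on_ack(client, isn + 1)


if __name__ == "__main__":
    print("without SYN cookies, legit client connects:", syn_flood_then_legit_client(False))
    print("with SYN cookies, legit client connects:   ", syn_flood_then_legit_client(True))
```

Without cookies the five-slot backlog fills on the first five spoofed SYNs and every later SYN, including the real client’s, is dropped; with cookies the server remembers nothing per SYN, so the flood costs it only CPU, and a forged ACK with the wrong number is rejected because the attacker cannot compute the cookie.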
The similar Smurf attack occurs when an attacker sends ICMP echo requests to a network’s broadcast address with a forged source IP: the victim’s (usually a server’s). Every host on that network replies to the victim, which is flooded by the amplified traffic, and DoS results. A Smurf is made possible by routers and hosts that forward and answer ICMP echoes sent to directed broadcast addresses (x.x.x.255 on a /24 network); refusing directed broadcasts at the border router removes the amplifier.
A Fraggle attack uses the same technique over UDP rather than ICMP, typically aimed at the echo (port 7) and chargen (port 19) services.
The Ping of Death is usually listed with Smurf but is a different attack: it sends a deliberately malformed, oversized ICMP echo request (fragments that reassemble to more than the 65,535-byte IP maximum) that crashed or locked up systems with vulnerable IP stacks.
A Land attack is an older one that sends a SYN packet with the same IP address and port as both source and destination. This locked up some early TCP/IP stacks.
Distributed Denial-of-Service (DDoS) Attacks – These attacks scale up any of the above by using dozens, hundreds, or thousands of compromised “zombie” computers, which also hides the real attacker. If you’re already in this situation, obviously, life is bad.
The Security+ test gets very picky about the differences between these categories. Know these intimately.
Viruses – These attach themselves to something, whether a document or a program. They are executable code. The most common vector is e-mail attachments. The victim has to do something to activate a virus; typically this is clicking on the attachment. Anti-virus software is the (putative) cure.
Worms – These travel by themselves. They do not have to attach themselves to something else, and they do not require action by the victim to be launched into action: they spread by exploiting vulnerable network services. They do often use e-mail as a convenient vector of propagation as well. You’ll need procedures (“Never even open e-mails from unknown sources!”), products (hardware and software firewalls) and, above all, prompt patching of the services worms exploit to protect against them.
Logic Bombs – A specific event triggers a logic bomb, which then does its damage. The trigger can be a date or an event like a person’s account being deactivated (the classic disgruntled-programmer case). Policies like code reviews, practices like network surveillance and monitoring, and products like Tripwire (which keeps a baseline of cryptographic hashes and attributes of important files and reports any change) are all necessary, but not sufficient, to protect against logic bombs.
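The file-integrity check that tools like Tripwire perform, written out as an added example (this is not Tripwire’s code or the page’s): build a baseline of hashes and attributes, then diff a later walk against it. The directory tree, the scripts and the planted date-triggered line in the constructed scenario are all made up for the example.

```python
import hashlib
import os
import tempfile


def file_fingerprint(path: str) -> dict:
    """What to remember about a file: content hash, size and permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def build_baseline(root: str) -> dict:
    """Walk `root` and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_fingerprint(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (which attributes) since the baseline."""
    changed = {p: [k for k in baseline[p] if baseline[p][k] != current[p][k]]
               for p in baseline.keys() & current.keys()}
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": {p: attrs for p, attrs in sorted(changed.items()) if attrs},
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then tamper with the tree and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("bin/payroll", b"#!/bin/sh\necho pay everyone\n"),
                           ("bin/backup", b"#!/bin/sh\ntar czf /backup.tgz /data\n"),
                           ("README", b"internal tools\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # A date-triggered line slipped into payroll, a new script planted, README removed.
        with open(os.path.join(root, "bin/payroll"), "ab") as f:
            f.write(b'[ "$(date +%m%d)" = "0401" ] && rm -rf /data\n')
        with open(os.path.join(root, "bin/cleanup"), "wb") as f:
            f.write(b"#!/bin/sh\nrm -rf /data\n")
        os.remove(os.path.join(root, "README"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The report names the tampered script, the planted one and the deleted file, but only because the baseline was taken before the tampering and is trusted: store the baseline off the monitored host, or sign it, since an attacker who can edit the binaries can usually edit a baseline kept beside them.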
Trojan Horses – Some programs disguise themselves as one thing, then reveal an ugly side when they’re opened. People addicted to internet freebie programs are very susceptible to this threat. These things are tough to fight, typically requiring anti-virus and other software to prevent, and often forcing disinfection after an infection occurs. These in particular force me to enforce a rule: “If you don’t HAVE to have a piece of software to do your job, you are FORBIDDEN to have it.” Needless to say this is very unpopular; but I’ve seen more than one business literally bankrupted by violating this practice.
Back Doors – Worms, trojans or viruses may install secret entrances to systems. Sometimes an innocent intent opens this vulnerability, like a programmer’s testing hook that’s never removed. Sometimes a virus like MyDoom creates the opening, leaving a listening port for its author to connect to. Scanning your own hosts for unexpected listening ports is the basic check; visit, for instance, Gibson Research and follow the ShieldsUp! link for a scan of your home PC. Host-based checks (comparing the ports actually listening against what should be there, and file integrity monitoring) catch back doors that a firewall hides from an outside scanner.
Layering – Providing multiple layers of protection: physical access control, a firewall, antivirus software, etc. The key concept is that a weakness or convenience in one layer should not undermine another. If you leave workstations logged in overnight to distribute antivirus updates, you’ve weakened access control to make patching easier.
Limiting – Basically, limiting access, whether physical or logical.
Diversity – Using more than one type of a given security method; for instance, both a hardware firewall at the network edge and a software firewall on each host, so that one flaw doesn’t defeat both.
Obscurity – Limiting the information available to attackers. For example, your web server should not reveal that it’s Apache 1.2 (on Apache, ServerTokens Prod and ServerSignature Off trim the version from headers and error pages). Obscurity supplements the other layers; it never replaces them.
Simplicity – Put simply, don’t make your security layers hard to understand or configure.