Security+: Definitions and Catchwords

The 7 Layers of the OSI Model courtesy of Webopedia

Ports, well-known and otherwise

NAT and Private Address Ranges (thanks JP)

Definitions and Catchwords

Asset – anything valuable, such as information, software or a car stereo

Threat – any event or object that might result in a loss, like theft or fire damage

Threat Agent – any person or thing that can carry out a threat, like a thief or a flood

Vulnerability – a weakness in security, like an unprotected server or a hole in a fence

Exploit – actually taking advantage of a weakness, for instance by attacking an unprotected server or going through that hole in the fence

Risk – the likelihood that an exploit will actually be performed

Risk management is what it’s all about: how much risk can you tolerate, and how much will you spend to avoid it?

    1. Integrity – Insurance that a message, software or other item hasn’t been changed in any way.
    2. Confidentiality – Only authorized persons have access to the information.
    3. Availability – Information is available to properly authorized users.

Social Engineering – tricking a person into allowing access to a system; this includes dumpster diving and phishing

Password Guessing – this includes brute force (throwing thousands of passwords at a system), dictionary attacks (hashing every word in the dictionary to compare that hash value to user’s hashed password, looking for matches) and software exploitation (like buffer overflows).

Weak Keys – algorithms that allow the creation of keys with detectable patterns or structures allow weak keys.

Mathematical Attacks – usually these are statistical analyses that attempt to discover keys

Birthday Attacks – taking advantage of the birthday paradox, which is the greater possibility of finding something in common (like a birthday) if you start looking from a known value (like a certain date) rather than trying to analyze all values (like all dates).

Man-In-The-Middle Attacks (MIM) – The attacker looks like the server to the client, and looks like the client to the server, thus intercepting traffic and information.

Replay Attacks – These are similar to MIM attacks, except the traffic or information is changed before it is relayed.

TCP/IP Hijacking – setting up a device that appears to be valid to perform an MIM attack; spoofing is the act of falsifying one’s IP address to do this; Address Resolution Protocol (ARP) spoofing does this at the level of MAC addresses, by falsifying the MAC address resolution table.

In Windows, use the shell command:

arp -a

to view your ARP table. Note that you can use the arp -s command to add new entries manually, and the arp -d command to delete them. Run:

arp /?

for detailed information.

SYN/ACK Attacks – Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a “handshake.” The server, if it receives this SYN packet, responds with a SYN-ACK. The client, then, responds with an ACK. Think of it this way:

Client                    Server
SYN          —–>
             <—–         SYN-ACK
ACK          —–>

This is a bit of an oversimplification, because after the very first packet from the client, every packet contains an ACKnowledgement of response, and the final packet exchange will be FIN packets (“we’re finished”).

Here lies the basis of the SYN flood attack (see this page for a longer explanation). Basically, if I’m an attacker, I can send a server a SYN packet, but never acknowledge the SYN-ACK that comes back. The server holds a half-open connection for me, but I never reply. Instead I send a new SYN packet from yet another spoofed IP address, opening but never acknowledging another connection. Before long the server is overwhelmed with these faked connections, and DoS results: this is a SYN flood.

The similar Smurf attack occurs when an attacker sends forged ICMP echo request packets to every computer on a network, using a false source IP (usually a server’s). This causes them to send responses to the victim, the server that really holds that IP address. This floods the network, resulting in DoS. A Smurf is made possible by misconfigured network devices that respond to ICMP echoes sent to broadcast addresses (x.x.x.255).

A Fraggle attack is the same technique, used over UDP rather than ICMP.

The Ping of Death is a variant of Smurf that sends deliberately malformed ICMP ping packets, attacking computers susceptible to this malformation.

A Land attack is an older one that sends a packet with the same host specified as both sender and receiver. This locks up some systems.
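As an added example (not code from the original notes), the Python below applies the signatures described above to a constructed list of packet summaries: it follows the SYN / SYN-ACK / ACK handshake per connection to count half-open connections per server (the SYN flood symptom), and tags packets whose shape matches Smurf (ICMP to a broadcast address), Fraggle (UDP to a broadcast address) or Land (source equals destination). All addresses, packets and the alert threshold are made up; a real detector would read packets from a capture.

```python
from collections import Counter
# Constructed packet summaries (proto, src, dst, tcp_flags); not real captures.
# Flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "" = not TCP.
PACKETS = [
    ("tcp", "10.0.0.5", "192.0.2.10", "S"),
    ("tcp", "192.0.2.10", "10.0.0.5", "SA"),
    ("tcp", "10.0.0.5", "192.0.2.10", "A"),       # completed handshake
    ("tcp", "198.51.100.1", "192.0.2.10", "S"),   # SYNs that are never followed
    ("tcp", "198.51.100.2", "192.0.2.10", "S"),   # up: the server keeps them
    ("tcp", "198.51.100.3", "192.0.2.10", "S"),   # half-open
    ("icmp", "192.0.2.10", "192.0.2.255", ""),    # echo to broadcast, source forged as the victim: Smurf
    ("udp", "192.0.2.10", "192.0.2.255", ""),     # the same over UDP: Fraggle
    ("tcp", "192.0.2.10", "192.0.2.10", "S"),     # source == destination: Land
]
def is_broadcast(ip):
    # Directed-broadcast check for /24 networks, matching the x.x.x.255 note above.
    return ip.endswith(".255")

def classify(pkt):
    """Return 'land', 'smurf', 'fraggle' or None for one packet summary."""
    proto, src, dst, _flags = pkt
    if src == dst:
        return "land"
    if proto == "icmp" and is_broadcast(dst):
        return "smurf"
    if proto == "udp" and is_broadcast(dst):
        return "fraggle"
    return None

def half_open_per_server(packets):
    """Count connections per server that saw a SYN but never the client's final ACK."""
    state = {}  # (client, server) -> "syn" | "syn-ack" | "established"
    for proto, src, dst, flags in packets:
        if proto != "tcp" or src == dst:
            continue
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "syn-ack"
        elif flags == "A" and state.get((src, dst)) == "syn-ack":
            state[(src, dst)] = "established"
    counts = Counter()
    for (_client, server), st in state.items():
        if st != "established":
            counts[server] += 1
    return counts

def syn_flood_suspects(packets, threshold=3):
    """Servers with at least `threshold` half-open connections (threshold is illustrative)."""
    return [srv for srv, n in half_open_per_server(packets).items() if n >= threshold]
```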

Distributed Denial-of-Service (DDoS) Attacks – These attacks amplify the situation by using dozens, hundreds, or thousands of “zombie” computers. If you’re already in this situation, obviously, life is bad.

The Security+ test gets very picky about the differences between these categories. Know these intimately.

Viruses – These attach themselves to something, whether a document or a program. They are executable code. The most common vector is e-mail attachments. The victim has to do something to activate a virus; typically this is clicking on the attachment. Anti-virus software is the (putative) cure.

Worms – These travel by themselves. They do not have to attach themselves to something else. They do not require action by the victim to be launched into action. They do often use e-mail as a convenient vector of propagation. You’ll need both procedures (“Never even open e-mails from unknown sources!”) and products (hardware and software firewalls) to protect against worms.

Logic Bombs – A specific event triggers a logic bomb, which then does its damage. This can be a date or an event like a person’s account being deactivated. Policies like code reviews, practices like network surveillance and monitoring programs, and products like Tripwire (which monitors signatures of executable files for changes) are all necessary, but not sufficient to protect against logic bombs.

Trojan Horses – Some programs disguise themselves as one thing, then reveal an ugly side when they’re opened. People addicted to internet freebie programs are very susceptible to this threat. These things are tough to fight, typically requiring anti-virus and other software to prevent, and often forcing disinfection after an infection occurs. These in particular force me to enforce a rule: “If you don’t HAVE to have a piece of software to do your job, you are FORBIDDEN to have it.” Needless to say this is very unpopular; but I’ve seen more than one business literally bankrupted by violating this practice.

Back Doors – Worms, trojans or viruses may install secret entrances to systems. Sometimes an innocent intent opens this vulnerability, like a programmer’s testing procedure that’s never removed. Sometimes an evil virus like MyDoom creates the opening. Your only protection is network scanning. Visit, for instance, Gibson Research and follow the ShieldsUp! link for a scan of your home PC.

Layering – Providing multiple layers of protection: physical access control, a firewall, antivirus software, etc. The key concept is preventing one layer’s configuration from compromising other layers. If you leave workstations logged in overnight to distribute antivirus updates, you’ve weakened security with that compromise.

Limiting – Basically, limiting access, whether physical or logical.

Diversity – Using more than one type of a given security method; for instance, both a physical and a software firewall.

Obscurity – Limiting the information available to attackers. For example, your web server should not reveal that it’s Apache 1.2.

Simplicity – Put simply, don’t make your security layers hard to understand or configure.


Security+ Certification

Objectives

  • A basic understanding of security issues
  • Familiarity with encryption, secure remote connections and protocols
  • Successful preparation to pass the CompTIA Security+ Certification Exam

Text: CompTIA Security+ Certification, CompTIA Press

Get the Security+ Exam Objectives at http://certification.comptia.org/Training/testingcenters/examobjectives.aspx

Day 1

Introductions, skill assessment

Chapter 1: Mitigating threats

Chapter 2: Cryptography

Day 2

Chapter 3: Authentication systems

Chapter 4: User- and role-based security

Day 3

Chapter 5: Peripheral security

Chapter 6: Public Key Infrastructure

Day 4

Chapter 7: Application and messaging security

Chapter 8: Ports and protocols

Day 5

Chapter 9: Network security

Chapter 10: Wireless security

Day 6

Chapter 11: Remote access security

Chapter 12: Vulnerability testing and monitoring

Day 7

Chapter 13: Organizational security

Chapter 14: Business continuity


Network+ : Servers and Support

Redundancies

RAID Levels

Backup Techniques

On the CD:

Dr. TCP

TCPView

Freeproxy

On the Internet:

About MTU

http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213605,00.html

http://www.tech-faq.com/mtu.shtml

http://openvpn.net/archive/openvpn-devel/2002-07/msg00009.html

http://www.dslreports.com/forum/remark,17719662?hilite=

What is my external IP? WhatIsMyIP.com

How fast is my Internet connection? DSLReports.com


The OSI Model

The 802 Stack

Media Types

Network Types

Protocol Stacks

IP Address Classes

Subnets and CIDR

Ports

WAN Protocols

Wireless Variants and Security

Command-Line Tools

Cross-Platform Connectivity

RAID

Backing Up

Network+ : Sharing Resources

Naming: UNC and URL

Permissions: Share-level and Domain

Accessing Shares

DNS

IPCONFIG /DISPLAYDNS (or /FLUSHDNS)

NSLOOKUP and dig

http://www.zoneedit.com/doc/nslookup.html

http://www.windowsnetworking.com/articles_tutorials/Using-NSLOOKUP-DNS-Server-diagnosis.html

http://www.activexperts.com/support/activmonitor/nslookup

DHCP

APIPA

WINS

NBTSTAT -c (or no switch)

The NET commands

Routing and Routing Tables

NETSTAT -NR and ROUTE PRINT

NAT

Proxy Servers

http://www.ripe.net/

http://en.wikipedia.org/wiki/RIPE

http://www.ripe.net/ris/index.html

http://www.ris.ripe.net/bgplay/

Longest prefix match: http://en.wikipedia.org/wiki/Longest_prefix_match

http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/af33e9b82606e603/b1fa87415bedced0?lnk=raot

http://en.wikipedia.org/wiki/Autonomous_System_Number

Network+ : TCP/IP and Network Operations

Exercises:

Configuring NICs

Network Setup:

NetBIOS

IPX/SPX

TCP/IP

TCP/IP Networking

Local Networking

MAC Resolution

MAC uses FRAMES (with MAC headers)

Broadcast: FFFFFFFFFFFF  (12 Fs)

How do you tell if it’s local or remote?

arp -a
arp -d *

Out-of-subnet Networking: IP

Gateways

Subnet Masking

Class        First Octet   Number of addresses
A            1 – 126       16.7 Million
(loopback)   127
B            128 – 191     65,534
C            192 – 223     254

Classless Subnetting (CIDR)

Non-Routable Special Addresses

Class   From           To
A       10.0.0.0       10.255.255.255
B       172.16.0.0     172.31.255.255
C       192.168.0.0    192.168.255.255

DNS

DHCP

WINS

Network Operating Systems

Models:

Client/Server
Peer-to-Peer
Resource-Based (Workgroup)
Server-Based (Domain)
Organization-Based (Directory)

Network+ : Networking Variants, Physical Installation

Ports

http://www.lb.shuttle.de/apastron/ports.htm

“Exotic” or Large-Scale Network Protocols

FDDI and CDDI
ATM
Frame Relay
MPLS
Metro Ethernet

Installation

Structured Cabling
Fire Ratings
Equipment Rooms
Equipment Racks: 19″, “U” units
Patch Panels
Patch Cables
EIA/TIA 606
Floor Plans
Pulling
Testing

Multispeed Switches and Backbone Networks

Toners

Wireless Networking

Wireless NICs
Access Points (APs)
Wireless Bridges: Point to Point / Point to Multipoint

Wireless Networking Software

Modes: Ad-hoc vs. Infrastructure

Basic Service Set

Extended (Basic) Service Set

CSMA/CA

Wireless Networking Security

SSID

MAC Filtering

WEP

64 bit encryption
Shared, static key

WPA

128 bit encryption
Key variants: Enterprise 802.1x vs. Personal PSK

Exercise:

WAP Configuration

Network+ : From Physical Topologies to Protocols and Domains

Network Topology
Bus
Ring
Star
Physical vs. Logical

Cable

Coaxial

RG-5 – Cable service
RG-8 – 10Base5
RG-62 – TV
RG-58 – 10Base2
RG-59 – rare Cable service
STP – usually Token Ring

UTP

10BaseT – see p. 128
100BaseTX
100BaseT4
1000BaseCX
1000BaseSX
1000BaseLX

Fiber Optic

10BaseFL – early fiber optic
100BaseFX

Boxes

Repeater
Bridge
Hub
Switch
Router
MAU or MSAU

IEEE

802.1x – NAC
802.2 – MAC
802.3 – Ethernet
802.5 – Token Ring
802.11 – Wireless

a
b
g
n
MIMO

The Data Link Layer
Logical Link Layer
Media Access Control Layer
Full vs. Half-duplex

Network Protocol Stacks

Lan Manager

Localtalk

NetBEUI/NetBIOS

IPX/SPX

AppleTalk

TCP/IP

SMB/Samba

NFS

Domains and Directories

Workgroups

NT Domains

Active Directory

Network Information System (Yellow Pages)

Novell Directory Services

Red Hat/Sun Directory Services

Network+ Certification

Instructor: Glenn Norman
Text: Network+ Certification All-In-One Guide, 5th Edition, Mike Meyers

  • A solid understanding of network functionality
  • Familiarity with construction, maintenance and troubleshooting networks
  • Successful preparation to pass the CompTIA Network+ Certification Exam

The Network+ Exam 2011 Revision
CompTIA Exam Objectives and Sample Tests

ARPANET

Client/Server

Sharing and Accessing Resources

The OSI Model
http://en.wikipedia.org/wiki/OSI_model

The Physical Layer
Cable
Connectors
NICs
Hubs

Packet Architecture

Exercise: Cable construction, punchdown blocks

This website has great wiring pinouts for T568A & B:

http://www.incentre.net/content/view/75/2/